8000 Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8 by dependabot[bot] · Pull Request #2265 · atlanhq/atlan-java · GitHub
[go: up one dir, main page]
Skip to content

Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8#2265

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/gradle/com.nimbusds-nimbus-jose-jwt-10.8
Closed

Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8#2265
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/gradle/com.nimbusds-nimbus-jose-jwt-10.8

Conversation

@dependabot
Copy link
Contributor
@dependabot dependabot bot commented on behalf of github Feb 20, 2026
edited
Loading

Bumps com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8.

Changelog

Sourced from com.nimbusds:nimbus-jose-jwt's changelog.

10.7 (2026-01-08) * Adds MaxCompressedCipherTextLength that implements JWEDecrypterOption, to to configure the maximum allowed length of compressed cipher text. * Adds JWEObject.decrypt(JWEDecrypter, Set) method to support the MaxCompressedCipherTextLength option.

10.8 (2026-02-19) * Adds a PasswordBasedDecrypter(byte[], Set) constructor to specify names of the critical header parameters that are deferred to the application for processing. Aligns with other JWEDecrypter and CriticalHeaderParamsAware implementations (iss #610). * Fixes getDeferredCriticalHeaderParams() in AESDecrypter, DirectDecrypter, RSADecrypter, ECDHDecrypter, X25519Decrypter, ECDH1PUDecrypter, ECDH1PUX25519Decrypter, MultiDecrypter, MACVerifier, ECDSAVerifier and Ed25519Verifier. Must internally call critPolicy.getDeferredCriticalHeaderParams(), not critPolicy.getProcessedCriticalHeaderParams() (iss #612).

Commits
  • 9509dc5 [maven-release-plugin] prepare for next development iteration
  • 0e27c9c Adds a PasswordBasedDecrypter(byte[], Set<String>) constructor to specify nam...
  • decee47 Fixes getDeferredCriticalHeaderParams() in AESDecrypter, DirectDecrypter, RSA...
  • b8d40c9 [maven-release-plugin] prepare release 10.8
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8
2490b97 
Bumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 10.7 to 10.8.
- [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt)
- [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/10.8..10.7)

---
updated-dependencies:
- dependency-name: com.nimbusds:nimbus-
8000
jose-jwt
  dependency-version: '10.8'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Feb 20, 2026
@dependabot dependabot bot requested a review from cmgrote as a code owner February 20, 2026 04:53
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Feb 20, 2026
@greptile-apps
Copy link
greptile-apps bot commented Feb 20, 2026

Greptile Summary

Updates com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8, a bug fix release that improves the library's handling of critical header parameters in JWE decryption.

Key Changes:

  • Adds new PasswordBasedDecrypter constructor for specifying deferred critical header parameters
  • Fixes bug in getDeferredCriticalHeaderParams() across multiple decrypter and verifier classes (was incorrectly calling getProcessedCriticalHeaderParams())

Impact:

  • Low risk: This is a transitive dependency used through azure-identity for ADLS support
  • No breaking changes or API modifications affecting existing code
  • Bug fixes improve correctness without requiring code changes

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • This is a minor version bump (10.7 to 10.8) of nimbus-jose-jwt that only includes bug fixes. The changelog shows two specific fixes: adding a new constructor to PasswordBasedDecrypter and fixing getDeferredCriticalHeaderParams() methods in multiple decrypter/verifier classes. These are non-breaking changes that improve correctness. The library is used as a transitive dependency through azure-identity for ADLS support, and no direct usage of the affected APIs was found in the codebase.
  • No files require special attention

Important Files Changed
Filename Overview
gradle/libs.versions.toml Dependency version bump from 10.7 to 10.8 - bug fix release with no breaking changes

Last reviewed commit: 2490b97

cmgrote added a commit that referenced this pull request Mar 9, 2026
@cmgrote @claude
chore(deps): consolidate dependency updates
9c65b9f 
Consolidates updates from the following dependency PRs:
- #2296: Bump de.siegmar:fastcsv from 4.1.0 to 4.1.1
- #2294: Bump awssdk from 2.41.32 to 2.42.8
- #2293: Bump docker/build-push-action from 6.19.2 to 7.0.0
- #2292: Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
- #2289: Bump com.google.cloud:libraries-bom from 26.76.0 to 26.77.0
- #2288: Bump jetty from 12.1.6 to 12.1.7
- #2286: Bump docker/login-action from 3.7.0 to 4.0.0
- #2284: Bump com.diffplug.spotless:spotless-plugin-gradle from 8.2.1 to 8.3.0
- #2281: Bump com.gradleup.shadow from 9.3.1 to 9.3.2
- #2280: Bump actions/download-artifact from 7.0.0 to 8.0.0
- #2278: Bump co.elastic.clients:elasticsearch-java from 9.3.1 to 9.3.2
- #2277: Bump actions/upload-artifact from 6.0.0 to 7.0.0
- #2276: Bump pkl from 0.30.2 to 0.31.0
- #2275: Bump org.pkl-lang:org.pkl-lang.gradle.plugin from 0.30.2 to 0.31.0
- #2269: Bump io.openlineage:openlineage-java from 1.44.0 to 1.44.1
- #2268: Bump com.jayway.jsonpath:json-path from 2.10.0 to 3.0.0
- #2266: Bump jackson from 2.21.0 to 2.21.1
- #2265: Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8

Also removes the claude.yml workflow (VPN step incompatible with public repo).

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris (He/Him) <cgrote@gmail.com>
@cmgrote cmgrote mentioned this pull request Mar 9, 2026
Merged
cmgrote added a commit that referenced this pull request Mar 9, 2026
@cmgrote @claude
chore(deps): consolidate dependency updates (#2297)
fd7149e 
Consolidates updates from the following dependency PRs:
- #2296: Bump de.siegmar:fastcsv from 4.1.0 to 4.1.1
- #2294: Bump awssdk from 2.41.32 to 2.42.8
- #2293: Bump docker/build-push-action from 6.19.2 to 7.0.0
- #2292: Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
- #2289: Bump com.google.cloud:libraries-bom from 26.76.0 to 26.77.0
- #2288: Bump jetty from 12.1.6 to 12.1.7
- #2286: Bump docker/login-action from 3.7.0 to 4.0.0
- #2284: Bump com.diffplug.spotless:spotless-plugin-gradle from 8.2.1 to 8.3.0
- #2281: Bump com.gradleup.shadow from 9.3.1 to 9.3.2
- #2280: Bump actions/download-artifact from 7.0.0 to 8.0.0
- #2278: Bump co.elastic.clients:elasticsearch-java from 9.3.1 to 9.3.2
- #2277: Bump actions/upload-artifact from 6.0.0 to 7.0.0
- #2276: Bump pkl from 0.30.2 to 0.31.0
- #2275: Bump org.pkl-lang:org.pkl-lang.gradle.plugin from 0.30.2 to 0.31.0
- #2269: Bump io.openlineage:openlineage-java from 1.44.0 to 1.44.1
- #2268: Bump com.jayway.jsonpath:json-path from 2.10.0 to 3.0.0
- #2266: Bump jackson from 2.21.0 to 2.21.1
- #2265: Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8

Also removes the claude.yml workflow (VPN step incompatible with public repo).

Signed-off-by: Chris (He/Him) <cgrote@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
@dependabot @github
Copy link
Contributor Author
dependabot bot commented on behalf of github Mar 9, 2026

Looks like com.nimbusds:nimbus-jose-jwt is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Mar 9, 2026
@dependabot dependabot bot deleted the dependabot/gradle/com.nimbusds-nimbus-jose-jwt-10.8 branch March 9, 2026 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cmgrote cmgrote Awaiting requested review from cmgrote cmgrote is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

0