build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.41.2 to 9.46 #3098
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 9.41.2 to 9.42. - [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt) - [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/tag/9.42) --- updated-dependencies: - dependency-name: com.nimbusds:nimbus-jose-jwt dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
|
Prevents Green Tests -> HS256 no longer allowed , Changelog 9.41.2 (2024-10-01) * JWEHeader must support the special case of an "aud" header value of type string (iss #569). 9.42 (2024-10-28) * Promotes getCompatibleAlgorithms from MACSigner to MACProvider. * Promotes getMinRequiredSecretLength from MACSigner to MACProvider. * Removes the Set argument from the protected MACProvider constructors, the compatible HSxxx algorithms are now determined within the constructor. * MACVerifier must enforce a minimum secret key length of 384 bits for HS384 and of 512 bits for HS512 (iss #563). * OctetSequenceKeyGenerator must support "exp", "nbf" and "iat" (iss #575). * Updates to com.google.crypto.tink:tink:1.15.0 Commits |
- fix validation_succeeds_with_different_alg, which is failing after bumping to com.nimbusds-nimbus-jose-jwt-9.42, which adds validation on key length when using key algorithm HS256, see: - https://bitbucket.org/connect2id/nimbus-jose-jwt/src/60b715f220c1eaf0bdd8c28488d52b0851160ec7/CHANGELOG.txt#lines-1704 - https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/563/incorrect-validation-of-secret-length-for
|
Yeah, looks like the test can be fixed (see commit) but would this be a breaking change? Given that we currently don't put validation on the user-provided key length in the bosh release (haven't checked the API but probably we don't either). |
|
A newer version of com.nimbusds:nimbus-jose-jwt exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged. |
Yes removing HS256 is a breaking change but we should announce it and then do it in next major version I dont know prod. customer with HSxxx usage, but only RS256 |
…com.nimbusds-nimbus-jose-jwt-9.42 # Conflicts: # dependencies.gradle
strehle
changed the title
strehle
deleted the
dependabot/gradle/com.nimbusds-nimbus-jose-jwt-9.42
branch
Bumps com.nimbusds:nimbus-jose-jwt from 9.41.2 to 9.42.
Changelog
Sourced from com.nimbusds:nimbus-jose-jwt's changelog.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)