Breaking dependency change in spring-boot-starter-parent-v2.3.4 (nimbus-jose-jwt)

[jorgengranseth]

I encountered the following runtime error after bumping spring-boot-starter-parent from 2.3.3.RELEASE to 2.3.4.RELEASE, in a lib that depended on an older version of nimbus-jose-jwt:

java.lang.NoSuchMethodError: com.nimbusds.jose.jwk.source.DefaultJWKSetCache.<init>(JLjava/util/concurrent/TimeUnit;)

It seems nimbus-jose-jwt had a breaking API change between versions 8.9 and 8.10, where a constructor for DefaultJWKSetCache was changed from requiring 2 to requiring 3 arguments:
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f65bfa5#Lsrc/main/java/com/nimbusds/jose/jwk/source/DefaultJWKSetCache.javaF79

nimbus-jose-jwt was suggested bumped to version 8.8 here: #22996
and bumped to version 8.19 here: 0b3a131
to align with Spring Security 5.3.4: #22996 (comment)

Hopefully this issue can make the troubleshooting process faster for others.

[wilkinsona]

Thanks for the report. Unfortunately, there's no perfect solution here. We can either revert #22996 and reinstate the dependency convergence problem or we can live with the problem that you have described above. I think the latter is the better of the two options. Anyone affected by this problem should override the opinion of Spring Boot's dependency management to select a version of Nimbus JOSE JWT that meets their needs.