Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 10.2 in /prime-router

[dependabot]

Bumps com.nimbusds:nimbus-jose-jwt from 9.47 to 10.2.

Changelog

Sourced from com.nimbusds:nimbus-jose-jwt's changelog.

9.47 (2024-11-14) * Adds static JSONArrayUtils.parse(String). * Adds static JSONArrayUtils.toJSONString(List). * JSONObjectUtils.toJSONString must throw NPE on null String (iss #577). * Fixes regression: Invalid JSON was accepted in versions 9.24+ (iss #574).

9.48 (2024-12-20) * Adds static JWTClaimsSet.getClaimAsString(String) to get the specified JWT claim (registered or custom) as String, with primitive or Wrapper types converted to String.

10.0 (2025-01-02) * Removes the "fips" build profile, it was breaking the Gson dependency shading (iss #550). * Removes the optional BouncyCastle FIPS JCA provider and PKIX dependencies, not required in tests. * Updates to optional BouncyCastle 1.79 (JDK 1.8 on). * Updates pom.xml, bumps Maven plugins.

10.0.1 (2025-01-03) * Adds "Automatic-Module-Name: com.nimbusds.jose.jwt" to restore established module name (iss #550). * Cleans up unused "Multi-Release: true" (iss #550). * Updates Tink dependency to 1.16.0 (iss #571).

10.0.2 (2025-02-25) * Updates JSONObjectUtils.parse and JSONArrayUtils.parse to reject JSON strings with object and array nesting deeper than 255. This is intended to prevent StackOverflowError's in Gson when a parsed JSON string with excessive nesting is serialised, for example to log the claims of a parsed JWT. Note that in Gson the JSON reader is not susceptible to StackOverflowError's, only the serialisation. The nesting limit of depth 255 is introduced in Gson 2.12.0 (iss #583). * Updates GSon to 2.12.1.

10.1 (2025-04-03) * Restores module-info.java. * Adds ExpiredJWTException extends BadJWTException to enable easy programmatic detection whether a JWT has expired (iss #585). * Adds URLBasedJWKSetSource getJWKSetURL and getResourceRetriever methods to ease class extension.

10.2 (2025-04-07) * Gson is made a direct instead of a shaded dependency to address module issues introduced in 10.1 (iss #550).

Commits

• 11b9457 Updates pom.xml, bumps Maven plugins
• ea6c9f4 [maven-release-plugin] prepare release 10.0
• dd59601 [maven-release-plugin] prepare for next development iteration
• 9fd735f Removes unused import from JCASupportTest
• b7995df Adds "Automatic-Module-Name: com.nimbusds.jose.jwt" to restore established mo...
• acaae58 Cleans up unused "Multi-Release: true" (iss #550)
• 3537ec8 Updates Tink dependency to 1.16.0 (iss #571)
• dba7845 [maven-release-plugin] prepare release 10.0.1
• a952d04 [maven-release-plugin] prepare for next development iteration
• 393a96f Updates JSONObjectUtils.parse and JSONArrayUtils.parse to reject JSON strings...
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Manifest Files

[github-actions]

Test Results

1 306 tests  ±0   1 302 ✅ ±0   7m 44s ⏱️ -15s
  170 suites ±0       4 💤 ±0 
  170 files   ±0       0 ❌ ±0 

Results for commit 5808876. ± Comparison against base commit 2b7a768.

♻️ This comment has been updated with latest results.

[github-actions]

Integration Test Results

 60 files  ±0   60 suites  ±0   43m 58s ⏱️ +33s
428 tests ±0  418 ✅ ±0  10 💤 ±0  0 ❌ ±0 
431 runs  ±0  421 ✅ ±0  10 💤 ±0  0 ❌ ±0 

Results for commit 5808876. ± Comparison against base commit 2b7a768.

♻️ This comment has been updated with latest results.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[jack-h-wang]

@dependabot recreate

[jack-h-wang]

server2serverauth smoke test fails on 10.2, but succeeds on 10.1.

[jack-h-wang]

@dependabot rebase

[jack-h-wang]

@dependabot rebase

[adegolier]

@dependabot rebase

[scott-aquia]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[adegolier]

#17981 has been created to deal with work associated with this update

[dependabot]

Superseded by #18094.