deps: bump the minor-and-patch group across 1 directory with 16 updates

[dependabot]

Bumps the minor-and-patch group with 16 updates in the / directory:

Package	From	To
software.amazon.awssdk:bom	2.32.25	2.33.0
org.liquibase:liquibase-core	4.32.0	4.33.0
io.jsonwebtoken:jjwt-api	0.12.6	0.13.0
io.jsonwebtoken:jjwt-impl	0.12.6	0.13.0
io.jsonwebtoken:jjwt-jackson	0.12.6	0.13.0
org.openapitools:jackson-databind-nullable	0.2.6	0.2.7
net.logstash.logback:logstash-logback-encoder	8.0	8.1
com.google.code.gson:gson	2.11.0	2.13.1
org.projectlombok:lombok	1.18.36	1.18.38
org.springdoc:springdoc-openapi-starter-webmvc-ui	2.8.11	2.8.12
jakarta.mail:jakarta.mail-api	2.1.3	2.1.4
com.google.guava:guava	33.4.0-jre	33.4.8-jre
org.instancio:instancio-junit	5.5.0	5.5.1
org.apache.maven.plugins:maven-compiler-plugin	3.13.0	3.14.0
org.jacoco:jacoco-maven-plugin	0.8.12	0.8.13
org.apache.maven.plugins:maven-surefire-plugin	3.5.2	3.5.3

Updates software.amazon.awssdk:bom from 2.32.25 to 2.33.0

Updates org.liquibase:liquibase-core from 4.32.0 to 4.33.0

Release notes

Sourced from org.liquibase:liquibase-core's releases.

Liquibase v4.33.0

Liquibase 4.33.0 is a minor release

Liquibase 4.33.0 delivers important updates across Policy Checks, Change Automation, and other areas of platform enhancement, along with critical bug fixes and improvements to MongoDB, PostgreSQL, and DB2 on Z/OS support. See the Liquibase 4.33.0 Release Notes for the complete set of release information.

UPDATE

The bug fix introduced in #7036 flags multiple Formatted SQL headers in one changelog. Removing these multiple Formatted SQL headers from your changelog can lead to checksum errors for previously deployed changelogs. And while there is a workaround by specifying a validCheckSum attribute, in the next release we will introduce a new global argument (--fail-on-multiple-formatted-sql-headers=[true (default) | false]) as a user option to decide when to fail an operation in which multiple formatted SQL headers are detected.

Notable Changes

[PRO]

Change Automation

• PostgreSQL Composite TYPE Support in Database Inspection. Liquibase Pro now includes support for inspecting PostgreSQL Composite TYPE objects during database inspection operations such as snapshot and diff. This enhancement ensures Composite TYPEs appear in inspection outputs, helping users manage and track changes to complex data structures more effectively. [INT-1249] [INT-135]

• PostgreSQL Composite TYPE Support in generate-changelog and diff-changelog. Liquibase Pro now includes support for detecting PostgreSQL composite TYPE objects during generate-changelog and diff-changelog operations. This enhancement ensures that composite TYPE definitions—used to group multiple fields into a custom data structure—are captured and modeled alongside other schema elements, helping users manage and track changes more comprehensively. [INT-1251]

• PostgreSQL Password Escaping Enhancement. Liquibase now escapes special characters in PostgreSQL passwords when using the psql native executor. Previously, if a password included characters requiring percent-encoding (such as @, %, or #), the executor would fail with a psql: error: invalid percent-encoded token message. [DAT-20254]

• Db2 on Z/OS JCL Executor. Liquibase Pro now includes the ability to submit JCL jobs to the mainframe via Db2 DSNUTILU stored procedure. This enables users to automate more sophisticated procedures by integrating system level activities and database activities in a standard changelog format. This feature is enabled by a runwith:JCL decoration on applicable changesets containing properly formatted JCL.[INT-573, INT-1217]

• Improved Persistent Spool File Behavior for SQLPlus Executor. The SQLPlus executor ensures that spool files are always retained when --sqlplus-create-spool=true, giving users consistent access to output files. Previously, spool file retention was tied to the --sqlplus-keep-temp setting; now, this setting applies only to temporary SQL files, not spool files. This decoupling improves clarity and gives users more control—if a spool file is created, it will remain unless users opt out by setting --sqlplus-create-spool=false. [DAT-18983]

Policy Checks

• MongoChangetypeAttributes Policy Check. Introduced a new quality check named MongoChangetypeAttributes that allows users to enforce specific values or patterns for attributes within MongoDB-specific changetypes. Users can select a single Mongo changetype (e.g., createIndex, dropCollection) and specify expected values or patterns for its attributes. The check triggers if a specified attribute is present but does not match the defined value or regex—ensuring consistent standards across Mongo changesets. This supports validation across key changetypes attributes like adminCommand, createCollection, insertOne, and more, and enhances control and quality enforcement in MongoDB deployment pipelines. [DAT-18275]

[OSS]

Important dependency updates

• Liquibase OSS 4.33+ has Java 24 core build support.
• The liquibase-cdi and liquibase-cdi-jakarta modules are still supported, but have been removed from the OSS distribution to their own repositories at https://github.com/liquibase/liquibase-cdi and https://github.com/liquibase/liquibase-cdi-jakarta

⚠️[PRO] and [OSS] Upcoming Change in Distributions

Liquibase is evolving to better serve both open-source contributors and enterprise customers by introducing a clearer separation between its Open Source (OSS) and PRO offerings. This change is designed to ensure that each distribution is optimized for its respective users—providing open-source users with flexibility and control, while delivering scalability, reliability, and governance for enterprise teams.

The new structure enables Liquibase to more effectively support developers at all stages—from experimentation and community collaboration to mission-critical deployments. Liquibase 4.32.0 introduced the first general availability (GA) release of independently packaged Pro distributions, along with dedicated distribution channels and key-based access enforcement for Pro capabilities. This marks a significant step toward delivering a curated, enterprise-grade experience for Pro users.

The OSS distribution and its delivery channels remain unchanged in this phase.

• Learn more https://docs.liquibase.com/start/install/home.html

PRO PRs

🆕New Features

... (truncated)

Changelog

Sourced from org.liquibase:liquibase-core's changelog.

Liquibase 4.33.0 is a major release

Liquibase 4.33.0 delivers important updates across Policy Checks, Change Automation, and other areas of platform enhancement, along with critical bug fixes and improvements to MongoDB, PostgreSQL, and DB2 on Z/OS support. See the Liquibase 4.33.0 Release Notes for the complete set of release information.

Notable Changes

[PRO]

Change Automation

• PostgreSQL Composite TYPE Support in Database Inspection. Liquibase Pro now includes support for inspecting PostgreSQL Composite TYPE objects during database inspection operations such as snapshot and diff. This enhancement ensures Composite TYPEs appear in inspection outputs, helping users manage and track changes to complex data structures more effectively. [INT-1249] [INT-135]
• PostgreSQL Composite TYPE Support in generate-changelog and diff-changelog. Liquibase Pro now includes support for detecting PostgreSQL composite TYPE objects during generate-changelog and diff-changelog operations. This enhancement ensures that composite TYPE definitions—used to group multiple fields into a custom data structure—are captured and modeled alongside other schema elements, helping users manage and track changes more comprehensively. [INT-1251]
• PostgreSQL Password Escaping Enhancement. Liquibase now escapes special characters in PostgreSQL passwords when using the psql native executor. Previously, if a password included characters requiring percent-encoding (such as @, %, or #), the executor would fail with a psql: error: invalid percent-encoded token message. [DAT-20254]
• Db2 on Z/OS JCL Executor. Liquibase Pro now includes the ability to submit JCL jobs to the mainframe via Db2 DSNUTILU stored procedure. This enables users to automate more sophisticated procedures by integrating system level activities and database activities in a standard changelog format. This feature is enabled by a runwith:JCL decoration on applicable changesets containing properly formatted JCL.[INT-573, INT-1217]
• Improved Persistent Spool File Behavior for SQLPlus Executor. The SQLPlus executor ensures that spool files are always retained when --sqlplus-create-spool=true, giving users consistent access to output files. Previously, spool file retention was tied to the --sqlplus-keep-temp setting; now, this setting applies only to temporary SQL files, not spool files. This decoupling improves clarity and gives users more control—if a spool file is created, it will remain unless users opt out by setting --sqlplus-create-spool=false. [DAT-18983]

Policy Checks

• MongoChangetypeAttributes Policy Check. Introduced a new quality check named MongoChangetypeAttributes that allows users to enforce specific values or patterns for attributes within MongoDB-specific changetypes. Users can select a single Mongo changetype (e.g., createIndex, dropCollection) and specify expected values or patterns for its attributes. The check triggers if a specified attribute is present but does not match the defined value or regex—ensuring consistent standards across Mongo changesets. This supports validation across key changetypes attributes like adminCommand, createCollection, insertOne, and more, and enhances control and quality enforcement in MongoDB deployment pipelines. [DAT-18275]

[OSS]

Important dependency updates

• Liquibase OSS 4.33+ has Java 24 core build support.
• The liquibase-cdi and liquibase-cdi-jakarta modules are still supported, but have been removed from the OSS distribution to their own repositories.

️[PRO] and [OSS] Upcoming Change in Distributions

Liquibase is evolving to better serve both open-source contributors and enterprise customers by introducing a clearer separation between its Open Source (OSS) and PRO offerings. This change is designed to ensure that each distribution is optimized for its respective users—providing open-source users with flexibility and control, while delivering scalability, reliability, and governance for enterprise teams. The new structure enables Liquibase to more effectively support developers at all stages—from experimentation and community collaboration to mission-critical deployments. Liquibase 4.32.0 introduced the first general availability (GA) release of independently packaged Pro distributions, along with dedicated distribution channels and key-based access enforcement for Pro capabilities. This marks a significant step toward delivering a curated, enterprise-grade experience for Pro users. The OSS distribution and its delivery channels remain unchanged in this phase.

• Learn more https://docs.liquibase.com/start/install/home.html

PRO PRs

New Features

• [DAT-20202] Added ProJdbcExecutor in order to show SQL warning messages on compiler errors liquibase/liquibase-pro#2410 by @​wwillard7800
• [DAT-20173] Changes to allow connection to Azure MI liquibase/liquibase-pro#2489 by @​wwillard7800
• [DAT-20286] Added code to use the getVisibleUrl method for display of URL liquibase/liquibase-pro#2478 by @​wwillard7800
• [INT-1318] Added application name to JDBC properties liquibase/liquibase-pro#2381 by @​wwillard7800
• [DAT-18983] Always keep the spool file if it was created liquibase/liquibase-pro#2476 by @​wwillard7800 Documentation: https://docs.liquibase.com/concepts/changelogs/attributes/run-with-spool-file.html
• [DAT-20132] support regular expressions for string comparisons liquibase/liquibase-checks#221 by @​StevenMassaro
• [DAT-20134] remove sql from changeset compatibility list for MongoChangetypeAttributes liquibase/liquibase-checks#224 by @​StevenMassaro
• [DAT-20133] add additional logging around AbstractChangetypeAttributesCheck when not checking change liquibase/liquibase-checks#223 by @​StevenMassaro
• [DAT-20131] compare JSON in MongoChangetypeAttributes using JSON equivalence liquibase/liquibase-checks#220 by @​StevenMassaro
• [INT-1361] added default collation to change DataTypeAttribute. liquibase/liquibase-pro#2457 by @​SvampX
• [DAT-19897] Add InitPropertiesCommandStep to generate Liquibase properties summary liquibase/liquibase-pro#2245 by @​filipelautert
• feat: Refactor Snowflake JDBC connection, removing all Snowflakedriver dependencies from this class liquibase/liquibase-pro#2436 by @​filipelautert
• [DAT-19668] New message appears when using the --force flag with rollback-one-changeset, rollback-one-update, and update-one-changeset liquibase/liquibase-pro#2352 by @​wwillard7800
• [DAT-20254] Use PercentEscaper to percent encode password for PostgreSQL liquibase/liquibase-pro#2369 by @​wwillard7800
• [INT-1217] Implementation of JCL native executor liquibase/liquibase-pro#2244 by @​wwillard7800

... (truncated)

Commits

• 75773ed chore: update changelog for version 4.33.0 release with notable changes and e...
• 26aabfc fix: do not snapshot index type for cockroach DB as indexes behave different ...
• 4b85cfc Allow showSqlWarnings message to be overridden in JdbcExecutor DAT-20202 (#7017)
• b97c439 chore(deps): bump org.apache.maven.plugins:maven-enforcer-plugin from 3.5.0 t...
• d91fa78 chore(deps): bump org.junit.jupiter:junit-jupiter from 5.12.2 to 5.13.2 (#7068)
• 4b2c62b chore(deps): bump org.junit.platform:junit-platform-suite from 1.11.4 to 1.13...
• e939564 chore(deps): bump junit-jupiter.version from 5.12.2 to 5.13.2 (#7066)
• 1834475 chore(deps-dev): bump com.microsoft.sqlserver:mssql-jdbc from 12.10.0.jre8 to...
• c6962c3 chore(deps-dev): bump org.xerial:sqlite-jdbc from 3.50.1.0 to 3.50.2.0 (#7073)
• 864026b chore(deps): bump com.opencsv:opencsv from 5.11 to 5.11.2 (#7061)
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-api from 0.12.6 to 0.13.0

Release notes

Sourced from io.jsonwebtoken:jjwt-api's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

• The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. Thank you to @​kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

• Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

• Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

  • Emptying the zip() nested collection disables JWT decompression.
  • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
  • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

  See Issue 996.

• Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

• Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

• Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

  Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

  NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

  See Issue 988.

• Upgrades the Gson dependency to 2.11.0

• Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

• @​sigpwned made their first contribution in jwtk/jjwt#968
• @​TheMrMilchmann made their first contribution in jwtk/jjwt#979
• @​atanasg made their first contribution in jwtk/jjwt#974

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-api's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

• The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

• Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

• Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

  • Emptying the zip() nested collection disables JWT decompression.
  • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
  • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

  See Issue 996.

• Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

• Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

• Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

  Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

  NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

  See Issue 988.

• Upgrades the Gson dependency to 2.11.0

• Upgrades the BouncyCastle dependency to 1.78.1

Commits

• a757add [maven-release-plugin] prepare release 0.13.0
• e357463 Preparing for the 0.13.0 release.
• b6f8cb8 Made constructor public to allow users their own objectMapper instance (#972)
• 03f088a Bumping development version to 0.13.0-SNAPSHOT (#1014)
• 3f2697f Release 0.12.7 (#1012)
• efed1cf Updated 0.12.7 change list
• ca27b12 Resolves #1010 (#1011)
• 55c7b9a Resolves #771 (#1009)
• 6e9c6a5 Bump org.bouncycastle:bcpkix-jdk18on from 1.78 to 1.78.1 (#1008)
• 7ec7dd1 Enable JwtParser empty nested algorithm collections. (#1007)
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-impl from 0.12.6 to 0.13.0

Release notes

Sourced from io.jsonwebtoken:jjwt-impl's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

• The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. Thank you to @​kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

• Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

• Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

  • Emptying the zip() nested collection disables JWT decompression.
  • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
  • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

  See Issue 996.

• Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

• Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

• Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

  Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

  NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

  See Issue 988.

• Upgrades the Gson dependency to 2.11.0

• Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

• @​sigpwned made their first contribution in jwtk/jjwt#968
• @​TheMrMilchmann made their first contribution in jwtk/jjwt#979
• @​atanasg made their first contribution in jwtk/jjwt#974

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-impl's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

• The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

• Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

• Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

  • Emptying the zip() nested collection disables JWT decompression.
  • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
  • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

  See Issue 996.

• Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

• Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

• Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

  Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

  NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

  See Issue 988.

• Upgrades the Gson dependency to 2.11.0

• Upgrades the BouncyCastle dependency to 1.78.1

Commits

• a757add [maven-release-plugin] prepare release 0.13.0
• e357463 Preparing for the 0.13.0 release.
• b6f8cb8 Made constructor public to allow users their own objectMapper instance (#972)
• 03f088a Bumping development version to 0.13.0-SNAPSHOT (#1014)
• 3f2697f Release 0.12.7 (#1012)
• efed1cf Updated 0.12.7 change list
• ca27b12 Resolves #1010 (#1011)
• 55c7b9a Resolves #771 (#1009)
• 6e9c6a5 Bump org.bouncycastle:bcpkix-jdk18on from 1.78 to 1.78.1 (#1008)
• 7ec7dd1 Enable JwtParser empty nested algorithm collections. (#1007)
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-jackson from 0.12.6 to 0.13.0

Updates io.jsonwebtoken:jjwt-impl from 0.12.6 to 0.13.0

Release notes

Sourced from io.jsonwebtoken:jjwt-impl's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

• The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. Thank you to @​kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

• Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

• Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

  • Emptying the zip() nested collection disables JWT decompression.
  • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
  • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

  See Issue 996.

• Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

• Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

• Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

  Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

  NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

  See Issue 988.

• Upgrades the Gson dependency to 2.11.0

• Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

• @​sigpwned made their first contribution in jwtk/jjwt#968
• @​TheMrMilchmann made their first contribution in jwtk/jjwt#979
• @​atanasg made their first contribution in jwtk/jjwt#974

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-impl's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

• The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

• Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

• Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

  • Emptying the zip() nested collection disables JWT decompression.
  • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
  • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

  See Issue 996.

• Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

• Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

• Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

  Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

  NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

  See Issue 988.

• Upgrades the Gson dependency to 2.11.0

• Upgrades the BouncyCastle dependency to 1.78.1

Commits

• a757add [maven-release-plugin] prepare release 0.13.0
• e357463 Preparing for the 0.13.0 release.
• b6f8cb8 Made constructor public to allow users their own objectMapper instance (#972)
• 03f088a Bumping development version to 0.13.0-SNAPSHOT (#1014)
• 3f2697f Release 0.12.7 (#1012)
• efed1cf Updated 0.12.7 change list
• ca27b12 Resolves #1010 (#1011)
• 55c7b9a Resolves #771 (#1009)
• 6e9c6a5 Bump org.bouncycastle:bcpkix-jdk18on from 1.78 to 1.78.1 (#1008)
• 7ec7dd1 Enable JwtParser empty nested algorithm collections. (#1007)
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-jackson from 0.12.6 to 0.13.0

Updates org.openapitools:jackson-databind-nullable from 0.2.6 to 0.2.7

Release notes

Sourced from org.openapitools:jackson-databind-nullable's releases.

v0.2.7 released

What's Changed

• Update parent and dependencies by @​Til7701 in OpenAPITools/jackson-databind-nullable#61
• 0.2.7 release by @​wing328 in OpenAPITools/jackson-databind-nullable#63
• update pom.xml to use central publishing maven plugin, add workflow by @​wing328 in OpenAPITools/jackson-databind-nullable#66

New Contributors

• @​Til7701 made their first contribution in OpenAPITools/jackson-databind-nullable#61

Full Changelog: OpenAPITools/jackson-databind-nullable@v0.2.6...v0.2.7

Commits

• 2f8776c set version for plugins
• 27dd77c update pom.xml with deploy and production
• 872a3d9 update pom.xml to use central publishing maven plugin, add workflow (#66)
• 10d3f44 add sec.gpg.enc
• 674ac07 0.2.7 release (#63)
• 6687b74 Update parent and dependencies (#61)
• See full diff in compare view

Updates net.logstash.logback:logstash-logback-encoder from 8.0 to 8.1

Release notes

Sourced from net.logstash.logback:logstash-logback-encoder's releases.

logstash-logback-encoder-8.1

What's Changed

✨ New features and improvements

• Update LoggingEventJsonPatternParser to fix breaking logback change by @​jordanjennings in #1061

🐞 Bug fixes

• Always build source jar by @​philsttr in logfellow/logstash-logback-encoder#1037

📖 Documentation, Tests and Build

• Bump copyright year to 2025 by @​philsttr in logfellow/logstash-logback-encoder#1064

🆙 Dependency Upgrades

• Bump org.jacoco:jacoco-maven-plugin from 0.8.10 to 0.8.12 by @​dependabot in logfellow/logstash-logback-encoder#1031
• Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 by @​dependabot in logfellow/logstash-logback-encoder#1034
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.0.1 to 3.2.4 by @​dependabot in logfellow/logstash-logback-encoder#1033
• Bump org.sonatype.plugins:nexus-staging-maven-plugin from 1.6.13 to 1.7.0 by @​dependabot in logfellow/logstash-logback-encoder#1030
• Bump actions/upload-artifact@v4 by @​philsttr in logfellow/logstash-logback-encoder#1062
• Bump dependencies to latest by @​philsttr in logfellow/logstash-logback-encoder#1063
• Bump maven to 3.9.9 by @​philsttr in logfellow/logstash-logback-encoder#1065

New Contributors

• @​jordanjennings made their first contribution in #1061

Full Changelog: logfellow/logstash-logback-encoder@logstash-logback-encoder-8.0...logstash-logback-encoder-8.1

Commits

• a998591 [maven-release-plugin] prepare release logstash-logback-encoder-8.1
• 16714f1 [release]
• 88c5d27 [release]
• ed1b470 Update readme for 8.1
• f280cfd Bump maven to 3.9.9 (#1065)
• 053afde Bump copyright year to 2025 (#1064)
• a03fd11 Bump dependencies to latest (#1063)
• f4e5ff3 Update LoggingEventJsonPatternParser to fix breaking logback change (#1061)
• 83aa0fe Bump actions/upload-artifact@v4 (#1062)
• 76f5295 Bump org.sonatype.plugins:nexus-staging-maven-plugin (#1030)
• Additional commits viewable in compare view

Updates com.google.code.gson:gson from 2.11.0 to 2.13.1

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.13.1

What's Changed

• Give FieldNamingStrategy the ability to return multiple String names by @​mfriesen in google/gson#2776
• Remove outdated android-proguard-example by @​Goooler in google/gson#2843
• Adjust Troubleshooting Guide ProGuard / R8 section by @​Marcono1234 in google/gson#2844
• Update dependencies, including the problematic com.google.errorprone:error_prone_annotations:2.37.0.

New Contributors

• @​mfriesen made their first contribution in google/gson#2776
• @​Goooler made their first contribution in google/gson#2843

Full Changelog: https://github.com/goo...

Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.