Congratulations on the 9.0 release!
Now seems like it might be a good time to review Nimbus's release process and backporting policies for potential improvements.
Spring Security is a project that depends on Nimbus and also follows semantic versioning. The two projects release at different paces and with different support guarantees.
For example, Spring Security releases a minor version every six months. Nimbus, it appears, releases with just about every PR merge. Spring Security supports minor releases for 18 months from the release date. It's not clear to me to which minor versions, if any, Nimbus regularly backports fixes nor for how long they'll do it.
These factors together introduce some challenges with Spring Security users getting Nimbus's bug fixes and security patches.
For example, Spring Security 5.3.0 released in March 2020 and depends on nimbus-jose-jwt 8.9. Ideally, Spring Security 5.3.x would only make maintenance upgrades from 8.9.x. But, up to this point, we've been taking minor version Nimbus upgrades in our 5.3.x release to simplify getting bug fixes and security patches introduced in future Nimbus versions.
As another example, Spring Security 5.4 releases in September and would ideally upgrade to 8.20 since that is the next 8.x minor release. However, now that 9 is released, I wonder how simple it will be to get bug fixes and security patches regularly applied to 8.20.x over the next 18 months.
Is there a way to improve how Nimbus releases or how it supports older versions? Some things that would be nice to consider would be a release calendar and a clearer understanding of which minor versions will get fixes and security patches over a longer period of time.