- changed status to open
Dependency convergence failed for nimbus-jose-jwt in spring-security
Issue #441
resolved
Spring Security depends on oauth2-oidc-sdk
and nimbus-jose-jwt
. oauth2-oidc-sdk
recently downgraded versions. Unfortunately, Spring Security had already upgraded both libraries. Is there a way to get the 9.43.x
line of oauth2-oidc-sdk
back up to nimbus-jose-jwt
version 9.31
? We would like to avoid downgrading ourselves since we provide nimbus-jose-jwt
as a transitive dependency of spring-security-oauth2-jose
. See #13843 for background.
Comments (3)
-
-
reporter Thanks for the update Yavor. I’ve spoken with Josh and for now, we will revert to
nimbus-jose-jwt:9.24.4
as we should not have taken the update foroauth2-oidc-sdk:9.43.2
and instead waited for9.43.3
. -
reporter - changed status to resolved
- Log in to comment
I believe the downgrade in May was made in response to a request by Josh Cummings from Spring Security.
The most recent stable JWT lib is 9.35. Let us know if you'd prefer 9.35 instead (recommended).