This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.1 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit c30cb6a77ad1b427456fda457ebbe01356c4aee0
Author: guptas6est <[email protected]>
AuthorDate: Tue Nov 4 11:37:18 2025 +0000
[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and CVE-2025-53864 (#24937)
(cherry picked from commit 676ba078de57ff1a8b30384babc88becdf61e566)
---
pom.xml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 0e161c00cd0..82dda89a943 100644
--- a/pom.xml
+++ b/pom.xml
@@ -369,7 +369,7 @@ flexible messaging model and an intuitive client API.</description>
 <extra-enforcer-rules.version>1.6.1</extra-enforcer-rules.version>
 <oshi.version>6.4.0</oshi.version>
 <checkerframework.version>3.33.0</checkerframework.version>
-
+ <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
 <commons-beanutils.version>1.11.0</commons-beanutils.version>
 <commons-configuration2.version>2.12.0</commons-configuration2.version>
 </properties>
@@ -1739,6 +1739,12 @@ flexible messaging model and an intuitive client API.</description>
 <artifactId>opentelemetry-semconv</artifactId>
 <version>${opentelemetry.semconv.version}</version>
 </dependency>
+ <!-- enforce nimbus-jose-jwt version that gets pulled transitively -->
+ <dependency>
+ <groupId>com.nimbusds</groupId>
+ <artifactId>nimbus-jose-jwt</artifactId>
+ <version>${nimbus-jose-jwt.version}</version>
+ </dependency>
 <dependency>
 <groupId>commons-beanutils</groupId>
 <artifactId>commons-beanutils</artifactId>
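Review bot: The comment on the new managed nimbus-jose-jwt entry in the second hunk says the artifact is pulled in transitively but names neither the advisories the 9.37.4 floor addresses nor the direct dependency that drags it in, so a later maintainer cannot tell when the override is safe to retire or that lowering the property reopens the issue; suggest `<!-- Pin nimbus-jose-jwt (transitive; see #24937): 9.37.4 is the floor for CVE-2023-52428 and CVE-2025-53864 - remove once the direct consumer ships a fixed version -->`. Because a managed version only takes effect while this entry exists, it is worth backing the pin with a maven-enforcer bannedDependencies exclude such as `com.nimbusds:nimbus-jose-jwt:[,9.37.4)` so that an accidental removal or a future rebase fails the build instead of silently resolving a vulnerable artifact; the `extra-enforcer-rules.version` property visible in the first hunk suggests the enforcer plugin is already wired in, though its configuration is outside this diff. The enclosing dependency list, presumably `<dependencyManagement>`, starts and ends outside the hunk, so whether this is a managed version or a direct dependency added to every module cannot be confirmed from the diff alone.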
