jsonwebtoken dependency version #1768

ethanhere · 2024-08-16T17:29:05Z

ethanhere
Aug 16, 2024

We are upgrading our applications to use micronaut-platform 4.5.1 and micronaut-core 4.5.4 and micronaut-security 4.9.1:

<parent>
    <groupId>myorg</groupId>
    <artifactId>myorgparent</artifactId>
    <version>1.0</version>
</parent>
<groupId>myorg</groupId>
<artifactId>myapp</artifactId>
<version>1.0</version>
<packaging>pom</packaging>

`

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>io.micronaut.platform</groupId>
            <artifactId>micronaut-platform</artifactId>
            <version>4.5.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>

        <dependency>
            <groupId>io.micronaut</groupId>
            <artifactId>micronaut-core-bom</artifactId>
            <version>4.5.4</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
<dependencyManagement>

`
In the parent project, myorg:myorgparent we have an module (myorg.security.jwt) that has io.jsonwebtoken dependency
io.jsonwebtoken:jjwt-api:0.11.5
io.jsonwebtoken:jjwt-impl:0.11.5
io.jsonwebtoken:jjwt-jackson:0.11.5

When I build and unit test our app, our test code uses code in myorg.security.jwt that uses io.jsonwebtoken:jjwt-api code. We found that at runtime, it uses io.jsonwebtoken:jjwt-api with version 0.12.6. That would cause java.lang.NoSuchMethodError: 'io.jsonwebtoken.Claims io.jsonwebtoken.Jwts.claims()'

Because when we build the parent artifacts myorg:myorgparent we compiled using io.jsonwebtoken:jjwt-api:0.11.5, but when building myapp and run unit test, the runtime jar is io.jsonwebtoken:jjwt-api:0.12.6.

I found that in micronaut-secuirty 4.9.1 file (https://github.com/micronaut-projects/micronaut-security/blob/v4.9.1/gradle/libs.versions.toml), it has:
...
managed-jjwt = "0.12.6"
...
managed-jjwt-api = { module = "io.jsonwebtoken:jjwt-api", version.ref = "managed-jjwt" }
managed-jjwt-impl = { module = "io.jsonwebtoken:jjwt-impl", version.ref = "managed-jjwt" }
managed-jjwt-jackson = { module = "io.jsonwebtoken:jjwt-jackson", version.ref = "managed-jjwt" }
...

I also searched "jsonwebtoken" string in micronaut-secuirty 4.9.1 java code and only found the following 3 tests uses jsonwebtoken code:
./test-suite-jwt-tck/src/main/java/io/micronaut/security/jwt/tck/JsonWebTokenSignatureValidatorTest.java:import io.jsonwebtoken.Jwts;
./test-suite-jwt-tck/src/main/java/io/micronaut/security/jwt/tck/JsonWebTokenSignatureValidatorTest.java:import io.jsonwebtoken.io.Encoders;
./test-suite-jwt-tck/src/main/java/io/micronaut/security/jwt/tck/JsonWebTokenParserTest.java:import io.jsonwebtoken.Jwts;

Is it possible that micronaut not forcing the application to use the same version jsonwebtoken library, given micronaut only uses jsonwebtoken in its test code?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

jsonwebtoken dependency version #1768

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

jsonwebtoken dependency version #1768

ethanhere Aug 16, 2024

Replies: 0 comments

ethanhere
Aug 16, 2024