Bump com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8

[dependabot]

Bumps com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8.

Changelog

Sourced from com.nimbusds:nimbus-jose-jwt's changelog.

10.7 (2026-01-08) * Adds MaxCompressedCipherTextLength that implements JWEDecrypterOption, to to configure the maximum allowed length of compressed cipher text. * Adds JWEObject.decrypt(JWEDecrypter, Set) method to support the MaxCompressedCipherTextLength option.

10.8 (2026-02-19) * Adds a PasswordBasedDecrypter(byte[], Set) constructor to specify names of the critical header parameters that are deferred to the application for processing. Aligns with other JWEDecrypter and CriticalHeaderParamsAware implementations (iss #610). * Fixes getDeferredCriticalHeaderParams() in AESDecrypter, DirectDecrypter, RSADecrypter, ECDHDecrypter, X25519Decrypter, ECDH1PUDecrypter, ECDH1PUX25519Decrypter, MultiDecrypter, MACVerifier, ECDSAVerifier and Ed25519Verifier. Must internally call critPolicy.getDeferredCriticalHeaderParams(), not critPolicy.getProcessedCriticalHeaderParams() (iss #612).

Commits

• 9509dc5 [maven-release-plugin] prepare for next development iteration
• 0e27c9c Adds a PasswordBasedDecrypter(byte[], Set<String>) constructor to specify nam...
• decee47 Fixes getDeferredCriticalHeaderParams() in AESDecrypter, DirectDecrypter, RSA...
• b8d40c9 [maven-release-plugin] prepare release 10.8
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[greptile-apps]

Greptile Summary

Updates com.nimbusds:nimbus-jose-jwt from 10.7 to 10.8, a bug fix release that improves the library's handling of critical header parameters in JWE decryption.

Key Changes:

• Adds new PasswordBasedDecrypter constructor for specifying deferred critical header parameters
• Fixes bug in getDeferredCriticalHeaderParams() across multiple decrypter and verifier classes (was incorrectly calling getProcessedCriticalHeaderParams())

Impact:

• Low risk: This is a transitive dependency used through azure-identity for ADLS support
• No breaking changes or API modifications affecting existing code
• Bug fixes improve correctness without requiring code changes

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• This is a minor version bump (10.7 to 10.8) of nimbus-jose-jwt that only includes bug fixes. The changelog shows two specific fixes: adding a new constructor to PasswordBasedDecrypter and fixing getDeferredCriticalHeaderParams() methods in multiple decrypter/verifier classes. These are non-breaking changes that improve correctness. The library is used as a transitive dependency through azure-identity for ADLS support, and no direct usage of the affected APIs was found in the codebase.
• No files require special attention

Important Files Changed

Filename	Overview
gradle/libs.versions.toml	Dependency version bump from 10.7 to 10.8 - bug fix release with no breaking changes

_{Last reviewed commit: 2490b97}