SpringBoot Breaking dependency change in spring-boot-starter-parent-v2.3.4 (nimbus-jose-jwt)

I encountered the following runtime error after bumping spring-boot-starter-parent from 2.3.3.RELEASE to 2.3.4.RELEASE, in a lib that depended on an older version of nimbus-jose-jwt:

java.lang.NoSuchMethodError: com.nimbusds.jose.jwk.source.DefaultJWKSetCache.<init>(JLjava/util/concurrent/TimeUnit;)

It seems nimbus-jose-jwt had a breaking API change between versions 8.9 and 8.10, where a constructor for DefaultJWKSetCache was changed from requiring 2 to requiring 3 arguments: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f65bfa5#Lsrc/main/java/com/nimbusds/jose/jwk/source/DefaultJWKSetCache.javaF79

nimbus-jose-jwt was suggested bumped to version 8.8 here: #22996 and bumped to version 8.19 here: https://github.com/spring-projects/spring-boot/commit/0b3a1310bde978730b6943d25beeab1b4f1e975d to align with Spring Security 5.3.4: https://github.com/spring-projects/spring-boot/pull/22996#issuecomment-679895538

Hopefully this issue can make the troubleshooting process faster for others.

Comment From: wilkinsona

Thanks for the report. Unfortunately, there's no perfect solution here. We can either revert #22996 and reinstate the dependency convergence problem or we can live with the problem that you have described above. I think the latter is the better of the two options. Anyone affected by this problem should override the opinion of Spring Boot's dependency management to select a version of Nimbus JOSE JWT that meets their needs.