Sourced from com.sap.cloud.security.xsuaa:token-client's releases.

3.6.6

• added Token Exchange support to Security Library for ID Token exchange and XSUAA Token exchange

Dependency upgrades

• Update Spring dependencies (#1907)
• Bump the prod-deps-ver group with 9 updates (#1902)
• Bump the dev-deps group with 3 updates (#1901)
• Bump io.projectreactor:reactor-test from 3.7.11 to 3.8.2 (#1892)
• Configure Dependabot with dependency groups (#1900)
• Bump org.sonatype.central:central-publishing-maven-plugin (#1894)
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.6 (#1895)
• Bump org.json:json from 20250517 to 20251224 (#1898)
• Bump ch.qos.logback:logback-core from 1.5.19 to 1.5.25 in /token-client (#1899)
• Bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (#1873)
• Bump org.apache.maven.plugins:maven-pmd-plugin from 3.27.0 to 3.28.0 (#1874)
• Bump reactor.version from 3.7.11 to 3.7.12 (#1875)
• Bump spring.core.version from 6.2.11 to 6.2.12 (#1878)
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.6.0 to 4.9.8.1 (#1880)
• Bump com.github.spotbugs:spotbugs-annotations from 4.9.6 to 4.9.8 (#1881)
• Bump spring.security.version from 6.5.5 to 6.5.6 (#1882)
• Bump spring.security.oauth2.version from 6.5.5 to 6.5.6 (#1883)
• Bump ch.qos.logback:logback-core from 1.5.13 to 1.5.19 in /token-client (#1884)

3.6.5

Dependency upgrades

• Bump org.sonatype.central:central-publishing-maven-plugin (#1867)
• Bump io.projectreactor:reactor-test from 3.7.9 to 3.7.11 (#1868)
• Remove version pinning for nimbus-jose-jwt
• Update jetty dependency to 12.0.27 (#1865)
• Bump reactor.version from 3.7.9 to 3.7.11 (#1849)
• Bump org.mockito:mockito-core from 5.19.0 to 5.20.0 (#1860)
• Bump log4j2.version from 2.25.1 to 2.25.2 (#1861)
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (#1862)
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (#1864)
• Bump spring.boot.version from 3.5.5 to 3.5.6 (#1863)
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 (#1859)
• Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 (#1852)
• Bump io.github.hakky54:logcaptor from 2.12.0 to 2.12.1 (#1853)
• Bump spring.core.version from 6.2.10 to 6.2.11 (#1850)
• Bump spring.security.version from 6.5.3 to 6.5.5 (#1855)
• Bump spring.security.oauth2.version from 6.5.3 to 6.5.5 (#1856)
• Bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (#1857)
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.4.2 to 4.9.6.0 (#1858)

3.6.4

Dependency upgrades

• Override nimbus dependency (#1845)
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.4.1 to 4.9.4.2 (#1844)
• Bump io.projectreactor:reactor-test from 3.7.7 to 3.7.9 (#1843)
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.3.2 to 4.9.4.1 (#1842)

... (truncated)

Sourced from com.sap.cloud.security.xsuaa:token-client's changelog.

3.6.6

• added Token Exchange support to Security Library for ID Token exchange and XSUAA Token exchange

Dependency upgrades

• Update Spring dependencies (#1907)
• Bump the prod-deps-ver group with 9 updates (#1902)
• Bump the dev-deps group with 3 updates (#1901)
• Bump io.projectreactor:reactor-test from 3.7.11 to 3.8.2 (#1892)
• Configure Dependabot with dependency groups (#1900)
• Bump org.sonatype.central:central-publishing-maven-plugin (#1894)
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.6 (#1895)
• Bump org.json:json from 20250517 to 20251224 (#1898)
• Bump ch.qos.logback:logback-core from 1.5.19 to 1.5.25 in /token-client (#1899)
• Bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (#1873)
• Bump org.apache.maven.plugins:maven-pmd-plugin from 3.27.0 to 3.28.0 (#1874)
• Bump reactor.version from 3.7.11 to 3.7.12 (#1875)
• Bump spring.core.version from 6.2.11 to 6.2.12 (#1878)
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.6.0 to 4.9.8.1 (#1880)
• Bump com.github.spotbugs:spotbugs-annotations from 4.9.6 to 4.9.8 (#1881)
• Bump spring.security.version from 6.5.5 to 6.5.6 (#1882)
• Bump spring.security.oauth2.version from 6.5.5 to 6.5.6 (#1883)
• Bump ch.qos.logback:logback-core from 1.5.13 to 1.5.19 in /token-client (#1884)

3.6.5

Dependency upgrades

• Bump org.sonatype.central:central-publishing-maven-plugin (#1867)
• Bump io.projectreactor:reactor-test from 3.7.9 to 3.7.11 (#1868)
• Remove version pinning for nimbus-jose-jwt
• Update jetty dependency to 12.0.27 (#1865)
• Bump reactor.version from 3.7.9 to 3.7.11 (#1849)
• Bump org.mockito:mockito-core from 5.19.0 to 5.20.0 (#1860)
• Bump log4j2.version from 2.25.1 to 2.25.2 (#1861)
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (#1862)
• Bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (#1864)
• Bump spring.boot.version from 3.5.5 to 3.5.6 (#1863)
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 (#1859)
• Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 (#1852)
• Bump io.github.hakky54:logcaptor from 2.12.0 to 2.12.1 (#1853)
• Bump spring.core.version from 6.2.10 to 6.2.11 (#1850)
• Bump spring.security.version from 6.5.3 to 6.5.5 (#1855)
• Bump spring.security.oauth2.version from 6.5.3 to 6.5.5 (#1856)
• Bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (#1857)
• Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.4.2 to 4.9.6.0 (#1858)

3.6.4

... (truncated)

• 699d25f Release 3.6.6 (#1908)
• 033870b Update Spring dependencies (#1907)
• b69f9f9 Bump the prod-deps-ver group with 9 updates (#1902)
• c6c6cbb Bump the dev-deps group with 3 updates (#1901)
• 3ffaebc Bump io.projectreactor:reactor-test from 3.7.11 to 3.8.2 (#1892)
• d791dbf Configure Dependabot with dependency groups (#1900)
• e051197 Bump org.sonatype.central:central-publishing-maven-plugin (#1894)
• 3ae6036 Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.6 (#1895)
• 1723785 Bump org.json:json from 20250517 to 20251224 (#1898)
• 2aa234a Bump ch.qos.logback:logback-core from 1.5.19 to 1.5.25 in /token-client (#1899)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)