I am trying to figure out whether I should pick (based on the adoption):
- nimbus-jose-jwt - Used By 279 artifacts OR
- jose4j - Used by 655 artifacts
I found that jose4j's author, Brian Campbell, is active, based on the commits; it has the features that I need, i.e. support for JWE,
and it works well, but what I don't like is this:
So, are developers picking jose4j, is it a good choice (am I being paranoid?) or should I move to nimbus (the Used By artifacts is more for nimbus, does it mean it's more widely adopted?)
Looks like that vulnerability is in Logback, which is a dependency that's only used in the unit tests (further down that page you screenshotted shows the different dependency categorizations).
I need to get that updated, obviously, but it doesn't impact the library itself.