It has been 62 days since the last alg=none JWT vulnerability.

Apache Pulsar accepted alg=none tokens if it was configured to authenticate clients via JWT.