It has been 27 days since the last alg=none JWT vulnerability.

The "Marvel's Avengers" videogame accepts alg=none tokens in API login responses
(and completely ignores signatures as well, for good measure).