It has been 11 days since the last alg=none JWT vulnerability.

The UK NHS COVID-19 contact tracing app for Android was accepting
alg=none tokens in venue check-in QR codes. Write-up here.