diff --git a/README.md b/README.md
index 63390a95..8c3db1c3 100644
--- a/README.md
+++ b/README.md
@@ -26,26 +26,26 @@ X.509 and JWT SVIDs and bundles.
Download
--------
-The JARs can be downloaded from [Maven Central](https://search.maven.org/search?q=g:io.spiffe%20AND%20v:0.6.0).
+The JARs can be downloaded from [Maven Central](https://search.maven.org/search?q=g:io.spiffe%20AND%20v:0.6.1).
The dependencies can be added to `pom.xml`:
```xml
io.spiffe
java-spiffe-core
- 0.6.0
+ 0.6.1
io.spiffe
java-spiffe-provider
- 0.6.0
+ 0.6.1
```
Using Gradle:
```gradle
-implementation 'io.spiffe:java-spiffe-core:0.6.0'
-implementation 'io.spiffe:java-spiffe-provider:0.6.0'
+implementation 'io.spiffe:java-spiffe-core:0.6.1'
+implementation 'io.spiffe:java-spiffe-provider:0.6.1'
```
### MacOS Support
@@ -55,14 +55,14 @@ Add to your `pom.xml`:
io.spiffe
grpc-netty-macos
- 0.6.0
+ 0.6.1
runtime
```
Using Gradle:
```gradle
-runtimeOnly 'io.spiffe:grpc-netty-macos:0.6.0'
+runtimeOnly 'io.spiffe:grpc-netty-macos:0.6.1'
```
### Build the JARs
diff --git a/build.gradle b/build.gradle
index f1b8abbd..6a64f444 100644
--- a/build.gradle
+++ b/build.gradle
@@ -12,14 +12,14 @@ allprojects {
subprojects {
group = 'io.spiffe'
- version = '0.6.0'
+ version = '0.6.1'
ext {
- grpcVersion = '1.30.2'
+ grpcVersion = '1.31.1'
jupiterVersion = '5.6.2'
- mockitoVersion = '3.3.3'
+ mockitoVersion = '3.5.2'
lombokVersion = '1.18.12'
- nimbusVersion = '8.19'
+ nimbusVersion = '8.20'
}
apply plugin: 'java-library'
@@ -95,8 +95,8 @@ subprojects {
}
dependencies {
- implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
- implementation group: 'commons-validator', name: 'commons-validator', version: "1.6"
+ implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.11'
+ implementation group: 'commons-validator', name: 'commons-validator', version: "1.7"
testCompileOnly group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: "${jupiterVersion}"
testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: "${jupiterVersion}"
diff --git a/java-spiffe-core/build.gradle b/java-spiffe-core/build.gradle
index a86c1dfe..7223fa7b 100644
--- a/java-spiffe-core/build.gradle
+++ b/java-spiffe-core/build.gradle
@@ -57,7 +57,7 @@ dependencies {
testFixturesImplementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: "${nimbusVersion}"
// using bouncy castle for generating X.509 certs for testing purposes
- testFixturesImplementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.65'
- testFixturesImplementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
+ testFixturesImplementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.66'
+ testFixturesImplementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.11'
}
diff --git a/java-spiffe-core/grpc-netty-macos/build.gradle b/java-spiffe-core/grpc-netty-macos/build.gradle
index ebb01d00..5106e337 100644
--- a/java-spiffe-core/grpc-netty-macos/build.gradle
+++ b/java-spiffe-core/grpc-netty-macos/build.gradle
@@ -2,7 +2,7 @@ description = "Java SPIFFE Library GRPC-Netty MacOS module"
dependencies {
implementation group: 'io.grpc', name: 'grpc-netty', version: "${grpcVersion}"
- implementation group: 'io.netty', name: 'netty-transport-native-kqueue', version: '4.1.50.Final', classifier: 'osx-x86_64'
+ implementation group: 'io.netty', name: 'netty-transport-native-kqueue', version: '4.1.51.Final', classifier: 'osx-x86_64'
}
jar {
diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/jwtsvid/JwtSvid.java b/java-spiffe-core/src/main/java/io/spiffe/svid/jwtsvid/JwtSvid.java
index 78ad31d0..89e03395 100644
--- a/java-spiffe-core/src/main/java/io/spiffe/svid/jwtsvid/JwtSvid.java
+++ b/java-spiffe-core/src/main/java/io/spiffe/svid/jwtsvid/JwtSvid.java
@@ -278,11 +278,10 @@ private static SpiffeId getSpiffeIdOfSubject(final JWTClaimsSet claimsSet) throw
}
- private static void validateAudience(final List audClaim, final Set expectedAudience) throws JwtSvidException {
- for (String aud : audClaim) {
- if (!expectedAudience.contains(aud)) {
- throw new JwtSvidException(String.format("expected audience in %s (audience=%s)", expectedAudience, audClaim));
- }
+ // expected audiences must be a subset of the audience claim in the token
+ private static void validateAudience(final List audClaim, final Set expectedAudiences) throws JwtSvidException {
+ if (!audClaim.containsAll(expectedAudiences)) {
+ throw new JwtSvidException(String.format("expected audience in %s (audience=%s)", expectedAudiences, audClaim));
}
}
}
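Review bot: An empty `expectedAudiences` set passes this check for any token, because `audClaim.containsAll(expectedAudiences)` is vacuously true when there is nothing to look for. Whether a caller rejects an empty set before reaching `validateAudience` is not visible in this hunk; if none does, the guard could be `if (expectedAudiences.isEmpty() || !audClaim.containsAll(expectedAudiences)) {`. The `//` comment could also say that the token's `aud` claim may now carry audiences beyond the expected ones, since the removed loop rejected such tokens.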
diff --git a/java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseAndValidateTest.java b/java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseAndValidateTest.java
index 80bc6ab4..8a740758 100644
--- a/java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseAndValidateTest.java
+++ b/java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseAndValidateTest.java
@@ -19,6 +19,7 @@
import java.security.KeyPair;
import java.util.Collections;
import java.util.Date;
+import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Stream;
@@ -28,9 +29,9 @@
class JwtSvidParseAndValidateTest {
- private static final String HS256TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImF1dGhvcml0eTEifQ.eyJzdWIiOiJ" +
- "zcGlmZmU6Ly90ZXN0LmRvbWFpbi9ob3N0IiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxMjM0MzQzNTM0NTUsImlhdCI6MTUxNjIzOTAyMn0." +
- "TWSPgMbs227cbZxSLg247Uuag0Kz72cuSpJuozcMddA";
+ private static final String HS256TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImF1dGhvcml0eTEifQ." +
+ "eyJzdWIiOiJzcGlmZmU6Ly90ZXN0LmRvbWFpbi9ob3N0IiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxMjM0MzQzNTM0NTUsImlh" +
+ "dCI6MTUxNjIzOTAyMiwiYXVkIjoiYXVkaWVuY2UifQ.wNm5pQGSLCw5N9ddgSF2hkgmQpGnG9le_gpiFmyBhao";
@ParameterizedTest
@MethodSource("provideJwtScenarios")
@@ -112,7 +113,7 @@ static Stream provideJwtScenarios() {
SpiffeId spiffeId = trustDomain.newSpiffeId("host");
Date expiration = new Date(System.currentTimeMillis() + 3600000);
- Set audience = Collections.singleton("audience");
+ Set audience = new HashSet() {{add("audience1"); add("audience2");}};
JWTClaimsSet claims = TestUtils.buildJWTClaimSet(audience, spiffeId.toString(), expiration);
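Review bot: The double-brace initializer `new HashSet() {{add("audience1"); add("audience2");}}` creates an anonymous `HashSet` subclass and leaves the iteration order of the two audiences to the hash implementation. The expected message in a later hunk, `audience=[audience2, audience1]`, appears to depend on that order, so the assertion is brittle if the set type or the hashing changes. A `LinkedHashSet` filled with two plain `add` calls, or `new HashSet<>(Arrays.asList("audience1", "audience2"))`, each with its matching import, would avoid the anonymous class. The message assertion would then have to match the resulting order. `provideJwtScenarios` starts and ends outside this hunk.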
@@ -120,7 +121,7 @@ static Stream provideJwtScenarios() {
Arguments.of(TestCase.builder()
.name("1. success using EC signature")
.jwtBundle(jwtBundle)
- .expectedAudience(audience)
+ .expectedAudience(Collections.singleton("audience1"))
.generateToken(() -> TestUtils.generateToken(claims, key1, "authority1"))
.expectedException(null)
.expectedJwtSvid(newJwtSvidInstance(
@@ -151,7 +152,7 @@ static Stream provideJwtScenarios() {
Arguments.of(TestCase.builder()
.name("4. unsupported algorithm")
.jwtBundle(jwtBundle)
- .expectedAudience(audience)
+ .expectedAudience(Collections.singleton("audience"))
.generateToken(() -> HS256TOKEN)
.expectedException(new JwtSvidException("Unsupported token signature algorithm HS256"))
.build()),
@@ -181,7 +182,7 @@ static Stream provideJwtScenarios() {
.jwtBundle(jwtBundle)
.expectedAudience(Collections.singleton("another"))
.generateToken(() -> TestUtils.generateToken(claims, key1, "authority1"))
- .expectedException(new JwtSvidException("expected audience in [another] (audience=[audience])"))
+ .expectedException(new JwtSvidException("expected audience in [another] (audience=[audience2, audience1])"))
.build()),
Arguments.of(TestCase.builder()
.name("9. invalid subject claim")
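Review bot: The audience-mismatch scenario before "9. invalid subject claim" only covers an expected audience that is entirely absent from the token. No visible case pins a partial overlap, which is what separates `containsAll` from an any-match check. A scenario whose `.expectedAudience(...)` holds both `"audience1"` and `"another"` and expects the `JwtSvidException` would guard the subset rule against regression. The scenario list continues outside this hunk, so such a case may already exist elsewhere.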
diff --git a/java-spiffe-helper/README.md b/java-spiffe-helper/README.md
index 4d98fae4..02812757 100644
--- a/java-spiffe-helper/README.md
+++ b/java-spiffe-helper/README.md
@@ -10,11 +10,11 @@ The Helper automatically gets the SVID updates and stores them in the KeyStore a
On Linux:
-`java -jar java-spiffe-helper-0.6.0-linux-x86_64.jar -c helper.conf`
+`java -jar java-spiffe-helper-0.6.1-linux-x86_64.jar -c helper.conf`
On Mac OS:
-`java -jar java-spiffe-helper-0.6.0-osx-x86_64.jar -c helper.conf`
+`java -jar java-spiffe-helper-0.6.1-osx-x86_64.jar -c helper.conf`
(The jar can be found in `build/libs`, after running the gradle build)