Skip to content

chore(deps): update spring #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 9, 2025
Merged

chore(deps): update spring #53

merged 1 commit into from
Sep 9, 2025

Conversation

NetcrackerCLPLCI
Copy link
Contributor

@NetcrackerCLPLCI NetcrackerCLPLCI commented Sep 9, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
org.springdoc:springdoc-openapi-starter-webmvc-api (source) compile patch 2.8.12 -> 2.8.13
org.springframework.security:spring-security-test (source) test minor 6.4.9 -> 6.5.3
org.springframework.boot:spring-boot-test (source) test minor 3.4.9 -> 3.5.5
org.springframework.boot:spring-boot-starter-test (source) test minor 3.4.9 -> 3.5.5

Release Notes

springdoc/springdoc-openapi (org.springdoc:springdoc-openapi-starter-webmvc-api)

v2.8.13

Compare Source

Added
Changed
  • Upgrade swagger-ui to v5.28.1
Fixed
  • #​3076 - With oneOf the response schema contains an extra type: string
spring-projects/spring-security (org.springframework.security:spring-security-test)

v6.5.3

Compare Source

⭐ New Features

  • Add META-INF/LICENSE.txt to published jars #​17639
  • Update Angular documentation links in csrf.adoc #​17653
  • Update Shibboleth Repository URL #​17637
  • Use 2004-present Copyright #​17634

🪲 Bug Fixes

  • Add Missing Navigation in Preparing for 7.0 Guide #​17731
  • DPoP authentication throws JwtDecoderFactory ClassNotFoundException #​17249
  • OpenSamlAssertingPartyDetails Should Be Serializable #​17727
  • Use final values in equals and hashCode #​17621

🔨 Dependency Upgrades

  • Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17739
  • Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17690
  • Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17684
  • Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17661
  • Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17615
  • Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17599
  • Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17737
  • Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17701
  • Bump io.mockk:mockk from 1.14.4 to 1.14.5 #​17614
  • Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #​17647
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #​17733
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #​17711
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #​17612
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #​17598
  • Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #​17742
  • Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17613
  • Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17595
  • Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17760
  • Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17692
  • Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17683
  • Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17671
  • Bump org.gretty:gretty from 4.1.6 to 4.1.7 #​17616
  • Bump org.gretty:gretty from 4.1.6 to 4.1.7 #​17597
  • Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #​17646
  • Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #​17660
  • Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #​17694
  • Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #​17685
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.34.1 to 4.34.2 #​17650
  • Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17645
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #​17757
  • Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17651
  • Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17596
  • Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #​17735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​codingtim

v6.5.2

Compare Source

🪲 Bug Fixes

  • <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #​17495
  • Add 7.0 Migration Steps for Messaging PathPattern Usage #​17509
  • EnableReactiveMethodSecurity should not import Servlet configuration #​17545
  • Fix equals and hashCode in PathPatternRequestMatcher to include HTTP method #​17337
  • Fix securityContextRepository() initialization in oauth2Login() DSL #​17557
  • OAuth2Login DSL should support post-processing AuthenticationProvider implementations #​17176
  • Websocket XML config should pick up PathPatternMessageMatcher.Builder #​17508

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​fkowal and @​therepanic

v6.5.1

Compare Source

⭐ New Features

  • Create demonstration of include-code usage #​17161
  • Setup include-code extension for docs #​17160

🪲 Bug Fixes

  • ClearSiteDataHeaderWriter log is misleading #​17166
  • Fix to allow multiple AuthenticationFilter instances to process each request #​17216
  • Inconsistent constructor declaration on bean with name '_reactiveMethodSecurityConfiguration' #​17210
  • OAuth2ResourceServer using authenticationManagerResolver results in tokenAuthenticationManager cannot be null while startup #​17172
  • Publishing a default TargetVisitor should not override Spring MVC support #​17189
  • Use HttpStatus in back-channel logout filters #​17157

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #​17233
  • Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE #​17192
  • Bump io-spring-javaformat from 0.0.43 to 0.0.45 #​17152
  • Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #​17220
  • Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #​17232
  • Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #​17204
  • Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #​17214
  • Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #​17184
  • Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #​17256
  • Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17257
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17239
  • Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​evgeniycheban

v6.5.0

Compare Source

⭐ New Features

  • Add documentation for DPoP support #​17072
  • Add logging to CsrfTokenRequestHandler implementations #​16994
  • Add mapping for DPoP in DefaultMapOAuth2AccessTokenResponseConverter #​16806
  • Bump Gradle Wrapper from 8.13 to 8.14 #​17018
  • ClientRegistrations.fromIssuerLocation does not include failure information #​17015
  • Fix Typo In SubjectDnX509PrincipalExtractorTests #​16997
  • Implement internal cache in JtiClaimValidator #​17107
  • Polish javadoc #​16924
  • Remove unused classes #​16935
  • Replace NimbusOpaqueTokenIntrospector with SpringOpaqueTokenIntrospector in Documentation #​16962
  • RequestHeaderAuthenticationFilter creates a session even if not configured to do so #​17147

🪲 Bug Fixes

  • Add FunctionalInterface To X509PrincipalExtractor #​16952
  • Change NonNull import from reactor to spring #​16571
  • Fix DPoP jkt claim to be JWK SHA-256 thumbprint #​17080
  • Minor error in the Handling Logouts documentation #​17049
  • SecurityAnnotationScanner's method comparison should use .equals #​17145
  • Use proper configuration key in Opaque Token documentation #​17014

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #​17069
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.19.0 #​16995
  • Bump com.google.code.gson:gson from 2.13.0 to 2.13.1 #​16990
  • Bump com.webauthn4j:webauthn4j-core from 0.29.0.RELEASE to 0.29.1.RELEASE #​17024
  • Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #​17095
  • Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #​17096
  • Bump io.mockk:mockk from 1.14.0 to 1.14.2 #​17019
  • Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #​17111
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #​17040
  • Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #​17088
  • Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #​16761
  • Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #​17089
  • Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #​17105
  • Bump org.seleniumhq.selenium:selenium-java from 4.31.0 to 4.32.0 #​17037
  • Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #​16981
  • Bump org.springframework.data:spring-data-bom from 2024.1.5 to 2024.1.6 #​17137
  • Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #​17124

🔩 Build Updates

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dkowis, @​franticticktick, @​hammadirshad, @​jearton, @​ngocnhan-tran1996, @​quaff, and @​yybmion

spring-projects/spring-boot (org.springframework.boot:spring-boot-test)

v3.5.5

Compare Source

🐞 Bug Fixes
  • Hazelcast health indicator reports the wrong status when Hazelcast has shut down due to an out-of-memory error #​46909
  • Performance critical tracing code has high overhead due to the use of the Stream API #​46844
  • SpringLiquibaseCustomizer is exposed outside its defined visibility scope #​46758
  • Race condition in OutputCapture can result in stale data #​46721
  • Auto-configured WebClient no longer uses context's ReactorResourceFactory #​46673
  • Default value not detected for a field annoted with @Name #​46666
  • Missing metadata when using @Name with a constructor-bound property #​46663
  • Missing property for Spring Authorization Server's PAR endpoint #​46641
  • Property name is incorrect when reporting a mis-configured OAuth 2 Resource Server JWT public key location #​46636
  • Memory not freed on context restart in JpaMetamodel#CACHE with spring.main.lazy-initialization=true #​46634
  • Auto-configured MockMvc ignores @FilterRegistration annotation #​46605
  • Failure to discover default value for a primitive should not lead to document its default value #​46561
📔 Documentation
  • Kotlin samples for configuration metadata are in the wrong package #​46857
  • Observability examples in the reference guide are missing the Kotlin version #​46798
  • Align method descriptions for SslOptions getCiphers and getEnabledProtocols with @returns #​46769
  • Tracing samples in the reference guide are missing the Kotlin version #​46767
  • Improve Virtual Threads section to mention the changes in Java 24 #​46610
  • spring.test.webtestclient.timeout is not documented #​46588
  • spring-boot-test-autoconfigure should use the configuration properties annotation processor like other modules #​46585
  • Adapt deprecation level for management.health.influxdb.enabled #​46580
  • spring.test.mockmvc properties are not documented #​46578
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kguswo, @​deejay1, @​ganjisriver, @​izeye, @​jetflo, @​ngocnhan-tran1996, @​nicolasgarea, @​nosan, @​prishedko, @​quaff, @​schmidti159, @​scordio, @​shakuzen, @​tommyk-gears, @​zahra7, and @​zakaria-shahen

v3.5.4

Compare Source

🐞 Bug Fixes
  • LambdaSafe.withFilter is not public #​46474
  • Executable JAR application class encounters performance issues when used with Palo Alto Network Cortex XDR agent #​46402
  • Runtime dependencies are missing from aotCompileClasspath and aotTestCompileClasspath when using Kotlin #​46398
  • Additional fields for structured JSON logging incompatible with nested ecs logging in 3.5.x #​46351
  • Change in DefaultErrorAttributes alters the shape of API validation error responses #​46260
  • jdbc.connections.active and jdbc.connections.idle metrics are not available when using Hikari in a native image #​46225
  • developmentOnly and testAndDevelopmentOnly dependencies may prevent implementation dependencies from being included in the uber-jar #​46205
  • Hash calculation for uber archive entries that require unpacking is inefficient #​46203
  • Permissions are applied inconsistently when building uber archives with Gradle #​46194
  • Environment variables using legacy dash format can no longer be bound #​46184
  • EmbeddedWebServerFactoryCustomizerAutoConfiguration fails when undertow-core is on the classpath and undertow-servlet is not #​46180
  • Executable JAR application class encounters performance issues #​46177
  • Executable JAR application class encounters performance issues #​46176
  • Setting spring.reactor.context-propagation has no effect when lazy initialization is enabled #​46174
  • Setting spring.netty.leak-detection has no effect when lazy initialization is enabled #​46170
  • SslInfo does not use its Clock when checking certificate validity #​46011
📔 Documentation
  • Fix description of spring.batch.job.enabled #​46247
  • Fix broken Kotlin examples in reference documentation #​46168
  • Add Logback Access Reactor Netty to community starters #​46060
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Dockerel, @​PiyalAhmed, @​benelog, @​dmitrysulman, @​izeye, @​ngocnhan-tran1996, @​nosan, and @​quaff

v3.5.3

Compare Source

🐞 Bug Fixes
  • Binder context does not restore previous source causing missing data on Spring Boot 3.5 or above #​46040

v3.5.2

Compare Source

🐞 Bug Fixes
  • IllegalArgumentException: 'name' must not be null thrown when property source filtering applied twice #​46032

v3.5.1

Compare Source

⚠️ Noteworthy Changes
  • This release upgrades to Tomcat 10.1.42 which has introduced limits for part count and header size in multipart/form-data requests. These limits can be customized using server.tomcat.max-part-count and server.tomcat.max-part-header-size respectively.
⭐ New Features
  • Allow Specifying ConfigData.Options On ConfigDataEnvironmentContributors #​42932
🐞 Bug Fixes
  • Executable JAR application class encounters performance issues when classpath URLs reference a host #​46028
  • Loading from spring.factories may fail with a ClassNotFoundException when the TCCL changes between calls #​46019
  • spring.couchbase.authentication.jks.private-key-password has no effect #​46006
  • Actuator heapdump endpoint is failing on modern OpenJ9 JVMs #​46005
  • UnboundConfigurationPropertiesException is no longer thrown from IndexedElementsBinder #​45994
  • DataSouceBuilder can fail with a NPE when the driver is null #​45992
  • JSON writer incorrectly escapes forward slash which can cause structure logging issues #​45980
  • ManagementContextAutoConfiguration adds a property source that degrades binding performance #​45968
  • ClientHttpConnectorAutoConfiguration fails to load when 'java.net.http.HttpClient' is unavailable #​45955
  • It is not possible to opt-out of profile validation or use profile names that contain '.' #​45947
  • GraphQlProperties.DeprecatedSse is not annotated as deprecated #​45878
  • SpringApplication.setEnvironmentPrefix is ignored when reading MANAGEMENT_SERVER_PORT #​45857
  • Write and delete operations no longer work in the Cloud Foundry actuator support with Spring Security due to CSRF protection #​45848
  • ConditionalOnAvailableEndpoint does not use the ConditionContext's ClassLoader to load exposure outcome contributors #​45803
  • Binding no longer works with sytem environment properties that are not upper case #​45741
  • ManagementWebServerFactoryCustomizer and ManagementErrorPageCustomizer should not have the same order #​45736
  • Default version of Awailitility is not compatible with Kotlin 1.9 baseline #​45673
  • Spring Boot 3.5's dependency management should have been upgraded to Lettuce 6.6.0.RELEASE #​45670
  • Spring Boot 3.5's dependency management should have been upgraded to Jedis 6.0.0 #​45669
  • SAML2 autoconfiguration is not imported by @WebMvcTest #​45666
  • Spring Boot 3.5's dependency management should have been upgraded to MongoDB 5.5.0 #​45660
📔 Documentation
  • Fix Docker security options links in Packaging OCI images sections #​46021
  • Improve documentation for configuring Spring Security with '/error' #​46009
  • Timestamps in Retrieving Audit Events examples do not match the accompanying text #​45997
  • Add SSL response structure to actuator info endpoint documentation #​45921
  • Update javadoc of test slice annotations to suggest MockitoBean rather than MockBean #​45915
  • Include configuration classes from all modules in the "Auto-configuration Classes" appendix #​45863
  • Links to Testcontainers javadoc for many classes not in the core testcontainers module do not work #​45844
  • Update documentation to reflect changes in TestRestTemplate's default redirect behavior #​45842
  • Deprecation replacement for spring.codec.* properties has a typo #​45743
  • Gradle Shadow Plugin link in the reference guide is outdated #​45740
  • Example of using prometheus-metrics-exporter-pushgateway has wrong artifactId #​45684
  • Document use of git-commit-id-maven-plugin consistently #​45683
  • Update javadoc of Configurer classes that apply sensible defaults to describe how they're typically used #​45656
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Peksa, @​Rutujakolte03, @​chanbinme, @​csbiy, @​davidlj95, @​izeye, @​juliojgd, @​ngocnhan-tran1996, @​nicolasgarea, @​nosan, @​quaff, @​shekharAggarwal, @​tanruian, and @​wonyongg

v3.5.0

Compare Source

Full release notes for Spring Boot 3.5 are available on the wiki.

⭐ New Features
  • Make heapdump endpoint restricted by default #​45624
  • Remove SSL status tag from metrics #​45602
  • Remove 'spring.http.client' deprecation and change 'spring.http.reactiveclient.settings' to 'spring.http.reactiveclient' #​45507
🐞 Bug Fixes
  • Unable to override/set nested ConfigurationProperties by passing as a system property #​45639
  • ValidationAutoConfiguration triggers early initialization of properties binding #​45618
  • Micrometer "enable" annotations property does not cover observed aspect #​45617
  • spring.graphql.sse.timeout is no longer exposed #​45613
  • SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE #​45549
  • IllegalStateException when extracting using layers a module with no code of its own #​45449
  • Removed spring.batch.initialize-schema property is still considered #​45380
  • ReactorHttpClientBuilder does not offer a factory method to create the HttpClient #​45378
  • Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate #​45351
  • Custom default units declared on a field are ignored when binding properties in a native image #​45347
  • DockerRegistryConfigAuthentication uses the wrong serverUrl as a fallback for the Credentials helper #​45345
  • Various spring.datasource properties are mistakenly marked as ignored #​45342
  • JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter #​45297
  • DockerRegistryConfigAuthentication does not align with Docker CLI #​45292
  • Unlike the Docker CLI, "\x00" characters are not trimmed from a decoded Docker Registry password #​45290
  • CloudFoundry security matcher logs a warning due to use of the 'ignoring()' method #​32622
📔 Documentation
  • Document the java info contribution #​45634
  • Document the process info contribution #​45632
  • Document the os info contribution #​45630
  • Document typical spring.application.group and name use #​45628
  • Document that bean methods should be static when annotated with @ConfigurationPropertiesBinding #​45626
  • Document the way that primary Kotlin constructors are used when binding #​45553
  • Improve "profile" reference documentation with additional admonitions #​45551
  • Improve setEnvironmentPrefix(...) reference documentation #​45376
  • Document all the available Testcontainers integrations #​45367
  • Document when a spring.config.import value is relative and when it is fixed #​45363
  • Update org.cyclonedx.bom version in docs to 2.3.0 #​45320
  • Update link to "Parameter Name Retention" section of Spring Framework's release notes #​45299
🔨 Dependency Upgrades

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@lis0x90 lis0x90 merged commit 95dadc3 into main Sep 9, 2025
6 of 8 checks passed
@lis0x90 lis0x90 deleted the renovate-main/spring branch September 9, 2025 12:16
@github-actions github-actions bot locked and limited conversation to collaborators Sep 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@lis0x90 lis0x90 Awaiting requested review from lis0x90 lis0x90 is a code owner

Assignees

@lis0x90 lis0x90

Labels

branch:main group:spring renovate:core type:minor type:patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NetcrackerCLPLCI @lis0x90 @renovate-bot