Update spring boot to v3 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.boot:spring-boot-dependencies (source)	2.3.4.RELEASE -> 3.3.4
org.springframework.boot:spring-boot-maven-plugin (source)	2.3.4.RELEASE -> 3.3.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-dependencies)

v3.3.4

Compare Source

🐞 Bug Fixes

• management.health.db.ignore-routing-datasources=true has no effect when an AbstractRoutingDataSource has been wrapped #​42322
• Missing details in OAuth2ClientProperties validation error message #​42279
• FileNotFoundException from unused mis-configured SSL bundles #​42169
• ZipkinHttpClientSender fails with "Failed to introspect Class" when spring-web is not on the classpath #​42161
• @RestartScope can cause 'Recursive update' exceptions when used with container beans #​42107
• JarLauncher fails to load large jar files #​42079
• PropertiesMigrationListener wrongly reports property as deprecated when has group #​42071
• Using an empty string MongoDB 'replica-set-name' property will result in ClusterType=REPLICA_SET #​42059
• Default Logback config uses deprecated "converterClass" attribute #​42006

📔 Documentation

• Document that spring.jmx.enabled is not intended for third-party libraries #​42285
• Update link to Log4j2 system properties #​42263
• Links to GraphQL in the reference guide redirect to the root instead of specific sections #​42208
• Syntax error in "Receive a message reactively section" of the reference guide #​42200
• Deprecation reason for the autotime enabled, percentiles, and percentiles-historgram properties is confusing #​42193
• Replace RFC 7807 by RFC 9457 in property documentation #​42190
• Document that configuration property binding to a Kotlin value class with a default is not supported #​42176
• Update documentation to reflect new no handler found exception behavior #​42167
• Polish configuration property reference #​42165
• Remove link to “Converting a Spring Boot JAR Application to a WAR” as the guide is no longer available #​42111
• Fix StatsD link typo on Metrics documentation page #​42109
• Improve docker without buildpacks documentation #​42106
• Improve documentation in "Command-line Completion" #​42103
• Kotlin code examples are missing from the Testing section #​42094
• Fix incorrect command in Docker configuration for Colima #​42078
• Gradle Plugin AOT documentation has sample error #​42046

🔨 Dependency Upgrades

• Upgrade to Groovy 4.0.23 #​42292
• Upgrade to Hibernate 6.5.3.Final #​42365
• Upgrade to Infinispan 15.0.8.Final #​42253
• Upgrade to Jakarta Servlet JSP JSTL 3.0.2 #​42254
• Upgrade to Jetty 12.0.13 #​42256
• Upgrade to Jetty Reactive HTTPClient 4.0.7 #​42255
• Upgrade to Logback 1.5.8 #​42257
• Upgrade to Micrometer 1.13.4 #​42129
• Upgrade to Micrometer Tracing 1.3.4 #​42130
• Upgrade to MSSQL JDBC 12.6.4.jre11 #​42258
• Upgrade to Native Build Tools Plugin 0.10.3 #​42205
• Upgrade to Netty 4.1.113.Final #​42259
• Upgrade to Postgresql 42.7.4 #​42260
• Upgrade to R2DBC MariaDB 1.2.2 #​42326
• Upgrade to Reactor Bom 2023.0.10 #​42131
• Upgrade to SendGrid 4.10.3 #​42366
• Upgrade to Spring Data Bom 2024.0.4 #​42132
• Upgrade to Spring Framework 6.1.13 #​42133
• Upgrade to Spring HATEOAS 2.3.3 #​42282
• Upgrade to Spring Integration 6.3.4 #​42134
• Upgrade to Spring Kafka 3.2.4 #​42135
• Upgrade to Spring Pulsar 1.1.4 #​42136
• Upgrade to Spring Retry 2.0.9 #​42327
• Upgrade to Tomcat 10.1.30 #​42346
• Upgrade to Undertow 2.3.17.Final #​42303
• Upgrade to Zipkin Reporter 3.4.2 #​42364

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Alchemik, @​arefbehboudi, @​einarpehrson, @​izeye, @​martinfrancois, @​mushroom528, @​nosan, and @​quaff

v3.3.3

Compare Source

⭐ New Features

• Add TWENTY_THREE to JavaVersion enum #​41716

🐞 Bug Fixes

• Extending DefaultErrorAttributes and overriding getErrorAttributes() gets called twice #​41995
• When using WebFlux, server.error.include-binding-errors=ALWAYS no longer has an effect when the BindingResult exception is the cause of a ResponseStatusException #​41987
• PropertiesLauncher does not respect classpath.idx when adding jars in BOOT-INF/lib to the classpath #​41970
• Web extension for SBOM endpoint isn't available under /cloudfoundryapplication #​41890
• Launcher's ClassLoader is no longer parallel capable #​41873
• spring-boot-testcontainers causes unwanted container initialization during AOT processing #​41859
• ReactiveElasticsearchRepositoriesAutoConfiguration should back off when Reactor is not on the classpath #​41678
• mvn spring-boot:build-image fails when 'classifier' is set to non-default value #​41661
• Spring Boot Maven plugin AOT cannot handle Maven modules with module-info.java #​41647
• Docker publishRegistry in Maven plugin configuration is validated when publish option is false #​41641
• Using Gradle's new file permission API is implemented in a way that prevents removal of the old API #​41607
• Some @ControllerEndpoint and @RestControllerEndpoint infrastructure remains undeprecated #​41596
• Constructor binding of EnumMap fails due to missing key type #​41563

📔 Documentation

• Improve documented logging property descriptions and default values #​41989
• Explain that enabling virtual threads disables traditional thread pools #​41976
• Harmonize code sample for MyUserHandler in reference documentation #​41949
• Document when environment variable property mapping applies #​41945
• Javadoc of slice test annotations should describe more accurately which components are considered #​41935
• Fix duplicate words #​41920
• Document the need to explicitly reset mock servers when using mock server customizers directly #​41849
• Correct grammar in 'Running your Application with Maven' #​41840
• Document more clearly that username and password are not used when spring.data.redis.url is set #​41748
• Pulsar configuration does not have default value for several entries in the metadata #​41683
• management.otlp.metrics.export.aggregation-temporality does not have a default value in the metadata #​41676
• management.newrelic.metrics.export.client-provider-type does not have a default value in the metadata #​41670
• server.error.include-path does not have a default value in the metadata #​41667
• The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently #​41638
• "Use Spring Data repositories" How-to incorrectly refers to Repository annotations #​41628
• "Use Spring Data repositories" How-to incorrectly refers to Repository annotations #​41627
• Update link to documentation for log4j-spring-boot #​41622
• Fix link to Flyway reference documentation #​41593
• Document configuration property binding's support for using @Name to customize a property name #​41585
• Add hint for new dependencies required for Flyway #​41574
• Document that spring-boot:repackage should not be run from the command-line #​22317

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 6.1.3 #​41782
• Upgrade to Awaitility 4.2.2 #​41707
• Upgrade to Byte Buddy 1.14.19 #​41886
• Upgrade to Couchbase Client 3.6.3 #​41967
• Upgrade to CycloneDX Maven Plugin 2.8.1 #​41783
• Upgrade to Infinispan 15.0.7.Final #​41784
• Upgrade to Jakarta Servlet JSP JSTL 3.0.1 #​41845
• Upgrade to Jersey 3.1.8 #​41785
• Upgrade to Jetty 12.0.12 #​41828
• Upgrade to Jetty Reactive HTTPClient 4.0.6 #​41786
• Upgrade to jOOQ 3.19.11 #​41846
• Upgrade to Kotlin 1.9.25 #​41787
• Upgrade to Logback 1.5.7 #​41887
• Upgrade to Maven Deploy Plugin 3.1.3 #​41942
• Upgrade to Maven Install Plugin 3.1.3 #​41943
• Upgrade to Micrometer 1.13.3 #​41733
• Upgrade to Micrometer Tracing 1.3.3 #​41734
• Upgrade to Neo4j Java Driver 5.23.0 #​41743
• Upgrade to Netty 4.1.112.Final #​41788
• Upgrade to Pulsar 3.2.4 #​41789
• Upgrade to Pulsar Reactive 0.5.7 #​41888
• Upgrade to Reactor Bom 2023.0.9 #​41735
• Upgrade to RxJava3 3.1.9 #​41847
• Upgrade to SLF4J 2.0.16 #​41790
• Upgrade to Spring AMQP 3.1.7 #​41953
• Upgrade to Spring Authorization Server 1.3.2 #​41736
• Upgrade to Spring Data Bom 2024.0.3 #​41737
• Upgrade to Spring Framework 6.1.12 #​41738
• Upgrade to Spring HATEOAS 2.3.2 #​41889
• Upgrade to Spring Integration 6.3.3 #​41974
• Upgrade to Spring Kafka 3.2.3 #​41954
• Upgrade to Spring LDAP 3.2.6 #​41739
• Upgrade to Spring Pulsar 1.1.3 #​41740
• Upgrade to Spring Retry 2.0.8 #​41944
• Upgrade to Spring Security 6.3.3 #​41985
• Upgrade to Spring Session 3.3.2 #​41742
• Upgrade to Tomcat 10.1.28 #​41791
• Upgrade to Yasson 3.0.4 #​41792

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​PiyalAhmed, @​Rajin9601, @​cms04, @​dreis2211, @​eddumelendez, @​hyunmin0317, @​ivamly, @​jmewes, @​jxblum, @​lamtrinhdev, @​ngocnhan-tran1996, @​quaff, and @​ritzykey

v3.3.2

Compare Source

🐞 Bug Fixes

• No configuration property for defaultTimeout setting that was introduced in Spring Integration 6.2 #​41521
• NPE during auto-configuration in OnClassCondition.resolveOutcomesThreaded because firstHalf is null #​41504
• Spring Authorization Server now defaults multipleIssuersAllowed to false and it cannot be easily re-enabled #​41355
• ServiceConnection does not work with @DataLdapTest #​41325
• PropertiesMigrationListener wrongly reports property as deprecated #​41252
• @NestedConfigurationProperty doesn't work on records #​41251
• TestcontainersLifecycleBeanPostProcessor does not work correctly with scoped beans #​41238
• Error message can be misleading if spring.config.import fails to resolve #​41236
• build-image failures after docker desktop update with 'Illegal char <:> at index 5: npipe:////' #​41234
• When using Jetty, filters, listeners, and servlets are not initialized with the same thread context classloader #​41225
• DirtiesContext used with Webflux, a random port and multiple contexts causes multiple contexts to misbehave #​41221
• NoSuchMethodException on org.apache.activemq.ActiveMQConnectionFactory.<init> when using spring-boot-starter-activemq in a native image #​41214

📔 Documentation

• Fix documentation links in the README #​41531
• Document the types to which each spring.mvc.format and spring.webflux.format property applies #​41518
• Document that logging.file.name and logging.file.path cannot be used together #​41516
• Refine CDS how-to guide #​41464
• Fix typos in javadoc of BootstrapContext #​41448
• CDS link in "Efficient Deployments" documentation is broken #​41321
• Update Kotlin DSL examples that configure the environment of bootBuildImage to be additive #​41270
• Document tracing support for RestClient #​41192
• Documentation wrongly states that zipkin-sender-urlconnection is needed #​41181

🔨 Dependency Upgrades

• Upgrade to AspectJ 1.9.22.1 #​41474
• Upgrade to Byte Buddy 1.14.18 #​41371
• Upgrade to Dependency Management Plugin 1.1.6 #​41372
• Upgrade to GraphQL Java 22.1 #​41219
• Upgrade to Groovy 4.0.22 #​41373
• Upgrade to HttpCore5 5.2.5 #​41374
• Upgrade to Jackson Bom 2.17.2 #​41375
• Upgrade to Jetty 12.0.11 #​41376
• Upgrade to JsonAssert 1.5.3 #​41377
• Upgrade to JUnit Jupiter 5.10.3 #​41378
• Upgrade to Kafka 3.7.1 #​41379
• Upgrade to Lombok 1.18.34 #​41380
• Upgrade to Micrometer 1.13.2 #​41298
• Upgrade to Micrometer Tracing 1.3.2 #​41299
• Upgrade to MSSQL JDBC 12.6.3.jre11 #​41381
• Upgrade to Neo4j Java Driver 5.22.0 #​41382
• Upgrade to R2DBC MariaDB 1.2.1 #​41383
• Upgrade to Reactor Bom 2023.0.8 #​41384
• Upgrade to Spring Data Bom 2024.0.2 #​41300
• Upgrade to Spring Framework 6.1.11 #​41301
• Upgrade to Spring GraphQL 1.3.2 #​41527
• Upgrade to Spring HATEOAS 2.3.1 #​41497
• Upgrade to Spring Integration 6.3.2 #​41302
• Upgrade to Spring Kafka 3.2.2 #​41303
• Upgrade to Spring Pulsar 1.1.2 #​41536
• Upgrade to Spring Retry 2.0.7 #​41485
• Upgrade to Tomcat 10.1.26 #​41498

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​acouvreur, @​anbusampath, @​eddumelendez, @​izeye, @​jxblum, @​mateusscheper, @​opcooc, and @​sdeleuze

v3.3.1

Compare Source

🐞 Bug Fixes

• SQL Server JDBC URL is malformed after adding org.springframework.boot.jdbc.parameters label #​41169
• Git instant properties cannot be coerced following git-commit-id Maven plugin upgrade #​41152
• Excluding status code from DefaultErrorAttributes throws NPE #​41141
• Spring Boot remote restart with devtools causes 'factory already defined' Tomcat error when running with 'java -jar' #​41107
• MongoHealthIndicator not compliant with Mongo stable API with strict setting #​41104
• Service connection for bitnami mongodb fails to connect #​41097
• Image building requires builder to specify a stack #​41091
• DataSourceProperties fail to bind if java.sql module isn't included #​41084
• AOT causes Logback configuration error when using include #​41081
• Image building hangs when builder and buildpack are configured #​41049
• IllegalArgumentException when trying to use Tomcat's HttpNio2Protocol with Spring Boot-configured SSL #​41010
• Uber jar fails to start when it contains a dependency with Multi-Release: true in its manifest and unexpected file entries in META-INF/versions #​41006
• JSP-related resources may not be found in an executable war file when using Jetty #​40996
• The value of the tomcat.threads.config.max metric is always -1, irrespective of the configured maximum number of threads #​40957
• The auto-configured reactiveNeo4jTransactionManager may cause a failure due to multiple TransactionManager beans #​40953
• Application fails to start when server.tomcat.threads.max < 10 #​40945
• SBOM actuator endpoint doesn't work in a native image #​40939
• Starter parent applies its configuration of the CycloneDX Maven plugin too broadly #​40927
• buildInfo does not work with Gradle 8.7 or later when the configuration cache is enabled #​40924
• Prometheus Exemplars are missing from _count #​40904
• Extract fails due to a duplicate entry when BOOT-INF/classes contains a directory that's also present in the root of the jar #​40903
• sbom is not available to the actuator endpoint when using bootRun or bootWar #​40890
• A newline character is missing from the start of the default banner #​40889

📔 Documentation

• Fix links to Spring AMQP's javadoc #​41144
• Document more precisely how a Container's Docker image name is used to find the matching service connection #​41123
• Cross-link to the CDS how-to guide #​41118
• Fix typos in javadoc of MockServerRestClientCustomizer and MockServerRestTemplateCustomizer #​41065
• Improve readability when listing three pillars of observability #​41064
• Add CDS training run configuration documentation #​41045
• Document the need to switch to io.micrometer:micrometer-registry-prometheus-simpleclient to use the Prometheus push gateway #​40993
• Improve consistency of documentation guidelines for packaging and running applications #​40977
• Fix typos in method names and javadoc #​40976
• Replace hard-coded links to Micrometer in documentation #​40967
• Add Kotlin example for @Testcontainers #​40943
• Fix various minor inconsistencies of the documentation #​40942
• Warn in the documentation that spring.profiles.group can only be used in non-profile-specific documents #​40941
• Broken Micrometer links in documentation #​40916
• Document Buildpacks CDS and Spring AOT support #​40762

🔨 Dependency Upgrades

• Upgrade to Byte Buddy 1.14.17 #​41066
• Upgrade to FreeMarker 2.3.33 #​41067
• Upgrade to HSQLDB 2.7.3 #​41068
• Upgrade to Infinispan 15.0.5.Final #​41159
• Upgrade to Jaybird 5.0.5.java11 #​41132
• Upgrade to Jersey 3.1.7 #​41069
• Upgrade to Jetty 12.0.10 #​41071
• Upgrade to Jetty Reactive HTTPClient 4.0.5 #​41070
• Upgrade to jOOQ 3.19.10 #​41133
• Upgrade to Maven Help Plugin 3.4.1 #​41073
• Upgrade to Maven Jar Plugin 3.4.2 #​41160
• Upgrade to Micrometer 1.13.1 #​41030
• Upgrade to Micrometer Tracing 1.3.1 #​41042
• Upgrade to MSSQL JDBC 12.6.2.jre11 #​41074
• Upgrade to Neo4j Java Driver 5.21.0 #​41043
• Upgrade to Netty 4.1.111.Final #​41075
• Upgrade to Pulsar Reactive 0.5.6 #​41134
• Upgrade to Reactor Bom 2023.0.7 #​41031
• Upgrade to Spring AMQP 3.1.6 #​41145
• Upgrade to Spring Authorization Server 1.3.1 #​41032
• Upgrade to Spring Data Bom 2024.0.1 #​41033
• Upgrade to Spring Framework 6.1.10 #​41150
• Upgrade to Spring GraphQL 1.3.1 #​41035
• Upgrade to Spring Integration 6.3.1 #​41036
• Upgrade to Spring Kafka 3.2.1 #​41037
• Upgrade to Spring LDAP 3.2.4 #​41038
• Upgrade to Spring Pulsar 1.1.1 #​41039
• Upgrade to Spring Security 6.3.1 #​41040
• Upgrade to Spring Session 3.3.1 #​41041
• Upgrade to Tomcat 10.1.25 #​41161

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Eng-Fouad, @​PiyalAhmed, @​Seungpang, @​asashour, @​cmabdullah, @​dependabot[bot], @​donghoony, @​erie0210, @​izeye, @​mateusscheper, @​onobc, @​quaff, @​sdeleuze, and @​vsanna

v3.3.0

Compare Source

⭐ New Features

• Add support for descriptions of record components in configuration metadata generation #​29403

🐞 Bug Fixes

• gradlew bootBuildImage fails with Podman on macOS Sonoma #​40871
• Pulsar auth parameters don't properly encode JSON values #​40869
• When using JPA and ImportTestcontainers, test context may fail to refresh due to "Mapped port can only be obtained after the container is started" #​40863
• Default MIME mappings are not loaded unless additional mappings are configured #​40860
• Starting from 3.2.x, @SpyBean is not able to initialise MongoRepository bean of the generic type #​40855
• Auto-configuration ordering change breaks DocumentReference (in non-reactive MongoTemplate) when depending on mongodb-driver-reactivestreams #​40851
• Neo4jReactiveDataAutoConfiguration creates incorrectly named bean #​40836
• Image building fails during cleanup when bind mount has read-only content #​40799
• Failure Analysis for InvalidConfigurationPropertyValueException is skipped when the property is not set #​40691
• IllegalArgumentException can be thrown when running an uber jar on a shared drive #​40643
• setReadTimeout can't be set via Reflective factory on JettyClientHttpRequestFactory #​40638
• URISyntaxException is raised if the spring boot application is started in a location that contains invalid URI characters #​40616
• resolveMainClassName fails when building with Gradle using Java 22 #​40613
• AnsiOutput.detectIfAnsiCapable broken on JDK22 #​40609
• Help information for spring init's build option has the wrong default #​40606
• JarUrlConnection.getPermission() can throw NullPointerException if jarFileConnection is null #​40599
• Whitespace is not correctly trimmed when generating configuration properties metadata from records #​40593
• In some situations, the failure when the AOT-generated initializer cannot be loaded is less helpful than before #​40584
• Properties binding eagerly creates superfluous maps #​40561
• Configuring SSL bundle reload for non-file resource types causes errors that are difficult to diagnose #​40560
• spring-boot-dependencies cannot be used with repositories that ban com.oracle.database.jdbc:ojdbc-bom #​40535
• Buildpacks do not support Docker with containerd image store #​40526
• SpringBootMockMvcBuilderCustomizer can crash cryptically while collecting data that it would have discarded anyway #​40517
• Containers not shut down between tests when using .withReuse(true) but env. does not support reuse (e.g. CI builds) #​40509
• CookieSameSiteSupplier influences session cookie #​40501
• <springProperty> and <springProfile> do not work in <include> after Logback upgrade #​40491
• Runtime hint registration for property binding should not fail when parameter information is unavailable #​40486
• ServiceLevelObjectiveBoundary properties cannot be bound in a native image application #​40483
• server.error.include-binding-errors does not recognize MethodValidationResult exceptions #​40474
• spring.data.redis.cluster.nodes and spring.data.redis.sentinel.nodes do not handle IPv6 addresses correctly #​40467
• Using relative paths to describe the classpath in the error message from ResolveMainClassName hinders problem diagnosis #​40465
• Jartools extract command doesn't extract all files from META-INF #​40456
• Native image doesn't start and doesn't log anything if an environment post processor throws an exception #​40451
• Unlike DataSourceAutoConfiguration, DevToolsDataSourceAutoConfiguration assumes that javax.sql.DataSource will always be available #​40441

📔 Documentation

• Improve graceful shutdown documentation to remove ambiguity #​40846
• Document ways to opt out from immutable @ConfigurationProperties binding with single constructor #​40844
• Document that a custom HttpMessageConverters bean can be used to reorder json message converters when needed #​40839
• Address ambiguity now that Testcontainers has two classes named KafkaContainer #​40756
• Publish API documentation for Spring Boot's Kotlin APIs #​40692
• Fix typo in features doc #​40631
• Code inclusion in Jersey documentation is broken #​40629
• Add How-To for ManagedClassNameFilter #​40617
• Clarify devtools restart class loader #​40608
• Document default value of management.zipkin.tracing.encoding #​40588
• Note that spring-boot-docker-compose is excluded by default from packaged jars #​40565
• Clarify docs around spring.jpa.generate-ddl #​40523
• Clarify the directory that's used by default to find Docker Compose compose.yaml #​40515
• Suggest testAndDevelopmentOnly configuration when using Docker Compose support in tests #​40481
• Clarify that all named properties must match for @ConditionalOnProperty to match #​40471
• Links to Spring Batch javadoc for EnableBatchProcessing and DefaultBatchConfiguration are broken #​40141
• Add grpc starter and httpexchange starter to the community starters document #​39437

🔨 Dependency Upgrades

• Upgrade to Byte Buddy 1.14.16 #​40879
• Upgrade to Cassandra Driver 4.18.1 #​40842
• Upgrade to Couchbase Client 3.6.2 #​40737
• Upgrade to Dependency Management Plugin 1.1.5 #​40738
• Upgrade to Elasticsearch Client 8.13.4 #​40739
• Upgrade to GraphQL Java 22.0 #​40618
• Upgrade to Hibernate 6.5.2.Final #​40867
• Upgrade to Infinispan 15.0.4.Final #​40865
• Upgrade to Jackson Bom 2.17.1 #​40742
• Upgrade to Jakarta XML SOAP 3.0.2 #​40786
• Upgrade to Jakarta XML WS 4.0.2 #​40787
• Upgrade to Jetty 12.0.9 #​40743
• Upgrade to Jetty Reactive HTTPClient 4.0.4 #​40811
• Upgrade to jOOQ 3.19.8 #​40744
• Upgrade to Kotlin 1.9.24 #​40745
• Upgrade to Kotlin Coroutines 1.8.1 #​40746
• Upgrade to Maven Deploy Plugin 3.1.2 #​40747
• Upgrade to Maven Install Plugin 3.1.2 #​40748
• Upgrade to Maven Jar Plugin 3.4.1 #​40749
• Upgrade to Maven Shade Plugin 3.5.3 #​40750
• Upgrade to Micrometer 1.13.0 #​40666
• Upgrade to Micrometer Tracing 1.3.0 #​40667
• Upgrade to Native Build Tools Plugin 0.10.2 #​40840
• Upgrade to Neo4j Java Driver 5.20.0 #​40681
• Upgrade to Netty 4.1.110.Final #​40880
• Upgrade to Pooled JMS 3.1.6 #​40751
• Upgrade to Pulsar 3.2.3 #​40841
• Upgrade to Pulsar Reactive 0.5.5 #​40812
• Upgrade to R2DBC Proxy 1.1.5.RELEASE #​40752
• Upgrade to Reactor Bom 2023.0.6 #​40668
• Upgrade to SAAJ Impl 3.0.4 #​40788
• Upgrade to Spring AMQP 3.1.5 #​40829
• Upgrade to Spring Authorization Server 1.3.0 #​40669
• Upgrade to Spring Batch 5.1.2 #​40670
• Upgrade to Spring Data Bom 2024.0.0 #​40671
• Upgrade to Spring Framework 6.1.8 #​40830
• Upgrade to Spring GraphQL 1.3.0 #​40673
• Upgrade to Spring HATEOAS 2.3.0 #​40674
• Upgrade to Spring Integration 6.3.0 #​40675
• Upgrade to Spring Kafka 3.2.0 #​40676
• Upgrade to Spring Pulsar 1.1.0 #​40677
• Upgrade to Spring Retry 2.0.6 #​40789
• Upgrade to Spring Security 6.3.0 #​40678
• Upgrade to Spring Session 3.3.0 #​40679
• Upgrade to Spring WS 4.0.11 #​40680
• Upgrade to Testcontainers 1.19.8 #​40753
• Upgrade to Tomcat 10.1.24 #​40790
• Upgrade to Undertow 2.3.13.Final #​40755

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​An1s9n, @​DanielLiu1123, @​PiyalAhmed, @​chaewss, @​coursar, @​dependabot[bot], @​dsyer, @​dukbong, @​facewise, @​izeye, @​nahidshahin, @​onobc, @​quaff, @​snicoll, @​tobi-laa, and @​yokotaso

v3.2.10

Compare Source

🐞 Bug Fixes

• management.health.db.ignore-routing-datasources=true has no effect when an AbstractRoutingDataSource has been wrapped #​42313
• Missing details in OAuth2ClientProperties validation error message #​42278
• FileNotFoundException from unused mis-configured SSL bundles #​42119
• PropertiesMigrationListener wrongly reports property as deprecated when has group #​42068
• Using an empty string MongoDB 'replica-set-name' property will result in ClusterType=REPLICA_SET #​42055
• JarLauncher fails to load large jar files #​42012
• @RestartScope can cause 'Recursive update' exceptions when used with container beans #​41571

📔 Documentation

• Document that spring.jmx.enabled is not intended for third-party libraries #​42272
• Update link to Log4j2 system properties #​42262
• Links to GraphQL in the reference guide redirect to the root instead of specific sections [#​42207](https://redirect.gi

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changelogg]

Hey! Changelogs info seems to be missing or might be in incorrect format.
Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
- tag: changelog_text
OR
You can add tag in PR header or while doing a commit too
(tag) PR header
or
tag: PR header
Valid tags: added / feat, changed, deprecated, fixed / fix, removed, security, build, ci, chore, docs, perf, refactor, revert, style, test
Thanks!
For more info, check out changelogg docs

[viezly]

Pull request by bot. No need to analyze

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

🚮 Removed packages: maven/org.springframework.boot/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	maven/org.springframework.boot/[email protected]	CVE: GHSA-g5h3-w546-pj7f Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry (CRITICAL) Affected versions: < 2.5.15 Patched version: 2.5.15	pom.xml	⚠︎
Possible typosquat attack	maven/org.webjars.npm/[email protected]	Did you mean: org.webjars:angular-ui-router	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.apache.derby/[email protected]	CVE: GHSA-rcjc-c4pj-xxrp Apache Derby: LDAP injection vulnerability in authenticator (CRITICAL) Affected versions: >= 10.1.1.0, < 10.14.3 Patched version: 10.14.3	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.apache.derby/[email protected]	CVE: GHSA-wr69-g62g-2r9h Improper Restriction of XML External Entity Reference in Apace Derby (CRITICAL) Affected versions: <= 10.11.1.1 Patched version: 10.12.1.1	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.jboss.netty/[email protected]	CVE: GHSA-cqqj-4p63-rrmm HTTP Request Smuggling in Netty (CRITICAL) Affected versions: < 4.0.0 Patched version: No patched versions	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/net.sourceforge.htmlunit/[email protected]	CVE: GHSA-3xrr-7m6p-p7xh HtmlUnit Code Injection vulnerability (CRITICAL) Affected versions: < 3.0.0 Patched version: 3.0.0	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.springframework/[email protected]	CVE: GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework (CRITICAL) Affected versions: < 5.2.20.RELEASE Patched version: 5.2.20.RELEASE	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.slf4j/[email protected]	CVE: GHSA-w77p-8cfg-2x43 Improper Access Control in SLF4J (CRITICAL) Affected versions: <= 1.7.25 Patched version: 1.7.26	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/com.thoughtworks.xstream/[email protected]	CVE: GHSA-f554-x222-wgf7 Command Injection in Xstream (CRITICAL) Affected versions: = 1.4.10 Patched version: 1.4.11	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/com.thoughtworks.xstream/[email protected]	CVE: GHSA-hf23-9pf7-388p Deserialization of Untrusted Data and Code Injection in xstream (CRITICAL) Affected versions: <= 1.4.10 Patched version: 1.4.11	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.apache.ivy/[email protected]	CVE: GHSA-94rr-4jr5-9h2p Apache Ivy does not verify target path when extracting the archive (CRITICAL) Affected versions: >= 2.4.0, < 2.5.1 Patched version: 2.5.1	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.quartz-scheduler/[email protected]	CVE: GHSA-9qcf-c26r-x5rf XML external entity injection in Terracotta Quartz Scheduler (CRITICAL) Affected versions: < 2.3.2 Patched version: 2.3.2	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.apache.zookeeper/[email protected]	CVE: GHSA-7286-pgfv-vxvh Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper (CRITICAL) Affected versions: < 3.7.2 Patched version: 3.7.2	pom.xml	⚠︎
Critical CVE	maven/commons-fileupload/[email protected]	CVE: GHSA-7x9j-7223-rg5m Improper Access Control in commons-fileupload (CRITICAL) Affected versions: < 1.3.3 Patched version: 1.3.3	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.springframework.boot/[email protected]	CVE: GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework (CRITICAL) Affected versions: < 5.2.20.RELEASE Patched version: 5.2.20.RELEASE	pom.xml	⚠︎
Critical CVE	maven/org.springframework.boot/[email protected]	CVE: GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework (CRITICAL) Affected versions: < 5.2.20.RELEASE Patched version: 5.2.20.RELEASE	pom.xml	⚠︎
Critical CVE	maven/org.springframework/[email protected]	CVE: GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework (CRITICAL) Affected versions: < 5.2.20.RELEASE Patched version: 5.2.20.RELEASE	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎
Critical CVE	maven/org.springframework/[email protected]	CVE: GHSA-4wrc-f8pq-fpqp Pivotal Spring Framework contains unsafe Java deserialization methods (CRITICAL) Affected versions: < 6.0.0 Patched version: 6.0.0	modules/customiere-crm-clients/pom.xml pom.xml	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is a typosquat?

Package name is similar to other popular packages and may not be the package you want.

Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore maven/org.springframework.boot/[email protected]
• @SocketSecurity ignore maven/org.webjars.npm/[email protected]
• @SocketSecurity ignore maven/org.apache.derby/[email protected]
• @SocketSecurity ignore maven/org.jboss.netty/[email protected]
• @SocketSecurity ignore maven/net.sourceforge.htmlunit/[email protected]
• @SocketSecurity ignore maven/org.springframework/[email protected]
• @SocketSecurity ignore maven/org.slf4j/[email protected]
• @SocketSecurity ignore maven/com.thoughtworks.xstream/[email protected]
• @SocketSecurity ignore maven/org.apache.ivy/[email protected]
• @SocketSecurity ignore maven/org.quartz-scheduler/[email protected]
• @SocketSecurity ignore maven/org.apache.zookeeper/[email protected]
• @SocketSecurity ignore maven/commons-fileupload/[email protected]
• @SocketSecurity ignore maven/org.springframework.boot/[email protected]
• @SocketSecurity ignore maven/org.springframework.boot/[email protected]
• @SocketSecurity ignore maven/org.springframework/[email protected]
• @SocketSecurity ignore maven/org.springframework/[email protected]