Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update spring boot to v3 (major) #68

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update spring boot to v3 (major) #68

wants to merge 1 commit into from

Conversation

whitesource-demo[bot]
Copy link

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework.boot:spring-boot-starter-data-jpa (source) 2.3.1.RELEASE -> 3.0.0 age adoption passing confidence
org.springframework.boot:spring-boot-gradle-plugin (source) 2.2.0.RELEASE -> 3.1.5 age adoption passing confidence

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score CVE
Critical Critical 10.0 CVE-2021-44228
Critical Critical 9.8 CVE-2016-1000027
Critical Critical 9.8 CVE-2020-10683
Critical Critical 9.8 CVE-2022-22965
Critical Critical 9.0 CVE-2021-45046
High High 7.8 CVE-2021-22118
High High 7.8 CVE-2022-27772
High High 7.5 CVE-2017-18640
High High 7.5 CVE-2019-17563
High High 7.5 CVE-2020-11996
High High 7.5 CVE-2020-13934
High High 7.5 CVE-2020-13935
High High 7.5 CVE-2020-17527
High High 7.5 CVE-2020-25649
High High 7.5 CVE-2020-36518
High High 7.5 CVE-2020-5398
High High 7.5 CVE-2021-25122
High High 7.5 CVE-2021-41079
High High 7.5 CVE-2021-46877
High High 7.5 CVE-2022-25857
High High 7.5 CVE-2022-42003
High High 7.5 CVE-2022-42004
High High 7.5 CVE-2023-24998
High High 7.5 CVE-2023-44487
High High 7.4 CVE-2020-25638
High High 7.0 CVE-2019-12418
High High 7.0 CVE-2020-9484
High High 7.0 CVE-2021-25329

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-data-jpa)

v3.0.0

See the Release notes for 3.0 for upgrade instructions and details of new features.

⭐ New Features

  • Provide a configuration property for the observation patterns of Spring Integration components #​33099

🐞 Bug Fixes

  • io.micrometer.tracing.Tracer on the classpath breaks AOT processing for tests #​33298
  • Tracer library HTTP instrumentation is auto-configured unnecessarily #​33287
  • Auto-configuration ignores user-provided ObservationConventions #​33285
  • ScheduledBeanLazyInitializationExcludeFilter is auto-configured even when annotation-based scheduled has not been enabled #​33284
  • SpringBootContextLoader prints banner twice when using a @ContextHierarchy #​33263
  • Properties migrator causes an application to fail to start if it tries to map a property whose metadata data entry contains an invalid configuration property name #​33250
  • Wavefront MeterRegistryCustomizer is not applying application tags from application.properties #​33244
  • Actuator responses no longer format timestamps as ISO-8601 #​33236
  • Configuration property is not bound in a native image when property has get, set, and is methods #​33232
  • Configuration property binding does not deal with bridge methods #​33212
  • Contribute missing resource hints for GraphQL schema files and GraphiQL HTML page #​33208
  • Hints for ClientHttpRequestFactory should only be generated for matching methods #​33203
  • Native profile should configure execution in pluginManagement #​33184
  • Configuring management.server.port via a config tree results in a ConverterNotFoundException when the management context is refreshed #​33169
  • JBoss logging does not route directly to SLF4J when using Logback #​33155
  • Test with UseMainMethod.Always do not work with Kotlin main functions #​33114
  • Maven process-aot does not specify source and target release when compiling generated sources #​33112
  • Some Actuator beans are ineligible for post-processing #​33110
  • AOT-generated source fails to compile when Actuator is enabled on a WebFlux project #​33106
  • @ContextHierarchy should never be used with main method #​33078
  • Maven process-aot fails when compiler plugin has been configured with --enable-preview #​33012
  • Wavefront application tags differ from those used in a Spring Boot 2.x application #​32844
  • Maven goal spring-boot:build-image runs package phase twice #​26455

📔 Documentation

  • Document observation for R2DBC #​33335
  • Align Tomcat multiple connectors example with recommendation to configure SSL declaratively #​33333
  • Actuator document is misleading about k8s startup probe #​33327
  • Update documented for @Timed to reflect narrower support #​33282
  • Update reference documentation to replace mentions of tags providers and contributors with their Observation-based equivalents #​33281
  • Link to Micrometer's @Timed documentation #​33266
  • Clarify use of the spring.cache.type property with Hazelcast #​33258
  • Example git.commit.time in the Actuator API documentation is thousands of years in the future #​33256
  • Update Spring Security filter dispatcher types docs to reflect change in default value #​33252
  • Documentation for nested configuration properties in a native image uses @NestedConfigurationProperty too widely #​33239
  • Document that the jar task should not be disabled when building a native image #​33238
  • Document nesting configuration properties using records or Kotlin data classes and how and when to use @NestedConfigurationProperty #​33235
  • Links to Features describes sections that have moved elsewhere #​33214
  • Fix broken links in docs #​33209
  • Document the need for compilation with -parameters when targeting a native image #​33182
  • Remove outdated native image documentation #​33109
  • Mention @RegisterReflectionForBinding in the docs #​32903

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​artembilan, @​dreis2211, @​hpoettker, @​izeye, @​jonatan-ivanov, @​oppegard, @​sdeleuze, @​ttddyy, @​tumit, and @​vpavic

v2.7.17

⚠️ Noteworthy Changes

  • The behavior of spring.jms.listener.concurrency has been corrected to match the documentation (#​37180). If you were setting spring.jms.listener.concurrency without also setting spring.jms.listener.max-concurrency, please review your configuration when upgrading.

🐞 Bug Fixes

  • @Order does not work on (CommandLine|Application)Runner @Bean methods #​37905
  • Gradle plugin uses to-be-deprecated API for getting and setting file permissions #​37878
  • Task executor metrics are not registered when using lazy initialization #​37832
  • Constructor binding with a custom collection type does not work #​37734
  • Dependency management for kafka-server-common with a test classifier is missing #​37499
  • fileMode and dirMode are not applied to all entries in an archive produced by BootJar #​37496
  • Gradle plugin's build info support produces a deprecation warning when using Gradle 8.4-rc-1 #​37493
  • RepackageMojo doesn't support 1 digit numerical values for project.build.outputTimestamp #​37438
  • Restarter creates memory leak in tests #​37373
  • Contrary to the documentation, setting spring.jms.listener.concurrency alone configures the maximum concurrency #​37180
  • Application fails to start when an optional config import cannot be resolved #​35683
  • @ComponentScan on a test class is processed when creating a test context but is not included in the context's cache key #​31577
  • AspectJ transaction management with compile-time weaving does not work with spring.main.lazy-initialization=true #​37506

📔 Documentation

  • Remove link to LiveReload website due to timeout #​37643
  • Refer to ActiveMQ as ActiveMQ "Classic" #​37606
  • Use more idiomatic Kotlin in example for "Map Health Indicators to Micrometer Metrics" #​37491
  • Document support for Java 21 #​37371

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​bottlerocketjonny, @​dependabot[bot], @​erichaagdev, @​esperar, @​izeye, @​jbertram, @​nielsbasjes, @​onobc, @​ttddyy, and @​vpavic

v2.7.16

⭐ New Features

  • Add TWENTY_ONE to JavaVersion enum #​37362

🐞 Bug Fixes

  • Invalid Accept header produces HTTP 500 in WelcomePageHandlerMapping #​37455
  • PrivateKeyParser doesn't support ed448, XDH and RSA-PSS keys #​37237
  • Parsing OCI image names that are invalid due to the use of upper case letters is very slow #​35657
  • Using https with elliptic curves other than secp384r1 fails #​34232
  • Saml2RelyingPartyAutoConfiguration ignores sign-request when metadata-url is used #​33747
  • Leaking file descriptor / socket within DomainSocket tooling #​32423

📔 Documentation

  • Correct the description of spring.artemis.broker-url #​37260
  • Add default value metadata for management.metrics.export.signalfx.published-histogram-type #​37210
  • Document that PKCS8 PEM files should be used whenever possible #​37170
  • Polish javadoc #​37112

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot], @​hakan-krgn, @​izeye, @​mdeinum, and @​quaff

v2.7.15

⚠️ Noteworthy Changes

  • This release upgrades to MariaDB 3.1.4 from 3.0.x to restore compatibility with Java 8. If the upgrade is problematic and Java 8 compatibility is not a requirement, downgrade to 3.0.x by using the mariadb.version property

🐞 Bug Fixes

  • Artemis ConnectionFactory is not configured when CachingConnectionFactory is missing and enabled properties are false #​36767
  • server.max-http-request-header-size doesn't affect Netty server with http2 enabled #​36766
  • LogbackLoggingSystem does not report suppressed exception details #​36645
  • Tomcat warns about a missing +/- prefix when enabling multiple protocols through server.ssl.enabled-protocols #​36572
  • Descriptions of started and ready time metrics contain time units but the unit may change when the metrics are exported #​36507
  • management.metrics.export.wavefront properties are incomplete #​36498
  • management.metrics.export.signalfx properties are incomplete #​36497
  • management.metrics.export.atlas properties are incomplete #​36496
  • Script-based database initialization fails with an unhelpful error message when configured with a resource that points to a directory #​36386
  • JobLauncherApplicationRunner returns a success exit code even when no jobs have been run #​36060
  • DatabaseDriver swallows real exception #​34728
  • Application Context initialized twice during test when exception thrown during initialization #​24888

📔 Documentation

  • Maven plugin docs contain invalid parameter for image building #​37048
  • Align javadoc of AbstractFilterRegistrationBean#setDispatcherTypes #​36965
  • Update RestTemplateBuilder#defaultHeader javadoc to reference correct client-side HTTP request class #​36614
  • @since is missing from javadoc of values added to JavaVersion since its introduction #​36608
  • Document that server.forward-headers-strategy property defaults to native when running on Kubernetes #​36564
  • Clarify the effect of using @EnableWebMvc #​36506
  • Documentation of spring.redis.url incorrectly states that it does not override spring.redis.user #​36477
  • Improve documentation to describe how @EntityScan and @Enable?Repositories can be used to tune scanning #​36282
  • Document that scripts for database initialization are optional by default and how they can be made mandatory #​36176
  • Document @DataR2dbcTest support #​35014
  • Update expected size of the jar file in the first application getting started documentation #​34514
  • Improve documentation of spring.cache.type=none #​33694
  • Clarify that spring.security.filter properties only apply to servlet-based web apps #​33551
  • Describe quirks of JUL and Log4j2 in the javadoc of OutputCaptureExtension #​32562
  • Documentation describes how to opt in to using the path pattern parser but it's now the default #​32557
  • Clarify table that shows how logging properties are transferred to system properties #​32160
  • Rework Working with NoSQL Technologies to clarify which stores are supported by Spring Data #​29694
  • Clarify how nested directories are treated for configtree with wildcards #​28203
  • Document defaults for spring.mvc.format.* and spring.webflux.format.* properties #​30041

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​MahatmaFatalError, @​NersesAM, @​chicobento, @​dependabot[bot], @​dreis2211, @​eddumelendez, @​elevne, @​fzyzcjy, @​itsAkshayDubey, @​izeye, @​msobeck, @​rob-valor, @​spa-abaudat, and @​vpavic

v2.7.14

🐞 Bug Fixes

  • Only one health group can be exposed using management.endpoint.health.group.xxx.additional-path=server:/newpath when using Jersey #​36250
  • MockitoPostProcessor doesn't check FactoryBean.OBJECT_TYPE_ATTRIBUTE correctly #​36224
  • ConfigurationPropertiesReportEndpoint does not display primitive wrapper types #​36076
  • When using Flyway 9.20.0, auto-configuration fails with a NoSuchMethodError due to the removal of Oracle-related methods from FluentConfiguration #​36029
  • Saml2RelyingPartyRegistrationConfiguration can choose the wrong RelyingPartyRegistration.Builder when using a metadata file with multiple providers #​35902
  • ImportsContextCustomizer does not support AliasFor #​34917
  • ConfigurationPropertyName#equals is not symmetric when element has trailing dashes #​34804

📔 Documentation

  • Add Javadoc since to ImageReference.inTaglessForm() #​36048
  • Polish Kafka Properties Docs #​36032
  • Fix typo in the Using R2DBC section of the reference documentation #​36019
  • Improve Kubernetes liveness and readiness probes customization documentation #​34978
  • Document auto-configuration of underlying HTTP client when using WebClient or RestTemplate #​34136

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ThomazPassarelli, @​bbulgarelli, @​bedla, @​dependabot[bot], @​dkswnkk, @​eydunn, @​garyrussell, @​izeye, @​lasselindqvist, @​lmartelli, and @​quaff

v2.7.13

🐞 Bug Fixes

  • Spring Boot properties migrator can create circular references #​35919
  • Devtools does not support package-private main classes #​35858
  • Java 20 is supported but there's no value for it in the JavaVersion enum #​35758
  • Processing of @EndpointCloudFoundryExtension logs a warnings as it does not use @AliasFor on its override of the endpoint attribute #​35716
  • Actuator loggers list endpoint throws exception on Log4J2 loggers with custom log levels #​35227
  • Validation is not applied for ConfigurationProperties that implement Validator and use @ConstructorBinding #​33669

📔 Documentation

  • Description of spring.data.mongodb.uri property incorrectly states that it overrides spring.data.mongodb.database #​35686
  • Update description of spring-boot-starter-data-rest to clarify that it uses Spring MVC #​35678
  • Move property notes up to external configuration section #​35662
  • Document audience support in OAuth2 resource server #​35286
  • Add @DynamicPropertySource to documented list of property source ordering #​32901

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​bbulgarelli, @​bikash30851, and @​twobiers

v2.7.12

🐞 Bug Fixes

  • Welcome page may return a 404 when an acceptable response cannot be produced #​35552
  • Invalid reference format error when tagging images using Podman #​35358
  • FactoryBean.getObject for non-singleton executed when resetting mocks #​35324
  • Can't use PEM encoded PKCS#8 EC keys with server.ssl.certificate-private-key #​35322
  • Webflux server gracefulshutdown throws NullPointerException #​35264
  • Health actuator mail details shows the port as -1 when using the default port #​35247
  • SessionRepositoryFilterConfiguration can cause early initialization of SessionRepository beans including Redis #​35240
  • Devtools main method search algorithm can find incorrect main method #​35214
  • When a WebFlux app is deployed to Cloud Foundry some metrics are lost and numerous beans are ineligible for post-processing #​35163
  • Liveness and readiness probes return down when lazy initialization is enabled #​35161
  • Treating a null Flyway-specific password as an empty string prevents the use of PGPASS for authentication #​35110
  • WebClient auto-configuration tries to use HttpComponentsClientHttpConnector when all required classes are not present #​34964
  • MinIdle and MaxValidationTime properties missing for R2DBC pools #​34724

📔 Documentation

  • Polish formatting of permitAll() endpoint security Kotlin example #​35454
  • Wrong anchors in Maven plugin documentation #​35371
  • Correct list of annotations that are equivalent to @SpringBootApplication #​35180
  • Harmonize references to application.yaml files in reference docs #​34628

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​JunJaBoy, @​aasaru, @​davin111, and @​ivandimitrov8080

v2.7.11

🐞 Bug Fixes

  • CloudFoundry integration does not use endpoint path mappings #​35085
  • Gradle Spring Boot plugin with Kotlin DSL does not support includeProjectDependencies in bootJar > layered > dependencies configuration #​35033
  • Banner placeholders use default values too soon #​34764
  • Cassandra default configuration substitutions don't resolve against configuration derived from spring.data.cassandra properties #​34643
  • ApplicationAvailability bean is auto-configured even if a custom one is already present #​34347
  • Nested test classes don't inherit properties from slice test annotations on enclosing class #​33317

📔 Documentation

  • Use current Neo4j version in Testcontainers-based examples #​34775
  • Clarify servlet container compatibility #​34697
  • Document that optional dependencies are included by default in fat jars built with Maven #​34636

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​SeasonPanPan, @​acktsap, @​dreis2211, @​jgslima, @​krzyk, and @​meistermeier

v2.7.10

🐞 Bug Fixes

  • Some of the deprecated spring.security.saml2.relyingparty.registration.*.identityprovider.* properties are ignored #​34525
  • Maven plugin uses timezone-local timestamps when outputTimestamp is used #​34424
  • Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #​34405
  • EmbeddedWebServerFactoryCustomizerAutoConfiguration should not run when embedded web server is not configured #​34332
  • Image builds with podman fail when image buildpacks are configured #​34324
  • org.springframework.boot.web.embedded.jetty.GracefulShutdown uses the wrong class to create its logger #​34220
  • StandardConfigDataResource can import the same file twice if the classpath includes '.' #​34212

📔 Documentation

  • Document support for Java 20 #​34642
  • Update two references to old APIs #​34567
  • Clarify conventions for custom error pages in WebFlux #​34534
  • Add documentation tip showing how to configure publishRegistry Maven properties from the command line #​34517
  • Document support for Gradle 8 #​34458
  • Document how to get socket location for image building configuration with podman #​34435
  • Fix typo in Encrypting Properties #​34386
  • Use plugins DSL consistently in Spring Boot Gradle Plugin docs #​34048
  • Add link to Failover starter #​32943

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​1993heqiang, @​anandmnair, @​anthonydahanne, @​dsyer, @​izeye, @​jongwooo, and @​terminux

v2.7.9

🐞 Bug Fixes

  • Maven Plugin's PropertiesMergingResourceTransformer closes InputStream when it should not do so #​34063
  • Actuator Health web endpoint broken with Gson and Java 17 #​34030
  • Dependency management for Mongo's Java Driver is incomplete #​33941
  • Using devtools with Reactive application results in slower restarts #​33855
  • Spies are not reset after test execution when

@whitesource-demo whitesource-demo bot added the security fix Security fix generated by WhiteSource label Nov 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security fix Security fix generated by WhiteSource
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants