Skip to content

fix(deps): update dependency org.springframework:spring-web to v6 [security] #1169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency org.springframework:spring-web to v6 [security] #1169

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jun 4, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
org.springframework:spring-web 5.2.22.RELEASE -> 6.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2016-1000027

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

CVE-2024-22259

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.

CVE-2024-38809

Description

Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

org.springframework:spring-web in versions

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.

CVE-2024-22262

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.0.0

Compare Source

See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

⭐ New Features
  • Avoid direct URL construction and URL equality checks #​29486
  • Simplify creating RFC 7807 responses from functional endpoints #​29462
  • Allow test classes to provide runtime hints via declarative mechanisms #​29455
📔 Documentation
  • Align javadoc of DefaultParameterNameDiscoverer with its behavior #​29494
  • Document AOT support in the TestContext framework #​29482
  • Document Ahead of Time processing in the reference guide #​29350
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ophiuhus and @​wilkinsona

v5.3.39

⭐ New Features
  • SimpleEvaluationContext should disable array allocation #​33386

v5.3.38

⭐ New Features
  • Efficient handling of conditional HTTP requests #​33378
🐞 Bug Fixes
  • Fix incorrect weak ETag validation #​33377
  • SimpleEvaluationContext does not enforce read-only semantics #​33320
  • ConversionService cannot convert primitive array to Object[] #​33314
  • SpEL Indexer silently ignores failure to set property as index #​33312
  • Mockito mock falsely initialized as CGLIB proxy with AspectJ aspect #​33142
  • "file:." cannot be resolved to java.nio.file.Path (and plain "." value resolves to classpath root) #​33140
📔 Documentation
  • Typo in Annotation-driven Listener Endpoints section of Spring Framework documentation #​33052
  • Container Extension Points section of Spring Framework documentation refers to the wrong property name #​33039
  • Incorrect constructor details in the javadoc for ApplicationContextEvent #​33034
🔨 Dependency Upgrades

v5.3.37

⭐ New Features
  • AnnotationUtils performance degrades with deep stacks #​32923
🐞 Bug Fixes
  • AspectJ CTW aspects executed twice #​32974
  • SpEL compilation fails when indexing into a Map with a primitive #​32911
  • SpEL compilation fails when indexing into an array or list with an Integer #​32909
  • Application not starting with @EnableTransactionManagement(mode = AdviceMode.ASPECTJ) #​32885
🔨 Dependency Upgrades

v5.3.36

🐞 Bug Fixes
  • Overridden aspect method runs twice #​32868
  • @DateTimeFormat(iso = DateTimeFormat.ISO.DATE\_TIME) cannot convert UTC without milliseconds to java.util.Date #​32860
  • Spring AOP fails against registered @Configurable aspect #​32840

v5.3.35

⭐ New Features
  • Accept ajc-compiled @Aspect classes for Spring AOP proxy usage #​32818
🐞 Bug Fixes
  • DeferredQueryInvocationHandler fails to unwrap QuerySqmImpl class outside of transaction #​32770
  • MergedAnnotations search does not find container for repeatable annotation #​32751
  • AnnotationConfigWebApplicationContext should propagate ApplicationStartup to BeanFactory #​32749
  • Ignore non-String keys in PropertiesPropertySource.getPropertyNames() #​32744
  • "multiple subscribers not supported" when using WebClient exchange #​32728
  • Deadlock/Stall in ConcurrentWebSocketSessionDecorator with Undertow 2.3.10 #​32698
📔 Documentation
  • Correct documentation on streaming with MockMvcWebTestClient #​32723
  • Update links to HttpOnly documentation at OWASP in ResponseCookie #​32668
🔨 Dependency Upgrades

v5.3.34

⭐ New Features
  • Log column type for limited support message in JdbcUtils.getResultSetValue #​32603
  • Avoid additional unnecessary Annotation array cloning in TypeDescriptor #​32477
  • Avoid cloning empty Annotation array in TypeDescriptor #​32466
🐞 Bug Fixes
  • Refine scheme, userinfo, host and port parsing in UriComponentsBuilder #​32618
  • MethodIntrospector.selectMethods() fails to detect bridge methods across ApplicationContexts #​32588
  • JmsUtils.commitIfNecessary catches and ignores JMS IllegalStateException, losing message with ActiveMQ Artemis #​32480
  • Consistently apply TaskDecorator to ManagedExecutorService as well #​32457
🔨 Dependency Upgrades

v5.3.33

⭐ New Features
  • Extract reusable method for URI validations #​32442
  • Allow UriTemplate to be built with an empty template #​32438
  • Refine *HttpMessageConverter#getContentLength return value null safety #​32332
🐞 Bug Fixes
  • AopUtils.getMostSpecificMethod does not return original method for proxy-derived method anymore #​32369
  • Better protect against concurrent error handling for async requests #​32342
  • Restore Jetty 10 compatibility in JettyClientHttpResponse #​32337
  • ContentCachingResponseWrapper no longer honors Content-Type and Content-Length #​32322
📔 Documentation
  • Build KDoc against 5.3.x Spring Framework Javadoc #​32414
🔨 Dependency Upgrades

v5.3.32

⭐ New Features
  • Add CORS support for Private Network Access #​31974
  • Avoid early getMostSpecificMethod resolution in CommonAnnotationBeanPostProcessor #​31969
🐞 Bug Fixes
  • Consistent parsing of user information in UriComponentsBuilder #​32247
  • QualifierAnnotationAutowireCandidateResolver.checkQualifier does identity checks when comparing arrays used as qualifier fields #​32108
  • Guard against multiple body subscriptions in Jetty and JDK reactive responses #​32101
  • Static resources caching issues with ShallowEtagHeaderFilter and Jetty caching directives #​32051
  • ChannelSendOperator.WriteBarrier race condition in request(long) method leads to response being dropped #​32021
  • Spring AOP does not propagate arguments for dynamic prototype-scoped advice #​31964
  • MergedAnnotation swallows IllegalAccessException for attribute method #​31961
  • CronTrigger hard-codes default ZoneId instead of participating in scheduler-wide Clock setup #​31950
  • MergedAnnotations finds duplicate annotations on method in multi-level interface hierarchy #​31825
  • PathEditor cannot handle absolute Windows paths with forward slashes #​31728
  • Include Hibernate's Query.scroll() in SharedEntityManagerCreator's queryTerminatingMethods set #​31684
  • TypeDescriptor does not check generics in equals method (for ConversionService caching) #​31674
  • Slow SpEL performance due to method sorting in ReflectiveMethodResolver #​31665
  • Jackson encoder releases resources in wrong order #​31657
  • WebSocketMessageBrokerStats has null stats for stompSubProtocolHandler since 5.3.2 #​31642
📔 Documentation
  • Document cron-vs-quartz parsing convention for dayOfWeek part in CronExpression #​32131
🔨 Dependency Upgrades

v5.3.31

⭐ New Features
  • Log4jLog needs to re-resolve ExtendedLogger on deserialization (for compatibility with Log4J 2.21) #​31583
🐞 Bug Fixes
  • MessageBuilder#createMessage should not define the payload as @Nullable #​31611
  • Avoid duplicate JAR resources in PathMatchingResourcePatternResolver on MS Windows #​31603
  • Spring web integration commons fileupload receives files and other parameter uploads, with a null pointer #​31564
  • Function column out doesn't resolve to SqlOutParameter #​31560
  • Resolve to empty MultiValueMap when no matrix variables are provided #​31484
  • BeanUtils.copyProperties() consumes large amount of memory #​31481
  • CGLIB BeanCopier falls back to ClassLoader.defineClass for public target #​31436
  • R2DBC Connection is closed during transaction when using TransactionAwareConnectionFactoryProxy #​31411
  • HibernateJpaDialect and HibernateExceptionTranslator throw SQLExceptionTranslator-provided exception instead of returning it #​31410
  • NamedParameterJdbcTemplate throws unexpected exception for null query #​31394
  • LazyResolutionMessage does not implement proper toString #​31385
  • Illegal reflective access in ContextOverridingClassLoader.isEligibleForOverriding #​31233
📔 Documentation
  • Clarify documentation for @Transactional on interfaces #​31401
  • Default behavior of BeanPropertyRowMapper.getColumnValue(ResultSet, int, Class) inconsistent with code #​31349
  • Referencing a @Bean method in a @Configuration class' @PostConstruct method leads to circular reference #​31339
  • Incorrect reference information about CGLIB supported method visibility #​31311
🔨 Dependency Upgrades

v5.3.30

⭐ New Features
  • Optimize ClassUtils#getMostSpecificMethod #​31100
  • Optimize whitespace checks in StringUtils #​31069
  • Align validation metadata handling in PayloadMethodArgumentResolver #​31056
  • Register an override for an existing adapter in ReactiveAdapterRegistry #​31048
  • Make bean initialization deterministic for multiple @Autowired methods on same bean class #​30994
  • Performance bottlenecks while creating scoped bean instances #​30892
🐞 Bug Fixes
  • Possible classloader leak through incomplete clearing of annotation caches #​31176
  • Spring LogFactory implementation deviates from original Apache LogFactory in terms of abstract method declarations #​31167
  • Bean injection fails due to nullSafeConciseToString() invoking isEmpty() on a Map/Collection proxy #​31156
  • SpelExpressionParser throws IllegalStateException instead of ParseException for invalid expression #​31099
  • @DynamicPropertySource in @Nested test class cannot override dynamic properties from enclosing class #​31085
  • TransactionalApplicationListenerMethodAdapter should find @TransactionalEventListener on target class method #​31037
  • ScheduledAnnotationBeanPostProcessor: graceful shutdown should not interrupt currently running jobs #​31020
  • Permgen memory leak due to ClassInfo caching in java.beans.Introspector on JDK 11/17 #​31005
  • MethodIntrospector.selectMethods(?) fails to find methods in case of special bridge method arrangement #​30907
📔 Documentation
  • Fix documentation: Passing in Lists of Values for IN Clause does not work with JdbcTemplate #​31229
  • Refine CORS documentation for wildcard processing #​31168
  • Propagation REQUIRES_NEW may cause connection pool deadlock #​31040
  • Clarify R2DBC ConnectionAccessor and DatabasePopulator exception declarations #​30933
  • Doc: Avoid deadlock in @PostConstruct through SmartInitializingSingleton or ContextRefreshedEvent #​30889

v5.3.29

⭐ New Features
  • Avoid illegal reflective access in ContextOverridingClassLoader.isEligibleForOverriding #​30868
  • Improve diagnostics for CGLIB ClassLoader issues with shared classes in parent ClassLoader #​30866
  • JdbcTemplate does not call handleWarnings in case of exception #​30852
  • Tolerate AnnotationUtils.isCandidateClass call with null as annotation type #​30843
  • Simplify DefaultSingletonBeanRegistry.isDependent() #​30841
  • Provide explicit support for collections, maps, and arrays in ObjectUtils.nullSafeConciseToString() #​30811
  • Extend list of supported types in ObjectUtils.nullSafeConciseToString() #​30806
  • Align ConcurrentMapCacheManager locking behavior with CaffeineCacheManager #​30781
  • ResolvableType.hasUnresolvableGenerics() should cache its result #​30715
  • Ensure Spring LogFactory contains all public methods from Apache LogFactory #​30711
  • Translate SQL Exception with State S0001 and Vendor Code 2628 to a Spring Exception in MSSQL 2019 #​30682
🐞 Bug Fixes
  • For a prototype bean, if first-time rejected value is null, subsequent value will wrongly be null always #​30809
  • Revert changes to toString() in FieldError #​30800
  • Fix log level on error with @TransactionalEventListener #​30784
  • SerializableTypeWrapper does not consistently catch InvocationTargetException #​30767
  • NPE in MvcUriComponentsBuilder with no-arg target method on interface #​30757
  • Jackson2ObjectMapperBuilder breaks when modules customizer follows modulesToInstall #​30752
  • Spring ORM SpringBeanContainer when trying to create a bean fails with not found bean definition, and fallbacks to default hibernate bean creation #​30685
📔 Documentation
  • ResultSet holdability into the View layer broken by Hibernate 5 #​30863
  • Clarify ReactiveTransactionManager exception declarations #​30819
  • Doc: JdbcTransactionManager vs DataSourceTransactionManager #​30814
🔨 Dependency Upgrades

v5.3.28

⭐ New Features
  • ClassLoader can be null in DeserializingConverter and should be annotated with @Nullable #​30672
  • Performance optimization in AbstractBeanFactoryBasedTargetSource.hashCode() #​30585
  • Consistent support for MultiValueMap and common Map implementations in CollectionFactory #​30441
  • Reject null and empty SpEL expressions #​30373
  • Introduce Environment.matchesProfiles() for profile expressions #​30226
🐞 Bug Fixes
  • Change of behaviour for UUID in bean validation output in v5.3.27 #​30662
  • Spring Framework 5.3.27 appears to cause issues in OSGi environment #​30637
  • Inconsistent ProxyCallbackFilter#equals/hashCode methods in CglibAopProxy #​30616
  • EclipseLinkJpaDialect: Unexpected default isolation levels #​30589
  • ThreadLocalTargetSource does not include actual target bean name in NamedThreadLocal #​30586
  • ApplicationListenerMethodAdapter inconsistently publishes events from CompletableFuture #​30584
  • For @Bean method that returns null, @Autowired injects NullBean instead of null for cached arguments #​30551
  • Make maximum SpEL expression length configurable #​30446
  • Respect TaskDecorator configuration on DefaultManagedTaskExecutor #​30443
📔 Documentation
  • Document which @Scheduled attributes support SpEL expressions #​30642
  • FileSystemUtils::deleteRecursively Javadoc refers to File instead of Path #​30555
🔨 Dependency Upgrades

v5.3.27

⭐ New Features
  • Limit string concatenation in SpEL expressions #​30331
  • Limit SpEL expression length #​30329
  • Disable variable assignment in SimpleEvaluationContext #​30327
  • Introduce StringUtils.truncate() #​30291
  • Introduce ObjectUtils.nullSafeConciseToString() #​30287
  • Make HttpComponentsHeadersAdapter#getFirst nullable #​30269
🐞 Bug Fixes
  • Fix regression in ReactorServerHttpRequest related to IPV6 Zone id with "%" #​30314
  • SSE breaks with indenting serializer in WebMvc.fn #​30302
  • Increase max regex length in SpEL expressions #​30298
  • NullPointerException on timeout in HttpComponentsClientHttpConnector when using Apache HttpComponents #​30246
  • Wrong MockRestRequestMatchers.header() method in spring-test being invoked (JDK issue?) #​30235
  • TypeNotPresentException: org/springframework/cglib/proxy/NoOp not present on Java 17 #​30228
  • Refine generic type management in AbstractMessageWriterResultHandler #​30215
  • MvcUriComponentsBuilder.fromMethodCall breaks for controller with CharSequence return type #​30212
  • Handle all exceptions for stored proc output param retrieval in SharedEntityManagerCreator #​30164
📔 Documentation
  • Fix @PathVariable reference documentation code snippets #​30258
  • Fix example in Javadoc for @EnableWebSocket #​30187
  • Fix anchor in link to "Web on Reactive Stack" chapter #​30163
🔨 Dependency Upgrades

v5.3.26

⭐ New Features
  • Improve diagnostics in SpEL for matches operator #​30145
  • Improve diagnostics in SpEL for repeated text #​30143
  • Increase scope of regex pattern cache for the SpEL matches operator #​30141
  • Minor updates in HandlerMappingIntrospector #​30128
  • Allow SnakeYaml 2.0 runtime compatibility #​30097
  • Add missing @Nullable annotations to LogMessage.format methods #​30009
  • ASM upgrade for JDK 20/21 support #​29966
  • Allow MockRest to match header/queryParam value list with one Matcher #​29964
  • Add MockMvc.multipart() Kotlin extensions with HttpMethod #​29941
  • Release R2DBC connection when cleanup fails in transaction #​29925
  • org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #​29909
  • Improve generated default name for @JmsListener subscription #​29902
  • Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #​29888
  • SQL supplier in R2DBC DatabaseClient is eagerly invoked #​29887
  • Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #​29867
  • Possible infinite forward loop with MockMvcWebConnection #​29866
  • Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #​29860
  • Fix R2dbcTransactionManager debug log: don't log a Mono #​29824
🐞 Bug Fixes
  • RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #​30121
  • SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #​30118
  • CaffeineCacheManager getCache method cause thread block #​30085
  • Protect JMS connection creation against prepareConnection errors #​30051
  • ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #​29974
  • WebSocket stats not updated correctly when sessions cleared #​29947
  • Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #​29914
  • Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #​29908
  • Invalid Accept header results in IllegalStateException #​29836
  • JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #​29256
📔 Documentation
  • Fix minor spacings in webflux docs #​30095
  • @AspectJ argument name resolution algorithm is outdated in reference manual #​30057
  • Fix "Configuring a Global Date and Time Format" example #​30036
  • Consistent @Bean method return type for equivalence with XML example #​29970
  • Update @DynamicPropertySource examples regarding changes in Testcontainers #​29940
  • Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #​29926
  • Clearly document that DataClassRowMapper supports Java records #​29922
  • Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #​29916
🔨 Dependency Upgrades
  • Upgrade to Reactor Netty 2020.0.30 #​30116

v5.3.25

⭐ New Features
  • JmsTemplate.convertAndSend throws NullPointerException during shutdown #​29719
  • Optimize object creation in RequestMappingHandlerMapping#handleNoMatch #​29667
  • Add title to SockJS iFrames for accessibility compliance #​29596
🐞 Bug Fixes
  • ResourceHandlers cannot resolve static resources with certain wildcard patterns #​29716
  • AnnotatedElementUtils.findMergedRepeatableAnnotations does not fetch results when other attributes exist for container annotation #​29686
  • BeanWrapperImpl NPE in setWrappedInstance after invoking getPropertyValue (with SimpleBeanInfoFactory) #​29684
  • SpEL ConstructorReference does not generate AST representation of arrays #​29666
  • SpEL: Two double quotes are replaced by one double quote in single quoted String literal (and vice versa) #​29653
  • SpEL string literal misses single quotation marks in toStringAST() #​29652
  • 500 error from WebFlux when parsing Content-Type leads to InvalidMediaTypeException #​29637
  • WebMvcConfigurationSupport should not catch Throwable for SourceHttpMessageConverter #​29537
📔 Documentation
  • Update Jakarta Mail info in ref docs #​29708
  • Improve documentation for literals in SpEL expressions #​29701
  • Fix some typos in Kotlin WebClient example code #​29542
  • Fix link to Bean Utils Light Library in BeanUtils Javadoc #​29536
  • Fix link to WebFlux section in reference manual #​29526
  • Link to Spring WebFlux section is broken #​29517
🔨 Dependency Upgrades

v5.3.24

⭐ New Features
  • Avoid reflection for annotation method invocations #​29448
  • Avoid unnecessary allocations in StompDecoder#unescape #​29443
  • Avoid String allocations in MediaType.checkParameters #​29428
  • Reduce allocations caused by producible media types #​29412
  • Provide optional SimpleBeanInfoFactory for better introspection performance in 5.3.x #​29330
  • Filter out null WebSocket session attributes #​29315
  • Introduce TestSocketUtils as a replacement for SocketUtils #​29132
  • Avoid Commons Logging API for using LoggingCacheErrorHandler with a custom logger #​28678
🐞 Bug Fixes
  • Missing SessionFactory property (filter AutoCloseable from PropertyDescriptors) #​29480
  • SpEL ternary and Elvis expressions are missing enclosing parentheses in toStringAST() #​29463
  • If-Unmodified-Since header check removes Last-Modified and Etag headers from response, even if condition passes #​29362
  • Annotation searches fail for non-public repeatable annotations #​29301
  • AbstractBeanFactory's interaction with BeanPostProcessorCacheAwareList is not fully thread-safe #​29299
  • WebTestClient cannot assert custom HTTP status code #​29283
  • Body token not expected error when trying to upload a large multipart file #​29227
  • Avoid resizing of Maps created by CollectionUtils #​29190
  • DefaultWebClient logging sensitive information in URI #​29148
  • Fix SimpleMailMessage nullability annotations #​29139
  • Webflux fails to apply the rule for controller methods returning void to kotlin suspend functions returning Unit #​27629
  • Resource.isFile() return true when the resource path actually not exists #​26707
  • AnnotatedElementUtils does not find merged repeatable annotations on other repeatable annotations #​20279
📔 Documentation
  • Fix two typos in integration.adoc and webflux.adoc #​29469
  • Fix typo: "as describe in" -> "as described in" #​29393
  • Fix typos #​29364
  • Correct documentation for "other return values" from a web controller method #​29349
  • Document how to use WebJars without webjars-locator-core dependency #​29322
  • Update RestTemplate Javadoc with regards to setting interceptors on startup vs at runtime #​29311
  • Document how to switch to the default set of TestExecutionListeners #​29281
  • Document limitation of AopTestUtils.getUltimateTargetObject() regarding non-static TargetSource #​29276
  • Fix typo in WebSocket reference doc regarding subscription header #​29228
  • Fix MockMvc sample setup #​29201
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.3.23

⭐ New Features
  • Introduce AnnotationUtils.isSynthesizedAnnotation(Annotation) #​29054
  • Introduce createContext() factory method in AbstractGenericWebContextLoader #​28983
  • Support TreeSet collection type in CollectionFactory.createCollection() without using reflection #​28949
  • Document when RequestEntity.getUrl() throws an UnsupportedOperationException #​28930
  • Deprecate NestedIOException #​28929
  • Make isConnected() in WebSocketConnectionManager public #​28785
  • Expose headers from STOMP RECEIPT frame to registered callbacks #​28715
  • Make WebClientException serializable #​28321
🐞 Bug Fixes
  • Ordering inconsistency with beans defined in parent context #​29105
  • RelativeRedirectResponseWrapper does not commit response in sendRedirect #​29050
  • MockServerContainerContextCustomizerFactory does not support @Nested tests #​29037
  • Request to improve KotlinSerializationJsonHttpMessageConverter logic in RestTemplate #​29008
  • WebFlux: multipart requests hang sometimes #​28963
  • DataBufferUtils.write(Publisher, Path) loses context #​28933
  • connectionTimeOut and readTimeout not working on UrlResource #​28909
  • SockJsServiceRegistration#setSupressCors has a typo and should be deprecated #​28853
  • RenderingResponse does not set status code on redirect views #​28839
  • Avoid IllegalArgumentException when setting WebSocket error status #​28836
  • Loss of context path after using ServerRequest.from #​28820
  • ResponseCookie does not declare nullability annotations consistently for domain and path #​28780
📔 Documentation
  • Fix typo in data-access section #​29048
  • Correct description of @RequestParam with WebFlux #​28944
  • Fix broken kdoc-api links in kotlin.adoc #​28908
  • Fix typos in Javadoc of class AbstractEncoder #​28885
  • Fix links in Javadoc and reference docs #​28876
  • Add missing closing parenthesis in reference doc #​28867
  • Fix typos in Javadoc, reference docs, and code #​28822
  • Replace use of the <tt> HTML tag in Javadoc #​28819
  • Fix broken link in rsocket documentation #​28817
  • Clarify docs on JNDI properties in Servlet environment #​28488
  • Improve documentation of Caching annotations #​28183
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

[v5.3.22](https://redirect.github.com/spring-projects/spri

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security Pull requests that address a security vulnerability label Jun 4, 2025
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch from 4f0cf80 to d2cba8c Compare June 5, 2025 05:23
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch 7 times, most recently from e8b0814 to 7396749 Compare June 20, 2025 12:31
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch from 7396749 to 7b40a1e Compare July 2, 2025 06:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security Pull requests that address a security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants