@renovate renovate bot commented Jul 29, 2025

This PR contains the following updates:

| Package | Change |
|---|---|
| org.springframework.security:spring-security-crypto (source) | 6.4.5 -> 6.5.2 |
| org.springframework.security:spring-security-config (source) | 6.4.5 -> 6.5.2 |
| org.springframework.security:spring-security-core (source) | 6.4.5 -> 6.5.2 |
| org.springframework.security:spring-security-web (source) | 6.4.5 -> 6.5.2 |

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-crypto)

v6.5.2

Compare Source

🪲 Bug Fixes

  • <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #​17495
  • Add 7.0 Migration Steps for Messaging PathPattern Usage #​17509
  • EnableReactiveMethodSecurity should not import Servlet configuration #​17545
  • Fix equals and hashCode in PathPatternRequestMatcher to include HTTP method #​17337
  • Fix securityContextRepository() initialization in oauth2Login() DSL #​17557
  • OAuth2Login DSL should support post-processing AuthenticationProvider implementations #​17176
  • Websocket XML config should pick up PathPatternMessageMatcher.Builder #​17508

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​fkowal and @​therepanic

v6.5.1

Compare Source

⭐ New Features

  • Create demonstration of include-code usage #​17161
  • Setup include-code extension for docs #​17160

🪲 Bug Fixes

  • ClearSiteDataHeaderWriter log is misleading #​17166
  • Fix to allow multiple AuthenticationFilter instances to process each request #​17216
  • Inconsistent constructor declaration on bean with name '_reactiveMethodSecurityConfiguration' #​17210
  • OAuth2ResourceServer using authenticationManagerResolver results in tokenAuthenticationManager cannot be null while startup #​17172
  • Publishing a default TargetVisitor should not override Spring MVC support #​17189
  • Use HttpStatus in back-channel logout filters #​17157

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #​17233
  • Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE #​17192
  • Bump io-spring-javaformat from 0.0.43 to 0.0.45 #​17152
  • Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #​17220
  • Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #​17232
  • Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #​17204
  • Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #​17214
  • Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #​17184
  • Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #​17256
  • Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17257
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17239
  • Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​evgeniycheban

v6.5.0

Compare Source

⭐ New Features

  • Add documentation for DPoP support #​17072
  • Add logging to CsrfTokenRequestHandler implementations #​16994
  • Add mapping for DPoP in DefaultMapOAuth2AccessTokenResponseConverter #​16806
  • Bump Gradle Wrapper from 8.13 to 8.14 #​17018
  • ClientRegistrations.fromIssuerLocation does not include failure information #​17015
  • Fix Typo In SubjectDnX509PrincipalExtractorTests #​16997
  • Implement internal cache in JtiClaimValidator #​17107
  • Polish javadoc #​16924
  • Remove unused classes #​16935
  • Replace NimbusOpaqueTokenIntrospector with SpringOpaqueTokenIntrospector in Documentation #​16962
  • RequestHeaderAuthenticationFilter creates a session even if not configured to do so #​17147

🪲 Bug Fixes

  • Add FunctionalInterface To X509PrincipalExtractor #​16952
  • Change NonNull import from reactor to spring #​16571
  • Fix DPoP jkt claim to be JWK SHA-256 thumbprint #​17080
  • Minor error in the Handling Logouts documentation #​17049
  • SecurityAnnotationScanner's method comparison should use .equals #​17145
  • Use proper configuration key in Opaque Token documentation #​17014

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #​17069
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.19.0 #​16995
  • Bump com.google.code.gson:gson from 2.13.0 to 2.13.1 #​16990
  • Bump com.webauthn4j:webauthn4j-core from 0.29.0.RELEASE to 0.29.1.RELEASE #​17024
  • Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #​17095
  • Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #​17096
  • Bump io.mockk:mockk from 1.14.0 to 1.14.2 #​17019
  • Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #​17111
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #​17040
  • Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #​17088
  • Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #​16761
  • Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #​17089
  • Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #​17105
  • Bump org.seleniumhq.selenium:selenium-java from 4.31.0 to 4.32.0 #​17037
  • Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #​16981
  • Bump org.springframework.data:spring-data-bom from 2024.1.5 to 2024.1.6 #​17137
  • Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #​17124

🔩 Build Updates

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dkowis, @​franticticktick, @​hammadirshad, @​jearton, @​ngocnhan-tran1996, @​quaff, and @​yybmion

v6.4.8

Compare Source

🪲 Bug Fixes

  • <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #​17494
  • Fix securityContextRepository() initialization in oauth2Login() DSL #​17502
  • Support add nested security configurers during builder initialization #​17020

🔨 Dependency Upgrades

  • Bump io-spring-javaformat from 0.0.46 to 0.0.47 #​17464
  • Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17576
  • Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #​17463
  • Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17574
  • Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #​17465
  • Bump org.hibernate.orm:hibernate-core from 6.6.19.Final to 6.6.20.Final #​17490
  • Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #​17575
  • Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17480
  • Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17577
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17462
  • Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17461
  • Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17578

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​kse-music and @​marcusdacoregio

v6.4.7

Compare Source

🪲 Bug Fixes

  • ClearSiteDataHeaderWriter log is misleading #​17165
  • Fix inconsistent constructor declaration for ReactiveAuthorizationManagerMethodSecurityConfiguration #​17197
  • Fix to allow multiple AuthenticationFilter instances to process each request #​17215
  • Use HttpStatus in back-channel logout filters #​17156

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #​17229
  • Bump io-spring-javaformat from 0.0.43 to 0.0.45 #​17148
  • Bump io-spring-javaformat from 0.0.45 to 0.0.46 #​17199
  • Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #​17221
  • Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #​17230
  • Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #​17206
  • Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #​17212
  • Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #​17183
  • Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #​17253
  • Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17254
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17237
  • Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17236

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​damable-nuvolex

v6.4.6

Compare Source

⭐ New Features

  • Bump Gradle Wrapper from 8.13 to 8.14 #​17017
  • ClientRegistrations.fromIssuerLocation does not include failure information #​17016
  • RequestHeaderAuthenticationFilter creates a session even if not configured to do so #​17146

🪲 Bug Fixes

  • Clear Site Data references non-existent constructor #​17034
  • Ensure Serializable Components Have Serialization Sample #​17038
  • Minor error in the Handling Logouts documentation #​17048
  • NPE in BaseOpenSamlAuthenticationProvider #​17008
  • SecurityAnnotationScanner's method comparison should use .equals #​17143
  • StrictFirewallServerWebExchange should still protect when request is mutated #​17032
  • Use proper configuration key in Opaque Token documentation #​17013

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #​17065
  • Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #​17094
  • Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #​17110
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #​17042
  • Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #​17086
  • Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #​17087
  • Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #​17103
  • Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #​16983
  • Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #​17121

🔩 Build Updates


Configuration

📅 Schedule: Branch creation - "after 7am and before 11am every weekday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 29, 2025
@hmcts-jenkins-a-to-c hmcts-jenkins-a-to-c bot deployed to preview July 29, 2025 07:36 Active
@github-actions github-actions bot closed this Aug 4, 2025
renovate bot commented Aug 4, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (6.5.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/spring-security branch August 4, 2025 10:05