Skip to content

deps(deps): bump the spring group across 1 directory with 2 updates#268

Closed
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/maven/spring-9b7705898d
Closed

deps(deps): bump the spring group across 1 directory with 2 updates#268
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/maven/spring-9b7705898d

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 13, 2026
edited
Loading

Bumps the spring group with 2 updates in the / directory: org.springframework.boot:spring-boot-dependencies and org.springframework.boot:spring-boot-starter-test.

Updates org.springframework.boot:spring-boot-dependencies from 3.4.1 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.14

🐞 Bug Fixes

  • ApplicationPidFileWriter does not handle symlinks correctly #50173
  • RandomValuePropertySource is not suitable for secrets #50172
  • Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
  • ApplicationTemp does not handle symlinks correctly #50170
  • Remote DevTools performs comparison incorrectly #50169
  • spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
  • EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
  • Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
  • Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
  • WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
  • 500 response from env endpoint when supplied pattern is invalid #49942
  • HTTP method is lost when configuring excludes in EndpointRequest #49885
  • Docker Compose support doesn't work with apache/artemis image #49865
  • Honor HttpMethod for reactive additional endpoint paths #49864
  • Docker Compose support doesn't work with apache/activemq image #49863
  • Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

  • Link to the observability section of the Lettuce documentation is broken #50092
  • Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
  • MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
  • Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
  • Link to the Kubernetes documentation when discussing startup probes #50007
  • Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
  • Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

... (truncated)

Commits
  • 7d7b3ac Release v3.5.14
  • 9dc5aa2 Polish
  • f533a45 Do not follow symlinks when writing PID file
  • f3b8eb0 Use SecureRandom in RandomValuePropertySource
  • e22083a Enable hostname verification for SSL connections to Cassandra
  • 5ceb1a2 Improve ApplicationTemp's temporary directory creation
  • 4b0862c Use constant-time comparison for remote DevTools secret
  • e4febe2 Apply verify-hostname consistently
  • 2c2ffe5 Fix Windows test failure
  • 0046a44 Protect against corrupt buildpack archives
  • Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-starter-test from 3.4.1 to 3.5.14

Release notes

Sourced from org.springframework.boot:spring-boot-starter-test's releases.

v3.5.14

🐞 Bug Fixes

  • ApplicationPidFileWriter does not handle symlinks correctly #50173
  • RandomValuePropertySource is not suitable for secrets #50172
  • Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
  • ApplicationTemp does not handle symlinks correctly #50170
  • Remote DevTools performs comparison incorrectly #50169
  • spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
  • EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
  • Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
  • Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
  • WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
  • 500 response from env endpoint when supplied pattern is invalid #49942
  • HTTP method is lost when configuring excludes in EndpointRequest #49885
  • Docker Compose support doesn't work with apache/artemis image #49865
  • Honor HttpMethod for reactive additional endpoint paths #49864
  • Docker Compose support doesn't work with apache/activemq image #49863
  • Imports on a containing test class are ignored when a nested class has imports #49860

📔 Documentation

  • Link to the observability section of the Lettuce documentation is broken #50092
  • Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
  • MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
  • Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
  • Link to the Kubernetes documentation when discussing startup probes #50007
  • Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
  • Clarify that configuration property default values are not available through the Environment #49835

🔨 Dependency Upgrades

... (truncated)

Commits
  • 7d7b3ac Release v3.5.14
  • 9dc5aa2 Polish
  • f533a45 Do not follow symlinks when writing PID file
  • f3b8eb0 Use SecureRandom in RandomValuePropertySource
  • e22083a Enable hostname verification for SSL connections to Cassandra
  • 5ceb1a2 Improve ApplicationTemp's temporary directory creation
  • 4b0862c Use constant-time comparison for remote DevTools secret
  • e4febe2 Apply verify-hostname consistently
  • 2c2ffe5 Fix Windows test failure
  • 0046a44 Protect against corrupt buildpack archives
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
org.springframework.boot:spring-boot-dependencies [>= 4.a0, < 5]
org.springframework.boot:spring-boot-starter-test [>= 4.a0, < 5]

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 13, 2026

Labels

The following labels could not be found: dependencies, java. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner April 13, 2026 04:31
@github-actions github-actions Bot changed the base branch from main to develop April 13, 2026 04:32
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 13, 2026
edited
Loading

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

aether-datafixers-spring-boot-starter/pom.xml

PackageVersionLicenseIssue Type
org.springframework.boot:spring-boot-dependencies3.5.14NullUnknown License
Denied Licenses: GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later

OpenSSF Scorecard

PackageVersionScoreDetails
maven/org.springframework.boot:spring-boot-starter-test 3.5.14 🟢 6.3
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Maintained🟢 1030 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
License🟢 10license file detected
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
SAST⚠️ 0no SAST tool detected
Binary-Artifacts🟢 5binaries present in source code
Fuzzing🟢 10project is fuzzed
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4
maven/org.springframework.boot:spring-boot-dependencies 3.5.14 🟢 6.3
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Maintained🟢 1030 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
License🟢 10license file detected
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
SAST⚠️ 0no SAST tool detected
Binary-Artifacts🟢 5binaries present in source code
Fuzzing🟢 10project is fuzzed
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4

Scanned Files

  • aether-datafixers-functional-tests/pom.xml
  • aether-datafixers-spring-boot-starter/pom.xml

@dependabot dependabot Bot changed the base branch from develop to main April 20, 2026 04:32
@dependabot dependabot Bot force-pushed the dependabot/maven/spring-9b7705898d branch from c1f8472 to 480f637 Compare April 20, 2026 04:32
@dependabot dependabot Bot changed the title deps(deps): bump the spring group with 2 updates deps(deps): bump the spring group across 1 directory with 2 updates Apr 20, 2026
@github-actions github-actions Bot changed the base branch from main to develop April 20, 2026 04:32
@dependabot dependabot Bot changed the base branch from develop to main April 27, 2026 04:32
@dependabot dependabot Bot force-pushed the dependabot/maven/spring-9b7705898d branch from 480f637 to f7a5955 Compare April 27, 2026 04:32
@github-actions github-actions Bot changed the base branch from main to develop April 27, 2026 04:33
@dependabot
deps(deps): bump the spring group across 1 directory with 2 updates
708bfab 
Bumps the spring group with 2 updates in the / directory: [org.springframework.boot:spring-boot-dependencies](https://github.com/spring-projects/spring-boot) and [org.springframework.boot:spring-boot-starter-test](https://github.com/spring-projects/spring-boot).


Updates `org.springframework.boot:spring-boot-dependencies` from 3.4.1 to 3.5.14
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.4.1...v3.5.14)

Updates `org.springframework.boot:spring-boot-starter-test` from 3.4.1 to 3.5.14
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.4.1...v3.5.14)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 3.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: spring
- dependency-name: org.springframework.boot:spring-boot-starter-test
  dependency-version: 3.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: spring
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the base branch from develop to main April 27, 2026 04:34
@dependabot dependabot Bot force-pushed the dependabot/maven/spring-9b7705898d branch from f7a5955 to 708bfab Compare April 27, 2026 04:34
@github-actions github-actions Bot changed the base branch from main to develop April 27, 2026 04:34
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 30, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/maven/spring-9b7705898d branch April 30, 2026 10:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Splatcrafter