@renovate renovate bot commented Feb 15, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package (change):
org.springframework.boot:spring-boot-starter-validation (source): 3.3.1 -> 3.5.10
org.springframework:spring-core: 6.1.6 -> 6.2.15
org.springframework:spring-web: 6.1.6 -> 6.1.21
jakarta.validation:jakarta.validation-api (source): 3.0.2 -> 3.1.1
com.fasterxml.jackson.datatype:jackson-datatype-jsr310: 2.14.0 -> 2.21.0
com.fasterxml.jackson.core:jackson-databind (source): 2.14.0 -> 2.21.0
net.logstash.logback:logstash-logback-encoder: 7.1.1 -> 7.4
ch.qos.logback:logback-classic (source, changelog): 1.2.11 -> 1.2.13
ch.qos.logback:logback-core (source, changelog): 1.2.11 -> 1.5.25
org.projectlombok:lombok (source): 1.18.36 -> 1.18.42
commons-codec:commons-codec (source): 1.15 -> 1.21.0
org.apache.commons:commons-lang3 (source): 3.12.0 -> 3.18.0

GitHub Vulnerability Alerts

CVE-2024-38809

Description

Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

org.springframework:spring-web in versions

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.

CVE-2024-38820

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

CVE-2025-41234

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all the following are true:

  • The header is prepared with org.springframework.http.ContentDisposition.
  • The filename is set via ContentDisposition.Builder#filename(String, Charset).
  • The value for the filename is derived from user-supplied input.
  • The application does not sanitize the user-supplied input.
  • The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

  • The application does not set a “Content-Disposition” response header.
  • The header is not prepared with org.springframework.http.ContentDisposition.
  • The filename is set via one of:
    • ContentDisposition.Builder#filename(String), or
    • ContentDisposition.Builder#filename(String, ASCII)
  • The filename is not derived from user-supplied input.
  • The filename is derived from user-supplied input but sanitized by the application.
  • The attacker cannot inject malicious content in the downloaded content of the response.

Affected Spring Products and Versions

Spring Framework

  • 6.2.0 - 6.2.7
  • 6.1.0 - 6.1.20
  • 6.0.5 - 6.0.28
  • Older, unsupported versions are not affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) -> Fix version (Availability)
6.2.x -> 6.2.8 (OSS)
6.1.x -> 6.1.21 (OSS)
6.0.x -> 6.0.29 (Commercial)

No further mitigation steps are necessary.

CVE-2023-6378

A serialization vulnerability in the logback receiver component allows an attacker to mount a Denial-of-Service attack by sending poisoned data.

This is only exploitable if the logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html

CVE-2024-12798

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.

A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

CVE-2024-12801

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML.

The attack involves modification of the DOCTYPE declaration in XML configuration files.

CVE-2025-11226

QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before program execution.

A successful attack requires the Janino library and Spring Framework to be present on the user's class path. Additionally, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges.

CVE-2026-1225

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

CVE-2025-48924

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.

The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.


Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-validation)

v3.5.10

Compare Source

v3.5.9

Compare Source

v3.5.8

Compare Source

⚠️ Noteworthy changes
🐞 Bug Fixes
  • Gradle war task does not exclude starter POMs from lib-provided #​48196
  • Testcontainers integration fails on Docker 29.0.0 #​48192
  • SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #​48180
  • Properties bound in the child management context ignore the parent's environment prefix #​48176
  • ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #​48153
  • Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #​48129
  • New arm64 macbooks fail to bootBuildImage due to incorrect platform image #​48127
  • NullPointerException when using @ConditionalOnSingleCandidate with multiple manually registered singletons #​48123
  • Buildpack fails with recent Docker installs due to hardcoded version in URL #​48102
  • Image building may fail when specifying a platform if an image has already been built with a different platform #​48098
  • Undertow's ServletContext is destroyed too early, making it unusable in @PreDestroy methods #​48061
  • PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #​48058
  • Auto-configured JCacheMetrics cannot be customized #​48056
  • WebSecurityCustomizer beans are excluded by WebMvcTest #​48054
  • Devtools Restarter does not work with a parameterless main method #​47987
  • Setting 'max-uri-tags' does not prevent unlimited meter growth on any AutoConfiguredCompositeMeterRegistry #​47923
  • Docker response 407 is not handled correctly resulting in no error message #​47900
  • spring-boot-maven-plugin process-aot goal does not find package-private main method #​47780
📔 Documentation
  • Revise AWS section of "Deploying to the Cloud" in reference manual #​48156
  • Fix typo in PortInUseException Javadoc #​48133
  • Correct section about required setters in "Type-safe Configuration Properties" #​48130
  • Document EndpointObjectMapper and management.endpoints.jackson.isolated-object-mapper #​48114
  • Document support for configuring servlet context init parameters using properties #​48111
  • Clarify how warnings about soon-to-expire SSL certificates are reported #​48062
  • Document how to use ContextPropagatingTaskDecorator for propagating trace context over thread boundaries #​48052
  • Use since attribute in configuration properties deprecation consistently #​47980
  • BootstrapContext#getOrElseThrow has incorrect reference to IllegalStateException #​47905
  • Clarify when BootstrapContext get methods may return null rather than throwing an exception or calling the fallback supplier #​47898
  • Document that Actuator endpoint may have at most one extension of each type #​47873
  • Limit Kotlin API documentation to Kotlin-specific APIs #​47859
  • Adapt AOTCache documentation to JEP 514 #​47274
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​K-jun98, @​TerryTaoYY, @​hojooo, @​linw-bai, @​mipo256, @​namest504, @​ngocnhan-tran1996, @​nosan, @​scottfrederick, @​siva-sai-udaygiri, @​tschut, and @​vpavic

v3.5.7

Compare Source

⭐ New Features
  • Add TWENTY_FIVE to JavaVersion enum #​47609
🐞 Bug Fixes
  • Signed jar verification fails when nested in an uber war running on an Oracle JVM #​47771
  • In an uber war, value of the Sbom-Location manifest attribute does not match the SBOM's actual location #​47737
  • Homebrew formula for the CLI should use libexec #​47722
  • When virtual threads are enabled, embedded Jetty does not use recommended virtual thread configuration #​47717
  • ClientHttpRequestFactoryRuntimeHints is missing timeout methods with Duration overloads #​47678
  • OnBeanCondition no longer correctly finds annotations on scoped target proxy beans #​47635
  • JavaVersion doesn't work reliably in native-image #​47620
  • LiquibaseEndpoint always uses defaultSchema instead of liquibaseSchema #​47346
  • Launcher fails to find main method when it is parameterless #​47311
  • Package private Main class using Java 25 is not found by build plugins #​47309
  • Bitnami legacy images are not automatically detected #​47275
  • Maven plugin does not provide an easy way to exclude optional dependencies from uber jar #​25403
📔 Documentation
  • Some spring.test.* properties are not documented #​47775
  • Dependency management for Maven AntRun Plugin is missing changelog link #​47744
  • Developing Your First Spring Boot Application has outdated tools #​47700
  • Include deprecated configuration properties in the reference documentation #​47669
  • Aggregated Javadoc should link to the proper version of JakartaEE #​47593
  • Update javadoc of TestRestTemplate following change to redirect behavior #​47474
  • Use non-deprecated syntax to configure sourceCompatibility #​47343
  • Fix link to Framework's @Bean annotation #​47330
  • Update managed dependency version override examples in documentation #​47306
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​DKARAGODIN, @​JinhyeokFang, @​Lublanski, @​Pankraz76, @​fhiyo, @​ngocnhan-tran1996, @​nosan, @​scottfrederick, and @​xyraclius

v3.5.6

Compare Source

🐞 Bug Fixes
  • Quoted -D arguments break system property resolution on Linux with Spring AOT #​47166
  • Groovy Templates fails with an NPE when rendering an auto new line #​47139
  • available() does not behave correctly when reading stored entries from a NestedJarFile #​47057
  • spring-boot-docker-compose doesn't create service connections when image has registry host but not project #​47019
  • Flyway Ignore Migration Patterns setting can't be set to an empty string #​47013
📔 Documentation
  • Default value of server.tomcat.resource.cache-ttl is not documented #​47253
  • Document Java 25 support #​47245
  • Fix links to Flyway reference documentation #​46988
  • Clarify Javadoc of Customizer interfaces about overriding behavior #​46942
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Chanwon-Seo, @​doljae, @​izeye, and @​quaff

v3.5.5

Compare Source

🐞 Bug Fixes
  • Hazelcast health indicator reports the wrong status when Hazelcast has shut down due to an out-of-memory error #​46909
  • Performance critical tracing code has high overhead due to the use of the Stream API #​46844
  • SpringLiquibaseCustomizer is exposed outside its defined visibility scope #​46758
  • Race condition in OutputCapture can result in stale data #​46721
  • Auto-configured WebClient no longer uses context's ReactorResourceFactory #​46673
  • Default value not detected for a field annotated with @Name #​46666
  • Missing metadata when using @Name with a constructor-bound property #​46663
  • Missing property for Spring Authorization Server's PAR endpoint #​46641
  • Property name is incorrect when reporting a mis-configured OAuth 2 Resource Server JWT public key location #​46636
  • Memory not freed on context restart in JpaMetamodel#CACHE with spring.main.lazy-initialization=true #​46634
  • Auto-configured MockMvc ignores @FilterRegistration annotation #​46605
  • Failure to discover default value for a primitive should not lead to document its default value #​46561
📔 Documentation
  • Kotlin samples for configuration metadata are in the wrong package #​46857
  • Observability examples in the reference guide are missing the Kotlin version #​46798
  • Align method descriptions for SslOptions getCiphers and getEnabledProtocols with @returns #​46769
  • Tracing samples in the reference guide are missing the Kotlin version #​46767
  • Improve Virtual Threads section to mention the changes in Java 24 #​46610
  • spring.test.webtestclient.timeout is not documented #​46588
  • spring-boot-test-autoconfigure should use the configuration properties annotation processor like other modules #​46585
  • Adapt deprecation level for management.health.influxdb.enabled #​46580
  • spring.test.mockmvc properties are not documented #​46578
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kguswo, @​deejay1, @​ganjisriver, @​izeye, @​jetflo, @​ngocnhan-tran1996, @​nicolasgarea, @​nosan, @​prishedko, @​quaff, @​schmidti159, @​scordio, @​shakuzen, @​tommyk-gears, @​zahra7, and @​zakaria-shahen

v3.5.4

Compare Source

🐞 Bug Fixes
  • LambdaSafe.withFilter is not public #​46474
  • Executable JAR application class encounters performance issues when used with Palo Alto Network Cortex XDR agent #​46402
  • Runtime dependencies are missing from aotCompileClasspath and aotTestCompileClasspath when using Kotlin #​46398
  • Additional fields for structured JSON logging incompatible with nested ecs logging in 3.5.x #​46351
  • Change in DefaultErrorAttributes alters the shape of API validation error responses #​46260
  • jdbc.connections.active and jdbc.connections.idle metrics are not available when using Hikari in a native image #​46225
  • developmentOnly and testAndDevelopmentOnly dependencies may prevent implementation dependencies from being included in the uber-jar #​46205
  • Hash calculation for uber archive entries that require unpacking is inefficient #​46203
  • Permissions are applied inconsistently when building uber archives with Gradle #​46194
  • Environment variables using legacy dash format can no longer be bound #​46184
  • EmbeddedWebServerFactoryCustomizerAutoConfiguration fails when undertow-core is on the classpath and undertow-servlet is not #​46180
  • Executable JAR application class encounters performance issues #​46177
  • Executable JAR application class encounters performance issues #​46176
  • Setting spring.reactor.context-propagation has no effect when lazy initialization is enabled #​46174
  • Setting spring.netty.leak-detection has no effect when lazy initialization is enabled #​46170
  • SslInfo does not use its Clock when checking certificate validity #​46011
📔 Documentation
  • Fix description of spring.batch.job.enabled #​46247
  • Fix broken Kotlin examples in reference documentation #​46168
  • Add Logback Access Reactor Netty to community starters #​46060
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Dockerel, @​PiyalAhmed, @​benelog, @​dmitrysulman, @​izeye, @​ngocnhan-tran1996, @​nosan, and @​quaff

v3.5.3

Compare Source

🐞 Bug Fixes
  • Binder context does not restore previous source causing missing data on Spring Boot 3.5 or above #​46040

v3.5.2

Compare Source

🐞 Bug Fixes
  • IllegalArgumentException: 'name' must not be null thrown when property source filtering applied twice #​46032

v3.5.1

Compare Source

⚠️ Noteworthy Changes
  • This release upgrades to Tomcat 10.1.42 which has introduced limits for part count and header size in multipart/form-data requests. These limits can be customized using server.tomcat.max-part-count and server.tomcat.max-part-header-size respectively.
⭐ New Features
  • Allow Specifying ConfigData.Options On ConfigDataEnvironmentContributors #​42932
🐞 Bug Fixes
  • Executable JAR application class encounters performance issues when classpath URLs reference a host #​46028
  • Loading from spring.factories may fail with a ClassNotFoundException when the TCCL changes between calls #​46019
  • spring.couchbase.authentication.jks.private-key-password has no effect #​46006
  • Actuator heapdump endpoint is failing on modern OpenJ9 JVMs #​46005
  • UnboundConfigurationPropertiesException is no longer thrown from IndexedElementsBinder [#​459

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.
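The CVE-2024-38809 advisory above says that users of older, unsupported spring-web versions could enforce a size limit on If-Match and If-None-Match headers "e.g. through a Filter". The class below is an added example of such a filter written for this page; it is not code from Renovate, from the Spring project, or from the advisory. The 2048-character budget, the class name and the choice of status 431 are assumptions; the real fix remains the upgrade the advisory lists.

```java
import java.io.IOException;
import java.util.Enumeration;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Example (not Spring's own code): reject a request whose If-Match or
 * If-None-Match headers exceed a fixed budget before any ETag parsing runs.
 * Protects only the two headers the advisory names; everything else is
 * passed through untouched.
 */
public class ConditionalHeaderSizeFilter implements Filter {

    // Assumed budget: genuine ETag lists are a few hundred characters at most.
    static final int MAX_CONDITIONAL_HEADER_CHARS = 2048;

    private static final String[] GUARDED_HEADERS = { "If-Match", "If-None-Match" };

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest request
                && res instanceof HttpServletResponse response
                && exceedsLimit(request, MAX_CONDITIONAL_HEADER_CHARS)) {
            // 431 "Request Header Fields Too Large": reject without touching the body.
            response.sendError(431, "If-Match / If-None-Match header too large");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the combined length of all values of the guarded headers
     * exceeds the limit. A header may be sent more than once, so every
     * occurrence is counted; the loop stops as soon as the limit is passed.
     */
    static boolean exceedsLimit(HttpServletRequest request, int limit) {
        for (String name : GUARDED_HEADERS) {
            Enumeration<String> values = request.getHeaders(name);
            if (values == null) {
                continue; // container denies header access; nothing to measure
            }
            long total = 0;
            while (values.hasMoreElements()) {
                total += values.nextElement().length();
                if (total > limit) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

In a Spring Boot application the filter is picked up as a bean (annotate it with @Component, or register it through a FilterRegistrationBean with the highest precedence so it runs before any handler that reads the conditional headers). The length check counts characters rather than bytes; for the ASCII-only values these headers carry the two are the same, and a budget of a couple of kilobytes is far above anything a legitimate client sends.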
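The CVE-2025-41234 advisory above lists "the application does not sanitize the user-supplied input" as one of the conditions for the reflected file download issue when a filename is passed to ContentDisposition.Builder#filename(String, Charset). The class below is an added example, written for this page and not taken from Renovate, Spring or the advisory, of reducing a user-supplied download name to a conservative allow-list before it reaches the builder. The allow-list, the 128-character cap and the fallback name "download" are assumptions; upgrading to the fixed versions in the table is the actual remediation.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;

/**
 * Example (not Spring's own code): build a Content-Disposition header from
 * a user-supplied name only after removing everything outside a small
 * allow-list, so quotes, separators and control characters never reach the
 * charset-encoded filename parameter.
 */
public final class SafeDownloadHeaders {

    // Assumed allow-list: Unicode letters and digits, space, dot, dash, underscore.
    private static final Pattern DISALLOWED = Pattern.compile("[^\\p{L}\\p{N} ._-]");
    private static final Pattern LEADING_DOTS_OR_SPACES = Pattern.compile("^[ .]+");
    private static final int MAX_FILENAME_LENGTH = 128; // assumed cap
    private static final String FALLBACK_NAME = "download";

    private SafeDownloadHeaders() {
    }

    /** Replace disallowed characters, drop leading dots/spaces, cap the length. */
    static String sanitizeFilename(String userSupplied) {
        if (userSupplied == null) {
            return FALLBACK_NAME;
        }
        String cleaned = DISALLOWED.matcher(userSupplied).replaceAll("_");
        cleaned = LEADING_DOTS_OR_SPACES.matcher(cleaned).replaceFirst("").trim();
        if (cleaned.isEmpty()) {
            return FALLBACK_NAME;
        }
        if (cleaned.length() > MAX_FILENAME_LENGTH) {
            cleaned = cleaned.substring(0, MAX_FILENAME_LENGTH);
        }
        return cleaned;
    }

    /**
     * Header value for an attachment whose display name may contain non-ASCII
     * letters. The builder emits the RFC 5987 filename* form for UTF-8; the
     * sanitized input guarantees it never carries quotes or parameter separators.
     */
    static String contentDispositionFor(String userSupplied) {
        return ContentDisposition.attachment()
                .filename(sanitizeFilename(userSupplied), StandardCharsets.UTF_8)
                .build()
                .toString();
    }

    /** Apply the sanitized header to a servlet response. */
    static void apply(HttpServletResponse response, String userSupplied) {
        response.setHeader(HttpHeaders.CONTENT_DISPOSITION, contentDispositionFor(userSupplied));
    }
}
```

Call apply(response, requestedName) from the download handler instead of passing the raw request parameter to the builder. The allow-list deliberately keeps the name readable (accented letters survive, which is the reason an application uses the Charset overload in the first place) while removing the characters an RFD payload needs to break out of the parameter.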

@renovate renovate bot requested a review from a team as a code owner February 15, 2025 11:20
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from a98df02 to 9ecdf2c Compare February 22, 2025 00:07
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 3 times, most recently from 4b1ff84 to a2244b0 Compare March 4, 2025 10:43
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from a2244b0 to b5f9c5f Compare March 22, 2025 03:37
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from b5f9c5f to afd831f Compare April 2, 2025 00:16
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from afd831f to a2b32e0 Compare April 25, 2025 04:15
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 3 times, most recently from a5bfcf8 to 5f0b378 Compare May 29, 2025 09:49
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 5f0b378 to 40b8e14 Compare June 14, 2025 19:56
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 40b8e14 to 0c9f678 Compare June 22, 2025 04:04
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 0c9f678 to 1f35bdb Compare July 12, 2025 19:58
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 1f35bdb to bd56d59 Compare July 26, 2025 08:09
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from bd56d59 to 4df91d2 Compare August 14, 2025 08:01
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 4df91d2 to 2050dd1 Compare August 23, 2025 08:02
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 2 times, most recently from 7656fbf to fba6152 Compare September 5, 2025 23:36
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 3 times, most recently from 0c97198 to cad27d5 Compare September 19, 2025 11:59
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 2 times, most recently from 42e2729 to a3617f0 Compare October 26, 2025 07:50
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 2 times, most recently from 9276797 to 262e4c9 Compare November 8, 2025 11:48
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 262e4c9 to 58009b5 Compare November 20, 2025 15:11
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch 2 times, most recently from 89f5575 to 7509fff Compare December 19, 2025 07:37
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 7509fff to b2b8b83 Compare January 20, 2026 11:49
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from b2b8b83 to 6b3c70d Compare January 23, 2026 07:23
@renovate renovate bot force-pushed the renovate/all-maven-minor-patch branch from 6b3c70d to 8999423 Compare January 30, 2026 12:05