Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency org.springframework:spring-webmvc to v5 [security] #260

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 25, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework:spring-webmvc 4.3.30.RELEASE -> 5.2.20.RELEASE age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-22965

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Patches

Workarounds

For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).


Release Notes

spring-projects/spring-framework (org.springframework:spring-webmvc)

v5.2.20.RELEASE

Compare Source

⭐ New Features

  • Restrict access to property paths on Class references #​28262
  • Improve diagnostics in SpEL for large array creation #​28257

v5.2.19.RELEASE

Compare Source

⭐ New Features

  • Declare serialVersionUID on DefaultAopProxyFactory #​27785
  • Use ByteArrayDecoder in DefaultClientResponse::createException #​27667

🐞 Bug Fixes

  • ProxyFactoryBean getObject called before setInterceptorNames, silently creating an invalid proxy [SPR-7582] #​27817
  • Possible NPE in Spring MVC LogFormatUtils #​27783
  • UndertowHeadersAdapter's remove() method violates Map contract #​27593
  • Fix assertion failure messages in DefaultDataBuffer.checkIndex() #​27577

📔 Documentation

  • Lazy annotation throws exception if non-required bean does not exist #​27660
  • Incorrect Javadoc in [NamedParameter]JdbcOperations.queryForObject methods regarding exceptions #​27581
  • DefaultResponseErrorHandler update javadoc comment #​27571

🔨 Dependency Upgrades

v5.2.18.RELEASE

Compare Source

⭐ New Features

  • Enhance DefaultResponseErrorHandler to allow logging complete error response body #​27558
  • DefaultMessageListenerContainer does not log an error/warning when consumer tasks have been rejected #​27457

🐞 Bug Fixes

  • Performance impact of con.getContentLengthLong() in AbstractFileResolvingResource.isReadable() downloading huge jars to check component length #​27549
  • Performance impact of ResourceUrlEncodingFilter on HttpServletResponse#encodeURL #​27548
  • Avoid duplicate JCacheOperationSource bean registration in <cache:annotation-driven /> #​27547
  • Non-escaped closing curly brace in RegEx results in initialization error on Android #​27502
  • Proxy generation with Java 17 fails with "Cannot invoke "Object.getClass()" because "cause" is null" #​27498
  • ConcurrentReferenceHashMap's entrySet violates the Map contract #​27455

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR24 #​27526

v5.2.17.RELEASE

Compare Source

⭐ New Features

  • Invalid JavaBean property 'logoutHandlers' being accessed (warning in the logs for Spring Security's ConcurrentSessionFilter) #​27396
  • Convenient configuration of type permissions for XStream 1.4.18 #​27344
  • ResponseStatusException.initCause always throws IllegalStateException #​27212

🐞 Bug Fixes

  • Support char, float, and double primitive default values in BeanUtils.instantiateClass() #​27401
  • CommonsMultipartResolver and DEBUG logging lead to empty fileMap in MultipartHttpServletRequest #​27398
  • Fix UrlPathHelper#shouldRemoveSemicolonContent() #​27310
  • CompositeUriComponentsContributor#hasContributors: method name is not compliant with its intention #​27275
  • WebSocketMessageBrokerStats.getExecutorStatsInfo() throws exception if Executor is not a ThreadPoolExecutor #​27213

📔 Documentation

  • Fix Kotlin example for filtering handler functions #​27352
  • Document when prepareTestInstance() is invoked when using the SpringMethodRule #​27312

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR23 #​27378

v5.2.16.RELEASE

Compare Source

⭐ New Features

  • BeanCreationException error message should always include declaring class of constructor (or factory method) #​27140
  • SynchronossPartHttpMessageReader should only create temp directory when needed #​27094
  • Deprecate internal APIs in ScriptUtils implementations #​26948

🪲 Bug Fixes

  • AOP auto-proxying with proxyTargetClass=true and introduction advice does not work for JDK proxy targets #​27148
  • SimpleMethodMetadataReadingVisitor.Source.toString() omits separator for method arguments #​27096
  • DefaultPathSegment allows shared empty parameters map to be mutated #​27065
  • Ignore comments when searching for SQL statement delimiter in ScriptUtils #​26942
  • Ignore delimiter enclosed in double quotes in ScriptUtils #​26936

📔 Documentation

  • Fix @Transactional examples regarding method visibility #​27005
  • Improve @Transactional docs regarding method visibility #​27004
  • Document transactional semantics for @TransactionalEventListener after completion methods #​26979

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR21 #​27163

v5.2.15.RELEASE

Compare Source

⭐ New Features

  • Ensure multipart temp directories do not collide #​26932
  • InvalidPathException in log when running SpringBootTest with NIO Path property on Windows #​26894
  • Spring AOP should not apply UndeclaredThrowableException to checked exceptions from Kotlin methods #​26839

🪲 Bug Fixes

  • Fix web parameters resolution when injected via constructor #​26923
  • Fix Kotlin filter parameter bug in Router DSLs #​26921
  • Incorrect check in AbstractBrokerRegistration's constructor #​26898
  • @ModelAttribute(binding=false) is not honored with WebFlux #​26888

📔 Documentation

  • Remove leftover Javadoc from WebClient #​26809

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR20 #​26891

v5.2.14.RELEASE

Compare Source

⭐ New Features

  • Add missing nullable annotation to ResponseEntity ok convenience method #​26614
  • Support cookies with Expires attribute but no Max-Age attribute in MockHttpServletResponse #​26559

🪲 Bug Fixes

  • @DirtiesContext not applied when class-level @EnabledIf evaluates to false #​26697
  • StatusAssertion value methods fail when used with custom status code #​26666
  • Local @CrossOrigin maxAge value should override global value #​26620
  • Correctly set auto-growing array's element #​26606
  • Fix handling of "file:" paths to non-existent files on Windows #​26589
  • ClassLoader.getResource can throw IllegalArgumentException #​26588
  • LoadTimeWeaver no longer weaves bean classes annotated with @Component #​26584
  • ResourceUrlProvider detects wrong set of handler mappings #​26562

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR19 #​26768

v5.2.13.RELEASE

Compare Source

⭐ New Features

  • Inefficient reflection operations for destroy method determination #​26499
  • No way to affect response when unhandled exceptions thrown from ForwardedHeaderTransformer #​26465
  • Fail early FactoryBean instantiation for LinkageError #​26426
  • Close mapping streams after the ValidatorFactory has been built in LocalValidatorFactoryBean #​26424
  • Defensively handle loadClass null result in BeanUtils.findEditorByConvention (against misbehaving ClassLoader impl such as in the GWT JettyLauncher) #​26256

🪲 Bug Fixes

  • Avoid unnecessary wrapping for SqlParameterValue #​26547
  • Autowiring shortcut fails with NoSuchBeanDefinitionException after removeBeanDefinition call #​26518
  • SimpleJdbcInsert (sporadically) does not insert all columns #​26503
  • DefaultHandlerExceptionResolver handling of media type exception on Tomcat 7+ #​26475
  • Websocket extensions not working #​26452
  • AbstractBeanDefinition#equals handles propertyValues incorrectly #​26435
  • Remove obsolete commandName attribute in spring-form.tld #​26338
  • NettyHeadersAdapter.add() accepts @Nullable value but throws NullPointerException #​26277

📔 Documentation

  • Document the "SpringProperties mechanism" mentioned in the testing chapter #​26494
  • UriComponentsBuilder documentation error for HTTP request encoding #​26455
  • Wrong documentation for CachePut #​26404

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR17 #​26549

v5.2.12.RELEASE

Compare Source

⭐ New Features

  • ContentCachingResponseWrapper should not add “Content-Length” when “Transfer-Encoding” is present #​26191
  • Register bean definition dependencies when used via configuration class injected fields #​26168
  • Wildcard is a valid Access-Control-Expose-Headers value #​26115
  • EntityManagerFactory startup failure in deferred mode is only available on first use #​26094

🪲 Bug Fixes

  • AbstractJackson2HttpMessageConverter writes partial data when exception occurs during write #​26246
  • Remove duplicate "property" in PropertyCacheKey.toString() #​26242
  • DataBuffer Leak in Server Response #​26234
  • GenericConversionService$Converters.getMatchableConverters throws ConcurrentModificationException on Java 9+ #​26184
  • ConcurrentModificationException in NativeMessageHeaderAccessor#copyHeaders #​26158
  • MimeType is no longer actually serializable #​26128
  • PathMatchingResourcePatternResolver fails to resolve resources from JAR located in path with '#' on JDK 11+ #​26105
  • UrlPathHelper#removeJsessionid doesn't remove the jsessionid from the URL #​26083
  • NamedParameterJdbcTemplate.batchUpdate does not individually apply the SQL type from each SqlParameterSource argument #​26073
  • DataBufferUtils#join may release a DataBuffer more than necessary #​26061

📔 Documentation

  • Clarify intended advice execution behavior in Spring version 5.2.7+ #​26204
  • DateTimeFormat ISO.DATE_TIME javadoc contains misleading default note #​26135
  • Document that @Transactional does not propagate to new threads #​26102

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR15 #​26175

v5.2.11.RELEASE

Compare Source

⭐ New Features

  • StompSubProtocolHandler logs failed authentication with error stack trace #​26037
  • MergedAnnotationCollectors.toAnnotationSet() should not create intermediate ArrayList #​26036
  • DefaultSimpUserRegistry prevents event from being published if original SimpMessageHeaderAccessor cannot be found #​26013
  • DefaultWebClientBuilder copies references #​25993
  • Inefficient request handling inside ServletRequestDataBinder #​25990

🪲 Bug Fixes

  • Add FullyQualifiedAnnotationBeanNameGenerator.INSTANCE #​26027
  • Autowiring does not work reliably in case of dynamically changing prototype bean class #​26020
  • Order of profiles in tests is not preserved #​26008
  • SseEmitter: connection closed after first event #​25989

📔 Documentation

  • Fix a broken Asciidoctor syntax in core-resources.adoc #​26000

v5.2.10.RELEASE

Compare Source

⭐ New Features

  • Optimize Jackson resource management in codecs #​25910
  • Avoid creation of unused logger instance in AbstractMediaTypeExpression #​25901
  • Native Hibernate 5 bootstrapping with JTA transaction manager requires hibernate.transaction.coordinator_class=jta to be set #​25858
  • Cannot test @RequestPart multipart controllers with Servlet MockPart #​25829
  • Add MariaDB to the supported database products for procedures and functions #​25811
  • Optimize String argument resolution in MessageTag #​25809
  • Avoid repeated Charset resolution in MimeType #​25808

🪲 Bug Fixes

  • Incorrect http response for a request using the Range header for pre-compressed resources #​25976
  • @ActiveProfiles with same profiles but different order results in duplicate ApplicationContext #​25973
  • LinkedMultiValueMap downstream issue with MultiValueMapAdapter package private base class #​25960
  • DataBufferUtils.CompositeMatcher causes poor performance when one or more matchers does not match #​25915
  • HttpSeverOperations overrides content-length to 0 on HTTP HEAD #​25908
  • jsessionid breaks request mappings when removeSemicolonContent is turned off #​25864
  • JettyClientHttpConnector triggers early cancellation #​25849
  • Race condition in DataBufferUtils.readAsynchronousFileChannel resulting in FD leak (Channel remains open) #​25831
  • SimpMessagingTemplate.convertAndSend results in UnsupportedOperationException when Spring Cloud Sleuth is present #​25821
  • ClassCastException when wiring bean using method injection (NullBean instead of 'null') #​25806
  • Thread-scoped bean creation freezes if dependent bean is retrieved before dependency bean #​25801
  • Sending an event as part of the EMF lock triggers a deadlock #​25799
  • Wrong type inference in Kotlin while overriding RequestMappingHandlerMapping#getMappingForMethod #​25657
  • SseEmitter (ResponseBodyEmitter) keeps collecting messages if not initialized #​25442

📔 Documentation

  • Correct DispatcherServlet initialization sample webmvc.adoc #​25965
  • Document that TransactionalEventListener only works with non-reactive transactions #​25805
  • Published reference documentation contains unnecessary folders and files #​25783
  • Incorrect example in javadocs of Assert.notNull(object, messageSupplier) #​25774

🔨 Dependency Upgrades

v5.2.9.RELEASE

Compare Source

⭐ New Features

  • HttpHeaders.setContentDispositionFormData should ignore empty filename #​25769
  • StringDecoder does not provide a way to configure the default charset #​25762
  • MimeMessageHelper.addAttachment: configurable encoding of attachment filename #​25755
  • Current log level not checked by LogAccessor supplier-enabled logging methods #​25741
  • PropertiesLoaderSupport should ignore socket/connect exceptions as well #​25717
  • Avoid repeated calls to getPathWithinApplication from UrlPathHelper.getLookupPathForRequest #​25669
  • Avoid full singleton lock for DefaultSingletonBeanRegistry.getSingleton(beanName, false) #​25667
  • XStreamMarshaller should avoid direct use of CompositeClassLoader which is not exported by XStream in OSGi #​25662
  • Avoid LinkedList performance issues through use of ArrayDeque #​25652
  • Introduce createContext() factory method in AbstractGenericContextLoader #​25600
  • Declare MessagePostProcessor as a @FunctionalInterface #​25571
  • Assert preconditions for MergedAnnotations.from() factory methods #​25568
  • Provide access to AbstractRoutingDataSource's resolved target DataSources #​25544
  • Possible optimization in UrlResource #​25531
  • Refine use of substring operations #​25445
  • Cache abstraction does not log hit / miss for synchronized access #​25248

🪲 Bug Fixes

  • Issue with Forwarded Header and Multiple Values #​25737
  • CallMetaDataContext.reconcileParameters overwrites cursor name #​25707
  • VerifyErrors when using SpEL compilation with Thymeleaf when invoking a default method defined in an interface #​25706
  • SQLErrorCodesFactory.getErrorCodes(DataSource) returns empty error codes if access to transactional connection fails #​25681
  • Make "org.springframework.util.unit.DataSize" class Serializable #​25675
  • Joda-Time presence check fails to detect Joda-Time 2.x specifically #​25655
  • Regression in SimpleThreadScope introduced in 5.2.7 #​25618
  • Potential integer overflow in ExecutorConfigurationSupport.setAwaitTerminationSeconds(int) and AbstractResourceBasedMessageSource.setCacheSeconds(int) #​25613
  • Remove session on 4xx response from WebSocket handshake #​25608
  • spring-jdbc don't set out parameter name from metadata for Postgresql function after issue#25399 #​25588
  • FileUrlResource isWritable method returns true if URL protocol is not indicating a file #​25584
  • Lazy dependency proxy does not populate bean dependencies #​25562
  • Bean creation fails with StackOverflowError after upgrading from 5.1.13 to 5.2.7 #​25546
  • StaticListableBeanFactory.isSingleton() returns false for singleton beans #​25522
  • Standalone MockMvc ignores @RestControllerAdvice annotation attributes #​25520
  • MockHttpServletResponse reset() does not reset charset field #​25501
  • AnnotationTypeMappings does not filter repeatable annotations #​25483
  • Wrong error message for type mismatch in jsonPath().value() #​25480
  • Fix infinite loop bug in AnnotationScanner #​25429
  • Overloaded @Bean method with name mismatch causes bean to be created twice (in case of ASM processing) #​25263

📔 Documentation

  • Prevent confusion about build(boolean) method in UriComponentsBuilder #​25604
  • Document how to specify Jackson JSON view serialization hints with @RestController and Webflux #​25596
  • Inconsistent log level in @Bean javadoc and ConfigurationClassEnhancer #​25590
  • Fix asciidoctor syntax for source #​25539
  • Improve Javadoc for @RequestMapping#params #​25482
  • Document that SimpleCacheManager requires caches to be initialized when not used as a bean #​22988

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR12 #​25730

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.2.8.RELEASE

Compare Source

⭐ New Features

  • Defer creating logger in StandardWebSocketHandlerAdapter #​25427
  • MutablePropertySources will not find or remove proxied sources #​25369
  • Profiles should be comparable when created via Profiles.of() #​25340
  • Avoid re-creating RSocketRequester instance per subscriber #​25330
  • Hoist Class.getName() from String concatenation to dodge an issue related to profile pollution #​25324
  • Improve Random seed in SocketUtils #​25321
  • Support fragments in UriComponentsBuilder.fromHttpUrl() #​25300
  • Support for custom cache registration in CaffeineCacheManager #​25230
  • Don't get ContentCachingResponseWrapper in ShallowEtagHeaderFilter so that users can extend this wrapper #​24976
  • Unnecessarily alarming stack trace logged during scheduler resolution #​23268
  • Expose a setExceptionListener method in DefaultJmsListenerContainerFactory [SPR-17570] #​22102

🪲 Bug fixes

  • UriComponentsBuilder.cloneBuilder() cause sharing query parameters between builders #​25423
  • SimpleJdbcCall does not find stored function with PostgreSQL driver 42.2.11 #​25399
  • MappingJackson2HttpMessageConverter might be too specific in its Charset support #​25322
  • ReactorNetty websocket issue for multiple clients with different protocols #​25315
  • Mutating a ServerHttpRequest breaks the existing context path #​25279
  • ServerHttpRequest.getSslInfo() always returns null for reactor-netty HTTP/2 requests #​25278
  • NoRollbackFor rule causes TransactionAspectSupport to log unwarranted "exception overridden" error on WebSphere #​25253
  • AbstractJackson2HttpMessageConverter - Check for encoding breaks JSON to POJO de-serialization experience #​25247
  • The AbstractTemplateViewResolver class is not abstract #​25240
  • WebClient: NPE and leak in case connection is reset by server. #​25216
  • Oracle LOB segments holding TEMP space after executing SP using SimpleJdbcCall with SqlParameterSource #​22972
  • IllegalReferenceCountException happens when the operation was canceled #​22594
  • DefaultListableBeanFactory.getBean(Class) may throw NoSuchBeanDefinitionException when removeBeanDefinition is being called simultaneously to remove an unrelated bean #​22263

📔 Documentation

  • Clarify enforceInitMethod/enforceDestroyMethod default values in AbstractBeanDefinition #​25402
  • Improve JavaDoc for ConfigurableApplicationContext.refresh() #​25380
  • Fix interface and class names in examples in core-aop doc #​25351
  • Wording changes #​25314
  • Fix typo in Java example for handler class #​25302
  • Improve Javadoc for @​Value regarding supported expressions #​25284
  • Fix syntax in validation examples #​25251
  • Document exception handling limitations in TaskDecorator implementations (specifically for ThreadPoolTaskExecutor#submit) #​25231

🔨 Dependency upgrades

❤️ Contributors

We’d like to thank all the contributors who worked on our current release!

v5.2.7.RELEASE

Compare Source

⭐ New Features

  • Implement reliable invocation order for advice within an @Aspect #​25186
  • Performance enhancement in execution of ResponseEntity.of() #​25183
  • Support for shared GroovyClassLoader in GroovyScriptFactory #​25177
  • Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #​25161
  • Make use of custom types configurable in YamlProcessor #​25152
  • Avoid need for default constructor in ContextAnnotationAutowireCandidateResolver subclasses #​25131
  • ConstructorResolver.resolveConstructorArguments() return value issue #​25130
  • Introduce serializeToByteArray/deserializeFromByteArray convenience methods #​25117
  • Custom HTTP Method on MockServerHttpRequest #​25109
  • Missing null checks in AbstractMessageChannel.addInterceptor/setInterceptors #​25088
  • Avoid full synchronization in AbstractRefreshableApplicationContext.getBeanFactory() since it can lead to massive thread blocking #​25081
  • Simplify use of HttpContext in HttpComponentsClientHttpRequestFactory in support of user associated connections #​25066
  • ResolvableType forClass fails when a type in the generic signature isn't present #​25064
  • Include timeout unit in shutdown failure logging #​25058
  • Drop unnecessary intermediate StringBuilder.toString() call in ServerSentEventHttpMessageReader #​25024
  • Fix concurrency issues in XStreamMarshaller #​25017
  • Introduce mechanism to discover whether a reactive type registered in ReactiveAdapterRegistry uses deferred computation #​24995
  • Avoid logging exception for closed session in AbstractSockJsSession #​24986
  • Include response body in RestTemplate exception when there is no suitable HttpMessageConverter #​24964

🪲 Bug Fixes

  • ExchangeStrategies custom codec's reader & writer are not registered #​25149
  • MultiValueMapAdapter.getFirst fails with IndexOutOfBoundsException in case of empty List #​25140
  • WebSphereUowTransactionManager causes exception for PROPAGATION_SUPPORTS when timeout is specified #​25132
  • Avoid ClassCastException on IllegalArgumentException when invoking sync get cache method #​25110
  • DefaultServerRequestBuilder does not respect attributes when building the ServerRequest #​25106
  • Fix race condition in WriteResultPublisher between subscription and error in publishError #​25096
  • Jackson message converters and codecs do not respect character encoding in canRead/canWrite #​25076
  • DefaultClientResponseBuilder empty logPrefix when creating a DefaultClientResponse based on another #​25069
  • HttpHeaders equals may return false without comparing actual content #​25034
  • Fix race condition in WriteResultPublisher between subscription and completion in publishComplete #​24989

📔 Documentation

  • Javadoc for hibernate5 OpenSessionInViewFilter mentions FlushMode.NEVER #​25158
  • Document that the Map backing a MapPropertySource should not contain null values #​25142
  • Javadoc for JdbcOperations.batchUpdate should mention that negative values are possible #​25138
  • Fix URI pattern example in webflux.adoc #​25137
  • Document how reactive transactions work for cancellation in 5.2 and how it will work in 5.3 #​25091
  • Document whether code can rely on specific subclasses of HttpClientErrorException/HttpServerErrorException being thrown from DefaultResponseErrorHandler #​25067
  • Fix SpelEvaluationException with example code #​25045
  • javadoc: remove a comment documented a limitation on @Lookup annotation #​25044
  • Document all predefined variables from ApplicationContext available in SpEL expressions #​25037
  • Document ReactiveTransactionManager support in reference manual #​25036
  • Document ReactiveTransactionManager support #​25030
  • Change to placeholder value in XML is not reevaluated at runtime #​25022
  • Add missing @PathVariable declarations in examples in webmvc.adoc #​25006

🔨 Dependency Upgrades

  • Upgrade to Reactor Dysprosium-SR8 #​25210

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.2.6.RELEASE

Compare Source

⭐ New Features

  • Cache meta-annotations for stereotype check in AnnotationBeanNameGenerator #​24980
  • Use WebsocketServerSpec in ReactorNettyRequestUpgradeStrategy #​24959
  • Warn about unsupported "/path/**/other" patterns with WebFlux PathPatternParser #​24958
  • Allow override of data binding in ModelAttributeMethodArgumentResolver #​24947
  • Rid pointless wrapping with BufferedInputStream from class reading #​24946
  • ResponseStatusExceptionResolver ignores ResponseStatusException headers #​24944
  • Caching of autowire candidate metadata for lazy beans #​24904
  • Put a limit on the size of DefaultSingletonBeanRegistry#suppressedExceptions #​24902
  • Prevent setting parent bean factory to self #​24900
  • Honor overridden AcceptHeaderLocaleContextResolver.getDefaultLocale() #​24871
  • Improve performance of StringUtils.deleteAny() #​24870
  • 'args' argument of 'JdbcTemplate#query(String, Object[], RowCallbackHandler)' method should be marked @Nullable #​24839
  • Improve usage of ByteArrayOutputStream/ByteArrayInputStream #​24805
  • Simplify conversion of ByteArrayOutputStream to String #​24785
  • Optimize sortPostProcessors() in PostProcessorRegistrationDelegate #​24776
  • Reduce byte array allocations in StompEncoder #​24694

🪲 Bug Fixes

  • ConflictingBeanDefinitionException on repeated index evaluation #​24978
  • Reintroduce synthesized annotation attribute value caching #​24970
  • MockHttpServletRequest should not strip brackets from IPV6 address supplied via Host header #​24916
  • Memory leak in MimeTypeUtils LRUCache #​24886
  • Annotation searches potentially synthesize annotations unnecessarily #​24861
  • Connection created by SingleConnectionDataSource with suppressClose=true always returns isClosed=false even if the target connection is closed #​24853
  • DefaultListableBeanFactory.getBean(Class) throws NoSuchBeanDefinitionException on existing bean if getBean(Class) previously tried before registration #​24852
  • Cannot dispatch without an AsyncContext when an expected error is thrown #​24835
  • Duplicate Vary headers after enabling CORS filter #​24829
  • Make it possible to run Spring MVC without kotlin-reflect #​24828
  • Recursively copy directory with symbolic link #​24823
  • Connection leak with WebClient retrieve().toBodilessEntity() #​24788
  • Using UriComponentsBuilder.cloneBuilder does not copy uriVariables #​24782
  • Fix empty domain handling in ResponseCookie #​24758
  • Illegal reflective access warning for interface-based lookup method injection #​24657
  • Annotation retrieval performance degradation after 5.2 #​23905

📔 Documentation

  • HttpHeaders#getETagValuesAsList(String) does not document IAE #​24950
  • Describe that bean disposal is unsupported for the beans created by FactoryBean #​24948
  • Deprecate AnnotationFilter.NONE (since MergedAnnotations always filters java.lang.* annotations) #​24932
  • Improve Javadoc [#​24908](https://redirect.github.com/spring-pr

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] - autoclosed Sep 25, 2024
@renovate renovate bot closed this Sep 25, 2024
@renovate renovate bot deleted the renovate/maven-org.springframework-spring-webmvc-vulnerability branch September 25, 2024 17:33
@renovate renovate bot changed the title fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] - autoclosed fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] Sep 26, 2024
@renovate renovate bot reopened this Sep 26, 2024
@renovate renovate bot restored the renovate/maven-org.springframework-spring-webmvc-vulnerability branch September 26, 2024 21:12
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 3d67520 to 504d7ba Compare September 26, 2024 21:12
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch 2 times, most recently from c74ea1f to 8d8fc2b Compare October 23, 2024 01:17
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 8d8fc2b to 9302dc7 Compare November 5, 2024 22:48
@renovate renovate bot changed the title fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] fix(deps): update dependency org.springframework:spring-webmvc to v5 [security] Nov 5, 2024
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 9302dc7 to 474e7d7 Compare November 6, 2024 02:19
@renovate renovate bot changed the title fix(deps): update dependency org.springframework:spring-webmvc to v5 [security] fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] Nov 6, 2024
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 474e7d7 to 12fcfd0 Compare December 10, 2024 20:01
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 12fcfd0 to 111b0e2 Compare December 11, 2024 18:57
@renovate renovate bot changed the title fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] fix(deps): update dependency org.springframework:spring-webmvc to v5 [security] Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants