chore(deps): update dependency org.springframework:spring-web to v6

[mend-for-github-com]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework:spring-web	5.3.14 -> 6.0.0

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	CVE
Critical	9.8	CVE-2016-1000027

GitHub Vulnerability Alerts

CVE-2016-1000027

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

---

Pivotal Spring Framework contains unsafe Java deserialization methods

CVE-2016-1000027 / GHSA-4wrc-f8pq-fpqp

More information

Details

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
• https://github.com/spring-projects/spring-framework/issues/21680
• https://github.com/spring-projects/spring-framework/issues/24434
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
• https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f
• https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
• https://github.com/spring-projects/spring-framework
• https://jira.spring.io/browse/SPR-17143?redirect=false
• https://security-tracker.debian.org/tracker/CVE-2016-1000027
• https://security.netapp.com/advisory/ntap-20230420-0009/
• https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
• https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027
• https://www.tenable.com/security/research/tra-2016-20

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

spring-projects/spring-framework

v6.0.0

Compare Source

See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

⭐ New Features

• Avoid direct URL construction and URL equality checks #​29486
• Simplify creating RFC 7807 responses from functional endpoints #​29462
• Allow test classes to provide runtime hints via declarative mechanisms #​29455

📔 Documentation

• Align javadoc of DefaultParameterNameDiscoverer with its behavior #​29494
• Document AOT support in the TestContext framework #​29482
• Document Ahead of Time processing in the reference guide #​29350

🔨 Dependency Upgrades

• Upgrade to Reactor 2022.0.0 #​29465

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ophiuhus and @​wilkinsona

v5.3.29

Compare Source

⭐ New Features

• Avoid illegal reflective access in ContextOverridingClassLoader.isEligibleForOverriding #​30868
• Improve diagnostics for CGLIB ClassLoader issues with shared classes in parent ClassLoader #​30866
• JdbcTemplate does not call handleWarnings in case of exception #​30852
• Tolerate AnnotationUtils.isCandidateClass call with null as annotation type #​30843
• Simplify DefaultSingletonBeanRegistry.isDependent() #​30841
• Provide explicit support for collections, maps, and arrays in ObjectUtils.nullSafeConciseToString() #​30811
• Extend list of supported types in ObjectUtils.nullSafeConciseToString() #​30806
• Align ConcurrentMapCacheManager locking behavior with CaffeineCacheManager #​30781
• ResolvableType.hasUnresolvableGenerics() should cache its result #​30715
• Ensure Spring LogFactory contains all public methods from Apache LogFactory #​30711
• Translate SQL Exception with State S0001 and Vendor Code 2628 to a Spring Exception in MSSQL 2019 #​30682

🐞 Bug Fixes

• For a prototype bean, if first-time rejected value is null, subsequent value will wrongly be null always #​30809
• Revert changes to toString() in FieldError #​30800
• Fix log level on error with @TransactionalEventListener #​30784
• SerializableTypeWrapper does not consistently catch InvocationTargetException #​30767
• NPE in MvcUriComponentsBuilder with no-arg target method on interface #​30757
• Jackson2ObjectMapperBuilder breaks when modules customizer follows modulesToInstall #​30752
• Spring ORM SpringBeanContainer when trying to create a bean fails with not found bean definition, and fallbacks to default hibernate bean creation #​30685

📔 Documentation

• ResultSet holdability into the View layer broken by Hibernate 5 #​30863
• Clarify ReactiveTransactionManager exception declarations #​30819
• Doc: JdbcTransactionManager vs DataSourceTransactionManager #​30814

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.34 #​30873

v5.3.28

Compare Source

⭐ New Features

• ClassLoader can be null in DeserializingConverter and should be annotated with @Nullable #​30672
• Performance optimization in AbstractBeanFactoryBasedTargetSource.hashCode() #​30585
• Consistent support for MultiValueMap and common Map implementations in CollectionFactory #​30441
• Reject null and empty SpEL expressions #​30373
• Introduce Environment.matchesProfiles() for profile expressions #​30226

🐞 Bug Fixes

• Change of behaviour for UUID in bean validation output in v5.3.27 #​30662
• Spring Framework 5.3.27 appears to cause issues in OSGi environment #​30637
• Inconsistent ProxyCallbackFilter#equals/hashCode methods in CglibAopProxy #​30616
• EclipseLinkJpaDialect: Unexpected default isolation levels #​30589
• ThreadLocalTargetSource does not include actual target bean name in NamedThreadLocal #​30586
• ApplicationListenerMethodAdapter inconsistently publishes events from CompletableFuture #​30584
• For @Bean method that returns null, @Autowired injects NullBean instead of null for cached arguments #​30551
• Make maximum SpEL expression length configurable #​30446
• Respect TaskDecorator configuration on DefaultManagedTaskExecutor #​30443

📔 Documentation

• Document which @Scheduled attributes support SpEL expressions #​30642
• FileSystemUtils::deleteRecursively Javadoc refers to File instead of Path #​30555

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.33 #​30656

v5.3.27

Compare Source

⭐ New Features

• Limit string concatenation in SpEL expressions #​30331
• Limit SpEL expression length #​30329
• Disable variable assignment in SimpleEvaluationContext #​30327
• Introduce StringUtils.truncate() #​30291
• Introduce ObjectUtils.nullSafeConciseToString() #​30287
• Make HttpComponentsHeadersAdapter#getFirst nullable #​30269

🐞 Bug Fixes

• Fix regression in ReactorServerHttpRequest related to IPV6 Zone id with "%" #​30314
• SSE breaks with indenting serializer in WebMvc.fn #​30302
• Increase max regex length in SpEL expressions #​30298
• NullPointerException on timeout in HttpComponentsClientHttpConnector when using Apache HttpComponents #​30246
• Wrong MockRestRequestMatchers.header() method in spring-test being invoked (JDK issue?) #​30235
• TypeNotPresentException: org/springframework/cglib/proxy/NoOp not present on Java 17 #​30228
• Refine generic type management in AbstractMessageWriterResultHandler #​30215
• MvcUriComponentsBuilder.fromMethodCall breaks for controller with CharSequence return type #​30212
• Handle all exceptions for stored proc output param retrieval in SharedEntityManagerCreator #​30164

📔 Documentation

• Fix @PathVariable reference documentation code snippets #​30258
• Fix example in Javadoc for @EnableWebSocket #​30187
• Fix anchor in link to "Web on Reactive Stack" chapter #​30163

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.31 #​30315

v5.3.26

Compare Source

⭐ New Features

• Improve diagnostics in SpEL for matches operator #​30145
• Improve diagnostics in SpEL for repeated text #​30143
• Increase scope of regex pattern cache for the SpEL matches operator #​30141
• Minor updates in HandlerMappingIntrospector #​30128
• Allow SnakeYaml 2.0 runtime compatibility #​30097
• Add missing @Nullable annotations to LogMessage.format methods #​30009
• ASM upgrade for JDK 20/21 support #​29966
• Allow MockRest to match header/queryParam value list with one Matcher #​29964
• Add MockMvc.multipart() Kotlin extensions with HttpMethod #​29941
• Release R2DBC connection when cleanup fails in transaction #​29925
• org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #​29909
• Improve generated default name for @JmsListener subscription #​29902
• Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #​29888
• SQL supplier in R2DBC DatabaseClient is eagerly invoked #​29887
• Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #​29867
• Possible infinite forward loop with MockMvcWebConnection #​29866
• Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #​29860
• Fix R2dbcTransactionManager debug log: don't log a Mono #​29824

🐞 Bug Fixes

• RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #​30121
• SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #​30118
• CaffeineCacheManager getCache method cause thread block #​30085
• Protect JMS connection creation against prepareConnection errors #​30051
• ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #​29974
• WebSocket stats not updated correctly when sessions cleared #​29947
• Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #​29914
• Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #​29908
• Invalid Accept header results in IllegalStateException #​29836
• JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #​29256

📔 Documentation

• Fix minor spacings in webflux docs #​30095
• @AspectJ argument name resolution algorithm is outdated in reference manual #​30057
• Fix "Configuring a Global Date and Time Format" example #​30036
• Consistent @Bean method return type for equivalence with XML example #​29970
• Update @DynamicPropertySource examples regarding changes in Testcontainers #​29940
• Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #​29926
• Clearly document that DataClassRowMapper supports Java records #​29922
• Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #​29916

🔨 Dependency Upgrades

• Upgrade to Reactor Netty 2020.0.30 #​30116

v5.3.25

Compare Source

⭐ New Features

• JmsTemplate.convertAndSend throws NullPointerException during shutdown #​29719
• Optimize object creation in RequestMappingHandlerMapping#handleNoMatch #​29667
• Add title to SockJS iFrames for accessibility compliance #​29596

🐞 Bug Fixes

• ResourceHandlers cannot resolve static resources with certain wildcard patterns #​29716
• AnnotatedElementUtils.findMergedRepeatableAnnotations does not fetch results when other attributes exist for container annotation #​29686
• BeanWrapperImpl NPE in setWrappedInstance after invoking getPropertyValue (with SimpleBeanInfoFactory) #​29684
• SpEL ConstructorReference does not generate AST representation of arrays #​29666
• SpEL: Two double quotes are replaced by one double quote in single quoted String literal (and vice versa) #​29653
• SpEL string literal misses single quotation marks in toStringAST() #​29652
• 500 error from WebFlux when parsing Content-Type leads to InvalidMediaTypeException #​29637
• WebMvcConfigurationSupport should not catch Throwable for SourceHttpMessageConverter #​29537

📔 Documentation

• Update Jakarta Mail info in ref docs #​29708
• Improve documentation for literals in SpEL expressions #​29701
• Fix some typos in Kotlin WebClient example code #​29542
• Fix link to Bean Utils Light Library in BeanUtils Javadoc #​29536
• Fix link to WebFlux section in reference manual #​29526
• Link to Spring WebFlux section is broken #​29517

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.27 #​29798

v5.3.24

Compare Source

⭐ New Features

• Avoid reflection for annotation method invocations #​29448
• Avoid unnecessary allocations in StompDecoder#unescape #​29443
• Avoid String allocations in MediaType.checkParameters #​29428
• Reduce allocations caused by producible media types #​29412
• Provide optional SimpleBeanInfoFactory for better introspection performance in 5.3.x #​29330
• Filter out null WebSocket session attributes #​29315
• Introduce TestSocketUtils as a replacement for SocketUtils #​29132
• Avoid Commons Logging API for using LoggingCacheErrorHandler with a custom logger #​28678

🐞 Bug Fixes

• Missing SessionFactory property (filter AutoCloseable from PropertyDescriptors) #​29480
• SpEL ternary and Elvis expressions are missing enclosing parentheses in toStringAST() #​29463
• If-Unmodified-Since header check removes Last-Modified and Etag headers from response, even if condition passes #​29362
• Annotation searches fail for non-public repeatable annotations #​29301
• AbstractBeanFactory's interaction with BeanPostProcessorCacheAwareList is not fully thread-safe #​29299
• WebTestClient cannot assert custom HTTP status code #​29283
• Body token not expected error when trying to upload a large multipart file #​29227
• Avoid resizing of Maps created by CollectionUtils #​29190
• DefaultWebClient logging sensitive information in URI #​29148
• Fix SimpleMailMessage nullability annotations #​29139
• Webflux fails to apply the rule for controller methods returning void to kotlin suspend functions returning Unit #​27629
• Resource.isFile() return true when the resource path actually not exists #​26707
• AnnotatedElementUtils does not find merged repeatable annotations on other repeatable annotations #​20279

📔 Documentation

• Fix two typos in integration.adoc and webflux.adoc #​29469
• Fix typo: "as describe in" -> "as described in" #​29393
• Fix typos #​29364
• Correct documentation for "other return values" from a web controller method #​29349
• Document how to use WebJars without webjars-locator-core dependency #​29322
• Update RestTemplate Javadoc with regards to setting interceptors on startup vs at runtime #​29311
• Document how to switch to the default set of TestExecutionListeners #​29281
• Document limitation of AopTestUtils.getUltimateTargetObject() regarding non-static TargetSource #​29276
• Fix typo in WebSocket reference doc regarding subscription header #​29228
• Fix MockMvc sample setup #​29201

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.25 #​29464

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​sangmin7648
• @​izeye
• @​dreis2211
• @​catmug
• @​inabajunmr
• @​iamgd67
• @​davidcostanzo
• @​jprinet
• @​stgerhardt
• @​onobc
• @​vpavic

v5.3.23

Compare Source

⭐ New Features

• Introduce AnnotationUtils.isSynthesizedAnnotation(Annotation) #​29054
• Introduce createContext() factory method in AbstractGenericWebContextLoader #​28983
• Support TreeSet collection type in CollectionFactory.createCollection() without using reflection #​28949
• Document when RequestEntity.getUrl() throws an UnsupportedOperationException #​28930
• Deprecate NestedIOException #​28929
• Make isConnected() in WebSocketConnectionManager public #​28785
• Expose headers from STOMP RECEIPT frame to registered callbacks #​28715
• Make WebClientException serializable #​28321

🐞 Bug Fixes

• Ordering inconsistency with beans defined in parent context #​29105
• RelativeRedirectResponseWrapper does not commit response in sendRedirect #​29050
• MockServerContainerContextCustomizerFactory does not support @Nested tests #​29037
• Request to improve KotlinSerializationJsonHttpMessageConverter logic in RestTemplate #​29008
• WebFlux: multipart requests hang sometimes #​28963
• DataBufferUtils.write(Publisher, Path) loses context #​28933
• connectionTimeOut and readTimeout not working on UrlResource #​28909
• SockJsServiceRegistration#setSupressCors has a typo and should be deprecated #​28853
• RenderingResponse does not set status code on redirect views #​28839
• Avoid IllegalArgumentException when setting WebSocket error status #​28836
• Loss of context path after using ServerRequest.from #​28820
• ResponseCookie does not declare nullability annotations consistently for domain and path #​28780

📔 Documentation

• Fix typo in data-access section #​29048
• Correct description of @RequestParam with WebFlux #​28944
• Fix broken kdoc-api links in kotlin.adoc #​28908
• Fix typos in Javadoc of class AbstractEncoder #​28885
• Fix links in Javadoc and reference docs #​28876
• Add missing closing parenthesis in reference doc #​28867
• Fix typos in Javadoc, reference docs, and code #​28822
• Replace use of the <tt> HTML tag in Javadoc #​28819
• Fix broken link in rsocket documentation #​28817
• Clarify docs on JNDI properties in Servlet environment #​28488
• Improve documentation of Caching annotations #​28183

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.23 #​29129

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​boahc077
• @​1993heqiang
• @​luvarqpp
• @​arend-von-reinersdorff
• @​jensdietrich
• @​wilkinsona
• @​npriebe
• @​vpavic
• @​jupiterhub
• @​izeye
• @​napstr
• @​marcwrobel
• @​arvyy
• @​jbotuck
• @​chanhyeong
• @​yuezk
• @​edfeff
• @​adrianbob
• @​FlorianKirmaier
• @​meloning

v5.3.22

Compare Source

⭐ New Features

• Improve regex "." matching for URL paths #​28815
• Spring JDBC does not recognize LocalDate and LocalDateTime in javaType to sqlType Mapping #​28778
• ResolvableType.forInstance should return NONE for null instance #​28776
• Correctly identify MaxUploadSizeExceededException through keywords in message from Jetty 9.4.x #​28759
• Introduce StringUtils.trimAllWhitespace(CharSequence) #​28757
• Trim string input in Converters where whitespace is irrelevant #​28756
• Trim string input in PropertyEditors where whitespace is irrelevant #​28755
• Improve diagnostics for CGLIB ClassLoader issues on Java 9+ #​28747
• Create well-known non-interface types in CollectionFactory without using reflection #​28718
• Revise internals of LoggingCacheErrorHandler #​28672
• Simplify creation of LoggingCacheErrorHandler with logged stacktrace #​28670
• Fix DataSourceUtils inconsistent exception handling #​28669
• Introduce lenient parsing in DataSize regarding whitespace #​28643
• Support adding rather than replacing modules in Jackson2ObjectMapperBuilder #​28633
• Add MockMvcRequestBuilders.multipart(HttpMethod, String, Object...) #​28631
• Avoid parsing request body in DispatcherServlet for "parameters={masked}" log message #​28587
• Avoid synchronization in AbstractAspectJAdvice#calculateArgumentBindings #​26377

🐞 Bug Fixes

• WebFlux multipart temporary file not deleted when the client disconnects early #​28740
• Ensure channelExecutors and taskScheduler in STOMP WebSocket config are qualified #​28736
• MockHttpServletResponse addHeader does not allow Comment part with Set-Cookie header #​28730
• Meta-annotations are unnecessarily synthesized in MergedAnotations #​28704
• GenericApplicationContext does not honor ProtocolResolver when a resource loader is set via setResourceLoader() #​28703
• R2DBC: @Transactional(readOnly) is applied to the connection before the transaction has begun #​28610

📔 Documentation

• Fix Kotlin code snippets language #​28810
• Fix typos in reference docs and project documentation #​28805
• Fix and improve Javadoc in spring-beans and spring-aop #​28803
• Fix and improve Javadoc in spring-core and spring-context #​28802
• Fix and improve Javadoc in spring-messaging, spring-jms and spring-expression #​28800
• Fix and improve Javadoc in spring-r2dbc, spring-oxm, spring-orm and spring-jdbc #​28796
• Fix and improve Javadoc in spring-test #​28795
• Fix and improve Javadoc in spring-tx #​28794
• Fix and improve Javadoc in spring-web #​28791
• Fix and improve Javadoc in spring-webflux #​28790
• Fix and improve Javadoc in spring-webmvc #​28789
• Fix and improve Javadoc in spring-websocket #​28788
• Fix Kotlin example for defines a custom @Production #​28680
• Fix a typo in ResponseEntity documentation #​28647
• Document that Kotlin inline classes are not supported yet #​28642
• Refine @Required Kotlin documentation to use annotation use site targets #​28630
• Fix Kotlin example for @ComponentScan basePackages attribute #​28628
• Kotlin examples for setter injection incorrectly use field injection #​28596
• Fix expectations in MockMvc Kotlin documentation #​28301

🔨 Dependency Upgrades

• Update to Bouncycastle 1.71 #​28636
• Upgrade to Reactor 2020.0.21 #​28765

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jasonjiang9527
• @​izeye
• @​marcwrobel
• @​larsgrefer
• @​jprinet
• @​vikeychen
• @​kacperkrzyzak
• @​kevin0x90
• @​vpavic
• @​CodeInDreams
• @​4ra1n

v5.3.21

Compare Source

⭐ New Features

• Expose ThreadPoolTaskExecutor queue size and capacity for metrics #​28583
• Lazily initialize DataSize.PATTERN #​28560
• MockMvcWebTestClient forces HTTP POST for multipart requests #​28545
• Support for CGLIB BeanCopier utility on JDK 17 #​28530
• Allow changes to org.springframework.web log category at runtime #​28477

🐞 Bug Fixes

• Avoid eager instantiation of non-singleton FactoryBean in getBeanNamesForType #​28616
• ObjectToObjectConverter doesn't consider return type of static methods #​28609
• Charset for input stream ignored in Jaxb2XmlDecoder #​28599
• Support RouterFunction ordering in Spring MVC #​28595
• Always construct new exception on error in DefaultWebClient #​28550
• HierarchicalUriComponents::getPort() throws NumberFormatException with invalid port in URI #​28521
• Cannot serve static resources with spaces from "file:" location when using PathPattern and UrlPathHelper is set to not decode #​27791

📔 Documentation

• Fix code sample for nested router functions #​28603
• Fix Kotlin example for @Required #​28590
• Fix Kotlin example for dependency injection with static factory method #​28589
• Update documentation regarding nested test class support #​28579
• Update reference docs to use PropertySourcesPlaceholderConfigurer #​28572
• Fix typo in webflux.adoc #​28542
• Fix Javadoc for DatabaseClient #​28520
• CachingConnectionFactory with WebLogic JMS not caching producers nor consumers #​28500
• Fix Kotlin example for static factory method #​28399

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.20 #​28612

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​rguihard
• @​hsteinmueller
• @​gorisanson
• @​fsgonz
• @​pokab
• @​eltociear

v5.3.20

Compare Source

⭐ New Features

• Refine CachedIntrospectionResults property introspection #​28445
• Improve tests and Javadoc on binding to a property of type javax.servlet.Part #​27830
• WritableResource doesn't have parity with Resource in @Value etc. [SPR-10656] #​15284

🐞 Bug Fixes

• Ignore invalid STOMP frame #​28443
• @ModelAttribute name attribute is not supported in WebFlux #​28423
• Fix BindingResult error when ModelAttribute has custom name in WebFlux #​28422
• Request body deserialization failures are not captured by exception handlers in WebFlux #​28155

📔 Documentation

• Remove Log4J initialization from package-info.java in spring-web #​28420
• Remove Log4J configurer from package-info.java in spring-core #​28411
• Fix github issue reference in RequestMappingHandlerMapping #​28372
• Add Javadoc since tags for GraphQL constants #​28369
• Fix method reference in Kotlin documentation #​28340

🔨 Dependency Upgrades

• Upgrade to ASM 9.3 #​28390
• Upgrade to Reactor 2020.0.19 #​28437

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​izeye
• @​koenpunt
• @​missingdays
• @​zhangmingqi09
• @​binchoo
• @​gorisanson
• @​jprinet
• @​nealshan
• @​bougar

v5.3.19

Compare Source

⭐ New Features

• Remove DNS lookups during websocket connection initiation #​28280
• Add application/graphql+json Media type and MIME type constants #​28271
• Fix debug log for no matching acceptableTypes #​28116
• Provide support for post-processing a LocalValidatorFactoryBean's validator Configuration without requiring sub-classing #​27956

🐞 Bug Fixes

• Improve documentation and matching algorithm in data binders #​28333
• NotWritablePropertyException when attempting to declaratively configure ClassLoader properties #​28269
• BeanPropertyRowMapper's support for direct column name matches is missing in DataClassRowMapper #​28243
• AbstractListenerReadPublisher does not call ServletOutputStream::isReady() when reading chunked data across network packets #​28241
• ResponseEntity objects are accumulated in ConcurrentReferenceHashMap #​28232
• Lambda proxy generation fix causes BeanNotOfRequiredTypeException #​28209
• CodeGenerationException thrown when using AnnotationMBeanExporter on JDK 17 #​28138

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.18 #​28329

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​GatinMI

v5.3.18

Compare Source

⭐ New Features

• Restrict access to property paths on Class references #​28261
• Introduce cancel(boolean mayInterruptIfRunning) in ScheduledTask #​28233

🐞 Bug Fixes

• Move off deprecated API in SessionTransactionData #​28234

📔 Documentation

• Introduce warnings in documentation of SerializationUtils #​28246
• Update copyright date in reference manual #​28237
• @Transactional test does not execute all JPA lifecycle callback methods #​28228

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​izeye
• @​quaff

v5.3.17

Compare Source

⭐ New Features

• Using DataClassRowMapper causes "No property found for column" debug messages in logs #​28179
• Improve diagnostics in SpEL for large array creation #​28145
• Support custom HTTP status in client-side REST testing support #​28105
• AsyncRestTemplate logging too verbose #​28049

🐞 Bug Fixes

• java.lang.NoClassDefFoundError: org/springframework/cglib/beans/BeanMapEmitter #​28110
• CronExpression fails to calculate properly next execution when running on the day of winter daylight saving time #​28095
• Private init/destroy method may be invoked twice #​28083
• MappingJacksonValue and Jackson2CodecSupport#registerObjectMappersForType do not work together [#​28045](https