chore(deps): update dependency org.springframework:spring-web to v6 #43
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.3.14
->6.0.0
By merging this PR, the below vulnerabilities will be automatically resolved:
GitHub Vulnerability Alerts
CVE-2016-1000027
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.
Pivotal Spring Framework contains unsafe Java deserialization methods
CVE-2016-1000027 / GHSA-4wrc-f8pq-fpqp
More information
Details
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
spring-projects/spring-framework
v6.0.0
Compare Source
See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.
⭐ New Features
📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@ophiuhus and @wilkinsona
v5.3.29
Compare Source
⭐ New Features
JdbcTemplate
does not callhandleWarnings
in case of exception #30852AnnotationUtils.isCandidateClass
call withnull
as annotation type #30843DefaultSingletonBeanRegistry.isDependent()
#30841ObjectUtils.nullSafeConciseToString()
#30811ObjectUtils.nullSafeConciseToString()
#30806ResolvableType.hasUnresolvableGenerics()
should cache its result #30715LogFactory
contains all public methods from ApacheLogFactory
#30711🐞 Bug Fixes
toString()
inFieldError
#30800@TransactionalEventListener
#30784Jackson2ObjectMapperBuilder
breaks whenmodules
customizer followsmodulesToInstall
#30752📔 Documentation
ReactiveTransactionManager
exception declarations #30819JdbcTransactionManager
vsDataSourceTransactionManager
#30814🔨 Dependency Upgrades
v5.3.28
Compare Source
⭐ New Features
@Nullable
#30672Environment.matchesProfiles()
for profile expressions #30226🐞 Bug Fixes
@Bean
method that returnsnull
,@Autowired
injectsNullBean
instead ofnull
for cached arguments #30551📔 Documentation
@Scheduled
attributes support SpEL expressions #30642🔨 Dependency Upgrades
v5.3.27
Compare Source
⭐ New Features
StringUtils.truncate()
#30291ObjectUtils.nullSafeConciseToString()
#30287HttpComponentsHeadersAdapter#getFirst
nullable #30269🐞 Bug Fixes
AbstractMessageWriterResultHandler
#30215SharedEntityManagerCreator
#30164📔 Documentation
@PathVariable
reference documentation code snippets #30258@EnableWebSocket
#30187🔨 Dependency Upgrades
v5.3.26
Compare Source
⭐ New Features
matches
operator #30145matches
operator #30141@Nullable
annotations toLogMessage.format
methods #30009MockMvc.multipart()
Kotlin extensions withHttpMethod
#29941@JmsListener
subscription #29902SharedEntityManagerCreator
'squeryTerminatingMethods
set #29888DatabaseClient
is eagerly invoked #29887Jackson2ObjectMapperBuilder#configureFeature
exception handling #29860🐞 Bug Fixes
java.lang.Object
on a JDK proxy #30118forwarding-header-strategy=native
or cloud platform detected #29974Jetty10RequestUpgradeStrategy
#29256📔 Documentation
@AspectJ
argument name resolution algorithm is outdated in reference manual #30057@Bean
method return type for equivalence with XML example #29970@DynamicPropertySource
examples regarding changes in Testcontainers #29940primitivesDefaultedForNullValue
inBeanPropertyRowMapper
#29926DataClassRowMapper
supports Java records #29922🔨 Dependency Upgrades
v5.3.25
Compare Source
⭐ New Features
🐞 Bug Fixes
ConstructorReference
does not generate AST representation of arrays #29666String
literal (and vice versa) #29653WebMvcConfigurationSupport
should not catchThrowable
forSourceHttpMessageConverter
#29537📔 Documentation
🔨 Dependency Upgrades
v5.3.24
Compare Source
⭐ New Features
null
WebSocket session attributes #29315🐞 Bug Fixes
📔 Documentation
webjars-locator-core
dependency #29322🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.23
Compare Source
⭐ New Features
🐞 Bug Fixes
@Nested
tests #29037📔 Documentation
@RequestParam
with WebFlux #28944<tt>
HTML tag in Javadoc #28819🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.22
Compare Source
⭐ New Features
MockMvcRequestBuilders.multipart(HttpMethod, String, Object...)
#28631🐞 Bug Fixes
GenericApplicationContext
does not honorProtocolResolver
when a resource loader is set viasetResourceLoader()
#28703@Transactional
(readOnly) is applied to the connection before the transaction has begun #28610📔 Documentation
@Production
#28680@Required
Kotlin documentation to use annotation use site targets #28630@ComponentScan
basePackages attribute #28628🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.21
Compare Source
⭐ New Features
org.springframework.web
log category at runtime #28477🐞 Bug Fixes
PathPattern
and UrlPathHelper is set to not decode #27791📔 Documentation
@Required
#28590🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.20
Compare Source
⭐ New Features
@Value
etc. [SPR-10656] #15284🐞 Bug Fixes
@ModelAttribute
name attribute is not supported in WebFlux #28423📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.19
Compare Source
⭐ New Features
🐞 Bug Fixes
ServletOutputStream::isReady()
when reading chunked data across network packets #28241🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.18
Compare Source
⭐ New Features
🐞 Bug Fixes
SessionTransactionData
#28234📔 Documentation
@Transactional
test does not execute all JPA lifecycle callback methods #28228❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.17
Compare Source
⭐ New Features
🐞 Bug Fixes