
Update dependency org.springframework:spring-webmvc to v6 [SECURITY] - autoclosed #18

@renovate renovate bot commented Oct 31, 2024

This PR contains the following updates:

Package: org.springframework:spring-webmvc
Change: 5.3.31 -> 6.0.0

GitHub Vulnerability Alerts

CVE-2024-38828

Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.


Release Notes

spring-projects/spring-framework (org.springframework:spring-webmvc)

v6.0.0


See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

⭐ New Features

  • Avoid direct URL construction and URL equality checks #29486
  • Simplify creating RFC 7807 responses from functional endpoints #29462
  • Allow test classes to provide runtime hints via declarative mechanisms #29455

📔 Documentation

  • Align javadoc of DefaultParameterNameDiscoverer with its behavior #29494
  • Document AOT support in the TestContext framework #29482
  • Document Ahead of Time processing in the reference guide #29350

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@ophiuhus and @wilkinsona

v5.3.39

⭐ New Features

  • SimpleEvaluationContext should disable array allocation #33386

v5.3.38

⭐ New Features

  • Efficient handling of conditional HTTP requests #33378

🐞 Bug Fixes

  • Fix incorrect weak ETag validation #33377
  • SimpleEvaluationContext does not enforce read-only semantics #33320
  • ConversionService cannot convert primitive array to Object[] #33314
  • SpEL Indexer silently ignores failure to set property as index #33312
  • Mockito mock falsely initialized as CGLIB proxy with AspectJ aspect #33142
  • "file:." cannot be resolved to java.nio.file.Path (and plain "." value resolves to classpath root) #33140

📔 Documentation

  • Typo in Annotation-driven Listener Endpoints section of Spring Framework documentation #33052
  • Container Extension Points section of Spring Framework documentation refers to the wrong property name #33039
  • Incorrect constructor details in the javadoc for ApplicationContextEvent #33034

🔨 Dependency Upgrades

v5.3.37

⭐ New Features

  • AnnotationUtils performance degrades with deep stacks #32923

🐞 Bug Fixes

  • AspectJ CTW aspects executed twice #32974
  • SpEL compilation fails when indexing into a Map with a primitive #32911
  • SpEL compilation fails when indexing into an array or list with an Integer #32909
  • Application not starting with @EnableTransactionManagement(mode = AdviceMode.ASPECTJ) #32885

🔨 Dependency Upgrades

v5.3.36

🐞 Bug Fixes

  • Overridden aspect method runs twice #32868
  • @DateTimeFormat(iso = DateTimeFormat.ISO.DATE_TIME) cannot convert UTC without milliseconds to java.util.Date #32860
  • Spring AOP fails against registered @Configurable aspect #32840

v5.3.35

⭐ New Features

  • Accept ajc-compiled @Aspect classes for Spring AOP proxy usage #32818

🐞 Bug Fixes

  • DeferredQueryInvocationHandler fails to unwrap QuerySqmImpl class outside of transaction #32770
  • MergedAnnotations search does not find container for repeatable annotation #32751
  • AnnotationConfigWebApplicationContext should propagate ApplicationStartup to BeanFactory #32749
  • Ignore non-String keys in PropertiesPropertySource.getPropertyNames() #32744
  • "multiple subscribers not supported" when using WebClient exchange #32728
  • Deadlock/Stall in ConcurrentWebSocketSessionDecorator with Undertow 2.3.10 #32698

📔 Documentation

  • Correct documentation on streaming with MockMvcWebTestClient #32723
  • Update links to HttpOnly documentation at OWASP in ResponseCookie #32668

🔨 Dependency Upgrades

v5.3.34


⭐ New Features

  • Log column type for limited support message in JdbcUtils.getResultSetValue #32603
  • Avoid additional unnecessary Annotation array cloning in TypeDescriptor #32477
  • Avoid cloning empty Annotation array in TypeDescriptor #32466

🐞 Bug Fixes

  • Refine scheme, userinfo, host and port parsing in UriComponentsBuilder #32618
  • MethodIntrospector.selectMethods() fails to detect bridge methods across ApplicationContexts #32588
  • JmsUtils.commitIfNecessary catches and ignores JMS IllegalStateException, losing message with ActiveMQ Artemis #32480
  • Consistently apply TaskDecorator to ManagedExecutorService as well #32457

🔨 Dependency Upgrades

v5.3.33


⭐ New Features

  • Extract reusable method for URI validations #32442
  • Allow UriTemplate to be built with an empty template #32438
  • Refine *HttpMessageConverter#getContentLength return value null safety #32332

🐞 Bug Fixes

  • AopUtils.getMostSpecificMethod does not return original method for proxy-derived method anymore #32369
  • Better protect against concurrent error handling for async requests #32342
  • Restore Jetty 10 compatibility in JettyClientHttpResponse #32337
  • ContentCachingResponseWrapper no longer honors Content-Type and Content-Length #32322

📔 Documentation

  • Build KDoc against 5.3.x Spring Framework Javadoc #32414

🔨 Dependency Upgrades

v5.3.32


⭐ New Features

  • Add CORS support for Private Network Access #31974
  • Avoid early getMostSpecificMethod resolution in CommonAnnotationBeanPostProcessor #31969

🐞 Bug Fixes

  • Consistent parsing of user information in UriComponentsBuilder #32247
  • QualifierAnnotationAutowireCandidateResolver.checkQualifier does identity checks when comparing arrays used as qualifier fields #32108
  • Guard against multiple body subscriptions in Jetty and JDK reactive responses #32101
  • Static resources caching issues with ShallowEtagHeaderFilter and Jetty caching directives #32051
  • ChannelSendOperator.WriteBarrier race condition in request(long) method leads to response being dropped #32021
  • Spring AOP does not propagate arguments for dynamic prototype-scoped advice #31964
  • MergedAnnotation swallows IllegalAccessException for attribute method #31961
  • CronTrigger hard-codes default ZoneId instead of participating in scheduler-wide Clock setup #31950
  • MergedAnnotations finds duplicate annotations on method in multi-level interface hierarchy #31825
  • PathEditor cannot handle absolute Windows paths with forward slashes #31728
  • Include Hibernate's Query.scroll() in SharedEntityManagerCreator's queryTerminatingMethods set #31684
  • TypeDescriptor does not check generics in equals method (for ConversionService caching) #31674
  • Slow SpEL performance due to method sorting in ReflectiveMethodResolver #31665
  • Jackson encoder releases resources in wrong order #31657
  • WebSocketMessageBrokerStats has null stats for stompSubProtocolHandler since 5.3.2 #31642

📔 Documentation

  • Document cron-vs-quartz parsing convention for dayOfWeek part in CronExpression #32131

🔨 Dependency Upgrades


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 38a90f4 to 08b0b62 on November 6, 2024 05:53
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-webmvc-vulnerability branch from 08b0b62 to 7b43637 on December 11, 2024 17:00
@renovate renovate bot changed the title from "Update dependency org.springframework:spring-webmvc to v6 [SECURITY]" to "Update dependency org.springframework:spring-webmvc to v6 [SECURITY] - autoclosed" on Dec 12, 2024
@renovate renovate bot closed this on Dec 12, 2024
@renovate renovate bot deleted the renovate/maven-org.springframework-spring-webmvc-vulnerability branch on December 12, 2024 01:42