Update Spring All

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.boot:spring-boot-starter-test (source)	2.7.14 -> 2.7.18
org.springframework.security:spring-security-web (source)	5.8.10 -> 5.8.14
org.springframework.security:spring-security-config (source)	5.8.10 -> 5.8.14
org.springframework.security:spring-security-crypto (source)	5.8.10 -> 5.8.14
org.springframework.security:spring-security-core (source)	5.8.10 -> 5.8.14
org.springframework.cloud:spring-cloud-dependencies (source)	2021.0.8 -> 2021.0.9
org.springframework.security:spring-security-rsa (source)	1.1.1 -> 1.1.5

---

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-test)

v2.7.18

⚠️ Noteworthy Changes

• Following the Paketo team's announcement that the Bionic CNB builders will be removed, the default builder using by bootBuildImage (Gradle) and spring-boot:build-image (Maven) has been changed to Paketo Jammy #​38477

🐞 Bug Fixes

• App fails to start with a NoSuchMethodError when using Flyway 10.0.0 #​38164
• spring.webflux.multipart.max-disk-usage-per-part behaves incorrectly for values where the number of bytes overflows an int #​38146
• Mail health indicator fails when host is not set in properties #​38007

📔 Documentation

• Document supported SQL comment prefixes #​38385
• Fix link to Elasticsearch health indicator #​38330
• Improve --help and documentation for "encodepassword -a/--algorithm" in the Spring Boot CLI #​38203
• Document that TomcatConnectorCustomizers are not applied to additional connectors #​38183
• MyErrorWebExceptionHandler example in documentation isn't working #​38104
• Document that SerializationFeature.WRITE_DURATIONS_AS_TIMESTAMPS is disabled by default #​38083
• Update "Running Behind a Front-end Proxy Server" to include reactive and ForwardedHeaderTransformer #​37282
• Improve documentation of classpath.idx file and its generation by the Maven and Gradle plugins #​37125
• Document configuration for building images with Colima #​34522
• Code sample in "Developing Your First Spring Boot Application" does not work #​34513
• Document ConfigurationPropertyCaching #​34172
• Document that application.* banner variables require a packaged jar or the use of Boot's launcher #​33489
• Add section on AspectJ support #​32642
• Document server.servlet.encoding.* properties and server.servlet.encoding.mapping in particular #​32472
• Add a section on customizing embedded reactive servers #​31917
• Clarify that MVC components provided through WebMvcRegistrations are subject to subsequent processing and configuration by MVC #​31232
• Clarifying documentation on including a top-level @TestConfiguration class in a test #​30513
• Clarify that @AutoConfigureWebTestClient binds WebTestClient to mock infrastructure #​29890
• Improve systemd configuration documentation #​28453
• Document how to customize the basePackages that auto-configurations consider (for example Spring Data Repositories) #​27549
• Document additional user configuration that's required after setting spring.hateoas.use-hal-as-default-json-media-type to false #​26814
• Add how-to documentation for test-only database migrations with Flyway/Liquibase #​26796

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 5.16.7 #​38427
• Upgrade to DB2 JDBC 11.5.9.0 #​38428
• Upgrade to Dropwizard Metrics 4.2.22 #​38429
• Upgrade to Elasticsearch 7.17.15 #​38430
• Upgrade to Glassfish JAXB 2.3.9 #​38431
• Upgrade to Micrometer 1.9.17 #​38279
• Upgrade to Netty 4.1.101.Final #​38432
• Upgrade to Pooled JMS 1.2.6 #​38433
• Upgrade to Reactor Bom 2020.0.38 #​38280
• Upgrade to Spring Batch 4.3.10 #​38281
• Upgrade to Spring Data Bom 2021.2.18 #​38282
• Upgrade to Spring Framework 5.3.31 #​38283
• Upgrade to Spring HATEOAS 1.5.6 #​38373
• Upgrade to Spring Integration 5.5.20 #​38491
• Upgrade to Spring RESTDocs 2.0.8.RELEASE #​38434
• Upgrade to Spring WS 3.1.8 #​38284
• Upgrade to Tomcat 9.0.83 #​38435

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GVictorG7, @​PENEKhun, @​dreis2211, and @​izeye

v2.7.17

⚠️ Noteworthy Changes

• The behavior of spring.jms.listener.concurrency has been corrected to match the documentation (#​37180). If you were setting spring.jms.listener.concurrency without also setting spring.jms.listener.max-concurrency, please review your configuration when upgrading.

🐞 Bug Fixes

• @Order does not work on (CommandLine|Application)Runner @Bean methods #​37905
• Gradle plugin uses to-be-deprecated API for getting and setting file permissions #​37878
• Task executor metrics are not registered when using lazy initialization #​37832
• Constructor binding with a custom collection type does not work #​37734
• Dependency management for kafka-server-common with a test classifier is missing #​37499
• fileMode and dirMode are not applied to all entries in an archive produced by BootJar #​37496
• Gradle plugin's build info support produces a deprecation warning when using Gradle 8.4-rc-1 #​37493
• RepackageMojo doesn't support 1 digit numerical values for project.build.outputTimestamp #​37438
• Restarter creates memory leak in tests #​37373
• Contrary to the documentation, setting spring.jms.listener.concurrency alone configures the maximum concurrency #​37180
• Application fails to start when an optional config import cannot be resolved #​35683
• @ComponentScan on a test class is processed when creating a test context but is not included in the context's cache key #​31577
• AspectJ transaction management with compile-time weaving does not work with spring.main.lazy-initialization=true #​37506

📔 Documentation

• Remove link to LiveReload website due to timeout #​37643
• Refer to ActiveMQ as ActiveMQ "Classic" #​37606
• Use more idiomatic Kotlin in example for "Map Health Indicators to Micrometer Metrics" #​37491
• Document support for Java 21 #​37371

🔨 Dependency Upgrades

• Upgrade to Dropwizard Metrics 4.2.21 #​37893
• Upgrade to Elasticsearch 7.17.14 #​37840
• Upgrade to Infinispan 13.0.20.Final #​37841
• Upgrade to Jetty 9.4.53.v20231009 #​37842
• Upgrade to Jetty Reactive HTTPClient 1.1.15 #​37927
• Upgrade to Micrometer 1.9.16 #​37674
• Upgrade to Netty 4.1.100.Final #​37843
• Upgrade to Pooled JMS 1.2.5 #​37894
• Upgrade to Reactor Bom 2020.0.37 #​37675
• Upgrade to Spring AMQP 2.4.17 #​37676
• Upgrade to Spring Data Bom 2021.2.17 #​37677
• Upgrade to Spring Session Bom 2021.2.3 #​37928
• Upgrade to Tomcat 9.0.82 #​37895
• Upgrade to UnboundID LDAPSDK 6.0.10 #​37753
• Upgrade to Undertow 2.2.28.Final #​37929

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​bottlerocketjonny, @​dependabot[bot], @​erichaagdev, @​esperar, @​izeye, @​jbertram, @​nielsbasjes, @​onobc, @​ttddyy, and @​vpavic

v2.7.16

⭐ New Features

• Add TWENTY_ONE to JavaVersion enum #​37362

🐞 Bug Fixes

• Invalid Accept header produces HTTP 500 in WelcomePageHandlerMapping #​37455
• PrivateKeyParser doesn't support ed448, XDH and RSA-PSS keys #​37237
• Parsing OCI image names that are invalid due to the use of upper case letters is very slow #​35657
• Using https with elliptic curves other than secp384r1 fails #​34232
• Saml2RelyingPartyAutoConfiguration ignores sign-request when metadata-url is used #​33747
• Leaking file descriptor / socket within DomainSocket tooling #​32423

📔 Documentation

• Correct the description of spring.artemis.broker-url #​37260
• Add default value metadata for management.metrics.export.signalfx.published-histogram-type #​37210
• Document that PKCS8 PEM files should be used whenever possible #​37170
• Polish javadoc #​37112

🔨 Dependency Upgrades

• Upgrade to Elasticsearch 7.17.13 #​37286
• Upgrade to Jetty 9.4.52.v20230823 #​37287
• Upgrade to Lombok 1.18.30 #​37486
• Upgrade to Micrometer 1.9.15 #​37245
• Upgrade to Reactor Bom 2020.0.36 #​37246
• Upgrade to Spring AMQP 2.4.16 #​37247
• Upgrade to Spring Data Bom 2021.2.16 #​37248
• Upgrade to Spring Framework 5.3.30 #​37249
• Upgrade to Spring GraphQL 1.0.6 #​37250
• Upgrade to Spring Integration 5.5.19 #​37251
• Upgrade to Spring Security 5.7.11 #​37414
• Upgrade to Spring WS 3.1.7 #​37415
• Upgrade to Tomcat 9.0.80 #​37288

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot], @​hakan-krgn, @​izeye, @​mdeinum, and @​quaff

v2.7.15

⚠️ Noteworthy Changes

• This release upgrades to MariaDB 3.1.4 from 3.0.x to restore compatibility with Java 8. If the upgrade is problematic and Java 8 compatibility is not a requirement, downgrade to 3.0.x by using the mariadb.version property

🐞 Bug Fixes

• Artemis ConnectionFactory is not configured when CachingConnectionFactory is missing and enabled properties are false #​36767
• server.max-http-request-header-size doesn't affect Netty server with http2 enabled #​36766
• LogbackLoggingSystem does not report suppressed exception details #​36645
• Tomcat warns about a missing +/- prefix when enabling multiple protocols through server.ssl.enabled-protocols #​36572
• Descriptions of started and ready time metrics contain time units but the unit may change when the metrics are exported #​36507
• management.metrics.export.wavefront properties are incomplete #​36498
• management.metrics.export.signalfx properties are incomplete #​36497
• management.metrics.export.atlas properties are incomplete #​36496
• Script-based database initialization fails with an unhelpful error message when configured with a resource that points to a directory #​36386
• JobLauncherApplicationRunner returns a success exit code even when no jobs have been run #​36060
• DatabaseDriver swallows real exception #​34728
• Application Context initialized twice during test when exception thrown during initialization #​24888

📔 Documentation

• Maven plugin docs contain invalid parameter for image building #​37048
• Align javadoc of AbstractFilterRegistrationBean#setDispatcherTypes #​36965
• Update RestTemplateBuilder#defaultHeader javadoc to reference correct client-side HTTP request class #​36614
• @since is missing from javadoc of values added to JavaVersion since its introduction #​36608
• Document that server.forward-headers-strategy property defaults to native when running on Kubernetes #​36564
• Clarify the effect of using @EnableWebMvc #​36506
• Documentation of spring.redis.url incorrectly states that it does not override spring.redis.user #​36477
• Improve documentation to describe how @EntityScan and @Enable?Repositories can be used to tune scanning #​36282
• Document that scripts for database initialization are optional by default and how they can be made mandatory #​36176
• Document @DataR2dbcTest support #​35014
• Update expected size of the jar file in the first application getting started documentation #​34514
• Improve documentation of spring.cache.type=none #​33694
• Clarify that spring.security.filter properties only apply to servlet-based web apps #​33551
• Describe quirks of JUL and Log4j2 in the javadoc of OutputCaptureExtension #​32562
• Documentation describes how to opt in to using the path pattern parser but it's now the default #​32557
• Clarify table that shows how logging properties are transferred to system properties #​32160
• Rework Working with NoSQL Technologies to clarify which stores are supported by Spring Data #​29694
• Clarify how nested directories are treated for configtree with wildcards #​28203
• Document defaults for spring.mvc.format.* and spring.webflux.format.* properties #​30041

🔨 Dependency Upgrades

• Upgrade to Elasticsearch 7.17.12 #​36870
• Upgrade to Groovy 3.0.19 #​37055
• Upgrade to MariaDB 3.1.4 #​36394
• Upgrade to Micrometer 1.9.14 #​36824
• Upgrade to Netty 4.1.97.Final #​37085
• Upgrade to Reactor Bom 2020.0.35 #​36825
• Upgrade to Spring AMQP 2.4.15 #​36826
• Upgrade to Spring Batch 4.3.9 #​36827
• Upgrade to Spring Data Bom 2021.2.15 #​36828
• Upgrade to Tomcat 9.0.79 #​36992
• Upgrade to Undertow 2.2.26.Final #​37029

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​MahatmaFatalError, @​NersesAM, @​chicobento, @​dependabot[bot], @​dreis2211, @​eddumelendez, @​elevne, @​fzyzcjy, @​itsAkshayDubey, @​izeye, @​msobeck, @​rob-valor, @​spa-abaudat, and @​vpavic

spring-projects/spring-security (org.springframework.security:spring-security-web)

v5.8.14

Compare Source

⭐ New Features

• Document the role of CredentialsContainer #​15319

🪲 Bug Fixes

• Clarify url Parameter Usage in AD Provider Constructor #​15409
• Using sec:authorize in JSPX causes 'java.lang.NullPointerException: Cannot invoke "jakarta.servlet.ServletRegistration.getClassName()" because "registration" is null' #​15363

🔨 Dependency Upgrades

• Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #​15375
• Bump io.projectreactor.netty:reactor-netty from 1.0.46 to 1.0.47 #​15391
• Bump io.projectreactor.netty:reactor-netty from 1.0.47 to 1.0.48 #​15606
• Bump io.projectreactor:reactor-bom from 2020.0.45 to 2020.0.46 #​15390
• Bump io.projectreactor:reactor-bom from 2020.0.46 to 2020.0.47 #​15604
• Bump org-eclipse-jetty from 9.4.54.v20240208 to 9.4.55.v20240627 #​15360
• Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.2 #​15291
• Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #​15335
• Bump org.springframework:spring-framework-bom from 5.3.37 to 5.3.39 #​15615

🔩 Build Updates

• Automate check of expected branch version #​15226
• Bump @antora/collector-extension from 1.0.0-alpha.4 to 1.0.0-alpha.6 in /docs #​15447
• Bump @antora/collector-extension from 1.0.0-alpha.6 to 1.0.0-alpha.7 in /docs #​15484
• Bump @antora/collector-extension from 1.0.0-alpha.7 to 1.0.0-beta.1 in /docs #​15558
• Bump @antora/collector-extension from 1.0.0-beta.1 to 1.0.0-beta.2 in /docs #​15633
• Bump @springio/antora-extensions from 1.11.1 to 1.12.0 in /docs #​15417
• Bump @springio/antora-extensions from 1.12.0 to 1.13.0 in /docs #​15523
• Bump @springio/antora-extensions from 1.13.0 to 1.13.1 in /docs #​15559
• Bump @springio/antora-extensions from 1.13.1 to 1.14.2 in /docs #​15632
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.10 to 1.0.0-alpha.11 in /docs #​15416
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.11 to 1.0.0-alpha.12 in /docs #​15524
• Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #​15330
• Bump antora from 3.2.0-alpha.5 to 3.2.0-alpha.6 in /docs #​15481
• Bump com.gradle.develocity from 3.17.5 to 3.17.6 #​15463

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​Haarolean
• @​dependabot[bot]

v5.8.13

Compare Source

⭐ New Features

• doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #​14779
• Enhance Logging in RequestMatcherDelegatingAuthorizationManage #​14837
• Improve PasswordEncoder Error Messaging #​14951
• InMemoryUserDetailsManager: consider improving the error message when no PasswordEncoding has been specified #​14880
• Mention all required dependencies in LDAP documentation #​15235
• Remove useBase64 parameter #​14862

🪲 Bug Fixes

• AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #​13849
• Always Use Request-Level ServletContext to Evaluate Request Matcher Paths #​15195
• Assert WebSession is not null #​14977
• Conditionally Add Conventions Plugin #​15152
• DispatcherServletDelegatingRequestMatcher causes errors when there is more than one ServletContext #​14418
• Fix Java example in multitenanci.adoc #​15146
• LDIF file on official documentation breaks the startup process #​15089
• Link to article with remember-me-persistent-token strategy is broken #​14358
• ProxyRestrictionConditionValidator is missing in the OpenSaml4AuthenticationProvider.SAML20AssertionValidators class #​14931
• Resolving invalid CSRF token values is not consistent #​15184
• Restore Build Scan Capability #​15120
• Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #​14855

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.44 to 1.0.45 #​15074
• Bump io.projectreactor.netty:reactor-netty from 1.0.45 to 1.0.46 #​15231
• Bump io.projectreactor.tools:blockhound from 1.0.8.RELEASE to 1.0.9.RELEASE #​14923
• Bump io.projectreactor:reactor-bom from 2020.0.43 to 2020.0.44 #​15073
• Bump io.projectreactor:reactor-bom from 2020.0.44 to 2020.0.45 #​15230
• Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #​15191
• Bump org.springframework:spring-framework-bom from 5.3.34 to 5.3.35 #​15085
• Bump org.springframework:spring-framework-bom from 5.3.35 to 5.3.36 #​15135
• Bump org.springframework:spring-framework-bom from 5.3.36 to 5.3.37 #​15253
• Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 #​14938

🔩 Build Updates

• Attach Antora Docs to Pull Requests #​14992
• Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #​15160
• Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #​15140
• Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.13 #​15001
• Bump com.gradle.develocity from 3.17.2 to 3.17.4 #​15099
• Bump com.gradle.develocity from 3.17.4 to 3.17.5 #​15240
• Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #​14959
• Consider Adding a Build Updates section to the release changelog #​14485
• Migrate to com.gradle.develocity plugin #​15021
• Update Gradle Enterprise plugin to 3.17.2 #​15020

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​caio-henrique
• @​jzheaux
• @​dukbong
• @​Harsh4902
• @​abimael-turing
• @​dependabot[bot]
• @​sheriumair
• @​paschm

v5.8.12

Compare Source

🪲 Bug Fixes

• Conditional check for data-source-ref is incorrect #​14742

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.43 to 1.0.44 #​14878
• Bump io.projectreactor:reactor-bom from 2020.0.42 to 2020.0.43 #​14877
• Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #​14822
• Bump org.springframework:spring-framework-bom from 5.3.33 to 5.3.34 #​14891

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​dependabot[bot]
• @​sheriumair

v5.8.11

Compare Source

🪲 Bug Fixes

• Allow tab in HTTP header values. #​14590
• Check for null Authentication #​14664
• PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #​14720
• Remove duplicate setSecurityContextHolderStrategy #​14603
• Spring security's ServerLogoutHandler order problem. #​14379

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.41 to 1.0.43 #​14730
• Bump io.projectreactor:reactor-bom from 2020.0.41 to 2020.0.42 #​14729
• Bump org.springframework:spring-framework-bom from 5.3.32 to 5.3.33 #​14759

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​chbecker2
• @​kse-music
• @​dependabot[bot]

spring-cloud/spring-cloud-release (org.springframework.cloud:spring-cloud-dependencies)

v2021.0.9

---

Configuration

📅 Schedule: Branch creation - "after 7am and before 11am every weekday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.