Update dependency org.springframework.boot:spring-boot-autoconfigure to v2.5.15 (main) #30

Open
wants to merge 1 commit into
base: main

@mend-for-github-com mend-for-github-com bot commented Apr 30, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.springframework.boot:spring-boot-autoconfigure (source) | compile | minor | 2.1.4.RELEASE -> 2.5.15 |

By merging this PR, the issue #31 will be automatically resolved and closed:

| Severity | CVSS Score | CVE | Reachability |
|---|---|---|---|
| High | 7.5 | CVE-2023-20883 | |

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-autoconfigure)

v2.5.15

🐞 Bug Fixes

  • Welcome page may return a 404 when an acceptable response cannot be produced #​35559
  • Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #​35414
  • CloudFoundry integration does not use endpoint path mappings #​35411

🔨 Dependency Upgrades

v2.5.14

🐞 Bug Fixes

  • Dependency management for Artemis is incomplete #​31077
  • Default properties configured on SpringApplication have higher precedence than properties configured with @PropertySource #​31068
  • A failure when an instrumented WebClient records metrics causes the request to fail #​30978
  • Configuration properties for Statsd's buffered and step properties are missing #​30898
  • Debug logging for requests to WebFlux-based Actuator endpoints does not identify the endpoint #​30880
  • Event handling in JobExecutionExitCodeGenerator is not thread-safe #​30705
  • SearchStrategy argument of MethodValidationExcludeFilter byAnnotation(Class, SearchStrategy) is not used #​30631
  • @ConditionalOnProperty meta annotation with @AliasFor does not work #​30505
  • Hibernate service loading logs HHH000505 warnings for ServiceConfigurationError with Gradle-built jars since 2.5.10 when using Java 11 or later #​30413
  • Cryptic startup failure with bare LOGGING_LEVEL environment variable #​30281

📔 Documentation

  • Fix link to Upgrading From 1.x in multi-page documentation #​30890
  • Extend documentation on Datadog metrics #​30879
  • Document support for Java 18 #​30548

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.13

🐞 Bug Fixes

  • bootBuildInfo fails with a NullPointerException when an additional property has a null value #​30654
  • Incorrect Neo4j username property replacement hint by spring-boot-properties-migrator #​30550
  • Add Tomcat locale mapping for Japanese to preserve UTF-8 charset #​30535
  • ApplicationAvailabilityBean is not thread-safe #​30489
  • NullPointerException is thrown when accessing /actuator/configprops if a class annotated with both @Configuration and @ConfigurationProperties has a static @Bean method #​30068
  • @SpringBootTest(webEnvironment = WebEnvironment.NONE) is overridden by spring.main.web-application-type in application.properties #​29695
  • Respect WebApplicationType.REACTIVE in tests with a mock web environment #​29170

📔 Documentation

  • Update doc samples to reflect AdoptOpenJDK move to the Eclipse Foundation #​30748
  • Move Jetty 9 specific exclusions to the correct dependency #​30522
  • Polish documentation #​30498
  • Update list of default internal proxies in Web Server howto #​30461

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.12

🐞 Bug Fixes

  • MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath #​30456

📔 Documentation

  • Javadoc of org.springframework.boot.gradle.plugin.ResolveMainClassName.setClasspath(Object) is inaccurate #​30468
  • Document that @DefaultValue can be used on a record component #​30460

🔨 Dependency Upgrades

  • Upgrade to Jackson Bom 2.12.6.20220326 #​30477
  • Upgrade to Spring Framework 5.3.18 #​30491

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.11

⭐ New Features

🐞 Bug Fixes

  • Thymeleaf auto-configuration in a reactive application can fail due to duplicate templateEngine beans #​30384
  • ConfigurationPropertyName#equals is not symmetric when adapt has removed trailing characters from an element #​30317
  • server.tomcat.keep-alive-timeout is not applied to HTTP/2 #​30267
  • Setting spring.mustache.enabled to false has no effect #​30250
  • bootWar is configured eagerly #​30211
  • Actuator @ReadOperation on Flux cancels request after first element emitted #​30095
  • No metrics are bound for R2DBC ConnectionPools that have been wrapped #​30090
  • Unnecessary allocations in Prometheus scraping endpoint #​30085
  • Condition evaluation report entry for a @ConditionalOnSingleCandidate that does not match due to multiple primary beans isn't as clear as it could be #​30073
  • Generated password are logged without an "unsuitable for production use" note #​30061
  • Files in META-INF are not found when deploying a Gradle-built executable war to a servlet container #​30026
  • spring-boot-configuration-processor fails compilation due to @DefaultValue with a long value and generates invalid metadata for byte and short properties with out-of-range default values #​30020
  • Dependency management for Netty tcNative is incomplete leading to possible version conflicts #​30010
  • Dependency management for Apache Kafka is incomplete #​29023

📔 Documentation

  • Fix JsonSerializer example in reference guide #​30329
  • Default value of spring.thymeleaf.reactive.media-types is not documented #​30280
  • Add Netty in "Enable HTTP Response Compression" #​30234
  • Fix typo #​30118
  • Remove non-existent spring.data.cassandra.connection.connection-timeout property from the documentation #​30074
  • Use Gradle's task configuration avoidance APIs in the Gradle Plugin's reference docs #​30056
  • Polish web examples in reference doc #​30027
  • Improve property placeholder documentation to mention environment variables and default values #​30012
  • Use Gradle's task configuration avoidance APIs in the main reference docs #​30000
  • Document how to access the H2 Console in a secured web application #​29932
  • Add links to Spring Boot for Apache Geode to the reference documentation #​29697
  • Include default Dev Tools properties in the reference documentation #​29406
  • Document the WebSocket-related exclusions that are required to use Jetty 10 #​29275
  • Clarify type matching that is performed when using @MockBean and @SpyBean #​28656
  • Add documentation for spring.profiles.include #​28451
  • Document the scalar types supported by MapBinder #​27581
  • Document when config data properties are invalid #​25849
  • Document how to rely on ServletContext with an embedded container setup #​24561
  • Clarify that build plugins or the CLI does not have an auto-compile feature #​17851
  • Document how to structure configurations so that @Bean methods are included in slice tests #​16088

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.10

🐞 Bug Fixes

  • Default JmxAutoConfiguration changes JConsole hierarchy for multi-property @ManagedResource object names #​29953
  • The active profiles log message is ambiguous when a profile's name contains a comma #​29896
  • Failed application contexts are not deregistered from SpringApplicationShutdownHook #​29874
  • Gradle Plugin triggers eager configuration of some tasks #​29762
  • MimeMapping for ots has a trailing space in its mime type #​29746
  • Dependency management for Liquibase does not include its liquibase-cdi module #​29676
  • Ignore invalid stream types when reading log update events #​29675
  • bootJar, bootRun, and bootWar do not pick up changes to the main source set's runtime classpath that are made after Boot's plugin has been applied #​29672
  • @SpyBean causes BeanCurrentlyInCreationException when there are circular references #​29639
  • server.tomcat.use-relative-redirects=true not honored when server.forward-headers-strategy=framework #​29333
  • A fat jar built with Gradle moves META-INF beneath BOOT-INF/classes while Maven leaves it at the jar's root #​28562

📔 Documentation

  • bootRun example should use mainClass, rather than main which was deprecated in Gradle 7.1 #​29965
  • Rectify incorrect sanitizing regex example provided in how-to docs #​29951
  • "Customizing the Banner" should make it more obvious that any environment property can be used #​29931
  • Update javadoc to reflect move from WebSecurityConfigurerAdapter to SecurityFilterChain #​29900
  • Link directly to the Integration Properties section of the appendix when cross-referencing Kafka properties #​29758
  • Add documentation for WebMvc.fn #​29683
  • Move appendix subsections under appendix section #​29667
  • In Gradle plugin docs, replace classifier (deprecated) with archiveClassifier in examples #​29611
  • Clarify relation of import path to resultant properties in configtree import data #​29606
  • Upgrade version of gradle-git-properties in reference doc #​29535
  • Rename Boxfuse to CloudCaptain #​29523
  • Provide some guidance on identifying and resolving Devtools classloading issues #​29438
  • Warn about the dangers of early bean initialization when using @ConditionalOnExpression #​29276
  • Document that placeholders in @DefaultValue annotations are not resolved #​23164

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.9

🐞 Bug Fixes

  • ConfigurationPropertySources.attach will always reattach when called multiple times #​29409
  • 'spring.config.import' placeholders can resolve from profile-specific documents when they should fail #​29386
  • Embedded launch script fails if jar is owned by an unknown user #​29370
  • Maven repackaging of a jar with a deeply nested package is prohibitively slow #​29175
  • @SpringBootTest does not use spring.main.web-application-type properties declared in test resource files #​29169
  • Warning from AprLifecycleListener when using Tomcat Native and Tomcat 9.0.55 or later #​28814

📔 Documentation

  • Clarify documentation for RestTemplate customization #​29394
  • Refer to Maven Resolver rather than Aether #​29255

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.8

🐞 Bug Fixes

  • DatabaseInitializationDependencyConfigurer triggers eager initialization of factory beans #​28977
  • App fails to start when it depends on thymeleaf-extras-springsecurity5 but does not have Spring Security on the classpath #​28967
  • Platform used for Quartz, Session, Integration, and Batch schema initialization cannot be configured #​28932
  • Image buildpack references without tag do not default to latest version #​28921
  • The getter and setter that's used during configuration property binding varies when a getter or setter has been overridden to use a subclass of the property's type #​28917
  • Invalid classpath index manifest attribute in war files built with Maven #​28895
  • The name of the matching-strategy property is incorrect in the action message of the failure analysis for a PatternParseException #​28809
  • Dependency management for org.elasticsearch.distribution.integ-test-zip:elasticsearch should declare its type as zip #​28725

📔 Documentation

  • Polish Creating Your Own Auto-configuration section in Core Features reference doc #​29115
  • Polish CacheManager customization section in reference doc #​29094
  • Document that using DevTools with a remote application is not supported with WebFlux #​28955
  • 2.5.x snapshot documentation links to source code on the main branch #​28856
  • Polish README.adoc #​28835
  • Fix output of "spring --version" in reference documentation #​28831
  • Fix typos in the "External Application Properties" section #​28830
  • Improve deprecation notice on ResourceProperties to direct people to WebProperties for dependency injection and then getResources() #​28762
  • Add a package description for org.springframework.boot.actuate.metrics.data #​28756

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.7

🐞 Bug Fixes

  • Dependency management for JSTL is out of date #​28659
  • JUnit annotations may prevent a test context from being cached #​28565
  • Avoid duplicate AOP proxy class definition with FilteredClassLoader #​28531
  • Profiles added using @ActiveProfiles have different precedence #​28530
  • Logback should default to JVM's default charset instead of ASCII #​28486
  • When a parent context has method validation configuration, it isn't auto-configured in its child contexts #​28479
  • Prometheus actuator endpoint should produce a text/plain response unless application/openmetrics-text is explicitly accepted #​28446

📔 Documentation

  • Fix "Configure Two DataSources" example #​28712
  • Update URL for GraphQL Spring Boot starter #​28683
  • Fix @deprecated and @see in org.springframework.boot.loader.archive.Archive's javadoc #​28680
  • Configuration sample in reference doc has wrong yaml formatting #​28671
  • Fix yaml sample format in reference doc #​28670
  • Fix typo in "Ant-style path matching" #​28549
  • Change description of property "logging.logback.rollingpolicy.max-history" to match Logback documentation #​28466
  • Improve documentation on using an embedded ActiveMQ broker #​28434
  • Don't use markdown syntax in javadoc or error messages #​28424

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.6

🐞 Bug Fixes

  • Misleading failure analysis when jOOQ's DSLContext is unavailable due to R2DBC taking precedence over JDBC #​28379
  • When lazy initialization is enabled, JMX endpoints are not available #​28371
  • JarFileWrapper may cause many FinalReferences causing GC pressure #​28356
  • Flattened VCAP_SERVICES properties are not sanitized by default #​28353
  • MeterValue with "d" suffix not parsed as Duration for timer #​28351
  • CachingOperationInvoker cache can consume a significant amount of heap space #​28347
  • Devtools restart fails with in-memory R2DBC database and SQL initialization scripts #​28345
  • ActiveMQ starter depends on org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec #​28340
  • spring-boot-starter-oauth2-client has an unnecessary dependency on com.sun.mail:jakarta.mail #​28333
  • Layertools extract does not preserve last modified and last access times #​28190
  • NumberFormatException when configuring spring.rabbitmq.addresses with an IPv6 address #​28134
  • Broken content negotiation for OpenMetrics #​28130

📔 Documentation

  • Fix typo in EnvironmentPostProcessor's class-level javadoc #​28382
  • Remove obsolete info about Spring Integration's metrics support #​28375
  • Update docs to be explicit about dot notation being correctly mapped #​28201
  • Section 4.4 File Rotation mentions the wrong configuration file name for Log4j2 #​28193
  • Update Javadoc with note mentioning that class using ConstructorBinding must be enabled using annotations #​28171
  • Make it clearer that, when using @AutoConfigureTestEntityManager outside of @DataJpaTest, any tests using the test entity manager must be @Transactional #​28159

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.5

🐞 Bug Fixes

  • Actuator endpoints do not sanitize SPRING_APPLICATION_JSON by default #​28081
  • Startup failure due to non-empty schema when using Flyway and Spring Integration's DataSource initialization #​28079
  • Web MVC metrics may have the wrong status when a filter throws an exception other than NestedServletException #​28069
  • Embedded Undertow throws MalformedURLException when archive filename contains characters that are reserved in a URL [#​28032](https://togithub.com

mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) on Apr 30, 2024