fix(deps): update spring.version [security] (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.springframework:spring-context	3.2.18.RELEASE -> 5.2.21.RELEASE
org.springframework:spring-webmvc	3.2.18.RELEASE -> 5.2.20.RELEASE
org.springframework:spring-web	3.2.18.RELEASE -> 6.0.0
org.springframework:spring-core	3.2.18.RELEASE -> 4.3.17.RELEASE
org.springframework:spring-beans	3.2.18.RELEASE -> 5.2.22.RELEASE

GitHub Vulnerability Alerts

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.

CVE-2022-22965

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency

Patches

• Spring Framework 5.3.18 and 5.2.20
• Spring Boot 2.6.6 and 2.5.12

Workarounds

For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

CVE-2016-9878

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

CVE-2016-1000027

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

CVE-2024-22259

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.

CVE-2024-38809

Description

Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

org.springframework:spring-web in versions

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.

CVE-2024-22262

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x (as well as other unsupported versions) rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

CVE-2022-22970

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-context)

v5.2.21.RELEASE

Compare Source

⭐ New Features

• Remove DNS lookups during websocket connection initiation #​28281

🐞 Bug Fixes

• Improve documentation and matching algorithm in data binders #​28334
• CodeGenerationException thrown when using AnnotationMBeanExporter on JDK 17 #​28279
• ResponseEntity objects are accumulated in ConcurrentReferenceHashMap #​28273
• NotWritablePropertyException when attempting to declaratively configure ClassLoader properties #​28272

v5.2.20.RELEASE

Compare Source

⭐ New Features

• Restrict access to property paths on Class references #​28262
• Improve diagnostics in SpEL for large array creation #​28257

v5.2.19.RELEASE

Compare Source

⭐ New Features

• Declare serialVersionUID on DefaultAopProxyFactory #​27785
• Use ByteArrayDecoder in DefaultClientResponse::createException #​27667

🐞 Bug Fixes

• ProxyFactoryBean getObject called before setInterceptorNames, silently creating an invalid proxy [SPR-7582] #​27817
• Possible NPE in Spring MVC LogFormatUtils #​27783
• UndertowHeadersAdapter's remove() method violates Map contract #​27593
• Fix assertion failure messages in DefaultDataBuffer.checkIndex() #​27577

📔 Documentation

• Lazy annotation throws exception if non-required bean does not exist #​27660
• Incorrect Javadoc in [NamedParameter]JdbcOperations.queryForObject methods regarding exceptions #​27581
• DefaultResponseErrorHandler update javadoc comment #​27571

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR25 #​27635
• Upgrade to Log4j2 2.16.0 #​27825

v5.2.18.RELEASE

Compare Source

⭐ New Features

• Enhance DefaultResponseErrorHandler to allow logging complete error response body #​27558
• DefaultMessageListenerContainer does not log an error/warning when consumer tasks have been rejected #​27457

🐞 Bug Fixes

• Performance impact of con.getContentLengthLong() in AbstractFileResolvingResource.isReadable() downloading huge jars to check component length #​27549
• Performance impact of ResourceUrlEncodingFilter on HttpServletResponse#encodeURL #​27548
• Avoid duplicate JCacheOperationSource bean registration in <cache:annotation-driven /> #​27547
• Non-escaped closing curly brace in RegEx results in initialization error on Android #​27502
• Proxy generation with Java 17 fails with "Cannot invoke "Object.getClass()" because "cause" is null" #​27498
• ConcurrentReferenceHashMap's entrySet violates the Map contract #​27455

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR24 #​27526

v5.2.17.RELEASE

Compare Source

⭐ New Features

• Invalid JavaBean property 'logoutHandlers' being accessed (warning in the logs for Spring Security's ConcurrentSessionFilter) #​27396
• Convenient configuration of type permissions for XStream 1.4.18 #​27344
• ResponseStatusException.initCause always throws IllegalStateException #​27212

🐞 Bug Fixes

• Support char, float, and double primitive default values in BeanUtils.instantiateClass() #​27401
• CommonsMultipartResolver and DEBUG logging lead to empty fileMap in MultipartHttpServletRequest #​27398
• Fix UrlPathHelper#shouldRemoveSemicolonContent() #​27310
• CompositeUriComponentsContributor#hasContributors: method name is not compliant with its intention #​27275
• WebSocketMessageBrokerStats.getExecutorStatsInfo() throws exception if Executor is not a ThreadPoolExecutor #​27213

📔 Documentation

• Fix Kotlin example for filtering handler functions #​27352
• Document when prepareTestInstance() is invoked when using the SpringMethodRule #​27312

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR23 #​27378

v5.2.16.RELEASE

Compare Source

⭐ New Features

• BeanCreationException error message should always include declaring class of constructor (or factory method) #​27140
• SynchronossPartHttpMessageReader should only create temp directory when needed #​27094
• Deprecate internal APIs in ScriptUtils implementations #​26948

🪲 Bug Fixes

• AOP auto-proxying with proxyTargetClass=true and introduction advice does not work for JDK proxy targets #​27148
• SimpleMethodMetadataReadingVisitor.Source.toString() omits separator for method arguments #​27096
• DefaultPathSegment allows shared empty parameters map to be mutated #​27065
• Ignore comments when searching for SQL statement delimiter in ScriptUtils #​26942
• Ignore delimiter enclosed in double quotes in ScriptUtils #​26936

📔 Documentation

• Fix @Transactional examples regarding method visibility #​27005
• Improve @Transactional docs regarding method visibility #​27004
• Document transactional semantics for @TransactionalEventListener after completion methods #​26979

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR21 #​27163

v5.2.15.RELEASE

Compare Source

⭐ New Features

• Ensure multipart temp directories do not collide #​26932
• InvalidPathException in log when running SpringBootTest with NIO Path property on Windows #​26894
• Spring AOP should not apply UndeclaredThrowableException to checked exceptions from Kotlin methods #​26839

🪲 Bug Fixes

• Fix web parameters resolution when injected via constructor #​26923
• Fix Kotlin filter parameter bug in Router DSLs #​26921
• Incorrect check in AbstractBrokerRegistration's constructor #​26898
• @ModelAttribute(binding=false) is not honored with WebFlux #​26888

📔 Documentation

• Remove leftover Javadoc from WebClient #​26809

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR20 #​26891

v5.2.14.RELEASE

Compare Source

⭐ New Features

• Add missing nullable annotation to ResponseEntity ok convenience method #​26614
• Support cookies with Expires attribute but no Max-Age attribute in MockHttpServletResponse #​26559

🪲 Bug Fixes

• @DirtiesContext not applied when class-level @EnabledIf evaluates to false #​26697
• StatusAssertion value methods fail when used with custom status code #​26666
• Local @CrossOrigin maxAge value should override global value #​26620
• Correctly set auto-growing array's element #​26606
• Fix handling of "file:" paths to non-existent files on Windows #​26589
• ClassLoader.getResource can throw IllegalArgumentException #​26588
• LoadTimeWeaver no longer weaves bean classes annotated with @Component #​26584
• ResourceUrlProvider detects wrong set of handler mappings #​26562

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR19 #​26768

v5.2.13.RELEASE

Compare Source

⭐ New Features

• Inefficient reflection operations for destroy method determination #​26499
• No way to affect response when unhandled exceptions thrown from ForwardedHeaderTransformer #​26465
• Fail early FactoryBean instantiation for LinkageError #​26426
• Close mapping streams after the ValidatorFactory has been built in LocalValidatorFactoryBean #​26424
• Defensively handle loadClass null result in BeanUtils.findEditorByConvention (against misbehaving ClassLoader impl such as in the GWT JettyLauncher) #​26256

🪲 Bug Fixes

• Avoid unnecessary wrapping for SqlParameterValue #​26547
• Autowiring shortcut fails with NoSuchBeanDefinitionException after removeBeanDefinition call #​26518
• SimpleJdbcInsert (sporadically) does not insert all columns #​26503
• DefaultHandlerExceptionResolver handling of media type exception on Tomcat 7+ #​26475
• Websocket extensions not working #​26452
• AbstractBeanDefinition#equals handles propertyValues incorrectly #​26435
• Remove obsolete commandName attribute in spring-form.tld #​26338
• NettyHeadersAdapter.add() accepts @Nullable value but throws NullPointerException #​26277

📔 Documentation

• Document the "SpringProperties mechanism" mentioned in the testing chapter #​26494
• UriComponentsBuilder documentation error for HTTP request encoding #​26455
• Wrong documentation for CachePut #​26404

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR17 #​26549

v5.2.12.RELEASE

Compare Source

⭐ New Features

• ContentCachingResponseWrapper should not add “Content-Length” when “Transfer-Encoding” is present #​26191
• Register bean definition dependencies when used via configuration class injected fields #​26168
• Wildcard is a valid Access-Control-Expose-Headers value #​26115
• EntityManagerFactory startup failure in deferred mode is only available on first use #​26094

🪲 Bug Fixes

• AbstractJackson2HttpMessageConverter writes partial data when exception occurs during write #​26246
• Remove duplicate "property" in PropertyCacheKey.toString() #​26242
• DataBuffer Leak in Server Response #​26234
• GenericConversionService$Converters.getMatchableConverters throws ConcurrentModificationException on Java 9+ #​26184
• ConcurrentModificationException in NativeMessageHeaderAccessor#copyHeaders #​26158
• MimeType is no longer actually serializable #​26128
• PathMatchingResourcePatternResolver fails to resolve resources from JAR located in path with '#' on JDK 11+ #​26105
• UrlPathHelper#removeJsessionid doesn't remove the jsessionid from the URL #​26083
• NamedParameterJdbcTemplate.batchUpdate does not individually apply the SQL type from each SqlParameterSource argument #​26073
• DataBufferUtils#join may release a DataBuffer more than necessary #​26061

📔 Documentation

• Clarify intended advice execution behavior in Spring version 5.2.7+ #​26204
• DateTimeFormat ISO.DATE_TIME javadoc contains misleading default note #​26135
• Document that @Transactional does not propagate to new threads #​26102

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR15 #​26175

v5.2.11.RELEASE

Compare Source

⭐ New Features

• StompSubProtocolHandler logs failed authentication with error stack trace #​26037
• MergedAnnotationCollectors.toAnnotationSet() should not create intermediate ArrayList #​26036
• DefaultSimpUserRegistry prevents event from being published if original SimpMessageHeaderAccessor cannot be found #​26013
• DefaultWebClientBuilder copies references #​25993
• Inefficient request handling inside ServletRequestDataBinder #​25990

🪲 Bug Fixes

• Add FullyQualifiedAnnotationBeanNameGenerator.INSTANCE #​26027
• Autowiring does not work reliably in case of dynamically changing prototype bean class #​26020
• Order of profiles in tests is not preserved #​26008
• SseEmitter: connection closed after first event #​25989

📔 Documentation

• Fix a broken Asciidoctor syntax in core-resources.adoc #​26000

v5.2.10.RELEASE

Compare Source

⭐ New Features

• Optimize Jackson resource management in codecs #​25910
• Avoid creation of unused logger instance in AbstractMediaTypeExpression #​25901
• Native Hibernate 5 bootstrapping with JTA transaction manager requires hibernate.transaction.coordinator_class=jta to be set #​25858
• Cannot test @RequestPart multipart controllers with Servlet MockPart #​25829
• Add MariaDB to the supported database products for procedures and functions #​25811
• Optimize String argument resolution in MessageTag #​25809
• Avoid repeated Charset resolution in MimeType #​25808

🪲 Bug Fixes

• Incorrect http response for a request using the Range header for pre-compressed resources #​25976
• @ActiveProfiles with same profiles but different order results in duplicate ApplicationContext #​25973
• LinkedMultiValueMap downstream issue with MultiValueMapAdapter package private base class #​25960
• DataBufferUtils.CompositeMatcher causes poor performance when one or more matchers does not match #​25915
• HttpSeverOperations overrides content-length to 0 on HTTP HEAD #​25908
• jsessionid breaks request mappings when removeSemicolonContent is turned off #​25864
• JettyClientHttpConnector triggers early cancellation #​25849
• Race condition in DataBufferUtils.readAsynchronousFileChannel resulting in FD leak (Channel remains open) #​25831
• SimpMessagingTemplate.convertAndSend results in UnsupportedOperationException when Spring Cloud Sleuth is present #​25821
• ClassCastException when wiring bean using method injection (NullBean instead of 'null') #​25806
• Thread-scoped bean creation freezes if dependent bean is retrieved before dependency bean #​25801
• Sending an event as part of the EMF lock triggers a deadlock #​25799
• Wrong type inference in Kotlin while overriding RequestMappingHandlerMapping#getMappingForMethod #​25657
• SseEmitter (ResponseBodyEmitter) keeps collecting messages if not initialized #​25442

📔 Documentation

• Correct DispatcherServlet initialization sample webmvc.adoc #​25965
• Document that TransactionalEventListener only works with non-reactive transactions #​25805
• Published reference documentation contains unnecessary folders and files #​25783
• Incorrect example in javadocs of Assert.notNull(object, messageSupplier) #​25774

🔨 Dependency Upgrades

• Upgrade to RSocket 1.0.3 #​25957
• Upgrade to Reactor Dysprosium-SR13 #​25946

v5.2.9.RELEASE

Compare Source

⭐ New Features

• HttpHeaders.setContentDispositionFormData should ignore empty filename #​25769
• StringDecoder does not provide a way to configure the default charset #​25762
• MimeMessageHelper.addAttachment: configurable encoding of attachment filename #​25755
• Current log level not checked by LogAccessor supplier-enabled logging methods #​25741
• PropertiesLoaderSupport should ignore socket/connect exceptions as well #​25717
• Avoid repeated calls to getPathWithinApplication from UrlPathHelper.getLookupPathForRequest #​25669
• Avoid full singleton lock for DefaultSingletonBeanRegistry.getSingleton(beanName, false) #​25667
• XStreamMarshaller should avoid direct use of CompositeClassLoader which is not exported by XStream in OSGi #​25662
• Avoid LinkedList performance issues through use of ArrayDeque #​25652
• Introduce createContext() factory method in AbstractGenericContextLoader #​25600
• Declare MessagePostProcessor as a @FunctionalInterface #​25571
• Assert preconditions for MergedAnnotations.from() factory methods #​25568
• Provide access to AbstractRoutingDataSource's resolved target DataSources #​25544
• Possible optimization in UrlResource #​25531
• Refine use of substring operations #​25445
• Cache abstraction does not log hit / miss for synchronized access #​25248

🪲 Bug Fixes

• Issue with Forwarded Header and Multiple Values #​25737
• CallMetaDataContext.reconcileParameters overwrites cursor name #​25707
• VerifyErrors when using SpEL compilation with Thymeleaf when invoking a default method defined in an interface #​25706
• SQLErrorCodesFactory.getErrorCodes(DataSource) returns empty error codes if access to transactional connection fails #​25681
• Make "org.springframework.util.unit.DataSize" class Serializable #​25675
• Joda-Time presence check fails to detect Joda-Time 2.x specifically #​25655
• Regression in SimpleThreadScope introduced in 5.2.7 #​25618
• Potential integer overflow in ExecutorConfigurationSupport.setAwaitTerminationSeconds(int) and AbstractResourceBasedMessageSource.setCacheSeconds(int) #​25613
• Remove session on 4xx response from WebSocket handshake #​25608
• spring-jdbc don't set out parameter name from metadata for Postgresql function after issue#25399 #​25588
• FileUrlResource isWritable method returns true if URL protocol is not indicating a file #​25584
• Lazy dependency proxy does not populate bean dependencies #​25562
• Bean creation fails with StackOverflowError after upgrading from 5.1.13 to 5.2.7 #​25546
• StaticListableBeanFactory.isSingleton() returns false for singleton beans #​25522
• Standalone MockMvc ignores @RestControllerAdvice annotation attributes #​25520
• MockHttpServletResponse reset() does not reset charset field #​25501
• AnnotationTypeMappings does not filter repeatable annotations #​25483
• Wrong error message for type mismatch in jsonPath().value() #​25480
• Fix infinite loop bug in AnnotationScanner #​25429
• Overloaded @Bean method with name mismatch causes bean to be created twice (in case of ASM processing) #​25263

📔 Documentation

• Prevent confusion about build(boolean) method in UriComponentsBuilder #​25604
• Document how to specify Jackson JSON view serialization hints with @RestController and Webflux #​25596
• Inconsistent log level in @Bean javadoc and ConfigurationClassEnhancer #​25590
• Fix asciidoctor syntax for source #​25539
• Improve Javadoc for @RequestMapping#params #​25482
• Document that SimpleCacheManager requires caches to be initialized when not used as a bean #​22988

🔨 Dependency Upgrades

• Upgrade to Reactor Dysprosium-SR12 #​25730

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​eitan613
• @​yfei-z
• @​diguage
• @​genie2014
• @​maciejmiklas
• @​marschall
• @​XenoAmess
• @​yilianhuaixiao

v5.2.8.RELEASE

Compare Source

⭐ New Features

• Defer creating logger in StandardWebSocketHandlerAdapter #​25427
• MutablePropertySources will not find or remove proxied sources #​25369
• Profiles should be comparable when created via Profiles.of() #​25340
• Avoid re-creating RSocketRequester instance per subscriber #​25330
• Hoist Class.getName() from String concatenation to dodge an issue related to profile pollution #​25324
• Improve Random seed in SocketUtils #​25321
• Support fragments in UriComponentsBuilder.fromHttpUrl() #​25300
• Support for custom cache registration in CaffeineCacheManager #​25230
• Don't get ContentCachingResponseWrapper in ShallowEtagHeaderFilter so that users can extend this wrapper #​24976
• Unnecessarily alarming stack trace logged during scheduler resolution #​23268
• Expose a setExceptionListener method in DefaultJmsListenerContainerFactory [SPR-17570] #​22102

🪲 Bug fixes

• UriComponentsBuilder.cloneBuilder() cause sharing query parameters between builders #​25423
• SimpleJdbcCall does not find stored function with PostgreSQL driver 42.2.11 #​25399
• MappingJackson2HttpMessageConverter might be too specific in its Charset support #​25322
• ReactorNetty websocket issue for multiple clients with different protocols #​25315
• Mutating a ServerHttpRequest breaks the existing context path #​25279
• ServerHttpRequest.getSslInfo() always returns null for reactor-netty HTTP/2 requests #​25278
• NoRollbackFor rule causes TransactionAspectSupport to log unwarranted "exception overridden" error on WebSphere #​25253
• AbstractJackson2HttpMessageConverter - Check for encoding breaks JSON to POJO de-serialization experience #​25247
• The AbstractTemplateViewResolver class is not abstract #​25240
• WebClient: NPE and leak in case connection is reset by server. #​25216
• Oracle LOB segments holding TEMP space after executing SP using SimpleJdbcCall with SqlParameterSource #​22972
• IllegalReferenceCountException happens when the operation was canceled #​22594
• DefaultListableBeanFactory.getBean(Class) may throw NoSuchBeanDefinitionException when removeBeanDefinition is being called simultaneously to remove an unrelated bean #​22263

📔 Documentation

• Clarify enforceInitMethod/enforceDestroyMethod default values in AbstractBeanDefinition #​25402
• Improve JavaDoc for ConfigurableApplicationContext.refresh() #​25380
• Fix interface and class names in examples in core-aop doc #​25351
• Wording changes #​25314
• Fix typo in Java example for handler class #​25302
• Improve Javadoc for @​Value regarding supported expressions #​25284
• Fix syntax in validation examples #​25251
• Document exception handling limitations in TaskDecorator implementations (specifically for ThreadPoolTaskExecutor#submit) #​25231

🔨 Dependency upgrades

• Upgrade to Reactor Dysprosium-SR10 #​25376
• Upgrade to nohttp 0.0.5 #​25266

❤️ Contributors

We’d like to thank all the contributors who worked on our current release!

• @​origoni
• @​Buzzardo
• @​wonwoo
• @​jryan128
• @​MaksimKoniukhov
• @​stsypanov

v5.2.7.RELEASE

Compare Source

⭐ New Features

• Implement reliable invocation order for advice within an @Aspect #​25186
• Performance enhancement in execution of ResponseEntity.of() #​25183
• Support for shared GroovyClassLoader in GroovyScriptFactory #​25177
• Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #​25161
• Make use of custom types configurable in YamlProcessor #​25152
• Avoid need for default constructor in ContextAnnotationAutowireCandidateResolver subclasses #​25131
• ConstructorResolver.resolveConstructorArguments() return value issue #​25130
• Introduce serializeToByteArray/deserializeFromByteArray convenience methods #​25117
• Custom HTTP Method on MockServerHttpRequest #​25109
• Missing null checks in AbstractMessageChannel.addInterceptor/setInterceptors #​25088
• Avoid full synchronization in AbstractRefreshableApplicationContext.getBeanFactory() since it can lead to massive thread blocking #​25081
• Simplify use of HttpContext in HttpComponentsClientHttpRequestFactory in support of user associated connections #​25066
• ResolvableType forClass fails when a type in the generic signature isn't present #​25064
• Include timeout unit in shutdown failure logging #​25058
• Drop unnecessary intermediate StringBuilder.toString() call in ServerSentEventHttpMessageReader #​25024
• Fix concurrency issues in XStreamMarshaller #​25017
• Introduce mechanism to discover whether a reactive type registered in ReactiveAdapterRegistry uses deferred computation #​24995
• Avoid logging exception for closed session in AbstractSockJsSession #​24986
• Include response body in RestTemplate exception when there is no suitable HttpMessageConverter #​24964

🪲 Bug Fixes

• ExchangeStrategies custom codec's reader & writer are not registered #​25149

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.