
@mend-for-github-com mend-for-github-com bot commented Feb 24, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.springframework.boot:spring-boot-starter-web (source) | dependencies | patch | 3.3.5 -> 3.3.12 |

By merging this PR, the issue #20 will be automatically resolved and closed:

| Severity | CVSS Score | Vulnerability |
|---|---|---|
| Critical | 9.8 | CVE-2024-50379 |
| Critical | 9.8 | CVE-2024-56337 |
| Critical | 9.8 | CVE-2025-24813 |
| Critical | 9.8 | CVE-2025-31651 |
| High | 7.5 | CVE-2025-48976 |
| High | 7.5 | CVE-2025-48988 |
| Medium | 6.6 | CVE-2024-12798 |
| Medium | 6.5 | CVE-2025-49125 |
| Medium | 6.5 | CVE-2025-55668 |

By merging this PR, the issue #20 will be automatically resolved and closed:

| Severity | CVSS Score | Vulnerability |
|---|---|---|
| Medium | 6.6 | CVE-2024-12798 |
| Medium | 4.4 | CVE-2024-12801 |
| Low | 3.1 | CVE-2025-22233 |

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-web)

v3.3.12

🐞 Bug Fixes

  • Micrometer "enable" annotations property does not cover observed aspect #​45601
  • SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE #​45387
  • IllegalStateException when extracting using layers a module with no code of its own #​45385
  • Custom default units declared on a field are ignored when binding properties in a native image #​45343
  • Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate #​45336
  • JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter #​45289

📔 Documentation

  • Document that bean methods should be static when annotated with @ConfigurationPropertiesBinding #​45621
  • Document typical spring.application.name use #​45597
  • Document the process info contribution #​45567
  • Document the java info contribution #​45566
  • Document the os info contribution #​45565
  • Improve "profile" reference documentation with additional admonitions #​45522
  • Improve setEnvironmentPrefix(...) reference documentation #​45370
  • Document when a spring.config.import value is relative and when it is fixed #​45349
  • Update link to "Parameter Name Retention" section of Spring Framework's release notes #​45286
  • Document the way that primary Kotlin constructors are used when binding #​44849
  • Document all the available Testcontainers integrations #​44187

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ahrytsiuk, @​izeye, @​ngocnhan-tran1996, @​nosan, @​quaff, @​thecooldrop, and @​yybmion

v3.3.11

🐞 Bug Fixes

  • Spring Boot with native image container image build fails on podman due to directory permissions #​45233
  • MessageSourceMessageInterpolator does not replace a parameter when the message matches its code #​45212
  • IntegrationMbeanExporter is not eligible for getting processed by all BeanPostProcessors warnings are shown when using JMX #​45186
  • OAuth2AuthorizationServerJwtAutoConfiguration uses @ConditionalOnClass incorrectly #​45177
  • ImagePlatform can cause "OS must not be empty" IllegalArgumentException #​45152
  • MongoDB's dependency management is missing Kotlin coroutine driver modules #​45018
  • TypeUtils does not handle generics with identical names in different positions #​45011
  • Post-processing to apply custom JdbcConnectionDetails triggers an NPE in Hikari if the JDBC URL is for an unknown driver #​44997
  • DataSourceBuilder triggers an NPE in Hikari when trying to build a DataSource with a JDBC URL for an unknown driver #​44994
  • Wrong jOOQ exception translator with empty db name #​44954
  • spring.datasource.hikari.data-source-class-name cannot be used as a driver class name is always required and Hikari does not accept both #​44938
  • Neo4jReactiveDataAutoConfiguration assumes that certain beans are available #​44930
  • EmbeddedLdapAutoConfiguration should not rely on PreDestroy #​44870
  • DataSourceTransactionManagerAutoConfiguration should run after DataSourceAutoConfiguration #​44810
  • SSL config does not watch for symlink file changes #​44807

📔 Documentation

  • Make @Component a javadoc link #​45247
  • Fix documentation links to buildpacks.io #​45238
  • Escape the asterisk in spring-application.adoc #​45032
  • Show the use of token properties in authorization server clients configuration example #​44990
  • WebFlux security documentation incorrectly links to servlet classes #​44955
  • Add reference to Styra (OPA) Spring Boot SDK #​44951
  • TaskExecution documentation should describe what happens when multiple Executor beans are present #​44907
  • Clarify the use of multiple profile expressions with "spring.config.activate.on-profile" #​44866
  • Documentation lists coordinates for some dependencies that are not actually managed #​44855
  • Polish javadoc of SpringProfileAction #​44787
  • Add details of the purpose of the metrics endpoint #​44767

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​EvaristeGalois11, @​MelleD, @​ali-jalaal, @​erichaagdev, @​florgust, @​izeye, @​jonatan-ivanov, @​nenros, @​nevenc, @​ngocnhan-tran1996, @​nosan, @​quaff, and @​rainboyan

v3.3.10

🐞 Bug Fixes

  • Docker API error message is missing in some cases #​44628
  • When loading configuration from a Resource, Log4J2LoggingSystem may not close the InputStream #​44467
  • DefaultJmsListenerContainerFactoryConfigurer#setObservationRegistry should not be public #​44466
  • When the main class is not proxied, native testing that uses the application's main method does not work #​44461
  • When loading from a resource, PemContent does not close the InputStream #​44443
  • ResourceBanner does not close the InputStream used to read the banner #​44441
  • Kafka in native-image fails when using SSL bundles #​44435
  • ConfigDataLocationResolvers and PropertySourceLoaders are loaded using a potentially different class loader #​44427
  • Kafka message sending fails with 'class SslBundleSslEngineFactory could not be found' #​44414
  • Nested test classes don't inherit properties from @DataJpaTest on enclosing class #​44348

📔 Documentation

  • Polish javadoc of SqlR2dbcScriptDatabaseInitializer #​44763
  • Remove OpenShift link that 404s #​44724
  • Multiline properties in documentation are missing backslashes #​44583
  • Fix link to javadoc for JavaExec.setArgsString #​44526
  • Fix typo in documentation #​44514
  • Update descriptions of properties that no longer require Flyway Teams #​44460
  • Samples for metadata annotation processors have invalid fold attribute #​44413
  • Adapt Javadoc reference of JooqExceptionTranslator to use ExceptionTranslatorExecuteListener #​44385
  • Clarify which Mongo properties are ignored when URI property is set #​44384

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​KmYgJn, @​bekoenig, @​bernie-schelberg-invicara, @​dmitrysulman, @​izeye, @​metters, @​ngocnhan-tran1996, @​nosan, and @​quaff

v3.3.9

🐞 Bug Fixes

  • Reactive Jetty web server does not fail fast when configured to use a server name bundle which Jetty does not support #​44316
  • When web server application context refresh fails, the original failure is lost if stopping or destroying the web server throws an exception #​44310
  • Maven plugin does not consistently use ArgFile for classpath argument on Windows #​44305
  • View resolver for Thymeleaf should back off if spring-webmvc is not present #​44259
  • Banner placeholder and defaults do not work during development #​44137
  • WebServer is not destroyed when ReactiveWebServerApplicationContext refresh fails #​44134
  • Mustache templates return with ISO-8859-1 charset rather than UTF-8 in Content-Type response header #​44053
  • Logback configuration that relies on inner-classes does not work in a native image #​44021
  • IllegalStateException: Unable to register SSL bundle after 3.3.8 or 3.4.2 #​43966

📔 Documentation

  • Document that auto-configuration classes should be identified using their binary names #​44298
  • Correct typo in MVC security when explaining when UserDetailsService auto-configuration will back off #​44267
  • Link to JarLauncher's javadoc #​44168
  • When using observability annotations, recommend that care is taken to avoid double instrumentation #​44037
  • Fix typo in Running Your Application #​44032
  • Source snippet in Developing Your First Spring Boot Application section uses the root package #​43982
  • Correct the location of MyApplication.java in "Developing Your First Spring Boot Application" #​43965
  • Add links to Jackson Javadoc #​43961
  • Warn that some Quartz database schema scripts must be modified before use #​43955
  • Document Kubernetes preStop handler when using a Docker image without a shell #​43830

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Ru311, @​ashishkujoy, @​izeye, @​jearton, @​ngocnhan-tran1996, @​nosan, and @​timotheeandres

v3.3.8

🐞 Bug Fixes

  • POSTGRESQL_USERNAME and POSTGRESQL_DATABASE are ignored when using the Bitnami PostgreSQL image with Docker Compose #​43787
  • docker compose ps now fails due to unknown --orphans flag with 2.23 or earlier #​43710
  • Build info timestamp is truncated to seconds #​43612
  • FileWatcher used for SSL reload does not support symlinks #​43586
  • BindableRuntimeHintsRegistrar should handle TypeNotPresentException #​43598

📔 Documentation

  • Document that the @ConfigurationProperties annotation processor cannot generate description and defaultValue metadata for external types #​43925
  • Fix description of management.metrics.graphql.autotime.enabled #​43904
  • Document 'base64:' prefix support #​43809
  • Update OpenTelemetry section in Supported Monitoring Systems to refer to OTLP instead #​43727
  • Javadoc of DataSourceBuilder does not reference all supported types #​43724
  • Links to the Javadoc of Jakarta Messaging are invalid #​43661
  • Paragraph HTML tags are rendered as-is in Maven Plugin reference documentation #​43622
  • Javadoc link for jakarta.xml.bind is invalid #​43606
  • Documentation still has references to 'layertools' #​43601
  • Javadoc of ConstructorBinding should not use markdown formatting #​43590

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​arefbehboudi, @​dreis2211, @​gavarava, @​hezean, @​izeye, @​jxblum, @​ngocnhan-tran1996, @​quaff, and @​tmaciejewski

v3.3.7

🐞 Bug Fixes

  • KafkaProperties fail to build SSL properties when the bundle name is an empty string #​43561
  • With multiple ResourceHandlerRegistrationCustomizer beans in the context, only one of them is used #​43494
  • Kafka dependency management does not include the kafka-server module #​43450
  • Failures in -Djarmode=tools do not consistently return a non-zero exit #​43435
  • SpringApplicationShutdownHandlers do not run in deterministic order #​43430
  • Failure analysis for InvalidConfigurationPropertyValueException doesn't correctly handle fuzzy matching of environment variables #​43380
  • Diagnostics are poor when property resolution throws a ConversionFailedException #​43378
  • Unable to find a @SpringBootConfiguration results in misleading error message #​43357
  • H2ConsoleAutoConfiguration causes early initialization of DataSource beans #​43337
  • Accept progress on numbers >2GB #​43328
  • Overriding log level with an environment variable does not work when using an environment prefix #​43304
  • Methods to build producer / consumer properties from KafkaProperties are inconvenient to use without an SSL bundle #​43300
  • UnsupportedOperationException when starting a Maven shaded application on Java 21 with virtual threads enabled #​43284
  • Unable to use Docker Compose support when mixing dedicated and shared services #​40139

📔 Documentation

  • Fix typo in documentation #​43557
  • Fix typo #​43512
  • Links to logback javadoc are incorrect #​43439
  • Fix JUnit javadoc links #​43383
  • Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles #​43353
  • Restore System property in Logging section of the reference documentation #​43341
  • Use <annotationProcessorPaths> in Maven examples for configuring an annotation processor #​43329
  • Fix link to proxyBeanMethods in @AutoConfiguration javadoc #​43323
  • Fix links to Servlet and JPA javadoc #​43320
  • Link to @EnableMethodSecurity instead of the deprecated @EnableGlobalMethodSecurity #​43308
  • Fix Javadoc link for Hikari #​43305

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​BenchmarkingBuffalo, @​kgb-financial-com, @​ngocnhan-tran1996, @​nosan, @​quaff, @​scordio, and @​sobychacko

v3.3.6

⚠️ Noteworthy

🐞 Bug Fixes

  • Spring Boot 3.3.x dependencies do not converge for Micrometer Tracing and OpenTelemetry #​43200
  • Cannot package OCI image when 'docker.io/paketobuildpacks/new-relic' is provided as a buildpack #​43170
  • WebServerPortFileWriter fails when using a portfile without extension #​43116
  • SslOptions.isSpecified() only returns true if ciphers and enabled protocols are set #​43083
  • Root cause of errors is hidden when loading images from archive #​43069
  • mvn spring-boot:run fails on Windows with "Could Not Find or Load Main Class" when path contains non-ASCII characters #​43051
  • Logback logging system does not process URLs with paths not ending in .xml #​42989
  • NPE in bootBuildImage when setting DOCKER_CONTEXT=default #​42959
  • build-info doesn't support seconds since the epoch from project.build.outputTimestamp #​42935
  • NPE in OnClassCondition.resolveOutcomesThreaded following thread interruption because firstHalf is null #​42925
  • X-Registry-Auth header sent to Docker Engine API contains field "authHeader" #​42914
  • A @SpyBean on the output of a FactoryBean is not reset #​31204

📔 Documentation

  • Documentation for 'spring.datasource.type' is misleading #​43198
  • Update "Upgrading From" section to use "2.x" #​43159
  • Include spring-boot-loader in API documentation #​43151
  • Document how and where to add custom GraalVM configuration files #​43073
  • Rework DataSource configuration examples to separate defining an additional DataSource and defining a DataSource of a different type #​43058
  • Location of the layers schema is incorrect in the Maven Plugin's examples #​43032
  • Link to Eclipse setup instructions #​42953
  • Fix link to Checkpoint and Restore status page #​42938
  • Update HttpWebServiceMessageSenderBuilder javadoc #​42893
  • Move default value descriptions to "description" in logging property metadata #​42881

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ahoehma, @​izeye, @​ngocnhan-tran1996, @​nosan, @​quaff, and @​wickdynex


@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Feb 24, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/org.springframework.boot.spring.boot.starter.web branch from fac9249 to 33f0402 on March 21, 2025 05:47
@mend-for-github-com mend-for-github-com bot changed the title Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.8 Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.9 Mar 21, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/org.springframework.boot.spring.boot.starter.web branch from 33f0402 to 61f06a9 on March 25, 2025 18:57
@mend-for-github-com mend-for-github-com bot changed the title Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.9 Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.8 Mar 25, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/org.springframework.boot.spring.boot.starter.web branch from 61f06a9 to 752c7c4 on June 20, 2025 20:23
@mend-for-github-com mend-for-github-com bot changed the title Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.8 Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.12 Jun 20, 2025
@mend-for-github-com mend-for-github-com bot changed the title Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.12 Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.12 - autoclosed Aug 18, 2025
@mend-for-github-com mend-for-github-com bot deleted the whitesource-remediate/org.springframework.boot.spring.boot.starter.web branch August 18, 2025 18:35