
Update dependency org.springframework.boot:spring-boot-dependencies to v2.5.12 [SECURITY]

Open renovate[bot] opened this issue 2 years ago • 0 comments

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| org.springframework.boot:spring-boot-dependencies (source) | 2.3.0.RELEASE -> 2.5.12 | age | adoption | passing | confidence |

This PR upgrades one or more Spring framework packages to fix a critical vulnerability.


Release Notes

spring-projects/spring-boot

v2.5.12

Compare Source

:lady_beetle: Bug Fixes

  • MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath #​30456

:notebook_with_decorative_cover: Documentation

  • Javadoc of org.springframework.boot.gradle.plugin.ResolveMainClassName.setClasspath(Object) is inaccurate #​30468
  • Document that @DefaultValue can be used on a record component #​30460

:hammer: Dependency Upgrades

  • Upgrade to Jackson Bom 2.12.6.20220326 #​30477
  • Upgrade to Spring Framework 5.3.18 #​30491

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.11

Compare Source

:star: New Features

:lady_beetle: Bug Fixes

  • Thymeleaf auto-configuration in a reactive application can fail due to duplicate templateEngine beans #​30384
  • ConfigurationPropertyName#equals is not symmetric when adapt has removed trailing characters from an element #​30317
  • server.tomcat.keep-alive-timeout is not applied to HTTP/2 #​30267
  • Setting spring.mustache.enabled to false has no effect #​30250
  • bootWar is configured eagerly #​30211
  • Actuator @ReadOperation on Flux cancels request after first element emitted #​30095
  • No metrics are bound for R2DBC ConnectionPools that have been wrapped #​30090
  • Unnecessary allocations in Prometheus scraping endpoint #​30085
  • Condition evaluation report entry for a @ConditionalOnSingleCandidate that does not match due to multiple primary beans isn't as clear as it could be #​30073
  • Generated password are logged without an "unsuitable for production use" note #​30061
  • Files in META-INF are not found when deploying a Gradle-built executable war to a servlet container #​30026
  • spring-boot-configuration-processor fails compilation due to @DefaultValue with a long value and generates invalid metadata for byte and short properties with out-of-range default values #​30020
  • Dependency management for Netty tcNative is incomplete leading to possible version conflicts #​30010
  • Dependency management for Apache Kafka is incomplete #​29023

:notebook_with_decorative_cover: Documentation

  • Fix JsonSerializer example in reference guide #​30329
  • Default value of spring.thymeleaf.reactive.media-types is not documented #​30280
  • Add Netty in "Enable HTTP Response Compression" #​30234
  • Fix typo #​30118
  • Remove non-existent spring.data.cassandra.connection.connection-timeout property from the documentation #​30074
  • Use Gradle's task configuration avoidance APIs in the Gradle Plugin's reference docs #​30056
  • Polish web examples in reference doc #​30027
  • Improve property placeholder documentation to mention environment variables and default values #​30012
  • Use Gradle's task configuration avoidance APIs in the main reference docs #​30000
  • Document how to access the H2 Console in a secured web application #​29932
  • Add links to Spring Boot for Apache Geode to the reference documentation #​29697
  • Include default Dev Tools properties in the reference documentation #​29406
  • Document the WebSocket-related exclusions that are required to use Jetty 10 #​29275
  • Clarify type matching that is performed when using @MockBean and @SpyBean #​28656
  • Add documentation for spring.profiles.include #​28451
  • Document the scalar types supported by MapBinder #​27581
  • Document when config data properties are invalid #​25849
  • Document how to rely on ServletContext with an embedded container setup #​24561
  • Clarify that build plugins or the CLI does not have an auto-compile feature #​17851
  • Document how to structure configurations so that @Bean methods are included in slice tests #​16088

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.10

Compare Source

:lady_beetle: Bug Fixes

  • Default JmxAutoConfiguration changes JConsole hierarchy for multi-property @ManagedResource object names #29953
  • The active profiles log message is ambiguous when a profile's name contains a comma #​29896
  • Failed application contexts are not deregistered from SpringApplicationShutdownHook #​29874
  • Gradle Plugin triggers eager configuration of some tasks #​29762
  • MimeMapping for ots has a trailing space in its mime type #​29746
  • Dependency management for Liquibase does not include its liquibase-cdi module #​29676
  • Ignore invalid stream types when reading log update events #​29675
  • bootJar, bootRun, and bootWar do not pick up changes to the main source set's runtime classpath that are made after Boot's plugin has been applied #​29672
  • @SpyBean causes BeanCurrentlyInCreationException when there are circular references #​29639
  • server.tomcat.use-relative-redirects=true not honored when server.forward-headers-strategy=framework #​29333
  • A fat jar built with Gradle moves META-INF beneath BOOT-INF/classes while Maven leaves it at the jar's root #28562

:notebook_with_decorative_cover: Documentation

  • bootRun example should use mainClass, rather than main which was deprecated in Gradle 7.1 #29965
  • Rectify incorrect sanitizing regex example provided in how-to docs #​29951
  • "Customizing the Banner" should make it more obvious that any environment property can be used #​29931
  • Update javadoc to reflect move from WebSecurityConfigurerAdapter to SecurityFilterChain #​29900
  • Link directly to the Integration Properties section of the appendix when cross-referencing Kafka properties #​29758
  • Add documentation for WebMvc.fn #​29683
  • Move appendix subsections under appendix section #​29667
  • In Gradle plugin docs, replace classifier (deprecated) with archiveClassifier in examples #​29611
  • Clarify relation of import path to resultant properties in configtree import data #​29606
  • Upgrade version of gradle-git-properties in reference doc #​29535
  • Rename Boxfuse to CloudCaptain #​29523
  • Provide some guidance on identifying and resolving Devtools classloading issues #​29438
  • Warn about the dangers of early bean initialization when using @ConditionalOnExpression #​29276
  • Document that placeholders in @DefaultValue annotations are not resolved #23164

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.9

Compare Source

:lady_beetle: Bug Fixes

  • ConfigurationPropertySources.attach will always reattach when called multiple times #​29409
  • 'spring.config.import' placeholders can resolve from profile-specific documents when they should fail #​29386
  • Embedded launch script fails if jar is owned by an unknown user #​29370
  • Maven repackaging of a jar with a deeply nested package is prohibitively slow #​29175
  • @SpringBootTest does not use spring.main.web-application-type properties declared in test resource files #​29169
  • Warning from AprLifecycleListener when using Tomcat Native and Tomcat 9.0.55 or later #​28814

:notebook_with_decorative_cover: Documentation

  • Clarify documentation for RestTemplate customization #​29394
  • Refer to Maven Resolver rather than Aether #​29255

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.8

Compare Source

:lady_beetle: Bug Fixes

  • DatabaseInitializationDependencyConfigurer triggers eager initialization of factory beans #​28977
  • App fails to start when it depends on thymeleaf-extras-springsecurity5 but does not have Spring Security on the classpath #​28967
  • Platform used for Quartz, Session, Integration, and Batch schema initialization cannot be configured #​28932
  • Image buildpack references without tag do not default to latest version #​28921
  • The getter and setter that's used during configuration property binding varies when a getter or setter has been overridden to use a subclass of the property's type #​28917
  • Invalid classpath index manifest attribute in war files built with Maven #​28895
  • The name of the matching-strategy property is incorrect in the action message of the failure analysis for a PatternParseException #​28809
  • Dependency management for org.elasticsearch.distribution.integ-test-zip:elasticsearch should declare its type as zip #​28725

:notebook_with_decorative_cover: Documentation

  • Polish Creating Your Own Auto-configuration section in Core Features reference doc #​29115
  • Polish CacheManager customization section in reference doc #​29094
  • Document that using DevTools with a remote application is not supported with WebFlux #​28955
  • 2.5.x snapshot documentation links to source code on the main branch #​28856
  • Polish README.adoc #​28835
  • Fix output of "spring --version" in reference documentation #​28831
  • Fix typos in the "External Application Properties" section #​28830
  • Improve deprecation notice on ResourceProperties to direct people to WebProperties for dependency injection and then getResources() #​28762
  • Add a package description for org.springframework.boot.actuate.metrics.data #​28756

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.7

Compare Source

:lady_beetle: Bug Fixes

  • Dependency management for JSTL is out of date #28659
  • JUnit annotations may prevent a test context from being cached #​28565
  • Avoid duplicate AOP proxy class definition with FilteredClassLoader #​28531
  • Profiles added using @ActiveProfiles have different precedence #​28530
  • Logback should default to JVM's default charset instead of ASCII #​28486
  • When a parent context has method validation configuration, it isn't auto-configured in its child contexts #​28479
  • Prometheus actuator endpoint should produce a text/plain response unless application/openmetrics-text is explicitly accepted #28446

:notebook_with_decorative_cover: Documentation

  • Fix "Configure Two DataSources" example #28712
  • Update URL for GraphQL Spring Boot starter #​28683
  • Fix @deprecated and @see in org.springframework.boot.loader.archive.Archive's javadoc #​28680
  • Configuration sample in reference doc has wrong yaml formatting #​28671
  • Fix yaml sample format in reference doc #​28670
  • Fix typo in "Ant-style path matching" #​28549
  • Change description of property "logging.logback.rollingpolicy.max-history" to match Logback documentation #​28466
  • Improve documentation on using an embedded ActiveMQ broker #​28434
  • Don't use markdown syntax in javadoc or error messages #28424

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.6

Compare Source

:lady_beetle: Bug Fixes

  • Misleading failure analysis when jOOQ's DSLContext is unavailable due to R2DBC taking precedence over JDBC #​28379
  • When lazy initialization is enabled, JMX endpoints are not available #​28371
  • JarFileWrapper may cause many FinalReferences causing GC pressure #​28356
  • Flattened VCAP_SERVICES properties are not sanitized by default #​28353
  • MeterValue with "d" suffix not parsed as Duration for timer #​28351
  • CachingOperationInvoker cache can consume a significant amount of heap space #​28347
  • Devtools restart fails with in-memory R2DBC database and SQL initialization scripts #​28345
  • ActiveMQ starter depends on org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec #​28340
  • spring-boot-starter-oauth2-client has an unnecessary dependency on com.sun.mail:jakarta.mail #​28333
  • Layertools extract does not preserve last modified and last access times #​28190
  • NumberFormatException when configuring spring.rabbitmq.addresses with an IPv6 address #​28134
  • Broken content negotiation for OpenMetrics #​28130

:notebook_with_decorative_cover: Documentation

  • Fix typo in EnvironmentPostProcessor's class-level javadoc #​28382
  • Remove obsolete info about Spring Integration's metrics support #​28375
  • Update docs to be explicit about dot notation being correctly mapped #​28201
  • Section 4.4 File Rotation mentions the wrong configuration file name for Log4j2 #​28193
  • Update Javadoc with note mentioning that class using ConstructorBinding must be enabled using annotations #​28171
  • Make it clearer that, when using @AutoConfigureTestEntityManager outside of @DataJpaTest, any tests using the test entity manager must be @Transactional #​28159

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.5

Compare Source

:lady_beetle: Bug Fixes

  • Actuator endpoints do not sanitize SPRING_APPLICATION_JSON by default #​28081
  • Startup failure due to non-empty schema when using Flyway and Spring Integration's DataSource initialization #​28079
  • Web MVC metrics may have the wrong status when a filter throws an exception other than NestedServletException #​28069
  • Embedded Undertow throws MalformedURLException when archive filename contains characters that are reserved in a URL #​28032
  • Concurrent image builds cause error deleting builder image #​27993
  • War deployment in standalone Tomcat causes memory leak (Metaspace) #​27987
  • IndexOutOfBoundsException when running a Zip64 jar file larger than 4,294,967,295 bytes #​27900
  • Azure App Service is not correctly detected on Windows #​27819
  • @MockBean combined with @Repeat results in "the field cannot have an existing value" error #​27798
  • NullPointerException in RoutingDataSourceHealthContributor when a routing data source has a target with a null routing key #​27698

:notebook_with_decorative_cover: Documentation

  • Document that devtools restart doesn't work when using AspectJ weaving #​28083
  • Default value for spring.data.elasticsearch.client.reactive.endpoints is not documented #​28072
  • Clarify Selenium auto-configuration requires HtmlUnit #​27943
  • Document that spring-boot-starter-parent configures Java compilation to use -parameters #​27885
  • Fix inconsistent devtools doc #​27876
  • Fix typo in javadoc #​27873
  • Document how to parameterize output directory for REST Docs with WebTestClient #​27803
  • Document support for Java 17 #​26767

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.4

Compare Source

:lady_beetle: Bug Fixes

  • spring-boot-configuration-metadata leaks enforced dependency constraints into consuming builds #​27730
  • Potential NPE in TomcatMetricsBinder.findContext() #​27616
  • Cyclic bean definition when a Spring Data repository is a dependency of a MeterBinder #​27591
  • spring-boot:build-image hangs when exceptions are thrown during upload #​27535
  • WebTestClientContextCustomizerFactory causes an IllegalStateException when WebClient is on the classpath without a supported HTTP client #​27527
  • spring.security.dispatcher-types is not applied to Spring Security's filter when running in a separate management context #​27505
  • A URI with non-alpha characters in its scheme is not sanitized #​27488

:notebook_with_decorative_cover: Documentation

  • Mention productionRuntimeClasspath in Gradle plugin's documentation #​27620
  • Fix typo in javadoc #​27618

:hammer: Dependency Upgrades

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v2.5.3

Compare Source

:star: New Features

:beetle: Bug Fixes

  • DataSourceBuilder throws an UnsupportedDataSourcePropertyException when trying to derive a DataSource from an unknown DataSource type #​27453
  • DatabaseInitializerDetector and DependsOnDatabaseInitializationDetector implementations may be instantiated with the wrong ClassLoader #​27422
  • YamlPropertySourceLoader may not use the right ClassLoader to check if SnakeYAML is present #​27419
  • Setting Gson as preferred mapper breaks controller methods returning JSON Strings #​27361
  • Dependency management for Prometheus's Pushgateway is incomplete #​27349
  • Exception thrown from /actuator/configprops endpoint when spring.config.import=configtree:xxxx is used #​27346
  • Layers configuration XSD is not available #​27321
  • Redis health indicators report that Redis is up when the cluster's state is fail #​27304
  • App fails to start when using Spring Batch with JDBC and lazy initialization is enabled #​27221
  • Spring Session JDBC does not work when lazy initialization is enabled #​27220
  • AbstractDataSourceInitializers are not detected as database initializers #​27215
  • Optional file search locations with pattern throws exception if not present #​27211
  • File named "config" in working directory causes IllegalStateException #​27210
  • Live Reload using Devtools no longer connects #​27205
  • Live Reload using Devtools no longer connects #​27204
  • DurationStyle.SIMPLE.print does not work correctly with ChronoUnit.MICROS #​27154
  • Since 2.5.1, a circular reference is created when one SpringLiquibase bean is configured to depend on another #​27131
  • Configuration property metadata has the wrong default value for spring.netty.leak-detection #​27104
  • "Cannot determine database's type as ConnectionFactory is not options-capable" error message doesn't provide enough detail #​26977
  • @SpyBean does not work when used to spy on a Spring Data Repository #​7033

:notebook_with_decorative_cover: Documentation

  • Fix reference to a configuration property in cloud.adoc #​27357
  • Document auto-configured Jetty metrics #​27301
  • Document that hateoas starter is spring MVC specific #​27139
  • Improve javadoc of @DefaultValue #…

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] Apr 04 '22 11:04