Skip to content

Bump spring-framework from 6.2.19 to 7.0.8#133

Open
dependabot[bot] wants to merge 1 commit into
2024.1.xfrom
dependabot/gradle/2024.1.x/spring-framework-7.0.8
Open

Bump spring-framework from 6.2.19 to 7.0.8#133
dependabot[bot] wants to merge 1 commit into
2024.1.xfrom
dependabot/gradle/2024.1.x/spring-framework-7.0.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps spring-framework from 6.2.19 to 7.0.8.
Updates org.springframework:spring-aop from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-aop's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-aspects from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-aspects's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-beans from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-beans's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-context from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-context's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-core from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-core's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-jdbc from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-jdbc's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-test from 6.2.19 to 7.0.8

Release notes

Sourced from org.springframework:spring-test's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL

@dependabot dependabot Bot mentioned this pull request Jun 9, 2026
Closed
@dependabot
Bump spring-framework from 6.2.19 to 7.0.8
39b1ebf 
Bumps `spring-framework` from 6.2.19 to 7.0.8.

Updates `org.springframework:spring-aop` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-aspects` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-beans` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-context` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-core` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-jdbc` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-test` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-tx` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

Updates `org.springframework:spring-web` from 6.2.19 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.19...v7.0.8)

---
updated-dependencies:
- dependency-name: org.springframework:spring-aop
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-aspects
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-beans
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-context
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-core
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-jdbc
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-test
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-tx
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: org.springframework:spring-web
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump spring-framework from 6.2.18 to 7.0.8 Bump spring-framework from 6.2.19 to 7.0.8 Jun 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/gradle/2024.1.x/spring-framework-7.0.8 branch from fff0e69 to 39b1ebf Compare June 10, 2026 06:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependency upgrade

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants