Skip to content

Update dependency org.springframework.boot:spring-boot-dependencies to v4#489

Open
renovate[bot] wants to merge 1 commit into
developmentfrom
renovate/major-springbootversion
Open

Update dependency org.springframework.boot:spring-boot-dependencies to v4#489
renovate[bot] wants to merge 1 commit into
developmentfrom
renovate/major-springbootversion

Conversation

@renovate

@renovate renovate Bot commented Nov 20, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework.boot:spring-boot-dependencies (source) 3.5.164.1.0 age adoption passing confidence

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-dependencies)

v4.1.0

Full release notes for Spring Boot 4.1 are available on the wiki.

⭐ New Features

  • Add public constructor to InvalidConfigurationPropertyValueException that accepts a cause #​50211
  • Reduce memory consumption when repeatedly calling WritableJson.toByteArray #​49428

🐞 Bug Fixes

  • MailSender auto-configuration does not enable hostname verification #​50747
  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #​50745
  • Embedded LDAP SSL should not be enabled when its bundle is empty #​50700
  • InetAddressFilter.externalAddresses does not exclude special purpose addresses from RFC 6890 #​50668
  • NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #​50645
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #​50635
  • Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #​50633
  • Configuration property metadata includes incorrect class references #​50632
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #​50618
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #​50612
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #​50610
  • SpringJtaPlatform should have been deprecated since 4.1.0-M3 #​50592
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #​50510
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #​50417
  • Created StackTracePrinter instances have no access to the Environment #​50414
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #​50412
  • Buildpack module does not validate long-to-int casts #​50410
  • Gradle gRPC support fails if protobuf-java dependency is used instead of protobuf-java-util #​50405
  • GraphQL WebSocket support does not configure allowed origins #​50394
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #​50298
  • Meter registries are not removed from the global registry when the context is closed #​50287
  • DataSourceBuilder cannot derive a DataSource from a lazy connection proxy #​50271
  • Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #​50266
  • Bean definitions can be added with an initializer before setAllowBeanDefinitionOverriding is called #​50264
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #​50261
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #​50258
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #​50234
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #​50228
  • Missing dependency management for spring-boot-web-server-test #​50224
  • Spring Batch support for MongoDB modules are not included in dependency management #​50223
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #​50216
  • GrpcServerHealthScheduler is not started in servlet environments #​50209
  • Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #​50204

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #​50647
  • Document SSL reloading with Let's Encrypt #​50630
  • Remove the use of Optional from Data Neo4j repository examples #​50622
  • Fix typos in documentation #​50620
  • Clarify dependency requirement for Bean Validation support #​50614
  • Document Java 25 requirement for AOT cache #​50485
  • Add links for Java CAS Client Spring Boot Starter #​50285
  • Document known testcontainers lifecycle issues #​50220
  • Document adding multiple connectors for Jetty #​50218
  • Polish InvalidConfigurationPropertyValueException constructor javadoc #​50214
  • Fix typo in Spring Security OAuth2 client registration documentation #​50199

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Abdlatif-nabgha, @​DragonFSKY, @​Kapil-chn7, @​Kimgyuilli, @​SJvaca30, @​SebTardif, @​ares333, @​codingkiddo, @​dlwldnjs1009, @​eddumelendez, @​henriquejsza, @​igormukhin, @​johnnypwong, @​kwondh5217, @​leestana01, @​mheath, @​mmoayyed, @​msridhar, @​ngocnhan-tran1996, @​nosan, @​quaff, @​scordio, @​vinhhieu21, @​vpavic, @​won-seoop, and @​zxuhan

v4.0.7

🐞 Bug Fixes

  • MailSender auto-configuration does not enable hostname verification #​50746
  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #​50744
  • NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #​50640
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #​50634
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #​50617
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #​50611
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #​50609
  • Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #​50602
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #​50509
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #​50416
  • Created StackTracePrinter instances have no access to the Environment #​50413
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #​50411
  • Buildpack module does not validate long-to-int casts #​50409
  • GraphQL WebSocket support does not configure allowed origins #​50393
  • Configuration property metadata includes incorrect class references #​50375
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #​50297
  • Meter registries are not removed from the global registry when the context is closed #​50286
  • Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #​50265
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #​50260
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #​50257
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #​50233
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #​50227
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #​50215
  • Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #​50201

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #​50646
  • Document SSL reloading with Let's Encrypt #​50629
  • Remove the use of Optional from Data Neo4j repository examples #​50621
  • Fix typos in documentation #​50619
  • Clarify dependency requirement for Bean Validation support #​50613
  • Document Java 25 requirement for AOT cache #​50484
  • Add links for Java CAS Client Spring Boot Starter #​50281
  • Document known testcontainers lifecycle issues #​50219
  • Document adding multiple connectors for Jetty #​50217
  • Polish InvalidConfigurationPropertyValueException constructor javadoc #​50213
  • Fix typo in Spring Security OAuth2 client registration documentation #​50198

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Abdlatif-nabgha, @​DragonFSKY, @​Kapil-chn7, @​Kimgyuilli, @​SJvaca30, @​SebTardif, @​ares333, @​codingkiddo, @​dlwldnjs1009, @​henriquejsza, @​igormukhin, @​johnnypwong, @​kwondh5217, @​leestana01, @​mheath, @​mmoayyed, @​msridhar, @​ngocnhan-tran1996, @​nosan, @​quaff, @​scordio, @​vinhhieu21, @​won-seoop, and @​zxuhan

v4.0.6

🐞 Bug Fixes

  • Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #​50188
  • Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #​50187
  • ApplicationPidFileWriter does not handle symlinks correctly #​50185
  • RandomValuePropertySource is not suitable for secrets #​50183
  • Cassandra auto-configuration misconfigures CqlSessionBuilder #​50180
  • ApplicationTemp does not handle symlinks correctly #​50178
  • Remote DevTools performs comparison incorrectly #​50176
  • spring.rabbitmq.ssl.verify-hostname is applied inconsistently #​50174
  • Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #​50077
  • Classic starters are missing several modules #​50071
  • Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #​50069
  • Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #​50064
  • EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #​50039
  • WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #​50017
  • Imports on a containing test class are ignored when a nested class has imports #​50012
  • With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #​49951
  • 500 response from env endpoint when supplied pattern is invalid #​49946
  • Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #​49945
  • HTTP method is lost when configuring excludes in EndpointRequest #​49943
  • Honor HttpMethod for reactive additional endpoint paths #​49880
  • Docker Compose support doesn't work with apache/artemis image #​49869
  • Docker Compose support doesn't work with apache/activemq image #​49866
  • Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #​49854
  • API versioning path strategy should be applied path last as it is not meant to yield #​49800

📔 Documentation

  • Update docs to encourage Java fundamentals for beginners that prefer to learn that way #​50146
  • HTTP Service Interface Clients still document that API versioning can be configured via properties #​50126
  • Link to the observability section of the Lettuce documentation is broken #​50097
  • Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #​50085
  • MySamlRelyingPartyConfiguration is missing a Kotlin sample #​50024
  • Incorrect default value for management.httpexchanges.recording.include in configuration metadata #​50019
  • Link to the Kubernetes documentation when discussing startup probes #​50015
  • Typo in JdbcSessionAutoConfiguration Javadoc #​49873
  • Clarify that configuration property default values are not available through the Environment #​49851
  • Document the need for Liquibase and Flyway starters #​49839
  • Kafka documentation refers to deprecated JSON serializer and deserializer classes #​49826

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GollapudiSrikanth, @​MohammedGhallab, @​bachhs, @​dlwldnjs1009, @​edwardsre, @​kodama-kcc, @​kwondh5217, @​ppapaj, @​quaff, @​refeccd, @​scordio, and @​xxxxxxjun

v4.0.5

🐞 Bug Fixes

  • Test starter for Spring Integration does not include Spring Integration test module #​49784
  • Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #​49782
  • WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #​49753
  • WebSocket app fails to start when Jackson is on the classpath but there's no JsonMapper bean #​49749
  • Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #​49738
  • Override of property in external 'application.properties' or 'application.yaml' is ignored #​49731
  • NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #​49706
  • Add @ConditionalOnWebApplication to NettyReactiveWebServerAutoConfiguration #​49695
  • @GraphQlTest does not include @ControllerAdvice #​49672

📔 Documentation

  • Fix incorrect indefinite articles in Javadoc #​49727
  • Add some more Kotlin examples and trivial style fixes #​49714
  • Overhaul Spring Session documentation following modularization #​49704

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, @​kwondh5217, @​ljrmorgan, and @​quaff

v4.0.4

⚠️ Attention Required

  • OpenTelemetry's ZipkinSpanExporter has been deprecated and its support will be removed in Spring Boot 4.2. #​49453
  • Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. #​49389
  • Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. #​49383
  • The default value for server.tomcat.max-part-count has been increased from 10 to 50. This aligns it with Tomcat's own default and the default in Spring Boot 3.x. #​49311

🐞 Bug Fixes

  • EndpointRequest request matcher for health groups is too complex #​49649
  • "/cloudfoundryapplication" web path is not limited to Actuator #​49646
  • Fix EndpointRequest.toLinks() when base-path is '/' #​49617
  • Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #​49596
  • RSocket exposes duplicate endpoint for websocket setups #​49593
  • Failure analysis for a missing mail sender is misleading #​49582
  • SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #​49535
  • Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #​49482
  • "spring.main.cloud-platform=none" does not disable cloud features #​49479
  • SSL support with Docker Compose does not work as documented #​49385
  • Auto-configuration overrides authorization server configuration applied by Customizer beans #​49367
  • Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #​49344
  • NoSuchMethodException when forcing the use of Log4J2LoggingSystem using org.springframework.boot.logging.LoggingSystem system property #​49343
  • RouterFunctions descriptions in Actuator do not support nesting #​49302
  • Maven plugin does not set '-parameters' option when processing AOT code #​49295
  • HTTP Service Interface Client doesn't work in a native image due to missing property binding #​49274
  • ErrorPageRegistrarBeanPostProcessor is not auto-configured in war deployments and the ErrorPageCustomizer is not applied #​49176
  • Missing starter for spring-boot-restdocs #​48289

📔 Documentation

  • Document support for Java 26 #​49604
  • List all supported colors when describing color-coded log output #​49562
  • Improve EndpointRequest matcher documentation #​49520
  • Clarify that running is the only supported input state when triggering a Quartz job through the Actuator endpoint #​49514
  • Document security considerations for forwarded headers in cloud deployments #​49507
  • Tutorial in the reference guide has outdated instructions #​49429
  • Document additional repositories required for shibboleth.net #​49392
  • Javadoc of JettyHttpClientBuilder refers to the wrong type #​49387
  • Example spring-devtools.properties file is shown in the wrong format #​49362
  • Clarify inferred relationships between OAuth 2 registrations and providers #​49327
  • Mention using org.springframework.boot.aot Gradle plugin directly for AOT processing with the JVM #​49321
  • Remove superfluous semi-colon from read timeout configuration example for HTTP service interface clients [#​49306](https://redirect.github.com/spring-projects/sprin

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Nov 20, 2025
@coderabbitai

coderabbitai Bot commented Nov 20, 2025

Copy link
Copy Markdown

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch from 51f5b48 to 03366f9 Compare December 1, 2025 13:21
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch from 03366f9 to ba8d89c Compare December 18, 2025 21:41
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch from ba8d89c to bcff954 Compare January 22, 2026 17:24
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch from bcff954 to b6b1ca1 Compare February 19, 2026 17:54
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch 2 times, most recently from 6839e2c to e3ad0e6 Compare March 26, 2026 13:00
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch from e3ad0e6 to c325496 Compare April 23, 2026 18:58
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch 4 times, most recently from 16bc87c to d68eff7 Compare May 22, 2026 18:34
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch 2 times, most recently from 57191fd to 0db5bfd Compare July 8, 2026 09:14
@renovate
renovate Bot force-pushed the renovate/major-springbootversion branch from 0db5bfd to d9ecc87 Compare July 16, 2026 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate-ignore

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant