Skip to content

build(deps): bump springBoot from 4.0.6 to 4.1.0#3943

Merged
duanemay merged 4 commits into
developfrom
dependabot/gradle/springBoot-4.1.0
Jun 11, 2026
Merged

build(deps): bump springBoot from 4.0.6 to 4.1.0#3943
duanemay merged 4 commits into
developfrom
dependabot/gradle/springBoot-4.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown
Contributor

Bumps springBoot from 4.0.6 to 4.1.0.
Updates org.springframework.boot:spring-boot-dependencies from 4.0.6 to 4.1.0

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v4.1.0

⭐ New Features

  • Add public constructor to InvalidConfigurationPropertyValueException that accepts a cause #50211
  • Reduce memory consumption when repeatedly calling WritableJson.toByteArray #49428

🐞 Bug Fixes

  • MailSender auto-configuration does not enable hostname verification #50747
  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #50745
  • Embedded LDAP SSL should not be enabled when its bundle is empty #50700
  • InetAddressFilter.externalAddresses does not exclude special purpose addresses from RFC 6890 #50668
  • NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #50645
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #50635
  • Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #50633
  • Configuration property metadata includes incorrect class references #50632
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50618
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50612
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50610
  • SpringJtaPlatform should have been deprecated since 4.1.0-M3 #50592
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50510
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50417
  • Created StackTracePrinter instances have no access to the Environment #50414
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #50412
  • Buildpack module does not validate long-to-int casts #50410
  • Gradle gRPC support fails if protobuf-java dependency is used instead of protobuf-java-util #50405
  • GraphQL WebSocket support does not configure allowed origins #50394
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #50298
  • Meter registries are not removed from the global registry when the context is closed #50287
  • DataSourceBuilder cannot derive a DataSource from a lazy connection proxy #50271
  • Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #50266
  • Bean definitions can be added with an initializer before setAllowBeanDefinitionOverriding is called #50264
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50261
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50258
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50234
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50228
  • Missing dependency management for spring-boot-web-server-test #50224
  • Spring Batch support for MongoDB modules are not included in dependency management #50223
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #50216
  • GrpcServerHealthScheduler is not started in servlet environments #50209
  • Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #50204

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #50647
  • Document SSL reloading with Let's Encrypt #50630
  • Remove the use of Optional from Data Neo4j repository examples #50622
  • Fix typos in documentation #50620
  • Clarify dependency requirement for Bean Validation support #50614
  • Document Java 25 requirement for AOT cache #50485

... (truncated)

Commits

Updates org.springframework.boot from 4.0.6 to 4.1.0

Release notes

Sourced from org.springframework.boot's releases.

v4.1.0

⭐ New Features

  • Add public constructor to InvalidConfigurationPropertyValueException that accepts a cause #50211
  • Reduce memory consumption when repeatedly calling WritableJson.toByteArray #49428

🐞 Bug Fixes

  • MailSender auto-configuration does not enable hostname verification #50747
  • Artemis auto-configuration uses a predictable default location for the embedded broker's data #50745
  • Embedded LDAP SSL should not be enabled when its bundle is empty #50700
  • InetAddressFilter.externalAddresses does not exclude special purpose addresses from RFC 6890 #50668
  • NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #50645
  • SSL should not be enabled when a SSL bundle is overridden to an empty string #50635
  • Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #50633
  • Configuration property metadata includes incorrect class references #50632
  • Docker Compose support does not restore thread interrupt flag when catching InterruptedException #50618
  • RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #50612
  • NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #50610
  • SpringJtaPlatform should have been deprecated since 4.1.0-M3 #50592
  • Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #50510
  • ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #50417
  • Created StackTracePrinter instances have no access to the Environment #50414
  • MappingsEndpoint reports the context's own ID as parentId when a parent exists #50412
  • Buildpack module does not validate long-to-int casts #50410
  • Gradle gRPC support fails if protobuf-java dependency is used instead of protobuf-java-util #50405
  • GraphQL WebSocket support does not configure allowed origins #50394
  • Spring Boot Loader Does Not Support RSA and EC Signed Jars #50298
  • Meter registries are not removed from the global registry when the context is closed #50287
  • DataSourceBuilder cannot derive a DataSource from a lazy connection proxy #50271
  • Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #50266
  • Bean definitions can be added with an initializer before setAllowBeanDefinitionOverriding is called #50264
  • EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #50261
  • Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #50258
  • ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #50234
  • NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #50228
  • Missing dependency management for spring-boot-web-server-test #50224
  • Spring Batch support for MongoDB modules are not included in dependency management #50223
  • Apply HTML escaping to timestamp attribute in Whitelabel error page #50216
  • GrpcServerHealthScheduler is not started in servlet environments #50209
  • Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #50204

📔 Documentation

  • Fix reference to Gradle documentation for module replacement #50647
  • Document SSL reloading with Let's Encrypt #50630
  • Remove the use of Optional from Data Neo4j repository examples #50622
  • Fix typos in documentation #50620
  • Clarify dependency requirement for Bean Validation support #50614
  • Document Java 25 requirement for AOT cache #50485

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump springBoot from 4.0.6 to 4.1.0
5b264c7 
Bumps `springBoot` from 4.0.6 to 4.1.0.

Updates `org.springframework.boot:spring-boot-dependencies` from 4.0.6 to 4.1.0
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v4.0.6...v4.1.0)

Updates `org.springframework.boot` from 4.0.6 to 4.1.0
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v4.0.6...v4.1.0)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.springframework.boot
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 10, 2026
@strehle strehle requested review from Copilot and duanemay June 10, 2026 18:30
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 10, 2026
@strehle

strehle commented Jun 10, 2026

Copy link
Copy Markdown
Member

should we go directly to 4.1 ? , @duanemay ?

Copilot AI reviewed Jun 10, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the project’s Spring Boot version used by the Gradle version catalog, affecting both the Spring Boot Gradle plugin and the imported spring-boot-dependencies BOM for dependency management across subprojects.

Changes:

  • Bump springBoot version catalog entry from 4.0.6 to 4.1.0.

@duanemay

duanemay commented Jun 10, 2026

Copy link
Copy Markdown
Member

Yes

duanemay added 3 commits June 10, 2026 16:11
@duanemay
Fix SAML Request matching in MockMVC Test
fcaa283 
Spring Security 7.1.0 replaced the inline HTML generation in
  Saml2WebSsoAuthenticationRequestFilter with the new FormPostRedirectStrategy. The old code produced
  <input type="hidden" name="SAMLRequest" value="..."> (type first); the new template produces <input
  name="SAMLRequest" type="hidden" value="..."> (name first). The tests searched for literal string, which no longer matches,
@duanemay
Allow unsigned SamlLogout Requests and Responses
7ac46ab 
Spring Security 7.1.0 throws NPE in RedirectParameters when SigAlg is absent (unsigned redirect-binding logout request/response).

This follows the current flow where other parameters are not being validated.
@duanemay
Allow unsigned SamlLogout Requests and Responses without NPE handling.
fe723b5
@github-project-automation github-project-automation Bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jun 10, 2026
@duanemay duanemay requested a review from Copilot June 10, 2026 23:29
Copilot AI reviewed Jun 10, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Comment thread uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/saml/SamlAuthenticationMockMvcTests.java
Comment on lines +87 to +91
private static String extractSamlRequestFromPostForm(String html) {
int nameIdx = html.indexOf("name=\"SAMLRequest\"");
int valueStart = html.indexOf("value=\"", nameIdx) + "value=\"".length();
return html.substring(valueStart, html.indexOf("\"", valueStart));
}
Comment thread .../src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlLogoutResponseValidator.java
Comment on lines +31 to +36
// Spring Security 7.1.0 throws NPE in RedirectParameters when SigAlg is absent (unsigned
// redirect-binding logout response). Treat the absence of a signature as acceptable — consistent
// with this validator's policy of not requiring signatures on logout messages.
if (parameters != null && parameters.getLogoutResponse().getParameters().get(Saml2ParameterNames.SIG_ALG) == null) {
return Saml2LogoutValidatorResult.success();
}
Comment thread ...r/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlLogoutRequestValidator.java
Comment on lines +30 to +35
// Spring Security 7.1.0 throws NPE in RedirectParameters when SigAlg is absent (unsigned
// redirect-binding logout request). Treat the absence of a signature as acceptable — consistent
// with this validator's policy of not requiring signatures on logout messages.
if (parameters != null && parameters.getLogoutRequest().getParameters().get(Saml2ParameterNames.SIG_ALG) == null) {
return Saml2LogoutValidatorResult.success();
}
Comment thread .../test/java/org/cloudfoundry/identity/uaa/authentication/SamlLogoutResponseValidatorTest.java
Comment on lines +61 to +66
void unsignedResponseSucceedsWithoutCallingDelegate() {
Saml2LogoutResponse logoutResponse = mock(Saml2LogoutResponse.class);
when(logoutResponse.getParameters()).thenReturn(Collections.emptyMap());
Saml2LogoutResponseValidatorParameters parameters = mock(Saml2LogoutResponseValidatorParameters.class);
when(parameters.getLogoutResponse()).thenReturn(logoutResponse);

Comment thread ...c/test/java/org/cloudfoundry/identity/uaa/authentication/SamlLogoutRequestValidatorTest.java
Comment on lines +61 to +66
void unsignedRequestSucceedsWithoutCallingDelegate() {
Saml2LogoutRequest logoutRequest = mock(Saml2LogoutRequest.class);
when(logoutRequest.getParameters()).thenReturn(Collections.emptyMap());
Saml2LogoutRequestValidatorParameters parameters = mock(Saml2LogoutRequestValidatorParameters.class);
when(parameters.getLogoutRequest()).thenReturn(logoutRequest);

@duanemay duanemay merged commit fad59a0 into develop Jun 11, 2026
27 checks passed
@duanemay duanemay deleted the dependabot/gradle/springBoot-4.1.0 branch June 11, 2026 14:06
@github-project-automation github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@duanemay duanemay duanemay approved these changes

@strehle strehle strehle approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

Foundational Infrastructure Working Group
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@strehle @duanemay