Update dependency org.springframework.boot:spring-boot-devtools to v3.4.0 #27

Open
mend-for-github-com[bot] wants to merge 1 commit into main from whitesource-remediate/org.springframework.boot.spring.boot.devtools

@mend-for-github-com

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.springframework.boot:spring-boot-devtools (source) | dependencies | minor | 3.3.5 → 3.4.0 |

By merging this PR, the issue #23 will be automatically resolved and closed:

| Severity | CVSS Score | Vulnerability |
|---|---|---|
| High | 7.5 | CVE-2026-40972 |

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-devtools)

v3.4.0

⭐ New Features

  • Add withDefaultRequestConfigCustomizer method to HttpComponentsClientHttpRequestFactoryBuilder #​43139
  • Fail JsonWriter if duplicate names are detected #​43041
  • Add JsonObjectDeserializer.nullSafeValue method that accepts a mapper Function #​42972
  • Support timeout property for GraphQL over SSE #​42966
  • Improve performance of ConfigurationPropertiesBinder by storing bind handlers on first access #​42950
  • Improve performance of ConcurrentReferenceCachingMetadataReaderFactory #​42949
  • Log warning in HikariCheckpointRestoreLifecycle if pool suspension isn't configured #​42937
  • Remove spring-boot-starter-aop dependency from spring-boot-starter-data-jpa and spring-boot-starter-integration #​42934

🐞 Bug Fixes

  • Jersey body handling is inconsistent with Spring Webflux and Spring MVC #​43209
  • Classes are accidentally named "structure logging" instead of "structured logging" #​43203
  • StructuredLoggingJsonProperties customizer should be a Class reference rather than a String #​43202
  • Cannot package OCI image when 'docker.io/paketobuildpacks/new-relic' is provided as a buildpack #​43171
  • Incorrect Type for 'management.endpoints.access.default' defined in additional-spring-configuration-metadata.json #​43154
  • WebServerPortFileWriter fails when using a portfile without extension #​43117
  • SslOptions.isSpecified() only returns true if ciphers and enabled protocols are set #​43084
  • SslHealthIndicator throws NullPointerException when using SslBundle with SslStoreBundle.NONE #​43078
  • JdkClientHttpRequestFactoryBuilder and JettyClientHttpRequestFactoryBuilder do not set Ciphers or Enabled Protocols #​43077
  • Root cause of errors is hidden when loading images from archive #​43070
  • mvn spring-boot:run fails on Windows with "Could Not Find or Load Main Class" when path contains non-ASCII characters #​43062
  • A @SpyBean on the output of a FactoryBean is not reset #​43053
  • Logback logging system does not process URLs with paths not ending in .xml #​42990
  • Bean-based conditions do not consider factory beans correctly when determining if they are a candidate #​42970
  • NPE in bootBuildImage when setting DOCKER_CONTEXT=default #​42960
  • Warning due to duplicate MockResolver extensions #​42957
  • HttpHostConnectException is thrown when using buildpacks with Gradle or Maven on Windows #​42952
  • build-info doesn't support seconds since the epoch from project.build.outputTimestamp #​42936
  • NPE in OnClassCondition.resolveOutcomesThreaded following thread interruption because firstHalf is null #​42926
  • Default WebSocketMessageBrokerConfigurer is always overriding custom channel executor #​42924
  • X-Registry-Auth header sent to Docker Engine API contains field "authHeader" #​42915
  • ApplicationContextRunner has inconsistent behaviour with duplicate auto-configuration class names #​17963

📔 Documentation

  • Migrate class references to full javadoc links #​43239
  • Documentation for 'spring.datasource.type' is misleading #​43199
  • Update "Upgrading From" section to use "2.x" #​43160
  • Include spring-boot-loader in API documentation #​43153
  • Document how and where to add custom GraalVM configuration files #​43074
  • Rework DataSource configuration examples to separate defining an additional DataSource and defining a DataSource of a different type #​43059
  • Location of the layers schema is incorrect in the Maven Plugin's examples #​43033
  • Link to Eclipse setup instructions #​42954
  • Fix link to Checkpoint and Restore status page #​42939

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ahoehma, @​deki, @​izeye, @​ngocnhan-tran1996, @​nosan, @​quaff, and @​wickdynex

v3.3.13

⚠️ Noteworthy Changes

  • This release upgrades to Tomcat 10.1.42 which has introduced limits for part count and header size in multipart/form-data requests. These limits can be customized using server.tomcat.max-part-count and server.tomcat.max-part-header-size respectively.

🐞 Bug Fixes

  • Executable JAR application class encounters performance issues when classpath URLs reference a host #​46015
  • Loading from spring.factories may fail with a ClassNotFoundException when the TCCL changes between calls #​45984
  • DataSourceBuilder can fail with a NPE when the driver is null #​45976
  • Actuator heapdump endpoint is failing on modern OpenJ9 JVMs #​45973

📔 Documentation

  • Fix Docker security options links in Packaging OCI images sections #​46016
  • Timestamps in Retrieving Audit Events examples do not match the accompanying text #​45995
  • Links to Testcontainers javadoc for many classes not in the core testcontainers module do not work #​45802
  • Gradle Shadow Plugin link in the reference guide is outdated #​45720
  • Document use of git-commit-id-maven-plugin consistently #​45677
  • Improve documentation for configuring Spring Security with '/error' #​45663
  • Clarify the situation with support for Prometheus PushGateway and the deprecated simpleclient #​44392
  • Update javadoc of Configurer classes that apply sensible defaults to describe how they're typically used #​42878

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​chanbinme, @​davidlj95, @​ngocnhan-tran1996, @​nicolasgarea, @​nosan, @​quaff, and @​wonyongg

v3.3.12

🐞 Bug Fixes

  • Micrometer "enable" annotations property does not cover observed aspect #​45601
  • SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE #​45387
  • IllegalStateException when extracting using layers a module with no code of its own #​45385
  • Custom default units declared on a field are ignored when binding properties in a native image #​45343
  • Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate #​45336
  • JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter #​45289

📔 Documentation

  • Document that bean methods should be static when annotated with @ConfigurationPropertiesBinding #​45621
  • Document typical spring.application.name use #​45597
  • Document the process info contribution #​45567
  • Document the java info contribution #​45566
  • Document the os info contribution #​45565
  • Improve "profile" reference documentation with additional admonitions #​45522
  • Improve setEnvironmentPrefix(...) reference documentation #​45370
  • Document when a spring.config.import value is relative and when it is fixed #​45349
  • Update link to "Parameter Name Retention" section of Spring Framework's release notes #​45286
  • Document the way that primary Kotlin constructors are used when binding #​44849
  • Document all the available Testcontainers integrations #​44187

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ahrytsiuk, @​izeye, @​ngocnhan-tran1996, @​nosan, @​quaff, @​thecooldrop, and @​yybmion

v3.3.11

🐞 Bug Fixes

  • Spring Boot with native image container image build fails on podman due to directory permissions #​45233
  • MessageSourceMessageInterpolator does not replace a parameter when the message matches its code #​45212
  • IntegrationMbeanExporter is not eligible for getting processed by all BeanPostProcessors warnings are shown when using JMX #​45186
  • OAuth2AuthorizationServerJwtAutoConfiguration uses @ConditionalOnClass incorrectly #​45177
  • ImagePlatform can cause "OS must not be empty" IllegalArgumentException #​45152
  • MongoDB's dependency management is missing Kotlin coroutine driver modules #​45018
  • TypeUtils does not handle generics with identical names in different positions #​45011
  • Post-processing to apply custom JdbcConnectionDetails triggers an NPE in Hikari if the JDBC URL is for an unknown driver #​44997
  • DataSourceBuilder triggers an NPE in Hikari when trying to build a DataSource with a JDBC URL for an unknown driver #​44994
  • Wrong jOOQ exception translator with empty db name #​44954
  • spring.datasource.hikari.data-source-class-name cannot be used as a driver class name is always required and Hikari does not accept both #​44938
  • Neo4jReactiveDataAutoConfiguration assumes that certain beans are available #​44930
  • EmbeddedLdapAutoConfiguration should not rely on PreDestroy #​44870
  • DataSourceTransactionManagerAutoConfiguration should run after DataSourceAutoConfiguration #​44810
  • SSL config does not watch for symlink file changes #​44807

📔 Documentation

  • Make @Component a javadoc link #​45247
  • Fix documentation links to buildpacks.io #​45238
  • Escape the asterisk in spring-application.adoc #​45032
  • Show the use of token properties in authorization server clients configuration example #​44990
  • WebFlux security documentation incorrectly links to servlet classes #​44955
  • Add reference to Styra (OPA) Spring Boot SDK #​44951
  • TaskExecution documentation should describe what happens when multiple Executor beans are present #​44907
  • Clarify the use of multiple profile expressions with "spring.config.activate.on-profile" #​44866
  • Documentation lists coordinates for some dependencies that are not actually managed #​44855
  • Polish javadoc of SpringProfileAction #​44787
  • Add details of the purpose of the metrics endpoint #​44767

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​EvaristeGalois11, @​MelleD, @​ali-jalaal, @​erichaagdev, @​florgust, @​izeye, @​jonatan-ivanov, @​nenros, @​nevenc, @​ngocnhan-tran1996, @​nosan, @​quaff, and @​rainboyan

v3.3.10

🐞 Bug Fixes

  • Docker API error message is missing in some cases #​44628
  • When loading configuration from a Resource, Log4J2LoggingSystem may not close the InputStream #​44467
  • DefaultJmsListenerContainerFactoryConfigurer#setObservationRegistry should not be public #​44466
  • When the main class is not proxied, native testing that uses the application's main method does not work #​44461
  • When loading from a resource, PemContent does not close the InputStream #​44443
  • ResourceBanner does not close the InputStream used to read the banner #​44441
  • Kafka in native-image fails when using SSL bundles #​44435
  • ConfigDataLocationResolvers and PropertySourceLoaders are loaded using a potentially different class loader #​44427
  • Kafka message sending fails with 'class SslBundleSslEngineFactory could not be found' #​44414
  • Nested test classes don't inherit properties from @DataJpaTest on enclosing class #​44348

📔 Documentation

  • Polish javadoc of SqlR2dbcScriptDatabaseInitializer #​44763
  • Remove OpenShift link that 404s #​44724
  • Multiline properties in documentation are missing backslashes #​44583
  • Fix link to javadoc for JavaExec.setArgsString #​44526
  • Fix typo in documentation #​44514
  • Update descriptions of properties that no longer require Flyway Teams #​44460
  • Samples for metadata annotation processors have invalid fold attribute #​44413
  • Adapt Javadoc reference of JooqExceptionTranslator to use ExceptionTranslatorExecuteListener #​44385
  • Clarify which Mongo properties are ignored when URI property is set #​44384

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​KmYgJn, @​bekoenig, @​bernie-schelberg-invicara, @​dmitrysulman, @​izeye, @​metters, @​ngocnhan-tran1996, @​nosan, and @​quaff

v3.3.9

🐞 Bug Fixes

  • Reactive Jetty web server does not fail fast when configured to use a server name bundle which Jetty does not support #​44316
  • When web server application context refresh fails, the original failure is lost if stopping or destroying the web server throws an exception #​44310
  • Maven plugin does not consistently use ArgFile for classpath argument on Windows #​44305
  • View resolver for Thymeleaf should back off if spring-webmvc is not present #​44259
  • Banner placeholder and defaults do not work during development #​44137
  • WebServer is not destroyed when ReactiveWebServerApplicationContext refresh fails #​44134
  • Mustache templates return with ISO-8859-1 charset rather than UTF-8 in Content-Type response header #​44053
  • Logback configuration that relies on inner-classes does not work in a native image #​44021
  • IllegalStateException: Unable to register SSL bundle after 3.3.8 or 3.4.2 #​43966

📔 Documentation

  • Document that auto-configuration classes should be identified using their binary names #​44298
  • Correct typo in MVC security when explaining when UserDetailsService auto-configuration will back off #​44267
  • Link to JarLauncher's javadoc #​44168
  • When using observability annotations, recommend that care is taken to avoid double instrumentation #​44037
  • Fix typo in Running Your Application #​44032
  • Source snippet in Developing Your First Spring Boot Application section uses the root package #​43982
  • Correct the location of MyApplication.java in "Developing Your First Spring Boot Application" #​43965
  • Add links to Jackson Javadoc #​43961
  • Warn that some Quartz database schema scripts must be modified before use #​43955
  • Document Kubernetes preStop handler when using a Docker image without a shell #​43830

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Ru311, @​ashishkujoy, @​izeye, @​jearton, @​ngocnhan-tran1996, @​nosan, and @​timotheeandres

v3.3.8

🐞 Bug Fixes

  • POSTGRESQL_USERNAME and POSTGRESQL_DATABASE are ignored when using the Bitnami PostgreSQL image with Docker Compose #​43787
  • docker compose ps now fails due to unknown --orphans flag with 2.23 or earlier #​43710
  • Build info timestamp is truncated to seconds #​43612
  • FileWatcher used for SSL reload does not support symlinks #​43586
  • BindableRuntimeHintsRegistrar should handle TypeNotPresentException #​43598

📔 Documentation

  • Document that the @ConfigurationProperties annotation processor cannot generate description and defaultValue metadata for external types #​43925
  • Fix description of management.metrics.graphql.autotime.enabled #​43904
  • Document 'base64:' prefix support #​43809
  • Update OpenTelemetry section in Supported Monitoring Systems to refer to OTLP instead #​43727
  • Javadoc of DataSourceBuilder does not reference all supported types #​43724
  • Links to the Javadoc of Jakarta Messaging are invalid #​43661
  • Paragraph HTML tags are rendered as-is in Maven Plugin reference documentation #​43622
  • Javadoc link for jakarta.xml.bind is invalid #​43606
  • Documentation still has references to 'layertools' #​43601
  • Javadoc of ConstructorBinding should not use markdown formatting #​43590

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​arefbehboudi, @​dreis2211, @​gavarava, @​hezean, @​izeye, @​jxblum, @​ngocnhan-tran1996, @​quaff, and @​tmaciejewski

v3.3.7

🐞 Bug Fixes

  • KafkaProperties fail to build SSL properties when the bundle name is an empty string #​43561
  • With multiple ResourceHandlerRegistrationCustomizer beans in the context, only one of them is used #​43494
  • Kafka dependency management does not include the kafka-server module #​43450
  • Failures in -Djarmode=tools do not consistently return a non-zero exit #​43435
  • SpringApplicationShutdownHandlers do not run in deterministic order #​43430
  • Failure analysis for InvalidConfigurationPropertyValueException doesn't correctly handle fuzzy matching of environment variables #​43380
  • Diagnostics are poor when property resolution throws a ConversionFailedException #​43378
  • Unable to find a @SpringBootConfiguration results in misleading error message #​43357
  • H2ConsoleAutoConfiguration causes early initialization of DataSource beans #​43337
  • Accept progress on numbers >2GB #​43328
  • Overriding log level with an environment variable does not work when using an environment prefix #​43304
  • Methods to build producer / consumer properties from KafkaProperties are inconvenient to use without an SSL bundle #​43300
  • UnsupportedOperationException when starting a Maven shaded application on Java 21 with virtual threads enabled #​43284
  • Unable to use Docker Compose support when mixing dedicated and shared services #​40139

📔 Documentation

  • Fix typo in documentation #​43557
  • Fix typo #​43512
  • Links to logback javadoc are incorrect #​43439
  • Fix JUnit javadoc links #​43383
  • Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles #​43353
  • Restore System property in Logging section of the reference documentation #​43341
  • Use <annotationProcessorPaths> in Maven examples for configuring an annotation processor #​43329
  • Fix link to proxyBeanMethods in @AutoConfiguration javadoc #​43323
  • Fix links to Servlet and JPA javadoc #​43320
  • Link to @EnableMethodSecurity instead of the deprecated @EnableGlobalMethodSecurity #​43308
  • Fix Javadoc link for Hikari #​43305

🔨 Dependency Upgrades

mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) on May 26, 2026