Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency org.springframework:spring-web to v6 [SECURITY] - autoclosed #800

Closed
wants to merge 1 commit into from
Closed

Update dependency org.springframework:spring-web to v6 [SECURITY] - autoclosed #800

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 10, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework:spring-web 5.3.31 -> 6.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2016-1000027

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.0.0

Compare Source

See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

⭐ New Features

  • Avoid direct URL construction and URL equality checks #​29486
  • Simplify creating RFC 7807 responses from functional endpoints #​29462
  • Allow test classes to provide runtime hints via declarative mechanisms #​29455

📔 Documentation

  • Align javadoc of DefaultParameterNameDiscoverer with its behavior #​29494
  • Document AOT support in the TestContext framework #​29482
  • Document Ahead of Time processing in the reference guide #​29350

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ophiuhus and @​wilkinsona

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch from b6d3ba0 to 23d8d6d Compare February 10, 2024 23:55
@renovate renovate bot changed the title fix(deps): update dependency org.springframework:spring-web to v6 [security] Update dependency org.springframework:spring-web to v6 [SECURITY] Feb 11, 2024
@renovate renovate bot changed the title Update dependency org.springframework:spring-web to v6 [SECURITY] Update dependency org.springframework:spring-web to v6 [SECURITY] - autoclosed Feb 11, 2024
@renovate renovate bot closed this Feb 11, 2024
@renovate renovate bot deleted the renovate/maven-org.springframework-spring-web-vulnerability branch February 11, 2024 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants