chore(deps)(deps): bump the spring group across 1 directory with 2 updates

[dependabot]

Bumps the spring group with 2 updates in the / directory: org.springframework.boot:spring-boot-starter-parent and org.springframework.ai:spring-ai-bom.

Updates org.springframework.boot:spring-boot-starter-parent from 4.0.5 to 4.0.6

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.6

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

Commits

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Updates org.springframework.ai:spring-ai-bom from 2.0.0-M3 to 2.0.0-M4

Release notes

Sourced from org.springframework.ai:spring-ai-bom's releases.

Spring AI 2.0.0-M4 Release Notes

🎯 Highlights

This release includes 2 new features, 10 bug fixes, 13 other improvements.

⚠️ Upgrading Notes

• If you are using Vertex AI, OCI GenAI, or ZhiPu AI integrations, begin planning migration to alternative model providers such as OpenAI, Azure OpenAI, Anthropic, or other supported providers. These deprecated integrations will be removed in a future major release. #5676

📢 Noteworthy

• The Vertex AI model integration classes have been deprecated and will be removed in a future release. Users should plan to migrate to alternative model providers. #5676
• The ZhiPu AI model integration classes have been deprecated and will be removed in a future release. Users should plan to migrate to alternative model providers. #5676
• The OCI GenAI model integration classes have been deprecated and will be removed in a future release. Users should plan to migrate to alternative model providers. #5676

⭐ New Features

• Added capability to use Google Search alongside custom tools in Gemini 3.x models, enhancing the search and tool integration capabilities. #5669
• Added support for dynamically disabling native structured output functionality, providing more flexibility in output handling. 019267f

🪲 Bug Fixes

• Resolved issue where extraBody configuration was being lost when toolDefinitions were specified in API requests. e65d5de
• Corrected regression in AzureOpenAiChatOptions where the stop field initializer was not working properly. 6e8e5fe
• Corrected handling of string values for TAG and TEXT filter values in Redis vector store filter expression converter. 32c79b0
• Resolved key handling issues in Neo4j vector store filter expression converter. d97da30
• Corrected identifier parsing logic in the filter expression text parser to handle edge cases properly. ccc29d1
• Enhanced the reliability of media fetching operations in the Bedrock proxy chat model implementation. 75e2bd7
• Updated and fixed prompt caching tests to work correctly with the Claude Haiku 4.5 model on Bedrock. #5648
• Corrected the API key header configuration when using the OpenAI SDK with Azure OpenAI deployments. 0b142aa
• Fixed collection field initialization in super-builders to use null defaults instead of empty collections, preventing unintended behavior #5619
• Improved type safety in HeaderUtils by adding explicit type parameters to collection operations a20203a

🔨 Dependency Upgrades

• Updated Google Generative AI SDK dependency to version 1.44.0, bringing latest features and improvements. #5669
• Upgraded OpenAI SDK dependency to version 4.28.0 for latest OpenAI API features and fixes. 0ad60de
• Upgraded the Anthropic SDK dependency to version 2.17.0 for latest features and improvements #5621

🔩 Build Updates

• Improved stability and reliability of Oracle and PgVector vector store integration tests. 490a369
• Resolved flakiness in Bedrock converse integration test assertions for more reliable test execution. 3c38bb4
• Corrected issues in Google GenAI auto-configuration test suite. 1560afc
• Resolved issues in Mistral AI integration test suite for improved test reliability. aac56ee
• Improved internal implementation of filter evaluation logic in SimpleVectorStore for better maintainability. ba9220b
• Improved Maven dependency management by adding missing test scope for json-unit-assertj and leveraging Maven transitivity for test dependencies. 86911c4

🙏 Contributors

Thanks to all contributors who made this release possible:

• Andres (@​andresdiegolanda)
• Christian Tzolov (@​tzolov)
• ddobrin (@​ddobrin)
• Dylan Weijgertze (@​dylanwe)

... (truncated)

Commits

• 5069974 Release version 2.0.0-M4
• 490a369 Fix Oracle/PgVector ITs
• e65d5de Fix extraBody lost when toolDefinitions is present
• 3c38bb4 Fix Bedrock converse IT assertions flakiness
• 1560afc fix: Google GenAI autoconfig tests
• aac56ee fix Mistral IT
• 6e8e5fe Fix AzureOpenAiChatOptions#stop field initializer regression
• 1fa0019 Deprecate Vertex AI classes
• 32ee391 Deprecate ZhiPu AI classes
• d36be40 Deprecate OCI GenAI classes
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: area:backend, type:dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	maven/​org.springframework.ai/​spring-ai-starter-mcp-server-webmvc@​2.0.0-M3 ⏵ 2.0.0-M4
	maven/​org.springframework.boot/​spring-boot-starter-actuator@​4.0.5 ⏵ 4.0.6
	maven/​org.springframework.boot/​spring-boot-starter-cache@​4.0.5 ⏵ 4.0.6
	maven/​org.springframework.boot/​spring-boot-starter-data-neo4j@​4.0.5 ⏵ 4.0.6
	maven/​org.springframework.boot/​spring-boot-starter-test@​4.0.5 ⏵ 4.0.6
	maven/​org.springframework.boot/​spring-boot-starter-web@​4.0.5 ⏵ 4.0.6

View full report