@mend-for-github-com mend-for-github-com bot commented Sep 16, 2025

This PR contains the following updates:

Package                                                    Type          Update  Change
org.springframework.boot:spring-boot-starter-web (source)  dependencies  minor   3.3.5 -> 3.4.11

By merging this PR, the issue #20 will be automatically resolved and closed:

Severity  CVSS Score  Vulnerability
Critical  9.8         CVE-2024-50379
Critical  9.8         CVE-2024-56337
Critical  9.8         CVE-2025-24813
Critical  9.8         CVE-2025-31651
Critical  9.6         CVE-2025-55754
High      7.5         CVE-2025-48976
High      7.5         CVE-2025-48988
High      7.5         CVE-2025-48989
Medium    6.6         CVE-2024-12798
Medium    6.5         CVE-2025-49125
Medium    6.5         CVE-2025-55668

By merging this PR, the issue #20 will be automatically resolved and closed:

Severity  CVSS Score  Vulnerability
Medium    6.9         CVE-2025-11226
Medium    6.6         CVE-2024-12798
Medium    4.4         CVE-2024-12801
Low       3.1         CVE-2025-22233

Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-web)

v3.4.11

🐞 Bug Fixes

  • In an uber war, value of the Sbom-Location manifest attribute does not match the SBOM's actual location #47735
  • Homebrew formula for the CLI should use libexec #47696
  • When virtual threads are enabled, embedded Jetty does not use recommended virtual thread configuration #47690
  • ClientHttpRequestFactoryRuntimeHints is missing timeout methods with Duration overloads #47675
  • OnBeanCondition no longer correctly finds annotations on scoped target proxy beans #47633
  • JavaVersion doesn't work reliably in native-image #47619
  • In an uber war, value of the Sbom-Location manifest attribute does not match the SBOM's actual location #47408
  • LiquibaseEndpoint always uses defaultSchema instead of liquibaseSchema #47300
  • Signed jar verification fails when nested in an uber war running on an Oracle JVM #47284
  • Bitnami legacy images are not automatically detected #46983

📔 Documentation

  • Dependency management for Maven AntRun Plugin is missing changelog link #47732
  • Developing Your First Spring Boot Application has outdated tools #47699
  • Include deprecated configuration properties in the reference documentation #47622
  • Aggregated Javadoc should link to the proper version of JakartaEE #47592
  • Use non-deprecated syntax to configure sourceCompatibility #47339
  • Fix link to Framework's @Bean annotation #47329
  • Update managed dependency version override examples in documentation #47304

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@DKARAGODIN, @Lublanski, @fhiyo, @ngocnhan-tran1996, @nosan, @scottfrederick, and @xyraclius

v3.4.10

🐞 Bug Fixes

  • available() does not behave correctly when reading stored entries from a NestedJarFile #47056
  • Flyway Ignore Migration Patterns setting can't be set to an empty string #46984
  • spring-boot-docker-compose doesn't create service connections when image has registry host but not project #46974
  • Quoted -D arguments break system property resolution on Linux with Spring AOT #46555

📔 Documentation

  • Default value of server.tomcat.resource.cache-ttl is not documented #47252
  • Fix links to Flyway reference documentation #46976
  • Clarify Javadoc of Customizer interfaces about overriding behavior #46938

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Chanwon-Seo, @doljae, @izeye, and @quaff

v3.4.9

🐞 Bug Fixes

  • Hazelcast health indicator reports the wrong status when Hazelcast has shut down due to an out-of-memory error #46877
  • Performance critical tracing code has high overhead due to the use of the Stream API #46838
  • SpringLiquibaseCustomizer is exposed outside its defined visibility scope #46752
  • Race condition in OutputCapture can result in stale data #46685
  • Default value not detected for a field annotated with @Name #46662
  • Memory not freed on context restart in JpaMetamodel#CACHE with spring.main.lazy-initialization=true #46630
  • Property name is incorrect when reporting a mis-configured OAuth 2 Resource Server JWT public key location #46627
  • Missing metadata when using @Name with a constructor-bound property #46599
  • Failure to discover default value for a primitive should not lead to documenting its default value #46551

📔 Documentation

  • Observability examples in the reference guide are missing the Kotlin version #46775
  • Kotlin samples for configuration metadata are in the wrong package #46774
  • Align method descriptions for SslOptions getCiphers and getEnabledProtocols with @returns #46756
  • Tracing samples in the reference guide are missing the Kotlin version #46699
  • spring-boot-test-autoconfigure should use the configuration properties annotation processor like other modules #46584
  • spring.test.webtestclient.timeout is not documented #46577
  • spring.test.mockmvc properties are not documented #46576
  • Adapt deprecation level for management.health.influxdb.enabled #46574
  • Improve Virtual Threads section to mention the changes in Java 24 #46547

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kguswo, @Pankraz76, @deejay1, @ganjisriver, @izeye, @nicolasgarea, @nosan, @prishedko, @quaff, @schmidti159, @scordio, @shakuzen, @tommyk-gears, @zahra7, and @zakaria-shahen

v3.4.8

🐞 Bug Fixes

  • LambdaSafe.withFilter is not public #46472
  • Executable JAR application class encounters performance issues when used with Palo Alto Network Cortex XDR agent #46401
  • Runtime dependencies are missing from aotCompileClasspath and aotTestCompileClasspath when using Kotlin #46397
  • jdbc.connections.active and jdbc.connections.idle metrics are not available when using Hikari in a native image #46214
  • Hash calculation for uber archive entries that require unpacking is inefficient #46202
  • Permissions are applied inconsistently when building uber archives with Gradle #46193
  • EmbeddedWebServerFactoryCustomizerAutoConfiguration fails when undertow-core is on the classpath and undertow-servlet is not #46178
  • Setting spring.netty.leak-detection has no effect when lazy initialization is enabled #46164
  • Executable JAR application class encounters performance issues #46063
  • developmentOnly and testAndDevelopmentOnly dependencies may prevent implementation dependencies from being included in the uber-jar #46043
  • Binder context does not restore previous source causing missing data on Spring Boot 3.5 or above #46039
  • Setting spring.reactor.context-propagation has no effect when lazy initialization is enabled #45846

📔 Documentation

  • Fix description of spring.batch.job.enabled #46228
  • Fix broken Kotlin examples in reference documentation #46064

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Dockerel, @PiyalAhmed, @benelog, @dmitrysulman, @izeye, @nosan, and @quaff

v3.4.7

⚠️ Noteworthy Changes

  • This release upgrades to Tomcat 10.1.42 which has introduced limits for part count and header size in multipart/form-data requests. These limits can be customized using server.tomcat.max-part-count and server.tomcat.max-part-header-size respectively.

🐞 Bug Fixes

  • Executable JAR application class encounters performance issues when classpath URLs reference a host #46027
  • Loading from spring.factories may fail with a ClassNotFoundException when the TCCL changes between calls #46018
  • Actuator heapdump endpoint is failing on modern OpenJ9 JVMs #46004
  • DataSourceBuilder can fail with a NPE when the driver is null #45991
  • JSON writer incorrectly escapes forward slash which can cause structured logging issues #45972
  • spring.couchbase.authentication.jks.private-key-password has no effect #45883
  • ConditionalOnAvailableEndpoint does not use the ConditionContext's ClassLoader to load exposure outcome contributors #45800
  • ManagementWebServerFactoryCustomizer and ManagementErrorPageCustomizer should not have the same order #45728
  • SAML2 autoconfiguration is not imported by @WebMvcTest #45650

📔 Documentation

  • Fix Docker security options links in Packaging OCI images sections #46020
  • Improve documentation for configuring Spring Security with '/error' #46008
  • Timestamps in Retrieving Audit Events examples do not match the accompanying text #45996
  • Update javadoc of test slice annotations to suggest MockitoBean rather than MockBean #45887
  • Include configuration classes from all modules in the "Auto-configuration Classes" appendix #45861
  • Links to Testcontainers javadoc for many classes not in the core testcontainers module do not work #45843
  • Add SSL response structure to actuator info endpoint documentation #45792
  • Gradle Shadow Plugin link in the reference guide is outdated #45739
  • Document use of git-commit-id-maven-plugin consistently #45682
  • Update javadoc of Configurer classes that apply sensible defaults to describe how they're typically used #45655
  • Clarify the situation with support for Prometheus PushGateway and the deprecated simpleclient #45649

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@chanbinme, @csbiy, @davidlj95, @izeye, @ngocnhan-tran1996, @nicolasgarea, @nosan, @quaff, @shekharAggarwal, and @wonyongg

v3.4.6

🐞 Bug Fixes

  • Micrometer "enable" annotations property does not cover observed aspect #45616
  • SpringApplication.setEnvironmentPrefix is ignored when reading SPRING_PROFILES_ACTIVE #45548
  • IllegalStateException when extracting using layers a module with no code of its own #45448
  • Suggested values for spring.jpa.hibernate.ddl-auto are not aligned with Hibernate #45350
  • Custom default units declared on a field are ignored when binding properties in a native image #45346
  • JerseyWebApplicationInitializer always gets loaded, setting a ServletContext initParameter #45296

📔 Documentation

  • Document the java info contribution #45633
  • Document the process info contribution #45631
  • Document the os info contribution #45629
  • Document typical spring.application.group and name use #45627
  • Document that bean methods should be static when annotated with @ConfigurationPropertiesBinding #45625
  • Document the way that primary Kotlin constructors are used when binding #45552
  • Improve "profile" reference documentation with additional admonitions #45550
  • Improve setEnvironmentPrefix(...) reference documentation #45375
  • Document all the available Testcontainers integrations #45366
  • Document when a spring.config.import value is relative and when it is fixed #45362
  • Update link to "Parameter Name Retention" section of Spring Framework's release notes #45298

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@ahrytsiuk, @izeye, @ngocnhan-tran1996, @nosan, @quaff, @thecooldrop, and @yybmion

v3.4.5

🐞 Bug Fixes

  • Spring Boot with native image container image build fails on podman due to directory permissions #45256
  • Neo4jReactiveDataAutoConfiguration assumes that certain beans are available #45235
  • Wrong jOOQ exception translator with empty db name #45219
  • MessageSourceMessageInterpolator does not replace a parameter when the message matches its code #45213
  • "IntegrationMbeanExporter is not eligible for getting processed by all BeanPostProcessors" warnings are shown when using JMX #45194
  • OAuth2AuthorizationServerJwtAutoConfiguration uses @ConditionalOnClass incorrectly #45178
  • MongoDB's dependency management is missing Kotlin coroutine driver modules #45159
  • ImagePlatform can cause "OS must not be empty" IllegalArgumentException #45153
  • TypeUtils does not handle generics with identical names in different positions #45039
  • HttpClient5 5.4.3 breaks local Docker transport #45028
  • spring.datasource.hikari.data-source-class-name cannot be used, as a driver class name is always required and Hikari does not accept both #45002
  • Post-processing to apply custom JdbcConnectionDetails triggers an NPE in Hikari if the JDBC URL is for an unknown driver #44998
  • DataSourceBuilder triggers an NPE in Hikari when trying to build a DataSource with a JDBC URL for an unknown driver #44995
  • SSL config does not watch for symlink file changes #44887
  • EmbeddedLdapAutoConfiguration should not rely on PreDestroy #44874
  • DataSourceTransactionManagerAutoConfiguration should run after DataSourceAutoConfiguration #44819
  • JsonValueWriter can throw StackOverflowError on deeply nested items #44627
  • In a reactive web app, SslBundle can no longer open store file locations without using a 'file:' prefix #44535
  • Logging a Path object using structured logging throws StackOverflowError #44507

📔 Documentation

  • Make @Component a javadoc link #45258
  • Fix documentation links to buildpacks.io #45241
  • Clarify the use of multiple profile expressions with "spring.config.activate.on-profile" #45224
  • Show the use of token properties in authorization server clients configuration example #45176
  • Add details of the purpose of the metrics endpoint #45047
  • Escape the asterisk in spring-application.adoc #45033
  • Add reference to Styra (OPA) Spring Boot SDK #44976
  • Update CDS documentation to cover AOTCache #44970
  • WebFlux security documentation incorrectly links to servlet classes #44966
  • Replace mentions of deprecated MockBean annotation #44947
  • TaskExecution documentation should describe what happens when multiple Executor beans are present #44908
  • Documentation lists coordinates for some dependencies that are not actually managed #44879
  • Polish javadoc of SpringProfileAction #44826

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@EvaristeGalois11, @MelleD, @aahlenst, @ali-jalaal, @erichaagdev, @florgust, @geniusYoo, @izeye, @jonatan-ivanov, @nenros, @nevenc, @ngocnhan-tran1996, @nosan, @quaff, and @rainboyan

v3.4.4

❗ Noteworthy Changes

Tomcat APR support is now disabled by default if you are using Java 24 or higher. This change has been made to prevent the JDK from issuing warnings.

Please see the updated release notes for details.

🐞 Bug Fixes

  • Actuator throws an exception when using prototype scoped DataSource bean #44706
  • Docker API error message is missing in some cases #44630
  • DefaultJmsListenerContainerFactoryConfigurer#setObservationRegistry should not be public #44585
  • When an application contains multiple DataSource beans, EntityManagerFactoryBuilder will default ddl-auto to a value that may only be appropriate for the primary DataSource #44516
  • When the main class is not proxied, native testing that uses the application's main method does not work #44481
  • When loading configuration from a Resource, Log4J2LoggingSystem may not close the InputStream #44473
  • When loading from a resource, PemContent does not close the InputStream #44454
  • ResourceBanner does not close the InputStream used to read the banner #44452
  • ConfigDataLocationResolvers and PropertySourceLoaders are loaded using a potentially different class loader #44450
  • Kafka message sending fails with 'class SslBundleSslEngineFactory could not be found' #44437

mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) on Sep 16, 2025
mend-for-github-com bot force-pushed the whitesource-remediate/org.springframework.boot.spring.boot.starter.web branch from 5648a07 to 6f24c07 on November 21, 2025 01:11
mend-for-github-com bot changed the title from "Update dependency org.springframework.boot:spring-boot-starter-web to v3.3.12" to "Update dependency org.springframework.boot:spring-boot-starter-web to v3.4.11" on Nov 21, 2025