getyourguide · pboos · Dec 5, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
@@ -3,10 +3,6 @@ plugins {
     alias(libs.plugins.nexus.publish)
 }
 
-ext['spring-framework.version'] = '6.2.11'
-ext['tomcat.version'] = '11.0.12'
-ext['netty.version'] = '4.2.6.Final' // Due to security vulnerabilities in 4.125.Final and older
-
 apply from: "${rootDir}/gradle/publish-root.gradle"
 
 allprojects {
@@ -68,31 +64,6 @@ subprojects {
         annotationProcessor(libs.lombok)
         testCompileOnly(libs.lombok)
         testAnnotationProcessor(libs.lombok)
-
-        // Security constraints
-        constraints {
-            implementation("org.springframework:spring-web:6.2.12") {
-                because("versions below 6.2.11 have security vulnerabilities including CVE-2024-38820 and CVE-2025-41249 - see dependabot #12, #24")
-            }
-            implementation("org.springframework:spring-webmvc:6.2.12") {
-                because("versions below 6.2.11 have security vulnerabilities including CVE-2025-41242 and CVE-2025-41249 - see dependabot #24, #247")
-            }
-            implementation("org.apache.tomcat.embed:tomcat-embed-core:11.0.14") {
-                because("versions below 11.0.12 have security vulnerabilities including CVE-2024-56337, CVE-2025-55754, CVE-2025-61795 - see dependabot #13, #27, #28")
-            }
-            implementation("org.apache.commons:commons-lang3:3.20.0") {
-                because("versions below 3.18.0 have security vulnerabilities including CVE-2025-48924 - see dependabot #15")
-            }
-            implementation("io.projectreactor.netty:reactor-netty-http:1.3.0") {
-                because("versions below 1.2.8 have security vulnerabilities including CVE-2025-22227 - see dependabot #16")
-            }
-            implementation("io.netty:netty-codec-http2:4.2.7.Final") {
-                because("versions below 4.1.124.Final have security vulnerabilities including CVE-2025-55163 - see dependabot #17")
-            }
-            implementation("io.netty:netty-codec:4.2.7.Final") {
-                because("versions below 4.1.125.Final have security vulnerabilities including CVE-2025-58057 - see dependabot #21")
-            }
-        }
     }
 
     checkstyle {

@@ -5,18 +5,6 @@ plugins {
     alias(libs.plugins.openapi.generator)
 }
 
-// Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/25
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
-dependencyManagement {
-    dependencies {
-        dependency 'ch.qos.logback:logback-core:1.5.21'
-        dependency 'ch.qos.logback:logback-classic:1.5.21'
-    }
-}
-
 dependencies {
     implementation project(':examples:examples-common')
     implementation project(':spring-boot-starter:spring-boot-starter-web')

@@ -5,18 +5,6 @@ plugins {
     alias(libs.plugins.openapi.generator)
 }
 
-// Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/25
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
-dependencyManagement {
-    dependencies {
-        dependency 'ch.qos.logback:logback-core:1.5.21'
-        dependency 'ch.qos.logback:logback-classic:1.5.21'
-    }
-}
-
 dependencies {
     implementation project(':examples:examples-common')
     implementation project(':spring-boot-starter:spring-boot-starter-webflux')

@@ -3,9 +3,9 @@
 import com.getyourguide.openapi.validation.example.openapi.model.BadRequestResponse;
 import java.util.Optional;
 import org.springframework.boot.autoconfigure.web.WebProperties;
-import org.springframework.boot.autoconfigure.web.reactive.error.AbstractErrorWebExceptionHandler;
 import org.springframework.boot.web.error.ErrorAttributeOptions;
-import org.springframework.boot.web.reactive.error.ErrorAttributes;
+import org.springframework.boot.webflux.autoconfigure.error.AbstractErrorWebExceptionHandler;
+import org.springframework.boot.webflux.error.ErrorAttributes;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;

@@ -1,6 +1,6 @@
 [versions]
 java = "21"
-spring-boot = "3.5.7"
+spring-boot = "4.0.0"
 spring-dependency-management = "1.1.7"
 openapi-generator = "7.17.0"
 openapi-tools = "0.2.8"

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.1-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
@@ -13,7 +13,7 @@ public MultiReadContentCachingRequestWrapper buildContentCachingRequestWrapper(H
             return (MultiReadContentCachingRequestWrapper) request;
         }
 
-        return new MultiReadContentCachingRequestWrapper(request);
+        return new MultiReadContentCachingRequestWrapper(request, 0 /* no limit */);
     }
 
     public ContentCachingResponseWrapper buildContentCachingResponseWrapper(HttpServletResponse response) {

@@ -11,10 +11,6 @@
 
 public class MultiReadContentCachingRequestWrapper extends ContentCachingRequestWrapper {
 
-    public MultiReadContentCachingRequestWrapper(HttpServletRequest request) {
-        super(request);
-    }
-
     public MultiReadContentCachingRequestWrapper(HttpServletRequest request, int contentCacheLimit) {
         super(request, contentCacheLimit);
     }

@@ -5,8 +5,8 @@
 import java.util.Optional;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
-import org.springframework.boot.web.reactive.context.AnnotationConfigReactiveWebApplicationContext;
-import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebApplicationContext;
+import org.springframework.boot.web.context.reactive.AnnotationConfigReactiveWebApplicationContext;
+import org.springframework.boot.web.context.servlet.AnnotationConfigServletWebApplicationContext;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.AnnotationConfigApplicationContext;
 import org.springframework.mock.web.MockServletContext;

@@ -16,8 +16,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 

@@ -15,8 +15,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.junit.jupiter.SpringExtension;

@@ -18,8 +18,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.bean.override.mockito.MockitoSpyBean;
 import org.springframework.test.context.junit.jupiter.SpringExtension;

@@ -19,8 +19,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;

@@ -84,8 +84,8 @@ private Mono<AlreadyDidValidation> optionalValidateRequestWithFailOnViolation(
         AlreadyDidValidation alreadyDidValidation
     ) {
         if (!trafficSelector.shouldFailOnRequestViolation(requestMetaData)
-            || !request.getHeaders().containsKey("Content-Type")
-            || !request.getHeaders().containsKey("Content-Length")) {
+            || !request.getHeaders().containsHeader("Content-Type")
+            || !request.getHeaders().containsHeader("Content-Length")) {
             return Mono.just(alreadyDidValidation);
         }
 

@@ -6,8 +6,8 @@
 import java.util.Optional;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
-import org.springframework.boot.web.reactive.context.AnnotationConfigReactiveWebApplicationContext;
-import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebApplicationContext;
+import org.springframework.boot.web.context.reactive.AnnotationConfigReactiveWebApplicationContext;
+import org.springframework.boot.web.context.servlet.AnnotationConfigServletWebApplicationContext;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.AnnotationConfigApplicationContext;
 import org.springframework.mock.web.MockServletContext;

@@ -7,14 +7,14 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webtestclient.autoconfigure.AutoConfigureWebTestClient;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.reactive.server.WebTestClient;
 
 @SpringBootTest
-@AutoConfigureMockMvc
+@AutoConfigureWebTestClient
 @ExtendWith(SpringExtension.class)
 public class ExceptionsNoExceptionHandlerTest {
 

@@ -11,8 +11,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webtestclient.autoconfigure.AutoConfigureWebTestClient;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -26,7 +26,7 @@
     SpringBootTestConfiguration.class,
     ExceptionsWithExceptionHandlerTest.ExceptionHandlerConfiguration.class,
 })
-@AutoConfigureMockMvc
+@AutoConfigureWebTestClient
 @ExtendWith(SpringExtension.class)
 public class ExceptionsWithExceptionHandlerTest {
 

@@ -12,8 +12,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webtestclient.autoconfigure.AutoConfigureWebTestClient;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.bean.override.mockito.MockitoSpyBean;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -23,7 +23,7 @@
     "openapi.validation.should-fail-on-request-violation=true",
     "openapi.validation.should-fail-on-response-violation=true",
 })
-@AutoConfigureMockMvc
+@AutoConfigureWebTestClient
 @ExtendWith(SpringExtension.class)
 public class FailOnViolationIntegrationTest {
 

@@ -13,14 +13,14 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.webtestclient.autoconfigure.AutoConfigureWebTestClient;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.reactive.server.WebTestClient;
 
 @SpringBootTest
-@AutoConfigureMockMvc
+@AutoConfigureWebTestClient
 @ExtendWith(SpringExtension.class)
 public class OpenApiValidationIntegrationTest {
     @Autowired

@@ -21,6 +21,7 @@ dependencies {
 
     testFixturesApi platform(SpringBootPlugin.BOM_COORDINATES)
     testFixturesApi 'org.springframework.boot:spring-boot-starter-test'
+    testFixturesApi 'org.springframework.boot:spring-boot-webmvc-test'
     // For openapi generated code
     testFixturesApi 'org.springframework.boot:spring-boot-starter-validation'
     testFixturesApi(libs.openapi.tools.jacksonDatabindNullable)

@@ -21,6 +21,7 @@ dependencies {
 
     testFixturesApi platform(SpringBootPlugin.BOM_COORDINATES)
     testFixturesApi 'org.springframework.boot:spring-boot-starter-test'
+    testFixturesApi 'org.springframework.boot:spring-boot-webtestclient'
     // For openapi generated code
     testFixturesApi 'org.springframework.boot:spring-boot-starter-validation'
     testFixturesApi(libs.openapi.tools.jacksonDatabindNullable)