[2.8.x] Upgrade Spring to fix Spring4Shell vulnerability

[mkurz]

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Also see #11213

[ProChirathF]

We have other dependencies pulling Spring 5.3.18, do we know if Play 2.8.15 is compatible with Spring 5.3.x or would you recommend us to force 5.2.20

[mkurz]

Hey Chirath, we can easily test this by temporary upgrading to 5.3.x in the 2.8.x branch. Here is the pull request: #10819
If all tests turn green it should be pretty safe to use 5.3.18 in your project:
https://app.travis-ci.com/github/playframework/playframework/builds/249075661
The test coverage for the spring databinder is very high, we have many tests for that in Play.

[mkurz]

(Updated the last comment with the now correct link the travis: https://app.travis-ci.com/github/playframework/playframework/builds/249075661)

[mkurz]

@ProChirathF The build with Spring 5.3.18 didn't fail, so I would assume it's safe to use those dependencies with Play 2.8.15: https://app.travis-ci.com/github/playframework/playframework/builds/249075661 🥳