deps(phase2): upgrade Spring Boot 2.4.5 → 2.7.18 #12

Merged: sundancekid73 merged 1 commit into main from deps/phase2-spring-boot-2.7 on Jun 10, 2026

@sundancekid73

Collaborator

Summary

  • Spring Boot 2.4.5 → 2.7.18 (final 2.x LTS, EOL Nov 2023)
  • io.spring.dependency-management plugin 1.0.11 → 1.1.6
  • Spring Security version pin removed — now BOM-managed at 5.7.11
  • Transitive upgrades: logback 1.2.3 → 1.2.12, snakeyaml 1.27 → 1.30, spring-core 5.3.6 → 5.3.31

CVEs closed

| CVE | Severity | Component |
| --- | --- | --- |
| CVE-2022-22965 (Spring4Shell RCE) | 9.8 | spring-beans |
| CVE-2022-22978 (auth bypass) | 9.8 | spring-security |
| CVE-2022-1471 (snakeyaml deserialization) | 8.3 | snakeyaml |
| CVE-2023-20883 (MVC DoS) | 7.5 | spring-boot |
| CVE-2023-6378 (logback deserialization) | 7.1 | logback |
| CVE-2022-22950 (SpEL DoS) | 6.5 | spring-expression |

+ several medium/low spring-context, spring-web CVEs

Temporary workarounds (removed in later phases)

  • spring.mvc.pathmatch.matching-strategy: ant_path_matcher — SpringFox breaks with Boot 2.6+ default path matcher; removed in Phase 4 when SpringFox is replaced with SpringDoc
  • spring.main.allow-circular-references: true — Keycloak adapter 6.0.1 has a circular dependency that Boot 2.6 now rejects; removed in Phase 5 when Keycloak adapter is replaced with Spring Security OAuth2

Test plan

  • All 56 tests pass locally (./gradlew test)
  • CI green

Generated with Claude Code

Closes CVEs in Spring Boot 2.4.5 stack:
- CVE-2022-22965 Spring4Shell (9.8), CVE-2022-22950 SpEL DoS (6.5),
  CVE-2023-20883 MVC DoS (7.5), CVE-2022-22978 security auth bypass (9.8)
- Logback 1.2.3 → 1.2.12, snakeyaml 1.27 → 1.30, spring-core 5.3.6 → 5.3.31
- Spring Security BOM-managed → 5.7.11 (removed explicit version pin)
- io.spring.dependency-management plugin 1.0.11 → 1.1.6

Workarounds for legacy components (removed in upcoming phases):
- spring.mvc.pathmatch.matching-strategy=ant_path_matcher: SpringFox
  breaks with Boot 2.6+ default path_pattern_parser (removed in Phase 4)
- spring.main.allow-circular-references=true: Keycloak adapter 6.0.1
  has a circular reference between securityConfig and KeycloakConfigResolver
  that Boot 2.6 now rejects by default (removed in Phase 5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
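A reviewer verifying this PR would want to confirm that the resolved versions in the build actually meet the floors listed in the description and commit message above. The script below is an added example, not part of this PR or the project's code: it parses `./gradlew dependencies` tree output and flags any tracked artifact that still resolves below the version this PR upgrades to. The artifact coordinates and both sample trees are assumptions constructed for the example.

```python
import re

# Floors are the versions this PR upgrades to (from the PR description); the
# artifact coordinates and the sample trees below are assumptions for this example.
MIN_VERSIONS = {
    "org.springframework.boot:spring-boot": "2.7.18",
    "org.springframework:spring-core": "5.3.31",
    "org.springframework.security:spring-security-core": "5.7.11",
    "ch.qos.logback:logback-classic": "1.2.12",
    "org.yaml:snakeyaml": "1.30",
}

# One Gradle tree line: indentation, +--- or \---, group:artifact, optional declared
# version, optional "-> resolved" when the BOM or conflict resolution changed it.
LINE_RE = re.compile(
    r"^[|\s]*[+\\]---\s+(?P<ga>[\w.\-]+:[\w.\-]+)"
    r"(?::(?P<declared>[\w.\-]+))?(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)

def parse_version(v):
    # "5.3.31" -> (5, 3, 31); non-numeric segments sort lowest so they never pass a floor
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def resolved_versions(tree_text):
    # Map group:artifact -> version Gradle actually resolved (the "->" target wins)
    versions = {}
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if m and (m.group("resolved") or m.group("declared")):
            versions[m.group("ga")] = m.group("resolved") or m.group("declared")
    return versions

def find_below_minimum(tree_text, minimums=MIN_VERSIONS):
    # Return (group:artifact, resolved, floor) for each tracked artifact still below its floor
    versions = resolved_versions(tree_text)
    return [(ga, versions[ga], floor) for ga, floor in minimums.items()
            if ga in versions and parse_version(versions[ga]) < parse_version(floor)]

# Constructed `./gradlew dependencies --configuration compileClasspath` output after the PR
UPGRADED_TREE = r"""+--- org.springframework.boot:spring-boot-starter-web -> 2.7.18
|    +--- org.springframework.boot:spring-boot:2.7.18
|    +--- ch.qos.logback:logback-classic:1.2.12
|    +--- org.yaml:snakeyaml:1.30 (*)
|    \--- org.springframework:spring-core:5.3.6 -> 5.3.31
\--- org.springframework.security:spring-security-core -> 5.7.11
"""
# Constructed tree for the pre-PR 2.4.5 stack: two tracked artifacts sit below their floors
STALE_TREE = r"""+--- org.springframework.boot:spring-boot-starter-web:2.4.5
|    +--- org.springframework:spring-core:5.3.6
|    \--- org.yaml:snakeyaml:1.27
"""
```

Feed `find_below_minimum` the real output of `./gradlew dependencies` for each configuration (compile, runtime, test) so a stale transitive pin in one of them is not missed.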
sundancekid73 merged commit b5bc454 into main on Jun 10, 2026
8 checks passed
sundancekid73 deleted the deps/phase2-spring-boot-2.7 branch on June 10, 2026 at 07:58