Update dependency org.springframework:spring-core to v5.3.27 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework:spring-core	5.3.21 -> 5.3.27

GitHub Vulnerability Alerts

CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVE-2023-20863

In Spring Framework versions prior to 5.2.24.release+ , 5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition.

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-core)

v5.3.27

Compare Source

⭐ New Features

• Limit string concatenation in SpEL expressions #​30331
• Limit SpEL expression length #​30329
• Disable variable assignment in SimpleEvaluationContext #​30327
• Introduce StringUtils.truncate() #​30291
• Introduce ObjectUtils.nullSafeConciseToString() #​30287
• Make HttpComponentsHeadersAdapter#getFirst nullable #​30269

🐞 Bug Fixes

• Fix regression in ReactorServerHttpRequest related to IPV6 Zone id with "%" #​30314
• SSE breaks with indenting serializer in WebMvc.fn #​30302
• Increase max regex length in SpEL expressions #​30298
• NullPointerException on timeout in HttpComponentsClientHttpConnector when using Apache HttpComponents #​30246
• Wrong MockRestRequestMatchers.header() method in spring-test being invoked (JDK issue?) #​30235
• TypeNotPresentException: org/springframework/cglib/proxy/NoOp not present on Java 17 #​30228
• Refine generic type management in AbstractMessageWriterResultHandler #​30215
• MvcUriComponentsBuilder.fromMethodCall breaks for controller with CharSequence return type #​30212
• Handle all exceptions for stored proc output param retrieval in SharedEntityManagerCreator #​30164

📔 Documentation

• Fix @PathVariable reference documentation code snippets #​30258
• Fix example in Javadoc for @EnableWebSocket #​30187
• Fix anchor in link to "Web on Reactive Stack" chapter #​30163

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.31 #​30315

v5.3.26

Compare Source

⭐ New Features

• Improve diagnostics in SpEL for matches operator #​30145
• Improve diagnostics in SpEL for repeated text #​30143
• Increase scope of regex pattern cache for the SpEL matches operator #​30141
• Minor updates in HandlerMappingIntrospector #​30128
• Allow SnakeYaml 2.0 runtime compatibility #​30097
• Add missing @Nullable annotations to LogMessage.format methods #​30009
• ASM upgrade for JDK 20/21 support #​29966
• Allow MockRest to match header/queryParam value list with one Matcher #​29964
• Add MockMvc.multipart() Kotlin extensions with HttpMethod #​29941
• Release R2DBC connection when cleanup fails in transaction #​29925
• org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #​29909
• Improve generated default name for @JmsListener subscription #​29902
• Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #​29888
• SQL supplier in R2DBC DatabaseClient is eagerly invoked #​29887
• Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #​29867
• Possible infinite forward loop with MockMvcWebConnection #​29866
• Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #​29860
• Fix R2dbcTransactionManager debug log: don't log a Mono #​29824

🐞 Bug Fixes

• RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #​30121
• SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #​30118
• CaffeineCacheManager getCache method cause thread block #​30085
• Protect JMS connection creation against prepareConnection errors #​30051
• ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #​29974
• WebSocket stats not updated correctly when sessions cleared #​29947
• Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #​29914
• Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #​29908
• Invalid Accept header results in IllegalStateException #​29836
• JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #​29256

📔 Documentation

• Fix minor spacings in webflux docs #​30095
• @AspectJ argument name resolution algorithm is outdated in reference manual #​30057
• Fix "Configuring a Global Date and Time Format" example #​30036
• Consistent @Bean method return type for equivalence with XML example #​29970
• Update @DynamicPropertySource examples regarding changes in Testcontainers #​29940
• Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #​29926
• Clearly document that DataClassRowMapper supports Java records #​29922
• Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #​29916

🔨 Dependency Upgrades

• Upgrade to Reactor Netty 2020.0.30 #​30116

v5.3.25

Compare Source

⭐ New Features

• JmsTemplate.convertAndSend throws NullPointerException during shutdown #​29719
• Optimize object creation in RequestMappingHandlerMapping#handleNoMatch #​29667
• Add title to SockJS iFrames for accessibility compliance #​29596

🐞 Bug Fixes

• ResourceHandlers cannot resolve static resources with certain wildcard patterns #​29716
• AnnotatedElementUtils.findMergedRepeatableAnnotations does not fetch results when other attributes exist for container annotation #​29686
• BeanWrapperImpl NPE in setWrappedInstance after invoking getPropertyValue (with SimpleBeanInfoFactory) #​29684
• SpEL ConstructorReference does not generate AST representation of arrays #​29666
• SpEL: Two double quotes are replaced by one double quote in single quoted String literal (and vice versa) #​29653
• SpEL string literal misses single quotation marks in toStringAST() #​29652
• 500 error from WebFlux when parsing Content-Type leads to InvalidMediaTypeException #​29637
• WebMvcConfigurationSupport should not catch Throwable for SourceHttpMessageConverter #​29537

📔 Documentation

• Update Jakarta Mail info in ref docs #​29708
• Improve documentation for literals in SpEL expressions #​29701
• Fix some typos in Kotlin WebClient example code #​29542
• Fix link to Bean Utils Light Library in BeanUtils Javadoc #​29536
• Fix link to WebFlux section in reference manual #​29526
• Link to Spring WebFlux section is broken #​29517

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.27 #​29798

v5.3.24

Compare Source

⭐ New Features

• Avoid reflection for annotation method invocations #​29448
• Avoid unnecessary allocations in StompDecoder#unescape #​29443
• Avoid String allocations in MediaType.checkParameters #​29428
• Reduce allocations caused by producible media types #​29412
• Provide optional SimpleBeanInfoFactory for better introspection performance in 5.3.x #​29330
• Filter out null WebSocket session attributes #​29315
• Introduce TestSocketUtils as a replacement for SocketUtils #​29132
• Avoid Commons Logging API for using LoggingCacheErrorHandler with a custom logger #​28678

🐞 Bug Fixes

• Missing SessionFactory property (filter AutoCloseable from PropertyDescriptors) #​29480
• SpEL ternary and Elvis expressions are missing enclosing parentheses in toStringAST() #​29463
• If-Unmodified-Since header check removes Last-Modified and Etag headers from response, even if condition passes #​29362
• Annotation searches fail for non-public repeatable annotations #​29301
• AbstractBeanFactory's interaction with BeanPostProcessorCacheAwareList is not fully thread-safe #​29299
• WebTestClient cannot assert custom HTTP status code #​29283
• Body token not expected error when trying to upload a large multipart file #​29227
• Avoid resizing of Maps created by CollectionUtils #​29190
• DefaultWebClient logging sensitive information in URI #​29148
• Fix SimpleMailMessage nullability annotations #​29139
• Webflux fails to apply the rule for controller methods returning void to kotlin suspend functions returning Unit #​27629
• Resource.isFile() return true when the resource path actually not exists #​26707
• AnnotatedElementUtils does not find merged repeatable annotations on other repeatable annotations #​20279

📔 Documentation

• Fix two typos in integration.adoc and webflux.adoc #​29469
• Fix typo: "as describe in" -> "as described in" #​29393
• Fix typos #​29364
• Correct documentation for "other return values" from a web controller method #​29349
• Document how to use WebJars without webjars-locator-core dependency #​29322
• Update RestTemplate Javadoc with regards to setting interceptors on startup vs at runtime #​29311
• Document how to switch to the default set of TestExecutionListeners #​29281
• Document limitation of AopTestUtils.getUltimateTargetObject() regarding non-static TargetSource #​29276
• Fix typo in WebSocket reference doc regarding subscription header #​29228
• Fix MockMvc sample setup #​29201

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.25 #​29464

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​sangmin7648
• @​izeye
• @​dreis2211
• @​catmug
• @​inabajunmr
• @​iamgd67
• @​davidcostanzo
• @​jprinet
• @​stgerhardt
• @​onobc
• @​vpavic

v5.3.23

Compare Source

⭐ New Features

• Introduce AnnotationUtils.isSynthesizedAnnotation(Annotation) #​29054
• Introduce createContext() factory method in AbstractGenericWebContextLoader #​28983
• Support TreeSet collection type in CollectionFactory.createCollection() without using reflection #​28949
• Document when RequestEntity.getUrl() throws an UnsupportedOperationException #​28930
• Deprecate NestedIOException #​28929
• Make isConnected() in WebSocketConnectionManager public #​28785
• Expose headers from STOMP RECEIPT frame to registered callbacks #​28715
• Make WebClientException serializable #​28321

🐞 Bug Fixes

• Ordering inconsistency with beans defined in parent context #​29105
• RelativeRedirectResponseWrapper does not commit response in sendRedirect #​29050
• MockServerContainerContextCustomizerFactory does not support @Nested tests #​29037
• Request to improve KotlinSerializationJsonHttpMessageConverter logic in RestTemplate #​29008
• WebFlux: multipart requests hang sometimes #​28963
• DataBufferUtils.write(Publisher, Path) loses context #​28933
• connectionTimeOut and readTimeout not working on UrlResource #​28909
• SockJsServiceRegistration#setSupressCors has a typo and should be deprecated #​28853
• RenderingResponse does not set status code on redirect views #​28839
• Avoid IllegalArgumentException when setting WebSocket error status #​28836
• Loss of context path after using ServerRequest.from #​28820
• ResponseCookie does not declare nullability annotations consistently for domain and path #​28780

📔 Documentation

• Fix typo in data-access section #​29048
• Correct description of @RequestParam with WebFlux #​28944
• Fix broken kdoc-api links in kotlin.adoc #​28908
• Fix typos in Javadoc of class AbstractEncoder #​28885
• Fix links in Javadoc and reference docs #​28876
• Add missing closing parenthesis in reference doc #​28867
• Fix typos in Javadoc, reference docs, and code #​28822
• Replace use of the <tt> HTML tag in Javadoc #​28819
• Fix broken link in rsocket documentation #​28817
• Clarify docs on JNDI properties in Servlet environment #​28488
• Improve documentation of Caching annotations #​28183

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.23 #​29129

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​boahc077
• @​1993heqiang
• @​luvarqpp
• @​arend-von-reinersdorff
• @​jensdietrich
• @​wilkinsona
• @​npriebe
• @​vpavic
• @​jupiterhub
• @​izeye
• @​napstr
• @​marcwrobel
• @​arvyy
• @​jbotuck
• @​chanhyeong
• @​yuezk
• @​edfeff
• @​adrianbob
• @​FlorianKirmaier
• @​meloning

v5.3.22

Compare Source

⭐ New Features

• Improve regex "." matching for URL paths #​28815
• Spring JDBC does not recognize LocalDate and LocalDateTime in javaType to sqlType Mapping #​28778
• ResolvableType.forInstance should return NONE for null instance #​28776
• Correctly identify MaxUploadSizeExceededException through keywords in message from Jetty 9.4.x #​28759
• Introduce StringUtils.trimAllWhitespace(CharSequence) #​28757
• Trim string input in Converters where whitespace is irrelevant #​28756
• Trim string input in PropertyEditors where whitespace is irrelevant #​28755
• Improve diagnostics for CGLIB ClassLoader issues on Java 9+ #​28747
• Create well-known non-interface types in CollectionFactory without using reflection #​28718
• Revise internals of LoggingCacheErrorHandler #​28672
• Simplify creation of LoggingCacheErrorHandler with logged stacktrace #​28670
• Fix DataSourceUtils inconsistent exception handling #​28669
• Introduce lenient parsing in DataSize regarding whitespace #​28643
• Support adding rather than replacing modules in Jackson2ObjectMapperBuilder #​28633
• Add MockMvcRequestBuilders.multipart(HttpMethod, String, Object...) #​28631
• Avoid parsing request body in DispatcherServlet for "parameters={masked}" log message #​28587
• Avoid synchronization in AbstractAspectJAdvice#calculateArgumentBindings #​26377

🐞 Bug Fixes

• WebFlux multipart temporary file not deleted when the client disconnects early #​28740
• Ensure channelExecutors and taskScheduler in STOMP WebSocket config are qualified #​28736
• MockHttpServletResponse addHeader does not allow Comment part with Set-Cookie header #​28730
• Meta-annotations are unnecessarily synthesized in MergedAnotations #​28704
• GenericApplicationContext does not honor ProtocolResolver when a resource loader is set via setResourceLoader() #​28703
• R2DBC: @Transactional(readOnly) is applied to the connection before the transaction has begun #​28610

📔 Documentation

• Fix Kotlin code snippets language #​28810
• Fix typos in reference docs and project documentation #​28805
• Fix and improve Javadoc in spring-beans and spring-aop #​28803
• Fix and improve Javadoc in spring-core and spring-context #​28802
• Fix and improve Javadoc in spring-messaging, spring-jms and spring-expression #​28800
• Fix and improve Javadoc in spring-r2dbc, spring-oxm, spring-orm and spring-jdbc #​28796
• Fix and improve Javadoc in spring-test #​28795
• Fix and improve Javadoc in spring-tx #​28794
• Fix and improve Javadoc in spring-web #​28791
• Fix and improve Javadoc in spring-webflux #​28790
• Fix and improve Javadoc in spring-webmvc #​28789
• Fix and improve Javadoc in spring-websocket #​28788
• Fix Kotlin example for defines a custom @Production #​28680
• Fix a typo in ResponseEntity documentation #​28647
• Document that Kotlin inline classes are not supported yet #​28642
• Refine @Required Kotlin documentation to use annotation use site targets #​28630
• Fix Kotlin example for @ComponentScan basePackages attribute #​28628
• Kotlin examples for setter injection incorrectly use field injection #​28596
• Fix expectations in MockMvc Kotlin documentation #​28301

🔨 Dependency Upgrades

• Update to Bouncycastle 1.71 #​28636
• Upgrade to Reactor 2020.0.21 #​28765

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jasonjiang9527
• @​izeye
• @​marcwrobel
• @​larsgrefer
• @​jprinet
• @​vikeychen
• @​kacperkrzyzak
• @​kevin0x90
• @​vpavic
• @​CodeInDreams
• @​4ra1n

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.