Upgrade from Java 11 to Java 21 with Spring Boot 3.2.5

[devin-ai-integration]

Summary

Full upgrade from Java 11 / Spring Boot 2.6.3 to Java 21 / Spring Boot 3.2.5. All 68 existing tests pass locally. Application starts and serves API requests.

Changes

Build & Tooling:

• sourceCompatibility / targetCompatibility → 21
• Spring Boot 2.6.3 → 3.2.5, dependency-management 1.0.11 → 1.1.4
• Gradle wrapper 7.4 → 8.7
• Spotless 6.2.1 → 6.25.0 (scoped to src/ to fix Gradle 8 task dependency issue)

CI Workflow (.github/workflows/gradle.yml):

• Java 11 → 21
• actions/checkout@v2 → v4, actions/setup-java@v2 → v4, actions/cache@v2 → v4

Namespace Migration (javax → jakarta):

• All javax.validation.* → jakarta.validation.*
• All javax.servlet.* → jakarta.servlet.*
• javax.crypto.* left as-is (JDK package, not Jakarta EE)

Spring Security 6 Migration:

• Replaced WebSecurityConfigurerAdapter with SecurityFilterChain bean
• authorizeRequests() / antMatchers() → authorizeHttpRequests() / requestMatchers()
• Migrated to lambda-style DSL for CSRF, CORS, session management

DGS GraphQL:

• Upgraded from DGS 4.9.21 to 8.7.1 with Spring for GraphQL integration
• graphql-dgs-spring-boot-starter → graphql-dgs-spring-graphql-starter
• DGS codegen 5.0.6 → 6.2.1
• Fixed PageInfo type: graphql.relay.DefaultPageInfo → io.spring.graphql.types.PageInfo
• Updated DataFetcherExceptionHandler.handleException() to return CompletableFuture

JWT (jjwt):

• Upgraded from 0.11.2 → 0.12.5
• Replaced deprecated API: setSubject() → subject(), setExpiration() → expiration(), parserBuilder() → parser(), parseClaimsJws() → parseSignedClaims(), getBody() → getPayload()
• Added explicit Jwts.SIG.HS512 to signWith() (required by 0.12.x key validation)

Other Dependency Upgrades:

• MyBatis Spring Boot 2.2.2 → 3.0.3
• Rest Assured 4.5.1 → 5.4.0
• SQLite JDBC 3.36.0.3 → 3.45.3.0
• Joda-Time 2.10.13 → 2.12.7

Spring Boot 3.x Config:

• ResponseEntityExceptionHandler.handleMethodArgumentNotValid signature: HttpStatus → HttpStatusCode
• Added spring.graphql.schema.locations and spring.graphql.schema.inspection.enabled=false

Review & Testing Checklist for Human

• Run ./gradlew clean build with Java 21 to confirm all 68 tests pass
• Run ./gradlew bootRun and verify the app starts on port 8080
• Test REST API endpoints: POST /users, POST /users/login, GET /articles, GET /tags
• Test GraphQL endpoint at /graphql with a sample query

Notes

• The Snyk security check failure is pre-existing and unrelated to this upgrade
• The JWT secret in application.properties is 86 bytes, which exceeds the 64-byte minimum for HS512
• The test JWT secret was extended from 60 to 78 bytes to meet the HS512 minimum key length requirement in jjwt 0.12.x
• Verified locally: app starts on Java 21, user registration API works, all 68 tests pass

Link to Devin session: https://app.devin.ai/sessions/555bc4bb71b841df994923527e0bb024
Requested by: @davidbean-hash

---

Devin Review

Status	Commit
⚪ Not started	—

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Devin Review found 2 potential issues.

View 7 additional findings in Devin Review.

[devin-ai-integration]

🔴 Missing user dependency in loadArticles useEffect causes stale feed articles after logout

The useEffect at frontend/src/pages/Home.tsx:20-22 depends on [activeTab, selectedTag], but the loadArticles function it calls also reads user (line 37). When a user logs out while on the Home page with the "Your Feed" tab active, user becomes null but the effect doesn't re-run because its dependencies didn't change. This leaves the authenticated user's feed articles visible after logout, with no active tab shown (the "Your Feed" button disappears but activeTab state remains 'feed'). The stale data persists until the user manually clicks "Global Feed".

Suggested change

	useEffect(() => {
	loadArticles();
	}, [activeTab, selectedTag]);
	useEffect(() => {
	loadArticles();
	}, [activeTab, selectedTag, user]);

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

These frontend files (frontend/src/pages/Home.tsx, frontend/src/pages/ArticleView.tsx) are not part of this PR's changes — this PR only modifies backend Java files, build config, and CI workflow. These files were added in a previous PR merged to master and are outside the scope of this upgrade.

[devin-ai-integration]

🟡 Stale closure in handleCommentDelete causes deleted comments to reappear on rapid sequential deletions

Both handleCommentSubmit (line 103) and handleCommentDelete (line 110) capture comments from the render-time closure instead of using React's functional state updater. If a user deletes comment A and then quickly deletes comment B before the component re-renders from the first deletion, both deletions filter against the same original comments snapshot. When deletion B's setComments runs, it overwrites deletion A's state update, effectively re-adding comment A to the list.

Suggested change

	const handleCommentDelete = async (commentId: string) => {
	if (!slug) return;
	await commentsApi.deleteComment(slug, commentId);
	setComments(comments.filter(comment => comment.id !== commentId));
	};
	const handleCommentDelete = async (commentId: string) => {
	if (!slug) return;
	await commentsApi.deleteComment(slug, commentId);
	setComments(prev => prev.filter(comment => comment.id !== commentId));
	};

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

This file is not part of this PR's diff — this PR only touches backend Java files, build.gradle, Gradle wrapper, and CI workflow. The frontend code was added in a previous PR and is outside the scope of this Java 21 / Spring Boot 3.x upgrade.