Skip to content

Update maven#103

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-main/maven
Open

Update maven#103
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-main/maven

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 18, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.projectlombok:lombok (source) 1.18.421.18.46 age adoption passing confidence
com.fasterxml.jackson.core:jackson-databind (source) 2.20.22.21.2 age adoption passing confidence
io.projectreactor.netty:reactor-netty 1.3.31.3.5 age adoption passing confidence
org.springframework:spring-context 7.0.57.0.7 age adoption passing confidence
org.springframework:spring-webflux 7.0.57.0.7 age adoption passing confidence
org.springframework:spring-web 7.0.57.0.7 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Spring Framework Improper Path Limitation with Script View Templates

CVE-2026-22737 / GHSA-4773-3jfm-qmx3

More information

Details

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux has Server Sent Event stream corruption

CVE-2026-22735 / GHSA-6hcq-hmm3-jj3c

More information

Details

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring Framework DoS with Multipart Temp Files in WebFlux

CVE-2026-22740 / GHSA-5843-p793-ghmm

More information

Details

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.

Older, unsupported versions are also affected.

Severity

  • CVSS Score: 0.0 / 10 (None)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources

CVE-2026-22745 / GHSA-6p4f-wcwh-5vvm

More information

Details

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

  • the application is using Spring MVC or Spring WebFlux
  • the application is serving static resources from the file system
  • the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

CVE-2026-22741 / GHSA-wg35-8jpf-2xv3

More information

Details

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Severity

  • CVSS Score: 0.0 / 10 (None)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

projectlombok/lombok (org.projectlombok:lombok)

v1.18.46

Compare Source

v1.18.44

reactor/reactor-netty (io.projectreactor.netty:reactor-netty)

v1.3.5

Compare Source

Reactor Netty 1.3.5 is part of 2025.0.5 Release Train.

What's Changed
✨ New features and improvements
🐞 Bug fixes
New Contributors

Full Changelog: reactor/reactor-netty@v1.3.4...v1.3.5

v1.3.4

Compare Source

Reactor Netty 1.3.4 is part of 2025.0.4 Release Train.

What's Changed
✨ New features and improvements
🐞 Bug fixes

Full Changelog: reactor/reactor-netty@v1.3.3...v1.3.4

spring-projects/spring-framework (org.springframework:spring-context)

v7.0.7

Compare Source

⭐ New Features

  • Improve SpringValidatorAdapter and MethodValidationAdapter performance #​36621
  • Support JSON array decoding to Flux in KotlinSerializationJsonDecoder #​36597
  • Deprecate methodIdentification() in CacheAspectSupport for removal #​36575
  • Add MockRestServiceServer#createServer variant for RestClient #​36572
  • Create RestClientXhrTransport variant replacing RestTemplateXhrTransport #​36566
  • Improve error handling in multipart codecs #​36563
  • Make ApplicationListenerMethodAdapter#getTargetMethod() public #​36558
  • ApiVersionConfigurer.setSupportedVersionPredicate() returns void instead of ApiVersionConfigurer #​36551
  • LazyConnectionDataSourceProxy does not work well with Hibernate's multi-tenancy by schema strategy #​36527
  • Add registerManagedResource variant with bean key argument to MBeanExporter #​36520
  • Handle blank Accept-Language header in AcceptHeaderLocaleResolver #​36513
  • Make AbstractStreamingClientHttpRequest and AbstractBufferingClientHttpRequest public #​36501
  • MySQL Error 149 (Galera/WSREP conflict) not translated to ConcurrencyFailureException in Spring JDBC/ORM #​36499
  • Add PreFlightRequestFilter #​36482
  • Support configuration of extension context scope for SpringExtension via Spring or JUnit properties #​36460
  • Lower log level of "Cache miss for REQUEST dispatch" in HandlerMappingIntrospector #​36309

🐞 Bug Fixes

  • WebDataBinder unnecessarily instantiates collections when using the "!" and "_" prefixes #​36625
  • Cache pollution from high-cardinality FieldError default messages in MessageSourceSupport #​36609
  • MergedAnnotation does not use ClassLoader for method or field #​36606
  • @Sql fails if DataSource is wrapped in a TransactionAwareDataSourceProxy #​36611
  • AnnotatedTypeMetadata no longer retains source declaration order on Java 24+ #​36598
  • MergedAnnotation.asMap() fails when an attribute references a non-existent class #​36586
  • FileSystemResource does not strictly follow the Resource#isReadable() contract #​36584
  • Converter overrides in HttpMessageConverters only apply when defaults are registered #​36579
  • Invalid method return type metadata for ClassFile variant on JDK 24+ #​36577
  • Fix Writer lifecycle for AbstractJsonHttpMessageConverter.writeInternal(Object, Type, Writer) #​36565
  • Flushing-related regression in SseServerResponse #​36537
  • LazyConnectionDataSourceProxy does not pass on holdability to target Connection #​36528
  • AnnotationBeanNameGenerator fails when an annotation references a non-existent class #​36524
  • Perserve default API version in RestClientAdapter #​36514
  • Inconsistent codings resolution in resource resolvers #​36507
  • DefaultJmsListenerContainer may hang in an endless loop in doShutdown #​36506
  • Query not hidden in DefaultClientResponse checkpoint #​36502
  • RestClient closes stream for ResponseEntity responses #​36492
  • IllegalStateException when using websocket handshake headers with Tomcat #​36486
  • Invalid nullness information for ParameterizedTypeReference #​36477
  • WebTestClient cannot assert null list elements #​36476
  • Handle Kotlin nullable value class param correctly in CoroutineUtils #​36449
  • Remove RFC 2047 encoding from Content-Disposition filename #​36328

📔 Documentation

  • Clarify semantics of HttpMethod.valueOf() #​36652
  • Document whitespace semantics in SpEL expressions #​36628
  • Document that spring.profiles.active is ignored by @ActiveProfiles #​36600
  • MergedAnnotation.asAnnotationAttributes() Javadoc incorrectly states that it creates an immutable map #​36567
  • Fix incorrect Javadoc in HandlerMethodReturnValueHandlerComposite regarding caching #​36555
  • Fix incorrect method name in TypeDescriptor.array() Javadoc #​36549
  • Introduce Kotlin examples for Bean Overrides (@MockitoBean, etc.) #​36541
  • Fix incorrect cross-reference links in AbstractEnvironment Javadoc #​36516
  • Document RetryTemplate#invoke variants in reference manual #​36452
  • Link observability section to Micrometer Observation Handler docs #​34994

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Mohak-Nagaraju, @​Sineaggi, @​T45K, @​angry-2k, @​bebeis, @​cookie-meringue, @​dmitrysulman, @​elgunshukurov, @​itsmevichu, @​junhyung8795, @​msridhar, @​nameearly, @​tobifasc, and @​xxxxxxjun

v7.0.6

Compare Source

⚠️ Attention Required

  • Log warning when default context configuration is ignored within test class hierarchies #​36390
  • Ignore flush calls on ServletServerHttpResponse body outputstream #​36385

⭐ New Features

  • Leverage ResourceHandlerUtils in ScriptTemplateView #​36458
  • Restore ScriptTemplateViewTests #​36456
  • Fix log message in ConfigurationClassBeanDefinitionReader #​36453
  • DefaultResponseErrorHandler - setMessageConverters() not called via RestClient #​36434
  • Resolve context initializers only once in AbstractTestContextBootstrapper #​36430
  • Invoke resolveContextLoader() only once in AbstractTestContextBootstrapper #​36425
  • Further align synthesized annotation toString() with modern JDKs #​36417
  • Introduce setDefaultCharset() in AbstractResourceBasedMessageSource #​36413
  • Support for JPA 4.0 flush mode "explicit" #​36401
  • Support application-wide defaultHtmlEscape setting in WebFlux RequestContext #​36400
  • Support Predicate<RequestPath>> in path API version resolver #​36398
  • Avoid duplicate flushes in HttpMessageConverter implementations #​36383
  • Add support for non-flushing OutputStream to StreamUtils #​36382
  • Make it easier to get InputStream from RestClient #​36380
  • RuntimeHintsWriter should comply with reachability-metadata-schema-v1.2.0.json #​36379
  • Make it easier to create custom HttpExchangeAdapter #​36374
  • Improve ResourceHttpMessageConverter target type support #​36368
  • org.springframework.test.web.servlet.assertj.AbstractHttpServletResponseAssert#headers case sensitivity #​36349
  • Allow registering serialized lambda metadata through RuntimeHints #​36339
  • Refactor calculateHashCode in RequestMappingInfo #​36325

🐞 Bug Fixes

  • MetadataReader misses enclosing class name for Kotlin nested classes with Java 24+ #​36451
  • Guard against invalid id/event values in Server Sent Events #​36440
  • Component scanning fails against non-loadable annotation type with enum array on Java 25 #​36432
  • Duplicate ServletServerHttpRequest headers #​36418
  • Incomplete debug message in ConfigurationClassBeanDefinitionReader #​36410
  • Inconsistent ApplicationEventMulticaster state after removing ApplicationListener implemented by FactoryBean #​36404
  • Propagate max frame length to WebSocket session #​36370
  • Graceful shutdown of SimpleAsyncTaskExecutor #​36362
  • Duplicate response headers with ResponseEntity<Mono<T>> (or Kotlin suspend function) controller method #​36357
  • HttpServiceProxyFactory returns LinkedHashMap instead of target type for method with generic return type #​36326
  • HttpMediaTypeException thrown when calculating compatible media types #​36300

📔 Documentation

  • Document FullyQualifiedConfigurationBeanNameGenerator in Javadoc and reference docs #​36455
  • Document @Fallback alongside Primary in the reference manual and @Bean Javadoc #​36439
  • Fix links to UriComponentsBuilder and polish examples #​36403
  • Emphasize @Configuration classes over XML and Groovy in testing chapter #​36393
  • Document tips to avoid issues with ignored default context configuration in tests #​36392
  • Polish SpEL operator examples in reference docs #​36367
  • Add programmatic configuration tabs in the transactional refdoc #​36323
  • Document registration recommendations for BeanPostProcessor and BeanFactoryPostProcessor #​34964

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​AgilAghamirzayev, @​aavoronin93, @​cetf9h, @​froggy0m0, @​gbouwen, @​husseinvr97, @​jisub-dev, @​ngocnhan-tran1996, @​siom79, and @​xxxxxxjun

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the branch:main label Mar 18, 2026
@renovate renovate Bot requested a review from lis0x90 as a code owner March 18, 2026 12:53
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Mar 18, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot force-pushed the renovate-main/maven branch 3 times, most recently from afe1867 to 1705506 Compare March 24, 2026 13:50
@renovate renovate Bot force-pushed the renovate-main/maven branch 2 times, most recently from 95124f4 to 2c4143e Compare April 2, 2026 08:59
@renovate renovate Bot force-pushed the renovate-main/maven branch from 2c4143e to 099e68d Compare April 8, 2026 19:10
@renovate renovate Bot changed the title chore(deps): update maven Update maven Apr 8, 2026
@renovate renovate Bot force-pushed the renovate-main/maven branch 2 times, most recently from 1131d34 to 9103052 Compare April 17, 2026 14:49
@renovate renovate Bot force-pushed the renovate-main/maven branch from 9103052 to 051aa7d Compare April 29, 2026 18:56
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 29, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot added the security label May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lis0x90 lis0x90 Awaiting requested review from lis0x90 lis0x90 is a code owner

Assignees

@lis0x90 lis0x90

Labels

branch:main group:maven manager:maven renovate:core security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lis0x90