feat: upgrade Spring Boot 3.5 → 4.0.6 (Spring 7, Jackson 2.21, GWT 2.13)#3672
Open
luis100 wants to merge 1 commit into
Open
feat: upgrade Spring Boot 3.5 → 4.0.6 (Spring 7, Jackson 2.21, GWT 2.13)#3672luis100 wants to merge 1 commit into
luis100 wants to merge 1 commit into
Conversation
Spring Boot 4.0.6 brings Spring Framework 7.0.7, Jackson 2.21.2, and a reorganised auto-configuration package structure. Key changes: Dependency bumps (pom.xml): - spring-boot: 3.5.14 → 4.0.6 - spring: 6.2.18 → 7.0.7 - jackson: 2.20.1 → 2.21.2 - gwt: 2.12.2 → 2.13.0 - logback: 1.5.25 → 1.5.32 - mockito: 5.18.0 → 5.20.0 - pekko: stays at 1.4.0 - Remove explicit jakarta.servlet-api / jakarta.persistence-api overrides (Spring Boot 4 BOM manages these correctly) - Remove separate jackson-bom import (Spring Boot 4 BOM covers it) Import path migrations (Spring Boot 4 moved packages): - EntityScan: o.s.boot.autoconfigure.domain → o.s.boot.persistence.autoconfigure - ServletComponentScan: o.s.boot.web.servlet → o.s.boot.web.server.servlet.context - CookieSameSiteSupplier: o.s.boot.web.servlet.server → o.s.boot.web.server.servlet - Security auto-config excludes switched to excludeName= string literals (class refs no longer resolvable at compile time in Boot 4 module structure) Pbkdf2PasswordEncoderImpl: Pbkdf2PasswordEncoder is no longer extendable in Spring Security 6.4+; reimplemented to directly implement PasswordEncoder using the same PBKDF2WithHmacSHA512 logic, preserving hash compatibility. FindRequest: added public no-arg constructor + setters alongside the existing @JsonDeserialize(builder=...) to satisfy Jackson 2.21 strict mode when the builder pattern is not honoured by the deserialization path. All 233 CI (travis group) integration tests pass. E2E API tests pass (4/4). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dosubot
Bot
added
size:L
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Spring Boot 4.0.6 upgrade, bringing Spring Framework 7.0.7, Jackson 2.21.2, and GWT 2.13.0.
Dependency bumps
Removed explicit
jakarta.servlet-api,jakarta.persistence-api, andjackson-bomoverrides — the Spring Boot 4 BOM manages these correctly.Import path migrations
Spring Boot 4 reorganised several auto-configuration packages:
EntityScan:o.s.boot.autoconfigure.domain→o.s.boot.persistence.autoconfigureServletComponentScan:o.s.boot.web.servlet→o.s.boot.web.server.servlet.contextCookieSameSiteSupplier:o.s.boot.web.servlet.server→o.s.boot.web.server.servlet@SpringBootApplication(exclude=...)class refs replaced withexcludeName=string literals (class locations changed in Boot 4 module structure)Pbkdf2PasswordEncoderImplPbkdf2PasswordEncoderis no longer extendable in Spring Security 6.4+. Reimplemented as a directPasswordEncoderimplementation using the samePBKDF2WithHmacSHA512logic — hash output is identical, existing stored hashes remain valid.FindRequestAdded public no-arg constructor + setters alongside the existing
@JsonDeserialize(builder=...)to satisfy Jackson 2.21 strict deserialization paths. The builder is still used by Jackson 2 via the annotation; the setters are a fallback for paths that bypass it.Test plan
mvn test -Pcore -Dtestng.groups=travis)mvn test -f roda-api-tests/pom.xml) — see PR fix(e2e): fix GET request NPE and deserialization errors in roda-api-tests #3671mvn package -Pcore -DskipTests)🤖 Generated with Claude Code