Update vulnerable Spring framework packages [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.boot:spring-boot-starter-data-jpa (source)	2.4.5 -> 2.5.12
org.springframework:spring-webmvc	5.3.6 -> 5.3.18
org.springframework:spring-context	5.3.6 -> 5.3.18
org.springframework:spring-web	5.3.6 -> 5.3.18

This PR upgrades one or more Spring framework packages to fix a critical vulnerability.

---

Release Notes

spring-projects/spring-boot

v2.5.12

🐞 Bug Fixes

• MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath #​30456

📔 Documentation

• Javadoc of org.springframework.boot.gradle.plugin.ResolveMainClassName.setClasspath(Object) is inaccurate #​30468
• Document that @DefaultValue can be used on a record component #​30460

🔨 Dependency Upgrades

• Upgrade to Jackson Bom 2.12.6.20220326 #​30477
• Upgrade to Spring Framework 5.3.18 #​30491

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​quaff
• @​eddumelendez
• @​candrews

v2.5.11

⭐ New Features

• Add EIGHTEEN to JavaVersion enum #​29524

🐞 Bug Fixes

• Thymeleaf auto-configuration in a reactive application can fail due to duplicate templateEngine beans #​30384
• ConfigurationPropertyName#equals is not symmetric when adapt has removed trailing characters from an element #​30317
• server.tomcat.keep-alive-timeout is not applied to HTTP/2 #​30267
• Setting spring.mustache.enabled to false has no effect #​30250
• bootWar is configured eagerly #​30211
• Actuator @ReadOperation on Flux cancels request after first element emitted #​30095
• No metrics are bound for R2DBC ConnectionPools that have been wrapped #​30090
• Unnecessary allocations in Prometheus scraping endpoint #​30085
• Condition evaluation report entry for a @ConditionalOnSingleCandidate that does not match due to multiple primary beans isn't as clear as it could be #​30073
• Generated password are logged without an "unsuitable for production use" note #​30061
• Files in META-INF are not found when deploying a Gradle-built executable war to a servlet container #​30026
• spring-boot-configuration-processor fails compilation due to @DefaultValue with a long value and generates invalid metadata for byte and short properties with out-of-range default values #​30020
• Dependency management for Netty tcNative is incomplete leading to possible version conflicts #​30010
• Dependency management for Apache Kafka is incomplete #​29023

📔 Documentation

• Fix JsonSerializer example in reference guide #​30329
• Default value of spring.thymeleaf.reactive.media-types is not documented #​30280
• Add Netty in "Enable HTTP Response Compression" #​30234
• Fix typo #​30118
• Remove non-existent spring.data.cassandra.connection.connection-timeout property from the documentation #​30074
• Use Gradle's task configuration avoidance APIs in the Gradle Plugin's reference docs #​30056
• Polish web examples in reference doc #​30027
• Improve property placeholder documentation to mention environment variables and default values #​30012
• Use Gradle's task configuration avoidance APIs in the main reference docs #​30000
• Document how to access the H2 Console in a secured web application #​29932
• Add links to Spring Boot for Apache Geode to the reference documentation #​29697
• Include default Dev Tools properties in the reference documentation #​29406
• Document the WebSocket-related exclusions that are required to use Jetty 10 #​29275
• Clarify type matching that is performed when using @MockBean and @SpyBean #​28656
• Add documentation for spring.profiles.include #​28451
• Document the scalar types supported by MapBinder #​27581
• Document when config data properties are invalid #​25849
• Document how to rely on ServletContext with an embedded container setup #​24561
• Clarify that build plugins or the CLI does not have an auto-compile feature #​17851
• Document how to structure configurations so that @Bean methods are included in slice tests #​16088

🔨 Dependency Upgrades

• Upgrade to Couchbase Client 3.1.8 #​30221
• Upgrade to Dropwizard Metrics 4.1.31 #​30222
• Upgrade to Groovy 3.0.10 #​30223
• Upgrade to Hibernate Validator 6.2.3.Final #​30224
• Upgrade to Lettuce 6.1.8.RELEASE #​30336
• Upgrade to Log4j2 2.17.2 #​30225
• Upgrade to Logback 1.2.11 #​30226
• Upgrade to Micrometer 1.7.10 #​30171
• Upgrade to Netty 4.1.75.Final #​30227
• Upgrade to Netty tcNative 2.0.51.Final #​30228
• Upgrade to R2DBC Bom Arabba-SR13 #​30337
• Upgrade to Reactor 2020.0.17 #​30169
• Upgrade to Spring AMQP 2.3.15 #​30173
• Upgrade to Spring Data 2021.0.10 #​30172
• Upgrade to Spring Framework 5.3.17 #​30170
• Upgrade to Spring Integration 5.5.10 #​30175
• Upgrade to Spring Kafka 2.7.12 #​30351
• Upgrade to Spring Retry 1.3.2 #​30229
• Upgrade to Spring WS 3.1.3 #​30174
• Upgrade to Tomcat 9.0.60 #​30230

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​izeye
• @​stokpop
• @​larsgrefer
• @​wonwoo
• @​abelsromero
• @​fml2
• @​hak7a3
• @​octylFractal
• @​hpoettker
• @​62mkv
• @​PPakSang
• @​m-semnani

v2.5.10

🐞 Bug Fixes

• Default JmxAutoConfiguration changes JConsole hierarchy for multi-property @ManagedResource object names #​29953
• The active profiles log message is ambiguous when a profile's name contains a comma #​29896
• Failed application contexts are not deregistered from SpringApplicationShutdownHook #​29874
• Gradle Plugin triggers eager configuration of some tasks #​29762
• MimeMapping for ots has a trailing space in its mime type #​29746
• Dependency management for Liquibase does not include its liquibase-cdi module #​29676
• Ignore invalid stream types when reading log update events #​29675
• bootJar, bootRun, and bootWar do not pick up changes to the main source set's runtime classpath that are made after Boot's plugin has been applied #​29672
• @SpyBean causes BeanCurrentlyInCreationException when there are circular references #​29639
• server.tomcat.use-relative-redirects=true not honored when server.forward-headers-strategy=framework #​29333
• A fat jar built with Gradle moves META-INF beneath BOOT-INF/classes while Maven leaves it at the jar's root #​28562

📔 Documentation

• bootRun example should use mainClass, rather than main which was deprecated in Gradle 7.1 #​29965
• Rectify incorrect sanitizing regex example provided in how-to docs #​29951
• "Customizing the Banner" should make it more obvious that any environment property can be used #​29931
• Update javadoc to reflect move from WebSecurityConfigurerAdapter to SecurityFilterChain #​29900
• Link directly to the Integration Properties section of the appendix when cross-referencing Kafka properties #​29758
• Add documentation for WebMvc.fn #​29683
• Move appendix subsections under appendix section #​29667
• In Gradle plugin docs, replace classifier (deprecated) with archiveClassifier in examples #​29611
• Clarify relation of import path to resultant properties in configtree import data #​29606
• Upgrade version of gradle-git-properties in reference doc #​29535
• Rename Boxfuse to CloudCaptain #​29523
• Provide some guidance on identifying and resolving Devtools classloading issues #​29438
• Warn about the dangers of early bean initialization when using @ConditionalOnExpression #​29276
• Document that placeholders in @DefaultValue annotations are not resolved #​23164

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 5.16.4 #​29925
• Upgrade to AppEngine SDK 1.9.95 #​29926
• Upgrade to Dropwizard Metrics 4.1.30 #​29768
• Upgrade to Glassfish JAXB 2.3.6 #​29769
• Upgrade to Hibernate Validator 6.2.2.Final #​29770
• Upgrade to Jetty 9.4.45.v20220203 #​29771
• Upgrade to Jetty Reactive HTTPClient 1.1.11 #​29927
• Upgrade to Johnzon 1.2.16 #​29772
• Upgrade to Json-smart 2.4.8 #​29773
• Upgrade to Micrometer 1.7.9 #​29708
• Upgrade to Neo4j Java Driver 4.2.9 #​29774
• Upgrade to Netty 4.1.74.Final #​29775
• Upgrade to Netty tcNative 2.0.50.Final #​29973
• Upgrade to Postgresql 42.2.25 #​29777
• Upgrade to Reactor 2020.0.16 #​29707
• Upgrade to SLF4J 1.7.36 #​29778
• Upgrade to Spring Batch 4.3.5 #​29714
• Upgrade to Spring Data 2021.0.9 #​29711
• Upgrade to Spring Framework 5.3.16 #​29709
• Upgrade to Spring Integration 5.5.9 #​29962
• Upgrade to Spring Kafka 2.7.11 #​29712
• Upgrade to Spring LDAP 2.3.6 #​29710
• Upgrade to Spring Security 5.5.5 #​29713
• Upgrade to Spring Session 2021.0.5 #​29715
• Upgrade to Thymeleaf 3.0.15.RELEASE #​29779
• Upgrade to Tomcat 9.0.58 #​29780
• Upgrade to Undertow 2.2.16.Final #​29781

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​dreis2211
• @​UbaidurRehman1
• @​mhalbritter
• @​quaff
• @​axelfontaine
• @​lachlan-roberts
• @​aahlenst
• @​jvalkeal
• @​mihailcornescu
• @​izeye
• @​larsgrefer
• @​halcyon22
• @​polarbear567
• @​gcoppex
• @​terminux

v2.5.9

🐞 Bug Fixes

• ConfigurationPropertySources.attach will always reattach when called multiple times #​29409
• 'spring.config.import' placeholders can resolve from profile-specific documents when they should fail #​29386
• Embedded launch script fails if jar is owned by an unknown user #​29370
• Maven repackaging of a jar with a deeply nested package is prohibitively slow #​29175
• @SpringBootTest does not use spring.main.web-application-type properties declared in test resource files #​29169
• Warning from AprLifecycleListener when using Tomcat Native and Tomcat 9.0.55 or later #​28814

📔 Documentation

• Clarify documentation for RestTemplate customization #​29394
• Refer to Maven Resolver rather than Aether #​29255

🔨 Dependency Upgrades

• Upgrade to HttpCore5 5.1.3 #​29334
• Upgrade to Infinispan 12.1.11.Final #​29335
• Upgrade to Jaybird 4.0.5.java8 #​29336
• Upgrade to JBoss Logging 3.4.3.Final #​29337
• Upgrade to Lettuce 6.1.6.RELEASE #​29338
• Upgrade to Log4j2 2.17.1 #​29183
• Upgrade to Logback 1.2.10 #​29339
• Upgrade to MariaDB 2.7.5 #​29496
• Upgrade to Maven Jar Plugin 3.2.2 #​29340
• Upgrade to Micrometer 1.7.8 #​29310
• Upgrade to MySQL 8.0.28 #​29464
• Upgrade to Netty 4.1.73.Final #​29341
• Upgrade to Netty tcNative 2.0.47.Final #​29465
• Upgrade to Pooled JMS 1.2.3 #​29466
• Upgrade to R2DBC Bom Arabba-SR12 #​29391
• Upgrade to Reactor 2020.0.15 #​29309
• Upgrade to SLF4J 1.7.33 #​29392
• Upgrade to Spring AMQP 2.3.14 #​29312
• Upgrade to Spring Data 2021.0.8 #​29311
• Upgrade to Spring Framework 5.3.15 #​29326
• Upgrade to Spring HATEOAS 1.3.7 #​29352
• Upgrade to Spring Integration 5.5.8 #​29314
• Upgrade to Spring Kafka 2.7.10 #​29313
• Upgrade to Spring REST Docs 2.0.6.RELEASE #​29321

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​izeye
• @​dreis2211
• @​jprinet

v2.5.8

🐞 Bug Fixes

• DatabaseInitializationDependencyConfigurer triggers eager initialization of factory beans #​28977
• App fails to start when it depends on thymeleaf-extras-springsecurity5 but does not have Spring Security on the classpath #​28967
• Platform used for Quartz, Session, Integration, and Batch schema initialization cannot be configured #​28932
• Image buildpack references without tag do not default to latest version #​28921
• The getter and setter that's used during configuration property binding varies when a getter or setter has been overridden to use a subclass of the property's type #​28917
• Invalid classpath index manifest attribute in war files built with Maven #​28895
• The name of the matching-strategy property is incorrect in the action message of the failure analysis for a PatternParseException #​28809
• Dependency management for org.elasticsearch.distribution.integ-test-zip:elasticsearch should declare its type as zip #​28725

📔 Documentation

• Polish Creating Your Own Auto-configuration section in Core Features reference doc #​29115
• Polish CacheManager customization section in reference doc #​29094
• Document that using DevTools with a remote application is not supported with WebFlux #​28955
• 2.5.x snapshot documentation links to source code on the main branch #​28856
• Polish README.adoc #​28835
• Fix output of "spring --version" in reference documentation #​28831
• Fix typos in the "External Application Properties" section #​28830
• Improve deprecation notice on ResourceProperties to direct people to WebProperties for dependency injection and then getResources() #​28762
• Add a package description for org.springframework.boot.actuate.metrics.data #​28756

🔨 Dependency Upgrades

• Upgrade to AppEngine SDK 1.9.93 #​29038
• Upgrade to Caffeine 2.9.3 #​29039
• Upgrade to DB2 JDBC 11.5.7.0 #​29117
• Upgrade to Dropwizard Metrics 4.1.29 #​29118
• Upgrade to Ehcache3 3.9.9 #​29119
• Upgrade to Hazelcast 4.1.8 #​29145
• Upgrade to Hibernate 5.4.33 #​29120
• Upgrade to HttpAsyncClient 4.1.5 #​29043
• Upgrade to HttpCore 4.4.15 #​29044
• Upgrade to Infinispan 12.1.10.Final #​29121
• Upgrade to Jackson Bom 2.12.6 #​29045
• Upgrade to JDOM2 2.0.6.1 #​29046
• Upgrade to Kotlin 1.5.32 #​29047
• Upgrade to Log4j2 2.17.0 #​28983
• Upgrade to Logback 1.2.9 #​29011
• Upgrade to Micrometer 1.7.7 #​28962
• Upgrade to Netty 4.1.72.Final #​29004
• Upgrade to Reactor 2020.0.14 #​28960
• Upgrade to Spring AMQP 2.3.13 #​28994
• Upgrade to Spring Framework 5.3.14 #​28961
• Upgrade to Spring Integration 5.5.7 #​28966
• Upgrade to Spring LDAP 2.3.5 #​28963
• Upgrade to Spring Security 5.5.4 #​28964
• Upgrade to Spring Session 2021.0.4 #​28965
• Upgrade to Spring WS 3.1.2 #​29048
• Upgrade to Thymeleaf 3.0.14.RELEASE #​29049
• Upgrade to Tomcat 9.0.56 #​29050
• Upgrade to Undertow 2.2.14.Final #​29051
• Upgrade to XmlUnit2 2.8.4 #​29123

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​asa1997
• @​vashisthabhinav
• @​An1s9n
• @​copbint
• @​charissathomas
• @​jprinet
• @​mikrethor
• @​fml2
• @​polarbear567
• @​terminux

v2.5.7

🐞 Bug Fixes

• Dependency management for JSTL is out of date #​28659
• JUnit annotations may prevent a test context from being cached #​28565
• Avoid duplicate AOP proxy class definition with FilteredClassLoader #​28531
• Profiles added using @ActiveProfiles have different precedence #​28530
• Logback should default to JVM's default charset instead of ASCII #​28486
• When a parent context has method validation configuration, it isn't auto-configured in its child contexts #​28479
• Prometheus actuator endpoint should produce a text/plain response unless application/openmetrics-text is explicitly accepted #​28446

📔 Documentation

• Fix "Configure Two DataSources" example #​28712
• Update URL for GraphQL Spring Boot starter #​28683
• Fix @deprecated and @see in org.springframework.boot.loader.archive.Archive's javadoc #​28680
• Configuration sample in reference doc has wrong yaml formatting #​28671
• Fix yaml sample format in reference doc #​28670
• Fix typo in "Ant-style path matching" #​28549
• Change description of property "logging.logback.rollingpolicy.max-history" to match Logback documentation #​28466
• Improve documentation on using an embedded ActiveMQ broker #​28434
• Don't use markdown syntax in javadoc or error messages #​28424

🔨 Dependency Upgrades

• Upgrade to AppEngine SDK 1.9.92 #​28556
• Upgrade to Gson 2.8.9 #​28557
• Upgrade to Hazelcast 4.1.6 #​28558
• Upgrade to Johnzon 1.2.15 #​28559
• Upgrade to Kafka 2.7.2 #​28694
• Upgrade to Logback 1.2.7 #​28695
• Upgrade to Micrometer 1.7.6 #​28511
• Upgrade to Neo4j Java Driver 4.2.8 #​28717
• Upgrade to Netty 4.1.70.Final #​28560
• Upgrade to Netty tcNative 2.0.46.Final #​28718
• Upgrade to Reactor 2020.0.13 #​28509
• Upgrade to Spring AMQP 2.3.12 #​28600
• Upgrade to Spring Batch 4.3.4 #​28250
• Upgrade to Spring Data 2021.0.7 #​28512
• Upgrade to Spring Framework 5.3.13 #​28510
• Upgrade to Spring HATEOAS 1.3.6 #​28609
• Upgrade to Spring Integration 5.5.6 #​28513
• Upgrade to Spring Kafka 2.7.9 #​28539
• Upgrade to Tomcat 9.0.55 #​28696

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​izeye
• @​ghusta
• @​dreis2211
• @​jzheaux
• @​phxql
• @​polarbear567
• @​vpavic
• @​weixsun
• @​slowjoe007
• @​ledoyen

v2.5.6

🐞 Bug Fixes

• Misleading failure analysis when jOOQ's DSLContext is unavailable due to R2DBC taking precedence over JDBC #​28379
• When lazy initialization is enabled, JMX endpoints are not available #​28371
• JarFileWrapper may cause many FinalReferences causing GC pressure #​28356
• Flattened VCAP_SERVICES properties are not sanitized by default #​28353
• MeterValue with "d" suffix not parsed as Duration for timer #​28351
• CachingOperationInvoker cache can consume a significant amount of heap space #​28347
• Devtools restart fails with in-memory R2DBC database and SQL initialization scripts #​28345
• ActiveMQ starter depends on org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec #​28340
• spring-boot-starter-oauth2-client has an unnecessary dependency on com.sun.mail:jakarta.mail #​28333
• Layertools extract does not preserve last modified and last access times #​28190
• NumberFormatException when configuring spring.rabbitmq.addresses with an IPv6 address #​28134
• Broken content negotiation for OpenMetrics #​28130

📔 Documentation

• Fix typo in EnvironmentPostProcessor's class-level javadoc #​28382
• Remove obsolete info about Spring Integration's metrics support #​28375
• Update docs to be explicit about dot notation being correctly mapped #​28201
• Section 4.4 File Rotation mentions the wrong configuration file name for Log4j2 #​28193
• Update Javadoc with note mentioning that class using ConstructorBinding must be enabled using annotations #​28171
• Make it clearer that, when using @AutoConfigureTestEntityManager outside of @DataJpaTest, any tests using the test entity manager must be @Transactional #​28159

🔨 Dependency Upgrades

• Upgrade to Dropwizard Metrics 4.1.26 #​28280
• Upgrade to Ehcache3 3.9.7 #​28394
• Upgrade to HttpCore5 5.1.2 #​28281
• Upgrade to Jaybird 4.0.4.java8 #​28282
• Upgrade to Jetty 9.4.44.v20210927 #​28283
• Upgrade to Lombok 1.18.22 #​28284
• Upgrade to Micrometer 1.7.5 #​28242
• Upgrade to MySQL 8.0.27 #​28395
• Upgrade to Netty 4.1.69.Final #​28360
• Upgrade to Netty tcNative 2.0.44.Final #​28285
• Upgrade to Postgresql 42.2.24 #​28286
• Upgrade to R2DBC Bom Arabba-SR11 #​28287
• Upgrade to Reactor 2020.0.12 #​28240
• Upgrade to SendGrid 4.7.6 #​28396
• Upgrade to Spring AMQP 2.3.11 #​28245
• Upgrade to Spring Data 2021.0.6 #​28244
• Upgrade to Spring Framework 5.3.12 #​28241
• Upgrade to Spring HATEOAS 1.3.5 #​28243
• Upgrade to Spring Integration 5.5.5 #​28249
• Upgrade to Spring Kafka 2.7.8 #​28246
• Upgrade to Spring Security 5.5.3 #​28247
• Upgrade to Spring Session 2021.0.3 #​28248
• Upgrade to Tomcat 9.0.54 #​28288
• Upgrade to Undertow 2.2.12.Final #​28289
• Upgrade to XmlUnit2 2.8.3 #​28397

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​dreis2211
• @​dvonsegg
• @​kandulsh
• @​artembilan
• @​fml2
• @​polarbear567
• @​inomag
• @​martin-v

v2.5.5

🐞 Bug Fixes

• Actuator endpoints do not sanitize SPRING_APPLICATION_JSON by default #​28081
• Startup failure due to non-empty schema when using Flyway and Spring Integration's DataSource initialization #​28079
• Web MVC metrics may have the wrong status when a filter throws an exception other than NestedServletException #​28069
• Embedded Undertow throws MalformedURLException when archive filename contains characters that are reserved in a URL #​28032
• Concurrent image builds cause error deleting builder image #​27993
• War deployment in standalone Tomcat causes memory leak (Metaspace) #​27987
• IndexOutOfBoundsException when running a Zip64 jar file larger than 4,294,967,295 bytes #​27900
• Azure App Service is not correctly detected on Windows #​27819
• @MockBean combined with @Repeat results in "the field cannot have an existing value" error #​27798
• NullPointerException in RoutingDataSourceHealthContributor when a routing data source has a target with a null routing key #​27698

📔 Documentation

• Document that devtools restart doesn't work when using AspectJ weaving #​28083
• Default value for spring.data.elasticsearch.client.reactive.endpoints is not documented #​28072
• Clarify Selenium auto-configuration requires HtmlUnit #​27943
• Document that spring-boot-starter-parent configures Java compilation to use -parameters #​27885
• Fix inconsistent devtools doc #​27876
• Fix typo in javadoc #​27873
• Document how to parameterize output directory for REST Docs with WebTestClient #​27803
• Document support for Java 17 #​26767

🔨 Dependency Upgrades

• Upgrade to Ehcache3 3.9.6 #​27974
• Upgrade to Glassfish EL 3.0.4 #​27975
• Upgrade to Groovy 3.0.9 #​27976
• Upgrade to Gson 2.8.8 #​27977
• Upgrade to Jackson Bom 2.12.5 #​27978
• Upgrade to Jetty EL 9.0.52 #​27979
• Upgrade to jOOQ 3.14.15 #​28088
• Upgrade to Kotlin 1.5.31 #​28089
• Upgrade to Kotlin Coroutines 1.5.2 #​27982
• Upgrade to Lettuce 6.1.5.RELEASE #​28031
• Upgrade to Logback 1.2.6 #​27983
• Upgrade to Maven War Plugin 3.3.2 #​27984
• Upgrade to Micrometer 1.7.4 #​27916
• Upgrade to Netty 4.1.68.Final #​27985
• Upgrade to Netty tcNative 2.0.43.Final #​27986
• Upgrade to Reactor 2020.0.11 #​27914
• Upgrade to SendGrid 4.7.5 #​28109
• Upgrade to Spring Data 2021.0.5 #​27917
• Upgrade to Spring Framework 5.3.10 #​27915
• Upgrade to Spring HATEOAS 1.3.4 #​27970
• Upgrade to Spring Integration 5.5.4 #​27949
• Upgrade to Spring Kafka 2.7.7 #​27918
• Upgrade to Tomcat 9.0.53 #​27963

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​dreis2211
• @​quaff
• @​thegeekyasian
• @​jdubois
• @​brneto
• @​hpoettker
• @​polarbear567
• @​cdalexndr

v2.5.4

🐞 Bug Fixes

• spring-boot-configuration-metadata leaks enforced dependency constraints into consuming builds #​27730
• Potential NPE in TomcatMetricsBinder.findContext() #​27616
• Cyclic bean definition when a Spring Data repository is a dependency of a MeterBinder #​27591
• spring-boot:build-image hangs when exceptions are thrown during upload #​27535
• WebTestClientContextCustomizerFactory causes an IllegalStateException when WebClient is on the classpath without a supported HTTP client #​27527
• spring.security.dispatcher-types is not applied to Spring Security's filter when running in a separate management context #​27505
• A URI with non-alpha characters in its scheme is not sanitized #​27488

📔 Documentation

• Mention productionRuntimeClasspath in Gradle plugin's documentation #​27620
• Fix typo in javadoc #​27618

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 5.16.3 #​27742
• Upgrade to AppEngine SDK 1.9.91 #​27743
• Upgrade to Cassandra Driver 4.11.3 #​27674
• Upgrade to Couchbase Client 3.1.7 #​27675
• Upgrade to Ehcache3 3.9.5 #​27676
• Upgrade to Glassfish JAXB 2.3.5 #​27677
• Upgrade to Hazelcast 4.1.5 #​27744
• Upgrade to Hazelcast Hibernate5 2.2.1 #​27678
• Upgrade to Janino 3.1.6 #​27679
• Upgrade to Logback 1.2.5 #​27680
• Upgrade to MariaDB 2.7.4 #​27681
• Upgrade to Maven Enforcer Plugin 3.0.0 #​27682
• Upgrade to Micrometer 1.7.3 #​27601
• Upgrade to MIMEPull 1.9.15 #​27683
• Upgrade to Netty 4.1.67.Final #​27745
• Upgrade to Nimbus JOSE JWT 9.10.1 #​27701
• Upgrade to OAuth2 OIDC SDK 9.9.1 #​27700
• Upgrade to Reactor 2020.0.10 #​27600
• Upgrade to SendGrid 4.7.4 #​27684
• Upgrade to Spring Data 2021.0.4 #​27633
• Upgrade to Spring Integration 5.5.3 #​27604
• Upgrade to Spring Kafka 2.7.6 #​27602
• Upgrade to Spring Security 5.5.2 #​27603
• Upgrade to Spring Session 2021.0.2 #​27605
• Upgrade to Tomcat 9.0.52 #​27685
• Upgrade to Undertow 2.2.10.Final #​27686

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​billyto
• @​izeye
• @​dreis2211
• @​wuwen5
• @​hpoettker

v2.5.3

⭐ New Features

• Add Java 17 to JavaVersion enum #​26769

🪲 Bug Fixes

• DataSourceBuilder throws an UnsupportedDataSourcePropertyException when trying to derive a DataSource from an unknown DataSource type #​27453
• DatabaseInitializerDetector and DependsOnDatabaseInitializationDetector implementations may be instantiated with the wrong ClassLoader #​27422
• YamlPropertySourceLoader may not use the right ClassLoader to check if SnakeYAML is present #​27419
• Setting Gson as preferred mapper breaks controller methods returning JSON Strings #​27361
• Dependency management for Prometheus's Pushgateway is incomplete #​27349
• Exception thrown from /actuator/configprops endpoint when spring.config.import=configtree:xxxx is used #​27346
• Layers configuration XSD is not available #​27321
• Redis health indicators report that Redis is up when the cluster's state is fail #​27304
• App fails to start when using Spring Batch with JDBC and lazy initialization is enabled #​27221
• Spring Session JDBC does not work when lazy initialization is enabled #​27220
• AbstractDataSourceInitializers are not detected as database initializers #​27215
• Optional file search locations with pattern throws exception if not present #​27211
• File named "config" in working directory causes IllegalStateException #​27210
• Live Reload using Devtools no longer connects #​27205
• Live Reload using Devtools no longer connects [#​27204](https://togithub

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.