Skip to content

Bump spring.version from 7.0.7 to 7.0.8#1507

Merged
rowleya merged 1 commit into
masterfrom
dependabot/maven/spring.version-7.0.8
Jun 16, 2026
Merged

Bump spring.version from 7.0.7 to 7.0.8#1507
rowleya merged 1 commit into
masterfrom
dependabot/maven/spring.version-7.0.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps spring.version from 7.0.7 to 7.0.8.
Updates org.springframework:spring-framework-bom from 7.0.7 to 7.0.8

Release notes

Sourced from org.springframework:spring-framework-bom's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-test from 7.0.7 to 7.0.8

Release notes

Sourced from org.springframework:spring-test's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.springframework:spring-webmvc from 7.0.7 to 7.0.8

Release notes

Sourced from org.springframework:spring-webmvc's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Include zone ID in CronTrigger's equals/hashCode implementations #36871
  • Expose ClassLoader from DefaultDeserializer #36833
  • Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
  • Track operations during SpEL expression evaluation #36801
  • Ensure getters have non-void return types in SpEL #36800
  • Avoid too many character access attempts in AntPathMatcher #36799
  • Refine default view name resolution #36793
  • Refine Jackson JMS converters #36791
  • Improve ABNF rule checks in RfcUriParser #36787
  • Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
  • Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
  • Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
  • Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
  • Improve error messages in SpEL #36756
  • Improve pattern caching in SpEL #36755
  • Avoid ResolvableType#forType contention for implicit cache cleanup #36745
  • Switch to JdkIdGenerator for WebSocket Sessions #36740
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
  • LiteWebJarsResourceResolver does not resolve directories #36726
  • Warn against unsafe static resource locations in MVC and WebFlux #36692
  • Consistent compatibility with Woodstox as an alternative to Xerces #36682
  • Improve principal checks for SockJS session #36681
  • Set host header consistently in STOMP relay CONNECT frames #36673
  • Support Micrometer context propagation in Kotlin Flow #36667
  • Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits
  • 9e8cea3 Release v7.0.8
  • 2c18c33 Track operations during SpEL expression evaluation
  • 83667f8 Ensure getters have non-void return types in SpEL
  • 7a8917b Improve additional error messages in SpEL
  • 7baa865 Further improve pattern caching in SpEL
  • 12b44f2 Avoid too many character access attempts in AntPathMatcher
  • e8f1024 Ensure consistent JSP tag attribute processing
  • a1826b7 Refine JavaScriptUtils#javaScriptEscape
  • 7add524 Prevent special prefixes in default view name resolution
  • 9bec52b Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

@dependabot dependabot Bot added bug Something isn't working dependabot Automatic PR by dependabot labels Jun 15, 2026
@dependabot dependabot Bot requested review from Christian-B and rowleya as code owners June 15, 2026 13:43
@dependabot dependabot Bot added bug Something isn't working dependabot Automatic PR by dependabot labels Jun 15, 2026
@coveralls

coveralls commented Jun 15, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 36.263% (+0.04%) from 36.227% — dependabot/maven/spring.version-7.0.8 into master

Bumps `spring.version` from 7.0.7 to 7.0.8.

Updates `org.springframework:spring-framework-bom` from 7.0.7 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v7.0.7...v7.0.8)

Updates `org.springframework:spring-test` from 7.0.7 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v7.0.7...v7.0.8)

Updates `org.springframework:spring-webmvc` from 7.0.7 to 7.0.8
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v7.0.7...v7.0.8)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework:spring-test
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework:spring-webmvc
  dependency-version: 7.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/spring.version-7.0.8 branch from 5844917 to 4c41859 Compare June 15, 2026 14:09
@rowleya rowleya enabled auto-merge June 15, 2026 14:10
@rowleya rowleya added this pull request to the merge queue Jun 15, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot attempted to update this pull request, but because the branch dependabot/maven/spring.version-7.0.8 is protected it was unable to do so.

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Jun 15, 2026
@rowleya rowleya added this pull request to the merge queue Jun 16, 2026
Merged via the queue into master with commit 0b1170c Jun 16, 2026
14 of 15 checks passed
@dependabot dependabot Bot deleted the dependabot/maven/spring.version-7.0.8 branch June 16, 2026 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working dependabot Automatic PR by dependabot

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants