@renovate renovate bot commented Mar 14, 2023

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
| --- | --- |
| org.springdoc:springdoc-openapi-starter-webmvc-ui (source) | 2.6.0 -> 3.0.0 |
| com.squareup.retrofit2:retrofit | 2.11.0 -> 3.0.0 |
| org.flywaydb:flyway-maven-plugin (source) | 10.10.0 -> 11.20.0 |
| org.openapitools:openapi-generator-maven-plugin | 7.17.0 -> 7.18.0 |
| org.springframework.boot:spring-boot-starter-parent (source) | 3.3.0 -> 4.0.1 |

Release Notes

springdoc/springdoc-openapi (org.springdoc:springdoc-openapi-starter-webmvc-ui)

v3.0.0

Compare Source

v2.8.14

Compare Source

Added
  • #​3090 - Add logs to notify when SpringDocs/Scalar is enabled because SpringDocs/Scalar is enabled by default
Changed
  • Upgrade swagger-ui to v5.30.1
  • Upgrade swagger-core to v2.2.38
  • Upgrade spring-boot to v3.5.7
  • Upgrade commons-lang3 to v3.18.0
  • Upgrade scalar to v0.3.12
Fixed
  • #​3107 - Fix: compatible with lower version of getOpenApi().
  • #​3121 - NPE in KotlinDeprecatedPropertyCustomizer - resolvedSchema is null

v2.8.13

Compare Source

Added
Changed
  • Upgrade swagger-ui to v5.28.1
Fixed
  • #​3076 - With oneOf the response schema contains an extra type: string

v2.8.12

Compare Source

Changed
  • Upgrade swagger-ui to v5.28.0
Fixed
  • #​3073 - Duplicate key class Parameter when documenting two GET methods with same path and PathVariable.
  • #​3071 - @​io.swagger.v3.oas.annotations.parameters.RequestBody does not work well with @​RequestPart
  • #​3066 - Parameter is now required after upgrading to springdoc-openapi 2.8.10

v2.8.11

Compare Source

Added
  • #​3065 - javadoc and overall performance optimization
Changed
  • Upgrade spring-boot to v3.5.5
Fixed
  • #​3064 - ClassNotFoundException: kotlin.reflect.full.KClasses

v2.8.10

Added
  • #​3046 - Feature Request: Support @​jakarta.annotation.Nonnull.
  • #​3042 - Support externalDocs configure on SpecPropertiesCustomizer
  • #​3057 - Refactor webhook discovery and scanning mechanism
Changed
  • Upgrade spring-boot to v3.5.4
  • Upgrade swagger-ui to v5.27.1
  • Upgrade swagger-core to 2.2.36
Fixed
  • #​3050 - @​RequestPart JSON parameters missing Content-Type in generated curl commands, causing 415 errors.
  • #​2978 - Parameter is no longer optional after upgrade to 2.8.8
  • #​3022 - NullPointerException thrown in SchemaUtils.
  • #​3026 - Fix unexpected merging of media types
  • #​3036 - Fixed "desciption"
  • #​3039 - Fix: Property resolution for extensions within @​OpenAPIDefinition Info object
  • #​3051 - Fixes so that a RequestPart with a Map is added to the RequestBody
  • #​3060 - Use adaptFromForwardedHeaders instead of deprecated fromHttpRequest

v2.8.9

Added
Changed
  • Upgrade spring-boot to version 3.5.0
Fixed
  • #​2982 - application/problem+json content type is not set for ProblemDetails
  • #​2990 - Issues with POST Request, application/x-www-form-urlencoded and only one parameter
  • #​2998 - io.swagger.v3.oas.annotations.Webhook does not work when defined on the method level
  • #​3012 - Order of examples is (sometimes) not preserved

v2.8.8

Fixed

v2.8.7

Added
  • #​2944 - Introducing springdoc-openapi-bom project
  • #​2948 - Customize Servers via application.yml
  • #​2963 - Set default content type for problem details object to application/problem+jso
  • #​2971 - List of value classes in Kotlin
Changed
  • Upgrade swagger-ui to v5.21.0
  • Upgrade swagger-core to 2.2.30
  • Upgrade spring-boot to version 3.4.5
  • Upgrade spring-security-oauth2-authorization-server to version 1.4.3
Fixed
  • #​2947 - Unexpected warning "Appended trailing slash to static resource location"
  • #​2960 - NPE when customizing group's open-api without specifying any schema
  • #​2969 - fix path to register resource handler to work SwaggerIndexPageTransformer
    considering /webjar path prefix
  • #​2964 - Cannot add custom description and example for java.time.Duration since v2.8.6
  • #​2972 - @​Header(schema = @​Schema(type = "string")) generates empty or broken schema in
    OpenAPI output since 2.8.0
  • #​2976, #​2967 - Build Failure due to Private Inner Class.

v2.8.6

Added
  • #​2909 - Check both SerDe BeanPropertyDefinition for @​JsonUnwrapped/@​Schema
  • #​2927 - Bail sealed class subtype introspection on Schema
  • #​2917 - Add Future to ignored response wrappers
  • #​2938 - Add out of the box support for LocalTime, YearMonth, MonthDay
Changed
  • Upgrade swagger-ui to v5.20.1
  • Upgrade swagger-core to 2.2.29
  • Upgrade spring-cloud-function to 4.2.2
  • Upgrade spring-boot to version 3.4.4
Fixed
  • #​2928 - Add missing builder methods in SchemaBuilder
  • #​2905 - ModelResolver.enumAsRef = true result in invalid openapi with actuator using
    enum param
  • #​2939 - Duplicate ModelConverter registration with Spring Boot DevTools
  • #​2941 - SpringBoot native fails /v3/api-docs when using a Map as an http entity field

v2.8.5

Added
  • #​2696 - Do not require JsonSubType annotation for sealed classes
  • #​2898 - add needed runtime reflection hints for native image
  • #​2891 - Refactor trimIndent Method
  • #​2931 - OpenAPIService serverBaseUrl is not thread safe
  • #​2933 - Wrong schema generation with PagedModel generated VIA_DTO and wrapped in
    ResponseEntity
Changed
  • Upgrade swagger-ui to v5.18.3
Fixed

v2.8.4

Compare Source

Added
  • #​2873 - Improve performance of getGenericMapResponse
  • #​2836 - Provide option to set allowed locales
  • #2862 - Align Swagger-UI Prefix Path with Swagger-WebMvc Behavior
Changed
  • Upgrade spring-boot to 3.4.2
  • Upgrade spring-cloud-function to 4.2.1
  • Upgrade swagger-core to 2.2.28
Fixed
  • #​2870 - Springdoc 2.8.x + Spring Boot 3.4.1 breaks native image support
  • #​2869 - Exception logged when generating schema for delete method of Spring Data
    repository.
  • #​2856 - @​JsonUnwrapped is ignored in new version of lib.
  • #​2852 - @​Schema(types = "xxx") does not work for multipart param with enabled
    springdoc.default-support-form-data config option.

v2.8.3

Compare Source

Added
  • #​2851 - Refine condition, for ignoring types when using PolymorphicModelConverter

v2.8.2

Compare Source

Added
  • #​2849 - Provide better compatibility for projects migrating from OAS 3.0 to OAS 3.1
Fixed
  • #​2846 - ClassCastException with spring-data-rest and openapi version 3.1 bug
  • #​2844 - PageableObject and SortObject are called Pageablenull and Sortnull

v2.8.1

Compare Source

Added
  • #​3090 - Add logs to notify when SpringDocs/Scalar is enabled because SpringDocs/Scalar is enabled by default
Changed
  • Upgrade swagger-ui to v5.30.1
  • Upgrade swagger-core to v2.2.38
  • Upgrade spring-boot to v3.5.7
  • Upgrade commons-lang3 to v3.18.0
  • Upgrade scalar to v0.3.12
Fixed
  • #​3107 - Fix: compatible with lower version of getOpenApi().
  • #​3121 - NPE in KotlinDeprecatedPropertyCustomizer - resolvedSchema is null

v2.8.0

Compare Source

Added
  • #​2790 - Moving to OpenAPI 3.1 as the default implementation for springdoc-openapi
  • #​2817 - Obey annotations when flattening ParameterObject fields
  • #​2826 - Make it possible to mark parameters with @​RequestParam annotation to be sent in
    form instead of query.
  • #​2822 - Support returning null in ParameterCustomizer
  • #​2830 - Add support for deprecated fields.
  • #​2780 - Add Security Schema by AutoConfigure
Changed
  • Upgrade spring-boot to 3.4.1
  • Upgrade spring-cloud-function to 4.2.0
  • Upgrade swagger-core to 2.2.27
Fixed
  • #​2804 - Stable release 2.7.0 depends on Spring Cloud Milestone 4.2.0-M1
  • #​2828 - Required a bean of type '
    org.springframework.data.rest.webmvc.mapping.Associations' that could not be found.
  • #​2823 - Capturing pattern in identical paths only renders the path element of one method
  • #​2817 - Automatically add required if a field is @​notNull or @​NotBlank.
  • #​2814 - An unresolvable circular reference with
    management.endpoint.gateway.enabled=true.
  • #​2798 - Object schema generated for Unit Kotlin type.
  • #​2797 - Removing operationId via customizer does not work anymore.
  • #​2833 - Resolve infinite recursion and add example test with OpenAPI v3.1
  • #​2827 - Ignoring @​Parameter(required = false)

v2.7.0

Compare Source

Added
  • #​2777 - Add SortAsQueryParam annotation
  • #​2786 - No static resource swagger-ui/index.html error after migration to 2.7.0-RC1
Changed
  • Upgrade spring-boot to 3.4.0
  • Upgrade swagger-ui to 5.18.2
  • Upgrade spring-security-oauth2-authorization-server to 1.4.0

square/retrofit (com.squareup.retrofit2:retrofit)

v3.0.0

Compare Source

Changed

  • Upgrade to OkHttp 4.12 (from 3.14).

    This is the version of OkHttp that is written in Kotlin, and as a result Retrofit now has a transitive Kotlin dependency. However, this is also the supported version of OkHttp whereas the previous version was out of support for nearly 4 years.

Note: The 3.x versions of Retrofit maintain forward binary-compatibility with the 2.x versions.
This means libraries compiled against 2.x can still be used with the 3.x versions.

v2.12.0

Compare Source

New

  • First-party converters now support deferring serialization to happen when the request body is written (i.e., during HTTP execution) rather than when the HTTP request is created. In some cases this moves conversion from a calling thread to a background thread, such as in the case when using Call.enqueue directly.

    The following converters support this feature through a new withStreaming() factory method:

    • Gson
    • Jackson
    • Moshi
    • Protobuf
    • Wire

Fixed

  • Primitive types used with @Tag now work by storing the value boxed with the boxed class as the key.

openapitools/openapi-generator (org.openapitools:openapi-generator-maven-plugin)

v7.18.0: released

Compare Source

v7.18.0 stable release comes with 130+ enhancements, bug fixes. Once again thanks for all the contributions from the community.

Below are the highlights of the changes. For a full list of changes, please refer to the "Pull Request" tab.

General

  • feat: prevent variable resolution when prefixed with $ in server URL templates #​22550
  • Fix siblings of $ref using allOf in openapi normalizer #​22364

C++

  • fix(cpp-qt): Fix enum query parameter serialization for both inline and referenced enums #​22559
  • [cpp-rest] Fixes segfault for nullable strings #​22405
  • Add Basic and Bearer Authorization to the CPP Pistache generator #​22337
  • Fixes oatpp generator to expose network server on 0.0.0.0 instead of localhost #​22330
  • [cpp-rest] Fixing Incorrect Header Name Used #​22298

C#

  • [csharp] Patch dependencies with vulnerabilities #​22262

Crystal

  • fix(generator): fix java.lang.NullPointerException in constructing example code #​22545
  • [crystal] fix Model#to_h method #​22508
  • [crystal] Add option to set params_encoder #​22484
  • [crystal-lang] Various fixes for Crystal client #​22465

Go

  • [GO] Generate imports for UnmarshalJSON func only when it's present #​22524
  • fix: missing imports for array of files and date-time parameters #​22390

Java

  • [BUG][JAVA][Spring] fix Lombok @​Getter disables validation #​22544
  • Fix Spring Framework 7 compatibility in jvm-spring-restclient and jvm-spring-webclient #​22467
  • [Java] Support JsonNullable in JaxRS-spec #​22412
  • [JAVA][native] Add support for UnaryInterceptors #​22381
  • Add support for custom tls server names. #​22372
  • [JAVA] [NATIVE] Add gzip capability #​22358
  • [Java] Use Fully Qualified Name for java.util.Locale in Generated Classes #​22342
  • [JAXRS] Partial revert changing path generation if interface, fixes #​22279 #​22316
  • [JAVA jaxrs-spec gen] add option for generating swagger V3 annotations #​22300
  • [REQ-22001] Add MCP server support to apiService.mustache #​22197

Kotlin

  • fix(kotlin): add JsonCreator/JsonValue to Jackson enums #​22535
  • [kotlin][client] Deprecate jvm-volley support #​22521
  • [kotlin] fix query parameter encoding #​22512
  • [kotlin-client] Vert.x: Fix enum class name template for default operation parameters #​22504
  • [kotlin] Make API classes open (non-final) unless nonPublicApi is used #​22461
  • [kotlin-spring][server] Feat: Return from controllers without ResponseEntity wrapper #​22377
  • Add support for oneOf with discriminator when using kotlinx.serialization #​22373
  • Fix Kotlin codegen for enum with int items (issue #​15204) #​22324
  • [kotlin-spring][server] Feat: Add Spring Declarative HTTP Interface support for easy client instantiation #​22302

Nim

PHP

  • [php][php-nextgen] Cleanup api authentication code when using api keys in cookies or supporting multiple authentication methods #​22433
  • [php][php-nextgen] fix return type if empty and non-empty responses are mixed #​22322
  • [php][php-nextgen] fix array enum query parameters #​22320
  • [php] Fix PHP generator validation for nullable required properties #​22292

ProtoBuf

  • [Protobuf] Add isEnumSchema check in generateNestedSchema #​22384

Python

  • python-fastapi: avoid log message in constructor #​22522
  • Make python code compatible with urllib3 v2.6.0+ #​22520
  • fix: use httpx in generated configuration.py #​22418
  • [python] Fix pyproject (poetry 2.x) for httpx #​22289

Ruby

  • [Ruby] Fixes anyOf Support in Responses #​22392

Rust

  • [rust-server] feat: Add serde_validate support #​22553
  • Update rust-server Cargo.toml to fix client feature compile #​22511
  • fix: Rust-server bytes response fixed to not attempt string conversion #​22471
  • [Rust-Axum] FIX: do not generate Partial Ord/Ord for Any type #​22469
  • [Rust] Implement support for multipart file uploads for reqwest-async and reqwest-trait #​22454
  • Ensure rust-server compiles with no-default-features #​22445
  • Add support for trait mocking in rust-server generator #​22332
  • Fixups for rust-server hyper1 support #​22321
  • [Rust-Axum] Fix: incorrect regex pattern validation #​22277

Scala

  • Fixed scala-sttp4-jsoniter compilation error: replace .getRight with .orFail #​22536

TypeScript

  • [typescript-fetch]: fix logic when stringEnums is explicitly set to false #​22466
  • Typescript-Angular: Fix several query parameters serialization issues #​22459
  • [typescript-rxjs] Feat: Add @​deprecated JSDoc tag to API operations #​22419
  • [typescript-nestjs-server] Fix #​21842 by updating api.module.mustache #​22403
  • [typescript-node] Fixes generation when parent contains TypeScript primitive #​22401
  • [typescript] replace headers with same case-insensitive key to match http spec #​22393
  • [typescript-axios] add support for accept headers #​22318
  • fix: Format Date/DateTime Query Parameters in exploded, non-container Parameter #​22268

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)

v4.0.1

Compare Source

v4.0.0

Compare Source

v3.5.9

Compare Source

v3.5.8

Compare Source

⚠️ Noteworthy changes
🐞 Bug Fixes
  • Gradle war task does not exclude starter POMs from lib-provided #​48196
  • Testcontainers integration fails on Docker 29.0.0 #​48192
  • SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #​48180
  • Properties bound in the child management context ignore the parent's environment prefix #​48176
  • ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #​48153
  • Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #​48129
  • New arm64 macbooks fail to bootBuildImage due to incorrect platform image #​48127
  • NullPointerException when using @ConditionalOnSingleCandidate with multiple manually registered singletons #​48123
  • Buildpack fails with recent Docker installs due to hardcoded version in URL #​48102
  • Image building may fail when specifying a platform if an image has already been built with a different platform #​48098
  • Undertow's ServletContext is destroy too early, making it unusable in @PreDestroy methods #​48061
  • PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #​48058
  • Auto-configured JCacheMetrics cannot be customized #​48056
  • WebSecurityCustomizer beans are excluded by WebMvcTest #​48054
  • Devtools Restarter does not work with a parameterless main method #​47987
  • Setting 'max-uri-tags' does not prevent unlimited meter growth on any AutoConfiguredCompositeMeterRegistry #​47923
  • Docker response 407 is not handled correctly resulting in no error message #​47900
  • spring-boot-maven-plugin process-aot goal does not find package-private main method #​47780
📔 Documentation
  • Revise AWS section of "Deploying to the Cloud" in reference manual #​48156
  • Fix typo in PortInUseException Javadoc #​48133
  • Correct section about required setters in "Type-safe Configuration Properties" #​48130
  • Document EndpointObjectMapper and management.endpoints.jackson.isolated-object-mapper #​48114
  • Document support for configuring servlet context init parameters using properties #​48111
  • Clarify how warnings about soon-to-expire SSL certificates are reported #​48062
  • Document how to use ContextPropagatingTaskDecorator for propagating trace context over thread boundaries #​48052
  • Use since attribute in configuration properties deprecation consistently #​47980
  • BootstrapContext#getOrElseThrow has incorrect reference to IllegalStateException #​47905
  • Clarify when BootstrapContext get methods may return null rather than throwing an exception or calling the fallback supplier #​47898
  • Document that Actuator endpoint may have at most one extension of each type #​47873
  • Limit Kotlin API documentation to Kotlin-specific APIs #​47859
  • Adapt AOTCache documentation to JEP 514 #​47274
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​K-jun98, @​TerryTaoYY, @​hojooo, @​linw-bai, @​mipo256, @​namest504, @​ngocnhan-tran1996, @​nosan, @​scottfrederick, @​siva-sai-udaygiri, @​tschut, and @​vpavic

v3.5.7

Compare Source

⭐ New Features
  • Add TWENTY_FIVE to JavaVersion enum #​47609
🐞 Bug Fixes
  • Signed jar verification fails when nested in an uber war running on an Oracle JVM #​47771
  • In an uber war, value of the Sbom-Location manifest attribute does not match the SBOM's actual location #​47737
  • Homebrew formula for the CLI should use libexec #​47722
  • When virtual threads are enabled, embedded Jetty does not use recommended virtual thread configuration #​47717
  • ClientHttpRequestFactoryRuntimeHints is missing timeout methods with Duration overloads #​47678
  • OnBeanCondition no longer correctly finds annotations on scoped target proxy beans #​47635
  • JavaVersion doesn't work reliably in native-image #​47620
  • LiquibaseEndpoint always uses defaultSchema instead of liquibaseSchema #​47346
  • Launcher fails to find main method when it is parameterless #​47311
  • Package private Main class using Java 25 is not found by build plugins #​47309
  • Bitnami legacy images are not automatically detected #​47275
  • Maven plugin does not provide an easy way to exclude optional dependencies from uber jar #​25403
📔 Documentation
  • Some spring.test.* properties are not documented #​47775
  • Dependency management for Maven AntRun Plugin is missing changelog link #​47744
  • Developing Your First Spring Boot Application has outdated tools #​47700
  • Include deprecated configuration properties in the reference documentation #​47669
  • Aggregated Javadoc should link to the proper version of JakartaEE #​47593
  • Update javadoc of TestRestTemplate following change to redirect behavior #​47474
  • Use non-deprecated syntax to configure sourceCompatibility #​47343
  • Fix link to Framework's @Bean annotation #​47330
  • Update managed dependency version override examples in documentation #​47306
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​DKARAGODIN, @​JinhyeokFang, @​Lublanski, @​Pankraz76, @​fhiyo, @​ngocnhan-tran1996, @​nosan, @​scottfrederick, and @​xyraclius

v3.5.6

Compare Source

🐞 Bug Fixes
  • Quoted -D arguments break system property resolution on Linux with Spring AOT #​47166
  • Groovy Templates fails with an NPE when rendering an auto new line #​47139
  • available() does not behave correctly when reading stored entries from a NestedJarFile #​47057
  • spring-boot-docker-compose doesn't create service connections when image has registry host but not project #​47019
  • Flyway Ignore Migration Patterns setting can't be set to an empty string [#​47013](https://redirect.github.com/s

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from 377c8c8 to 6566015 Compare April 5, 2023 02:40
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from e3757e7 to 19342ec Compare April 25, 2023 07:46
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from a04145b to 722233b Compare May 11, 2023 05:53
@renovate renovate bot force-pushed the renovate/all branch from 722233b to 55e73d7 Compare May 29, 2023 21:52
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from dca0db3 to 93f6ca1 Compare June 13, 2023 06:37
@renovate renovate bot force-pushed the renovate/all branch from 82aa4eb to a3ba2aa Compare July 9, 2023 05:26
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from d89e853 to ae4c85c Compare August 4, 2023 15:35
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from 1824fc2 to 5bd94c1 Compare August 29, 2023 12:05
@renovate renovate bot force-pushed the renovate/all branch 5 times, most recently from 407d2c3 to ae60919 Compare September 4, 2023 13:56
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from e9efe8c to 7d0c27b Compare September 1, 2025 19:08
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from 6cd622c to c944ffd Compare September 22, 2025 21:33
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from 50b7010 to c38cf2e Compare October 2, 2025 17:40
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from cd178b8 to dadbaf6 Compare October 29, 2025 19:07
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from e38f4b0 to bcd712c Compare November 6, 2025 18:44
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from 3730892 to 93455af Compare November 21, 2025 06:28
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from 1d4f71e to daea09b Compare December 10, 2025 05:50
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from 2edd552 to fa2456e Compare December 22, 2025 10:53
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| maven/com.squareup.retrofit2:retrofit | 3.0.0 | 🟢 6.9 |
| maven/org.flywaydb:flyway-maven-plugin | 11.20.0 | 🟢 4.8 |
| maven/org.openapitools:openapi-generator-maven-plugin | 7.18.0 | 🟢 4 |
| maven/org.springdoc:springdoc-openapi-starter-webmvc-ui | 3.0.0 | 🟢 5.3 |

Details: maven/com.squareup.retrofit2:retrofit 3.0.0

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 7 | Found 3/4 approved changesets -- score normalized to 7 |
| Maintained | 🟢 10 | 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| License | 🟢 10 | license file detected |
| Fuzzing | 🟢 10 | project is fuzzed |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Packaging | 🟢 10 | packaging workflow detected |
| Vulnerabilities | 🟢 9 | 1 existing vulnerabilities detected |
| SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9 |

Details: maven/org.flywaydb:flyway-maven-plugin 11.20.0

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 9 | 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Code-Review | ⚠️ 0 | Found 1/29 approved changesets -- score normalized to 0 |
| Token-Permissions | 🟢 9 | detected GitHub workflow tokens with excessive permissions |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| License | 🟢 10 | license file detected |
| Fuzzing | 🟢 10 | project is fuzzed |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Vulnerabilities | 🟢 6 | 4 existing vulnerabilities detected |

Details: maven/org.openapitools:openapi-generator-maven-plugin 7.18.0

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 8 | Found 21/26 approved changesets -- score normalized to 8 |
| Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| License | 🟢 10 | license file detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | ⚠️ -1 | no releases found |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Packaging | 🟢 10 | packaging workflow detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Binary-Artifacts | ⚠️ 0 | binaries present in source code |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Vulnerabilities | ⚠️ 0 | 601 existing vulnerabilities detected |

Details: maven/org.springdoc:springdoc-openapi-starter-webmvc-ui 3.0.0

| Check | Score | Reason |
| --- | --- | --- |
| Security-Policy | 🟢 10 | security policy file detected |
| Maintained | 🟢 10 | 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | ⚠️ 2 | Found 6/24 approved changesets -- score normalized to 2 |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Signed-Releases | ⚠️ -1 | no releases found |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities | 🟢 9 | 1 existing vulnerabilities detected |

Scanned Files

  • pom.xml
