Upgrade Spring Boot 2.6.3 → 3.3.13 (incremental migration)#349
Open
devin-ai-integration[bot] wants to merge 7 commits into master from
- Spring Boot 2.6.3 -> 2.7.18
- Gradle 7.4 -> 8.5 (required for JDK 21 support)
- dependency-management plugin 1.0.11 -> 1.0.15
- MyBatis starter 2.2.2 -> 2.3.2
- DGS 4.9.21 -> 4.10.3
- jjwt 0.11.2 -> 0.11.5
- SQLite JDBC 3.36.0.3 -> 3.42.0.1
- rest-assured 4.5.1 -> 5.2.0
- Lombok 1.18.30 (explicit, for JDK 21 compatibility)

Co-Authored-By: Doris Tian <doristian23@gmail.com>

- Spring Boot 2.7.18 -> 3.0.13
- Java source/target 11 -> 17
- dependency-management plugin 1.0.15 -> 1.1.4
- DGS codegen plugin 5.0.6 -> 5.12.4
- DGS framework 4.10.3 -> 6.0.5 (platform BOM)
- MyBatis starter 2.3.2 -> 3.0.3
- jjwt 0.11.5 -> 0.12.3 (new builder API)
- Migrate javax.validation -> jakarta.validation
- Migrate javax.servlet -> jakarta.servlet
- Replace WebSecurityConfigurerAdapter with SecurityFilterChain bean
- Replace antMatchers with requestMatchers (Spring Security 6)
- Replace authorizeRequests with authorizeHttpRequests
- Update jjwt API: setSubject -> subject, setExpiration -> expiration, parserBuilder -> parser, parseClaimsJws -> parseSignedClaims
- Use SHA-512 digest for signing key to ensure minimum key size
- Fix GraphQL PageInfo type to use DGS-generated types
- Fix CustomizeExceptionHandler for HttpStatusCode parameter

Co-Authored-By: Doris Tian <doristian23@gmail.com>

- Spring Boot 3.0.13 -> 3.1.12
- DGS platform 6.0.5 -> 7.6.0
- MyBatis starter 3.0.3 -> 3.0.4
- rest-assured 5.2.0 -> 5.3.2

Co-Authored-By: Doris Tian <doristian23@gmail.com>

- Spring Boot 3.1.12 -> 3.2.12
- DGS platform 7.6.0 -> 8.7.1
- Update GraphQLCustomizeExceptionHandler for DGS 8.x API changes (onException -> handleException returning CompletableFuture)

Co-Authored-By: Doris Tian <doristian23@gmail.com>

- Spring Boot 3.2.12 -> 3.3.7
- dependency-management plugin 1.1.4 -> 1.1.6
- DGS platform 8.7.1 -> 9.1.2
- jjwt 0.12.3 -> 0.12.6
- joda-time 2.10.13 -> 2.12.7
- SQLite JDBC 3.42.0.1 -> 3.46.1.0

Co-Authored-By: Doris Tian <doristian23@gmail.com>

- JDK 11 -> JDK 17 (required for Spring Boot 3.x)

Co-Authored-By: Doris Tian <doristian23@gmail.com>
- Spring Boot 3.3.7 -> 3.3.13
- Fixes CVE-2025-22228 (CRITICAL): Authentication Bypass in spring-security-crypto
- Fixes CVE-2025-24813 (HIGH): Path Equivalence in tomcat-embed-core
- Fixes CVE-2025-31650 (HIGH): Improper Cleanup in tomcat-embed-core
- Fixes CVE-2025-48988 (HIGH): Resource allocation in tomcat-embed-core
- Fixes CVE-2025-49124 (HIGH): Untrusted Search Path in tomcat-embed-core
- Fixes CVE-2025-41234 (MEDIUM): HTTP Response Splitting in spring-web
- Fixes multiple other Tomcat and Spring Security CVEs

Co-Authored-By: Doris Tian <doristian23@gmail.com>
Summary
Incremental Spring Boot upgrade performed in 7 steps, with all 68 tests passing at each step:
- javax.* → jakarta.*, Spring Security 6 migration, jjwt 0.12.x API migration
- DataFetcherExceptionHandler.onException → handleException (returns CompletableFuture)

Key migrations:

- javax.validation.* / javax.servlet.* → jakarta.* across 16 files
- WebSecurityConfigurerAdapter, replaced with SecurityFilterChain bean; antMatchers → requestMatchers; authorizeRequests → authorizeHttpRequests
- setSubject → subject, parserBuilder → parser, parseClaimsJws → parseSignedClaims, etc. + SHA-512 key derivation to meet minimum key size requirement
- DefaultPageInfo → DGS-generated PageInfo type with builder pattern; exception handler returns CompletableFuture

Updates since last revision

security/snyk still reports 1 failure (not a required check). Remaining CVEs (e.g. in tomcat-embed-core, spring-beans, spring-core) require Spring Boot 3.4.x, which is outside the 3.3.x upgrade target. These should be tracked as follow-up work.

Review & Testing Checklist for Human

- DefaultJwtService.java: The secret is now hashed with SHA-512 before creating the HMAC key, instead of using raw bytes directly. This will invalidate all existing JWTs in any deployed environment. Verify this is acceptable, or plan a token rotation/migration strategy.
- WebSecurityConfig.java: Verify the requestMatchers rules match the previous antMatchers behavior exactly — particularly the ordering of /articles/feed (authenticated) vs /articles/** (permitAll), and that GraphQL endpoints remain accessible.
- ArticleDatafetcher.java, CommentDatafetcher.java: The DGS-generated PageInfo uses hasPreviousPage/hasNextPage vs the old hasPrevious/hasNext. Verify downstream consumers (frontend) expect these field names.
- ./gradlew test was run. Recommend starting the app locally and hitting a few REST + GraphQL endpoints to confirm runtime behavior.

Notes
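The jjwt 0.12.x API migration and the SHA-512 key derivation from the checklist, written out as an added example (this is not the PR's DefaultJwtService.java): it mints a token under the old raw-bytes key and shows it being rejected under the derived key, which is the "invalidates all existing JWTs" effect reviewers are asked to weigh. The class name, sample secret, user id and TTL are constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Date;
import javax.crypto.SecretKey;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

public class JwtKeyMigrationDemo {
    // Constructed sample secret (hypothetical); a real service reads it from configuration.
    private static final String SECRET = "example-secret-that-is-at-least-thirty-two-bytes-long";
    // Post-migration key as the PR describes it: SHA-512 of the secret gives a 64-byte
    // key, which satisfies the HS512 minimum key size that jjwt enforces.
    static SecretKey derivedKey(String secret) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-512").digest(secret.getBytes(StandardCharsets.UTF_8));
        return Keys.hmacShaKeyFor(digest);
    }

    // Pre-migration style: the raw secret bytes were used as the HMAC key directly.
    static SecretKey rawKey(String secret) {
        return Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    // jjwt 0.12.x builder API: subject()/expiration() replace setSubject()/setExpiration().
    static String issue(SecretKey key, String userId, long ttlSeconds) {
        return Jwts.builder().subject(userId)
                .expiration(Date.from(Instant.now().plusSeconds(ttlSeconds)))
                .signWith(key).compact();
    }

    // jjwt 0.12.x parser API: parser()/verifyWith()/parseSignedClaims() replace
    // parserBuilder()/setSigningKey()/parseClaimsJws(); getPayload() replaces getBody().
    static String subjectOf(SecretKey key, String token) {
        return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload().getSubject();
    }

    public static void main(String[] args) throws Exception {
        SecretKey oldKey = rawKey(SECRET);
        SecretKey newKey = derivedKey(SECRET);
        System.out.println("new-key token verifies: " + subjectOf(newKey, issue(newKey, "user-123", 3600)));
        try {
            subjectOf(newKey, issue(oldKey, "user-123", 3600)); // minted under the old key
        } catch (JwtException e) {
            // The "invalidates all existing JWTs" effect the review checklist calls out.
            System.out.println("old-key token rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Running this with jjwt 0.12.x on the classpath prints the subject for the new-key token and a SignatureException for the old-key one; a deployment that cannot accept that cut-over needs a dual-key verification window or a forced re-login.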
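The requestMatchers ordering the checklist asks reviewers to verify, as an added example rather than the PR's WebSecurityConfig.java. Only /articles/feed and /articles/** come from the PR description; the stateless session and CSRF settings, the /graphql path and the class name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // Spring Security 6 style: a SecurityFilterChain bean replaces WebSecurityConfigurerAdapter.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Assumed stateless JWT API: no server session and no CSRF token.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top to bottom and the first matcher that matches wins.
                // If the permitAll wildcard came first, GET /articles/feed would be served to
                // anonymous callers, so the specific authenticated rule must precede it.
                .requestMatchers(HttpMethod.GET, "/articles/feed").authenticated()
                .requestMatchers(HttpMethod.GET, "/articles/**").permitAll()
                // Assumed GraphQL endpoint path; the checklist only says it must stay reachable.
                .requestMatchers("/graphql").permitAll()
                // Anything not listed above requires authentication.
                .anyRequest().authenticated());
        return http.build();
    }
}
```

The check the checklist asks for is a MockMvc test that requests /articles/feed without credentials and expects a non-2xx status, then requests a public article path and expects success; swapping the two requestMatchers lines makes the first assertion fail.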