Skip to content

Comments

chore: Java 17 migration (Phases 1-3) - build config, CI, and dependency upgrades#351

Open
devin-ai-integration[bot] wants to merge 2 commits intomasterfrom
feature/java-17-migration
Open

chore: Java 17 migration (Phases 1-3) - build config, CI, and dependency upgrades#351
devin-ai-integration[bot] wants to merge 2 commits intomasterfrom
feature/java-17-migration

Conversation

@devin-ai-integration
Copy link

@devin-ai-integration devin-ai-integration bot commented Feb 12, 2026

Java 17 Migration (Phases 1-3)

Summary

Migrates the project from Java 11 to Java 17, upgrading Spring Boot from 2.6.3 → 2.7.18 and all major dependencies. Includes source code fixes required by breaking API changes in JJWT 0.12.x and Netflix DGS 5.5.1.

Build config changes (build.gradle, .github/workflows/gradle.yml):

  • Java source/target compatibility: 11 → 17
  • Spring Boot: 2.6.3 → 2.7.18
  • DGS codegen plugin: 5.0.6 → 6.0.3
  • Netflix DGS: 4.9.21 → 5.5.1 (+ forced graphql-java:19.2 to resolve federation compatibility)
  • JJWT: 0.11.2 → 0.12.5
  • MyBatis: 2.2.2 → 2.3.2, Joda-Time: 2.10.13 → 2.12.7, SQLite JDBC: 3.36.0.3 → 3.45.0.0
  • REST Assured: 4.5.1 → 5.4.0 (with explicit rest-assured-common and spring-commons to prevent Spring BOM downgrade)
  • CI pipeline: JDK 11 → JDK 17

Source code fixes:

  • DefaultJwtService: migrated from deprecated JJWT 0.11 API (parserBuilder, setSubject, parseClaimsJws, getBody) to 0.12 API (parser, subject, parseSignedClaims, getPayload). Switched key creation from SecretKeySpec + SignatureAlgorithm.HS512 to Keys.hmacShaKeyFor().
  • ArticleDatafetcher / CommentDatafetcher: replaced graphql.relay.DefaultPageInfo with DGS-generated io.spring.graphql.types.PageInfo to fix type incompatibility introduced by DGS 5.5.1.

Review & Testing Checklist for Human

  • JWT algorithm change (HIGH RISK): Keys.hmacShaKeyFor() auto-selects HMAC algorithm based on key byte length (HS256 for 32-47 bytes, HS384 for 48-63, HS512 for 64+). The old code hardcoded HS512. Verify the production jwt.secret value is ≥64 bytes, otherwise the signing algorithm silently downgrades and all existing tokens become invalid after deployment.
  • DGS + graphql-java version mismatch: DGS 5.5.1 officially targets graphql-java 18.x, but we force 19.2 to satisfy federation-graphql-java-support. Test GraphQL queries/mutations manually to ensure no runtime issues.
  • Run the app locally (./gradlew bootRun) and verify REST API endpoints work (e.g., curl http://localhost:8080/tags, user registration/login, article CRUD).
  • Verify pagination in GraphQL responses — the PageInfo type change affects hasPreviousPage/hasNextPage field names.

Notes


Open with Devin

devin-ai-integration bot and others added 2 commits February 12, 2026 11:42
- Update Java source/target compatibility from 11 to 17
- Upgrade Spring Boot from 2.6.3 to 2.7.18
- Upgrade Netflix DGS codegen plugin from 5.0.6 to 6.0.3
- Upgrade Netflix DGS from 4.9.21 to 5.5.1
- Upgrade MyBatis from 2.2.2 to 2.3.2
- Upgrade JJWT from 0.11.2 to 0.12.5
- Upgrade Joda-Time from 2.10.13 to 2.12.7
- Upgrade SQLite JDBC from 3.36.0.3 to 3.45.0.0
- Upgrade REST Assured from 4.5.1 to 5.4.0
- Update CI pipeline to use JDK 17

Co-Authored-By: Vedant Khanna <vedantkhanna@gmail.com>
- Fix PageInfo type mismatch: use DGS-generated PageInfo instead of graphql.relay.DefaultPageInfo
- Fix JJWT 0.12.x API changes: update to new builder/parser methods
- Fix JJWT key handling: use Keys.hmacShaKeyFor() for proper key size detection
- Fix graphql-java version: force 19.2 for federation-graphql-java-support compatibility
- Fix REST Assured version: add explicit rest-assured-common and spring-commons 5.4.0

Co-Authored-By: Vedant Khanna <vedantkhanna@gmail.com>
@devin-ai-integration
Copy link
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Copy link
Author

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

Open in Devin Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants