v4.1.0

Compare Source

Full release notes for Spring Boot 4.1 are available on the wiki.

⭐ New Features

• Add public constructor to InvalidConfigurationPropertyValueException that accepts a cause #​50211
• Reduce memory consumption when repeatedly calling WritableJson.toByteArray #​49428

🐞 Bug Fixes

• MailSender auto-configuration does not enable hostname verification #​50747
• Artemis auto-configuration uses a predictable default location for the embedded broker's data #​50745
• Embedded LDAP SSL should not be enabled when its bundle is empty #​50700
• InetAddressFilter.externalAddresses does not exclude special purpose addresses from RFC 6890 #​50668
• NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #​50645
• SSL should not be enabled when a SSL bundle is overridden to an empty string #​50635
• Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #​50633
• Configuration property metadata includes incorrect class references #​50632
• Docker Compose support does not restore thread interrupt flag when catching InterruptedException #​50618
• RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #​50612
• NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #​50610
• SpringJtaPlatform should have been deprecated since 4.1.0-M3 #​50592
• Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #​50510
• ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #​50417
• Created StackTracePrinter instances have no access to the Environment #​50414
• MappingsEndpoint reports the context's own ID as parentId when a parent exists #​50412
• Buildpack module does not validate long-to-int casts #​50410
• Gradle gRPC support fails if protobuf-java dependency is used instead of protobuf-java-util #​50405
• GraphQL WebSocket support does not configure allowed origins #​50394
• Spring Boot Loader Does Not Support RSA and EC Signed Jars #​50298
• Meter registries are not removed from the global registry when the context is closed #​50287
• DataSourceBuilder cannot derive a DataSource from a lazy connection proxy #​50271
• Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #​50266
• Bean definitions can be added with an initializer before setAllowBeanDefinitionOverriding is called #​50264
• EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #​50261
• Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #​50258
• ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #​50234
• NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #​50228
• Missing dependency management for spring-boot-web-server-test #​50224
• Spring Batch support for MongoDB modules are not included in dependency management #​50223
• Apply HTML escaping to timestamp attribute in Whitelabel error page #​50216
• GrpcServerHealthScheduler is not started in servlet environments #​50209
• Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #​50204

📔 Documentation

• Fix reference to Gradle documentation for module replacement #​50647
• Document SSL reloading with Let's Encrypt #​50630
• Remove the use of Optional from Data Neo4j repository examples #​50622
• Fix typos in documentation #​50620
• Clarify dependency requirement for Bean Validation support #​50614
• Document Java 25 requirement for AOT cache #​50485
• Add links for Java CAS Client Spring Boot Starter #​50285
• Document known testcontainers lifecycle issues #​50220
• Document adding multiple connectors for Jetty #​50218
• Polish InvalidConfigurationPropertyValueException constructor javadoc #​50214
• Fix typo in Spring Security OAuth2 client registration documentation #​50199

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 6.2.6 #​50652
• Upgrade to Byte Buddy 1.18.10 #​50693
• Upgrade to Caffeine 3.2.4 #​50338
• Upgrade to Cassandra Driver 4.19.3 #​50654
• Upgrade to Couchbase Client 3.11.3 #​50576
• Upgrade to Elasticsearch Client 9.4.2 #​50655
• Upgrade to Glassfish JAXB 4.0.9 #​50656
• Upgrade to Groovy 5.0.6 #​50340
• Upgrade to Hibernate 7.4.1.Final #​50732
• Upgrade to Infinispan 16.1.4 #​50342
• Upgrade to Jackson 2 Bom 2.21.4 #​50657
• Upgrade to Jackson Bom 3.1.4 #​50658
• Upgrade to Jakarta Json Bind 3.0.2 #​50659
• Upgrade to Jakarta XML Bind 4.0.5 #​50345
• Upgrade to Jaxen 2.0.6 #​50710
• Upgrade to Jetty 12.1.10 #​50661
• Upgrade to Jetty Reactive HTTPClient 4.1.5 #​50711
• Upgrade to jOOQ 3.21.5 #​50712
• Upgrade to Kafka 4.2.1 #​50662
• Upgrade to Kotlin 2.3.21 #​50347
• Upgrade to Lettuce 7.5.2.RELEASE #​50581
• Upgrade to Liquibase 5.0.3 #​50582
• Upgrade to Logback 1.5.34 #​50663
• Upgrade to Maven Enforcer Plugin 3.6.3 #​50583
• Upgrade to Maven Failsafe Plugin 3.5.6 #​50664
• Upgrade to Maven Surefire Plugin 3.5.6 #​50665
• Upgrade to Micrometer 1.17.0 #​50559
• Upgrade to Micrometer Tracing 1.7.0 #​50560
• Upgrade to MongoDB 5.8.0 #​50608
• Upgrade to Native Build Tools Plugin 1.1.1 #​50585
• Upgrade to Neo4j Java Driver 6.1.0 #​50586
• Upgrade to Netty 4.2.15.Final #​50666
• Upgrade to OpenTelemetry 1.62.0 #​50588
• Upgrade to Oracle Database 23.26.2.0.0 #​50667
• Upgrade to Postgresql 42.7.11 #​50349
• Upgrade to Protobuf Java 4.34.2 #​50590
• Upgrade to Protobuf Maven Plugin 5.1.4 #​50589
• Upgrade to Pulsar 4.2.2 #​50713
• Upgrade to R2DBC MySQL 1.4.2 #​50351
• Upgrade to Reactor Bom 2025.0.6 #​50561
• Upgrade to SAAJ Impl 3.0.6 #​50714
• Upgrade to SLF4J 2.0.18 #​50591
• Upgrade to Spring AMQP 4.1.0 #​50562
• Upgrade to Spring Batch 6.0.4 #​50563
• Upgrade to Spring Data Bom 2026.0.0 #​50564
• Upgrade to Spring Framework 7.0.8 #​50565
• Upgrade to Spring GraphQL 2.0.4 #​50741
• Upgrade to Spring gRPC 1.1.0 #​50566
• Upgrade to Spring HATEOAS 3.1.1 #​50567
• Upgrade to Spring Integration 7.1.0 #​50568
• Upgrade to Spring Kafka 4.1.0 #​50569
• Upgrade to Spring LDAP 4.1.0 #​50570
• Upgrade to Spring Pulsar 2.0.6 #​50571
• Upgrade to Spring RESTDocs 4.0.1 #​50572
• Upgrade to Spring Security 7.1.0 #​50573
• Upgrade to Spring Session 4.1.0 #​50574
• Upgrade to Spring WS 5.0.2 #​50575
• Upgrade to SQLite JDBC 3.53.2.0 #​50715
• Upgrade to Tomcat 11.0.22 #​50354

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Abdlatif-nabgha, @​DragonFSKY, @​Kapil-chn7, @​Kimgyuilli, @​SJvaca30, @​SebTardif, @​ares333, @​codingkiddo, @​dlwldnjs1009, @​eddumelendez, @​henriquejsza, @​igormukhin, @​johnnypwong, @​kwondh5217, @​leestana01, @​mheath, @​mmoayyed, @​msridhar, @​ngocnhan-tran1996, @​nosan, @​quaff, @​scordio, @​vinhhieu21, @​vpavic, @​won-seoop, and @​zxuhan

v4.0.7

Compare Source

🐞 Bug Fixes

• MailSender auto-configuration does not enable hostname verification #​50746
• Artemis auto-configuration uses a predictable default location for the embedded broker's data #​50744
• NullPointerException in reactor-netty SniProvider and unmapped SSL bundle with RSocket #​50640
• SSL should not be enabled when a SSL bundle is overridden to an empty string #​50634
• Docker Compose support does not restore thread interrupt flag when catching InterruptedException #​50617
• RabbitProperties enables SSL even when spring.rabbitmq.ssl.bundle is overridden to an empty string #​50611
• NullPointerException in reactor-netty SniProvider when SSL bundle uses client-auth or server truststore without server-name-bundles #​50609
• Test auto-configuration no longer integrates Spring Security with HtmlUnitDriver #​50602
• Layer written outside the output location of '//' exception is thrown when using extract layers in root directory #​50509
• ConfigurationPropertiesReportEndpoint exposes AOP proxy internals #​50416
• Created StackTracePrinter instances have no access to the Environment #​50413
• MappingsEndpoint reports the context's own ID as parentId when a parent exists #​50411
• Buildpack module does not validate long-to-int casts #​50409
• GraphQL WebSocket support does not configure allowed origins #​50393
• Configuration property metadata includes incorrect class references #​50375
• Spring Boot Loader Does Not Support RSA and EC Signed Jars #​50297
• Meter registries are not removed from the global registry when the context is closed #​50286
• Nullable annotations from AbstractErrorController.getErrorAttributes are not aligned with implementation #​50265
• EndpointRequest links matcher unnecessarily matches HTTP methods other than GET #​50260
• Actuator's '/cloudfoundryapplication' endpoint does not work if restrictive CORS configuration is provided using a bean named corsConfigurationSource #​50257
• ThreadPoolTaskScheduleBuilder unnecessarily loses precision when configuring await termination time #​50233
• NimbusJwtDecoder silently accepts unknown values for spring.security.oauth2.resourceserver.jwt.jws-algorithms #​50227
• Apply HTML escaping to timestamp attribute in Whitelabel error page #​50215
• Setting server.servlet.session.cookie.partitioned=true has no effect when using Tomcat #​50201

📔 Documentation

• Fix reference to Gradle documentation for module replacement #​50646
• Document SSL reloading with Let's Encrypt #​50629
• Remove the use of Optional from Data Neo4j repository examples #​50621
• Fix typos in documentation #​50619
• Clarify dependency requirement for Bean Validation support #​50613
• Document Java 25 requirement for AOT cache #​50484
• Add links for Java CAS Client Spring Boot Starter #​50281
• Document known testcontainers lifecycle issues #​50219
• Document adding multiple connectors for Jetty #​50217
• Polish InvalidConfigurationPropertyValueException constructor javadoc #​50213
• Fix typo in Spring Security OAuth2 client registration documentation #​50198

🔨 Dependency Upgrades

• Upgrade to Caffeine 3.2.4 #​50322
• Upgrade to Cassandra Driver 4.19.3 #​50681
• Upgrade to Glassfish JAXB 4.0.9 #​50682
• Upgrade to Groovy 5.0.6 #​50324
• Upgrade to Hibernate 7.2.19.Final #​50733
• Upgrade to Jackson 2 Bom 2.21.4 #​50684
• Upgrade to Jackson Bom 3.1.4 #​50685
• Upgrade to Jakarta Json Bind 3.0.2 #​50686
• Upgrade to Jakarta XML Bind 4.0.5 #​50328
• Upgrade to Jaxen 2.0.6 #​50717
• Upgrade to Jetty 12.1.10 #​50688
• Upgrade to Jetty Reactive HTTPClient 4.1.5 #​50718
• Upgrade to jOOQ 3.19.35 #​50719
• Upgrade to Liquibase 5.0.3 #​50554
• Upgrade to Logback 1.5.34 #​50689
• Upgrade to Maven Enforcer Plugin 3.6.3 #​50555
• Upgrade to Maven Failsafe Plugin 3.5.6 #​50690
• Upgrade to Maven Surefire Plugin 3.5.6 #​50691
• Upgrade to Micrometer 1.16.6 #​50535
• Upgrade to Micrometer Tracing 1.6.6 #​50536
• Upgrade to Neo4j Java Driver 6.1.0 #​50556
• Upgrade to Netty 4.2.15.Final #​50692
• Upgrade to Postgresql 42.7.11 #​50332
• Upgrade to R2DBC MySQL 1.4.2 #​50333
• Upgrade to Reactor Bom 2025.0.6 #​50537
• Upgrade to SAAJ Impl 3.0.6 #​50720
• Upgrade to SLF4J 2.0.18 #​50558
• Upgrade to Spring AMQP 4.0.4 #​50538
• Upgrade to Spring Batch 6.0.4 #​50539
• Upgrade to Spring Data Bom 2025.1.6 #​50540
• Upgrade to Spring Framework 7.0.8 #​50541
• Upgrade to Spring GraphQL 2.0.4 #​50740
• Upgrade to Spring HATEOAS 3.0.4 #​50542
• Upgrade to Spring Integration 7.0.5 #​50543
• Upgrade to Spring Kafka 4.0.6 #​50544
• Upgrade to Spring LDAP 4.0.4 #​50545
• Upgrade to Spring Pulsar 2.0.6 #​50546
• Upgrade to Spring RESTDocs 4.0.1 #​50547
• Upgrade to Spring Security 7.0.6 #​50548
• Upgrade to Spring Session 4.0.4 #​50549
• Upgrade to Spring WS 5.0.2 #​50550
• Upgrade to Tomcat 11.0.22 #​50335

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Abdlatif-nabgha, @​DragonFSKY, @​Kapil-chn7, @​Kimgyuilli, @​SJvaca30, @​SebTardif, @​ares333, @​codingkiddo, @​dlwldnjs1009, @​henriquejsza, @​igormukhin, @​johnnypwong, @​kwondh5217, @​leestana01, @​mheath, @​mmoayyed, @​msridhar, @​ngocnhan-tran1996, @​nosan, @​quaff, @​scordio, @​vinhhieu21, @​won-seoop, and @​zxuhan

v4.0.6

Compare Source

🐞 Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #​50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #​50187
• ApplicationPidFileWriter does not handle symlinks correctly #​50185
• RandomValuePropertySource is not suitable for secrets #​50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #​50180
• ApplicationTemp does not handle symlinks correctly #​50178
• Remote DevTools performs comparison incorrectly #​50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #​50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #​50077
• Classic starters are missing several modules #​50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #​50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #​50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #​50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #​50017
• Imports on a containing test class are ignored when a nested class has imports #​50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #​49951
• 500 response from env endpoint when supplied pattern is invalid #​49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #​49945
• HTTP method is lost when configuring excludes in EndpointRequest #​49943
• Honor HttpMethod for reactive additional endpoint paths #​49880
• Docker Compose support doesn't work with apache/artemis image #​49869
• Docker Compose support doesn't work with apache/activemq image #​49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #​49854
• API versioning path strategy should be applied path last as it is not meant to yield #​49800

📔 Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #​50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #​50126
• Link to the observability section of the Lettuce documentation is broken #​50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #​50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #​50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #​50019
• Link to the Kubernetes documentation when discussing startup probes #​50015
• Typo in JdbcSessionAutoConfiguration Javadoc #​49873
• Clarify that configuration property default values are not available through the Environment #​49851
• Document the need for Liquibase and Flyway starters #​49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #​49826

🔨 Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #​50027
• Upgrade to Groovy 5.0.5 #​49911
• Upgrade to Hibernate 7.2.12.Final #​50134
• Upgrade to Jackson Bom 3.1.2 #​50051
• Upgrade to Jaxen 2.0.1 #​50104
• Upgrade to Jaybird 6.0.5 #​49914
• Upgrade to Jetty 12.1.8 #​49915
• Upgrade to jOOQ 3.19.32 #​50105
• Upgrade to Log4j2 2.25.4 #​49916
• Upgrade to Lombok 1.18.46 #​50150
• Upgrade to MariaDB 3.5.8 #​49917
• Upgrade to Micrometer 1.16.5 #​49972
• Upgrade to Micrometer Tracing 1.6.5 #​49973
• Upgrade to MongoDB 5.6.5 #​50028
• Upgrade to MySQL 9.7.0 #​50159
• Upgrade to Neo4j Java Driver 6.0.5 #​50075
• Upgrade to Reactor Bom 2025.0.5 #​49974
• Upgrade to Spring AMQP 4.0.3 #​49975
• Upgrade to Spring Data Bom 2025.1.5 #​49976
• Upgrade to Spring Framework 7.0.7 #​49977
• Upgrade to Spring GraphQL 2.0.3 #​49978
• Upgrade to Spring Kafka 4.0.5 #​49979
• Upgrade to Spring LDAP 4.0.3 #​49980
• Upgrade to Spring Pulsar 2.0.5 #​49981
• Upgrade to Spring Security 7.0.5 #​49982
• Upgrade to Spring Session 4.0.3 #​49983
• Upgrade to Testcontainers 2.0.5 #​50135
• Upgrade to Thymeleaf 3.1.5.RELEASE #​50152
• Upgrade to Thymeleaf Extras SpringSecurity 3.1.5.RELEASE #​50153
• Upgrade to Tomcat 11.0.21 #​49918

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GollapudiSrikanth, @​MohammedGhallab, @​bachhs, @​dlwldnjs1009, @​edwardsre, @​kodama-kcc, @​kwondh5217, @​ppapaj, @​quaff, @​refeccd, @​scordio, and @​xxxxxxjun

v4.0.5

Compare Source

🐞 Bug Fixes

• Test starter for Spring Integration does not include Spring Integration test module #​49784
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #​49782
• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #​49753
• WebSocket app fails to start when Jackson is on the classpath but there's no JsonMapper bean #​49749
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #​49738
• Override of property in external 'application.properties' or 'application.yaml' is ignored #​49731
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #​49706
• Add @ConditionalOnWebApplication to NettyReactiveWebServerAutoConfiguration #​49695
• @GraphQlTest does not include @ControllerAdvice #​49672

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #​49727
• Add some more Kotlin examples and trivial style fixes #​49714
• Overhaul Spring Session documentation following modularization #​49704

🔨 Dependency Upgrades

• Upgrade to Brave 6.3.1 #​49763
• Upgrade to Jackson 2 Bom 2.21.2 #​49764
• Upgrade to jOOQ 3.19.31 #​49765
• Upgrade to Netty 4.2.12.Final #​49794
• Upgrade to Tomcat 11.0.20 #​49767
• Upgrade to Zipkin Reporter 3.5.3 #​49762

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, @​kwondh5217, @​ljrmorgan, and @​quaff

v4.0.4

Compare Source

⚠️ Attention Required

• OpenTelemetry's ZipkinSpanExporter has been deprecated and its support will be removed in Spring Boot 4.2. #​49453
• Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. #​49389
• Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. #​49383
• The default value for server.tomcat.max-part-count has been increased from 10 to 50. This aligns it with Tomcat's own default and the default in Spring Boot 3.x. #​49311

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #​49649
• "/cloudfoundryapplication" web path is not limited to Actuator #​49646
• Fix EndpointRequest.toLinks() when base-path is '/' #​49617
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #​49596
• RSocket exposes duplicate endpoint for websocket setups #​49593
• Failure analysis for a missing mail sender is misleading #​49582
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #​49535
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #​49482
• "spring.main.cloud-platform=none" does not disable cloud features #​49479
• SSL support with Docker Compose does not work as documented #​49385
• Auto-configuration overrides authorization server configuration applied by Customizer beans #​49367
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #​49344
• NoSuchMethodException when forcing the use of Log4J2LoggingSystem using org.springframework.boot.logging.LoggingSystem system property #​49343
• RouterFunctions descriptions in Actuator do not support nesting #​49302
• Maven plugin does not set '-parameters' option when processing AOT code #​49295
• HTTP Service Interface Client doesn't work in a native image due to missing property binding #​49274
• ErrorPageRegistrarBeanPostProcessor is not auto-configured in war deployments and the ErrorPageCustomizer is not applied #​49176
• Missing starter for spring-boot-restdocs #​48289

📔 Documentation

• Document support for Java 26 #​49604
• List all supported colors when describing color-coded log output #​49562
• Improve EndpointRequest matcher documentation #​49520
• Clarify that running is the only supported input state when triggering a Quartz job through the Actuator endpoint #​49514
• Document security considerations for forwarded headers in cloud deployments #​49507
• Tutorial in the reference guide has outdated instructions #​49429
• Document additional repositories required for shibboleth.net #​49392
• Javadoc of JettyHttpClientBuilder refers to the wrong type #​49387
• Example spring-devtools.properties file is shown in the wrong format #​49362
• Clarify inferred relationships between OAuth 2 registrations and providers #​49327
• Mention using org.springframework.boot.aot Gradle plugin directly for AOT processing with the JVM #​49321
• Remove superfluous semi-colon from read timeout configuration example for HTTP service interface clients #​49306
• Update CLI's INSTALL.txt to reflect Groovy no longer being bundled #​49298
• JDK requirement for the CLI still refers to Java 8 #​49293
• Java and Kotlin samples of an environ

✂ Note

PR body was truncated to here.