Dear Spring community,

It is my pleasure to announce that the first Spring Framework 6.0 milestone release is available from htts://repo.spring.io/milestone now. This initial milestone covers our baseline upgrade efforts, in particular requiring JDK 17+ and migrating to the Jakarta EE 9 APIs; see my recent baseline blog post for the rationale. At the same time, it removes many long-deprecated classes, including several support packages for outdated third-party infrastructure.

For current upgrade notes, please refer to our Upgrading to Spring Framework 6.0 page which we will keep updating. Follow our main branch on GitHub for the latest changes, as we prepare for 6.0 M2 and the corresponding Spring Boot 3.0 M1 release in January. At that point, you will also be able to consume Spring Framework 6.0 through https://start.spring.io/. For the time being, feel free to grab 6.0 M1 from https://repo.spring.io/…

Update Jan 5, 2022: The releases include fixes for CVE-2021-22060 whose official publication was deferred until today since many people take time off at the end of the year.

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 5.3.14 and 5.2.19 are available now.

Spring Framework 5.3.14 includes 36 fixes and improvements. Spring Framework 5.2.19 includes 11 selected fixes and improvements.

Stay tuned for the announcement of Spring Framework 6.0.0-M1 later today!

Project Page | GitHub | Issues | Documentation

On behalf of the community, I am pleased to announce that the General Availability (RELEASE) of the Spring Cloud 2020.0.5 Release Train is available today. The release can be found in Maven Central. You can check out the 2020.0.5 release notes for more information.

Notable Changes in the 2020.0.5 Release Train

Spring Cloud Netflix

• Upgraded Netflix/Eureka to 1.10.17 issue

Spring Cloud Config

• Support Using HTTPS proxies for Git Repositories (1965)
• Support ordering AWS, Redis, and CredHub Repositories (1980)

Spring Cloud Gateway

• Enhancements for metrics: Netty connections, path as tag, and route definition count
…

Hi, Spring fans! In this installment, we continue our tour of all things @Controller by looking at the nascent Spring GraphQL project

Hi, Spring fans! How are you? Welcome to another installment of This Week in Spring! I'm doing alright! It's noon as I write this, and I've got GSUG joint presentation with Matt Raible later today. Then, tonight at midnight my time to 5 am or 6 am, I'm kicking off a two-day workshop for GOTO! I look forward to seeing ya there! Anyway, we've got a lot to cover so let's dive into it!

• Read this first! If you've been living under a rock, you may not have heard of the recent Log4J2 vulnerability. If you're using the default, out-of-the-box Spring Boot logging support, then this does not apply to you! But, if you are using Log4j2, specifically, then you need to read this post on Log4j2 and Spring Boot!
• Bruno Borges tweets this very simple workaround for those of you who are using Log4j2 and can't change the startup scripts of your application afflicted by the Log4j2 exploit
• Once you're sure your applications are healthy and happy, check out the new Spring Native 0.11 release! And its new AOT engine, which brings Spring Native to the Next Level…

On behalf of the community, I am pleased to announce that the Release Candidate 1 (RC1) of the Spring Cloud Square 0.4.0 is available today. The release can be found in Spring Milestone repository. You can check out the 0.4.0-RC1 release notes for more information.

This is primarily a bugfix release. See all issues included in this release here.

Notable changes in RC1:

• Spring Cloud Sleuth integration for OkHttpClient #36

The documentation for this milestone can be found here.

The Spring GraphQL team has just released the 4th milestone towards a 1.0.0 release. Thanks to all contributors!

In this milestone, we have further improved the annotation programming model and extended the Spring Data support that were provided in the previous milestones.

Interface Projections for GraphQL Arguments

If you're familiar with Spring Data's Interface-based Projections, then this new feature will make perfect sense: you can use a well-defined interface to work with GraphQL arguments, without the need for any Object implementation.

For example:

@Controller
public class…

Updates: Since this blog post has been published, a new logback 1.2.9 version has been published. While this fixes a security issue, prerequisites for exploits are very different as they "requires write access to logback's configuration file". Log4J also released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105. Spring Boot 2.5.8 and 2.6.2 haven been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0. Log4J 2.17.1 contains a fix for CVE-2021-44832

As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0…

Hi, Spring fans! This week, Josh Long (@starbuxman) talks to transformational leader, my old boss, legendary technologist, and friend Patrick Chanezon (@chanezon).