Starting with version 6.0.9, the Spring Framework reference documentation site is generated with Antora. This is a big change that brings many improvements. This blog post provides context around that.

Overview

For a long time the Spring Framework reference documentation had two versions, one single page, and one multipage. The single page was very large but often preferred for the ability to search with Ctrl+F. The multipage provided structure, but it was difficult to navigate and search. See for example the single and multiple versions from 4.3.x.

In 5.0 we switched to a single version that split the documentation into several high-level sections as a kind of middle ground between the single and the multipage versions. You could still use Ctrl+F within a section, while the content one any one of those pages wasn't as large as the full documentation. In this version we also added left-hand side navigation to make it easy to navigate the content. See example…

I'm happy to announce that a Spring for GraphQL 1.2 release candidate is now available via https://repo.spring.io/milestone.

Pagination for Querydsl and Query By Example

The M1 release provided abstractions and infrastructure for pagination and sorting, including support for input and output types on annotated controller methods that minimize what applications need to do to support paginated queries.

The current release candidate completes this by extending pagination support to our Querydsl and Query By Example DataFetcher implementations, both of which now expose a scrollable factory method.

I'm pleased to announce that Spring Web Flow 3.0 RC1 is now available from the Spring milestone repository.

As mentioned in the 3.0 M1 announcement, milestone 1 did not include JSF support. This release changes that and upgrades the Spring Faces module to a Spring Framework 6, Jakarta EE, and Java 17 baseline. The spring-webflow-samples, including JSF samples, have been upgraded to the latest, and you can use sample changes as pointers for your own upgrades.

Spring Web Flow has also migrated from JIRA to GitHub issues recently, and that means you can now search, create, and watch both issues and pull requests, from the project's GitHub issues…

It has been almost 4 years since the last set of Spring Web Flow releases. Nevertheless, the project continues to serve a specific need particularly well, arguably better than alternatives, and remains in active use. While there hasn't been a strong driver for new releases, the upcoming Spring Framework 6 brings a Java 17 baseline and makes the shift to Jakarta EE, which creates the need for such a release in order to enable applications to migrate to this new baseline.

Today I'm pleased to announce the availability of Spring Web Flow 3.0 M1 in the Spring milestone repository. This release focuses mainly on compatibility with Spring Framework 6 and Jakarta EE. The Travel booking-mvc sample on spring-projects/spring-webflow-samples has been updated and the commit history provides example changes…

On behalf of the Spring for GraphQL team and every contributor, it is my pleasure to announce the 1.0 GA release. It's been 10 months since the project was announced and under 2 years since the first commit, unremarkably called "first commit". The project began with the modest goal to replace the (now archived) minimal GraphQL Java Spring integration, but has since moved significantly beyond through community feedback and collaboration across Spring Boot, Spring Framework, Spring Data, and Spring Security.

The following are highlights from the release:

• Annotation-based programming model for data fetchers
• Data binding from input arguments with validation
• Field-level security through annotations on data @Controller methods
• Server handlers and interception over HTTP, WebSocket, and RSocket
• Querydsl and Query by Example repositories as data fetchers
• Batch loading support
• Client for executing over HTTP, WebSocket, and RSocket
• Test support with HTTP, WebSocket, RSocket, or directly, without a client
• GraphiQL page and schema printing page
…

Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat's side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection.

Upgrading to Spring Framework 5.3.18+ or 5.2.20+ continues to be our main recommendation not only because it addresses the root cause…

Updates

• [04-13] "Data Binding Rules Vulnerability CVE-2022-22968" follow-up blog post published, related to the "disallowedFields" from the Suggested Workarounds
• [04-08] Snyk announces an additional attack vector for Glassfish and Payara. See also related Payara, upcoming release announcement
• [04-04] Updated Am I Impacted with improved description for deployment requirements
• [04-01] Updated Am I Impacted with additional notes
• [04-01] Updated Suggested Workarounds section for Apache Tomcat upgrades and Java 8 downgrades
• [04-01] "Mitigation Alternative" follow-up blog post published, announcing Apache Tomcat releases versions 10.0.20, 9.0.62, and 8.5.78…

On behalf of everyone involved, I'm pleased to announce the availability of the sixth and final milestone of Spring for GraphQL on the way to 1.0. Our next stop is RC1 in 4 weeks, followed by the GA on May 17.

GraphQL Client

A GraphQL client is something we identified as a goal quite early on. It's issue number 10 from 336 at present in the issue tracker, but we viewed testing support as higher priority and so the GraphQL Tester came first and has been available from the start.

The Tester did prove valuable and popular, but we knew we had to fully explore the client before 1.0 as the two are…

The Spring Framework 5.3.14 and 5.2.19 releases on December 16 included fixes for CVE-2021-22060 and are a follow-up to CVE-2021-22096, to address additional types of input that can cause the issue. As the Spring Boot releases 2.6.2 and 2.5.8 picking up these Spring Framework versions were due the day before Christmas and given the medium severity, we postponed the announcement until after the new year, to avoid disclosure during a period when many take time off. Please, upgrade to those latest maintenance releases.

The recently released Spring Boot 2.5.6 and 2.4.12 releases contain fixes for the following security vulnerabilities:

• CVE-2021-22096 for the Spring Framework
• CVE-2021-22047 for Spring Data REST
• CVE-2021-22097 for Spring AMQP

In addition, Spring Cloud OpenFeign has released versions 3.0.5 and 2.2.10, based on the same Spring Boot versions, and containing a fix for the following security vulnerability:

• CVE-2021-22044 for Spring Cloud OpenFeign

Please, review the reports and upgrade!