Skip to content

Update dependency org.springframework:spring-expression to v6.2.19#5735

Merged
vdiez merged 1 commit into
masterfrom
renovate/org.springframework-spring-expression-6.x
Jul 9, 2026
Merged

Update dependency org.springframework:spring-expression to v6.2.19#5735
vdiez merged 1 commit into
masterfrom
renovate/org.springframework-spring-expression-6.x

Conversation

@renovate

@renovate renovate Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
org.springframework:spring-expression 6.2.186.2.19 age confidence

Release Notes

spring-projects/spring-framework (org.springframework:spring-expression)

v6.2.19

Compare Source

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"
⭐ New Features
  • Avoid too many character access attempts in AntPathMatcher #​36886
  • Track operations during SpEL expression evaluation #​36887
  • Ensure getters have non-void return types in SpEL #​36888
  • Expose ClassLoader from DefaultDeserializer #​36839
  • Refine default view name resolution #​36794
  • Refine Jackson JMS converters #​36792
  • Improve ABNF rule checks in RfcUriParser #​36788
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #​36728
  • Warn against unsafe static resource locations in MVC and WebFlux #​36693
  • Consistent compatibility with Woodstox as an alternative to Xerces #​36683
🐞 Bug Fixes
  • Data is lost for joined DataBuffer in DataBufferUtils #​36874
  • CronExpression skips days on midnight DST gap #​36873
  • Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #​36870
  • Server Sent Event does not support multi-line comments #​36867
  • Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #​36849
  • Bean Background Bootstrap and Lazy Init #​36847
  • Fix JSP tag processing #​36798
  • Fix script processing capabilities #​36796
  • Parsing failure for MIME type with quoted parameter values #​36734
  • Circular dependency between supplier-created beans is silently ignored on startup #​36732
  • Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #​36722
  • Regression on value class parameter handling #​36720
  • Cache collisions in CachingResourceResolver #​36718
  • Unexpected path element removal when resolving versioned resources #​36699
📔 Documentation
  • Fix broken links to Selenium documentation #​36877
  • Fix applicability note on setAutoGrowCollectionLimit #​36864
  • Javadoc of nestingLevel parameter in MethodParameter constructor is inconsistent with actual implementation #​36848
🔨 Dependency Upgrades

Configuration

📅 Schedule: (in timezone CET)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 2, 2026
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Renovate Jira issue ID: SONARJAVA-6566

@sonarqube-next

sonarqube-next Bot commented Jul 2, 2026

Copy link
Copy Markdown

@vdiez vdiez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved: Renovate dependency update.

@vdiez vdiez enabled auto-merge (squash) July 9, 2026 12:08
@vdiez vdiez merged commit db0a247 into master Jul 9, 2026
17 checks passed
@vdiez vdiez deleted the renovate/org.springframework-spring-expression-6.x branch July 9, 2026 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant