Skip to content

Bump org.springframework:spring-framework-bom from 6.2.19-SNAPSHOT to 6.2.20-SNAPSHOT#11080

Closed
dependabot[bot] wants to merge 1 commit into
6.5.xfrom
dependabot/gradle/6.5.x/org.springframework-spring-framework-bom-6.2.20-SNAPSHOT
Closed

Bump org.springframework:spring-framework-bom from 6.2.19-SNAPSHOT to 6.2.20-SNAPSHOT#11080
dependabot[bot] wants to merge 1 commit into
6.5.xfrom
dependabot/gradle/6.5.x/org.springframework-spring-framework-bom-6.2.20-SNAPSHOT

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown
Contributor

Bumps org.springframework:spring-framework-bom from 6.2.19-SNAPSHOT to 6.2.20-SNAPSHOT.

Release notes

Sourced from org.springframework:spring-framework-bom's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Avoid too many character access attempts in AntPathMatcher #36886
  • Track operations during SpEL expression evaluation #36887
  • Ensure getters have non-void return types in SpEL #36888
  • Expose ClassLoader from DefaultDeserializer #36839
  • Refine default view name resolution #36794
  • Refine Jackson JMS converters #36792
  • Improve ABNF rule checks in RfcUriParser #36788
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
  • Warn against unsafe static resource locations in MVC and WebFlux #36693
  • Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

  • Data is lost for joined DataBuffer in DataBufferUtils #36874
  • CronExpression skips days on midnight DST gap #36873
  • Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
  • Server Sent Event does not support multi-line comments #36867
  • Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
  • Bean Background Bootstrap and Lazy Init #36847
  • Fix JSP tag processing #36798
  • Fix script processing capabilities #36796
  • Parsing failure for MIME type with quoted parameter values #36734
  • Circular dependency between supplier-created beans is silently ignored on startup #36732
  • Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
  • Regression on value class parameter handling #36720
  • Cache collisions in CachingResourceResolver #36718

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump org.springframework:spring-framework-bom
7a5ac88 
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.19-SNAPSHOT to 6.2.20-SNAPSHOT.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/commits)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.20-SNAPSHOT
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the type: dependency-upgrade Pull requests that update a dependency file label Jun 10, 2026
@artembilan

artembilan commented Jun 10, 2026

Copy link
Copy Markdown
Member

Wrong. Must be 6.2.19 GA

@artembilan artembilan closed this Jun 10, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/gradle/6.5.x/org.springframework-spring-framework-bom-6.2.20-SNAPSHOT branch June 10, 2026 01:51
@github-actions github-actions Bot added status: invalid Not reproducable or not relevant to the current state of the project and removed type: dependency-upgrade Pull requests that update a dependency file labels Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

status: invalid Not reproducable or not relevant to the current state of the project

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@artembilan