Update vulnerable Spring framework packages to v2.6.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.boot:spring-boot-test (source)	2.6.3 -> 2.6.6
org.springframework.boot:spring-boot-actuator (source)	2.6.3 -> 2.6.6
org.springframework.boot:spring-boot-autoconfigure (source)	2.6.3 -> 2.6.6
org.springframework.boot:spring-boot (source)	2.6.3 -> 2.6.6

This PR upgrades one or more Spring framework packages to fix a critical vulnerability.

---

Release Notes

spring-projects/spring-boot

v2.6.6

Compare Source

🐞 Bug Fixes

• MustacheAutoConfiguration in a Servlet web application fails with a ClassNotFoundException when Spring MVC is not on the classpath #​30475

📔 Documentation

• Javadoc of org.springframework.boot.gradle.plugin.ResolveMainClassName.setClasspath(Object) is inaccurate #​30469
• Document that @DefaultValue can be used on a record component #​30465
• Remove redundant Javadoc #​30446

🔨 Dependency Upgrades

• Upgrade to Jackson Bom 2.13.2.20220328 #​30478
• Upgrade to Spring Framework 5.3.18 #​30492

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​quaff
• @​vikeychen
• @​eddumelendez
• @​candrews

v2.6.5

Compare Source

📣 Noteworthy

• This release upgrades to Kafka 3.0.1 which enables idempotence by default. See the updated Spring Boot 2.6 release notes for further details.

⭐ New Features

• Add EIGHTEEN to JavaVersion enum #​30132

🐞 Bug Fixes

• ConfigurationPropertyName#equals is not symmetric when adapt has removed trailing characters from an element #​30392
• Thymeleaf auto-configuration in a reactive application can fail due to duplicate templateEngine beans #​30385
• server.tomcat.keep-alive-timeout is not applied to HTTP/2 #​30321
• Setting spring.mustache.enabled to false has no effect #​30256
• bootWar is configured eagerly #​30213
• Actuator @ReadOperation on Flux cancels request after first element emitted #​30161
• Unnecessary allocations in Prometheus scraping endpoint #​30125
• No metrics are bound for R2DBC ConnectionPools that have been wrapped #​30100
• Condition evaluation report entry for a @ConditionalOnSingleCandidate that does not match due to multiple primary beans isn't as clear as it could be #​30098
• Generated password are logged without an "unsuitable for production use" note #​30070
• Dependency management for Netty tcNative is incomplete leading to possible version conflicts #​30038
• Files in META-INF are not found when deploying a Gradle-built executable war to a servlet container #​30036
• Dependency management for Apache Kafka is incomplete #​30031
• spring-boot-configuration-processor fails compilation due to @DefaultValue with a long value and generates invalid metadata for byte and short properties with out-of-range default values #​30022

📔 Documentation

• Add Apache Kafka to the description of the Messaging section #​30389
• Default value of spring.thymeleaf.reactive.media-types is not documented #​30387
• Clarify type matching that is performed when using @MockBean and @SpyBean #​30382
• Fix links to Spring Security Reference Guide in Accessing the H2 Console in a Secured Application #​30349
• Document how to access the H2 Console in a secured web application #​30346
• Add Netty in "Enable HTTP Response Compression" #​30344
• Fix JsonSerializer example in reference guide #​30330
• WebSockets section missing in reference guide #​30231
• Include default Dev Tools properties in the reference documentation #​30166
• Document the WebSocket-related exclusions that are required to use Jetty 10 #​30149
• Fix typo #​30120
• Add documentation for spring.profiles.include #​30114
• Document when config data properties are invalid #​30113
• Document the scalar types supported by MapBinder #​30111
• Document how to rely on ServletContext with an embedded container setup #​30109
• Anchor tag for Spring HATEOAS does not redirect properly #​30106
• Clarify that build plugins or the CLI does not have an auto-compile feature #​30093
• Document how to structure configurations so that @Bean methods are included in slice tests #​30091
• Remove non-existent spring.data.cassandra.connection.connection-timeout property from the documentation #​30080
• Clarify actuator security documentation #​30065
• Use Gradle's task configuration avoidance APIs in the main reference docs #​30059
• Use Gradle's task configuration avoidance APIs in the Gradle Plugin's reference docs #​30057
• Improve property placeholder documentation to mention environment variables and default values #​30050
• Polish web examples in reference doc #​30048
• Add links to Spring Boot for Apache Geode to the reference documentation #​30018
• Document plugging in custom sanitisation rules with a SanitizingFunction bean #​29950

🔨 Dependency Upgrades

• Upgrade to Couchbase Client 3.2.6 #​30237
• Upgrade to Dropwizard Metrics 4.2.9 #​30238
• Upgrade to Groovy 3.0.10 #​30239
• Upgrade to Hibernate 5.6.7.Final #​30338
• Upgrade to Hibernate Validator 6.2.3.Final #​30241
• Upgrade to Jackson Bom 2.13.2 #​30242
• Upgrade to Kafka 3.0.1 #​30243
• Upgrade to Lettuce 6.1.8.RELEASE #​30339
• Upgrade to Log4j2 2.17.2 #​30244
• Upgrade to Logback 1.2.11 #​30245
• Upgrade to Micrometer 1.8.4 #​30178
• Upgrade to Neo4j Java Driver 4.4.5 #​30326
• Upgrade to Netty 4.1.75.Final #​30246
• Upgrade to Netty tcNative 2.0.51.Final #​30247
• Upgrade to R2DBC Bom Arabba-SR13 #​30340
• Upgrade to Reactor 2020.0.17 #​30176
• Upgrade to Spring AMQP 2.4.3 #​30180
• Upgrade to Spring Data 2021.1.3 #​30179
• Upgrade to Spring Framework 5.3.17 #​30177
• Upgrade to Spring Integration 5.5.10 #​30183
• Upgrade to Spring Kafka 2.8.4 #​30181
• Upgrade to Spring Retry 1.3.2 #​30248
• Upgrade to Spring WS 3.1.3 #​30182
• Upgrade to Tomcat 9.0.60 #​30249

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​cmabdullah
• @​fml2
• @​hpoettker
• @​octylFractal
• @​62mkv
• @​m-semnani
• @​izeye
• @​stokpop
• @​larsgrefer
• @​wonwoo
• @​abelsromero
• @​hak7a3
• @​PPakSang

v2.6.4

Compare Source

🐞 Bug Fixes

• Default JmxAutoConfiguration changes JConsole hierarchy for multi-property @ManagedResource object names #​29970
• The active profiles log message is ambiguous when a profile's name contains a comma #​29915
• @SpyBean causes BeanCurrentlyInCreationException when there are circular references #​29909
• Failed application contexts are not deregistered from SpringApplicationShutdownHook #​29905
• Gradle Plugin triggers eager configuration of some tasks #​29817
• MimeMapping for ots has a trailing space in its mime type #​29750
• A fat jar built with Gradle moves META-INF beneath BOOT-INF/classes while Maven leaves it at the jar's root #​29748
• Dependency management for Liquibase does not include its liquibase-cdi module #​29741
• server.tomcat.use-relative-redirects=true not honored when server.forward-headers-strategy=framework #​29731
• Ignore invalid stream types when reading log update events #​29691
• bootJar, bootRun, and bootWar do not pick up changes to the main source set's runtime classpath that are made after Boot's plugin has been applied #​29679
• WebSessionIdResolverAutoConfiguration should only be active in a reactive web application #​29669
• ErrorPageSecurityFilter cannot be destroyed in a Servlet 3.1 compatible container #​29558
• Health Web Endpoint Extension Failed to Initialize When Some Conditions Hit #​29532

📔 Documentation

• Document that placeholders in @DefaultValue annotations are not resolved #​29980
• Clarify relation of import path to resultant properties in configtree import data #​29978
• bootRun example should use mainClass, rather than main which was deprecated in Gradle 7.1 #​29966
• Rectify incorrect sanitizing regex example provided in how-to docs #​29959
• "Customizing the Banner" should make it more obvious that any environment property can be used #​29934
• Update javadoc to reflect move from WebSecurityConfigurerAdapter to SecurityFilterChain #​29901
• Link directly to the Integration Properties section of the appendix when cross-referencing Kafka properties #​29807
• Update documentation to reflect Hibernate's CamelCaseToUnderscoresNamingStrategy now being used by default #​29743
• Add documentation for WebMvc.fn #​29728
• Move appendix subsections under appendix section #​29689
• In Gradle plugin docs, replace classifier (deprecated) with archiveClassifier in examples #​29685
• Warn about the dangers of early bean initialization when using @ConditionalOnExpression #​29616
• Rename Boxfuse to CloudCaptain #​29539
• Upgrade version of gradle-git-properties in reference doc #​29537

🔨 Dependency Upgrades

• Upgrade to ActiveMQ 5.16.4 #​29937
• Upgrade to AppEngine SDK 1.9.95 #​29938
• Upgrade to Artemis 2.19.1 #​29784
• Upgrade to Couchbase Client 3.2.5 #​29785
• Upgrade to Dropwizard Metrics 4.2.8 #​29786
• Upgrade to Glassfish JAXB 2.3.6 #​29787
• Upgrade to Hibernate 5.6.5.Final #​29788
• Upgrade to Hibernate Validator 6.2.2.Final #​29789
• Upgrade to HttpClient5 5.1.3 #​29790
• Upgrade to Jetty 9.4.45.v20220203 #​29791
• Upgrade to Jetty Reactive HTTPClient 1.1.11 #​29939
• Upgrade to Johnzon 1.2.16 #​29793
• Upgrade to Json-smart 2.4.8 #​29794
• Upgrade to Maven Javadoc Plugin 3.3.2 #​29795
• Upgrade to Micrometer 1.8.3 #​29718
• Upgrade to MongoDB 4.4.2 #​29796
• Upgrade to Neo4j Java Driver 4.4.3 #​29797
• Upgrade to Netty 4.1.74.Final #​29798
• Upgrade to Netty tcNative 2.0.50.Final #​29974
• Upgrade to Postgresql 42.3.3 #​29941
• Upgrade to Reactor 2020.0.16 #​29717
• Upgrade to SLF4J 1.7.36 #​29801
• Upgrade to Spring Batch 4.3.5 #​29724
• Upgrade to Spring Data 2021.1.2 #​29721
• Upgrade to Spring Framework 5.3.16 #​29719
• Upgrade to Spring Integration 5.5.9 #​29963
• Upgrade to Spring Kafka 2.8.3 #​29722
• Upgrade to Spring LDAP 2.3.6 #​29720
• Upgrade to Spring Security 5.6.2 #​29723
• Upgrade to Spring Session 2021.1.2 #​29725
• Upgrade to Thymeleaf 3.0.15.RELEASE #​29802
• Upgrade to Tomcat 9.0.58 #​29803
• Upgrade to Undertow 2.2.16.Final #​29804

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​dreis2211
• @​UbaidurRehman1
• @​mhalbritter
• @​quaff
• @​axelfontaine
• @​lachlan-roberts
• @​jvalkeal
• @​mihailcornescu
• @​izeye
• @​larsgrefer
• @​halcyon22
• @​polarbear567
• @​gcoppex
• @​terminux

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.