BE: Chore: Bump Spring Boot to 3.5.3 #1143

Open: wants to merge 2 commits into base: main

Collaborator

@yeikel yeikel commented Jun 21, 2025

What changes did you make? (Give an overview)

  • Upgraded Spring Boot to the latest version (3.5.3) to fetch the latest bug fixes and features as well as fixing CVE-2025-41234
  • Removed several dependency overrides that are no longer necessary since they were upgraded by Spring
  • Removed the explicit inclusion of JUnit 5, as it is provided transitively by spring-boot-starter-test. Keeping it explicitly declared leads to version conflicts, which goes against the JUnit project's recommendations for Spring Boot.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

@yeikel yeikel requested a review from a team as a code owner June 21, 2025 04:49
@kapybro kapybro bot added status/triage Issues pending maintainers triage status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Jun 21, 2025
@yeikel yeikel marked this pull request as draft June 21, 2025 04:54
@yeikel yeikel force-pushed the patch-2 branch 6 times, most recently from 4be01c4 to 9a741e6 Compare June 22, 2025 20:37
@yeikel yeikel marked this pull request as ready for review June 22, 2025 20:45
@@ -21,7 +21,6 @@ lombok = '1.18.34'
odd-oddrn-generator = '0.1.17'
odd-oddrn-client = '0.1.41'
cel = '0.3.0'
junit = '5.11.2'
mockito = '5.16.0'
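
Review bot: `mockito = '5.16.0'` stays pinned in the version catalog while the hunk shrinks this block by one entry (7 lines to 6), which leaves the test stack half pinned locally and half managed by Spring Boot. Spring Boot's dependency management also supplies a Mockito version, so either drop this pin in the same change or add a comment beside it stating why the catalog must override the managed version. Without that, a later Boot bump can bring back the same kind of version conflict for Mockito.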
Collaborator Author

@yeikel yeikel Jun 22, 2025

JUnit 5, in particular, was causing a direct conflict that might be resolved by upgrading or aligning versions. However, since it’s brought in transitively by one of our direct test dependencies, maintaining version alignment doesn't seem worth pursuing.

Mockito and AssertJ are also included transitively and technically fall into the same category, but they didn’t cause any issues during this upgrade.

Overall, reducing the number of explicitly managed dependencies isn’t a bad idea, so I’m open to removing them as well.

@Haarolean What do you think?

Comment on lines +56 to +58
runtimeOnly(libs.micrometer.registry.prometheus){
exclude group: 'com.google.protobuf', module: 'protobuf-java' because("Micrometer uses protobuf-java 4.x, which is incompatible with protobuf-java 3.x used by various dependencies of this project. See https://github.com/prometheus/client_java/issues/1431")
}
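
Review bot: The `exclude group: 'com.google.protobuf', module: 'protobuf-java'` on the Prometheus registry needs a test guarding it, because a class mismatch between the registry and the protobuf-java 3.x left on the classpath would only show up at runtime when metrics are collected or scraped. Add a smoke test that starts the application context with the Prometheus registry enabled and reads the scrape output once, so a linkage error fails the build. Keep the `because(...)` text with the upstream issue link as it is, so the exclusion can be dropped once that issue is resolved.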
Collaborator Author

@yeikel yeikel Jun 22, 2025

This may cause issues for anyone using this functionality, but there does not seem to be a clear fix for this other than prometheus/client_java#1431.

None of our tests seem to be flagging this right now, but it may be a matter of coverage.

@Haarolean What do you think?

Collaborator Author

For now, I pushed b57acf5, which we can revert as needed.