Bump the safe-patch-updates group across 1 directory with 32 updates

[dependabot]

Bumps the safe-patch-updates group with 32 updates in the / directory:

Package	From	To
org.slf4j:slf4j-api	2.0.17	2.0.18
org.slf4j:slf4j-simple	2.0.17	2.0.18
org.slf4j:jcl-over-slf4j	2.0.17	2.0.18
org.slf4j:jul-to-slf4j	2.0.17	2.0.18
org.postgresql:postgresql	42.7.10	42.7.11
com.auth0:java-jwt	4.5.1	4.5.2
org.glassfish.jersey.core:jersey-common	3.1.11	3.1.12
org.glassfish.jersey.core:jersey-server	3.1.11	3.1.12
org.glassfish.jersey.core:jersey-client	3.1.11	3.1.12
org.glassfish.jersey.containers:jersey-container-servlet	3.1.11	3.1.12
org.glassfish.jersey.inject:jersey-hk2	3.1.11	3.1.12
org.glassfish.jersey.connectors:jersey-apache-connector	3.1.11	3.1.12
org.glassfish.jersey.media:jersey-media-jaxb	3.1.11	3.1.12
org.glassfish.jersey.media:jersey-media-json-jackson	3.1.11	3.1.12
org.glassfish.jaxb:jaxb-runtime	4.0.7	4.0.9
org.springframework:spring-core	6.2.18	6.2.19
org.springframework:spring-context	6.2.18	6.2.19
org.springframework:spring-web	6.2.18	6.2.19
org.springframework:spring-websocket	6.2.18	6.2.19
org.springframework:spring-tx	6.2.18	6.2.19
org.springframework:spring-jdbc	6.2.18	6.2.19
org.springframework:spring-beans	6.2.18	6.2.19
org.thymeleaf:thymeleaf	3.1.4.RELEASE	3.1.5.RELEASE
org.operaton.bpm:operaton-engine	1.1.1	1.1.4
org.operaton.bpm:operaton-engine-spring	1.1.1	1.1.4
org.operaton.bpm.model:operaton-bpmn-model	1.1.1	1.1.4
org.apache.tika:tika-core	3.3.0	3.3.1
org.apache.maven:maven-core	3.9.15	3.9.16
org.apache.maven:maven-plugin-api	3.9.15	3.9.16
org.apache.maven.plugins:maven-surefire-plugin	3.5.5	3.5.6
org.apache.maven.plugins:maven-failsafe-plugin	3.5.5	3.5.6
org.apache.maven.plugins:maven-enforcer-plugin	3.6.2	3.6.3

Updates org.slf4j:slf4j-api from 2.0.17 to 2.0.18

Updates org.slf4j:slf4j-simple from 2.0.17 to 2.0.18

Updates org.slf4j:jcl-over-slf4j from 2.0.17 to 2.0.18

Updates org.slf4j:jul-to-slf4j from 2.0.17 to 2.0.18

Updates org.slf4j:slf4j-simple from 2.0.17 to 2.0.18

Updates org.slf4j:jcl-over-slf4j from 2.0.17 to 2.0.18

Updates org.slf4j:jul-to-slf4j from 2.0.17 to 2.0.18

Updates org.postgresql:postgresql from 42.7.10 to 42.7.11

Release notes

Sourced from org.postgresql:postgresql's releases.

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Changes

• fix: Add sources and javadocs to shaded published lib generation @​sehrope (#4043)
• update Changelog and website for release of 42.7.11 @​davecramer (#4042)
• Fix scram fix location in changelog and update published artifact developer list @​sehrope (#4041)
• Restrict test with scram_iterations to v16+ and release notes @​sehrope (#4040)
• chore(deps): update ubuntu:24.04 docker digest to 84e77de @​renovate-bot (#4017)
• test: add tests for QueryExecutor#getTransactionState @​vlsi (#4006)
• chore(deps): update actions/create-github-app-token action to v2.2.2 @​renovate-bot (#3983)
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN @​vlsi (#3979)
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn @​vlsi (#3975)
• test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication @​vlsi (#3974)
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres @​vlsi (#3966)
• test: move test table creation from @​BeforeEach to @​BeforeAll @​vlsi (#3967)
• Return jsonb as PGObject fixes Issue #3926 @​davecramer (#3956)
• Update docker scripts @​davecramer (#3958)
• implement require_auth, this is pretty much how libpq does this. @​davecramer (#3895)
• docs: add SCRAM authentication test setup section to TESTING.md @​emmaeng700 (#3945)
• Add RequireServerVersion annotation for tests @​sehrope (#3939)

🐛 Bug Fixes

• fix: ensure extended protocol messages end with Sync message @​vlsi (#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command @​vlsi (#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW @​vlsi (#3973)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in @​vlsi (#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers @​vlsi (#3962)
• fix: use compareTo for LogSequenceNumber comparison @​vlsi (#3961)
• fix: release COPY lock on IOException to prevent connection hang (#3957) @​vlsi (#3960)

🧰 Maintenance

• style: replace @​exception with @​throws in getBoolean javadoc @​vlsi (#4035)
• chore: use @​vlsi/github-actions-random-matrix npm package @​vlsi (#4008)
• chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres @​vlsi (#4007)
• chore: bump errorprone to 2.48.0 @​vlsi (#4005)
• test: add @​DisableLogger annotation to suppress expected log warnings in tests @​vlsi (#3971)
• chore: suppress deprecations in test code to reduce build verbosity @​vlsi (#3972)
• chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed @​vlsi (#3970)
• chore: use greedy pairwise coverage for CI matrix generation @​vlsi (#3965)
• chore: use full version tags in GitHub Actions comments @​vlsi (#3963)

⬆️ Dependencies

... (truncated)

Changelog

Sourced from org.postgresql:postgresql's changelog.

[42.7.11] (2026-04-28)

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior [PR #3895](pgjdbc/pgjdbc#3895)

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR #3966](pgjdbc/pgjdbc#3966)
• chore: upgrade Gradle to v9 [PR #3978](pgjdbc/pgjdbc#3978)

Fixed

• fix: ensure extended protocol messages end with Sync message [PR #3728](pgjdbc/pgjdbc#3728)
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](pgjdbc/pgjdbc#3996)
• fix: retry with SSL on IOException when sslMode=ALLOW [PR #3973](pgjdbc/pgjdbc#3973)
• fix: make sure the driver honours connectTimeout when retrying the connection [PR #3968](pgjdbc/pgjdbc#3968)
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in [PR #3968](pgjdbc/pgjdbc#3968)
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR #3962](pgjdbc/pgjdbc#3962)
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR #3961](pgjdbc/pgjdbc#3961)
• fix: release COPY lock on IOException to prevent connection hang [PR #3957](pgjdbc/pgjdbc#3957)
• fix: return jsonb as PGObject instead of String [PR #3956](pgjdbc/pgjdbc#3956)
• fix: align SSL key file permission check with libpq [PR #3952](pgjdbc/pgjdbc#3952)
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR #3905](pgjdbc/pgjdbc#3905)

Commits

• 78e261f fix: Add sources and javadocs to shaded published lib generation
• 1e09fa0 update Changelog and website for release of 42.7.11 (#4042)
• d479fa5 Fix scram fix location in changelog and update published artifact developer l...
• b04fc46 docs: Add scram max iters fix to changelog
• cf54822 test: Disable scram test on older version without scram_iterations GUC
• 7dbcc79 test: Add SCRAM max iteration tests
• c9d41d1 fix: Limit SCRAM PBKDF2 iterations accepted from the server
• a340cb2 style: replace @​exception with @​throws in getBoolean javadoc
• 77837f8 fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....
• 23af03b chore(deps): update actions/checkout action to v6
• Additional commits viewable in compare view

Updates com.auth0:java-jwt from 4.5.1 to 4.5.2

Release notes

Sourced from com.auth0:java-jwt's releases.

4.5.2

Added

• Chore: Bump update commons-beanutils dependency #761 (tanya732)
• Chore: Update Readme with Java 21 #760 (tanya732)

Changelog

Sourced from com.auth0:java-jwt's changelog.

4.5.2 (2026-04-29)

Full Changelog

Added

• Chore: Bump update commons-beanutils dependency #761 (tanya732)
• Chore: Update Readme with Java 21 #760 (tanya732)

Commits

• 695fd2b Release 4.5.2 (#765)
• 4ac3178 Release 4.5.2
• d056a79 Bump com.fasterxml.jackson.core:jackson-databind from 2.21.2 to 2.21.3 in /li...
• 37f195a Bump com.fasterxml.jackson.core:jackson-databind in /lib
• dba4c93 Chore: Bump update commons-beanutils dependency (#761)
• 84d4c8f Merge branch 'master' into chore/bump-commons-beanutils
• 5c923d4 Chore: Add SCA scan workflow (#762)
• 09a4da5 Merge branch 'master' into chore/add-sca-scan
• ef47e64 Chore: Add SCA scan workflow
• 3fcfbcb Chore: Bump update commons-beanutils dependency
• Additional commits viewable in compare view

Updates org.glassfish.jersey.core:jersey-common from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.core:jersey-server from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.core:jersey-client from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.containers:jersey-container-servlet from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.inject:jersey-hk2 from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.connectors:jersey-apache-connector from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.media:jersey-media-jaxb from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.media:jersey-media-json-jackson from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.core:jersey-server from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.core:jersey-client from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.containers:jersey-container-servlet from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.inject:jersey-hk2 from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.connectors:jersey-apache-connector from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.media:jersey-media-jaxb from 3.1.11 to 3.1.12

Updates org.glassfish.jersey.media:jersey-media-json-jackson from 3.1.11 to 3.1.12

Updates org.glassfish.jaxb:jaxb-runtime from 4.0.7 to 4.0.9

Updates org.springframework:spring-core from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-core's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Avoid too many character access attempts in AntPathMatcher #36886
• Track operations during SpEL expression evaluation #36887
• Ensure getters have non-void return types in SpEL #36888
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap #36873
• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
• Server Sent Event does not support multi-line comments #36867
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
• Bean Background Bootstrap and Lazy Init #36847
• Fix JSP tag processing #36798
• Fix script processing capabilities #36796
• Parsing failure for MIME type with quoted parameter values #36734
• Circular dependency between supplier-created beans is silently ignored on startup #36732
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
• Regression on value class parameter handling #36720
• Cache collisions in CachingResourceResolver #36718

... (truncated)

Commits

• 6214eae Release v6.2.19
• 76a36df Track operations during SpEL expression evaluation
• 3d47da9 Ensure getters have non-void return types in SpEL
• 519d733 Improve additional error messages in SpEL
• ec89834 Further improve pattern caching in SpEL
• b294371 Avoid too many character access attempts in AntPathMatcher
• 1829b42 Ensure consistent JSP tag attribute processing
• 86d9979 Refine JavaScriptUtils#javaScriptEscape
• 3aaec98 Prevent special prefixes in default view name resolution
• ee4e790 Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Updates org.springframework:spring-context from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-context's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Avoid too many character access attempts in AntPathMatcher #36886
• Track operations during SpEL expression evaluation #36887
• Ensure getters have non-void return types in SpEL #36888
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap #36873
• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
• Server Sent Event does not support multi-line comments #36867
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
• Bean Background Bootstrap and Lazy Init #36847
• Fix JSP tag processing #36798
• Fix script processing capabilities #36796
• Parsing failure for MIME type with quoted parameter values #36734
• Circular dependency between supplier-created beans is silently ignored on startup #36732
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
• Regression on value class parameter handling #36720
• Cache collisions in CachingResourceResolver #36718

... (truncated)

Commits

• 6214eae Release v6.2.19
• 76a36df Track operations during SpEL expression evaluation
• 3d47da9 Ensure getters have non-void return types in SpEL
• 519d733 Improve additional error messages in SpEL
• ec89834 Further improve pattern caching in SpEL
• b294371 Avoid too many character access attempts in AntPathMatcher
• 1829b42 Ensure consistent JSP tag attribute processing
• 86d9979 Refine JavaScriptUtils#javaScriptEscape
• 3aaec98 Prevent special prefixes in default view name resolution
• ee4e790 Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Updates org.springframework:spring-web from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-web's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Avoid too many character access attempts in AntPathMatcher #36886
• Track operations during SpEL expression evaluation #36887
• Ensure getters have non-void return types in SpEL #36888
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap #36873
• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
• Server Sent Event does not support multi-line comments #36867
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
• Bean Background Bootstrap and Lazy Init #36847
• Fix JSP tag processing #36798
• Fix script processing capabilities #36796
• Parsing failure for MIME type with quoted parameter values #36734
• Circular dependency between supplier-created beans is silently ignored on startup #36732
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
• Regression on value class parameter handling #36720
• Cache collisions in CachingResourceResolver #36718

... (truncated)

Commits

• 6214eae Release v6.2.19
• 76a36df Track operations during SpEL expression evaluation
• 3d47da9 Ensure getters have non-void return types in SpEL
• 519d733 Improve additional error messages in SpEL
• ec89834 Further improve pattern caching in SpEL
• b294371 Avoid too many character access attempts in AntPathMatcher
• 1829b42 Ensure consistent JSP tag attribute processing
• 86d9979 Refine JavaScriptUtils#javaScriptEscape
• 3aaec98 Prevent special prefixes in default view name resolution
• ee4e790 Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Updates org.springframework:spring-websocket from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-websocket's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Avoid too many character access attempts in AntPathMatcher #36886
• Track operations during SpEL expression evaluation #36887
• Ensure getters have non-void return types in SpEL #36888
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap #36873
• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
• Server Sent Event does not support multi-line comments #36867
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
• Bean Background Bootstrap and Lazy Init #36847
• Fix JSP tag processing #36798
• Fix script processing capabilities #36796
• Parsing failure for MIME type with quoted parameter values #36734
• Circular dependency between supplier-created beans is silently ignored on startup #36732
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
• Regression on value class parameter handling #36720
• Cache collisions in CachingResourceResolver #36718

... (truncated)

Commits

• 6214eae Release v6.2.19
• 76a36df Track operations during SpEL expression evaluation
• 3d47da9 Ensure getters have non-void return types in SpEL
• 519d733 Improve additional error messages in SpEL
• ec89834 Further improve pattern caching in SpEL
• b294371 Avoid too many character access attempts in AntPathMatcher
• 1829b42 Ensure consistent JSP tag attribute processing
• 86d9979 Refine JavaScriptUtils#javaScriptEscape
• 3aaec98 Prevent special prefixes in default view name resolution
• ee4e790 Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Updates org.springframework:spring-tx from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-tx's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Avoid too many character access attempts in AntPathMatcher #36886
• Track operations during SpEL expression evaluation #36887
• Ensure getters have non-void return types in SpEL #36888
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap