renovatebot(deps): update spring security to v6.5.0-rc1 #6759

renovate · 2025-04-22T00:18:07Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.security:spring-security-web (source)	`6.5.0-M3` -> `6.5.0-RC1`
org.springframework.security:spring-security-test (source)	`6.5.0-M3` -> `6.5.0-RC1`
org.springframework.security:spring-security-crypto (source)	`6.5.0-M3` -> `6.5.0-RC1`
org.springframework.security:spring-security-core (source)	`6.5.0-M3` -> `6.5.0-RC1`
org.springframework.security:spring-security-config (source)	`6.5.0-M3` -> `6.5.0-RC1`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

`v6.5.0-RC1`

Compare Source

⭐ New Features

Add AuthenticationEntryPoint for DPoP #16900
Add DestinationPathPatternMessageMatcher #16635
Add link to docs zip file to the reference #16800
Add MatchResult to MessageMatcher #16766
Add not null validation for UserDetailsChecker in AbstractUserDetailsAuthenticationProvider #16710
Add RelayState-based Authentication Request Respository #14793
Add request_uri in OAuth2ParameterNames #16947
Add support for access token in body parameter as per rfc 6750 Sec. 2.2 #15819
Add Support Postgres To JdbcUserCredentialRepository #16839
Add support ResolvableTypeProvider to AuthorizationEvent #16762
Add toString to IpAddressMatcher #16818
Add XML support for HttpsRedirectFilter #16775
Allow retrieving username from SAML Assertion Attributes #12136
Deprecate ConfigAttribute #16774
Deprecate SecurityConfig #16773
Deprecate SecurityMetadataSource and implementations #16772
Deprecate usages of PathMatcher in Web Socket support #16500
Ensure ID Token is updated after refresh token #16589
Explain behaviour with XMLHttpRequest on 401 response #16280
Fix attribute name in http.adoc #16790
Improve entity fetching from db #16727
Include AuthenticationRequest in AuthenticationException #16505
Jackson deserialization of ClientAuthenticationMethods should recognize all values #16826
Make DPoP IatClaimValidator public to allow configuring clock and clockSkew #16921
Method Security templates support use deep non-aliased attributes #16550
OAuth2 Client Authentication section of docs uses deprecated classes #16925
PathPatternRequestMatcher Include Optional Servlet Path in the pattern #16765
Polish Pattern Matching Usage #16493
Prepare oauth2-client deprecations for removal in Spring Security 7 #16913
Prepare Request Matching for Spring Framework Changes #16417
Prevent downgraded usage of DPoP-bound access tokens #16937
Removed Unnecessary Code in Documentation #16739
Replace dynamic error message with static "Access Denied" #16528
Saml2WebSsoAuthenticationFilter should allow requests through when SAMLResponse is absent #16000
Simplify Response Validation in OpenSaml5AuthenticationProvider #16915
Support Customizing Set of OpenSAML Validators #15578
Update HandlerMappingIntrospector Usage in Cache filter support #16536
Update DeferredCsrfToken to implement Supplier #16905
Update HandlerMappingIntrospector Usage in CORS support #16657
Update HandlerMappingIntrospector Usage in CORS support #16501
Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #16789
Update test object factories to Tests naming convention #16686
Use SpringCacheBasedTicketCache in cas.adoc #16847
Use Tests naming convention for WebAuthn test object factories #16865
🪲 Bug Fixes
- [Docs] Broken link on Spring MVC Test Integration page #16791
- ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16902
- Annotation templates should pick up deep non-aliased attributes #16312
- Clarify WebInvocationPrivilegeEvaluator JavaDoc #16788
- Fix typo and inline code formatting in documentation #16717
- Fix typo code tag #16740
- Fix typos Open SAML 5 Javadoc referencing Open SAML 4 #16729
- Fix WebAuthn saves Anonymous PublicKeyCredentialUserEntity #16821
- PathPatternRequestMatcher should not fail when the RequestPath cache is empty #16796
- Polish Documentation #16835
- Polish javadoc #16908
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator fails with PathPatternRequestMatcher #16771
- Restore Migration and Preparation Steps #16873
- Typo in Base64StringKeyGenerator exception message #16868
- Update kotlin.adoc to add required spread operator(*) #16859
- WebFlux reference links to Servlet docs #16792
- XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #16845
🔨 Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #16768
- Bump com.google.code.gson:gson from 2.12.1 to 2.13.0 #16930
- Bump com.webauthn4j:webauthn4j-core from 0.28.6.RELEASE to 0.29.0.RELEASE #16864
- Bump Gradle Wrapper from 8.10.2 to 8.13 #16648
- Bump io.freefair.gradle:aspectj-plugin from 8.13 to 8.13.1 #16823
- Bump io.micrometer:context-propagation from 1.1.2 to 1.1.3 #16932
- Bump io.micrometer:micrometer-observation from 1.14.5 to 1.14.6 #16933
- Bump io.mockk:mockk from 1.13.17 to 1.14.0 #16917
- Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #16943
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #16918
- Bump org-aspectj from 1.9.22.1 to 1.9.23 #16737
- Bump org-aspectj from 1.9.22.1 to 1.9.24 #16931
- Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final #16897
- Bump org.htmlunit:htmlunit from 4.11.0 to 4.11.1 #16831
- Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.1 to 1.10.2 #16910
- Bump org.junit:junit-bom from 5.12.1 to 5.12.2 #16929
- Bump org.mockito:mockito-bom from 5.16.1 to 5.17.0 #16898
- Bump org.seleniumhq.selenium:htmlunit3-driver from 4.29.0 to 4.30.0 #16830
- Bump org.seleniumhq.selenium:selenium-java from 4.30.0 to 4.31.0 #16896
- Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 #16956
- Bump org.springframework:spring-framework-bom from 6.2.5 to 6.2.6 #16955
🔩 Build Updates
- Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #16807
- Bump spring-io/spring-doc-actions from 0.0.19 to 0.0.20 #16893
- Release 6.5.0-RC1 #16974
❤️ Contributors

Thank you to all the contributors who worked on this release:

@Chu3laMan, @MartinEmrich, @OrangeDog, @amm0124, @ayoubAnbara, @evgeniycheban, @filiphr, @franticticktick, @jonah1und1, @kse-music, @kwondh5217, @mapsu, @msamborski-orbis, @ngocnhan-tran1996, @pat-mccusker, @pogihae, @vasanth-79, @wtigerhyunsu, and @yhao3

Configuration

📅 Schedule: Branch creation - "after 5pm,before 9am" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.

renovatebot(deps): update spring security to v6.5.0-rc1

0282ba9

renovate bot added Bot Operations carried out by automated bots, such as RenovateBot, etc Renovate labels Apr 22, 2025

apereocas-bot added this to the 7.3.0-RC1 milestone Apr 22, 2025

apereocas-bot added Gradle Build & Release Dependencies & Modules Skip CI labels Apr 22, 2025

apereocas-bot approved these changes Apr 22, 2025

View reviewed changes

apereocas-bot merged commit 078df9a into master Apr 22, 2025
2 checks passed

apereocas-bot deleted the renovate/spring-security branch April 22, 2025 00:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

renovatebot(deps): update spring security to v6.5.0-rc1 #6759

renovatebot(deps): update spring security to v6.5.0-rc1 #6759

renovatebot(deps): update spring security to v6.5.0-rc1 #6759

renovatebot(deps): update spring security to v6.5.0-rc1 #6759

Conversation

Release Notes

v6.5.0-RC1

⭐ New Features

🪲 Bug Fixes

🔨 Dependency Upgrades

🔩 Build Updates

❤️ Contributors

Configuration

`v6.5.0-RC1`