Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v4.0.6

:lady_beetle: Bug Fixes

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

:notebook_with_decorative_cover: Documentation

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

:hammer: Dependency Upgrades

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914

... (truncated)

• 8821ad2 Release v4.0.6
• 9e4048a Merge branch '3.5.x' into 4.0.x
• 20bb11c Next development version (v3.5.15-SNAPSHOT)
• 98daa8e Merge branch '3.5.x' into 4.0.x
• 9dc5aa2 Polish
• 874f629 Fix default security with actuator but without health
• e41b3bf Enable hostname verification for SSL connections to Elasticsearch
• ef8527b Merge branch '3.5.x' into 4.0.x
• f533a45 Do not follow symlinks when writing PID file
• 4a7bd33 Merge branch '3.5.x' into 4.0.x
• Additional commits viewable in compare view

Sourced from org.springframework.ai:spring-ai-bom's releases.

Spring AI 1.1.5 Release Notes

🎯 Highlights

This release includes 9 bug fixes, 3 documentation improvements, 11 other improvements.

⚠️ Upgrading Notes

• The Pixtral 12B model has been removed and Pixtral Large is deprecated. Update your model configuration to use the currently recommended Pixtral models to avoid issues in future releases. 447d2a4

📢 Noteworthy

• The Pixtral 12B model has been removed and the Pixtral Large model is now deprecated. Integration tests have been updated to use the recommended replacement models. Users relying on these models should migrate to the recommended alternatives. 447d2a4

🪲 Bug Fixes

• Fixed the CosmosDB vector store's doDelete method to properly parameterize queries, preventing potential SQL injection vulnerabilities and improving correctness. 6039e57
• Fixed an issue where conversationId was not correctly applied in the VectorStoreChatMemoryAdvisor filter, which could cause incorrect memory retrieval across conversations. 3cccfdf
• Corrected key handling in the vector store filter expression converter to ensure filter expressions are properly evaluated. 01386e2
• Resolved test non-determinism in the BedrockConverse streaming token usage tests, improving test reliability. 4747a3c
• Corrected the test class naming to properly apply the integration test suffix, ensuring proper test categorization and execution. #5853
• Corrected string parsing logic for the toolChoice field in OpenAiSdkChatModel to ensure proper handling of tool choice configurations. aeb33b0 via #5735
• Fixed an issue where the extra_body parameter was incorrectly included in outgoing OpenAI API requests, which could cause unexpected behavior. 4c0120c
• Resolved issues with Javadoc generation and configuration to ensure API documentation is correctly produced. 0a71804
• Corrected the test bypass condition so integration tests are properly skipped when required API keys are not configured in the environment. bc26dc1

📓 Documentation

• Updated the README to include a note about CPU architecture requirements or compatibility information. a21e988
• Added documentation explaining how MCP servers can re-publish tools from MCP clients, clarifying the tool propagation model in multi-server setups. #5778
• Improved documentation to clarify the intended usage and behavior of the extra_body parameter in OpenAI API requests. 3d4d75b

🔨 Dependency Upgrades

• Updated the Spring Boot dependency to version 3.5.14, incorporating the latest bug fixes and improvements from the Spring Boot team. eb4c9a5
• Updated the Spring Boot dependency to version 3.5.13 as an intermediate upgrade. 9b902f8
• Updated document parsing dependencies: Apache Tika upgraded to 3.3.0, jsoup to 1.22.1, and Apache PDFBox to 3.0.7 for improved document processing capabilities and bug fixes. f25fc52

🔩 Build Updates

• Updated GitHub Actions workflow dependencies to their latest versions to improve CI/CD reliability and security. 9b70b38
• Changed the PR check workflow to use mvn package instead of mvn test for more efficient pull request validation. 7d2e455
• Integration tests are now skipped in the CI pipeline to improve build performance, and the release notes generation workflow has been removed. #5688
• The project has been bumped to the next development version 1.1.5-SNAPSHOT following the release. 400dc42

🔐 Security

• Hardened the default cache directory used for transformer models to prevent unauthorized access or tampering with cached model files. aac6b80
• Fixed a potential denial-of-service vulnerability where a malformed PDF could cause excessive memory allocation during document parsing. b61ac6a

🙏 Contributors

Thanks to all contributors who made this release possible:

• Daniel Garnier-Moiroux (@​Kehrlann)
• David Frizelle (@​dafriz)
• Emmanuel Essien-nta (@​essien)
• Eric Bottard (@​ericbottard)

... (truncated)

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions