
Spring News Roundup: RCs of Spring Boot, Data, Security, Auth, Session, Integration, Web Services


There was a flurry of activity in the Spring ecosystem during the week of April 21st, 2025, highlighting first release candidates of Spring Boot, Spring Data 2025.0.0, Spring Security, Spring Authorization Server, Spring Session, Spring Integration, Spring Modulith and Spring Web Services. There were also second milestone releases of Spring Data 2025.1.0 and Spring for Apache Kafka and a first milestone release of Spring Vault.

Spring Boot

The first release candidate of Spring Boot 3.5.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: new annotations, @ServletRegistration and @FilterRegistration, as an annotation-based alternative to registering servlet and filter beans using the ServletRegistrationBean and FilterRegistrationBean classes; and new classes that support Docker credential stores and helpers. More details on this release may be found in the release notes.

The releases of Spring Boot 3.4.5 and 3.3.11 (announced here and here, respectively) provide bug fixes, improvements in documentation and dependency upgrades. More importantly, the Spring Boot team has disclosed that these two releases, along with versions 3.2.14, 3.1.16 and 2.7.25, address CVE-2025-22235, a vulnerability in which the overloaded to() method, defined in the EndpointRequest class, creates an incorrect null/** matcher, under certain conditions, if the actuator endpoint is not exposed. Further details on these releases may be found in the release notes for version 3.4.5 and version 3.3.11.

Spring Data

The first release candidate of Spring Data 2025.0.0 features: refinements to the Hibernate Query Language (HQL), Elastic Query Language (EQL) and Jakarta Persistence Query Language (JPQL) to resolve various query issues; and new deprecation warnings for intended breaking changes, such as the removal of support for JMX, planned for Spring Data 4.0. This version aligns with Spring Boot 3.5.0-RC1 and the Spring Data team plans a GA release in May 2025.

The second milestone release of Spring Data 2025.1.0 ships with support for JSpecify on sub-projects: Spring Data Commons, Spring Data JPA, Spring Data MongoDB, Spring Data LDAP, Spring Data Cassandra, Spring Data KeyValue, and Spring Data Elasticsearch. There was also a breaking change with a significant rewrite of the QueryEnhancer interface such that configuration via the spring.data.jpa.query.native.parser property is no longer available. Configuration is now possible via the @EnableJpaRepositories annotation. More details on this release may be found in the release notes.

Spring Security

The first release candidate of Spring Security 6.5.0 delivers bug fixes, dependency upgrades and new features such as: refinements to the implementation of the OAuth 2.0 Demonstrating Proof of Possession (DPoP) specification that include a new AuthenticationEntryPoint interface that returns the WWW-Authenticate header upon failure of a DPoP authentication; and refinements to the PathPatternRequestMatcher class to use a servlet in the path pattern instead of implementing the RequestMatcher interface for the servlet. Further details on this release may be found in the release notes and what's new guide.

The releases of Spring Security 6.4.5 and 6.3.9 (announced here and here, respectively) provide bug fixes, improvements in documentation and dependency upgrades. More importantly, the Spring Security team has disclosed that these two releases, along with versions 6.2.11, 6.1.15, 6.0.17, 5.8.19 and 5.7.17, address CVE-2025-22234, a follow-up to CVE-2025-22228, where the timing attack mitigation, implemented in the DaoAuthenticationProvider class, had been inadvertently broken. More details on these releases may be found in the release notes for version 6.4.5 and version 6.3.9.

Spring Authorization Server

The first release candidate of Spring Authorization Server 1.5.0 provides dependency upgrades and new features such as: the addition of authorization server metadata for the OAuth 2.0 DPoP and Pushed Authorization Requests (PAR) specifications; and a new REQUEST_URI constant, defined in the Spring Security OAuth2ParameterNames class, to facilitate flow in PAR. Further details on this release may be found in the release notes.

Spring Session

The first release candidate of Spring Session 3.5.0 ships with bug fixes, dependency upgrades and new features: a new CompositeHttpSessionIdResolver class, an implementation of the HttpSessionIdResolver interface, that iterates over a given collection of delegate instances of the HttpSessionIdResolver; and an optimization of the JdbcIndexedSessionRepository class to start JDBC transactions only when there are session updates with a JDBC-based repository. More details on this release may be found in the release notes.

Spring Integration

The first release candidate of Spring Integration 6.5.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: discontinued use of the logger.error() method in the TcpSendingMessageHandler class that was deemed unnecessary; and a new LockRequestHandlerAdvice class, based on the LockRegistry interface, that maintains mutual access to underlying services. Further details on this release may be found in the release notes.

Spring Modulith

The first release candidate of Spring Modulith 1.4.0 delivers bug fixes, dependency upgrades and improvements such as: performance improvements in use of the DefaultEventPublicationRegistry class and the publishEvent() method defined in the Spring Framework AbstractApplicationContext class; and state change detection for instances of the Scenario class should only accept non-empty collections by default. More details on this release may be found in the release notes.

Spring for Apache Kafka

The second milestone release of Spring for Apache Kafka 4.0.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: client dependency upgrades to Apache Kafka 4.0.0; and an optimization in the MessagingMessageListenerAdapter class that now returns null from the invoke() method, defined in the DelegatingInvocableHandler class, that avoids an unnecessary instance return of the InvocationResult class. Further details on this release may be found in the release notes.

Spring Web Services

The first release candidate of Spring Web Services 4.1.0 ships with bug fixes, improvements in documentation, dependency upgrades and new features such as: support for configuring arbitrary options for Apache Web Services Security for Java (WSS4J) via the Wss4jSecurityInterceptor class; and the ability to create custom implementations of the MethodArgumentResolver and MethodReturnValueHandler interfaces. More details on this release may be found in the release notes.

Spring Vault

The first milestone release of Spring Vault 3.2.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: support for Instance Metadata Service Version 2 (IMDSv2) on AWS EC2; and the ability to use the GitHub token authentication mechanism. Further details on this release may be found in the release notes.
