VMware has released Spring Boot 2.6. As the second and last feature release of 2021, it improves Docker image building, provides more health and management information, and allows testing Spring MVC applications with the WebTestClient interface. This release also updates dependencies, such as Spring Security 5.6, Spring Data 2021.1, Spring Kafka 2.8, Hibernate 5.6, Kotlin 1.6, and JUnit 5.8.
Fixing the Log4Shell Vulnerability
A serious vulnerability was recently discovered in the popular Log4j library that allows attackers to remotely execute malicious code. The Spring Boot team has reported that users would only be affected if Log4j was chosen as their default logging library. More details on the Log4j vulnerability may be found in this InfoQ news story.
Spring Boot 3 Looms Large
VMware is currently overhauling Spring and Spring Boot. Spring 6 will require Java 17 and Jakarta EE 9 as minimum versions and provide first-class support for Java modules and native compilation. Natively compiled Java applications start much faster and use less memory at runtime. Spring 6 will also bake observability into Spring and drop outdated features and third-party integrations. Spring Boot 3 will use Spring 6 and is expected at the end of 2022 at the earliest.
Spring Native creates native executables for Spring applications. Its 0.11 release relies on GraalVM 21.3 and Spring Boot 2.6.
The announcement called out Spring Boot 2.4.13 as the last open-source release of Spring Boot 2.4. That shows a shorter lifetime of Spring Boot releases in the new, six-month release cadence: Spring Boot 2.2 had 456 days, Spring Boot 2.3 had 391 days, and Spring Boot 2.4 is down to 371 days. This trend is expected to continue with Spring 6 and Spring Boot 3, as VMware recently explained:
Spring Framework 6 users are strongly encouraged to join our stream of feature releases, not expecting to stay on 6.0.x for long but rather making the 6.1, 6.2, etc. upgrades a part of their regular usage model.
Commercial support is still available for Spring Boot releases 2.2 and above.
Spring Boot 2.6.1 followed just ten days after the 2.6 release. Spring Boot versions 2.3, 2.4, and 2.5 took 2-3 times longer until their first point release: 28 days, 29 days, and 20 days respectively.
Noteworthy Changes in the Release
Docker image building sees various improvements: images can get additional tags, the network driver of the container that runs the Cloud Native Buildpacks builder process can be configured, and the volume names that buildpacks use to cache image layers can be customized.
Health groups can now use an additional path on either the main or management port to improve security. Kubernetes liveness and readiness checks will benefit from this feature. Health groups can also include or exclude parts of a CompositeHealthContributor interface.
Spring Boot exposes new metrics, such as the start time of the application, the time to application readiness, free and total disk space for the partition of the current working directory, thread pool statistics, and Jetty connection and SSL statistics. Spring Boot is now able to export metrics to the Dynatrace v2 API.
Spring Boot now offers auto-configuration for Spring Data Envers and Spring AMQP's new spring-rabbit-stream module. Spring Integration PollerMetadata (which polls an unbounded number of messages) can now be customized through spring.integration.poller.* properties.
Log4j2's composite configuration can now be used: setting the logging.log4j2.config.override property to a comma-separated list of configuration files will override the main configuration. Applications can set the "SameSite" attribute on session cookies of a servlet application.
The application's messages.properties is now used when resolving {parameters} in Bean Validation messages. The session properties for reactive servers are available under server.reactive.session and offer parity with the servlet versions.
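The health-group and session-cookie changes described above, as an added application.properties example (not taken from the release announcement or the Spring Boot project). The port number, probe paths, and chosen SameSite value are assumptions made for illustration; the liveness and readiness groups are the ones Spring Boot provides for Kubernetes probes.

```properties
# Added example: port number and probe paths are illustrative choices.

# Keep the actuator endpoints on a separate management port that is
# not published outside the cluster.
management.server.port=9090

# Enable the built-in liveness and readiness health groups
# (enabled automatically when Spring Boot detects Kubernetes).
management.endpoint.health.probes.enabled=true

# Spring Boot 2.6: serve each health group on an additional path.
# The "server:" prefix selects the main application port, so probes
# exercise the port that carries real traffic while the rest of
# /actuator stays on the management port.
management.endpoint.health.group.liveness.additional-path=server:/livez
management.endpoint.health.group.readiness.additional-path=server:/readyz

# Spring Boot 2.6: SameSite attribute on the servlet session cookie.
# "strict" keeps the cookie off all cross-site requests; "lax" is the
# usual fallback when cross-site top-level navigation must keep the session.
server.servlet.session.cookie.same-site=strict
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.http-only=true
```

With this configuration a Kubernetes livenessProbe and readinessProbe would target /livez and /readyz on the application port, and no Service or Ingress needs to expose port 9090.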
The new annotation @WebServiceServerTest creates a test with @Endpoint beans and auto-configures a MockWebServiceClient bean to test web service endpoints.
The wait and maxAttempts properties of the Maven plugin's start goal can now be configured from the command line. Specific properties can also be excluded from the build-info.properties generated by the Spring Boot Maven or Gradle plugins.
This release also provides updates to Spring HATEOAS 1.4, Spring AMQP 2.4, and Spring Session 2021.1.0. Other noteworthy non-Spring updates are database drivers, Micrometer 1.8, and Mockito 4.0.
The release notes list all upgrades and noteworthy changes.