Bump the backend-prod group across 3 directories with 10 updates

[dependabot]

Bumps the backend-prod group with 10 updates in the / directory:

Package	From	To
org.springframework.boot:spring-boot-starter-parent	3.5.11	3.5.13
software.amazon.awssdk:s3	2.42.7	2.42.26
org.springframework.security:spring-security-config	6.5.8	6.5.9
org.springframework.security:spring-security-core	6.5.8	6.5.9
org.springframework.security:spring-security-crypto	6.5.8	6.5.9
com.fasterxml.jackson.datatype:jackson-datatype-jdk8	2.21.1	2.21.2
org.flywaydb:flyway-mysql	12.0.3	12.3.0
org.mariadb.jdbc:mariadb-java-client	3.5.7	3.5.8
org.projectlombok:lombok	1.18.42	1.18.44
com.fasterxml.jackson.datatype:jackson-datatype-hibernate6	2.21.1	2.21.2

Bumps the backend-prod group with 1 update in the /client directory: org.springframework.boot:spring-boot-starter-parent.
Bumps the backend-prod group with 10 updates in the /server directory:

Package	From	To
org.springframework.boot:spring-boot-starter-parent	3.5.11	3.5.13
software.amazon.awssdk:s3	2.42.7	2.42.26
org.springframework.security:spring-security-config	6.5.8	6.5.9
org.springframework.security:spring-security-core	6.5.8	6.5.9
org.springframework.security:spring-security-crypto	6.5.8	6.5.9
com.fasterxml.jackson.datatype:jackson-datatype-jdk8	2.21.1	2.21.2
org.flywaydb:flyway-mysql	12.0.3	12.3.0
org.mariadb.jdbc:mariadb-java-client	3.5.7	3.5.8
org.projectlombok:lombok	1.18.42	1.18.44
com.fasterxml.jackson.datatype:jackson-datatype-hibernate6	2.21.1	2.21.2

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates software.amazon.awssdk:s3 from 2.42.7 to 2.42.26

Updates org.springframework.security:spring-security-config from 6.5.8 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-config's releases.

6.5.9

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

Commits

• 0c54a55 Release 6.5.9
• 01ff3b0 Add Workflow for Deferring Issues
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• cdd4b36 Update Antora UI Spring to v0.4.26
• 7672f76 Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16
• 3db4999 Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14
• a708d2f Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17
• e726c05 Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
• a7039fb Test Jackson 2 deserializer with unknown primitive WebAuthn ext
• 88ea668 Test Jackson 2 deserializer with unknown obj/arr WebAuthn ext
• Additional commits viewable in compare view

Updates org.springframework.security:spring-security-core from 6.5.8 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-core's releases.

6.5.9

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

Commits

• 0c54a55 Release 6.5.9
• 01ff3b0 Add Workflow for Deferring Issues
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• cdd4b36 Update Antora UI Spring to v0.4.26
• 7672f76 Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16
• 3db4999 Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14
• a708d2f Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17
• e726c05 Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
• a7039fb Test Jackson 2 deserializer with unknown primitive WebAuthn ext
• 88ea668 Test Jackson 2 deserializer with unknown obj/arr WebAuthn ext
• Additional commits viewable in compare view

Updates org.springframework.security:spring-security-crypto from 6.5.8 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-crypto's releases.

6.5.9

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

Commits

• 0c54a55 Release 6.5.9
• 01ff3b0 Add Workflow for Deferring Issues
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• cdd4b36 Update Antora UI Spring to v0.4.26
• 7672f76 Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16
• 3db4999 Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14
• a708d2f Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17
• e726c05 Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
• a7039fb Test Jackson 2 deserializer with unknown primitive WebAuthn ext
• 88ea668 Test Jackson 2 deserializer with unknown obj/arr WebAuthn ext
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.datatype:jackson-datatype-jdk8 from 2.21.1 to 2.21.2

Updates org.flywaydb:flyway-mysql from 12.0.3 to 12.3.0

Updates org.mariadb.jdbc:mariadb-java-client from 3.5.7 to 3.5.8

Release notes

Sourced from org.mariadb.jdbc:mariadb-java-client's releases.

MariaDB Connector/Java 3.5.8

3.5.8 (Apr 2026)

Full Changelog

Issues Resolved

• CONJ-1305 - XAResource.isSameRM() incorrectly returns true when rewriteBatchedStatements differs between connections
• CONJ-1303 - Statement.cancel() fails to kill running query during result streaming

Other

• CONJ-1298 - Performance improvement: avoid decoding extended format

Changelog

Sourced from org.mariadb.jdbc:mariadb-java-client's changelog.

3.5.8 (Apr 2026)

Full Changelog

Issues Resolved

• CONJ-1305 - XAResource.isSameRM() incorrectly returns true when rewriteBatchedStatements differs between connections
• CONJ-1303 - Statement.cancel() fails to kill running query during result streaming

Other

• CONJ-1298 - Performance improvement: avoid decoding extended format

Commits

• 26b34a2 Merge branch 'develop'
• 06d6efe bump CI actions/checkout@v5
• a86a83c bump 3.5.8
• 975f991 [misc] refactor TimestampCodec to implement Codec directly and extract shared...
• 75bb509 [misc] code formatting cleanup
• 4c0b6a0 [misc] refactor TimestampCodec to extend UtilDateCodec and extract common dat...
• a5b7fb1 [misc] convert Reader and Writer from interfaces to final class implementatio...
• d31eb06 [misc] convert ReadableByteBuf from interface to final class implementation, ...
• 11d45a9 [misc] optimize binary row decoder null bitmap checks and simplify signed Big...
• 5aad14c [misc] optimize BigInt column decoding and improve type safety in codec inter...
• Additional commits viewable in compare view

Updates org.projectlombok:lombok from 1.18.42 to 1.18.44

Changelog

Sourced from org.projectlombok:lombok's changelog.

v1.18.44 (March 11th, 2026)

• FEATURE: @Jacksonized now supports both Jackson2 and Jackson3; you'll get a warning until you configure which one (or even both!) you want lombok to generate. #3950.
• BUGFIX: On JDK25, val and @ExtensionMethod could sometimes cause erroneous errors (in that you see errors but compilation succeeds anyway) using javac. #3947.
• BUGFIX: @Jacksonized + fields marked transient would result in those transient fields being serialised which is surprising (and thus undesired) behaviour. #3936.

Commits

• 17c78fe [version] pre-release version bump
• 1edca70 [test][@Jacksonized] Test emission of warning when not choosing jackson ver...
• e789e82 [test] Update the generation of eclipse test targets from JDK14 to JDK25.
• a54cecd [trivial][changelog]
• 3db0a6c [bugfix][@Jacksonized] javac handler of jacksonized checked for existing ja...
• 12572fc [test] Adjusted tests to the new 'jackson version is a list' config key setup.
• 0e9699c [changelog] Document implementation of Jackson3 support: #3950.
• d441be1 [jacksonized] infrastructure for previous merge resolution: Changed to the co...
• d62b2d5 Merge branch 'master' into cachescrubber-gh-3950
• f49f0fe [test] Remove tests for deprecated @Logger(access = MODULE). They're deprec...
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.datatype:jackson-datatype-hibernate6 from 2.21.1 to 2.21.2

Commits

• 12efbf7 [maven-release-plugin] prepare release jackson-datatype-hibernate-parent-2.21.2
• 30e1cba Prep for 2.21.2 release
• 5face60 Post-release dep version bump
• 9f38595 [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Updates org.springframework.boot:spring-boot-starter-parent from 3.5.11 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-starter-parent's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

v3.5.12

🐞 Bug Fixes

• EndpointRequest request matcher for health groups is too complex #49648
• "/cloudfoundryapplication" web path is not limited to Actuator #49645
• RSocket exposes duplicate endpoint for websocket setups #49592
• Fix EndpointRequest.toLinks() when base-path is '/' #49591
• SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49518
• "spring.main.cloud-platform=none" does not disable cloud features #49478
• Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49340
• Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49324
• RouterFunctions descriptions in Actuator do not support nesting #49289
• Maven plugin does not set '-parameters' option when processing AOT code #49268
• SSL support with Docker Compose does not work as documented #49210
• Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49055

... (truncated)

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates software.amazon.awssdk:s3 from 2.42.7 to 2.42.26

Updates org.springframework.security:spring-security-config from 6.5.8 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-config's releases.

6.5.9

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

Commits

• 0c54a55 Release 6.5.9
• 01ff3b0 Add Workflow for Deferring Issues
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• cdd4b36 Update Antora UI Spring to v0.4.26
• 7672f76 Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16
• 3db4999 Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14
• a708d2f Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17
• e726c05 Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
• a7039fb Test Jackson 2 deserializer with unknown primitive WebAuthn ext
• 88ea668 Test Jackson 2 deserializer with unknown obj/arr WebAuthn ext
• Additional commits viewable in compare view

Updates org.springframework.security:spring-security-core from 6.5.8 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-core's releases.

6.5.9

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

Commits

• 0c54a55 Release 6.5.9
• 01ff3b0 Add Workflow for Deferring Issues
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• cdd4b36 Update Antora UI Spring to v0.4.26
• 7672f76 Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16
• 3db4999 Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14
• a708d2f Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17
• e726c05 Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
• a7039fb Test Jackson 2 deserializer with unknown primitive WebAuthn ext
• 88ea668 Test Jackson 2 deserializer with unknown obj/arr WebAuthn ext
• Additional commits viewable in compare view

Updates org.springframework.security:spring-security-crypto from 6.5.8 to 6.5.9

Release notes

Sourced from org.springframework.security:spring-security-crypto's releases.

6.5.9

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

Commits

• 0c54a55 Release 6.5.9
• 01ff3b0 Add Workflow for Deferring Issues
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• cdd4b36 Update Antora UI Spring to v0.4.26