Skip to content

chore(deps): update all dependencies (major) #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
github-actions wants to merge 5 commits into
base: main
Choose a base branch
from
Open

chore(deps): update all dependencies (major) #31

github-actions wants to merge 5 commits into from

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 15, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
@types/node (source) devDependencies major 24.10.125.0.3
tesseract.js dependencies major 6.0.17.0.0
org.springframework.boot:spring-boot-starter-parent (source) parent major 3.5.84.0.1

Release Notes

naptha/tesseract.js (tesseract.js)

v7.0.0

Compare Source

What's Changed
  • Significant improvements to recognition speed (by @​fanchenkong1 in #​1039)
    • A new relaxedsimd build takes advantage of the latest WASM and hardware capabilities.
    • Upgrading from v6 to v7 reduces runtimes by ~15-35% (depending on device and use-case). The highest uplifts are currently seen on the latest Intel processors.
  • Dropped support for Node.js v14.
  • Various minor changes
New Contributors

Full Changelog: naptha/tesseract.js@v6.0.1...v7.0.0

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)

v4.0.1

Compare Source

⚠️ Noteworthy changes

  • Hibernate has been upgraded to 7.2.0.Final in response to Hibernate 7.1 moving to limited support
  • spring-boot-starter-kotlin-serialization has been renamed to to spring-boot-starter-kotlinx-serialization-json and spring-boot-starter-kotlin-serialization-test has been renamed to spring-boot-starter-kotlinx-serialization-json-test. This change aligns the starters' names with those of their respective modules
  • Using TestRestTemplate now requires a dependency on spring-boot-restclient

🐞 Bug Fixes

  • JsonMixinModuleEntriesBeanRegistrationAotProcessor does not handle deprecated code #​48564
  • JdbcSessionAutoConfiguration may not match when using the auto-configured DataSource #​48552
  • @ServiceConnection for LgtmStackContainer fails when logging endpoint is configured due to multiple OtlpLoggingConnectionDetails beans #​48536
  • WebApplicationType does not consider modules when deduced from classpath #​48517
  • Spring Session auto-configuration fails in a war deployment as ServerProperties is not available #​48493
  • Opentelemetry logging export requires actuator module #​48488
  • RabbitHealthIndicator reports an error when version is missing from the connection's server properties #​48487
  • Actuator Info class has inconsistent nullability annotations and cannot be built with null value #​48480
  • Profiles retained during AOT processing are not configured in a native image #​48476
  • Security matchers and WebServerNamespace resolution can fail with NoClassDefFoundError when used in a traditional WAR deployment #​48388
  • HealthEndpointGroupMembershipValidator does not consider reactive health indicators causing NoSuchHealthContributorException to be thrown #​48387
  • spring.jackson.default-property-inclusion is not applied to content inclusion #​48343
  • TestRestTemplate.getRootUri() returns empty string #​48330
  • Redis health check reports an error when redis_version is missing from the INFO response #​48328
  • Parent's MeterRegistry beans are closed when child context closes #​48325
  • HttpMessageConverters picks up converter beans for both client and server #​48310
  • Conditions to auto-configure a RestClient are outdated with the modularization #​48308
  • A custom JwtTypeValidator that replaces the default can no longer be configured #​48301
  • PropertiesRestClientHttpServiceGroupConfigurer has highest precedence, preventing other configurers from being ordered ahead of it #​48296
  • SpringBootTest.UseMainMethod.WHEN_AVAILABLE and ALWAYS are incompatible with package-private or parameter-less main method #​48275
  • Conditions to auto-configure RestClient-based HTTP service clients are outdated with the modularization #​48274
  • Starter for Kotlinx Serialization Json is misnamed #​48262
  • ApplicationServletEnvironment is no longer configured in war deployments #​48254
  • RestClient.Builder bean present in @SpringBootTest due to spring-boot-starter-webmvc-test, but missing at runtime without restclient starter #​48253
  • ProblemDetail is rendered to XML incorrectly #​48222

📔 Documentation

  • Harmonize Kotlin example for HTTP Service client support #​48577
  • Document HttpMessageConverters detection changes in 4.0.1 #​48574
  • Improve javadoc for when to use class names rather than class references #​48569
  • Documentation has an outdated reference to the Jackson Kotlin Module #​48534
  • Caching documentation should clarify how to use a no-op implementation to run a test suite #​48532
  • Document that the default rolling policy for Log4j2 requires logging.file.path to be set #​48527
  • Review documentation and migration guide about changes in @AutoConfigureCache #​48522
  • License header in build samples is displayed in the reference documentation #​48478
  • Configuring Two DataSources How-To code sample is inconsistent #​48449
  • Fix links to source files on GitHub #​48398
  • Documentation contains broken links to GitHub source files #​48394
  • Document that org.aspectj.weaver.Advice must be on the classpath to enable support for Micrometer's annotations #​48360
  • Correct the annotation in the Kotlin @ConfigurationPropertiesSource example #​48357
  • Polish TestRestTemplate examples in the reference guide #​48336
  • Documentation missing for LocalTestWebServer #​48333
  • Update "Creating Your Own Starter" following modularisation #​48317
  • Fix links to javadoc in the reference documentation #​48300
  • Update references for RestTemplateCustomizer and RestTemplateBuilder classes in documentation #​48295
  • Remove modules section of the README following modularisation #​48291
  • Wrong number in Graceful Shutdown chapter #​48284
  • Mention new spring-boot-h2console module when describing how to use H2 Console #​48278
  • Clarify that @EnableBatchProcessing turns off all batch auto-configuration, including schema initialization #​48266
  • Documented replacements for spring.jackson.generator and spring.jackson.parser are inverted #​48255
  • Document the need for a JdbcDialect bean when using Spring Data JDBC and AOT #​48240
  • Update reference documentation as Spring Batch's resourceless infrastructure means that it no longer always requires a DataSource #​48233
  • Kotlin auto-configuration examples are not annotated with @AutoConfiguration #​48228
  • Revise "Use Liquibase for test-only migrations" section in reference manual #​48219
  • Infinispan Cache Documentation is outdated #​48218
  • Removed max-attempts properties metadata don't have replacement #​48206
  • Polish documentation on testing web applications and the various testing clients that are available #​47948

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Nhahan, @​arey, @​banseok1216, @​berry120, @​candrews, @​dmitrysulman, @​geopark021, @​hktechn0, @​igslznev, @​jwalter, @​kzander91, @​michaldo, @​mzeijen, @​ngocnhan-tran1996, @​noojung, @​scottfrederick, @​vpavic, and @​youngledo

v4.0.0

Compare Source

Full release notes for Spring Boot 4.0 are available on the wiki. There is also a migration guide to help you upgrade from Spring Boot 3.5.

⭐ New Features

  • Change tomcat and jetty runtime modules to starters #​48175
  • Rename spring-boot-kotlin-serialization to align with the name of the Kotlinx module that it pulls in #​48076

🐞 Bug Fixes

  • Error properties are a general web concern and should not be located beneath server.* #​48201
  • With both Jackson 2 and 3 on the classpath, @JsonTest fails due to duplicate jacksonTesterFactoryBean #​48198
  • Gradle war task does not exclude starter POMs from lib-provided #​48197
  • spring.test.webclient.mockrestserviceserver.enabled is not aligned with its module's name #​48193
  • SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #​48182
  • Properties bound in the child management context ignore the parent's environment prefix #​48177
  • ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #​48171
  • Starter for spring-boot-micrometer-metrics is missing #​48161
  • Elasticsearch client's sniffer functionality should not be enabled by default #​48155
  • spring-boot-starter-elasticsearch should depend on elasticsearch-java #​48141
  • Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #​48132
  • New arm64 macbooks fail to bootBuildImage due to incorrect platform image #​48128
  • Properties for configuring an isolated JsonMapper or ObjectMapper are incorrectly named #​48116
  • Buildpack fails with recent Docker installs due to hardcoded version in URL #​48103
  • Image building may fail when specifying a platform if an image has already been built with a different platform #​48099
  • Default values of Kotlinx Serialization JSON configuration properties are not documented #​48097
  • Custom XML converters should override defaults in HttpMessageConverters #​48096
  • Kotlin serialization is used too aggressively when other JSON libraries are available #​48070
  • PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #​48059
  • Auto-configured JCacheMetrics cannot be customized #​48057
  • WebSecurityCustomizer beans are excluded by WebMvcTest #​48055
  • Deprecated EnvironmentPostProcessor does not resolve arguments #​48047
  • RetryPolicySettings should refer to maxRetries, not maxAttempts #​48023
  • Devtools Restarter does not work with a parameterless main method #​47996
  • Dependency management for Kafka should not manage Scala 2.12 libraries #​47991
  • spring-boot-mail should depend on jakarta.mail:jakarta.mail-api and org.eclipse.angus:angus-mail instead of org.eclipse.angus:jakarta.mail #​47983
  • spring-boot-starter-data-mongodb-reactive has dependency on reactor-test #​47982
  • Support for ReactiveElasticsearchClient is in the wrong module #​47848

📔 Documentation

  • Removed property spring.test.webclient.register-rest-template is still documented #​48199
  • Mention support for detecting AWS ECS in "Deploying to the Cloud" #​48170
  • Revise AWS section of "Deploying to the Cloud" in reference manual #​48163
  • Fix typo in PortInUseException Javadoc #​48134
  • Correct section about required setters in "Type-safe Configuration Properties" #​48131
  • Use since attribute in configuration properties deprecation consistently #​48122
  • Document EndpointJsonMapper and management.endpoints.jackson.isolated-json-mapper #​48115
  • Document support for configuring servlet context init parameters using properties #​48112
  • Some configuration properties are not documented in the appendix #​48095
  • Clarify how warnings about soon-to-expire SSL certificates are reported #​48063
  • Document how to use ContextPropagatingTaskDecorator for propagating trace context over thread boundaries #​48053
  • Document the level of support for the OpenTelemetry APIs #​47960
  • Document that you need to build with Java 25 for buildpack build-image Graal support #​45501

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​K-jun98, @​TerryTaoYY, @​filiphr, @​hojooo, @​linw-bai, @​nosan, @​scottfrederick, @​stevearmstrong-dev, @​stewue, and @​vpavic

v3.5.9

Compare Source

🐞 Bug Fixes

  • RabbitHealthIndicator reports an error when version is missing from the connection's server properties #​48486
  • Profiles retained during AOT processing are not configured in a native image #​48475
  • NullPointerException in UndertowWebServer.destroy() when using @DirtiesContext and Citrus Spring Boot Simulator #​48450
  • Redis health check reports an error when redis_version is missing from the INFO response #​48326
  • Parent's MeterRegistry beans are closed when child context closes #​48324
  • SpringBootTest.UseMainMethod.WHEN_AVAILABLE and ALWAYS are incompatible with package-private or parameter-less main method #​48271

📔 Documentation

  • Documentation has an outdated reference to the Jackson Kotlin Module #​48533
  • Caching documentation should clarify how to use a no-op implementation to run a test suite #​48531
  • Document that the default rolling policy for Log4j2 requires logging.file.path to be set #​48526
  • License header in build samples is displayed in the reference documentation #​48477
  • Configuring Two DataSources How-To code sample is inconsistent #​48448
  • Improve javadoc for when to use class names rather than class references #​48395
  • Document that org.aspectj.weaver.Advice must be on the classpath to enable support for Micrometer's annotations #​48359
  • Polish TestRestTemplate examples in the reference guide #​48335
  • Fix links to javadoc in the reference documentation #​48299
  • Clarify that @EnableBatchProcessing turns off all batch auto-configuration, including schema initialization #​48265
  • Kotlin auto-configuration examples are not annotated with @AutoConfiguration #​48227
  • Infinispan Cache Documentation is outdated #​48217
  • Revise "Use Liquibase for test-only migrations" section in reference manual #​48169

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​banseok1216, @​berry120, @​dmitrysulman, @​geopark021, @​noojung, @​scottfrederick, @​vpavic, and @​youngledo

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@mucsi96 mucsi96 closed this Dec 15, 2025
@mucsi96 mucsi96 reopened this Dec 15, 2025
@claude
Copy link

claude bot commented Dec 29, 2025

Pull Request Review - Dependency Updates

This PR contains major version upgrades for several critical dependencies. While dependency updates are important for security and features, these particular upgrades require careful attention due to breaking changes.

📋 Summary of Changes

Spring Boot: 3.5.8 → 4.0.1 (Major)
@types/node: 24.10.1 → 25.0.3 (Major)
tesseract.js: 6.0.1 → 7.0.0 (Major)
Spring Cloud Azure: 6.0.0 → 7.0.0-beta.1 (Major, Beta)
Spring AI: 1.1.1 → 2.0.0-M1 (Major, Milestone)
Hypersistence Utils: hibernate-63 → hibernate-71 (Hibernate 7 support)

⚠️ Critical Concerns

1. Beta and Milestone Dependencies in Production

The PR introduces pre-release versions that should not be used in production:

  • spring-cloud-azure-dependencies: 7.0.0-beta.1 (Beta)
  • spring-ai-bom: 2.0.0-M1 (Milestone)

Impact: Beta and milestone releases are not production-ready and may contain bugs or breaking API changes.

Recommendation:

  • For production use, stick with stable releases only
  • If you need Spring Boot 4.0 support, wait for stable releases of Azure/AI libraries
  • Consider postponing the Spring Boot 4.0 upgrade until dependencies stabilize

2. Spring Boot 3.x → 4.0 Breaking Changes

Spring Boot 4.0 is built on Spring Framework 7.0 and Jakarta EE 11, bringing significant breaking changes:

Key Breaking Changes:

  • Jakarta EE 11: Namespace changes may affect libraries
  • Java 21 minimum: Already met (✓)
  • Hibernate 7.x: Major ORM changes
  • Security configuration: Potential API changes
  • Property migrations: Several properties moved/renamed (e.g., server.error.*spring.web.error.*)

Files at Risk:

  • SecurityConfiguration.java:11 - Uses Azure AD autoconfiguration which is in beta
  • All JPA entities and repositories - Hibernate 6 → 7 upgrade
  • Configuration properties across the application

Recommendation:

  • Thoroughly review the Spring Boot 4.0 Migration Guide
  • Test all authentication flows (Azure AD integration)
  • Verify all JPA queries and entity behaviors
  • Check for deprecated property usage

3. Limited Test Coverage Visibility

The PR shows E2E tests are running but:

  • No indication if tests are passing/failing
  • No evidence of manual testing of authentication flows
  • No verification of Azure integration with beta library

Recommendation:

  • Ensure all E2E tests pass before merging
  • Manually test critical paths: authentication, card creation, PDF processing
  • Test Azure AD integration specifically

🔍 Specific Technical Concerns

Spring AI 2.0.0-M1

Milestone releases of Spring AI may have:

  • API changes in chat client interfaces
  • Breaking changes in model response handling
  • Changes to OpenAI, ElevenLabs, Anthropic, or Google integrations

Files to Review:

  • ChatClientService.java
  • TranslationService.java
  • AudioService.java
  • All AI-related controllers

Hypersistence Utils Hibernate 71

The change from hypersistence-utils-hibernate-63 to hypersistence-utils-hibernate-71 indicates Hibernate 7 support:

  • JSONB handling may have changed
  • Custom types behavior could differ
  • Performance characteristics may vary

Files to Review:

  • All entities using JSONB (Card entity specifically)
  • Custom type mappings

Tesseract.js 7.0

Positive changes:

  • ✅ 15-35% performance improvement
  • ✅ Better WASM support
  • ⚠️ Dropped Node.js 14 support (not an issue with your Node.js version)

Low risk change for mock servers.

📝 Code Quality Observations

Positive:

  • Consistent updates across all package.json files
  • Proper lockfile updates included
  • Version constraints maintained

Neutral:

  • No code changes required (yet) - suggests CI might not have caught breaking changes
  • Clean diff focused only on version bumps

🎯 Recommendations

Before Merging:

  1. Replace beta/milestone dependencies with stable versions:

    <!-- Wait for stable releases or stay on Spring Boot 3.x -->
<version>3.5.8</version>

  2. If proceeding with Spring Boot 4.0:

    • Add comprehensive testing plan
    • Review migration guide thoroughly
    • Test on staging environment first
    • Document all configuration changes needed

  3. Verify E2E tests:

    • Confirm all tests pass
    • Add test coverage for Azure AD auth if missing
    • Test AI integrations (OpenAI, ElevenLabs, Google, Anthropic)

  4. Manual testing checklist:

    • User authentication (Azure AD)
    • Card creation and review
    • PDF processing
    • Translation service
    • Audio generation
    • Image generation

  5. Monitor for issues:

    • Set up error tracking for production
    • Plan rollback strategy
    • Monitor database query performance (Hibernate 7 changes)

🏁 Final Verdict

❌ Do Not Merge in current state.

Reasoning:

  • Beta and milestone dependencies are not production-safe
  • Major framework upgrade requires more validation
  • Insufficient evidence of testing

Suggested Path Forward:

Option A (Conservative - Recommended):
Stay on Spring Boot 3.5.x until Spring Cloud Azure and Spring AI have stable 4.0-compatible releases.

Option B (If Spring Boot 4.0 is critical):

  1. Replace beta dependencies with stable versions or remove features
  2. Create comprehensive test plan
  3. Deploy to staging for extended testing
  4. Document all breaking changes encountered
  5. Merge only after validation period

Review completed using repository coding standards from CLAUDE.md and AGENTS.md

@claude
Copy link

claude bot commented Dec 29, 2025

PR Review: Dependency Updates

I've reviewed this dependency update PR. Here's my analysis:

📦 Dependencies Updated

Spring Boot (3.5.8 → 4.0.1) - Major version upgrade
tesseract.js (6.0.1 → 7.0.0) - Major version upgrade
@types/node (24.10.1 → 25.0.3) - Major version upgrade
Angular packages (21.0.3 → 21.0.6) - Patch version upgrades

⚠️ Critical Findings - Action Required

1. Spring Boot 4.0 Major Version Upgrade

This is a breaking change that requires careful migration. Based on the Spring Boot 4.0 release notes, key changes include:

Breaking Changes:

  • Hibernate upgraded to 7.2.0.Final (from 7.1.x which is now in limited support)
  • Spring Framework 7.0.2 (major version change)
  • Jakarta EE 11 baseline
  • Modularization changes affecting autoconfiguration
  • Property changes: server.error.* properties moved (no longer under server.*)
  • Spring Batch changes requiring @EnableBatchProcessing review
  • Jackson property naming changes
  • Test infrastructure changes (TestRestTemplate now requires spring-boot-restclient dependency)

Files to Review:

  • server/src/main/resources/application.yml:43-45 - Check if you're using any server.error.* properties
  • All @Service, @Controller, @Repository classes - verify compatibility with Spring 7.0
  • JPA entities - ensure compatibility with Hibernate 7.2
  • Azure integration code - verify compatibility with Spring Cloud Azure 7.0.0-beta.1

Migration Steps Recommended:

  1. Review the official Spring Boot 4.0 Migration Guide
  2. Run the application locally and monitor for deprecation warnings
  3. Verify Azure AD integration still works (Spring Security 7.0 has changes)
  4. Test database operations with Hibernate 7.2

2. tesseract.js 7.0 Upgrade

Impact: Used in mock_anthropic_server/src/ocr.ts:2

Changes:

  • ~15-35% performance improvements (good!)
  • Dropped Node.js v14 support
  • New relaxedsimd build for better WASM support

Code Review:
The usage in ocr.ts looks straightforward and should be compatible. The API (createWorker, worker.recognize, worker.terminate) appears unchanged based on the release notes.

Testing Needed:

  • Verify OCR functionality in mock server still works
  • Performance may improve for image text extraction tests

3. @types/node Major Version

Lower Risk: Type definitions only, but verify:

  • TypeScript compilation still works in mock_anthropic_server
  • No type errors introduced in Node.js API usage

✅ Lower Risk Updates

Angular 21.0.3 → 21.0.6: Patch release, likely bug fixes. Low risk.

🧪 Testing Recommendations

Since the project emphasizes E2E testing with Playwright, I recommend:

  1. Run full E2E test suite to catch integration issues:

    cd test
npm test

  2. Manual verification checklist:

    • Application starts without errors
    • Authentication flow works (Azure AD with Spring Security 7.0)
    • Database operations work (Hibernate 7.2)
    • PDF processing works
    • AI integrations work (OpenAI, ElevenLabs, Google Gemini, Anthropic)
    • OCR in mock server works (tesseract.js)
    • Actuator endpoints accessible

  3. Backend tests:

    cd server
./mvnw test

📝 Code Quality Notes

Positive:

  • Clean, automated dependency management (appears to be Renovate bot)
  • Lock files properly updated
  • No obvious security vulnerabilities in changelog

Concerns:

  • No migration code or configuration updates included
  • No test evidence that the app works with Spring Boot 4.0
  • Spring Cloud Azure is still on 7.0.0-beta.1 - verify compatibility with Spring Boot 4.0

🔐 Security Considerations

Good:

  • Spring Boot 4.0.1 includes multiple security patches
  • Spring Security 7.0.2 included
  • All dependency upgrades include security fixes

Note:
Check if any CVEs were addressed that affect your application.

📋 Recommendations

Before Merging:

  1. DO NOT merge without testing - Spring Boot 4.0 is a major breaking change
  2. ✅ Run full test suite (E2E + backend unit tests)
  3. ✅ Test locally with all integrations (Azure AD, DB, AI services)
  4. ✅ Review Spring Boot 4.0 migration guide
  5. ✅ Consider staging environment deployment first
  6. ✅ Update any deprecated API usages found during testing

After Merging:

  • Monitor application logs for warnings/errors
  • Watch for performance changes (should improve with tesseract.js 7.0)
  • Update documentation if any config changes needed

🎯 Summary

Risk Level: HIGH due to Spring Boot 4.0 major version upgrade

This PR updates multiple dependencies with significant breaking changes. While dependency updates are important, the Spring Boot 3.x → 4.x migration requires careful testing and potentially code changes. The PR should not be merged without:

  1. Running the full test suite
  2. Manual verification of core functionality
  3. Reviewing and addressing Spring Boot 4.0 breaking changes
  4. Updating application code/config as needed

Consider splitting this into:

  • One PR for Spring Boot 4.0 (with migration work)
  • Separate PR for other updates

This allows for easier rollback if issues arise.

@github-actions
Copy link
Contributor Author

github-actions bot commented Jan 5, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mucsi96