The Wire · Showcase
SPRING INTEGRATION FIXES CORS DEFAULTS TO MATCH MVC, SPRING AI SHEDS CLOUD BINDINGS
By RepoJournal · Filed · About Spring
Spring Integration shipped a critical CORS alignment fix that brings HTTP and WebFlux modules into sync with Spring MVC's stricter defaults, while Spring AI removes a deprecated cloud bindings dependency in a significant API cleanup.
The CORS fix [1] addresses a security-relevant mismatch where Spring Integration was allowing origins and credentials that Spring MVC now blocks by default. This auto-cherrypicks to 7.0.x and 6.5.x branches, meaning your existing integrations may need configuration review if you rely on permissive CORS settings. Over in Spring AI, the removal of spring-ai-spring-cloud-bindings [2] signals a strategic move away from cloud-specific binding patterns; if you're using those bindings for Kubernetes or CloudFoundry deployments, migration planning starts now. Spring GraphQL also shipped a fix for a JSON syntax error in GraphiQL's XSRF support [4] that was silently breaking token injection on cookie presence. The rest of the briefing is maintenance work: Spring Integration adds message_store pattern support [3], Spring AMQP improves ack failure visibility with warn-level logging [5], and PostgreSQL driver gets bumped to 42.7.11 [6].
Action items
- → Review CORS configuration in Spring Integration HTTP/WebFlux modules against new Spring MVC defaults spring-projects/spring-integration [plan]
- → Plan migration away from spring-ai-spring-cloud-bindings if currently in use spring-projects/spring-ai [plan]
- → Test GraphiQL XSRF token flow if you rely on cookie-based CSRF protection spring-projects/spring-graphql [monitor]
- → Update PostgreSQL driver to 42.7.11 in integration-samples builds spring-projects/spring-integration-samples [plan]
References
- [1] GH-10988: Align HTTP Cross-Origin with Spring MVC ↗ spring-projects/spring-integration
- [2] Remove spring-ai-spring-cloud-bindings spring-projects/spring-ai
- [3] Add message_store pattern in `IntegrationPatternType` ↗ spring-projects/spring-integration
- [4] Fix JSON syntax error in GraphiQL XSRF support spring-projects/spring-graphql
- [5] GH-3418: Warn on ack failure in the `AbstractAdaptableMessageListener` spring-projects/spring-amqp
- [6] Bump PostgreSQL version to `42.7.11` spring-projects/spring-integration-samples
FAQ
- What changed in Spring on May 20, 2026?
- Spring Integration shipped a critical CORS alignment fix that brings HTTP and WebFlux modules into sync with Spring MVC's stricter defaults, while Spring AI removes a deprecated cloud bindings dependency in a significant API cleanup.
- What should Spring teams do about it?
- Review CORS configuration in Spring Integration HTTP/WebFlux modules against new Spring MVC defaults • Plan migration away from spring-ai-spring-cloud-bindings if currently in use • Test GraphiQL XSRF token flow if you rely on cookie-based CSRF protection
- Which Spring repositories shipped on May 20, 2026?
- spring-projects/spring-integration, spring-projects/spring-ai, spring-projects/spring-graphql, spring-projects/spring-amqp, spring-projects/spring-integration-samples