The Wire · Showcase
SPRING BOOT 4.1.0 SHIPS WITH SECURITY HARDENING, SPRING TOOLS ADDS CLAUDE CODE PLUGIN
By RepoJournal · Filed · About Spring
Spring Boot 4.1.0 is live with reduced memory overhead and critical mail/Artemis security fixes that shipped backports across three maintenance branches in the same window.
Spring Boot 4.1.0 [1] landed with memory improvements to WritableJson.toByteArray and a new public constructor for InvalidConfigurationPropertyValueException, but the real news is what came with it. The Boot team simultaneously released v3.5.15 [2] and v4.0.7 [3], and both patch two critical security gaps: hostname verification is now enabled by default in Mail auto-configuration [4], and Artemis embedded brokers no longer use predictable temp directories [5]. This coordinated push signals these weren't edge cases. Meanwhile, Spring Tools hit 5.2.0 [7] with an experimental Claude Code Plugin that runs an embedded MCP server to surface Spring Boot-specific tools to the LLM without conflicting with your Java Language Server. Spring AI cleaned house overnight [8][9][10][11], stripping out orphaned documentation sections, obsolete example classes, and deprecated property references that were cluttering the codebase. Spring Session bumped to Boot 4.1.0 [6], and Spring Statemachine docs are now aligned for the v4 release cycle [12].
Action items
- → Upgrade Spring Boot to 4.1.0 (or 3.5.15/4.0.7 if you're on earlier lines) before next prod deploy spring-projects/spring-boot [immediate]
- → Verify Mail hostname verification is working in your environment (it's on by default now) spring-projects/spring-boot [plan]
- → Review Spring AI docs after the pruning - some property references were removed spring-projects/spring-ai [monitor]
- → Test Claude Code Plugin in non-prod if you're using Spring Tools with LLM workflows spring-projects/spring-tools [monitor]
References
- [1] v4.1.0 ↗ spring-projects/spring-boot
- [2] v3.5.15 ↗ spring-projects/spring-boot
- [3] v4.0.7 ↗ spring-projects/spring-boot
- [4] Enable hostname verification by default in Mail auto-config spring-projects/spring-boot
- [5] Fix predictable temp directory in Artemis embedded configuration spring-projects/spring-boot
- [6] Bump org.springframework.boot:spring-boot-gradle-plugin from 4.1.0-SNAPSHOT to 4.1.0 ↗ spring-projects/spring-session
- [7] 5.2.0.RELEASE ↗ spring-projects/spring-tools
- [8] Remove unrelated sections from imageclient.adoc spring-projects/spring-ai
- [9] fix (docs): Fix removed model enable/disable property references in docs spring-projects/spring-ai
- [10] Remove remaining System.out in tests spring-projects/spring-ai
- [11] Remove `internal-tool-execution-enabled` property references from docs spring-projects/spring-ai
- [12] Update whatsnew.adoc for v4 spring-projects/spring-statemachine
FAQ
- What changed in Spring on June 11, 2026?
- Spring Boot 4.1.0 is live with reduced memory overhead and critical mail/Artemis security fixes that shipped backports across three maintenance branches in the same window.
- What should Spring teams do about it?
- Upgrade Spring Boot to 4.1.0 (or 3.5.15/4.0.7 if you're on earlier lines) before next prod deploy • Verify Mail hostname verification is working in your environment (it's on by default now) • Review Spring AI docs after the pruning - some property references were removed
- Which Spring repositories shipped on June 11, 2026?
- spring-projects/spring-boot, spring-projects/spring-session, spring-projects/spring-tools, spring-projects/spring-ai, spring-projects/spring-statemachine