The Wire · Showcase
ESBUILD PATCHES CRITICAL HTTP REQUEST FLAW IN SPRING SECURITY
By RepoJournal · Filed · About Spring
Spring Security shipped an emergency esbuild bump overnight that closes a local development server vulnerability allowing backslash injection in HTTP requests.
The esbuild update from 0.25.0 to 0.28.1 [1] addresses GHSA-g7r4-m6w7-qqqr, a security issue where the development server was accepting malformed HTTP requests containing backslash characters that should have been rejected. This matters if you're running Spring Security's JavaScript toolchain in local development. Ship this upgrade before your next build. In parallel, Spring Integration quietly bumped protobuf-bom to 4.35.1 [2], a patch release with no breaking changes. On the reliability front, Spring Integration merged a retry harness for TcpOutboundGatewayTests that was cherry-picked to the 7.0.x branch [3], stabilizing flaky timeout tests. Spring Boot fixed a subtle auto-config bug [4] where SpringReactiveOpaqueTokenIntrospector was loading without WebFlux on the classpath, causing ClassNotFoundException on BodyInserters.
Action items
- Upgrade esbuild in spring-security to 0.28.1 before next deploy (spring-projects/spring-security) [immediate]
- Merge protobuf-bom 4.35.1 to spring-integration (spring-projects/spring-integration) [plan]
- Review Spring Boot 50764 fix if you use SpringReactiveOpaqueTokenIntrospector without WebFlux (spring-projects/spring-boot) [monitor]
References
- [1] Bump esbuild from 0.25.0 to 0.28.1 in /javascript (spring-projects/spring-security)
- [2] Bump com.google.protobuf:protobuf-bom from 4.35.0 to 4.35.1 (spring-projects/spring-integration)
- [3] RetryingTest for TcpOutboundGatewayTests.testGoodNetGWTimeout (spring-projects/spring-integration)
- [4] Stop auto-config of SpringReactiveOpaqueTokenIntrospector w/o WebFlux (spring-projects/spring-boot)
FAQ
- What changed in Spring on June 14, 2026?
- Spring Security shipped an emergency esbuild bump overnight that closes a local development server vulnerability allowing backslash injection in HTTP requests.
- What should Spring teams do about it?
- Upgrade esbuild in spring-security to 0.28.1 before next deploy • Merge protobuf-bom 4.35.1 to spring-integration • Review Spring Boot 50764 fix if you use SpringReactiveOpaqueTokenIntrospector without WebFlux
- Which Spring repositories shipped on June 14, 2026?
- spring-projects/spring-security, spring-projects/spring-integration, spring-projects/spring-boot