ESBUILD PATCHES CRITICAL HTTP REQUEST FLAW IN SPRING SECURITY

By RepoJournal

Spring Security shipped an emergency esbuild bump overnight that closes a local development server vulnerability allowing backslash injection in HTTP requests.

The esbuild update from 0.25.0 to 0.28.1 [1] addresses GHSA-g7r4-m6w7-qqqr, a security issue where the development server was accepting malformed HTTP requests containing backslash characters that should have been rejected. This matters if you're running Spring Security's JavaScript toolchain in local development. Ship this upgrade before your next build. In parallel, Spring Integration quietly bumped protobuf-bom to 4.35.1 [2], a patch release with no breaking changes. On the reliability front, Spring Integration merged a retry harness for TcpOutboundGatewayTests that was cherry-picked to the 7.0.x branch [3], stabilizing flaky timeout tests. Spring Boot fixed a subtle auto-config bug [4] where SpringReactiveOpaqueTokenIntrospector was loading without WebFlux on the classpath, causing ClassNotFoundException on BodyInserters.

References

  [1] Bump esbuild from 0.25.0 to 0.28.1 in /javascript (spring-projects/spring-security)
  [2] Bump com.google.protobuf:protobuf-bom from 4.35.0 to 4.35.1 (spring-projects/spring-integration)
  [3] RetryingTest for TcpOutboundGatewayTests.testGoodNetGWTimeout (spring-projects/spring-integration)
  [4] Stop auto-config of SpringReactiveOpaqueTokenIntrospector w/o WebFlux (spring-projects/spring-boot)

FAQ

What changed in Spring on June 14, 2026?

Spring Security shipped an emergency esbuild bump overnight that closes a local development server vulnerability allowing backslash injection in HTTP requests.

What should Spring teams do about it?

  • Upgrade esbuild in spring-security to 0.28.1 before next deploy
  • Merge protobuf-bom 4.35.1 to spring-integration
  • Review Spring Boot 50764 fix if you use SpringReactiveOpaqueTokenIntrospector without WebFlux

Which Spring repositories shipped on June 14, 2026?

spring-projects/spring-security, spring-projects/spring-integration, spring-projects/spring-boot
