RepoJournal
Spring

@spring-projects

Spring Framework, Spring Boot, and the JVM enterprise layer

Pick a date

The Wire · Showcase

SPRING BOOT FIXES MAIL SECURITY GAP, SPRING AI RESTORES PDF HANDLING

By RepoJournal · Filed · About Spring

Spring Boot 4.0.7 patches a hostname verification bypass in MailSender auto-configuration while Spring AI closes a critical regression that broke PDF document parsing in Claude and GPT models.

Spring Boot 4.0.7 landed overnight with a security fix for MailSender auto-configuration that was silently disabling hostname verification [1]. This is the kind of silent-fail security issue that ships undetected in production. Spring AI simultaneously shipped a fix restoring PDF media mapping in OpenAiChatModel [2], which broke in the 2.0 rewrite onto the official OpenAI SDK. PDFs were falling through to base64 text instead of parsed documents. Spring AI also fixed MCP integration test flakiness [3] by gracefully closing servers, tuning timeouts to 60s, and standardizing container images. Across the stack, Spring Integration hardened two critical bugs: a multibyte character offset issue in DatagramPacketMessageMapper [4] that corrupted UDP messages with non-ASCII headers, and a Math.abs() overflow in PartitionedDispatcher [5] that crashed with Integer.MIN_VALUE. Spring Boot dependency management got realigned [7], removing Protobuf Common Protos management to let gRPC Java control the version transitively. Spring AI replaced deprecated Jackson methods [6], migrating from asText() to asString() and switching to jspecify annotations for null safety.

Action items

References

  1. [1] (4.0.x): Bump org.springframework.boot from 4.0.6 to 4.0.7 ↗ spring-projects/spring-credhub
  2. [2] Restore PDF media mapping in `OpenAiChatModel` spring-projects/spring-ai
  3. [3] Fix MCP integration tests flakiness spring-projects/spring-ai
  4. [4] GH-11115: Fix multibyte ack-header offset in DatagramPacketMessageMapper spring-projects/spring-integration
  5. [5] GH-11114: Fix `PartitionedDispatcher` for `Integer.MIN_VALUE` spring-projects/spring-integration
  6. [6] Replace deprecated JsonNode methods and null-safe annotations spring-projects/spring-ai
  7. [7] Remove dependency management for Protobuf Common Protos spring-projects/spring-boot

FAQ

What changed in Spring on June 16, 2026?
Spring Boot 4.0.7 patches a hostname verification bypass in MailSender auto-configuration while Spring AI closes a critical regression that broke PDF document parsing in Claude and GPT models.
What should Spring teams do about it?
Upgrade Spring Boot to 4.0.7 immediately if using MailSender auto-configuration • Update Spring AI to latest if handling PDF documents in chat models • Patch Spring Integration 7.x for UDP multibyte and partition dispatcher fixes
Which Spring repositories shipped on June 16, 2026?
spring-projects/spring-credhub, spring-projects/spring-ai, spring-projects/spring-integration, spring-projects/spring-boot

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.