The Wire · Showcase
SPRING ECOSYSTEM TIGHTENS DEPENDENCY CHAIN WITH BUILD AND TEST FIXES
By RepoJournal · Filed · About Spring
Gradle 9.6.1 rolls across Spring Boot, Security, and LDAP while Logback 1.5.37 lands critical vulnerability patches for conditional configuration processing.
The Spring projects are moving in lockstep on foundational tooling. Gradle 9.6.1 [1] [5] ships improved Configuration Cache hit rates and CLI rendering options, now deployed to spring-ldap, spring-security, and spring-boot build chains. Matching the cadence, JUnit 6.1.1 [2] [6] rolled into spring-ldap and spring-security test suites with platform, Jupiter, and Vintage updates. On the logging front, Logback 1.5.37 [3] [7] addresses vulnerabilities in conditional configuration processing based on Java expression evaluation, now patching both spring-session and spring-security. Spring Boot polished unnecessary `@Nullable` annotations from local variable declarations [8] [9] [10] [11], recognizing that nullability can be inferred from assignment patterns rather than explicit markup. Minor driver updates continue: DB2 jcc bumped to 12.1.5.0 [4] in spring-session without breaking changes flagged.
Action items
- → Merge Gradle 9.6.1 wrapper updates across projects before next release spring-projects/spring-boot [plan]
- → Verify Logback 1.5.37 patch applied and test conditional configuration in prod scenarios spring-projects/spring-security [plan]
- → Review and adopt `@Nullable` removal patterns from Spring Boot PR into your local codebases spring-projects/spring-boot [monitor]
References
- [1] Bump gradle-wrapper from 9.6.0 to 9.6.1 ↗ spring-projects/spring-ldap
- [2] Bump org.junit:junit-bom from 6.1.0 to 6.1.1 ↗ spring-projects/spring-ldap
- [3] Bump ch.qos.logback:logback-core from 1.5.36 to 1.5.37 ↗ spring-projects/spring-session
- [4] Bump com.ibm.db2:jcc from 12.1.4.0 to 12.1.5.0 ↗ spring-projects/spring-session
- [5] Bump gradle-wrapper from 9.6.0 to 9.6.1 ↗ spring-projects/spring-security
- [6] Bump org.junit:junit-bom from 6.1.0 to 6.1.1 ↗ spring-projects/spring-security
- [7] Bump ch.qos.logback:logback-classic from 1.5.36 to 1.5.37 ↗ spring-projects/spring-security
- [8] Merge pull request #50866 from quaff spring-projects/spring-boot
- [9] Polish "Remove unnecessary `@Nullable`s from local variable declarations" spring-projects/spring-boot
- [10] Remove unnecessary `@Nullable`s from local variable declarations spring-projects/spring-boot
- [11] Remove @Nullable from local variable declarations ↗ spring-projects/spring-boot
FAQ
- What changed in Spring on June 29, 2026?
- Gradle 9.6.1 rolls across Spring Boot, Security, and LDAP while Logback 1.5.37 lands critical vulnerability patches for conditional configuration processing.
- What should Spring teams do about it?
- Merge Gradle 9.6.1 wrapper updates across projects before next release • Verify Logback 1.5.37 patch applied and test conditional configuration in prod scenarios • Review and adopt `@Nullable` removal patterns from Spring Boot PR into your local codebases
- Which Spring repositories shipped on June 29, 2026?
- spring-projects/spring-ldap, spring-projects/spring-session, spring-projects/spring-security, spring-projects/spring-boot