Upgrading Spring Boot version from 3.0.x to 3.3.x

Amit Lande

Spring Boot 3.0.6 ships with tomcat-embed-core 10.1.8, which has known CVEs.
Our security scan flagged this vulnerability and asked us to fix it before going live, so we decided to upgrade our Spring Boot version.
The closest vulnerability-free tomcat-embed-core release to 10.1.8 is 10.1.35, and the latest Spring Boot version that supports it is 3.3.9. Hence, we decided to upgrade to Spring Boot 3.3.9.

| Library | Old Version | New Version | Changes |
|---|---|---|---|
| `springboot.version` (group id `org.springframework.boot`) | 3.0.6 | 3.3.9 | |
| logback-core, logback-classic | 1.4.7 | 1.5.15 | The `<timeBasedFileNamingAndTriggeringPolicy/>` element needs to be removed from logback.xml. Put `<maxFileSize/>` directly inside the `<rollingPolicy/>`, as a sibling of `<fileNamePattern/>`, using `SizeAndTimeBasedRollingPolicy`. |
| spring-beans | 6.0.3 | 6.1.15 | |
| spring-integration-jms | 5.5.17 | 6.1.4 | Calls to `get()` on `IntegrationComponentSpec` need to be changed to `getObject()`. |
| Guava | 31.1-jre | 33.4.8-jre | |
| javax.jms-api | 2.0.1 | jakarta.jms-api 3.1.0 | Change all `javax.jms` imports to `jakarta.jms`. |
| sol-jms | 10.19.0 | sol-jms-jakarta 10.20.0 | Change all `javax.jms` imports to `jakarta.jms`. |
| spring-jms | 5.3.2 | 6.1.15 | |
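The logback change from the table, shown as a before/after logback.xml. This is an added example, not the author's configuration file; the appender name, log paths, file size, history and pattern values are assumptions chosen for illustration.

```xml
<configuration>
  <!-- BEFORE (worked with logback 1.4.7): the size trigger was nested inside
       TimeBasedRollingPolicy through timeBasedFileNamingAndTriggeringPolicy.
       This nested element is what has to go when moving to 1.5.15.

  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>logs/app.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>logs/app.%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
      <timeBasedFileNamingAndTriggeringPolicy
          class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
        <maxFileSize>10MB</maxFileSize>
      </timeBasedFileNamingAndTriggeringPolicy>
      <maxHistory>30</maxHistory>
    </rollingPolicy>
    <encoder>
      <pattern>%d %-5level [%thread] %logger{36} : %msg%n</pattern>
    </encoder>
  </appender>
  -->

  <!-- AFTER (logback 1.5.15): SizeAndTimeBasedRollingPolicy takes maxFileSize
       directly, as a sibling of fileNamePattern. Paths and sizes are assumed values. -->
  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>logs/app.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
      <fileNamePattern>logs/app.%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
      <maxFileSize>10MB</maxFileSize>
      <maxHistory>30</maxHistory>
      <totalSizeCap>1GB</totalSizeCap>
    </rollingPolicy>
    <encoder>
      <pattern>%d %-5level [%thread] %logger{36} : %msg%n</pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="FILE"/>
  </root>
</configuration>
```

The `%i` index in `fileNamePattern` is still required, since the policy rolls on size within a day as well as on date; `totalSizeCap` is optional but is worth setting so an attacker who can make the app log noisily cannot fill the disk.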

Here are some tips:

  1. Always run the Maven dependency tree command when you upgrade any library version, and check which versions of the transitive dependencies (tomcat-embed-core, logback, the JMS API) Maven actually resolved:
    > mvn dependency:tree

  2. I used GitHub Copilot to resolve most of the dependency issues and errors.

    Here are some of my prompts to Copilot:

    • Do we need spring-boot-starter-logging if the logback lib is present?

    • Why the error: java.lang.NoClassDefFoundError: ch/qos/logback/core/util/StatusPrinter2?

    • What spring-beans version is compatible with Spring Boot 3.3.9?

    • What about the spring-jms version?

    • What solace-jms-spring-boot-autoconfigure version to use?

    • Create a ConnectionFactory instance to set in the setTargetConnectionFactory method (this is for the Solace JMS configuration)

    • sol-jms version 10.19.0 is not using jakarta, suggest me a supporting version

  3. A successful build alone doesn't mean everything is OK; you need to run the app after every successful build, because problems such as a javax/jakarta mismatch or a logback configuration that no longer loads only show up at runtime.

  4. Always use https://mvnrepository.com/ to search for libraries and to check that the version you pick has no known vulnerabilities; prefer the versions the Spring Boot BOM already manages and override them only where the scan requires it.
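Tips 1 and 4 together amount to a gate: after the upgrade, the resolved versions in the dependency tree must be at or above the vulnerability-free versions you chose, and the old `javax` artifact must be gone. The script below is an added example, not the author's tooling: it parses `mvn dependency:tree` output (a constructed sample is embedded so it runs offline) and enforces those two rules. The sample tree, the minimum versions and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example: gate the versions `mvn dependency:tree` resolved against
# the minimums you require. Not part of the original post.

# Constructed sample of `mvn dependency:tree` output. Artifacts and versions
# are illustrative only; note the leftover javax.jms-api, left in on purpose.
SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.3.9:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:3.3.9:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.35:compile
[INFO] |     \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.35:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.5.15:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.5.15:compile
[INFO] \- javax.jms:javax.jms-api:jar:2.0.1:compile'

# resolved_version TREE GROUP:ARTIFACT
# Prints the version Maven resolved for that exact artifact, or nothing if absent.
resolved_version() {
  printf '%s\n' "$1" | sed -n "s/.* $2:jar:\([^:]*\):.*/\1/p" | head -n 1
}

# vercmp A B -> prints -1, 0 or 1, comparing dotted versions component-wise.
# Non-numeric suffixes such as "-jre" are ignored; a missing component counts as 0.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ac="${a%%.*}"; bc="${b%%.*}"
    ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"
    : "${ac:=0}"; : "${bc:=0}"
    if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return 0; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# check_min TREE GROUP:ARTIFACT MINIMUM
# Returns 0 if the resolved version is >= MINIMUM, 1 if it is lower, 2 if absent.
check_min() {
  v="$(resolved_version "$1" "$2")"
  if [ -z "$v" ]; then
    echo "$2: not in tree"; return 2
  fi
  if [ "$(vercmp "$v" "$3")" -lt 0 ]; then
    echo "$2: resolved $v, required >= $3 (FAIL)"; return 1
  fi
  echo "$2: resolved $v, required >= $3 (ok)"; return 0
}

# require_absent TREE GROUP:ARTIFACT
# Returns 0 if the artifact is gone, 1 if something still pulls it in.
require_absent() {
  v="$(resolved_version "$1" "$2")"
  if [ -n "$v" ]; then
    echo "$2: still resolved at $v (FAIL, replace with the jakarta artifact)"; return 1
  fi
  echo "$2: absent (ok)"; return 0
}

# Demo gate over the constructed sample: minimums are the versions the post chose.
status=0
check_min "$SAMPLE_TREE" org.apache.tomcat.embed:tomcat-embed-core 10.1.35 || status=1
check_min "$SAMPLE_TREE" ch.qos.logback:logback-classic 1.5.15 || status=1
check_min "$SAMPLE_TREE" jakarta.jms:jakarta.jms-api 3.1.0 || status=1
require_absent "$SAMPLE_TREE" javax.jms:javax.jms-api || status=1
echo "gate status: $status (0 = pass)"
```

Against a real project, replace `SAMPLE_TREE` with `"$(mvn dependency:tree)"` (without `-q`, since the tree lines are logged at INFO level) and wire the gate's status into the pipeline. Narrow the scan with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` when you only want to see a single group. The sample deliberately still carries `javax.jms-api`, so the demo gate reports a failure: that is the leftover a successful build will not tell you about.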
