{"slug": "spring-news-roundup-point-releases-of-boot-security-integration-modulith-and-ai", "title": "Spring News Roundup: Point Releases of Boot, Security, Integration, Modulith and Spring AI 2.0", "summary": "Spring ecosystem saw multiple point releases during the week of June 8, 2026, including Spring Boot 4.1.0, Spring Security 7.1.0, and Spring AI 2.0 GA, delivering bug fixes, dependency upgrades, and new features such as Spring gRPC support and Kotlin 2.3.20 compatibility.", "body_md": "There was a flurry of activity in the Spring ecosystem during the week of June 8th, 2026, highlighting point releases of: Spring Boot, Spring Security, Spring Session, Spring Integration, Spring Modulith, Spring AMQP and Spring Vault; and GA releases of Spring AI 2.0 and Spring Data 2026.0.0.\n\n#### Spring Boot\n\nThe [release](https://spring.io/blog/2026/06/10/spring-boot-4) of [Spring Boot](https://spring.io/projects/spring-boot) 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and new features such as: support for [Spring gRPC](https://spring.io/projects/spring-grpc); the addition of a public constructor to the class that accepts a string to describe the cause of the exception; and a reduction in memory consumption upon repeated calls the\n\n[InvalidConfigurationPropertyValueException](https://docs.spring.io/spring-boot/api/java/org/springframework/boot/context/properties/source/InvalidConfigurationPropertyValueException.html)\n\n**method defined in the**\n\n`toByteArray()`\n\n**interface. More details on this release may be found in the**\n\n[WritableJson](https://docs.spring.io/spring-boot/api/java/org/springframework/boot/json/WritableJson.html)\n\n[release notes](https://github.com/spring-projects/spring-boot/releases/tag/v4.1.0)and this InfoQ\n\n[news story](https://infoq.com/news/2026/06/spring-boot-4-1).\n\n#### Spring Data\n\nThe [release](https://spring.io/blog/2026/06/09/spring-data-2026-0-0-generally-available) of [Spring Data](https://spring.io/projects/spring-data) 2026.0.0 ships with new features such as: compatibility with [Kotlin](https://kotlinlang.org/) 2.3.20 and [Vavr](https://vavr.io/) 0.11.0; new annotated Redis [publish/subscribe](https://github.com/spring-projects/spring-data-examples/blob/083ff1c38c9c77339828accf106f2c8f4b8bb511/redis/pubsub-listener/README.md) message listeners; and type-safe property paths. Further details on this release may be found in the [wiki](https://github.com/spring-projects/spring-data-commons/wiki/Spring-Data-2026.0-Release-Notes) page.\n\n#### Spring Security\n\nThe [release](https://spring.io/blog/2026/06/09/spring-security-releases-2026-06) of [Spring Security](https://spring.io/projects/spring-security) 7.1.0 provides bug fixes, dependency upgrades and new features such as: a new functional interface that may be used as an assignment target for a lambda expression or method reference; and a new\n\n[InetAddressMatcher](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/util/matcher/InetAddressMatcher.html)\n\n**method, added to the**\n\n`anyOf()`\n\n**class, that returns an instance of the**\n\n[AllRequiredFactorsAuthorizationManager](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.html)\n\n**interface to grant access to a user who satisfies one of several different combinations of authentication factors. More details on this release may be found in the**\n\n[AuthorizationManager](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/authorization/AuthorizationManager.html)\n\n[release notes](https://github.com/spring-projects/spring-security/releases/tag/7.1.0)and this\n\n[what's new](https://docs.spring.io/spring-security/reference/whats-new.html)page.\n\n#### Spring Session\n\nThe [release](https://spring.io/blog/2026/06/09/spring-session-releases-2026-06) of [Spring Session](https://spring.io/projects/spring-session) 4.1.0 delivers bug fixes and notable dependency upgrades such as: Spring Boot 4.1.0; Spring Security 7.1.0; Spring Framework 7.0.8; Spring Data 2025.1.6; Project Reactor 2025.0.6; Jackson 3.1.4; and Testcontainers 2.0.5. Further details on this release may be found in the [release notes](https://github.com/spring-projects/spring-session/releases/tag/4.1.0).\n\n#### Spring Integration\n\nThe [release](https://spring.io/blog/2026/06/10/spring-integration-7-1-0-released) of [Spring Integration](https://spring.io/projects/spring-integration) 7.1.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: disable the ** allowCredentials** element in the Spring Framework\n\n**annotation in favor of the**\n\n[@CrossOrigin](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html)\n\n**element to align with**\n\n`originPatterns`\n\n[Spring MVC](https://docs.spring.io/spring-framework/reference/web/webmvc.html); and improvements in the constructors for the\n\n**class that removes the exception handling in favor of the the Spring Framework**\n\n[ExpressionEvaluatingMessageProcessor](https://docs.spring.io/spring-integration/docs/7.1.0/api/org/springframework/integration/handler/ExpressionEvaluatingMessageProcessor.html)\n\n**class. More details on this release may be found in the**\n\n[Assert](https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/util/Assert.html)\n\n[release notes](https://github.com/spring-projects/spring-integration/releases/tag/v7.1.0)and this\n\n[what's new](https://docs.spring.io/spring-integration/reference/whats-new.html)page.\n\n#### Spring HATEOAS\n\nThe [release](https://spring.io/blog/2026/06/08/spring-hateoas-3-1-GA-3-0-7-and-2-5-3-released) of [Spring HATEOAS](https://spring.io/projects/spring-hateoas) 3.1.0 provides bug fixes, dependency upgrades and new features such as: improved caching in the class such that the cache does not grow beyond 256 entries; and changes to the\n\n[StringLinkRelation](https://github.com/spring-projects/spring-hateoas/blob/main/src/main/java/org/springframework/hateoas/StringLinkRelation.java)\n\n**method, defined in the**\n\n`canWrite()`\n\n**class, that aligns with the same method name defined in the Spring Framework**\n\n[TypeConstrainedJacksonJsonHttpMessageConverter](https://github.com/spring-projects/spring-hateoas/blob/main/src/main/java/org/springframework/hateoas/server/mvc/TypeConstrainedJacksonJsonHttpMessageConverter.java)\n\n**class.**\n\n[AbstractSmartHttpMessageConverter](https://docs.spring.io/spring-framework/docs/7.0.8/javadoc-api/org/springframework/http/converter/AbstractSmartHttpMessageConverter.html)\n\nThis releases also addresses two CVEs:\n\n[CVE-2026-41006](https://spring.io/security/cve-2026-41006), a vulnerability that exposes a security-sensitive property due to a bypass of the Jackson access-control annotations.[CVE-2026-41007](https://spring.io/security/cve-2026-41007), a vulnerability that allows an attacker to supply their own malicious hypermedia due to an unbounded static cache of the aforementionedclass.`StringLinkRelation`\n\nFurther details on this release may be found in the [release notes](https://github.com/spring-projects/spring-hateoas/releases/tag/3.1.0).\n\n#### Spring Modulith\n\nThe [release](https://spring.io/blog/2026/06/11/spring-modulith-2-1-ga-2-0-7-and-1-4-12-released) of [Spring Modulith](https://spring.io/projects/spring-modulith) 2.1.0 delivers bug fixes, dependency upgrades and new features such as: a new set of classes, like , to support event outbox engine with\n\n[NamastackOutboxEventRecorder](https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/events/namastack/NamastackOutboxEventRecorder.html)\n\n[Namastack](https://github.com/namastack); a new\n\n**class to support event externalization with**\n\n[JobRunrEventExternalizer](https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/events/jobrunr/JobRunrEventExternalizer.html)\n\n[JobRunr](https://www.jobrunr.io/en/); and a new\n\n**annotation that allows for application module slicing in combination with the Spring Boot slice test annotations. More details on this release may be found in the**\n\n[@ModuleSlicing](https://docs.spring.io/spring-modulith/docs/current/api/org/springframework/modulith/test/ModuleSlicing.html)\n\n[release notes](https://github.com/spring-projects/spring-modulith/releases/tag/2.1.0).\n\n#### Spring AI\n\nThe [release](https://spring.io/blog/2026/06/12/spring-ai-2-0-0-GA-available-now) of [Spring AI](https://spring.io/projects/spring-ai) 2.0.0 ships with bug fixes, documentation improvements, dependency upgrades and new features such as: updates in the Google GenAI models, defined in the enum class, that include deprecations of the\n\n[GoogleGenAiChatModel.ChatModel](https://docs.spring.io/spring-ai/docs/2.0.0/api/org/springframework/ai/google/genai/GoogleGenAiChatModel.ChatModel.html)\n\n**,**\n\n`GEMINI_2_0_FLASH`\n\n**and**\n\n`GEMINI_2_0_FLASH_LIGHT`\n\n**enumerations in favor of a new**\n\n`GEMINI_3_PRO_PREVIEW`\n\n**enumeration; and improved null safety in the**\n\n`GEMINI_3_1_PRO_PREVIEW`\n\n**package by replacing the deprecated methods defined in the Jackson Databind**\n\n[org.springframework.ai.image.observation](https://github.com/spring-projects/spring-ai/tree/main/spring-ai-model/src/main/java/org/springframework/ai/image/observation)\n\n**abstract class. Further details on this release may be found in the**\n\n[JsonNode](https://github.com/FasterXML/jackson-databind/blob/3.x/src/main/java/tools/jackson/databind/JsonNode.java)\n\n[release notes](https://github.com/spring-projects/spring-ai/releases/tag/v2.0.0).\n\n#### Spring AMQP\n\nThe [release](https://spring.io/blog/2026/06/09/spring-amqp-4-1-0-available) of [Spring AMQP](https://spring.io/projects/spring-amqp) 4.1.0 provides bug fixes, dependency upgrades and new features such as: compatibility with [RabbitMQ](https://www.rabbitmq.com/) 4.3.0; a removal of the wildcard character from all Jackson message converters to \"*trust no one*\" by default; and a new ** spring-amqp-client** module that supports interaction with the generic\n\n[AMQP 1.0](https://www.oasis-open.org/standard/amqp/)protocol. More details on this release may be found in the\n\n[release notes](https://github.com/spring-projects/spring-amqp/releases/tag/v4.1.0)and this\n\n[what's new](https://docs.spring.io/spring-amqp/reference/whats-new.html)page.\n\n#### Spring for Apache Kafka\n\nThe [release](https://spring.io/blog/2026/06/09/spring-kafka-4) of [Spring for Apache Kafka](https://spring.io/projects/spring-kafka) 4.1.0 delivers bug fixes, documentation improvements, dependency upgrades and a new feature that adapts the ** setBackOffFunction()**, defined in the\n\n**class, to process messages in batches.**\n\n[FailedRecordProcessor](https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/listener/FailedRecordProcessor.html)\n\nThis release also addresses three CVEs:\n\n[CVE-2026-41726](https://spring.io/security/cve-2026-41726), a vulnerability that allows an attacker to send malicious selector headers due to an unbounded consumer heap causing GC thrashing and anexception.`OutOfMemoryError`\n\n[CVE-2026-41727](https://spring.io/security/cve-2026-41727), a vulnerability that allows an attacker to send a record with a maliciousheader to \"`retry_topic-attempts`\n\n*supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.*\" This could lead to an arbitrarily long pause that stalls a listener far beyond any intended retry window.[CVE-2026-41731](https://spring.io/security/cve-2026-41731), a vulnerability that allows an attacker to supply malicious header values to instances of theand deprecated[JsonKafkaHeaderMapper](https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/support/JsonKafkaHeaderMapper.html)classes against trusted packages, with an implicit trust of all of its subpackages, using a prefix check that caused the consumer to deserialize arbitrary JDK types.[DefaultKafkaHeaderMapper](https://docs.spring.io/spring-kafka/docs/4.1.0/api/org/springframework/kafka/support/DefaultKafkaHeaderMapper.html)\n\nFurther details on this release may be found in the [release notes](https://github.com/spring-projects/spring-kafka/releases/tag/v4.1.0).\n\n#### Spring LDAP\n\nThe [release](https://spring.io/blog/2026/06/08/spring-ldap-releases-2026-06) of [Spring LDAP](https://spring.io/projects/spring-ldap) 4.1.0 ships with many dependency upgrades and a new feature that deprecates methods, ** toEntry()**,\n\n**,**\n\n`toObject()`\n\n**and**\n\n`toList()`\n\n**, in favor of new methods,**\n\n`toStream()`\n\n**,**\n\n`map()`\n\n**,**\n\n`single()`\n\n**,**\n\n`optional()`\n\n**and**\n\n`list()`\n\n**, added to the**\n\n`stream()`\n\n**interface.**\n\n[LdapClient](https://github.com/spring-projects/spring-ldap/blob/main/core/src/main/java/org/springframework/ldap/core/LdapClient.java)\n\nThis release also addresses [CVE-2026-41720](https://spring.io/security/cve-2026-41720), a vulnerability that allows an attacker, with a valid username, to gain authorization by providing an empty or null password due to an implementation of the interface that does not reject such passwords.\n\n[DirContextAuthenticationStrategy](https://github.com/spring-projects/spring-ldap/blob/main/core/src/main/java/org/springframework/ldap/core/support/DirContextAuthenticationStrategy.java)\n\nMore details on this release may be found in the [release notes](https://github.com/spring-projects/spring-ldap/releases/tag/4.1.0) and this [what's new](https://docs.spring.io/spring-ldap/reference/whats-new.html) page.\n\n#### Spring Vault\n\nThe [release](https://spring.io/blog/2026/06/10/spring-vault-4-1-available) of [Spring Vault](https://spring.io/projects/spring-vault) 4.1.0 provides bug fixes, documentation improvements, dependency upgrades and new features such as: new interfaces, and\n\n[VaultClient](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/VaultClient.html)\n\n**, designed to provide an \"**\n\n[ReactiveVaultClient](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/ReactiveVaultClient.html)\n\n*intermediate abstraction layer enforcing relative path handling at its core, preventing unintended absolute path usage*\" when configured with an instance of the\n\n**class; and a new**\n\n[VaultEndpoint](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/client/VaultEndpoint.html)\n\n**class to simplify consumption of managed secrets. Further details on this release may be found in the**\n\n[ManagedSecret](https://docs.spring.io/spring-vault/reference/4.1-SNAPSHOT/api/java/org/springframework/vault/core/lease/ManagedSecret.html)\n\n[release notes](https://github.com/spring-projects/spring-vault/releases/tag/4.1.0)and this\n\n[wiki](https://github.com/spring-projects/spring-vault/wiki/Spring-Vault-4.1-Release-Notes)page.\n\n#### Spring gRPC\n\nThe [release](https://spring.io/blog/2026/06/10/spring-grpc-1-1-0-available-now) of [Spring gRPC](https://spring.io/projects/spring-grpc) 1.1.0 delivers bug fixes and notable changes such as: the ability to configure in-process channels by name within an application properties file; and the addition of annotation-based exception handling for gRPC services. More details on this release may be found in the [release notes](https://github.com/spring-projects/spring-grpc/releases/tag/v1.1.0).", "url": "https://wpnews.pro/news/spring-news-roundup-point-releases-of-boot-security-integration-modulith-and-ai", "canonical_source": "https://www.infoq.com/news/2026/06/spring-news-roundup-jun08-2026/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=global", "published_at": "2026-06-15 14:15:00+00:00", "updated_at": "2026-06-15 14:36:25.500012+00:00", "lang": "en", "topics": ["developer-tools", "ai-tools"], "entities": ["Spring Boot", "Spring Security", "Spring AI", "Spring Data", "Spring Session", "Spring Integration", "Kotlin", "Vavr"], "alternates": {"html": "https://wpnews.pro/news/spring-news-roundup-point-releases-of-boot-security-integration-modulith-and-ai", "markdown": "https://wpnews.pro/news/spring-news-roundup-point-releases-of-boot-security-integration-modulith-and-ai.md", "text": "https://wpnews.pro/news/spring-news-roundup-point-releases-of-boot-security-integration-modulith-and-ai.txt", "jsonld": "https://wpnews.pro/news/spring-news-roundup-point-releases-of-boot-security-integration-modulith-and-ai.jsonld"}}