arquillian / arquillian-extension-spring

Arquillian Spring Containers and Enrichers

[Security] Bump version.spring_framework from 4.0.9.RELEASE to 5.1.5.RELEASE #56

Open dependabot-preview[bot] opened 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps version.spring_framework from 4.0.9.RELEASE to 5.1.5.RELEASE.

Updates spring-context from 4.0.9.RELEASE to 5.1.5.RELEASE

Release notes

*Sourced from [spring-context's releases](https://github.com/spring-projects/spring-framework/releases).*

> ## v5.1.5.RELEASE
> ## :star: New Features
>
> - Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' [#22392](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22392)
> - InjectionPoint autowiring throws exception for [**Resource**](https://github.com/Resource) beans autowired by name [#22359](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22359)
> - PathMatchingResourcePatternResolver may double-wrap jar: URLs [#22346](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22346)
> - mariadb-java-client 2.4.0 productName changed: breaks Spring Batch [#22344](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22344)
> - SpringEL should not throw IllegalAccessError for invalid assignment [#22336](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22336)
> - Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean [#22318](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22318)
> - Load-time weaving support for WildFly 13+ [#22297](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22297)
> - org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing [#22265](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22265)
> - Deprecate JibxMarshaller [#22249](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22249)
> - DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] [#22159](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22159)
> - Support for null literal in Jackson2JsonDecoder [SPR-17510] [#22042](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22042)
>
> ## :beetle: Bug Fixes
>
> - IllegalArgumentException when overriding empty 'excludeFilters' array on [**ComponentScan**](https://github.com/ComponentScan) [#22405](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22405)
> - [**Transactional**](https://github.com/Transactional) beans not getting proxied when being initialized during failed circular reference attempt [#22370](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22370)
> - CompositeLog does not log exceptions at ERROR level [#22364](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22364)
> - ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster [#22325](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22325)
> - ApplicationListenerMethodAdapter does not find [**Ordered**](https://github.com/Ordered) annotation for dynamic proxies [#22307](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22307)
> - NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information [#22306](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22306)
> - Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException [#22303](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22303)
> - Wrap DecodingException thrown by WebFlux functional endpoints [#22290](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22290)
> - Fix truncation of response body in AbstractMessageConverterMethodProcessor [#22287](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22287)
> - DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED [#22262](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22262)
> - Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans [#22260](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22260)
> - ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] [#22043](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22043)
>
> ## :notebook_with_decorative_cover: Documentation
>
> - Enhance documentation for @PostConstruct/PreDestroy and [**Required**](https://github.com/Required) [#22348](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22348)
> - Improve spring-context-indexer documentation [#22339](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22339)
> - Testing chapter of reference manual refers to old version of PetClinic [#22288](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22288)
> - Correct issues in Spring MVC section [#22282](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22282)
> - Clarify documentation about Spring MVC views rendered with Jackson versus [**JsonView**](https://github.com/JsonView) [#22280](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22280)
> - Spring MVC documentation has incorrect WebFlux reference [#22270](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22270)
> - Use try-with-resources in Spring 5 documentations [#22269](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22269)
> - Document effect of [**DirtiesContext**](https://github.com/DirtiesContext) when used with constructor injection [SPR-17654] [#22183](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22183)
> - Add note to Scope documentation on SimpleTransactionScope [SPR-17651] [#22180](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22180)
> - Document effect of preemptive timeouts on transactional tests [SPR-17647] [#22176](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22176)
> - Document synchronous use of WebClient [SPR-17644] [#22173](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22173)
> - Error in CORS WebFilter documentation of web-reactive [#19841](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/19841)
>
> ## :heart: Contributors
>
> We'd like to thank all the contributors who worked on this release!
>
> - [**benelog**](https://github.com/benelog)
>
> ... (truncated)

Commits

- [`45eb23b`](https://github.com/spring-projects/spring-framework/commit/45eb23bd21f0b91332c7489e2e872d1ab1df2f9b) Release version 5.1.5.RELEASE
- [`d703ca9`](https://github.com/spring-projects/spring-framework/commit/d703ca95d7755a71bba1f5f69f37916b2a90ca9e) Upgrade to Reactor Californium SR5
- [`106a757`](https://github.com/spring-projects/spring-framework/commit/106a7570981b83af3bf4855207e290de5fc30718) Polishing
- [`8637540`](https://github.com/spring-projects/spring-framework/commit/8637540678637c306d38f0681b8c057c791c5c94) Expose empty annotation array as empty AnnotationAttributes array
- [`5bb1c3e`](https://github.com/spring-projects/spring-framework/commit/5bb1c3e1e31772a30a7fdef74e60f39a6bb65f29) Deprecate SqlXmlObjectMappingHandler
- [`2a0a002`](https://github.com/spring-projects/spring-framework/commit/2a0a002bd3c34f8ce22561fcdc2b968b7b309c8f) Improve Kotlin documentation
- [`514f7e3`](https://github.com/spring-projects/spring-framework/commit/514f7e33289d6bc83d48bb4e07d3a52032e68961) Add link to Kotlin sample for Spring Cloud GCP
- [`cdd0456`](https://github.com/spring-projects/spring-framework/commit/cdd0456aa41e025eb9778161f27fc0d4ef8025f5) Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
- [`9f03d15`](https://github.com/spring-projects/spring-framework/commit/9f03d158ce1ebb476a1f26e2f7a29ad26460e76d) Upgrade to Checkstyle 8.17 and Mockito 2.24
- [`ba0c48b`](https://github.com/spring-projects/spring-framework/commit/ba0c48b93347749e72f8d6f74ea1b11a504b241b) Polishing
- Additional commits viewable in [compare view](https://github.com/spring-projects/spring-framework/compare/v4.0.9.RELEASE...v5.1.5.RELEASE)


Updates spring-web from 4.0.9.RELEASE to 5.1.5.RELEASE. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/5c31df94-6945-4798-8b6c-b807dba2712b).*

> **[CVE-2015-5211] Improper Input Validation**
> Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
>
> Affected versions: [3.2.0, 3.2.14]; [4.0.0, 4.0.9]; [4.1.0, 4.1.7]; [4.2.0, 4.2.1]

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/567af0d7-0b7d-40bc-be29-461aa5116f2e).*

> **[CVE-2015-3192] Improper Restriction of Operations within the Bounds of a Memory Buffer**
> Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
>
> Affected versions: [3.2.0, 3.2.13]; [4.0.0, 4.1.6]


Updates spring-tx from 4.0.9.RELEASE to 5.1.5.RELEASE



Updates spring-webmvc from 4.0.9.RELEASE to 5.1.5.RELEASE. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/5c31df94-6945-4798-8b6c-b807dba2712b).*

> **[CVE-2015-5211] Improper Input Validation**
> Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
>
> Affected versions: [3.2.0, 3.2.14]; [4.0.0, 4.0.9]; [4.1.0, 4.1.7]; [4.2.0, 4.2.1]
Release notes *Sourced from [spring-webmvc's releases](https://github.com/spring-projects/spring-framework/releases).* > ## v5.1.5.RELEASE > ## :star: New Features > > - Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' [#22392](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22392) > - InjectionPoint autowiring throws exception for [**Resource**](https://github.com/Resource) beans autowired by name [#22359](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22359) > - PathMatchingResourcePatternResolver may double-wrap jar: URLs [#22346](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22346) > - mariadb-java-client 2.4.0 productName changed: breaks Spring Batch [#22344](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22344) > - SpringEL should not throw IllegalAccessError for invalid assignment [#22336](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22336) > - Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean [#22318](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22318) > - Load-time weaving support for WildFly 13+ [#22297](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22297) > - org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing [#22265](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22265) > - Deprecate JibxMarshaller [#22249](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22249) > - DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] [#22159](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22159) > - Support for null literal in Jackson2JsonDecoder [SPR-17510] 
[#22042](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22042)
>
> ## :beetle: Bug Fixes
>
> - IllegalArgumentException when overriding empty 'excludeFilters' array on [**ComponentScan**](https://github.com/ComponentScan) [#22405](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22405)
> - [**Transactional**](https://github.com/Transactional) beans not getting proxied when being initialized during failed circular reference attempt [#22370](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22370)
> - CompositeLog does not log exceptions at ERROR level [#22364](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22364)
> - ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster [#22325](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22325)
> - ApplicationListenerMethodAdapter does not find [**Ordered**](https://github.com/Ordered) annotation for dynamic proxies [#22307](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22307)
> - NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information [#22306](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22306)
> - Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException [#22303](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22303)
> - Wrap DecodingException thrown by WebFlux functional endpoints [#22290](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22290)
> - Fix truncation of response body in AbstractMessageConverterMethodProcessor [#22287](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22287)
> - DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED [#22262](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22262)
> - Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans [#22260](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22260)
> - ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] [#22043](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22043)
>
> ## :notebook_with_decorative_cover: Documentation
>
> - Enhance documentation for @PostConstruct/PreDestroy and [**Required**](https://github.com/Required) [#22348](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22348)
> - Improve spring-context-indexer documentation [#22339](https://github-redirect.dependabot.com/spring-projects/spring-framework/pull/22339)
> - Testing chapter of reference manual refers to old version of PetClinic [#22288](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22288)
> - Correct issues in Spring MVC section [#22282](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22282)
> - Clarify documentation about Spring MVC views rendered with Jackson versus [**JsonView**](https://github.com/JsonView) [#22280](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22280)
> - Spring MVC documentation has incorrect WebFlux reference [#22270](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22270)
> - Use try-with-resources in Spring 5 documentations [#22269](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22269)
> - Document effect of [**DirtiesContext**](https://github.com/DirtiesContext) when used with constructor injection [SPR-17654] [#22183](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22183)
> - Add note to Scope documentation on SimpleTransactionScope [SPR-17651] [#22180](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22180)
> - Document effect of preemptive timeouts on transactional tests [SPR-17647] [#22176](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22176)
> - Document synchronous use of WebClient [SPR-17644] [#22173](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/22173)
> - Error in CORS WebFilter documentation of web-reactive [#19841](https://github-redirect.dependabot.com/spring-projects/spring-framework/issues/19841)
>
> ## :heart: Contributors
>
> We'd like to thank all the contributors who worked on this release!
>
> - [**benelog**](https://github.com/benelog)
> ... (truncated)

Commits

- [`45eb23b`](https://github.com/spring-projects/spring-framework/commit/45eb23bd21f0b91332c7489e2e872d1ab1df2f9b) Release version 5.1.5.RELEASE
- [`d703ca9`](https://github.com/spring-projects/spring-framework/commit/d703ca95d7755a71bba1f5f69f37916b2a90ca9e) Upgrade to Reactor Californium SR5
- [`106a757`](https://github.com/spring-projects/spring-framework/commit/106a7570981b83af3bf4855207e290de5fc30718) Polishing
- [`8637540`](https://github.com/spring-projects/spring-framework/commit/8637540678637c306d38f0681b8c057c791c5c94) Expose empty annotation array as empty AnnotationAttributes array
- [`5bb1c3e`](https://github.com/spring-projects/spring-framework/commit/5bb1c3e1e31772a30a7fdef74e60f39a6bb65f29) Deprecate SqlXmlObjectMappingHandler
- [`2a0a002`](https://github.com/spring-projects/spring-framework/commit/2a0a002bd3c34f8ce22561fcdc2b968b7b309c8f) Improve Kotlin documentation
- [`514f7e3`](https://github.com/spring-projects/spring-framework/commit/514f7e33289d6bc83d48bb4e07d3a52032e68961) Add link to Kotlin sample for Spring Cloud GCP
- [`cdd0456`](https://github.com/spring-projects/spring-framework/commit/cdd0456aa41e025eb9778161f27fc0d4ef8025f5) Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
- [`9f03d15`](https://github.com/spring-projects/spring-framework/commit/9f03d158ce1ebb476a1f26e2f7a29ad26460e76d) Upgrade to Checkstyle 8.17 and Mockito 2.24
- [`ba0c48b`](https://github.com/spring-projects/spring-framework/commit/ba0c48b93347749e72f8d6f74ea1b11a504b241b) Polishing
- Additional commits viewable in [compare view](https://github.com/spring-projects/spring-framework/compare/v4.0.9.RELEASE...v5.1.5.RELEASE)


Updates spring-orm from 4.0.9.RELEASE to 5.1.5.RELEASE



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.