[Security] Bump version.spring_framework from 4.0.9.RELEASE to 5.1.5.RELEASE

[dependabot-preview]

Bumps version.spring_framework from 4.0.9.RELEASE to 5.1.5.RELEASE.

Updates spring-context from 4.0.9.RELEASE to 5.1.5.RELEASE

Release notes

Sourced from spring-context's releases.

v5.1.5.RELEASE

⭐ New Features

• Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' #22392
• InjectionPoint autowiring throws exception for Resource beans autowired by name #22359
• PathMatchingResourcePatternResolver may double-wrap jar: URLs #22346
• mariadb-java-client 2.4.0 productName changed: breaks Spring Batch #22344
• SpringEL should not throw IllegalAccessError for invalid assignment #22336
• Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean #22318
• Load-time weaving support for WildFly 13+ #22297
• org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing #22265
• Deprecate JibxMarshaller #22249
• DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] #22159
• Support for null literal in Jackson2JsonDecoder [SPR-17510] #22042

🪲 Bug Fixes

• IllegalArgumentException when overriding empty 'excludeFilters' array on ComponentScan #22405
• Transactional beans not getting proxied when being initialized during failed circular reference attempt #22370
• CompositeLog does not log exceptions at ERROR level #22364
• ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster #22325
• ApplicationListenerMethodAdapter does not find Ordered annotation for dynamic proxies #22307
• NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information #22306
• Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException #22303
• Wrap DecodingException thrown by WebFlux functional endpoints #22290
• Fix truncation of response body in AbstractMessageConverterMethodProcessor #22287
• DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED #22262
• Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans #22260
• ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] #22043

📔 Documentation

• Enhance documentation for @PostConstruct/PreDestroy and Required #22348
• Improve spring-context-indexer documentation #22339
• Testing chapter of reference manual refers to old version of PetClinic #22288
• Correct issues in Spring MVC section #22282
• Clarify documentation about Spring MVC views rendered with Jackson versus JsonView #22280
• Spring MVC documentation has incorrect WebFlux reference #22270
• Use try-with-resources in Spring 5 documentations #22269
• Document effect of DirtiesContext when used with constructor injection [SPR-17654] #22183
• Add note to Scope documentation on SimpleTransactionScope [SPR-17651] #22180
• Document effect of preemptive timeouts on transactional tests [SPR-17647] #22176
• Document synchronous use of WebClient [SPR-17644] #22173
• Error in CORS WebFilter documentation of web-reactive #19841

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• [benelog](https://github.com/benelog)

... (truncated)

Commits

• 45eb23b Release version 5.1.5.RELEASE
• d703ca9 Upgrade to Reactor Californium SR5
• 106a757 Polishing
• 8637540 Expose empty annotation array as empty AnnotationAttributes array
• 5bb1c3e Deprecate SqlXmlObjectMappingHandler
• 2a0a002 Improve Kotlin documentation
• 514f7e3 Add link to Kotlin sample for Spring Cloud GCP
• cdd0456 Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
• 9f03d15 Upgrade to Checkstyle 8.17 and Mockito 2.24
• ba0c48b Polishing
• Additional commits viewable in compare view

Updates spring-web from 4.0.9.RELEASE to 5.1.5.RELEASE. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2015-5211] Improper Input Validation
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Affected versions: [3.2.0, 3.2.14]; [4.0.0, 4.0.9]; [4.1.0, 4.1.7]; [4.2.0, 4.2.1]

Sourced from The Sonatype OSS Index.

[CVE-2015-3192] Improper Restriction of Operations within the Bounds of a Memory Buffer
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Affected versions: [3.2.0, 3.2.13]; [4.0.0, 4.1.6]

Release notes

Sourced from spring-web's releases.

v5.1.5.RELEASE

⭐ New Features

• Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' #22392
• InjectionPoint autowiring throws exception for Resource beans autowired by name #22359
• PathMatchingResourcePatternResolver may double-wrap jar: URLs #22346
• mariadb-java-client 2.4.0 productName changed: breaks Spring Batch #22344
• SpringEL should not throw IllegalAccessError for invalid assignment #22336
• Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean #22318
• Load-time weaving support for WildFly 13+ #22297
• org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing #22265
• Deprecate JibxMarshaller #22249
• DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] #22159
• Support for null literal in Jackson2JsonDecoder [SPR-17510] #22042

🪲 Bug Fixes

• IllegalArgumentException when overriding empty 'excludeFilters' array on ComponentScan #22405
• Transactional beans not getting proxied when being initialized during failed circular reference attempt #22370
• CompositeLog does not log exceptions at ERROR level #22364
• ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster #22325
• ApplicationListenerMethodAdapter does not find Ordered annotation for dynamic proxies #22307
• NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information #22306
• Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException #22303
• Wrap DecodingException thrown by WebFlux functional endpoints #22290
• Fix truncation of response body in AbstractMessageConverterMethodProcessor #22287
• DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED #22262
• Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans #22260
• ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] #22043

📔 Documentation

• Enhance documentation for @PostConstruct/PreDestroy and Required #22348
• Improve spring-context-indexer documentation #22339
• Testing chapter of reference manual refers to old version of PetClinic #22288
• Correct issues in Spring MVC section #22282
• Clarify documentation about Spring MVC views rendered with Jackson versus JsonView #22280
• Spring MVC documentation has incorrect WebFlux reference #22270
• Use try-with-resources in Spring 5 documentations #22269
• Document effect of DirtiesContext when used with constructor injection [SPR-17654] #22183
• Add note to Scope documentation on SimpleTransactionScope [SPR-17651] #22180
• Document effect of preemptive timeouts on transactional tests [SPR-17647] #22176
• Document synchronous use of WebClient [SPR-17644] #22173
• Error in CORS WebFilter documentation of web-reactive #19841

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• [benelog](https://github.com/benelog)

... (truncated)

Commits

• 45eb23b Release version 5.1.5.RELEASE
• d703ca9 Upgrade to Reactor Californium SR5
• 106a757 Polishing
• 8637540 Expose empty annotation array as empty AnnotationAttributes array
• 5bb1c3e Deprecate SqlXmlObjectMappingHandler
• 2a0a002 Improve Kotlin documentation
• 514f7e3 Add link to Kotlin sample for Spring Cloud GCP
• cdd0456 Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
• 9f03d15 Upgrade to Checkstyle 8.17 and Mockito 2.24
• ba0c48b Polishing
• Additional commits viewable in compare view

Updates spring-tx from 4.0.9.RELEASE to 5.1.5.RELEASE

Release notes

Sourced from spring-tx's releases.

v5.1.5.RELEASE

⭐ New Features

• Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' #22392
• InjectionPoint autowiring throws exception for Resource beans autowired by name #22359
• PathMatchingResourcePatternResolver may double-wrap jar: URLs #22346
• mariadb-java-client 2.4.0 productName changed: breaks Spring Batch #22344
• SpringEL should not throw IllegalAccessError for invalid assignment #22336
• Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean #22318
• Load-time weaving support for WildFly 13+ #22297
• org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing #22265
• Deprecate JibxMarshaller #22249
• DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] #22159
• Support for null literal in Jackson2JsonDecoder [SPR-17510] #22042

🪲 Bug Fixes

• IllegalArgumentException when overriding empty 'excludeFilters' array on ComponentScan #22405
• Transactional beans not getting proxied when being initialized during failed circular reference attempt #22370
• CompositeLog does not log exceptions at ERROR level #22364
• ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster #22325
• ApplicationListenerMethodAdapter does not find Ordered annotation for dynamic proxies #22307
• NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information #22306
• Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException #22303
• Wrap DecodingException thrown by WebFlux functional endpoints #22290
• Fix truncation of response body in AbstractMessageConverterMethodProcessor #22287
• DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED #22262
• Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans #22260
• ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] #22043

📔 Documentation

• Enhance documentation for @PostConstruct/PreDestroy and Required #22348
• Improve spring-context-indexer documentation #22339
• Testing chapter of reference manual refers to old version of PetClinic #22288
• Correct issues in Spring MVC section #22282
• Clarify documentation about Spring MVC views rendered with Jackson versus JsonView #22280
• Spring MVC documentation has incorrect WebFlux reference #22270
• Use try-with-resources in Spring 5 documentations #22269
• Document effect of DirtiesContext when used with constructor injection [SPR-17654] #22183
• Add note to Scope documentation on SimpleTransactionScope [SPR-17651] #22180
• Document effect of preemptive timeouts on transactional tests [SPR-17647] #22176
• Document synchronous use of WebClient [SPR-17644] #22173
• Error in CORS WebFilter documentation of web-reactive #19841

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• [benelog](https://github.com/benelog)

... (truncated)

Commits

• 45eb23b Release version 5.1.5.RELEASE
• d703ca9 Upgrade to Reactor Californium SR5
• 106a757 Polishing
• 8637540 Expose empty annotation array as empty AnnotationAttributes array
• 5bb1c3e Deprecate SqlXmlObjectMappingHandler
• 2a0a002 Improve Kotlin documentation
• 514f7e3 Add link to Kotlin sample for Spring Cloud GCP
• cdd0456 Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
• 9f03d15 Upgrade to Checkstyle 8.17 and Mockito 2.24
• ba0c48b Polishing
• Additional commits viewable in compare view

Updates spring-webmvc from 4.0.9.RELEASE to 5.1.5.RELEASE. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2015-5211] Improper Input Validation
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Affected versions: [3.2.0, 3.2.14]; [4.0.0, 4.0.9]; [4.1.0, 4.1.7]; [4.2.0, 4.2.1]

Release notes

Sourced from spring-webmvc's releases.

v5.1.5.RELEASE

⭐ New Features

• Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' #22392
• InjectionPoint autowiring throws exception for Resource beans autowired by name #22359
• PathMatchingResourcePatternResolver may double-wrap jar: URLs #22346
• mariadb-java-client 2.4.0 productName changed: breaks Spring Batch #22344
• SpringEL should not throw IllegalAccessError for invalid assignment #22336
• Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean #22318
• Load-time weaving support for WildFly 13+ #22297
• org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing #22265
• Deprecate JibxMarshaller #22249
• DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] #22159
• Support for null literal in Jackson2JsonDecoder [SPR-17510] #22042

🪲 Bug Fixes

• IllegalArgumentException when overriding empty 'excludeFilters' array on ComponentScan #22405
• Transactional beans not getting proxied when being initialized during failed circular reference attempt #22370
• CompositeLog does not log exceptions at ERROR level #22364
• ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster #22325
• ApplicationListenerMethodAdapter does not find Ordered annotation for dynamic proxies #22307
• NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information #22306
• Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException #22303
• Wrap DecodingException thrown by WebFlux functional endpoints #22290
• Fix truncation of response body in AbstractMessageConverterMethodProcessor #22287
• DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED #22262
• Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans #22260
• ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] #22043

📔 Documentation

• Enhance documentation for @PostConstruct/PreDestroy and Required #22348
• Improve spring-context-indexer documentation #22339
• Testing chapter of reference manual refers to old version of PetClinic #22288
• Correct issues in Spring MVC section #22282
• Clarify documentation about Spring MVC views rendered with Jackson versus JsonView #22280
• Spring MVC documentation has incorrect WebFlux reference #22270
• Use try-with-resources in Spring 5 documentations #22269
• Document effect of DirtiesContext when used with constructor injection [SPR-17654] #22183
• Add note to Scope documentation on SimpleTransactionScope [SPR-17651] #22180
• Document effect of preemptive timeouts on transactional tests [SPR-17647] #22176
• Document synchronous use of WebClient [SPR-17644] #22173
• Error in CORS WebFilter documentation of web-reactive #19841

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• [benelog](https://github.com/benelog)

... (truncated)

Commits

• 45eb23b Release version 5.1.5.RELEASE
• d703ca9 Upgrade to Reactor Californium SR5
• 106a757 Polishing
• 8637540 Expose empty annotation array as empty AnnotationAttributes array
• 5bb1c3e Deprecate SqlXmlObjectMappingHandler
• 2a0a002 Improve Kotlin documentation
• 514f7e3 Add link to Kotlin sample for Spring Cloud GCP
• cdd0456 Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
• 9f03d15 Upgrade to Checkstyle 8.17 and Mockito 2.24
• ba0c48b Polishing
• Additional commits viewable in compare view

Updates spring-orm from 4.0.9.RELEASE to 5.1.5.RELEASE

Release notes

Sourced from spring-orm's releases.

v5.1.5.RELEASE

⭐ New Features

• Fix for ScriptUtils failure when '--' occurs inside a multi-line comment on the same line as '*/' #22392
• InjectionPoint autowiring throws exception for Resource beans autowired by name #22359
• PathMatchingResourcePatternResolver may double-wrap jar: URLs #22346
• mariadb-java-client 2.4.0 productName changed: breaks Spring Batch #22344
• SpringEL should not throw IllegalAccessError for invalid assignment #22336
• Avoid duplicate call to findAnnotations in DefaultListableBeanFactory.findAnnotationOnBean #22318
• Load-time weaving support for WildFly 13+ #22297
• org.springframework.web.client.HttpMessageConverterExtractor#extractData fails to detect empty body when content-length header is missing #22265
• Deprecate JibxMarshaller #22249
• DefaultExceptionHandler logs warning cannot be disabled [SPR-17628] #22159
• Support for null literal in Jackson2JsonDecoder [SPR-17510] #22042

🪲 Bug Fixes

• IllegalArgumentException when overriding empty 'excludeFilters' array on ComponentScan #22405
• Transactional beans not getting proxied when being initialized during failed circular reference attempt #22370
• CompositeLog does not log exceptions at ERROR level #22364
• ApplicationContext.refresh() causes stale listeners to be added to ApplicationEventMulticaster #22325
• ApplicationListenerMethodAdapter does not find Ordered annotation for dynamic proxies #22307
• NPE in AbstractHandlerMethodMapping when trace logging is enabled and a handler's class loader does not provide package information #22306
• Incomplete fix for MethodParameter.isOptional() ArrayIndexOutOfBoundsException #22303
• Wrap DecodingException thrown by WebFlux functional endpoints #22290
• Fix truncation of response body in AbstractMessageConverterMethodProcessor #22287
• DataBuffer.write(CharSequence charSequence, Charset charset) fails on empty string with java.lang.IllegalStateException: Current state = RESET, new state = FLUSHED #22262
• Add tests for SpringBeanContainer (Hibernate ORM integration) and fix the behavior when requesting named beans #22260
• ServerSentEventHttpMessageReader leaves a leading space on field decoding [SPR-17511] #22043

📔 Documentation

• Enhance documentation for @PostConstruct/PreDestroy and Required #22348
• Improve spring-context-indexer documentation #22339
• Testing chapter of reference manual refers to old version of PetClinic #22288
• Correct issues in Spring MVC section #22282
• Clarify documentation about Spring MVC views rendered with Jackson versus JsonView #22280
• Spring MVC documentation has incorrect WebFlux reference #22270
• Use try-with-resources in Spring 5 documentations #22269
• Document effect of DirtiesContext when used with constructor injection [SPR-17654] #22183
• Add note to Scope documentation on SimpleTransactionScope [SPR-17651] #22180
• Document effect of preemptive timeouts on transactional tests [SPR-17647] #22176
• Document synchronous use of WebClient [SPR-17644] #22173
• Error in CORS WebFilter documentation of web-reactive #19841

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• [benelog](https://github.com/benelog)

... (truncated)

Commits

• 45eb23b Release version 5.1.5.RELEASE
• d703ca9 Upgrade to Reactor Californium SR5
• 106a757 Polishing
• 8637540 Expose empty annotation array as empty AnnotationAttributes array
• 5bb1c3e Deprecate SqlXmlObjectMappingHandler
• 2a0a002 Improve Kotlin documentation
• 514f7e3 Add link to Kotlin sample for Spring Cloud GCP
• cdd0456 Upgrade to Tomcat 9.0.16 and Log4J 2.11.2
• 9f03d15 Upgrade to Checkstyle 8.17 and Mockito 2.24
• ba0c48b Polishing
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.