chore: upgrade springboot to 4.0.5 (main) (#8717) (CP: 25.0) by vaadin-bot · Pull Request #8728 · vaadin/platform

vaadin-bot · 2026-03-30T13:39:56Z

This PR cherry-picks changes from the original PR #8717 to branch 25.0.

No description provided in the original PR.

github-actions · 2026-03-30T14:32:38Z

🚫 Vulnerabilities:
- Vulnerabilities in: pkg:maven/org.codehaus.plexus/plexus-utils@3.6.0 [CVE-2025-67030] (osv-bomber,osv-scan)
  ·
- Vulnerabilities in: pkg:npm/serialize-javascript@6.0.2 [GHSA-5c6j-r48x-rmvq, CVE-2026-34043] (osv-bomber,oss-bomber,osv-scan)
  ·
- Vulnerabilities in: pkg:npm/glob@11.1.0 [CVE-2025-64756] (oss-bomber)
  ·
🟠 Known Vulnerabilities:
- Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
  👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
  · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
  · cpe:2.3:a:ada:ada::::::::
📔 No Core License Issues
📔 No License Issues
🟠 Changes in 25.0-SNAPSHOT since V25.0.8
- 1 packages removed (1 external, 0 vaadin)
- 22 packages modified (22 external, 0 vaadin)
- 878 packages same (650 external, 228 vaadin)

chore: upgrade springboot to 4.0.5 (#8717)

e7a098e

ZheSun88 approved these changes Mar 30, 2026

View reviewed changes

ZheSun88 merged commit 0c3ad6a into 25.0 Mar 30, 2026
3 of 4 checks passed

ZheSun88 deleted the cherry-pick-8717-to-25.0-1774877993776 branch March 30, 2026 14:41