Update spring-boot to 4.1.0 and spotbugs-gradle-plugin to 6.5.8 #1923
Merged
mokuzon merged 3 commits on Jun 30, 2026
…o 6.5.8
Combine renovate PRs #1914 and #1912 and fix their CI failures.
spring-boot-gradle-plugin 4.1.0 brings Hibernate Validator 9.x, which removed the internal API org.hibernate.validator.internal.engine.path.PathImpl.createPathFromString that BotPropertiesValidatorTest relied on. Replace the internal-API usage with a filter on the property path string so the test no longer depends on Hibernate Validator internals.
spotbugs-gradle-plugin 6.5.8 bundles SpotBugs 4.10.x, which reports CT_CONSTRUCTOR_THROW for WebhookParser constructors that validate arguments with Objects.requireNonNull. Suppress this pattern in the exclude filter, consistent with the already-suppressed THROWS_METHOD_THROWS_* patterns.
SpotBugs 4.10.x (bundled in spotbugs-gradle-plugin 6.5.6+) reports CT_CONSTRUCTOR_THROW for the WebhookParser constructors, which validate arguments with Objects.requireNonNull and can therefore throw, leaving a partially-initialized object exposed to a finalizer attack. Make the class final so it can no longer be subclassed, which eliminates the attack vector at its root instead of suppressing the warning.
BREAKING CHANGE: WebhookParser is now final and can no longer be extended. This is intended for the next major release.
These classes have the same CT_CONSTRUCTOR_THROW issue as WebhookParser: their constructors validate arguments with Objects.requireNonNull and can throw, leaving a partially-initialized object exposed to a finalizer attack. Making them final eliminates the attack vector and lets the global CT_CONSTRUCTOR_THROW suppression stay removed.
BREAKING CHANGE: HttpRequestBody and HttpResponseBody are now final and can no longer be extended. This is intended for the next major release.
Yang-33 approved these changes on Jun 30, 2026
Contributor
Author
@Yang-33 Was this a mistake?
Contributor
So sorry, that was a mistake. I just wanted to close other PRs.
Contributor
You can remove the NO-ISSUE prefix if possible, because github.com/line/line-bot-sdk-* doesn't have any tickets.
Summary
Combines the two Renovate dependency PRs #1914 and #1912 into a single PR and resolves the CI failures both were hitting.
Warning
This PR contains breaking changes (three classes are now final) and is intended for the next major release.
Why CI was failing & how it is fixed
#1914 (spring-boot 4.1.0) — test compilation error
Spring Boot 4.1.0 upgrades Hibernate Validator to 9.x, which removed the internal API org.hibernate.validator.internal.engine.path.PathImpl.createPathFromString. BotPropertiesValidatorTest imported and called it statically, so the test source failed to compile (symbol: method createPathFromString(String), 4 errors).
Fix: drop the dependency on the Hibernate Validator internal class and filter on the property path's string representation instead:
#1912 (spotbugs 6.5.8) — spotbugsMain failed
spotbugs-gradle-plugin 6.5.6+ bundles SpotBugs core 4.10.x, which reports CT_CONSTRUCTOR_THROW for constructors that validate arguments with Objects.requireNonNull(...): such a constructor can throw and leave a partially-initialized object exposed to a finalizer attack.
Across all modules this affects exactly three classes. Rather than suppress the pattern, make each class final so it can no longer be subclassed, which eliminates the finalizer-attack vector at its root:
com.linecorp.bot.parser.WebhookParser
com.linecorp.bot.client.base.http.HttpRequestBody
com.linecorp.bot.client.base.http.HttpResponseBody
BREAKING CHANGE: the three classes above are now final and can no longer be extended.
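The exposure behind CT_CONSTRUCTOR_THROW and the effect of making the class final, as an added Java example that is not code from this PR or from line-bot-sdk. The class names OpenParser, Probe and FinalParser and the secret field are hypothetical stand-ins for the pattern described above.

```java
import java.util.Objects;

// Added illustration; all class names are hypothetical, not from line-bot-sdk.
public class ConstructorThrowDemo {
    // Shape reported as CT_CONSTRUCTOR_THROW: a non-final class whose constructor
    // can throw after Object's constructor has already completed.
    static class OpenParser {
        private final String secret;
        OpenParser(String secret) {
            this.secret = Objects.requireNonNull(secret); // may throw
        }
        boolean hasSecret() { return secret != null; }
    }

    // Because OpenParser is extensible, a subclass may override finalize() and is
    // handed the instance whose constructor threw, with secret still null.
    static class Probe extends OpenParser {
        static volatile OpenParser escaped;
        Probe() { super(null); }
        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() { escaped = this; }
    }

    // The fix described in the PR: a final class cannot be extended, so no
    // finalize() override can exist; "extends FinalParser" does not compile.
    static final class FinalParser {
        private final String secret;
        FinalParser(String secret) {
            this.secret = Objects.requireNonNull(secret);
        }
        boolean hasSecret() { return secret != null; }
    }

    public static void main(String[] args) throws InterruptedException {
        try { new Probe(); } catch (NullPointerException e) {
            System.out.println("constructor threw; caller holds no reference");
        }
        // Finalization timing is up to the JVM (and can be disabled), so retry briefly.
        for (int i = 0; i < 50 && Probe.escaped == null; i++) {
            System.gc();
            Thread.sleep(20);
        }
        System.out.println(Probe.escaped == null
                ? "finalizer did not run in this JVM"
                : "unvalidated instance observed, hasSecret=" + Probe.escaped.hasSecret());
        System.out.println("final class validates: " + new FinalParser("s").hasSecret());
    }
}
```

Whether the finalizer runs depends on the JVM version and flags, which is why the program reports both outcomes instead of assuming one.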