Update spring-boot to 4.1.0 and spotbugs-gradle-plugin to 6.5.8 #1923

Merged: mokuzon merged 3 commits into master from users/mokuson/NO-ISSUE/update-spring-boot-and-spotbugs, Jun 30, 2026

@mokuzon mokuzon commented Jun 30, 2026

Contributor

Summary

Combines the two Renovate dependency PRs #1914 and #1912 into a single PR and resolves the CI failures both were hitting.

Warning

This PR contains breaking changes (three classes are now final) and is intended for the next major release.

Why CI was failing & how it is fixed

#1914 (spring-boot 4.1.0) — test compilation error

Spring Boot 4.1.0 upgrades Hibernate Validator to 9.x, which removed the internal API org.hibernate.validator.internal.engine.path.PathImpl.createPathFromString. BotPropertiesValidatorTest imported and called it statically, so the test source failed to compile (symbol: method createPathFromString(String), 4 errors).

Fix: drop the dependency on the Hibernate Validator internal class and filter on the property path's string representation instead:

.filteredOn(violation -> violation.getPropertyPath().toString().equals("channelToken"))

#1912 (spotbugs 6.5.8) — spotbugsMain failed

spotbugs-gradle-plugin 6.5.6+ bundles SpotBugs core 4.10.x, which reports CT_CONSTRUCTOR_THROW for constructors that validate arguments with Objects.requireNonNull(...): such a constructor can throw and leave a partially-initialized object exposed to a finalizer attack.

Across all modules this affects exactly three classes. Rather than suppress the pattern, make each class final so it can no longer be subclassed, which eliminates the finalizer-attack vector at its root:

  • com.linecorp.bot.parser.WebhookParser
  • com.linecorp.bot.client.base.http.HttpRequestBody
  • com.linecorp.bot.client.base.http.HttpResponseBody

BREAKING CHANGE: the three classes above are now final and can no longer be extended.

…o 6.5.8

Combine renovate PRs #1914 and #1912 and fix their CI failures.

spring-boot-gradle-plugin 4.1.0 brings Hibernate Validator 9.x, which
removed the internal API org.hibernate.validator.internal.engine.path.PathImpl
.createPathFromString that BotPropertiesValidatorTest relied on. Replace the
internal-API usage with a filter on the property path string so the test no
longer depends on Hibernate Validator internals.

spotbugs-gradle-plugin 6.5.8 bundles SpotBugs 4.10.x, which reports
CT_CONSTRUCTOR_THROW for WebhookParser constructors that validate arguments
with Objects.requireNonNull. Suppress this pattern in the exclude filter,
consistent with the already-suppressed THROWS_METHOD_THROWS_* patterns.
@mokuzon mokuzon marked this pull request as draft June 30, 2026 04:28
mokuzon added 2 commits June 30, 2026 13:39
SpotBugs 4.10.x (bundled in spotbugs-gradle-plugin 6.5.6+) reports
CT_CONSTRUCTOR_THROW for the WebhookParser constructors, which validate
arguments with Objects.requireNonNull and can therefore throw, leaving a
partially-initialized object exposed to a finalizer attack.

Make the class final so it can no longer be subclassed, which eliminates
the attack vector at its root instead of suppressing the warning.

BREAKING CHANGE: WebhookParser is now final and can no longer be extended.
This is intended for the next major release.

These classes have the same CT_CONSTRUCTOR_THROW issue as WebhookParser:
their constructors validate arguments with Objects.requireNonNull and can
throw, leaving a partially-initialized object exposed to a finalizer attack.
Making them final eliminates the attack vector and lets the global
CT_CONSTRUCTOR_THROW suppression stay removed.

BREAKING CHANGE: HttpRequestBody and HttpResponseBody are now final and can
no longer be extended. This is intended for the next major release.
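
The pattern behind the CT_CONSTRUCTOR_THROW reports discussed above, next to the `final` fix, as an added example that is not code from this PR or from line-bot-sdk-java. `Token`, `LeakyToken` and `HardenedToken` are hypothetical names, and whether the finalizer runs depends on GC timing and on finalization being enabled in the JVM.

```java
import java.util.Objects;

// Added illustration: Token, LeakyToken and HardenedToken are hypothetical
// names, not classes from line-bot-sdk-java.
@SuppressWarnings({"deprecation", "removal"}) // finalize() and runFinalization()
public class ConstructorThrowDemo {
    // Shape that CT_CONSTRUCTOR_THROW flags: non-final, constructor can throw.
    static class Token {
        private final String secret;
        Token(String secret) { this.secret = Objects.requireNonNull(secret, "secret"); }
        boolean isInitialized() { return secret != null; }
    }

    // Token is not final, so a subclass may override finalize(). The JVM still
    // finalizes an instance whose constructor threw after Object() completed,
    // which makes the half-built object reachable despite failed validation.
    static class LeakyToken extends Token {
        static volatile Token escaped;
        LeakyToken(String secret) { super(secret); }
        @Override protected void finalize() { escaped = this; }
    }

    // The PR's fix: a final class cannot be subclassed, so no caller-supplied
    // finalize() can run on a partially built instance.
    static final class HardenedToken {
        private final String secret;
        HardenedToken(String secret) { this.secret = Objects.requireNonNull(secret, "secret"); }
    }

    public static void main(String[] args) throws InterruptedException {
        try {
            new LeakyToken(null);
        } catch (NullPointerException expected) {
            // validation rejected the argument, as intended
        }
        for (int i = 0; i < 20 && LeakyToken.escaped == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        Token t = LeakyToken.escaped;
        System.out.println(t == null
                ? "finalizer did not run (GC timing, or finalization disabled)"
                : "escaped instance, isInitialized() = " + t.isInitialized());
    }
}
```
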
@mokuzon mokuzon marked this pull request as ready for review June 30, 2026 05:31
@mokuzon mokuzon self-assigned this Jun 30, 2026
@mokuzon mokuzon requested a review from a team June 30, 2026 05:31
@mokuzon mokuzon marked this pull request as draft June 30, 2026 05:42
@mokuzon mokuzon requested review from a team and removed request for a team June 30, 2026 05:42
@mokuzon mokuzon marked this pull request as ready for review June 30, 2026 05:43
@Yang-33 Yang-33 closed this Jun 30, 2026
@Yang-33 Yang-33 deleted the users/mokuson/NO-ISSUE/update-spring-boot-and-spotbugs branch June 30, 2026 07:30
@mokuzon mokuzon restored the users/mokuson/NO-ISSUE/update-spring-boot-and-spotbugs branch June 30, 2026 08:28
@mokuzon mokuzon reopened this Jun 30, 2026

mokuzon commented Jun 30, 2026

Contributor Author

@Yang-33 Was this a mistake?
The PR was approved, but it has been closed.

@mokuzon mokuzon enabled auto-merge June 30, 2026 08:30

Yang-33 commented Jun 30, 2026

Contributor

So sorry, that was a mistake. I just wanted to close other PRs.

@Yang-33 Yang-33 changed the title NO-ISSUE: update spring-boot to 4.1.0 and spotbugs-gradle-plugin to 6.5.8 Update spring-boot to 4.1.0 and spotbugs-gradle-plugin to 6.5.8 Jun 30, 2026

Yang-33 commented Jun 30, 2026

Contributor

You can remove the NO-ISSUE prefix if possible, because github.com/line/line-bot-sdk-* doesn't have any tickets.

@mokuzon mokuzon added this pull request to the merge queue Jun 30, 2026
Merged via the queue into master with commit f790e87 Jun 30, 2026
19 checks passed
@mokuzon mokuzon deleted the users/mokuson/NO-ISSUE/update-spring-boot-and-spotbugs branch June 30, 2026 08:44