
Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Nov 24, 2025

Bumps org.springframework.boot from 3.5.7 to 4.0.0.

Release notes

Sourced from org.springframework.boot's releases.

v4.0.0

Full release notes for Spring Boot 4.0 are available on the wiki. There is also a migration guide to help you upgrade from Spring Boot 3.5.

⭐ New Features

  • Change tomcat and jetty runtime modules to starters #48175
  • Rename spring-boot-kotlin-serialization to align with the name of the Kotlinx module that it pulls in #48076

🐞 Bug Fixes

  • Error properties are a general web concern and should not be located beneath server.* #48201
  • With both Jackson 2 and 3 on the classpath, @JsonTest fails due to duplicate jacksonTesterFactoryBean #48198
  • Gradle war task does not exclude starter POMs from lib-provided #48197
  • spring.test.webclient.mockrestserviceserver.enabled is not aligned with its module's name #48193
  • SslMeterBinder doesn't register metrics for dynamically added bundles if no bundles exist at bind time #48182
  • Properties bound in the child management context ignore the parent's environment prefix #48177
  • ssl.chain.expiry metrics doesn't update for dynamically registered SSL bundles #48171
  • Starter for spring-boot-micrometer-metrics is missing #48161
  • Elasticsearch client's sniffer functionality should not be enabled by default #48155
  • spring-boot-starter-elasticsearch should depend on elasticsearch-java #48141
  • Auto-configuration exclusions are checked using a different class loader to the one that loads auto-configuration classes #48132
  • New arm64 macbooks fail to bootBuildImage due to incorrect platform image #48128
  • Properties for configuring an isolated JsonMapper or ObjectMapper are incorrectly named #48116
  • Buildpack fails with recent Docker installs due to hardcoded version in URL #48103
  • Image building may fail when specifying a platform if an image has already been built with a different platform #48099
  • Default values of Kotlinx Serialization JSON configuration properties are not documented #48097
  • Custom XML converters should override defaults in HttpMessageConverters #48096
  • Kotlin serialization is used too aggressively when other JSON libraries are available #48070
  • PortInUseException incorrectly thrown on failure to bind port due to Netty IP misconfiguration #48059
  • Auto-configured JCacheMetrics cannot be customized #48057
  • WebSecurityCustomizer beans are excluded by WebMvcTest #48055
  • Deprecated EnvironmentPostProcessor does not resolve arguments #48047
  • RetryPolicySettings should refer to maxRetries, not maxAttempts #48023
  • Devtools Restarter does not work with a parameterless main method #47996
  • Dependency management for Kafka should not manage Scala 2.12 libraries #47991
  • spring-boot-mail should depend on jakarta.mail:jakarta.mail-api and org.eclipse.angus:angus-mail instead of org.eclipse.angus:jakarta.mail #47983
  • spring-boot-starter-data-mongodb-reactive has dependency on reactor-test #47982
  • Support for ReactiveElasticsearchClient is in the wrong module #47848

📔 Documentation

  • Removed property spring.test.webclient.register-rest-template is still documented #48199
  • Mention support for detecting AWS ECS in "Deploying to the Cloud" #48170
  • Revise AWS section of "Deploying to the Cloud" in reference manual #48163
  • Fix typo in PortInUseException Javadoc #48134
  • Correct section about required setters in "Type-safe Configuration Properties" #48131
  • Use since attribute in configuration properties deprecation consistently #48122
  • Document EndpointJsonMapper and management.endpoints.jackson.isolated-json-mapper #48115
  • Document support for configuring servlet context init parameters using properties #48112
  • Some configuration properties are not documented in the appendix #48095

... (truncated)

Commits
  • 1c0e08b Release v4.0.0
  • 3487928 Merge branch '3.5.x'
  • 29b8e96 Switch make-default in preparation for Spring Boot 4.0.0
  • 88da0dd Merge branch '3.5.x'
  • 56feeaa Next development version (v3.5.9-SNAPSHOT)
  • 3becdc7 Move server.error properties to spring.web.error
  • 2b30632 Merge branch '3.5.x'
  • 4f03b44 Merge branch '3.4.x' into 3.5.x
  • 3d15c13 Next development version (v3.4.13-SNAPSHOT)
  • dc140df Upgrade to Spring Framework 7.0.1
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.springframework.boot](https://github.com/spring-projects/spring-boot) from 3.5.7 to 4.0.0.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.7...v4.0.0)

---
updated-dependencies:
- dependency-name: org.springframework.boot
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and java (Pull requests that update java code) Nov 24, 2025
@devondragon devondragon self-assigned this Dec 9, 2025
Change from CLAUDE_CODE_OAUTH_TOKEN to ANTHROPIC_API_KEY due to
OAuth token format issues with the GitHub Action.

See: anthropics/claude-code-action#727

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude

claude bot commented Dec 9, 2025

Pull Request Review: Spring Boot 4.0.0 Upgrade

Summary

This PR upgrades Spring Boot from version 3.5.7 to 4.0.0, a major version upgrade that includes breaking changes. The PR also updates the GitHub Actions workflow to use the newer Anthropic API key authentication method.


Changes Overview

1. Spring Boot Upgrade (build.gradle)

  • org.springframework.boot plugin version: 3.5.7 → 4.0.0

2. GitHub Actions Update (.github/workflows/claude-code-review.yml)

  • Replaced claude_code_oauth_token with anthropic_api_key
  • This aligns with the updated authentication method for the claude-code-action

Critical Considerations for Spring Boot 4.0

⚠️ Major Version Upgrade Implications

Spring Boot 4.0 includes Spring Framework 7.0, which brings significant changes:

  1. Baseline Requirements:

    • Java 17 minimum (already configured ✅)
    • Jakarta EE 10+ (already using Jakarta packages ✅)
  2. Potential Breaking Changes:

    • Error handling properties moved: server.error.* properties are now spring.web.error.*
      • Action needed: Search your configuration files for server.error properties and update them
    • Starter dependencies restructured: Some starters have been reorganized
    • Spring Security changes: While your code uses modern Spring Security configuration (no deprecated WebSecurityConfigurerAdapter), there may be subtle behavior changes
    • Session management: Potential changes in session handling behavior
  3. Dependencies Requiring Attention:

    • Thymeleaf extras: thymeleaf-extras-springsecurity6:3.1.3.RELEASE may need updating to a Spring Security 7 compatible version
    • Third-party libraries should be verified for Spring Boot 4.0 compatibility

Recommendations

🔴 High Priority - Must Do Before Merge:

  1. Run the full test suite to catch any breaking changes:

    ./gradlew testAll
  2. Check for configuration property changes: Search for server.error in your configuration files (application.yml, application.properties) and migrate to spring.web.error.*

  3. Review dependency compatibility: Update or verify these dependencies:

    • thymeleaf-extras-springsecurity6 → may need thymeleaf-extras-springsecurity7
    • io.spring.dependency-management plugin version 1.1.7 → consider updating to latest
  4. Integration testing: Test OAuth2 login flows, as Spring Security 7 may have subtle behavioral changes

🟡 Medium Priority - Recommended:

  1. Update unused springBootVersion variable: Line 20 in build.gradle shows springBootVersion = '3.5.5' which is now outdated and unused

  2. Review Spring Boot 4.0 migration guide: The official migration guide at https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-4.0-Migration-Guide should be reviewed for any framework-specific changes

  3. Verify actuator endpoints: If using actuator, test all endpoints as some may have changed

🟢 Low Priority - Nice to Have:

  1. Consider updating other dependencies: While this PR focuses on Spring Boot, consider updating other dependencies in a follow-up PR
  2. Review deprecation warnings during build for proactive maintenance

Code Quality Assessment

Positive aspects:

  • The codebase is already using modern Spring Security configuration (no WebSecurityConfigurerAdapter)
  • Already using Jakarta EE packages (not javax.*)
  • Java 17 baseline is configured
  • Comprehensive test suite exists (37 test classes found)
  • GitHub Actions workflow update is correct

⚠️ Concerns:

  • This is a major version jump that may introduce runtime behavior changes not caught by compilation
  • No evidence in the PR of testing or verification
  • Dependabot PRs are automated and don't include compatibility testing

Security Considerations

✅ No security concerns introduced by this change
✅ GitHub Actions secret migration to ANTHROPIC_API_KEY is appropriate


Verdict

❌ NOT READY TO MERGE without verification

Required actions before merge:

  1. ✅ Run full test suite: ./gradlew testAll
  2. ✅ Search and update any server.error.* configuration properties
  3. ✅ Manual integration testing of key flows (login, registration, OAuth2)
  4. ✅ Review and update Thymeleaf Security dependency if needed
  5. ✅ Verify all tests pass on both JDK 17 and 21

Once these verifications are complete and tests pass, this upgrade can be merged.


Additional Resources


Review completed by Claude Sonnet 4.5 🤖

devondragon and others added 5 commits December 14, 2025 13:01
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Pin spring-retry to version 2.0.12 for compatibility
- Add Spring Boot 4 modular test starters:
  - spring-boot-starter-data-jpa-test
  - spring-boot-webmvc-test
  - spring-boot-jdbc-test

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove deprecated SecurityExpressionHandler<FilterInvocation> bean
- Remove deprecated DefaultWebSecurityExpressionHandler
- Update methodSecurityExpressionHandler to static method with
  RoleHierarchy parameter injection (Spring Security 7 pattern)
- Remove unused imports for FilterInvocation and related classes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Spring Boot 4 moved test annotations to separate modules with new
package locations:
- @AutoConfigureMockMvc -> boot.webmvc.test.autoconfigure
- @DataJpaTest -> boot.data.jpa.test.autoconfigure
- @AutoConfigureDataJpa -> boot.data.jpa.test.autoconfigure
- @EntityScan -> boot.persistence.autoconfigure

Updated imports in:
- DatabaseTest.java
- IntegrationTest.java
- OAuth2Test.java
- SecurityTest.java
- TestApplication.java

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Previously, the /user/updateUser endpoint used UserDto which requires
email, password, and matchingPassword fields. This caused validation
errors when users only wanted to update their name.

Changes:
- Add new UserProfileUpdateDto with only firstName and lastName fields
- Update UserAPI.updateUserAccount() to use the new DTO
- Profile updates no longer require password fields

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude

claude bot commented Dec 14, 2025

PR Review: Spring Boot 3.5.7 → 4.0.0 Upgrade

This PR upgrades the Spring Boot dependency from 3.5.7 to 4.0.0, which is a major version upgrade. Overall, the implementation is well-executed with careful attention to the breaking changes. Here's my detailed review:


Strengths

  1. Comprehensive Migration: The PR addresses all major breaking changes from Spring Boot 4:

    • Updated security configuration for Spring Security 7
    • Migrated to modular test annotations with new package locations
    • Added new test starters required by Spring Boot 4
  2. Security Configuration Improvements (WebSecurityConfig.java:286):

    • Correctly removed deprecated SecurityExpressionHandler<FilterInvocation> and DefaultWebSecurityExpressionHandler
    • Properly updated methodSecurityExpressionHandler to static method with parameter injection (Spring Security 7 pattern)
    • This follows the recommended migration path
  3. Excellent Feature Addition (UserProfileUpdateDto.java):

    • New DTO separates profile updates from password updates
    • Fixes a real usability issue where users couldn't update their name without providing password fields
    • Proper validation with @NotBlank and @Size constraints
    • Good JavaDoc explaining the rationale
  4. Dependency Management:

    • Pinned spring-retry:2.0.12 for compatibility
    • Added required Spring Boot 4 modular test starters
    • Version bump to 4.0.0-SNAPSHOT is appropriate

⚠️ Issues & Concerns

1. CRITICAL: Missing Test Updates for UserProfileUpdateDto

The UserAPIUnitTest.java still uses UserDto in the updateUser_success() test (lines 490-491), but the actual endpoint now expects UserProfileUpdateDto. This will cause:

  • Compilation issues or validation failures
  • Test may pass incorrectly if using UserDto with password fields

Fix Required:

// In UserAPIUnitTest.java:487-492
UserProfileUpdateDto updateDto = new UserProfileUpdateDto();
updateDto.setFirstName("UpdatedFirst");
updateDto.setLastName("UpdatedLast");

The test also needs to import the new DTO class.

2. Missing Test Coverage

The PR introduces a new DTO but doesn't verify:

  • That password/email fields are NOT accepted in profile updates
  • Validation behavior for @NotBlank and @Size constraints
  • Edge cases (null values, empty strings, exceeding 50 characters)

Recommendation: Add validation tests for UserProfileUpdateDto to ensure it properly rejects invalid input.

3. commons-text Version Update

implementation 'org.apache.commons:commons-text:1.15.0'

The diff shows this was updated from 1.14.0 → 1.15.0, but this wasn't mentioned in the commit messages. While minor, it's worth noting as it could introduce behavior changes.

4. Potential Runtime Issue: Error Properties Migration

According to Spring Boot 4.0.0 release notes, error properties moved from server.error.* to spring.web.error.*. The PR doesn't show configuration file updates. Verify that:

  • No application properties use the old server.error.* format
  • Documentation/README reflects this change

🔍 Code Quality & Best Practices

  1. Follows Repository Guidelines ✅:

    • Uses Lombok @Data annotation
    • Proper JavaDoc for public classes
    • Follows naming conventions
    • Clean code structure
  2. Security ✅:

    • No security vulnerabilities introduced
    • Proper validation on DTO fields
    • Separation of concerns (profile vs. password updates)
  3. Performance ✅:

    • No performance concerns
    • Modular test starters may improve test performance

📋 Recommendations

Before Merging:

  1. Update UserAPIUnitTest.java to use UserProfileUpdateDto instead of UserDto in profile update tests
  2. Add validation tests for the new UserProfileUpdateDto
  3. Verify CI passes - Check that all tests run successfully with the new Spring Boot 4 configuration
  4. Check application properties for deprecated server.error.* properties

Nice to Have:

  1. Add integration tests demonstrating the profile update flow end-to-end
  2. Consider adding a CHANGELOG entry documenting the Spring Boot 4 upgrade
  3. Document any breaking changes for library consumers (e.g., if they override security configuration)

📊 Summary

| Category | Rating | Notes |
|---|---|---|
| Code Quality | ⭐⭐⭐⭐ | Clean, well-structured |
| Security | ⭐⭐⭐⭐⭐ | No issues, improves separation |
| Test Coverage | ⭐⭐⭐ | Missing test updates for new DTO |
| Documentation | ⭐⭐⭐⭐ | Good JavaDoc, clear commit messages |
| Migration Completeness | ⭐⭐⭐⭐ | Covers major changes well |

Overall: Excellent migration work with one critical test fix needed before merge.


🎯 Action Items

  1. Fix test in UserAPIUnitTest.java (lines 488-493)
  2. Run ./gradlew testAll to verify JDK 17 & 21 compatibility
  3. Verify no server.error.* properties remain in config files

Great work on this major version upgrade! The security configuration changes and the new UserProfileUpdateDto are particularly well-implemented. 🚀
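The validation tests this review asks for, written here as an added example rather than the project's own test code: it exercises the @NotBlank and @Size constraints on a stand-in UserProfileUpdateDto declared inline (assumed to mirror the real class: firstName and lastName with a 50-character limit) through the plain Jakarta Validation API, and assumes hibernate-validator plus an EL implementation (for example tomcat-embed-el) are on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.Set;
import java.util.stream.Collectors;

import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;

import org.junit.jupiter.api.Test;

class UserProfileUpdateDtoValidationTest {

    // Stand-in for the project's DTO (an assumption, not the real class): only the two
    // profile fields exist, so an email or password key in the request body has nowhere to land.
    static class UserProfileUpdateDto {
        @NotBlank @Size(max = 50) private String firstName;
        @NotBlank @Size(max = 50) private String lastName;

        UserProfileUpdateDto(String firstName, String lastName) {
            this.firstName = firstName;
            this.lastName = lastName;
        }
    }

    // Bootstraps whichever Bean Validation provider is on the classpath
    // (hibernate-validator, per the PR's test dependencies).
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    // Reduces the violation set to the names of the offending properties,
    // which is what each test below asserts on.
    private static Set<String> violatedFields(UserProfileUpdateDto dto) {
        Set<ConstraintViolation<UserProfileUpdateDto>> violations = VALIDATOR.validate(dto);
        return violations.stream()
                .map(v -> v.getPropertyPath().toString())
                .collect(Collectors.toSet());
    }

    @Test
    void validNamesProduceNoViolations() {
        assertTrue(violatedFields(new UserProfileUpdateDto("Ada", "Lovelace")).isEmpty());
    }

    @Test
    void blankFirstNameIsRejected() {
        // Whitespace-only counts as blank for @NotBlank; @Size alone would have accepted it.
        assertEquals(Set.of("firstName"),
                violatedFields(new UserProfileUpdateDto("   ", "Lovelace")));
    }

    @Test
    void nullLastNameIsRejected() {
        // @Size treats null as valid, so @NotBlank is what catches a missing field.
        assertEquals(Set.of("lastName"),
                violatedFields(new UserProfileUpdateDto("Ada", null)));
    }

    @Test
    void fiftyCharacterNamesAreAccepted() {
        assertTrue(violatedFields(
                new UserProfileUpdateDto("a".repeat(50), "b".repeat(50))).isEmpty());
    }

    @Test
    void fiftyOneCharacterNameIsRejected() {
        assertEquals(Set.of("firstName"),
                violatedFields(new UserProfileUpdateDto("a".repeat(51), "Lovelace")));
    }

    @Test
    void bothFieldsReportedWhenBothInvalid() {
        // A single validate() call reports every violation, not just the first one found.
        assertEquals(Set.of("firstName", "lastName"),
                violatedFields(new UserProfileUpdateDto("", "")));
    }
}
```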

- Add Spring Boot 4.0 and 3.5 badges
- Add version compatibility table (Spring Boot, Framework, Java, Security)
- Add Spring Boot 4.0 installation section with Maven/Gradle examples
- Document Spring Boot 4.0 key changes:
  - Java 21 requirement
  - Spring Security 7 breaking changes
  - Jackson 3 updates
  - Modular test infrastructure package changes
- Add required test dependencies for Spring Boot 4.0
- Keep Spring Boot 3.5 section for stable/LTS users
- Update Quick Start prerequisites and dependencies

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude

claude bot commented Dec 14, 2025

Spring Boot 4.0 Upgrade Review

This is a major version upgrade from Spring Boot 3.5.7 to 4.0.0, which includes breaking changes. Here's my detailed analysis:


Positive Changes

1. New UserProfileUpdateDto (Excellent Improvement)

  • File: src/main/java/com/digitalsanctuary/spring/user/dto/UserProfileUpdateDto.java
  • Why it's good: Separates profile updates from password-related DTOs, following the Principle of Least Privilege
  • Security benefit: The /updateUser endpoint no longer accepts password fields, reducing attack surface
  • Code quality: Clean implementation with proper validation annotations

2. Security Configuration Improvements

  • File: src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java:286
  • Removed deprecated DefaultWebSecurityExpressionHandler (Spring Security 7 change)
  • methodSecurityExpressionHandler is now properly declared as static and uses dependency injection
  • This aligns with Spring Security 7's updated configuration patterns

3. Test Infrastructure Updates

  • Correctly migrated to Spring Boot 4's modular test infrastructure
  • Import path updates: @DataJpaTest, @AutoConfigureMockMvc, etc.
  • Added proper test dependencies (spring-boot-starter-data-jpa-test, etc.)

4. Documentation Updates

  • File: README.md
  • Excellent documentation of version differences and migration path
  • Clear guidance on Java version requirements (17 vs 21)
  • Helpful table comparing Spring Boot 3.5 vs 4.0

⚠️ Critical Issues to Address

1. Java Version Mismatch (BLOCKER)

  • File: build.gradle:26
  • Issue: Toolchain still set to Java 17, but Spring Boot 4.0 requires Java 21+
java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(17)  // ❌ Should be 21
    }
}
  • Fix Required:
java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(21)
    }
}
  • Impact: This will cause build/runtime failures with Spring Boot 4.0

2. Outdated Thymeleaf Security Dependency

  • File: build.gradle:44
compileOnly 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.3.RELEASE'
  • Issue: Spring Security 7 requires thymeleaf-extras-springsecurity7
  • Fix Required:
compileOnly 'org.thymeleaf.extras:thymeleaf-extras-springsecurity7:3.2.0.RELEASE'

3. Missing Test Updates for UserProfileUpdateDto

  • File: src/test/java/com/digitalsanctuary/spring/user/api/UserAPIUnitTest.java
  • Issue: The updateUser endpoint tests still use UserDto instead of UserProfileUpdateDto
  • Impact: Tests may fail or not properly validate the new DTO
  • Recommendation: Update tests to use UserProfileUpdateDto and add test cases for validation

🔍 Security Considerations

1. Positive Security Changes

  • ✅ Profile update now uses dedicated DTO without password fields
  • ✅ Spring Security 7 brings enhanced security defaults
  • ✅ Proper audit logging maintained in UserAPI.java:155

2. Areas to Monitor

  • CSRF Configuration: Ensure disableCSRFURIsArray patterns still work correctly with Spring Security 7
  • OAuth2 Configuration: Spring Security 7 has changes to OAuth2 configuration - test thoroughly
  • Session Management: Verify session handling still works as expected

🧪 Test Coverage Concerns

  1. Missing Integration Tests

    • No tests verifying Spring Boot 4.0 compatibility
    • Need to test with Java 21 runtime
  2. Test Recommendations:

    • Add tests for UserProfileUpdateDto validation
    • Integration tests for the updated security configuration
    • Test OAuth2 flows if using that feature
    • Verify backward compatibility if users are upgrading from 3.5.x

📊 Performance Considerations

  • Spring Boot 4.0 includes performance improvements
  • Virtual threads support (if using Java 21+)
  • Consider enabling virtual threads for improved concurrency:
spring.threads.virtual.enabled=true

🚀 Migration Path Recommendations

For Library Users:

  1. Breaking Change: This is a MAJOR version bump - communicate clearly to users
  2. Version Strategy: Consider maintaining a 3.5.x branch for users not ready for Java 21
  3. Migration Guide: The README updates are excellent - consider adding:
    • Common migration issues
    • Breaking changes specific to your framework
    • Example upgrade path from 3.5.x to 4.0.x

📝 Summary

| Category | Status |
|---|---|
| Code Quality | ✅ Good |
| Security | ✅ Improved |
| Test Coverage | ⚠️ Needs updates |
| Java Version | BLOCKER |
| Dependencies | ⚠️ Thymeleaf needs update |
| Documentation | ✅ Excellent |

🎯 Action Items (Priority Order)

  1. [CRITICAL] Fix Java toolchain version in build.gradle (17 → 21)
  2. [HIGH] Update thymeleaf-extras-springsecurity6 → thymeleaf-extras-springsecurity7
  3. [HIGH] Update unit tests to use UserProfileUpdateDto
  4. [MEDIUM] Add integration tests for Spring Boot 4.0 compatibility
  5. [MEDIUM] Test OAuth2 flows thoroughly
  6. [LOW] Consider virtual threads configuration

Overall Assessment: This is a well-executed upgrade with one critical blocker (Java version) that must be fixed before merging. The new UserProfileUpdateDto is an excellent security improvement. Once the Java version is corrected and tests are updated, this should be good to merge.

Review performed by Claude Code - Automated PR Review

Refresh this branch with updates from main
@claude

claude bot commented Dec 14, 2025

Spring Boot 4.0 Migration Review

Thank you for this comprehensive Spring Boot 4.0 upgrade! This is a significant migration that handles the framework changes well. Here's my detailed review:


Strengths

  1. Excellent Documentation Updates

    • The README now clearly distinguishes between Spring Boot 4.0 and 3.5 versions
    • Version compatibility matrix is very helpful
    • Migration notes about Spring Security 7 and package changes are well documented
  2. Proper Spring Security 7 Migration

    • Correctly removed deprecated DefaultWebSecurityExpressionHandler
    • Updated methodSecurityExpressionHandler to static method with parameter injection (src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java:286)
    • Proper cleanup of deprecated SecurityExpressionHandler<FilterInvocation> bean
  3. Good API Design Improvement

    • New UserProfileUpdateDto separates profile updates from password validation (src/main/java/com/digitalsanctuary/spring/user/dto/UserProfileUpdateDto.java)
    • This fixes a real usability issue where updating names required password fields
  4. Comprehensive Test Configuration

    • Added new Spring Boot 4 modular test starters (build.gradle:77-79)
    • Updated test annotations to new package locations correctly

⚠️ Issues & Concerns

1. Critical: Java Version Mismatch (build.gradle:26)

Your build.gradle still specifies Java 17:

java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(17)
    }
}

Problem: Spring Boot 4.0 requires Java 21 as a minimum. This could cause:

  • Runtime failures on Java 17 environments
  • Confusion since README says Java 21 is required
  • CI/CD issues if build uses Java 17

Recommendation: Update to:

java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(21)
    }
}

2. Potential Compatibility Issue: Thymeleaf Extras (build.gradle:44)

compileOnly 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.3.RELEASE'

Problem: You're using thymeleaf-extras-springsecurity6 with Spring Security 7. While this might work due to backwards compatibility, it's not ideal.

Recommendation: Verify if thymeleaf-extras-springsecurity7 is available and upgrade if so. If staying on security6 extras, add a comment explaining why.

3. Unused Property in build.gradle (build.gradle:20)

ext {
    springBootVersion = '3.5.5'
    lombokVersion = '1.18.42'
}

Problem: springBootVersion is defined but never used, and the value (3.5.5) doesn't match the actual version (4.0.0).

Recommendation: Remove this unused property to avoid confusion.

4. Security: Password Comparison (src/main/java/com/digitalsanctuary/spring/user/api/UserAPI.java:200)

The code comment at line 195-199 justifies using equals() for password comparison:

if (!savePasswordDto.getNewPassword().equals(savePasswordDto.getConfirmPassword())) {

Analysis: The comment is technically correct that timing attacks aren't a concern here since both values come from the same user request. However, this is a best practice violation that could be flagged by security scanners.

Recommendation: Consider using MessageDigest.isEqual() or a constant-time comparison anyway to avoid security tool false positives and set a better example. If keeping as-is, the comment is sufficient justification.


🔍 Additional Observations

  1. Test Annotations Package Migration: Well executed. All five test annotation files correctly updated to new Spring Boot 4 modular packages.

  2. Version Consistency: gradle.properties correctly updated to 4.0.0-SNAPSHOT.

  3. Documentation Completeness: The README's migration guide is excellent and should help users significantly.

  4. Backwards Compatibility: Good approach maintaining a 3.5.x version for users not ready to move to Java 21.


🎯 Recommendations Priority

Must Fix Before Merge:

  • ❗ Update Java toolchain to version 21 (build.gradle:26)

Should Fix:

  • ⚠️ Remove or update unused springBootVersion property
  • ⚠️ Verify Thymeleaf Security extras version compatibility

Nice to Have:

  • 💡 Consider constant-time password comparison despite the valid comment
  • 💡 Add integration tests that specifically validate Spring Boot 4.0 features

📊 Overall Assessment

This is a well-executed migration with excellent documentation. The code changes properly handle Spring Security 7's breaking changes, and the new UserProfileUpdateDto is a genuine improvement. The main blocker is the Java version mismatch between documentation and build configuration.

Recommendation: Fix the Java version issue, then this is ready to merge! 🚀


📝 Testing Checklist

Before merging, please verify:

  • Tests pass with Java 21 (not Java 17)
  • All Spring Security 7 endpoints work correctly
  • Profile update endpoint works with new DTO
  • OAuth2 login still functions (since entry point handling changed in Security 7)
  • Role hierarchy enforcement works with new static method pattern

- Update existing profile update tests to use UserProfileUpdateDto
- Add comprehensive validation tests for UserProfileUpdateDto:
  - Blank firstName validation
  - Blank lastName validation
  - firstName exceeding 50 character limit
  - Null fields validation
  - Maximum valid length (50 chars) acceptance
- Add hibernate-validator to test dependencies for proper validation
- Fix testUserDto setup to include matchingPassword field
- Update missing email/password tests to expect 400 (validation error)
  instead of 500 (internal error)
- Update CSRF test to reflect standalone MockMvc limitations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude

claude bot commented Dec 14, 2025

Pull Request Review: Spring Boot 4.0.0 Upgrade

This is a major version upgrade from Spring Boot 3.5.7 to 4.0.0, bringing significant framework changes including Spring Security 7 and Jackson 3. The PR is well-executed overall with good attention to breaking changes and comprehensive test coverage improvements.

Strengths

1. Excellent Documentation Updates

  • Comprehensive README.md updates clearly documenting version compatibility
  • Helpful migration guidance for both Spring Boot 4.0 and 3.5 users
  • Clear explanation of breaking changes (Java 21 requirement, Spring Security 7, Jackson 3)
  • Well-structured version compatibility matrix

2. Good Security Configuration Updates

  • WebSecurityConfig.java: Properly removed deprecated DefaultWebSecurityExpressionHandler
  • Updated methodSecurityExpressionHandler() to static method with dependency injection (Spring Security 7 requirement)
  • Follows Spring Boot 4.0 security best practices

3. Strong Test Coverage Improvements

  • UserAPIUnitTest.java: Added 5 new validation test cases for the profile update endpoint
  • Excellent edge case coverage: blank fields, null fields, max length validation
  • Tests properly use LocalValidatorFactoryBean for validation testing
  • Good use of nested test structure for organization

4. Better API Design

  • UserProfileUpdateDto: New dedicated DTO separates profile updates from user registration
  • Follows Single Responsibility Principle - profile updates no longer require password fields
  • Proper validation annotations (@NotBlank, @Size)

5. Proper Spring Boot 4.0 Modular Test Infrastructure

  • Added new test starters: spring-boot-starter-data-jpa-test, spring-boot-webmvc-test, spring-boot-jdbc-test
  • Updated test annotations to use new package locations (org.springframework.boot.data.jpa.test.autoconfigure, etc.)
  • Added hibernate-validator explicitly for validation testing

⚠️ Concerns & Issues

1. CRITICAL: Java Toolchain Version Mismatch

Location: build.gradle:24-27

java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(17)  // ❌ Still set to Java 17!
    }
}

Issue: Spring Boot 4.0.0 requires Java 21, but the build is configured to use Java 17. This creates a critical inconsistency:

  • The README correctly states Java 21 is required
  • The dependency upgrade to Spring Boot 4.0 requires Java 21
  • But the actual build will use Java 17, which may cause runtime issues

Recommendation: Update to Java 21:

java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(21)
    }
}

2. MEDIUM: Unused Spring Boot Version Variable

Location: build.gradle:19-22

ext {
    springBootVersion = '3.5.5'  // ❌ Outdated and unused
    lombokVersion = '1.18.42'
}

Issue: This variable doesn't match the actual Spring Boot version (4.0.0) and isn't used anywhere in the build file.

Recommendation: Either update it to '4.0.0' or remove it entirely if unused.

3. LOW: Explicit Version for spring-retry

Location: build.gradle:52, 72

The PR adds explicit version 2.0.12 for spring-retry:

compileOnly 'org.springframework.retry:spring-retry:2.0.12'

Observation: This bypasses Spring Boot's dependency management. While this may be intentional to ensure a specific version, it could lead to version conflicts.

Question: Is this explicit version necessary? If so, consider documenting why in a comment.

4. LOW: Test Validation Expectations Changed

Location: UserAPIUnitTest.java:237, 251

Previous code expected HTTP 500 with specific error codes for validation failures. The new code expects HTTP 400 (Bad Request), which is actually more correct for validation errors.

Observation: This is an improvement, but it may indicate a change in error handling behavior that should be verified across the application.


🔍 Additional Considerations

Performance

  • Parallel Test Execution: Good use of JUnit parallel execution configuration
  • Multi-JDK Testing: Excellent support for testing with both JDK 17 and 21

Security

  • ✅ No security vulnerabilities introduced
  • ✅ Proper validation on all user input fields
  • ✅ CSRF protection maintained in tests

Maintainability

  • ✅ Clean separation of concerns with new DTO
  • ✅ Comprehensive test coverage for new functionality
  • ✅ Good use of Lombok to reduce boilerplate

📋 Action Items

Must Fix:

  1. ❗ Update Java toolchain to version 21 in build.gradle

Should Consider:
2. Update or remove unused springBootVersion variable
3. Document why spring-retry needs explicit version 2.0.12
4. Verify error handling behavior changes are intentional and consistent

Nice to Have:
5. Consider adding integration tests that verify the complete flow with Spring Boot 4.0
6. Consider adding a changelog entry documenting breaking changes


🎯 Recommendation

Do not merge until the critical Java toolchain version issue is fixed. Once that's addressed, this is a solid upgrade with good attention to testing and documentation.

Overall Assessment: 8/10

  • Well-planned upgrade with comprehensive documentation
  • Strong test coverage improvements
  • Critical build configuration issue needs resolution
  • Minor cleanup items to address

Great work on handling a major framework upgrade! The documentation and test improvements are particularly well done. 👍

- Update Java toolchain from 17 to 21 (Spring Boot 4 requirement)
- Remove unused springBootVersion property from ext block
- Add comment clarifying thymeleaf-extras-springsecurity6 compatibility
  with Spring Security 7 (no springsecurity7 artifact exists yet)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude

claude bot commented Dec 14, 2025

Spring Boot 4.0 Upgrade Review

This PR upgrades the framework from Spring Boot 3.5.7 to 4.0.0, which is a major version upgrade with significant breaking changes. Overall, the upgrade has been handled well with appropriate code changes and comprehensive test coverage. Here's my detailed review:


✅ Strengths

1. Excellent Documentation Updates

The README.md updates are thorough and helpful:

  • Clear version matrix showing Spring Boot 4.0 requires Java 21
  • Detailed migration notes highlighting breaking changes
  • Side-by-side support for both Spring Boot 3.5 and 4.0 versions
  • Well-structured upgrade guide with test dependency requirements

2. Proper Security Configuration Updates

The WebSecurityConfig changes correctly address Spring Security 7 requirements:

  • Removed deprecated webExpressionHandler() method (lines 279-288)
  • Made methodSecurityExpressionHandler() static and had it use dependency injection for RoleHierarchy (line 286)
  • This aligns with Spring Security 7's updated expression handler patterns

3. Improved API Design

The introduction of UserProfileUpdateDto (src/main/java/com/digitalsanctuary/spring/user/dto/UserProfileUpdateDto.java) is a good architectural improvement:

  • Separates profile update concerns from full user registration
  • Prevents requiring password fields during profile updates
  • Includes proper validation annotations (@NotBlank, @Size)
  • Well-documented with clear JavaDoc

4. Comprehensive Test Coverage

The test updates in UserAPIUnitTest.java are excellent:

  • Added 5 new validation tests for UserProfileUpdateDto
  • Tests cover blank fields, null fields, max length validation, and boundary conditions
  • Properly validates that the service is never called when validation fails
  • Fixed existing tests to expect validation failures (400 Bad Request) instead of 500 errors

5. Correct Dependency Management

  • Upgraded to Java 21 (line 25 in build.gradle)
  • Added Spring Boot 4 modular test infrastructure dependencies
  • Explicitly specified spring-retry version (2.0.12)
  • Added hibernate-validator for validation support
  • Included note about thymeleaf-extras-springsecurity6 compatibility (lines 43-45)

⚠️ Issues & Recommendations

1. Critical: Missing Spring Security 7 URL Pattern Validation

Spring Security 7 requires all URL patterns to start with /. The current configuration in WebSecurityConfig may fail if any URI patterns don't start with /.

Location: src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java:165, 168

Recommendation: Add validation in the URI processing methods:

// Requires: import java.util.Arrays;
private String[] splitAndFilterProperty(String property) {
    if (property == null || property.trim().isEmpty()) {
        return new String[0];
    }
    // Split the comma-separated property, trim each entry and drop empty ones
    return Arrays.stream(property.split(","))
        .map(String::trim)
        .filter(s -> !s.isEmpty())
        .peek(uri -> {
            // Spring Security 7 expects every pattern to start with '/'
            if (!uri.startsWith("/")) {
                log.warn("URI pattern '{}' does not start with '/' - this may cause issues with Spring Security 7", uri);
            }
        })
        .toArray(String[]::new);
}

2. Potential Issue: Thymeleaf Security Dependency

While the comment (lines 43-45 in build.gradle) notes that thymeleaf-extras-springsecurity6 is compatible with Spring Security 7, this should be verified:

  • The artifact version is 3.1.3.RELEASE (potentially old)
  • Consider checking if there's an updated version or official guidance from Thymeleaf team

Recommendation: Test thoroughly or update to the latest version if available.

3. Version Mismatch in gradle.properties

The version is set to 4.0.0-SNAPSHOT but the dependency upgrade is for Spring Boot 4.0.0 (already released).

Location: gradle.properties:1

Recommendation: This is fine if you're still developing, but ensure the versioning strategy is clear. Consider using 4.0.0 (without SNAPSHOT) once this PR is merged.

4. Test Dependency: Potential Over-inclusion

The addition of modular test starters is correct for Spring Boot 4, but you may not need all three:

  • spring-boot-starter-data-jpa-test
  • spring-boot-webmvc-test
  • spring-boot-jdbc-test

Recommendation: Review if all three are actually needed, or if they can be consolidated.

5. Missing Migration Notes for Consumers

While the README explains the upgrade, there's no CHANGELOG or migration guide for existing users of this framework.

Recommendation: Consider adding:

  • A CHANGELOG.md entry for version 4.0.0
  • Breaking changes section for consumers
  • Migration steps for projects upgrading from 3.x to 4.x

🔒 Security Considerations

1. Good: Password Comparison Still Secure

The comment at lines 196-200 in UserAPI.java correctly explains why .equals() is acceptable for comparing two user-provided passwords (no timing attack risk).

2. Good: Validation Enforced

The new UserProfileUpdateDto properly validates input with size limits, preventing potential buffer issues or injection attacks.

3. Note: Spring Security 7 Security Enhancements

Spring Security 7 includes several security improvements. Ensure you're aware of:

  • Stricter CSRF protection defaults
  • Updated authorization expression handling
  • Changes to session management

🎯 Performance Considerations

1. Java 21 Performance Benefits

Moving to Java 21 should provide:

  • Virtual threads support (if utilized)
  • Better GC performance
  • Pattern matching improvements

2. Potential Concern: Validator Recreation in Tests

The test code recreates LocalValidatorFactoryBean multiple times. While this is fine for unit tests, it could be optimized by reusing a single instance.

Location: UserAPIUnitTest.java:559, 601, etc.


📋 Testing Recommendations

  1. Integration Testing: Ensure end-to-end testing with:

    • JDK 21 runtime
    • Real database connections
    • Full Spring Security filter chain
  2. Backwards Compatibility: If supporting both 3.5 and 4.0 versions:

    • Test that 3.5 version still works
    • Verify no accidental changes leaked to 3.5 branch
  3. Security Testing: Test with:

    • Various URL patterns (with/without leading /)
    • CSRF token validation
    • OAuth2 flows (if enabled)

📝 Documentation Suggestions

  1. Add a migration guide specifically for developers extending this framework
  2. Document any new Spring Boot 4.0 features this framework now supports
  3. Update JavaDoc to mention Java 21 requirement in key classes

Summary

Overall Assessment: ✅ APPROVE with minor recommendations

This is a well-executed major version upgrade. The code changes are appropriate, test coverage is comprehensive, and documentation updates are thorough. The main concerns are:

  1. Ensure URI patterns comply with Spring Security 7 requirements
  2. Verify Thymeleaf security extras compatibility
  3. Add consumer migration guidance

The new UserProfileUpdateDto is a nice architectural improvement that enhances the API design.

Risk Level: Medium (major version upgrade)
Test Coverage: Excellent
Breaking Changes: Well documented

Great work on this upgrade! 🚀

- Create MIGRATION.md with detailed upgrade instructions:
  - Java 21 requirement
  - Spring Security 7 changes (URL patterns, deprecated APIs)
  - Test infrastructure changes (modular packages)
  - Jackson 3 changes
  - API changes (UserProfileUpdateDto)
  - Guidance for developers extending the framework
  - Troubleshooting section for common issues
  - Version compatibility matrix

- Update README.md to link to migration guide:
  - Added to Table of Contents
  - Added dedicated Migration Guide section
  - Added to Reference Documentation
  - Added inline link in Spring Boot 4.0 section

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@claude

claude bot commented Dec 14, 2025

Pull Request Review: Spring Boot 4.0 Upgrade

This PR upgrades the Spring User Framework from Spring Boot 3.5.7 to 4.0.0, which is a significant major version upgrade. I've conducted a thorough review of the changes.


✅ Strengths

1. Excellent Migration Documentation

  • The new MIGRATION.md file is comprehensive and well-structured
  • Includes clear step-by-step upgrade instructions
  • Documents breaking changes with before/after examples
  • Provides troubleshooting guidance for common issues
  • Version compatibility matrix is very helpful

2. Proper Spring Security 7 Compatibility

The security configuration has been correctly updated for Spring Security 7:

  • Removed deprecated webExpressionHandler() bean (no longer needed in Spring Security 7)
  • Made methodSecurityExpressionHandler() a static bean with parameter injection (required pattern in Spring Security 7)
  • Maintained role hierarchy support correctly

3. New UserProfileUpdateDto - Security Improvement

The addition of UserProfileUpdateDto is a security best practice:

  • Separates profile updates from password changes
  • Reduces attack surface by not requiring password fields for simple profile updates
  • Proper validation with @NotBlank and @Size constraints
  • Good JavaDoc explaining the purpose

4. Test Infrastructure Updated Correctly

Test annotations have been properly updated for Spring Boot 4.0's modular test infrastructure:

  • @DataJpaTest imports from org.springframework.boot.data.jpa.test.autoconfigure
  • @AutoConfigureMockMvc imports from org.springframework.boot.webmvc.test.autoconfigure
  • New test starter dependencies added (spring-boot-starter-data-jpa-test, spring-boot-webmvc-test, etc.)

5. Comprehensive Test Updates

The test updates show proper attention to validation changes:

  • Tests correctly expect 400 Bad Request for validation errors instead of 500 Internal Server Error
  • Added hibernate-validator test dependency for proper validation testing
  • Test cases updated to match new API contracts

⚠️ Issues & Recommendations

1. Critical: Potential Breaking Change for Consumers (High Priority)

The change to UserAPI.updateUserAccount() from accepting UserDto to UserProfileUpdateDto is a breaking API change that will affect all consumers of this library.

Recommendation:

  • Consider deprecating the old endpoint rather than changing it immediately
  • Add a new endpoint (e.g., /user/updateProfile) that uses UserProfileUpdateDto
  • Keep the old /updateUser endpoint with a deprecation notice for one version cycle
  • Update migration guide to clearly highlight this as a BREAKING CHANGE

Alternative approach:
If you want to keep the breaking change (which is acceptable in a major version bump), ensure the migration guide prominently features this in a "Breaking Changes" section at the top.

2. Security: Thymeleaf Spring Security Dependency (Medium Priority)

Line: build.gradle:44

The comment states:

// Note: thymeleaf-extras-springsecurity6 is compatible with Spring Security 7
// No springsecurity7 artifact exists yet

Concerns:

  • This should be verified with the Thymeleaf project
  • If this is correct, the comment is helpful
  • However, you should test that all Thymeleaf security features work correctly with Spring Security 7

Recommendation:

  • Add integration tests that verify Thymeleaf security expressions work correctly
  • Monitor for thymeleaf-extras-springsecurity7 release and upgrade when available

3. Testing: Missing Test for New DTO (Medium Priority)

The new UserProfileUpdateDto class doesn't appear to have dedicated unit tests for its validation constraints.

Recommendation:
Add a test class like:

import static org.junit.jupiter.api.Assertions.assertFalse;

import java.util.Set;

import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.ValidatorFactory;
import org.junit.jupiter.api.Test;

@Test
void testUserProfileUpdateDto_validation() {
    // Build a standalone Bean Validation validator (no Spring context needed)
    ValidatorFactory factory = Validation.buildDefaultValidatorFactory();
    Validator validator = factory.getValidator();

    UserProfileUpdateDto dto = new UserProfileUpdateDto();
    dto.setFirstName("");  // Should fail @NotBlank
    dto.setLastName("a".repeat(51));  // Should fail @Size

    Set<ConstraintViolation<UserProfileUpdateDto>> violations = validator.validate(dto);
    assertFalse(violations.isEmpty());
}

4. Code Quality: Remove Dead Code (Low Priority)

Lines: WebSecurityConfig.java:201-207

There's commented-out code for webSecurityCustomizer().

Recommendation:

  • Remove commented code - it's preserved in git history
  • If the approach might be needed later, document why in the commit message, not in comments

5. Documentation: README Could Be Clearer (Low Priority)

The README now shows both Spring Boot 3.5 and 4.0 installation instructions, which is good, but:

Recommendations:

  • Consider adding a prominent callout box at the top: "🚨 Version 4.0 requires Java 21 and includes breaking changes"
  • Add a "Should I Upgrade?" section to help users decide
  • Consider a compatibility table showing which framework version works with which Spring Boot version

6. Spring Retry Version (Low Priority)

Lines: build.gradle:52, 72

Spring Retry is explicitly versioned at 2.0.12 instead of using Spring Boot's dependency management.

Recommendation:

  • Verify this version is compatible with Spring Boot 4.0
  • Consider using the version managed by Spring Boot unless there's a specific reason not to
  • Document why explicit version is needed if there's a specific reason

🔍 Security Considerations

Positive Security Changes:

  1. UserProfileUpdateDto reduces attack surface by not requiring password fields
  2. ✅ Spring Security 7 includes security improvements over Security 6
  3. ✅ No exposure of sensitive data in new code

Potential Security Concerns:

  1. ⚠️ Ensure all URL patterns in user.security.unprotectedURIs configuration start with / (Spring Security 7 requirement) - migration guide correctly documents this
  2. ⚠️ Verify CSRF protection still works correctly with Spring Boot 4.0 - consider adding a test

🎯 Performance Considerations

No significant performance concerns identified:

  • Dependency updates should maintain or improve performance
  • Spring Boot 4.0 generally includes performance improvements
  • No algorithmic changes that would impact performance

📊 Test Coverage Assessment

Good:

  • Test annotations properly updated for modular test infrastructure
  • Validation behavior tests updated to match new expectations
  • Comprehensive test dependencies added

Could Be Improved:

  • Add tests for UserProfileUpdateDto validation
  • Add integration test verifying Thymeleaf + Spring Security 7 compatibility
  • Consider adding tests that verify URL pattern requirements (patterns starting with /)

🎓 Code Quality & Best Practices

Follows Repository Guidelines:

  • ✅ Proper JavaDoc for new classes
  • ✅ Uses Lombok appropriately (@Data on DTOs)
  • ✅ Validation annotations used correctly
  • ✅ Follows existing naming conventions

Minor Issues:

  • ⚠️ Commented-out code should be removed
  • ℹ️ Consider extracting validation message strings to constants if used in multiple places

✅ Recommended Actions Before Merge

Must Have (Blocking):

  1. Decision on API Breaking Change: Decide whether to:

    • Keep the breaking change and prominently document it, OR
    • Deprecate old endpoint and add new one
  2. Verify Thymeleaf Compatibility: Ensure thymeleaf-extras-springsecurity6 works correctly with Spring Security 7

Should Have (Recommended):

  1. Add validation tests for UserProfileUpdateDto
  2. Remove commented-out code from WebSecurityConfig.java
  3. Add integration test for Thymeleaf security expressions

Nice to Have:

  1. Improve README with "Should I Upgrade?" guidance
  2. Review Spring Retry version - use Spring Boot managed version if possible
  3. Add CSRF integration test for Spring Boot 4.0

📝 Overall Assessment

This is a well-executed major version upgrade. The migration documentation is particularly impressive and will be very helpful for library consumers. The code changes are appropriate for Spring Boot 4.0 compatibility, and the security configuration updates follow best practices for Spring Security 7.

The main concern is the breaking API change, which needs to be either:

  1. Clearly documented as a breaking change with migration instructions, OR
  2. Handled via deprecation to provide a smoother upgrade path

Recommendation: Approve with minor changes - Address the breaking change concern and the Thymeleaf compatibility verification, then this is ready to merge.


📚 References

Great work on this upgrade! 🚀
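The URL pattern requirement raised in the two reviews above (every entry of user.security.unprotectedURIs must start with /) can be enforced at startup instead of only being logged as a warning, so that a malformed entry in an access-control property stops the application rather than being silently ignored. The following is an added example and is not code from the project or from either review; the class name UriPatternListParser, its method names and the fail-fast behaviour are assumptions, and the sample property values are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (hypothetical class, not part of the framework): fail-fast
 * parsing of a comma-separated list of URI patterns such as the value of
 * user.security.unprotectedURIs.
 */
public final class UriPatternListParser {

    private UriPatternListParser() {}

    /**
     * Splits the property on commas, trims each entry, drops empty entries and
     * rejects any pattern that does not start with '/'. Rejecting (rather than
     * warning) fails closed: a pattern Spring Security 7 would not accept never
     * reaches the security configuration.
     */
    public static List<String> parse(String property) {
        List<String> patterns = new ArrayList<>();
        if (property == null || property.isBlank()) {
            return patterns;
        }
        List<String> invalid = new ArrayList<>();
        for (String raw : property.split(",")) {
            String uri = raw.strip();
            if (uri.isEmpty()) {
                continue;
            }
            if (uri.startsWith("/")) {
                patterns.add(uri);
            } else {
                invalid.add(uri);
            }
        }
        if (!invalid.isEmpty()) {
            throw new IllegalArgumentException(
                "URI patterns must start with '/' (Spring Security 7 requirement): " + invalid);
        }
        return patterns;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real configuration.
        System.out.println(parse("/login, /register/** ,/css/**"));
        try {
            parse("/login,static/**");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Calling parse() from the configuration class that reads the property (for example where the framework's own splitAndFilterProperty runs) turns a typo in the unprotected-URI list into a startup failure, which is easier to notice than a warning in the log of a running instance.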

@devondragon devondragon merged commit efeaed9 into main Dec 14, 2025
5 checks passed
@dependabot dependabot bot deleted the dependabot/gradle/org.springframework.boot-4.0.0 branch December 14, 2025 21:04