Skip to content

Upgrade Spring Boot from 2.6.3 to 3.5.10#10

Open
devin-ai-integration[bot] wants to merge 2 commits into
masterfrom
devin/1769727419-upgrade-spring-boot
Open

Upgrade Spring Boot from 2.6.3 to 3.5.10#10
devin-ai-integration[bot] wants to merge 2 commits into
masterfrom
devin/1769727419-upgrade-spring-boot

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jan 29, 2026

Copy link
Copy Markdown

Upgrade Spring Boot from 2.6.3 to 3.5.10

Summary

This PR upgrades the application from Spring Boot 2.6.3 to 3.5.10, which is a major version upgrade requiring significant code changes due to breaking API changes in Spring Boot 3.x.

Key changes:

  • Java version: 11 → 17 (required by Spring Boot 3)
  • Namespace migration: All javax.* imports migrated to jakarta.* (Jakarta EE 10)
  • Spring Security 6: Replaced deprecated WebSecurityConfigurerAdapter with SecurityFilterChain bean and lambda-based configuration
  • JJWT 0.12.x: Updated JWT service to use new parser API (parser().verifyWith() instead of parserBuilder())
  • DGS Framework: 4.9.21 → 9.2.2 with updated DataFetcherExceptionHandler interface (now async)
  • Gradle: 7.4 → 8.14

Dependency updates:

  • MyBatis Spring Boot Starter: 2.2.2 → 3.0.4
  • rest-assured: 4.5.1 → 5.5.0
  • joda-time: 2.10.13 → 2.13.0
  • sqlite-jdbc: 3.36.0.3 → 3.47.2.0

Configuration changes:

  • Added spring.main.allow-bean-definition-overriding=true for Spring Boot 3 compatibility
  • Updated mybatis.mapper-locations to use classpath: prefix
  • Removed mybatis.configuration.default-statement-timeout (incompatible with MyBatis 3.0.4)

Updates since last revision

  • Fixed CI workflow to use Java 17 (was failing because Spring Boot 3 requires JDK 17+)
  • Downgraded MyBatis Spring Boot Starter from 4.0.1 to 3.0.4 to fix NullPointerException in MybatisProperties.CoreConfiguration.applyTo
  • All 68 tests now pass

Review & Testing Checklist for Human

  • Review security configuration: The WebSecurityConfig.java was completely rewritten from WebSecurityConfigurerAdapter to SecurityFilterChain - verify all endpoints have correct access rules
  • Test authentication flow: Verify login/registration works and JWT tokens are generated/validated correctly (critical change in DefaultJwtService.java with new JJWT API)
  • Test GraphQL endpoints: Verify /graphql and /graphiql work correctly with the new DGS version and async exception handler

Recommended test plan:

  1. Start the application: ./gradlew bootRun
  2. Test POST /users (registration) - should return JWT token
  3. Test POST /users/login (authentication)
  4. Test GET /articles and GET /tags endpoints
  5. Test creating an article with authentication
  6. Verify GraphQL queries work at /graphiql

Notes

  • Local testing confirmed: Application starts successfully, user registration returns JWT tokens, REST endpoints respond correctly
  • Added src/test/resources/application.properties with test-specific configuration
  • Made DuplicatedUsernameValidator and DuplicatedEmailValidator importable in test configuration

Link to Devin run: https://app.devin.ai/sessions/2436d73fecce434987a7a4ab44b8b689
Requested by: Sam Fertig (@samfert-codeium)

Major changes:
- Update Spring Boot from 2.6.3 to 3.5.10
- Update Java compatibility from 11 to 17
- Migrate javax.* imports to jakarta.* namespace (Jakarta EE 10)
- Update Spring Security configuration for Spring Security 6
  - Replace WebSecurityConfigurerAdapter with SecurityFilterChain
  - Use new lambda-based configuration style
  - Replace antMatchers with requestMatchers
- Update DGS framework from 4.9.21 to 9.2.2
- Update DGS codegen plugin from 5.0.6 to 6.3.0
- Update JJWT from 0.11.2 to 0.12.6
  - Use new parser API (parser().verifyWith() instead of parserBuilder())
  - Use Keys.hmacShaKeyFor() for key generation
- Update MyBatis Spring Boot Starter from 2.2.2 to 4.0.1
- Update Gradle wrapper from 7.4 to 8.14
- Update other dependencies to compatible versions:
  - rest-assured: 4.5.1 -> 5.5.0
  - joda-time: 2.10.13 -> 2.13.0
  - sqlite-jdbc: 3.36.0.3 -> 3.47.2.0
  - spotless: 6.2.1 -> 6.25.0
  - dependency-management: 1.0.11.RELEASE -> 1.1.7

Code changes:
- Fix GraphQLCustomizeExceptionHandler for new DataFetcherExceptionHandler API
- Fix CustomizeExceptionHandler for HttpStatusCode parameter type
- Fix ArticleDatafetcher and CommentDatafetcher to use generated PageInfo type
- Add test configuration for Spring Boot 3 compatibility
- Make DuplicatedUsernameValidator public for test imports

Co-Authored-By: Sam Fertig <sam.fertig@codeium.com>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

- Update CI workflow to use Java 17 (required by Spring Boot 3)
- Downgrade MyBatis Spring Boot Starter from 4.0.1 to 3.0.4 to fix
  NullPointerException in MybatisProperties.CoreConfiguration.applyTo
- Remove mybatis.configuration.default-statement-timeout property
- Add classpath: prefix to mybatis.mapper-locations
- Add spring.main.allow-bean-definition-overriding=true for bean override

Co-Authored-By: Sam Fertig <sam.fertig@codeium.com>
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
2 Security Hotspots
B Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants