<![CDATA[DevByAmit]]>https://staticjava.comRSS for NodeSat, 18 Apr 2026 09:02:06 GMT60<![CDATA[Upgrading Spring Boot version from 3.0.x to 3.3.x]]>https://staticjava.com/upgrading-spring-boot-version-from-30x-to-33xhttps://staticjava.com/upgrading-spring-boot-version-from-30x-to-33xFri, 02 May 2025 12:34:32 GMTThe spring boot version 3.0.6 comes with tomcat-embed-core version 10.1.8 which comes with CVE vulnerabilities.
Our security scan spotted this vulnerability and ask us to fix it before going live. Hence, we decided to upgrade our spring boot version.
The vulnerability free version of tomcat-embed-core near to 10.1.8 is 10.1.35 and latest spring boot version supporting it is 3.3.9. Hence, we decided to upgrade to spring boot version 3.3.9.

Library

Old Version

New Version

Changes

Springboot.version
(for group id org.springframework.boot)

3.0.6

3.3.9

Logback-core, logback-classic

1.4.7

1.5.15

The tag <timeBasedFileNamingAndTriggeringPolicy/> needs to be removed in logback.xml file. You can use <maxFileSize/> tag directly inside <fileNamePattern/> tag only.

Spring-bean

6.0.3

6.1.15

spring-integration-jms

5.5.17

6.1.4

The get() method of IntegrationComponentSpec class needs to be change to getObject().

Guava

31.1-jre

33.4.8-jre

Javax.jms-api 

2.0.1

Jakarta.jms-api (3.1.0)

Change all javax. Imports to Jakarta 

Sol-jms

10.19.0

Sol-jms-jakarta (10.20.0)

Change all javax. Imports to Jakarta 

spring-jms

5.3.2

6.1.15

Here are some tips:

  1. Always use maven dependency tree command when you upgrade any library version.
    \> mvn dependency:tree

  2. I have used GitHub Copilot for resolving most of the dependency issues and resolving errors.

    Here are some of my prompts to copilot:

    • Do we need spring-boot-starter-logging if logback lib is present?

    • Why the error: java.lang.NoClassDefFoundError: ch/qos/logback/core/util/StatusPrinter2

    • What spring bean version compatible with spring boot 3.3.9

    • What about spring-jms version?

    • What solace-jms-spring-boot-autoconfigure version to use?

    • create connectionfactory instance to set in setTargetConnectionFactory method (this is for solace jms configuration)

    • sol-jms version 10.19.0 not using jakarta, suggest me supporting version

  3. Only successful build doesn’t mean all ok, you need to run the app after every successful build.

  4. Always use https://mvnrepository.com/ to search libraries and check vulnerability free libraries.

]]>