Tag Archives: Spring Boot

Spring Boot — convention-over-configuration framework for building Spring-based Java applications

Surviving the AI Vulnerability Wave: How to Automate Spring Boot Dependency Patches

Something changed in the Spring ecosystem over the last year. AI-powered vulnerability scanners now monitor the CVE feeds, the Spring Security advisories, and the transitive dependency graphs of public repositories continuously — and they file patch requests the moment a fixable version lands. If you maintain more than a handful of Spring Boot services, you have probably noticed your pull-request queue filling with dependency bumps faster than any human can review them. Manual upgrades, one POM at a time, are no longer a sustainable remediation strategy. This guide shows how to build an automated dependency patching pipeline for Spring Boot: bot-driven update PRs, automated regression testing that decides whether a bump is safe, and canary deployments that catch the failures your tests miss.

Why Manual Spring Boot Patching No Longer Scales

A single Spring Boot application pulls in 150–300 transitive dependencies through its starters. Each of those is an independent source of CVEs. When a vulnerability lands in something deep in the graph — a Netty buffer, a SnakeYAML parser, a Tomcat connector — the fix usually arrives as a patch release that you inherit by bumping a single managed version. The problem is volume: across a fleet of services, the number of safe, boring, necessary upgrades per week now exceeds what a team can hand-review without either rubber-stamping (dangerous) or falling behind (also dangerous).

  • The scanners do not sleep. Automated tooling files patch PRs within hours of a CVE disclosure, not days.
  • Most bumps are trivial — but not all. The 95% that are pure patch releases are safe to automate; the 5% that quietly change behaviour are what an automated test gate exists to catch.
  • Falling behind compounds. Skip patches for two quarters and your “simple” upgrade becomes a multi-version migration with breaking changes.

The answer is not to review faster. It is to let bots open the PRs, let your test suite decide which ones are safe, and reserve human attention for the minority that actually need it.


Spring Framework 6 to 7 Migration Guide: Breaking Changes, Deprecated APIs, and Upgrade Checklist

I have spent the last few months taking a mid-sized Spring service from Spring Framework 6.2 to Spring Framework 7.0, and the thing nobody tells you up front is this: most of the migration content you find is actually about Spring Boot. Boot 4 gets all the headlines. But Boot 4 sits on top of Framework 7, and the changes that broke my build, my tests, and (twice) my production behaviour came from the core framework — bean lifecycle, AOT metadata, the Jakarta cutover, and a pile of quietly removed APIs.

This guide is about the layer underneath Boot. If you maintain a library, a non-Boot Spring application, or you just want to understand why Boot 4 forces certain changes, this is the migration you need to read. Framework 7.0 went GA on 13 November 2025, and everything below is verified against the official 7.0 release notes — not guessed from a beta.


Spring Security 5 to 6 to 7 Migration: SecurityFilterChain, Lambda DSL, and the Silent Authorization Changes

Of every breaking change in the Spring Boot 2 → 3 era, the removal of WebSecurityConfigurerAdapter generated the most confused stack traces I’ve debugged — because security configuration is the one place where “it compiles and runs” tells you almost nothing about whether it still protects anything. This guide migrates Spring Security 5 configurations to the 6.x component model (Spring Boot 3.x), covers what tightens further in Spring Security 7 (Spring Boot 4), and flags the places where a mechanical conversion quietly changes your authorization behaviour.


RestTemplate to RestClient Migration Guide: Method Mapping, Error Handling, and the exchange() Trap

Spring Boot 4 finally forced the issue: RestTemplate, in maintenance mode since Spring 5, is out of the recommended path, and codebases full of getForObject() and exchange() calls need a plan. The good news is that RestClient (introduced in Spring 6.1 / Boot 3.2) was designed as the synchronous successor, so this migration is mostly mechanical — if you know the method-by-method mapping and the three places where behaviour quietly differs. This guide gives you both.


Zuul to Spring Cloud Gateway Migration: Routes, Filters, and the Blocking-Call Traps

The first time I ported a Zuul gateway to Spring Cloud Gateway, the routes took an afternoon — and the filters took two weeks. That ratio surprises every team that attempts this migration, because the route configuration looks superficially similar while the filter model is a different universe: Zuul 1 is a blocking servlet filter chain, Spring Cloud Gateway runs on Netty with Project Reactor, and a single hidden blocking call in a ported filter can stall your entire gateway. This guide covers the route conversion, the filter-by-filter port, and the blocking-call traps, in that order.


Spring Cloud Netflix to Modern Alternatives: The Complete Migration Guide (2026)

In 2020 I published a dozen tutorials on this site covering Eureka, Hystrix, Zuul, Ribbon, and Feign — the Spring Cloud Netflix stack. They were accurate then. Today, most of that stack is dead: Netflix put Hystrix into maintenance mode back in 2018, Zuul 1 and Ribbon followed, and the Spring team removed them from the Spring Cloud release train entirely. If you are still running any of these libraries on Spring Boot 2.x, this guide maps every Netflix component to its modern replacement and shows you the actual migration steps — including the parts that break.


Serverless AI Inference in Java: AWS Lambda vs Azure Functions vs Cloud Run

I spent several weeks running Java AI inference handlers across all three major clouds — AWS Lambda, Azure Functions, and Google Cloud Run — testing cold start behaviour, token cost at scale, and multi-model routing under realistic load. The short version: the right choice depends on which layer is your bottleneck, and the three clouds diverge more sharply than any generic “serverless comparison” post will tell you.

This post covers everything I found: measured cold start numbers with sources, honest cost models at 50k–100k requests/day, multi-model routing patterns, observability trade-offs, and runnable Java code for RAG endpoints and function-based agents. Skip to the Winner Section if you want the bottom line immediately.

About This Post

Benchmarks compiled from: AWS Lambda Java 25 launch post (Liberty Mutual case study), inside.java JEP walkthrough, aws-samples/serverless-graalvm-demo, Quarkus native Cloud Run benchmarks from the official Quarkus GCP guide, and hands-on testing. Cost figures are calculated from public pricing pages as of May 2026 — verify with your provider’s calculator before committing.
