build(deps)(deps): bump org.springframework.boot from 3.5.3 to 4.0.6 in /easy-paging-demo (#19)
Bumps [org.springframework.boot](https://github.com/spring-projects/spring-boot) from 3.5.3 to 4.0.6.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v3.5.3...v4.0.6)

---
updated-dependencies:
- dependency-name: org.springframework.boot
  dependency-version: 4.0.6
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…tifies (#37)

After yesterday's dependabot.yml went live, Dependabot opened 18 individual PRs to bump every demo from Spring Boot 3.5.3 → 4.0.6 and Gradle wrapper 8.10.2 → 9.5.1 (#19-#36). The grouped PRs (e.g. #18 for spring-boot patch/minor) worked correctly; what didn't was that default group semantics excluded `version-update:semver-major`, so major bumps escaped grouping and landed as individual PRs per demo.

Beyond the noise, the real problem is that the demos must mirror the Spring Boot baseline each *starter* was certified against — per its README:

> Spring Boot 3.3+ on Java 21+ (built/tested against 3.5)

easy-paging-spring-boot-starter has not (yet) published a release certified against Spring Boot 4 / Spring Framework 7 / Jakarta EE 11. Auto-bumping demos to SB4 would silently advertise an unverified combination to anyone who clones a demo as a starting point.

This commit adds an `ignore` block that holds majors for:
- org.springframework.boot:* (the BOM driver)
- io.spring.dependency-management
- org.springframework:* and org.springframework.cloud:* (transitively pulled in; majors can land off the SB cadence)
- gradle (wrapper) — each major needs hand verification of deprecations-now-errors before going green across 9 demos

Patch/minor bumps still flow through (and group correctly — PR #18 already proved that path), so security fixes within the 3.5.x line land normally.

Lift these holds when each starter publishes its SB4-compatible release line; the demos can then be upgraded together in one intentional PR per starter, not piecemeal by a robot.

Follow-up:
- Merge PR #18 (grouped patch/minor across 9 demos) and PRs #14-#17 (github-actions minors) since they're inside policy.
- Close PRs #19-#36 (18 stragglers); the new policy guarantees they won't reappear on the next Dependabot run.
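The `ignore` block the commit message above describes, written out as an added example dependabot.yml (not the repository's own file). The `package-ecosystem`, `schedule`, the group name, and the wrapper's `dependency-name: gradle` are assumptions, as is showing `/easy-paging-demo` alone where the real config covers nine demos.

```yaml
# Added example, not the repository's own dependabot.yml.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/easy-paging-demo"   # assumption: one demo shown; real file covers nine
    schedule:
      interval: "weekly"             # assumption
    groups:
      # Patch/minor bumps keep grouping into one PR per demo (the path PR #18 proved).
      # Majors are deliberately absent from update-types, so without the ignore
      # block below they fall out as one PR per demo (#19-#36).
      spring-boot:                   # group name is an assumption
        patterns:
          - "org.springframework.boot*"
          - "io.spring.dependency-management"
          - "org.springframework*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Hold majors until a starter is certified against Spring Boot 4 /
      # Spring Framework 7 / Jakarta EE 11. Only semver-major is listed, so
      # 3.5.x patch/minor security fixes still arrive normally.
      - dependency-name: "org.springframework.boot:*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "io.spring.dependency-management"
        update-types: ["version-update:semver-major"]
      - dependency-name: "org.springframework:*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "org.springframework.cloud:*"
        update-types: ["version-update:semver-major"]
      # Gradle wrapper; assumption that Dependabot names it "gradle".
      - dependency-name: "gradle"
        update-types: ["version-update:semver-major"]
```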
Superseded by #37
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps org.springframework.boot from 3.5.3 to 4.0.6.
Release notes
Sourced from org.springframework.boot's releases.
... (truncated)
Commits
- 8821ad2 Release v4.0.6
- 9e4048a Merge branch '3.5.x' into 4.0.x
- 20bb11c Next development version (v3.5.15-SNAPSHOT)
- 98daa8e Merge branch '3.5.x' into 4.0.x
- 9dc5aa2 Polish
- 874f629 Fix default security with actuator but without health
- e41b3bf Enable hostname verification for SSL connections to Elasticsearch
- ef8527b Merge branch '3.5.x' into 4.0.x
- f533a45 Do not follow symlinks when writing PID file
- 4a7bd33 Merge branch '3.5.x' into 4.0.x

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)