[Security] Bump spring.version from 5.1.7.RELEASE to 5.3.9

[dependabot-preview]

Bumps spring.version from 5.1.7.RELEASE to 5.3.9.
Updates spring-test from 5.1.7.RELEASE to 5.3.9

Release notes

Sourced from spring-test's releases.

v5.3.9

⭐ New Features

• Configure CommonsMultipartResolver to support specific HTTP methods #27161
• Allow BeanDefinitionBuilder to set an instance supplier with a ResolvableType #27160
• Reason of @ResponseStatus on handler method is not resolved by MessageSource #27156
• ResourceHandlerRegistry#getHandlerMapping should initialize handler once in outer loop #27153
• Set synthetic flag using BeanDefinitionBuilder #27141
• BeanCreationException error message should always include declaring class of constructor (or factory method) #27139
• Improve Jetty 10 check in JettyClientHttpResponse #27136
• Jetty10RequestUpgradeStrategy use an old jetty 9 class HandshakeRFC6455 #27121
• ClassNotFoundException using Jetty 10 and its reactive client #27112
• Use StringBuilder.append(char) where possible #27098
• Consider "wss" and "https" for secure flag in Forwarded header checks #27097
• SynchronossPartHttpMessageReader should only create temp directory when needed #27092
• Implement equals, hashCode, & toString in BeanMethod and *Metadata types #27076
• Remove logging dependency in BeanUtils #27070
• Exclude sealed interfaces from auto-proxying (for JDK 17 compatibility) #27027
• Blockhound error when running with transaction with a TransactionOperator #26955
• Configure StandardServletMultipartResolver to only support multipart/form-data #26826
• Add a way to set executeExistingDelayedTasksAfterShutdown from ThreadPoolTaskScheduler #26719
• Apply dynamic changes in ThreadPoolTaskExecutor before setting local value #26700

🪲 Bug Fixes

• JettyHttpHandlerAdapter is not aware of Server[Request|Response]Wrapper #27146
• {*path} pattern (CaptureTheRestPathElement) includes undocumented leading slash in @PathVariable path #27132
• NoSuchMethodError when invoke JettyWebSocketSession.getRemoteAddress in jetty 10 #27120
• CronExpression is still broken on spring-context-5.3.8 #27117
• SimpleMethodMetadataReadingVisitor.Source.toString() omits separator for method arguments #27095
• DefaultPathSegment allows shared empty parameters map to be mutated #27064
• AOP auto-proxying with proxyTargetClass=true and introduction advice does not work for JDK proxy targets #27044
• ServletRequestDataBinder assumes Standard servlet multipart handling #26999
• DataClassRowMapper should not override Kotlin init properties #26569

📔 Documentation

• Add Javadoc @since to BeanDefinitionBuilder.setSynthetic() #27155
• Fix link to Javadoc API #27151
• Added description for HandlerInterceptor #27122
• Fix typo in core-beans.adoc #27113
• Fix typo in BeanDefinitionDsl.kt #27105
• Improve docs for getContentAsByteArray method of ContentCachingRequestWrapper #27068
• Fix explanation on default settings for content negotiation in reference doc #27067
• Document that any @Valid* annotation triggers validation in the reference manual #27050
• Improve RequestPartMethodArgumentResolver Javadoc #27043
• Improve RequestResponseBodyMethodProcessor Javadoc #27042
• Clarify that baseName in ResourceBundleMessageSource does not support multiple locations #27038
• Link alternate documentation formats #27015

... (truncated)

Commits

• f9b6e94 Release v5.3.9
• bb816c1 Use MessageSource in HandlerMethod for error reason
• 33f3aa9 Upgrade to AspectJ 1.9.7 and EclipseLink 2.7.9
• e1f51cb Check both https and wss in forwarded header checks
• 6ec7cff Upgrade to Kotlin 1.5.21
• 4bc6f40 Upgrade to Reactor 2020.0.9
• bf27904 Document ResourceBundle limitations
• 95d7f88 Deprecate LastModified
• 25131eb Resource handler initialized only once
• 0267b00 Minor update to Javadoc for HandlerInterceptor#postHandle
• Additional commits viewable in compare view

Updates spring-webmvc from 5.1.7.RELEASE to 5.3.9 This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects org.springframework:spring-webmvc and org.springframework:spring-webflux In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Affected versions: >= 5.1.0, < 5.1.13

Release notes

Sourced from spring-webmvc's releases.

v5.3.9

⭐ New Features

• Configure CommonsMultipartResolver to support specific HTTP methods #27161
• Allow BeanDefinitionBuilder to set an instance supplier with a ResolvableType #27160
• Reason of @ResponseStatus on handler method is not resolved by MessageSource #27156
• ResourceHandlerRegistry#getHandlerMapping should initialize handler once in outer loop #27153
• Set synthetic flag using BeanDefinitionBuilder #27141
• BeanCreationException error message should always include declaring class of constructor (or factory method) #27139
• Improve Jetty 10 check in JettyClientHttpResponse #27136
• Jetty10RequestUpgradeStrategy use an old jetty 9 class HandshakeRFC6455 #27121
• ClassNotFoundException using Jetty 10 and its reactive client #27112
• Use StringBuilder.append(char) where possible #27098
• Consider "wss" and "https" for secure flag in Forwarded header checks #27097
• SynchronossPartHttpMessageReader should only create temp directory when needed #27092
• Implement equals, hashCode, & toString in BeanMethod and *Metadata types #27076
• Remove logging dependency in BeanUtils #27070
• Exclude sealed interfaces from auto-proxying (for JDK 17 compatibility) #27027
• Blockhound error when running with transaction with a TransactionOperator #26955
• Configure StandardServletMultipartResolver to only support multipart/form-data #26826
• Add a way to set executeExistingDelayedTasksAfterShutdown from ThreadPoolTaskScheduler #26719
• Apply dynamic changes in ThreadPoolTaskExecutor before setting local value #26700

🪲 Bug Fixes

• JettyHttpHandlerAdapter is not aware of Server[Request|Response]Wrapper #27146
• {*path} pattern (CaptureTheRestPathElement) includes undocumented leading slash in @PathVariable path #27132
• NoSuchMethodError when invoke JettyWebSocketSession.getRemoteAddress in jetty 10 #27120
• CronExpression is still broken on spring-context-5.3.8 #27117
• SimpleMethodMetadataReadingVisitor.Source.toString() omits separator for method arguments #27095
• DefaultPathSegment allows shared empty parameters map to be mutated #27064
• AOP auto-proxying with proxyTargetClass=true and introduction advice does not work for JDK proxy targets #27044
• ServletRequestDataBinder assumes Standard servlet multipart handling #26999
• DataClassRowMapper should not override Kotlin init properties #26569

📔 Documentation

• Add Javadoc @since to BeanDefinitionBuilder.setSynthetic() #27155
• Fix link to Javadoc API #27151
• Added description for HandlerInterceptor #27122
• Fix typo in core-beans.adoc #27113
• Fix typo in BeanDefinitionDsl.kt #27105
• Improve docs for getContentAsByteArray method of ContentCachingRequestWrapper #27068
• Fix explanation on default settings for content negotiation in reference doc #27067
• Document that any @Valid* annotation triggers validation in the reference manual #27050
• Improve RequestPartMethodArgumentResolver Javadoc #27043
• Improve RequestResponseBodyMethodProcessor Javadoc #27042
• Clarify that baseName in ResourceBundleMessageSource does not support multiple locations #27038
• Link alternate documentation formats #27015

... (truncated)

Commits

• f9b6e94 Release v5.3.9
• bb816c1 Use MessageSource in HandlerMethod for error reason
• 33f3aa9 Upgrade to AspectJ 1.9.7 and EclipseLink 2.7.9
• e1f51cb Check both https and wss in forwarded header checks
• 6ec7cff Upgrade to Kotlin 1.5.21
• 4bc6f40 Upgrade to Reactor 2020.0.9
• bf27904 Document ResourceBundle limitations
• 95d7f88 Deprecate LastModified
• 25131eb Resource handler initialized only once
• 0267b00 Minor update to Javadoc for HandlerInterceptor#postHandle
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)