Skip to content

feature: upgrade to Java 21 / Spring Boot 3.5 + Jakarta EE migration#723

Open
devin-ai-integration[bot] wants to merge 5 commits into
masterfrom
devin/1782324312-java21-springboot3
Open

feature: upgrade to Java 21 / Spring Boot 3.5 + Jakarta EE migration#723
devin-ai-integration[bot] wants to merge 5 commits into
masterfrom
devin/1782324312-java21-springboot3

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Upgrades the project from Java 11 / Spring Boot 2.6.3 to Java 21 / Spring Boot 3.5.15, which requires moving to the Jakarta EE namespace and adapting to Spring Security 6 and newer graphql-java/DGS APIs. ./gradlew clean test passes locally (68 tests) on JDK 21, and the app boots cleanly (Flyway migrates SQLite, Tomcat on :8080).

Build & toolchain (build.gradle, wrapper)

  • org.springframework.boot 2.6.33.5.15 (latest 3.x); io.spring.dependency-management 1.0.11.RELEASE1.1.7.
  • sourceCompatibility/targetCompatibility 1121.
  • Gradle wrapper 7.48.10.2 (required for Java 21).
  • DGS: now uses the graphql-dgs-platform-dependencies:9.2.2 BOM + unversioned graphql-dgs-spring-boot-starter (the classic Spring-MVC DGS starter; the 9.x line is the latest that ships this starter and targets Spring Boot 3.x / graphql-java 22). Codegen plugin 5.0.67.0.3.
  • mybatis-spring-boot-starter (+ test) 2.2.23.0.4; rest-assured 4.5.15.5.7 (5.x is the Jakarta-compatible line); jjwt 0.11.20.11.5; sqlite-jdbc 3.36.0.33.50.3.0. Flyway and joda-time retained (versions managed by the Boot BOM where applicable).
  • Spotless plugin 6.2.16.25.0 so the bundled google-java-format runs on JDK 21.

Jakarta migration

  • All javax.servlet.*jakarta.servlet.* and javax.validation.*jakarta.validation.* across api, application, and graphql packages. javax.crypto.* in DefaultJwtService is JDK (JCE), not Jakarta EE, so it is intentionally left unchanged.

Spring Security 6

  • WebSecurityConfig no longer extends the removed WebSecurityConfigurerAdapter; it now exposes a SecurityFilterChain bean using the lambda DSL (authorizeHttpRequests + requestMatchers, replacing authorizeRequests/antMatchers).

Other Spring 6 / graphql-java API changes

  • CustomizeExceptionHandler.handleMethodArgumentNotValid override signature: HttpStatusHttpStatusCode (Spring 6 ResponseEntityExceptionHandler).
  • GraphQLCustomizeExceptionHandler implements the new DataFetcherExceptionHandler contract: onException(...) (removed in graphql-java 20+) → CompletableFuture<DataFetcherExceptionHandlerResult> handleException(...), delegating to defaultHandler.handleException(...).
  • DGS codegen 7.x no longer maps the schema PageInfo to the Relay type by default, so the datafetchers (which use graphql.relay.PageInfo) broke. Added typeMapping = ["PageInfo": "graphql.relay.PageInfo"] to the generateJava task to restore the prior mapping — no datafetcher code changes needed.

Security (Snyk)

  • Spring Boot 3.5.15 pulls patched spring-framework 6.2.19 and jackson 2.21.x, clearing all net-new Critical/High transitive CVEs the migration would otherwise have introduced.
  • Bumped sqlite-jdbc to 3.50.3.0 (clears preexisting High ACE advisory) and forced test-scope commons-lang3 3.18.0 (rest-assured still pulls a vulnerable 3.17.0 transitively).
  • Remaining: one Low kotlin-stdlib advisory via the build-time DGS codegen Gradle plugin (not on the application runtime classpath).

CI (.github/workflows/gradle.yml)

  • The repo had no workflow file, so one was added: builds on temurin JDK 21 via actions/checkout@v4, actions/setup-java@v4, actions/cache@v4, running ./gradlew clean test.

Note: "latest 3.x" Spring Boot is the 3.5.x line (3.5.15 here). I did not move to a newer DGS major (10.x+) because that line drops the classic graphql-dgs-spring-boot-starter in favor of the Spring-for-GraphQL starter, which would be a larger rewrite of the GraphQL layer; DGS 9.2.2 is the latest that keeps the current adapter working.

Link to Devin session: https://app.devin.ai/sessions/b8ec89e097e04950b80dda2d578c6587
Requested by: @tanveejoshi-dev


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

Co-Authored-By: Tanvee Joshi <tanvee.joshi@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 2 potential issues.

Open in Devin Review

Comment thread build.gradle
implementation 'com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter:4.9.21'
implementation 'org.mybatis.spring.boot:mybatis-spring-boot-starter:3.0.4'
implementation 'com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter'
implementation 'org.flywaydb:flyway-core'

@devin-ai-integration devin-ai-integration Bot Jun 24, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Missing Flyway SQLite module causes startup failure with Flyway 11.x

The Spring Boot upgrade from 2.6.3 to 3.5.15 pulls Flyway 11.7.2 (confirmed via ./gradlew dependencies). Starting with Flyway 10, database-specific support was modularized into separate artifacts — SQLite support is no longer bundled in flyway-core and requires a dedicated module (e.g. org.flywaydb:flyway-database-sqlite). The project clearly uses SQLite (application.properties:1 has spring.datasource.url=jdbc:sqlite:dev.db), but build.gradle:42 only declares org.flywaydb:flyway-core. At application startup, Flyway will fail to recognize the SQLite database type and throw an error, preventing the app (and all integration tests) from running.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified empirically — this is not an issue for the Flyway version in play. SQLite support is still bundled in flyway-core 11.7.2; it was not moved to a community module.

Starting the app fresh (deleted dev.db, ran ./gradlew bootRun) produced:

o.f.core.FlywayExecutor : Database: jdbc:sqlite:dev.db (SQLite 3.50)
o.f.core.internal.command.DbValidate : Successfully validated 1 migration
o.f.core.internal.command.DbMigrate  : Migrating schema "main" to version "1 - create tables"
o.f.core.internal.command.DbMigrate  : Successfully applied 1 migration to schema "main", now at version v1
o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port 8080 (http)

The fresh dev.db contains flyway_schema_history + all app tables, and the 68 @SpringBootTest integration tests (in-memory SQLite, Flyway-managed schema) all pass. No extra Flyway module needed.

Comment thread build.gradle Outdated
…vulnerabilities

Co-Authored-By: Tanvee Joshi <tanvee.joshi@cognition.ai>

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 new potential issue.

Open in Devin Review

Comment thread build.gradle
id 'java'
id "com.netflix.dgs.codegen" version "5.0.6"
id "com.diffplug.spotless" version "6.2.1"
id "com.netflix.dgs.codegen" version "7.0.3"

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 DGS BOM version (9.2.2) vs codegen plugin version (7.0.3) mismatch

The DGS platform BOM is set to 9.2.2 (build.gradle:34) while the DGS codegen Gradle plugin is 7.0.3 (build.gradle:5). These are separate artifacts with independent versioning, but significant version gaps can lead to generated code that doesn't align with the runtime API. The codegen generates types in io.spring.graphql.types and constants in io.spring.graphql.DgsConstants — if the newer DGS runtime expects different type structures or annotations, there could be subtle incompatibilities. Worth verifying that the generated code compiles and works correctly with DGS 9.2.2.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified — the codegen plugin (7.0.3) and DGS runtime BOM (9.2.2) are intentionally on independent version lines and are compatible here. The generated io.spring.graphql.types.* / DgsConstants compile and run against DGS 9.2.2 / graphql-java 22.3: ./gradlew clean test passes (68 tests) and the app boots and serves GraphQL. The one codegen-behavior difference (DGS codegen 7.x no longer auto-maps schema PageInfo to graphql.relay.PageInfo) is handled explicitly via typeMapping = ["PageInfo": "graphql.relay.PageInfo"] on the generateJava task.

…dvisory

Co-Authored-By: Tanvee Joshi <tanvee.joshi@cognition.ai>

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 new potential issue.

Open in Devin Review

Comment thread build.gradle
implementation('org.jetbrains.kotlin:kotlin-stdlib') {
version { strictly '2.1.20' }
}
implementation 'org.flywaydb:flyway-core'

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 Flyway SQLite support may require additional module with Flyway 10+

Spring Boot 3.2+ ships Flyway 10+, which modularized database support into separate artifacts. The build.gradle:48 only declares implementation 'org.flywaydb:flyway-core' without a database-specific module for SQLite. In Flyway 10, community databases (SQLite, H2, HSQLDB, Derby) were initially kept in flyway-core, but in later Flyway releases they may have been extracted. Depending on the exact Flyway version managed by Spring Boot 3.5.15's BOM, an additional dependency like org.flywaydb:flyway-database-sqlite (or equivalent community module) may be required. Without it, the application could fail at startup with a "No database found to handle jdbc:sqlite:..." error. This is worth verifying by running the full test suite.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified empirically — no extra Flyway module is needed for SQLite here.

Flyway resolved by Spring Boot 3.5.15's BOM is 11.7.2, and SQLite support is still bundled in flyway-core for that line (it was not extracted to a separate community module in 11.7.x). Confirmed by running the app against a fresh dev.db:

Database: jdbc:sqlite:dev.db (SQLite 3.50)
Successfully validated 1 migration
Migrating schema "main" to version "1 - init schema"
Successfully applied 1 migration to schema "main"
Tomcat started on port 8080

GraphQL also serves correctly on the same boot (exercising the SQLite-backed read path):

  • { tags } -> {"data":{"tags":[]}}
  • { articles(first:5){ pageInfo{ hasNextPage } edges{ node{ slug } } } } -> valid ArticlesConnection

All 68 tests (in-memory SQLite) pass as well. If a future Flyway 11.10+ bump extracts SQLite into flyway-database-sqlite, we'll add it then; for 11.7.2 it's unnecessary.

devin-ai-integration Bot and others added 2 commits June 24, 2026 18:37
…sories

Co-Authored-By: Tanvee Joshi <tanvee.joshi@cognition.ai>
…SCM check

Co-Authored-By: Tanvee Joshi <tanvee.joshi@cognition.ai>

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 new potential issue.

Open in Devin Review

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟨 Permissive CORS configuration allows any origin

The CorsConfigurationSource bean at src/main/java/io/spring/api/security/WebSecurityConfig.java:71 sets setAllowedOrigins(asList("*")), allowing requests from any origin. While allowCredentials is set to false (mitigating credential leakage via CORS), an overly permissive origin policy can still facilitate cross-origin data exfiltration of non-credentialed responses.

(Refers to line 71)

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CORS configuration is pre-existing and unchanged by this PR. On master the same bean already sets setAllowedOrigins(asList("*")) with setAllowCredentials(false) (original WebSecurityConfig.java:68-76). This upgrade only migrated the surrounding security config from the removed WebSecurityConfigurerAdapter to the Spring Security 6 SecurityFilterChain bean — the CORS policy was carried over verbatim.

Since allowCredentials is false, the wildcard origin cannot be used to exfiltrate credentialed responses. Tightening the allowed origins is a reasonable hardening idea, but it's a behavioral change to existing config that's out of scope for this Java 21 / Spring Boot 3 migration PR. Happy to do it as a follow-up if desired.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants