Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8

[dependabot]

Bumps org.springframework:spring-framework-bom from 7.0.7 to 7.0.8.

Release notes

Sourced from org.springframework:spring-framework-bom's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Include zone ID in CronTrigger's equals/hashCode implementations #36871
• Expose ClassLoader from DefaultDeserializer #36833
• Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
• Track operations during SpEL expression evaluation #36801
• Ensure getters have non-void return types in SpEL #36800
• Avoid too many character access attempts in AntPathMatcher #36799
• Refine default view name resolution #36793
• Refine Jackson JMS converters #36791
• Improve ABNF rule checks in RfcUriParser #36787
• Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
• Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
• Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
• Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
• Improve error messages in SpEL #36756
• Improve pattern caching in SpEL #36755
• Avoid ResolvableType#forType contention for implicit cache cleanup #36745
• Switch to JdkIdGenerator for WebSocket Sessions #36740
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
• LiteWebJarsResourceResolver does not resolve directories #36726
• Warn against unsafe static resource locations in MVC and WebFlux #36692
• Consistent compatibility with Woodstox as an alternative to Xerces #36682
• Improve principal checks for SockJS session #36681
• Set host header consistently in STOMP relay CONNECT frames #36673
• Support Micrometer context propagation in Kotlin Flow #36667
• Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits

• 9e8cea3 Release v7.0.8
• 2c18c33 Track operations during SpEL expression evaluation
• 83667f8 Ensure getters have non-void return types in SpEL
• 7a8917b Improve additional error messages in SpEL
• 7baa865 Further improve pattern caching in SpEL
• 12b44f2 Avoid too many character access attempts in AntPathMatcher
• e8f1024 Ensure consistent JSP tag attribute processing
• a1826b7 Refine JavaScriptUtils#javaScriptEscape
• 7add524 Prevent special prefixes in default view name resolution
• 9bec52b Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.79%. Comparing base (413a8ba) to head (0febc25).

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #6694   +/-   ##
=========================================
  Coverage     97.79%   97.79%           
  Complexity     7325     7325           
=========================================
  Files          1015     1015           
  Lines         21508    21508           
  Branches       1416     1416           
=========================================
  Hits          21033    21033           
  Misses          359      359           
  Partials        116      116           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.