chore: pin Spring/Hibernate majors in renovate config#2948
Merged
bjagg merged 1 commit intoApr 27, 2026
Conversation
Problem: Renovate keeps opening major-bump PRs (Spring 5/6, Spring Security 5+, Hibernate 5+) because the Maven Central versions newer than what we pin in gradle.properties show up as available, and [security] flags in those PRs amplify the noise. Each major is a coordinated migration we are not ready for, and we close them by hand every cycle. Recent examples: uPortal-Project#2937, uPortal-Project#2940, uPortal-Project#2941, uPortal-Project#2942. Goal: encode the migration constraints in renovate.json so Renovate stops offering majors that won't be merged. Stays consistent with the same pinning pattern applied across the portlet repos in the recent sweep (AnnouncementsPortlet, basiclti-portlet, FeedbackPortlet, NotificationPortlet, etc.). Changes: - renovate.json: add three packageRules entries with allowedVersions - org.springframework:* / .data:* / .webflow:* → < 5.0 (Spring 5+ requires a coordinated API migration; Spring 6+ adds Jakarta EE + Java 17 on top.) - org.springframework.security:* / .oauth:* → < 5.0 (Bound to the Spring Framework 4.3.x line; moves in lockstep.) - org.hibernate:* / org.hibernate.orm:* → < 5.0 (Hibernate 5+ has API + EntityManager changes; 6+ renames the groupId and needs Jakarta EE + Java 17.) Notes: did not pin Spring LDAP (2.x is current line, 2.4.4 bump in uPortal-Project#2938 is a minor), Springfox (2.10.0 bump in uPortal-Project#2935 is also a minor), or Guava (uPortal-Project#2939 to v32 is plausible — resource-server already runs guava 32). These can flow through normally. Closes uPortal-Project#2937, uPortal-Project#2940 (duplicates). Closes uPortal-Project#2941, uPortal-Project#2942 (won't migrate this release). Refs uPortal-Project#2938, uPortal-Project#2935, uPortal-Project#2939 (allowed to proceed normally).
This was referenced Apr 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
allowedVersionsconstraints torenovate.jsonmatching how the rest of the fleet is pinned, so Renovate stops opening major-bump PRs for Spring 5/6, Spring Security 5+, and Hibernate 5+.Why
uPortal is on Spring Framework 4.3.30, Spring Security 4.2.20, and Hibernate 4.2.21. Each of those majors requires a coordinated migration we have not scheduled. Renovate keeps surfacing these as
[security]PRs, which we close every cycle by hand:springversion (major)springsecurityversion to v5 (major)hibernate-core to v5hibernate-core to v5(duplicate of fix(deps): update dependency org.hibernate:hibernate-core to v5 [security] #2940)This PR encodes the constraint so they stop coming through.
Pins added
org.springframework:*/.data:*/.webflow:*< 5.0org.springframework.security:*/.oauth:*< 5.0org.hibernate:*/org.hibernate.orm:*< 5.0Not pinned (allowed to proceed normally)
Pattern consistency
Same shape as the renovate.json files added across the portlet repos in the April sweep (AnnouncementsPortlet, basiclti-portlet, FeedbackPortlet, NotificationPortlet, CalendarPortlet, etc.).
Test plan
python3 -c "import json; json.load(open('renovate.json'))"— JSON valid🤖 Generated with Claude Code