Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.19

[dependabot]

Bumps org.springframework:spring-framework-bom from 6.2.16 to 6.2.19.

Release notes

Sourced from org.springframework:spring-framework-bom's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs. You can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Avoid too many character access attempts in AntPathMatcher #36886
• Track operations during SpEL expression evaluation #36887
• Ensure getters have non-void return types in SpEL #36888
• Expose ClassLoader from DefaultDeserializer #36839
• Refine default view name resolution #36794
• Refine Jackson JMS converters #36792
• Improve ABNF rule checks in RfcUriParser #36788
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
• Warn against unsafe static resource locations in MVC and WebFlux #36693
• Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

• Data is lost for joined DataBuffer in DataBufferUtils #36874
• CronExpression skips days on midnight DST gap #36873
• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
• Server Sent Event does not support multi-line comments #36867
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
• Bean Background Bootstrap and Lazy Init #36847
• Fix JSP tag processing #36798
• Fix script processing capabilities #36796
• Parsing failure for MIME type with quoted parameter values #36734
• Circular dependency between supplier-created beans is silently ignored on startup #36732
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
• Regression on value class parameter handling #36720
• Cache collisions in CachingResourceResolver #36718

... (truncated)

Commits

• 6214eae Release v6.2.19
• 76a36df Track operations during SpEL expression evaluation
• 3d47da9 Ensure getters have non-void return types in SpEL
• 519d733 Improve additional error messages in SpEL
• ec89834 Further improve pattern caching in SpEL
• b294371 Avoid too many character access attempts in AntPathMatcher
• 1829b42 Ensure consistent JSP tag attribute processing
• 86d9979 Refine JavaScriptUtils#javaScriptEscape
• 3aaec98 Prevent special prefixes in default view name resolution
• ee4e790 Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)