Deprecate springboot 3.4 and 3.5

[javier-aliaga]

Deprecate Spring Boot 3.4 and 3.5 support

Context

Spring Boot 3.4.x reaches OSS end-of-life on 2025-11-20 and Spring Boot 3.5.x on 2026-05-22. The Dapr Java SDK currently targets Spring Boot 3.4.x (springboot.version=3.4.13) across the sdk-springboot, dapr-spring, and related modules.

Maintaining support for EOL Spring Boot versions creates an ongoing maintenance burden:

• Transitive CVEs — many CVEs in the SDK dependency tree (tomcat-embed, logback, netty, commons-compress) originate from the Spring Boot BOM. Each patch release requires manual version overrides in the parent pom to work around what the BOM ships.
• BOM shadowing — child modules that re-import the Spring Boot BOM can silently undo parent-level security overrides (e.g., netty-bom), as seen in [1.16] Fix/bump deps CVE 1.16 #1717.
• Testing matrix — supporting multiple Spring Boot major versions (3.x and 4.x) doubles the integration test surface.

Proposal

1. release-1.17 (current): add a deprecation notice for Spring Boot 3.4 support in the docs and release notes.
2. release-1.18: drop Spring Boot 3.4 support. Minimum supported version becomes Spring Boot 3.5.
3. release-1.19: drop Spring Boot 3.5 support. Minimum supported version becomes Spring Boot 4.0.

Migration path

• Users on Spring Boot 3.4 should upgrade to 3.5 (drop-in compatible).
• Users on Spring Boot 3.5 should plan migration to Spring Boot 4.0 following the Spring Boot 4.0 migration guide.
• The dapr-spring-boot-4-autoconfigure and related SB4 modules are already available for early adopters.

Benefits

• Reduced CVE surface from transitive Spring Boot dependencies
• Simplified BOM management (single Spring Boot version in parent pom)
• Smaller CI/CD matrix
• Aligns with Spring's own support policy

Open questions

• Should we align the deprecation timeline with Spring's EOL dates or move faster?
• Do we have telemetry or community feedback on which Spring Boot versions are most used with the Dapr SDK?
• Should we provide a compatibility matrix in the docs?

[javier-aliaga]

@dapr/maintainers-java-sdk thoughts on this, should will be more aggresive and remove support for springboot 3.5 in next release?

[siri-varma]

@javier-aliaga Is there a way to know what version of spring are most of our customers using ? That would be the answer to our question I think.

If there are very few users, then I don't see a problem with dropping support for 3.5 as well.

[javier-aliaga]

Probably all of them are in 3.5, 4.0 was released in 1.17, I think it is safer to keep 3.5 until 1.19. But maybe for 1.18 we need to make 4.0 as our primary version

[siri-varma]

sounds like a plan