Spring Boot 4.1 Ships With gRPC Auto-Configuration, SSRF Protection, and Kotlin 2.3

Python Reporter

Broadcom released Spring Boot 4.1 on June 10 with gRPC auto-configuration, HTTP-client SSRF mitigation, and Kotlin 2.3. The release also adds lazy datasource connections, async context propagation for @Async methods, and improved OpenTelemetry support.


Broadcom moved the release dates twice, first from May 11-22 to June 1-5, then to June 8-12. The delay is the first since Spring Boot settled into a twice-yearly cadence of May and November releases in May 2020.

Spring Boot 4.0, released in November 2025 alongside Spring Framework 7.0, was a generational reset: Jakarta EE 11 baseline, Jackson 3, split auto-configured JARs, null safety with JSpecify, API versioning, and Gradle 9 support. The Spring team's Q&A with InfoQ covers the 4.0 generation in depth.

Spring Boot 4.1 is incremental, building on Spring Framework 7.0.x. While Spring Boot 4 maintains the JDK 17 baseline from Spring Boot 3, one new feature requires Java 21: jOOQ 3.20.

gRPC Auto-Configuration

Spring Boot 4.1 includes Spring gRPC auto-configuration for both server and client applications. It supports standalone Netty and Servlet HTTP/2 transports. The release adds @GrpcAdvice for centralized exception handling and an auto-configured ObservationGrpcServerInterceptor that supports custom server-side observation conventions for metrics and tracing.

Applications previously had to wire gRPC manually or rely on third-party starters. The new auto-configuration eliminates that boilerplate.

SSRF Mitigation

HTTP client SSRF (server-side request forgery) mitigation is new in version 4.1. An InetAddressFilter blocks outbound requests from reactive and blocking clients to configured address ranges through whitelisting or blacklisting. The filter reduces the risk of an application being used as a proxy for internal network attacks.
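
The range check behind this kind of filter, as an added standalone example (not Spring Boot's code and not the InetAddressFilter API). The class OutboundAddressPolicy, its Cidr record, the range list and the sample targets are all constructed for illustration:

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

// Hypothetical names throughout; this is not Spring Boot's InetAddressFilter API.
class OutboundAddressPolicy {
    /** One CIDR block such as 10.0.0.0/8 or fc00::/7. */
    record Cidr(byte[] network, int prefixBits) {
        static Cidr parse(String text) throws UnknownHostException {
            String[] parts = text.split("/");
            // An IP literal is parsed locally, so no DNS lookup happens here.
            return new Cidr(InetAddress.getByName(parts[0]).getAddress(), Integer.parseInt(parts[1]));
        }
        boolean contains(InetAddress address) {
            byte[] candidate = address.getAddress();
            if (candidate.length != network.length) return false; // IPv4 range vs IPv6 address
            for (int bit = 0; bit < prefixBits; bit++) {
                int mask = 0x80 >> (bit % 8);
                if ((candidate[bit / 8] & mask) != (network[bit / 8] & mask)) return false;
            }
            return true;
        }
    }

    private final List<Cidr> ranges;
    private final boolean allowListMode; // true: only listed ranges pass; false: listed ranges are blocked

    OutboundAddressPolicy(List<Cidr> ranges, boolean allowListMode) {
        this.ranges = ranges;
        this.allowListMode = allowListMode;
    }

    /** Every address the host resolves to must pass, or one bad A/AAAA record slips through. */
    boolean permits(InetAddress[] resolved) {
        if (resolved.length == 0) return false;
        for (InetAddress address : resolved) {
            boolean listed = ranges.stream().anyMatch(range -> range.contains(address));
            if (listed != allowListMode) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        List<Cidr> internal = List.of(Cidr.parse("127.0.0.0/8"), Cidr.parse("10.0.0.0/8"),
                Cidr.parse("172.16.0.0/12"), Cidr.parse("192.168.0.0/16"), Cidr.parse("169.254.0.0/16"),
                Cidr.parse("::1/128"), Cidr.parse("fc00::/7"), Cidr.parse("fe80::/10"));
        OutboundAddressPolicy denyInternal = new OutboundAddressPolicy(internal, false);
        // Constructed sample targets, all IP literals so the example runs offline.
        for (String target : List.of("169.254.169.254", "10.1.2.3", "::ffff:192.168.1.5", "203.0.113.10", "fd12::1"))
            System.out.println(target + " -> " + (denyInternal.permits(InetAddress.getAllByName(target)) ? "allow" : "block"));
    }
}
```

The check only holds if it runs against the addresses the connection actually uses; a host name resolved again after the check can return a different record.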

Kotlin and Async Improvements

The Kotlin baseline moves from version 2.2 to 2.3, which supports Java 25 and includes an experimental unused return value checker.

Setting spring.datasource.connection-fetch=lazy wraps the pooled DataSource in a LazyConnectionDataSourceProxy. The proxy defers the physical database connection until a SQL statement runs, producing faster startup and lower connection pool pressure.

@Async methods now propagate Micrometer context across threads automatically. Trace IDs and spans follow the work into thread-pool tasks without extra wiring.

OpenTelemetry and JPA Changes

OpenTelemetry support gains several improvements: a management.opentelemetry.enabled property that can be set to true or false, OTLP exemplar support, and SSL bundles for OTLP exporters. Spring Boot 4.1 reads most OpenTelemetry environment variables.

The new spring.jpa.bootstrap property enables asynchronous background Spring Data JPA bootstrap, which can reduce startup time for applications with large JPA models.

Redis and Actuator Updates

Spring Boot 4.1 auto-configures Spring Data Redis listener endpoints, registering a default RedisMessageListenerContainer when none is present.

The /actuator/info endpoint's ProcessInfo section gains six new fields: uptime, startTime, currentTime, timezone, locale, and workingDirectory.

Jackson property behavior is now configurable via spring.jackson.read.* and spring.jackson.write.* for CBOR, JSON, and XML formats.

Breaking Changes and Deprecations

The Maven plugin now requires maven.test.skip=true to skip AOT processing of tests. The -DskipTests flag no longer works for that purpose. Empty YAML objects are now retained in PropertySource, and the Reactor client builder no longer sets proxyWithSystemProperties by default.

Spring Boot 4.1 removes all APIs deprecated in 4.0, including the layertools JAR mode (use tools mode instead). New deprecations include Apache Derby support (the project is now retired), Dynatrace V1 API properties (in favor of V2), and DevTools LiveReload (no replacement).

Dependency Upgrades

Spring Boot 4.1 includes updated Spring dependencies: Micrometer 1.17, Reactor 2025.0.6, and Spring GraphQL 2.0.4.

Third-party upgrades include gRPC Java 1.80.0, Hibernate Validator 9.1, MySQL 9.7.0, MongoDB 5.8.0, Flyway 12.4.0, OpenTelemetry 1.62, and Mockito 5.22.0.

Most Spring projects ship releases alongside Spring Boot 4.1: Spring AI 2.0, Spring Modulith 2.1.0, Spring Security 7.1.0, Spring LDAP 4.1.0, Spring Integration 7.1.0, Spring Data 2026.0.0, Spring for Apache Kafka 4.1.0, Spring AMQP 4.1.0, Spring Session 4.1.0, Spring Vault 4.1.0, Spring HATEOAS 3.1.0, and Spring Cloud 2025.1.2.

What's Next

Spring Boot 4.2 is expected in November 2026. It will deliver the spring-boot-amqp module and its related starters, which were originally intended for Spring Boot 4.1 but pulled in the milestone 4 release. The module will support AMQP 1.0 via Qpid Proton.

The release notes describe all changes in detail.
