build(deps): Bump org.springframework:spring-web from 7.0.7 to 7.0.8

[dependabot]

Bumps org.springframework:spring-web from 7.0.7 to 7.0.8.

Release notes

Sourced from org.springframework:spring-web's releases.

v7.0.8

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs, you can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Include zone ID in CronTrigger's equals/hashCode implementations #36871
• Expose ClassLoader from DefaultDeserializer #36833
• Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
• Eagerly compute exit descriptors for negative literals #36801
• Revise property accessor algorithms #36800
• Improve path pattern matching #36799
• Refine default view name resolution #36793
• Refine Jackson JMS converters #36791
• Improve ABNF rule checks in RfcUriParser #36787
• Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
• Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
• Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
• Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
• Improve error messages in SpEL #36756
• Improve pattern caching in SpEL #36755
• Avoid ResolvableType#forType contention for implicit cache cleanup #36745
• Switch to JdkIdGenerator for WebSocket Sessions #36740
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
• LiteWebJarsResourceResolver does not resolve directories #36726
• Warn against unsafe static resource locations in MVC and WebFlux #36692
• Consistent compatibility with Woodstox as an alternative to Xerces #36682
• Improve principal checks for SockJS session #36681
• Set host header consistently in STOMP relay CONNECT frames #36673
• Support Micrometer context propagation in Kotlin Flow #36667
• Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

... (truncated)

Commits

• 9e8cea3 Release v7.0.8
• 2c18c33 Track operations during SpEL expression evaluation
• 83667f8 Ensure getters have non-void return types in SpEL
• 7a8917b Improve additional error messages in SpEL
• 7baa865 Further improve pattern caching in SpEL
• 12b44f2 Avoid too many character access attempts in AntPathMatcher
• e8f1024 Ensure consistent JSP tag attribute processing
• a1826b7 Refine JavaScriptUtils#javaScriptEscape
• 7add524 Prevent special prefixes in default view name resolution
• 9bec52b Add trusted packages to MappingJackson2MessageConverter
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
org.springframework:spring-web	[>= 5.a, < 6]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[velo]

Required CircleCI remains failing after the allowed three concrete fix attempts, so this cannot be approved or merged. I fixed the outdated Request.create calls in JavaLoggerTest and LoggerRebufferTest, formatted those updates, then fixed Slf4jLoggerTest by adding the missing feign.Util import and updating its Request.create calls. The current failure is now validation/src/test/java/feign/validation/BeanValidationMethodInterceptorTest.java:79: String cannot be converted to Request.Body. Per maintainer policy, I am stopping after three attempts rather than pushing another change.

[velo]

@dependabot rebase

[dependabot]

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.