GH-5048: updated spring dependency to fix CVEs

[barthanssens]

GitHub issue resolved: #5048

Briefly describe the changes proposed in this PR:

Just a bump in (patch release) version number for Spring Framework

---

PR Author Checklist (see the contributor guidelines for more details):

• my pull request is self-contained
• I've added tests for the changes I made
• I've applied code formatting (you can use mvn process-resources to format from the command line)
• I've squashed my commits where necessary
• every commit message starts with the issue number (GH-xxxx) followed by a meaningful description of the change

[barthanssens]

automated check fails on (unrelated) urlrewrite library
CQ request pending: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/15467

[hmottestad]

The spring version should probably match the spring version used in spring-boot. You can update spring-boot to 2.7.18 which uses spring 5.3.31. I think that that version also fixes the CVE.

Spring-boot version should probably be specified in the root pom. At the moment it's defined here:

rdf4j/spring-components/pom.xml

Line 16 in 52b4106

<spring.boot.version>2.7.16</spring.boot.version>

[barthanssens]

good idea

Though probably not the only place, since the rdf4j-server.war also includes spring 5.x jars in the WEB-INF/lib, but not springboot (do we actually used Spring there ?)

[hmottestad]

Spring is used in the server. Spring-boot is not used in either the server or workbench. But spring-boot is used in its own sub-module where there are some spring-boot related things and also an example app.

Most people I know only use spring-boot now a days. Some might use a different framework, but I've not heard of anyone that has started a new project with just spring and not spring boot. So it's a good thing to have.

[hmottestad]

I didn't know that we have our own jars in the web-inf for spring. That doesn't sound like a good idea.