Spring One Preview, 40% of GitHub Copilot Code Has Security Holes, Kotlin 1.5.30, and Hibernate ORM 5.3.22.
Welcome to my weekly newsletter “How To Build Java Applications Today”! I read all the Java newsletters so you don’t have to! And it’s “Java news with a smile”.
It's the dog days of summer, news-wise - nothing's happening in Java land these days! Even the Quarkus guys didn't muster the energy to put out a new release! Of course, this will all change this week as the Spring Framework 6.0 gets its day in the sun at Spring One (Sep 1-2). Read below for more!
My next conference talk is at the "Java Forum Stuttgart" in Germany. It's an online conference again this year. I have fond memories - I lived in Stuttgart and gave my first conference talk there two years ago!
So I spent last week working on my "usual talk" - how Java developers should build front-ends today - and recording it. It was about 48 minutes raw. That included waiting three times for my cat to stop scratching at the door. 🐱 And me repeating sentences multiple times, sometimes even a whole slide! The end result is 38 minutes and 4 seconds long - with a little intro, an outro, and some credits.
I’m a full-stack Java developer with 22 years of experience: Spring Boot, Angular, Flutter. I'm looking for a project in January 2022, in Milton Keynes, London, or remote. I’ll work as a contractor or fixed-term employee but don’t take permanent positions.
Interested? Then check out my resume & work samples!
Spring 6 will be revealed this Wednesday. I expect its GraalVM support to be the highlight, with Java 11 as the new baseline.
The annual conference for the dominating Java frameworks starts this Wednesday: Spring One. It's a free online conference again this year.
And it's one of these conferences where the Spring framework gets a new major version: Juergen "Spring" Hoeller will unveil Spring Framework 6.0 on Wednesday. I'm looking forward to finding out three things: Themes, Spring Native, and Java version.
"Themes" is what Juergen Hoeller calls overarching initiatives or goals for a new Spring version. Spring 5.0, for instance, had functional style, reactive architectures, HTTP/2, Servlet 4, and Kotlin as themes (timed YouTube link). It also had Java modularity (Jigsaw) as a theme, but I don't think that went anywhere. But it's apparently on the table again for version 6.0, as Juergen revealed the “introduction of module-info definitions across the codebase” last April (see issue #35).
So what could the themes be for Spring 6.0?
The elephant in the room is built-in support for GraalVM - building small & fast native applications. Spring needs that to fight off the likes of Quarkus and Micronaut. Last year, Pivotal said that Spring Boot 3 and Spring 6 are “expected to provide first-class support for native application deployment” (time-coded YouTube link). Spring Native will do that.
But Spring Native is still in beta and still listed under "spring-projects-experimental". Will Spring Native be ready for Spring 6.0? We'll know on Wednesday. Will Spring Native be competitive with Quarkus (in May, a Spring Native app used 126 MB, Quarkus just 15 MB)? We'll find that out later this fall.
The next point of interest is the baseline Java version for Spring 6.0. If it uses Java modules, it's got to be Java 9+. And because the vast majority of organizations only use LTS Java releases, it's either Java 11 or Java 17. I bet on Java 11: Spring 5.0 in 2017 used Java 8, which was 3.5 years old at that point. Java 11 is now 3 years old, and Java 17 is not even out for another two weeks. I'd love to be proven wrong here! Java 17 as the baseline would push modern Java adoption forward but hold Spring 6 adoption back - it takes a while to migrate from Java 8 or earlier to Java 17.
Now, most of us don't use the Spring Framework directly but use it through Spring Boot. The current beta is Spring Boot 2.6 which relies on Spring 5.3. So when's Spring Boot 3 going to appear? Next Spring is my best bet - Spring Boot 2.5 appeared on May 20 this year.
In July, GitHub previewed an "AI pair programmer" (see issue #44). It would implement a method after a (human) programmer defined a method signature and described what that method would do in a comment. So are the machines about to take our jobs?
Researchers created 1,692 programs with GitHub Copilot. And 40% of them had security holes. Phew, that's a relief - surely that must disqualify GitHub Copilot from serious use! Machines bad, humans good, we Java developers keep our jobs, yay, confetti…
Now before we get too cocky: How did Copilot learn? Here's what I wrote in July: "GitHub trained it with - you guessed it - code from GitHub repositories." So Copilot learned the security vulnerabilities from us humans!
Maybe some of those vulnerabilities have been fixed by now, but Copilot never picked that up. Or perhaps the vulnerabilities weren't identified as such when the original code was written. Either way, I think there's no place for Schadenfreude about the shortcomings of Copilot here!
The announcement includes a video about the new features.
This release updates 12 dependencies and adds —the
Karsten Silz is the author of this newsletter. He is a full-stack web & mobile developer with 22 years of Java experience, author, speaker, and marathon runner. Karsten got a Master's degree in Computer Science at the Dresden University of Technology (Germany) in 1996.
Karsten has worked in Europe and the US. He co-founded a software start-up in the US in 2004. Karsten led product development for 13 years and left after the company was sold successfully. He co-founded the UK SaaS start-up "Your Home in Good Hands" as CTO in 2020. Since 2019, Karsten has also worked as a contractor in the UK.