Hi team,
We are currently using Spring Boot 3.0.
Since spring boot 3.0, when loading a class from the java package (e.g., java.lang.String),
the definePackageIfNecessary function unnecessarily opens jar connections in BOOT-INF/lib.
Upon reviewing the changes between Boot 2.7 and 3.0, we found that the method was changed from ClassLoader::getPackage() to ClassLoader::getDefinedPackages() in the JDK, causing this lookup when the package is not defined.
We also noticed that in Spring Boot 3.2, a patch was applied to avoid defining the java package.
While we would prefer to use the latest version of Spring Boot, we are currently in a situation where we need to stick with Spring Boot 3.0.
How can we resolve this issue in the meantime?
Comment From: wilkinsona
OSS for Spring Boot 3.0 has ended. Commercial support, which could potentially lead to a backport of the change in 3.2 to a commercial-only 3.0.x release, is available.
Comment From: zacscoding
@wilkinsona I checked the support period incorrectly. Thank you!