Spring Security SpringBootWebSecurityConfiguration should have been deprecated before being made package-private, right?

Describe the bug

Through Spring Boot 2.3.9.RELEASE, org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration was a public class, with no deprecation.

In 2.4.0, the keyword "public" was dropped, making it package-private.

I assume this is an improvement and 3 SRs into 2.4.x is too late to change.

But isn't the policy is that class and methods that should no longer be used as of future release X are to be deprecated in release X-1 (or is it X-2)? I think this qualifies, and so was a miss.

Side note

FWIW, my particular problem is a @Configuration class in a library (which I didn't write), itself conditional (another class is used for Webflux):

@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)

with this additional annotation:

@AutoConfigureBefore({SecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class,
        SecurityFilterAutoConfiguration.class, SpringBootWebSecurityConfiguration.class})

(I'm not sure what the issue listing SpringBootWebSecurityConfiguration solved, back when the library was updated for Spring Boot 2.0, but I'm removing mention of SpringBootWebSecurityConfiguration and proceeding from there.)

To Reproduce

Add @AutoConfigureBefore(SpringBootWebSecurityConfiguration.class) to some configuration class.

Expected behavior

Well, best case would be the absence of compilation errors like this:

... org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration is not public in org.springframework.boot.autoconfigure.security.servlet; cannot be accessed from outside package

But more to the point, I would have expected to see this class deprecated (with a comment explaining that it was to be made package-private, not removed) prior to this change.

Example

This is really just a plea for developers to be more cautious about making classes and methods less public.

Comment From: jgrandja

@larrywest SpringBootWebSecurityConfiguration lives in Spring Boot. Can you please log the issue here.

Comment From: larrywest

@jgrandja whoops, my mistake — thanks!