Migrating to IBM DOC 4.4.0.4.9.1
Breaking Changes
Gateway
actuator endpoints restricted to health and info
The Spring Boot Actuator endpoints exposed through the gateway are
now restricted to health and info. Previously,
all endpoints were exposed (include: "*"), which is not
suitable for a service reachable through the public gateway.
⚠️ If your application or monitoring stack relies on other actuator
endpoints (metrics, prometheus,
env, loggers, etc.) being reachable through
the gateway, override the configuration in your project to expose them
explicitly:

management:
  endpoints:
    web:
      exposure:
        include: health,info,metrics,prometheus # adjust to your needs

Endpoints exposed directly by other services (not through the gateway) are not affected.
Notable Changes
Migration to Docker Hardened Images for nginx and RabbitMQ
The nginx and RabbitMQ base images shipped with IBM DOC have been migrated to Docker Hardened Images (DHI). DHI brings a reduced CVE surface, distroless or minimal Debian bases, and signed images and SBOMs.
As a consequence:
- The web front end, DBOS console and documentation, and RabbitMQ pods now run as UID/GID 65532 (DHI-native nginx/rabbitmq user) instead of the previous 10001.
- nginx is updated from 1.29.5 to 1.30.
- RabbitMQ is updated from 4.2.4 to 4.2.6.
⚠️ If your Helm values override securityContext.pod for any of the
web front end, DBOS console, DBOS documentation, or RabbitMQ, align
runAsUser, runAsGroup, and
fsGroup with 65532.
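One way to check existing overrides before upgrading, as an added example that is not part of the IBM DOC tooling: it walks Helm values in JSON form and reports any securityContext.pod ID that is not 65532 under the migrated components. The component key names (web, rabbitmq, backend) and the sample values are constructed assumptions; substitute the keys your chart uses.

```python
import json

DHI_ID = 65532                      # UID/GID given in the migration notes
ID_KEYS = ("runAsUser", "runAsGroup", "fsGroup")

def stale_ids(values, components):
    """Return (path, key, value) for each securityContext.pod ID that is
    not DHI_ID, looking only below the given component keys."""
    findings = []

    def walk(node, path, in_scope):
        if not isinstance(node, dict):
            return
        ctx = node.get("securityContext")
        pod = ctx.get("pod") if isinstance(ctx, dict) else None
        if in_scope and isinstance(pod, dict):
            for key in ID_KEYS:
                if key in pod and pod[key] != DHI_ID:
                    findings.append((path, key, pod[key]))
        for name, child in node.items():
            child_path = f"{path}.{name}" if path else name
            walk(child, child_path, in_scope or name in components)

    walk(values, "", False)
    return findings

# Constructed sample in the shape of `helm get values <release> -o json`.
# The keys "web", "rabbitmq" and "backend" are hypothetical names.
SAMPLE = json.loads("""
{
  "web":      {"securityContext": {"pod": {"runAsUser": 10001, "runAsGroup": 10001, "fsGroup": 65532}}},
  "rabbitmq": {"securityContext": {"pod": {"runAsUser": 65532, "runAsGroup": 65532, "fsGroup": 65532}}},
  "backend":  {"securityContext": {"pod": {"runAsUser": 10001}}}
}
""")

if __name__ == "__main__":
    for path, key, value in stale_ids(SAMPLE, {"web", "rabbitmq"}):
        print(f"{path}.securityContext.pod.{key} = {value}, expected {DHI_ID}")
```

Components outside the given set are ignored, so services that were not moved to DHI are not reported.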
Dependency Upgrades
- Spring Boot updated from 4.0.2 to 4.0.6
- Jackson 3 (tools.jackson) pinned to 3.1.2, aligned with the Spring Boot 4.0.6 BOM (was 3.0.4)
- Jackson 2 (com.fasterxml.jackson.core) now explicitly constrained to 2.21.2 (annotations 2.21), aligned with the Spring Boot 4.0.6 BOM (newly enforced in 4.4.0.4.9.1)
- Keycloak updated from 26.5.4 to 26.6.1
- OpenAPI Generator updated to 7.21 (Spring Boot 4 / Jackson 3 support)
- nginx updated from 1.29.5 to 1.30
- RabbitMQ updated from 4.2.4 to 4.2.6
- Commons FileUpload pinned to 1.6.0 — fixes CVE-2025-48976 (high-severity DoS in multipart header allocation). No code change is required in custom projects.
Migrating to IBM DOC 4.4.0.4.9.0
Breaking Changes
Improved WebSocket Security
The WebSocket connection now requires a valid, authenticated JWT token on the backend side. On the frontend side, the hard-coded guest/guest user is removed from the JS bundle, and the JWT token is now sent as a query param for WebSocket connections.
⚠️ Custom WebSocket clients must be updated to include a valid JWT bearer token. Connections without a token will be rejected.
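Because the token now travels in the query string, it can end up in the access logs of any proxy in front of the backend. The following added example (not IBM DOC code) replaces JWT-shaped values in log lines with a short SHA-256 fingerprint, so connections stay correlatable without storing a usable token. The log lines, the /ws path and the token parameter name are constructed assumptions; the match is on the token's shape, not on a parameter name.

```python
import hashlib
import re

# A compact JWT is three base64url segments; a JSON header such as
# {"alg":...} always encodes to a string that starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def fingerprint(token):
    """Stable, non-reversible label for one token."""
    return "jwt-sha256:" + hashlib.sha256(token.encode()).hexdigest()[:12]

def scrub_line(line):
    """Return (scrubbed_line, number_of_tokens_replaced)."""
    return JWT_RE.subn(lambda m: fingerprint(m.group(0)), line)

def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, total_tokens_replaced)."""
    scrubbed, hits = [], 0
    for line in lines:
        clean, count = scrub_line(line)
        scrubbed.append(clean)
        hits += count
    return scrubbed, hits

# Constructed access-log lines in nginx "combined" format. The path,
# parameter name and token value are hypothetical sample data.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:15:02 +0000] "GET /ws?token='
    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl HTTP/1.1" '
    '101 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:15:05 +0000] "GET /actuator/health '
    'HTTP/1.1" 200 15 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    lines, hits = scrub_log(SAMPLE_LOG)
    print(f"{hits} token(s) replaced")
    for line in lines:
        print(line)
```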
Improved authentication for JupyterLab through JupyterHub and Keycloak
IBM DOC now uses JupyterHub to authenticate via Keycloak instead of a hardcoded string password. JupyterHub has been added to the Docker Compose files and to the Helm chart.
⚠️ Note that:
- JupyterHub stores some PostgreSQL data in the new database named jupyterhub.
- JupyterHub must be started to access the JupyterLab server.
- For JupyterLab, on a Kubernetes deployment:
  - CPU resources must be specified using float (50m→0.05), and
  - Memory resources must be specified using fixed-point numbering (2000Mi→2000M).
Also, when using a Notebook Visualization widget, access must still be granted.
Notable Changes
Spring upgraded to new major version
Spring Framework has been upgraded to version 7 and Spring Boot to version 4 (see Dependency Upgrades below for precise version numbers). We recommend that you read the migration guide from Spring and check if the custom code of your application needs any changes for working with this newer version. In addition, we recommend that you run your application with the Spring Boot properties migrator once, to ensure that your custom Spring configuration is compatible with this new version of Spring Boot.
During the migration of Gene and DBOS, the following changes were required. We list them to help you if you have the same issues:
- Security matchers
  - Migrated from the deprecated AntPathRequestMatcher to PathPatternRequestMatcher
- Package relocation
  - org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest -> org.springframework.boot.webmvc.test.autoconfigure.WebMvcTest
  - org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest -> org.springframework.boot.webflux.test.autoconfigure.WebFluxTest
  - org.springframework.boot.web.client.RestTemplateBuilder -> org.springframework.boot.restclient.RestTemplateBuilder
  - org.springframework.boot.web.client.RestTemplateCustomizer -> org.springframework.boot.restclient.RestTemplateCustomizer
  - org.springframework.security.web.util.matcher.AntPathRequestMatcher -> org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher
- Dependency coordinates changes
  - spring-boot-starter-web -> spring-boot-starter-webmvc
  - spring-security:spring-security-test -> spring-boot-starter-security-test
  - spring-boot-starter-test (for WebMVC) -> spring-boot-starter-webmvc-test
  - spring-boot-starter-test (for WebFlux) -> spring-boot-starter-webflux-test
- Test Containers: Test containers are now integrated in Spring Boot
  - The version should be removed when adding the dependency; instead, the dependency should use the Spring BOM for choosing the right version.
  - @DynamicPropertySource and the configuration code are no longer necessary. You can now use @ServiceConnection without configuration code instead.
Secrets in Helm chart
It is now possible to add any secret in the db-gene Helm
chart:

# This is an example for an Anthropic API key, but the values allow creating any secret.
secrets:
  - name: anthropic-api-key-secret
    enabled: true
    data:
      api-key: "your-api-key-here"

UI Actions: New confirmation modal
In the configurator of widgets implementing Custom Actions, such as the Scenario List, Job List, or Button widget, a dedicated option now allows showing a confirmation dialog before executing the action. By default, no confirmation is needed.
From the Action Manifest of the Gene Action API, developers can also define title, messages, and validation button labels with i18n translation keys.
End users can override the default behavior of an action when associating it with a UI element (e.g., toolbar button).
Deprecations
Deprecation Removals
In the Execution Service:
- The deprecated methods getRawData() and related utility methods from ScenarioData have been removed.
- The deprecated static methods hasErrorsOrWarnings() and issues() from ScenarioDataExpression have been removed. These methods are no longer needed as scenarios are no longer loaded in execution scripts.
In the Job Widget:
- The deprecated attribute GeneTaskConfiguration.file has been removed from web/web-frontend-base/projects/gene/data/src/lib/modules/open-api/execution/model/gene-job-input.model.ts.
In the Chart Widget:
- The deprecated method buildChart() has been removed from web/web-frontend-base/projects/gene/common-widget/src/lib/gene-chart/model/gene-chart-controller.ts.
Scheduled Removals
The following deprecated classes, attributes, or methods are scheduled for removal in IBM DOC 4.10.11.0.
- The GraphQL APIs should be used instead of: com.decisionbrain.gene.data.util.Column, EntityToDtoConverterService, PageDTOForServices, BatchCollectorService, data-service-dto Gradle module
- Field jobId in GeneTaskEvent
- Method com.decisionbrain.gene.objectmapper.factory.JsonMapperFactory#configureMapper()
- The Gantt component in DayPilot
New Deprecations
No class, attribute, or method has been deprecated in this release.
Dependency Upgrades
- Spring Boot updated from 3.5.7 to 4.0.2, Spring Cloud updated from 2025.0.0 to 2025.1.1, and Spring Framework from 6.2.12 to 7.0.5.
- Apache Commons Text updated from 1.14.0 to 1.15.0
- Apache Commons POI updated from 5.5.0 to 5.5.1
- RabbitMQ updated from 4.2.1 to 4.2.4
- NGINX updated from 1.29.2 to 1.29.5
- AG Grid updated from 34.3.0 to 35.1.0
- Keycloak updated from 26.4.6 to 26.5.4
- MongoDB updated from 8.2.2 to 8.2.5
- PostgreSQL updated from 18.1 to 18.2
- Ngx Quill updated from 28.0.1 to 30.0.1
- Drools updated from 8.44.0 to 10.1.0
- Core-JS updated from 2.5.7 to 3.47.0
- JJWT::Impl updated from 0.11.1 to 0.13.0
- Bouncy Castle constraint updated from 1.80 to 1.81
- Jackson constraint updated from 2.19.2 to 3.0.4
- Log4J constraint updated from 2.24.3 to 2.25.3
Updated Angular dependencies:
- echarts from 5.6.0 to 6.0.0
- ngx-echarts from 19.0.0 to 21.0.0
- angular-gridster2 from 19.0.0 to 21.0.1
- lodash from 4.17.21 to 4.17.23
- quill from 2.0.2 to 2.0.3
- @fullcalendar/angular from 6.1.19 to 6.1.20
- @fullcalendar/core from 6.1.19 to 6.1.20
- @fullcalendar/daygrid from 6.1.19 to 6.1.20
- @fullcalendar/interaction from 6.1.19 to 6.1.20
- @fullcalendar/list from 6.1.19 to 6.1.20
- @fullcalendar/timegrid from 6.1.19 to 6.1.20