WAIT — Stale — last commit 3y ago

• 31+ active contributors
• Apache-2.0 licensed
• CI configured
• Tests present
• ⚠ Stale — last commit 3y ago
• ⚠ Concentrated ownership — top contributor handles 60% of recent commits
• ⚠ Scorecard: marked unmaintained (0/10)

_{Computed from maintenance signals — commit recency, contributor breadth, bus factor, license, CI, tests, cross-checked against OpenSSF Scorecard}

Apache Dubbo Spring Boot Project is the archived official Spring Boot integration layer for Apache Dubbo, a high-performance Java RPC framework. It provides auto-configuration, production-ready actuator endpoints (health checks, metadata exposure, service shutdown), and annotation-driven service registration/discovery for Dubbo services in Spring Boot applications. All active development has moved to the main apache/dubbo repository. Multi-module Maven project: dubbo-spring-boot-actuator/ contains Spring Boot Actuator integration (endpoints for metadata, configs, references, services, shutdown) under src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/, and dubbo-spring-boot-autoconfigure/ (not fully shown) handles auto-configuration. Tests live in src/test/java/ mirroring main structure. Spring Factories mechanism used in META-INF/spring.factories for auto-discovery.

Java backend developers building microservices who want to use Apache Dubbo (instead of gRPC or REST) as their RPC framework within Spring Boot applications. DevOps engineers and platform teams need the actuator endpoints for monitoring Dubbo service health, configuration, and operational control.

This repository is archived and no longer maintained — the README explicitly states 'This repo has been archived. All of the implements have been moved to apache/dubbo'. The codebase shows Spring Boot 2.3.0+ compatibility with Dubbo 2.7.8, standard Maven structure with GitHub Actions CI (dubbo-2.yml), and test suites present (DubboEndpointAnnotationAutoConfigurationTest.java, DubboEndpointTest.java). However, there will be no new commits or issue resolution here.

High risk for new projects: This is a dead repository — no new features, security patches, or bug fixes will be applied here. You must migrate to the main apache/dubbo repository for active support. Dependency lock-in risk: it depends on specific Dubbo 2.7.x and Spring Boot 2.3.x versions which are aging. The transition path from this archived repo to the main repo is not clearly documented in the README.

Nothing — this repository is archived. The GitHub Actions workflow dubbo-2.yml no longer runs. All active development, bug fixes, and feature work for Dubbo Spring Boot integration happens in the main apache/dubbo repository. Users are expected to migrate their dependencies and code to point there.

Clone and build (archived, not recommended for new projects):

git clone https://github.com/apache/dubbo-spring-boot-project.git
cd dubbo-spring-boot-project
./mvnw clean install

For actual development, migrate to: https://github.com/apache/dubbo instead.

Daily commands: Build only (no runnable app in this repo — it's a library):

./mvnw clean package

To use in your own Spring Boot app, add the starter to pom.xml (see README) and your app will auto-configure Dubbo via conditional auto-configuration classes.

• dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java — Core Spring Boot auto-configuration entry point that integrates Dubbo with Spring Boot's property binding and lifecycle management.
• dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java — Implements property binding logic that maps Spring Boot application properties into Dubbo configuration objects.
• dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java — Primary actuator endpoint exposing Dubbo runtime metadata for production monitoring and troubleshooting.
• dubbo-spring-boot-actuator/src/main/resources/META-INF/spring.factories — Spring Boot auto-configuration registry that enables actuator endpoints and health checks on application startup.
• dubbo-spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories — Spring Boot auto-configuration registry that registers core Dubbo auto-configuration classes.
• dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/health/DubboHealthIndicator.java — Spring Boot Health endpoint integration that reports Dubbo service provider/consumer health status.
• README.md — Project documentation noting that this repository is archived and implementations have moved to apache/dubbo.

Add a new Dubbo Actuator Endpoint

1. Create a new endpoint class in dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/ extending from Spring Boot's endpoint base with @Endpoint annotation. (dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java)
2. Implement @ReadOperation methods to expose read-only metadata endpoints via HTTP GET. (dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboServicesMetadataEndpoint.java)
3. Register the endpoint in dubbo-spring-boot-actuator/src/main/resources/META-INF/dubbo-endpoints-default.properties with endpoint ID and name. (dubbo-spring-boot-actuator/src/main/resources/META-INF/dubbo-endpoints-default.properties)
4. Add auto-configuration class in dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/autoconfigure/ to conditionally register the endpoint. (dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/autoconfigure/DubboEndpointAnnotationAutoConfiguration.java)
5. Write integration tests in dubbo-spring-boot-actuator/src/test/java/org/apache/dubbo/spring/boot/actuate/endpoint/ validating endpoint exposure and data format. (dubbo-spring-boot-actuator/src/test/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboEndpointTest.java)

Add Support for New Dubbo Configuration Property

1. Add property binding logic in BinderDubboConfigBinder to map the new Spring Boot property (e.g., dubbo.foo.bar) to Dubbo config objects. (dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java)
2. Ensure DubboRelaxedBinding2AutoConfiguration registers the binder during Spring Boot startup via auto-configuration. (dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java)
3. Add test cases in BinderDubboConfigBinderTest to validate property resolution from application.properties or application.yml files. (dubbo-spring-boot-autoconfigure/src/test/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinderTest.java)

Add a Health Check for Dubbo Components

1. Create health indicator class in dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/health/ extending HealthIndicator. (dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/health/DubboHealthIndicator.java)
2. Implement health() method to query Dubbo runtime state (e.g., check if providers/consumers are available). (dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/health/DubboHealthIndicator.java)
3. Add configuration properties in DubboHealthIndicatorProperties to allow runtime tuning of health check thresholds. (dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/health/DubboHealthIndicatorProperties.java)
4. Register the health indicator in DubboHealthIndicatorAutoConfiguration to auto-wire into Spring Boot's health composite. (dubbo-spring-boot-compatible/actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/autoconfigure/DubboHealthIndicatorAutoConfiguration.java)

Archive status: This repo will not receive patches or updates; migrations to apache/dubbo must be manual and non-trivial. Version lock: Designed for Dubbo 2.7.x and Spring Boot 2.3.x; Dubbo 3.x may have breaking changes. Metadata exposure: DubboMetadataEndpoint and similar endpoints expose internal service configuration and reference details — ensure actuator endpoints are secured behind authentication in production (no built-in security visible). Spring Factories ordering: Endpoint auto-configuration depends on spring.factories ordering; misconfiguration can cause silent non-registration. No environment variables shown; all configuration via application.properties/yml.

• Spring Boot Auto-Configuration — This entire project is built on Spring Boot's @Configuration and @ConditionalOn* mechanisms to auto-register Dubbo beans and actuator endpoints without explicit XML configuration
• Spring Boot Actuator Endpoints — The dubbo-spring-boot-actuator module exposes custom endpoints (DubboMetadataEndpoint, DubboServicesMetadataEndpoint) following Actuator patterns for operational observability
• Service Registration & Discovery (RPC pattern) — Dubbo's core capability is automatic service registration and client-side discovery; Spring Boot auto-config hides Dubbo's registry complexity
• Remote Procedure Call (RPC) Framework — Dubbo is an RPC framework optimized for performance in microservices; understanding RPC invocation semantics (blocking, timeout, retry) is essential for troubleshooting
• Spring Factories SPI (Service Provider Interface) — The spring.factories file in META-INF/ uses Spring's SPI mechanism for auto-discovery of DubboEndpointAnnotationAutoConfiguration without requiring @ComponentScan
• Conditional Bean Registration — CompatibleOnEnabledEndpointCondition and similar classes use @Conditional to enable/disable Dubbo endpoints based on configuration and classpath, enabling flexible deployment
• Graceful Shutdown / Lifecycle Management — DubboShutdownEndpoint manages coordinated service shutdown in containerized environments; understanding Dubbo's shutdown semantics prevents in-flight request loss

• apache/dubbo — The main active Apache Dubbo repository where all Spring Boot integration has been moved; this archived repo should be considered deprecated in favor of that
• alibaba/spring-cloud-alibaba — Provides Spring Cloud integration for Alibaba Dubbo; users needing Spring Cloud service discovery + Dubbo should compare this integration
• spring-projects/spring-boot — Core Spring Boot framework that Dubbo Spring Boot Project depends on; auto-configuration and actuator patterns are defined here
• grpc/grpc-java — Alternative RPC framework with Spring Boot integration; organizations evaluating RPC options compare Dubbo and gRPC integration approaches
• spring-projects/spring-cloud — Spring Cloud ecosystem provides distributed tracing, config servers, service discovery that Dubbo users may layer on top

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive integration tests for DubboShutdownEndpoint

The DubboShutdownEndpoint.java exists but there are no corresponding integration tests in the test directory. This endpoint handles graceful shutdown of Dubbo services - a critical production feature. Adding tests would validate shutdown behavior, timeout handling, and ensure safe service termination in Spring Boot contexts.

• [ ] Create DubboShutdownEndpointTest.java in dubbo-spring-boot-actuator/src/test/java/org/apache/dubbo/spring/boot/actuate/endpoint/
• [ ] Test shutdown endpoint invocation with various Dubbo service states
• [ ] Test timeout and force-shutdown scenarios
• [ ] Add integration tests validating graceful shutdown prevents in-flight request loss

Add unit tests for DubboConfigsMetadataEndpoint and DubboReferencesMetadataEndpoint

While DubboEndpointTest.java exists, the test coverage for metadata endpoints (DubboConfigsMetadataEndpoint, DubboReferencesMetadataEndpoint, DubboPropertiesMetadataEndpoint) appears incomplete. These endpoints expose critical Dubbo configuration metadata that operators rely on for monitoring and debugging.

• [ ] Expand DubboEndpointTest.java or create dedicated test classes for metadata endpoints in dubbo-spring-boot-actuator/src/test/
• [ ] Test correct serialization of Dubbo service configs and reference metadata
• [ ] Validate endpoint responses with various configuration scenarios (registry, protocol, timeout settings)
• [ ] Add tests for edge cases like missing or malformed configurations

Add GitHub Actions workflow for JDK 11+ and Spring Boot 2.7+ compatibility testing

The existing dubbo-2.yml workflow likely tests against baseline versions, but given this is an archived repo with implementations moved to apache/dubbo, there's no visible multi-version matrix testing. Adding explicit JDK and Spring Boot version matrix tests would help contributors validate backward/forward compatibility and catch breaking changes early.

• [ ] Create or enhance .github/workflows/dubbo-2.yml to include a matrix build strategy
• [ ] Add test matrix for JDK 8, 11, 17+ versions
• [ ] Add test matrix for Spring Boot 2.6.x, 2.7.x, 3.x versions
• [ ] Ensure BinderDubboConfigBinder.java and DubboRelaxedBinding2AutoConfiguration.java are tested across all matrix combinations

• Add missing Javadoc to public methods in DubboMetadataEndpoint.java, DubboConfigsMetadataEndpoint.java, and DubboShutdownEndpoint.java — these are operational classes that lack documentation for API users
• Extend test coverage for DubboEndpointTest.java to cover negative cases: verify behavior when Dubbo services are not registered, when metadata is empty, and when actuator endpoints are disabled via properties
• Create example Spring Boot application in an examples/ directory demonstrating @EnableDubbo + actuator endpoint usage (health check, metadata retrieval, graceful shutdown) with application.yml configuration — currently no runnable demo in the repo

The Apache Dubbo Spring Boot Project presents moderate security concerns, primarily due to its archived status with no active maintenance. Critical vulnerabilities include lack of ongoing security patching and potential exposure of sensitive operational endpoints (metadata, configuration, shutdown) without explicit authentication enforcement. The actuator module exposes internal configuration details that could enable information disclosure attacks. While the project structure follows Apache standards, security configurations for endpoint access control and sensitive data protection are not evident in the provided files. Users should migrate to the actively maintained apache/dubbo repository and implement explicit Spring Security configurations for any operational endpoints before production use.

• High · Archived Repository - No Active Security Maintenance — Repository root / README.md. The repository has been archived and all implementations have been moved to apache/dubbo. This means the project is no longer actively maintained, and security vulnerabilities discovered will not receive timely patches or updates. Fix: Migrate to the official apache/dubbo repository for ongoing security updates and maintenance. Do not use this archived project in production.
• Medium · Optional Dependency Without Version Lock — dubbo-spring-boot-actuator/pom.xml. The spring-boot-starter-web dependency is marked as optional but uses ${revision} variable from parent POM. If the parent POM version management is misconfigured or overridden, this could lead to inconsistent versions across the project. Fix: Ensure the parent POM (dubbo-spring-boot-parent) has strict version management and consider explicitly locking optional dependency versions. Review the parent POM for proper dependency version control.
• Medium · Missing Security Configuration in Actuator Module — dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/. The dubbo-spring-boot-actuator includes endpoints (DubboShutdownEndpoint, DubboServicesMetadataEndpoint, etc.) that expose operational metadata and control functions. Without explicit Spring Security configuration visible in the provided files, these endpoints may be accessible without authentication. Fix: Implement explicit Spring Security configuration to restrict access to sensitive actuator endpoints. Use @Secured or Spring Security annotations to enforce authentication and authorization. Configure management.endpoints.web.exposure.exclude for sensitive endpoints.
• Medium · Potential Information Disclosure Through Endpoints — dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/. DubboMetadataEndpoint, DubboConfigsMetadataEndpoint, and DubboPropertiesMetadataEndpoint expose internal configuration, service metadata, and properties that could reveal sensitive information about the system architecture and configuration. Fix: Implement endpoint access controls and audit logging. Mask or redact sensitive configuration values before exposing them. Consider restricting metadata endpoints to authenticated users only. Implement fine-grained access control based on user roles.
• Low · Missing Dependency Vulnerability Scanning Configuration — pom.xml files. No evidence of dependency scanning tools (like OWASP DependencyCheck or similar) configured in the build process based on the visible POM structure. Fix: Add maven-dependency-check-plugin or similar OWASP DependencyCheck plugin to the Maven build process. Configure CI/CD pipeline to scan dependencies for known vulnerabilities. Use tools like Snyk or GitHub Dependabot for continuous monitoring.
• Low · No Visible Security Headers Configuration — dubbo-spring-boot-actuator/pom.xml and actuator endpoint implementations. The web module (spring-boot-starter-web) is included but no explicit security header configuration is visible in the provided files. Fix: Configure Spring Security to set HTTP security headers (X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, etc.). Implement SecurityHeadersFilter or use Spring Security's built-in header configuration.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/apache/dubbo-spring-boot-project shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live apache/dubbo-spring-boot-project repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/apache/dubbo-spring-boot-project.

What it runs against: a local clone of apache/dubbo-spring-boot-project — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in apache/dubbo-spring-boot-project | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 1236 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of apache/dubbo-spring-boot-project. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/apache/dubbo-spring-boot-project.git
#   cd dubbo-spring-boot-project
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of apache/dubbo-spring-boot-project and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "apache/dubbo-spring-boot-project(\\.git)?\\b" \\
  && ok "origin remote is apache/dubbo-spring-boot-project" \\
  || miss "origin remote is not apache/dubbo-spring-boot-project (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java" \\
  && ok "dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java" \\
  || miss "missing critical file: dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/DubboRelaxedBinding2AutoConfiguration.java"
test -f "dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java" \\
  && ok "dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java" \\
  || miss "missing critical file: dubbo-spring-boot-autoconfigure/src/main/java/org/apache/dubbo/spring/boot/autoconfigure/BinderDubboConfigBinder.java"
test -f "dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java" \\
  && ok "dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java" \\
  || miss "missing critical file: dubbo-spring-boot-actuator/src/main/java/org/apache/dubbo/spring/boot/actuate/endpoint/DubboMetadataEndpoint.java"
test -f "dubbo-spring-boot-actuator/src/main/resources/META-INF/spring.factories" \\
  && ok "dubbo-spring-boot-actuator/src/main/resources/META-INF/spring.factories" \\
  || miss "missing critical file: dubbo-spring-boot-actuator/src/main/resources/META-INF/spring.factories"
test -f "dubbo-spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories" \\
  && ok "dubbo-spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories" \\
  || miss "missing critical file: dubbo-spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1236 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1206d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/apache/dubbo-spring-boot-project"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.