Migrated 380k LOC banking platform from Spring Boot 2 to 3 in 14 weeks

A $4B-asset community bank in the southeastern US had been planning a Spring Boot 3 migration since the GA release in November 2022. Two internal attempts had been started and abandoned. The third attempt landed on our desk in January 2025 with an explicit timeline: "we cannot be on Spring Boot 2.7 in production after August 2025" — the date their regulator's compliance audit was scheduled.

The application was 380,000 lines of Java handling consumer accounts, lending, and small-business cash management. It depended on 247 transitive dependencies, of which our initial audit identified 31 as needing explicit attention: 8 had Spring Boot 3 versions but required code changes, 18 had clean upgrades available, and 5 were unmaintained and required either a fork or a replacement.

Week 1-2: dependency audit and OpenRewrite recipe customization for their internal conventions. Week 3-6: jakarta namespace migration on a parallel branch, completed under feature flag rotation so production traffic was unaffected. Week 7-10: Spring Security DSL rewrite with explicit before/after authorization test suite. The team had thin coverage on the security layer and we wrote 340 new tests during this phase. Week 11-12: Micrometer Tracing cutover with full observability validation against the legacy dashboards.

Week 13: production deploy behind feature flag with 5% traffic. Week 14: ramped to 100% over 5 days with no rollback. The audit happened on schedule. The regulator's report had no findings related to the migration. We invoiced the final milestone on August 8, two weeks ahead of the August 22 deadline.