Hi Shawn,

I guess you could override the versions of the following jars to 5.3.22:

> [INFO] |  +- org.springframework:spring-aop:jar:5.3.21:compile
> [INFO] |  +- org.springframework:spring-beans:jar:5.3.21:compile
> [INFO] |  +- org.springframework:spring-context:jar:5.3.21:compile
> [INFO] |  +- org.springframework:spring-expression:jar:5.3.21:compile
> [INFO] |  \- org.springframework:spring-web:jar:5.3.21:compile

It's not ideal but otherwise there might be a small risk of incompatibility between spring-core 5.3.22 and the other 5.3.21 jars. Anyway I'll leave it up to you, if you're happy with it as it stands I am +1 on the release.

Colm.

On Wed, Jul 20, 2022 at 5:18 PM Shawn McKinney <[email protected]> wrote:
>
>
> > On Jul 20, 2022, at 8:43 AM, Shawn McKinney <[email protected]> wrote:
> >
> > I’d need to be convinced that going with a previous version of spring
> > security to match the core is advisable due to all of the CVE’s. In any
> > case, there isn’t a 5.3.22 spring core version.
>
> Err, the other way around. … There isn’t a spring security core version that
> matches up with spring core.
>
> Going with a previous spring security release means picking up CVE’s. As most
> of their previous releases are flagged with vulnerabilities:
>
> https://mvnrepository.com/artifact/org.springframework.security/spring-security-core
>
> Meaning we need to use the latest of each. What am I missing here?
>
> Thanks
>
> —
> Shawn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
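
One way to check whether the Spring Framework jars in a build are all on one version, as an added example that is not part of the original thread: it parses `mvn dependency:tree` output and lists the `org.springframework` artifacts that lag behind the newest version found. The sample tree is constructed from the lines quoted above plus a spring-core 5.3.22 entry and a placeholder parent; the function names are assumptions.

```python
import re
from collections import defaultdict

# One artifact line of `mvn dependency:tree`: groupId:artifactId:type:version:scope
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):([\w\-]+):([\w.\-]+):(\w+)\s*$")

def group_versions(tree_text, group_id="org.springframework"):
    """Map version -> sorted artifactIds for one exact groupId.

    Exact matching keeps org.springframework.security and similar groups
    out of the comparison, since they are versioned independently.
    """
    versions = defaultdict(set)
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if m and m.group(1) == group_id:
            versions[m.group(4)].add(m.group(2))
    return {v: sorted(arts) for v, arts in versions.items()}

def version_key(version):
    # Compare numerically so that 5.3.9 sorts below 5.3.22.
    return tuple(int(p) for p in re.findall(r"\d+", version))

def find_skew(tree_text, group_id="org.springframework"):
    """Return (newest_version, {artifactId: version} behind the newest)."""
    versions = group_versions(tree_text, group_id)
    if not versions:
        return None, {}
    newest = max(versions, key=version_key)
    lagging = {a: v for v, arts in versions.items() if v != newest for a in arts}
    return newest, lagging

# Constructed sample input (the org.example lines are placeholders).
SAMPLE_TREE = r"""
[INFO] org.example:constructed-app:war:1.0.0
[INFO] +- org.springframework:spring-core:jar:5.3.22:compile
[INFO] +- org.example:constructed-lib:jar:1.0.0:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-web:jar:5.3.21:compile
"""

if __name__ == "__main__":
    newest, lagging = find_skew(SAMPLE_TREE)
    for artifact, version in sorted(lagging.items()):
        print(f"{artifact} is at {version}, newest in group is {newest}")
```

Run against the tree again after applying version overrides: an empty result means every jar in the group resolves to the same version.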
