spring-cloud-openfeign-dependencies 3.1.5 declares "bad" version of spring-security-oauth2-client

With version 3.1.5 of spring-cloud-openfeign that ships with Spring Cloud 2021.0.5, the spring-cloud-openfeign-dependencies POM pins the version of spring-security-oauth2-client to 5.7.3.

This causes the following issues:

When importing the spring-cloud-dependencies POM in a Spring Boot 2.6.x Maven project, it will resolve the version of spring-security-oauth2-client as 5.7.3, which is
- probably incompatible with Spring Security 5.6.x that is used by spring-boot-starter-security from Spring Boot 2.6.x
- still affected by CVE-2022-31690, which was fixed by Spring Security 5.6.9 and 5.7.5.
When importing the spring-cloud-dependencies POM in a Spring Boot 2.7.x Maven project, the same happens - even if overwriting the Maven property spring-security.version with 5.7.5 in the application Maven POM itself - an thus will also introduce CVE-2022-31690.

As a work around, the second problem can be fixed by not only overwriting the Maven property spring-security.version, but also declaring a dependency management for spring-security-oauth2-client using this version in the application Maven POM itself.

We don't know what to do in the first situation:

Should we overwriting the Maven property spring-security.version with 5.6.9 in the application Maven POM itself and also declaring a dependency management for spring-security-oauth2-client using this version? Would this be compatible with spring-cloud-openfeign 3.1.5, which says it wants to use spring-security-oauth2-client 5.7.3?
Should we overwriting the Maven property spring-security.version with 5.6.9 in the application Maven POM itself and declaring a dependency management for spring-security-oauth2-client using 5.7.5? Would this be OK or cause problems in the 5.6.9 Spring Security stack?

spring-cloud / spring-cloud-openfeign

spring-cloud-openfeign-dependencies 3.1.5 declares "bad" version of spring-security-oauth2-client #786