spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0

Outdated spring-beans dependency with critical vulnerability in 2.x #756

Closed TiMESPLiNTER closed 1 year ago

TiMESPLiNTER commented 1 year ago

What's the reason there's no final release yet of 2.4.0? The most recent 2.x version of this repo uses an outdated spring-beans version <5.2.20 which has this critical vulnerability: https://www.cve.org/CVERecord?id=CVE-2022-22965

Is there a reason 2.4.0 has no final version yet, as this would fix this issue?

mp911de commented 1 year ago

During our 3.0 development cycle, we realized that the Spring Boot 2.x development line is going to end at version 2.7, and we decided to rather focus on the 3.x development line instead of adding yet another 2.x release.

Once we no longer maintain branches, the branch labels remain within the repository and are not removed and that is why you still see 2.x branches.

You can remediate the dependency issue on your side by upgrading to a newer Spring 5 dependency version, as Spring dependencies within a particular generation should generally be considered drop-in replacements.

With sufficient waiting, eventually, every dependency will get its CVE reports. The only currently supported Spring Vault generation is 3.x; version 2.3 is EOL.
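One way to apply the remediation described in that reply in a Maven build, as an added example that is not part of this thread and not code from the spring-vault project: import the Spring Framework BOM at 5.2.20.RELEASE (the artifact name of the 5.2.20 fix level the issue cites; the 5.2 line uses the .RELEASE suffix) in `dependencyManagement`, so that every transitive `org.springframework` artifact, spring-beans included, resolves to the patched version regardless of what the spring-vault-core 2.x POM declares. The `spring-vault.version` value is a placeholder for whichever 2.x release you are actually on, and the property names are this example's own.

```xml
<!-- Added example, not from the spring-vault project: a consumer's pom.xml
     that pins transitive Spring Framework artifacts to a patched 5.2.x release.
     spring-vault.version is a placeholder for the 2.x release actually in use. -->
<properties>
  <spring-vault.version>2.x</spring-vault.version> <!-- placeholder -->
  <!-- 5.2.20.RELEASE is the 5.2 line's first release at or above the
       "< 5.2.20 is vulnerable" threshold for CVE-2022-22965 cited in the issue -->
  <spring-framework.version>5.2.20.RELEASE</spring-framework.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Versions managed here take precedence over versions declared in
         transitive POMs, so spring-beans, spring-core, spring-web and the
         rest of the framework all resolve to ${spring-framework.version}. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-framework-bom</artifactId>
      <version>${spring-framework.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Unchanged: the EOL 2.x artifact stays, only its Spring Framework
       transitives are lifted to the patched release. -->
  <dependency>
    <groupId>org.springframework.vault</groupId>
    <artifactId>spring-vault-core</artifactId>
    <version>${spring-vault.version}</version>
  </dependency>
</dependencies>
```

Check the result with `mvn dependency:tree -Dincludes=org.springframework:spring-beans` and confirm that the only spring-beans entry in the tree is 5.2.20.RELEASE; if an older version still appears, another dependency is pulling it in outside of Maven's managed-version resolution and needs the same treatment. Because the reply treats Spring 5 artifacts as drop-in replacements within the generation, a later Spring 5 BOM can be substituted in the same way. Note that this only addresses the framework CVE; it does not change the fact, stated in the reply, that the Spring Vault 2.x line itself is no longer maintained.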