Comment From: dpeger
@philwebb Is this ticket going to be downported to 2.3.x and 2.4.x branches as well? The latest release versions still reference json-smart:2.3, which might be problematic as the security finding CVE-2021-27568 has (for whatever reason) a 9.1 score and thus is rated critical.
Comment From: wilkinsona
@dpeger No, this change will only be made in 2.5 as we don't upgrade to new major or minor versions of dependencies in maintenance releases of Spring Boot. You can opt in to the new minor version of json-smart with Spring Boot 2.4.x if you wish to do so by overriding the version in your Maven or Gradle configuration.
Comment From: dpeger
@wilkinsona thanks for the clarification. Version 2.3.1 of json-smart has just been released. As far as I understood, this patch-version update will automatically be included in the spring-boot maintenance branches. Correct?
Comment From: snicoll
@dpeger 2.3.x and 2.4.x have dependency management for json-smart 2.3, so both of them will be upgraded to 2.3.1 (or later in that line, if available). There is no need for a comment, an issue, or a PR as we have a semi-automated process for this.