Comment From: philwebb

I assume this is https://snyk.io/vuln/SNYK-JAVA-NETMINIDEV-1078499

It looks like 2.4.2 was released April 4th. We'll upgrade to that version in Spring Boot 2.5.x (It should happen automatically but I've opened #25946 to make sure we don't miss it). As mentioned on the wiki we only upgrade patch releases of third-party dependencies in released versions of Spring Boot.

Comment From: breun

@philwebb https://nvd.nist.gov/vuln/detail/CVE-2021-27568 gives this CVE a base score of '9.1 critical'. Maybe this could be enough reason to upgrade it in Spring Boot 2.4.x after all?

Comment From: philwebb

@breun Thanks for the suggestion, but Spring Boot has quite a large number of dependencies and I don't think it would be practical for us to refine the policy based on how critical the CVEs are. If you can't upgrade to Spring Boot 2.5, you should still be able to override json-smart.version in your build and pick the latest version.
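The override the last comment describes, as an added example that is not code posted in the thread; it assumes a Maven build whose parent is spring-boot-starter-parent (with Gradle and the Spring dependency-management plugin the equivalent is `ext['json-smart.version'] = '2.4.2'` in build.gradle):

```xml
<!-- Added example: pin json-smart to 2.4.2 in a Spring Boot 2.4.x Maven build.
     Spring Boot's dependency management resolves the json-smart.version
     property, so redefining it in the project pom replaces the inherited
     2.4.x default without changing the Spring Boot version itself. -->
<properties>
  <json-smart.version>2.4.2</json-smart.version>
</properties>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=net.minidev:json-smart`, which should report only 2.4.2; an older version still listed there means another BOM or plugin is pinning it.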