SpringBoot spring-boot-starter-validation 2.5.0 is not working with hibernate-validator 7.0.1.Final

I try to combine

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-validation</artifactId>
    <version>2.5.0</version>
</dependency>

<dependency>
   <groupId>org.hibernate.validator</groupId>
   <artifactId>hibernate-validator</artifactId>
   <version>7.0.1.Final</version>
</dependency>

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.validation.beanvalidation.LocalValidatorFactoryBean' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}

I guess because of the name changes in hibernate-validator (I'm not sure since when) ... the service name is now this:

/META-INF/services/jakarta.validation.spi.ValidationProvider

Spring is searching for

META-INF/services/javax.validation.spi.ValidationProvider

Would it be an idea to have support for both?

Comment From: bclozel

Spring Boot will support the jakarta namespace as soon as Spring Framework supports it. This is currently scheduled for Spring Framework 6.0 (meaning, Spring Boot 3.0).

Comment From: rifqifakhirin

springboot 2.5.0 support for hibernate-validator 6.2.0.final, just change the hibernate-validator version in dependency to make validation work again

Comment From: ahoehma

springboot 2.5.0 support for hibernate-validator 6.2.0.final, just change the hibernate-validator version in dependency to make validation work again

haha i came back to here because today i did another update-check for my app :)

for hibernate-validator 6.2.0.final I have a vulnerable findings ... so thats why I need a newer version.

Comment From: snicoll

I am not aware of a CVE in 6.2.0.Final and this is the latest version in that line. This would have to be redirected to the team managing this project and we can upgrade in due course accordingly.

Comment From: bclozel

There were false positives on reports for CVE-2020-10693, but it seems detection is now fixed. Is that the CVE you're referring to?

Comment From: ahoehma

@bclozel yes this was my CVE ... works now.