https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044
I understand that I can probably do ext['okhttp3.version'] = '4.9.3' to update okhttp3 in my 2.6.x setup.
But I expect this to be bumped in a Spring Boot release to be sure that it doesn't affect anything, taking into account that it's updated in 2.7.x.
Thanks.
Comment From: nikoncode
Spring Boot 2.6.x locks the version to 3.14.9 even in the last release, 2.6.10.
Comment From: philwebb
As a matter of policy, we only upgrade at the patch level once a release is out. See https://github.com/spring-projects/spring-boot/wiki/Supported-Versions#third-party-dependencies for details.
Comment From: snicoll
Our third-party policy is available on the wiki. The upgrade is discussed in this issue.