Given that a security issue has been fixed in 42.4.1: see https://jdbc.postgresql.org/. Version 42.5.0 has been released as well, but I don't know what the policy regarding major/minor/patch dependency upgrades in Spring Boot is.
Wouldn't it be a good idea to upgrade the driver in the 2.6 and 2.7 branch as well, by the way?
Comment From: bclozel
Closing as a duplicate of #32126 - we'll upgrade to 42.4.2 for the next Spring Boot 3.0 milestone automatically (as mentioned in our issue template).
Comment From: dalbani
Thanks for the quick reaction. Sorry for the duplicate, I only checked open bugs before creating mine.
Comment From: dalbani
@bclozel: just a quick question if I may, what's exactly the "automated process"?
Because main still currently uses 42.4.0, which is thus affected by the CVE: https://github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-dependencies/build.gradle#L1141.
Comment From: bclozel
@dalbani it's actually a semi-automated process. We periodically run a tool called bomr in our build, and this upgrades all our managed dependencies (taking exclusions into account).
Our next milestone is in 20+ days, we'll run the tool in due course.