Comment From: bclozel
There is no need to ask for a dependency upgrade.
As mentioned in our issue template:
You DO NOT need to raise an issue for a managed dependency version upgrade as there's a semi-automatic process for checking managed dependencies for new versions before a release.
We will perform upgrades matching our 3rd party upgrade policy. If this is an urgent matter for you, there is no need to wait for us releasing as you can use a Gradle or Maven build property to override the library version. All version properties are listed in the reference documentation appendix.
Comment From: andersthorbeck
@bclozel So, just to be clear, there is no fast-track to upgrading the managed dependency versions even if there is a CVE which would be fixed by doing so? I ask because I cannot find it explicitly mentioned in the 3rd party upgrade policy you linked to.
Comment From: bclozel
So, just to be clear, there is no fast-track to upgrading the managed dependency versions even if there is a CVE which would be fixed by doing so?
The fast-track option is to override the version in your project - this is the safest option that we officially recommend. If we were to release Spring Boot maintenance versions for every CVE out there 1) there would be a lot of those 2) we would always lack the context of the CVE and how that applies to apps and 3) we would never be as fast as the third party since we learn about those at the same time as everyone else.
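The override described above, as an added Maven example that is not part of this thread and not Spring Boot's own documentation (Gradle users set the same property name through `ext['snakeyaml.version'] = '...'`). `snakeyaml.version` is one of Spring Boot's managed-version property names; the Boot version and the patched library version are placeholders to be replaced with your own.

```xml
<!-- pom.xml fragment (added example): pin one managed dependency to a patched
     release without waiting for a new Spring Boot release.
     spring-boot-starter-parent declares the default <snakeyaml.version>;
     a property with the same name in this pom takes precedence. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- placeholder: keep the Boot version your project already uses -->
    <version>BOOT-VERSION-HERE</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- placeholder: the fixed release named in the advisory you are tracking.
         Only the property is changed; the <dependency> below stays version-less
         and keeps inheriting from Boot's dependency management. -->
    <snakeyaml.version>PATCHED-VERSION-HERE</snakeyaml.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>

<!-- Verify the pin took effect before shipping:
       mvn dependency:tree -Dincludes=org.yaml:snakeyaml
     The resolved version printed must match <snakeyaml.version>. -->
```

This property mechanism only works when `spring-boot-starter-parent` is the parent; projects that import `spring-boot-dependencies` as a BOM with `<scope>import</scope>` instead have to declare the dependency with its explicit version in their own `<dependencyManagement>` block, placed before the BOM import.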