spring-boot dependencies and security fixes

I'm using Spring Boot in a recommended way, that is, by adding

classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")

and then adding the dependencies I need, like:

compile('org.springframework.boot:spring-boot-starter-web')

That dependency pulls some predefined version of Tomcat that will host my microservice.

But what happens when a security fix for Tomcat is released? Does the Spring team track all the security issues in all the projects they use and bump the spring-boot version when a new fix is released? Or do I have to track it myself and control dependencies (like Tomcat) manually instead of using 'the spring-boot way'?

piotrek asked Oct 27 '25 19:10

1 Answer

Whenever we release a new version of Spring Boot, we update the managed dependency versions to the latest appropriate release of that dependency. Appropriate means that we won't, for example, move to a new major or minor version of a dependency in a maintenance release of Spring Boot.

Generally speaking, a new version of a managed dependency (even if it contains a security fix) won't trigger the release of a new version of Spring Boot. It's impossible for us to know exactly how a dependency is being used and if the fix is relevant to all, some, or even any of Spring Boot's users.

This means that you do need to keep track of security vulnerabilities yourself. If a vulnerability affects you and Spring Boot has not yet updated its managed version then you can easily override that version in your build script. For example, if you are using Gradle:

ext['tomcat.version']='8.0.36'

Or Maven:

<properties>
    <tomcat.version>8.0.36</tomcat.version>
</properties>
Andy Wilkinson answered Oct 29 '25 08:10
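An added check, not part of the answer above: once you have overridden tomcat.version, you still want proof that the override reached the classpath. This Python script parses the output of Gradle's dependency report (the sample tree below is constructed and its exact layout is an assumption about the `./gradlew dependencies` format) and flags any embedded Tomcat artifact whose resolved version is still older than the fixed release.

```python
import re

# Constructed sample of `./gradlew dependencies --configuration compile` output;
# "declared -> resolved" is how Gradle shows a version replaced by an override.
SAMPLE_TREE = r"""compile - Dependencies for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web: -> 1.3.6.RELEASE
|    +--- org.springframework.boot:spring-boot-starter-tomcat:1.3.6.RELEASE
|    |    +--- org.apache.tomcat.embed:tomcat-embed-core:8.0.33 -> 8.0.36
|    |    +--- org.apache.tomcat.embed:tomcat-embed-el:8.0.33 -> 8.0.36
|    |    \--- org.apache.tomcat.embed:tomcat-embed-websocket:8.0.33 -> 8.0.36
|    \--- org.springframework:spring-webmvc:4.2.7.RELEASE
"""

# group:artifact[:declared][ -> resolved]
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+)(?::([\w.\-]*))?(?: -> ([\w.\-]+))?")


def version_key(version: str):
    """Sort key: numeric segments compare as ints, others (RELEASE, RC1) as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def resolved_versions(tree_text: str) -> dict:
    """Map group:artifact to the version Gradle actually put on the classpath."""
    found = {}
    for line in tree_text.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue
        group, artifact, declared, resolved = match.groups()
        if resolved or declared:  # prefer the resolved side of the arrow
            found[f"{group}:{artifact}"] = resolved or declared
    return found


def below_minimum(tree_text: str, group_prefix: str, minimum: str) -> dict:
    """Artifacts under group_prefix whose resolved version is older than minimum."""
    return {
        coord: ver
        for coord, ver in resolved_versions(tree_text).items()
        if coord.startswith(group_prefix) and version_key(ver) < version_key(minimum)
    }


if __name__ == "__main__":
    # Non-zero exit if any embedded Tomcat artifact is older than the fixed release.
    stale = below_minimum(SAMPLE_TREE, "org.apache.tomcat.embed:", "8.0.36")
    for coord, ver in stale.items():
        print(f"STALE {coord} resolved to {ver}")
    raise SystemExit(1 if stale else 0)
```

Pipe the real report into `below_minimum` in CI and the build fails whenever a managed version falls behind the release you have decided is the minimum.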
