I know that Spring Boot 2.7 is ending its non-commercial support at 2023-11-24. The support for Spring Framework 5.3 is ending more than one year later at 2024-12-31.
So for a project, which can't be upgraded to Spring Boot 3.0 in the short term, is it a good practice to add a dependency to the Spring Framework BOM in addition to org.springframework.boot:spring-boot-dependencies:2.7.x in the meantime?
This would of course only mitigate vulnerabilities fixed in Spring Framework 5.3; spring-boot-dependencies has many more dependencies that would need to be updated manually.
Spring Boot is somewhat tightly coupled with Spring Framework. Hence, you cannot use Spring Boot 3.x together with Spring Framework 5.y. Doing so will probably break some stuff and isn't supported at all.
This leaves you with 3 possibilities:

1. You can continue using Spring Boot 2.7. If you want to use newer versions of Spring Framework (future updates), you can use <spring.version> with future 5.y versions even though you are using the old Spring Boot 2.x version. While that would mean using an unsupported version of Spring Boot, most of what you are using is probably Spring Framework, which you can update this way. Also, they would still publish public updates to Spring Boot in response to commercial update requests.

2. You might still want to start updating sooner rather than later so you can switch to a newer version earlier. At some point, you'll need to migrate anyway. Even though you say you can't update the project, you will need to do so eventually.

3. Of course, you could also pay for commercial support, but you will still need to migrate at some point.
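As an added example that is not part of the question or the answer above: a Maven pom.xml that stays on Spring Boot 2.7 while pinning a newer Spring Framework 5.3 patch release, the setup both the question (importing the Framework BOM next to spring-boot-dependencies) and the answer (overriding the version property) describe. The artifact coordinates of the project and the two version numbers (2.7.18, 5.3.31) are assumptions chosen for illustration; replace them with the latest releases you actually want. In Spring Boot 2.x the version property that spring-boot-dependencies defines for Spring Framework is spring-framework.version, so that is the one overridden here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed project coordinates (illustration only) -->
  <groupId>com.example</groupId>
  <artifactId>legacy-service</artifactId>
  <version>1.0.0</version>

  <!-- Inherit Spring Boot 2.7's dependency management. The last OSS 2.7 release
       is assumed to be 2.7.18 here; check the Spring Boot release list. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.18</version>
    <relativePath/>
  </parent>

  <properties>
    <java.version>11</java.version>
    <!-- Override ONLY the Spring Framework line. With spring-boot-starter-parent
         as parent, redefining this property is enough: every org.springframework:*
         artifact managed by spring-boot-dependencies picks up the new version.
         The version is an assumption; use the newest 5.3.x available to you.
         Stay on 5.3.x: Spring Framework 6 requires Spring Boot 3 / Java 17. -->
    <spring-framework.version>5.3.31</spring-framework.version>
  </properties>

  <!-- Alternative for projects that do NOT use spring-boot-starter-parent but
       import spring-boot-dependencies with scope "import": property overrides
       are ignored in that case. Instead, import the Spring Framework BOM first,
       so that its managed versions win over the ones in spring-boot-dependencies
       (Maven honours the first BOM that manages a given artifact).
       This block is commented out because this pom already uses the parent.

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.3.31</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.7.18</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  -->

  <dependencies>
    <!-- Regular starters; no versions needed, they come from the parent. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm that the override actually took effect rather than trusting it: `mvn dependency:tree -Dincludes=org.springframework` lists the resolved org.springframework artifacts, and each of them should show the 5.3.x version you pinned; `mvn help:effective-pom` shows the merged dependencyManagement if the tree still reports the Boot-managed version. Keep in mind the limit the question already states: this only moves the Spring Framework line. Every other library managed by spring-boot-dependencies (Tomcat, Jackson, Logback, and so on) keeps its 2.7.x-era version unless you pin it the same way, so run a dependency vulnerability scan against the resulting tree to see what is still left.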