by Traubenfuchs 233 days ago
It's pretty much the same in Javaland with maven and spring.

Create a new project with the latest spring version, and maven will warn you.

At this point I consider this worthless noise.

1 comment

I think Spring doesn't consider vulnerabilities in one of their components to be a Spring vulnerability. At least they do not release an updated version until the next scheduled patch version, not even in the paid version.

You can either wait and accept being vulnerable or update the component yourself and therefore run an unsupported and untested configuration. Doomed if you do, doomed if you don't.
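The "update the component yourself" option in the comment above means overriding the version that Spring's BOM manages for a transitive dependency. As an added illustration (not code from either commenter or from the Spring project), this is the Maven pattern for doing so: the `<dependencyManagement>` entry in your own POM wins over the version inherited from the Spring parent. The coordinates `org.example:some-transitive-lib` and the version `2.0.1` are hypothetical placeholders; substitute the real artifact and the fixed release named in the advisory you are responding to.

```xml
<!-- Added example, not from the original thread. Coordinates and versions are hypothetical placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <!-- Spring Boot parent supplies managed versions for hundreds of transitive artifacts. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.2.0</version> <!-- hypothetical: use whatever release you are actually on -->
  </parent>

  <dependencyManagement>
    <dependencies>
      <!-- Explicit entry here overrides the version the Spring parent manages.
           This is the "run an unsupported and untested configuration" path: the
           override is yours to own, so record the advisory and the date in a comment. -->
      <dependency>
        <groupId>org.example</groupId>          <!-- hypothetical transitive dependency -->
        <artifactId>some-transitive-lib</artifactId>
        <version>2.0.1</version>                <!-- hypothetical patched release -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

After editing the POM, confirm that the override actually took effect rather than being shadowed by another BOM import: `mvn dependency:tree -Dincludes=org.example:some-transitive-lib` prints every path through which the artifact is pulled in and the version resolved for each, and `mvn dependency:analyze` flags anything declared but unused. Keep the override in place only until the next scheduled Spring patch release that manages the fixed version, then delete it so you return to the supported combination.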