Dependency warning issues

[AbduNG]

The Spring app I am building is raising vulnerability flags on the following spring-boot-starter sub-dependencies:

org.springframework:spring-core:jar:6.1.11:compile
org.springframework:spring-context:jar:6.1.11:compile

Full mvn dependency:tree log for this dependency:

[INFO] +- org.springframework.boot:spring-boot-starter:jar:3.3.5:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:3.3.2:compile
[INFO] |  |  \- org.springframework:spring-context:jar:6.1.11:compile
[INFO] |  |     +- org.springframework:spring-aop:jar:6.1.11:compile
[INFO] |  |     +- org.springframework:spring-beans:jar:6.1.11:compile
[INFO] |  |     +- org.springframework:spring-expression:jar:6.1.11:compile
[INFO] |  |     \- io.micrometer:micrometer-observation:jar:1.13.2:compile
[INFO] |  |        \- io.micrometer:micrometer-commons:jar:1.13.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:3.3.2:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO] |  +- org.springframework:spring-core:jar:6.1.11:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:6.1.11:compile
[INFO] |  \- org.yaml:snakeyaml:jar:2.2:compile

And when upgrading to the latest version of the parent dependency this wasn't resolved, how can I undress this issue because these transitive dependencies would break my app if they were excluded.

[bclozel]

6.1.11 is vulnerable to https://spring.io/security/cve-2024-38820, so I think you'll need to upgrade to the latest maintenance version.