The Problem:
Spring Boot 2.7 EOL is approaching, and companies need to find a way to continue receiving updates and support for their applications built with this version. Upgrading to Spring Boot 3.0 is not a feasible option in the immediate future. Will adding a dependency to the Spring Framework BOM in conjunction with "org.springframework.boot:spring-boot-dependencies:2.7.x" in the project provide an effective mitigation strategy until the upgrade to Spring Boot 3.0 can be completed? Consider that this approach would only cover vulnerabilities addressed in Spring Framework 5.3, leaving numerous other dependencies within "spring-boot-dependencies" that would require manual updates.
The Solutions:
Solution 1: Staying with Spring Boot 2.x/Spring Framework 5.y
Approach:
If you’re unable to upgrade to Spring Boot 3.0 and Spring Framework 6 right away, you can continue using Spring Boot 2.7 and Spring Framework 5.y. This option allows you to keep using your existing codebase while still being able to receive security updates and bug fixes.
Benefits:
Drawbacks:
Solution 2: Migrate to Spring Boot 3.0 and Spring Framework 6
Approach:
If you’re ready to make the switch, you can migrate your project to Spring Boot 3.0 and Spring Framework 6. This option will give you access to the latest features and improvements in Spring Boot and Spring Framework, as well as security updates and bug fixes.
Benefits:
Drawbacks:
Solution 3: Switch to Commercial Support
Approach:
If you need continued support for Spring Boot 2.7 and Spring Framework 5.y beyond their end-of-life dates, you can purchase commercial support from SpringSource. This option will give you access to security updates, bug fixes, and technical support from SpringSource engineers.
Benefits:
Drawbacks:
Q&A
Can Spring Boot 3.0 be used with Spring Framework 5.y?
No, this is not supported and will probably break your code.
What are the options for staying at Spring Boot 2.x/5.y?
Continue using Spring Boot 2.7 or update Spring Framework versions using <spring.version>
.
What is the recommended migration path to Spring Boot 3.x/6.x?
Update to Java 17, run migration tooling, update dependencies, and test thoroughly.