java-sdk
DAPR 1.6 uses Spring Boot Starter Web with a vulnerability
DAPR 1.6 uses spring-boot-starter-web/2.3.5.RELEASE, which has a vulnerability. Are there any plans to upgrade to a Spring Boot Starter Web version without the vulnerability, as many organizations don't allow any artifacts with an open vulnerability?
@sujitp149 Thanks for reporting this. We can try bumping the version to 2.7.3. Please feel free to submit a PR, we can see if that is breaking anything.
Out of curiosity: why is spring-boot-starter-web included and not spring-boot-starter-webflux, as all methods seem to be non-blocking?
Great point, I think we should offer webflux but it should probably be a new artifact so it does not break existing users.
I have added the PR above to the release. I will keep this open to confirm that it will really remove the vulnerability. If not, we will need to upgrade to a new major version in the next release.
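For consumers who cannot wait for the release that bumps the dependency, the following Maven fragment is an added example (not from the dapr java-sdk project or any participant in this thread) showing how to force the Spring Boot 2.7.3 version mentioned above onto the transitive `spring-boot-starter-web` pulled in by the SDK. It assumes the consuming project uses Maven, that the SDK's Spring Boot integration is the `io.dapr:dapr-sdk-springboot` artifact at version 1.6.0, and that the application itself is compatible with Spring Boot 2.7.x; the dapr artifact coordinates and the 1.6.0 version are assumptions, not taken from the thread.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>dapr-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Import the Spring Boot BOM first: Maven resolves the nearest
           managed version, so every spring-boot-* artifact that the dapr
           SDK declares transitively (including spring-boot-starter-web
           2.3.5.RELEASE, the version reported in the thread) is pinned to
           2.7.3 instead of the version the SDK's own POM asked for. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.7.3</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed coordinates and version of the SDK's Spring Boot
         integration; check the project's published artifacts before use. -->
    <dependency>
      <groupId>io.dapr</groupId>
      <artifactId>dapr-sdk-springboot</artifactId>
      <version>1.6.0</version>
    </dependency>
  </dependencies>

  <!-- Verification (run from the project root, output not reproduced here):
         mvn dependency:tree -Dincludes=org.springframework.boot
       The resolved tree should show spring-boot-starter-web:2.7.3 and no
       remaining 2.3.5.RELEASE entries. A dependency scanner run against
       the final build output, not against the SDK's POM, is what confirms
       the flagged version is actually gone from the shipped artifact. -->
</project>
```

Pinning via the BOM only changes what your build resolves; it does not change what the SDK was tested against, so the application's own integration tests are the check that nothing broke, which is the same concern raised in the thread about bumping the version inside the SDK.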