We are using Snyk for vulnerability checks in our build pipelines. The spring boot version that is being used in the project is 2.6.6
and the versions of all other dependencies are hence inherited. During the vulnerability check, Snyk suggests to upgrade spring-boot-starter-web version to 3.0.2
, which is a major release version upgrade. (2 -> 3). We have a restriction on upgrading the spring-boot version.
Will there be any possible issue that may occur, How to handle such change suggestions?
The two biggest changes in Spring Boot 3.0 that are likely to impede an upgrade are the Java 17 and Jakarta EE 9 baselines. You can prepare for the former by using Spring Boot 2.x and upgrading to Java 17 if you haven't already done so. You cannot really prepare for the latter, other than by limiting your usage of Jakarta EE APIs. When the time comes to upgrade to Spring Boot 3.0 you will have to change import statements from javax.*
to jakarta.*
for things like JPA. If you have third-party dependencies that use Jakarta EE APIs they will also have to be upgraded to EE 9 compatible versions.
Snyk is right that you should upgrade from 2.6.6 as it is no longer supported. I do not agree with its suggestion to jump to 3.0.2. Instead, I would upgrade to 2.7.x (2.7.10 is the latest 2.7 version at the time of writing) and Java 17. Once there, you can then consider an upgrade to 3.0.x when you are ready. Note that open source support for 2.7.x ends in November so you should be planning an upgrade to 3.0.x before the end of the year.