Comment From: breun

@wilkinsona This update of Hibernate Validator fixes CVE-2019-10219. Shouldn't this also be bumped for Spring Boot 2.2.x and 2.1.x?

Comment From: wilkinsona

Unfortunately not, no. We do not apply major or minor dependency upgrades to maintenance releases of Spring Boot.

In this case the vulnerability only applies to @SafeHtml. If you are not using it, then you are not affected. If you are, then you can override the version to 6.1.0.Final or later. Alternatively, you could ask the Hibernate Validator team to backport the fix to 6.0.x, thereby allowing you to avoid the problem without the additional risk of upgrading to a new minor version.
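The version override mentioned above, as an added example (not from the commenter or the Spring Boot project): Spring Boot's dependency management exposes the managed Hibernate Validator version through the `hibernate-validator.version` property, so a build that inherits from `spring-boot-starter-parent` can pin the patched release without touching individual starter dependencies. The 2.2.x parent version shown is a placeholder; use your actual one.

```xml
<!-- pom.xml of a Spring Boot 2.2.x / 2.1.x application (parent version is a placeholder) -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.2.x-PLACEHOLDER</version>
  </parent>

  <properties>
    <!-- Only needed if @SafeHtml is used anywhere on the classpath (CVE-2019-10219).
         Overrides the version managed by spring-boot-dependencies; 6.1.0.Final is a
         minor upgrade over the managed 6.0.x line, so run the test suite after bumping. -->
    <hibernate-validator.version>6.1.0.Final</hibernate-validator.version>
  </properties>

  <dependencies>
    <!-- Pulls in hibernate-validator transitively at the overridden version -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-validation</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.hibernate.validator`; the Gradle equivalent is `ext['hibernate-validator.version'] = '6.1.0.Final'` in `build.gradle`.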

Comment From: breun

I'm not using @SafeHtml myself, but users of the internal Spring Boot-based framework I develop might be.

Minor version updates should be backwards compatible. If only every library used semantic versioning... But yeah, Spring Boot itself doesn't either of course. :)