Summary
Dependabot is generating alerts for org.springframework.boot:spring-boot:4.1.0 against both GHSA-8v8j-3hxp-93wr and GHSA-wwpq-f5c3-7hvx.
Problem
Both advisories explicitly define the vulnerable range as >= 4.0.0, < 4.0.6 for the 4.x branch.
4.1.0 > 4.0.6 — it is mathematically outside the vulnerable range. Spring Boot 4.1.0 was released after 4.0.6 and includes the fixes for both CVEs.
The advisory descriptions confirm this:
Impact
Repositories using Spring Boot 4.1.0 (the latest release) receive incorrect CRITICAL and HIGH Dependabot alerts for vulnerabilities that do not affect them.
Expected behaviour
Dependabot should not flag spring-boot:4.1.0 since 4.1.0 >= 4.0.6.
Suggestion
If the advisory is correct as written and the scanner is the bug, please fix the version comparison logic.
If 4.1.x is also affected (which the advisory text contradicts), please add a separate vulnerable range >= 4.1.0, < 4.1.x with an explicit patched version.
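To make the expected comparison concrete, here is an added example (not Dependabot's or the GitHub Advisory Database's own matching code) that parses the range notation quoted in this report and checks Maven-style versions against it numerically, next to a plain string comparison that shows the kind of comparison bug a scanner must avoid. The second range `>= 4.1.0, < 4.1.1` is constructed here to illustrate the suggestion of a separate 4.1.x range and does not appear in either advisory; every version other than 4.0.6 and 4.1.0 is likewise a constructed test value.

```python
"""Version-range matching for GHSA/OSV-style advisories.

Added example, not Dependabot's or the GitHub Advisory Database's own code.
It parses the range notation quoted in the report (">= 4.0.0, < 4.0.6")
and checks Maven-style versions against it with numeric comparison.
"""
import re
from functools import total_ordering


@total_ordering
class Version:
    """Dotted numeric version with an optional qualifier (4.0.6, 4.1.0-RC1).

    Numeric parts compare as integers, so 4.0.10 > 4.0.6. A qualifier such as
    RC1, M2 or SNAPSHOT sorts before the bare release with the same numbers,
    the Maven convention that Spring Boot milestones follow.
    """

    def __init__(self, text: str):
        m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.]*))?", text.strip())
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        self.nums = tuple(int(p) for p in m.group(1).split("."))
        self.qualifier = (m.group(2) or "").upper()

    def _key(self):
        # Pad to four numeric parts so 4.1 == 4.1.0; a release (no qualifier)
        # sorts after pre-releases of the same numbers because True > False.
        nums = self.nums + (0,) * (4 - len(self.nums))
        return (nums, self.qualifier == "", self.qualifier)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __str__(self):
        base = ".".join(map(str, self.nums))
        return f"{base}-{self.qualifier}" if self.qualifier else base


# Operators work on Version objects and, for the naive check, on raw strings.
_OPS = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}


def parse_range(spec: str):
    """Turn '>= 4.0.0, < 4.0.6' into [('>=', Version), ('<', Version)]."""
    constraints = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"bad clause {clause!r} in {spec!r}")
        constraints.append((m.group(1), Version(m.group(2))))
    return constraints


def in_range(version: str, spec: str) -> bool:
    """True when every clause of the range holds under numeric comparison."""
    v = Version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def naive_in_range(version: str, spec: str) -> bool:
    """Same clauses evaluated by lexicographic string comparison: the bug to avoid."""
    checks = []
    for clause in spec.split(","):
        op, bound = clause.split()
        checks.append(_OPS[op](version, bound))  # str vs str, character by character
    return all(checks)


def affected(version: str, ranges) -> bool:
    """An advisory lists one vulnerable range per branch; any match means affected."""
    return any(in_range(version, r) for r in ranges)


# The 4.x range both advisories state for spring-boot, as quoted in the report.
ADVISORY_4X_RANGE = ">= 4.0.0, < 4.0.6"

# Hypothetical second range of the kind the report suggests adding if 4.1.x
# were really affected. Constructed for this example; not in either advisory.
HYPOTHETICAL_41X_RANGE = ">= 4.1.0, < 4.1.1"


def report(version: str) -> dict:
    """Summarise how one version fares under each matching strategy."""
    return {
        "version": version,
        "affected_by_stated_range": affected(version, [ADVISORY_4X_RANGE]),
        "affected_if_41x_range_added": affected(
            version, [ADVISORY_4X_RANGE, HYPOTHETICAL_41X_RANGE]
        ),
        "naive_string_match": naive_in_range(version, ADVISORY_4X_RANGE),
    }


if __name__ == "__main__":
    # 4.0.5, 4.0.10 and 4.1.0-RC1 are constructed test values.
    for v in ["4.0.5", "4.0.6", "4.1.0", "4.0.10", "4.1.0-RC1"]:
        print(report(v))
```

Under the stated range, 4.1.0 is not affected by either strategy, so a simple string comparison would not by itself explain the alert in this report; the naive check does, however, mark a constructed 4.0.10 as vulnerable because "1" sorts before "6", which is why a scanner has to compare components numerically. Adding the hypothetical `>= 4.1.0, < 4.1.1` range is the only way the numeric check flags 4.1.0, which is the point of the second suggestion: if 4.1.x is affected, the advisory has to say so in a range of its own. The parser is intentionally minimal and does not model Maven's full qualifier ordering (for example a trailing `.RELEASE` token).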