Spring Framework 5.3.39 will be included in Jenkins 2.473 and later as part of pull request 9612.

I propose that we backport it to Jenkins 2.462.2 so that we reduce the risk of warnings from scanners.

Since the update is not yet included in a weekly release, it is not yet eligible for a backport. I've opened this issue so that the backport idea can be discussed. Basil Crow stated in a GitHub comment that he does not feel strongly either way about a backport.

Benefits of a backport

Most recent release as end of life arrives - The backport will assure that we are using the most recent version of Spring Framework 5.3.x as we approach the 31 Aug 2024 end of life of Spring Framework 5.3.x. That will reduce the risk of complaints from scanners that we are using an outdated 5.3.x version.

Low risk - The 5.3.38 Spring Framework changelog includes a backported new feature that is not used by Jenkins and 6 bug fixes. As far as I can tell, none of the bug fixes apply to Jenkins. 5 of the 6 bug fixes are known to be in areas that are not used by Jenkins (spring web and automated tests). The 1 bug fix that might involve Jenkins is a backport of ConversionService cannot convert primitive array to array of Object. I found no usage of a Spring ConversionService in a GitHub search of the jenkinsci GitHub organization.

Low risk - The 5.3.39 Spring Framework changelog includes a single entry that does not affect Jenkins.

Risks of a backport

Undetected issues - There could be undetected issues in the Spring Framework that cause issues. I believe the risk of undetected issues is low. We updated from Spring Framework 5.3.36 to 5.3.37 in 2.462.1 and have not had any issue reports related to that upgrade.

Limited testing - Since it will arrive in a weekly release 20 Aug 2024, it will be available in a weekly before the 2.462.2 release candidate is created on 21 Aug 2024, but it will have limited testing. I believe the two weeks of the release candidate testing and the weekly releases that will precede 2.462.2 will give good confidence that the new release is safe to include in Jenkins 2.462.2 on 4 Sep 2024.