Spring Security 5.8.14 will be included in Jenkins 2.473 and later as part of pull request 9634.

I propose that we backport it to Jenkins 2.462.2 so that we reduce the risk of warnings from scanners.

Since the update is not yet included in a weekly release, it is not yet eligible for a backport. I've opened this issue so that the backport idea can be discussed.

Benefits of a backport

Most recent release as end of life arrives - The backport will assure that we are using the most recent version of Spring Security 5.8.x as we approach the 31 Aug 2024 end of life of Spring Security 5.8.x. That will reduce the risk of complaints from scanners that we are using an outdated 5.8.x version.

Low risk - The 5.8.14 Spring Security changelog includes a dependency updates, 2 documentation fixes, and a fix in an area that Jenkins does not use.

Risks of a backport

Undetected issues - There could be undetected issues in the Spring Security that cause issues. I believe the risk of undetected issues is low.

Limited testing - Since it will arrive in a weekly release 20 Aug 2024, it will be available in a weekly before the 2.462.2 release candidate is created on 21 Aug 2024, but it will have limited testing. I believe the two weeks of the release candidate testing and the weekly releases that will precede 2.462.2 will give good confidence that the new release is safe to include in Jenkins 2.462.2 on 4 Sep 2024.