Due to security vulnerability concerns, we are considering upgrading to the most recent stable version of the Flowable engine. On Maven, only version 7.1.0 is currently available. However, the Git repository lists versions 7.2.0 and 7.3.0 as well. Are either of these versions viable options for an upgrade, aside from 7.1.0? Thank you!
No, Flowable 7.1.0 is the latest, see Releases · flowable/flowable-engine · GitHub
Where do you see the other versions? https://mvnrepository.com/artifact/org.flowable/flowable-engine doesn’t have them, for example
Ah, I see now. I was mistakenly looking directly at the Git branch 7.2.0.
Apologies for the confusion, and thank you, Joram!
Hi Joram and all,
I wanted to check if there’s any big risk of compatibility issues if we move from Spring Boot 3.3.4 to a newer minor version (like 3.3.x) while using Flowable 7.1.0. I saw a note about a Spring Boot 3.3.6 update in the Flowable Work 3.17 Release Notes, but I’m not entirely sure if this applies to our case.
The reason for the upgrade is that our security tools flagged a few vulnerabilities in the current version (3.3.4):
- org.apache.tomcat.embed:tomcat-embed-core-10.1.30 (CVE-2024-52316, CVE-2024-50379, CVE-2024-56337)
- Maven-org.springframework.security:spring-security-web-6.3.3 (CVE-2024-38821)
- Maven-org.springframework:spring-webmvc-6.1.13 (CVE-2024-38819)
Do you think upgrading to a newer minor version of Spring Boot 3.3.x would be a big risk for Flowable 7.1.0? (Spring Boot 3.3.8 is available now.)
Also, if there’s a new Flowable version coming out soon, it might be worth waiting for that instead. Do you have any idea when the next release is expected?
Thanks
Hey @toni.gamez,
Usually Flowable is compatible with newer minor versions of Spring Boot. So in this case Flowable 7.1.0 is using Spring Boot 3.3.4, upgrading to 3.3.6 or even newer should not be a problem for you.
At the moment I can’t say exactly when the next release of Flowable will be.
Cheers,
Filip
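
A check one could run after bumping Spring Boot, as an added example that is not part of the thread: it parses `mvn dependency:list` output and reports whether the exact versions the scanner flagged above still resolve. The sample outputs are constructed, and the post-upgrade version numbers in them are illustrative, not read from a real Spring Boot BOM.

```python
# Added example: feed it the text printed by `mvn dependency:list`.

# Artifact versions the scanner flagged in the post above.
FLAGGED = {
    ("org.apache.tomcat.embed", "tomcat-embed-core"): "10.1.30",
    ("org.springframework.security", "spring-security-web"): "6.3.3",
    ("org.springframework", "spring-webmvc"): "6.1.13",
}

def resolved_versions(dependency_list_output):
    """Map (groupId, artifactId) -> set of versions resolved in the build."""
    found = {}
    for line in dependency_list_output.splitlines():
        parts = line.replace("[INFO]", "", 1).split()
        if not parts:
            continue
        # group:artifact:type:version:scope, or with a classifier before version
        fields = parts[0].split(":")
        if len(fields) not in (5, 6):
            continue  # banner or status line, not a coordinate
        group, artifact, version = fields[0], fields[1], fields[-2]
        found.setdefault((group, artifact), set()).add(version)
    return found

def still_flagged(dependency_list_output):
    """Return the flagged coordinates that are still on the classpath."""
    found = resolved_versions(dependency_list_output)
    return sorted(
        f"{g}:{a}:{v}"
        for (g, a), v in FLAGGED.items()
        if v in found.get((g, a), set())
    )

# Constructed sample output for a Flowable 7.1.0 / Spring Boot 3.3.4 build.
BEFORE = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo ---
[INFO] The following files have been resolved:
[INFO]    org.flowable:flowable-engine:jar:7.1.0:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.30:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.3.3:compile
[INFO]    org.springframework:spring-webmvc:jar:6.1.13:compile
"""
# Constructed post-upgrade output; the replacement versions are illustrative.
AFTER = (BEFORE.replace("10.1.30", "10.1.34")
         .replace("6.3.3", "6.3.6").replace("6.1.13", "6.1.16"))

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, still_flagged(out) or "no flagged versions resolved")
```

An empty result only shows that the flagged versions are no longer resolved; whether the replacement versions contain the fixes still has to be confirmed against the advisories or a fresh scan.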