Description
Expected Behavior
According to the connect2id issue opened by folks working on spring-security in Sept at https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/441/dependency-convergence-failed-for-nimbus , spring-security moved back to v9.24.4 awaiting release of 9.37.3, which was released Dec 8, 2023 (see https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.37.3). Can spring-security bump to that version safely now to prevent any potential vulns due to https://nvd.nist.gov/vuln/detail/CVE-2023-52428 perhaps?
Current Behavior
Currently spring-security is on a Sept 9, 2022 version of com.nimbusds:nimbus-jose-jwt = 9.24.4.
Context
Would love to see this bump to resolve automated checks we do via a dependency scanner for PCI compliance. An alternative would be if I can use a property to override the version used (à la some of spring-boot), or do a Maven exclusion, I guess.
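As an added example (not part of the original issue and not Spring Security's own code), the two consumer-side overrides the issue alludes to, written as pom.xml fragments that go inside the consuming project's `<project>` element. The artifact coordinates and the 9.37.3 version are the ones named in the issue; the property name `nimbus-jose-jwt.version` is assumed to be the one spring-boot-dependencies uses, and the dependencyManagement form is the plain-Maven fallback for a project that does not inherit from spring-boot-starter-parent.

```xml
<!-- Added example, not from the issue or the Spring Security project. -->

<!-- Option 1: the project inherits from spring-boot-starter-parent.
     Overriding the property (assumed to be named nimbus-jose-jwt.version in
     spring-boot-dependencies) makes Boot's managed version resolve to 9.37.3
     for every module that pulls nimbus-jose-jwt in transitively. -->
<properties>
  <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
</properties>

<!-- Option 2: no Boot parent (plain Maven, or a BOM imported with scope
     "import"). A managed version declared in the consuming project takes
     precedence over the version declared transitively by the Spring Security
     modules, so the pin is applied on every dependency path.
     Caveat: when a BOM is imported in the same dependencyManagement block,
     Maven keeps the first declaration it sees, so this entry must come
     before the BOM import. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>9.37.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Either form is preferable to a bare Maven exclusion, which removes the artifact from the transitive graph and then requires re-declaring it as a direct dependency anyway. After applying one of them, confirm what actually resolved with `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` and re-run the scanner against the resulting build; since the issue itself describes a dependency-convergence problem with this library, run the project's test suite on the pinned version as well rather than trusting the version bump alone.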