To help the Spring community navigate an unprecedented surge in AI-detected security threats, Broadcom's Tanzu business released the largest set of Spring security updates to open source in Spring's 23-year history. Additionally, for customers, Broadcom is extending its proven clean-room build architecture, foundational to Bitnami, to build the Java dependencies for the entire Spring ecosystem. These investments aim to protect the integrity of Spring and prepare Broadcom's customers for the continued rise in AI-enabled security threats.

Recent federal action establishing a national clearinghouse to coordinate and prioritize software vulnerability remediation underscores the core challenge: threat discovery is accelerating, and the bottleneck has shifted to the speed of remediation.

"Spring is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security," said Purnima Padmanabhan, Vice President and General Manager, Tanzu Division, Broadcom. "Because we maintain Spring and are the sole committers, we can better secure it at the source for everyone who depends on it. This investment is about two things we will never separate: the health of the Spring community and the security of our customers who trust Spring to run their business."

Recent advancements in foundation models have driven an explosion of newly-detected security vulnerabilities while shrinking the time-to-exploit window following vulnerability disclosure. The number of monthly security advisories reported to Broadcom by the Spring community alone increased over 1700% from March to April 2026. As a response, Broadcom's Spring engineering team has significantly scaled its investment in advanced AI-assisted security analysis, including frontier model–based scanning and validation workflows to proactively identify vulnerabilities, assess remediation paths, and validate fixes across the dependency ecosystem.

Day Zero access to validated, CVE-only patches for Tanzu Spring customers

In addition to these security initiatives, Tanzu Spring now provides customers with day zero access to validated common vulnerabilities and exposures (CVE) patch-only releases via the Spring Enterprise Repository before patches are released to open source. CVE-only patches isolate the security fix from any other change, allowing customers to remediate faster, shrinking the window of exposure. By utilizing Tanzu Spring's private artifact repositories, customers can be confident that the artifacts are the official, validated patches from Broadcom, the steward of Spring. As always, Broadcom will continue to issue CVEs for all versions of every Spring project under open source support and older versions under Tanzu Spring enterprise support. Broadcom's VMware Tanzu Spring enterprise support includes:

Certified source for secure spring libraries
Commercial-first release of patches for both current and older, enterprise supported versions
Access to dependent Java binaries
Automated, deterministic upgrades with Spring Application Advisor
Exclusive Tanzu Spring components for governance and security
24x7 support, hands-on expertise and access to the Spring team
Securing the Java Software Supply Chain for Spring

As part of this expanded investment in securing the Spring ecosystem and its dependencies, Tanzu Spring customers will now have access to:

Secured, SLSA Level 3–validated software supply chain for Java dependencies.
Coverage that spans the full transitive dependency graph managed by the Spring Boot bill of materials.
Thousands of secured dependencies, built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 of them; across the full supported portfolio, that totals more than 100,000 validated dependency builds.

This extensive investment to provide Spring customers with a clean room-built, verifiable software supply chain across all supported versions of Spring represents a leap forward in strengthening trust, transparency, and resilience across one of the world's most widely adopted Java application development platforms. This capability gives customers validated dependencies across both current and end-of-life Spring versions, helping customers reduce software supply chain risk while continuing to benefit from the productivity and consistency of Spring Boot's dependency management model.

Broadcom is also committed to helping customers apply patches faster to keep up with today's AI-enabled security threats. Broadcom enables customers to assess their application estate, both in source code and running applications, and deterministically recommend and implement upgrades. Broadcom offers capabilities like Tanzu Platform, Tanzu Build Service and buildpacks that better secure the build and deployment of Java applications and allow a single fix to propagate across the application portfolio.