Broadcom Inc. Expands Investment in Spring and Java Ecosystem Security and Releases Largest Set of Spring Security Updates

Broadcom Inc. announced significant security investments for the Spring and Java ecosystem, relied on by over half of Fortune 500 companies. Broadcom?s Tanzu business released the largest set of Spring security updates to open source in Spring?s 23-year history. Broadcom is extending its proven clean-room build architecture, foundational to Bitnami, to build the Java dependencies for the entire Spring ecosystem.

These investments aim to protect the integrity of Spring and prepare Broadcom?s customers for the continued rise in AI-enabled security threats. Broadcom?s Spring engineering team has significantly scaled its investment in advanced AI-assisted security analysis, including frontier model?based scanning and validation workflows to proactively identify vulnerabilities, assess remediation paths, and validate fixes across the dependency ecosystem. Tanzu Spring now provides customers with day zero access to validated common vulnerabilities and exposures (CVE) patch-only releases via the Spring Enterprise Repository before patches are released to open source.

CVE-only patches isolate the security fix from any other change, allowing customers to remediate faster, shrinking the window of exposure. By utilizing Tanzu Spring?s private artifact repositories, customers can be confident that the artifacts are the official, validated patches from Broadcom, the steward of Spring. Broadcom will continue to issue CVEs for all versions of every Spring project under open source support and older versions under Tanzu Spring enterprise support.

Broadcom?s VMware Tanzu Spring enterprise support includes: Certified source for secure spring libraries; Commercial-first release of patches for both current and older, enterprise supported versions; Access to dependent Java binaries; Automated, deterministic upgrades with Spring Application Advisor; Exclusive Tanzu Spring components for governance and security; 24x7 support, hands-on expertise and access to the Spring team. Tanzu Spring customers will now have access to: Secured, SLSA Level 3?validated software supply chain for Java dependencies; Coverage that spans the full transitive dependency graph managed by the Spring Boot bill of materials; Thousands of secured dependencies, built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 of them; across the full supported portfolio, that totals more than 100,000 validated dependency builds.

This extensive investment to provide Spring customers with a clean room-built, verifiable software supply chain across all supported versions of Spring represents a leap forward in strengthening trust, transparency, and resilience across one of the world?s most widely adopted Java application development platforms. This capability gives customers validated dependencies across both current and end-of-life Spring versions, helping customers reduce software supply chain risk while continuing to benefit from the productivity and consistency of Spring Boot's dependency management model. Broadcom enables customers to assess their application estate, both in source code and running applications, and deterministically recommend and implement upgrades. Broadcom offers capabilities like Tanzu Platform, Tanzu Build Service and buildpacks that better secure the build and deployment of Java applications and allow a single fix to propagate across the application portfolio.