There are several instances where I would like to override the version of a transitive dependency for a library that has security vulnerabilities. But it's tough to determine which version I can upgrade to without breaking anything.
For example, I am using Spring Boot Starter 1.5.22, which depends on snakeyaml 1.17.
| | +--- org.springframework.boot:spring-boot-starter:1.5.22.RELEASE
| | | \--- org.yaml:snakeyaml:1.17
In the following page where it lists the dependencies such as the snakeyaml one, there is a column that says "updates:"
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter/1.5.22.RELEASE
Does this indicate that overriding Snakeyaml to version 2.0 whilst retaining Spring Boot 1.5.7 will not break anything?
Note I'm asking GENERALLY, not restricted to this example. To put the question another way: where is the "updates" column version being sourced from? Is it merely displaying the latest published version of the transitive dependency (but not making any claims about its compatibility)?
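For readers who want to try the override the question describes, here is an added example of pinning a transitive dependency in a Gradle build (this is not code from the question, and the pinned version `1.33` is an assumed placeholder, not a claim that it is the right or compatible version for Spring Boot 1.5.x). The example uses the dependency tree quoted above: `spring-boot-starter:1.5.22.RELEASE` pulling in `org.yaml:snakeyaml:1.17`.

```groovy
// build.gradle (Groovy DSL) -- added example, not from the original post.
// Assumes the Gradle 'java' plugin and Maven Central; no Spring dependency-management plugin.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // The starter declares snakeyaml 1.17 transitively (see the tree in the question).
    implementation 'org.springframework.boot:spring-boot-starter:1.5.22.RELEASE'

    // Option A: a dependency constraint. Gradle's resolver takes the highest
    // version among all declared requests, so this raises 1.17 to the constraint.
    constraints {
        implementation('org.yaml:snakeyaml:1.33') {   // '1.33' is an assumed placeholder version
            because 'override the transitive snakeyaml version pulled in by spring-boot-starter'
        }
    }
}

// Option B: force the version for every configuration, regardless of what
// other dependencies ask for. Stronger than a constraint; use one or the other.
configurations.all {
    resolutionStrategy {
        force 'org.yaml:snakeyaml:1.33'   // '1.33' is an assumed placeholder version
    }
}
```

To confirm which version actually ends up on the classpath, and why, run `gradle dependencyInsight --dependency org.yaml:snakeyaml --configuration runtimeClasspath`; the report shows the selected version and the rule (constraint or forced) that selected it. Neither mechanism checks binary compatibility: after pinning, the application's own test suite is what tells you whether the override broke anything. If the build also applies Spring's dependency-management plugin, its BOM manages snakeyaml through a version property instead, and the override is normally expressed by setting that property (for snakeyaml, `ext['snakeyaml.version']`) rather than through the constraint above.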