Broadcom expands Spring security with faster patches

Mon, 8th Jun 2026

Broadcom has expanded its security investment in the Spring and Java ecosystem, including a broad set of Spring security updates and new measures for paying customers.

Its Tanzu unit has issued what it called the largest batch of Spring security updates released to open source in the framework's 23-year history. Broadcom is also extending its clean-room build approach, already used in Bitnami, to Java dependencies across the Spring ecosystem for customers.

Spring is one of the most widely used Java application development frameworks and, according to Broadcom, is relied on by more than half of Fortune 500 companies. The company said the changes respond to a sharp rise in vulnerabilities identified with the help of artificial intelligence tools, as well as a shrinking gap between disclosure and attempted exploitation.

Broadcom said the number of monthly security advisories reported by the Spring community rose by more than 1700% from March to April 2026. Its engineering teams have also increased spending on AI-assisted security analysis, including model-based scanning and validation workflows designed to identify vulnerabilities, test remediation options, and verify fixes across related dependencies.

Patch access

For Tanzu Spring customers, Broadcom will provide day-zero access to validated CVE patch-only releases through the Spring Enterprise Repository before those patches are made available in open source. These patch-only releases are intended to isolate security fixes from other code changes so customers can apply remediation more quickly.

Broadcom will continue issuing CVEs for all versions of every Spring project still under open source support, as well as older versions covered by Tanzu Spring enterprise support. Enterprise support also includes access to dependent Java binaries, automated upgrades with Spring Application Advisor, additional governance and security components, and 24/7 support.

Broadcom is also expanding its software supply chain work around the Java dependencies used by Spring. Tanzu Spring customers will get access to a software supply chain for Java dependencies validated to SLSA Level 3, with coverage across the full transitive dependency graph managed by the Spring Boot bill of materials.

That includes thousands of dependencies built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 dependencies, while the full supported portfolio amounts to more than 100,000 validated dependency builds, according to Broadcom.

Source security

The clean-room build model is designed to give customers a verifiable source for the Java dependencies beneath Spring applications. Broadcom said the approach will apply to both current and end-of-life Spring versions that remain under support, with the aim of reducing software supply chain risk while preserving Spring Boot's dependency management approach.

The announcement reflects a broader shift in software security, where the challenge is no longer only finding vulnerabilities but fixing them before attackers can move. Broadcom pointed to recent federal action creating a national clearinghouse for coordinating and prioritising software vulnerability remediation as evidence that the bottleneck has shifted from discovery to response.

That matters for Java developers because Spring sits deep inside many business applications, and delays in patching can ripple across large estates of services and internal tools. Broadcom said its wider Tanzu portfolio, including Tanzu Platform, Tanzu Build Service, and buildpacks, is intended to help customers assess source code and running applications, then apply recommended upgrades more consistently.

"Spring is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security," said Purnima Padmanabhan, Vice President and General Manager, Tanzu Division, Broadcom.

"Because we maintain Spring and are the sole committers, we can better secure it at the source for everyone who depends on it. This investment is about two things we will never separate: the health of the Spring community and the security of our customers who trust Spring to run their business," Padmanabhan said.