JMeter references a vulnerable version of the Spring framework. My customer blocks access to all vulnerable versions of Spring, thus making it impossible for me to run JMeter from within the jmeter-maven-plugin (which downloads all JMeter dependencies automagically). When will there be a release using a safe version of the Spring framework (>= 5.3.18)? Regards, René
JMeter itself does not need Spring and is not bundled with it. It is probably a dependency from ActiveMQ (which we include for testing JMS). If you are on Java 9+ you can replace the bad jars following the documentation on the jmeter maven plugin's site: https://github.com/jmeter-maven-plugin/jmeter-maven-plugin/wiki/Adding-Excluding-libraries-to-from-the-classpath Questions on the usage of the jmeter maven plugin are better asked on their forums.
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/5659