Although we review our dependencies from time to time, and some of them (Spring, for example) on a regular basis because they are critical direct dependencies, there are others, either peripheral or indirect, that we have not reviewed in years. At the time of writing, for example, the v4 snapshots include some artifacts that are a decade old.
We should perform a deep review of all our shipped dependencies, transitively, before shipping v4 of the IdP.
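As an added example (not the project's own tooling), the following Python script shows one way to start such a review: it parses `mvn dependency:tree` output to enumerate every shipped artifact together with its depth and the direct dependency that pulls it in, then flags the artifacts that are indirect, undated or older than a chosen age. The tree text, coordinates and release dates are constructed for illustration and are not the IdP's real dependency graph; real release dates would come from the repository metadata.

```python
"""Enumerate a Maven project's shipped dependencies, transitively, and flag the
ones a dependency review should look at first: indirect dependencies (easy to
forget) and artifacts whose release date is old.

The tree text below is constructed to look like `mvn dependency:tree` output;
coordinates and release dates are made up for the example.
"""
from dataclasses import dataclass, field
from datetime import date
import re

# Constructed sample of `mvn dependency:tree` output (hypothetical coordinates).
SAMPLE_TREE = """\
[INFO] org.example:idp-war:war:4.0.0-SNAPSHOT
[INFO] +- org.example:framework-core:jar:5.2.0:compile
[INFO] |  \\- org.example:framework-logging:jar:5.2.0:compile
[INFO] +- org.example:codec:jar:1.3:compile
[INFO] \\- org.example:peripheral-lib:jar:1.0:compile
[INFO]    \\- org.example:ancient-util:jar:0.9:compile
"""

# Constructed release dates keyed by group:artifact:version. In a real review
# these come from the repository's artifact metadata, not from a hand-made map.
RELEASE_DATES = {
    "org.example:framework-core:5.2.0": date(2019, 9, 30),
    "org.example:framework-logging:5.2.0": date(2019, 9, 30),
    "org.example:codec:1.3": date(2005, 10, 1),
    "org.example:peripheral-lib:1.0": date(2012, 3, 14),
    "org.example:ancient-util:0.9": date(2008, 6, 2),
}


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int                                 # 1 = direct, >1 = transitive
    path: list = field(default_factory=list)   # ancestors, direct dep first

    @property
    def key(self):
        return f"{self.group}:{self.artifact}:{self.version}"


# Optional "[INFO] " prefix, then tree-drawing characters, then the coordinates.
_LINE = re.compile(r"^(?:\[INFO\] )?([ |+\\-]*)(\S.*)$")


def parse_tree(text):
    """Parse `mvn dependency:tree` text into Dep objects (the project root is skipped).

    Every tree level is drawn with three characters ("+- ", "\\- ", "|  " or
    "   "), so the depth is the length of the drawing prefix divided by three.
    """
    deps = []
    stack = []  # group:artifact of the ancestors at each depth
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        prefix, coords = m.groups()
        depth = len(prefix) // 3
        if depth == 0:
            continue  # the project itself, not a dependency
        parts = coords.split(":")  # group:artifact:type[:classifier]:version:scope
        group, artifact, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        del stack[depth - 1:]  # drop siblings' descendants from the ancestor chain
        dep = Dep(group, artifact, version, scope, depth, list(stack))
        stack.append(f"{group}:{artifact}")
        deps.append(dep)
    return deps


def review(deps, release_dates, as_of, max_age_years=5):
    """Return (dep, reasons) pairs for dependencies that merit a close look.

    Reasons: "indirect" for anything not declared directly by the project,
    "undated" when no release date is known, "stale" when the artifact is older
    than max_age_years as of the given date.
    """
    findings = []
    for dep in deps:
        reasons = []
        if dep.depth > 1:
            reasons.append("indirect")
        released = release_dates.get(dep.key)
        if released is None:
            reasons.append("undated")
        elif (as_of - released).days > max_age_years * 365:
            reasons.append("stale")
        if reasons:
            findings.append((dep, reasons))
    return findings


def review_sample(as_of="2020-01-01", max_age_years=5):
    """Run the review over the constructed sample; returns {coordinates: reasons}."""
    deps = parse_tree(SAMPLE_TREE)
    findings = review(deps, RELEASE_DATES, date.fromisoformat(as_of), max_age_years)
    return {dep.key: reasons for dep, reasons in findings}


if __name__ == "__main__":
    for dep, reasons in review(parse_tree(SAMPLE_TREE), RELEASE_DATES, date(2020, 1, 1)):
        via = " -> ".join(dep.path) or "(direct)"
        print(f"{dep.key:45} {', '.join(reasons):18} via {via}")
```

The path column is what makes the transitive part of the review actionable: an old indirect artifact can only be upgraded or excluded through the direct dependency that drags it in, so the report names that dependency next to each finding.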