CLI Versioning Requirements for Enterprise Repository CVE Patches
Article ID: 441342


Products

VMware Tanzu Spring Runtime

Issue/Introduction

Since patch recipes are now shipped with the CLI, is it necessary to cut and release a new CLI version every time a CVE is patched or a new hotfix is published in the Spring enterprise repository?


Environment

  • Application Advisor
  • Tanzu Spring Essentials
  • Tanzu Spring

Resolution

No, new versions of the CLI are not required for every CVE patch or enterprise repository update. The CLI is designed with two distinct commands to handle different update cadences:

  1. advisor patch apply (available in an upcoming release):

    • Purpose: Used specifically for hotfixes and patch versions.
    • Behavior: It calculates if new patch versions exist for the consumed artifacts.
    • Dependency Alignment: This command does not require an "upgrade plan" resolution, so it does not need to realign the full dependency graph; it simply targets the latest patch version of each artifact already in use.
  2. advisor upgrade-plan apply:

    • Purpose: Used for minor and major version upgrades.
    • Behavior: This command manages the transition to newer feature releases which may involve breaking changes or dependency realignment.

Key Implementation Details:

  • Repository Access: The Maven settings.xml for the environment running the CLI must be configured with the Broadcom Enterprise Repository (or a local proxy) to resolve the proper versions of commercial artifacts.
  • Version Preference: For versions that are out of Open Source Software (OSS) support, the tool is designed to recommend a jump to the latest available enterprise hotfix/patch before suggesting a move to a new minor or major version.
  • Workflow Integration: Customers typically maintain two separate pipelines or workflows: one for patch apply (run at higher frequency for security compliance) and one for upgrade-plan apply (run at lower frequency for feature upgrades).
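The following Maven settings.xml is an added illustration of the "Repository Access" point above; it is example configuration written for this article, not a file shipped by the product or taken from the original page. The repository id `spring-enterprise`, the environment variable names, and both URLs (`REPO_HOST`, `PROXY_HOST`) are placeholders: substitute the repository URL and credentials from your own Broadcom entitlement, or your internal proxy's address.

```xml
<!-- Example settings.xml (illustration only; ids, env var names and hosts are placeholders) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0
                              https://maven.apache.org/xsd/settings-1.2.0.xsd">

  <!-- Credentials for the enterprise repository. The server <id> must match the
       <repository> id below. Values are read from environment variables so the
       file itself holds no secret; for a file that must be checked in, use
       'mvn encrypt-password' with a settings-security.xml instead of plain text. -->
  <servers>
    <server>
      <id>spring-enterprise</id>
      <username>${env.SPRING_ENTERPRISE_USER}</username>
      <password>${env.SPRING_ENTERPRISE_TOKEN}</password>
    </server>
  </servers>

  <!-- Profile that makes the commercial artifacts resolvable by the CLI and by
       Maven builds alike. Snapshots are disabled: only released patch/hotfix
       versions should be consumed from this repository. -->
  <profiles>
    <profile>
      <id>spring-enterprise</id>
      <repositories>
        <repository>
          <id>spring-enterprise</id>
          <!-- Placeholder host: replace with the repository URL from your entitlement -->
          <url>https://REPO_HOST/artifactory/spring-enterprise</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>false</enabled></snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>spring-enterprise</activeProfile>
  </activeProfiles>

  <!-- Optional: route the enterprise repository through a local proxy (for
       example an internal Artifactory or Nexus remote). Uncomment to enable.
       Note that Maven authenticates a mirror with the <server> whose id equals
       the mirror id, so add a matching <server> entry (id internal-proxy)
       when enabling this block.
  <mirrors>
    <mirror>
      <id>internal-proxy</id>
      <mirrorOf>spring-enterprise</mirrorOf>
      <url>https://PROXY_HOST/repository/spring-enterprise-proxy</url>
    </mirror>
  </mirrors>
  -->
</settings>
```

Keeping the repository id stable across the `<server>`, `<repository>` and (if used) `<mirrorOf>` entries is the most common source of "artifact not found" failures when the CLI runs in a pipeline; a quick check is `mvn help:effective-settings`, which prints the resolved configuration with passwords masked.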

Additional Information

Accessing Spring Enterprise Release Notes and Changelogs - https://knowledge.broadcom.com/external/article/436475