Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump thymeleaf from 3.0.12.RELEASE to 3.0.15.RELEASE #2603

Merged
merged 1 commit into from Sep 18, 2022
Merged

build(deps): bump thymeleaf from 3.0.12.RELEASE to 3.0.15.RELEASE #2603

merged 1 commit into from Sep 18, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 30, 2022

Bumps thymeleaf from 3.0.12.RELEASE to 3.0.15.RELEASE.

Changelog

Sourced from thymeleaf's changelog.

3.1.0.M2

  • Refactored project structure: merged thymeleaf-spring, thymeleaf-testing and thymeleaf-dist into main "thymeleaf" repository.
  • Added Maven multiproject infrastructure: added thymeleaf-parent, thymeleaf-lib and thymeleaf-testing-lib pom artifacts.
  • Added project-wide BOM (thymeleaf-parent) for the unified management of dependency and plugin versions.
  • Removed website content from "dist" (thymeleaf-dist) in favour of the thymeleaf.github.com repository.
  • Refactored build and release procedure: replaced use of maven-release-plugin with maven-deploy-plugin.
  • Fixed missing null checks in web interfaces causing NPEs.
  • Fixed explanatory error message for removed expression utility objects.
  • Fixed type/member restriction application in order to avoid being too restrictive on valid interfaces.

3.1.0.M1

  • Support Servlet 5.0 (jakarta.) namespace besides Servlet < 5 (javax.).
  • Support Spring 6.0 (6.0.0-SNAPSHOT): new lib module thymeleaf-spring6.
  • Removed support for Spring 3.x and Spring 4.x.
  • Removed web-API based expression security objects (#request, #response, #session, #servletContext).
  • Set minimum JDK compatibility level to JDK 8 project-wide (JDK 17 for thymeleaf-spring6).
  • Seggregated Spring support in thymeleaf-testing into specific modules: thymeleaf-testing-spring5 and thymeleaf-testing-spring6.

3.0.15

  • Fix expression parsing inconsistency provoked by empty literal substitutions.
  • Block calling methods of blocked classes in expressions.
  • Block static and constructor access to certain classes.

3.0.14

  • Fixed inconsistent restricted variable access check due to caching.
  • Improved detection of restricted expression execution scenarios.
  • Improved detection of restricted usages of view names in direct request input.

3.0.13

  • Fixed CVE-2021-43466: Specific scenarios in template injection may lead to remote code execution.
  • Fixed incorrect double-unescaping of request parameters breaking processing of forms during restricted mode checks.
  • Fixed SpringStandardDialect not allowing the use of a custom IStandardConversionService.

... (truncated)

Commits
  • a29417f [maven-release-plugin] prepare release thymeleaf-3.0.15.RELEASE
  • 49e35a4 Adapted expression blacklisting to 3.0 expectations: specifically blacklist a...
  • 2c86d93 Allowed calling methods on request, response and session objects (only for 3.0)
  • 7c6a3d5 Adapted ExpressionUtils code back to JDK 6
  • 0685b3d Forbid calling methods on blacklisted classes
  • ea67148 Added ACL-based restrictions on what classes can be referenced in expressions
  • b4051d3 Modified processing of literal substitutions: avoid empty expressions
  • b94d4ed [maven-release-plugin] prepare for next development iteration
  • c2643c6 [maven-release-plugin] prepare release thymeleaf-3.0.14.RELEASE
  • 08f474f Improved detection of restricted scenarios
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump thymeleaf from 3.0.12.RELEASE to 3.0.15.RELEASE
a610f68 
Bumps [thymeleaf](https://github.com/thymeleaf/thymeleaf) from 3.0.12.RELEASE to 3.0.15.RELEASE.
- [Release notes](https://github.com/thymeleaf/thymeleaf/releases)
- [Changelog](https://github.com/thymeleaf/thymeleaf/blob/3.1-master/ChangeLog.txt)
- [Commits](thymeleaf/thymeleaf@thymeleaf-3.0.12.RELEASE...thymeleaf-3.0.15.RELEASE)

---
updated-dependencies:
- dependency-name: org.thymeleaf:thymeleaf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels May 30, 2022
@dependabot dependabot bot changed the base branch from 2.x to 3.x September 6, 2022 14:49
@jknack jknack added this to the 3.0.0-alpha.1 milestone Sep 18, 2022
@jknack jknack merged commit f868324 into 3.x Sep 18, 2022
@dependabot dependabot bot deleted the dependabot/maven/org.thymeleaf-thymeleaf-3.0.15.RELEASE branch September 18, 2022 14:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file java Pull requests that update Java code
Projects
None yet
Milestone
3.0.0.M1
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@jknack