[Snyk] Upgrade org.thymeleaf.extras:thymeleaf-extras-springsecurity5 from 3.0.4.RELEASE to 3.1.3.RELEASE#5
Conversation
…om 3.0.4.RELEASE to 3.1.3.RELEASE Snyk has created this PR to upgrade org.thymeleaf.extras:thymeleaf-extras-springsecurity5 from 3.0.4.RELEASE to 3.1.3.RELEASE. See this package in maven: org.thymeleaf.extras:thymeleaf-extras-springsecurity5 See this project in Snyk: https://app.snyk.io/org/r4devopsdotcom/project/4288e90f-f21f-499f-9be2-cbb7492d3f78?utm_source=github&utm_medium=referral&page=upgrade-pr
Pull request overview
This PR upgrades the thymeleaf-extras-springsecurity5 dependency from version 3.0.4.RELEASE to 3.1.3.RELEASE to address a medium-severity Cross-site Scripting (XSS) vulnerability (SNYK-JAVA-ORGTHYMELEAFEXTRAS-572299).
Changes:
- Updated thymeleaf-extras-springsecurity5 version from 3.0.4.RELEASE to 3.1.3.RELEASE in pom.xml
| <dependency> | ||
| <groupId>org.thymeleaf.extras</groupId> | ||
| <artifactId>thymeleaf-extras-springsecurity5</artifactId> | ||
| <version>3.0.4.RELEASE</version> | ||
| <version>3.1.3.RELEASE</version> | ||
| </dependency> |
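Review bot: only the version moves in this hunk while the artifactId stays thymeleaf-extras-springsecurity5, which targets Spring Security 5.x; with the project on the Spring Boot 3.0.6 parent (which pulls in Spring Security 6), the XSS fix should be taken by switching the module as well, e.g. `<artifactId>thymeleaf-extras-springsecurity6</artifactId>` with a 3.1.x version, rather than bumping the 5.x-targeted module. Please also confirm after the change that the resolved version of org.thymeleaf.extras in the dependency tree is no longer the one Snyk flagged.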
This dependency upgrade has a critical compatibility issue. Spring Boot 3.0.6 (line 8) uses Spring Security 6 by default, but thymeleaf-extras-springsecurity5 version 3.1.3.RELEASE is designed for Spring Security 5.x.
For Spring Boot 3.x with Spring Security 6, you should use thymeleaf-extras-springsecurity6 instead. This will require changing both the artifactId and version. For example:
- artifactId: thymeleaf-extras-springsecurity6
- version: 3.1.2.RELEASE (or later)
While the application may currently work because the Thymeleaf Security extras are not actively used in the templates (no sec: namespace found), this mismatch could cause runtime issues if security-specific Thymeleaf features are used in the future.
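As an added example (not part of this PR, the Snyk output, or the Copilot review), here is a small check a project could run in CI to catch the mismatch described above before a dependency bot merges it: it parses pom.xml, takes the Spring Boot major version from the parent, and verifies that any thymeleaf-extras-springsecurityN dependency is the module for that Boot generation. The sample pom.xml is constructed to mirror this PR (Spring Boot 3.0.6 parent plus springsecurity5 at 3.1.3.RELEASE); the Boot-to-module pairing table and the function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml mirroring the PR: a Spring Boot 3.x parent together
# with the thymeleaf-extras-springsecurity5 dependency the PR bumps to 3.1.3.RELEASE.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.0.6</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.thymeleaf.extras</groupId>
      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
      <version>3.1.3.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumed pairing (not from the PR): Spring Boot 2.x ships Spring Security 5,
# Spring Boot 3.x ships Spring Security 6, and the Thymeleaf extras module
# name must track that Spring Security generation.
EXPECTED_EXTRAS = {
    2: "thymeleaf-extras-springsecurity5",
    3: "thymeleaf-extras-springsecurity6",
}


def spring_boot_major(root):
    """Return the Spring Boot major version from the <parent>, or None if absent."""
    parent = root.find("m:parent", NS)
    if parent is None:
        return None
    if parent.findtext("m:groupId", namespaces=NS) != "org.springframework.boot":
        return None
    version = parent.findtext("m:version", default="", namespaces=NS)
    m = re.match(r"(\d+)\.", version)   # a property reference like ${x} yields None
    return int(m.group(1)) if m else None


def thymeleaf_security_extras(root):
    """Return (artifactId, version) for every org.thymeleaf.extras springsecurity dependency."""
    found = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        if gid == "org.thymeleaf.extras" and aid.startswith("thymeleaf-extras-springsecurity"):
            version = dep.findtext("m:version", default="(managed)", namespaces=NS)
            found.append((aid, version))
    return found


def check_pom(pom_xml):
    """Return a list of human-readable findings; an empty list means no mismatch."""
    root = ET.fromstring(pom_xml)
    major = spring_boot_major(root)
    if major is None:
        return ["no Spring Boot parent version found; cannot infer the Spring Security generation"]
    expected = EXPECTED_EXTRAS.get(major)
    findings = []
    for aid, version in thymeleaf_security_extras(root):
        if expected is None:
            findings.append(f"unknown Spring Boot major {major}; check {aid}:{version} manually")
        elif aid != expected:
            findings.append(f"{aid}:{version} does not match Spring Boot {major}.x; use {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_pom(SAMPLE_POM):
        print("MISMATCH:", finding)
```

Running it against the sample reports the springsecurity5 module as mismatched for a Boot 3.x parent; swapping the artifactId to thymeleaf-extras-springsecurity6 (or moving the parent to a 2.x version) makes the check pass. In a real pipeline the pom would be read from disk and the check made to fail the build on any finding, so an automated version bump cannot land the wrong module.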
Snyk has created this PR to upgrade org.thymeleaf.extras:thymeleaf-extras-springsecurity5 from 3.0.4.RELEASE to 3.1.3.RELEASE.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 8 versions ahead of your current version.
The recommended version was released a year ago.
Issues fixed by the recommended upgrade:
SNYK-JAVA-ORGTHYMELEAFEXTRAS-572299
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: