Conversation

@dependabot dependabot bot commented on behalf of github Jul 21, 2022

Bumps thymeleaf from 3.0.12.RELEASE to 3.0.15.RELEASE.

Changelog

Sourced from thymeleaf's changelog.

3.1.0.M2

  • Refactored project structure: merged thymeleaf-spring, thymeleaf-testing and thymeleaf-dist into main "thymeleaf" repository.
  • Added Maven multiproject infrastructure: added thymeleaf-parent, thymeleaf-lib and thymeleaf-testing-lib pom artifacts.
  • Added project-wide BOM (thymeleaf-parent) for the unified management of dependency and plugin versions.
  • Removed website content from "dist" (thymeleaf-dist) in favour of the thymeleaf.github.com repository.
  • Refactored build and release procedure: replaced use of maven-release-plugin with maven-deploy-plugin.
  • Fixed missing null checks in web interfaces causing NPEs.
  • Fixed explanatory error message for removed expression utility objects.
  • Fixed type/member restriction application in order to avoid being too restrictive on valid interfaces.

3.1.0.M1

  • Support Servlet 5.0 (jakarta.) namespace besides Servlet < 5 (javax.).
  • Support Spring 6.0 (6.0.0-SNAPSHOT): new lib module thymeleaf-spring6.
  • Removed support for Spring 3.x and Spring 4.x.
  • Removed web-API based expression security objects (#request, #response, #session, #servletContext).
  • Set minimum JDK compatibility level to JDK 8 project-wide (JDK 17 for thymeleaf-spring6).
  • Segregated Spring support in thymeleaf-testing into specific modules: thymeleaf-testing-spring5 and thymeleaf-testing-spring6.

3.0.15

  • Fix expression parsing inconsistency provoked by empty literal substitutions.
  • Block calling methods of blocked classes in expressions.
  • Block static and constructor access to certain classes.

3.0.14

  • Fixed inconsistent restricted variable access check due to caching.
  • Improved detection of restricted expression execution scenarios.
  • Improved detection of restricted usages of view names in direct request input.

3.0.13

  • Fixed CVE-2021-43466: Specific scenarios in template injection may lead to remote code execution.
  • Fixed incorrect double-unescaping of request parameters breaking processing of forms during restricted mode checks.
  • Fixed SpringStandardDialect not allowing the use of a custom IStandardConversionService.

... (truncated)

Commits
  • a29417f [maven-release-plugin] prepare release thymeleaf-3.0.15.RELEASE
  • 49e35a4 Adapted expression blacklisting to 3.0 expectations: specifically blacklist a...
  • 2c86d93 Allowed calling methods on request, response and session objects (only for 3.0)
  • 7c6a3d5 Adapted ExpressionUtils code back to JDK 6
  • 0685b3d Forbid calling methods on blacklisted classes
  • ea67148 Added ACL-based restrictions on what classes can be referenced in expressions
  • b4051d3 Modified processing of literal substitutions: avoid empty expressions
  • b94d4ed [maven-release-plugin] prepare for next development iteration
  • c2643c6 [maven-release-plugin] prepare release thymeleaf-3.0.14.RELEASE
  • 08f474f Improved detection of restricted scenarios
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [thymeleaf](https://github.com/thymeleaf/thymeleaf) from 3.0.12.RELEASE to 3.0.15.RELEASE.
- [Release notes](https://github.com/thymeleaf/thymeleaf/releases)
- [Changelog](https://github.com/thymeleaf/thymeleaf/blob/3.1-master/ChangeLog.txt)
- [Commits](thymeleaf/thymeleaf@thymeleaf-3.0.12.RELEASE...thymeleaf-3.0.15.RELEASE)

---
updated-dependencies:
- dependency-name: org.thymeleaf:thymeleaf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jul 21, 2022
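The 3.0.x lines quoted above (3.0.13 for CVE-2021-43466, 3.0.14 and 3.0.15 for the tightened expression restrictions) only protect a deployment if the version Maven actually resolves is at or above 3.0.15.RELEASE, and this PR was closed as superseded rather than merged. The declared version in the POM is not the evidence; the resolved dependency tree is, because a starter or BOM can bring Thymeleaf in transitively as well. The following check is an added example, not part of this PR, of Thymeleaf or of Dependabot: it reads `mvn dependency:tree` output (the `-Dincludes=org.thymeleaf` filter and the `group:artifact:type:version:scope` line format are Maven's own) and flags every `org.thymeleaf:thymeleaf` entry below a given fixed version. The tree text and the `com.example:webapp` project are constructed for the example.

```python
"""Check a Maven dependency tree for a dependency that is still below a fixed version."""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:tree -Dincludes=org.thymeleaf` output; it is not
# taken from the repository this PR targets. TREE_BEFORE models the tree before the bump
# (thymeleaf 3.0.12.RELEASE), TREE_AFTER the tree after a bump to 3.0.15.RELEASE.
TREE_BEFORE = """\
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.5.4:compile
[INFO] |  \\- org.thymeleaf:thymeleaf-spring5:jar:3.0.12.RELEASE:compile
[INFO] \\- org.thymeleaf:thymeleaf:jar:3.0.12.RELEASE:compile
"""
TREE_AFTER = TREE_BEFORE.replace(
    "org.thymeleaf:thymeleaf:jar:3.0.12.RELEASE",
    "org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE",
)

# Leading numeric components, then an optional qualifier such as RELEASE, M2, RC1 or SNAPSHOT.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]([A-Za-z][\w.-]*))?$")
_FINAL_QUALIFIERS = {"RELEASE", "FINAL", "GA"}

VersionKey = Tuple[Tuple[int, ...], int, str]


def parse_version(version: str) -> Optional[VersionKey]:
    """Turn '3.0.12.RELEASE' into a comparable key; None if the string is not understood.

    Key layout: (numeric components padded to three, 1 for a final release else 0, qualifier).
    Plain tuple ordering then ranks 3.1.0.M2 below 3.1.0.RELEASE and 3.0.12 below 3.0.15.
    """
    m = _VERSION_RE.match(version)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    qualifier = (m.group(2) or "RELEASE").upper()
    return (nums, 1 if qualifier in _FINAL_QUALIFIERS else 0, qualifier)


def find_below_fix(tree_text: str, group_id: str, artifact_id: str,
                   fixed_version: str) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every tree entry of group:artifact below fixed_version.

    Entries whose version cannot be parsed (for example an unresolved property) are returned
    too, so they get a human look instead of silently passing.
    """
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"unparseable fixed version: {fixed_version}")
    hits: List[Tuple[str, str]] = []
    for line in tree_text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        # Drop the log prefix and the tree-drawing characters (`+- `, `|  `, `\- `).
        coordinate = line[len("[INFO]"):].lstrip(" |+\\-").strip()
        parts = coordinate.split(":")
        if len(parts) < 5:  # the root artifact carries no scope and is not a dependency
            continue
        group, artifact, version = parts[0], parts[1], parts[-2]  # [-2] skips an optional classifier
        if (group, artifact) != (group_id, artifact_id):
            continue
        parsed = parse_version(version)
        if parsed is None or parsed < fixed:
            hits.append((coordinate, version))
    return hits


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree -Dincludes=org.thymeleaf | python check_tree.py
    if sys.stdin.isatty():
        trees = [("before", TREE_BEFORE), ("after", TREE_AFTER)]
    else:
        trees = [("stdin", sys.stdin.read())]
    for label, tree in trees:
        bad = find_below_fix(tree, "org.thymeleaf", "thymeleaf", "3.0.15.RELEASE")
        status = "OK" if not bad else "BELOW FIX: " + ", ".join(c for c, _ in bad)
        print(f"{label}: {status}")
```

Run against the constructed trees the script reports the 3.0.12.RELEASE entry before the bump and nothing after it; against a real build, pipe the `dependency:tree` output in and gate CI on a non-empty result. The version key deliberately treats a missing qualifier as a final release, so `2.5.4` and `2.5.4.RELEASE` compare equal, while milestone and snapshot qualifiers sort below the release with the same numbers.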
dependabot bot commented on behalf of github Mar 20, 2023

Superseded by #25.

@dependabot dependabot bot closed this Mar 20, 2023
@dependabot dependabot bot deleted the dependabot/maven/org.thymeleaf-thymeleaf-3.0.15.RELEASE branch March 20, 2023 20:32