Bump thymeleaf from 2.1.4.RELEASE to 3.0.12.RELEASE

[dependabot-preview]

Bumps thymeleaf from 2.1.4.RELEASE to 3.0.12.RELEASE.

Changelog

Sourced from thymeleaf's changelog.

3.0.12

• Fixed #numbers.format*() expression utility methods not producing numbers using the correct digit symbols for locales that use them, in JDK versions where NumberFormat does this (currently >= JDK15).
• Fixed "package-list" not being produced for JavaDoc since JDK 11 started being used for compiling the project.
• Added instantiation of new objects and calls to static classes as forbidden operations in restricted mode.
• Updated OGNL dependency to 3.1.26.
• Updated jackson-databind to 2.11.3 and jackson-datatype to 2.11.3 (due to vulnerabilities in previous versions).

3.0.11

• Updated jackson-databind dependency to 2.9.7 (due to vulnerabilities in previous jackson version).

3.0.10

• Fixed StackOverflowError when inserting content before first element of model in a model processor.
• Improved restricted expression evaluation mode to forbid output of textual data from context variables inside JavaScript event handlers in HTML templates.
• Improved HTML event handler attributes (th:on*) in order to allow processing of their values as fragments of inlined JavaScript (using JAVASCRIPT template mode).
• Improved use of template name abbreviation in logs and exceptions.
• Added "Automatic-Module-Name: thymeleaf" to MANIFEST.MF for Java 9+ JPMS.
• Updated AttoParser dependency to 2.0.5.RELEASE
• Updated Unbescape dependency to 1.1.6.RELEASE

3.0.9

• Fixed hit ratio in StandardCache not being correctly computed (always 1 or 0).
• Improve restricted expression evaluation mode to restrict access to some request features (#request.getParameter(), #request.getParameterValues(), #request.getParameterMap(), #request.getQueryString()).
• Added new scenarios for restricted expression evaluation: th:on*, th:attr, th:src, th:href, default attribute processor, fragment expressions, link expressions (only for URL bases), inlined output expression in TEXT mode.

3.0.8

• Fixed WebEngineContext returning wrong boolean values for ServletContextAttributesMap#isEmpty() and SessionAttributesMap#isEmpty().
• Fixed DateFormat implementation being used for Jackson-based serialization of dates not implementing clone() properly, which could result in thread-safety issues on the underlying SimpleDateFormat instance.
• Fixed JavaScript parser failing on parsing JS regexp or JS template literals that contained unbalanced quotes.
• Improved behaviour when parser-level or prototype-only comment block is not closed at the end of template. An exception is now thrown.
• Updated SLF4j dependency to 1.7.25.

3.0.7

Commits

• 9a9dec1 [maven-release-plugin] prepare release thymeleaf-3.0.12.RELEASE
• 2dc77bb Added 'pack' utility method to StringUtils
• 4654cd2 Updated changelog for #809
• d9bafb0 Minor javadoc modification
• 9b55805 Implemented #809 for OGNL-based scenarios
• 283f70a Fixed #782 - #numbers.format*() expression utility methods not producing numb...
• 30e8b8d Made version parsing mechanism more lenient
• 77d1942 Improved mechanism for internally processing library versions
• 44eefb4 Closes #754 - Block "javascript:" scheme in Link Expressions
• 0b6f046 Apply trim() on link base before processing in order for schemes to be dealt ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)