
fix(security): patch Thymeleaf SSTI, Actuator auth bypass, and logback CVE-2026-1225#229

Merged
Koosha-Owji merged 2 commits into
mainfrom
fix/security-cve-logback-and-deps
Apr 28, 2026

Conversation

dtoxvanilla1991 (Contributor) commented Apr 19, 2026

Summary

Supersedes #228 (which has branch conflicts and a Snyk failure because it only upgrades logback to 1.5.20 instead of the latest patched version 1.5.32).

This PR fixes all CVE vulnerabilities identified across the playground modules.

Changes

Dependency                        From             To              CVE / Reason
org.thymeleaf:thymeleaf           3.1.3.RELEASE    3.1.4.RELEASE   SSTI (CRITICAL)
org.thymeleaf:thymeleaf-spring6   3.1.3.RELEASE    3.1.4.RELEASE   SSTI (CRITICAL)
spring-boot-starter-actuator      3.5.5 / 3.5.6    3.5.12          Auth bypass (HIGH)
ch.qos.logback:logback-classic    1.5.19           1.5.32          CVE-2026-1225 ACE (HIGH)

Modules affected

  • playground/kinde-springboot-starter-example
  • playground/kinde-springboot-thymeleaf-full-example
  • playground/kinde-springboot-pkce-client-example - thymeleaf explicit override added (was getting 3.1.3 transitively via Spring Boot 3.5.x BOM)

Notes

  • No breaking changes. Only dependency version bumps in playground modules.
  • Build verified: mvn clean test-compile passes on all affected modules.

Closes #228

Summary by CodeRabbit

  • Chores
    • Updated dependencies across multiple example Spring Boot projects to improve stability and compatibility.
    • Added explicit Thymeleaf template engine dependencies to projects requiring template rendering support.
    • Patched security and maintenance updates for logging and actuator components.

…uator auth bypass, logback CVE-2026-1225

- thymeleaf + thymeleaf-spring6: 3.1.3.RELEASE → 3.1.4.RELEASE (SSTI fix, all 3 thymeleaf playground modules)
- spring-boot-starter-actuator: 3.5.6/3.5.5 → 3.5.12 (auth bypass fix)
- logback-classic: 1.5.19 → 1.5.32 (CVE-2026-1225 ACE fix, resolves #228)

Closes #228
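The PR's build check (`mvn clean test-compile`) shows the modules compile, not that each one resolves the patched artifacts; a transitive pull from the Spring Boot BOM can still win over a pin in the wrong place. The script below is an added example, not code from this PR or the kinde repository: it reads the text `mvn dependency:tree` prints and flags every coordinate still below the floors in the Changes table above. The sample tree is constructed to resemble the pkce-client module before its explicit override (groupId, module version and the managed-from annotation are invented), and the version ordering is a simplified approximation of Maven's ComparableVersion that treats RELEASE/FINAL/GA as plain releases and sorts other qualifiers such as SNAPSHOT below them.

```python
"""Check the versions Maven actually resolves against the minimum patched versions.

Added example, not code from the PR or the kinde repository. It parses the
output of `mvn dependency:tree` and reports coordinates below the floors in
MIN_FIXED. SAMPLE_TREE is constructed, not captured from the repository.
"""
import re
from typing import Dict, List, Tuple

# Floors taken from the PR's Changes table.
MIN_FIXED: Dict[str, str] = {
    "org.thymeleaf:thymeleaf": "3.1.4.RELEASE",
    "org.thymeleaf:thymeleaf-spring6": "3.1.4.RELEASE",
    "org.springframework.boot:spring-boot-starter-actuator": "3.5.12",
    "ch.qos.logback:logback-classic": "1.5.32",
}

# Constructed sample of `mvn dependency:tree` output (groupId and versions invented).
SAMPLE_TREE = """\
[INFO] --- dependency:3.8.1:tree (default-cli) @ kinde-springboot-pkce-client-example ---
[INFO] com.example:kinde-springboot-pkce-client-example:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:3.5.12:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-thymeleaf:jar:3.5.5:compile
[INFO]    +- org.thymeleaf:thymeleaf-spring6:jar:3.1.3.RELEASE:compile
[INFO]    |  \\- org.thymeleaf:thymeleaf:jar:3.1.3.RELEASE:compile
[INFO]    \\- org.springframework.boot:spring-boot-starter-logging:jar:3.5.5:compile
[INFO]       \\- ch.qos.logback:logback-classic:jar:1.5.32:compile (version managed from 1.5.18)
"""

# A Maven coordinate as dependency:tree prints it: 4 to 6 colon-separated fields
# (groupId:artifactId:type[:classifier]:version[:scope]).
_COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")

# Qualifiers Maven treats as equivalent to no qualifier at all.
_RELEASE_QUALIFIERS = {"release", "final", "ga"}


def version_key(version: str) -> tuple:
    """Sort key approximating Maven ordering: numeric segments compare numerically,
    RELEASE/FINAL/GA are dropped, any other qualifier sorts below a plain release."""
    parts = []
    for seg in re.split(r"[.\-]", version):
        if seg.isdigit():
            parts.append((1, int(seg)))
        elif seg and seg.lower() not in _RELEASE_QUALIFIERS:
            parts.append((0, seg.lower()))
    parts.append((1, 0))  # sentinel so "1.5.32" sorts above "1.5.32-SNAPSHOT"
    return tuple(parts)


def parse_tree(text: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for every coordinate in the tree output."""
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        match = _COORD.search(line)
        if not match:
            continue
        fields = match.group(0).split(":")
        # root line has no scope (g:a:type:version); others end with the scope
        version = fields[3] if len(fields) == 4 else fields[-2]
        found.append((f"{fields[0]}:{fields[1]}", version))
    return found


def find_vulnerable(text: str, minimums: Dict[str, str] = MIN_FIXED) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved version, required floor) for every coordinate below its floor."""
    hits = []
    for coord, version in parse_tree(text):
        floor = minimums.get(coord)
        if floor is not None and version_key(version) < version_key(floor):
            hits.append((coord, version, floor))
    return hits


def report(text: str) -> List[str]:
    """Human-readable lines, one per finding; empty when everything meets the floor."""
    return [f"{coord} resolves to {got}, need >= {floor}" for coord, got, floor in find_vulnerable(text)]


if __name__ == "__main__":
    # Run against a real module with:  mvn dependency:tree | python this_script.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    lines = report(source)
    print("\n".join(lines) if lines else "all monitored coordinates meet the patched floor")
    sys.exit(1 if lines else 0)
```

Running it per module (`mvn -f playground/<module>/pom.xml dependency:tree | python check_versions.py`) turns the "was getting 3.1.3 transitively" observation into a repeatable gate; the non-zero exit makes it usable in CI alongside the Snyk check the PR mentions.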
@dtoxvanilla1991 dtoxvanilla1991 requested a review from a team as a code owner April 19, 2026 00:12
coderabbitai Bot (Contributor) commented Apr 19, 2026

Walkthrough

This PR updates Maven dependencies across three Spring Boot playground examples, upgrading spring-boot-starter-actuator to version 3.5.12, Thymeleaf artifacts to 3.1.4.RELEASE, logback-classic to 1.5.32, and adding explicit Thymeleaf core dependencies to two projects.

Changes

Cohort / File(s) Summary
PKCE Client Example
playground/kinde-springboot-pkce-client-example/pom.xml
Adds explicit dependencies on Thymeleaf core and Thymeleaf Spring 6 integration, both pinned to version 3.1.4.RELEASE.
Starter Example
playground/kinde-springboot-starter-example/pom.xml
Upgrades spring-boot-starter-actuator (3.5.6→3.5.12), Thymeleaf artifacts (3.1.3.RELEASE→3.1.4.RELEASE), and logback-classic (1.5.19→1.5.32).
Thymeleaf Full Example
playground/kinde-springboot-thymeleaf-full-example/pom.xml
Upgrades spring-boot-starter-actuator to 3.5.12 and adds explicit Thymeleaf core and Spring 6 integration dependencies at version 3.1.4.RELEASE.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Three gardens grow with spring so bright,
Dependencies updated, versions set just right,
Thymeleaf blooms and actuators hum,
Logback's latest dance has just begun!
Hop hop, all is well, the code's alive! 🌱

Pre-merge checks (5 passed)

Check name / Status / Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main security-focused changes: patching Thymeleaf SSTI, Actuator auth bypass, and logback CVE vulnerabilities across playground modules.
Linked Issues check ✅ Passed The PR fulfills issue #228's objective by updating logback-classic from 1.5.19 to 1.5.32 and additionally addresses other critical CVEs (Thymeleaf SSTI and Actuator auth bypass) through dependency version bumps.
Out of Scope Changes check ✅ Passed All changes are scoped to Maven dependency version updates in playground module pom.xml files; no unrelated code modifications or scope creep detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


codecov Bot commented Apr 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@dtoxvanilla1991 dtoxvanilla1991 self-assigned this Apr 19, 2026
dtoxvanilla1991 (Contributor, Author) commented

@coderabbitai review please.

coderabbitai Bot (Contributor) commented Apr 27, 2026

@dtoxvanilla1991, I'll start a review of the changes right away!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@playground/kinde-springboot-pkce-client-example/pom.xml`:
- Around line 30-39: Remove the explicit Thymeleaf dependencies that conflict
with the starter: delete the <dependency> entries for org.thymeleaf:thymeleaf
and org.thymeleaf:thymeleaf-spring6 (both version 3.1.4.RELEASE) because
spring-boot-starter-thymeleaf (3.5.5) already provides them transitively;
alternatively, if Thymeleaf is not used at all, remove the
spring-boot-starter-thymeleaf entry instead—ensure you keep only one source of
Thymeleaf to avoid version conflicts.

📥 Commits

Reviewing files that changed from the base of the PR and between 5efb815 and b45a551.

📒 Files selected for processing (3)
  • playground/kinde-springboot-pkce-client-example/pom.xml
  • playground/kinde-springboot-starter-example/pom.xml
  • playground/kinde-springboot-thymeleaf-full-example/pom.xml
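The review asks for one source of Thymeleaf; the PR author's reason for the direct pins was that the starter pulled 3.1.3 transitively. Both are satisfied by leaving spring-boot-starter-thymeleaf as the only declared dependency and overriding the `thymeleaf.version` property that spring-boot-dependencies uses to manage the starter's transitive Thymeleaf version. The script below is an added example, not code from this PR or the kinde project: it rewrites a constructed pom that way (the artifactId and parent version in the sample are invented). It assumes the module inherits from spring-boot-starter-parent; a module that only imports the BOM in dependencyManagement does not honour property overrides and needs explicit dependencyManagement entries instead.

```python
"""Keep one source of Thymeleaf in a Spring Boot Maven module.

Added example, not code from the PR or the kinde project. For a pom that
declares spring-boot-starter-thymeleaf and also pins org.thymeleaf artifacts
directly, drop the direct pins and set the thymeleaf.version property so the
starter itself resolves the patched release. SAMPLE_POM is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # serialize with a default xmlns, no ns0: prefix


def _q(tag: str) -> str:
    """Namespace-qualify a POM tag for ElementTree lookups."""
    return f"{{{POM_NS}}}{tag}"


# Constructed pom resembling the situation the review describes (names invented).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.5</version>
  </parent>
  <artifactId>pkce-client-example</artifactId>
  <properties>
    <java.version>17</java.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf</artifactId>
      <version>3.1.4.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf-spring6</artifactId>
      <version>3.1.4.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""


def consolidate_thymeleaf(pom_xml: str) -> Tuple[str, List[str]]:
    """Return (rewritten pom, findings). A pom with nothing to fix comes back unchanged."""
    root = ET.fromstring(pom_xml)
    deps = root.find(_q("dependencies"))
    findings: List[str] = []
    if deps is None:
        return pom_xml, findings
    dep_list = deps.findall(_q("dependency"))
    if not any(d.findtext(_q("artifactId")) == "spring-boot-starter-thymeleaf" for d in dep_list):
        return pom_xml, findings  # no starter: the direct pins are the only source, keep them
    versions = set()
    for dep in dep_list:
        if dep.findtext(_q("groupId")) != "org.thymeleaf":
            continue
        artifact = dep.findtext(_q("artifactId"))
        version = dep.findtext(_q("version"))
        findings.append(f"direct {artifact} {version} duplicates spring-boot-starter-thymeleaf")
        if version:
            versions.add(version)
        deps.remove(dep)
    if not findings:
        return pom_xml, findings
    if len(versions) != 1:
        raise ValueError(f"direct Thymeleaf pins disagree or lack a version: {sorted(versions)}")
    props = root.find(_q("properties"))
    if props is None:
        props = ET.Element(_q("properties"))
        root.insert(list(root).index(deps), props)
    prop = props.find(_q("thymeleaf.version"))
    if prop is None:
        prop = ET.SubElement(props, _q("thymeleaf.version"))
    prop.text = versions.pop()  # overrides the parent's managed version for the whole module
    findings.append(f"set thymeleaf.version={prop.text} so the starter resolves the patched release")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, findings


if __name__ == "__main__":
    rewritten, notes = consolidate_thymeleaf(SAMPLE_POM)
    print("\n".join(notes))
    print(rewritten)
```

After the rewrite `mvn dependency:tree` should show thymeleaf and thymeleaf-spring6 at 3.1.4.RELEASE under the starter rather than as direct dependencies, which is the state the review comment asks for without reopening the transitive 3.1.3 problem the PR author reported.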

Comment thread on playground/kinde-springboot-pkce-client-example/pom.xml (marked outdated)
@Koosha-Owji Koosha-Owji merged commit 7af75e8 into main Apr 28, 2026
5 checks passed
@Koosha-Owji Koosha-Owji deleted the fix/security-cve-logback-and-deps branch April 28, 2026 04:35