Releases: apache/struts
Struts 7.0.0
What's Changed
- WW-5486 Fixes exposing params added by ServletDispatcherResult by @lukaszlenart in #1123
- WW-5484 Marks the DWR plugin as deprecated by @lukaszlenart in #1126
- WW-5463 Exposes final location as request attribute FORWARD_SERVLET_PATH by @lukaszlenart in #1127
- Always run Sonar scan against the master branch by @lukaszlenart in #921
- Skip Sonar scan on PRs created by Dependabot by @lukaszlenart in #1130
- Uses AND instead of OR to check Sonar prerequisites by @lukaszlenart in #1131
- Merge master into 7.x.x 2024-11-29 by @lukaszlenart in #1134
- Struts 7.0.x by @lukaszlenart in #792
- WW-5405 Prepares to rename master branch into main by @lukaszlenart in #1136
- Bump github/codeql-action from 3.27.5 to 3.27.7 by @dependabot in #1145
- NOJIRA Uses proper field declarations and fixes generics by @lukaszlenart in #1137
- WW-5405 Uses proper links to build statuses by @lukaszlenart in #1146
Dependencies
- Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #1125
- Upgrade maven to 3.9.9 and wrapper to 3.3.2 by @sepe81 in #1129
- Bump github/codeql-action from 3.27.1 to 3.27.4 by @dependabot in #1128
- Bump maven-surefire-plugin.version from 3.5.1 to 3.5.2 by @dependabot in #1121
- Bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #1132
- Bump jackson.version from 2.18.0 to 2.18.2 by @dependabot in #1135
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.7.0 to 3.8.0 by @dependabot in #1122
- Bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.0 to 3.8.1 by @dependabot in #1138
- Bump actions/setup-java from 3 to 4 by @dependabot in #1143
- Bump com.thoughtworks.xstream:xstream from 1.4.20 to 1.4.21 by @dependabot in #1144
- Bump log4j2.version from 2.24.1 to 2.24.2 by @dependabot in #1139
Full Changelog: STRUTS_7_0_0_M10...STRUTS_7_0_0
Struts 6.7.0
What's Changed
- WW-5470 Bump log4j2.version from 2.23.1 to 2.24.1 by @dependabot in #1064
- WW-5469 Bump jackson.version from 2.17.2 to 2.18.0 by @dependabot in #1062
- WW-5471 Marks Sitemesh plugin as deprecated by @lukaszlenart in #1075
- Potential mitigation for WW-5466 by @JCgH4164838Gh792C124B5 in #1068
- WW-3714 Deprecate and repackage common APIs part 1 by @kusalk in #1079
- WW-3714 Deprecate and repackage common APIs part 2 by @kusalk in #1081
- WW-3714 Deprecate and repackage common APIs part 2.5 by @kusalk in #1087
- WW-3714 Deprecate and repackage common APIs part 3 by @kusalk in #1082
- WW-3714 Deprecate and repackage common APIs part 4 by @kusalk in #1083
- WW-3714 Deprecate and repackage common APIs part 5 by @kusalk in #1084
- WW-3714 Deprecate and repackage common APIs part 6 by @kusalk in #1085
- WW-5477 Bump org.apache.commons:commons-lang3 from 3.15.0 to 3.17.0 by @dependabot in #1094
- WW-5476 Deprecates tag's parameters as replaced with attributes by @lukaszlenart in #1096
- WW-5468 Backport @StrutsParameter fix for ModelDriven Actions by @kusalk in #1104
- WW-5478 Deprecate DefaultResultFactory by @kusalk in #1105
- WW-5480 Warn against potential templating bug by @kusalk in #1108
- WW-3714 Move new Result class into result package by @kusalk in #1109
- WW-5459 Move new Action class into action package by @kusalk in #1115
- WW-5459 Deprecate and repackage ActionChainResult by @kusalk in #1116
- WW-3714 Ensure correct delegation of deprecated API methods by @kusalk in #1117
- WW-5484 Marks the DWR plugin as deprecated by @lukaszlenart in #1126
Dependencies
- Bump github/codeql-action from 3.26.8 to 3.26.12 by @dependabot in #1073
- Bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #1074
- Bump commons-logging:commons-logging from 1.3.3 to 1.3.4 by @dependabot in #1061
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.6.2 to 3.7.0 by @dependabot in #1065
- Bump github/codeql-action from 3.26.12 to 3.26.13 by @dependabot in #1090
- Bump maven-surefire-plugin.version from 3.5.0 to 3.5.1 by @dependabot in #1092
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.3.1 to 3.5.1 by @dependabot in #1095
- Bump org.apache.maven.doxia:doxia-core from 1.12.0 to 2.0.0 by @dependabot in #1093
- Bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #1102
- Bump asm.version from 9.7 to 9.7.1 by @dependabot in #1098
- Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #1125
Full Changelog: STRUTS_6_6_1...STRUTS_6_7_0
Struts 7.0.0-M10
What's Changed
- WW-5411 Delete more deprecated code by @kusalk in #1002
- WW-5448 Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.15.0 by @dependabot in #1000
- WW-5411 General code clean up using modern language features by @kusalk in #1003
- WW-5411 WW-5386 Delete final deprecated code by @kusalk in #1004
- WW-5449 Make Velocity Tools dependency optional for Velocity plugin by @kusalk in #1005
- WW-5451 Fixes NPE when iterator starts with null by @lukaszlenart in #1008
- WW-5454 Log warnings on startup for disabled critical security features by @kusalk in #1010
- WW-5453 Rename VelocityManager interface and default implementation by @kusalk in #1009
- WW-4062 Cache OgnlException thrown on compilation by @kusalk in #1013
- WW-4062 Further optimisation of OgnlException caching by @kusalk in #1021
- WW-5450 Uses existing Jakarta constants instead of free hand strings by @lukaszlenart in #1034
- WW-5461 Extends UploadedFile with inputName field by @lukaszlenart in #1040
- WW-5461 Extends UploadedFile with inputName field by @lukaszlenart in #1041
- WW-5458 Replaces e.printStackTrace() with proper logger by @lukaszlenart in #1043
- WW-5297 Fixes checking nonce of invalidated session by @lukaszlenart in #1060
- WW-5470 Bump log4j2.version from 2.23.1 to 2.24.1 by @dependabot in #1064
- WW-5469 Bump jackson.version from 2.17.2 to 2.18.0 by @dependabot in #1062
- WW-5468 Exempt ModelDriven Actions from @StrutsParameter requirement by @kusalk in #1072
- WW-5471 Marks Sitemesh plugin as deprecated by @lukaszlenart in #1075
- WW-5473 Fixes examining multiple HttpServletWrappers to find MultiPartRequestWrapper by @lukaszlenart in #1078
- WW-5465 Renames tag parameters to attributes by @lukaszlenart in #1067
- Potential mitigation for WW-5466 by @JCgH4164838Gh792C124B5 in #1068
- WW-5472 Removes Struts Sitemesh plugin by @lukaszlenart in #1077
- WW-5209 Upgrade to Jakarta Bean Validation 3.1.0 by @lukaszlenart in #1089
- WW-5427 Upgrades Freemarker incompatible_improvements to version 2.3.33 by @lukaszlenart in #1088
- WW-3714 Deprecate and repackage common APIs part 1 by @kusalk in #1079
- WW-3714 Deprecate and repackage common APIs part 2 by @kusalk in #1081
- WW-3714 Deprecate and repackage common APIs part 2.5 by @kusalk in #1087
- WW-3714 Deprecate and repackage common APIs part 3 by @kusalk in #1082
- WW-3714 Deprecate and repackage common APIs part 4 by @kusalk in #1083
- WW-3714 Deprecate and repackage common APIs part 5 by @kusalk in #1084
- WW-3714 Deprecate and repackage common APIs part 6 by @kusalk in #1085
- WW-5476 Deprecates tag's parameters as replaced with attributes by @lukaszlenart in #1096
- WW-5468 Backport @StrutsParameter fix for ModelDriven Actions by @kusalk in #1104
- WW-3714 Moves all classes from com.opensymphony.xwork2 into org.apache.struts2 by @lukaszlenart in #1036
- WW-5478 Deprecate DefaultResultFactory by @kusalk in #1105
- WW-5480 Warn against potential templating bug by @kusalk in #1108
- WW-5479 Delete deprecated DefaultResultFactory by @kusalk in #1107
- WW-3714 Move new Result class into result package by @kusalk in #1111
- WW-3714 Move new Result class into result package by @kusalk in #1109
- WW-5459 Moves Action & ActionChainResult into proper packages by @lukaszlenart in #1112
- WW-5459 Move new Action class into action package by @kusalk in #1115
- WW-5459 Deprecate and repackage ActionChainResult by @kusalk in #1116
- WW-3714 Ensure correct delegation of deprecated API methods by @kusalk in #1117
- WW-5481 Extract text related classes into org.apache.struts2.text by @lukaszlenart in #1113
- WW-5482 Extract locale related classes into org.apache.struts2.locale by @lukaszlenart in #1114
Dependencies
- Bump github/codeql-action from 2.22.11 to 3.25.15 by @dependabot in #1011
- Bump actions/upload-artifact from 4.3.4 to 4.3.5 by @dependabot in #1012
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.5.0 to 3.6.2 by @dependabot in #997
- Bump org.owasp:dependency-check-maven from 9.2.0 to 10.0.3 by @dependabot in #998
- Bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @dependabot in #1006
- Bump actions/upload-artifact from 4.3.5 to 4.3.6 by @dependabot in #1014
- Bump github/codeql-action from 3.25.15 to 3.26.0 by @dependabot in #1015
- Bump commons-logging:commons-logging from 1.3.0 to 1.3.3 by @dependabot in #1016
- Bump org.apache.maven.plugins:maven-wrapper-plugin from 3.2.0 to 3.3.2 by @dependabot in #1017
- Bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.1 by @dependabot in #1018
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.3.0 to 3.3.1 by @dependabot in #1019
- Bump github/codeql-action from 3.26.0 to 3.26.2 by @dependabot in #1026
- Bump maven-surefire-plugin.version from 3.3.1 to 3.4.0 by @dependabot in #1022
- Bump org.easymock:easymock from 5.2.0 to 5.4.0 by @dependabot in #1020
- Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.1 by @dependabot in #1025
- Bump slf4j.version from 2.0.13 to 2.0.16 by @dependabot in #1028
- Bump org.apache.commons:commons-compress from 1.26.2 to 1.27.1 by @dependabot in #1031
- Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #1037
- Bump github/codeql-action from 3.26.2 to 3.26.6 by @dependabot in #1038
- Bump spring.platformVersion from 5.3.37 to 5.3.39 by @dependabot in #1030
- Bump org.jfree:jfreechart from 1.5.4 to 1.5.5 by @dependabot in #1049
- Bump maven-surefire-plugin.version from 3.4.0 to 3.5.0 by @dependabot in #1046
- Bump org.assertj:assertj-core from 3.25.3 to 3.26.3 by @dependabot in #1047
- Bump org.apache.maven.plugins:maven-dependency-plugin from 3.6.1 to 3.8.0 by @dependabot in #1048
- Bump org.awaitility:awaitility from 4.2.1 to 4.2.2 by @dependabot in #1050
- Bump org.apache.maven.plugins:maven-site-plugin from 3.12.1 to 3.20.0 by @dependabot in #1053
- Bump org.owasp:dependency-check-maven from 10.0.3 to 10.0.4 by @dependabot in #1054
- Bump org.codehaus.mojo:exec-maven-plugin from 3.3.0 to 3.4.1 by @dependabot in #1057
- Bump github/codeql-action from 3.26.6 to 3.26.8 by @dependabot in #1058
- Bump github/codeql-action from 3.26.8 to 3.26.12 by @dependabot in #1073
- Bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #1074
- Bump commons-logging:commons-logging from 1.3.3 to 1.3.4 by @dependabot in #1061
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.6.2 to 3.7.0 by @dependabot in #1065
- Bump github/codeql-action from 3.26.12 to 3.26.13 by @dependabot in #1090
- Bump maven-surefire-plugin.version from 3.5.0 to 3.5.1 by @dependabot in #1092
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.3.1 to 3.5.1 by @dependabot in #1095
- Bump org.apache.maven.doxia:doxia-core from 1.12.0 to 2.0.0 by @dependabot in #1093
- Bump github/codeql-action from 3.26.13 t...
Struts 6.6.1
What's Changed
- WW-5448 Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.15.0 by @dependabot in #1000
- WW-5451 Fixes NPE when iterator starts with null by @lukaszlenart in #1008
- WW-4062 Cache OgnlException thrown on compilation by @kusalk in #1013
- WW-4062 Further optimisation of OgnlException caching by @kusalk in #1021
- WW-5461 Extends UploadedFile with inputName field by @lukaszlenart in #1040
- WW-5297 Fixes checking nonce of invalidated session by @lukaszlenart in #1060
Dependencies
- Bump github/codeql-action from 2.22.11 to 3.25.15 by @dependabot in #1011
- Bump actions/upload-artifact from 4.3.4 to 4.3.5 by @dependabot in #1012
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.5.0 to 3.6.2 by @dependabot in #997
- Bump org.owasp:dependency-check-maven from 9.2.0 to 10.0.3 by @dependabot in #998
- Bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @dependabot in #1006
- Bump actions/upload-artifact from 4.3.5 to 4.3.6 by @dependabot in #1014
- Bump github/codeql-action from 3.25.15 to 3.26.0 by @dependabot in #1015
- Bump commons-logging:commons-logging from 1.3.0 to 1.3.3 by @dependabot in #1016
- Bump org.apache.maven.plugins:maven-wrapper-plugin from 3.2.0 to 3.3.2 by @dependabot in #1017
- Bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.1 by @dependabot in #1018
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.3.0 to 3.3.1 by @dependabot in #1019
- Bump github/codeql-action from 3.26.0 to 3.26.2 by @dependabot in #1026
- Bump maven-surefire-plugin.version from 3.3.1 to 3.4.0 by @dependabot in #1022
- Bump org.easymock:easymock from 5.2.0 to 5.4.0 by @dependabot in #1020
- Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.1 by @dependabot in #1025
- Bump slf4j.version from 2.0.13 to 2.0.16 by @dependabot in #1028
- Bump org.apache.commons:commons-compress from 1.26.2 to 1.27.1 by @dependabot in #1031
- Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #1037
- Bump github/codeql-action from 3.26.2 to 3.26.6 by @dependabot in #1038
- Bump spring.platformVersion from 5.3.37 to 5.3.39 by @dependabot in #1030
- Bump org.jfree:jfreechart from 1.5.4 to 1.5.5 by @dependabot in #1049
- Bump maven-surefire-plugin.version from 3.4.0 to 3.5.0 by @dependabot in #1046
- Bump org.assertj:assertj-core from 3.25.3 to 3.26.3 by @dependabot in #1047
- Bump org.apache.maven.plugins:maven-dependency-plugin from 3.6.1 to 3.8.0 by @dependabot in #1048
- Bump org.awaitility:awaitility from 4.2.1 to 4.2.2 by @dependabot in #1050
- Bump org.apache.maven.plugins:maven-site-plugin from 3.12.1 to 3.20.0 by @dependabot in #1053
- Bump org.owasp:dependency-check-maven from 10.0.3 to 10.0.4 by @dependabot in #1054
- Bump org.codehaus.mojo:exec-maven-plugin from 3.3.0 to 3.4.1 by @dependabot in #1057
- Bump github/codeql-action from 3.26.6 to 3.26.8 by @dependabot in #1058
Full Changelog: STRUTS_6_6_0...STRUTS_6_6_1
Struts 7.0.0-M9
What's Changed
- WW-5441 Bump net.sf.jasperreports:jasperreports to 6.21.3 by @kusalk in #985
- WW-5428 Stop further excessive logging in DevMode by @kusalk in #987
- WW-5443 Bump Spring dependencies to 5.3.37 by @kusalk in #990
- WW-5442 Enforce allowlist for OgnlReflectionProvider by @kusalk in #988
- WW-5440 Fix OGNL allowlist compat with Convention plugin by @kusalk in #986
Dependencies
- Bump jackson.version from 2.17.1 to 2.17.2 by @dependabot in #993
- Bump maven-surefire-plugin.version from 3.2.5 to 3.3.1 by @dependabot in #994
Full Changelog: STRUTS_7_0_0_M8...STRUTS_7_0_0_M9
Struts 6.6.0
What's Changed
- WW-5406 Ensure Action excluded patterns are reinjected by @kusalk in #910
- WW-5407 Extend SecurityMemberAccess proxy detection to other proxies by @jefferyxhy in #911
- WW-5408 add option to not fallback to empty namespace when unresolved by @jefferyxhy in #912
- WW-5406 Fix injection order issue for excluded patterns by @kusalk in #917
- WW-5409 introduce final attribute to package element which makes them unextendable by @jefferyxhy in #914
- WW-5417 bump ognl version to fix security issue by @jefferyxhy in #915
- WW-5418 Forbid Enums and Jasper classes by @kusalk in #916
- WW-5421 Bump asm.version from 9.6 to 9.7 by @dependabot in #907
- WW-5420 Upgrades commons-text to ver. 1.12.0 by @lukaszlenart in #924
- WW-5419 Fixes support for loading Tiles definitions by @lukaszlenart in #920
- WW-5400 Extend default configuration options for the CSP interceptor. by @eschulma in #913
- WW-5422 Fixes support for trimable locale string in request by @lukaszlenart in #931
- WW-5414 Always call afterInvocation even in case of exception by @lukaszlenart in #932
- WW-5415 Fixes accessing public constructors via expression by @lukaszlenart in #933
- INFRA-25666 Disables review by code owners by @lukaszlenart in #945
- WW-5425 Bump jackson.version from 2.16.1 to 2.17.1 by @dependabot in #944
- WW-5426 Bump org.freemarker:freemarker from 2.3.32 to 2.3.33 by @dependabot in #953
- WW-5424 Fixes ClassCastException when using short var name in s:set tag by @lukaszlenart in #946
- Disables required reviewers option by @lukaszlenart in #947
- WW-5412 Upgrades struts-master to ver 15 by @lukaszlenart in #948
- WW-5400 Simplifies how CspSettings is created by @lukaszlenart in #956
- WW-5250 Addresses TODO in test and stops using Mock Objects by @lukaszlenart in #957
- WW-5310 Fixes broken support for Fragments in <s:url/> tag by @lukaszlenart in #968
- WW-5429 Log parameter annotation issues at ERROR level when in DevMode by @kusalk in #969
- WW-5431 Marks unused constants as deprecated by @lukaszlenart in #971
- WW-5437 Swap order of sysStrSubstitutor and envStrSubstitutor in substitute method by @stefansielaff in #977
- WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set by @kusalk in #967
- WW-5439 Move DevMode security configuration to SecurityMemberAccess by @kusalk in #979
- WW-5428 Stop excessive logging in DevMode by @kusalk in #982
- WW-5441 Bump net.sf.jasperreports:jasperreports to 6.21.3 by @kusalk in #985
- WW-5428 Stop further excessive logging in DevMode by @kusalk in #987
- WW-5443 Bump Spring dependencies to 5.3.37 by @kusalk in #990
- WW-5442 Enforce allowlist for OgnlReflectionProvider by @kusalk in #988
- WW-5440 Fix OGNL allowlist compat with Convention plugin by @kusalk in #986
Dependencies
- Bump org.assertj:assertj-core from 3.25.2 to 3.25.3 by @dependabot in #909
- Bump actions/upload-artifact from 4.3.1 to 4.3.2 by @dependabot in #923
- Bump org.codehaus.mojo:versions-maven-plugin from 2.16.1 to 2.16.2 by @dependabot in #922
- Bump org.codehaus.mojo:exec-maven-plugin from 3.1.0 to 3.2.0 by @dependabot in #925
- Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @dependabot in #926
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.0.0-M6 to 3.2.5 by @dependabot in #905
- Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 by @dependabot in #934
- Bump slf4j.version from 2.0.12 to 2.0.13 by @dependabot in #936
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.0.0 to 3.5.0 by @dependabot in #938
- Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #939
- Bump org.jacoco:jacoco-maven-plugin from 0.8.11 to 0.8.12 by @dependabot in #940
- Bump org.apache.maven.plugins:maven-assembly-plugin from 3.6.0 to 3.7.1 by @dependabot in #950
- Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.2 by @dependabot in #961
- Bump org.owasp:dependency-check-maven from 8.4.2 to 9.2.0 by @dependabot in #962
- Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 by @dependabot in #958
- Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5 by @dependabot in #960
- Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.4.1 to 3.5.0 by @dependabot in #965
- Bump org.codehaus.mojo:exec-maven-plugin from 3.2.0 to 3.3.0 by @dependabot in #966
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.2.5 to 3.3.0 by @dependabot in #976
- Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #978
- Bump jackson.version from 2.17.1 to 2.17.2 by @dependabot in #993
- Bump maven-surefire-plugin.version from 3.2.5 to 3.3.1 by @dependabot in #994
New Contributors
- @jefferyxhy made their first contribution in #911
- @eschulma made their first contribution in #913
- @stefansielaff made their first contribution in #977
Full Changelog: STRUTS_6_4_0...STRUTS_6_6_0
Struts 7.0.0-M8
What's Changed
- WW-5310 Fixes broken support for Fragments in <s:url/> tag by @lukaszlenart in #968
- WW-5429 Log parameter annotation issues at ERROR level when in DevMode by @kusalk in #969
- WW-5430 Uses Freemarker native support for JakartaEE instead of manually transforming the artifacts by @lukaszlenart in #970
- WW-5431 Marks unused constants as deprecated by @lukaszlenart in #971
- Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 by @dependabot in #958
- Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5 by @dependabot in #960
- Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.4.1 to 3.5.0 by @dependabot in #965
- Bump org.codehaus.mojo:exec-maven-plugin from 3.2.0 to 3.3.0 by @dependabot in #966
- WW-5437 Swap order of sysStrSubstitutor and envStrSubstitutor in substitute method by @stefansielaff in #977
- WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set by @kusalk in #967
- WW-5439 Move DevMode security configuration to SecurityMemberAccess by @kusalk in #979
- Merge master to 7.0.x, 2024-07-08 by @kusalk in #980
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.2.5 to 3.3.0 by @dependabot in #976
- Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #978
- WW-5411 Delete deprecated method/classes by @kusalk in #981
- WW-5428 Stop excessive logging in DevMode by @kusalk in #982
- Merge master to 7.0.x, 2024-07-09 by @kusalk in #983
- WW-5438 Fixes scope of Weld dependencies by @lukaszlenart in #984
New Contributors
- @stefansielaff made their first contribution in #977
Full Changelog: STRUTS_7_0_0_M7...STRUTS_7_0_0_M8
Struts 7.0.0-M7
What's Changed
- WW-5406 Ensure Action excluded patterns are reinjected by @kusalk in #910
- WW-5407 Extend SecurityMemberAccess proxy detection to other proxies by @jefferyxhy in #911
- WW-5408 add option to not fallback to empty namespace when unresolved by @jefferyxhy in #912
- WW-5406 Fix injection order issue for excluded patterns by @kusalk in #917
- WW-5409 introduce final attribute to package element which makes them unextendable by @jefferyxhy in #914
- WW-5417 bump ognl version to fix security issue by @jefferyxhy in #915
- WW-5418 Forbid Enums and Jasper classes by @kusalk in #916
- Bump org.assertj:assertj-core from 3.25.2 to 3.25.3 by @dependabot in #909
- Forward merge master to 7.0.0 by @kusalk in #918
- Bump actions/upload-artifact from 4.3.1 to 4.3.2 by @dependabot in #923
- Bump org.codehaus.mojo:versions-maven-plugin from 2.16.1 to 2.16.2 by @dependabot in #922
- WW-5353 Stronger security defaults for 7.0 by @kusalk in #919
- Bump org.codehaus.mojo:exec-maven-plugin from 3.1.0 to 3.2.0 by @dependabot in #925
- Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @dependabot in #926
- WW-5421 Bump asm.version from 9.6 to 9.7 by @dependabot in #907
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.0.0-M6 to 3.2.5 by @dependabot in #905
- WW-5420 Upgrades commons-text to ver. 1.12.0 by @lukaszlenart in #924
- [WW-5419] Fixes support for loading Tiles definitions by @lukaszlenart in #920
- WW-5400 Extend default configuration options for the CSP interceptor. by @eschulma in #913
- Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 by @dependabot in #934
- Bump slf4j.version from 2.0.12 to 2.0.13 by @dependabot in #936
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.0.0 to 3.5.0 by @dependabot in #938
- Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #939
- WW-5422 Fixes support for trimable locale string in request by @lukaszlenart in #931
- WW-5414 Always call afterInvocation even in case of exception by @lukaszlenart in #932
- WW-5415 Fixes accessing public constructors via expression by @lukaszlenart in #933
- INFRA-25666 Disables review by code owners by @lukaszlenart in #945
- Bump org.jacoco:jacoco-maven-plugin from 0.8.11 to 0.8.12 by @dependabot in #940
- WW-5425 Bump jackson.version from 2.16.1 to 2.17.1 by @dependabot in #944
- Bump org.apache.maven.plugins:maven-assembly-plugin from 3.6.0 to 3.7.1 by @dependabot in #950
- WW-5426 Bump org.freemarker:freemarker from 2.3.32 to 2.3.33 by @dependabot in #953
- [WW-5424] Fixes ClassCastException when using short var name in s:set tag by @lukaszlenart in #946
- Disables required reviewers option by @lukaszlenart in #947
- [WW-5412] Upgrades struts-master to ver 15 by @lukaszlenart in #948
- Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.2 by @dependabot in #961
- Bump org.owasp:dependency-check-maven from 8.4.2 to 9.2.0 by @dependabot in #962
- [WW-5423] Fixes returning null instead of empty array in case of non-existing param by @lukaszlenart in #954
- WW-5400 Simplifies how CspSettings is created by @lukaszlenart in #956
- WW-5250 Addresses TODO in test and stops using Mock Objects by @lukaszlenart in #957
- Merge master 2024-06-10 by @lukaszlenart in #963
New Contributors
- @jefferyxhy made their first contribution in #911
- @eschulma made their first contribution in #913
Full Changelog: STRUTS_7_0_0_M6...STRUTS_7_0_0_M7
Struts 7.0.0-M6
What's Changed
- WW-5397 Bump net.sf.jasperreports:jasperreports from 6.20.6 to 6.21.0 by @dependabot in #843
- Updates link to build status on Jenkins by @lukaszlenart in #878
- Bump org.apache.maven.doxia:doxia-core from 1.9.1 to 1.12.0 by @dependabot in #879
- Bump slf4j.version from 2.0.11 to 2.0.12 by @dependabot in #880
- Bump org.apache.maven.doxia:doxia-module-markdown from 1.9.1 to 1.12.0 by @dependabot in #883
- WW-5398 Bump commons-validator:commons-validator from 1.6 to 1.8.0 by @dependabot in #882
- [WW-5399] Bump org.apache.commons:commons-compress from 1.25.0 to 1.26.0 by @dependabot in #884
- Bump maven-surefire-plugin.version from 3.0.0-M7 to 3.2.5 by @dependabot in #886
- Fix original file upload to use actual file name rather than uploadxxx.tmp by @gregh3269 in #893
- [WW-5401] Improves logging around wrapping request and detecting multipart request by @lukaszlenart in #892
- WW-5364 Fix potential NPE in XmlDocConfigurationProvider by @kusalk in #894
- Converts multiple file uploads example to use Action based upload by @lukaszlenart in #895
- WW-5251 Reinstate deleted interfaces with transparent compat by @kusalk in #898
- Enables required review by codeowners by @lukaszlenart in #899
- WW-5251 Fix deprecated interface method signature by @kusalk in #900
- WW-5402 Auto loads Tiles definitions from classpath by @lukaszlenart in #896
- Uses proper context name in branch protection rule by @lukaszlenart in #901
- WW-5404 Bump log4j2.version from 2.21.1 to 2.23.1 by @dependabot in #902
- WW-5390 Fixes creating assembly and attaching sources when preparing a new release by @lukaszlenart in #903
Full Changelog: STRUTS_7_0_0_M3...STRUTS_7_0_0_M6
Struts 6.4.0
What's Changed
- WW-5341 Ensure exclusion list applies to objects from all ClassLoaders by @kusalk in #741
- WW-5342 Add option to block use of default package by @kusalk in #742
- WW-5339 Misc clean up in CompoundRootAccessor and OgnlValueStackTest by @kusalk in #745
- WW-5340 Preliminary refactor of OgnlUtil by @kusalk in #746
- [WW-5346] replace BeanManager::createInjectionTarget by @hepptho in #754
- WW-5340 Introducing OGNL Guard by @kusalk in #747
- WW-5348 Allow overriding of logging behaviour in DefaultAcceptedPatternsChecker by @kusalk in #757
- [WW-5338] Removes deprecated OgnlTool by @lukaszlenart in #758
- [WW-5344] Un-deprecates Sitemesh plugin and upgrades Sitemesh to ver 2.5.0 by @lukaszlenart in #759
- WW-5340 Mild refactor StrutsOgnlGuard for easier subclassing by @kusalk in #760
- WW-5349 Remove Struts core dependency on OGNL VarRefs by @kusalk in #763
- WW-5354 Ensure ActionSupport fields are not parameter injectable by @kusalk in #765
- WW-5355 Integrate W-TinyLfu cache and use by default by @kusalk in #766
- Improved the StrutsUrlDecoder so that charset retrieval is performed only once. by @mygreen in #773
- WW-5358 Expand exclusion lists by @kusalk in #774
- WW-5350 Refactor SecurityMemberAccess by @kusalk in #780
- [WW-5333] Refactors AttributeMap by @lukaszlenart in #779
- WW-5363 Velocity: read chained contexts before ValueStack by @kusalk in #789
- WW-5350 Implement OGNL Allowlist capability by @kusalk in #781
- WW-5363 Remove redundant method from VelocityManager by @kusalk in #793
- WW-5343 Make SecurityMemberAccess an extensible bean by @kusalk in #791
- WW-5364 Automatically populate OGNL allowlist by @kusalk in #800
- WW-5339 Add option to block custom OGNL maps by @kusalk in #806
- [WW-5370] Makes HttpParameters case-insensitive by @lukaszlenart in #807
- [WW-5371] Modern upload by @lukaszlenart in #808
- WW-5364 Add missing system allowlist classes by @kusalk in #815
- [WW-5373] Update JavaDoc CspReportAction.java by @assachs in #814
- [WW-5328] Removes deprecated setters by @lukaszlenart in #811
- [WW-5362] Removes type attribute out of <s:script/> tag by @lukaszlenart in #812
- WW-5378 Add option to NOT fallback to context lookup when finding value on OgnlValueStack by @kusalk in #821
- WW-5364 Add String.class to system allowlist by @kusalk in #828
- WW-5381 Introduce RootAccessor interface for extension point by @kusalk in #823
- WW-5379 Implement alternative mechanism for Velocity directives to obtain ValueStack by @kusalk in #822
- WW-5352 Repackage ParametersInterceptor and related classes by @kusalk in #829
- WW-5381 Introduce extension point for CompoundRootAccessor by @kusalk in #824
- [WW-5383] Updates RegEx to excludes JARs by default by @lukaszlenart in #830
- WW-5382 Fix stale injections in Dispatcher by @kusalk in #826
- WW-5381 Introduce extension point for MethodAccessor by @kusalk in #825
- WW-5352 Refactor ParametersInterceptor by @kusalk in #831
- [WW-5365] Reverts changes introduced in WW-5192 to allow evaluate the value attribute of Radio tag by @lukaszlenart in #835
- WW-5352 Clean up OgnlValueStackTest by @kusalk in #841
- [WW-5387] Fixes remove() signature by @lukaszlenart in #844
- [WW-5369] Re-define minimal library set by @lukaszlenart in #847
- [WW-5374] Allows to prepend reportUri with Servlet context by @lukaszlenart in #845
- [WW-5357] Adds support for disabled attribute to anchor tag by @lukaszlenart in #848
- WW-5352 Introducing the StrutsParameter annotation by @kusalk in #832
- [WW-5360] Introduces additional countStr & indexStr to allow to ignore conversion by @lukaszlenart in #852
- WW-5391 Add interface for VelocityManager extension point by @kusalk in #867
- WW-5394 Use request encoding by @aleksandr-m in #872
- s:file shows server/file location WW-5396 by @gregh3269 in #876
- [WW-5401] Improves logging around wrapping request and detecting multipart request by @lukaszlenart in #892
- WW-5364 Fix potential NPE in XmlDocConfigurationProvider by @kusalk in #894
- WW-5251 Reinstate deleted interfaces with transparent compat by @kusalk in #898
- WW-5251 Fix deprecated interface method signature by @kusalk in #900
- WW-5402 Auto loads Tiles definitions from classpath by @lukaszlenart in #896
- WW-5390 Fixes creating assembly and attaching sources when preparing a new release by @lukaszlenart in #903
Dependencies
- Moves all CI notifications to commits@ list by @lukaszlenart in #748
- Bump actions/checkout from 3 to 4 by @dependabot in #751
- Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #752
- Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #753
- Split SonarCloud into separate action by @kusalk in #755
- [WW-5347] Upgrades to commons-digester3 ver 3.2 by @lukaszlenart in #756
- Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #762
- Bump org.jfree:jfreechart from 1.5.1 to 1.5.4 by @dependabot in #740
- Add JDK 21 build by @kusalk in #764
- Fix conflicting dependencies by @kusalk in #767
- Bump org.codehaus.mojo:versions-maven-plugin from 2.7 to 2.16.1 by @dependabot in #768
- Bump org.owasp:dependency-check-maven from 7.2.0 to 8.4.2 by @dependabot in #771
- Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #775
- Bump junit:junit from 4.13.1 to 4.13.2 by @dependabot in #776
- Bump org.jacoco:jacoco-maven-plugin from 0.8.8 to 0.8.11 by @dependabot in #777
- Bump slf4j.version from 2.0.7 to 2.0.9 by @dependabot in #783
- Bump net.sf.jasperreports:jasperreports from 6.20.5 to 6.20.6 by @dependabot in #784
- Uses the new notifications@ list for all the messages from GitHub by @lukaszlenart in #788
- Send Jenkins notifications to the notifications@ list by @lukaszlenart in #790
- Bump jackson.version from 2.15.3 to 2.16.0 by @dependabot in #796
- Bump actions/setup-java from 3 to 4 by @dependabot in #804
- Builds Struts 7 as part of the main pipeline by @lukaszlenart in #813
- Bump github/codeql-action from 2 to 3 by @dependabot in #817
- Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #816
- Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 by @dependabot in #818
- Stops cleaning nightlies to allow to coexist different versions by @lukaszlenart in #834
- Bump org.apache.maven.plugins:maven-release-plugin from 3.0.0-M1 to 3.0.1 by @dependabot in #837
- Reduces log level to debug to reduce noise in the logs by @lukaszlenart in #838
- Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #842
- Bump org.apache.commons:commons-compress from 1.23.0 to 1.25.0 by @dependabot in #820
- Extends sleep period to avoid breaking a build by @lukaszlenart in #849
- Upgrade maven to 3.9.6 and wrappe...