uPortal v5.17.8 and other portlet releases this week!
17 views
Skip to first unread message
Benito Gonzalez
May 15, 2026, 2:24:32 AM (yesterday) May 15
to Developers, uPortal, uPortal Community, uPortal Steering Committee, Bill Smith
Hi folks,
Wrapping up a coordinated five-release wave focused on the resource-server
consolidation — the cleanup that moves every frontend asset path in the
community uPortal stack off /ResourceServingWebapp/ and onto
/resource-server/. All five releases ship together so the path swap is
invariant across the deployed surface:
- uPortal v5.17.7
- uPortal v5.17.8
- SimpleContentPortlet 3.4.3
- FeedbackPortlet 1.3.2
- NewsReaderPortlet 5.1.5
All five are drop-in upgrades — no schema changes, no portlet-API contract
changes, no preferences migrations. Deployers should bump them together;
the uPortal-start side is already aligned via PR #694
(gradle.properties.example).
What changed substantively:
- uPortal core (v5.17.7 + v5.17.8): respondr LESS pipeline formally
deprecated (#2982); skin descriptors, admin JSPs, and chrome icons all
now reference /resource-server/ rather than /ResourceServingWebapp/
(#2983). The latter PR also drops a bundle of 2008–2015 utility
libraries that were either CVE-prone or native-replaceable on modern
browsers — lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, four
polyfill webjars (fetch, promise, array.from, url-search-params).
- SimpleContentPortlet 3.4.3: configureContent.jsp now consumes CKEditor
4.22.1 as a webjar — replaces the CKEditor 4.3.2 sources that the legacy
overlay carried. Multiple historical XSS CVEs cleared in the swap.
(4.22.1 is the last free CKEditor 4; 4.23+ is paid LTS.) Drops the
resource-server-content overlay dependency.
- NewsReaderPortlet 5.1.5: replaces Handlebars 3.0.3 with a small native
template renderer covering {{var}} / {{#each}} / {{#if}} — the subset
the portlet actually uses. Drops the resource-server-content overlay.
- FeedbackPortlet 1.3.2: drops the resource-server-content overlay (the
portlet was pulling it in for a handful of lingering lodash + dead-lib
references not actually exercised at runtime).
What's next: resource-server 1.5.4 is the breaking-change release in the
consolidation — it flips DEFAULT_RESOURCE_CONTEXT and deletes the legacy
bundles (lodash, bootstrap-namespaced, ckeditor 4.3.2, datatables 1.9.4,
lesscss, fetch / promise polyfills, and a few more). With this wave in
place, no consumer in the community fleet still references those paths,
so resource-server 1.5.4 should be a clean drop-in once it ships.
Deployers running local customizations should grep their overlays for
/ResourceServingWebapp/ ahead of that release; uPortal-start now ships
docs/access-log-audit.md describing how to grep the runtime Tomcat access
log to catch any production stragglers (Referer field added to the
default log pattern in the same PR).
Tooling: the Maven portlet release procedure is now scripted as
release-portlet.sh in each Maven portlet repo (SimpleContent, Feedback,
NewsReader on this round; CalendarPortlet, Bookmarks, Announcements,
et al next). It encodes the documented preflight checks — keyserver
reachability on keys.openpgp.org, POM hygiene (no stale OSSRH URLs,
<developers> block present), NOTICE/license drift, artifact-id sanity —
before the destructive release plugin runs. Gradle equivalent for uPortal
is open in PR #2986. Doc updates from the wave: uPortal #2984 (prefer
keys.openpgp.org over keyserver.ubuntu.com), #2985 (manual NOTICE/license
review step), uportal-project.github.io #100 (non-interactive Maven
release flags), uPortal-start #700 (access-log audit recipes).
JasigWidgetPortlets reminder: the portlet bundle is retired as of last
week — see the previous announcement for the migration story.
Release notes for each release are on the GitHub Releases page of the
respective repo.
Thanks to @Naenyn for the frontend-modernization work that's been the
throughline across the consolidation, and to everyone who reviewed PRs
across the four repos this wave touched.
Wrapping up a coordinated five-release wave focused on the resource-server
consolidation — the cleanup that moves every frontend asset path in the
community uPortal stack off /ResourceServingWebapp/ and onto
/resource-server/. All five releases ship together so the path swap is
invariant across the deployed surface:
- uPortal v5.17.7
- uPortal v5.17.8
- SimpleContentPortlet 3.4.3
- FeedbackPortlet 1.3.2
- NewsReaderPortlet 5.1.5
All five are drop-in upgrades — no schema changes, no portlet-API contract
changes, no preferences migrations. Deployers should bump them together;
the uPortal-start side is already aligned via PR #694
(gradle.properties.example).
What changed substantively:
- uPortal core (v5.17.7 + v5.17.8): respondr LESS pipeline formally
deprecated (#2982); skin descriptors, admin JSPs, and chrome icons all
now reference /resource-server/ rather than /ResourceServingWebapp/
(#2983). The latter PR also drops a bundle of 2008–2015 utility
libraries that were either CVE-prone or native-replaceable on modern
browsers — lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, four
polyfill webjars (fetch, promise, array.from, url-search-params).
- SimpleContentPortlet 3.4.3: configureContent.jsp now consumes CKEditor
4.22.1 as a webjar — replaces the CKEditor 4.3.2 sources that the legacy
overlay carried. Multiple historical XSS CVEs cleared in the swap.
(4.22.1 is the last free CKEditor 4; 4.23+ is paid LTS.) Drops the
resource-server-content overlay dependency.
- NewsReaderPortlet 5.1.5: replaces Handlebars 3.0.3 with a small native
template renderer covering {{var}} / {{#each}} / {{#if}} — the subset
the portlet actually uses. Drops the resource-server-content overlay.
- FeedbackPortlet 1.3.2: drops the resource-server-content overlay (the
portlet was pulling it in for a handful of lingering lodash + dead-lib
references not actually exercised at runtime).
What's next: resource-server 1.5.4 is the breaking-change release in the
consolidation — it flips DEFAULT_RESOURCE_CONTEXT and deletes the legacy
bundles (lodash, bootstrap-namespaced, ckeditor 4.3.2, datatables 1.9.4,
lesscss, fetch / promise polyfills, and a few more). With this wave in
place, no consumer in the community fleet still references those paths,
so resource-server 1.5.4 should be a clean drop-in once it ships.
Deployers running local customizations should grep their overlays for
/ResourceServingWebapp/ ahead of that release; uPortal-start now ships
docs/access-log-audit.md describing how to grep the runtime Tomcat access
log to catch any production stragglers (Referer field added to the
default log pattern in the same PR).
Tooling: the Maven portlet release procedure is now scripted as
release-portlet.sh in each Maven portlet repo (SimpleContent, Feedback,
NewsReader on this round; CalendarPortlet, Bookmarks, Announcements,
et al next). It encodes the documented preflight checks — keyserver
reachability on keys.openpgp.org, POM hygiene (no stale OSSRH URLs,
<developers> block present), NOTICE/license drift, artifact-id sanity —
before the destructive release plugin runs. Gradle equivalent for uPortal
is open in PR #2986. Doc updates from the wave: uPortal #2984 (prefer
keys.openpgp.org over keyserver.ubuntu.com), #2985 (manual NOTICE/license
review step), uportal-project.github.io #100 (non-interactive Maven
release flags), uPortal-start #700 (access-log audit recipes).
JasigWidgetPortlets reminder: the portlet bundle is retired as of last
week — see the previous announcement for the migration story.
Release notes for each release are on the GitHub Releases page of the
respective repo.
Thanks to @Naenyn for the frontend-modernization work that's been the
throughline across the consolidation, and to everyone who reviewed PRs
across the four repos this wave touched.
Best,
- B
Benito J. Gonzalez
Software Architect
Unicon, Inc.
Email: bgon...@unicon.net
GitHub: bjagg
GitLab: bjagg
BitBucket: bgon...@unicon.net
Reply all
Reply to author
Forward
0 new messages