Struts 6.6.0
What's Changed
- WW-5406 Ensure Action excluded patterns are reinjected by @kusalk in #910
- WW-5407 Extend SecurityMemberAccess proxy detection to other proxies by @jefferyxhy in #911
- WW-5408 add option to not fall back to empty namespace when unresolved by @jefferyxhy in #912
- WW-5406 Fix injection order issue for excluded patterns by @kusalk in #917
- WW-5409 introduce final attribute to package element which makes them unextendable by @jefferyxhy in #914
- WW-5417 bump ognl version to fix security issue by @jefferyxhy in #915
- WW-5418 Forbid Enums and Jasper classes by @kusalk in #916
- WW-5421 Bump asm.version from 9.6 to 9.7 by @dependabot in #907
- WW-5420 Upgrades commons-text to ver. 1.12.0 by @lukaszlenart in #924
- WW-5419 Fixes support for loading Tiles definitions by @lukaszlenart in #920
- WW-5400 Extend default configuration options for the CSP interceptor. by @eschulma in #913
- WW-5422 Fixes support for trimmable locale string in request by @lukaszlenart in #931
- WW-5414 Always call afterInvocation even in case of exception by @lukaszlenart in #932
- WW-5415 Fixes accessing public constructors via expression by @lukaszlenart in #933
- INFRA-25666 Disables review by code owners by @lukaszlenart in #945
- WW-5425 Bump jackson.version from 2.16.1 to 2.17.1 by @dependabot in #944
- WW-5426 Bump org.freemarker:freemarker from 2.3.32 to 2.3.33 by @dependabot in #953
- WW-5424 Fixes ClassCastException when using short var name in s:set tag by @lukaszlenart in #946
- Disables required reviewers option by @lukaszlenart in #947
- WW-5412 Upgrades struts-master to ver 15 by @lukaszlenart in #948
- WW-5400 Simplifies how CspSettings is created by @lukaszlenart in #956
- WW-5250 Addresses TODO in test and stops using Mock Objects by @lukaszlenart in #957
- WW-5310 Fixes broken support for Fragments in <s:url/> tag by @lukaszlenart in #968
- WW-5429 Log parameter annotation issues at ERROR level when in DevMode by @kusalk in #969
- WW-5431 Marks unused constants as deprecated by @lukaszlenart in #971
- WW-5437 Swap order of sysStrSubstitutor and envStrSubstitutor in substitute method by @stefansielaff in #977
- WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set by @kusalk in #967
- WW-5439 Move DevMode security configuration to SecurityMemberAccess by @kusalk in #979
- WW-5428 Stop excessive logging in DevMode by @kusalk in #982
- WW-5441 Bump net.sf.jasperreports:jasperreports to 6.21.3 by @kusalk in #985
- WW-5428 Stop further excessive logging in DevMode by @kusalk in #987
- WW-5443 Bump Spring dependencies to 5.3.37 by @kusalk in #990
- WW-5442 Enforce allowlist for OgnlReflectionProvider by @kusalk in #988
- WW-5440 Fix OGNL allowlist compat with Convention plugin by @kusalk in #986
Dependencies
- Bump org.assertj:assertj-core from 3.25.2 to 3.25.3 by @dependabot in #909
- Bump actions/upload-artifact from 4.3.1 to 4.3.2 by @dependabot in #923
- Bump org.codehaus.mojo:versions-maven-plugin from 2.16.1 to 2.16.2 by @dependabot in #922
- Bump org.codehaus.mojo:exec-maven-plugin from 3.1.0 to 3.2.0 by @dependabot in #925
- Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @dependabot in #926
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.0.0-M6 to 3.2.5 by @dependabot in #905
- Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 by @dependabot in #934
- Bump slf4j.version from 2.0.12 to 2.0.13 by @dependabot in #936
- Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.0.0 to 3.5.0 by @dependabot in #938
- Bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #939
- Bump org.jacoco:jacoco-maven-plugin from 0.8.11 to 0.8.12 by @dependabot in #940
- Bump org.apache.maven.plugins:maven-assembly-plugin from 3.6.0 to 3.7.1 by @dependabot in #950
- Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.2 by @dependabot in #961
- Bump org.owasp:dependency-check-maven from 8.4.2 to 9.2.0 by @dependabot in #962
- Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 by @dependabot in #958
- Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5 by @dependabot in #960
- Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.4.1 to 3.5.0 by @dependabot in #965
- Bump org.codehaus.mojo:exec-maven-plugin from 3.2.0 to 3.3.0 by @dependabot in #966
- Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.2.5 to 3.3.0 by @dependabot in #976
- Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #978
- Bump jackson.version from 2.17.1 to 2.17.2 by @dependabot in #993
- Bump maven-surefire-plugin.version from 3.2.5 to 3.3.1 by @dependabot in #994
New Contributors
- @jefferyxhy made their first contribution in #911
- @eschulma made their first contribution in #913
- @stefansielaff made their first contribution in #977
Full Changelog: STRUTS_6_4_0...STRUTS_6_6_0