This is an automated email from the ASF dual-hosted git repository. garydgregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-jexl.git
commit 66ae9f406de8b60a02ca2dad87b1fb7329ee8740 Author: Gary Gregory <[email protected]> AuthorDate: Sun Jun 28 22:51:53 2026 +0000 Prepare for the next release candidate --- README.md | 4 ++-- RELEASE-NOTES.txt | 48 +++++++++++++++-------------------------- src/changes/changes.xml | 2 +- src/site/xdoc/download_jexl.xml | 26 +++++++++++----------- 4 files changed, 33 insertions(+), 47 deletions(-) diff --git a/README.md b/README.md index b3fa8f4b..954c1c34 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Apache Commons JEXL [](https://github.com/apache/commons-jexl/actions/workflows/maven.yml) [](https://search.maven.org/artifact/org.apache.commons/commons-jexl3) -[](https://javadoc.io/doc/org.apache.commons/commons-jexl3/3.6.4) +[](https://javadoc.io/doc/org.apache.commons/commons-jexl3/3.7.0) [](https://github.com/apache/commons-jexl/actions/workflows/codeql-analysis.yml) [](https://api.securityscorecards.dev/projects/github.com/apache/commons-jexl) @@ -68,7 +68,7 @@ Alternatively, you can pull it from the central Maven repositories: <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-jexl3</artifactId> - <version>3.6.4</version> + <version>3.7.0</version> </dependency> ``` diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index a1eebf3d..f3ea8178 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt 
@@ -1,33 +1,29 @@ Apache Commons JEXL 3.7.0 Release Notes -======================================== +--------------------------------------- The Apache Commons JEXL team is pleased to announce the release of Apache Commons JEXL 3.7.0. Introduction -============ +------------ -Apache Commons JEXL is a library that enables scripting features in Java applications and frameworks. +Apache Commons JEXL is a library that enables scripting features in Java applications and frameworks.. This is a feature and maintenance release. Java 8 or later is required. Compatibility with previous releases -===================================== - -Version 3.7.0 is source and binary compatible with 3.6.x but changes default runtime and -parse-time behavior (see below). +------------------------------------ +Version 3.7.0 is source and binary compatible with 3.6.x but changes the default runtime and parse-time behavior (see below). -Breaking change in 3.7.0 -========================= +Behavior breaking change in 3.7.0 +--------------------------------- -Two defaults change: +o The default permissions is now "SECURE": a minimum allow-list covering only safe java.lang + value types, java.math, and java.util. Everything else is denied unless explicitly composed in. - o The default permissions become SECURE — a minimum allow-list covering only safe java.lang - value types, java.math, and java.util. Everything else is denied unless explicitly composed in. - - o The default features disable new(...), global side-effects, pragmas, and annotations, and enable - lexical scoping; loops remain available to scripts (but never to expressions). Scripts using a - disabled construct will throw JexlException.Feature at parse time with the default engine. +o The default features disable new(...), global side-effects, pragmas, and annotations, and enable + lexical scoping; loops remain available to scripts (but never to expressions). 
Scripts using a + disabled construct will throw JexlException.Feature at parse time with the default engine. To restore the previous (3.6.x) defaults, load the bundled jexl.yaml via JexlConfigLoader: @@ -37,23 +33,12 @@ To restore the previous (3.6.x) defaults, load the bundled jexl.yaml via JexlCon Use JexlPermissions.logging() to discover which reflective elements the new algorithm denies. - New features -============ - -o JEXL-465: Add JexlConfigLoader to build a JexlEngine from a YAML configuration (permissions, - features, arithmetic, namespaces, imports). -o JEXL-464: Default permissions are SECURE and default features harden parse-time behavior - (disable new, global side-effects, pragmas and annotations; enable lexical scoping; - loops remain available to scripts). -o JEXL-463: Add JexlPermissions.logging() to wrap a permission set and log which reflective - elements are allowed or denied. - - -Fixed Bugs -========== +------------ -o JEXL-462: JexlPermissions.RESTRICTED must ensure a better level of isolation. +o JEXL-465: Add JexlConfigLoader to build a JexlEngine from a YAML configuration (permissions, features, arithmetic, namespaces, imports). +o JEXL-464: Default permissions are SECURE and default features harden parse-time behavior (disable new, global side-effects, pragmas and annotations; enable lexical scoping; loops remain available to scripts). +o JEXL-463: Add JexlPermissions.logging() to wrap a permission set and log which reflective elements are allowed or denied. Historical list of changes: https://commons.apache.org/proper/commons-jexl/changes.html @@ -68,6 +53,7 @@ Download page: https://commons.apache.org/proper/commons-jexl/download_jexl.cgi Have fun! -Apache Commons Team +------------------------------------------------------------------------------ Apache Commons JEXL 3.6.4 Release Notes --------------------------------------- diff --git a/src/changes/changes.xml b/src/changes/changes.xml index d04a5a9d..e7b91a54 100644 
--- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -27,7 +27,7 @@ <author email="[email protected]">Commons Developers</author> </properties> <body> - <release version="3.7.0" date="YYYY-MM-DD" description="This is a feature and maintenance release. Java 8 or later is required."> + <release version="3.7.0" date="2026-06-28" description="This is a feature and maintenance release. Java 8 or later is required."> <!-- ADD --> <action dev="henrib" type="add" issue="JEXL-465">Add JexlConfigLoader to build a JexlEngine from a YAML configuration (permissions, features, arithmetic, namespaces, imports).</action> <action dev="henrib" type="add" issue="JEXL-464">Default permissions are SECURE and default features harden parse-time behavior (disable new, global side-effects, pragmas and annotations; enable lexical scoping; loops remain available to scripts).</action> diff --git a/src/site/xdoc/download_jexl.xml b/src/site/xdoc/download_jexl.xml index 2470c589..29ee2a09 100644 --- a/src/site/xdoc/download_jexl.xml +++ b/src/site/xdoc/download_jexl.xml 
@@ -115,32 +115,32 @@ limitations under the License. </p> </subsection> </section> - <section name="Apache Commons JEXL 3.6.4 "> + <section name="Apache Commons JEXL 3.7.0 "> <subsection name="Binaries"> <table> <tr> - <td><a href="[preferred]/commons/jexl/binaries/commons-jexl-3.6.4-bin.tar.gz">commons-jexl-3.6.4-bin.tar.gz</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.6.4-bin.tar.gz.sha512">sha512</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.6.4-bin.tar.gz.asc">pgp</a></td> + <td><a href="[preferred]/commons/jexl/binaries/commons-jexl-3.7.0-bin.tar.gz">commons-jexl-3.7.0-bin.tar.gz</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.7.0-bin.tar.gz.sha512">sha512</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.7.0-bin.tar.gz.asc">pgp</a></td> </tr> <tr> - <td><a href="[preferred]/commons/jexl/binaries/commons-jexl-3.6.4-bin.zip">commons-jexl-3.6.4-bin.zip</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.6.4-bin.zip.sha512">sha512</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.6.4-bin.zip.asc">pgp</a></td> + <td><a href="[preferred]/commons/jexl/binaries/commons-jexl-3.7.0-bin.zip">commons-jexl-3.7.0-bin.zip</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.7.0-bin.zip.sha512">sha512</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/binaries/commons-jexl-3.7.0-bin.zip.asc">pgp</a></td> </tr> </table> </subsection> <subsection name="Source"> <table> <tr> - <td><a href="[preferred]/commons/jexl/source/commons-jexl-3.6.4-src.tar.gz">commons-jexl-3.6.4-src.tar.gz</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.6.4-src.tar.gz.sha512">sha512</a></td> - <td><a 
href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.6.4-src.tar.gz.asc">pgp</a></td> + <td><a href="[preferred]/commons/jexl/source/commons-jexl-3.7.0-src.tar.gz">commons-jexl-3.7.0-src.tar.gz</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.7.0-src.tar.gz.sha512">sha512</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.7.0-src.tar.gz.asc">pgp</a></td> </tr> <tr> - <td><a href="[preferred]/commons/jexl/source/commons-jexl-3.6.4-src.zip">commons-jexl-3.6.4-src.zip</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.6.4-src.zip.sha512">sha512</a></td> - <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.6.4-src.zip.asc">pgp</a></td> + <td><a href="[preferred]/commons/jexl/source/commons-jexl-3.7.0-src.zip">commons-jexl-3.7.0-src.zip</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.7.0-src.zip.sha512">sha512</a></td> + <td><a href="https://downloads.apache.org/commons/jexl/source/commons-jexl-3.7.0-src.zip.asc">pgp</a></td> </tr> </table> </subsection>
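Review bot: The two README.md hunks move the javadoc badge link and the Maven `<version>` in the dependency snippet to 3.7.0 in the same commit that prepares the release candidate, so master advertises 3.7.0 coordinates before the release is published. The release notes in this patch describe 3.7.0 as changing the default permissions and parse-time features, so a pointer to those notes next to the dependency snippet would help users who bump the version from 3.6.4.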
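Review bot: In the RELEASE-NOTES.txt hunk at @@ -1,33 +1,29 @@, the rewritten introduction line ends in a doubled period ("Java applications and frameworks..") and the first bullet reads "The default permissions is now", which should be "are now". This section announces the switch to SECURE permissions and the disabled parse-time features, and it is the text users will read when upgrading, so both are worth fixing before the candidate is cut.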
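Review bot: The RELEASE-NOTES.txt hunk at @@ -37,23 +33,12 @@ deletes the "Fixed Bugs" section together with its only entry, "JEXL-462: JexlPermissions.RESTRICTED must ensure a better level of isolation", and does not re-add it anywhere in the 3.7.0 notes. If that fix ships in 3.7.0 the entry should stay, since it changes what an existing permission set allows and users who rely on RESTRICTED need to know it was tightened. The changes.xml context visible in this patch shows only the JEXL-465 and JEXL-464 add actions, so please confirm that JEXL-462 still has an action there.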
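Review bot: In the src/changes/changes.xml hunk, the release date placeholder YYYY-MM-DD becomes 2026-06-28, which is the AuthorDate of this commit, while the commit message says the change prepares a release candidate. If the candidate is rerolled or the release happens on a later day, the date attribute needs another update so that it matches the actual 3.7.0 release date.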
