dependabot[bot] opened a new pull request, #7282:
URL: https://github.com/apache/myfaces-tobago/pull/7282

   Bumps [org.glassfish:jakarta.faces](https://github.com/eclipse-ee4j/mojarra) 
from 4.0.16 to 4.0.17.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/eclipse-ee4j/mojarra/releases">org.glassfish:jakarta.faces's
 releases</a>.</em></p>
   <blockquote>
   <h2>4.0.17</h2>
   <h2>What's Changed</h2>
   <ul>
   <li>Backport of CSP-related changes by <a 
href="https://github.com/jasondlee"><code>@jasondlee</code></a> in <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/pull/5606">eclipse-ee4j/mojarra#5606</a></li>
   <li>Make sure CSP backport passes the 4.0 TCK by <a 
href="https://github.com/BalusC"><code>@BalusC</code></a> in <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/pull/5716">eclipse-ee4j/mojarra#5716</a></li>
   </ul>
   <p><strong>Full Changelog</strong>: <a 
href="https://github.com/eclipse-ee4j/mojarra/compare/4.0.15-RELEASE...4.0.17-RELEASE">https://github.com/eclipse-ee4j/mojarra/compare/4.0.15-RELEASE...4.0.17-RELEASE</a></p>
   </blockquote>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/eclipse-ee4j/mojarra/blob/master/RELEASE.md">org.glassfish:jakarta.faces's
 changelog</a>.</em></p>
   <blockquote>
   <h1>Releasing a new Mojarra version</h1>
   <p>The release pipeline is the single <a 
href="https://github.com/eclipse-ee4j/mojarra/blob/master/Jenkinsfile"><code>Jenkinsfile</code></a>
 at the repo root, run as a Jenkins pipeline job. It does, in one run:</p>
   <ol>
   <li><strong>Prepare</strong> — checkout, JDK selection, version resolution 
(impl, and on 5.0+ also <code>jakarta.faces-api</code> via the 
<code>faces/</code> submodule), CSP-backport TCK exclusion fallback for 4.0.17+ 
/ 4.1.8+ (mirrors <code>compute-csp-backport-flags</code> in the TCK pom for 
the existing TCK zips that predate the script).</li>
   <li><strong>Build &amp; install</strong> — single Maven reactor (<code>-pl 
impl -am</code>); on 5.0+ adds <code>-Papi</code> to also build 
<code>jakarta.faces-api</code> from the submodule. Tags are created locally; 
pushes happen later.</li>
   <li><strong>TCK</strong> — downloads the published TCK zip from 
<code>download.eclipse.org/jakartaee/faces/&lt;branch&gt;/</code>, runs the TCK 
against the locally-installed impl, fails the build on any TCK failure or 
error, then renders <code>summary.txt</code> (passed/failed/error counts, SHAs 
of TCK zip and the produced impl jar, JDK and OS info). Pass/fail counts are 
aggregated from two sources: per-module 
<code>target/failsafe-reports/failsafe-summary.xml</code> (covers new-TCK 
<em>and</em> old-tck-selenium since both are failsafe-driven), and the JavaTest 
harness's &quot;Completed running N tests&quot; / &quot;Number of Tests 
Passed/Failed/Errors&quot; lines in <code>run.log</code> (covers old-tck on 4.x 
when <code>SKIP_OLD_TCK</code> is unchecked). Archives <code>run.log</code> and 
<code>summary.txt</code>. Selenium/Chrome is provided by the agent pod 
(<code>eclipsecbijenkins/basic-ubuntu-chrome</code>); branches whose TCK pins a 
CDP major outside Selenium's fudge range (e.g. 4.0 pins CDP v108) skip the 
BaseITNG suite via 
<code>-Dtest.selenium=false</code> per 
<code>BRANCH_CONFIG.seleniumEnabled</code>.</li>
   <li><strong>Deploy to Maven Central</strong> <em>(skipped on 
<code>DRY_RUN</code>)</em> — <code>mvn deploy 
-Dcentral.autoPublish=true</code>, so the bundle auto-publishes on success 
rather than parking in the Portal staging area.</li>
   <li><strong>Bump to next snapshot</strong> <em>(GA only)</em> — 
<code>versions:set</code> to the next <code>-SNAPSHOT</code> and commit on the 
release branch (and the <code>faces/</code> submodule on 5.0+). Skipped on 
milestone/RC runs so the source branch keeps its current 
<code>-SNAPSHOT</code>.</li>
   <li><strong>Publish to GitHub</strong> <em>(skipped on 
<code>DRY_RUN</code>)</em> — push the release branch and tag (and the same for 
the <code>jakarta.faces-api</code> submodule on 5.0+); on GA runs, also open 
&amp; squash-merge a PR back to the source branch as <code>&lt;version&gt; has 
been released</code>, close the matching milestone, open the next snapshot's 
milestone, and draft+publish a GitHub release at the just-pushed tag with 
auto-generated notes prepended by a one-line summary, the Maven Central link, 
and the closed-milestone link. On milestone/RC runs only the tag is pushed; 
PR-merge, milestones, and GitHub release creation are all skipped.</li>
   </ol>
   <p>Maven Central deploy and GitHub push only run after the TCK passes, so a 
failed TCK leaves no half-published external state.</p>
   <h2>How to run</h2>
   <p>In the example below we assume releasing <strong>Mojarra 
4.0.17</strong>.</p>
   <ol>
   <li>Sanity-check the version isn't already in <a 
href="https://repo1.maven.org/maven2/org/glassfish/jakarta.faces/">Maven 
Central</a> — if it is, bump the version in <code>pom.xml</code> first.</li>
   <li>Go to <a href="https://ci.eclipse.org/mojarra/">Mojarra CI</a> and <a 
href="https://ci.eclipse.org/mojarra/login?from=%2Fmojarra%2F">log in</a>.</li>
   <li>Open the <a 
href="https://ci.eclipse.org/mojarra/job/mojarra-release/"><code>mojarra-release</code></a>
 job and click <strong>Build with parameters</strong>. For a normal release set 
only <code>RELEASE_LINE</code>; every other parameter can be left at its 
default and is auto-inferred:
   <ul>
   <li><code>RELEASE_LINE</code> = <code>4.0</code> (choices: <code>4.0</code>, 
<code>4.1</code>, <code>5.0</code>)</li>
   </ul>
   </li>
   <li><em>(Optional)</em> In case you wish to fine-tune the run, override one 
or more of:
   <ul>
   <li><code>MILESTONE_VERSION</code> — leave blank for a GA release; set to 
<code>M1</code> / <code>M2</code> / <code>RC1</code> / etc. for a milestone or 
release candidate. When set, the release version is auto-derived as 
<code>&lt;pom-base&gt;-&lt;MILESTONE_VERSION&gt;</code> (e.g. 
<code>5.0.0-M2</code>), tagged exactly that (no <code>-RELEASE</code> suffix), 
and the source branch is left untouched: PR-merge, milestone management, GitHub 
release creation, and snapshot bump are all skipped.</li>
   <li><code>JDK</code> — build JDK. Default: per-branch (see table below).</li>
   <li><code>TCK_JDK</code> — JDK that runs the TCK (the GlassFish container 
can need a newer one than the spec). Default: per-branch.</li>
   <li><code>TCK_VERSION</code>, <code>GF_VERSION</code> — TCK and GlassFish 
coordinate versions. Default: per-branch.</li>
   <li><code>GF_BUNDLE_URL</code> — alternative GlassFish zip URL. If set, also 
set <code>GF_VERSION</code> to match the artifact version inside the zip.</li>
   <li><code>API_RELEASE_VERSION</code> — 5.0+ only. Default: stripped from 
<code>faces/api/pom.xml</code>. Ignored when <code>impl/pom.xml</code> already 
pins <code>jakarta.faces-api</code> to a GA version (impl-only patch release, 
no new API artifact cut), or when <code>MILESTONE_VERSION</code> is set.</li>
   <li><code>RUN_TCK</code> — uncheck to skip the TCK stage. Default: 
checked.</li>
   <li><code>SKIP_OLD_TCK</code> — check to skip the old-tck JavaTest modules 
on 4.0/4.1 (excluded from the reactor entirely via <code>-pl</code>; cuts 
nearly 3 hours off the TCK run). No-op on 5.0+ where these modules no longer 
exist. The old-tck-selenium failsafe-driven modules are unaffected. Default: 
unchecked.</li>
   <li><code>DRY_RUN</code> — check to do everything except Maven Central 
deploy and GitHub push. Default: checked. Useful for rehearsals.</li>
   <li><code>TEST_RUN</code> — only meaningful as a sub-toggle of 
<code>DRY_RUN</code>: filters the TCK to a tiny representative subset (one 
failsafe IT + one sigtest IT + one old-tck-selenium IT, plus one old-tck 
JavaTest path when <code>SKIP_OLD_TCK</code> is unchecked). Drops run time to 
~10 min. Hard-gated: silently ignored when <code>DRY_RUN</code> is unchecked, 
since the run is not TCK-conformant and must never produce a published release. 
Default: unchecked.</li>
   </ul>
   </li>
   <li>Click <strong>Build</strong>.</li>
   <li>Wait for the run to finish. The build description shows a one-line 
summary, e.g. <code>4.0 → 4.0.17 (impl-only) (JDK11, GF 7.0.25, TCK 
4.0.3)</code>. Optional toggles surface as comma-separated suffixes (<code>, 
old-TCK skipped</code>, <code>, test-run</code>, <code>, milestone</code>, 
<code>, dry-run</code>).</li>
   <li>On success, verify:
   <ul>
   <li>Artifact in <a 
href="https://repo1.maven.org/maven2/org/glassfish/jakarta.faces/">Maven 
Central</a> (may take up to an hour to surface).</li>
   <li>Release branch <code>4.0.17</code> and tag <code>4.0.17-RELEASE</code> 
on <a href="https://github.com/eclipse-ee4j/mojarra/branches/active">GitHub</a> 
(GA only; milestone runs only push the tag). Once everything checks out, the 
release branch can be deleted (the squash-merge doesn't auto-delete it).</li>
   <li>The squash-merged &quot;Mojarra 4.0.17 has been released&quot; commit 
landed on the <code>4.0</code> source branch, the <code>4.0.17</code> release 
branch is closed, and the GitHub release at <code>4.0.17-RELEASE</code> is 
published with auto-generated notes (GA only).</li>
   <li>Closed milestone <code>4.0.17</code> and a fresh open milestone for the 
next snapshot (GA only).</li>
   <li>On 5.0+ releases that also cut the API: matching tag in <a 
href="https://github.com/jakartaee/faces/tags">jakartaee/faces</a> for the 
<code>jakarta.faces-api</code> version.</li>
   </ul>
   </li>
   </ol>
   <h2>Per-branch defaults</h2>
   <p>Maintained in <code>BRANCH_CONFIG</code> at the top of the 
<code>Jenkinsfile</code>. Adding a new release line means adding one entry 
there. Current entries:</p>
   <table>
   <thead>
   <tr>
   <th>Release</th>
   <th>Impl branch</th>
   <th>API branch</th>
   <th>Build JDK</th>
   <th>TCK JDK</th>
   <th>API version</th>
   <th>TCK version</th>
   <th>GF version</th>
   <th>Selenium</th>
   </tr>
   </thead>
   <tbody>
   <tr>
   <td><code>4.0</code></td>
   <td><code>4.0</code></td>
   <td>— (bundled)</td>
   <td>11</td>
   <td>11</td>
   <td>4.0.1</td>
   <td>4.0.3</td>
   <td>7.0.25</td>
   <td>off</td>
   </tr>
   <tr>
   <td><code>4.1</code></td>
   <td><code>4.1</code></td>
   <td>— (bundled)</td>
   <td>17</td>
   <td>21</td>
   <td>4.1.0</td>
   <td>4.1.0</td>
   <td>8.0.1</td>
   <td>on</td>
   </tr>
   <tr>
   <td><code>5.0</code></td>
   <td><code>master</code></td>
   <td><code>5.0</code></td>
   <td>17</td>
   <td>21</td>
   <td>5.0.0</td>
   <td>5.0.0</td>
   <td>9.0.0-M2</td>
   <td>on</td>
   </tr>
   </tbody>
   </table>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/53d87a6f3b3a113bd4910628d136c6d2da884f83"><code>53d87a6</code></a>
 Prepare release 4.0.17</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/5d98fee177b5998566e54c66bb8c9c870fffc8c2"><code>5d98fee</code></a>
 Skip deploy on parent pom; align central-release profile with master</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/b8f2b19739d97001972abd0bbe17999926fccd63"><code>b8f2b19</code></a>
 Fix <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5606">#5606</a>: 
hasForm must skip iteration</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/be4cef67c7e6dfe70d5d60d273fc1e4bd72515bf"><code>be4cef6</code></a>
 Merge pull request <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5716">#5716</a> 
from eclipse-ee4j/make_sure_csp_backport_passes_the_...</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/09efd700a0096a93d76e3f21baac8ae552e5fc3d"><code>09efd70</code></a>
 Fix <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5606">#5606</a>: 
this one is a real Mojarra bug which only surfaced after CSP</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/846f274ecaca46d0643eb4de111ebae983169e2e"><code>846f274</code></a>
 Fix <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5606">#5606</a>: 
render=&quot;<a href="https://github.com/all"><code>@all</code></a>&quot; must 
also run CSP scripts</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/61bb8849ca0d87d3fbc4e3a1e24fa2ebf14bf51d"><code>61bb884</code></a>
 Fix <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5606">#5606</a>: 
shouldWriteIdAttribute should always be true for UICommand</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/790f631dc140849b0f842ddb740903d7d85942b5"><code>790f631</code></a>
 Fix <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5606">#5606</a>: 
the h:commandLink script must be rendered AFTER end tag</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/7ee6f7430f7bd8a3d07aa07f84a1af036d8cd2cb"><code>7ee6f74</code></a>
 Fix <a 
href="https://redirect.github.com/eclipse-ee4j/mojarra/issues/5606">#5606</a>: 
Restore YUI Compressor because 4.0 TCK still uses HtmlUnit</li>
   <li><a 
href="https://github.com/eclipse-ee4j/mojarra/commit/902948b9b41fa8b2bf84d95f14e52b6ddf817927"><code>902948b</code></a>
 Fixed <code>ReferenceError: &quot;mojarra&quot; is not defined</code> in 
corner case when</li>
   <li>Additional commits viewable in <a 
href="https://github.com/eclipse-ee4j/mojarra/compare/4.0.16-RELEASE...4.0.17-RELEASE">compare
 view</a></li>
   </ul>
   </details>
   <br />
   
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
