Releases: groovy/GMavenPlus
4.0.1
4.0.0
Bugs
None
Enhancements
- Support Java 22 and 23 (#302)
- Multiple dependency upgrades, including some that fixed CVEs
- Added a warning about using SecurityManager to prevent
System.exit()calls. JEP 411 deprecated SecurityManager in Java 17, for future removal. It is unclear what it will be replaced with for the use case of preventingSystem.exit()usages. JDK-8199704 is one possibility.
Potentially breaking changes
- Updated the required Maven version to 3.6.3 to conform to the compatibility plan (#309)
Notes
None
3.0.2
Bugs
[#280] The 3.0.1 jar was corrupt (thanks @eugene-sadovsky for reporting this!).
Enhancements
- [#279] Fix CVE-2023-42503.
Potentially breaking changes
None.
Notes
The CVE fixed were related to dependencies of the plugin. While I haven't done an analysis of whether they were exploitable (since this is a Maven plugin and not an application), it seems unlikely.
Contributors
Assets 2
3.0.1
Bugs
- [#276] Fix that enabling
skipBytecodeCheckcauses the Groovy version to be reported as not supporting the goal (thanks for reporting this @jgenoctr!).
Enhancements
- [#264] Support targeting Java 21 bytecode (thanks @bmarwell!).
- [#253] Fix CVE-2020-8908 and CVE-2023-2976.
- Fix CVE-2023-37460 (242baa8 and 623a56f).
Potentially breaking changes
None.
Notes
The CVEs fixed were related to dependencies of the plugin. While I haven't done an analysis of whether they were exploitable (since this is a Maven plugin and not an application), it seems unlikely.
Contributors
Assets 2
3.0.0
Bugs
Enhancements
- [#239] Require Maven 3.2.5.
Potentially breaking changes
Maven's compatibility plan marked Maven versions older than 3.2.5 as EOL in March 2023. Therefore, we now require 3.2.5 to move forward with the rest of the ecosystem.
Notes
Fixing the validation warnings removed some Maven dependencies from the plugin's classpath (instead of using the ones from Maven itself). I'm not aware of any negative consequences of this, but it's possible certain specialized use cases might encounter changes in behavior.
Contributors
Assets 2
2.1.0
2.0.0
Bugs
None.
Enhancements
- [#210] Improve error messages when Groovy classes can't be located (avoiding the
NullPointerExceptions that were causing confusion and instead throwing our own exception). - [#221] apache/groovy@8d19017#diff-5522480b605c81fc7dd50f58b857f5fc8802ea69229742441c6fdef328846062 caused an exception to be thrown for Groovy 4.0.0-RC-1 and newer when binding properties in a script/console/shell and
bindPropertiesToSeparateVariablesis false. The error logging when this happens has been improved. - [#223] Support
5,6,7,8, and1.9arguments totargetBytecodeso that validation doesn't unexpectedly fail since it uses themaven.compiler.targetproperty and these arguments are valid for javac.
Potentially breaking changes
This release requires Java 8 and drops support for Java 7. This was necessary to update dependencies which fix vulnerabilities. Specifically, in maven-archiver. At the time of release, the following dependencies were not compatible with Java 7
- org.apache.commons:commons-compress
- org.codehaus.plexus:plexus-archiver
- org.apache.maven:maven-archiver
- org.codehaus.plexus:plexus-io
- org.codehaus.plexus:plexus-utils
This is not the first breaking release, but it is the first breaking release to follow the semver conventions.
Notes
None.
1.13.1
1.13.0
1.12.1
Bugs
- [#186] Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader.
Enhancements
- Update Jansi to 2.x.
Potentially breaking changes
The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x specific classes.
Notes
None.