github vaadin/flow 25.0.7
Vaadin Flow 25.0.7


Changes since 25.0.6


Fixes

  • Populate ActiveStyleSheetTracker during page load for CSS live reload without HotSwap Agent (#23603)

    ActiveStyleSheetTracker was only populated by StyleSheetHotswapper.onInit(), which requires a HotSwap Agent. Without one, the tracker stayed empty and PublicResourcesLiveUpdater's file watcher silently skipped all CSS updates.

    Register active @Stylesheet URLs during normal dev-mode page loading:

    - AppShellRegistry.createSettings() tracks AppShell stylesheets
    - UIInternals.addComponentDependencies() tracks component stylesheets

    Both paths are guarded by !isProductionMode() for zero production overhead.

    Also simplify the live reload integration test to rely on the file watcher instead of manually triggering reload via button clicks.

  • IndexOutOfBoundsException when serializing arrays in JacksonSerializer (#23600)

    When serializing Java arrays, JacksonSerializer was using ArrayNode.set(i, value) on a newly created ArrayNode. In Jackson, set() expects an existing element at the given index, leading to an IndexOutOfBoundsException for new arrays. This change switches to ArrayNode.add(value) to correctly populate the array. Additionally, support for deserializing JSON arrays back into Java arrays was added to ensure symmetry in JacksonSerializer.

  • Use raw request URI for baseHref calculation to support encoded slashes (#23569) (CP: 25.0)

    The previous fix for encoded slashes (%2F) in wildcard route parameters (commit b0c121b) set urlPathHelper.setUrlDecode(false) in ForwardingRequestWrapper, which made getPathInfo() return percent-encoded paths for all requests. This broke static resource serving for files with spaces in their names and potentially affected other getPathInfo() consumers like DAUUtils.

    Instead of disabling URL decoding globally, fix the actual site where the raw path matters: BootstrapHandlerHelper.getServiceUrl(). This method uses getCancelingRelativePath() to count path segments for the baseHref, which must use the raw URI so that %2F is not mistaken for a real path separator.

    The fix computes the raw path info by stripping the context path and servlet path from the request URI, preserving the original encoding. This allows reverting setUrlDecode(false) so that getPathInfo() returns properly decoded paths for all consumers.

    The 25.0 branch does not have JUnit 6 as a dependency, so the cherry-picked test class fails to compile. Convert to JUnit 4 imports and make the class and test methods public.
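
The segment-counting problem described in the entry above, as an added example that is not code from Vaadin Flow: it derives the raw path info by stripping the context and servlet paths from the request URI and compares the resulting baseHref with the one computed from the decoded path. The class, the method bodies and the sample URIs are constructed for illustration; `cancelingRelativePath` is a simplified stand-in for the helper named in the commit message.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration; names and logic are hypothetical, not Vaadin Flow code.
public class BaseHrefSegments {

    // Raw path info: request URI minus context path and servlet path,
    // with the original percent-encoding left untouched.
    static String rawPathInfo(String requestUri, String contextPath, String servletPath) {
        String prefix = contextPath + servletPath;
        if (!requestUri.startsWith(prefix)) {
            throw new IllegalArgumentException("URI outside servlet mapping: " + requestUri);
        }
        return requestUri.substring(prefix.length());
    }

    // One "../" per directory level below the servlet root, "./" when there is none.
    static String cancelingRelativePath(String pathInfo) {
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i < pathInfo.length(); i++) { // index 0 is the leading '/'
            if (pathInfo.charAt(i) == '/') {
                sb.append("../");
            }
        }
        return sb.length() == 0 ? "./" : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed requests under context path /app and servlet path /ui.
        String[] uris = {
            "/app/ui/files/a%2Fb",            // wildcard parameter "a/b" sent encoded
            "/app/ui/files/my%20report.pdf"   // file name containing a space
        };
        for (String uri : uris) {
            String raw = rawPathInfo(uri, "/app", "/ui");
            // Stand-in for the container's decoded getPathInfo(); the samples
            // contain no '+', which URLDecoder would turn into a space.
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.println("raw     " + raw + " -> baseHref " + cancelingRelativePath(raw));
            System.out.println("decoded " + decoded + " -> baseHref " + cancelingRelativePath(decoded));
        }
    }
}
```

For the first URI the decoded path contains one extra separator, so the baseHref climbs one level too far and relative resource URLs resolve outside the servlet mapping; for the second URI both forms agree, and the decoded form is the one that matches the file name on disk.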

  • Restore backwards-compatible 2-parameter constructors for BlurEvent and FocusEvent (#23500)

    The 3-parameter constructors with @EventData broke backwards compatibility for code that directly instantiates these events. Re-add the original (Component, boolean) constructors alongside the @EventData variants, matching the pattern used by ClickEvent, KeyDownEvent, etc.

  • Update tailwind path (#23481)

    Make the tailwind template import target not ./ but from Frontend so we do not get faulty imports in generated.

  • Prevent NPE in ShortcutRegistration when lifecycleOwner is null (#23465)

    Add null guard in fireShortcutEvent() to handle the case where a KeyDown event fires after the shortcut's lifecycle owner has been detached and remove() has set lifecycleOwner to null.

  • Detect theme component CSS changes even without theme.json (#23452)

    themeShadowDOMStylesheetsChanged only scanned for components/ folders in themes discovered via theme.json. Themes without a theme.json (but with a components/ directory) were silently skipped, so the dev bundle was never rebuilt to include their component styles.

    Always include the main theme name when scanning for components/ folders, regardless of whether theme.json exists.

  • Set required Java and Maven versions in flow-maven-plugin (#23434)

    Prevents potential issues with Maven versions >= 3.9.12 if a Java version newer than the supported one is used to package the Maven plugin.

  • Pass javaResourceFolder to Options in DevModeInitializer (#23440) (CP: 25.0)

    DevModeInitializer was creating an Options object without setting javaResourceFolder, causing TaskUpdateSettingsFile to overwrite it with an empty string. This broke legacy theme component styles in Gradle dev mode because the Vite theme plugin couldn't find vaadin-featureflags.properties in the correct location.

  • Remove Content-Type header from heartbeat requests and responses (#23225)

    Heartbeat requests and responses both have empty bodies, so the with Web Application Firewalls (WAFs). WAFs struggle to validate text/plain requests with no body content, triggering false positive security alerts in SOC monitoring systems.

    Changes:

    - Server: Remove Content-Type header from successful heartbeat responses in HeartbeatHandler (empty body = no content type needed)
    - Client: Remove Content-Type from heartbeat POST requests in Heartbeat.java (request body is null)
    - Tests: Add verification that Content-Type is not set while Cache-Control remains in place

    The original Content-Type header was added in 2013 to fix Firefox issue vaadin/framework#4167, where Firefox tried to parse the empty response as HTML and threw errors. This is no longer relevant because:

    1. Vaadin's client code never reads the response body, avoiding any parsing that would trigger browser errors
    2. Modern browsers handle empty responses without Content-Type
    3. HTTP best practices recommend no Content-Type for empty bodies

    The Cache-Control: no-cache header is retained as it's still required for iOS 6 Safari compatibility (vaadin/framework#3226).
