github vaadin/flow 25.1.6
Vaadin Flow 25.1.6
on GitHub

2 hours ago

Changes since 25.1.5

All changes

New features

  • Support delaying installation of recently published npm packages (#24334) (CP: 25.1)
    Commit · Pull request

    Adds a minimum package age check (default disabled) so that npm, pnpm and bun are instructed not to install package versions newer than the configured threshold. This mitigates supply-chain attacks where a compromised version is briefly published to the registry. The threshold is exposed via Options#withMinimumPackageAgeDays(int); setting it to 0 disables the check.

  • Expose application properties via Options for TypeScriptBootstrapModifier consumers (#24073) (CP: 25.1)
    Commit · Pull request

    TypeScriptBootstrapModifier implementations (e.g., Copilot) need access > to application properties to conditionally modify bootstrap TypeScript. Currently, the Copilot script is injected in dev mode regardless of > whether Copilot is enabled in the project configuration.
    Add withApplicationConfiguration to Options and property accessor > methods (getApplicationStringProperty, getApplicationBooleanProperty) that return Optional.empty() when configuration is unavailable (build > time). Wire ApplicationConfiguration from DevModeInitializer.
    Fixes #24055

Fixes

  • Load Image/IFrame sources when disabled (#24346) (CP: 25.1)
    Commit · Pull request · Issue

    When an Image or IFrame backed by a DownloadHandler lives inside a disabled component, the browser receives a 403 and the resource never loads. Image.setSrc(DownloadHandler) and IFrame.setSrc(DownloadHandler) now allow the resource to be served regardless of the owner's enabled state, since these sources are fetched passively as part of rendering rather than as a user action.

  • Loading state muting based on trigger events (#24230) (CP: 25.1)
    Commit · Pull request

    This change reverts the eager removal of loading state introduced by #23229, as it causes the indication to disappear during ongoing loading. As a replacement, it re-introduces debouncing tracking of active requests, and adds event-based silencing of the loading indication to avoid flashing the indicator for high-frequency UI interactions.
    In addition, instead of setting loading state using ConnectionState.setState() directly, the proper connection state methods (loadingStarted(), loadingFinished()) are used to avoid interference with loading state for requests from other sources outside Flow client.

  • Package json hash difference between linux and windows (#24321) (CP: 25.1)
    Commit · Pull request

    Windows and Linux generated a different hash for the package json content as jackson default indenter used system line separator.
    Fixes #24305

  • NPE when web push subscription is expired (#24310) (CP: 25.1)
    Commit · Pull request

    When the push service reports a subscription as expired, WebPush.sendNotification threw NullPointerException instead of the intended WebPushException.
    Remove a leftover reference to an unassigned HttpResponse local variable that was no longer populated after the migration to com.interaso.webpush.
    Fixes #24306 >

  • Install pnpm deps in hoisted mode + declare @babel/types (#24288) (CP: 25.1)
    Commit

    Adjusted for 25.1's dep-graph: @babel/types is pinned to 7.28.5 to match @babel/preset-react's version on this branch (main pins to 7.29.0 to match @babel/core which is not declared on 25.1). @babel/core and @babel/plugin-transform-react-jsx-development from the main commit are not added — they are not declared as direct deps on 25.1 and the React function location plugin only imports @babel/types. The .npmrc and FrontendTools changes that switch pnpm to hoisted mode apply unchanged.

  • Wrong existence check in getStaticResource (#24283) (CP: 25.1)
    Commit · Pull request

    On Jetty 12.1.9, requests for static resources packaged inside a JAR (e.g. vaadinPush.js from flow-push) fail with FileSystemNotFoundException. VaadinServletService.getStaticResource verifies the URL returned by ServletContext.getResource via Path.of(url.toURI()), which for a jar:file:...!/entry URI requires the JAR's NIO FileSystem to already be mounted in the JVM-wide cache. Jetty 12.1.8 incidentally kept those filesystems mounted during resource resolution; 12.1.9 no longer does, so getFileSystem throws and the existing catch (URISyntaxException) lets the unchecked exception escape, producing HTTP 500.
    Probe the URL with URL.openStream() instead. JarURLConnection and FileURLConnection use java.util.jar.JarFile / java.io.File directly and are independent of the NIO FileSystems cache, so the check works uniformly for file: and jar:file: URLs and on every Jetty 12 build. The catch is broadened to IOException, covering both missing files (the original Jetty 12 workaround) and missing JAR entries.

Check out latest releases or
releases around vaadin/flow 25.1.6

Don't miss a new flow release

NewReleases is sending notifications on new releases.

Get notifications