Changes since 25.2.0-alpha12
New features
-
Add JsFunction value type for composable executeJs
Commit · Pull request · IssueLets server code build a JS function value with captured parameters and pass it as an executeJs parameter, removing the need to string-concatenate framework boilerplate around user-supplied JS. Captures may themselves be Elements or other JsFunctions; the codec encodes them recursively as @v-fn, and the client reifies the value as a callable function with the captures pre-bound.
-
Only install npm packages that have been available more than a day
Commit · Pull requestBumps the default from 0 to 1 to enable the supply-chain delay by default while keeping the window short enough that the same-day Vaadin upgrade pain is at least bounded. Users can still opt out by setting the option to 0.
-
Support delaying installation of recently published npm packages
Commit · Pull requestAdds a minimum package age check (default disabled) so that npm, pnpm and bun are instructed not to install package versions newer than the configured threshold. This mitigates supply-chain attacks where a compromised version is briefly published to the registry. The threshold is exposed via Options#withMinimumPackageAgeDays(int); setting it to 0 disables the check.
Fixes
-
Prevent EOVERRIDE conflict when upgrading vaadin.version
Commit · Pull request · Issue -
Load Image/IFrame sources when disabled
Commit · Pull request · IssueWhen an
ImageorIFramebacked by aDownloadHandlerlives inside a disabled component, the browser receives a 403 and the resource never loads.Image.setSrc(DownloadHandler)andIFrame.setSrc(DownloadHandler)now allow the resource to be served regardless of the owner's enabled state, since these sources are fetched passively as part of rendering rather than as a user action.