Release Notes for XWiki 15.6-rc-1
These are the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.
This release provides two improvements on the features introduced in the previous release: the ability to insert images using only the keyboard with a Quick Action, and an improved security vulnerability scanner that displays vulnerabilities not only from installed extensions but also from core extensions. On top of those, several minor improvements have been made, along with bug fixes, including security fixes. Finally, some cleanup has been performed: various deprecated plugins have been removed from the core extensions. Be sure to read the backward compatibility section.
New and Noteworthy (since XWiki 15.5)
Full list of issues fixed and Dashboard for XWiki 15.6-rc-1.
For Users
Quick Image Insertion
You can now search for and insert images using the keyboard, by typing / (slash) and selecting the image Quick Action. This opens a drop-down that lists the latest images uploaded to the page and to the whole wiki. You can also upload new images directly from the drop-down. Check out the CKEditor Integration documentation for more information.
Miscellaneous
Set email grouping strategy per scheduler: The email grouping strategy can be defined at different levels (per wiki and per user) and is specific to a given scheduler, using a new dedicated XObject XWiki.Notifications.Code.NotificationEmailGroupingStrategyPreferenceClass.
An admin can add one or several xobjects in XWiki.XWikiPreferences to define the strategy for each scheduler at wiki level: the xobject needs to contain the name of the strategy to use and the name of the scheduler (hourly, daily, weekly or live).
This value can be overridden by a user by adding the same type of xobject to their own user profile.
Improved contrast for the "Decline" button in invitations.
The Application panel has been improved for low width displays.
For Admins
Improved Security Vulnerabilities scanner
On XWiki 15.5 the Security Vulnerabilities Application was limited to installed extensions. The scan now includes core extensions as well as dependencies provided by the environment (e.g., the servlet engine).
Environment vulnerabilities are listed in a separate tab.
Miscellaneous
Security Vulnerabilities Reviews: The Security Vulnerabilities Application now takes into account vulnerability reviews maintained by the XWiki Development Team.
Those reviews provide a more in-depth analysis of the security vulnerabilities found by the security scan. Known vulnerabilities that are analyzed as safe are displayed in a small font and will not raise the security notification.
Vulnerabilities with available reviews have a button next to them in the security listing Live Data, which displays the details of the reviews.
See the XWiki Security Policy for more details about our review process and to know where to reach us for questions.
Security Vulnerabilities name display: The display of the extension names on the extension security vulnerabilities is now improved to take into account the limited horizontal space of the administration.
Improved contrast on the "Excluded page" None element, in the Look & Feel -> Navigation Panels administration subsection.
More robust security cache: The security cache has been made robust against the disposal of structurally important entries. These entries are now also stored outside the cache for as long as they're still needed by entries in the cache, which avoids cascading disposal of large parts of the cache. If you've had problems with users sometimes seeing access denied, this might be the improvement you've been looking forward to. Also, if you've configured a very high size for the security cache to avoid these problems, it should be possible to reduce these limits now. The documentation provides some hints on how to choose a reasonable security cache size. However, as with every change to code that is critical to performance and security, there is a risk of regressions even though we have extensive tests. In particular, if you're maintaining a larger instance of XWiki, it is advised to monitor memory usage and performance after the upgrade to see if there are any irregularities. Also, please check that access restrictions are still working, in particular if they involve nested groups. As always, please open a bug report or create a forum post if you notice anything unusual.
For Developers
No changes!
Upgrades
The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):
- dompurify 3.0.3
- RssReader 3.4.5
- Apache PDF Box 2.0.29
- Docker Java 3.3.2
- Liquibase 4.23.0
- Snappy 1.1.10.1
- Calcite 1.34.0
- Hadoop 3.2.4
- Avatica 1.23.0
- Netty 4.1.94.Final
- Groovy 3.0.18
- Guava 32.1.1-jre
- Checker Qual 3.36.0
- JBoss Logging 3.5.3
- JGroups 5.2.16
- Maven 3.9.3
- Commons Codec 1.16.0
- Bouncy Castle 1.75
- Maven Resolver 1.9.13
- Error Prone Annotations 2.20.0
Translations
The following translations have been updated:
Tested Browsers & Databases
Here is the list of browsers we support and how they have been tested for this release:
Browser | Tested on:
---|---
Mozilla Firefox 116 | Not Tested
Google Chrome 116 | Not Tested
Microsoft Edge 116 | Jira Tickets Marked as Fixed in the Release Notes
Safari 16 | Not Tested
Here is the list of databases we support and how they have been tested for this release:
Database | Tested on:
---|---
HyperSQL 2.7.2 | Not Tested
MariaDB 11.1 | Jira Tickets Marked as Fixed in the Release Notes
MySQL 8.1 | Not Tested
PostgreSQL 16 | Not Tested
Oracle 19c | Not Tested
Here is the list of Servlet Containers we support and how they have been tested for this release:
Servlet Container | Tested on:
---|---
Tomcat 9.0.82 | Jira Tickets Marked as Fixed in the Release Notes
Jetty 10.0.15 (XWiki Standalone packaging) | Not Tested
Jetty 10.0.15 | Not Tested
Security Issues
Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.
Known issues
Backward Compatibility and Migration Notes
General Notes
- When upgrading, make sure you compare and merge the following XWiki configuration files, since some parameters may have been modified, removed or added:
  - xwiki.cfg
  - xwiki.properties
  - web.xml
  - hibernate.cfg.xml
- Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you back up your database before doing anything.
Issues specific to XWiki 15.6-rc-1
- The RSS Macro has been removed from XWiki Standard and moved to a Contrib Extension, as it wasn't a core feature. If you're upgrading from a version < 15.6, you'll just need to upgrade the RSS Macro Extension using the Extension Manager to get the latest version coming from contrib.
- The Charting Plugin has been removed from XWiki Standard and moved to XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). It was also not a core feature. In addition, it's been replaced by the Chart Macro, and more recently by the Chart.js macro.
- The SVG Plugin has been removed from XWiki Standard. It was using some old technology (plugin) and was not maintained. It was also not a core feature. In addition, there are now more recent solutions, including using the HTML macro.
- The SVG Rasterizing API has been removed from XWiki Standard and moved to a Contrib extension. If you're upgrading from a version < 15.6, and if you were using that API, you'll need to upgrade it using the Extension Manager to get the latest version coming from contrib. It was also not a core feature. In addition, if you were using the Java API, you'll need to change the packages from org.xwiki.platform.svg to org.xwiki.contrib.svg.
- The Diff plugin API has been removed from XWiki Standard and moved to the XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). In addition, it's been replaced by a newer Diff API.
- The Autotag plugin has been removed from XWiki Standard and moved to XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). It was also not a core feature.
- The Graphviz plugin has been removed from XWiki Standard and moved to XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). It was also not a core feature.
- The property refactoring.rename.useAtomicRename is no longer available and the old code relying on it has been removed.
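A pre-upgrade audit for the removals listed above, as an added example that is not part of the original release notes or of XWiki's tooling. The package, class and property names come from these notes; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find custom code and configuration that still reference
# packages, classes or properties removed in XWiki 15.6.
# Names in REMOVED_RE come from the release notes; everything else is constructed.

REMOVED_RE='org\.xwiki\.platform\.svg|com\.xpn\.xwiki\.plugin\.svg\.SVGPlugin|com\.xpn\.xwiki\.web\.SVGAction|refactoring\.rename\.useAtomicRename'

# Print file:line:text for every live (not #-commented) reference under $1.
list_removed_refs() {
  find "$1" -type f \( -name '*.java' -o -name '*.groovy' -o -name '*.vm' \
      -o -name '*.properties' \) \
      -exec grep -nE "$REMOVED_RE" /dev/null {} + 2>/dev/null |
    grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Number of live references under $1.
count_removed_refs() {
  list_removed_refs "$1" | wc -l | tr -d ' '
}

# Succeed only if the xwiki.cfg at $1 has an uncommented xwiki.store.migration=1.
migration_enabled() {
  grep -Eq '^[[:space:]]*xwiki\.store\.migration[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Build a small constructed tree to run the audit against; prints its path.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/src" "$d/WEB-INF"
  echo 'import org.xwiki.platform.svg.*;' > "$d/src/Thumb.java"
  echo 'import com.xpn.xwiki.plugin.svg.SVGPluginApi' > "$d/src/Legacy.groovy"
  printf '%s\n' '# refactoring.rename.useAtomicRename = true' \
    'refactoring.rename.useAtomicRename = false' > "$d/WEB-INF/xwiki.properties"
  echo '# xwiki.store.migration=1' > "$d/WEB-INF/xwiki.cfg"
  echo "$d"
}

SAMPLE=$(make_sample)
list_removed_refs "$SAMPLE"
echo "references to removed code or settings: $(count_removed_refs "$SAMPLE")"
migration_enabled "$SAMPLE/WEB-INF/xwiki.cfg" || echo "xwiki.store.migration=1 is not set"
```

Scripts stored in wiki pages live in the database, so a file-system scan like this covers only custom extensions and configuration files.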
API Breakages
The following APIs were modified since XWiki 15.5:
Real breakages
Real backward compatibility breakages that we have unwillingly accepted, for the reasons mentioned in each violation below.
- We voted to remove this old and unmaintained plugin for which there are alternatives.
  - Violation type: java.class.removed
  - Old: class com.xpn.xwiki.plugin.svg.SVGPlugin
- We voted to remove this old and unmaintained plugin for which there are alternatives.
  - Violation type: java.class.removed
  - Old: class com.xpn.xwiki.plugin.svg.SVGPluginApi
- We voted to remove this old and unmaintained plugin for which there are alternatives.
  - Violation type: java.class.removed
  - Old: class com.xpn.xwiki.web.SVGAction
Unstable APIs
Not real backward compatibility breakages, since they were done on APIs marked @Unstable (a.k.a. Young APIs). Thus it's part of the contract that they can be broken until they become stable. They're listed purely for reference in case you decided to still use them (and thus agreed to be broken).
- Young API. Provides a method to get access to the extension vulnerabilities URL.
  - Violation type: java.method.addedToInterface
  - New: method java.lang.String org.xwiki.extension.security.ExtensionSecurityConfiguration::getReviewsURL()
Credits
The following people have contributed code and translations to this release (sorted alphabetically):
- Dorian OUAKLI
- Gankov Andrey
- Jarle Sandmo
- Manuel Leduc
- Marius Dumitru Florea
- Michael Hamann
- Nikita Petrenko
- Oana-Lavinia Florean
- Sereza7
- Simon Urli
- Simpel
- Thomas Mortagne
- Vincent Massol
- dependabot[bot]
- xrichard