v2.8.19: Play 2.8.19

Compare Source

The Play Team is happy to announce the release of Play 2.8.19 🥳

📗 What is new?

ping/pong support for WebSockets 🏓

Finally! Check out the documentation:

• WebSockets Play Scala
• WebSockets Play Java

Using Netty, WebSockets time out now ⏳

Another fix for WebSockets ships with this release as well:
If you are using the Netty backend the play.server.http[s].idleTimeout setting will now be honored for WebSocket connections. Until now, when using Netty, a WebSocket connection never timed out. That might even was desirable for some use cases, but now that we have ping/pong support you have to make use of that to keep WebSocket connections open. That is the correct way of doing things and not closing connections after an idle timeout was actually a bug. The akka-http backend was always working correctly and didn't need to be fixed.

Removed the shutdown hook from the default logback config 🪝

If you have

<shutdownHook class="ch.qos.logback.core.hook.DelayingShutdownHook"/>

in your logback config, you should remove that line. Play handles the shutdown of the logger context, the line shown is not necassary anymore since at least Play 2.7 and is a leftover that should have been removed a while ago. More details can be found in the according pull request.

Correctly encode Content-Disposition: form-data; name="..."; filename="..." 🔠

When Play renders a request body containing multipart/form data it will now encode the name and the filename fields according the "WHATWG HTML living standard" section 4.10.21.8. curl, Firefox, Chrome and other libraries like Python's urllib3 follow the same approach. Until now, Play didn't encode those fields which could result in security implications. Just to be clear, this is not about receiving and parsing multipart/form data from a client, but when sending multipart/form data e.g. via ws or when using the RequestBuilder to build a request for testing purposes. Details can be found in pull request #​11571.

A few words on Play's compatibility with sbt 1.8 🔧

Now that sbt 1.8 got released there have been reports that it isn't working out of the box with Play, caused by a version conflict regarding scala-xml, see #​11522. Unfortunately, right now, we don't have a fix for that yet. Even if we bump scala-xml to version 2.x in Play and all its dependencies, we can't currently make sbt 1.8 work with Play because of another problem described in #​11527.
The good news is, that isn't a showstopper if you still want to upgrade to sbt 1.8. You can do that right now by putting

ThisBuild / libraryDependencySchemes += "org.scala-lang.modules" %% "scala-xml" % VersionScheme.Always

in project/plugins.sbt. That is possible because scala-xml 1.x and 2.x are compatible anyway. However, like described in #​11527 you will not be able to use PlayNonBlockingInteractionMode with sbt 1.8 then (which probably not many people do anyway)

Further roadmap 🗺️

...news coming soon...

Merged pull requests

Following pull requests got merged for this release:

• #​11604 [2.8.x] Upgrade netty + netty reactive streams + fix backports by @​mkurz
• #​11603 [2.8.x] Escape Content-Disposition params according to WHATWG HTML living standard (backport #​11571) by @​mkurz
• #​11602 [2.8.x] Add exceptionOverrideClassName Hikari config setting (backport #​11601) by @​benwaffle
• #​11598 [2.8.x] Fix the example code to DiscardingCookie for Results#discardingCookies (backport #​11597) by @​tsuyoshizawa
• #​11593 Update PlayApplicationOverview.md by @​SenthilNayagan
• #​11528 [2.8.x] Upgrade Scalafmt to latest release of 2.4.x serias (backport #​11524) by @​ihostage
• #​11567 [2.8.x] Added play-hmac-signatures (backport #​11559) by @​phelps-sg
• #​11560 [2.8.x] Updating documentation - ConfiguringHttps.md by @​szymond
• #​11552 Update SettingsJDBC.md by @​bmontuelle
• #​11532 [2.8.x] Do not use/recommend shutdownHook in Logback, Play handles that by @​mkurz
• #​11519 [2.8.x] Log websocket communication problems + handle special Netty case by @​mkurz
• #​11521 [2.8.x] Add WebSocket ping/pong support by @​mkurz
• #​11420 [2.8.x] Netty: Websockets should respect play.server.http.idleTimeout by @​mkurz
• #​11518 [2.8.x] Use environment file instead set-output by @​ihostage

For more details see the full list of changes and the 2.8.19 milestone.

❤️ Thanks to our premium sponsors!

If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!

v2.8.18: Play 2.8.18

Compare Source

The Play Team is happy to announce the release of Play 2.8.18.

📗 What is new?

This release includes a fix for #​10590 to avoid StackOverflowErrors when sending multipart/form-data requests with many fields as payload. We recommend upgrading as soon as possible.

Following pull requests got merged for this release:

• #​11491 [2.8.x] Upgrade Akka, Netty, Spring, Joda-Time by @​mkurz
• #​11360 To refactor BodyPartParser of Multipart in order to avoid StackOverflowError easily by @​yousuketto
• #​11465 [2.8.x] Update MIME types (backport #​11406) by @​PromanSEW
• #​11464 [2.8.x] Upgrade netty-reactive-streams by @​mkurz
• #​11459 [2.8.x] Latest scala sbt versions by @​mkurz

For more details see the full list of changes and the 2.8.18 milestone.

❤️ Thanks to our premium sponsors!

If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!

v2.8.17: Play 2.8.17

Compare Source

The Play Team is happy to announce the release of Play 2.8.17.

📗 What is new?

Following pull requests got merged for this release:

• #​11430 [2.8.x] Update Evolutions.scala (backport #​11345) by @​BlankFX
• #​11419 SLF4J 2 compatibility: avoid direct usage of StaticLoggerBinder by @​jfsoul
• #​11367 link to ScalaCompileTimeDI doc from the DI section of the ScalaWS help by @​ianknowles
• #​11333 [2.8.x] Update branch in message (RedirectHttpsFilter) (backport #​11332) by @​PromanSEW
• #​11320 [2.8.x] Remove 3rd party tools page by @​felipebonezi
• #​11309 Update ImplementingHelloWorld.md by @​ysedira

For more details see the full list of changes and the 2.8.17 milestone.

❤️ Thanks to our premium sponsors!

If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!

v2.8.16: Play 2.8.16

Compare Source

The Play Team is happy to announce the release of Play 2.8.16.

📗 What is new?

The following are the relevant changes of this bugfix release:

• Patched a moderate CVE to prevent a denial of service when binding forms to deeply-nested JSON objects. #​11301
• Patched a minor CVE that can sometimes result in developer mode errors showing in production mode. #​11305
• Adds support for the 'bundleresource' protocol, when checking URLs. #​11108

The following pull requests got merged for this release:

• #​11305 [2.8.x] Introduce DevHttpErrorHandler by @​BillyAutrey, @​mkurz
• #​11301 [2.8.x] add depth limit for JSON form binding by @​gmethvin, @​mkurz
• #​11291 [2.8.x] GHA: Also release on publish event + secrets inherit by @​mkurz
• #​11289 [2.8.x] Refactor badges by @​mkurz
• #​11269 [2.8.x] Bump version of sharable workflows to v2 by @​ihostage
• #​11252 [2.8.x] Adding support for checking URL with protocol='bundleresource' existence by @​asaelitz, @​mkurz
• #​11265 [2.8.x] Remove play-enhancer from docs, project is dead by @​PromanSEW
• #​11262 [2.8.x] Switch to GitHub actions by @​mkurz
• #​11228 [2.8.x] Make scripts more userfriendly if running outside of CI by @​mkurz

For more details see the full list of changes and the 2.8.16 milestone.

❤️ Thanks to our premium sponsors!

If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!

Something you want to talk about for this release? Join the discussion

v2.8.15: Play 2.8.15

Compare Source

The Play Team is happy to announce the release of Play 2.8.15.

📗 What is new?

The following are the relevant changes of this bugfix release.

🐞 Fixed Spring4Shell (CVE-2022-22965)

This RCE vulnerability might affect Play Java users that deploy their applications as a war file (e.g. in Tomcat).
More details can be found here: A note on Spring4Shell for Play Java users

🐞 About CVE-2020-36518 in Jackson and Play 2.8.x

Please see https://github.com/playframework/playframework/discussions/11222

☕ Experimental support for Java 17

You should now be able to run your Play applications with Java 17, but to do so, you have to make some adjustments.

⚠️ Even though people report running their Play 2.8.15+ apps on Java 17 without issues, support for Java 17 is experimental. ⚠️
⚠️ Make sure to test your application thoroughly before putting it into production. ⚠️

• If you are using Guice you have to make use of the latest version:

  // In your build.sbt add:
  libraryDependencies ++= Seq(
    "com.google.inject"            % "guice"                % "5.1.0",
    "com.google.inject.extensions" % "guice-assistedinject" % "5.1.0"
  )

• If you are using the Java routing DSL you have to upgrade typetools (see #​10055 and #​10814):

  // In your build.sbt add:
  libraryDependencies += "net.jodah" % "typetools" % "0.6.3"

• Avoid using jnotify for the FileWatchService (like in this removed test)
• To be able to run tests using OneServerPerTestWithComponents or GuiceOneServerPerTest (see #​11209):

  // In your build.sbt add:
  Test / javaOptions ++= Seq(
    "--add-exports=java.base/sun.security.x509=ALL-UNNAMED",
    "--add-opens=java.base/sun.security.ssl=ALL-UNNAMED"
  )
  // Test / fork := true // This is the default anyway, just a reminder in case you changed it to false before

If you run into any other issues please let us know by opening a bug report, thanks!

📖 Following pull requests got merged for this release

• #​11214 [2.8.x] Upgrade Spring to fix Spring4Shell vulnerability by @​mkurz
• #​11215 [2.8.x] Adjust welcome message for experimental Java 17 support by @​mkurz
• #​11210 Remove -XX:MaxPermSize, breaks on Java 17 by @​mkurz
• #​11207 [2.8.x] Update dependencies before next 2.8.x release by @​mkurz
• #​11206 [2.8.x] Partial support for Java17 by @​mkurz
• #​11205 [2.8.x] Fix docs: Passing request to WebSocket action not supported (backport #​11172) by @​mkurz
• #​11202 [2.8.x] Reverts #​11109 (downgrade ssl-config back to 0.4.x) by @​mkurz
• #​11200 typing error by @​Sanabria13
• #​11195 Doc fix: Body needs to be redirected with POST by @​mkurz
• #​11175 Update jquery dependency to 3.6.0 version by @​morellik
• #​11178 [2.8.x] Make the "please donate" message more friendly (backport #​11177) by @​jxtps
• #​11129 Remove old or abandoned 3rd party play modules from module directory by @​Max-AR
• #​11149 [2.8.x] Update release drafter workflow by @​mkurz
• #​11146 [2.8.x] Rename master branch to main by @​mkurz
• #​11140 [2.8.x] Cleanup .github folder by @​mkurz
• #​11130 [2.8.x] Remove iteratees docs by @​Max-AR
• #​11117 [2.8.x] Renamed Boxfuse to CloudCaptain by @​axelfontaine
• #​11119 [2.8.x] change uri parse path error from warn to debug (backport #​10151) by @​fusuiyi123
• #​11116 [2.8.x] Make sure to append -SNAPSHOT for sonatype by @​mkurz
• #​11109 [2.8.x] Use ssl-config to 0.6.0 by @​mkurz

For more details see the full list of changes and the 2.8.15 milestone.

❤️ Thanks to our premium sponsors!

If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!

v2.8.14

Compare Source

v2.8.13: Play 2.8.13

Compare Source

The Play Team is happy to announce the release of Play 2.8.13.

📗 What is new?

Following pull requests got merged for this release:

• Dev server should not exit when it receives EOF (-1) #​11088 by @​mkurz
• play-ws 2.1.7 #​11083 by @​mkurz
• Bump versions (backport #​11050) #​11076 by @​scala-steward and @​mkurz
• [2.8.x] Add onLoadMessage #​11071 by @​mkurz
• Shutdown dev server when pressing CTRL+C during run #​11064 by @​mkurz
• ConsoleReader should be blocking in sbt 1.4+ since System.in already is non-blocking #​11061 by @​mkurz
• Updating log4j to 2.17 in docs (backport #​11060) #​11062 by @​BillyAutrey
• Updating log4j ref in docs to 2.16.0 (backport #​11053) #​11054 by @​BillyAutrey
• Show latest version of java supported in 2.8 in Requirements.md #​11055 by @​syntapy
• Upgraded version of log4j used in docs to 2.15.0 (backport #​11051) #​11052 by @​jroper

For more details see the full list of changes and the 2.8.13 milestone.

❤️ Thanks to our premium sponsors!

If you find Play useful for work, please consider asking your company to support this Open Source project by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussion about new features, and pull requests review. Play is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!

v2.8.12

Compare Source

v2.8.11: Play 2.8.11

Compare Source

The Play Team is happy to announce the releases of Play 2.8.11.

This release brings in a new version of Akka Http including security updates.

📗 What is new?

Following pull requests got merged for this release:

• Update play-json and play-ws #​11030 by @​octonato
• update play-ws #​11028 by @​octonato
• use new community sonatype profile #​11024 by @​octonato
• Fixed ###replace: tag that led to incorrect docs #​10789 by @​arid-mangoss
• Clarified the allowedhost blacklist usage in documentation #​10839 by @​FuriousTurtle
• bump guava dependency to fix vulnerability #​10875 by @​johnduffell
• bump: Akka 2.6.17 and Akka HTTP 10.1.15 for Play 2.8.9 #​11019 by @​ennru
• Fix IOException when using sbt thin client (backport #​10890) #​11014 by @​mergify
• Remove Whitesource checks #​11003 by @​ennru
• Travis: remove explicit notifications (backport #​10984) #​11000 by @​mergify
• [2.8x] Fix cron job by upgrading akka + scalaJava8Compat (for Scala 2.13 only) #​10966 by @​mkurz
• Fix variable substitution in evolution warning (backport #​10931) #​10960 by @​mergify
• Fix cron jobs (repo.akka.io not used anymore) (backport #​10961) #​10963 by @​mergify
• Add play-test to PlayImport (backport #​10940) #​10959 by @​mergify
• Set MaxMetaspaceSize to 512m (like it was 4 month ago) (backport #​10877) #​10942 by @​mergify
• fix: change project starter link (backport #​10934) #​10935 by @​mergify
• Stop testing 0.13 #​10932 by @​ignasi35
• [2.8.x] Use sbt 1.5.5 for scripted tests #​10926 by @​mergify
• Update outdated links to scala-sbt.org in the documentation #​10918 by @​kaseken
• Fix tail-recursive deserializer (Lagom's #​3241) (backport #​10840) #​10916 by @​mergify
• Prefer -agentlib:jdwp= over -Xrunjdwp: (backport #​10885) #​10908 by @​mergify
• Run tests against Scala 2.12.14 and 2.13.6 and sbt 1.5.3 (backport #​10880) #​10891 by @​mergify
• Make sure scripted jobs use the same commit like publish-local did (backport #​10855) #​10872 by @​mergify
• [2.8.x] Run scripted tests against sbt 1.5.2 #​10856 by @​mergify
• [2.8.x] Remove bintray leftovers (fixes CRON build) #​10842 by @​mkurz
• [2.8.x] Run tests with sbt 1.5.1 #​10835 by @​mkurz
• Binders for OptionalInt, OptionalLong, OptionalDouble (backport #​10825) #​10830 by @​mergify
• Updated link to OWASP recommended to familiarize with CSRF #​10828 by @​TrevorNathan
• Also run netty http 1.1 microbenchmark encrypted (backport #​10820) #​10824 by @​mergify
• Fix docs: Flash cookie is signed (bp #​10818) #​10821 by @​mergify
• Initialize static Json objectMapper only once (bp #​10808) #​10812 by @​mergify
• Long jobs should appear first on a stage #​10811 by @​ignasi35

For more details see the full list of changes and the 2.8.11 milestone.

🙇 Credits

Finally, thanks to the community for their help with detailed bug reports, discussion about new features, and pull requests review. Play is only possible due to the help we had from amazing contributors.

If you find Play useful for work, please consider to support this Open Source project by becoming a backer or premium sponsor. You can donate to our Open Collective here.

Special thanks to the following contributors who helped with this release:

@​FuriousTurtle, @​PromanSEW, @​TrevorNathan, @​arid-mangoss, @​ennru, @​gmethvin, @​ignasi35, @​johnduffell, @​kaseken, @​mergify, @​mergify[bot], @​mkurz, @​octonato, @​rstento and @​scala-steward

Full Changelog: playframework/playframework@2.8.8...2.8.11

v2.8.10

Compare Source

v2.8.9

Compare Source