Pedestal Versions Save

A change has been made to the path-params-decoder to address the breaking change in 0.6.0; by making the decoder idempotent, it is no longer a breaking change.

This release simply updates Jetty dependencies to address recently discovered CVEs.

Upgrade dependencies to fix CVEs:

• aws-java-sdk-xray
• jetty (various)
• tomcat-embed-jasper & tomcat-embed-core

Full release notes in the CHANGELOG; this covers some minor breaking changes.

The emphasis for this release was primarily about addressing CVEs in dependencies; internally, we also shifted the build from Leiningen to Clojure CLI (aka deps.edn). Finally, documentation and examples were updated and refreshed.

What's Changed

• The leading slash results in 404 Not Found by @umair-symplr in https://github.com/pedestal/pedestal/pull/705
• #696: Remove sync io from go blocks by @aredington in https://github.com/pedestal/pedestal/pull/706
• Improve log overriding by @aredington in https://github.com/pedestal/pedestal/pull/715
• replace some uses of deprecated defroutes, fix sample 'chain-providers' by @tbcs in https://github.com/pedestal/pedestal/pull/531
• improve csrf interceptor by @lucywang000 in https://github.com/pedestal/pedestal/pull/648
• URL Decode path parameters by default by @hlship in https://github.com/pedestal/pedestal/pull/733
• Fix reflection warnings in io.pedestal.http.route by @hlship in https://github.com/pedestal/pedestal/pull/731
• Mark io.pedestal.interceptor.helpers as deprecated by @hlship in https://github.com/pedestal/pedestal/pull/742
• #610: Regression: url-for for routes with an url-param as the first path part by @bonkydog in https://github.com/pedestal/pedestal/pull/746

New Contributors

• @phmeier-nubank made their first contribution in https://github.com/pedestal/pedestal/pull/707
• @umair-symplr made their first contribution in https://github.com/pedestal/pedestal/pull/705
• @stonedz made their first contribution in https://github.com/pedestal/pedestal/pull/690
• @lucywang000 made their first contribution in https://github.com/pedestal/pedestal/pull/648
• @hlship made their first contribution in https://github.com/pedestal/pedestal/pull/723
• @mtsbarbosa made their first contribution in https://github.com/pedestal/pedestal/pull/716
• @claj made their first contribution in https://github.com/pedestal/pedestal/pull/691
• @NazarDunets made their first contribution in https://github.com/pedestal/pedestal/pull/747

Full Changelog: https://github.com/pedestal/pedestal/compare/0.5.10...0.6.0

This release addresses the following issues:

• #695 Address critical dependency vulnerabilities (i.e., Jetty) and update to the latest core.async version.
• #693 BREAKING CHANGE: Update Pedestal's OpenTracing-related protocol implementations by removing the extension of TraceSpan, TraceSpanLog, TraceSpanLogMap and TraceSpanBaggage to Scope. This aligns Pedestal's OpenTracing support with OpenTracing version 0.33. Affected implementations should be changed to interact with spans directly, as per the Pedestal Tracing sample, as opposed to going through the Scope instance.
• PR #686 Adds a missing arity to TraceOrigin/-span for nils.
• PR #684 Updates the SSLContextFactory used for configuring Jetty. This context factory supports more complicated SSL setups.

This release addresses the following issues:

• #497 Websocket handlers should handle flow control/backpressure asynchronously
• #662 Override logger should be optional when using io.pedestal.log/log
• #672 Critical Vulnerability in Eclipse Jetty 9.4.18.v20190429 (CVE-2020-27216)
• #678 print-method generates an invalid edn when printing interceptors without name
• #683 Incorrect arity 5 for io.pedestal.http.route.definition.table/syntax-error

• The fast-resource interceptor now passes on context correctly. Resolves #658
• Pedestal now supports overriding the Jetty thread pool. #655.
• Fix FileChannel/open usage in fast-resource. Resolves #651.
• Clearer error messaging when the AWS XRay tracer is not registered. #617.
• Fix error suppression bug. See PR #645.
• Use openjdk Docker image in service template. Resolves #642.
• The test ServletHttpRequest now returns a StringBuffer on getRequestURL.
• Fix override-logger usage in log function. Resolves #638.
• Fix setting initial tags in X-Ray segment/subsegment. Resolves #626.
• Add test support for HttpServletResponse SendError.
• Fix tracing examples and updates some samples.

• Fixes the Template resource 'leiningen/new/pedestal_service/.gitignore' not found. error encountered when running lein pedestal-service [app-name] with the Pedestal 0.5.6 release.

For a full list of changes, please see this comparison of 0.5.6...0.5.7

• Resolves Pedestal dependencies have CVEs of high/critical severity #619
• It is now possible to override the service configuration's HttpConfiguration (jetty only) #615.
• The url-for :strict-path-params? option is now more strict. nil values are not allowed. Addresses #602.
• Bumped dependencies (see PR #620 for details)

For a full list of changes, please see this comparison of 0.5.5...0.5.6

Thanks to everyone who helped on all changes that went into 0.5.5.

Samples

• Added a json-api sample.

Bugfixes

• Pedestal.log now adheres to recent ns spec changes allowing its use with Clojure 1.10. Addresses issue #603.
• Fix for pedestal.log's distributed tracing support when passing a map to log/log-span.
• Fix async termination. Addresses issue #581.
• Fix recursive loop error in API Gateway async utilities.

For a full list of changes, please see this comparison of 0.5.4...0.5.5