This is the consolidated list of changes between Tapestry included in version 5.3.6. Tapestry 5.3.6 is a drop-in replacement for prior Tapestry 5.3 releases. To upgrade, just update the Maven dependency in you POM file (or download the new JAR file) and the new version will just work. However, please review the How to Upgrade instructions before upgrading.
This is a very modest bug fix release. Importantly, the bundled version of Prototype has been downgraded back to version 1.7, as the new version was causing a number of issues, especially under Internet Explorer.
The main improvement is security related; Tapestry will now integrate a hash-based message authentication code into an serialized Java object data stored on the client; generally, this means the t:formdata hidden field used by the Form component.
When you first run your application under 5.3.6, you will see an alert and a console error concerning the HMAC configuration. You should update your application's configuration to set a unique value for configuration symbol tapestry.hmac-passphrase.
Jira issues
Release Notes - Tapestry 5 - Version 5.3.6
Bug
- [TAP5-986] - A request can fail with an NPE in some cases, when a Tapestry page is acting as the servlet container error page
- [TAP5-1735] - Most packages lack package-level javadocs
- [TAP5-1903] - Client-side exception when a Zone containing a Form with an Upload component is re-rendered
- [TAP5-2008] - Serialized object data stored on the client should be HMAC signed and validated
- [TAP5-2009] - Downgrade bundled Prototype version back to 1.7
- [TAP5-2010] - Broken links in Javadoc pages
Improvement
- [TAP5-1996] - Add Severity.SUCCESS enum for alerts