JHipster release v6.3.0
This release fixes an important security vulnerability:
- Please read the security advisory here.
- Are you vulnerable? if you use JWT, session or UAA authentication, and more importantly if you use our system to send a link to reset passwords, then you are affected. The algorithm used isn't cryptographically secure, which means that an attacker could guess a reset link, and hence take over any account in the system.
- How to fix the issue you probably don't need to upgrade JHipster, as this just affects a few generated files, so this can be done manually. The issue is in the generated
RandomUtil
class. Here is this class in our sample application generated with JHipster v6.2.0 and here is the updated version, using JHipster v6.3.0. So all you need to do is copy the new file, which usesSecureRandom
, and replace the older file. - How this issue was handled This issue was found by Jonathan Leitschuh, and was fixed in the next couple of hours by Frederik Hahne. Please note that we gave a $500 bug bounty to Jonathan as well as a $300 bug bounty to Frederik. For obvious security reasons, only the JHipster core dev team knew about this issue during that period. We then waited one day in order to inform everyone, including doing an advisory on our Twitter account so that our users are not caught up with a surprise emergency release.
- What will happen next This is the first time we used the "security advisory" feature from GitHub. We certainly learned a lot, and we will provide in the very near future a clear path to report security advisories to the team.
What's new in this release
Apart from the security vulnerability, this is a minor release of JHipster v6 with 247 closed tickets and merged pull requests.
Here are the most significant ones:
- Upgrade to Spring Boot 2.1.8 and Spring Cloud Greenwich SR3
- All Docker images have been upgraded to their latest versions
- Migration from Tslint to Eslint (#10187 and #10213). The JHipster ESlint configuration is now externalized in a new repository at https://github.com/jhipster/eslint-config-jhipster #10358
- Created Jar is now non executable by default #10282
- Enforce architecture constraints with ArchUnit #10274
- Add a new Feign Client sub-generator based on OpenAPIGenerator #9548
- Liquibase can use different credentials than the one in the application (so the running application cannot change the current schema)
- Add support for Caffeine Cache #10303
- Enhance Google App Engine generator with Java 11, Jar support and more (#10284 and #10336)
- Fix the AWS generator monolith flow #10376
- Fix admin logs screen in Angular jhipster/ng-jhipster#97
- Fix interactions between main generator and blueprint when one is installed globally and the other locally #10257
- Fix issues with Istio URLs #10135
Closed tickets and merged pull requests
As always, you can check all closed tickets and merged pull requests here.
How to upgrade
Automatic upgrade
For an automatic upgrade, use the JHipster upgrade sub-generator on an existing application:
Upgrade your version of JHipster:
npm update -g generator-jhipster
And then run the upgrade sub-generator:
jhipster upgrade
Manual upgrades
For a manual upgrade, first upgrade your version of JHipster with:
npm update -g generator-jhipster
If you have an existing project, it will still use the JHipster version with which it was generated.
To upgrade your project, you must first delete its node_modules
folder and then run:
jhipster
You can also update your project and all its entities by running
jhipster --with-entities
You can also update your entities one-by-one by running again the entity sub-generator, for example if your entity is named Foo
jhipster entity Foo
Help and bugs
If you find any issue with this release, don't hesitate to:
- Add a bug on our bug tracker
- Post a question on Stack Overflow
If the issue you have is an urgent bug or security issue, please:
- Contact @jhipster on Twitter