Lucee 7.0.2.106 Stable Release

news release
1

This Lucee 7.0.2 release is a maintenance release, focussing on

  • classloader / memory stability
  • datasource connection pool fixes
  • component inheritance fixes
  • performance
  • robustness

image

Docker and Installers Bundle

  • Java 21.0.10+7-LTS
  • Tomcat 11.0.18

Support Lucee

Lucee is open source and free to use! If Lucee is valuable to your organisation, please consider supporting the project β€” contributions of code, documentation, and sponsorship all help keep Lucee moving forward.

Changelog

Classloader & Memory Management

The biggest area of work in this release β€” resolving long-standing classloader stability issues that caused ClassNotFoundException errors and memory pressure under load.

  • LDEV-5903 β€” Major classloader rework: fix PageSourcePool not being flushed, apply inspectTemplate on all application mappings, replace PhysicalClassLoader when threshold reached, use SoftReference for loaders, use identity hash code for classloader mapping
  • LDEV-6107 β€” Fix stale className references after classloader flush causing ClassNotFoundException, refactor dynamic invocation to support reflection vs runtime class creation, add lucee.dynamic.invocation env var to control behaviour
  • LDEV-1109 β€” Pin RAM resource directories with HardRef to prevent garbage collection from making RAM drives disappear
  • LDEV-6090 β€” Flush existing classloader from factory on revert

Datasource & Connection Pool

Complete overhaul of connection pool defaults and behaviour to eliminate connection leaks, deadlocks, and thread starvation.

  • LDEV-5962 β€” Fix pool config: correct maxTotal default from 0, set maxWaitMillis to 30 seconds
  • LDEV-5963 β€” Wire idleTimeout to minEvictableIdleTimeMillis so idle connections are actually evicted
  • LDEV-5964 β€” Reuse connection in store() to prevent nested borrow deadlock
  • LDEV-5965 β€” Return false when datasource connection validation throws exception instead of propagating
  • LDEV-5966 β€” Return connection to pool on timeout instead of closing directly
  • LDEV-5991 β€” Change default datasource idle timeout to 10 minutes
  • LDEV-6051 β€” Default maxIdle to connectionLimit for better connection reuse
  • LDEV-6066 β€” Streamline verifyDatasource
  • LDEV-6108 β€” Unhide GetSystemMetrics() as an official BIF for monitoring datasource connection pools
  • LDEV-5972 β€” Refactor modern MSSQL approach

Session Management

  • LDEV-5930 β€” Fix session component property loss in storage scopes
  • LDEV-5942 β€” sessionRotate() now rotates JSESSIONID for J2EE sessions, gracefully handle fake JEE sessions under JSR-223
  • LDEV-6046 β€” sessionInvalidate() properly de-activates old session when using database storage

Component & Inheritance

  • LDEV-6056 β€” Fix super.method() resolution in deep component hierarchies with same-named components across different mappings
  • LDEV-6055 β€” Fix misleading β€˜private’ in super.method() error message
  • LDEV-5913 β€” Fix closure regression: properly resolve current component
  • LDEV-5894 β€” Fix closure-in-closure resolution
  • LDEV-6004 β€” Fix regression: Property.getDefault() should return null for unset defaults
  • LDEV-5821 β€” Fix property metadata regressions, optimise cfproperty attribute handling

OSGi & Extensions

  • LDEV-6075 β€” Fix StackOverflowError in OSGi bundle loading caused by circular dependencies
  • LDEV-5917 β€” Boot delegate java.* packages in OSGi config
  • LDEV-5885 β€” Lock down extension manipulation to single thread
  • LDEV-5955 / LDEV-5957 β€” Fix extension startup hook handling and lifecycle
  • LDEV-6012 β€” Add fallback OSGi mapping for sun.jna
  • LDEV-5905 β€” Lock down file access to installed extension files and cache them
  • LDEV-6088 β€” Add test to check and report extension bundle problems
  • LDEV-6161 – ESAPI Extension v2 β†’ v3: OWASP Encoder Migration

Configuration & Deployment

  • LDEV-6091 β€” Add mode attribute to javasettings in Application.cfc ("replace", "extend", "inherit") to control whether Application.cfc JavaSettings replace or merge with CFConfig settings (default is still merge/extend)
  • LDEV-6105 β€” Add configurable Maven download policy (ignore/warn/error) with separate startup and runtime settings
  • LDEV-5863 β€” Add forced sync to config file writes to prevent Docker read race condition
  • LDEV-5976 β€” Fix error merging cfconfig.json
  • LDEV-5931 β€” Fix local file access security in single mode
  • LDEV-5849 β€” Add LUCEE_TAG_POPULATE_LOCALSCOPE environment variable
  • LDEV-5860 β€” Add Gradle-style support with extension definition in environment variables
  • LDEV-6116 β€” Extended SecretProvider API: add SecretProviderSet(), SecretProviderRemove(), SecretProviderList(), SecretProviderListNames() BIFs, plus FileSecretProvider with JSON and env file format support
  • LDEV-5851 β€” Call extension providers async, disable Maven extension provider by default
  • LDEV-5850 β€” Improve SysProp / Env Var documentation

Admin

  • LDEV-6085 β€” Fix scopeCascadingType and templateCharset not saving
  • LDEV-5853 β€” Admin search page: show message when extension isn’t installed
  • LDEV-5854 β€” Admin ORM page: link to extension when no engine is installed
  • LDEV-5947 β€” Admin overview shouldn’t show alphas for stable releases, improve CSS
  • LDEV-5915 β€” Fix web context label name in admin
  • LDEV-6065 β€” Force null support=false for the admin
  • LDEV-6068 / LDEV-6069 β€” Refactor admin update version handling, fix extension version comparison
  • LDEV-5856 β€” Update monitor installation to use new JSON config structure
  • LDEV-5899 β€” Fix admin updateMappings with type=server updating wrong config
  • LDEV-5900 β€” Add errorVariable for admin compileMapping and createArchive

CFML Language & Functions

  • LDEV-6058 β€” Enable val() as a member function
  • LDEV-5954 β€” query.addParam now supports arrays when list=true
  • LDEV-5339 β€” Add IsThreadInterrupted() and ThreadInterrupted() functions
  • LDEV-6010 β€” Add cachedwithinId() and cachedwithinFlush() BIFs for selective cache invalidation of queries, functions, and HTTP results
  • LDEV-5634 β€” QoQ now throws on invalid columns
  • LDEV-6063 β€” cfflush no longer sets Connection: close header
  • LDEV-5997 β€” AI response listener streaming support (Gemini), including binary parts and multi-part content types
  • LDEV-296 β€” Throw error when unsupported initMethod is used
  • LDEV-5845 β€” Update SQL parser to support FROM join syntax for HSQLDB fallback

AST & Compiler

  • LDEV-5836 β€” Add isBuiltIn to createExpression and CFML tag AST nodes for identifying custom tags
  • LDEV-5839 β€” Add mode argument to astFromString with offset script wrapping
  • LDEV-5855 β€” Add named argument support for astFromString
  • LDEV-5898 β€” Fix NPE with AST for for loops
  • LDEV-6023 β€” Improve parser TemplateException with better context
  • LDEV-5927 β€” Validate javasettings is valid JSON at compile time
  • LDEV-5763 β€” Throw compiler error when javasettings isn’t a JSON string

HTTP

  • LDEV-5904 β€” Fix HTTP timeout handling
  • LDEV-5932 β€” Fix cfhttp compression support with GET requests
  • LDEV-5869 β€” Cookie parsing now correctly handles values containing =
  • Cap HTTP connection timeout at 20 seconds to prevent DNS/handshake hangs

Performance

  • LDEV-6097 β€” Cache NativeException and create CatchBlock only once per PageException (see Known Issues β€” LDEV-6135)
  • LDEV-5907 β€” Use non-sync HashMap for named args and sized structs
  • LDEV-5950 β€” Use ConcurrentHashMap.newKeySet() for treeNode
  • LDEV-5951 β€” Pre-size internal query structs and arrays
  • LDEV-5910 β€” Faster cfdirectory attribute reading on Windows
  • LDEV-5844 β€” Resource execution log buffering, avoid out of memory with large execution logs
  • LDEV-5935 β€” Reduce XML logging overhead

Bug Fixes

  • LDEV-5889 β€” lucee.preserve.case logic was reversed
  • LDEV-6043 β€” Fix DecimalFormat bug
  • LDEV-5730 β€” Fix JSession casting bug
  • LDEV-5876 β€” Wrap jakarta/javax exception if needed
  • LDEV-6120 β€” Look for Jakarta-specific tag class first
  • LDEV-6073 β€” Add formtag-form to lucee-context.lar
  • LDEV-5909 β€” Fix CommandBox tray icon by removing java.awt.headless=true setting
  • LDEV-5437 β€” Fix relative path resolution outside mappings
  • LDEV-6057 β€” Handle null values in datasource connection string replacement
  • LDEV-5873 β€” Fix udfs.clear() in pageContext.release() needing additional check
  • LDEV-5884 β€” Fix version comparison copy-paste bug
  • LDEV-6048 β€” Fix loader LUCEE_VERSION warning check
  • LDEV-5605 β€” Fix exception line numbers for inline and sub components
  • LDEV-5659 β€” Fix OSGi version qualifier range comparison using wrong variable
  • LDEV-5891 β€” Fix NPE in admin datasource verification when connection returns null
  • LDEV-5939 β€” Validate directory is specified for delete/rename operations
  • LDEV-5943 β€” Fix inspect auto defaults
  • LDEV-6098 β€” Revert the removal of apache.commons.lang
  • LDEV-2390 β€” Fix times loop with break and continue

Error Messages & Logging

  • LDEV-3892 β€” Add context to β€œcan’t cast complex object struct” exceptions with scopes
  • LDEV-5906 β€” Improve missing argument name exception
  • LDEV-5875 β€” Add extra logging for component loading errors
  • LDEV-6129 β€” Additional logging for ORM session exceptions
  • LDEV-5921 β€” Improve logging checks
  • LDEV-5830 β€” Log extension downloads, reduce read timeout to 20 seconds
  • LDEV-5901 β€” Add tag attribute groups for more organized documentation

Other

  • LDEV-6021 β€” Check application context for default caches
  • LDEV-6020 β€” Order argument keys for cache key creation
  • LDEV-5859 β€” Change .exl file naming to requestId-pcId-serverStartTime, add parent thread info to child execution logs
  • LDEV-5870 β€” Allow unknown tags in AST
  • LDEV-5122 β€” Refactor core internal downloaders to use common class with Maven repo support

Extensions Bundled

With 7.0.2, we now support Maven GAV Syntax for Extensions

Key extensions:

  • MySQL JDBC 9.5.0
  • MSSQL JDBC 13.2.1
  • PostgreSQL JDBC 42.7.7
  • JTDS JDBC 1.3.1
  • Administrator 1.0.0.6
  • S3 2.0.3.0
  • PDF 2.0.1.0
  • Image 3.0.0.6
  • ESAPI 3.0.0.14

Upgrading

This is a significant release with connection pool default changes β€” if you have existing datasource configurations, review your connection pool settings after upgrading. The new defaults (maxIdle = connectionLimit, idle timeout = 10 minutes) are more sensible for most workloads but may differ from your tuned values.

JavaSettings: A new mode attribute is available in Application.cfc javasettings ("replace", "extend", "inherit") to control how Application.cfc JavaSettings interact with CFConfig settings. The default behaviour (merge/extend) is unchanged.

If you’re running on Docker, the config file sync improvements (LDEV-5863) should resolve race conditions on container startup.

Known Issues

The following regressions have been identified and are already fixed on the 7.0.3 branch. A 7.0.3 RC is expected shortly.

  • LDEV-6135 β€” Thread corruption in the NativeException LRU cache introduced by the LDEV-6097 caching optimisation β€” can cause unexpected exceptions under concurrent load
  • LDEV-6138 β€” Connection leak in releaseConnection() for unmanaged connections
  • LDEV-6139 β€” ORM releaseORM() doesn’t call closeAll() when flushAll() throws, leaking ORM sessions
  • LDEV-6132 β€” JavaSettings ClassLoader not reused when file contents haven’t changed (now uses file checksums as cache key)
  • LDEV-6133 β€” Idle ClassLoaders not being cleaned up
  • LDEV-6147 β€” ExtensionProvider preferring SNAPSHOTs over releases

Roadmap

7 Likes