Lucee 7.0.4.34-RC Available for Testing

This build includes 33 fixes and improvements since 7.0.4, covering classloader stability, datasource pooling, Maven dependency handling, OSGi/extension reload, mail TLS, and several new language features (limitEvaluation, configMerge, AI passthrough).

Lucee 7.0 is the active stable release.

Download: https://download.lucee.org/

Docker and Installers Bundle

  • Java 21.0.11+10-LTS
  • Tomcat 11.0.22

Extension Bumps

  • mysql-jdbc 9.5.0 → 9.6.0
  • postgresql-jdbc 42.7.7 → 42.7.9
  • administrator 1.0.0.6 → 1.0.0.7
  • documentation 1.0.0.5 → 1.0.0.6
  • s3 2.0.3.0 → 2.0.3.1
  • pdf 2.0.0.3-SNAPSHOT → 2.0.1.0
  • image 3.0.0.6 → 3.0.1.1
  • esapi 3.0.0.14-RC → 3.0.0.14 (final)
  • scheduler-classic 1.0.0.0 → 1.0.0.1

Changelog

Lucee Server Changelogs - 7.0

Language & Features

  • LDEV-5690 - allow safe variable dereferencing with limitEvaluation: simple variable reads still work, function calls and assignments still blocked
  • LDEV-6227 - new built-in function configMerge()
  • LDEV-6215 - add passthrough support for AI engines (custom HTTP headers for Claude, Gemini, OpenAI)
  • LDEV-6256 - split function aliases on comma so a function can register multiple aliases; expose alias/aliasOf in getFunctionData()

Datasource & Connection Pool

  • LDEV-6291 - prepareStatement(sql,type,concurrency) was calling the 4-arg overload, passing concurrency as holdability (invalid on strict drivers)
  • LDEV-6293 - getSystemMetrics(): fix waiters counted as idle, key per-pool stats by name+user, expose username
  • LDEV-6294 - isValid() pool validation timeout was misconfigured as 1000 seconds; now 1 second as intended
  • LDEV-6296 - prevent duplicate connection pool when cfquery passes credentials that match the datasource

Classloader, OSGi & Extensions

  • LDEV-6226 - fix cross-classloader method resolution in Clazz and Reflector.like() when types are name-equivalent across classloaders
  • LDEV-6240 - do not evict RPC classloaders during idle sweep; stabilise BundleClassLoader factory key by symbolic name + version; periodic RPC/ directory cleanup (1GB cap)
  • LDEV-6255 - JavaSettingsImpl produced inconsistent ClassLoader pool IDs causing class identity conflicts under reload-on-change
  • LDEV-6266 - fix startup failure “Could not initialize class org.apache.logging.log4j.core.LoggerContext” by suppressing trace-level logging in EnvClassLoader
  • LDEV-5956 - stale RHExtension instance cache caused “extension file does not exist” on repeated installs
  • LDEV-6301 - restore ConcurrentHashMap in ComponentPathCache; concurrent component loading could fail with invalid component definition

Maven Support

  • LDEV-6286 - fix POM.getInstance() race via ConcurrentHashMap + computeIfAbsent
  • LDEV-6270 - support Maven-based cache class definitions alongside OSGi bundles
  • LDEV-6283 - admin cache provider Maven support (persist maven coordinates from the form)
  • LDEV-6250 - remove overly strict Maven version validation (real Maven coordinates like v4-rev20260213-2.0.0 are valid)

Threading

  • LDEV-6281 - mark background threads as daemon so the JVM can exit cleanly (RamCache controler, CPULogger, RetireOutputStream, PageSourcePoolWatcher, StatmentClose, LogAllThreads)
  • LDEV-6238 - improve generated thread name (reduce anonymous thread name collisions in ThreadTag)

Mail / TLS

  • LDEV-5893 - stop re-enabling deprecated TLS protocols on the SMTP STARTTLS path; respect the JDK’s jdk.tls.disabledAlgorithms

ORM

  • LDEV-6239 - add missing dbcreate parser cases for create, create-drop, validate
  • LDEV-6269 - admin: flip ORM recommendation back to Lucee Hibernate Ext

Gateway

  • LDEV-6246 - gateway started twice on config reload; addEntries now synchronised and prunes orphaned gateways

Config & Security

  • LDEV-6222 - invoke ConfigListener.onLoadWebContext() for web contexts (regression in 7.0)
  • LDEV-6242 - load custom file-access directories from config on startup (security manager)
  • LDEV-6220 - regression: out.log spam from ConfigFactoryImpl config-file reads; added lucee.system.log.level sysprop/env floor (defaults to WARN)

Bug Fixes & Logging

  • LDEV-6310 - QoQ regression: stored-null column cells lost null in expressions under FNS=off
  • LDEV-6248 - null guard in getFile() to prevent NPE on invalid log paths
  • LDEV-6210 - improve mapping log entry (corrupt .lar archive surfaces a clear message instead of a raw ZipException)
  • LDEV-6213 - error template rendering failure now logged at appropriate level
  • LDEV-6010 - typo fix: CachedWithinIdCachedWithinFlush

Roadmap

Testing

Please give this RC a spin and report any issues on the forum.

3 Likes

Any feedback?

  • Tested, no problems
  • Running in prod
  • On my todo list
0 voters

In dev I upgraded from 7.0.1.98 RC, placing 7.0.4.34-RC.lco in the patches folder and restarting Lucee:

sudo wget -P /opt/lucee/tomcat/lucee-server/patches "https://cdn.lucee.org/7.0.4.34-RC.lco" && sudo /opt/lucee/lucee_ctl restart

Unable to run any tests due to breaking change for this site-wide code which I have in a UDF:

objHtmlPolicyBuilder = CreateObject("java", "org.owasp.html.HtmlPolicyBuilder");

lucee.runtime.exp.NativeException: cannot load class through its string name, because no definition for the class with the specified name [org.owasp.html.HtmlPolicyBuilder] could be found; failed to load class with multiple classloaders, every cause in the stacktrace represents a classloader

I verified that the OWASP extension is still installed and I even updated it from 3.0.0.14 to 3.0.0.14-RC then restarted Lucee again, but the error persists.

I don’t think that class is available any more in the extension. You can pull it from Maven easily though:

objHtmlPolicyBuilder = CreateObject( "java", "org.owasp.html.HtmlPolicyBuilder", { maven: [ "com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20260313.1"] } )
2 Likes
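
The Maven-loaded class from the reply above, used end to end as a post-upgrade smoke test that the class still resolves and the policy still strips active content. This is an added example, not code from the thread or from Lucee: the createObject() form and Maven coordinate are the ones quoted in the reply, while the policy contents, function and variable names, and the sample input are assumptions.

```cfml
<cfscript>
// Added example. Coordinate copied from the reply above; all names below are hypothetical.
SANITIZER_GAV = "com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20260313.1";

// Build an allow-list policy for user comments.
// Java varargs parameters are passed as CFML arrays.
function buildCommentPolicy() {
    var builder = createObject(
        "java",
        "org.owasp.html.HtmlPolicyBuilder",
        { maven: [ SANITIZER_GAV ] }
    ).init();

    return builder
        .allowElements( [ "p", "b", "i", "em", "strong", "ul", "ol", "li", "a" ] )
        .allowAttributes( [ "href" ] ).onElements( [ "a" ] )
        .allowStandardUrlProtocols()   // http, https and mailto only
        .requireRelNofollowOnLinks()
        .toFactory();                  // PolicyFactory, reusable for many sanitize() calls
}

// Fail loudly if anything on the deny side survives sanitizing.
function assertStripped( required string clean ) {
    for ( var marker in [ "<script", "javascript:", "onclick" ] ) {
        if ( findNoCase( marker, arguments.clean ) ) {
            throw( type="SanitizerCheck", message="sanitizer output still contains [#marker#]" );
        }
    }
    return true;
}

policy = buildCommentPolicy();

// Constructed sample input: an event-handler attribute, a script element,
// a javascript: link, and one legitimate https link.
dirty = '<p onclick="x()">Hi <b>there</b></p>'
      & '<script>alert(1)</script>'
      & '<a href="javascript:alert(1)">bad</a> '
      & '<a href="https://lucee.org/">good</a>';

clean = policy.sanitize( dirty );
assertStripped( clean );

// Show the sanitized markup as text so it can be inspected in the browser.
writeOutput( htmlEditFormat( clean ) );
</cfscript>
```

Running this template after dropping a new .lco into the patches folder catches a missing class at createObject() and a weakened policy at assertStripped(), before site-wide code depends on either.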

@Julian_Halliwell that worked perfectly, thanks!

@Zackster all of my tests passed with 7.0.4.34-RC, thanks!

2 Likes

Based on all the lack of bug reports, I reckon we are ready to release?

Still stable here!

1 Like

We’ve been running it in production for a couple of days now - no issues yet! Thank you!

1 Like

Published

1 Like