Skip to content

fix(deps): update dependency org.jasig.portlet.notification:notification-portlet-api to v4.8.4#359

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/org.jasig.portlet.notification-notification-portlet-api-4.x
Open

fix(deps): update dependency org.jasig.portlet.notification:notification-portlet-api to v4.8.4#359
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/org.jasig.portlet.notification-notification-portlet-api-4.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 5, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
org.jasig.portlet.notification:notification-portlet-api 4.8.24.8.4 age confidence

Release Notes

Jasig/NotificationPortlet (org.jasig.portlet.notification:notification-portlet-api)

v4.8.4: NotificationPortlet v4.8.4

Compare Source

Two-fix patch on top of v4.8.3.

Fixes

  • Pin jjwt-impl and jjwt-jackson at runtime (#​695)

    Every request to /NotificationPortlet/api/v2/notifications came back 403 Forbidden in 4.8.x deployments — even with a valid uPortal-issued OIDC bearer token. The <notification-icon> and <notification-list> web components both render off this endpoint, so they silently surfaced as empty in the portal.

    At INFO log level, SoffitApiPreAuthenticatedProcessingFilter only said "The following Bearer token is unusable". Turning the package up to DEBUG revealed the real cause:

    io.jsonwebtoken.lang.UnknownClassException: Unable to load class named
[io.jsonwebtoken.impl.DefaultJwtParser] from the thread context, current,
or system/application ClassLoaders. Have you remembered to include the
jjwt-impl.jar in your runtime classpath?

    The deployed WAR shipped only jjwt-api-0.11.5.jar. JJWT 0.10+ split into three jars — jjwt-api (interfaces), jjwt-impl (runtime implementation, where DefaultJwtParser lives), jjwt-jackson (JSON parsing). uPortal-soffit-core (the chain that brings JJWT into this project) declares the impl and jackson jars as runtimeOnly. Gradle does not propagate runtimeOnly transitive dependencies through the deprecated compile configuration this project still uses, so neither impl nor jackson reached this WAR's runtime classpath. Jwts.parser() threw on first call, the filter swallowed it as "Bearer token is unusable", Spring Security returned 403.

    Fixed by declaring runtimeOnly \"io.jsonwebtoken:jjwt-impl:\${jjwtVersion}\" and runtimeOnly \"io.jsonwebtoken:jjwt-jackson:\${jjwtVersion}\" directly on notification-portlet-webapp, with jjwtVersion=0.11.5 pinned in gradle.properties to match the version uPortal-soffit-core ships transitively.

  • Bump uPortalVersion to 5.17.5 (#​694)

    Aligns with the 2026-05 fleet wave and picks up the Bootstrap 5 include de-duplication in the respondr skin (uPortal v5.17.5).

Upgrade notes

No configuration changes required. Drop-in replacement for v4.8.3.

v4.8.3: NotificationPortlet 4.8.3

Compare Source

Patch release — single fix on top of v4.8.2.

Fix

The obsolete ch.qos.logback.classic.selector.servlet.ContextDetachingSCL listener has been removed from notification-portlet-webapp/src/main/webapp/WEB-INF/web.xml (PR #​693). The class was part of Logback's J2EE selector machinery and was removed in Logback 1.3.x.

Today the listener still loads cleanly because NotificationPortlet bundles Logback 1.1.11 (pinned by Spring Boot 1.5.22, which is itself EOL since 2019). But every other portlet in the fleet that bumped Logback to 1.3+ during the 2026-05 fleet release wave hit ClassNotFoundException at context startup with this exact listener — and NotificationPortlet would hit the same wall the moment its Spring Boot or Logback is bumped.

The listener also has no functional value here. The original loggingSeparation guidance (the URL in the deleted comment) was for using LoggerContextSelector with hot-deploy of separate webapps, which is not how this portal's logging is set up.

Compatibility

  • Drop-in upgrade for any deployment running v4.8.2.
  • No dep changes, no schema changes, no API contract changes.
  • Java 11, Tomcat 8.5/9.x as before.

Out of scope

  • Full Logback / Spring Boot modernization is a separate, much larger effort. Spring Boot 1.5 ships Logback 1.1.x and slf4j 1.7.x; bumping just Logback in isolation breaks Boot's auto-config because the version is effectively pinned by the Spring Boot generation. The Spring Boot 1.5 → 2.7 (or alternative) migration is tracked outside this patch.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/org.jasig.portlet.notification-notification-portlet-api-4.x branch from 63a342b to 02867e9 Compare May 5, 2026 08:43
@renovate renovate Bot changed the title fix(deps): update dependency org.jasig.portlet.notification:notification-portlet-api to v4.8.3 fix(deps): update dependency org.jasig.portlet.notification:notification-portlet-api to v4.8.4 May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants