Apache Commons JEXL 3.7.0 Release Notes
---------------------------------------

The Apache Commons JEXL team is pleased to announce the release of Apache Commons JEXL 3.7.0.

Introduction
------------

Apache Commons JEXL is a library that enables scripting features in Java applications and frameworks.

This is a feature and maintenance release. Java 8 or later is required.

Compatibility with previous releases
------------------------------------

Version 3.7.0 is source and binary compatible with 3.6.x but changes the default runtime and parse-time behavior (see below).

Behavior breaking change in 3.7.0
---------------------------------

o The default permission set is now "SECURE": a minimal allow-list covering only safe java.lang
  value types, java.math, and java.util. Everything else is denied unless explicitly composed in.

o The default features disable new(...), global side-effects, pragmas, and annotations, and enable
  lexical scoping; loops remain available to scripts (but never to expressions). Scripts using a
  disabled construct will throw JexlException.Feature at parse time with the default engine.

To restore the previous (3.6.x) defaults, load the bundled jexl.yaml via JexlConfigLoader:

    try (InputStream in = getClass().getResourceAsStream("/jexl.yaml")) {
        JexlEngine engine = JexlConfigLoader.load(in).create();
    }

Use JexlPermissions.logging() to discover which reflective elements the new algorithm denies.
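
An added example (not code from the JEXL project) that states features and permissions explicitly on a
JexlBuilder instead of relying on engine defaults, then checks which scripts the parser refuses. The class
name, the package "com.example.scripting" and the sample scripts are assumptions made for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlFeatures;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class PinnedJexlEngine {
    // Builds an engine whose features and permissions are stated explicitly.
    static JexlEngine build() {
        JexlFeatures features = new JexlFeatures()
                .newInstance(false)        // no new(...)
                .sideEffectGlobal(false)   // no assignment to context (global) variables
                .pragma(false)
                .annotation(false)
                .lexical(true)             // block-scoped variables
                .loops(true);
        // RESTRICTED plus one application package (hypothetical name).
        JexlPermissions permissions = JexlPermissions.RESTRICTED.compose("com.example.scripting.*");
        return new JexlBuilder().features(features).permissions(permissions).strict(true).create();
    }

    // True when the parser refuses the source because it uses a disabled feature.
    static boolean deniedByFeatures(JexlEngine engine, String source) {
        try {
            engine.createScript(source);
            return false;
        } catch (JexlException.Feature denied) {
            return true;
        }
    }

    public static void main(String[] args) {
        JexlEngine engine = build();
        // Constructed sample scripts: new(...), a global side-effect, a pragma, a local loop.
        String[] samples = {
            "new('java.lang.StringBuilder')",
            "counter = 1",
            "#pragma jexl.safe true\n42",
            "let t = 0; for (let i : [1, 2, 3]) { t += i } t"
        };
        for (String source : samples) {
            System.out.printf("denied=%b  %s%n", deniedByFeatures(engine, source), source.replace('\n', ' '));
        }
        Object sum = engine.createScript(samples[3]).execute(new MapContext());
        System.out.println("loop script result: " + sum);
    }
}
```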

New features
------------

o JEXL-465:  Add JexlConfigLoader to build a JexlEngine from a YAML configuration (permissions, features, arithmetic, namespaces, imports). 
o JEXL-464:  Default permissions are SECURE and default features harden parse-time behavior (disable new, global side-effects, pragmas and annotations; enable lexical scoping; loops remain available to scripts). 
o JEXL-463:  Add JexlPermissions.logging() to wrap a permission set and log which reflective elements are allowed or denied. 


Historical list of changes: https://commons.apache.org/proper/commons-jexl/changes.html

For complete information on Apache Commons JEXL, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons JEXL website:

https://commons.apache.org/proper/commons-jexl/

Download page: https://commons.apache.org/proper/commons-jexl/download_jexl.cgi

Have fun!
-Apache Commons Team

------------------------------------------------------------------------------

Apache Commons JEXL 3.6.4 Release Notes
---------------------------------------

The Apache Commons JEXL team is pleased to announce the release of Apache Commons JEXL 3.6.4.

Introduction
------------

Apache Commons JEXL is a library that enables scripting features in Java applications and frameworks.

This is a feature and maintenance release. Java 8 or later is required.


Fixed Bugs
----------

o JEXL-462:  JexlPermissions.RESTRICTED must ensure a better level of isolation. 




------------------------------------------------------------------------------

Apache Commons JEXL 3.6.3 Release Notes
---------------------------------------

The Apache Commons JEXL team is pleased to announce the release of Apache Commons JEXL 3.6.3.

Introduction
------------

Apache Commons JEXL is a library that enables scripting features in Java applications and frameworks.

This is a feature and maintenance release. Java 8 or later is required.


Fixed Bugs
----------

o JEXL-461:  Updates/improvements to the site documentation for JEXL Syntax. Thanks to David Costanzo. 
o JEXL-459:  Empty/size functions swallow all exceptions with no trace. Thanks to Mirek Hankus. 
o JEXL-458:  Improve permissions expressivity. Thanks to Daniil Averin.
o JEXL-457:  Reduce default exposure for RESTRICTED JexlPermissions. Thanks to Daniil Averin.
o JEXL-456:  Change in template parser behavior. Thanks to Vincent Bussol. 
o          Fix the @return tags in the Javadoc for JexlArithmetic.toBigInteger() overloads (#403). Thanks to David Costanzo. 

Changes
-------

o          Bump org.apache.commons:commons-parent from 96 to 102. Thanks to Gary Gregory. 
o          Bump commons-logging:commons-logging from 1.3.5 to 1.4.0. Thanks to Gary Gregory. 
o          Bump com.google.code.gson:gson from 2.13.2 to 2.14.0. Thanks to Gary Gregory. 



------------------------------------------------------------------------------


==============================================================================
Release 3.6.1
==============================================================================

Version 3.6.1 is a minor release.

Compatibility with previous releases
=====================================
Version 3.6.1 is source and binary compatible with 3.6.

Bugs Fixed
==========

o JEXL-452:  Debug setting in Engine shows class/method/line even when set to false.
o JEXL-451:  Restore JexlSandbox permission capabilities on Object.class.
o JEXL-450:  Disable instantiation of internal classes in RESTRICTED mode.
o JEXL-449:  Inconsistency on nature of curly-bracket syntactic elements regarding annotations.

Changes
=======

o            Bump org.apache.commons:commons-parent from 91 to 93 #391, #396.
             Thanks to Gary Gregory, Dependabot.
o            Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.20.0. Thanks to Gary Gregory.


==============================================================================
Release 3.6.0
==============================================================================

Version 3.6.0 is a minor release.

Compatibility with previous releases
=====================================
Version 3.6.0 is source and binary compatible with 3.5.

What's new
==========
Switch / case statements and expressions have been added to JEXL.

New Features
============

o JEXL-440:  Switch/case statement and expression.

Bugs Fixed
==========

o JEXL-448:  Engines caching misses local variables handling and global eviction capability.
o JEXL-447:  Regression in script-defined functions.
o JEXL-446:  ClassTool module inspection is too strict.
o JEXL-442:  Local variables are not resolved in interpolation string expression.
o JEXL-441:  Tokenization error if "\n" in template expression.
o JEXL-439:  When using reference capture, incorrect scoping when local variable redefines a captured symbol.
o JEXL-437:  Semicolons not actually optional between function calls on separate lines.

Changes
=======

o            Bump org.apache.commons:commons-parent from 81 to 91. Thanks to Gary Gregory.
o            Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0. Thanks to Gary Gregory.
o            Bump com.google.code.gson:gson from 2.13.1 to 2.13.2. Thanks to Gary Gregory.


==============================================================================
Release 3.5.0
==============================================================================

Version 3.5.0 is a minor release.

Compatibility with previous releases
=====================================
Version 3.5.0 is source and binary compatible with 3.4.

What's new in 3.5.0
====================
Operator overloading has been enhanced so that overloading compare() will benefit all comparison operators.
A feature flag has been introduced to allow pass-by-reference of captured variables closely mimicking
EcmaScript behavior.

New Features
============

o JEXL-438:  Allow parser factory specification.
o JEXL-428:  Make Comparable object high priority while comparing.
o JEXL-427:  Avoid coercing logical expressions to boolean.
o JEXL-426:  Enable pass-by-reference for Captured Variables.

Bugs Fixed
==========

o JEXL-436:  The increment (decrement) operator does not check for null operand.
o JEXL-435:  Changed behavior of empty operator overloading.
o JEXL-434:  The safe-access array operator is not safe.
o JEXL-433:  Debugger does not accept empty return statement.
o JEXL-432:  Namespace functors are not cleared when the classloader is updated.
o JEXL-431:  Parse error with variables declared in a catch clause.
o JEXL-429:  Ternary expression regression.
o JEXL-425:  Multiline format literals does not always return string.

Changes
=======

o            Bump org.apache.commons:commons-parent from 71 to 79. Thanks to Gary Gregory.
o            Bump commons-logging:commons-logging from 1.3.2 to 1.3.5.
o            Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.17.0. Thanks to Gary Gregory.
o            Bump com.google.code.gson:gson from 2.11.0 to 2.13.0. Thanks to Dependabot, Gary Gregory.


==============================================================================
Release 3.4
==============================================================================

Version 3.4 is a minor release.

Compatibility with previous releases
=====================================
Version 3.4 is source and binary compatible with 3.3.

What's new in 3.4
==================
Features and permissions are easier to define through new methods.
Some new syntaxes are introduced (thus the new minor): try/catch/finally (including with resources),
an array-access safe navigation (x?[y]), strict equality/inequality operators (===, !==) and
more permissive structured literals.

New Features
============

o JEXL-423:  Add support for instanceof / !instanceof.
o JEXL-422:  Add strict equality (===) and inequality (!==) operators.
o JEXL-421:  ArrayBuilder: array type should reflect common class of its entries.
o JEXL-419:  Add permission syntax to allow class/method/field.
o JEXL-418:  Add try-catch-finally support.
o JEXL-408:  Using JexlFeatures is tedious.
o JEXL-404:  Support array-access safe navigation (x?[y]).
o JEXL-401:  Captured variables should be read-only.
o JEXL-398:  Allow 'trailing commas' or ellipsis while defining array, map and set literals.

Bugs Fixed
==========

o JEXL-420:  Error while comparing float and string value.
o JEXL-417:  JexlArithmetic looses precision during arithmetic operator execution.
o JEXL-416:  Null-valued pragma throws NPE in 3.3.
o JEXL-415:  Incorrect template eval result.
o JEXL-414:  SoftCache may suffer from race conditions.
o JEXL-412:  Ambiguous syntax between namespace function call and map object definition.
o JEXL-410:  JexlFeatures: ctor does not enable all features.
o JEXL-409:  Disable LEXICAL should disable LEXICAL_SHADE.
o JEXL-405:  Recursive functions corrupt evaluation frame if reassigned.
o JEXL-403:  Exception while evaluating template literal used in array assignment in loop.
o JEXL-402:  Parse failed with empty return value.

Changes
=======

o            Bump commons-parent from 57 to 70. Thanks to Gary Gregory, Dependabot.
o            Bump org.ow2.asm:asm from 9.5 to 9.7. Thanks to dependabot.
o            Bump commons-logging from 1.2 to 1.3.2. Thanks to Gary Gregory, Dependabot.
o            Bump com.google.code.gson:gson from 2.10.1 to 2.11.0. Thanks to Gary Gregory, Dependabot.


==============================================================================
Release 3.3
==============================================================================

Version 3.3 is a minor release.

Compatibility with previous releases
=====================================
Version 3.3 is source and binary compatible with 3.2.
However, the default setting for permissions that determine which packages, classes and methods are accessible
to scripts has been reduced to a very narrow set. When migrating from a previous version of JEXL, this may
break your application's behavior; this breaking change requires remediation in your code.
Despite the obvious inconvenience (our sincere apologies on the matter), how much functional and semantic power is
accessible through scripts has a real impact on your application security and stability; that potential risk requires
an informed review and conscious choice on your end.
To mitigate the change, you can revert to the previous behavior with one line of code (see JexlPermissions,
JexlBuilder and JexlScriptEngine) or use this opportunity to reduce exposure. Whether files, URLs, networking,
processes, class-loaders or reflection classes are accessible, and whether loops or side effects are allowed, is
your choice to make.

What's new in 3.3
==================
JEXL 3.3 brings the ability to configure permissions on libraries in the manner pioneered
with the @NoJexl annotation on source code. This is achieved through a crude but light mechanism akin to
a security manager that controls what JEXL can introspect and thus expose to scripts.
Used in conjunction with options (JexlOptions) and features (JexlFeatures), the permissions (JexlPermissions)
allow fine-tuning the end-user freedom and scripting integration through syntactic and semantic sanitation.
JEXL 3.3 also adds some syntactic (ECMAScript) features (let, const, =>, for, ...) to further reduce
the skill set required to write scripts.

New Features
============

o JEXL-392:  Enable namespace declaration based on scripts.
o JEXL-391:  Improve in/=~ operator when arguments are arrays and collections.
o JEXL-390:  Pragmas should not be statements.
o JEXL-389:  Improve parsing timings.
o JEXL-385:  Support disabling fortran-style relational operators syntax.
o JEXL-382:  Simplify grammar and lexical state management.
o JEXL-380:  Multiple values per pragma key.
o JEXL-379:  Allow new to use class identifier.
o JEXL-373:  Add support for prefix/postfix increment/decrement operators.
o JEXL-372:  Add support for 'standard' for loop.
o JEXL-369:  Add 'let' and 'const' variable declarations.
o JEXL-367:  Named function and fat-arrow (=>) lambda syntax.
o JEXL-366:  Fail to evaluate string and number comparison.
o JEXL-365:  Lambda expressions.
o JEXL-363:  Allow retrieving captured variables in script.
o JEXL-360:  Add missing bitshift operators (>>, >>>, <<).
o JEXL-359:  Allow per-operator arithmetic handling of null arguments.
o JEXL-357:  Configure accessible packages/classes/methods/fields.

Bugs Fixed
==========

o JEXL-386:  Non-inheritable permissions on interfaces are ignored in an inheritable sandbox.
o JEXL-384:  Improve control over JexlArithmetic null argument handling.
o JEXL-378:  Incremental operator and decremental operator do not honor the side-effect flag.
o JEXL-376:  Introspector captures methods on non-exported classes (modules, java9+).
o JEXL-375:  Cannot access enums by their name when using sandbox.
o JEXL-374:  No exception if dereferencing null object using safe(false) and antish(false).
o JEXL-371:  Override of a protected method with public visibility is not callable.
o JEXL-370:  Cannot check if variable is defined using ObjectContext if the value is null.
o JEXL-368:  Namespace functor resolution is not cached.
o JEXL-364:  Evaluator options not propagated in closures.
o JEXL-362:  JexlInfo position reporting is off.
o JEXL-361:  Null may be used as operand silently even in arithmetic strict(true) mode.
o JEXL-354:  #pragma does not handle negative integer or real literals.
o JEXL-353:  Documentation error for not-in/not-match operator.
