Vaadin Flow 25.2.0-alpha8

Changes since 25.2.0-alpha7

All changes

New features

• Upgrade to TypeScript 6.0.2
  Commit · Pull request

• Add Geolocation API
  Commit · Pull request

  Adds a per-UI Geolocation facade (UI.getGeolocation()) that wraps the browser's Geolocation API with a one-shot get(...) request, a reactive track(Component) session, and an availabilitySignal() reporting capability/permission state. - Results use sealed types designed for exhaustive pattern matching: GeolocationOutcome (GeolocationPosition | GeolocationError) for one-shot reads, and GeolocationResult (adds GeolocationPending) for the tracker's signal before the first fix arrives. - Availability is delivered synchronously — seeded in the bootstrap handshake and kept in sync via a vaadin-geolocation-availability-change DOM event — so application code can read it (or bind to it) without an extra round-trip.

• Add support for accepting hidden fields in Binder
  Commit · Pull request

  Adds setAcceptHiddenFields(boolean) to Binder. setAcceptHiddenFields(true) makes Binder apply bindings for hidden fields by default in same way as with pre-Vaadin 25.

Fixes

• Rewrite relative url() paths when inlining @Stylesheet imports in production bundle
  Commit · Pull request · Issue

  When a CSS file referenced by @Stylesheet contains @import statements that pull in other CSS files with relative url(...) references, the production build inlined the imports but left the urls untouched. After inlining, the browser resolves those urls relative to the entry file, breaking image paths. Add a new build-time entry point that rewrites url(...) references so each one is expressed relative to the entry CSS file's folder. Absolute urls, protocol urls (http, https, data, ftp, file) and urls whose resolved target falls outside the entry's base folder (e.g. npm package siblings) are left untouched.

• Expose vaadin.eagerServerLoad in Spring properties metadata
  Commit · Pull request

  Add eagerServerLoad to VaadinConfigurationProperties so Spring Boot can generate configuration metadata and IDE autocomplete for the documented vaadin.eagerServerLoad property. ## Description Please list all relevant dependencies in this section and provide summary of the change, motivation and context. ## Type of change - [ ] Bugfix - [x] Feature ## Checklist - [x] I have read the contribution guide: https://vaadin.com/docs/latest/guide/contributing/overview/ - [x] I have added a description following the guideline. - [x] The issue is created in the corresponding repository and I have referenced it. - [x] I have added tests to ensure my change is effective and works as intended. - [x] New and existing tests are passing locally with my change. - [x] I have performed self-review and corrected misspellings. #### Additional for Feature type of change - [ ] Enhancement / new feature was discussed in a corresponding GitHub issue and Acceptance Criteria were created.

Vaadin Flow 25.2.0-alpha7

Changes since 25.2.0-alpha6

All changes

Fixes

• Sanitize percent characters in resource URLs
  Commit · Pull request · Issue

  Jetty 12 rejects URLs containing %25 (percent-encoded percent) as ambiguous URI path encoding, causing downloads to fail with HTTP 400 when filenames contain "%" characters. Add UrlUtil.sanitizeForUrl() that replaces "%" with "_" in the URL path segment. The actual download filename from Content-Disposition is unaffected since each resource has a unique ID for lookup. ---------

• Have Babel do the JSX dev transform so source locations stay accurate
  Commit · Pull request

  There are three parts here 1. The react JSX transform records information where in the source an element is used, e.g.

  hello
  2. We write location info for react components such as export default function HelloWorldView() { -> we add HelloWorldView.__debugSourceDefine= {...} with the source location of that function 3. We use a preact signal transform that wraps components to track signal reads In Vite 8 the JSX transform (1.)  is run through the Vite react plugin through OXC. We use Babel to run 2 and 3. Both the JSX element source info and function source info need to be based on the original source file because Copilot uses it to find the source location to edit. 1. The first PR ran Babel before Vite 8 + OXC and we modified the source when storing HelloWorldView..__debugSourceDefine -> Element source info was wrong 2. The second PR changed Babel to run after Vite 8 + OXC  and did not use the result from Vite 8 but read the files again from disk -> both source infos correct but @preact/signals-react-transform got the OXC transformed result and its logic stopped working (signal updates did not re-render) 3. The third PR changed Babel to run before Vite 8 + OXC again, removed reading from disk as the locations are correct and then it used retainLines so it would not break Element source info -> Still breaks column info even though row info is retained and Copilot does not work 4. This PR runs Babel before Vite 8 + OXC but also make Babel do the React JSX transform. Then we are back to pretty much what we had with Vite 7 where it all happens in Babel and all info should be correct. Put more technically: Previous iterations had Babel run post-OXC, or pre-OXC with retainLines (both broken: retainLines preserves line numbers but not columns, so inserted statements push JSX to higher column numbers in Babel's output; the post-OXC approach saw already-transformed code). Move the JSX dev transform into Babel itself via @babel/plugin-transform-react-jsx-development with the custom jsxImportSource. Babel now emits _jsxDEV(...) calls whose embedded lineNumber/columnNumber come straight from its AST loc — which refers to the original source. Babel's printer can freely reformat the file afterwards because OXC no longer looks at JSX source positions. ---------

Vaadin Flow 25.2.0-alpha6

Changes since 25.2.0-alpha5

All changes

New features

• Improve license error for unoptimized bundle
  Commit · Pull request · Issue

  When optimizeBundle is disabled the bytecode scanner is skipped and every commercial component on the classpath is treated as used, so the existing license error wrongly states "Your application contains the following commercial components" even when the application does not reference any of them. This is common for projects that pull the com.vaadin:vaadin umbrella artifact directly or transitively. Detect the disabled optimizeBundle case in BuildFrontendUtil.validateLicenses and throw a LicenseException whose message explains the classpath-level detection and gives concrete workarounds: re-enable optimizeBundle, replace com.vaadin:vaadin with com.vaadin:vaadin-core when declared as a direct dependency, or identify and exclude the transitive pull via mvn dependency:tree / ./gradlew dependencyInsight. A new validateLicenses(PluginAdapterBuild, ...) overload reads the flag; the PluginAdapterBase overload is deprecated and delegates to it.

Fixes

• Run Babel pre-OXC so React source locations and signals transform work correctly
  Commit · Pull request

  Flow's Vite config runs two Babel-based transforms on .tsx files: adding __debugSourceDefine to React function components for dev tooling, and @preact/signals-react-transform which wraps components to track signal reads. Both currently run AFTER OXC (in a custom enforce:'post' Vite plugin) which causes two problems: 1. Babel AST loc values refer to OXC-transformed code, not the original source, so __debugSourceDefine gets wrong line numbers. A workaround read the original file from disk to find function positions via regex. 2. @preact/signals-react-transform runs on already-transformed JSX calls and can no longer identify components reliably. Signal reads stop triggering re-renders. Switch to @rolldown/plugin-babel with its default enforce:'pre' so Babel sees the original source code. To prevent Babel's printer from shifting lines (which would break OXC's subsequent JSX source locations), set retainLines:true on the Babel transform. This keeps inserted statements on the same line as nearby code, so the file layout OXC sees matches the original. The readFileSync workaround in the source location plugin is removed; Babel AST loc is now accurate. Signals transform once again runs on raw JSX and correctly wraps components.

• Fix potential deadlock in AtmospherePushConnection disconnect
  Commit · Pull request · Issue

Vaadin Flow 2.13.4

Changes since 2.13.3

All changes

Fixes

• Fix potential deadlock in AtmospherePushConnection disconnect (CP: 2.13)
  Commit · Pull request · Issue

Vaadin Flow 25.2.0-alpha5

Changes since 25.2.0-alpha4

All changes

Fixes

• Fix React source locations for Vite 8 compatibility
  Commit · Pull request

  Two changes to fix source location tracking when using Vite 8/Rolldown: 1. Replace @rolldown/plugin-babel with a custom Vite plugin using @babel/core directly. The @rolldown/plugin-babel hardcodes enforce:'pre', making Babel run before @vitejs/plugin-react (OXC). This caused OXC to see Babel-modified code and produce wrong line numbers in jsxDEV() source info. The custom plugin uses enforce:'post' so Babel runs after OXC. 2. Update addFunctionComponentSourceLocationBabel to read the original source file from disk instead of using Babel AST positions. When running after OXC, Babel's AST loc values refer to the transformed code, not the original. Reading the file directly ensures __debugSourceDefine always contains correct original line numbers.

Vaadin Flow 25.0.10

Changes since 25.0.9

All changes

Fixes

• Prevent deletion of app-shell-imports by frontend cleanup task (#24118) (CP: 25.0)
  Commit · Pull request

  TaskRemoveOldFrontendGeneratedFiles deletes files in the frontend generated folder that are not recognized as known generated files. The app-shell-imports.js and app-shell-imports.d.ts files were missing from the known files list, causing them to be deleted when vaadinPrepareFrontend runs without the index generation task, for example when IntelliJ IDEA triggers a Gradle compilation while the dev server is running with hot deploy. Add APP_SHELL_IMPORTS_NAME and APP_SHELL_IMPORTS_D_TS_NAME to the known files list. Also improve test coverage by verifying all known file types, including Hilla generated files. Related to #24108

• Add package.json overrides for workbox dependencies (#24008) (CP:25.0)
  Commit · Pull request

  Cherry-pick of 90eb196 from main, adapted for 25.0: - Files in flow-build-tools/ on main mapped to flow-server/ on 25.0 - JUnit 5 assertions/annotations converted to JUnit 4 - temporaryFolder.getRoot() preserved (JUnit 4 TemporaryFolder) - Removed checkJacksonCompatibility test (method not on 25.0) - Kept vaadinBundlesPlugin import (25.0-specific) ---------

• Add popover attribute to system error container (#24093) (CP: 25.0)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24093 to branch 25.0. --- #### Original PR description > E.g. Dialog can obscure the message > > Fixes #24094 >

• Filter hop-by-hop headers in dev server proxy (#24092) (CP: 25.0)
  Commit · Pull request

  The dev server proxy in AbstractDevServerRunner forwarded all HTTP headers between the browser and the Vite dev server, including hop-by-hop headers that must not be forwarded by a proxy per RFC 9110 Section 7.6.1. It also forwarded the upstream Content-Length which may not match the actual bytes after HttpURLConnection decoding, causing broken responses on some servlet containers. This change filters hop-by-hop headers and Content-Length from proxied requests and responses, and avoids closing the output stream after sendError(). Related to #23564

• Preserve slot attribute for initially invisible elements (#24037) (CP: 25.0)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24037 to branch 25.0. --- #### Original PR description > When a component is set invisible before being attached, Flow's client-side binding skips all attribute binding. This means structural attributes like "slot" are never applied to the DOM, breaking CSS selectors that depend on them (e.g. Aura theme's structural selectors for AppLayout drawer). > > On the server side, StateNode.collectChanges() now emits the slot attribute even for invisible nodes, without consuming the feature's change tracker so the full attribute set is still sent on visibility change. On the client side, > SimpleElementBindingStrategy applies the slot attribute to the DOM during initial bind of invisible elements. The attribute name is defined once in NodeProperties.SLOT_ATTRIBUTE and referenced by both server and client. > > Fixes vaadin/web-components#11212 ---------

• Add missing registerStyles import to generated app-shell-imports.js (#23975)
  Commit · Pull request · Issue

  The generated app-shell-imports.js file was missing the THEMABLE_MIXIN_IMPORT line (import { css, unsafeCSS, registerStyles }), causing ReferenceError: registerStyles is not defined at startup in production mode when @CssImport with themeFor was used on an AppShellConfigurator. Also ensures import statements are moved to the top of the generated app shell file, consistent with other generated import files.

• Prevent duplicated CSS imports in web component generated file (#23984)
  Commit · Pull request · Issue

  When a CSS file is referenced by both a regular component and a WebComponentExporter (or AppShellConfigurator), the generated web component imports file contained duplicate import statements and duplicate style registrations for the same CSS. This happened because the web component output merges multiple independently generated files, and the existing string-based deduplication could not recognize that two imports for the same file were equivalent. The fix detects duplicate CSS file imports after merging and unifies their variable references so that identical style registrations are properly deduplicated, while preserving distinct registrations when the same CSS file is intentionally used with different configurations.

Vaadin Flow 25.2.0-alpha4

Changes since 25.2.0-alpha3

All changes

Breaking changes

• Stop auto-running vaadinPrepareFrontend in development mode
  Commit · Pull request · Issue

  IDE-triggered Gradle builds (e.g. IntelliJ compiling on file change) were running vaadinPrepareFrontend via processResources, which interfered with the running Vite dev server and broke hotdeploy. Since Vaadin 25, the dev server handles frontend preparation at runtime, so the task no longer needs to run automatically. The previous behavior can be restored by setting alwaysExecutePrepareFrontend = true.

New features

• Add help goal for maven plugin
  Commit · Pull request

  Adds generation of help goal for the Flow maven plugin. Also renamed execution identifier to avoid double execution of the descriptor goal.

• Expose application properties via Options for TypeScriptBootstrapModifier consumers
  Commit · Pull request · Issue

  TypeScriptBootstrapModifier implementations (e.g., Copilot) need access to application properties to conditionally modify bootstrap TypeScript. Currently, the Copilot script is injected in dev mode regardless of whether Copilot is enabled in the project configuration. Add withApplicationConfiguration to Options and property accessor methods (getApplicationStringProperty, getApplicationBooleanProperty) that return Optional.empty() when configuration is unavailable (build time). Wire ApplicationConfiguration from DevModeInitializer.

Fixes

• Respect user opt-out when adding overrides
  Commit · Pull request

  Adjust the checks for user opt-out in package.json overrides, so that an existing override for new entries added by Vaadin is considered as an opt-out, so that the existing user value is kept. This behavior satisfies the previously existing NodeUpdatePackagesNpmVersionLockingTest.shouldNotUpdatesOverrides_whenHasUserModification test.

• Prevent deletion of app-shell-imports by frontend cleanup task
  Commit · Pull request

  TaskRemoveOldFrontendGeneratedFiles deletes files in the frontend generated folder that are not recognized as known generated files. The app-shell-imports.js and app-shell-imports.d.ts files were missing from the known files list, causing them to be deleted when vaadinPrepareFrontend runs without the index generation task, for example when IntelliJ IDEA triggers a Gradle compilation while the dev server is running with hot deploy. Add APP_SHELL_IMPORTS_NAME and APP_SHELL_IMPORTS_D_TS_NAME to the known files list. Also improve test coverage by verifying all known file types, including Hilla generated files. Related to #24108

• Add package.json overrides for workbox dependencies
  Commit · Pull request

  • Add PwaConfiguration parameter to TaskUpdateVite constructor - Remove service worker plugin and its imports from vite.generated.ts when offline build is not enabled - Use FrontendDependenciesScanner in TaskGeneratePackageJson to generate correct dev dependencies - Enhance TaskUpdatePackages for proper override handling - Move all workbox dependencies to workbox/package.json and only add when offline sw build is needed - Add overrides for workbox dependencies to package.json - Add overrides support to NodeUpdater - Remove empty vaadin.overrides from package.json

• Add popover attribute to system error container
  Commit · Pull request

  E.g. Dialog can obscure the message

• Remove duplicate CI run for main branch merges
  Commit · Pull request

  Summary - Remove main from the push trigger branches in validation.yml to avoid duplicate CI runs - Since merge queue is enabled on main, every merge triggers both a merge_group and a push event for the same commit, causing two full CI runs (build + unit tests + integration tests) - Direct pushes to main are not possible (branch protection), so the push trigger for main is redundant - Other branches (25.1, 25.0, 24.10, etc.) still need the push trigger as they do not use merge queue ## Context When a PR merges via the merge queue, GitHub fires two events for the same commit (example vs example). The concurrency groups differ between the two events (gh-readonly-queue/main/... vs main), so they do not cancel each other and both run to completion. merge_group workflow run uses the same commit hash as the merged commit, so Bender should be able to match against it. This should be verified after merging.

• Filter hop-by-hop headers in dev server proxy
  Commit · Pull request

  The dev server proxy in AbstractDevServerRunner forwarded all HTTP headers between the browser and the Vite dev server, including hop-by-hop headers that must not be forwarded by a proxy per RFC 9110 Section 7.6.1. It also forwarded the upstream Content-Length which may not match the actual bytes after HttpURLConnection decoding, causing broken responses on some servlet containers. This change filters hop-by-hop headers and Content-Length from proxied requests and responses, and avoids closing the output stream after sendError(). Related to #23564

• Encode location query parameter in init request to preserve +
  Commit · Pull request

  Re-add encodeURIComponent() around the location parameter in the init request query string. Without encoding, a literal + in the URL path (e.g. /+/dashboard) is interpreted as a space by the servlet container's query parameter decoding, resulting in InvalidLocationException: Relative path cannot start with / The encodeURIComponent was removed in #22791 to preserve %2F in wildcard parameters, but this is not needed: double-encoding (%2F becomes %252F) is correctly undone by the servlet's single query parameter decode.

• Log Vite build failure only once instead of on every request
  Commit · Pull request

  When the Vite dev server fails to start, the exception was re-thrown on every subsequent HTTP request, flooding the log with identical stack traces. Now the error is thrown once and subsequent requests gets the error in the browser instead.

Vaadin Flow 25.1.3

Changes since 25.1.2

All changes

Fixes

• Re-enable upgrading override versions (#24137) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24137 to branch 25.1.

Vaadin Flow 25.1.2

Changes since 25.1.1

All changes

Fixes

• Respect user opt-out when adding overrides (#24123) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24123 to branch 25.1.

• Prevent deletion of app-shell-imports by frontend cleanup task (#24118) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24118 to branch 25.1.

• Add package.json overrides for workbox dependencies (#24008) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24008 to branch 25.1.

• Add popover attribute to system error container (#24093) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24093 to branch 25.1.

• Filter hop-by-hop headers in dev server proxy (#24092) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24092 to branch 25.1.

• Log Vite build failure only once instead of on every request (#24085) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24085 to branch 25.1.

• Prevent multiple effect invocations when reading the same signal multiple times (#23978) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #23978 to branch 25.1.

• Preserve slot attribute for initially invisible elements (#24037) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24037 to branch 25.1.

• Fix signal effect dispatching for test environments (#24041) (CP: 25.1)
  Commit · Pull request

  This PR cherry-picks changes from the original PR #24041 to branch 25.1.

Vaadin Flow 24.10.2

Changes since 24.10.1

All changes

Fixes

• Filter hop-by-hop headers in dev server proxy (#24092) (CP: 24.10)
  Commit · Pull request

  The dev server proxy in AbstractDevServerRunner forwarded all HTTP headers between the browser and the Vite dev server, including hop-by-hop headers that must not be forwarded by a proxy per RFC 9110 Section 7.6.1. It also forwarded the upstream Content-Length which may not match the actual bytes after HttpURLConnection decoding, causing broken responses on some servlet containers. This change filters hop-by-hop headers and Content-Length from proxied requests and responses, and avoids closing the output stream after sendError(). Related to #23564