fix(deps): update uportalversion to v5.17.9 #699

Open
renovate[bot] wants to merge 1 commit into master from renovate/uportalversion

renovate[bot] commented Jun 22, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
org.jasig.portal:uPortal-spring | 5.17.5 → 5.17.9 | age | confidence
org.jasig.portal:uPortal-soffit-renderer | 5.17.5 → 5.17.9 | age | confidence

Release Notes

uPortal-Project/uPortal (org.jasig.portal:uPortal-spring)

v5.17.9: uPortal v5.17.9

Patch release on top of v5.17.8. Removes two out-of-support / vulnerability-prone transitive dependencies (log4j-core and AWS SDK v1), fixes JGroups discovery-table growth and a LESS skin path bug, and adds a Gradle release-cut script.

Security
  • Drop transitive log4j-core, bridge log4j2 to slf4j (#​2999)

    grouperClient pulled org.apache.logging.log4j:log4j-core onto the runtime classpath transitively. uPortal logs through slf4j/logback, so log4j-core was unused and a standing CVE surface (the Log4Shell-family vulnerabilities all live in log4j-core). Excludes log4j-core globally and adds the log4j-to-slf4j bridge so any log4j2 API calls (e.g. from grouperClient) still route to slf4j.

  • Migrate dynamic-skin S3 storage to AWS SDK v2 (#​3000)

    The dynamic-skin S3 storage backend used AWS SDK v1 (com.amazonaws:aws-java-sdk-s3), which AWS has placed out of security support. Migrates to software.amazon.awssdk:s3 2.46.7 (v2 builder API, headObject existence check, try-with-resources client) with no change to stored object layout or returned URLs.

Fixes
  • Clear JDBC_PING table on view change (#​3001)

    The JGroups JDBC_PING discovery table accumulated stale rows: a node terminated abruptly (e.g. kill -9) never deregistered, so its row lingered across restarts. Sets clear_table_on_view_change="true" so the coordinator wipes the table on each view change and live members re-register.

  • Use @import (inline) for bootstrap.css in common.less (#​2997)

    LESS treats @import "x.css" as a passthrough, emitting a literal CSS @import whose relative path resolves incorrectly at runtime (404). The (inline) keyword embeds the file at compile time, where the path resolves. Affects skins still on the LESS compilation path.

Tooling
  • Add release-uportal.sh (#​2986)

    A Gradle release preflight + cut script at the repo root, mirroring the Maven ecosystem release process: tree/upstream sync checks, signing-key + keyserver verification, license-header scan, non-interactive version flags, and the post-release upstream tag push.

Docs
  • Trim AGENTS.md under 200 lines (#2993)

Upgrade notes
  • Drop-in for deployers on uPortal-start ≤ 5.17.8. No required action for the common case.
  • log4j2: if your deployment relied on log4j-core being on the classpath (e.g. a custom log4j2 appender config), note that log4j-core is now excluded; log4j2 API calls are routed to slf4j/logback via the bridge.
  • Dynamic-skin S3 backend (opt-in; off by default): AWS SDK v2 resolves the region strictly via the default provider chain (AWS_REGION / profile / instance metadata) and fails fast if none is set, whereas v1 sometimes defaulted to us-east-1. Deployers who enabled the S3 skin storage backend should set a region explicitly. Deployers on the default filesystem skin storage are unaffected.

v5.17.8: uPortal v5.17.8

Patch release on top of v5.17.7, completing uPortal core's side of the resource-server consolidation. Swaps every internal /ResourceServingWebapp/ reference in skin descriptors, admin JSPs, and chrome assets onto /resource-server/, and trims a set of 2008–2015 utility-lib webjar dependencies that are either CVE-prone or native-replaceable on modern browsers.

Refactor
  • Consolidate skin + JSP onto /resource-server/ (#​2983)

    Moves uPortal core's skin descriptors, admin JSPs, and chrome-asset references off the legacy /ResourceServingWebapp/ context onto /resource-server/. Drops a bundle of 2008–2015 utility libraries (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, four polyfill webjars) that were either CVE-prone, native-replaceable on modern browsers, or both. Also removes dead <rs:compressJs> taglib wrappers (already a no-op upstream now that minification has moved to esbuild).

    Two commits land together: the main consolidation (~30 files: JSP cleanup, SCSS path swaps, tango/famfamfam icon URL swaps, dead webjar deps removed) and a finishing touch in respondr/common/common_skin.xml for the three resource="true" entries (underscore, backbone, jquery-plugins/rating) that the first pass missed. All three libs are served at byte-identical relative paths under the modern overlay.

Docs
  • Prefer keys.openpgp.org over keyserver.ubuntu.com (#​2984)

    Brings the release-guide keyserver instructions in line with the Maven ecosystem release guide. The Central Publisher Portal queries keys.openpgp.org first when validating signatures; a key only on keyserver.ubuntu.com will fail signature validation non-deterministically. Includes the email-confirmation caveat for identity packets and a per-session verification curl.

  • Manual NOTICE/license review step pre-Testing (#​2985)

    Adds a "Review NOTICE and License Headers" section to the release guide between "Review Dependencies" and "Testing". Cross-links to the Maven release guide's automated equivalent (which Gradle uPortal lacks today) and provides a quick grep heuristic for missing Apache license headers on changed files.

Upgrade notes
  • Deployers running uPortal-start ≤ 5.17.7: drop-in replacement. /ResourceServingWebapp/ is no longer requested by uPortal core, but the path itself is still served by the overlay until resource-server 1.5.4 ships and uPortal-start retires ResourceServingWebapp. Browsers will see network requests cleanly addressed to /resource-server/.
  • Deployers tracking the resource-server consolidation: this release is the uPortal-side complement of the Wave 1 portlet releases shipped today (SimpleContentPortlet 3.4.3, FeedbackPortlet 1.3.2, NewsReaderPortlet 5.1.5). With v5.17.8 in place, all core and portlet consumers are aligned for the upcoming resource-server 1.5.4 release where the legacy JS bundles ship.
  • Skin overlays with custom paths: if your deployment skin references the dropped utility-lib webjars (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, fetch/promise/array.from/url-search-params polyfills), declare them explicitly in your overlay's pom.xml/gradle.properties. The defaults no longer pull them in.

v5.17.7: uPortal v5.17.7

Single-fix patch on top of v5.17.5. Supersedes v5.17.6, which was a botched version-bump-only release (no functional changes from v5.17.5); deployers should skip 5.17.6 and consume 5.17.7 instead.

Fixes
  • Deprecate the LESS pipeline in the respondr skin (#​2982)

    uPortal-webapp/src/main/webapp/media/skins/respondr/common/common.less still pulled in five sub-files — variables.less, mixins.less, regions.less, gallery.less, tags.less — that were removed during the Bootstrap 5 / SCSS migration. Any consumer running compileLess against this skin failed with "file not found" on the first dropped import, blocking uPortal-start's quickstart build (the symptom that surfaced this was compileLess0 failing on uPortal-start PR #​694).

    This change comments out the five orphaned @import lines, swaps the Bootstrap LESS import for the compiled bootstrap.css (so the file still produces usable CSS), and tags each entry with a DEPRECATED banner pointing at the SCSS pipeline as the supported path forward. The file itself is kept rather than deleted so any skin overlay still referencing it continues to compile during the deprecation window.

Upgrade notes

No configuration or deployment changes required. Drop-in replacement for v5.17.5. The respondr LESS pipeline remains compiled but is now formally deprecated — new skin work should target the SCSS pipeline.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] force-pushed the renovate/uportalversion branch from adbb3b2 to a0939f3 on June 24, 2026 09:05
renovate[bot] changed the title from "fix(deps): update uportalversion to v5.17.8" to "fix(deps): update uportalversion to v5.17.9" on Jun 24, 2026
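
A post-upgrade check for the log4j2 upgrade note in v5.17.9, added here as an example (it is not part of this PR, Renovate's output, or uPortal's own tooling): it audits a deployed `WEB-INF/lib` directory by jar file name for a leftover `log4j-core`, a missing `log4j-to-slf4j` bridge, or a bridge sitting next to an slf4j-to-log4j2 binding. The function name `audit_log4j_libs`, its exit codes, and the sample jar versions are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a deployed WEB-INF/lib for the logging layout the
# v5.17.9 notes describe. Assumption: jars keep their standard Maven artifact
# names; shaded or renamed copies of log4j-core are not detected by this check.
# Exit codes: 0 ok | 1 log4j-core present | 2 log4j-api without the bridge
#             3 bridge plus an slf4j-to-log4j2 binding | 4 bad directory

_jars() { find "$1" -type f -name "$2" | sort; }

audit_log4j_libs() {
    lib_dir=$1
    [ -d "$lib_dir" ] || { echo "not a directory: $lib_dir" >&2; return 4; }

    core=$(_jars "$lib_dir" 'log4j-core-*.jar')
    api=$(_jars "$lib_dir" 'log4j-api-*.jar')
    bridge=$(_jars "$lib_dir" 'log4j-to-slf4j-*.jar')
    # log4j-slf4j-impl / log4j-slf4j2-impl route slf4j INTO log4j2; next to
    # log4j-to-slf4j the two adapters forward events to each other.
    binding=$(_jars "$lib_dir" 'log4j-slf4j*-impl-*.jar')

    if [ -n "$core" ]; then
        printf 'FAIL log4j-core still on the classpath:\n%s\n' "$core"
        return 1
    fi
    if [ -n "$bridge" ] && [ -n "$binding" ]; then
        printf 'FAIL bridge and slf4j-to-log4j2 binding both present:\n%s\n' "$binding"
        return 3
    fi
    if [ -n "$api" ] && [ -z "$bridge" ]; then
        echo 'WARN log4j-api present without log4j-to-slf4j; log4j2 API calls will not reach slf4j'
        return 2
    fi
    echo 'OK no log4j-core jar found'
    return 0
}

# Constructed sample: empty files named like jars stand in for WEB-INF/lib.
demo=$(mktemp -d)
touch "$demo/log4j-api-2.0.0.jar" "$demo/log4j-core-2.0.0.jar" \
      "$demo/logback-classic-1.0.0.jar"
audit_log4j_libs "$demo" || echo "audit exit code: $?"
rm -rf "$demo"
```

Point it at the exploded webapp's `WEB-INF/lib` after deploying; a non-zero exit makes it usable as a gate in a deployment pipeline.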