This is the consolidated list of changes between Tapestry versions 5.3.5 and 5.3.6. Tapestry 5.3.6 is a drop-in replacement for prior Tapestry 5.3 releases. To upgrade, just update the Maven dependency in your POM file (or download the new JAR file) and the new version will just work. However, please review the How to Upgrade instructions before upgrading.

This is a very modest bug fix release. Importantly, the bundled version of Prototype has been downgraded back to version 1.7, as the new version was causing a number of issues, especially under Internet Explorer.

The main improvement is security related; Tapestry will now integrate a hash-based message authentication code (HMAC) into serialized Java object data stored on the client (generally, this means the t:formdata hidden field used by the Form component).

When you first run your application under 5.3.6, you will see an alert and a console error concerning the HMAC configuration. You should update your application's configuration to set a unique, private value for the tapestry.hmac-passphrase configuration symbol.

And, as with any Tapestry upgrade, be sure to change your application's version number.

Bugs Fixed

[TAP5-986] - A request can fail with an NPE in some cases, when a Tapestry page is acting as the servlet container error page

[TAP5-1735] - Most packages lack package-level javadocs

[TAP5-1903] - Client-side exception when a Zone containing a Form with an Upload component is re-rendered

[TAP5-2008] - Serialized object data stored on the client should be HMAC signed and validated

[TAP5-2009] - Downgrade bundled Prototype version back to 1.7

[TAP5-2010] - Broken links in Javadoc pages

Improvements Made