- Split the settings dialog into a resizable two-pane layout (left:
resources/HTML/CSS/JS tabs; right: live preview) using split.js,
with a fullscreen toggle that resets the tab animation duration to
avoid jank during expand.
- Split ContainerFunctionEditorCompleter into HTML- and Angular-mode
variants so the autocomplete suggests `container` only in HTML
mode (Angular mode has no container argument).
- Mark the widget with previewWidth/previewHeight 100% and
overflowVisible: true in its controllerScript typeParameters so
the basic config preview fills its slot.
Spring Boot 3.5.14 ships an ImportsContextCustomizer change that
double-registers legacy @SpyBean fields, causing "Duplicate spy definition"
failures during ApplicationContext load in tests that mix @SpyBean and
@MockitoSpyBean across the test class hierarchy. Pin the test artifacts
to 3.5.13 until 3.5.15+ is released with a fix; runtime stays on 3.5.14
so the CVE fixes remain in effect.
- Restructure HTML Container settings into a mat-tab-group (Resources /
HTML / CSS / JavaScript) instead of a single resources expansion panel
followed by stacked editor blocks. Each editor tab uses [fillHeight]
so the editors fill the panel.
- Wire fill-height plumbing: tb-widget-settings host h-full, basic and
advanced settings @HostBinding('style.height')='100%', advanced panel
switched from inline height:100% to flex-1, mat-content height:100%.
- Register html_container in widget_bundles/html_widgets.json so the
widget appears in the HTML Widgets bundle.
- Replace the placeholder html-card image reference with a dedicated
html-container.png asset and embedded data.
- Add 'JavaScript' translation key for the new tab label.
Under `mvn -T<n>` with the three yarn-using modules (ui-ngx,
msa/web-ui, msa/js-executor), concurrent yarn 1.x processes contend
on the shared `~/.cache/yarn`. The `--mutex network` flag was applied
only to `yarn install`, so `yarn run pkg` could overlap with another
module's install. Intermittent failures observed on CI:
`/bin/sh: 1: tsc: not found` during `yarn run pkg`, caused by
incomplete typescript extraction into per-module node_modules.
Fix at two layers:
1. Maven reactor chain (primary): add reactor-only pom <dependency>
entries (type=pom, scope=provided, wildcard exclusions) to form
ui-ngx -> msa/web-ui -> msa/js-executor
so the MultiThreadedBuilder schedules them strictly serial,
regardless of -T thread count. msa/web-ui already had a real
dependency on ui-ngx; only one new fake link was needed.
2. Yarn-level mutex (defense in depth): add `--mutex network` to
`yarn run pkg` (msa/web-ui, msa/js-executor) and
`yarn run build:prod` (ui-ngx), so single-module builds outside the
reactor chain (`mvn -pl msa/<module>`) still serialize against any
other yarn process on the agent.
Comment in msa/pom.xml updated: the previous "Modules order is
important..." note was misleading - module order in the reactor does
not enforce serialization under -T; the dependency edges do.
Remove the no-longer-used ViewContainerRef injection and the commented-
out fallback branches now that initAngularComponent uses the
angularContainer view container exclusively.
- Group tomcat, commons-lang3 version properties under spring-boot.version
- Drop thymeleaf override (PE-only dependency, not present in CE)
- Drop lz4 plumbing: kafka-clients 3.9.2 and cassandra-all 5.0.7 now transitively ship at.yawk.lz4:lz4-java, making the Dec 2025 CVE hack obsolete
- Fill description and tags for the HTML Container widget type JSON.
- Add basic config component (plain HTML / Angular mode editor).
- Add advanced settings component and shared common settings.
New static widget that replaces the dashboard layout with configurable
HTML, CSS, and JavaScript and exposes the WidgetContext to the user
script. Use for custom complex visualizations or actions when system
widgets are not enough.
Moved NioEventLoopGroup allocations into the try block so that a
constructor failure for the second group no longer leaks the first.
Channel close failures during cleanup now attach via addSuppressed
instead of replacing the original BindException. Narrowed the outer
catch from Throwable to Exception, removing the brittle (Error) cast
that would have masked any direct Throwable subclass.
The base image thingsboard/openjdk17:bookworm-slim ships a customized
/etc/java-17-openjdk/security/java.security. When apt-get install pulls
in a newer openjdk-17-jre-headless to satisfy cassandra's java11-runtime
dependency, dpkg blocks on a non-interactive conffile prompt and the
build fails. The ensuing "cassandra depends on java11-runtime" error is
just the cascade from openjdk-17-jre-headless never finishing configure.
Pass --force-confdef --force-confold so dpkg silently keeps the base
image's customized conffile and the upgrade completes.
Creates missing system images from application/src/main/data/resources/images
during LTS patch startup, mirroring the upgrade-path loadSystemResources logic.
Existing system images in the DB are left untouched.
Root pom.xml wired <skipAssembly>${pkg.skip.zip}</skipAssembly> at the
plugin-level <configuration> of maven-assembly-plugin inside the
always-active `packaging` profile's <pluginManagement>. Maven merges
plugin-level <configuration> into every execution of that plugin, so
-Dpkg.skip.zip=true (and the -Dpkg.skip=true alias that activates it)
suppressed any maven-assembly-plugin execution across the reactor -
not only the intended Windows ZIP execution.
In CE lts-4.2/4.3 this is latent (no CE module declares a non-ZIP
assembly execution), but it breaks downstream forks that do. PE's
rule-node-twilio-sms, for instance, declares a custom make-assembly
execution producing the classified -rule-node.jar consumed by
application's copy-pe-rule-nodes step; under -Dpkg.skip.zip=true that
assembly silently became a no-op and the downstream build failed to
resolve the classified artifact.
tools/pom.xml already sidesteps this via `combine.self="override"` on
its own <pluginManagement> - earlier evidence that the placement was
fragile.
Move <skipAssembly> into the `assembly` execution's own <configuration>
so it scopes only to the Windows ZIP execution.
Verified via mvn help:effective-pom on application/: with the fix,
<skipAssembly>true</skipAssembly> no longer appears at plugin-level
<configuration>, only inside the `assembly` <execution>.
Several testSaveProtoDeviceProfileWithInvalidRpcRequestSchema* tests
intermittently fail with:
org.thingsboard.server.dao.exception.TenantNotFoundException: Tenant
with id <fresh-tenant-uuid> not found
when the tenant created in @Before has not yet been populated in the
tenant profile cache by the time the request hits the partition-lookup
path (DefaultTenantRoutingInfoService -> TbTenantProfileCache ->
TenantService#findTenantById). The underlying request is idempotent
(the schema is invalid so it is rejected with 400 regardless of
retries), so wrap the doPost + status assertion in Awaitility with
Mockito.reset inside the retry block: only the last attempt's
invocations are visible to the subsequent verify* assertions.
Applies to all testSaveDeviceProfileWithInvalidRpcRequestProtoSchema
callers, including the currently-muted
testSaveProtoDeviceProfileWithInvalidRpcRequestSchemaRequestIdDateType.
Igor Kulikov
Viacheslav Klimov
Oleksandra Matviienko
dashevchenko
Sergey Matvienko
Vladyslav Prykhodko
Maksym Tsymbarov
Andrii Landiak