The Play Team is happy to announce the release of Play 2.8.15.

📗 What is new?

The following are the relevant changes of this bugfix release.

🐞 Fixed Spring4Shell (CVE-2022-22965)

This RCE vulnerability might affect Play Java users that deploy their applications as a war file (e.g. in Tomcat).
More details can be found here: A note on Spring4Shell for Play Java users

🐞 About CVE-2020-36518 in Jackson and Play 2.8.x

Please see https://github.com/playframework/playframework/discussions/11222

☕ Experimental support for Java 17

You should now be able to run your Play applications with Java 17, but to do so, you have to make some adjustments.

⚠️ Even though people report running their Play 2.8.15+ apps on Java 17 without issues, support for Java 17 is experimental. ⚠️
⚠️ Make sure to test your application thoroughly before putting it into production. ⚠️

• If you are using Guice you have to make use of the latest version:

  // In your build.sbt add:
  libraryDependencies ++= Seq(
    "com.google.inject"            % "guice"                % "5.1.0",
    "com.google.inject.extensions" % "guice-assistedinject" % "5.1.0"
  )

• If you are using the Java routing DSL you have to upgrade typetools (see #10055 and #10814):

  // In your build.sbt add:
  libraryDependencies += "net.jodah" % "typetools" % "0.6.3"

• Avoid using jnotify for the FileWatchService (like in this removed test)
• To be able to run tests using OneServerPerTestWithComponents or GuiceOneServerPerTest (see #11209):

  // In your build.sbt add:
  Test / javaOptions ++= Seq(
    "--add-exports=java.base/sun.security.x509=ALL-UNNAMED",
    "--add-opens=java.base/sun.security.ssl=ALL-UNNAMED"
  )
  // Test / fork := true // This is the default anyway, just a reminder in case you changed it to false before

If you run into any other issues please let us know by opening a bug report, thanks!

📖 Following pull requests got merged for this release

• #11214 [2.8.x] Upgrade Spring to fix Spring4Shell vulnerability by @mkurz
• #11215 [2.8.x] Adjust welcome message for experimental Java 17 support by @mkurz
• #11210 Remove -XX:MaxPermSize, breaks on Java 17 by @mkurz
• #11207 [2.8.x] Update dependencies before next 2.8.x release by @mkurz
• #11206 [2.8.x] Partial support for Java17 by @mkurz
• #11205 [2.8.x] Fix docs: Passing request to WebSocket action not supported (backport #11172) by @mkurz
• #11202 [2.8.x] Reverts #11109 (downgrade ssl-config back to 0.4.x) by @mkurz
• #11200 typing error by @Sanabria13
• #11195 Doc fix: Body needs to be redirected with POST by @mkurz
• #11175 Update jquery dependency to 3.6.0 version by @morellik
• #11178 [2.8.x] Make the "please donate" message more friendly (backport #11177) by @jxtps
• #11129 Remove old or abandoned 3rd party play modules from module directory by @Max-AR
• #11149 [2.8.x] Update release drafter workflow by @mkurz
• #11146 [2.8.x] Rename master branch to main by @mkurz
• #11140 [2.8.x] Cleanup .github folder by @mkurz
• #11130 [2.8.x] Remove iteratees docs by @Max-AR
• #11117 [2.8.x] Renamed Boxfuse to CloudCaptain by @axelfontaine
• #11119 [2.8.x] change uri parse path error from warn to debug (backport #10151) by @fusuiyi123
• #11116 [2.8.x] Make sure to append -SNAPSHOT for sonatype by @mkurz
• #11109 [2.8.x] Use ssl-config to 0.6.0 by @mkurz

For more details see the full list of changes and the 2.8.15 milestone.

❤️ Thanks to our premium sponsors!

If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.

🙇 Thanks to our contributors

Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!