Patch release on top of 3.4.3. Migrates the S3 attachment-storage backend from AWS SDK v1 (out of security support) to AWS SDK v2, and hardens the release tooling.
Dependencies
-
Migrate S3 attachment storage to AWS SDK v2 (#563)
AmazonS3PersistenceStrategypreviously usedcom.amazonaws:aws-java-sdk-s31.12.797. AWS has placed SDK v1 out of security support (deployers were receiving end-of-life warning emails). This change moves the singleputObjectattachment upload tosoftware.amazon.awssdk:s32.46.7 — the v2 builder API (PutObjectRequest.builder+RequestBody.fromBytes), with the client wrapped in try-with-resources since the v2S3Clientholds a connection pool and isAutoCloseable. Stored object key, metadata, and returned URL are unchanged. Adds a Mockito test for the request shape and client close.
Tooling
-
Harden release-portlet.sh preflight (#559)
Run
notice:checkandlicense:check(not justnotice:generate/license:format) during preflight so NOTICE drift and missing license headers are caught before the release plugin runs.
Chores
-
Regenerate NOTICE (#565)
Bring the root
NOTICEup to date with the current dependency set ahead of the release cut.
Upgrade notes
- Drop-in for deployers using database attachment storage (the default). No action needed.
- S3-backed deployers: AWS SDK v2 resolves the region strictly via the default provider chain (
AWS_REGION/ system property / profile / instance metadata) and fails fast if no region is set, whereas v1 sometimes defaulted tous-east-1. Set a region explicitly if you relied on that implicit default. Credentials continue to resolve through the default provider chain.