Vaadin 7 extended maintenance

Fact Sheet

Vaadin 7.7.17 was the last public open-source version of the Vaadin 7 framework. Vaadin guarantees 5 years of maintenance from the release date of long-term release (LTS) versions. Official support for Vaadin 7 ended in February 2019.

Vaadin Prime subscription customers get access to Vaadin 7 version that extends the support for up until 2029. Vaadin will fix issues in the framework and widgets, ensuring that your applications and end-customers don’t feel any negative impact.


  • Vaadin 7 Core framework.
  • All Vaadin 7-specific Pro add-ons (for example, Touchkit for Vaadin 7).
  • All official Core Add-ons (for example CDI, Spring, ContextMenu, etc.).
  • New feature development for Vaadin 7 (Enterprise subscribers only). Enterprise customers can use Expert on Demand (EoD) support hours for this.

Common use-cases

  • Your internal web framework that powers your critical business web applications is built on Vaadin 7. 
  • You have a customer-facing web application built on Vaadin 7 and still have binding support agreements with your customers. 
  • The cost of migrating to a more recent Vaadin version is more than the cost of extended maintenance.

Types of maintenance tasks

The Vaadin support team will perform two types of maintenance tasks:

  • Proactive tasks
    • Automated integration testing on Vaadin 7-supported browsers.
    • 3rd party library monitoring for security alerts etc.
    • Security impact monitoring of any new features added to Vaadin 7 (through EoD etc.). The security impact is reviewed through the normal review processes.
  • Reactive maintenance tasks
    • Responding to bug fix and warranty priorities for Vaadin 7.
    • Responding to Expert Chat requests for Vaadin 7-related issues.


  • If Vaadin receives a report for a security flaw, Vaadin will fix the issue, and then communicate the incident to all affected customers (through a private mailing list).
  • Expert Chat can be used for Vaadin 7-related communication.

Bug Fixes and feature releases in the Framework since version 7.7.17

Under the extended maintenance service, Vaadin has already released the following versions to our customers:

Vaadin 7.7.28

  • fix: Update Vaadin7 to use atmosphere-runtime 2.2.13.vaadin2. Fixes issues with thread leakage and UUIDBroadcasterCache concurrency
  • Add MPR UI id request parameter, which is needed in new version of MPR
  • fix: set Vaadin session attribute using lock in reinitializeSession
  • Update to Jsoup 1.14.2

Vaadin 7.7.27

  • fix: Prevent possible deadlock in findOrCreateVaadinSession.

Vaadin 7.7.26

  • Remove buildhelpers module and its dependencies, dead code removal. Module existence can cause issues with Ivy + Ant projects.

Vaadin 7.7.25

  • Clear thread local instances on connection lost in push handler. Fixes minor memory leak.
  • Clear out ClientCache when UI is detached to prevent a minor memory leak
  • Updated license checker version to give more intuitive error message.
  • Fixed Table/TreeTable styles so that cell border does not grow row height, which breaks things (fixes e.g. issue #12251)
  • Updated Jetty version to 9.4.38.v20210224 to avoid false positive vulnerability alert in dependency check of BOM.

Vaadin 7.7.24

  • Fix: use time-constant comparison for CSRF tokens (CVE-2021-31403)
  • Fix: use time-constant comparison for security tokens (CVE-2021-31403)

Vaadin 7.7.23

  • Made checkAtmosphereSupport() non-static. This was needed to enable bug fix in Multiplatform Runtime Product.
  • Changed license from Apache 2.0 to CVDLv4.

Vaadin 7.7.22

  • Fixed issue when ComboBox does not select or add a new value when typing fast and tabbing out (issue #6671).
  • Fixed regression in Grid. Adding columns when there are hidden columns could throw IndexOutOfBounds exception.
  • Fixed EmailValidator regexp pattern not to halt on malicious input (issue #7757). (CVE-2020-36320)

Vaadin 7.7.21

  • Use APPLICATION scope for the session lock with Portlets. This fixes deadlock issue when multiple portlets on the same page.
  • Fixing issue with Push stopping working in some circumstances.
  • Fix issue where Chrome refused to select text in Table.
  • Fix issue with Grid resizing (issue #11893).
  • Fix Push reconnect issue with Websockets (e.g. issue #7190).
  • Fix issue with incorrect column selector position with Multiplatform runtime.

Vaadin 7.7.20

  • Fixed XSS vulnerability with Grid header captions.
  • Added feature to disable touch detection in Table / TreeTable (implemented via DoD hours).

Vaadin 7.7.19

  • Fixed ComboBox autocompletion issue with Chrome.
  • Fixed Firefox 67+ issue with global variable called "u2f". 
  • Fixed XSS vulnerability with Panel caption.

Vaadin 7.7.18

  • Fixed Grid issue: enabling/disabling multisect multiple times broke sorting.
  • Fixed broken keyboard navigation with Firefox 65+ in MenuBar, Slider, DateField, Tree, and Table.

Bug Fixes and feature releases in the Pro products

TouchKit 4.2.4

  • Fix to work with Jsoup 1.14.2.

TouchKit 4.2.3

  • Fixes NPE and another potential exception that can happen in production mode.

TouchKit 4.2.2

  • Use service worker, local storage aka PWA when using newer Firefox / Android versions.

TouchKit 4.2.1

  • Added support for service worker, local storage aka PWA when using newer Chrome / Android versions. Newest Chrome / Android removed support for AppCache, which rendered TouchKit unfunctional.
  • Fix path issue when deployed to Windows servers.

How to access the releases

Maven access

Starting with 7.7.23, the extended maintenance releases are deployed to Maven Central. You will need a license to use the extended support releases - the license file and the instructions on how to use it can be found here:

List of supported technologies

Vaadin 7 is compatible with Java 6 and newer up to Java 8. Java 9 and above are explicitly not supported. Vaadin 7 is especially supported on the following operating systems:

  • Windows
  • Linux
  • Mac OS X

Vaadin Framework 7 requires Java Servlet API 3.0 but also supports later versions and should work with any Java application server that conforms to the standard. The following application servers are supported:

  • Apache Tomcat 5-8.5
  • Apache TomEE 1.7 and 7.0
  • Oracle WebLogic Server 10.3-12.2
  • IBM WebSphere Application Server 7-9
  • JBoss Application Server 4-7
  • Wildfly 8-13
  • Jetty 5-9
  • Glassfish 2-4

Vaadin 7 supports the JSR-286 Portlet specification and all portals that implement the specification should work. The following portals are supported:

  • Liferay Portal 5.2-6.2
  • GateIn Portal 3
  • eXo Platform 3
  • IBM WebSphere Portal 8

Vaadin Framework 7 supports the following desktop browsers:

  • Mozilla Firefox: latest
  • Mozilla Firefox ESR: latest 3 ESR releases
  • Internet Explorer 11: latest
  • EdgeHTML: latest
  • Chromium Edge: latest
  • Safari on Mac: latest
  • Google Chrome: latest

Additionally, Vaadin supports the built-in browsers in the following mobile operating systems:

  • iOS: latest 3 iOS releases
  • Android: latest 3 Android releases with Chrome
  • Vaadin SQL Container supports the following databases:
  • MySQL
  • Oracle
  • PostgreSQL

Contact us

Extended maintenance is part of the Prime subscription. Let us together build the support package you need. Contact our team to get started!