Vaadin 7.7.17 was the last public open-source version of the Vaadin 7 framework. We guaranteed 5 years of maintenance from the release date. Official support for Vaadin 7 ended in February 2019.
Vaadin Prime customers can continue to get support up until 2029 by purchasing Extended Maintenance. Vaadin will fix issues in the framework and widgets, ensuring that your applications and end-customers don’t feel any negative impact.
- Vaadin 7 Core framework.
- All Vaadin 7-specific Pro add-ons (for example, Touchkit for Vaadin 7).
- All official Core Add-ons (for example CDI, Spring, ContextMenu, etc.).
- New feature development for Vaadin 7 (Enterprise subscribers only). Enterprise customers can use Expert on Demand (EoD) support hours for this.
- Your internal web framework that powers your critical business web applications is built on Vaadin 7.
- You have a customer-facing web application built on Vaadin 7 and still have binding support agreements with your customers.
- The cost of migrating to a more recent Vaadin version is more than the cost of extended maintenance.
Types of maintenance tasks
The Vaadin support team will perform two types of maintenance tasks:
- Proactive tasks
- Automated integration testing on Vaadin 7-supported browsers.
- 3rd party library monitoring for security alerts etc.
- Security impact monitoring of any new features added to Vaadin 7 (through EoD etc.). The security impact is reviewed through the normal review processes.
- Reactive maintenance tasks
- Responding to bug fix and warranty priorities for Vaadin 7.
- Responding to Expert Chat requests for Vaadin 7-related issues.
- If Vaadin receives a report for a security flaw, Vaadin will fix the issue, and then communicate the incident to all affected customers (through a private mailing list).
- Expert Chat can be used for Vaadin 7-related communication.
Bug Fixes and feature releases in the Framework since version 7.7.17
Under the extended maintenance service, Vaadin has already released the following versions to our customers:
- A fix to preserve push messages in cache until they are seen by client
- A fix to prevent concurrent disconnect and push operations
- A change to close push connection immediately after refresh.
- License updated to VCL-1
- Updated server-MPR artifact POM not to leak vaadin-server as transitive dependency
- Added support for Vaadin Multiplatform Runtime version 24+ by adding packages
vaadin-server-mpr-jakarta. This is only needed for MPR 24+, and is NOT guaranteed to work as generic Jakarta support (even though it does so at the moment) as we may add MPR specific functionality or even hard MPR dependencies in the future.
- Extracted portlet-related parts to a new module
- Update license checker to version 1.11.2
- A check for bundle resources in order not to fail with OSGi
- Update license checker to version 1.9.0
- Update Jsoup to version 1.15.3
- Update license checker to version 1.5.2
- Update license metainfo CVDL4
- Update Jetty version for security
- Update Atmosphere version to 2.2.13.vaadin4. See: https://github.com/Atmosphere/atmosphere/pull/2335
- Don't serve directories as static files
- Update license checker version to 1.2.2
- Add JNA dependencies for license checker
- Ensure resize and dragging curtains are removed when a Window is closed (see issue #10514).
- fix: Update Vaadin7 to use atmosphere-runtime 2.2.13.vaadin3. Fixes possible lock not being released due unhandled exception.
- Update to Jsoup 1.14.3
- fix: Update Vaadin7 to use atmosphere-runtime 2.2.13.vaadin2. Fixes issues with thread leakage and UUIDBroadcasterCache concurrency
- Add MPR UI id request parameter, which is needed in new version of MPR
- fix: set Vaadin session attribute using lock in reinitializeSession
- Update to Jsoup 1.14.2
- fix: Prevent possible deadlock in findOrCreateVaadinSession.
- Remove buildhelpers module and its dependencies, dead code removal. Module existence can cause issues with Ivy + Ant projects.
- Clear thread local instances on connection lost in push handler. Fixes minor memory leak.
- Clear out ClientCache when UI is detached to prevent a minor memory leak
- Updated license checker version to give more intuitive error message.
- Fixed Table/TreeTable styles so that cell border does not grow row height, which breaks things (fixes e.g. issue #12251)
- Updated Jetty version to 9.4.38.v20210224 to avoid false positive vulnerability alert in dependency check of BOM.
- Fix: use time-constant comparison for CSRF tokens (CVE-2021-31403)
- Fix: use time-constant comparison for security tokens (CVE-2021-31403)
- Made checkAtmosphereSupport() non-static. This was needed to enable bug fix in Multiplatform Runtime Product.
- Changed license from Apache 2.0 to CVDLv4.
- Fixed issue when ComboBox does not select or add a new value when typing fast and tabbing out (issue #6671).
- Fixed regression in Grid. Adding columns when there are hidden columns could throw IndexOutOfBounds exception.
- Fixed EmailValidator regexp pattern not to halt on malicious input (issue #7757). (CVE-2020-36320)
- Use APPLICATION scope for the session lock with Portlets. This fixes deadlock issue when multiple portlets on the same page.
- Fixing issue with Push stopping working in some circumstances.
- Fix issue where Chrome refused to select text in Table.
- Fix issue with Grid resizing (issue #11893).
- Fix Push reconnect issue with Websockets (e.g. issue #7190).
- Fix issue with incorrect column selector position with Multiplatform runtime.
- Fixed XSS vulnerability with Grid header captions.
- Added feature to disable touch detection in Table / TreeTable (implemented via DoD hours).
- Fixed ComboBox autocompletion issue with Chrome.
- Fixed Firefox 67+ issue with global variable called "u2f".
- Fixed XSS vulnerability with Panel caption.
- Fixed Grid issue: enabling/disabling multisect multiple times broke sorting.
- Fixed broken keyboard navigation with Firefox 65+ in MenuBar, Slider, DateField, Tree, and Table.
Bug Fixes and feature releases in the Pro products
- Fix issue with duplicate icon in date picker
- Fix compatibility with Safari on iOS 16
- Application cache manifest is deprecated
- Fix to work with Jsoup 1.14.2.
- Fixes NPE and another potential exception that can happen in production mode.
- Use service worker, local storage aka PWA when using newer Firefox / Android versions.
- Added support for service worker, local storage aka PWA when using newer Chrome / Android versions. Newest Chrome / Android removed support for AppCache, which rendered TouchKit unfunctional.
- Fix path issue when deployed to Windows servers.
How to access the releases
Starting with 7.7.23, the extended maintenance releases are deployed to Maven Central. You will need a license to use the extended support releases - the license file and the instructions on how to use it can be found here: https://vaadin.com/pro/validate-license
List of supported technologies
Vaadin 7 is compatible with Java 6 and newer up to Java 8. Java 9 and above are explicitly not supported. Vaadin 7 is especially supported on the following operating systems:
- Mac OS X
Vaadin Framework 7 requires Java Servlet API 3.0 but also supports later versions up to Servlet 4.0 and should work with any Java application server that conforms to the standard. The following application servers are supported:
- Apache Tomcat 5-8.5
- Apache TomEE 1.7 and 7.0
- Oracle WebLogic Server 10.3-12.2
- IBM WebSphere Application Server 7-9
- JBoss Application Server 4-7
- Wildfly 8-13
- Jetty 5-9
- Glassfish 2-4
Vaadin 7 supports the JSR-286 Portlet specification and all portals that implement the specification should work. The following portals are supported:
- Liferay Portal 5.2-6.2
- GateIn Portal 3
- eXo Platform 3
- IBM WebSphere Portal 8
Vaadin Framework 7 supports the following desktop browsers:
- Mozilla Firefox: latest
- Mozilla Firefox ESR: latest 3 ESR releases
- Internet Explorer 11: latest
- EdgeHTML: latest
- Chromium Edge: latest
- Safari on Mac: latest
- Google Chrome: latest
Additionally, Vaadin supports the built-in browsers in the following mobile operating systems:
- iOS: latest 3 iOS releases
- Android: latest 3 Android releases with Chrome
- Vaadin SQL Container supports the following databases: