Skip to content

chore(release): change log for version 20.0.0#3986

Open
GMishx wants to merge 1 commit intomainfrom
chore/release/20.0
Open

chore(release): change log for version 20.0.0#3986
GMishx wants to merge 1 commit intomainfrom
chore/release/20.0

Conversation

@GMishx
Copy link
Member

@GMishx GMishx commented Mar 25, 2026

Changelog in preparation for Release 20.0.0 of backend.

This PR is in preparation for the release 20.0.0
This PR also serves as an intimation of merge freeze and a request for testing for finding new bugs.

If until 27/03/2026, there are no comments on this PR, will proceed with the release.

Thank you everyone involved for their hard work and make this release possible!

@GMishx
chore(release): change log for version 20.0.0
e3256f8 
Signed-off-by: Gaurav Mishra <mishra.gaurav@siemens.com>
KoukiHama
KoukiHama approved these changes Mar 25, 2026
View reviewed changes
Copy link
Member

@KoukiHama KoukiHama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Aman-Cool
Copy link
Contributor

Aman-Cool commented Mar 25, 2026

Hey @GMishx @KoukiHama, did a quick pass through the codebase looking for regressions before this ships.

The one blocker I found; mergeReleases silently leaving ghost releases when packages were linked, is already fixed in 29af0f8, so nothing blocking here.

Two things worth noting though: anyone who ran release merges on rc-2 with packages attached probably has dirty data in CouchDB and should reconcile before upgrading. And the INHERIT_ATTACHMENT_USAGES feature has a duplicate accumulation bug + incorrectly promotes non-license-info usages; it's off by default so low blast radius, but maybe worth a known-issues note in the announcement.

Good work everyone, nice to see the security patches land 🙌

@GMishx
Copy link
Member Author

GMishx commented Mar 26, 2026

Nice observation Aman. However, no one has updated their SW360 since the last 18 release, so can be safe in assuming no harm.

@Shivamrut
Copy link
Contributor

Shivamrut commented Mar 26, 2026

Hey @GMishx! I don’t have full clarity on the intended design here, so please treat the below as a guess. If I’m off base, I’d appreciate a correction. I’m mainly trying to get this straight.

One thing stood out:

GET /api/reports/download is permitAll in ResourceServerConfiguration, while the token query param is passed straight through to ExcelExporter.downloadExcelSheet() as a filesystem path. So the endpoint doesn’t behave like an opaque download id. It’s effectively “read this path if it exists,” with no JWT/READ check. The user query param is resolved via getUserByEmail, which fabricates a stub User when lookup fails, so it isn’t a reliable gate either.

Why it might matters: anyone who can hit that URL (for example an internet-facing deployment, mis-routed traffic, a compromised client on the VPN, or another issue that exposes the link) might be able to pull files the JVM can read, such as configs or secrets.

Please check if this is of any real concern. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KoukiHama KoukiHama KoukiHama approved these changes

@arunazhakesan arunazhakesan Awaiting requested review from arunazhakesan arunazhakesan is a code owner

@ag4ums ag4ums Awaiting requested review from ag4ums ag4ums is a code owner

Assignees

No one assigned

Labels

needs code review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@GMishx @Aman-Cool @Shivamrut @KoukiHama