We are preparing for a release of Eclipse Lyo 5.1.0. We just published the ‘5.1.0-alpha’ version of all artifacts to Central. Changes included are listed under
https://github.com/eclipse/lyo/blob/575b1d2575322ccc02c73678bf96fdf89f654c9a/CHANGELOG.md#unreleased .
The release was accelerated by a CVE-triggered release of Jena. The biggest change is the decoupling of the last Wink-dependent code into ‘oslc4j-core-wink’ and of the Servlet-independent code where possible to ‘lyo-core-model’ to enable building Lyo apps
in Servlet-free environments. We are also planning to switch to building JVM 11 compatible bytecode using JDK 17 in this release, given the ample evidence from other OSS projects that the bytecode is indeed fully compatible if configured correctly. With this,
some old issues with the Javadoc generation have been resolved, notably the search & navigation to the results now works well:
https://download.eclipse.org/lyo/docs/all/5.1.0-alpha/apidocs/index.html .
In a first for Lyo, we have also published a ‘5.0.1.CR’ version (available on Central). Notably, this was done
after publishing ‘5.1.0-alpha’ (apologies for the separator confusion, we will try to stick to the dots from now on for non-SNAPSHOT qualifiers) and not off the ‘master’ branch, but off ‘maint-5.0’. With this, we’ve put to the test the CI improvements we
made some time ago to enable releasing backported fixes to older versions of Lyo via ‘maint-*’ branches. The only change in this version (compared to ‘5.0.0.Final’) is the Jena version change:
https://github.com/eclipse/lyo/blob/maint-5.0/CHANGELOG.md .
I would like to clarify that we are still limited by our dependencies in terms of maintaining older versions of Lyo. Most importantly, Jena refuses to maintain older versions due to a shortage of dev resources. In theory, we could follow
https://reload4j.qos.ch/ and
create a fork of Jena that would only backport security-related commits to older Jena versions. I am thinking of CVE-2021-39239 primarily (impacts the security of parsing RDF/XML inputs), see
https://jena.apache.org/about_jena/security-advisories.html for
a full list.