Update vaadin.version to v25.2.0

[xdev-renovate]

This PR contains the following updates:

Package	Type	Update	Change
com.vaadin:vaadin-bom (source)	import	minor	25.1.3 → 25.2.0
com.vaadin:vaadin-maven-plugin (source)	build	minor	25.1.3 → 25.2.0

---

Release Notes

vaadin/platform (com.vaadin:vaadin-bom)

v25.2.0: Vaadin 25.2.0

Compare Source

Upgrading · Docs · Get Started

New and Noteworthy Since Vaadin 25.1

Flow

• Geolocation — Java API over the browser Geolocation API for "find a store near me", courier tracking, and location-stamped forms. Geolocation.getPosition(...) for one-shot reads, Geolocation.watchPosition(...) for continuous tracking exposed as a signal. Watches auto-stop on detach. Sealed result types (GeolocationPosition / GeolocationError, plus GeolocationPending for the watcher) make permission-denied, unavailable, and timeout exhaustive to handle. (Live demo)
• Clipboard — Write text and HTML to the clipboard from a button click or context-menu action. Bind via Clipboard.onClick(component), then .writeText(...), .writeText(field, ...), or .write(ClipboardContent.create().text(...).html(...)). Success/error callbacks available, and the per-gesture browser trust requirement is handled for you.
• Fullscreen — Take the whole page, or a single component, into fullscreen from a user action; exit programmatically from server-side code (no gesture needed); and observe a read-only state signal (UNKNOWN / UNSUPPORTED / NOT_FULLSCREEN / FULLSCREEN). Browser-initiated exit (e.g. the Esc key) is reflected in the signal, a single-component fullscreen is restored to its original DOM position on exit, and overlays keep working. Optional success/failure callbacks surface browser rejections.
• Screen Wake Lock — Keep the device screen awake while a view is shown — for dashboards, kiosks, signage, presentations, and scanning stations. Acquire and release are idempotent; the lock is transparently re-acquired when the tab becomes visible again after the browser drops it on hide. Read-only active and availability signals plus typed error callbacks (unsupported, not-allowed, unknown), with an already-known-unsupported state reported without a wasted round-trip.
• Web Share — Open the operating system's native share sheet from a user action to share any combination of title, text, and/or URL. Each field can be a static literal or bound to live component state (a text field, the page URL), read on the client at share time. A read-only support signal (SUPPORTED / UNSUPPORTED / UNKNOWN) lets apps show a fallback where sharing is unavailable; user cancellation is surfaced distinctly from a real failure.
• Screen Orientation — Read the current orientation (type + angle) as a read-only signal, seeded at bootstrap so a real value is available before user code runs, with portrait/landscape helpers. Lock or unlock the orientation with completion and typed-error callbacks (not-supported, security, abort, unknown). Degrades gracefully on partial/legacy browsers by retaining the last known value.
• Page Visibility — Expose the tab's visibility and focus state — distinguishing visible-and-focused, visible-but-not-focused, and hidden — as a read-only signal, seeded at bootstrap and debounced so it settles on the final state. Lets applications reactively pause and resume polling, animations, and live updates when the user switches away from or back to the tab. Pairs naturally with UI.triggerAfter for deferred server-side work.
• Deferred server-side callbacks — UI.triggerAfter(Duration, SerializableRunnable) runs a task on the server after a browser-side timer elapses without enabling push; the returned Registration cancels the client timer so a cancelled task never runs.
• Route hierarchy and dynamic page titles — Routes can declare a parent, forming a navigation hierarchy. Page titles can be generated dynamically for any route from its target class and route parameters, without instantiating the view — so the titles of routes that are not on screen (a whole breadcrumb trail or menu) can be resolved. A router-state signal updates on every completed navigation, letting breadcrumbs, menus and other reactive UI track the current location.
• Signals improvements — Bulk insert into list signals in one change event (ListSignal.insertAllFirst/insertAllLast/insertAllAt, SharedListSignal equivalents), helpers to read all items at once.
• Html component sanitization — New Html(String, SerializableSupplier<Safelist>) (and InputStream / Signal<String>) constructors sanitize content through a jsoup Safelist, so untrusted HTML can be rendered safely without callers pre-sanitizing.
• Drag and drop: drop position — Drop events now carry coordinates (DropEvent.getOffsetX()/getOffsetY(), drag-start offsets, extended DragStartEvent/DragEndEvent) so an item can be placed where it was actually dropped.
• Request diagnostics — Register a SessionLockListener or RpcInvocationListener on VaadinService to observe session-lock request/acquire/release and each client-to-server RPC invocation — useful for diagnosing lock contention and tracing which invocation holds the lock.
• Triggers and actions (preview) — A framework that arms a client-side trigger (a click, a timeout, an element resize, ...) to run a client-side action (download, open in a new tab, read/write the clipboard, enter fullscreen, invoke a server callback, ...) without a server round trip. It already powers Clipboard, Fullscreen, Screen Wake Lock and UI.triggerAfter. It is intended as low level API to build higher level features on.
• Frontend tooling — Upgraded to Vite 8

---

Hilla

• Explicit endpoint-source configuration — The Maven and Gradle plugins gained a sourceClasses parameter (alongside mainClass) to point endpoint discovery at specific classes, for projects where automatic scanning does not find the endpoints

---

Design System

AI-powered Charts and Grids (Pro)

Preview release. AI-assisted Charts and Grids.

New in existing components

• Multi-Select Combo Box — collapse all chips into a single overflow chip (setCollapseChips(true)).
• Combo Box — auto-scroll to and focus the selected item on open (setFocusSelectedItem(true)), plus new scrollToIndex().
• Menu Bar and Context Menu — items support tooltips; disabled items can show them via a feature flag.
• Upload — separate setAcceptedMimeTypes(...) and setAcceptedFileExtensions(...), with server-side enforcement on UploadManager.
• Breadcrumbs — new component (Lumo + Aura themes), with overflow collapse.
• Dashboard — fixed row height support.
• Popover — setTabFocusEnabled(false) to skip the popover in tab order.

Now stable (was preview)

• Master-Detail Layout (API changes since 25.1)
• Slider (API changes since 25.1)
• Badge
• Message List attachments
• Modular Upload components

---

Copilot

See the Vaadin Copilot documentation.

• Annotate and comment on views — leave comments on any view, attach components for context, and either act on them or hand them to the built-in AI. Comments are saved in a readable project file for async, AI-assisted workflows.
• Customizable components palette — add and reorder named sections, collapse or hide unused ones. Setup is remembered per project.
• Redesigned Aura global theme editor — edit and shuffle the Aura theme directly from Copilot
• More edit-mode polish — redesigned edit-context indicator with sticky header, icon gallery (including menu-item icons), refined alignment and properties panels, compact theme, and new-version notifications.

---

Testing

Load testing with TestBench (Pro)

Turn existing TestBench (or Playwright) E2E tests into k6 load tests. The toolchain runs your test through a recording proxy, captures the traffic, and generates a k6 script that handles Vaadin specifics (JSESSIONID, CSRF/Hilla CSRF, UI/Push IDs, dynamic node IDs).

Highlights:

• Maven plugin (testbench-converter-plugin): k6:record, k6:convert, k6:run, plus start/stop-server mojos.
• HAR-timing-aware think-time injection for realistic user simulation.
• Declarative ramp-up / steady / ramp-down profiles instead of fixed VU counts.
• Custom thresholds (p95/p99/abortOnFail) and response checks.
• Optional warm-up run before measured load.
• HTML report + JSON results, CSV-backed value collections.

📖 Docs · ⏯️
Example project

Browserless testing

Browserless tests gain:

• Multi-user / multi-tab tests against one shared app in a single test.
• JUnit 5 extensions — no base class required.
• Playwright-style typed locator API; find fields by label (withLabel/withAriaLabel), placeholder, test ID, or typed theme variant (withTheme(ThemeVariant)).
• New find / findInView methods replacing the $ / $view DSL.
• Geolocation simulator for positions, permission states, errors, and watch
  sessions — no real device needed.
• Separate browserless-test-spring module for spring support. (Migration guide)

Breaking changes & upgrade notes

Security & framework defaults (Flow)

• URL scheme validation — Anchor.setHref(...), IFrame.setSrc(...) and Page.open(...) now reject unsafe schemes (e.g. javascript:) with IllegalArgumentException. The allow-list is configurable via a com.vaadin.safeUrlSchemes parameter; escape hatches Anchor.setUnsafeHref(...), IFrame.setUnsafeSrc(...) and Page.openUnsafe(...) bypass validation when you really need to.
• X-Frame-Options: SAMEORIGIN sent by default — clickjacking protection is on by default. Applications embedded in frames on other origins must set the frameOptions init parameter to an empty value to disable the header.
• npm install delay (supply-chain hardening) — by default only npm packages published more than one day ago are installed (npm --before / pnpm --min-release-age). Projects that depend on freshly published packages must raise/lower npm.minimumFrontendPackageAgeDays.
• @StyleSheet URLs resolve against the context root — a bare @StyleSheet("styles.css") now resolves to the servlet context root (implicit context://), fixing 404s under non-root servlet mappings. Apps that relied on the old servlet-path resolution will see changed URLs.

Flow

• Gradle: vaadinPrepareFrontend no longer runs automatically in development — it is detached from processResources, so IDE-triggered builds no longer regenerate/delete frontend files. Invoke the task explicitly if you relied on the implicit run.
• HasOrderedComponents deprecated (for removal in 26) — replace/indexOf/getComponentCount/getComponentAt are now available directly on HasComponents.
• Maven plugin properties are now prefixed with vaadin. (deprecation).

Components

• Slider split into typed components — Slider/RangeSlider are removed and replaced by IntegerSlider/IntegerRangeSlider (Integer values) and DecimalSlider/DecimalRangeSlider (Double values); the value type now governs min/max/step. Decimal slider theme-variant constants gained a Decimal prefix.
• MasterDetailLayout API realigned with web component 2.0 — the ExpandingArea API and MasterDetailLayoutVariant are removed; use expandMaster/expandDetail flags and the new setMasterSize/setDetailSize overloads (with an expand flag and explicit overlay size). OverlayContainment.VIEWPORT is renamed PAGE; a detail-placeholder slot was added.
• Menu tooltips — MenuBar.setTooltipText(MenuItem, String) is deprecated (for removal in 26) in favor of per-item setTooltipText and the new tooltip-aware addItem(...) overloads.
• Upload — setAcceptedFileTypes(...) is deprecated in favor of separate setAcceptedMimeTypes(...) / setAcceptedFileExtensions(...).

Testing / Browserless

• Spring support extracted to browserless-test-spring. Spring projects must change the dependency to browserless-test-spring
• $ / $view deprecated in favor of find / findInView.
• Decimal slider testers renamed — SliderTester → DecimalSliderTester, RangeSliderTester → DecimalRangeSliderTester

Quarkus

• Push dispatched on worker threads by default — the extension now ships quarkus.websocket.dispatch-to-worker=true, so inbound Push frames run on the Quarkus worker pool instead of the Vert.x event loop.

Changelogs

• Flow (25.2.0) and Hilla (25.2.0)
• Design System
  • Web Components (25.2.0)
  • Flow Components (25.2.0)
• TestBench (25.2.0)
• Browserless Test(1.1.0)
• Feature Pack(25.0.0)
• Modernization Toolkit (Documentation)
  • Feature Pack (Documentation)
  • Dragonfly (Documentation)
  • Modernization Toolkit Analyzer (Analyzer for Eclipse, Analyzer for Maven)
• Multiplatform Runtime (MPR) (8.0.1)
• Router (2.0.1)
• Vaadin Kits
  • AppSec Kit (4.0.2)
  • Azure Kit (1.0.0)
  • Collaboration Engine (7.0.0)
  • Copilot (25.2.0)
  • Kubernetes Kit (3.1.1)
  • Observability Kit (4.1.1)
  • SSO Kit (4.1.3)
  • Swing Kit (3.0.1)

Official add-ons and plugins:

• Spring add-on (25.2.0)
• CDI add-on (16.1.0)
• Maven plugin (25.2.0)
• Gradle plugin (25.2.0)
• Quarkus plugin (3.2.0)

Upgrading guides

• Upgrading to Vaadin 25

Support

Vaadin 25 is the latest stable version, with extended support options available (release model).

Vaadin also provides commercial support and warranty.

Supported technologies

Desktop browser	Chrome (evergreen). Firefox (evergreen). Firefox Extended Support Release (ESR). Safari 17 or newer (latest minor version in each major series). Edge (Chromium, evergreen).
Mobile browser	Chrome (evergreen) for Android (4.4 or newer). Safari 17 for iOS or newer (latest minor version in each major series).
Development OS	Windows macOS Linux
IDE	Any IDE or editor that works with the language of your choice should work well. Our teams often use IntelliJ, Eclipse, VS Code among others. Vaadin IDE plugins (IntelliJ and VS Code) support the IDE versions released during the last 12 months Vaadin Designer supports the following IDEs: Eclipse from Photon and upwards JetBrains IntelliJ IDEA from 2017 upwards
Java	Version 21 of any JDK or JRE
Maven	Version 3.8 or newer
Gradle	Version 8.14 or newer
Application server	Vaadin Flow requires Java Servlet API 6.1 and Java 21 or newer. It is tested on: Apache Tomcat 11 Open Liberty 23 RedHat JBoss EAP 8.1 To work with RedHat JBoss EAP 8.0, the following content needs to be added under WEB-INF folder as jboss-deployment-structure.xml Workaround for supporting RedHat JBoss EAP 8.0 <jboss-deployment-structure> <deployment> <exclude-subsystems> <subsystem name="jaxrs" /> </exclude-subsystems> </deployment> </jboss-deployment-structure> WildFly 36 + Latest WildFly versions are still using Jackson 2, in order to work with Vaadin 25, the following content needs to be added under WEB-INF folder as jboss-deployment-structure.xml Workaround for supporting WildFly 36 <jboss-deployment-structure> <deployment> <exclude-subsystems> <subsystem name="jaxrs" /> </exclude-subsystems> </deployment> </jboss-deployment-structure> Workaround for supporting WildFly 37+ <jboss-deployment-structure> <deployment> <exclusions> <module name="com.fasterxml.jackson.core.jackson-annotations"/> </exclusions> </deployment> </jboss-deployment-structure> Jetty 12 Payara Server 6 Payara Micro 6
Node.js	Version 24 or newer
Spring Boot	Version 4.1 or newer

Known issues and limitations

Flow	The Template-in-Template feature has some limitations
Flow	You might need to run mvn vaadin:clean-frontent when upgrade your project from 25.1 to 25.2. One fix has been made to flow

v25.1.8: Vaadin 25.1.8

Compare Source

This is a maintenance release for Vaadin 25.1. See 25.1.0 release notes for details and resources.

Changes since 25.1.7

• Flow: 25.1.10 → 25.1.11
• Hilla: 25.1.6 → 25.1.7
• Flow Components: 25.1.7 → 25.1.8
• Copilot: 25.1.6 → 25.1.7 → 25.1.8
• SSO Kit: 4.1.2 → 4.1.3
• CDI add-on: 16.0.1 → 16.0.2

Unchanged Modules

• Web Components: 25.1.4
• TestBench: 10.1.2
• Browserless Test: 1.0.0
• Multiplatform Runtime (MPR): 8.0.1
• Router: 2.0.1
• Collaboration Engine: 7.0.0
• Kubernetes Kit: 3.1.1
• Observability Kit: 4.1.1
• Quarkus plugin: 3.1.3
• AppSec Kit: 4.0.2 (docs)
• Azure Kit: 1.0.0 (docs)
• Swing Kit: 3.0.1 (docs)

v25.1.7: Vaadin 25.1.7

Compare Source

This is a maintenance release for Vaadin 25.1. See 25.1.0 release notes for details and resources.

Changes since 25.1.6

• Flow: 25.1.7 → 25.1.8, 25.1.9 → 25.1.10
• Hilla: 25.1.5 → 25.1.6
• Web Components: 25.1.3 → 25.1.4
• Flow Components: 25.1.6 → 25.1.7
• Copilot: 25.1.5 → 25.1.6
• Quarkus plugin: 3.1.2 → 3.1.3

Unchanged Modules

• TestBench: 10.1.2
• Browserless Test: 1.0.0
• Multiplatform Runtime (MPR): 8.0.1
• Router: 2.0.1
• Collaboration Engine: 7.0.0
• Kubernetes Kit: 3.1.1
• Observability Kit: 4.1.1
• SSO Kit: 4.1.2
• CDI add-on: 16.0.1
• AppSec Kit: 4.0.2 (docs)
• Azure Kit: 1.0.0 (docs)
• Swing Kit: 3.0.1 (docs)

Note:

We are aware of the following CVEs (CVE-2026-43515, CVE-2026-43513, CVE-2026-43514, CVE-2026-42498, CVE-2026-41284, CVE-2026-43512, CVE-2026-41293) from Tomcat, which is a transitive dependency from SpringBoot 4.0.6. Tomcat is a runtime deployment choice made by application developers, which Vaadin does not use or depend on. You can be upgraded on the application side to Tomcat 9.0.118+, 10.1.55+ or 11.0.22+. The corresponding updates will come in their next releases (SpringBoot 4.0.7).

v25.1.6: Vaadin 25.1.6

Compare Source

This is a maintenance release for Vaadin 25.1. See 25.1.0 release notes for details and resources.

Changelogs

• Flow (25.1.7) and Hilla (25.1.5)
• Design System
  • Web Components (25.1.3)
  • Flow Components (25.1.6)
• TestBench (10.1.2)
• Browserless Test(1.0.0)
• Feature Pack(25.0.0)
• Modernization Toolkit (Documentation)
  • Feature Pack (Documentation)
  • Dragonfly (Documentation)
  • Modernization Toolkit Analyzer (Analyzer for Eclipse, Analyzer for Maven)
• Multiplatform Runtime (MPR) (8.0.1)
• Router (2.0.1)
• Vaadin Kits
  • AppSec Kit (4.0.2)
  • Azure Kit (1.0.0)
  • Collaboration Engine (7.0.0)
  • Copilot (25.1.5)
  • Kubernetes Kit (3.1.1)
  • Observability Kit (4.1.1)
  • SSO Kit (4.1.2)
  • Swing Kit (3.0.1)

Official add-ons and plugins:

• Spring add-on (25.1.7)
• CDI add-on (16.0.1)
• Maven plugin (25.1.6)
• Gradle plugin (25.1.6)
• Quarkus plugin (3.1.2)

Note:

We are aware of the following CVEs (CVE-2026-43515, CVE-2026-43513, CVE-2026-43514, CVE-2026-42498, CVE-2026-41284, CVE-2026-43512, CVE-2026-41293) from Tomcat, which is a transitive dependency from SpringBoot 4.0.6. Tomcat is a runtime deployment choice made by application developers, which Vaadin does not use or depend on. You can be upgraded on the application side to Tomcat 9.0.118+, 10.1.55+ or 11.0.22+. The corresponding updates will come in their next releases (SpringBoot 4.0.7).

v25.1.5: Vaadin 25.1.5

Compare Source

This is a maintenance release for Vaadin 25.1. See 25.1.0 release notes for details and resources.

Notable Changes

Do not use org.zeroturnaround:zt-exec in vaadin-maven-plugin to run Vite, as it might expose the environment by printing it when Vite exits with a failure.

Changelogs

• Flow (25.1.5) and Hilla (25.1.4)
• Design System
  • Web Components (25.1.2)
  • Flow Components (25.1.5)
• TestBench (10.1.1)
• Browserless Test(1.0.0)
• Feature Pack(25.0.0)
• Modernization Toolkit (Documentation)
  • Feature Pack (Documentation)
  • Dragonfly (Documentation)
  • Modernization Toolkit Analyzer (Analyzer for Eclipse, Analyzer for Maven)
• Multiplatform Runtime (MPR) (8.0.1)
• Router (2.0.1)
• Vaadin Kits
  • AppSec Kit (4.0.2)
  • Azure Kit (1.0.0)
  • Collaboration Engine (7.0.0)
  • Copilot (25.1.4)
  • Kubernetes Kit (3.1.0)
  • Observability Kit (4.1.0)
  • SSO Kit (4.1.1)
  • Swing Kit (3.0.1)

Official add-ons and plugins:

• Spring add-on (25.1.5)
• CDI add-on (16.0.1)
• Maven plugin (25.1.5)
• Gradle plugin (25.1.5)
• Quarkus plugin (3.1.1)

v25.1.4: Vaadin 25.1.4

Compare Source

This is a maintenance release for Vaadin 25.1. See 25.1.0 release notes for details and resources.

Changelogs

• Flow (25.1.4) and Hilla (25.1.3)
• Design System
  • Web Components (25.1.2)
  • Flow Components (25.1.4)
• TestBench (10.1.1)
• Browserless Test(1.0.0)
• Feature Pack(25.0.0)
• Modernization Toolkit (Documentation)
  • Feature Pack (Documentation)
  • Dragonfly (Documentation)
  • Modernization Toolkit Analyzer (Analyzer for Eclipse, Analyzer for Maven)
• Multiplatform Runtime (MPR) (8.0.1)
• Router (2.0.1)
• Vaadin Kits
  • AppSec Kit (4.0.2)
  • Azure Kit (1.0.0)
  • Collaboration Engine (7.0.0)
  • Copilot (25.1.3)
  • Kubernetes Kit (3.1.0)
  • Observability Kit (4.1.0)
  • SSO Kit (4.1.1)
  • Swing Kit (3.0.1)

Official add-ons and plugins:

• Spring add-on (25.1.4)
• CDI add-on (16.0.1)
• Maven plugin (25.1.4)
• Gradle plugin (25.1.4)
• Quarkus plugin (3.1.1)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.