Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Java 17 was a breaking change for Java users as it now blocks illegal reflective access. Both Adobe and Lucee have been slow to address this. Lucee 5.3.10 mostly seems to run on Java 17, but only the public beta of ColdFusion 2023 (Fortuna) supports Java 17. You may want to start testing Java 17 out, so the CommandBox CLI and its servers seem to have basic support for running on Java 17 now. Note, you may need to add additional JVM args to any servers based on the specific Java libraries you use.
We've bumped library versions such as Redhat Undertow to stay current with recent CVE fixes.
If you have a project and want all packages of a certain type to use a different-than-normal default install location, you can override each package type just for that project. Create an installPathConventions key in the containing package's box.json which is an object containing keys for each package type you wish to override package install paths for.
Read more: https://commandbox.ortusbooks.com/package-management/installing-packages/installation-path
You can get recursive file listings now in a tree view by using the --tree flag
In task runners and custom commands, you can now tap into the same tree printer that the "package list" and "ls --tree" use to output your own ASCII trees.
which outputs
Read More: https://commandbox.ortusbooks.com/task-runners/printing-tree
There is also a print helper method for task runners and custom commands as well as a CLI command you can use that accepts an array or list of simple values and prints them in a column format based on the widest value and the available terminal width.
Read More: https://commandbox.ortusbooks.com/task-runners/task-output/printing-columns
This command will accepted piped text and strip any ANSI formatting from it. Especially useful if piping the text to a native OS binary which doesn't handle formatting well.
We've introduced a new command for piping text onto your native operating system's clipboard.
Here's the full list of all the changes in CommandBox 5.9.0.
The notable updates include:
Updated version of JBoss Undertow, which contains security fixes
Updated version of Lucee to 5.3.10 which also contains library security updates
New "artifacts prune" command to remove older artifacts that haven't been used recently
Improved "upgrade" command which can also update new jars (you'll be able to use this in the NEXT update!)
Support for PFX cert file for server SSL
And here are the full release notes:
COMMANDBOX-1475 Server shutdowns aren't always done cleanly
COMMANDBOX-1474 Don't prompt on already-running server when terminal isn't interactive
COMMANDBOX-1472 Globber copyTo() command mishandles *nix leading slash
COMMANDBOX-1470 preServerStart can no longer affect server.json env var replacements
COMMANDBOX-1467 Servers can no longer override rest mappings
COMMANDBOX-1465 Corruption in interactive job output
COMMANDBOX-1464 Can't set XNIO socket settings or Sequence types
COMMANDBOX-1463 Command chaining has a code path where "job" variable is not defined
COMMANDBOX-1462 cfpm breaks in single server mode
COMMANDBOX-1473 Allow Undertow's resource manager file system watcher to be disabled
COMMANDBOX-1468 Customize Undertow's enabled SSL protocols
COMMANDBOX-1476 Update to Lucee 5.3.9.141 stable
We know this stuff may seem boring, but it's super important to ensure you stay safe and secure on the latest versions of our bundled libraries. We updated the following libs in this release:
org.lucee:lucee 5.3.9.141 -> 5.3.9.160
io.undertow:undertow-servlet 2.2.17.Final -> 2.2.19.Final
io.undertow:undertow-websockets-jsr 2.2.17.Final -> 2.2.19.Final
net.minidev:json-smart-mini 1.0.8 -> 1.3.2
commons-cli:commons-cli 1.2 -> 1.5.0
org.jooq:joox 1.2.0 -> 1.6.2
org.apache.logging.log4j:log4j-slf4j-impl 2.17.1 -> 2.18.0
org.apache.logging.log4j:log4j-core 2.17.1 -> 2.18.0
org.jboss.logging:jboss-logging 3.4.1.Final -> 3.4.3.Final
Over half of the tickets in this release were bug fixes to keep the CLI running smoothly on all operating systems. You can check out the full list of ticket below to see the screws we tightened.
CommandBox servers have an exciting new weapon in their arsenal, and that is a new system of security that allows you to protect certain parts of your site from the general public. This could be CF admins, private dashboards, or a subfolder of sensitive files.
You'll find a new section in the server.json called web.security where these settings live. You can leverage the power of our Server Rule predicates to match whatever requests you want to secure, based on folder, HTTP method, remote IP, HTTP headers and more.
That authPredicate would require authorization for any pages in the Lucee admin unless you were on localhost. NOTE: path-prefix is case sensitive, so on Windows you'd want to use a regex() based check such as regex( pattern='^/lucee/admin/.*', case-sensitive=false )
When a request is marked as requiring authentication, you can enable one or more auth mechanisms to challenge the user as discussed below.
Read more on Server Security Here.
https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/security
CommandBox has supported basic auth for a while, but it was a simple all-or-nothing implementation. Basic auth has been revamped and rolled into the new security system. If no authPredicate is defined, it will still apply to the whole site. But when an authPredicate is declared in your server.json, it will only kick in for those pages.
We've also moved the basic auth settings in server.json to here:
Don't worry, the old location still works too for now. We won't remove support for it until the next major release of CommandBox. If both the settings exist (Ex: web.basicAuth.enable and web.security.basicAuth.enable), the new location will be given precedence.
Read more on Basic Auth Security Here.
Adding support for client SSL certs was one of our largest undertakings and is a very exciting new feature for government shops who use PKI based authentication, often times in the form of DoD CAC (cards) which are physical cards containing a private PKI cert that identifies the user. This feature was one of the last reasons to need IIS or Apache in your mix, but now CommandBox can do it all!
Client certs have two part-- first is the ability of the web server to prompt the user's browser to ask for a client cert to send. This requires configuring a trust store or a list of trusted CA certs to accept. When the user sends a cert, it automatically makes a number of CGI and request variables available to your CF code. You can configure your SSL connection to accept or require client certs like so:
Some of the CGI variables which are automatically created when a client cert is present are
CGI.SSL_CLIENT_CERT - PEM-encoded cert (base 64 string)
CGI.CERT_SUBJECT - The Subject distinguished name of the client cert (CN=foo, O=bar, OU=baz)
CGI.CERT_SERIALNUMBER - The serial number of the cert in the format 91-7e-5f-a5-b2-20-a1-8b-4c-d0-40-3b-1c-a1-a8-58
CGI.CERT_ISSUER - The Issuer distinguished name of the client cert (CN=foo, O=bar, OU=baz)
CGI.SSL_CLIENT_VERIFY - Matches Apache HTTP. Values will be "SUCCESS" or "NONE"
The second part of client certs is the ability to use that client cert information as an authentication mechanism to enforce your authPredicate automatically. (When CommandBox's security system is unable to authorize a user, it stops the request before it ever even reaches CF!)
When authorizing based on client certs, you can have 4 levels of checks:
Any user with a cert is allowed. (Remember, the client cert must always be trusted by one of your configured trusted CA certs)
Subject Distinguished Name (DN) matches one or more complete or partial DNs you specify
Issuer Distinguished Name (DN) matches one or more complete or partial DNs you specify
Or disable the web.security.clientCert.enabled setting and allow all requests to reach CF where you can write your own checks.
CommandBox also supports SSL Renegotiation which allows you to not force the client cert right away until the user gets to a page on the site that kicks in the authPredicate and then their browser will prompt them then. This is a popular configuration since the user can hit your login page first and then be prompted for their cert once they login.
The configuration for all this looks like this:
Read more on Client Cert Auth security Here.
loadModules()As Task Runners become more popular and people combine them with more modules to perform their operations, you run into the need to load a list of modules all at the same time which may have interdependencies. There is now a new loadModules() method available to Task Runners which accepts an array of module paths. Each module is first registered, and then each module is activated.
Read more here:
https://commandbox.ortusbooks.com/task-runners/loading-ad-hoc-modules#loading-multiple-modules
JLine - 3.19.0
jGit - 5.11.0.202103091610-r
Launch4j - 3.14
JANSI - 2.3.2
When you configure libDirs for a server, CommandBox used to only load jar files found in the root. Now it will include sub directories which gives you more flexibility around how to install your jars.
In the previous release, we introduced a new helper for printing ASCII Art tables in your custom commands and task runners. We've taken this a step further and wrapped the table printer utiilty in a new command so you can use it from the CLI directly. We've also expanded its functionality to accept ANY data in as JSON and it will marshall it into a query for you. This means it can be a query, an array of structs, an array or arrays, and more. You can now get quick and easy visualization of any data right from the CLI or in builds.
As if the previous command isn't cool enough, we've also added a new "sql" command which will also accept any sort of data as JSON, marshall it into a query object and allow you to alias, filter, order, and limit the rows on the fly using CFML's query of queries!
The sql command works very nicely with the new tablePrinter command, and truly makes JSON a first class citizen of the CommandBox CLI.
We've made a small adjustment to the print.table() helper that was introduced in CommandBox 5.3.1 as follows. The old method signature is
And the new method signature is:
The parameters to the new printTable command matches the NEW method signature of the print.table() helper as well.
When working with XML in the REPL, formatting is now applied when the XML is printed out to the console, making it easier to read (same as JSON)
COMMANDBOX-1320 Server stop doesn't message user when it fails
COMMANDBOX-1319 Stop loading cfusion/lib in system class loader
COMMANDBOX-1318 5.3.0 errors with commandbox-dotenv 1.x versions due to WireBox change
COMMANDBOX-1314 When building Lucee war from local jars, seeded web.xml file is ignored
COMMANDBOX-1311 Table printer error with no rows
COMMANDBOX-1310 update '{slug}' fails as it is trying to print the package version and its dependencies.
COMMANDBOX-1308 Relative Web Alias Behavior (regression)
COMMANDBOX-1307 jq doesn't resolve file paths to current working directory
COMMANDBOX-1303 CFEngine adobe - Could not initialize class coldfusion.vfs.VFile when using s3 protocol
COMMANDBOX-1328 Improve performance of piping large strings to "cfml" command
COMMANDBOX-1317 Format XML in REPL
COMMANDBOX-1316 Change default CLI JSON representation of query to array of structs
COMMANDBOX-1306 Allow upgrade command to pull stable versions when CLI is a prerelease version
COMMANDBOX-1305 Update bundled java libraries
COMMANDBOX-1302 app.libDirs does not load jars/classes recursively from sub folders
COMMANDBOX-1210 Allow for relative URLs when defining trayoption elements
COMMANDBOX-1194 Add Libraries To Runwar Necessary For URLRewrite Proxy
COMMANDBOX-1324 New "printTable" command to add CLI usage of table printer
COMMANDBOX-1323 New "sql" command to filter tabular data with SQL
COMMANDBOX-1321 Add --verbose to 'server stop' to see raw output
COMMANDBOX-1309 Add printTable command that proxies to print.table() helper
When you start an Adobe or Lucee CF Engine, the WAR CommandBox uses has a stock web.xml baked into it. Sometimes you may want to add custom servlets, servlet mappings, etc into your server. You can override the stock web.xml in part or in total with a file of your own which you specify in the server.json like so:
More info here:
https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/web.xml-overrides
In addition to quoting parameter values, parameter names can also be quoted. This is useful when setting keys into settings or JSON files that have spaces, hyphens or special characters. Each of these examples are now supported:
More info here:
https://commandbox.ortusbooks.com/usage/parameters
Lucee Server has been updated to 5.3.8.201 and JBoss Undertow has been updated to 2.2.10.Final. The Lucee update, as usual, applies to the CLI as well as the default server you get when you run server start.
When you install a Jar via HTTP URL and the version number is baked into the URL, the jar endpoint now makes more assumptions about what the version of the package is that allows it to optimize the update checks and eliminate unnecessary downloads.
More info here:
https://commandbox.ortusbooks.com/package-management/code-endpoints/jar-via-http#semantic-versioning
Here are some fun commands for user interactivity in the shell. You can use these as part of a recipe or a nice "one-liner".
The ask command is similar to the ask() method in Task Runners. It requires an interactive terminal and will ask the user a question and return their answer. It is meant to be changed with other commands.
or with default values
or with masked input
Or fun stuff like this
The confirm command will ask the user a yes/no question and return a passing or failing exit code from the command based on the answer.
Remember the && operator will only execute the second command if the first command returns an exit code of 0.
More info here:
https://commandbox.ortusbooks.com/helpful-commands/ask-and-confirm
You can easily forget all servers which have not been started for a certain period of time with the server prune command. It accepts the number of days that need to have passed since a server was last started in order to prune it.
More info here:
https://commandbox.ortusbooks.com/embedded-server/manage-servers#prune-old-servers
Here are the full release notes for CommandBox 5.4.0
COMMANDBOX-1364 Cancelling a prompt with active job doesn't clear job logs
COMMANDBOX-1361 Param tab completion is off-by-one when piping
COMMANDBOX-1360 Can't list files in directory with brackets ( [ or ] ) in the name
COMMANDBOX-1356 forgebox timeout is too small when publishing packages
COMMANDBOX-1354 dir command returns no results in drive root
COMMANDBOX-1353 Summary over 200 chars in box.json causes error when publishing
COMMANDBOX-1352 Addition of Apache logging classes breaks 3rd party libs using it
COMMANDBOX-1350 Installing a system module as one-off command doesn't clear wirebox metadata cache
COMMANDBOX-1348 Commenting server rules doesn't work correctly in text files
COMMANDBOX-1346 CommandDSL doesn't handle struct args
COMMANDBOX-1344 create a server prune command
COMMANDBOX-1339 Server start can hang when CF engine blows up
COMMANDBOX-1338 Tab complete doesn't work after a pipe
COMMANDBOX-1337 Working dir of server custom menu items doesn't default properly
COMMANDBOX-1336 Error when setting failing exist code in Task Runner
COMMANDBOX-1334 updating commandbox to 5.3.1 via Homebrew breaks with a java error
COMMANDBOX-1333 Rewrite rule with query string doubles up question mark
COMMANDBOX-1332 printTable column validation breaks with spaces in list
COMMANDBOX-1330 Directory listing not showing folders properly when names are numeric
COMMANDBOX-1230 Certain Java installs fail version check
COMMANDBOX-1366 ask and confirm command to capture user input from shell
COMMANDBOX-1365 Improve version handling in JAR endpoint
COMMANDBOX-1351 Update to Lucee 5.3.8
COMMANDBOX-1347 Support dots in struct keys with set/show/clear commands
COMMANDBOX-1342 printTable custom header names for non-array input
COMMANDBOX-1331 Add printTable check for data with no columns
COMMANDBOX-1329 Sort column names in printTable --debug
COMMANDBOX-1362 Set env vars directly in server.json for local one-off overrides
COMMANDBOX-1011 Support web.xml Overrides
COMMANDBOX-1363 Update to Undertow 2.2.10.Final
To be more useful, CommandBox now bundles the following system modules
They will be automatically installed (or updated) when you start the CLI for the first time. You can still update or uninstall them, just like any system module. Note: If you have any of these modules currently linked into the CommandBox core, any uncommitted changes will be overwritten when you upgrade box. Please unlink the repos first before upgrading.
The CommandBox Update Check modules can be disabled if you don't like it via
It will also automatically obey the offlineMode Config Setting.
CommandBox will automatically set the content type in the HTTP response for common static file types. If you come across a file extension that doesn't have the correct type, you can set it like so in your server.json:
Which creates the following
In the above example, hitting a file such as foo.log would come back with a text/plain content type header.
This setting will override any <mime-mapping> tag in your web.xml file.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/mime-types
If you are authenticated to ForgeBox in the CLI, you can synchronize your config settings to and from your ForgeBox account. This is a great way to get up and running on a new PC or keep multiple CommandBox installs in sync. In addition to synchronizing your Config Settings, this feature will also track your installed system modules, such as CFConfig, etc.
This command will push your local settings and modules up to your ForgeBox account.
By default, the settings are "merged" so new local settings will be added to ForgeBox, but nothing will be removed. To remove config that only exists on ForgeBox, you can use the --overwrite flag to force a full sync.
This command will pull your settings and modules from your ForgeBox account and set/install them locally.
By default, the settings are "merged" so missing settings will be added locally, and missing system modules will be installed, but nothing will be removed. To remove config and modules that only exist locally, you can use the --overwrite flag to force a full sync. This will remove local config settings and uninstall local system modules which were not on ForgeBox.
This command will not change anything, but gives you a full report of all settings which are different between your local CommandBox CLI and ForgeBox. It will show you "Remote Only," "Local Only," and "Changed" settings and modules. Use this to see what you're about to change before pushing or pulling.
Read More: https://commandbox.ortusbooks.com/config-settings/setting-sync
This is the same as onServerInstall, but it only runs the VERY FIRST time a CF engine is installed. This is helpful if you want to install Lucee extensions or ACF modules and only need to do it the first time. This interceptor is easier than using onServerInstall and inspecting the installDetails.initialInstall flag.
This has been an experimental feature of CommandBox servers for a while, but we've finalized the feature and added a proper setting to enable it in server.json. By default, the web server in CommandBox will follow the case sensitivity of the underlying file system. So, when on Windows /FiLe.TxT will still load an actual file called /file.txt. But on Linux, the case in the browser would need to match that of the file system. CommandBox allows you to force case sensitivity to be ON or OFF for a server, overriding the server's file system.
To force CommandBox's web server to be case sensitive, even on operating systems like Windows, use the following setting. There is a nominal performance benefit in doing this, and it can allow a Windows CommandBox server to mimic a Linux server for testing.
To force CommandBox's web server to be case insensitive, even on operating systems like Linux, use the following setting. There is a nominal performance overhead in doing this, and it can allow a Linux CommandBox server to mimic a Windows IIS server. In this mode, CommandBox will use an internal cache of file system lookups to improve performance. If there are two files of the same name using different case, then you will get whatever file is found first.
If using CommandBox's SSL, you can now use a PFX file (PKCS #8 format) which contains the public and private key in one file.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/ssl-certs
Most of the Server Rule predicates are case-sensitive, which poses a problem when using them for security on Windows since they will only match one specific spelling of a folder or file. We have added "-nocase" versions of several popular predicates which perform case-insensitive checks.
regex-nocase()
path-suffix-nocase()
path-prefix-nocase()
path-nocase()
equals-nocase()
contains-nocase()
Undertow's reverse-proxy() handler would not connect to a back-end server using SSL. We've given up on RedHat fixing this any time soon, and added a new load-balanced-proxy() handler which works with SSL.
Due to long-standing bugs in the Lucee evaluate() function that seem like they'll never get fixed, we've finally put a workaround in the REPL, which captures the return value of member functions chained to literals and expressions using closures. Ex:
There is already a Config Setting for the preferred browser when opening up sites. You can now customize this on a per-server basis with this server.json setting
You can now control the Log4j appender layout for CommandBox servers, which includes formats such as JSON, which allows your server logs to be automatically imported into Elastic Search
Read More: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/console-log-layout
There is a helpful command called forgebox version-debug which will show you what version of a package will be installed without actually installing it. It can also be useful to test a semver range and see what packages it matches.
Read More: https://commandbox.ortusbooks.com/package-management/installing-packages/debug-installation
COMMANDBOX-1537 Experimental feature force insensitive web server has stopped working in some cases
COMMANDBOX-1541 Hide Felix error messages in console on startup
COMMANDBOX-1542 Custom tray options calling box with space in path fail
COMMANDBOX-1550 Add load-balanced-proxy() handler to replace Undertow's broken reverse-proxy() because they refuse to fix it
COMMANDBOX-1551 Capture return value from some REPL expressions because Lucee refuses to fix evaluate()'s parser
COMMANDBOX-1552 Two instance of CLI cause class loading issues from OSGI bundles
COMMANDBOX-1559 server start port check doesn't take web.http.enable into accout
COMMANDBOX-1434 CommandBox settings sync feature
COMMANDBOX-1539 Add onServerInitialInstall package/server script
COMMANDBOX-1540 Add `.webp` as a default mime type for CommandBox to support this new image format
COMMANDBOX-1543 Formalize setting for case sensitivity of web server
COMMANDBOX-1549 Add "nocase" versions of regex(), path-suffix(), path-prefix(), equals(), contains(), and path() predicates
COMMANDBOX-1555 Improve forgebox whoami command
COMMANDBOX-1556 Allow CommandBox to customize console appender Layout
COMMANDBOX-1562 New "forgebox version-debug" command
COMMANDBOX-1566 Bundle super helpful modules in box core
COMMANDBOX-1567 onConfigSettingSave and onEndpointLogin interception announcements
COMMANDBOX-1034 Ability to pass file name to "more" command
COMMANDBOX-1345 Add a method in server.json to add MIME type mappings to Undertow
COMMANDBOX-1393 Improve message when starting second server with single server mode enabled
COMMANDBOX-1538 system setting serverinfo namespace use interceptdata if running inside of server script
COMMANDBOX-1544 Allow `web.webroot` to be changed in single server mode
COMMANDBOX-1545 Authentication failures don't send custom error pages
COMMANDBOX-1547 Add directory param to coldbox watch-reinit command
COMMANDBOX-1548 Support PKCS #8 format private keys
COMMANDBOX-1554 Allow preferredBrowser to be set on a per-server basis
COMMANDBOX-1557 Add file and directory completion to the ID param of the install command
COMMANDBOX-1558 Add installExtension() for commands and task runners to install Lucee extensions on the fly to the CLI
COMMANDBOX-1560 Update Lucee to 5.3.10.120 in CLI core
COMMANDBOX-1561 Improve upgrade command
COMMANDBOX-1564 Load libdirs in system classloader
COMMANDBOX-1565 Check for default branch of "main" in Git endpoint
COMMANDBOX-1357 Try removing JAX API classes from runwar
COMMANDBOX-1546 Update to Undertow 2.2.22-Final
COMMANDBOX-1553 Update bundled JRE to jdk-11.0.18+10
COMMANDBOX-1563 Remove stopgap for COMMANDBOX-1459
There is a fix for a regression introduced in 5.4.0 where updating the version of a CF engine doesn't work without forgetting the server first.
There is also an important security improvement to CommandBox servers. Thanks to Abram Adams for reporting this to Ortus so we could address it.
Note, the details of the security improvement have been tracked privately.
Java path shows up twice in "server info --verbose"
Updating server in-place keeps old web.xml path
recipe with multiple "install" instructions fails
Add additional interceptData to server interceptors
Update to WireBox 6.5.2
Immediately activate modules after installation
Improve multiselect DSL
Add JSON and Properties output for info command
This is a very small release with two changes.
Update to Lucee 5.4.3.2
Update bundled JRE to 11.0.20+8
Note Lucee 5.4.3.2 contains critical security patches which are outlined here:
https://dev.lucee.org/t/lucee-critical-security-alert-august-15th-2023-cve-2023-38693/12893
The new Lucee version affects the core CLI runtime as well as the default server you get when running "server start" with no cfengine specified. Possible compatibility issues related to the major bump in Lucee version:
This Lucee version does not include Hibernate, so the Ortus Hibernate extension is installed. We will stop doing this in 6.0
This Lucee version has strict XML parsing settings on by default which may affect any servers you start which parse XML containing DTDs.
If you do run into XML errors, this code may help you in your Application.cfc, which allows DTDs, but still disallows XML external entities (XEE).
COMMANDBOX-1609 Update bundled JRE to 11.0.20+8
COMMANDBOX-1610 Update to Lucee 5.4.3.2
Bug
COMMANDBOX-1374 Some installs unnecessarily write to the box.json
COMMANDBOX-1370 ConfigService::settingExists() fails in race conditions due to non-varscoped variables in JSONService
COMMANDBOX-1372 Support excludePaths in watcher DSL and watch command
COMMANDBOX-1369 Ensure Adobe wars have a seeds.properties file
COMMANDBOX-1368 Add tab complete for "env clear" command
COMMANDBOX-1367 Ignore empty startScript on server start
In this section you will find the release notes for the 5.x version of CommandBox.
Version 5.9.1 - August 2023
Version 5.9.0 - May 2023
Version 5.8.0 - April 2023
Version 5.7.0 - December 2022
Version 5.6.0 - September 2022
Version 5.5.2 - May 2022
Version 5.5.1 - May 2022
Version 5.4.2 - October 2021
Version 5.4.1 - September 2021
Version 5.4.0 - August 2021
Version 5.3.0 - May 2021
Version 5.2.1 - Dec 2020
Version 5.2.0 - Nov 2020
Version 5.1.1 - June 2020
Version 5.1.0 - May 2020
Version 5.0.0 - Mar 2020
ModCFML is a popular standard for running a CF server behind IIS or Apache web server and allowing your virtual hosts configured in the web servers to control the web root of the CF server so you can run more than one site on a single CF instance. CommandBox has historically only had a single web root per server, but now you can use a single CommandBox instance to power as many Adobe CF or Lucee Server sites as you like. CommandBox's ModCFML just needs to be enabled and can work with BonCode, mod_cfml or Nginx.
server.json
Read more here: https://commandbox.ortusbooks.com/embedded-server/modcfml-support
CommandBox's core is now 100% free of 1.x versions of the Log4j library. Note, if you start an older Lucee server or any Adobe ColdFusion server, they may still have Log4j 1.x bundled with them.
Many of the java libraries have been updated
JRE-bundled version ships with Java 11.0.15+10
Undertow updated to 2.2.17.Final
Lucee updated to 5.3.9.133
JGit updated to 5.13.0.202109080827-r
JLine updated to 3.21.0
Runwar updated to 4.7.4
Log4j updated to 2.17.1
Does what it says. Looks like this:
server.json
Read More Here: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/ad-hoc-java-system-properties
JVM args and Runwar args can now be set an array of strings which prevents you from needing to escape or quote anything.
Old way (still works)
New way
Read More Here: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/jvm-args#ad-hoc-jvm-args
There is now a handy little handler you can put in your server rules to view a console dump of all the header data related to your request and response.
server.json
The java API has been moved from AdoptOpenJDK to the Eclipse Adoptium project. This is basically the same project, it just changed names.
Opposite of assertTrue. Returns a passing (0) or failing (1) exit code whether falsy parameter passed. Truthy values are "yes", "true" and positive integers. All other values are considered falsy
Opposite of assertEqual. Returns a passing (0) or failing (1) exit code whether both parameters DO NOT match. Comparison is case insensitive.
You can have more than two chained commands, and the command chain will keep executing so long as the next part is compatible with the previous exit code. Ex:
We now set the JAVA_HOME for the cfpm command if it doesn't exist
An Adobe server no longer needs to be the default server for that web root
If cfpm is run as part of a package or server script, it will default to the using the server currently doing something
Previous versions of Launch4j only used the Windows registry to find the installed version of java. The following environment variables are now also checked in this order to attempt to find a JRE to use.
JAVA_HOME
JRE_HOME
JDK_HOME
PATH
Does the same basic thing as the tail command, but it reads from the top of the file or input.
For better security, CommandBox servers will not automatically obey X-Forwarded-For HTTP headers unless you enable it.
Only enable this setting if your CommandBox server is behind a trusted proxy which always sets this header. Otherwise, a malicious client could spoof a trusted IP an bypass IP access control.
Both of these commands will now do the same thing. The second one used to error with version not found.
XML formatting is now a first-class citizen of the print helper and the REPL. You can pass a parsed XML doc and they will be formatted upon display.
Due to lack of Java 9+ support in the Java library that creates tray icons, we've disabled the tray icon by default on MacOS. If you want to brave the possibility of it not working or spilling errors in the console, you can re-enable it like so:
Hopefully when the library gets updated, we'll be able to re-enable the tray icon by default.
Here is the complete list of all tickets closed in this release
This release was primarily to address a regression in 5.1.0 affecting Mac OS users who tried to start Lucee servers. If you see an error similar to this on a Lucee server and you're running a Mac and CommandBox 5.1.0, then this release will fix it for you.
If you are upgrading from CommandBox 5.1.0, there are only a handful of tickets which are listed below. If you are updating from an earlier version of CommandBox, please check out our 5.0.0 and 5.1.0 release blogs.
[COMMANDBOX-1107] - Overzealous gitignore matching of parent directories when zipping up for ForgeBox storage
[COMMANDBOX-1173] - Enabling SSL results in some CFHTTP requests to fail.
[COMMANDBOX-1178] - writedump failing in Lucee
[COMMANDBOX-1179] - File globbing matching partial file names
[COMMANDBOX-1181] - Allow for verbose startup without debug logging of requests
Java 14 is now supported in CommandBox 5.1.0. In order to support Java 14, we had to stop using Pack200 which means the binary sizes have grown a little. The good news is CommandBox will start up a little faster on its first run since there's less to unpack now.
You can start up a lightweight server that only serves static files now with CommandBox.
https://commandbox.ortusbooks.com/v/5.1.0/embedded-server/start-html-server
In pursuit of the smallest possible Docker images, we have CommandBox light which is built on Lucee Light. We also have a box "thin" binary you can swap out with the full self-extracting binary when using CommandBox in custom docker images. Check out Pete Freitag's Minibox image to see both of these in use in a super tiny 78 Meg docker image. More docs here:
https://commandbox.ortusbooks.com/v/5.1.0/setup/light-and-thin-binaries
If you're using box in an integration where you want it to start up in a specific working directory, there is a new bootstrap CLI arg for that.
https://commandbox.ortusbooks.com/v/5.1.0/usage/execution#custom-working-directory
You've always been able to specify custom menu items in your server.json or global config settings, but we've kicked it up a notch. Not only can you contribute to existing sub menus now, you can execute arbitrary native commands synchronously or async.
Here's the full list of tickets closed down in the 5.1.0 release.
[COMMANDBOX-1121] - Runwar deadlocks when using Lucee server warmup flag
[COMMANDBOX-1122] - Server start console output isn't always formatted correctly
[COMMANDBOX-1125] - Boolean env var causes error on server start
[COMMANDBOX-1127] - Output of foreach can't be piped
[COMMANDBOX-1133] - Lucee Extension install doesn't recognize Lucee Light
[COMMANDBOX-1135] - Package unlink command misspelled parameter moduleDirectory as moduleDrectory
[COMMANDBOX-1137] - Package link command misspelled parameter moduleDirectory as moduleDrectory
[COMMANDBOX-1140] - Tab complete doesn't work on Windows paths with backslashes
[COMMANDBOX-1144] - CommandBox Watcher shows error on Ctrl-C
[COMMANDBOX-1148] - Extension management doesn't "recognize" a Lucee server started with --dryRun
[COMMANDBOX-1151] - Downgrading a package with install doesn't work without --force
[COMMANDBOX-1152] - The run command doesn't always seem to kill interactive binaries
[COMMANDBOX-1154] - Relative paths incorrect in drive root on *nix
[COMMANDBOX-1166] - Using a warPath of ./ gets normalized to "" and then ignored in subsequent starts
[COMMANDBOX-1176] - native commands with * can fail due to missing regex escape
[COMMANDBOX-1177] - Incorrect serverInfo for a server that hasn't started
[COMMANDBOX-1015] - Allow arbitrary actions for menu items
[COMMANDBOX-1019] - Allow to start a pure HTML server
[COMMANDBOX-1130] - Update ColdBox Templates to new standards
[COMMANDBOX-1145] - Allow default working dir of box to be overridden
[COMMANDBOX-1146] - Create box-thin binaries that don't bundle any libs
[COMMANDBOX-1147] - Create CommandBox Light built that uses Lucee Light jar
[COMMANDBOX-1153] - Add two new methods to commands for working with async futures: getCurrentThread() getThreadName()
[COMMANDBOX-1170] - TestBox run commands now support the outputFormats argument to allow you to output post-test reports in many formats
[COMMANDBOX-1171] - TestBox revamped UI for the CLI reporter
[COMMANDBOX-1172] - Add Java info debug to box binary
[COMMANDBOX-1102] - Add Java version as info log
[COMMANDBOX-1080] - Provide way to disable server instance icon in MacOS dock
[COMMANDBOX-1126] - Add --full flag to dir command to output full path
[COMMANDBOX-1129] - Rework the server list command so it is more performant
[COMMANDBOX-1132] - Bump to Lucee 5.3.6.61
[COMMANDBOX-1134] - Tab complete for sort options in dir command
[COMMANDBOX-1143] - Have the ProgressableDownloader send an Accept header
[COMMANDBOX-1150] - Don't overwrite lucee-server.xml file when updating libs
[COMMANDBOX-1155] - Auto-detect *unix distros with non-bash shells
[COMMANDBOX-1156] - Copy lco files so Lucee server can start on CommandBox Light
[COMMANDBOX-1168] - Reset console window title after `run` executes a process
There are a number of pretty exciting new features and a pile of bug fixes. And as usual, input from the community via Pull Requests. Huge thanks to Pete Freitag, Kai Koenig, Matthew Clemente, Bobby Hartsfield, Scott Steinbeck, Daniel Mejia, and Miguel Mathus! Here's an overview of the new stuff in 5.2.0
We know library updates are boring, but they are important and we want you to know we take them seriously. Keeping up-to-date ensure you have the latest fixes and security updates from all the third-party libs we bundle in CommandBox.
Here's an overview of what we updated in CommandBox 5.2.0.
Upgraded Runwar from 4.1.2 to 4.3.8
Upgraded JBoss Undertow from 2.0.27.Final to 2.2.0
Upgraded UrlRewritesFilter to Ortus fork 5.0.1 with custom fixes
Upgraded jboss-logging from 3.2.1.Final to 3.4.1.Final
Upgraded jboss-logging-annotations from 2.1.0 to 2.2.1.Final
Upgraded JCabi Log from 0.18 to 0.18.1
Upgraded Apache HttpClient from 4.2.6 to 4.5.12
Upgraded Apache httpmime from 4.2.6 to 4.5.12
Removed unused JOpt Simple 5.0-beta-1
Removed unused Gson 1.2.3
The Undertow bump is a minor update, but a pretty big deal. Ortus sent three pull requests to the core Undertow project fixing bugs and adding predicate logging. All of our pulls were accepted and merged into the core Undertow project and released in the 2.2 release.
Read more about library updates here:
https://ortussolutions.atlassian.net/browse/COMMANDBOX-1064
This is a feature that we expect to grow in the future. We've started it out simple, yet powerful but left a lot of room to build on it. The two main goals here are
Make CommandBox secure-by-default so a server shoved in production comes nice and locked down
Makes it very easy for you to toggle off all the security stuff for development
CommandBox now has profiles you can assign to a server when you start it to configure the default settings. This is to provide easy secure-by-default setups for your production servers, and to make it easier to switch between a development mode and production mode.
There are 3 currently supported profiles. Custom profiles will be added as a future feature.
Production - Locked down for production hosting
Development - Lax security for local development
None - For backwards compat and custom setups. Doesn't apply any web server rules
In production mode, CommandBox will block access to your CF admin to all external traffic, will block all common config files such as box.json or .env and will block, the "TRACK" and "TRACE" HTTP verbs
You can set the profile for your server in your server.json
Or you can specify it when starting the server like so:
If a profile is not set, CommandBox looks for an environment variable called "environment" or it checks to see if the site is bound on localhost to try and guess the correct profile for you.
We've also added some new flags in your server.json to fully customize how your profile behaves.
Read more about Server Profiles here:
https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/server-profiles
This is huge-- probably the biggest chunk of work, and it's actually what makes the server profiles above even possible! It's always been possible to perform basic lock downs with a custom rewrite file, but we've exposed an amazing built-in functionality of Undertow called the Predicate language. It allows you to create ad-hoc rules that apply to your server to provide any of the following:
Security - Block paths, IPs, or users
URL rewrites - Rewrite incoming URLs to something different
Modifying HTTP requests on the fly - Set headers, cookies, or response codes
An example of a server rule using Undertow's predicate language to block access to any box.json files looks like this:
One of the best things about these rules, is they don't have to be in a single monolithic XML file. Instead they can come from
An array of ad-hoc definitions in your server.json file or config server defaults
one or more external JSON or text file specified in your server.json or config server defaults
Built in CommandBox server profiles (see above)
Custom 3rd party CommandBox modules that contribute rules on-the-fly (time to get creative!)
Here's some examples of what can be in your server.json
There are TON of built in predicates and handlers your rules can use. We've documented some of them here:
CommandBox also registers some custom rules in Undertow you can use for your CF apps:
There are lots of new docs on this. Read more about Server Rules here:
https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/server-rules
The more we use Task Runners for builds, scheduled tasks, and utilities, we've seen the need to have lifecyle events in the same manner as the preHandler and postHandler sort of stuff in ColdBox MVC. Now if a task runner has methods of this name, they will be executed automatically.
preTask - Before any target in the task
postTask - After any target in the task
aroundTask - Wraps execution of any target in the task
pre- Before a specific target
post- After a specific target
around - Wraps execution of a specific target
onComplete - Fires regardless of exit status
onSuccess - Fires when task runs without failing exit code or exception
onFail - Fires if exit code is failing after the action is done (always fires along with onError, but does not receive an exception object). Use this to respond generally to failures of the job.
onError - fires only if an unhandled exception is thrown and receives exception object. Use this to respond to errors in the task. Does not fire for interrupted exceptions
onCancel - Fires when the task is interrupted with Ctrl-C
The lifecycle methods are very powerful and can be controlled via whitelist and blacklists to control what targets they execute for. "Around" events are very easy to use thanks to the use of closure. There's a lot more details in the docs.
Read more about Task Runner Lifecyle events here:
https://commandbox.ortusbooks.com/task-runners/lifecycle-events
The default namespace when using the $ {foo} system setting expansion syntax is box environment variable, Java system properties, and OS environment variables.
It is also possible to leverage built-in namespaces to allow expansions that reference:
server.json properties
box.json properties
arbitrary JSON file properties
Config settings (like the config show command)
Server info properties (like the server info property=name command)
Other properties in the same JSON file
This gives you a lot more power now to be able to create dynamic configuration in your JSON files and even from the command line. Here are some examples:
And one of the coolest things is this implementation is driven by a new onSystemSettingExpansion interception point and completely extendable! That means you can write a module that powers something hypothetical like this:
Read more about System Setting namespaces here:
https://commandbox.ortusbooks.com/usage/system-setting-expansion-namespaces
CommandBox has had the ability to enable/disable GZip compression in Undertow for a while. Now you can fully control when it activates based on the type or size of file, etc. This feature utilizes the same Undertow predicate language that we introduced above.
Read more about GZip Compression Control here:
https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/gzip-compression
This is a fun one. There are some specific commands that make use of the Watcher library in CommandBox such as testbox watch and coldbox watch-reinit. However, there is also now a generic watch command that will run any arbitrary command of your choosing when a path matching your file globbing pattern is added/updated/deleted. Use this to build custom watchers on-the-fly without needing to touch any CFML code to write a Task Runner.
That command will echo out "config files updated!" every time a JSON file gets changed in the current directory. Here's a more complex one:
That one will list every new file that's added in this directory and all sub directories.
Read more about the generic watch command here:
https://commandbox.ortusbooks.com/usage/watch-command
There are a handful of features in CommandBox that will open URLs for you in your default browser. We've had requests to allow the browser in use to be customized, so we've reworked all of that logic, consolidating it in some places and now you can control what browser CommandBox uses. To change the default browser for all URL opening functions use this:
Supported browsers are:
firefox
chrome
opera
edge (Windows and Mac only)
ie (Windows only)
safari (Mac only)
konqueror (Linux only)
epiphany (Linux only)
And you can even dial in a browser on demand for the browse and server open commands.
Read more about setting the default browser here:
https://commandbox.ortusbooks.com/config-settings/misc-settings#preferredbrowser
Here are some honorable mentions.
The CommandBox Tuckey rewrites allow an .htaccess file that uses the mod_rewrite style syntax of rewrites. Previously, use of flags such as these didn't work:L
https://ortussolutions.atlassian.net/browse/COMMANDBOX-1221
We've added a "restart" option to the tray icon that does exactly what you think it does.
There's a new trick supported in CommandBox's shell that we've borrowed that allows you to change directories and go "up" more than one directory with less typing:
https://ortussolutions.atlassian.net/browse/COMMANDBOX-1209
You can now pipe the output of a previous command in CommandBox directly to a native binary like so:
In this case, clip is a Windows binary that will read the standard input and place that text on the clipboard.
We work hard to make every CommandBox upgrade backwards compatible. There's a couple things that you may notice different in this release. They're both done to put security first and can be modified to get your original behavior back.
Since the CF Administrator is now blocked for traffic not coming from localhost when in production mode, you may need to explicitly open up the CF admin to make it accessible again if you needed it open to the public on a production server. Even with the profile set to production, you can activate just the CF admin like so:
The web server built into CommandBox will now only serve static files if their extension is found in a whitelist of acceptable files. This is to prevent prying eyes from hitting files they shouldn't be able to access on your server. The current list of valid extensions is:
If you have a common static file you need to serve, you can add your own custom extensions to the list like so:
And if you think we've missed an obvious one that deserves to be added to the default list, please let us know.
Here's the full list of tickets in the 5.2.0-RC.1 release.
[COMMANDBOX-1138] - Tuckey UrlRewrite DTD version issues
[COMMANDBOX-1141] - when installing a package which doesn't exist, commandbox claims forgebox is unreachable
[COMMANDBOX-1199] - Remove mail-4.1.1.jar from runwar's lib dir
[COMMANDBOX-1201] - "testbox run" output garbled on Windows (wrong encoding)
[COMMANDBOX-1205] - UndertowOptions and XNIOOptions don't work for Long type
[COMMANDBOX-1206] - HTTP endpoint leaves a zip file in the CommandBox temp folder
[COMMANDBOX-1213] - url rewrite no longer works
[COMMANDBOX-1218] - Piping a command into run does not execute interactivley
[COMMANDBOX-1221] - Support flags on .htaccess file for Tuckey rewrites
[COMMANDBOX-126] - Restart server via tray icon
[COMMANDBOX-1012] - Stop expanding /WEB-INF paths in servlet init params
[COMMANDBOX-1021] - Allow configuring default browser to use when opening a URL
[COMMANDBOX-1084] - Add a preInstallAll and postInstallAll interception points when running an `install` command
[COMMANDBOX-1167] - Add Task Runner lifecycle events
[COMMANDBOX-1197] - Generic watch command
[COMMANDBOX-1200] - When starting an already-started server, offer to open the existing one instead
[COMMANDBOX-1209] - Add directory expansion command for going back multiple directories
[COMMANDBOX-1214] - Add built-in predicates and handlers for undertow for easier lockdown
[COMMANDBOX-1215] - Add "profile" setting to help default security settings
[COMMANDBOX-1220] - Allow standard input to be piped to native binaries
[COMMANDBOX-1064] - review all the runwar dependencies and check for outdated ones
[COMMANDBOX-1044] - Block TRACE HTTP Verb by default
[COMMANDBOX-1094] - Implement web server rules in Undertow
[COMMANDBOX-1103] - Add an option to console log output without ANSI codes
[COMMANDBOX-1109] - Migrate to AdoptOpenJDK API v3
[COMMANDBOX-1131] - Move ANSI logging format from Runwar to CommandBox
[COMMANDBOX-1157] - Automated flag negation hint is the same as the hint for the flag itself
[COMMANDBOX-1182] - Default server menu actions working directory to web root
[COMMANDBOX-1183] - Expand working directory when specified for a menu item
[COMMANDBOX-1191] - Validate incoming version for bump command
[COMMANDBOX-1192] - Programmatic skipping of package install via interceptor
[COMMANDBOX-1193] - Adding support for installing lex files from file or unc paths
[COMMANDBOX-1195] - Add File Filtering For GZIP Compression
[COMMANDBOX-1196] - Allow default server java version to be cleared
[COMMANDBOX-1198] - Add setSystemSetting() to BaseCommand
[COMMANDBOX-1202] - "testbox run" command - show tag context for global bundle exceptions
[COMMANDBOX-1203] - Add --trayEnable flag to server start
[COMMANDBOX-1204] - Allow ${} system setting expansions to have extendable namespaces
[COMMANDBOX-1208] - Improve verbose output of JVM args if args contain " - " in them
[COMMANDBOX-1217] - forgeboxstorage default ignores are over-aggresive
[COMMANDBOX-1219] - If native command is piped into RUN, allow the output to be piped again
[COMMANDBOX-1185] - Load predicates in Runwar
[COMMANDBOX-1186] - Pass Predicates as part of Server Start in CommandBox
[COMMANDBOX-1187] - Add default server rules/predicates in CommandBox for default lockdown
[COMMANDBOX-1188] - Improve logging in Undertow for execution of predicate handlers
[COMMANDBOX-1189] - Track/address Undertow tickets
Every Config Setting can be overridden by convention by creating environment variables in the shell where you run box. This is ideal for CI builds where you want to easily set ForgeBox API keys, or tweak settings for your build.
More Info: https://commandbox.ortusbooks.com/config-settings/env-var-overrides
Every server setting can be overridden by convention by creating environment variables in the shell where you run box. This is ideal for CI builds where you want to easily set ports, or tweak settings for your build.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/env-var-overrides
CommandBox now has out-of-the-box support for the HTTP/2 protocol. It is always enabled by default and browsers will use it when you're serving over HTTPS.
Thanks to a massive effort from Scott Steinbeck, the CFML world has a new CF implementation of the JMES spec, which is what powers the popular "jq" (or JSON Query) bash command. We've plugged this new library into CommandBox and exposed it in the following ways.
We've added a new jq command which behaves roughly like the bash counterpart. You can pipe in JSON, or read the JSON from a file and apply a JSON query against it which can be used to filter, massage, rewrite, map, or filter the JSON into a new JSON object.
We've also added the ability to specify powerful jq filters to the "package show", "server show", and "config show" commands directly. Just prefix your filter with the text "jq:" like so:
The jq command and JMES spec are very powerful and probably do much more than you realize! Make sure you check out the docs for more ideas.
More Info: https://commandbox.ortusbooks.com/usage/jq-command
CommandBox's AJP listener (provided by Undertow) is already protected against the Ghostcat vulnerability. However, if you would like to set up an AJP secret as well to ensure all requests coming into the AJP listener are from a trusted source, you can do this by setting the web.ajp.secret property.
For this to work, you must also configure your AJP proxy in your web server to send the same secret!
We've updated the version of WireBox inside the CLI and now have access to the AsyncManager for sweet threading and scheduled task support.
CommandBox is using an AsyncManager scheduled task thread now to redraw interactive jobs and progress bars. Look out for some new eye candy hiding in your server starts and package installs!
More Info: https://commandbox.ortusbooks.com/task-runners/threading-async#asyncmanager
The print helper in commands and Task Runners has a new toy that will print ASCII representations of tabular data thanks to a pull request from Eric Peterson. You can see it in the output of the outdated command.
And you can use it in your Task Runners like so:
When scaffolding ColdBox handlers, we have support for ColdBox 6.x REST Handlers now.
You can enable extra Resource Manager Logging when troubleshooting file system issues:
You can force case sensitivity on a Windows server:
You can force case Insensitivity on a Linux server:
You can enable a cache of file system lookups of servlet paths. This is only for production and will eliminate repeated file system hits by your CF engine, such as checking for an Application.cfc file on every request, or testing where the servlet context root is. Standard Adobe ColdFusion installations have a similar cache of "real" paths from the servlet context that is tied to a setting in the administrator called "Cache Webserver paths" but that setting is not available and does not work on CommandBox servers for some reason. This setting would apply to any CF engine.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/experimental-features
When using a CommandBox web server in production, you may wish to force your users to visit your site over HTTPS for security (and for HTTP/2 to work). However, it is desirable to still have your web server listening on HTTP so a user just typing your address in his browser can still connect to HTTP and then redirect. CommandBox can be configured to redirect all HTTP traffic over to HTTPS with the following setting.
If you want to go one step further, you can add a Strict-Transport-Security header to your site. This instructs the browser to automatically use HTTPS every time the user visits your site again.
More Info: https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/https-redirect-hsts
CommandBox won't use ANSI color formatting when running inside of a non-interactive terminal. However, build servers such as Gitlab or Jenkins (via a plugin) support ANSI color sequences. You can force CommandBox to use colored text output with this new setting:
One of the common hangups for people dealing with Lucee Server and Adobe ColdFusion CF Engines versions, is that CommandBox follows the npm-flavor of the semantic version spec and expects
instead of
So we've loosened our sem ver library to treat the 4th number as a build ID if there is no plus sign in the version (instead of just discarding the 4th digit as the spec requires)
Most modern browsers allow you to make up any subdomain you want before localhost such as mySite.localhost and will simply resolve them to localhost (127.0.0.1) even without a hosts file entry. CommandBox now supports using these domains and will bind your server's ports to localhost even without using the commandbox-hostupdater module.
You can customize where CommandBox lives by placing a commandbox.properties file next to the box binary. We have better support for relative paths now so you can have portable CommandBox installations such as a thumb drive.
More Info: https://commandbox.ortusbooks.com/setup/installation
The only known breaking change in this release is if you try to start two servers on the same HTTP port. Previously, CommandBox would just ignore the port on the second server and choose a random port. Due to the confusion that can cause, CommandBox will now throw an error. If you want to override an explicit port locally, set the port to an empty string or a 0 and CommandBox will choose a random port for you. For example, if you are using the commandbox-dotenv module, you can put this line in your project's .env file to override the port in your server.json
If you have a server with the server.json outside of the web root and at least one relative web alias, the alias will not work on the first start of the server. The workaround is to change the web aliases to be relative to the folder that the server.json lives in.
Some users receive the following error when starting CommandBox after updating:
If you see this, it means you have an older version of the commandbox-dotenv module installed that is not compatible with the new version of WireBox inside CommandBox. To fix, delete this folder out of your CommandBox home:
Now the CLI will start and you can install the latest version of dotenv.
Here is the list of all tickets included in the 5.3.0 release.
COMMANDBOX-1301 web server aliases in server.json should be relative to the folder of the server.json
COMMANDBOX-1300 ${Setting: serverinfo.foo not found} expansions don't work in a folder that's not the web root
COMMANDBOX-1291 Re-using same server.json with two names doesn't work
COMMANDBOX-1276 Corrupted WireBox metadata cache file will prevent CommandBox from starting
COMMANDBOX-1275 HTTP2 Additional Port Handling and Flexibility
COMMANDBOX-1271 REPL & Command highlighters don't handle square brackets [] well
COMMANDBOX-1270 JVM arg ending in backslash doesn't work
COMMANDBOX-1268 Coldbox Watch-Reinit Watches Unwanted Folders
COMMANDBOX-1263 Package installation doesn't always optimize duplicate packages
COMMANDBOX-1261 Globber.count() bombs if run after .asQuery()
COMMANDBOX-1259 Starting lucee@1.2.3 will use light-light when using CommandBox Light
COMMANDBOX-1255 Loading class files in task runner doesn't work
COMMANDBOX-1253 variables scope doesn't persist between task dependencies
COMMANDBOX-1250 tokenreplace removes BOM from files
COMMANDBOX-1212 trayOptions.json not respecting serverHomeDirectory
COMMANDBOX-664 Server status not always correct.
COMMANDBOX-1297 Add singleServerHome option to not auto-deploy different versions of servers
COMMANDBOX-1296 Improve error message if version isn't found in ForgeBox
COMMANDBOX-1295 Loosen parsing of build ID in semver
COMMANDBOX-1292 Treat empty HTTP port the same as 0 (chooses random port)
COMMANDBOX-1290 Remove runwar hack that sets java vesrion
COMMANDBOX-1288 Runwar timesout when Lucee's new warmup flag is used
COMMANDBOX-1287 Add option for PID file
COMMANDBOX-1285 Allow generic override of server start settings via env vars or java sys props
COMMANDBOX-1284 Have parser ignore quotes inside a token
COMMANDBOX-1269 Cache "/" path lookup in Runwar's mapped resource manager
COMMANDBOX-1267 Add setters for run() arguments in CommandDSL
COMMANDBOX-1258 Default embedded server only needs to copy lucee.jar
COMMANDBOX-1256 Have outdated also show latest version of a package
COMMANDBOX-1252 Integrate AsyncManager into CommandBox
COMMANDBOX-1251 Upgrade to latest WireBox 6.x
COMMANDBOX-1249 Bundle testbox in testbox module to prevent auto download
COMMANDBOX-1248 Halt server start if asked for port is in use
COMMANDBOX-1246 the git bullet train car disappears while current working directory is not the root project folder
COMMANDBOX-1216 Support AJP secret in Undertow
COMMANDBOX-1169 Rethink the way the screen is redrawn upon extensive installs so it can be fluent on all screen sizes
COMMANDBOX-1136 Can't link package if no modules are installed
COMMANDBOX-1117 New first-class setting to enable HTTP2
COMMANDBOX-1108 Comment out the default environment vars in .env when createing a new coldbox app
COMMANDBOX-1294 Allow server rules to be commented out with #
COMMANDBOX-1293 Allow servers to use random.localhost domains
COMMANDBOX-1289 Integrate JMES JSON filtering
COMMANDBOX-1282 Debug when lucee-extensions don't find Lucee server
COMMANDBOX-1281 Allow JSON service to create implicit arrays
COMMANDBOX-1280 Add config setting to enable ANSI colors in dumb terminals
COMMANDBOX-1279 Allow generic override of config settings via env vars or java sys props
COMMANDBOX-1278 Add --json flag to server list
COMMANDBOX-1277 Add HTTP redirect options
COMMANDBOX-1273 Add optional servlet path cache in Runwar
COMMANDBOX-1262 Allow caching of task runners
COMMANDBOX-1260 Support for generating ColdBox RESTHandlers
COMMANDBOX-1245 Support default module export as @moduleName,
COMMANDBOX-676 Allow commandbox_home to be relative
There is now a new "forgebox logout" command you can use for testing or just to remove your API token from the local CLI.
You can change CommandBox's default tab completion to be an inline list that follows your cursor. This setting requires you to close and re-open the shell to take affect.
Read more here:
https://commandbox.ortusbooks.com/config-settings/misc-settings#tabcompleteinline
We've added better debugging information for Server Profiles. If you add the --verbose flag to your server start, you'll be able to see what profile was detected for your server, and what baked-in rules have been turned on as a result.
We've added a new Single Server Mode you can enable in the CLI to make using CommandBox in Docker images easier.
Read more here:
https://commandbox.ortusbooks.com/embedded-server/single-server-mode
Here are the release notes for the 5.2.1 release.
[COMMANDBOX-1231] - Installing via lex endpoint uses incorrect file extension
[COMMANDBOX-1232] - Location of predicate file is in a folder that the Docker finalization script deletes
[COMMANDBOX-1238] - Command alas for run command doesn't expand properly
[COMMANDBOX-1237] - Add config setting to activate JLine's AUTO_MENU_LIST
[COMMANDBOX-1240] - forgebox logout command
[COMMANDBOX-1227] - verbose server start output for profile and security settings
[COMMANDBOX-1228] - Extend ${} scopes to apply to any getSetting() call or "env show" command
[COMMANDBOX-1229] - Modules aren't unloaded on reload or shutdown
[COMMANDBOX-1233] - Add debug output that shows location of commandbox.properties file on start
[COMMANDBOX-1234] - Add single server mode for CommandBox in a Docker container
[COMMANDBOX-1236] - Add Testbox runner to sensitive paths in production profile
[COMMANDBOX-1241] - Use UTF-8 when reading files with "cat" command
Even though this is a new major version, it should be very backwards compatible. CommandBox proper has no known backwards compatibility issues we're aware of, but note we've bumped libraries like Lucee Server, Undertow, and Java support, so you may notice differences due to these 3rd party lib updates. For example, one in Lucee 5.3 (which now powers your default server) is how page output buffer is handled.
You should be able to simply replace your box.exe binary and run it to get the same in-place upgrade you're used to. If you run into issue, you can try removing the "engine" folder in your ~/.CommandBox folder and try again. If you need to downgrade for any reason, replace the box binary with the old version, remove the "engine", "cfml", and "lib" folders in your CommandBox home and they will get re-created on the next run.
You may also notice the box binary is larger now. From 44 Megs up to 77 Megs. This is a regrettable byproduct of us turning off the Pack200 process we used to run against the Lucee jar. Lucee seems to have some bugs that causes it to re-download a bunch of OSGI bundles when we compress them and we can't figure it out, or get support on the matter, so for now we're just not compressing as much stuff. This was a huge blocker for anyone needing to run CommandBox on a PC with no external internet access as Lucee provides no mechanism to turn off it's auto-download behavior.
And finally, if you have installed any custom OSGI bundles into your CLI, they will be wiped by the upgrade process now. We didn't want to have to to do this, but Lucee has bugs that cause errors when doing in-place upgrades with the old OSGI bundles left in place and we couldn't get it fixed, so this was the only way to ensure in-place upgrades would "just work" without errors. We are leaving the Lucee engine folder, so any settings you may have put into your CLI should remain in place.
There's a lot of new stuff in CommandBox 5.0.0. Here's an overview. One of the biggest new "features" is you can finally use CommandBox on Java 11+. This was not possible in CommandBox 4.x due to the version of Lucee not fully supporting newer versions of Java. Now that Lucee has been bumped to 5.3 (see below) you are free to leave java 8 behind for the CLI. Note if you're using CommandBox to start up older versions of Adobe CF or Lucee/Railo, you may still need to use java 8 specifically for your servers.
Let's start with the library updates. For the most part, all the jars we bundle are a "black box" but in reality, every update is usually for new features, fixes, or security patches. Here's an overview of the new libs:
WireBox 5.6.2
JLine 3.13.0
Runwar 4.0.3 (major bump from 3.x)
JBoss Undertow 2.0.27.Final (major bump from 1.x)
JGit 5.5.1.201910021850-r
Lucee 5.3.4.77("major" bump from 5.2)
AdoptOpenJDK jdk-11.0.6+10 (In the JRE-included download) (major bump from 8.x)
You can now use user/pass or personal access token authentication when cloning Git repos over HTTPS. This has been tested with Github and Gitlab and is an alternative to SSH keys. Please check the docs, as Github and Gitlab both expect slightly different inputs.
There is a new Lex installation endpoint to help you acquire Lucee Extensions your app needs via the "install" command or a dependency in your box.json file. If the current directory has a Lucee server in it, CommandBox will install the extension file directly into your server's "deploy" folder (server context)
The auto-install feature into your server will work on any Lex package, even one coming from ForgeBox:
Tuning your server is easier now. You can configure your Undertow worker-threads setting with first-class server.json property
Which gives you this in your server.json
We've also unlocked a method for you to set ANY valid Undertow option or XNIO option. So if Undertow supports it, you can configure it!
We've added a new experimental feature that lets you create a batch file, powershell script, or bash shell script that directly starts a server with the exact settings that you get from "server start". This is for you to create super-optimzed startups in Docker or Service that bypass the CLI steps and "lock in" the settings. No server.json or CFConfig, or dotenv code will be processed, but you will have a fast streamlined start that is the same every time. Couple this with our new "dryRun" flag on server start that will unpack the CF engine, but not actually start the server, and you can create your customs start script like so:
The Globber helper can now take more than one globbing pattern. This also means every built-in command in CommandBox that takes a globbing pattern, can now take a comma delimited list of patterns. We've also added an exclude list of globbing patterns to the dir command as well.
We've got a couple new handy commands to help you from the command line, "unique" (modeled after the Bash "uniq" command)
And "sort" (modeled after the Bash "sort" command)
The "grep" command has received a "count" parameter if you just want the count of lines that match the regex (or no regex will count all lines)
The tray icon for your servers now has a new option under the "Open" menu that will open up the file system folder where the server home lives. This is nice for finding your CF Engine's log files.
There are a lot of bug fixes and even more enhancements I didn't cover above. You can read the full release notes here:
[] - Remove extra stashes on url paths when servlet init params starts with WEB-INF
[] - Tray Icon not displaying on Debian8
[] - X Window Errors
[] - "Coldbox create resource" uses wrong paths on Windows
[] - urlrewrite.xml has file size of 0 on docker restart but not regular start
[] - CommandBox instances crashing because of TrayIcon rendering
[] - CommandBox always reads STDIN even when in non-interactive mode
[] - Using zsh exits out of CommandBox when running a binary command
[] - Shebang scripts no longer work without .cfm extension
[] - If custom rewrite file is already in correct destination, runwar overwrites it as 0 bytes
[] - worker-threads setting no longer has any affect
[] - Tray icon not showing in Ubuntu 18.04
[] - Undertow error output when starting server
[] - [RUNWAR] Tray menu placeholders such as ${Setting: runwar.port not found} are not replaced in sub menus
[] - regex string index out of bounds exception
[] - URL Rewrites fire incorrect on URL containing a space
[] - Browser doesn't open when server start
[] - Host updater does not work
[] - Server doesn't stop on Windows
[] - ConcurrentModificationException with undertow?
[] - Restrict /dumprunwarrequest to be used only on Unit Testing
[] - Remove trailing slash from Adobe updates path
[] - Default command parameters don't work on commands in namespaces
[] - Command DSL has unexpected behavior with equals sign in positional tokens
[] - Tab complete for negated flags isn't complete
[] - box fails to open in vSphere Web Client console due to outdated JLine jar
[] - Server start doesn't correctly expand relative Java Home directory
[] - slashes into the servlet init param paths
[] - Tray icon doesn't disappear on Windows when server stops from CLI
[] - Install dependency from box.json with env var placeholder gets overwritten with actual value
[] - coldbox create resource command ignores specsDirectory argument
[] - foreach cannot be interrupted with Ctrl-C
[] - validate non-numeric exit codes from the "exit" command
[] - Task Runner's loadModule() fails on path with period
[] - Tasks don't treat return 1 and setExitCode( 1 ) the same
[] - When a task sets a failing exit code, no output is sent to console
[] - Commands that set a failing exit code don't raise proper exception
[] - foreach, grep, and sed only break on chr(10)
[] - Ability to install/uninstall box server services
[] - Server command to explode server war but not start it
[] - Set any valid XNIO option
[] - Add generic feature to set any valid Undertow option
[] - Allow no rest mappings to be supplied
[] - Tab completion for task targets
[] - New TestBox commands: generate visualizer and generate browser
[] - Update ColdBox module templates for 5.0 standards
[] - Expose Undertow worker-threads setting with first-class server.json property
[] - Support HTTPS username/password auth
[] - Option for server start to write file with full start args for direct Runwar call
[] - Add lex endpoint for installing Lucee extensions
[] - Add unique command to filter out duplicates rows of input
[] - Add sort command to sort rows of input
[] - Make sure the build works
[] - Document Setup in the Repo
[] - Vet all changes on Runwar since April 25, 2018.
[] - Enhance Globber to take more than one pattern
[] - Enhance Globber to have exclude patterns
[] - Update CLI to Lucee 5.3 and test Java 11
[] - Change CommandBox build to pull Ortus build of Runwar
[] - Output Runwar version and jar path in "info" command output
[] - Need Config for Max Thread Request at runwar
[] - Enhance dir command with new Globber features
[] - Optimize installation of packages with createPackageDirectory set to false
[] - Improve performance of print buffer by using String Builder internally
[] - Add --count flag to grep command
[] - Update CommandBox to Runwar 4.0.0
[] - Upgrade to JGit 5.5
[] - Tie into FusionReactor to report transactions for tasks, commands, etc.
[] - Default location to forgeboxStorage for package init command
[] - Improve default package naming of jar endpoint
[] - Add option to tray menu to open server home directory
[] - Update to latest WireBox
[] - Stop outputting extra line break for commands with no output
