Merge branch 'master' into feature/JENKINS-75675

basil · web-flow · commit bd316aafcdd8 · 2025-08-14T16:07:06.000-07:00
diff --git a/bom/pom.xml b/bom/pom.xml
@@ -63,7 +63,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-framework-bom</artifactId>
-        <version>6.2.9</version>
+        <version>6.2.10</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
diff --git a/core/src/main/java/hudson/PluginManager.java b/core/src/main/java/hudson/PluginManager.java
@@ -220,6 +220,14 @@ public abstract class PluginManager extends AbstractModelObject implements OnMas
      */
     /* private final */ static int CHECK_UPDATE_ATTEMPTS;
 
+    /**
+     * Class name prefixes to skip in the class loading
+     */
+    private static final String[] CLASS_PREFIXES_TO_SKIP = {
+            "SimpleTemplateScript",  // cf. groovy.text.SimpleTemplateEngine
+            "groovy.tmp.templates.GStringTemplateScript", // Leaks on classLoader in some cases, see JENKINS-75879
+    };
+
     static {
         try {
             // Secure initialization
@@ -2407,8 +2415,10 @@ public UberClassLoader(List<PluginWrapper> activePlugins) {
 
         @Override
         protected Class<?> findClass(String name) throws ClassNotFoundException {
-            if (name.startsWith("SimpleTemplateScript")) { // cf. groovy.text.SimpleTemplateEngine
-                throw new ClassNotFoundException("ignoring " + name);
+            for (String namePrefixToSkip : CLASS_PREFIXES_TO_SKIP) {
+                if (name.startsWith(namePrefixToSkip)) {
+                    throw new ClassNotFoundException("ignoring " + name);
+                }
             }
             return loaded.computeIfAbsent(name, this::computeValue).orElseThrow(() -> new ClassNotFoundException(name));
         }
diff --git a/core/src/main/resources/lib/form/helpLink.jelly b/core/src/main/resources/lib/form/helpLink.jelly
@@ -29,12 +29,12 @@ THE SOFTWARE.
     a spacer if none is available.
 
     The help link is rendered as a table cell with an (?) icon.
-    If the user clicks it, the content of the HTML fragment at the given URL 
+    If the user clicks it, the content of the HTML fragment at the given URL
     is rendered in the area designated as <f:helpArea> by the caller,
     usually in a row beneath the item with help.
-    
+
     The alternative spacer is just an empty table cell.
-    
+
     This tag was introduced to ensure that the space reserved for help items
     is consistent over the UI whether or not help exists.
 
@@ -49,14 +49,14 @@ THE SOFTWARE.
       ]]>
     </st:attribute>
     <st:attribute name="featureName">
-      Name of the feature described by the help text, used for constructing the 
+      Name of the feature described by the help text, used for constructing the
       icon's alt attribute. Optional.
     </st:attribute>
   </st:documentation>
   <j:choose>
     <j:when test="${attrs.url!=null}">
       <j:set var="altText" value="${attrs.featureName != null ? '%Help for feature:' + ' ' + attrs.featureName : '%Help'}" />
-      <a href="#" class="jenkins-help-button" tooltip="${altText}" helpURL="${rootURL}${attrs.url}">
+      <a href="#" class="jenkins-help-button" aria-label="${altText}" helpURL="${rootURL}${attrs.url}">
         <!-- .jenkins-help-button span element is required as it's restyled in CSS -->
         <span>?</span>
       </a>
diff --git a/package.json b/package.json
@@ -23,9 +23,9 @@
     "lint": "yarn lint:js && yarn lint:css"
   },
   "devDependencies": {
-    "@babel/cli": "7.28.0",
-    "@babel/core": "7.28.0",
-    "@babel/preset-env": "7.28.0",
+    "@babel/cli": "7.28.3",
+    "@babel/core": "7.28.3",
+    "@babel/preset-env": "7.28.3",
     "@eslint/js": "9.33.0",
     "babel-loader": "10.0.0",
     "clean-webpack-plugin": "4.0.0",
diff --git a/pom.xml b/pom.xml
@@ -98,7 +98,7 @@ THE SOFTWARE.
     <spotless.check.skip>false</spotless.check.skip>
     <!-- Make sure to keep the jetty-ee9-maven-plugin version in war/pom.xml in sync with the Jetty release in Winstone: -->
     <winstone.version>8.13</winstone.version>
-    <node.version>24.5.0</node.version>
+    <node.version>24.6.0</node.version>
   </properties>
 
   <!--
diff --git a/test/src/test/java/jenkins/security/Security2779Test.java b/test/src/test/java/jenkins/security/Security2779Test.java
@@ -28,19 +28,11 @@ void setUp(JenkinsRule rule) {
         j = rule;
     }
 
-    @Test
-    void noXssInHelpLinkPanel() throws Exception {
-        noCrossSiteScriptingInHelp("#link-panel a");
-    }
-
     @Test
     void noXssInHelpIconPanel() throws Exception {
-        noCrossSiteScriptingInHelp("#icon-panel svg");
-    }
-
-    private void noCrossSiteScriptingInHelp(String selector) throws Exception {
-        final AtomicInteger alerts = new AtomicInteger();
-        final JenkinsRule.WebClient webClient = j.createWebClient();
+        var selector = "#icon-panel svg";
+        var alerts = new AtomicInteger();
+        var webClient = j.createWebClient();
         webClient.setAlertHandler((AlertHandler) (p, s) -> alerts.addAndGet(1));
         final HtmlPage page = webClient.goTo(URL_NAME);
         page.executeJavaScript("document.querySelector('" + selector + "')._tippy.show()");
diff --git a/yarn.lock b/yarn.lock
