Release v1.8.3 #15824

Closed
27 of 28 tasks
Piedone opened this issue Apr 25, 2024 · 14 comments · Fixed by #15829

@Piedone
Member

Piedone commented Apr 25, 2024

This is needed to patch https://osv.dev/vulnerability/GHSA-65x7-c272-7g7r and https://nvd.nist.gov/vuln/detail/CVE-2024-29992. Already covered in main.

Prepare the project

Do some housekeeping on GitHub in the main repo.

  • Close remaining issues for the version (including merging corresponding pull requests if suitable) or assign them to the next one. - Not needed.
  • Assign all issues that were closed for an upcoming version (including a wildcard version like "1.0.x") to this version (milestone). - Not needed.

Prepare the code

Update the source so everything looks like it's on the new version.

  • Create a release/<version name> branch out of main, e.g. release/1.8.
  • Check the release_ci workflow is using the expected .NET version to build the Docker images.
  • Update the OrchardCore.Commons.props file with <VersionSuffix></VersionSuffix> such that preview build numbers are not injected in packages. Verify the VersionPrefix tag matches the released version.
  • Update module versions in src/OrchardCore/OrchardCore.Abstractions/Modules/Manifest/ManifestConstants.cs.
  • Update the version in the command lines in all documentation files.
  • Create a new milestone. - Not needed.

Test the release

Make sure everything works all right.

Prepare and publish Orchard Core Translations - Not needed, localized strings didn't change.

Update everything in the Translations project. Only do this once all the code changes are done since localized strings can change until then.

  • Update .po files with PoExtractor. This will also update Crowdin.
  • Publish the new version on NuGet.
  • Update the OrchardCore.Translations.All package reference in the main repo's src/OrchardCore.Build/Dependencies.props file to refer to the new NuGet package.

Prepare the documentation

Update the docs so they contain information about the new release so once the release is out you'll just need to point to new information.

  • Create a new Draft Release with a tag vx.y.z that is created when the release is published. Auto-generate release notes. - Not needed, only a published release.
  • Create release notes in a specific documentation section. You can take the previous release notes as a template.
    • Overview of the release's highlights and goals. What do you want people to remember this release for?
    • Prerequisites. What framework version do you need, anything else to work with Orchard?
    • Upgrade steps, any migration necessary from previous versions, breaking changes.

Publish the release

Do the harder parts of making the release public. This should come after everything above is done.

Publicize the release

Let the whole world know about our shiny new release. Savor this part! These steps will make the release public so only do them once everything else is ready.

  • Update the documentation to mention the version in all places where the latest version is referenced, for example, but not limited to (do a search for the package version string): Status in the root README, CLI templates, commands, the Creating a new decoupled CMS Website guide.
  • Update the tagged release on GitHub: Change its title to something more descriptive (e.g. "Orchard Core 1.0.0 RC 2"), add a link in its description to the release notes in the documentation (something like For details on this version see the [release notes in the documentation](link here).).
  • Tweet
  • Post to the Orchard Core LinkedIn group
  • Post to the Orchard Core Facebook page

After the release is done - Not needed.

  • Create a new milestone with the next release number.
  • Create a new release notes documentation file for the next version in the OrchardCore.Docs project (e.g., /releases/1.8.0.md).
  • Update the OrchardCore.Commons.props file with the next release number, and <VersionSuffix>preview</VersionSuffix> such that preview builds use the new one.

Piedone self-assigned this Apr 25, 2024
Piedone changed the title from "Release v.1.8.3" to "Release v1.8.3" Apr 25, 2024

@Piedone
Member Author

Piedone commented Apr 25, 2024

I'm also updating the release publishing guide at the same time. @MikeAlhayek why do we actually need a release branch? It seems to me that we only ever commit to it once. We don't need a branch for that, rather only a tag, which we add anyway.

@Piedone
Member Author

Piedone commented Apr 25, 2024

Ah, so we can target PRs on it.

@Piedone
Member Author

Piedone commented Apr 25, 2024

Can you please update Try Orchard Core @agriffard?

@Piedone
Member Author

Piedone commented Apr 25, 2024

@sebastienros please tweet this from OrchardCMS (or adjust as you see fit):

The Orchard Core community released v1.8.3! This is a security release, updating vulnerable versions of the Azure.Identity and SixLabors.ImageSharp.Web packages.

See the release notes here: https://docs.orchardcore.net/en/latest/docs/releases/1.8.3/. We recommend that you update your applications immediately.

Piedone reopened this Apr 25, 2024

@agriffard
Member

> Can you please update Try Orchard Core @agriffard?

I will, but currently I have this error running it locally:

Unable to find a stable package OrchardCore.FileStorage.AmazonS3 with version (>= 1.8.3)
  - Found 137 version(s) in OrchardCoreDev [ Nearest version: 1.9.0-preview-18033 ]
  - Found 9 version(s) in nuget.org [ Nearest version: 1.8.2 ]
  - Found 0 version(s) in C:\Program Files\dotnet\library-packs	TryOrchardCore.Web

@Piedone
Member Author

Piedone commented Apr 25, 2024

Thank you!

That's out though: https://www.nuget.org/packages/OrchardCore.FileStorage.AmazonS3/1.8.3. So, my guess is that this is some caching issue. I've seen this happening with fresh NuGets. Most possibly you just need to wait like 30 minutes, and restart VS to be sure.

@agriffard
Member

https://try.orchardcore.net/ updated to 1.8.3

@Piedone
Member Author

Piedone commented Apr 25, 2024

That was quick, thank you!

@sabifa

sabifa commented Apr 26, 2024

Thanks for the update!

Unfortunately, it seems that some OC packages are still using an old version of Azure.Identity (1.10.3), which has an open security vulnerability:
image

This issue is fixed with version 1.11.0: https://osv.dev/vulnerability/GHSA-wvxc-855f-jvrv

@agriffard
Member

agriffard commented Apr 26, 2024

https://orchardcore.net/ updated to 1.8.3.
Portfolio updated to the latest ones appearing on ShowOrchard.
Links added in top bar.

@Piedone
Member Author

Piedone commented Apr 26, 2024

@sabifa where Orchard Core uses Azure.Identity directly, the latest version is referenced. What your tool shows is that Microsoft.Data.SqlClient v5.2.0 depends on Azure.Identity >= 1.10.3. OC uses that package implicitly via YesSql, which we use for data access. Thus, if you only use packages from Orchard Core that depend on YesSql but not directly on Azure.Identity (which only two of them do) then, depending on the rest of your application, v1.10.3 may be resolved.

I don't think we can feasibly do anything with this.

@agriffard great, looks very nice!
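
The transitive resolution described in the comment above can be checked against a restored project. The following is an added example, not code from this thread or from Orchard Core: it walks a constructed fragment shaped like NuGet's obj/project.assets.json and reports the resolved version plus every chain from a direct reference down to the package. Only the Microsoft.Data.SqlClient 5.2.0 to Azure.Identity 1.10.3 edge and the 1.11.0 fixed version come from the discussion; the direct YesSql reference and its version are placeholders.

```python
import json

# Constructed fragment shaped like obj/project.assets.json (not from the thread).
# Only Microsoft.Data.SqlClient 5.2.0 -> Azure.Identity 1.10.3 comes from the
# discussion; the direct YesSql reference and its version are placeholders.
ASSETS = json.loads("""
{
  "targets": {"net8.0": {
    "YesSql/0.0.0-placeholder": {"dependencies": {"Microsoft.Data.SqlClient": "5.2.0"}},
    "Microsoft.Data.SqlClient/5.2.0": {"dependencies": {"Azure.Identity": "1.10.3"}},
    "Azure.Identity/1.10.3": {}
  }},
  "project": {"frameworks": {"net8.0": {"dependencies": {
    "YesSql": {"target": "Package", "version": "[0.0.0-placeholder, )"}
  }}}}
}
""")

def parse_version(text):
    """Numeric part of a version, ignoring any prerelease suffix."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def audit(assets, package, fixed_in):
    """Per target: resolved version of `package`, whether it is below `fixed_in`,
    and every chain of packages from a direct reference down to it."""
    report = {}
    for tfm, libs in assets["targets"].items():
        resolved = dict(key.split("/", 1) for key in libs)
        if package not in resolved:
            continue
        edges = {key.split("/", 1)[0]: list(lib.get("dependencies", {}))
                 for key, lib in libs.items()}
        direct = assets["project"]["frameworks"].get(tfm.split("/")[0], {}).get("dependencies", {})
        chains = []
        def walk(node, path):
            if node in path:          # guard against dependency cycles
                return
            path = path + [node]
            if node == package:
                chains.append([f"{n}/{resolved[n]}" for n in path])
                return
            for child in edges.get(node, []):
                walk(child, path)
        for root in direct:
            walk(root, [])
        version = resolved[package]
        report[tfm] = {"resolved": version, "chains": chains,
                       "vulnerable": parse_version(version) < parse_version(fixed_in)}
    return report
```

Referencing Azure.Identity 1.11.0 or later directly from the application project raises the resolved version, since a direct reference takes precedence over the transitive minimum.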

@Piedone
Member Author

Piedone commented Apr 28, 2024

@sebastienros please? #15824 (comment)

@sabifa

sabifa commented Apr 29, 2024

@Piedone Thanks for the clarification!

@Piedone
Member Author

Piedone commented May 2, 2024

I timed out on Twitter.
