Release Notes

Each security-for-flow milestone ships with a dedicated release-notes document covering scope, new SPIs, breaking changes, and mutation-coverage numbers. The latest published release on Maven Central is 00.72.00.

00.72.00 — Latest

Developer-experience release: typed fluent bootstrap (VaadinSecurity / RestSecurity / StandaloneSecurity), dependency-free @SecurityAutoService processor, Vaadin starter (@SecureRoute + SecuredUi), secret-free diagnostics. 22 modules. No new security primitives.

00.71.00

Credential-security stack (ships in the 00.72 line): JDK-only PBKDF2 core, optional Argon2id / bcrypt / scrypt, post-KDF HMAC pepper, compare-and-swap CredentialStore, atomic password change, single-use reset, breached-password checks (HIBP), abuse detection, ASVS / NIST / CWE traceability.

00.70.00

2026-05-31 · Konzept-V00.70 closed: multi-tenancy, 11 persistence-store SPIs + Eclipse Store reference, SecurityVersion drift detection, Policy API, @Secured method-security processor, role hierarchy, account lifecycle, API keys, rate limiting, Phase-8 Vaadin components.

00.60.00

2026-05-14 · Konzept-V00.60 closed: audit / brute-force / session / action SPIs stable, fourth adapter security-standalone, Vaadin Browserless tests, mutation push across the reactor.

00.51.00

2026-05-08 · Multi-module split: security-core / security-vaadin / security-rest, REST adapter, two-tier demo demo-vaadin-rest-client, first-run bootstrap, central LogoutService.

Versioning policy

The project uses MM.mm.pp numeric versions (e.g. 00.60.00, 00.51.00). The leading double-zero is intentional — it documents the pre-1.0 phase of public consumption. SPIs are stable in the sense declared per release; experimental ones are marked @ExperimentalSecurityApi.

Maven coordinates always carry the full triplet, e.g.:

<dependency>
  <groupId>com.svenruppert</groupId>
  <artifactId>security-core</artifactId>
  <version>00.72.00</version>
</dependency>