diff --git a/README.md b/README.md
index 1e978c09d4..13c93cb0bb 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ Rhino is licensed under the [MPL 2.0](./LICENSE.txt).
Rhino 1.7.9 | March 15, 2018 |
Rhino 1.7.10 | April 9, 2018 |
Rhino 1.7.11 | May 30, 2019 |
+Rhino 1.7.11 | January 13, 2020 |
[Release Notes](./RELEASE-NOTES.md) for recent releases.
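Review bot: The added table row repeats the version of the row above it: `+Rhino 1.7.11 | January 13, 2020 |` should read `Rhino 1.7.12 | January 13, 2020 |`, matching the `# Rhino 1.7.12` / `## January 13, 2020` heading this patch adds to RELEASE-NOTES.md. As written, the README lists two release dates for 1.7.11 and none for 1.7.12.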
@@ -84,7 +85,7 @@ mavenReleaseRepo=
Rhino can run as a stand-alone interpreter from the command line:
```
-java -jar buildGradle/libs/rhino-1.7.11.jar -debug -version 200
+java -jar buildGradle/libs/rhino-1.7.12.jar -debug -version 200
Rhino 1.7.9 2018 03 15
js> print('Hello, World!');
Hello, World!
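Review bot: The sample session below the updated command still shows the banner `Rhino 1.7.9 2018 03 15`, so the example now invokes rhino-1.7.12.jar and prints a 1.7.9 version string. Update the banner to what the 1.7.12 jar actually prints, or drop that line so the example does not go stale on every release.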
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 82daa75f6b..0121fc8cda 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,3 +1,99 @@
+# Rhino 1.7.12
+## January 13, 2020
+
+### XML external entities disabled by default
+
+As of this release, Rhino makes "XML external entity injections" more difficult
+by disabling fetching of external DTDs and stylesheets by default,
+as recommended in the (OWASP Cheat Sheet)
+[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md].
+Even though this may break some existing projects, the fact that this
+vulnerability is in the OWASP top 10 makes it important enough to change
+the default.
+
+Developers who still need this old capability can re-enable it by setting the
+Context feature flag FEATURE_ENABLE_XML_SECURE_PARSING to false. (The default
+is true.)
+
+### New JAR for embedding use cases
+
+This release also includes a second JAR artifact, "rhino-runtime.jar". This is
+simply the existing Rhino JAR with the "tools" source directory excluded.
+This directory includes the Rhino shell as well as the default "Global"
+object, which includes capabilities to load and process external source
+code.
+
+Since some automated source-scanning tools mark these capabilties as insecure,
+this new JAR provides a way to only include the parts of Rhino that embedders
+typically need without pulling in additional capabilities.
+
+Developers who typically embed "rhino.jar" might consider embedding "rhino-runtime.jar"
+instead if they do not need all this.
+
+Thanks to the following developers for the contributions below!
+
+Aditya Pal (1):
+* Fix syntax error for comments in array (#607)
+
+Chris Smith (1):
+* Adding secure configuration for XML parsers (#600)
+
+Gregory Brail (12):
+* Update versions for 1.7.12 release.
+* Fix a code generation bug for generators.
+* Fix "fall through" comment.
+* Fix static analysis around NaN values.
+* More isNaN fixes and one rounding bug.
+* Make XML processor configuration more robust.
+* Enable SpotBugs plugin.
+* Fix minor static analysis findings.
+* Increase Travis timeout.
+* Disable more flaky "BigO" tests.
+* Fix handling of "return" in iterators.
+* Undo setting some members "final".
+
+Ivan Di Francesco (1):
+* Fix warnings (#596)
+
+Roland Praml (2):
+* FIX: NativeJavaObject.getDefaultValue recognizes numbers correctly
+* #511 fixing InterfaceAdapter abstract name lookup.
+
+Stijn Kliemesch (7):
+* Private static method ScriptRuntime.enumInitOrder(Context,IdEnumeration) no longer expects given IdEnumeration's property obj to be of type ScriptableObject specifically, only of type SymbolScriptable.
+* Added testclass IterableTest to test iterable implementations, currently with one testcase for a host object, specifically one that uses Array Iterator.
+* Added more tests to IterableTest.
+* Fix for #616 (#617)
+* Fixes for calling several Object.prototype members.
+* Fixed dynamic scoping for implementations of Object.create and Object.defineProperties
+* Testcase for dynamic scoping and Object.create.
+
+nename0 (2):
+* Fix Array.include return a wrapped Boolean
+* implement Array.includes to align to specs
+
+RBRi (20):
+* fix for Map/Set working with ConsString as key also; closes #583
+* fix propertyIsEnumerable when using an index to access string; closes #582
+* ignore surplus search/match/replace parameters; closes #581
+* add support for setPrototypeOf
+* fixed imports
+* RangeError should be throw if the argument of Number.prototype.toFixed is less than 0 fixes #587
+* fix interpreter fallback when using streams (fixes #592)
+* Parser already always reads the reader into a string. Move this reader handling to the Context to be able to fall back to the interpreter in all cases.
+* fix imports
+* functions declared as var f = function f() {...} within a function should not impact higher scope variable with the same name
+* functions declared as var f = function f() {...} within a function should not impact higher scope variable with the same name
+* fix Boolean(document.all)
+* many more tests are passing already and some cleanup
+* add tests for built-ins/ThrowTypeError and built-ins/TypedArray
+* add tests for built-ins/TypedArrays
+* fix BYTES_PER_ELEMENT property
+* fix BYTES_PER_ELEMENT prototype property
+* fix TypedArray constructor arity
+* Fix issue with parseInt's handling of leading zeroes
+* #529 (#628)
+
# Rhino 1.7.11
## May 30, 2019
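Review bot: The Markdown link in the "XML external entities disabled by default" section has its brackets reversed, `(OWASP Cheat Sheet)` followed by `[https://...]`, so it renders as literal text instead of a link; it should be `[OWASP Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/...)`. Since this paragraph is where users learn about a behaviour-breaking security default, it would also help to show the exact call that sets `FEATURE_ENABLE_XML_SECURE_PARSING` to false rather than only naming the flag. Smaller points: "capabilties" is misspelled in the rhino-runtime.jar section, and the RBRi list carries the entry "functions declared as var f = function f() {...} within a function should not impact higher scope variable with the same name" twice.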
diff --git a/build.gradle b/build.gradle
index f705f81449..1dfadc51f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -331,4 +331,4 @@ distributions {
}
}
-distZip.dependsOn javadoc, jar
+distZip.dependsOn javadoc, jar, sourceJar, runtimeSourceJar
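Review bot: `distZip.dependsOn` now lists `runtimeSourceJar` but no task that builds the runtime JAR itself. If the distribution zip is meant to ship the rhino-runtime.jar announced in RELEASE-NOTES.md in this patch, add that task to the list as well; if another dependency already pulls it in, a one-line comment saying so would make the intent clear.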
diff --git a/gradle.properties b/gradle.properties
index 23bc867906..3fb92d3e98 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,6 +1,6 @@
rootProject.name=rhino
group=org.mozilla
-version=1.7.12-SNAPSHOT
+version=1.7.12
buildDir=buildGradle
mavenSnapshotRepo=https://oss.sonatype.org/content/repositories/snapshots
mavenReleaseRepo=https://oss.sonatype.org/service/local/staging/deploy/maven
diff --git a/maven/maven-pom.xml b/maven/maven-pom.xml
index 2292babc6b..799cf94a53 100644
--- a/maven/maven-pom.xml
+++ b/maven/maven-pom.xml
@@ -12,7 +12,7 @@
org.mozilla
rhino
Mozilla Rhino
- 1.7.12-SNAPSHOT
+ 1.7.12
jar
diff --git a/maven/maven-staging-deploy.sh b/maven/maven-staging-deploy.sh
index 6f1b9d6fb2..0e82b7e547 100755
--- a/maven/maven-staging-deploy.sh
+++ b/maven/maven-staging-deploy.sh
@@ -1,51 +1,37 @@
#!/bin/sh
+function deploy {
+ if [ ! -f $1 ]
+ then
+ echo "Missing $1"
+ exit 1
+ fi
+
+ tf=/var/tmp/file.$$.jar
+ rm -f ${tf}
+ cp $1 ${tf}
+
+ mvn gpg:sign-and-deploy-file \
+ -Dfile=${tf} \
+ -DpomFile=${2} \
+ -DrepositoryId=sonatype-nexus-staging \
+ -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ \
+ -Dclassifier=${3}
+
+ rm ${tf}
+}
+
vers=`egrep '^version=' ../gradle.properties | awk -F = '{print $2}'`
+base=${HOME}/.m2/repository/org/mozilla
echo "Deploying ${vers}"
-pom=maven-pom.xml
-jsjar=../buildGradle/libs/rhino-${vers}.jar
-echo "Installing ${jsjar}"
-srczip=../buildGradle/libs/rhino-${vers}-sources.jar
-echo "Sources are ${srczip}"
-doczip=../buildGradle/libs/rhino-${vers}-javadoc.jar
-echo "Javadoc is ${doczip}"
-
-if [ ! -f $jsjar ]
-then
- echo "Missing js.jar"
- exit 1
-fi
-
-if [ ! -f $srczip ]
-then
- echo "Missing rhino-${vers}-sources.zip. Run \"ant source-zip\"."
- exit 2
-fi
-
-if [ ! -f $doczip ]
-then
- echo "Missing javadoc.zip. Run \"ant javadoc\"."
- exit 3
-fi
+rb=${base}/rhino/${vers}
+deploy ${rb}/rhino-${vers}.jar maven-pom.xml
+deploy ${rb}/rhino-${vers}-sources.jar maven-pom.xml sources
+deploy ${rb}/rhino-${vers}-javadoc.jar maven-pom.xml javadoc
-mvn gpg:sign-and-deploy-file \
- -Dfile=${jsjar} \
- -DpomFile=${pom} \
- -DrepositoryId=sonatype-nexus-staging \
- -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/
-
-mvn gpg:sign-and-deploy-file \
- -Dfile=${srczip} \
- -DpomFile=${pom} \
- -DrepositoryId=sonatype-nexus-staging \
- -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ \
- -Dclassifier=sources
-
-mvn gpg:sign-and-deploy-file \
- -Dfile=${doczip} \
- -DpomFile=${pom} \
- -DrepositoryId=sonatype-nexus-staging \
- -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ \
- -Dclassifier=javadoc
+rb=${base}/rhino-runtime/${vers}
+deploy ${rb}/rhino-runtime-${vers}.jar maven-runtime-pom.xml
+deploy ${rb}/rhino-runtime-${vers}-sources.jar maven-runtime-pom.xml sources
+deploy ${rb}/rhino-runtime-${vers}-javadoc.jar maven-runtime-pom.xml javadoc
\ No newline at end of file
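Review bot: In `deploy`, the file handed to `gpg:sign-and-deploy-file` is staged at a predictable path in a shared directory (`tf=/var/tmp/file.$$.jar`), so on a multi-user host the artifact that gets signed and uploaded is not guaranteed to be the one copied from `$1`; create the staging file with `mktemp` inside a private directory, or sign the file in place. The script also keeps `#!/bin/sh` while introducing the `function deploy {` keyword form, which is not POSIX and fails where sh is dash; use `deploy() {` or a bash shebang. `$1` and `${tf}` should be quoted, `-Dclassifier=${3}` is passed empty for the main JAR, and because the `mvn` exit status is never checked, a failed upload of one artifact does not stop the remaining ones, which leaves a partial staging repository. The new file also lacks a trailing newline.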
diff --git a/src/manifest b/src/manifest
index 83a58e8e81..992ccba068 100644
--- a/src/manifest
+++ b/src/manifest
@@ -1,6 +1,6 @@
Manifest-Version: 1.0
Main-Class: org.mozilla.javascript.tools.shell.Main
-Implementation-Version: 1.7.12-SNAPSHOT
-Implementation-Title: Mozilla Rhino 1.7.12-SNAPSHOT
+Implementation-Version: 1.7.12
+Implementation-Title: Mozilla Rhino 1.7.12
Implementation-Vendor: Mozilla Foundation
Implementation-URL: http://www.mozilla.org/rhino