Skip to main content

Mango 5.7.x Release Notes

Release notes for all Mango 5.7.x patch releases. The latest release in this series is 5.7.0 (April 28, 2026).

Mango 5.7.0 — April 28, 2026

access-control

  • New validations added to the license in the BE and FE. The user is now notified when attempt to add a new camera and attempt view the live feed from a camera without license.

access-control, maintenance-events

  • Events can now be uniquely identified by a combination of event type and reference type, improving event tracking and querying.

bacnet-ds

  • BBMD registration failures can now be handled by a single handler, simplifying error handling and improving BACnet network management.

  • A community contribution allowing simplified enhancement of character encoding support to BACnet4J has been reviewed and incorporated, improving internationalization.

  • No change made as the reported problem was not reproducible.

  • Fixed a bug where alarm acknowledgements (and other event handling) was only being routed to intrinsic types. They are now also being routed to algorithmic and alarm types.

  • BACnetArray objects can now be resized by writing to index 0, aligning with the BACnet specification for array size management.

  • BACnet read-all-properties requests now include proprietary (vendor-specific) properties in the response, improving interoperability with third-party devices.

  • Community-reported issues in the BACnet4J GitHub repository have been reviewed, with applicable fixes incorporated into this release.

  • Removed the sending of a NAK from BACnet4J as this is not required according to the BACnet specification section 5.4.4.2 / 5.4.5.4.

  • Previously in BACnet4J there was the possibility of an infinite loop while parsing APDU data if that data were specifically malformed. This has been changed so that the code will raise an exception instead.

  • Previously attempting to write e.g. state text to a multistate object would fail because BACnet4J was incorrectly casting the value to a list instead of the required array. This would have been the case for any writable BACnetArray property. The code has been changed so that the proper type is now used. This may cause problems in client code though, where properties that were previously returned as SequenceOf are now being returned as BACnetArray, especially if methods in SequenceOf such as add() or remove() are subsequently used. These methods result in an error with a BACnetArray since this type has restrictions regarding how it can be resized.

  • Dependabot dependency update PRs for BACnet4J have been reviewed and merged, bringing the commons-lang3 library up to date with the latest security patches.

  • There were a number of instances where calling code can get stuck waiting for a ServiceFuture that will never be completed. A set of changes have been implemented to address all possible ways that a ServiceFutureImpl can be created and returned, but not completed, by the DefaultTransport. These changes include:

    • A seemingly forgotten initialization check in one of the overloads for LocalDevice::send.
    • Prevents requests from being added to the outgoing queue in DefaultTransport after terminate() has been called.
    • Prevents orphaned futures due to receiving duplicate SegmentAcks.
    • Prevents orphaned futures due to a timeout after receiving the first two segment windows of a ComplexAck.
    • Completes all futures in the delayedOutgoing queue in DefaultTransport during terminate().
    • Guard against spurious wakeups in ServiceFutureImpl::get.
    • Completion of a ServiceFutureImpl notifies all threads waiting on ServiceFutureImpl::get.

    Also, logic has been added in RequestUtils for handling RejectAPDUException the same way AbortAPDUException is handled when RejectReason is RejectReason.bufferOverflow.

bacnet-ds, http-ds, modbus-ds, mqtt-client-ds, persistent-pub-ds

  • Fixed a bug where exporting published points would result in missing data in the exported file.

chronicle-point-value-cache

  • The chroniclePointValueCache module now uses Chronicle Map's recoverPersistedTo automatically whenever an existing database file is found on startup, rather than requiring recover=true to be set explicitly. This means the cache will self-heal after a JVM crash that left segment write locks set in the file — previously this would prevent the cache from opening and required manual intervention (deleting the file or setting the recovery flag). The chroniclePointValueCache.recover property defaults to true and can be set to false to opt out of recovery and always open with createPersistedTo instead.

cloud-connect

  • Fixed a bug where a single Cloud Connect client with an invalid character (such as whitespace) in its GUID would cause the entire Client List to fail with an HTTP 500 error. Leading and trailing whitespace in the GUID is now trimmed, and if the client URL still cannot be constructed the affected client is listed without a URL instead of breaking the list for all other clients.

controlcore-ds, envcan-ds, log4j-ds, mango-iotools, mangoes-configuration

  • The following modules have been removed and will not be supported in Mango 5.7.0. Please uninstall the Control Core, Environment Canada Data Source, log4jDS, MangoES Configuration, and MangoIOTools modules before attempting to upgrade to 5.7.0.

core

  • PropertyConverter implementations have been reviewed and made consistent, reducing the risk of serialization/deserialization bugs across modules.

  • The Mango Docker image has been rebased onto Azul's official Docker Hub azul-zulu base image (Debian 13). The mango user and group inside the container remain at UID/GID 1000, so existing data volumes and bind mounts require no changes.

  • gRPC services are now accessible to all users by default, rather than only superadmin users. Note that some gRPC services such as com.radixiot.mango.persistent.v2.PersistentTcp have their own permission configuration and still require superadmin permission.

  • Dependency Upgrades (5.7.0)

    Major Library Updates

    • Spring Framework 6.2 → 7.0
    • Spring Security 6.5 → 7.0
    • Jetty 12.1 (EE10 → EE11)
    • H2 (embedded DB) 2.3.232 → 2.4.240
    • Flyway 11.14 → 11.20
    • Jackson 2.19 → 2.21
    • Log4j2 2.25.2 → 2.25.4
    • gRPC 1.76 → 1.80
    • jOOQ 3.19.27 → 3.19.31
    • PostgreSQL driver 42.7.8 → 42.7.10
    • BouncyCastle 1.81 → 1.83

    H2 Database File Migration

    H2 2.4.240 uses a different internal database format (build 240) than the previous version (build 232). On first startup, Mango will automatically migrate the database by:

    1. Dumping the old database to a compressed SQL file in the backup directory.
    2. Restoring the dump into a new database file named for the new build.

    The dump file is retained in the backup directory after the upgrade. If Mango finds an existing dump file on startup (e.g. from a previous failed upgrade), it will abort and log an error pointing to the backup file location.

    This also fixes a performance regression introduced in H2 2.4.240 for bulk point value deletes.

    Configuration Changes (mango.properties)

    The Jetty default servlet file-mapping property has been replaced:

    • Old (boolean, still supported for backwards compatibility): web.defaultServlet.useFileMappedBuffer=true
    • New (minimum file size in bytes): web.defaultServlet.minMappedFileSize=-

    A value of -1 delegates to Jetty's default threshold (1 MB), meaning only files larger than 1 MB will be served using memory-mapped buffers. Set to Integer.MAX_VALUE to disable memory mapping entirely. On Windows, memory mapping is disabled by default to avoid file locking issues.

    Notes for Module and Plugin Developers

    Spring Framework 7.0 and Spring Security 7.0 are major version upgrades. Any third-party modules or plugins must be recompiled against the new APIs. Key breaking changes:

    • Jetty has moved from EE10 to EE11 (jakarta.servlet 6.1). Modules that directly use Jetty or servlet APIs will need to be updated.
    • Spring Security now tracks authentication factors via FactorGrantedAuthority. Sessions authenticated with a username and password carry a PASSWORD_AUTHORITY granted authority. Custom security expressions or authentication providers that inspect the authentication object may need to be updated.
    • Spring JDBC template method signatures changed: the Object[] args array now comes after the callback/extractor argument, not before.

  • The gRPC-Web proxy now uses a dedicated grpcweb client channel so its timeouts can be configured independently of the default in-process gRPC channel. Unary and streaming gRPC methods now have separate configurable deadlines (grpc.channel.<name>.deadline and grpc.channel.<name>.streaming-deadline), and individual gRPC methods can declare their own default deadline in their proto definitions via the com.radixiot.mango.grpc.deadline method option. Default deadlines are 30 seconds for unary calls and 10 minutes for streaming gRPC-Web calls; streaming methods may opt out entirely (for example, StreamPointValues has no deadline so long-lived real-time streams are no longer cut off).

  • gRPC client channels (including the gRPC publisher, the gRPC-Web gateway, and any channels obtained from the certificate utilities) now run on Mango's shared executor pools instead of gRPC's internal pools. This ensures the Spring Security authentication context is propagated correctly from the client to the server on in-process gRPC calls, and consolidates gRPC thread usage under Mango's centralized thread pool management. The StreamEvents gRPC method is also now configured with no deadline so long-running event streams are not cut off.

  • Module/script developers: Internal refactor — the legacy ModuleRegistry has been removed and module definitions (data sources, publishers, event detectors, event handlers, system actions, permissions, etc.) are now managed directly by Spring as beans. Module developers can now use constructor injection in their definitions and obtain them through the corresponding registry beans (DataSourceDefinitionRegistry, PublisherDefinitionRegistry, EventDetectorRegistry, EventHandlerRegistry, SystemActionRegistry, SystemInfoRegistry, PermissionRegistry). The @ConditionalDefinition annotation has been removed in favor of Spring's standard Condition mechanism, and AbstractTimer no longer extends Clock (use InstantSource or the injected timeSource instead).

  • Module/script developers: Large internal refactor of Mango's startup to move initialization out of the static Common/Lifecycle classes and into the Spring application context. CoreModule.INSTANCE and many Common static fields and methods have been removed (including Common.envProps, Common.getVersion(), Common.getTranslations(), Common.getLocale(), and the module classloader accessors); dependencies such as MangoProperties, Translations, AbstractTimer, Freemarker, the JSON context, and the Jetty web server are now obtained via Spring injection instead of global singletons. The Providers registry, SimulationTimerProvider, PropagatingEvent, and the static startup/shutdown task lists have also been removed. Async request processing has been corrected for Jetty 12 and Spring 6. The test framework now uses the same Spring-driven bootstrap as production, so tests more accurately reflect runtime behavior.

  • Module/script developers: Module ModuleElementDefinition classes now receive their dependencies via constructor injection rather than field injection, allowing final fields and making the dependency graph explicit. Supporting cleanup: Common.envProps and Common.paths have been removed in favor of the injected Spring Environment/MangoProperties and path beans; the loadOrder module property has been removed (Spring now determines construction order); the Module class has been simplified and upgrade logic moved to ModulesLifecycle; the InstantSource clock/timer reference was renamed to timeSource; and the database schema definition comparator now correctly considers transitive dependencies when ordering schema upgrades.

  • Changed the audit change detection code to allow the normal JSON conversion to convert to maps of string and JsonValue. This will automatically include the use of ClassConverter implementations, as well futureproof the code against other (albeit unlikely) serialization innovations. This greatly simplifies the difference-finding engine, but required the addition of equals/hashcode methods to all JsonValue subclasses.

  • Extensions of AbstractEventTypeModel will need to be refactored to replace fromVo/toVo methods with a rest mapper extending AbstractEventTypeModelMapping.

  • AbstractVoModel no longer has a generic type, and AbstractEventTypeModel now only has 2 generic types (from 3).

  • Common.getBean and <Dao>.getInstance have been deprecated. Use Spring injection instead.

  • A new version of IDataPoint.getExtendedName() has been added that takes the SystemSettingsDao as a parameter. The existing version of the method now calls the new, and the result will no longer have tag information. To include tag information in this string, calls to getExtendedName() should be replaced with calls to getExtendedName(SystemSettingsDao), or with a comma-delimited list of tag names to be included, e.g. getExtendedName("k1,k2,k3").

  • Long-lived gRPC streams are now tracked and automatically cancelled when the associated user is modified or deleted. This is because the user permissions may be different, and so the gRPC stream access may have changed. The stream can be reconnected by the client, depending on the changes made to the user.

  • A new gRPC endpoint has been added for creating user comments on events, enabling comment functionality in gRPC-based clients.

  • Fixed file store path validation to correctly handle symbolic links, preventing access errors when the file store directory or its files are accessed through symlinks.

  • From 5.7.0 Mango now fetches and installs upgrades directly from a Maven repository. Triggering an upgrade in the UI resolves the bundle, verifies it, and installs it automatically. Official Radix IoT releases are available at https://maven.radixiot.run/mango.

    • All downloaded artifacts are verified using PGP signatures before installation. Radix IoT's public key is bundled in the core JAR and applied automatically to official releases.
    • Signature and checksum validation can each be set to fail (default), warn, or ignore via store.upgrade.signaturePolicy and store.upgrade.checksumPolicy.
    • Modules uploaded manually via the REST API are now subject to the same signature check, controlled separately by store.upload.signaturePolicy (defaults to fail). Set it to warn or ignore when testing locally-built, unsigned modules during development.
    • Private, password-protected repositories are supported for distributing custom bundles and modules. Configure the repository URL, artifact ID, credentials, and a custom signing key in mango.properties using store.upgrade.url, store.upgrade.artifactId, store.upgrade.username/password, and store.upgrade.additionalSignatureKey.
    • Upgrade versions are filtered by release channel — only stable versions are offered by default. Pre-release channels (alpha, beta, rc) can be enabled in the UI. Use store.upgrade.maxVersion to cap the highest version offered.

  • The jdk.management module has been added to the Mango Docker image, enabling JMX monitoring and management capabilities in containerized deployments.

  • MySQL row-by-row result streaming removed — the legacy MySQL streaming mode (returning Integer.MIN_VALUE as fetch size to trigger row-by-row streaming) has been dropped. MySQL now always uses cursor-based fetching (useCursorFetch=true) when a positive db.fetchSize is configured.

  • Added configurable connect and read timeouts for OAuth2/OIDC HTTP clients — new properties oauth2.client.connectTimeout (default: 30s) and oauth2.client.readTimeout (default: 30s) apply to all OAuth2/OIDC HTTP clients.

core, haystack-ds-pub, http-ds

  • Remove CSRF protection exceptions for the HTTP DS (/httpds) and Haystack (/haystack) servlets. The standard Mango CSRF protection mechanisms (XSRF-TOKEN cookie and X-XSRF-TOKEN header) are now required to access these endpoints when using HTTP session authentication.

core, lang-de, lang-en, lang-es, lang-fi, lang-nl, lang-pt, lang-zh

  • All language modules have been removed. Translation files are now distributed with each module. The following languages are now distributed with Mango and have been (largely) machine translated:
    • Czech
    • Dutch
    • Finnish
    • French
    • German
    • Portuguese
    • Simplified Chinese
    • Spanish
  • Mango now supports customizing and overriding UI translations without modifying core installation files. Administrators can place custom .properties files in the <mango_paths_data>/translations/ directory to override any built-in text strings — useful for renaming terminology, adjusting labels to match organizational conventions, or supporting locales not included out of the box. Override files follow the standard Java resource bundle naming convention: i18n.properties applies to all locales, while locale-specific files such as i18n_fr.properties or i18n_es_MX.properties apply only to the matching locale. Override files take precedence over the defaults shipped with Mango and its modules.

core, ma-bootstrap

  • Fixed a startup failure that prevented Mango from booting when launched through MangoBootstrap, caused by a conflict between Mango's custom classloader and the common ForkJoinPool. The bootstrap now uses a Java agent to append library JARs directly to the system classloader. Fork mode also now honors the bin/mango.vmoptions file (or a custom VM options file via the paths.vm.options property) and forwards mango.* system properties to the forked process.

core, mango-api

  • Mango JWT authentication tokens can now be created and renewed using an existing Mango JWT token, enabling automated scripts to maintain fresh short-lived credentials without requiring username/password re-authentication. This behavior is opt-in and must be enabled by setting authentication.mango-jwt.allowTokenCreation=true in mango.properties. When enabled, only password and Mango JWT authentication are permitted to create tokens — OAuth2/OIDC authenticated sessions are blocked.
  • The validity period of a newly created token cannot exceed the validity period of the token used to create it (an error is returned if a longer expiry is requested); superadmin users creating tokens for other users are subject to the same duration limit. All Mango JWT tokens now include a not before (nbf) claim, which is used to calculate the allowed validity period.

core, mango-nosql-database

  • TimeOutTask no longer automatically schedules itself via its constructor; if you use this class in your private module code you must update your code to schedule the task with the BackgroundProcessing interface.
  • The POST /rest/latest/mango-nosql/reload-links REST API now returns an error if you try and use priority=LOW, you must use MEDIUM or LOW priority.

core, meta-ds, scripting-ds

  • Provide runtimeContext script variable for use in legacy Nashorn scripting environment (Meta data source, scripting data source); this can be used to obtain Spring beans, e.g. runtimeContext.getBean(DesiredClass.class), as a replacement for the removed Common.getBean() method. Only scripts with the "superadmin" role can access this variable by default.
  • Provide a services script variable to access all services in the legacy Nashorn scripting environment. All scripts have access to this by default.
  • Remove static fields and methods from the Common class; if you rely on this class in your scripts you will need to test and verify that the fields/methods you use are still present.
    • Removed static fields/methods include but are not limited to: runtimeManager, eventManager, backgroundProcessing, timer, serialPortManager.
    • Removed static fields/methods include but are not limited to: getBean(), getRuntimeContext(), getHttpClient().
    • Your scripts should be modified to access services via the services variable, or getting a Spring bean via runtimeContext.getBean() (superadmin role scripts only).
    • DBUpgrade classes are now scanned by Spring and automatically injected with dependencies. Please ensure your DBUpgrade classes are in a package which is scanned by Spring (e.g. com.radixiot.mango) or configure scanning for your package.
  • Remove DAO getInstance() methods. If you previously accessed DAOs in scripts using DAO.getInstance() or DAO.instance you must modify your scripts to use the new runtimeContext variable, e.g. runtimeContext.getBean(DataPointDao.class), or use the service instead, e.g. services.dataPointService.

ems

  • Fixed issues regarding platform manager dropdown options and how it would not auto select based on cases like no item selected, no cookies, no url params.

excel-reports

  • Add optional bookend support to Excel Report time series; when enabled, synthetic values are inserted at the start and end of each time period to ensure the report spans the full configured range.
  • Fixed bug in Excel Reports when filling cells with a Formula was not working; now we clear the formula before setting the value.

haystack-ds-pub, http-ds

  • The HTTP receiver datasource endpoint located at /httpds now requires a system permission to access it. This permission defaults to superadmin only but can be configured to allow access to anonymous (unauthenticated) users. In addition to this top level system permission, the "Set point value" permission is checked for each point which is being set. Users should update their HTTP clients which are sending data to /httpds to use a JWT authentication token in the "Authorization" header. Please consult the built-in help for more information.
  • Fix several bugs in the Haystack servlet located at /haystack which prevented it from working.

mango-nosql-database

  • Improve the performance of the "reload links" functionality of the NoSQL (ias-tsdb) database.
  • Upgrade ias-tsdb to version 1.9.0.
  • Expose more NoSQL database settings in default mango.properties.

mqtt-client-ds

  • Fixed missing validation of CA certificates, client certificates, and private keys when saving an MQTT data source, preventing misconfigurations from being silently accepted.

opc-ua

  • A new OPC UA data source module has been added, enabling Mango to connect to and collect data from OPC UA servers.
  • A data source supporting OPC UA was added.
  • The REST API to manage OPC UA data sources has been added.
  • Provide the server-side functionality for an OPC UA node explorer feature.
  • The OPC UA node explorer now individually retrieves the child nodes of a given node instead of starting an indeterminate retrieval of all nodes of a server in a single request.
  • OPC UA data source configuration now allows the fetching of a list of server endpoints, instead of separate security policy and security mode dropdowns, simplifying setup.
  • OPC UA data sources now support a configurable timeout setting, giving users control over how long the system waits for device responses.
  • A new certificate file store UI has been added, allowing users to manage SSL/TLS certificates directly from the Mango interface.

persistent-pub-ds

  • Fixed an issue where the gRPC publisher could silently stop forwarding point-lifecycle events (such as point initialization/termination) to the data source. Data sources now reliably receive these events.
  • Fixed gRPC publisher reconnect delay bug that caused publishers to skip delays after 1000+ failures.
  • gRPC data source disconnect errors when no linked data source created converted to warning.

pi-ui

  • The Event Protobuf definitions have been enhanced to include base reference types, enabling richer event data in gRPC communications.

snmp-ds

  • Modified the SNMP4J integration to allow SHA and MD5 authentication protocols. Also, a default starting OID for the walk was provided, and the error message for when this is missing was clarified.

ui

  • Fixed width on Events Page when view is 975px or less.
  • Fixed issue where some event types were not filtered correctly based on the event selection.
  • Fixed missing chart boundary values when point's default rollup is None.
  • Fixed bug in menu items where a system permission description would be saved instead of the key.
  • Changed name in admin home > system card > modules text to "Module upgrades available".

watchlist

  • Fixes a problem where Jackson fails to serialize data that includes seroJson's JsonValue subclasses.