fix(deps): update uportal-libs.version to v5.17.8

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.jasig.portal:uPortal-spring	5.17.5 → 5.17.8
org.jasig.portal:uPortal-api-search	5.17.5 → 5.17.8

---

Release Notes

uPortal-Project/uPortal (org.jasig.portal:uPortal-spring)

v5.17.8: uPortal v5.17.8

Compare Source

Patch release on top of v5.17.7, completing uPortal core's side of the resource-server consolidation. Swaps every internal /ResourceServingWebapp/ reference in skin descriptors, admin JSPs, and chrome assets onto /resource-server/, and trims a set of 2008–2015 utility-lib webjar dependencies that are either CVE-prone or native-replaceable on modern browsers.

Refactor

• Consolidate skin + JSP onto /resource-server/ (#​2983)

  Moves uPortal core's skin descriptors, admin JSPs, and chrome-asset references off the legacy /ResourceServingWebapp/ context onto /resource-server/. Drops a bundle of 2008–2015 utility libraries (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, four polyfill webjars) that were either CVE-prone, native-replaceable on modern browsers, or both. Also removes dead <rs:compressJs> taglib wrappers (already a no-op upstream now that minification has moved to esbuild).

  Two commits land together: the main consolidation (~30 files: JSP cleanup, SCSS path swaps, tango/famfamfam icon URL swaps, dead webjar deps removed) and a finishing touch in respondr/common/common_skin.xml for the three resource="true" entries (underscore, backbone, jquery-plugins/rating) that the first pass missed. All three libs are served at byte-identical relative paths under the modern overlay.

Docs

• Prefer keys.openpgp.org over keyserver.ubuntu.com (#​2984)

  Brings the release-guide keyserver instructions in line with the Maven ecosystem release guide. The Central Publisher Portal queries keys.openpgp.org first when validating signatures; a key only on keyserver.ubuntu.com will fail signature validation non-deterministically. Includes the email-confirmation caveat for identity packets and a per-session verification curl.

• Manual NOTICE/license review step pre-Testing (#​2985)

  Adds a "Review NOTICE and License Headers" section to the release guide between "Review Dependencies" and "Testing". Cross-links to the Maven release guide's automated equivalent (which Gradle uPortal lacks today) and provides a quick grep heuristic for missing Apache license headers on changed files.

Upgrade notes

• Deployers running uPortal-start ≤ 5.17.7: drop-in replacement. /ResourceServingWebapp/ is no longer requested by uPortal core, but the path itself is still served by the overlay until resource-server 1.5.4 ships and uPortal-start retires ResourceServingWebapp. Browsers will see network requests cleanly addressed to /resource-server/.
• Deployers tracking the resource-server consolidation: this release is the uPortal-side complement of the Wave 1 portlet releases shipped today (SimpleContentPortlet 3.4.3, FeedbackPortlet 1.3.2, NewsReaderPortlet 5.1.5). With v5.17.8 in place, all core and portlet consumers are aligned for the upcoming resource-server 1.5.4 release where the legacy JS bundles ship.
• Skin overlays with custom paths: if your deployment skin references the dropped utility-lib webjars (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, fetch/promise/array.from/url-search-params polyfills), declare them explicitly in your overlay's pom.xml/gradle.properties. The defaults no longer pull them in.

v5.17.7: uPortal v5.17.7

Single-fix patch on top of v5.17.5. Supersedes v5.17.6, which was a botched version-bump-only release (no functional changes from v5.17.5); deployers should skip 5.17.6 and consume 5.17.7 instead.

Fixes

• Deprecate the LESS pipeline in the respondr skin (#​2982)

  uPortal-webapp/src/main/webapp/media/skins/respondr/common/common.less still pulled in five sub-files — variables.less, mixins.less, regions.less, gallery.less, tags.less — that were removed during the Bootstrap 5 / SCSS migration. Any consumer running compileLess against this skin failed with "file not found" on the first dropped import, blocking uPortal-start's quickstart build (the symptom that surfaced this was compileLess0 failing on uPortal-start PR #​694).

  This change comments out the five orphaned @import lines, swaps the Bootstrap LESS import for the compiled bootstrap.css (so the file still produces usable CSS), and tags each entry with a DEPRECATED banner pointing at the SCSS pipeline as the supported path forward. The file itself is kept rather than deleted so any skin overlay still referencing it continues to compile during the deprecation window.

Upgrade notes

No configuration or deployment changes required. Drop-in replacement for v5.17.5. The respondr LESS pipeline remains compiled but is now formally deprecated — new skin work should target the SCSS pipeline.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.