* Update dependencies

atmosphere-runtime: 2.2.13.vaadin3
jsoup: 1.14.3

* Update Atmosphere version in Constants.java

Co-authored-by: Anna Koskinen <Ansku@users.noreply.github.com>

* Update Vaadin7 to use atmosphere-runtime 2.2.13.vaadin2

* Update Constants.java

* Chrome 94 (#12434)

* Added logging for generateArchetype in BuildHelpers

* Chrome 94 screenshot changes and version number

Co-authored-by: Olli Tietäväinen <ollit@vaadin.com>

* Add MPR UI id request parameter

* Update test

* Update test

* fix: set Vaadin session attribute using lock in reinitializeSession

* Add unit test

* Revert

* Add unit test

Backport to Java 6

* Add imports

* More Java 6

Adopted from https://github.com/vaadin/flow/pull/8567

Authored-by: Tatu Lund <tatu@vaadin.com>

Implemented with a listener rather than direct call from UI.detach() in
order to avoid new public API, since the whole feature has been marked
for removal. This doesn't yet prevent the cache or the type map from
getting slightly bloated during the UI's lifetime.

See: #3705

Cherry-picked from: #12199

This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Backporting of #12188

This is the same as #12190, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Backporting of #12189

Cherry pick https://github.com/vaadin/framework/pull/12131

* Change license from Apache-2 to CVDLv4

* Update header for checkstyle

* Add license checker

* Fix reference header

* Fix license header

* Update Chrome version

Fixes: https://github.com/vaadin/framework/issues/7757

onConnect was allways called with websocket = false. I think this is wrong, since if there was connection loss in websocket, now connection cannot be re-established in websocket mode.

Fixes: https://github.com/vaadin/framework/issues/7190

Cherry pick of https://github.com/vaadin/framework/pull/11884

* Use APPLICATION_SCOPE for the session lock

To be able to do this, relevant methods in VaadinService are made protected so
that VaadinPortletService can override them.

The Vaadin session itself is also stored in APPLICATION_SCOPE. The default
scope is PORTLET_SCOPE, so lock would otherwise not be in sync with
the session.

Cherry pick of https://github.com/vaadin/framework/pull/11644

* Fixes #11601. Add toggle for disabling touch detection on table multiselect.

* fix tests

* Improve VMenuBar click handling logic

Backport to V7:
During `updateFromUIDL` inside MenuBarConnector we empty and re-instantiate the components of MenuBar. When we are modifying the Menubar from the BlurEventListener of another component, we ,by this, remove widgets, therefore clickEvent is not fired and the action of the MenuItem is not proceed as a result. (The BlurEvent is fired before the click event in the chain of events. )

To improve the situation, we catch onMouseDown event , which is fired before BlurEvent,by assigning mouseDown flag to true. Then if no click event has yet happened, we delay the execution of update inside `updateFromUIDL` by default 500 ms. Then if click event occurs, it proceeds normally. The time can be increased/decreased using setter.

There is no delay, if we are clicking on the MenuBar as usual or no Blur listener is set.

This change allows setting descriptions preserving the action from the MenuItem

(cherry picked from commit 22cc85c76f)

* Improve VMenuBar click handling logic

Add missing files from the first commit

Backported to V7:
(cherry picked from commit 22cc85c)

* Fix #11246

Take zero pageLength into account when calculating filtered ComboBox contents.

* Create ComboboxPageLengthZeroFilterTest.java

* add UI tests for fix

Fixes #9471

When finished with upload, streamVariable should be disposed.
Now StreamVariable is removed also from streamVariableToSeckey.
https://github.com/vaadin/framework/issues/10695 #10695

* Add fallback resolvers for CurrentInstance

This allow applications to inject custom default instances when the
current instances cannot be found by regular means.

For example, when VaadinServlet.getCurrent() would return null, a
fallback resolver could be invoked to properly create the servlet and
return it.

* Make the setting of CurrentInstanceFallbackResolvers protected

* Remove the default constructor. Improve test.

* Made setFallbackResolver public again

* Rename the method to defineFallbackResolver, and make it throw when a
type is used twice

* Make the method thread-safe

* Make the method thread-safe in a Java 6 way

* Thread safety with ConcurrentHashMap API instead of just Map

* Improve test with fake classes.

* Clear the test state after it has been run.

* Open methods to allow custom static file serving logic

The methods serveStaticResources and serveStaticResourcesInVAADIN have
been changed from private to protected to allow subclasses to change how
static files are served.

* Prevent killing UI if heartbeats are pending (#10371)

Fixes #9663

* fixed Java 1.8 syntax -> 1.6

* added missing javadocs and since tags

* fix formatting of javadocs

UIDL might contain sensitive information that we should prevent from
being stored anywhere.

Ignore null intermediate properties in setValue().

Add additional class names and style to components and error indicators to distinguish different error levels.

Vaadin 7 solution for #3139

By using a separate id we can avoid sending the sessions
CSRF token as a GET parameter when initializing a push connection.

Cherry-picked from #8700 to the 7.7 branch.

There's an intermittently happening issue with both Table and TreeTable, which results in row data disappearing.
This change removes a method which is probably a vestigial one from over five years ago and other changes are handling the things the method used to perform. Currently the method removes rows deemed unnecessary from the row buffer. The problem is, those rows are visible to the user and removing causes row contents to be lost.
Also included are manually runnable test cases which demonstrate that this removal actually prevents the issue from happening.

Fixes #7964
Fixes #5030

Fixes #7261
Fixes #5178
Fixes #4409

As there is no "request end" call after invoking UI.access() from a background thread,
the connector map was not earlier properly cleaned afterwards. If you toggled visibility of a
component from the background thread, the tracker state became inconsistent.

If this becomes a performance problem, it could probably be optimized to that cleanup
is done in request end and only at the end of access if not inside a request.

Backported from master
Fixes #9693

Unregister old NavigationStateManager before setting new one (backport of #9410).

Fixes #9406

Remove unnecessary warning on server log when using shortcut on disabled connector.

Fixes #6951

Immediately clean connectors which the client side does not know about

Fixes #9303

Fixes #9009

Fixes #8775