fix(deps): update uportal-libs.version to v5.17.8

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.jasig.portal:uPortal-api-search	5.17.7 → 5.17.8
org.jasig.portal:uPortal-spring	5.17.7 → 5.17.8

---

Release Notes

uPortal-Project/uPortal (org.jasig.portal:uPortal-api-search)

v5.17.8: uPortal v5.17.8

Compare Source

Patch release on top of v5.17.7, completing uPortal core's side of the resource-server consolidation. Swaps every internal /ResourceServingWebapp/ reference in skin descriptors, admin JSPs, and chrome assets onto /resource-server/, and trims a set of 2008–2015 utility-lib webjar dependencies that are either CVE-prone or native-replaceable on modern browsers.

Refactor

• Consolidate skin + JSP onto /resource-server/ (#​2983)

  Moves uPortal core's skin descriptors, admin JSPs, and chrome-asset references off the legacy /ResourceServingWebapp/ context onto /resource-server/. Drops a bundle of 2008–2015 utility libraries (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, four polyfill webjars) that were either CVE-prone, native-replaceable on modern browsers, or both. Also removes dead <rs:compressJs> taglib wrappers (already a no-op upstream now that minification has moved to esbuild).

  Two commits land together: the main consolidation (~30 files: JSP cleanup, SCSS path swaps, tango/famfamfam icon URL swaps, dead webjar deps removed) and a finishing touch in respondr/common/common_skin.xml for the three resource="true" entries (underscore, backbone, jquery-plugins/rating) that the first pass missed. All three libs are served at byte-identical relative paths under the modern overlay.

Docs

• Prefer keys.openpgp.org over keyserver.ubuntu.com (#​2984)

  Brings the release-guide keyserver instructions in line with the Maven ecosystem release guide. The Central Publisher Portal queries keys.openpgp.org first when validating signatures; a key only on keyserver.ubuntu.com will fail signature validation non-deterministically. Includes the email-confirmation caveat for identity packets and a per-session verification curl.

• Manual NOTICE/license review step pre-Testing (#​2985)

  Adds a "Review NOTICE and License Headers" section to the release guide between "Review Dependencies" and "Testing". Cross-links to the Maven release guide's automated equivalent (which Gradle uPortal lacks today) and provides a quick grep heuristic for missing Apache license headers on changed files.

Upgrade notes

• Deployers running uPortal-start ≤ 5.17.7: drop-in replacement. /ResourceServingWebapp/ is no longer requested by uPortal core, but the path itself is still served by the overlay until resource-server 1.5.4 ships and uPortal-start retires ResourceServingWebapp. Browsers will see network requests cleanly addressed to /resource-server/.
• Deployers tracking the resource-server consolidation: this release is the uPortal-side complement of the Wave 1 portlet releases shipped today (SimpleContentPortlet 3.4.3, FeedbackPortlet 1.3.2, NewsReaderPortlet 5.1.5). With v5.17.8 in place, all core and portlet consumers are aligned for the upcoming resource-server 1.5.4 release where the legacy JS bundles ship.
• Skin overlays with custom paths: if your deployment skin references the dropped utility-lib webjars (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, fetch/promise/array.from/url-search-params polyfills), declare them explicitly in your overlay's pom.xml/gradle.properties. The defaults no longer pull them in.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.