Artifactory Self-Managed Releases

This section contains the Release Notes for Artifactory Self-Managed releases.

To view a self-managed release's release notes, select the version from the table of contents.

📘

Note

Release notes for previous releases that have passed their end-of-life date (18 months after the initial release) can be found in Artifactory End of Life.

Important Self-Managed Changes

This section contains crucial notices for Self-Managed users using SAML SSO and basic authentication. Before upgrading, make sure to review the changes and take the necessary actions.

From version 7.104.5

• Multiple SAML SSO Provider Configurations

  The JFrog Platform now supports multiple configurations for SAML SSO providers. Enabling multiple SAML SSO configurations can help large organizations streamline the login and authentication processes for multiple platforms, resulting in a faster and more convenient authentication experience.

📘

Note

Before creating multiple SAML configurations, JFrog recommends deleting the old configuration and reconfiguring it with a different setting name other than Default. If you reconfigure your SAML configuration, you must also update the relevant information in the Identity Provider server.

• Enabling SSO Disables Basic Authentication By Default

  Enabling single sign-on authentication now disables internal password authentication by default. For more information, see Disable Basic Authentication Method.

From version 7.98.7

⚠️

Breaking Change for SAML SSO

As notified in SAML SSO configuration, if you have configured SAML authentication in your environment, make sure to configure a Custom Base URL to prevent a 500 error.

• Migration of SAML Authentication Provider from Artifactory Service to Access Service

  As part of enhancements to the JFrog Access Service, which is becoming the primary service for authentication providers, the functionality for the SAML authentication provider has moved to the Access Service.

⚠️

Breaking Change for synchronizeLdapGroups User Plugin

Following the migration of SAML SSO from Artifactory service to Access service, the deprecated user plugin synchronizeLdapGroups will no longer be used for SAML SSO user login. As an alternative, the functionality of the plugin has been implemented as part of the provider. For more information, see Enabling Synchronization of LDAP Groups for SAML SSO.

Artifactory 7.133

This section includes all the Artifactory 7.133 releases.

Artifactory 7.133.12 Self-Managed

Released: 2 March 2026

Resolved Issues

Artifactory 7.133.10 Self-Managed

Released: 18 February 2026

Resolved Issues

Artifactory 7.133.8 Self-Managed

Released: 10 February 2026

🚧

Intended Change in Artifactory’s Response to Improper Configuration of a Smart Remote Repository

To properly configure a smart remote repository using the ​Create Repository API​​, the URL of an Artifactory instance must be used as the URL of the remote repository, and the attribute ​contentSynchronisation​ must have ​enabled = true​ in the ​Repository Configuration JSON​​. ​ Currently, if a user wants to create a smart remote repository and enables ​contentSynchronisation​​, but does not set the URL of an Artifactory instance as the URL of the remote repository, Artifactory responds by creating a regular (not smart) remote repository, sends a 200 success message, and disables ​contentSynchronisation​​. The user does not receive any indication that the smart remote repository that the user tried to create is actually a regular remote repository or that ​contentSynchronisation​​ is disabled. ​ Starting from May 12, 2026, Artifactory will respond differently to this scenario. Instead of creating a regular remote repository, Artifactory will respond with a 400 error message, and no repository will be created.

🚧

Artifactory to Stop Allowing Importing a Backup of Repositories with the -cache Suffix

Artifactory does not allow creating a repository with the -cache suffix, because -cache is a reserved string that Artifactory uses internally to create a -cache repository for every remote repository. However, currently Artifactory allows importing a backup of repositories even if there are repositories in that backup with a -cache suffix. Starting from May 12, 2026, Artifactory will no longer allow a backup of repositories if there are repositories in that backup containing the -cache suffix. Ensure that by May 12, 2026, you do not have any repositories with the -cache suffix to be backed up for the backup to run successfully.

Note that renaming existing repositories is not possible. Therefore, if you need to rename a repository because it has the -cache suffix, the most efficient way to do this is to create a new repository, copy the contents of the repository with the -cache suffix into it, then delete the old repository.

Resolved Issues

Artifactory 7.133.6 Self-Managed

Released: 3 February 2026

Resolved Issues

Artifactory 7.133.3 Self-Managed

Released: 22 January 2026

⚠️

Breaking Change for JFrog Platform Logging

From this Artifactory version, two system properties (​​audit:enabled​ and ​db:batch-size​​) will be moved from the ​Access YAML​ configuration file to the ​System YAML​​ configuration file, and their values will be reverted to the default value.

This should not impact your environments. However, note that if you have defined a different value for either of these variables or wish to edit them, you can now find and edit them in the ​system.yaml​ file, located in the ​$JFROG_HOME/artifactory/var/etc​​ folder.

More information about the parameters to be changed:

Parameter name in Access YAML (removed)	Parameter name in System YAML (added)	Description	Default value
Audit: enabled:	logging: audit: enabled:	Toggle logging of changes in Access configuration. It is highly recommended to keep this enabled.	true
db: batch-size:	database: batchSize:	Control the number of records in each batch when performing actions on Access resources.	100

❗️

​Transition Default AWS SDK from v1 to v2 (Q2 Update)

In preparation for the sunset of AWS SDK v1 by Amazon Web Services, JFrog Artifactory will transition its default AWS SDK from v1 to v2 by June 30, 2026. This is a proactive step to ensure customers are positioned for long-term stability, security updates, and new features as v1 reached end-of-support at the end of 2025.

Why is JFrog making this change?

• End of Support for v1:​​ Amazon Web Services announced that SDK v1 reached end-of-support at the end of 2025. After this date, v1 no longer receives new features, availability improvements, or security updates.
• Security and Compliance:​​ Continuing to use v1 beyond 2025 exposes environments to potential security risks due to the lack of ongoing updates.
• Feature Parity and Optimization:​​ Integration with v2 allows users to leverage the latest AWS features and optimizations for a more robust and efficient storage solution.

JFrog strongly recommends that all Artifactory customers currently using SDK v1 transition to SDK v2 at this point in time and not postpone this unnecessarily. For instructions on how to do this, see ​Integrate Artifactory with AWS SDK v2 for S3 Storage.

📘

Timeline for the Sunset of JFrog Legacy Repository Federation

We are officially announcing the sunset plan for Legacy Repository Federation as we transition to the next-generation Artifactory Federation Service (RTFS). Please take note of the following timeline for this change:

Timelines

January 2026 (Current Status)

Official declaration of the sunset plan to all customers.

Migration Window (Now through Mid-2027)

An 18-month period during which customers are requested to migrate to the new Artifactory Federation Service.
We encourage all users to begin planning their transition to take advantage of RTFS's superior architecture and enhanced capabilities.

July 2027 (Deprecation)

The actual removal of Legacy Federation from the codebase of new releases.

Note: Older releases will continue to be supported based on JFrog standard support policies.

Important Information

Database Requirements

Please be aware that the new RTFS service explicitly requires a PostgreSQL database connection. However, this requirement applies only to the RTFS service itself; your main Artifactory installation remains completely unaffected and continues to support all currently available databases.

Implementation Options

• If your Artifactory already uses PostgreSQL, you can use the same database instance.
• If your Artifactory uses a different database, you only need to introduce a separate PostgreSQL instance for the RTFS service. There is no need to migrate your entire Artifactory installation.

Why This Change?

The Artifactory Federation Service (RTFS) represents the next generation of repository federation with:

• Superior standalone microservice architecture designed to reduce impact on Artifactory
• All new features (including Unidirectional Sync) are being developed exclusively for RTFS
• Already the default for all JFrog SaaS customers
• Validated by leading enterprise customers with improved stability and performance

Migration Support

The migration from Legacy Federation to RTFS is designed to be seamless:

• Automatic migration tools are provided to ensure configuration and data integrity
• No downtime required during migration
• Hybrid mode supported (RTFS and Legacy can coexist during transition)
• Full rollback capabilities during the transition window
• You do not need to migrate all sites simultaneously

Important

Please note the following regarding certificates:

• The Artifactory Federation Service (RTFS) supports self-signed certificates and certificates signed by a custom Certificate Authority (CA) starting from Artifactory version 7.133.4.
• Customers running earlier versions must upgrade to a supported version to use self-signed or custom CA certificates with RTFS.

Note: This sunset applies to Self-Hosted environments only.

For detailed information about RTFS features, migration procedures, and FAQs, please refer to the Artifactory Federation Service documentation.

📘

Filebeat Removal

Removed the Filebeat component from all JFrog product installers as part of the JFrog Insight deprecation process.

Action Required: If you utilize the bundled Filebeat application for purposes other than JFrog Insight, you must install a standalone version of Filebeat before upgrading to this version to prevent service disruption.

​New Features

• Application metrics now available to SaaS users​​​

  Users working in SaaS (Cloud) environments can now receive a wide variety of application-related metrics (based on the Open Metrics standard) using a new REST API. For more information, see ​Get Artifactory Application Metrics API​​.

• ​​New REST API for preparing evidence for deployment to Artifactory​​ ​ The new ​Prepare Evidence​ REST API simplifies the evidence creation process for users who do not use the JFrog CLI. The API request contains the ​predicate​​, which is a JSON containing claims about the defined evidence subject (for example, a build or artifact), and can include an optional markdown version. The API returns a payload that conforms to the in-toto attestation standard used by the JFrog platform. After signing the payload, you can deploy the evidence to the JFrog platform using the ​Deploy Evidence​ REST API. For more information, see ​Create Evidence using REST APIs​​.

Feature Enhancements

​​Release Lifecycle Management​​

• ​Release Bundle v2 creation dry run​​ ​ You can now use the Create Release Bundle v2 ​REST API​ to perform a dry run, which simulates the creation of the Release Bundle and performs all the necessary validations, but without persistence. For more information, see ​Perform a Release Bundle v2 Creation Dry Run​​.
• New REST API for deleting the tag from a Release Bundle v2 version​​ ​ To improve the user experience, you can use a new, dedicated REST API to delete a tag from a Release Bundle v2 version. For more information, see Delete Release Bundle v2 Version Tag API​​.
• Query parameter for returning all errors during Release Bundle v2 creation​​ ​ To help debug issues you may encounter during Release Bundle v2 creation, a new ​fail_fast​ query parameter has been added to the ​Create Release Bundle v2 REST API. When set to ​false​​, the API will return validation errors that occur during creation as a group instead of failing after the first error. For more information, see ​Release Bundle v2 Creation Errors Collected by System API​​.
• RLM promotion rollback from platform UI​​ ​ To improve the user experience, you can now roll back a Release Bundle v2 version promotion from the platform UI. For more information, see ​Promotion Rollback​​. Please note that the UI icon for deleting a promotion has been removed, as rollback replaces this functionality.
• ​​Audit trail maintained when promoting duplicate Release Bundle artifacts​​ ​ Previously during Release Bundle v2 promotions, the system skipped artifacts that already existed in the target stage. This behavior prevented the target stage from being updated with evidence associated with those artifacts. This enhancement guarantees that all associated evidence is copied to the target stage, ensuring a complete and verifiable audit trail throughout your SDLC.
• ​​Improved performance when creating Release Bundles from builds with dependencies​​ ​ To enhance the user experience, we have implemented significant performance enhancements when creating Release Bundle v2 versions from builds that contain dependencies.

​​Platform UI​​

• ​​Significantly Improved Package Details User Interface​​ ​ The Package Details user interface (UI) has been significantly improved, and now displays valuable information about package versions in a more user-friendly format, including:
  • When the Package Details view is initially displayed, details on the latest version or tag of the package appear.
  • Use of native terminology, based on the package context (for example, tags for Docker/OCI packages, versions for other package types).
  • Quick selection of a package version, allowing you to easily find the version you need.
  • An All Versions view, allowing quick impact analysis across all versions to see vulnerabilities and where versions are stored.
  • Multi-client install commands: Installation commands are provided for all officially supported clients in every package type.
  • More install commands for more package types: The new UI introduces 35 new install commands to help developers use the packages they are looking for.
  • Context-sensitive Information tabs, displaying important version information according to the package type. For more information, see ​​The Package Details User Interface.
• Significant Improvements in the Repositories User Interface​​ ​ The Repositories user interface has been significantly re-designed, making it much more user-friendly and efficient. When initially opening the Repositories list, there are options to view the 20 most recently viewed repositories and to view inactive repositories. Filtering capability has been added, so that you can now filter the Repositories list according to Repository type, package type, URL (for remote repositories), Project association, stage, and repositories that have a replication (for local and remote repositories). For more information, see ​​View Repositories​​.
• ​​Date picker to improve Builds page performance​​ ​ To improve performance, the Builds page now features a date picker that displays only those builds within a defined timeframe. The default value is the last 7 days. Users can choose a different timeframe as needed.
• ​​Improved performance of Build Versions page in platform UI​​ ​ Pagination has been added to the Build Versions page in the platform UI, which makes it faster and more convenient to use when the selected build contains many existing versions.
• User Management - Permissions​​ ​ Updated the tooltip for the ​Include All Builds​ checkbox to clarify that selecting this option includes all builds and preserves any defined exclude patterns. For more information, see ​Add Builds.
• ​​Added a Warning Message When Deleting a SCIM Token​​ ​ The JFrog Platform now displays a warning message when attempting to delete a SCIM token, as deletion might disconnect authentication provider integrations.

​​Package Management and Repositories​​

• Support for .dsc Source packages in local Debian repositories​​ ​ Local Debian repositories now support Debian source packages. After configuring your ​sources.list​ file for source packages, you can deploy the component source package files one by one to your local repository and resolve them as a single package using apt-get source. For more information, see ​Connect Debian to Artifactory​​.

• Performance optimizations in NuGet package manager

  Artifactory now offers a newer implementation of the NuGet package manager in Self-Managed Artifactory deployments. The new implementation significantly improves performance and efficiency with the following benefits:

  • Improved package resolution speed and download efficiency
  • Resolved legacy memory-related issues
  • Reduced JVM heap memory usage To enable the new NuGet handler, add the following property to the Artifactory system properties file: artifactory.package.handler.nuget=true​.

  The new handler is opt-in for Self-Managed Artifactory deployments at this time, but it will be the default NuGet handler for all customers in an upcoming release. The new handler is already implemented in SaaS versions of Artifactory.

  📘

  Note

  To ensure optimal performance, it is recommended Artifactory 7.125.0 or later before enabling this feature.​

• ​​New REST APIs for VCS Remote Repositories to Obtain Data from Subgroup Repositories​​ ​ New REST APIs have been added for VCS remote repositories to obtain data from subgroup repositories. Four new APIs have been added that allow you to:

  • ​​Download a VCS Branch from a Subgroup Repository API
  • ​​Download a VCS Tag from a Subgroup Repository API
  • ​​Download a File in a VCS Branch in a Subgroup Repository API
  • ​​Download a File in a VCS Tag in a Subgroup Repository API Also, the legacy APIs ​​Get VCS Tags​​ and ​Get VCS Branches can be used to obtain VCS tags and branches from subgroup repositories. ​ Currently, branches and tags can be downloaded only in the ​tar.gz​​ format. ​ In this Artifactory version, these APIs can be used to obtain data from the Google Source Git Provider.

• Google Source Git Provider for VCS Remote Repositories​​ ​ Support has been added in the Artifactory user interface for the Google Source Git Provider for VCS remote repositories. For more information, see ​Use VCS to Proxy Git Providers​​.

• ​​Improvements in VCS Remote Repositories APIs​​ ​ The user organization can now be used as the repository for downloading VCS tags, branches, files in a tag, and files in a branch. For more information, see ​Download a VCS Tag API​​, ​Download a VCS Branch API, ​Download File within a VCS Tag API​​, and ​Download File within a VCS Branch.

• Supported Clients and Versions

  • ​​Support for Kiro with AI Editor Extension repositories​​ ​ You can now set up AI Editor Extension Repositories in Artifactory to securely proxy and cache the Kiro extension marketplace, and configure your Kiro IDE to download extensions from the Artifactory cache. For more information, see ​Get Started with AI Editor Extensions​​.
  • Support for ​pnpm​​ client with npm repositories​​ ​ You can now configure the ​pnpm​ client to connect to npm repositories in Artifactory and use it to manage npm packages. For more information, see ​pnpm CLI.
  • Support for ​uv​​ client with PyPI repositories​​ ​ You can now configure the ​uv​ client to connect to PyPI repositories in Artifactory and use it to manage Python packages. For more information, see ​uv client. ​
  • ​​Support for Yarn Modern with npm repositories​​ ​ Artifactory now supports natively managing npm packages with Yarn V2+ (Modern). For more information, see ​Connect Yarn to Artifactory.

• ​​JFrog CLI commands for setting up IDEs with AI Editor Extension and JetBrains Plugins repositories​​ ​ The new ​jf ide setup​ command automates the process of connecting your IDE to an AI Editor Extensions or JetBrains Plugins repository in Artifactory. You can run the single command to configure any supported client, instead of manually granting permissions and editing configuration files. For more information, see ​Connect IDE to Artifactory for AI Editor Extensions and Connect JetBrains IDE to Artifactory for JetBrains.

• ​​Curation Support Added for PHP Composer Remote Repositories​​ ​ Artifactory now ensures security compliance for Composer repositories protected by JFrog Curation. If a package is blocked by security policy, Artifactory automatically prevents the Composer client from falling back to external source URLs to download.

• ​​Added Support for the Range Header in Download Requests for PyPI Repositories​​ ​ Artifactory now supports ​Range​​ requests when downloading Python packages from local, remote, and virtual PyPI repositories. This improves compatibility with the UV package manager and prevents redundant full-package downloads, reduces unnecessary download counts, and improves performance.

• Added Support for Proxying the GitHub Enterprise Cloud Private Registry for Go Remote Repositories​​ ​ Support has been added for proxying the GitHub Enterprise Cloud private registry (<comanyName>ghe.com) for Go remote repositories.

• ​​Curation Support Added for PHP Composer Remote Repositories​​ ​ Artifactory now ensures security compliance for Composer repositories protected by JFrog Curation. If a package is blocked by security policy, Artifactory automatically prevents the Composer client from falling back to external source URLs to download. ​ This feature requires Xray version 3.137.0 or above.

• URL Auto-Correct Added to Procedure for Creating a Smart Remote Repository​​ ​ An auto-correct feature was added to the procedure for creating a smart remote repository for certain package types, to ensure that a correct URL is used. For more information, see ​Configure a Smart Remote Repository​​.

• Bridge URLs in Remote Repositories​​ ​ Bridge URLs can now be used in remote repositories without additional configuration.

Retention and Cleanup Policies​​

• ​​Retention Policies - Package Version Pattern Filtering​​ ​ Cleanup and Smart Archiving retention policies now support Include and Exclude Package Version Patterns. For more information, see ​Cleanup Policies and ​Smart Archiving​​.
• ​​Improved the Run reports generated by Retention Policies for packages (Cleanup and Smart Archiving)​​ ​ The reports now include ​Package Path​​, ​Created Date​​, ​Modified Date​​, and ​Last Downloaded Date​ columns under ​Run Detailed Summary​ to facilitate better validation and auditing of deleted or archived packages. For more information, see ​Smart Archiving Run Report Overview, ​Restore Run Report Overview​ and ​Cleanup Run Report Overview.

​​Workers​​

• Updated Payload Code Sample for "Before Download Request Worker"​​ ​ The payload code sample for ​Before Download Request Worker​ has been updated for backward compatibility and to avoid compilation errors. The redundant ​repoPath​ object has been removed from the root of the event request, and the ​headers​ object is now identified as ​requestHeaders​​. For more information, see ​Before Download Request Worker Code Sample.

​​Evidence​​

• ​​Evidence system enhancements​​
  • ​​Cosign v3​​: The Evidence system now supports automatic evidence creation using the Sigstore bundle format. This includes compatibility with both the ​cosign sign​​ and ​cosign attest​​ commands with the ​new-bundle-format​​ flag. Support remains in place for in-toto attestations (DSSE) created with the legacy Cosign v2 ​attest​​ command.
  • ​​PSS padding​​: To simply integration with different systems that produce attestations, the Evidence system now supports secure PSS (Probabilistic Signature Scheme) padding for signatures when creating evidence with APIs​​. PKCS#1 v1.5 padding is still supported.
  • ​​Base64 URL encoding​​: The Evidence system now supports Base64 URL encoding for the DSSE signature. Standard Base64 encoding is still supported.
• New REST APIs for evidence queries​​ ​ Two new REST APIs are available for performing evidence queries. They are intended for users who prefer traditional REST APIs for integration with their existing automation tools instead of using GraphQL. For more information, see ​Search Evidence (REST API) and ​Get Evidence by ID (REST API).
• ​​Evidence GraphQL API for returning evidence by ID​​ ​ You can now use GraphQL to return the details of a specific evidence item using its ID instead of using its path. For more information, see ​Get Evidence by ID (GraphQL).

​​User Integrations​​

• Support for Regex in OIDC Integration Dynamic Mapping​​ ​ The JFrog Platform OIDC integration now supports dynamic mapping creation using regular expressions (regex), which automates and streamlines the process for various use cases.

​​Platform Management

• Added a Warning Message When Deleting a SCIM Token ​​ ​ The JFrog Platform now displays a warning message when attempting to delete a SCIM token, as deletion might disconnect authentication provider integrations.
• **​​​Support for New SCIM REST API Endpoints​​ **​ The JFrog Platform now supports getting more information about your SCIM configuration and schemas via REST API. For more information, see ​Get Resource Types API, ​[→Get Service Provider Configuration]​​, ​Get Schemas API​​, and ​Get Schema by ID.
• New Support for Password Control Via REST API​​ ​ The JFrog Platform Access service now enables you to expire and un-expire all passwords via REST API. For more information, see ​Expire Password for All Users API​ and ​Un-Expire Password for All Users API​​.
• ​​Support for Filtering Tokens by Scope via REST API​​ ​ The JFrog Platform now supports filtering the results of the Get Tokens REST API using the scope parameter to get token results for a specific scope, such as group. For more information, see ​Get Tokens API​​.
• Added Support for Project Admin Permissions​​ ​ The JFrog Platform now offers more granular control over project admin permissions, enabling you to grant ​Manage Resources​​ permissions to project admins while preventing them from creating or managing remote repositories.
• Logging of Administration Configuration Changes​​ ​ The JFrog Platform now supports logging of any changes made to the access configuration, such as enabling anonymous access, in the Access ​audit trail log​​.
• ​Support for Webhook Target Validation​​ ​ The JFrog Platform now supports creating a whitelist to allow private domains or IP addresses to be used as Webhook targets without needing to disable Artifactory validation.****

Storage​​

• ​​Support Added for Decompressing .xz and tar.xz Files​​

  Artifactory now supports decompressing ​​.xz​​ and ​tar.xz​​ files, similar to the already supported decompression for ​.zip​​, ​.tar​​, and ​.gz​​ files.

Helm Charts

• The Artifactory Helm chart now supports Azure Workload Identity authentication through the new useInstanceCredentials parameter. This authentication method replaces the legacy saasTokens and accountKey configurations. For more information, see Azure Workload Identity
• The Artifactory Helm chart now includes the rtfs.customCertificatesSecretName parameter for the RTFS service. This ensures custom certificates are properly copied to the RTFS container’s trusted certificates folder.

Resolved Issues

Artifactory 7.125

This section includes all the Artifactory 7.125 releases.

Artifactory 7.125.12 Self-Managed

Released: 27 January 2026

Resolved Issues

Artifactory 7.125.11 Self-Managed

Released: 13 January 2025

Resolved Issues

Artifactory 7.125.10 - Self-Managed

Released: 30 December 2025

Resolved Issues

Artifactory 7.125.9 Self-Managed

Released: 16 December, 2025

Resolved Issues

Artifactory 7.125.8 Self-Managed

Released: 4 December 2025

Feature Enhancements

• Database Optimizations

  • Optimized Artifactory's shift events operation by refactoring the internal database process to use bulk inserts, significantly reducing database round trips and improving performance
  • Optimized the performance of node event deletion in Artifactory when using an Oracle Database by adding an optional system property to utilize the primary key index. See Oracle for Artifactory.

Resolved Issues

Artifactory 7.125.7 Self-Managed

Released: 18 November, 2025

Feature Enhancements

• Retention Policies - Package Version Pattern Filtering

  Cleanup and Smart Archiving retention policies now support Include and Exclude Package Version Patterns. For more information, see Cleanup Policies and Smart Archiving.

Resolved Issues

Artifactory 7.125.6 Self-Managed

Released: 4 November, 2025

Resolved Issues

Artifactory 7.125.4 Self-Managed

Released: 30 October, 2025

New Features

• Support for Sigstore bundle attestations

  Artifactory now supports the automatic conversion of OCI Sigstore bundle attestations into JFrog evidence.

• New Parent Manifests API

  A Parent Manifests API has been added, which allows you to discover all parent manifest lists associated with a specific Docker manifest. For more information, see Find Parent Manifest Lists.

• New Platform Auditor User Type

  The JFrog Platform now supports a Platform Auditor user role that allows users to view the entire JFrog Platform Web UI but not perform any actions, which can be useful for auditing or compliance monitoring. To use this feature, enable the following feature flag in your system configuration file:

  accessPlatformAuditor: true

  For more information, see The Platform Auditor.

• Support for signed attestations in OCI images

  The Evidence Collection service can take signed, 3rd-party attestations uploaded to Artifactory as OCI images and convert them automatically into JFrog evidence. For example, this new feature can successfully convert attestations created using the cosign attest command. For the automatic conversion to work, the attestations must conform to both the DSSE and in-toto standards.

• Cleanup - Builds

  Artifactory now supports a build cleanup policy to delete unintended builds. For more information, see Cleanup Policies.

• New Remote Repository Types for IDE Plugins

  Two new remote repository types, AI Editor Extensions and JetBrains Plugins, are now available to proxy IDE plugin marketplaces. The AI Editor Extensions repository supports proxying extension marketplaces for VSCode, Cursor, and Windsurf. This repository type is integrated with JFrog Curation to enable policy-based blocking of unwanted plugins. The JetBrains Plugins repository supports proxying the JetBrains Marketplace for JetBrains IDEs such as IntelliJ IDEA and PyCharm.

  With both repository types, you can browse and install extensions and plugins natively within each IDE.

  The repositories are available to customers with an Ultimate bundle subscription.

• New Remote Repository Type for Bazel Modules

  The new Bazel Modules remote repository type supports caching and proxying the Bazel Central Registry (BCR) in Artifactory. This repository type is designed to support module dependency maknagement in accordance with Bazel 9 requirements. Maintaining a secure cache and proxy of the BCR ensures that developers pull only approved and vetted dependencies, enhancing security and streamlining the development process. For more information, see Bazel Modules Repositories.

• Update Password Policy Via REST API

  The JFrog Platform now supports creating and updating your instance’s password policy via REST API, for easier access for Cloud instances. For more information, see Password Policy.

• Artifactory Now Natively Supports the Terraform Provider Registry Protocol

  Artifactory now natively supports the HashiCorp Terraform Provider Registry Protocol, acting as a fully compliant Provider Origin Registry for both Terraform and OpenTofu. This enhancement simplifies client configuration, enhances security with GPG verification, and provides smarter protocol-aware proxying. This new method applies to local, virtual, and federated repositories and adds to the network_mirror approach. For more information, see Documentation.

Feature Enhancements

• Storage

  • Support for AWS SDK v2 in S3 Storage

    Artifactory's S3 binary storage provider now supports AWS SDK v2. This integration allows you to leverage the latest AWS features and optimizations for a more robust and efficient storage solution, while maintaining full backward compatibility with your existing S3 configurations. AWS SDK v2 receives all active development, new features, and security updates, ensuring your storage integration remains up-to-date. For more information, click here.

❗️

Important

Amazon Web Services has decided to make SDK v1 end-of-life at the end of 2025. Therefore, JFrog strongly recommends that all Artifactory customers currently using SDK v1 transition to SDK v2 at this point in time.

• Support for Azure Workload Identity

  Artifactory now supports authentication with Azure Blob Storage using Azure Workload Identity. This method provides a secure, secret-less authentication mechanism for applications running on Azure Kubernetes Service (AKS). It leverages federated identity credentials, eliminating the need to manage and rotate secrets such as SAS tokens or storage account keys within your Artifactory configuration. For more information, click here.

• Data Sharding Improvements

  Improvements were made in thread synchronization in sharding and s3-sharding providers.

• Daily Cleanup Job Added for Cache FS _pre folder

  A daily job is now triggered on startup to cleanup old dbRecord*.bin files in the cache provider’s _pre folder. The configurations for this job can be modified in the binarystore.xml file under the cache-fs provider. For more information, see Cached Filesystem Binary Provider.

• Additional Configuration for GCP Internal Actions

  The ability to configure readTimeout was added to Google Cloud Platform (GCP) internal actions.

• Project Administration

  • Support for webhooks for project-related builds

    Artifactory now supports the creation of webhooks for builds associated with specific projects. This enables you to receive notifications whenever a build in a particular project is uploaded, promoted, or deleted. To create a build webhook for a specific project, you must be working within the scope of the project (as opposed to All Projects).

    For specific guidelines about creating a build webhook for a specific project, see Domain: Build.

• Evidence Management

  • Evidence propagation to Federation members

    This release enhances the Evidence service to enable evidence propagation to all Federation members, regardless of whether they contain the relevant public key for verification. Evidence verification, however, is performed only on those members that have the public key. For more information, see Verify Evidence.

  • Evidence for artifacts in virtual repositories displayed in Artifacts tree

    You can now view evidence related to artifacts in a virtual repository in the Artifacts tree. This is particularly useful when attaching evidence to a Docker image created in a tool such as GitHub Actions. In such cases, users typically work with the Docker image as part of a virtual repository in Artifactory. The virtual repository must contain at least one local repository to house the evidence. For more information, see View the Artifact Evidence Table.

  • Improvements to evidence graph

    The design of the Release Bundle evidence graph has been improved to make it easier to distinguish between the various elements (builds, packages, etc.) that comprise the Release Bundle. For more information, see View Release Bundle v2 Evidence.

• Federation

  • Enhanced metadata propagation during RTFS Full Sync operations

    The Artifactory Federation Service (RTFS) now supports the propagation of artifact creation time metadata during a Full Sync operation. To enable this feature:

    1. Set the following Artifactory system property to true on the target members:

       artifactory.federated.mirror.events.upload.info.propagate.enabled

    2. Use a new REST API to enable the propagation of this specific metadata. For more information, see Propagate Creation Time Metadata during Full Sync API.

• Updated Artifactory Worker Events

  Updated the following Artifactory Worker events:

  • After Copy: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • After Delete: The following field is removed from the Sample Payload:

    headers

  • After Property Create: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing, disableRedirect and headers.

  • After Move: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • Before Move: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • Before Download Request: The following fields are added in the response:

    modifiedRepoPath, expired and headers.

  • Before Create: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • Before Copy: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • Before Property Create: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • Before Property Delete: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • After Property Delete: The following fields are removed from the Sample Payload:

    contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

  • Updated the following Worker Events with repoType Input Parameter:

    • Before Property Replication
    • Before File Replication
    • Before Statistics Replication
    • Before Directory Replication
    • Before Delete Replication

• Smart Archiving

  • Skips Restore of Artifacts with the Same Name and Path

    The restore process now skips any artifact that already exists in the target location, preventing accidental overwrites. The existing file will be preserved, and the skipped operation will be noted in the logs and the CSV report.

  • Supported Archive Packages Search for Project Admins

    Project Admins will now see and be able to use the Archive Search feature. The search results are automatically scoped, ensuring they can only view archived packages that belong to the projects they manage.

• API Updates

  • Filtering added to Get All Repository Configurations API

    You can now use query parameters to filter the results of the Get All Repository Configurations API. You can filter by package type (for example, docker, maven) and repository type (for example, local or remote).

  • Change in API response for Release Bundle v2 tags

    To correct inconsistent behavior, the following API endpoints have changed the response for Release Bundle v2 tags from bundle_tag and release_bundle_tag to a standard response of tag:

    • Create Release Bundle v2 Version
    • Assign Tag to Release Bundle v2 Version API
    • Get Release Bundle v2 Versions API

  • Improved Get Federation Sync State REST API performance

    The performance of the REST API that returns the synchronization state of all Federated repositories in the JPD has been improved.

📘

Note

This API endpoint is relevant for users operating the legacy Federation service, not the Artifactory Federation Service (RTFS).

• Package Management and Repositories

  • Virtual Repositories for Hugging Face Packages

    Virtual repositories can now be created for Hugging Face packages.

    • Local and remote Hugging Face repositories that are associated with a virtual Hugging Face repository must have the Machine Learning Repository Structure.
    • Hugging Face datasets and models can be resolved from a virtual Hugging Face repository only with the snapshot_download API and not by using libraries.

    For more information, see Create a Hugging Face Repository and Resolve Hugging Face Packages.

  • RPM Package Settings

    Added support for Administrators to enable/disable RPM package settings for the following:

    • Recommends Tags
    • SHA256

    For enabling/disabling these settings, see Enable/Disable RPM Package Settings.

  • Improvement to the Vendor Folder for the Private Go Registry and the Go Proxy

    Checksums in the private Go registry and the Go proxy are now aligned for the Go version 1.24 vendor folder.

  • NuGet Package Updates

    • Curation Support for NuGet Virtual Repositories

      Extended JFrog Curation capabilities to support NuGet virtual repositories, providing a powerful, centralized way to secure your NuGet package consumption.

    • NuGet Package - Now Supports .NET CLI

      NuGet packages now include support for the .NET CLI.

    • Optimized NuGet Version

      Tightened validation to require all NuGet packages to use strict Semantic Versioning (SemVer 2.0). See specification.

    • Nuget Packages - Rate Limit

      Introduced a new rate-limiting mechanism for search APIs to prevent excessive calls and ensure service stability.

  • Upgraded Gradle Set Me Up Wizard

    The Gradle Set Me Up wizard has been upgraded to support Gradle 9.

  • Improvement in VCS Remote Repositories

    The GitHub Server option for Git providers was added for VCS remote repositories. For more information, see Create a VCS Repository.

  • Added Enforcement of Custom Configurations for Certain Remote Docker Repositories

    When creating a remote Docker repository for an Azure Container Registry (*.azurecr.io) or a Microsoft Container Registry (https://mcr.microsoft.com/), Artifactory makes the following default configuration:

    • Disable URL Normalization = true

    When creating a remote Docker repository for a Chainguard Registry (http://cgr.dev/chainguard), Artifactory makes the following default configuration:

    • Block Mismatching Mime Types = true

    These default configurations are set upon remote repository creation and can be canceled afterwards. For more information, see Other Advanced Settings for Remote Repositories.

  • Improved npm Search

    It is now possible to search for up to three search terms in npm local repositories when using the "npm search" command.

  • Enhanced Support for npm Audit

    In addition to npm virtual repositories, npm Audit is now also enabled by default on npm remote repositories that support npm Audit directly. For more information, see Use npm Audit.

  • Improved Resolving of Subgroups When Accessing Subgroups in Gitlab with Go Remote Repositories

    When accessing subgroups in GitLab with Go remote repositories (by selecting the Resolve Subgroups checkbox, as explained here), Artifactory now resolves the correct dependency version even if the URL contents contain both subgroups and submodules.

  • New Setting Added to Complete a List Manifest Image Overwrite

    A new setting has been added under Package Settings called Complete list manifest image overwrite. When this setting is enabled, overwriting a list manifest image will asynchronously overwrite all of its sub-manifests.

• Release Lifecycle Management

  • Expanded support for distributing and exporting Release Bundle v2 versions

    To make distributing and exporting Release Bundle v2 versions easier, you can now use JFrog Distribution with Release Bundle v2 versions signed with the default key in Artifactory. To support this change, the default key type has been changed from RSA to GPG, and the name of the default key has been changed to default-lifecycle-key. For more information, see Create Signing Keys for Release Bundles (v2).

  • Improved visibility for nested Release Bundles

    The Release Bundle v2 content graph now provides a clear, visual representation of nested Release Bundles. Seeing the complete hierarchy enables you to understand how the Release Bundle is constructed, even when it contains other Release Bundles. For more information, see View Release Bundle v2 Evidence.

  • Improved aggregated Release Bundle creation

    Artifactory has improved its handling of aggregated Release Bundles (meaning, a Release Bundle v2 version that is comprised of other Release Bundle versions). If the Release Bundle version you are trying to create contains multiple Release Bundles with the same artifact but different metadata (evidence or properties), Artifactory will create the version successfully using the newer version of the artifact.

  • Change of status code when creating Release Bundle v2 from build with missing artifact

    To improve reporting accuracy, errors caused by missing artifacts during Release Bundle v2 creation will be returned as a 422 error (SC_UNPROCESSABLE_ENTITY) rather than a different status code that triggered unnecessary monitoring alerts. The 422 status code represents the event more accurately as it is the expected behavior when an artifact cannot be found.

  • Performance Improvement in Release Bundle v2 Promotion Flow

    The performance of the promotion flow for Release Bundle v2 versions has been improved.

  • Source environment included in Release Bundle v2 promotion GET API results

    The Get Release Bundle v2 Promotions API and Get Release Bundle v2 Version Promotions API now include the source environment in their responses. This enables you to see at a glance the name of the environment from which the Release Bundle version was promoted.

  • Redesigned presentation of Release Bundle v2 contents

    The Content tab for Release Bundle v2 versions has been redesigned to show each package and standalone artifact included in the version (known as "releasables") and their source (for example, a build or a different Release Bundle). For more information, see View the Contents of a Release Bundle v2 Version.

  • Release Bundle v2 versions now associated with stages and lifecycles

    This version replaces environments with the concept of stages and lifecycles, to provide users with more flexibility and control over their SDLC. Administrators can create global and project stages as needed and assign them to different SDLC categories, such as Code and Promote. The administrator then adds selected stages to the lifecycle to represent the progression of release candidates through your SDLC. For more information, see Stages & Lifecycle.

  • Support for webhooks for project-related Release Bundles

    Artifactory now supports the creation of webhooks for Release Bundle v2 versions associated with specific projects. This enables you to receive notifications whenever a Release Bundle in a particular project is uploaded, promoted, or deleted. To create a Release Bundle webhook for a specific project, you must be working within the scope of the project (as opposed to All Projects).

    For guidelines about creating a Release Bundle v2 webhook for a specific project, see Domain: Release Bundle v2.

  • Created-by information provided for Sigstore evidence

    To improve understanding and traceability, the API response when creating and deploying Sigstore evidence now includes the username associated with the JFrog token instead of ‘internal’.

  • More accurate error messages during Release Bundle promotion

    To improve user understanding, validation errors during the Release Bundle v2 promotion process will now return a BAD REQUEST error message (HTTP 400) rather than a generic HTTP 500 error.

  • Release Bundle v2 auto-creation feature removed

    The Release Bundle v2 auto-creation feature, which was introduced to help customers transition from build promotion to the expanded feature set offered by Release Lifecycle Management, has been removed from the platform UI after having served its purpose.

  • Viewing Release Bundles distributed to Edge nodes

    To align the platform UI with the REST API, only admin users are permitted to view distributed Release Bundle versions (v1 and v2) in the Received tab on Edge nodes. For more information, see View Release Bundles on Edge Nodes.

• Cleanup and Retention Policies

  • Adding days/weeks selection for Time-based Policy Condition - Cleanup Release Bundle V2

    Enhanced RB V2 cleanup functionality with the addition of days/weeks selection for policy condition. You can now configure cleanup conditions, specifying days/weeks for the RB V2. For more information, see Create Cleanup Policy - Release Bundle V2.

  • Retention Policies - Cleanup & Smart Archiving

    The Stop All Runs action is now restricted to Platform Admins only. Project Admins no longer have access to this action.

  • Run Cleanup policies and Garbage Collection (GC) Simultaneously

    Enabled cleanup policies to run more reliably by making them health-aware. Jobs will now run concurrently with other tasks only if the system is HEALTHY and will automatically stop if load increases, ensuring system stability.

    This can be toggled by the system property: artifactory.retention.system.health.aware.job.enabled

• Artifact Management

  • Improved Artifact Lifecycle Management

    Artifactory now updates the creation timestamp of an artifact when it is copied or moved to a new repository to the current date and time of the operation. Previously, the original creation timestamp was retained when moving or copying an artifact to another repository, which led to incorrect assumptions about the artifact's age and relevance in the new location. The "last modified" timestamp remains unchanged to preserve the integrity of the artifact's last update. This enhancement helps in the effective adoption of cleanup policies and aligns with industry standards. To ensure backward compatibility, this feature is implemented behind a feature flag and is disabled by default.

  • New Metadata Properties Added to the manifest.json

    Metadata properties for the operating system and the operating system architecture will now be added to the manifest.json after pushing or caching a new image. These new properties are set in docker.os and docker.architecture, respectively.

  • Prevent accidental removal of referenced sub-architectures in multi-arch images

    Starting from this Artifactory version, when deleting a multi-architecture image, any sub-architecture variant that is still referenced by another image will be preserved.

  • Context retention in Artifacts browser

    When you copy or move artifacts in the Artifacts browser, the UI no longer moves automatically to the destination path of the operation but remains in its original context. To move to the destination path after the copy or move operation is complete, click the Go to path link in the confirmation message.

  • UI Support for Debian Source Package Search

    Added support for Debian Source package search.

• Caching

  • Improved Change Artifacts count UI widget caching mechanism

    Improvements were made to the Change Artifacts count UI widget caching mechanism.

  • Daily Cleanup Job Added for Cache FS _pre folder

    A daily job is now triggered on startup to cleanup old dbRecord*.bin files in the cache provider’s _pre folder. The configurations for this job can be modified in the binarystore.xml file under the cache-fs provider.

• Platform UI

  • Redesigned platform UI for Release Lifecycle Management

    The platform UI for Release Lifecycle Management has been redesigned to provide a clearer, more consolidated view of your Release Bundles. The new design centralizes all critical information for each Release Bundle version, including its timeline, contents, security scans, evidence, and properties, in an accessible and intuitive interface. For more information, see Release Lifecycle Management.

  • Improved visibility of OCI/Docker multi-arch images in the platform UI

    To reduce visual clutter and improve comprehension, Artifactory now makes it easier to manage OCI/Docker multi-arch images in the platform UI. For example, if you have a multi-arch image called my-image:1.0.0 that supports amd64 and arm64 architectures, Artifactory contains 3 distinct package versions, one for the manifest list and one for each architecture:

    • my-image:1.0.0
    • my-image:sha256__f2ca1bb6c7....
    • my-image:sha256__1a8a5828e8....

    Artifactory now displays the version for the manifest list only in the platform UI and suppresses the individual architecture versions (named according to their image tags). This enables you to focus on the multi-arch image as a single entity. Please note that all package versions will be returned when listing the content via the REST APIs.

  • Platform UI support for displaying larger evidence files

    The platform UI can now display evidence files up to a maximum size of 3000 lines (compared to 1500 lines in previous versions). Larger evidence files can be downloaded with a single click. For more information, see View Evidence.

  • Support for Easy Copying of Administration Values

    The JFrog Platform WebUI now supports a Copy button, allowing you to copy values in the Administration module pages with a single click.

    The following values will now be easily copiable:

    • Token ID under Access Tokens
    • Name under Projects, Users, Groups, Permissions, Project Members, Webhooks, and Manage Integrations
    • Auth URL under OAuthSSO
    • URL under Webhooks
    • Group Name under Crowd/ Jira
    • Provider URL under Manage Integrations
    • Project Key under Projects

• Platform Configuration

  • Support for Updating the Access Bootstrap YAML File

    The JFrog Platform now supports making changes to the access.security.bootstrap.yml file without creating a new configuration or modifying the existing Artifactory YAML file. For more information, see Access Bootstrap YAML File.

  • Improved Configuration Descriptor Validation

    Configuration descriptor validation was improved to increase system stability.

  • Traefik Version Upgrade

    The Traefik version embedded in the Router microservice was upgraded from v2 to v3. This should not impact operation. Though if you your deployment depends on specific functionality, review their upgrade notes

Resolved Issues

Artifactory 7.117

This section includes all the Artifactory 7.117 releases.

Artifactory 7.117.19 Self-Managed

Released: 23 October 2025

Resolved Issues

Artifactory 7.117.18 Self-Managed

Released: 7 October 2025

Feature Enhancements

• Maintenance Release

  Released a fix for CVE-2025-41249. For more information see Artifactory Fixed Security Vulnerabilities.

Resolved Issues

Artifactory 7.117.17 Self-Managed

Released: 24 September 2025

Resolved Issues

Artifactory 7.117.16 Self-Managed

Released: 16 September 2025

Resolved Issues

Artifactory 7.117.15 Self-Managed

Released: 2 September 2025

Resolved Issues

Artifactory 7.117.14 Self-Managed

Released: 19 August 2025

Resolved Issues

Artifactory 7.117.12 Self-Managed

Released: 5 August 2025

Resolved Issues

Artifactory 7.117.10 Self-Managed

Released: 31 July 2025

Resolved Issues

Artifactory. 7.117.8 Self-Managed

Released: 19 July 2025

❗️

Known Issue in this Version

During startup and regular operation, the Artifactory Frontend service attempts to download resources from the public internet endpoint https://grpc.qwak.ai. Therefore, JFrog recommends avoiding the upgrade to this version if your organization's environment restricts access to this endpoint. For more information, see Artifactory Known Issues.

Resolved Issues

Artifactory 7.117.7 Self-Managed

Released: 25 July 2025

❗️

Known Issue in this Version

During startup and regular operation, the Artifactory Frontend service attempts to download resources from the public internet endpoint https://grpc.qwak.ai. Therefore, JFrog recommends avoiding the upgrade to this version if your organization's environment restricts access to this endpoint. For more information, see Artifactory Known Issues.

Artifactory 7.117.5 Self-Managed

Released: 24 July 2025

New Features

⚠️

Known Issues in this Version

• During startup and regular operation, the Artifactory Frontend service attempts to download resources from the public internet endpoint https://grpc.qwak.ai .Therefore, JFrog recommends avoiding the upgrade to this version if your organization's environment restricts access to this endpoint. For more information, see Artifactory Known Issues.
• When upgrading existing Artifactory installations that have Router TLS enabled (router.tlsEnabled: true) in the system.yaml file, a common issue has been identified. The upgrade process might fail because the Router service fails to start, displaying the following error: Error during the build of the default TLS configuration: unknown TLS options: default. For more information, see Artifactory Known Issues.

⚠️

Breaking Change for Access REST APIs

From this version, Access REST API responses will be returned as compact JSON and not as pretty-printed JSON. Note that some automatic parsers that rely on the formatting will require an update.

• New REST API: Get Projects List for a Global Role

  The JFrog Platform now supports getting a paginated list of projects where a specific global role is used. For more information, see Get Project List for a Global Role API.

Feature Enhancements

⚠️

Breaking Change for Artifactory Federation Service

The version of the Artifactory Federation Service (RTFS) that comes with this Artifactory release changes the context path from /artifactory/service/rtfs to /rtfs. This is a breaking change for users who have multiple sites (JPDs) using RTFS. (Users who run RTFS on only one site, and sites that use the legacy Federation service, are unaffected by this change.)

Users in Self-Managed environments who have sites running an older version of RTFS should upgrade them to the new version of RTFS as soon as possible to accommodate the new context path. As an interim solution, a set of commands can be added as a workaround to bridge the context path differences between sites using the new version of RTFS and sites using an older version, as described below.

Nginx Configuration

Add this command to the Nginx configuration of a site using the new version of RTFS:

location /artifactory/ {
    if ($request_uri ~ ^/artifactory/service/rtfs/(.*) $ ) {
      proxy_pass       http://router/rtfs/$1;
      break;
    }
    if ( $request_uri ~ ^/artifactory/(.*) $ ) {
      proxy_pass       http://artifactory/artifactory/$1;
    }
    proxy_pass         http://artifactory/artifactory/;
  }

This command instructs Nginx to redirect requests from sites that use the old RTFS context path to the new context path.

Add this command to the Nginx configuration of a site using the old version of RTFS:

location /rtfs/ {
  if ($request_uri ~ ^/rtfs/(.*) $ ) {
      proxy_pass       http://router/artifactory/service/rtfs/$1;
      break;
    }

This command instructs Nginx to redirect requests from sites that use the new RTFS context path to the old context path.

Apache Configuration

Use the following Apache rewrite rule to redirect requests between sites that have a mix of old and new context paths:

RewriteRule "^/artifactory/service/rtfs/(.*) $" "balancer://artifactory/artifactory/service/rtfs/$1" [P,L]

Important Migration Note

When migrating from the legacy Federation service to RTFS, be sure to use version 2.0 of the CLI, which implements the new context path.

• Release Bundles

  • Create Release Bundle v2 version from multiple sources

    You can now create a Release Bundle v2 version from multiple sources, for example, a combination of artifacts, builds, and existing Release Bundles. For more information, see Create Release Bundle v2 Version.

  • Create a Release Bundle v2 version from packages

    You can now create a Release Bundle v2 version by defining one or more packages to include in the Release Bundle. The Release Bundle can include packages of every type supported by Artifactory. For more information, see Create Release Bundle v2 Version.

  • Create a Release Bundle v2 version using items in remote-cache repositories

    You can now create a Release Bundle v2 version that includes packages and artifacts located in remote-cache repositories. For more information about Release Bundle creation, see Create Release Bundle v2 Version.

  • SBOMs containing remote-cache dependencies

    Release Bundle v2 versions created from build-info can now include build dependencies located in remote-cache repositories, provided you have used the option for including dependencies in the Release Bundle. If this option has not been used, the remote-cache dependencies will not be included in the Release Bundle, but the SBOM used by Xray will still contain metadata about those dependencies.

  • Release Bundle v2 – support for SBOMs with remote dependencies

    Previously, Release Bundle v2 did not include information about dependencies from remote repositories, which prevented the generation of a complete SBOM (software bill of materials) by Xray. This limitation hoas now been removed, which means that information about these dependencies will be included in the SBOM, and Xray (version 3.121.7 and above) can scan them. Having a complete SBOM increases transparency and security by providing insight into all components involved in the Release Bundle, and helps with auditing and compliance.

📘

Note

Although information about remote dependencies is included in the SBOM, the dependencies themselves are not included in the Release Bundle in the current version.

• Source environment of Release Bundle v2 promotions

  The source environment of a Release Bundle v2 promotion is now included in the API response, making it easier for users to identify the start and end points of the promotion. For more information about promotion, see Promote Release Bundle v2 Version.

• Adding properties to Release Bundle v2 versions

  You can now add properties and property sets to Release Bundle v2 versions. Properties are user-defined, key-value pairs that are added to the Release Bundle v2 version's manifest file. For more information, see Add Properties to a Release Bundle v2 Version.

• New search and filtering options for Release Lifecycle Management kanban board

  The Release Lifecycle Management kanban board now features options for searching through and filtering the displayed Release Bundle versions. These options make it easier for you to focus on the versions of greatest interest.

• Release Bundle v2 promotion rollback

  You can now use the REST API to roll back the latest promotion of a Release Bundle v2 version. Rollback deletes the contents of the latest promotion (including its artifacts, properties, and evidence) and restores the version to its previous environment, including the properties and evidence it contained when the version was first created. For more information, see Promotion Rollback.

• Release Bundle v2 version supports plus sign character

  You can now include a plus sign (+) when defining the version of a Release Bundle v2. This change was made to achieve alignment with the SemVer 2.0.0 specification. For more information, see Create Release Bundle v2 Version.

• Assigning a tag when creating a Release Bundle v2 version

  You can now assign a tag when creating a Release Bundle v2 version with the REST API. Use the tag to identify the version quickly. For example, you can create tags such as nightly-build, release-candidate, bugfix-2025-33124, and so on. The tag will appear on the card for the Release Bundle version on the Release Lifecycle stages board.

📘

Note

You can continue using the Assign Tag API to tag existing Release Bundle versions.

• Version counter on Release Lifecycle stages board

  The Release Lifecycle stages board now includes a counter so that you can see at a glance how many versions of the selected Release Bundle currently exist.

• Improved error codes during Release Bundle v2 creation

  Artifactory will now return 404 when an artifact or package is missing from the defined artifact or package list during Release Bundle v2 creation. In addition, Artifactory will return 403 when an artifact or package is filtered out due to a user permissions issue.

• Evidence provider logo displayed on stages board

  Each evidence item displayed on the Release Lifecycle stages board now includes a logo to indicate the provider of that evidence, whether it is evidence provided by the JFrog platform or evidence originating from other providers, such as GitHub or Sonar. The logo is also displayed prominently when the contents of the evidence item are opened.

• Cleanup and Retention Policies

  • Support for Composer Packages in Cleanup Policies and Smart Archiving

    Cleanup Policies and Smart Archiving now support Composer package type.

  • Support for Chef and Puppet Packages in Cleanup Policies

    Cleanup Policies now support Chef and Puppet package types.

  • Support for N versions in Retention Policies

    Cleanup Policies and Smart Archiving now support N versions for Docker, OCI and Helm OCI. For more information, see Cleanup Supported Packages and Smart Archiving Supported Packages.

  • API Run Summary Reports for Cleanup and Smart Archiving

    Added new API endpoints for cleanup and smart archiving that provide detailed run summary reports in JSON format. For more details, refer toView Package Cleanup Policy Run Summary Report API and View Smart Archiving Policy Run Summary Report API.

  • Smart Archiving Packages: Evidence

    Added support for the archival of evidence associated with any packages. This enhancement ensures that relevant evidence is preserved as part of your archiving strategy, streamlining your package management process. For more information, refer to Smart Archiving.

  • Property-based Policy Condition - Smart Archiving Packages

    Enhanced package-archivie functionality with the addition of a property-based policy condition. You can now include or exclude specific package versions from archive by applying a property-based policy condition. This allows for more granular control over which packages are retained or archived during archive actions. For more information, see Create Smart Archiving Policy.

• Packages and Repositories

  • Default Socket Timeout for Federated Repositories

    The default socket timeout for Federated repositories has been changed to 300000 milliseconds (5 minutes). This value can be adjusted, if required, using an Artifactory system property. For more information, see Increase the Predefined Socket Timeout for Larger Repositories.

  • CocoaPods Smart Repositories

    The CocoaPods Settings section has been removed from the smart repository creation page. Smart repositories automatically inherit configuration from their source repository, making manual settings unnecessary.

  • Cocoapods CDN Smart Repository Support

    Added smart repositories support for CocoaPods CDN.

  • Improvement in Promoting Docker Images

    Starting from this Artifactory version, when Docker image promotion overrides an existing image tag in the target repository, shared layers from other tags of the same image will not be deleted. In versions prior to 7.117.1, these shared layers may be deleted.

  • Support for Oracle 23c

    Artifactory is now certified to work with the Oracle 23c database.

  • Improved Get Federation Sync State REST API performance

    The performance of the REST API that returns the synchronization state of all Federated repositories in the JPD has been improved.

📘

Note

This API endpoint is relevant for users operating the legacy Federation service, not the Artifactory Federation Service (RTFS).

• JFrog Platform

  • Removal and Backup of Mission Control Plugins

    The following Mission Control plugins, which were created during the initial days specifically for Mission Control, are no longer required by any JFrog products. As a result, these plugins will be removed in this version and backup files are created with a .backup extension.

    • internalUser.groovy
    • ldapSettingsConfig.groovy
    • ldapGroupsConfig.groovy
    • haClusterDump.groovy
    • repoLayoutsConfig.groovy
    • proxiesConfig.groovy
    • propertySetsConfig.groovy
    • requestRouting.groovy
    • httpSsoConfig.groovy
    • pluginsConfig.groovy

    For more information, see User Plugins documentation.

  • Support for Reading Permissions Scoped Tokens

    It is now possible for non-admin users to use the Get Projects List API, Get Project Users API, Get Repository Configuration API , HA License Information API , and Get Storage Summary Info API endpoints using a scoped token. For more information, see Create Scoped Token.

  • Secure Cloud Storage Credentials in Helm

    We have introduced a new feature that allows you to supply cloud storage identity and credentials as a Kubernetes secret within your values.yaml file for Artifactory Helm deployments. This capability extends to:

    • AWS S3V3: Securely provide your AWS S3V3 access keys and secret keys.
    • Azure Blob Storage: Securely provide your Azure storage account name and access key.

  • Improved Builds table

    The Builds table features two important enhancements:

    • The maximum of 100 builds displayed in the table has been removed. The table can now display all the builds that exist in your Artifactory instance.
    • A search window has been added to make it easier to focus on the builds of greatest importance to you. (This new search window works in coordination with the platform search window at the top of the UI.)

  • Additions to Artifactory Request Log (JSON version)

    The JSON version of the Artifactory request log has been enhanced to include additional metrics for improved tracking of request and response performance. These enhancements provide insights into response timing, data size, processing duration, and request specifications.

  • Expanded support for scoped tokens in Deploy Evidence API

    The Deploy Evidence REST API now supports scoped tokens based on specified artifacts in addition to its previous support for scoped tokens based on a specified repository. In both cases, the scoped token must include the Annotate action. For more information, see Create Scoped Token.

  • Filter Users and Groups by Role Within a Repository Via REST API The JFrog Platform now supports filtering users and groups by role within a specific repository via REST API. For example, you can easily retrieve a list of admins for a specific repository to streamline permissions management. For more information, see Get User List API and Get a List of Groups API.

  • Allow Granting Manage Permissions in Permissions V2

    The JFrog Platform now supports allowing users with manage permissions to grant manage and other permissions to other users in Permissions V2, although it is not recommended. For more information, see Permissions.

  • Add Unlimited Groups to a Reference Token in SAML The JFrog Platform now supports adding an unlimited number of groups in SAML user-scoped reference tokens, as the number of groups does not affect the payload. For more information, see Create Token.

  • Improved Robustness of Binary Uploads to Google Cloud Storage (GCS)

    The robustness of binary uploads to GCS has been improved by enhancing recovery mechanisms.

  • Daily Notification Emails for Token Expiration

    The JFrog Platform now supports setting intervals for email notifications about tokens that are about to expire, either once or daily during the notice period. For more information, see Token Expiration Notification.

  • JFrog Platform WebUI Breadcrumbs

    From Artifactory version 7.116.3, breadcrumbs allowing you to orient yourself in the JFrog Platform WebUI will gradually be rolled out to all pages. For more information, see JFrog Platform Navigation.

• Workers

  • Get Worker Code Samples with Worker Code Gallery

    The JFrog Platform now supports populating new Workers with GitHub code samples, directly from the JFrog Platform WebUI. For more information, see Configure Workers in the UI.

  • Rerun Worker Runs

    The JFrog Platform now supports a Rerun feature to troubleshoot Worker runs. For more information, see Workers Troubleshooting.

  • Updated Type Definitions for Event-Driven Workers' Response

    Refined TypeScript type definitions for event-driven workers' response to improve the developer experience.

Resolved Issues

Artifactory 7.111

This section includes all the Artifactory 7.111 releases.

Artifactory 7.111.12 Self-Managed

Released: 13 July 2025

⚠️

Breaking Change for Artifactory Federation Service

The version of the Artifactory Federation Service (RTFS) that comes with this Artifactory release changes the context path from /artifactory/service/rtfs to /rtfs. This is a breaking change for users who have multiple sites (JPDs) using RTFS. (Users who run RTFS on only one site, and sites that use the legacy Federation service, are unaffected by this change.)

Users in Self-Managed environments who have sites running an older version of RTFS should upgrade them to the new version of RTFS as soon as possible to accommodate the new context path. As an interim solution, a set of commands can be added as a workaround to bridge the context path differences between sites using the new version of RTFS and sites using an older version, as described below.

Nginx Configuration

Add this command to the Nginx configuration of a site using the new version of RTFS:

location /artifactory/ {
    if ($request_uri ~ ^/artifactory/service/rtfs/(.*) $ ) {
      proxy_pass       http://router/rtfs/$1;
      break;
    }
    if ( $request_uri ~ ^/artifactory/(.*) $ ) {
      proxy_pass       http://artifactory/artifactory/$1;
    }
    proxy_pass         http://artifactory/artifactory/;
  }

This command instructs Nginx to redirect requests from sites that use the old RTFS context path to the new context path.

Add this command to the Nginx configuration of a site using the old version of RTFS:

location /rtfs/ {
  if ($request_uri ~ ^/rtfs/(.*) $ ) {
      proxy_pass       http://router/artifactory/service/rtfs/$1;
      break;
    }

This command instructs Nginx to redirect requests from sites that use the new RTFS context path to the old context path.

Apache Configuration

Use the following Apache rewrite rule to redirect requests between sites that have a mix of old and new context paths:

RewriteRule "^/artifactory/service/rtfs/(.*) $" "balancer://artifactory/artifactory/service/rtfs/$1" [P,L]

Important Migration Note

When migrating from the legacy Federation service to RTFS, be sure to use version 2.0 of the CLI, which implements the new context path.

Feature Enhancements

• Improved Get Federation Sync State REST API performance

  The performance of the REST API that returns the synchronization state of all Federated repositories in the JPD has been improved.

📘

Note

This API endpoint is relevant for users operating the legacy Federation service, not the Artifactory Federation Service (RTFS).

Resolved Issues

Artifactory 7.111.11 Self-Managed

Released: 3 July 2025

Resolved Issues

Artifactory 7.111.10 Self-Managed

Released: 17 June 2025

Resolved Issues

Artifactory 7.111.9 Self-Managed

Released: 3 June 2025

Resolved Issues

Artifactory 7.111.8 Self-Managed

Released: 20 May 2025

Feature Enhancements

• Default Socket Timeout for Federated Repositories

  The default socket timeout for Federated repositories has been changed to 300,000 milliseconds (5 minutes). This value can be adjusted, if required, using an Artifactory system property. For more information, see Increase the Predefined Socket Timeout for Larger Repositories.

Resolved Issues

Artifactory 7.111.7 Self-Managed

Released: 8 May 2025

Resolved Issues

Artifactory 7.111.4 Self-Managed

Released: 23 April 2025

Important Announcements

• Pre-Upgrade Checks for Bundled PostgreSQL

  If you are using the bundled postgresql with the Artifactory Helm chart during the upgrade to Artifactory version 7.111, it is essential to perform some pre-upgrade checks to ensure a smooth upgrade.

⚠️

Breaking Changes in Bundled PostgreSQL Upgrade

Starting from Artifactory version 7.111.x, the bundled postgresql chart is upgraded to version 15.5.20. This update is available in the latest artifactory and artifactory-ha Helm charts.

If you upgrade Artifactory from any older version to 7.111.x directly, there may be some challenges during the upgrade if you are using the bundled postgresql in the Helm chart. Customers using an external postgresql will not be affected.

For more information about the pre-upgrade checks to be performed, see Pre-Upgrade Checks for Bundled PostgreSQL in Artifactory.

• Verify Database Configurations for Go Services

  If you have customized the database URL for the Metadata microservice, it is essential to configure the Evidence database URL as well for a smooth upgrade, as both are GO services.

⚠️

Database Configuration Checks for Smooth Upgrade

Similar to Metadata, Evidence is also a Go service with a direct connection to the Artifactory database. Note that, JFrog provides a JDBC to Go URL converter within the Artifactory application to facilitate this connection.

However, in some cases, the converter may be unable to connect, which could affect Go services like Metadata and Evidence.

Customers who have previously configured metadata.database.url must also add evidence.database.url before upgrading to version 7.111.x. This step is essential to maintain database connectivity after the upgrade.

New Features

• Packages: Hex Repositories

  Hex repositories in Artifactory allow you to deploy and resolve Hex packages. For more information, refer to Hex Repositories. (GA for all customers)

• Packages: NVIDIA NIM Models

  JFrog Artifactory now integrates with NVIDIA NIM, allowing you to cache NVIDIA NIM models in Artifactory via a remote repository. NVIDIA NIM is a set of microservices designed to accelerate the deployment of foundation models across any cloud or data center, ensuring data security. It provides production-grade runtimes with ongoing security updates and stable APIs, backed by enterprise-grade support. For more information, refer to NVIDIA NIM Repositories.

• API Key Deprecation Control

  As part of the deprecation process, API Key has reached End of Life in Q4.24. This version includes a checkbox in the JFrog platform UI allowing you to control the API Key usage deprecation. This checkbox will be deselected by default: to block API key usage in your environment, select the Disable API Key Usage checkbox under Administration > Security > General. For more information, see JFrog API Key Deprecation Process.

• New Service - JFConfig

  We have added a new service to our Self-Managed instances. JFConfig is a service that can be used by other JFrog services to store configuration in a key-value format in DB in a centralized way.

  For more information, see Artifactory Product.

• Support readOnlyRootFilesystem in Artifactory ContainersH

  Support has been added for readOnlyRootFilesystem in Artifactory containers, which is a Kubernetes security context feature. This feature enhances security by allowing Artifactory to operate in environments where containers are configured with readOnlyRootFilesystem=true. In this configuration, the entire file system of the container is set to read-only, preventing modifications to files or directories. This setting serves as a security measure to protect the application and its data from unauthorized changes.

  For more information on how to configure this setting, see Configure readOnlyRootFilesystem in Artifactory Containers.

• Enable Logging to STDOUT and STDERR

  In the Artifactory Helm charts, container logs are supported through STDOUT and STDERR. This feature can be enabled by setting the feature flag logging.logToStdoutJson=true. When the feature is enabled, container logs will be output in JSON format via console logging, while service logs inside the container will be available only in text format, such as artifactory-service.log.

Feature Enhancements

• Packages and Repositories

  • New Machine Learning Layout for Hugging Face Repositories

    All new Hugging Face repositories are now created with the new unified Machine Learning layout. Users can also migrate legacy Hugging Face repositories to the new Machine Learning layout on a manual basis. The Hugging Face repositories legacy layout will be deprecated in July 2025 when all repositories with the legacy layout will be automatically upgraded to the Machine Learning layout. For more information, click here.

  • Added Support for Chocolatey and PowerShell Clients in Nuget Repositories

    • Added support for PowerShell (minimum version 1.0.5) to interact with NuGet repositories.
    • Added support for Chocolatey (minimum version 1.2.0) to interact with Nuget repositories.

    For more information, see NuGet Repositories.

  • Hex Virtual Repositories

    Artifactory now supports Hex Virtual Repository. A Hex virtual repository aggregates Hex local and remote repositories, enabling more efficient package management. To learn more, see Hex Repositories.

  • Easier Configuration of the NimModel Redirect Download Form

    The NimModel redirect download form can now be configured through the User Interface.

  • Complete Docker and OCI List Manifest Image Overwrite

    When overwriting a list.manifest file with a new one, all previous sub-manifests will be removed, enhancing storage efficiency and reducing the need for manual cleanup. For more information, click here.

  • Support Added for the PyPI JSON API in Remote and Virtual Repositories

    Artifactory now supports PyPI’s JSON API in remote and virtual repositories.

  • Support Added for PyPI JSON API in Local Repositories

    Artifactory now supports the PyPI JSON API in local repositories with most attributes. The following attributes (JSON keys) are not supported:

    • Deprecated keys (releases, downloads, has_sig, bugtrack_url) as described in PyPI JSON API
    • The following info sub keys: description_content_type, dynamic, license_expression, license_files, maintainer, maintainer_email, project_urls, provides_extra, requires_dist
    • Vulnerabilities key

  • Permissions Added for Using Zapping Cache on Remote Repositories

    The Zapping Cache action on remote repositories now requires Manage or Delete permissions, either via the UI or API. This change is backward-compatible. For more information on UI changes, click here, and for API changes, click here.

  • Repositories can now be assigned to more than one environment

    For more information, see Assign Environments to Repositories.

  • Added Tags for RPM local repositories

    Added support for the Recommends and Suggests dependency tags in the primary.xml metadata of RPM local repositories enhancing package management for clients like dnf and yum by recognizing optional dependencies.

    Feature Flag Control: The inclusion of Recommends tags in primary.xml can now be configurable via a feature flag

    yum.local.install.recommended.dependencies.enabled.

    To learn more, refer to Install RPM Packages Using Yum.

  • Added Support for Listing Folder Items in Conan Smart Remote Repositories

    • A new setting, List Folder Items, is now available for Conan Smart Remote Repositories.
    • Enabling the List Remote Artifacts checkbox during repository creation allows folder items to be listed.

  • Improved Access for Go Remote Repositories

    Go remote repositories now support the ability to access subgroups in GitLab.

  • Bearer Authentication for Remote Repositories

    Added Bearer Authentication support for remote repositories.

  • Properties Tab for RPM Remote Packages

    Added functionality to calculate and display the properties of an RPM package after it is downloaded from a remote RPM repository. The package properties are now shown in the Properties tab on the UI.

  • RPM Repositories - SHA-256 checksums have been integrated into Local and Virtual repositories

    Added SHA-256 checksums to the repomd.xml files of local and virtual repositories. This improvement ensures package integrity verification aligns with remote repositories' security standards.

    Local repositories previously do not have SHA-256 checksums in their repomd.xml files, increasing the risk of undetected package tampering or corruption.

    Enable SHA-256 for enhanced security in package integrity verification. To enable SHA-256 checksums, update the configuration by setting yum.local.repomd.calculate.sha2.enabled = true

  • Improved Performance of the Repository Selection Field in Set-Me-Up

    The performance of the repository selection field in Set-Me-Up has been improved by promoting a search-first approach.

  • Improvement to Maven Set-Me-Up Placeholders

    Maven set-me-up placeholders will now automatically populate.

• Cleanup Policies

  • Support for Vagrant and Hex in Cleanup and Archive

    • Vagrant packages are now supported in Cleanup and Archive.
    • Hex packages are now supported in Cleanup and Archive.

  • Support for Alpine and SBT in Cleanup and Archive

    • Alpine packages are now supported in Cleanup and Archive.
    • SBT packages are now supported in Cleanup and Archive.

  • Improved Cleanup Release Bundle V2 Report

    The Cleanup Release Bundle V2 report has been improved. For more information, refer to Cleanup Run Report Overview.

  • Support for Conda in Cleanup and Archive

    Conda packages are now supported in Cleanup and Archive.

  • Policy Conditions - Cleanup Packages

    • Adding Property-based Policy Condition

      Enhanced package-cleanup functionality with the addition of a property-based policy condition. You can now include or exclude specific package versions from cleanup by applying a property-based policy condition. This allows for more granular control over which packages are retained or removed during cleanup actions. For more information, see Create Cleanup Policy - Package.

    • Adding days/weeks selection for Time-based Policy Condition

      Enhanced package-cleanup functionality with the addition of days/weeks selection for Time-based policy condition. You can now configure by specifying Time-based cleanup conditions based on days/weeks for the packages. For more information, see Create Cleanup Policy - Package.

• Federation

  • Compile list of inconsistent Federated repositories

    A new API enables you to return a list of all Federated repositories in your local Artifactory instance that have a configuration mismatch with one or more remote members. After getting the list of mismatches, you can use the Synchronize Federated Member Configuration REST API on each mismatch to synchronize the members. For more information, see Get List of Inconsistent Federated Repositories API.

  • New API for removing Federation members

    A new REST API enables you to remove a member from all repository Federations to which it belongs. This can be used, for example, when a site is taken out of commission. This API removes the member on this site from all the Federations in which it was a part. For more information, see Remove Federation Member API.

• Release Lifecycle Management

  • Improved Release Lifecycle Management Kanban board

    The Release Lifecycle Management kanban board has been redesigned to provide more information at a glance, including clear indications of failed promotions. For more information, see Promote a Release Bundle v2 Version in the Platform UI.

  • Auto-creation of Release Bundle v2 versions after build promotion

    By default, Artifactory now creates a Release Bundle v2 version automatically when you promote a build using the JFrog CLI or REST API. It also promotes the Release Bundle to the environment associated with the build's target repository, if defined. Both copy promotions and move promotions are supported. Having a Release Bundle provides better visibility and control over your release candidate as it progresses through your SDLC.

    • Creating project-specific environments during build promotion

      When promoting a build, if the target repository (targetRepo) is part of a project, a project-specific environment is created for the auto-created Release Bundle v2. The environment is named after the status value of the build.

    • Giving build status priority over an existing target environment during build promotion

      If the status is defined for a build, the environment represented by that status is always given priority during promotion. For example, if an environment assigned to the targetRepo matches the status, the auto-created Release Bundle v2 is promoted to that environment. (That is, it is given priority over other environments that might also be assigned to the targetRepo.) If no environment exists for the status, a new environment is created for the promoted Release Bundle v2 with the name of the status, even when other environments are available.

  • Searching for distributed Release Bundle versions containing a specific artifact

    The Get Release Bundle v2 Versions with a Specific Artifact REST API (introduced in 7.107.1) has a new query parameter has a new query parameter that can return distributed Release Bundle versions (origin=target) containing the artifact in addition to created Release Bundle versions (origin=source). This new query parameter makes it possible to run the API on Edge nodes in addition to standard Artifactory instances.

  • Moving artifacts during Release Bundle v2 promotion

    When promoting a Release Bundle v2 version, you can optionally move the contents of the Release Bundle from the source to the destination instead of copying them (the behavior until now). For example, if you promote a Release Bundle v2 version from the DEV environment to the QA environment and select the Move option, the artifacts are removed from the repositories associated with DEV and moved to the repositories associated with QA. The option to move artifacts can be executed using the JFrog CLI, API, or platform UI.

  • Release Bundle v2 version creation using artifacts in virtual repositories

    You can now create a Release Bundle v2 version using artifacts located in a virtual repository, provided the source path of the artifacts points to a local repository (not a remote repository) aggregated by the virtual repository. This feature is relevant when creating a Release Bundle version from a list of artifacts.

  • Support for SemVer sorting in Release Bundle v2 APIs

    SemVer sorting support has been added to the Get Release Bundle v2 Versions API and Get Release Bundle v2 Versions in a Specific Environment API. This support is limited to the 1000 latest records and does not support pagination. This option pulls the latest 1000 records only and does not support pagination. Versions that do not conform to SemVer rules are sorted afterward lexicographically.

  • New API for returning all Release Bundle v2 versions containing a specified artifact

    A new REST API endpoint is available that returns a list of Release Bundle v2 versions containing a specified artifact. The origin query parameter enables you to distinguish between versions created on a device (origin=source) as opposed to versions distributed to a device (origin=target). This enables you to run this API on Edge nodes in addition to standard Artifactory instances. For more information, see Get Release Bundle v2 Versions by Artifact API.

  • New API for returning all Release Bundle v2 promotions containing a specified artifact

    A new REST API endpoint is available that returns a list of promoted Release Bundle v2 versions containing a specified artifact. For more information, see Get Release Bundle v2 Version Promotions with a Specific Artifact API.

  • New API for returning all Release Bundle v2 versions in a specified environment

    A new REST API endpoint is available that returns all Release Bundle v2 versions associated with a specified environment, for example, DEV or PROD. For more information, see Get Release Bundle v2 Versions in a Specific Environment API.

  • New API for adding tags to Release Bundle v2 versions

    You can now add a descriptive tag to a Release Bundle v2 version via REST API to help identify Release Bundle versions quickly. The tag will appear on the stages board in the platform UI to enhance visibility and organization. For example, you can create tags such as nightly-build, release-candidate, bugfix-2025-33124, and so on. For more information, see Assign Tag to Release Bundle v2 Version API.

  • Get Release Bundle v2 Versions API returns tag information

    The Get Release Bundle v2 Versions REST API now returns the descriptive tag assigned to a Release Bundle version. For more information about tagging, see Assign Tag to Release Bundle v2 Version API.

  • Increased limits for Release Bundle v2 names and versions

    The maximum length of the name (release_bundle_name), version (release_bundle_version), and creator (created_by) of a Release Bundle v2 has been increased to 255 characters when working with the REST API.

  • New promotion icons on RLM Kanban board and timeline

    New icons have been introduced to the Release Lifecycle Management stages board and timeline. These icons indicate at a glance what type of Release Bundle promotion was performed (copy artifacts or move artifacts). Hovering over the icon provides a tooltip reminder. For more information, see Promote a Release Bundle v2 Version in the Platform UI.

• Evidence

  • Evidence management – support for additional databases and installation types

    The Evidence service now supports all databases that Artifactory supports. For the complete list, see Artifactory Database Requirements. In addition, the Evidence service is now enabled by default for all installation types. For more information, see Installing Artifactory.

  • Attach external evidence to artifacts in the local part of a virtual repository

    You can now attach external evidence to artifacts located in a local repository that is aggregated inside a virtual repository. For more information about attaching external evidence, see Evidence Service.

  • Changes to Evidence GraphQL APIs

    The repositoryKey and path fields have been deprecated from the Get Evidence API and Search Evidence API, and subject (which contains repositoryKey, path, name, and sha256) has been added.

  • Viewing Evidence in the Packages Screen

    You can now view a list of the evidence files associated with a specific package version in a selected repository. For more information, see View the Package Evidence Table.

  • Enable Evidence for All Installations

    Starting from Artifactory version 7.111, Evidence service is available for all installations.

• JFrog Platform

  • Performance Improvements with Artifactory Helm Charts bundled with Nginx

    A number of performance improvements have been made when using Artifactory Helm Charts bundled with Nginx. These items can be configured in the Helm chart's values.yaml file. The enhancements include:

    • Improved performance with throughput improvements of up to 59%
    • Increased number of available Nginx workers connections: from 1024 to 8192 (worker_connections 8192)
    • Auto-scaling of the number of workers: based on the number of available CPUs (worker_processes auto)
    • The ability to use keep-alives: for reusing the Nginx > Artifactory connections

  • Added Memory Target Trigger to Artifactory Charts using HPA

    Custom metrics support for Horizontal Pod Autoscaler (HPA) has been incorporated into the Artifactory Helm chart. With these metrics, you can configure custom auto-scaling behavior for HPA.

    For the Artifactory chart, HPA will function only when the replica count is a minimum of 2 (i.e., in High Availability mode). For the Artifactory HA chart, HPA will operate as expected.

    For more information, see Add Memory Target Trigger to Artifactory Charts using HPA.

  • Improved Project Navigation

    The Projects navigation menu now includes UI usability enhancements: it is now located in the sidebar and highlights Projects filtering to clarify context switching between Project and All Projects scope.

  • Blocking Blob Uploads If a Digest Does Not Match the Blob’s SHA-256 Checksum

    Added a flag to block blob uploads if a provided digest does not match the blob’s SHA-256 checksum. This flag is disabled by default but can be enabled as needed.

  • Docker Repository Key Length Limitation on Cloud Platforms

    Artifactory cloud customers using the Docker Subdomain method will now receive a warning when creating a repository if their repository key is too long for DNS record creation. This could lead to accessibility issues if DNS is not managed internally. However, exceeding the character count does not prevent creating the repository. For more information, click here.

  • Support for Triggering Partial Reindexing of Helm Charts

    Added support for triggering partial reindexing of Helm charts, enabling more efficient and targeted index.yaml updates. This improvement reduces processing time and resource usage. For more information, see Helm Charts Partial Re-Indexing .

  • Access Token Expiration Email Now Points to the CNAME Domain

    The JFrog platform will send users Access token expiration reminder emails which include the CNAME URL instead of the JFrog instance URL.

  • SCIM Token Expiry Configuration

    The JFrog Platform now supports the creation of SCIM tokens with configurable expiry times. To learn more, see Generate a Scoped Token for SCIM.

  • Get Token Last Used Information

    The JFrog Platform now supports getting a token’s ‘last used’ timestamp when using Get Tokens and Get Token By ID API REST APIs.

  • Support for Reading Permissions Scoped Tokens

    It is now possible for non-admin users to use the Get User List API, Get a List of Groups API, and Get All Permissions API endpoints using a scoped token. For more information, see Create Scoped Token.

  • Maximum placed on bad checksum search responses

    Responses to the Bad Checksum Search REST API are now limited to a maximum of 10,000 results.

• Storage

  • New Metric for Obtaining Shard Accessibility Status

    For Artifactory instances configured to use shards, a new metric (jfsh_shard_accessibility_status_total) has been introduced for obtaining the accessibility status of each shard. The possible values are:

    • 1: a shard is accessible
    • 0: a shard is inaccessible
    • -1: a timeout occurred while checking the accessibility status of a shard

    For more information, click here.

  • New Metric for Counting Binaries Not Cached Due to Their Large Size

    A new metric (jfsh_cache_bypass_large_binary_total) has been added for counting binaries that were not cached due to their large size. For more information, click here.

• Supported Worker Features

  • New Worker Event: Before Token Expiry

    JFrog now supports creating event-driven workers to trigger before a token expires. Learn more

  • Alt Response event is now supported.

  • Alt All Responses event is now supported.

  • Alt Remote Content event is now supported.

  • After Download Error event is now supported.

  • Before Download Request event is now supported.

  • Before Build Info Save event is now supported.

Resolved Issues

Artifactory 7.104

This section includes all the Artifactory 7.104 releases.

Artifactory 7.104.15 Self-Managed

Released: 9 April 2025

Resolved Issues

Artifactory 7.104.14 Self-Managed

Released: 27 March 2025

Resolved Issues

Artifactory 7.104.13 Self-Managed

Released: 24 March 2025

Resolved Issues

Artifactory 7.104.12 Self-Managed

Released: 12 March 2025

Feature Enhancements

• Maximum placed on bad checksum search responses

  Responses to the Bad Checksum Search REST API are now limited to a maximum of 10,000 results.

• Permissions Added for Using Zapping Cache on Remote Repositories

  The Zapping Cache action on remote repositories now requires Manage or Delete permissions, either via the UI or API. This change is backward-compatible. For more information on UI changes, click here, and for API changes, click here.

Resolved Issues

Artifactory 7.104.10 Self-Managed

Released: 26 February 2025

Resolved Issues

Artifactory 7.104.9 Self-Managed

Released: 20 February 2025

⚠️

Known Issue in this Version

There is a known issue that causes an infinite loop when searching for packages by name in the top search bar on the Packages screen. Users should avoid installing this version and move directly to version 7.104.10.

Resolved Issues

Artifactory 7.104.7 Self-Managed

Released: 13 February 2025

Resolved Issues

Artifactory 7.104.6 Self-Managed

Released: 1 February 2025

Resolved Issues

Artifactory 7.104.5 Self-Managed

Released: 29 January 2025

Important Announcements

• Updated Minimum System Requirements

  To support the new services for our self-Managed customers, we have increased the minimum system resources required to run JFrog Artifactory.

⚠️

Warning

Review the resources and make adjustments to your environment to ensure effective support for the new services in JFrog Artifactory. For more information, see System Requirements.

• Java 21 Compatibility

  Artifactory now officially supports JDK 21. All Artifactory distributions are pre-packaged with JDK 21.

⚠️

Breaking Change for Groovy

Java 21 is compatible with Groovy version 4.x, which includes several improvements and breaking changes compared to Groovy 3. If you have developed custom JFrog user plugins using Groovy, review your code and ensure it is compatible with Groovy 4.x.

If you are using the Promotion User plugin, ensure that you are using the latest plugin version. For more information, see Upgrade Notice: Groovy 4 Compatibility.

⚠️

Breaking Change for LDAP Authentication Rollback

Starting from Artifactory version 7.71.x, LDAP authentication has been moved to the Access Service.

The LDAP implementation on the Artifactory service will only work if the Secure LDAP Search (Poisoning Protection) feature is enabled. If you have rolled back to the previous implementation, you must remove this rollback. This will help you to avoid conflicts.

If you are using LDAP authentication via Access Service, you will not have any impact.

• New Services - Topology and One Model

  We have added some new services for our Self-Managed instances:

  • JFrog Topology is a service registry that streamlines platform topology management.
  • One Model is a service that acts as a centralized hub for all GraphQL APIs. This also includes a third-party service called Apollo Router.

  For more information, see Artifactory Product.

• New Validation for Creating and Updating Repositories

  There is a new validation for creating and updating repositories.

New Features

• Evidence service

  JFrog's new Evidence service generates an audit trail that documents all the security, quality, and operational steps taken to produce a production-ready software release. It enriches artifacts, packages, builds, and Release Bundles with signed attestation metadata (based on the in-toto Attestation Framework) that can be tracked and verified easily for governance and compliance. The Evidence service enables you to seamlessly consolidate information from all the tools and platforms used in software development into a trusted single source of truth. It also integrates seamlessly with Release Lifecycle Management, providing a graphical interface for viewing the evidence generated at each stage of your SDLC.

  Artifactory creates signed evidence automatically when Release Bundles are promoted and distributed. When used in conjunction with JFrog Xray, additional evidence is created in the form of SBOMs and vulnerability reports.

  In addition, Enterprise+ users can attach externally-produced evidence to artifacts, packages, builds, and Release Bundles using the JFrog CLI.

  For more information, see Evidence Management.

❗️

Important

The current release of the Evidence service is subject to the following limitations in Self-Managed environments:

• Kubernetes is required. Support for non-Kubernetes installations is planned for late Q1 2025.
• The Evidence service requires PostgreSQL 12 or later. (Please note that Artifactory can continue working with any supported database. There is no need to migrate Artifactory to PostgreSQL to support the Evidence service.)

• Artifactory Federation Service

  To meet the growing needs of customers, JFrog has moved the Federated repositories feature into a standalone, multi-tenant service to ensure the timely synchronization of huge volumes of artifact metadata between customer sites. The new standalone service offers the following benefits:

  • Scalability: The Federation service is designed from the ground up to grow as the needs of our customers grow.

  • Automatic Federation recovery: The Federation service features an improved auto-healing mechanism that can identify synchronization problems between members due to an exhausted queue (a queue that has exceeded the maximum number of attempts to send metadata events to other members), reset the failed events, and retry synchronization. This capability is particularly useful in the event a Full Sync operation is interrupted by a restart of one of the Artifactory instances that host a Federation member. For more information, see Federation Recovery and Auto-Healing.

  • Improved monitoring using the Federation dashboard: The new Federation dashboard enables you to:

    • Understand the health status of all your repository Federations at a glance. The dashboard makes it particularly easy to see how many repositories are in error or delayed. For more information, see View the Status of All Repository Federations.
    • Drill down into a selected Federation to see the state of each member at a glance. For more information, see View the Status of a Selected Repository Federation.
    • Give selected repositories priority to system resources to help ensure all their metadata events are synchronized with other Federation members. For more information, see Prioritize Federated Repository API.

❗️

Important

The current release of the standalone Artifactory Federation service is subject to the following limitations in Self-Managed environments:

• Kubernetes is required. For more information, see Installing Artifactory Federation Service. Support for non-Kubernetes installations for early adopters is planned for late Q2 2025.
• The Artifactory Federation service requires PostgreSQL 12 or later. (Please note that Artifactory can continue working with any supported database. There is no need to migrate Artifactory to PostgreSQL to support the Artifactory Federation service.)
• Providing support for other databases is under consideration.

• Using the Federation Comparison Tool on Federated Repositories

  Users who have the Artifactory Federation Service installed can use the Federation Comparison Tool to compare the state of a Federated repository with one or more remote members to detect missing artifacts in those remote members. This enables you to simulate the results of a Full Sync operation before you perform it. The Federation Comparison tool is invoked using a new query parameter in the Federated Repository Full Sync API. For more information, see Use the Federation Comparison Tool.

• Machine Learning Repositories

  Machine Learning Repositories with the FrogML SDK is a local management framework tailored for machine learning projects, serving as a central storage for models and artifacts, featuring a robust version control system. It offers local repositories and an SDK for effortless model deployment and resolution.

  Machine Learning Repositories offer the following benefits to your system:

  • Secure Storage: Protect your proprietary information by deploying models and additional resources to Artifactory local repositories, giving you fine-grain control of the access to your models.
  • Easy Collaboration: Share and manage your machine learning projects with your team efficiently.
  • Easy Version Control: The Machine Learning Repositories SDK (FrogML) provides a user-friendly system to track changes to your projects. You can name, categorize (using namespaces), and keep track of different versions of your work.

  For information on Machine Learning Repositories, click here.

• Helm Enforce Layout

  Helm Enforce Layout is designed to maintain the integrity and organization of Helm charts within your repositories. It consists of two key functionalities that promote structure and reduce errors during deployments:

  • Preventing duplicate chart paths: Prevents the deployment of charts with the same name and version to different paths within the same repository, by ensuring that only a single instance of a chart is indexed. This maintains the integrity and accessibility of Helm charts, ensuring that users can easily identify and deploy the desired version without confusion.
  • Enforcing chart names and versions: Ensures that the chart name and version specified in the packaged file name match the values in Chart.yaml and adhere to Semantic Versioning (SemVer) standards adopted by the Helm official specification. Enforcing these rules promotes uniformity, allowing teams to adopt clear naming conventions that foster better collaboration and understanding of changes across different versions.

  For more information on Helm Enforce Layout, click here.

📘

Note

Helm Enforce Layout is forward-compatible only, it will not work on repositories created prior to Artifactory 7.104.2. This means that even if you upgrade to Artifactory 7.104.2, any repositories created prior to the upgrade are not compatible with this feature. Enforcement is set only upon repository creation.

• Cleanup Policies: Release Bundle v2

  JFrog Cleanup Policies for Release Bundle v2 enable Platform and Project Administrators to define and customize policies based on specific criteria for removing unused Release Bundles across their JFrog platform. This provides optimal system performance. Administrators can customize a repeatable cleanup process that aligns with their organization's requirements by setting specific criteria and rules. For more information, refer to CLEANUP POLICIES API.

Feature Enhancements

• Packages and Repositories

  • New REST API for Checking Repository Existence

    A new REST API has been added to check whether a repository exists based on the project key and repository type. For more information, click here.

  • Improvements to Conan Reindexing Speed on Large Repositories

    The process for reindexing large Conan repositories has been optimized and is now half the time from what it was previously. Added Conan packages are available for indexing immediately even during the reindexing process.

  • Added Clients for PyPI Repositories

    PyPI repositories now support Poetry and Twine clients. For more information, click here.

  • Updating multiple repositories using a batch request

    It is now possible to update the configuration of multiple repositories using a single batch request. The request can contain a mixture of package types (for example, Docker and Maven) and repository types (for example, local and remote). For more information, see Update Multiple Repositories API.

  • Viewing contents of Release Bundle v2 versions by package type

    The window for viewing the contents of a Release Bundle v2 version has been redesigned to organize the contents according to package type. You can drill down from a package type to individual packages and from there, click a link to see the individual artifacts. For more information, see View the Contents of a Release Bundle v2 Version.

  • Promoting Release Bundle v2 versions to virtual repositories

    You can now promote a Release Bundle v2 version to a virtual repository, provided it contains at least one local repository assigned to the same environment as the virtual repository (or no environment at all). For more information about promotion, see Promote a Release Bundle v2 Version in the Platform UI.

  • Virtual repositories can include repositories not assigned or shared to the same project

    You can now edit a virtual repository configuration that contains local and remote repositories which are not assigned to, or shared with, the same project as the virtual repository. If such repositories are aggregated, a message appears in the UI. Click the button next to the message to display a list of these repositories. You can export this list to a CSV file. For more information, see Virtual Repositories and Projects.

📘

Note

Users who can perform actions on the virtual repository (based on their assigned roles in the relevant project) are not automatically granted permissions to aggregated repositories not assigned or shared with the same project.

• Storage

  • Improved Retry Mechanism for the google-storage-v2 Provider

    The google-storage-v2 provider now supports an improved retry mechanism when Google Cloud Storage returns 50x errors during binary download. The retry behavior is controlled by the maxRetries and retryIntervalMillis configuration parameters. For more information, click here.

  • Improved Optimize System Storage REST API

    The Optimize System Storage REST API now triggers the balancing mechanism immediately instead of raising a flag to indicate that Artifactory should run the balancing mechanism in the next Full Garbage Collection cycle. If balancing is already running, the API skips the process. For more information, see the Optimize System Storage REST API documentation.

• Release Lifecycle Management

  • New Content tab in Release Lifecycle Management timeline

    The Release Lifecycle Management timeline contains a new Content tab that lists the artifacts in the selected Release Bundle v2 version. For more information, see View the Contents of a Release Bundle v2 Version.

  • Support for default key creation for Release Bundles v2 via REST API

    It is now possible to create a Release Bundle v2 using the REST API without specifying an existing signing key. In such cases, Artifactory creates a default GPG key that is used to sign the Release Bundle. This default key is then used for future Release Bundles unless a different key is selected during Release Bundle creation. The default key created by Artifactory is displayed in the Keys Management table.

📘

Note

In the current release, a default key is created only when creating the Release Bundle v2 using the REST API. It is still mandatory to select an existing signing key when using the JFrog CLI or platform UI.

• Support for default key creation for Release Bundles v2 in the platform UI

  It is no longer mandatory to select a signing key when creating a Release Bundle v2 with the platform UI. If you do not select a key, Artifactory uses a default GPG key that it creates automatically. The default key is then used for future Release Bundles unless a different key is selected during Release Bundle creation. The default key created by Artifactory is displayed in the Keys Management table.

📘

Note

Support for the default key will be added to the JFrog CLI in an upcoming release.

• Federated Repositories

  • Performance enhancement for Federated repositories

    A new system property enables event properties to be fetched in bulk from the database, which improves overall performance when mirroring among Federation members. For more information, see Configure Federated Repositories for Bulk Mirroring and Parallel Processing.

  • Converting Federated repositories back to local

    You can now convert a Federated repository back to a local repository using a REST API, provided it is not part of a Federation containing additional members. For more information, see Convert Federated Repository to a Local Repository API.

• OCI and Docker Related Changes

  • Enhanced Docker List Tags REST API Compatibility

    The Docker List Tags REST API has been enhanced to support both the full and shorthand conventions for referencing official Docker images. Users can now retrieve tags using either the complete path (including /library/) or the shorter version without it. For more information about the API see List Docker Tags API.

  • Enhanced Webhook Event Support for OCI and Docker Images

    In this release, the Webhook events functionality for Docker images has been expanded to include support for OCI repositories and images. These enhancements made include:

    • Support for OCI Repositories: Webhook events can now be triggered for OCI repositories, broadening the integration capabilities.
    • Support for OCI Images: Events related to OCI images are now fully supported, ensuring that actions on these images are captured.
    • New image_type Key: A new image_type key has been added to the event action payload, indicating whether the action was performed on an OCI or Docker image.

    For more information, click here.

  • Additional Keys Added to the Webhook Promoted Event in the Docker Domain

    The Image Promotion Webhook in the Docker domain has been expanded with two additional keys:

    • targetRepo: The repository where the image is promoted to.
    • targetTag: The new tag of the promoted image.

JFrog Platform

• Setting upper limits on property updates

  A new system parameter has been introduced (artifactory.max.artifacts.set.properties.recursive) for setting an upper limit on the number of artifacts on which recursive property updates can be performed. For example, if you revise a folder property and the folder contains more items than the limit defined in this system parameter, the operation will fail. This property can be used to throttle the number of update requests, which can put a heavy load on the database and in extreme cases lead to crashes. By default, this feature is off. There is no default value when turned on.

• Platform Chart 11.x Release

  We have released the JFrog Platform Helm Chart 11.x, which includes some of the important changes:

  • Removal of Insight and Pipelines: We have removed the Insights and Pipelines chart dependencies from the JFrog Platform chart 11.x.
  • Upgrade of Bitnami PostgreSQL and RabbitMQ Helm Charts: Upgraded the RabbitMQ chart version and the image version of PostgreSQL and RabbitMQ.

  The JFrog Platform chart 11.x also includes multiple breaking changes. For more information, see Platform chart 11.x: Breaking Changes.

• OIDC Multiple Token Scopes

  The Jfrog Platform now supports adding multiple scopes to OIDC identity mapping tokens, enabling you to use both user and group scopes for the same token.

• Enabling SSO Disables Basic Authentication By Default

  Enabling single sign-on authentication now disables internal password authentication by default. For more information, see Disable Basic Authentication Method.

• Improvements in Obtaining AQL Results

  The Search AQL API was improved such that AQL results are complete and not missing properties. A notification is now provided informing the client when the AQL limit has been reached.

• Improved Performance for the Fetching Process

  Performance of the fetching process has been improved, based on the count of manifests relative to the Max Unique Tags configuration.

• Cleanup Policies

  • Terraform: Terraform packages are now supported in Cleanup.
  • Terraform BE Packages : Terraform BE packages are now supported in Cleanup and Archive.
  • CocoaPods: CocoaPod packages are now supported in Cleanup.
  • Hugging Face: Hugging Face packages are now supported in Cleanup.
  • OCI: Helm OCI and OCI packages are now supported in Cleanup and Archive.
  • Cargo: Cargo packages are now supported in Cleanup and Archive.
  • Frog ML: Frog ML models are now supported in Cleanup and Archive.
  • Ansible: Ansible packages are now supported in Cleanup and Archive.

• Support for Scheduled Workers

  JFrog now supports creating scheduled workers to trigger at predefined times or intervals, which you can define using Cron expressions. Learn more

• Worker Events

  • Replication: Before Directory Replication event is now supported.
  • Storage: After Copy event is now supported.
  • Storage: After Property Delete event is now supported.
  • Storage: After Property Create event is now supported.
  • Storage:beforeCreate: beforeCreate event is now supported.
  • Storage:beforeCopy: beforeCopy event is now supported.
  • Before Build Info Save: Before Build Info Save event is now supported.
  • Before Download Request: Before Download Request event is now supported.

Resolved Issues

Artifactory 7.98

This section includes all the Artifactory 7.98 releases.

Artifactory 7.98.19 Self-Managed

Released: 11 May 2025

Resolved Issues

Artifactory 7.98.18 Self-Managed

Released: 27 March 2025

Resolved Issues

Artifactory 7.98.17 Self-Managed

Released: 18 March 2025

Resolved Issues

Artifactory 7.98.15 Self-Managed

Released: 1 February 2025

Resolved Issues

Artifactory 7.98.14 Self-Managed

Released: 21 January 2025

Resolved Issues

Artifactory 7.98.13 Self-Managed

Released: 6 January 2025

Resolved Issues

Artifactory 7.98.12 Self-Managed

Released: 24 December, 2024

Resolved Issues

Artifactory 7.98.11 Self-Managed

Released: 16 December 2024

Resolved Issues

⚠️

Known Issue with Pull Replications

There is a known issue whereby properties generated locally by Artifactory are deleted during pull replications when the properties are unchanged from the previous replication execution. The current workaround is to add a custom property to the package. This is sufficient to prevent the locally-generated properties from being deleted.

Artifactory 7.98.10 Self-Managed

Released: 9 December 2024

Resolved Issues

Artifactory 7.98.9 Self-Managed

Released: 25 November 2024

Resolved Issues

Artifactory 7.98.8 Self-Managed

Released: 6 November 2024

Resolved Issues

Artifactory 7.98.7 Self-Managed

Released: 29 October 2024

Important Announcements

📘

Note

Artifactory Release Notes Structural Update

The Artifactory Release Notes (that appear in the JFrog Release Notes) has been updated to separate the Self-Managed and SaaS Releases into separate areas. Self-Managed content for minor releases now lists aggregated bugs and features previously only reported as part of Cloud Releases. This enables users to better see content only relevant to their deployment type, and for Self-Managed users to more easily review the changes between versions, providing better visibility in preparation for upgrade.

📘

Note

JFrog Workers Release Notes

We are pleased to announce that JFrog Workers is now in general availability with separate release notes, see JFrog Workers Release Information.

⚠️

Classic Navigation Sunset

The classic navigation has reached its end of life, therefore users will no longer be able to switch back to the classic navigation. For more information about how navigation menus are organized, see JFrog Platform Navigation.

⚠️

API Key Creation is Disabled

The creation of new API keys has now been disabled. You can use identity tokens instead, which replace API keys and offer enhanced security. The usage of API Keys will be disabled at the end of Q4 2024. For more information, see JFrog API Key Deprecation Process.

⚠️

Breaking Change for Oracle 11 Users

Artifactory has replaced the Oracle-specific ROWNUM pseudo-column with the SQL-standard FETCH FIRST clause when generating AQL queries that include the ORDER BY clause. This change breaks compatibility with users of Oracle 11 and earlier (which are Oracle versions not officially supported by Artifactory).

⚠️

Breaking Change when Using Get User Details API for Details of Non-Logged-In Users

When retrieving user details for non-logged-in users via the Rest API, a random date in the distant past was returned, now a null value will be returned. Previously, if a user never logged, in the response to the Get User Details API, the value of last_logged_in was 1970-01-01T00:00:00.000Z. Now, if a user never logged in, the value of last_logged_in will be null.

⚠️

Breaking Change for SAML SSO

As notified in SAML SSO configuration, if you have configured SAML authentication in your environment, make sure to configure a Custom Base URL to prevent a 500 error.

⚠️

Known Issue in Tomcat 10.1

Apache Tomcat version 10.1 that is bundled in Artifactory 7.98.7 contains an issue whereby, when sending HEAD requests where the resource size is unknown, the server returns a content-length=0 header, instead of omitting the header.

New Features

• Cleanup Policies

  JFrog Cleanup Policies enable Platform and Project Administrators to define and customize policies based on specific criteria for removing unused binaries from across their JFrog platform. This provides control over storage utilization and ensures optimal system performance. By setting specific criteria and rules, administrators can customize a repeatable cleanup process that aligns with their organization's requirements. For more information, click here.

  Also, this release includes a number of internal database indexing enhancements that improve performance during the cleanup process. JFrog recommends creating database indexes prior to upgrading, as explained in the article Database Index Optimizations for Improved Cleanup Policy Performance.

• Support for GitHub Enterprise in Self-Managed Environments

  Users working in a Self-Managed environment can now select GitHub Enterprise as the Git provider for Go remote repositories. When using this option, you should configure the Go remote repository with the URL of the GitHub Enterprise server located at your site. This feature requires Enterprise Server 3.10 and above.

• Upgrade to Apache Tomcat 10.1.x

  The Apache Tomcat version bundled with Artifactory has been upgraded to version 10.1.x.

• Support for Multi-Architecture Tag Deletion

  Artifactory now supports deleting multi-architecture Docker and OCI image tags with one action. For more information, see Delete Multi-Architecture Docker Tags.

• Support for PostgreSQL 16

  Artifactory is now certified to work with the PostgreSQL 16 database.

Feature Enhancements

• Significant Changes to the Packages User Interface

  Significant changes have been made to the Packages User Interface (UI). From the Packages home page, you can now view a list of the most recently viewed packages, and an upgraded filter option has been added that allows you to create refined filters on the packages list to easily see the packages that interest you. After creating the filter, you can save it as a customized view for later use and reference. For more information, click here.

• Authentication Related Enhancements

  • OpenID Connect Integration

    The JFrog Platform now includes project support, multiple values, wildcard values, and dynamic mapping for OpenID Connect integrations. Project Admins can now create identity mappings associated with specific projects. Multiple values and wildcard values are now supported for JSON Claims in identity mappings associated with OpenID Connect Integrations. Identity mappings can contain dynamic mappings that support the verification or modification of a username or group name in the token subject based on a pattern.

  • Multiple SAML SSO Provider Configurations

    Starting from Artifactory version 7.98.7, the JFrog Platform now supports multiple configurations for SAML SSO providers. Enabling multiple SAML SSO configurations can help large organizations streamline the login and authentication processes for multiple platforms, resulting in a faster and more convenient authentication experience.

📘

Note

Before creating multiple SAML configurations, JFrog recommends deleting the old configuration and reconfiguring it with a different setting name other than Default. If you reconfigure your SAML configuration, you must also update the relevant information in the Identity Provider server.

• Migration of SAML Authentication Provider from Artifactory Service to Access Service

  As part of enhancements to the JFrog Access Service, which is becoming the primary service for authentication providers, the functionality for the SAML authentication provider has moved to the Access Service.

⚠️

Breaking Change for synchronizeLdapGroups User Plugin

Following the migration of SAML SSO from Artifactory service to Access service, the deprecated user plugin synchronizeLdapGroups will no longer be used for SAML SSO user login. As an alternative, the functionality of the plugin has been implemented as part of the provider. For more information, see Enabling Synchronization of LDAP Groups for SAML SSO.

• Temporary Login Suspension Moved to Access Service

  As part of enhancements to the JFrog Access Service, which is becoming the primary service for authentication and authorization, the implementation of Temporary Login Suspension has been moved to the Access Service starting from Artifactory version 7.98.x. For more information, see User Lock and Login Suspension.

• Proxy support for OAuth Authentication Provider

  The OAuth authentication provider now supports the platform default proxy. To enable this functionality, select the Use Default Proxy Configuration checkbox in the Provider Settings section.

• Support for OIDC Forward Proxy Configuration

  The JFrog Platform OIDC integration now supports the configuration of a forward proxy. For more information, see Manage Proxy Servers.

• Release Bundles Enhancements

  • Cannot modify or delete files that belong to a promoted Release Bundle v2

    To protect the immutability of Release Bundle v2, users are now blocked from modifying or deleting a file that belongs to a promoted Release Bundle. Users must first delete the promotion or delete the Release Bundle version altogether before the files can be modified or deleted.

  • Release Bundles v2 protected from expired GPG keys

    When a user attempts to create, promote, or distribute a Release Bundle v2 version, the action is now blocked if the GPG key has expired.

  • Adding pagination to Release Bundle v2 Version Details REST API

    The REST API for getting Release Bundle v2 version details now includes the ability to paginate the results using the offset and limit query parameters. In addition, the response now includes the total_artifacts_count.

  • Improved UI for deleting Release Bundle v2 versions and promotions

    The UI offers improved options for deleting Release Bundle v2 versions and promotions, including versions distributed to Edge nodes.

• Federated Repository Related Enhancements

  • Improved Federated Repository validation

    There is an improved validation check when creating Federated repositories that provides a clear error message if a Federated repository with the same name already exists on a different Federation member.

  • Federation recovery and auto-healing of binary tasks

    The auto-healing mechanism used by Artifactory to recover synchronization of metadata events among repository Federation members now includes support for binary tasks as well. The mechanism will check periodically for any binary tasks that are in a retry or error state and use the checksum to identify whether the file was deleted from its source. If the binary was deleted, the task is deleted.

  • Change to Federated Repository Artifactory System Parameter:

    • Old name (7.90.5): artifactory.federated.mirror.events.metadata.enabled
    • New name (7.92.3 and above): artifactory.federated.mirror.events.upload.info.propagate.enabled

• Cargo Related Enhancements

  • Cargo index/config.json REST API Aligned with the Cargo Specs

    The Cargo index/config.json REST API has been aligned to the Cargo specs so that it now returns a response even if a user has no permissions on a repository and invokes an auth-challenge.

  • Improved Cargo Status Code Responses

    Cargo status code responses are now aligned with the cargo registry according to the Cargo specification.

  • Improvements to authenticated requests on Cargo repositories

    Authenticated requests on Cargo repositories are now allowed with anonymous access.

• Hugging Face Related Enhancements

  • The Hugging Face readme.md file is now accessible

    The Hugging Face readme.md file can now be viewed with an MD viewer for Hugging Face packages.

  • Support for Hugging Face Modifying Deployment Expiration

    Artifactory now supports using a system property to modify the expiration time for models and datasets deployment, so that you can upload larger models without encountering errors.

• Projects Support for Webhooks

  Artifactory now supports creating and viewing webhooks associated with a specific project.

• Artifactory Performance Improvement

  This version includes improvements in response time with a reduction of up to 12%. This results in an overall improvement in performance.

• Added option to configure an absolute path for tempDir for certain binary providers

  It is now possible to configure an absolute path for tempDir (_pre folder) for the following binary providers: cache-fs, s3-storage-v3, azure-blob-storage-v2, and file-system (or state-aware when using sharding). Before this change, tempDir was always relative to the baseDataDir, and if tempDir had an absolute path in binarystore.xml (for example: /tmp), tempDir was set to $BASEDATADIR/filestore/tmp. Now, it will be set to /tmp, which will be a breaking change. To revert to the old behavior, use a relative path "tmp". Configuring an absolute path allows for improved performance when baseDataDir is located in a NFS.

• Reduced Calls to the Database When Interacting with Virtual Generic Repositories

  The number of calls to the database was significantly reduced when interacting with a virtual generic repository containing more than 3 sub-repositories, which results in improved system performance.

• Logging Outgoing Requests

  Introduced logging for outgoing requests in the JFConnect service to enhance debugging capabilities.

• Significant Improvements in Deploying Artifacts from Archives

  The Deploy Artifacts from Archive REST API now supports deploying artifacts in parallel threads as well as sequentially, significantly reducing the time it takes to deploy. For more information, see Deploy Artifacts from Archive API.

• Improved Failure Retry Mechanism When Working With Google Cloud Storage

  The google-storage-v2 provider now supports an improved retry mechanism when Google Cloud Storage returns 50x errors. Two new parameters have been added to the provider (maxRetries and retryIntervalMillis) to allow configuring this. For more information, click here.

• List Docker Images REST API Performance Improvements

  The REST API List Docker Images now delivers faster results and uses less resources. For more information, see List Docker Images API.

• Support for PyPI Etag Headers

  Artifactory now supports Etag headers for Pypi Package Indexes, minimizing the bandwidth used for installation flows.

• Table of public keys now includes the key type

  The table of public keys available to administrators in the Public Keys tab of the Keys Management window now includes the key type. For more information, see Manage Public Keys.

• Tree Browser Performance Improvements

  The following performance improvements were made in the artifacts tree/native browser. For information on this change and why the List Remote Folder Items function is turned off by default, see Why Remote Folder Listing Is No Longer Available:

  • Expanding a folder with a long list of artifacts is now much faster. The displayed list of artifacts is now limited to a maximum of 20K. Artifacts that are not displayed are accessible through the Search.

  • Display of repository and artifact details is now faster

  • Improvements to Metadata Retrieval Performance Performance of metadata retrieval was improved following recent changes made to the npm client.

  • Improvements to Tree Browser Performance

    For users with limited permissions, loading the list of repositories at the root level of the tree browser is now much faster

    Improvements were made to tree browser performance such that the time it takes to list artifacts from remote repositories was significantly reduced. For more information, see Why Remote Folder Listing Is No Longer Available.

Resolved Issues

Artifactory 7.90

This section includes all the Artifactory 7.90 releases.

Artifactory 7.90.19 Self-Managed

Released: 2 February 2025

Resolved Issues

Artifactory 7.90.17 Self-Managed

Released: 25 November, 2024

Resolved Issues

Artifactory 7.90.15 Self-Managed

Released: 21 October 2024

Resolved Issues

Artifactory 7.90.14 Self-Managed

Released: 8 October, 2024

⚠️

Warning

When upgrading to Artifactory 7.90.14 from a previous version, API Key creation is enabled, even if you had disabled API Key creation in the previous version.

Feature Enhancements

• Cargo index/config.json API Aligned with the Cargo Specs

  The Cargo index/config.json API has been aligned to the Cargo specs so that it now returns a response even if a user has no permissions on a repository and invokes an auth-challenge.

Resolved Issues

Artifactory 7.90.13 Self-Managed

Released: 25 September, 2024

Resolved Issues

Artifactory 7.90.10 Self-Managed

Released: 11 September, 2024

Resolved Issues

Artifactory 7.90.9 Self-Managed

Released: 28 August, 2024

Feature Enhancements

• Performance Improvements

  The following performance improvements were made in the artifacts tree/native browser:

  • For users with limited permissions, loading the list of repositories at the root level of the tree browser is now much faster
  • Expanding a folder with a long list of artifacts is now much faster. The displayed list of artifacts is now limited to a maximum of 20K. Artifacts that are not displayed are accessible through the Search
  • Display of repository and artifact details is now faster

Resolved Issues

Artifactory 7.90.8 Self-Managed

Released: 14 August, 2024

Resolved Issues

Artifactory 7.90.7 Self-Managed

Released: 9 August, 2024

New Feature

• Deploy Large Files Using Multi-Part Upload

  Artifactory now implements a fast and reliable multi-part upload approach for large files with the JFrog CLI. The new multi-part upload is designed so that in the case of an upload failure a retry mechanism resumes uploads from the point of failure, thus preserving all content that was uploaded before the failure. In contrast, with the standard upload, an upload failure will result in the loss of all data and require a restart from the beginning.

  Multi-part Upload is available using S3 and GCP storage types. The default value for the minimum file size requiring multi-part upload is 200 MB, although this value can be changed. For more information, click here.

Change to Existing Feature

The system property for synchronizing metadata in Federated repositories (introduced in release 7.90.5) has been renamed:

• Old name (7.90.5 & 7.90.6): artifactory.federated.mirror.events.metadata.enabled
• New name (7.90.7 and above): artifactory.federated.mirror.events.upload.info.propagate.enabled

Resolved Issues

Artifactory 7.90.6 Self-­Managed

Released: 05 August, 2024

⚠️

Known Issue in this Version

Artifactory version 7.90.6 has an issue that affects Pub package deployments due to a Tomcat upgrade. To avoid this issue, customers are advised to upgrade to Artifactory 7.90.7. For more information, see Artifactory Known Issues.

Resolved Issues

Artifactory 7.90.5 Self-Managed

Released: 25 July, 2024

This topic describes the new features, feature enhancements, and resolved issues that are part of the Artifactory 7.90.5 release for Self-Managed environments. It includes all improvements since Artifactory 7.84.

Highlights

⚠️

Known Issue in this Version

Upgrading self-maanaged deployments from version 7.71 directly to 7.90 or higher fails due to a problematic Artifactory revision number in 7.71 causing converters not to run. To avoid this issue, upgrade to Artifactory version 7.90.7 or above.

• New Platform Navigation

  JFrog is launching the new platform UI navigation for Self-Managed instances.

  This will be the default experience when using version number 7.90.x.

  To find out more about this change, see JFrog Platform Navigation.

⚠️

Classic UI Navigation Sunset

Classic UI navigation is planned to be deprecated with the Self-Managed release of October 2024.

For more information, see JFrog Platform Deprecations.

• Support for Ansible Repositories

  You can now use Artifactory to manage and store your Ansible collections (including Roles, Playbooks, Plugins, Modules, etc.), providing full flexibility and usability. You can store and distribute your own collections through secure local repositories, and cache remote resources from the Ansible Galaxy registry for reliable access. For more information, see Ansible Repositories.

• Support for Hugging Face Datasets

  Artifactory now supports storing and caching of Hugging Face ML datasets, allowing you to manage all stages of the ML development lifecycle. For more information, see Hugging Face Repositories.

• Individual JVM for Access Service

  The Access service will now run on a dedicated Java Virtual Machine (JVM), separated from the main Artifactory JVM. While the Access JVM will utilize additional resources, this change is anticipated to decrease the memory usage of the Artifactory JVM. Additional configuration steps might be required for customers using the Derby database. For more information, see Individual JVM for Access Service

• Breaking Change for JFrog Access REST API Endpoints

⚠️

Warning

As a result of the Individual JVM for Access Service, the previously used Access REST API endpoint, https://<JFROG_PLATFORM_URL>/artifactory/api/access, is no longer supported, and you must now use the new endpoint, https://<JFROG_PLATFORM_URL>/access.

If your Access Federation URL is currently configured with https://<JFROG_PLATFORM_URL>/artifactory/api/access, update it to prevent service interruptions.

• Major Performance Improvements for Alpine

  This version includes up to an 87% improvement in the response time in Alpine-related use cases, such as downloading from a virtual repository.

• Reduced Load When Reading Global Exclude Properties

  An improvement was introduced in this version to reduce the load when reading global exclude properties. Any properties added to the artifactory.repo.includeExclude.globalExcludes parameter are now controlled by the flag artifactory.repo.default.includeExclude.globalExcludes.empty.list, which is set to true by default. When this flag is true, the list is treated as empty, meaning that the global exclude patterns are not considered. Therefore, it is necessary to set artifactory.repo.default.includeExclude.globalExcludes.empty.list = false for the global exclude patterns to be taken into account.

New Features

• Security Hardening for Artifactory Container Images

  As part of JFrog's commitment to maintain the security and reliability of our products, JFrog Artifactory container images are now enforced with read-only permission to webapps and conf folders located in the app/artifactory/tomcat and app/access/tomcat directories.

• Support for PyPI Name Normalization and Enforce Layout

  Artifactory now supports the PyPI package features name normalization and enforce layout, as specified in PEP-440. These features help you keep a consistent naming method for PyPI packages and avoid issues. For more information, see Use PyPI File Path Name Normalization, Use PyPI Enforce Layout, and Using Both PyPI File Path Naming Normalization and Enforce Layout.

• Support for OCI Referrers API

  You can view the connection between images and their related information, such as signatures and attestations, for better visibility and management. For more information, see Use Referrers REST API to Discover OCI References.

• Get Status of Repository Project API

  A new API allows users to obtain the status of a repository and whether it was assigned and/or shared to a project, to multiple projects, or to all projects. For more information, see Get Status of Project Repository API.

Feature Enhancements

Installation

• Improved User Experience for Helm Installations

  Artifactory now supports the following Helm improvements:

  • The nginx.artifactoryConf and nginx.mainConf fields have been reallocated to the 'files' directory.
  • The artifactory.openMetrics field has been renamed as artifactory.metrics.
  • Added nginx.hosts field to use as server_name directive on the embedded Nginx instead of ingress.hosts field.
  • Changed migration.enabled flag to false by default. For Artifactory 6.x to 7.x migration, this flag needs to be set to true.

Authentication

• Temporary Login Suspension Configuration Moved to Access Service

  As part of enhancements to the JFrog Access Service to make it the primary service for Authentication and Authorization, from Artifactory version 7.90, the configuration management for Temporary Login Suspension has moved to the Access Service. For more information, see User Lock and Login Suspension.

• Project Admin Scoped Access Token

  Now in addition to an API that was released in Artifactory version 7.84, you can also generate project admin access tokens using the JFrog Platform UI. For more information, see Create a Project Admin Scoped Token.

Integrations

• OpenID Connect Integration

  OIDC integration in the JFrog Platform allows you to use services including GitHub Actions and Azure with OpenID Connect to work on the JFrog Platform.

  OpenID Connect Integration now supports Azure.

Database & Storage

• Project Storage Quotas

  You can now view and manage project storage quotas. A table view with project details is now the default All Project View, and a new Storage Quota column with a usage bar has been added. You can now perform actions such as Edit Storage to manage and change the storage quota from the table view. For more information, see Manage Storage Quotas.

• Enhanced Performance for Get Storage Summary Info REST API

  The time needed to return the storage summary information using REST API has been significantly reduced for virtual repositories.

Archiving & Cold Storage

• Additional Package Types Now Support Package Archiving

  Additional package types have been added to support package archiving. The full list of all package types that now support package archiving is: Docker, Maven, npm, Gradle, YUM, generic, NuGet, Conan, and Helm. For more information on package archiving, see Working with Cold Storage.

• Improved Performance with Storage Summary Queries

  A flag was added to the Artifactory System Properties (artifactory.db.operations.totalSize.mysql.noIndex) that changes the storage summary queries (file count and repository table) to not use indexes in MySQL DB and hence improves query performance. By default, this flag is false and can be set to true in the system properties.

Federated Repositories

• Additional synchronized metadata in Federated repositories

  It is now possible to synchronize the following artifact metadata with all Federation members:

  • createdBy: The name of the user who uploaded the artifact to Artifactory (including the suffix 'federated'.) The name is mirrored to other members even if the user does not exist on those members.
  • deploymentDate: Defines when the artifact was deployed. Synchronizing this metadata is important for features such as the Max Unique Snapshot policy in Maven.
  • modifiedDate: Defines when the artifact was last modified.

  A new Artifactory system property controls the inclusion of this metadata:

  artifactory.federated.mirror.events.metadata.enabled

  By default, this flag is set to false. To mirror this metadata to other Federation members, change the flag setting to true on each relevant member. The metadata is mirrored only if the flag is activated on both the source and target JPD.

• Cleanup Job for Removing Orphaned Cursors

  A new job cleans up orphaned cursors from the Federated repository database. This was done to optimize the auto-healing process.

Package Management

• Support for new CocoaPods CLI Commands

  Artifactory now supports using the pod search and pod list commands for virtual CDN repositories.

Resolved Issues

Artifactory 7.84

This section includes all the Artifactory 7.84 releases.

Artifactory 7.84.23 Self-Managed

Released: 2 February 2025

Resolved Issues

Artifactory 7.84.21 Self-Managed

Released: 26 August, 2024

New Features

• Specifying a Dedicated HA Node for Shift Events

  Users working in a Self-Managed HA environment can now designate which node will be responsible for all shift events, which is an internal process used by Artifactory to organize events in the correct order. The node is configured by specifying the system parameter, artifactory.shift.events.isolated.member with the name of the dedicated node on each HA member.

Resolved Issues

Artifactory 7.­84.20 Self-­Managed

Released: 5 August, 2024

Resolved Issues

Artifactory 7.84.18 Self-Managed

Released: 29 July, 2024

Resolved Issues

Artifactory 7.84.17 Self-Managed

Released: 9 July, 2024

Resolved Issues

Artifactory 7.84.16 Self-Managed

Released: 28 June, 2024

Resolved Issues

Artifactory 7.84.15 Self-Managed

Released: 18 June, 2024

⚠️

Known Issue in this Version

Starting from Artifactory version 7.84, AQL searches will undergo throttling, potentially resulting in 429 errors. The default setting for the parameter below will be TRUE. You can opt to set it to FALSE to disable the throttling:

artifactory.aql.queries.limit.enabled

To avoid this issue, upgrade to Artifactory version 7.84.16 or later.

Resolved Issues

Artifactory 7.84.14 Self-Managed

Released: 6 June, 2024

⚠️

Known Issue in this Version

Starting from Artifactory version 7.84, AQL searches will undergo throttling, potentially resulting in 429 errors. The default setting for the parameter below will be TRUE. You can opt to set it to FALSE to disable the throttling:

artifactory.aql.queries.limit.enabled

To avoid this issue, upgrade to Artifactory version 7.84.16 or later.

Resolved Issues

Artifactory 7.84.12 Self-Managed

Released: 23 May, 2024

⚠️

Known Issue in this Version

Starting from Artifactory version 7.84, AQL searches will undergo throttling, potentially resulting in 429 errors. The default setting for the parameter below will be TRUE. You can opt to set it to FALSE to disable the throttling:

artifactory.aql.queries.limit.enabled

To avoid this issue, upgrade to Artifactory version 7.84.16 or later.

Resolved Issues

Artifactory 7.84.11 Self-Managed

Released: 17 May, 2024

⚠️

Known Issue in this Version

Starting from Artifactory version 7.84, AQL searches will undergo throttling, potentially resulting in 429 errors. The default setting for the parameter below will be TRUE. You can opt to set it to FALSE to disable the throttling:

artifactory.aql.queries.limit.enabled

To avoid this issue, upgrade to Artifactory version 7.84.16 or later.

Resolved Issues

Artifactory 7.84.10 Self-Managed

Released: 26 August 2024

This topic describes the new features, feature enhancements, and resolved issues that are part of the Artifactory 7.84.10 release for Self-Managed environments. It includes all improvements since Artifactory 7.77.

❗️

Change to AWS S3 Storage Direct Download Option

From this version and on, the direct download option no longer works with eventual and cluster providers. If you want to continue using direct download, use the s3-storage-v3-direct template.

⚠️

Replicator Sunset

The Replicator service for Release Bundles v1 has been deprecated. For more information, see Artifactory Deprecations.

⚠️

Known Issue in this Version

Starting from Artifactory version 7.84, AQL searches will undergo throttling, potentially resulting in 429 errors. The default setting for the parameter below will be TRUE. You can opt to set it to FALSE to disable the throttling:

artifactory.aql.queries.limit.enabled

To avoid this issue, upgrade to Artifactory version 7.84.16 or later.

⚠️

Cargo Git Indexing Deprecation

Starting at the end of Q2, 2024, Cargo indexing will only be enabled using Sparse indexing, and the use of Git indexing will be discontinued. For more information, see Deprecations in Process.

Highlights

• PostgreSQL is the Recommended Database for Artifactory Installation

  After a comprehensive evaluation of leading database providers' capabilities, scalability, and support, JFrog selected PostgreSQL as the preferred database solution for all its product offerings.

  Organizations can still choose to use any database in the list of Artifactory-supported databases, however, there is a minor new configuration step that will need to be performed for new installations. When installing a new Artifactory instance with any database other than PostgreSQL, you are required to specify the configuration in the system.yaml file.

  For more information, see Choose the right database.

• Major Performance Improvements for PyPI, NuGet, and npm

  This version includes significant reductions in response time, as well as simplified and reduced database calls from the previous Self-Managed version (7.77). These improvements apply to several important use cases, including virtual package resolution and external dependency resolution, among others. We have measured:

  • Up to 24% response time reduction in PyPI-related use cases
  • Up to 23% response time reduction in NuGet-related use cases
  • Up to 84% response time reduction in npm-related use cases

New Features

• APIs for Creating & Retrieving Batches of Repositories

  A new API enables you to create multiple repositories using a batch request. The batch request can contain a mix of different package types and repository types. For more information, see Create Multiple Repositories API . Another new API enables you to retrieve the configurations for a batch of repositories based on the repository names. For more information, see Get Batch of Repositories by Name API.

• Oracle RAC support for Federated repositories

  Customers who use Oracle Real Application Clusters (RAC) must configure the following Artifactory system property to support Federated repositories:

  artifactory.oracle.node.events.sequence.is.no.cache

  Setting this property to true enables a converter that fixes the Oracle node events sequence definition for RAC instances.

📘

Note

For additional prerequisites, see Setup Prerequisites for Federated Repositories.

• Support for OpenTofu Terraform Client

  Artifactory now supports the OpenTofu registry and client, which provides an alternative to Hashicorp’s Terraform Provider Registry.

  For more information, see Configure OpenTofu to Work With Artifactory.

• Support for CocoaPods Virtual Repositories

  Artifactory now supports using CocoaPods virtual repositories, only for repositories using CDN- allowing you to access both local and remote CocoaPods resources through a single URL.

  For more information, see Set Up Virtual CocoaPods Repositories and Use CocoaPods CDN for Virtual Repositories.

• CocoaPods CDN Now Supported for Local Repositories

  CocoaPods CDN expedites the workflow by creating a static copy of the CocoaPods Specs repository, reducing the time required for adding repositories. For more information, see Use CocoaPods CDN.

Feature Enhancements

Installation

• Helm Installation Updates

  • The setSecurityContext field in Helm installation has been renamed as podSecurityContext.
  • Added a dedicated image section for initContainers instead of initContainerImage
  • Added unifiedSecretInstallation flag, which enables single unified secret holding all chart secrets to true by default.

Authentication

• Automatically pair OAuth SSO users with JFrog Platform users

  You can now automatically pair OAuth SSO users when they log in to the JFrog Platform with their JFrog Platform user based on their email address. No configuration change is required to enable the feature. For more information on OAuth SSO, see OAuth SSO.

• Access Token Creation by Project Admins

  Project admins can create access tokens that are tied to the projects in which they hold administrative privileges. For more information, see Access Token Creation by Project Admins.

• Changes to Anonymous Access

  Starting from Artifactory 7.84.3, the anonymous user is removed from the Anything and Any Remote permissions by default. To grant permissions to anonymous users, the best practice is to create a new permission target containing the anonymous user, and to assign it with read-only access to the relevant repositories.

  For more information, see Allow Anonymous Access.

General

• Availability Zone Affinity

  You can configure a preferred availability zone in the router section of the Artifactory System YAML file. If a service is available in the local zone, traffic is sent to this local service. However, if a service is not available locally, traffic is sent to a service in another zone using a round robin strategy.

  For more information, see JFrog Router Service.

Storage

• Storage Improvements

  This release contains the following storage improvements:

  • When using Azure Blob storage with a SAS token, the SAS token is now encrypted at rest in the the binarystore.xml file.
  • When using the state-aware-s3 binary provider, sensitive properties are now encrypted in the same manner as they are for the s3-storage-v3 binary provider.

Federated Repositories

• Federated repository support for projects

  In versions before 7.78.1, new Federation members ignored the association of a Federated repository with a specific project. For example, if a Federated repository in existing members was associated with myProject, new Federation members would lack the project association.

  Starting with version 7.78.1, Artifactory will check whether the associated project in existing members is defined in the site of the new Federation member. If the project exists, the new member will be associated with this project automatically. If the project does not exist, the new member will not be associated with the project.

📘

Note

A current limitation of this feature is that if the project association later changes in one Federation member, this change is not synchronized with the other members.

• Full Sync improvements for Federated repositories

  This release contains an option for generating the file list for a Full Sync operation using multiple SQL queries (paging) instead of a single AQL query. Dividing the database query into pages helps prevent the operation from crashing when retrieving a large file list (by default, more than 400000 artifacts). In addition, several new system properties have been introduced for managing this paging feature. For more information, see System Properties for Full Sync File List Queries. For more information about Full Sync, see Perform Full Sync on Federated Repositories.

• Solutions for resolving 'stuck' Full Sync operations on Federated repositories

  Two new options have been introduced for resolving Full Sync operations that have become 'stuck', meaning the operation persists in the database but is not active in memory. For example, this situation can arise if a user restarts an Artifactory instance while a Full Sync operation is in progress.

  1. A new async task defined in the system.properties file (artifactory.reset.stale.full.sync.job.interval.min) can reset the status of a Full Sync operation that has become 'stuck', enabling the operation to restart.
  2. A new Force Full Sync API enables you to force a Full Sync operation between the Federated repository members, interrupting another Full Sync operation that is already in progress.

• Auto Healing of Federated repositories enabled by default

  The auto-healing mechanism introduced in version 7.71.1 is now permanently enabled for all customers who work with Federated repositories. This mechanism checks Federated repositories at regular intervals for exhausted queues (queues that have exceeded the maximum number of attempts to send events to other Federation members), resets the failed events automatically, and tries again to sync with the target mirror. For more information, see Federation Recovery and Auto-Healing.

• Perform recovery on repository Federation

  It is now possible to perform a recovery operation on an entire Federation at once by leaving off the {repo-key} parameter when invoking the REST API. For more information, see Federation Recovery API.

• Open Metric for Federated Repository status

  A new Open Metric records the number of Federated repositories that have the indicated status. For more information, see Federated Repository Metrics.

• Get Federated Repository Status V2 API

  This enhanced version of the existing API endpoint supports a wider range of statuses. For more information, see Get Federated Repository Status (v2) API.

Release Lifecycle Management

• Updates to Release Lifecycle Management APIs

  Several changes have been made to the Release Lifecycle Management APIs. Among the changes:

  • For all relevant APIs, the status value of PROCESSING has been changed to STARTED.
  • For all relevant APIs, the messages[].source and messages[].created properties have been deprecated.
  • The X-JFrog-Signing-Key-Name request header has been made optional instead of mandatory when promoting a Release Bundle v2 version using the API.

• New menu options for creating Release Bundle v2 versions

  The Actions menu for Release Lifecycle Management now includes options for creating a new version of the selected Release Bundle v2 from builds or other Release Bundles. For more information, see Create a New Version of an Existing Release Bundle.

• Local Deletion of Distributed Release Bundles v2 from Edge Nodes Reported in Source Timeline

  When a distributed Release Bundle v2 version is deleted locally from the target (typically an Edge node), as opposed to being deleted remotely from the source Artifactory, a new service provided by JFrog Distribution informs the source Artifactory of the operation. An event that describes the deletion is then added to the Release Bundle timeline for maximum visibility.

  The behavior of this functionality is configurable in both Distribution (requires 2.24.x and higher) and Artifactory. For more information, see Configure Deleted-at-Target Scraping Service.

• Support for Release Lifecycle Management in Federated Environments

  It is now possible to work with Release Bundles v2 in a Federated environment as part of managing your release lifecycle. This is particularly useful when Federations are employed in a DR (disaster recovery) or Active/Active multi-site framework, as it ensures that your releases (as contained in an immutable Release Bundle) are replicated across all sites. For more information, see Release Lifecycle Management in Federated Environments.

• Project Key Validator for Federated Release Bundle Repositories

  A validator has been added to ensure that Release Bundle repositories related to a specific project can be Federated only if the same project key exists on the other JPDs in the Federation.

• Lifecycle System YAML

  There is a new section in the Artifactory YAML file for configuring parameters related to Release Lifecycle Management. This replaces the Configuration APIs that were used previously and have now been deprecated. For more information, see Lifecycle System YAML.

• Improved Tracking of Distribution Task Progress

  JFrog Distribution now uses an improved method for tracking distribution tasks, which enables more accurate updates about the progress of each task.

Package and Repository Management

• Support for new CocoaPods CLI Commands

  Artifactory now supports using the pod search and pod list commands for local and remote CDN repositories.

• Helm Virtual index.yaml Resolution Improvements

  We have improved our index calculation mechanism for virtual repositories to minimize potential OOM issues. We recommend setting the Metadata Retrieval Cache Period (Sec) in the repository page in the JFrog Platform WebUI to 60 seconds or more. For more information, see Helm Virtual Repository Index Improvements.

• Go Virtual Repositories Performance Improvement

  Added Go Remote VCS repositories requests caching using local cache to reduce remote API calls and avoid rate limits.

• Support for .zip Package Format in CocoaPods Remote CDN Repositories

  Artifactory now supports resolving and caching .zip format packages in CocoaPods remote CDN-enabled repositories, in addition to .tgz format.

User Interface

• Improved Artifact Tree View

  The Artifact Tree view has been significantly improved such that when opening a node on a repository, a specific (configurable) number of artifacts will be displayed instead of the entire contents of the repository. This significantly reduces loading time for repositories containing a large number of artifacts. The default display number is 500, but this number can be changed in the Aritfactory UI. If there are more artifacts to display beyond the current list, a Load more option appears at the end of the list and when clicked displays more items.

  The enhanced Artifact Tree View is available both in a Tree Browser and a Native Browser.

• Display List Manifest Content on the Artifacts Page

  Artifactory now displays the manifests under a list.manifest file directly in the Artifacts page in the JFrog Platform WebUI. For more information, see List Manifest Content.

Xray

• New Default Timeout Value for Blocking Operations After Unfinished Scans

  The default timeout value for the blockUnfinishedScansTimeoutSeconds property has been changed from 600 seconds (10 minutes) to 1800 seconds (30 minutes). This property defines how long Artifactory waits for Xray to finish scanning before blocking operations automatically if the scan is still unfinished.

Resolved Issues

Previous Artifactory Releases

For more information about previous Artifactory releases, see Artifactory End of Life.

To download previous release notes, see the Legacy PDF archive.