Artifactory 7.125.4 Self-Hosted (Self-Managed)

Support for AWS SDK v2 in S3 Storage

Artifactory's S3 binary storage provider now supports AWS SDK v2. This integration allows you to leverage the latest AWS features and optimizations for a more robust and efficient storage solution, while maintaining full backward compatibility with your existing S3 configurations. AWS SDK v2 receives all active development, new features, and security updates, ensuring your storage integration remains up-to-date. For more information, click here.Integrate Artifactory with AWS SDK v2 for S3 Storage

Support for Azure Workload Identity

Artifactory now supports authentication with Azure Blob Storage using Azure Workload Identity. This method provides a secure, secret-less authentication mechanism for applications running on Azure Kubernetes Service (AKS). It leverages federated identity credentials, eliminating the need to manage and rotate secrets such as SAS tokens or storage account keys within your Artifactory configuration. For more information, click here.Azure Workload Identity

Data Sharding Improvements

Improvements were made in thread synchronization in sharding and s3-sharding providers.

Daily Cleanup Job Added for Cache FS _pre folder

A daily job is now triggered on startup to cleanup old dbRecord*.bin files in the cache provider’s _pre folder. The configurations for this job can be modified in the binarystore.xml file under the cache-fs provider. For more information, see Cached Filesystem Binary Provider.Cached Filesystem Binary Provider

Additional Configuration for GCP Internal Actions

The ability to configure readTimeout was added to Google Cloud Platform (GCP) internal actions.

Support for webhooks for project-related builds

Artifactory now supports the creation of webhooks for builds associated with specific projects. This enables you to receive notifications whenever a build in a particular project is uploaded, promoted, or deleted. To create a build webhook for a specific project, you must be working within the scope of the project (as opposed to All Projects).WebhooksProjects

For specific guidelines about creating a build webhook for a specific project, see Domain: Build.Domain: Build

Evidence propagation to Federation members

This release enhances the Evidence service to enable evidence propagation to all Federation members, regardless of whether they contain the relevant public key for verification. Evidence verification, however, is performed only on those members that have the public key. For more information, see Verify Evidence.Evidence Management

Evidence for artifacts in virtual repositories displayed in Artifacts tree

You can now view evidence related to artifacts in a virtual repository in the Artifacts tree. This is particularly useful when attaching evidence to a Docker image created in a tool such as GitHub Actions. In such cases, users typically work with the Docker image as part of a virtual repository in Artifactory. The virtual repository must contain at least one local repository to house the evidence. For more information, see View the Artifact Evidence Table.View the Artifact Evidence Table

Improvements to evidence graph

The design of the Release Bundle evidence graph has been improved to make it easier to distinguish between the various elements (builds, packages, etc.) that comprise the Release Bundle. For more information, see View Release Bundle v2 Evidence.View Release Bundle v2 Evidence

Enhanced metadata propagation during RTFS Full Sync operations

The Artifactory Federation Service (RTFS) now supports the propagation of artifact creation time metadata during a Full Sync operation. To enable this feature:

After CopyAfter Copy Worker Code Sample: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

After DeleteAfter Delete Worker Code Sample: The following field is removed from the Sample Payload:

headers

After Property CreateAfter Create Property Worker Code Sample: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing, disableRedirect and headers.

After MoveAfter Move Worker Code Sample: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

Before MoveDocker Compose Installation: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

Before Download Request: The following fields are added in the response:

modifiedRepoPath, expired and headers.

Before Create: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

Before Copy: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

Before Property Create: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

Before Property Delete: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

After Property Delete: The following fields are removed from the Sample Payload:

contentLength, trustServerChecksums, servletContextUrl, skipJarIndexing and disableRedirect.

Updated the following Worker Events with repoType Input Parameter:

Skips Restore of Artifacts with the Same Name and Path

The restore process now skips any artifact that already exists in the target location, preventing accidental overwrites. The existing file will be preserved, and the skipped operation will be noted in the logs and the CSV report.

Supported Archive Packages Search for Project Admins

Project Admins will now see and be able to use the Archive Search feature. The search results are automatically scoped, ensuring they can only view archived packages that belong to the projects they manage.

Filtering added to Get All Repository Configurations API

You can now use query parameters to filter the results of the Get All Repository Configurations API. You can filter by package type (for example, docker, maven) and repository type (for example, local or remote).Get All Repository Configurations

Change in API response for Release Bundle v2 tags

To correct inconsistent behavior, the following API endpoints have changed the response for Release Bundle v2 tags from bundle_tag and release_bundle_tag to a standard response of tag:

Improved Get Federation Sync State REST API performance

The performance of the REST API that returns the synchronization state of all Federated repositories in the JPD has been improved.Get Federation Sync State

Virtual Repositories for Hugging Face Packages

Virtual repositories can now be created for Hugging Face packages.

For more information, see Create a Hugging Face Repository and Resolve Hugging Face Packages.Create a Hugging Face RepositoryResolve Hugging Face Packages

RPM Package Settings

Added support for Administrators to enable/disable RPM package settings for the following:

For enabling/disabling these settings, see Enable/Disable RPM Package Settings.Enable/Disable RPM Package Settings

Improvement to the Vendor Folder for the Private Go Registry and the Go Proxy

Checksums in the private Go registry and the Go proxy are now aligned for the Go version 1.24 vendor folder.

NuGet Package Updates

Upgraded Gradle Set Me Up Wizard

The Gradle Set Me Up wizard has been upgraded to support Gradle 9.

Improvement in VCS Remote Repositories

The GitHub Server option for Git providers was added for VCS remote repositories. For more information, see Create a VCS Repository.Create a VCS Repository

Added Enforcement of Custom Configurations for Certain Remote Docker Repositories

When creating a remote Docker repository for an Azure Container Registry (*.azurecr.io) or a Microsoft Container Registry (https://mcr.microsoft.com/), Artifactory makes the following default configuration:

When creating a remote Docker repository for a Chainguard Registry (http://cgr.dev/chainguard), Artifactory makes the following default configuration:

These default configurations are set upon remote repository creation and can be canceled afterwards. For more information, see Other Advanced Settings for Remote Repositories.Other Advanced Settings for Remote Repositories

Improved npm Search

It is now possible to search for up to three search terms in npm local repositories when using the "npm search" command.

Enhanced Support for npm Audit

In addition to npm virtual repositories, npm Audit is now also enabled by default on npm remote repositories that support npm Audit directly. For more information, see Use npm Audit.Use npm Audit

Improved Resolving of Subgroups When Accessing Subgroups in Gitlab with Go Remote Repositories

When accessing subgroups in GitLab with Go remote repositories (by selecting the Resolve Subgroups checkbox, as explained here), Artifactory now resolves the correct dependency version even if the URL contents contain both subgroups and submodules.Proxy GitLab with Go

New Setting Added to Complete a List Manifest Image Overwrite

A new setting has been added under Package Settings called Complete list manifest image overwrite. When this setting is enabled, overwriting a list manifest image will asynchronously overwrite all of its sub-manifests.

Expanded support for distributing and exporting Release Bundle v2 versions

To make distributing and exporting Release Bundle v2 versions easier, you can now use JFrog Distribution with Release Bundle v2 versions signed with the default key in Artifactory. To support this change, the default key type has been changed from RSA to GPG, and the name of the default key has been changed to default-lifecycle-key. For more information, see Create Signing Keys for Release Bundles (v2).Create Signing Keys for Release Bundles (v2)

Improved visibility for nested Release Bundles

The Release Bundle v2 content graph now provides a clear, visual representation of nested Release Bundles. Seeing the complete hierarchy enables you to understand how the Release Bundle is constructed, even when it contains other Release Bundles. For more information, see View Release Bundle v2 Evidence.View Release Bundle v2 Evidence

Improved aggregated Release Bundle creation

Artifactory has improved its handling of aggregated Release Bundles (meaning, a Release Bundle v2 version that is comprised of other Release Bundle versions). If the Release Bundle version you are trying to create contains multiple Release Bundles with the same artifact but different metadata (evidence or properties), Artifactory will create the version successfully using the newer version of the artifact.

Change of status code when creating Release Bundle v2 from build with missing artifact

To improve reporting accuracy, errors caused by missing artifacts during Release Bundle v2 creation will be returned as a 422 error (SC_UNPROCESSABLE_ENTITY) rather than a different status code that triggered unnecessary monitoring alerts. The 422 status code represents the event more accurately as it is the expected behavior when an artifact cannot be found.

Performance Improvement in Release Bundle v2 Promotion Flow

The performance of the promotion flow for Release Bundle v2 versions has been improved.

Source environment included in Release Bundle v2 promotion GET API results

The Get Release Bundle v2 Promotions and Get Release Bundle v2 Version Promotions REST APIs now include the source environment in their responses. This enables you to see at a glance the name of the environment from which the Release Bundle version was promoted.Get Release Bundle v2 PromotionsGet Release Bundle v2 Version Promotions

Redesigned presentation of Release Bundle v2 contents

The Content tab for Release Bundle v2 versions has been redesigned to show each package and standalone artifact included in the version (known as "releasables") and their source (for example, a build or a different Release Bundle). For more information, see View the Contents of a Release Bundle v2 Version.View the Contents of a Release Bundle v2 Version

Release Bundle v2 versions now associated with stages and lifecycles

This version replaces environments with the concept of stages and lifecycles, to provide users with more flexibility and control over their SDLC. Administrators can create global and project stages as needed and assign them to different SDLC categories, such as Code and Promote. The administrator then adds selected stages to the lifecycle to represent the progression of release candidates through your SDLC. For more information, see Stages & Lifecycle.Stages & Lifecycle

Support for webhooks for project-related Release Bundles

Artifactory now supports the creation of webhooks for Release Bundle v2 versions associated with specific projects. This enables you to receive notifications whenever a Release Bundle in a particular project is uploaded, promoted, or deleted. To create a Release Bundle webhook for a specific project, you must be working within the scope of the project (as opposed to All Projects).WebhooksProjects

For guidelines about creating a Release Bundle v2 webhook for a specific project, see Domain: Release Bundle v2.Domain: Release Bundle v2

Created-by information provided for Sigstore evidence

To improve understanding and traceability, the API response when creating and deploying Sigstore evidence now includes the username associated with the JFrog token instead of ‘internal’.

More accurate error messages during Release Bundle promotion

To improve user understanding, validation errors during the Release Bundle v2 promotion process will now return a BAD REQUEST error message (HTTP 400) rather than a generic HTTP 500 error.

Release Bundle v2 auto-creation feature removed

The Release Bundle v2 auto-creation feature, which was introduced to help customers transition from build promotion to the expanded feature set offered by Release Lifecycle Management, has been removed from the platform UI after having served its purpose.Release Lifecycle Management

Viewing Release Bundles distributed to Edge nodes

To align the platform UI with the REST API, only admin users are permitted to view distributed Release Bundle versions (v1 and v2) in the Received tab on Edge nodes. For more information, see View Release Bundles on Edge Nodes.View Release Bundles on Edge Nodes

Adding days/weeks selection for Time-based Policy Condition - Cleanup Release Bundle V2

Enhanced RB V2 cleanup functionality with the addition of days/weeks selection for policy condition. You can now configure cleanup conditions, specifying days/weeks for the RB V2. For more information, see Create Cleanup Policy - Release Bundle V2.Create Cleanup Policy - Release Bundle V2

Retention Policies - Cleanup & Smart Archiving

The Stop All Runs action is now restricted to Platform Admins only. Project Admins no longer have access to this action.

Run Cleanup policies and Garbage Collection (GC) Simultaneously

Enabled cleanup policies to run more reliably by making them health-aware. Jobs will now run concurrently with other tasks only if the system is HEALTHY and will automatically stop if load increases, ensuring system stability.

This can be toggled by the system property: artifactory.retention.system.health.aware.job.enabled

Improved Artifact Lifecycle Management

Artifactory now updates the creation timestamp of an artifact when it is copied or moved to a new repository to the current date and time of the operation. Previously, the original creation timestamp was retained when moving or copying an artifact to another repository, which led to incorrect assumptions about the artifact's age and relevance in the new location. The "last modified" timestamp remains unchanged to preserve the integrity of the artifact's last update. This enhancement helps in the effective adoption of cleanup policies and aligns with industry standards. To ensure backward compatibility, this feature is implemented behind a feature flag and is disabled by default.

New Metadata Properties Added to the manifest.json

Metadata properties for the operating system and the operating system architecture will now be added to the manifest.json after pushing or caching a new image. These new properties are set in docker.os and docker.architecture, respectively.

Prevent accidental removal of referenced sub-architectures in multi-arch images

Starting from this Artifactory version, when deleting a multi-architecture image, any sub-architecture variant that is still referenced by another image will be preserved.

Context retention in Artifacts browser

When you copy or move artifacts in the Artifacts browser, the UI no longer moves automatically to the destination path of the operation but remains in its original context. To move to the destination path after the copy or move operation is complete, click the Go to path link in the confirmation message.

UI Support for Debian Source Package Search

Added support for Debian Source package search.

Improved Change Artifacts count UI widget caching mechanism

Improvements were made to the Change Artifacts count UI widget caching mechanism.

Daily Cleanup Job Added for Cache FS _pre folder

A daily job is now triggered on startup to cleanup old dbRecord*.bin files in the cache provider’s _pre folder. The configurations for this job can be modified in the binarystore.xml file under the cache-fs provider.

Redesigned platform UI for Release Lifecycle Management

The platform UI for Release Lifecycle Management has been redesigned to provide a clearer, more consolidated view of your Release Bundles. The new design centralizes all critical information for each Release Bundle version, including its timeline, contents, security scans, evidence, and properties, in an accessible and intuitive interface. For more information, see Release Lifecycle Management.Release Lifecycle Management

Improved visibility of OCI/Docker multi-arch images in the platform UI

To reduce visual clutter and improve comprehension, Artifactory now makes it easier to manage OCI/Docker multi-arch images in the platform UI. For example, if you have a multi-arch image called my-image:1.0.0 that supports amd64 and arm64 architectures, Artifactory contains 3 distinct package versions, one for the manifest list and one for each architecture:

Artifactory now displays the version for the manifest list only in the platform UI and suppresses the individual architecture versions (named according to their image tags). This enables you to focus on the multi-arch image as a single entity. Please note that all package versions will be returned when listing the content via the REST APIs.

Platform UI support for displaying larger evidence files

The platform UI can now display evidence files up to a maximum size of 3000 lines (compared to 1500 lines in previous versions). Larger evidence files can be downloaded with a single click. For more information, see View Evidence.View Evidence

Support for Easy Copying of Administration Values

The JFrog Platform WebUI now supports a Copy button, allowing you to copy values in the Administration module pages with a single click.

The following values will now be easily copiable:

Support for Updating the Access Bootstrap YAML File

The JFrog Platform now supports making changes to the access.security.bootstrap.yml file without creating a new configuration or modifying the existing Artifactory YAML file. For more information, see Access Bootstrap YAML File.Access Bootstrap YAML File

Improved Configuration Descriptor Validation

Configuration descriptor validation was improved to increase system stability.

Traefik Version Upgrade

The Traefik version embedded in the Router microservice was upgraded from v2 to v3. This should not impact operation. Though if you your deployment depends on specific functionality, review their upgrade notes