Released: 13 January, 2026
Feature Enhancements
Smart Remote Repository URL validation
When you create or update an existing Smart Remote repository using the REST APIs, Artifactory will validate the URL to ensure that it is correct, including the prefix required by many package types. For more information about the URL prefix, see Configure a Smart Remote Repository.
Added a Warning Message When Deleting a SCIM Token
The JFrog Platform now displays a warning message when attempting to delete a SCIM token, as deletion might disconnect authentication provider integrations.
Evidence system enhancements
Cosign v3: The Evidence system now supports automatic evidence creation using the Sigstore bundle format. This includes compatibility with both the
cosign signandcosign attestcommands with thenew-bundle-formatflag. Support remains in place for in-toto attestations (DSSE) created with the legacy Cosign v2attestcommand.PSS padding: To simply integration with different systems that produce attestations, the Evidence system now supports secure PSS (Probabilistic Signature Scheme) padding for signatures when creating evidence with the REST APIs. PKCS#1 v1.5 padding is still supported.
Base64 URL encoding: The Evidence system now supports Base64 URL encoding for the DSSE signature. Standard Base64 encoding is still supported.
Support for .dsc Source Packages in Local Debian Repositories
Local Debian repositories now support Debian source packages. After configuring your sources.list file for source packages, you can deploy the component source package files one by one to your local repository and resolve them as a single package using apt-get source. For more information, see Connect Debian to Artifactory.
Resolved Issues
RTDEV-70880 | Storage | Medium | Fixed an issue whereby AWS SDK v2 with the KMS client-side failed to decrypt large objects. |
RTDEV-70712 | Packages | Medium | Fixed an issue whereby the Artifactory Maven indexer left indexer files open on the JVM even after they were deleted. |
RTDEV-70121 | Packages | Medium | Fixed an issue whereby Go repositories failed to resolve nested submodules hosted in a monorepo structure on GitHub. |
RTDEV-69867 | General | Medium | Fixed an issue whereby the JFConnect client did not adhere to the custom router port configuration, thus causing Artifactory to fail upon initialization when the custom router port was set. |
RTDEV-65263 | General | Medium | Fixed an issue whereby restoring the root folder of a repository deleted any properties that were set on the root folder. |
RTDEV-64246 | Storage | Low | Fixed an issue whereby binaries pruning was not running when the rootFoldersNameLength wasn't set as the default. |
RPG-1994 | General | Medium | Fixed an issue whereby, when using the router metrics REST API endpoint, the JFrog Platform did not include the |
JA-19208 | Authentication Providers | Medium | Fixed an issue related to the OIDC integration whereby, when setting two identity mappings with the same name, the JFrog Platform returned a 500 error. |
JA-18801 | User Management | Medium | Fixed an issue related to the Administration module on the JFrog Platform UI whereby, when a non-admin user with Manage Resources permissions attempted to access the Permissions page, the JFrog Platform returned an error. |
JA-18797 | User Interface | Medium | Fixed an issue related to LDAP whereby, when trying to set up a repository as an LDAP user, the JFrog Platform returned a Forbidden error. |
JA-18497 | General | Low | Fixed an issue related to logging whereby, after upgrading Artifactory to version 7.117.16 or later, a warning was logged in the Artifactory log file related to BeforeTokenExpiryWorkerNotifyTask that was unnecessary. |
JIRA Issue | Component | Severity | Description |
|---|