Artifactory 7.49.3 Cloud | Self-Hosted

JFrog Release Information


Released: 28 December, 2022


Users with Federated repositories should refrain from upgrading to this version and instead upgrade directly to Artifactory version 7.49.6. For more information, see Known Issues.

Breaking Change - Security Hardening When Distributing to a Remote JPD

As part of a JFrog Distribution security enhancement, the following changes have been implemented in the core Artifactory:

  • The “_intransit” repository is now a system repository; the “_intransit” repository will no longer be visible as a repository in an Artifactory/Edge, and the user will not have access to this repository (even an admin).

  • The “_intransit” repository can contain only artifacts that are part of a distributed Release Bundle. The option “allow only artifacts that are part of a bundle” is always enabled.

  • Uploading artifacts and manipulation of the “_intransit” repository is allowed only for the Distribution service (no other users, including admins, will be able to perform this upload).

NuGet V2 APIs Deprecation Notice

With the decision by NuGet for EoL/EoS for Nuget V2 and transition to V3, and JFrog's emphasis on keeping its code up-to-date, the following two NuGet APIs will be deprecated towards the end of Q1, 2023:



If you continue to use NuGet V2, you can use the /search API instead.

Feature Enhancements

Internal Database Indexing Enhancements

This release includes a number of internal database indexing enhancements to support the Federated monitoring feature.

Federated Repository Multi-Version Support

Artifactory 7.49.3 introduces multi-version support, which enables the members of a Federation to run different versions of Artifactory, even if the version at one site includes configuration features and values that are not supported on the versions running at other sites. Thanks to multi-version support, future upgrades after 7.49.3 can be performed on one site at a time, eliminating the need for simultaneous upgrades across all locations.

Whenever an instance with a new Artifactory version is introduced to the Federation, the configurations of the other members are retrieved and a negotiation process checks for new and upgraded features that are not supported on the older versions. If there are new features that older versions do not support, the new feature is disabled. For upgraded features, a default value is chosen that is supported on all member versions.

Multi-version support requires Artifactory 7.49.3 and above. Therefore, it is a prerequisite of this feature to upgrade all Federated repository members to Artifactory 7.49.3. After this has been done, multi-version support is enabled for all versions going forward.

Federated Repository Monitoring

This new feature enables you to monitor the status of Federated repositories using a set of dedicated REST APIs. Use these APIs to get the status of the Federation for a specific repository, including task status, pending event status, server lag time, and the number of fully (binary and metadata) and artificially (metadata only) replicated artifacts. In addition, you can use these APIs to get a list of Federation mirror lag times and a list of unsynchronized mirrors.

For more details, see Monitor Federated Repositories.Working with Federated Repositories

The new monitoring features become available after the one-time database optimization process (which is part of the upgrade to this version) is complete.

New Platform Security APIs

These new Security APIs replace the previous Security APIs, which are planned to be deprecated at a later stage. The new APIs address aspects of JFrog Platform security and access, such as users, groups, permissions, tokens, and more. For more information, see Security REST APIs.ARTIFACTORY SECURITYARTIFACTORY SECURITY

Platform-specific REST APIs Moved to a Dedicated Page

All REST APIs that are not specific to Artifactory - but are relevant to the JFrog Platform as a whole - have been moved to their own documentation page called JFrog Platform REST API. Here you will find all the APIs that were previously on the Artifactory page, including Security, System and Configuration, Support, Access, Projects, Router, and Webhooks. You will also find links from the existing Artifactory API page to the relevant sections on the new page.JFrog Platform REST APIs

npm Package Enhancements

  • Support for npm-audit bulk REST API RTFACT-26435

    Added support for npm-audit bulk REST API commands in order to support npm-audit fix.

  • npm Deprecation Flow Improvements

    Simplified the npm deprecation handling. Now, npm deprecations will be reflected in the package.json file, and the npm client will return an appropriate error in the case of lacking permissions.


    If you have a large number of deprecated npm packages, upgrading Artifactory will cause Artifactory to start with a few seconds delay.

New RubyGems REST API

The new RubyGems REST API endpoint returns the list of versions for a given RubyGems package. For more information, see Get RubyGem Version List.Get RubyGem Version List

New Zap Cache API

The new API endpoint allows you to zap cache for an artifact or repository. For more information, see Zap Cache.Advanced SettingsZap Cache

Support for Traefik Metrics

JFrog now supports enabling Prometheus Traefik metrics and tracing on the JFrog Router. For more information, see the Traefik documentation.

To enable this feature, create a traefic.toml file in the ${JF_PRODUCT_HOME}/var/etc/router/ path, containing the following content:

   entryPoint = "api"

Restart Artifactory, and scrape the metrics using a Prometheus curl command, for example: curl -v

Renaming Projects

Project names can now be edited.

Updates to the Swift Repository SetMeUp

The Swift SetMeUp in the JFrog Platform UI now includes instructions for enabling support for HTTP. For more information, see Swift Registry.Swift Registry

Project Key Minimum Length Changed RTFACT-26881

The minimum length for a project key was reduced from 3 characters to 2.

Repositories Configuration

From this version, Repository Configuration changes are done via REST API and not via the Global Configuration Descriptor. This change will improve performance for JFrog instances with a large number of repositories and will shorten the time needed to make configuration changes. For more information, see Repositories Configuration.Artifactory Configuration Descriptors

Quick Search DB Improvements RTFACT-21652

Improved performance for Quick Search in the PostgreSQL database by approximately 70%, decreasing the loading time from five minutes to around 30 seconds.

For Self-Hosted instances: before upgrading, make sure that you have created your PostgreSQL Artifactory database user with appropriate permissions. For more information, see Create the PostgreSQL DatabasePostgreSQL for Artifactory

Project Key Maximum Length Changed RTFACT-27356

The maximum length for a project key was increased from 10 characters to 20.

Resolved Issues

JIRA Issue



Fixed an issue whereby, Local and Federated repositories could be created with the same name.


Fixed an issue whereby, the log level of the SAS TOKEN Authentication event was WARN instead of DEBUG.


Fixed an issue whereby, resolving a Maven artifact containing periods from a Virtual repository using a custom Ivy layout and then restarting the Artifactory node, Artifactory did not translate the request path and returned a 404 error.


Fixed an issue whereby, Artifactory returned a "Username length exceeds maximum length of 58 characters" error when adding a member to a Federated repository using a URL longer than 58 characters.


Fixed an issue whereby, retrieving artifact effective permissions was not optimized.


Fixed an issue whereby Artifactory was missing overriding SQL functionalities, which caused database hints to not be evaluated.


Fixed an issue whereby, reference tokens generated for REST API commands with the header X-JFrog-Art-Api returned a 403 error.


Fixed an issue whereby, the npm Artifactory client returned an error if the bundledDependencies parameter was used.


Fixed an issue whereby, an npm package named latest could not be resolved from Artifactory Remote repository if the request was decoded.


Fixed an issue whereby, if the same artifact was uploaded to Artifactory simultaneously by two processes, it caused the second process to fail.


Fixed an issue whereby, when creating an RPM Virtual repository index, Artifactory returned an error if the aggregated RPM Remote repository index file names contained upper-case characters.


Fixed an issue whereby, when entering an invalid GPG keypair name or alias, Artifactory later failed to start and did not display an error message.


Fixed an issue whereby, the Artifactory configuration descriptor URL in the schema XML file was incorrect.


Fixed an issue with synced SAML groups whereby, when uploading an artifact from one node and trying to deploy it from a different node, Artifactory returned an error.


Fixed an issue whereby, when attempting to start a node with a very large license bucket, Artifactory failed to load.


Fixed an issue whereby, downloading Go packages that do not exist in the Go Virtual repositories, containing a Remote GitHub proxy, returned a Go .mod type file instead of a 404 error.


Fixed an issue whereby, downloading Cocoapods packages from a Smart Remote repository using the JFrog Platform UI or API returned a 404 error.


Fixed an issue in Helm indexing whereby, a chart with a trailing quote in the appVersion parameter caused the indexing to break.


Fixed an issue whereby, under some circumstances, Artifactory did not index specific Alpine APK packages.


Fixed an issue whereby, resolving PyPI packages with limited permissions in a repository containing include/ exclude patterns, returned a 403 error.


Fixed an issue whereby, users with permissions for Remote repositories but not to Local repositories, who try to access a Virtual repository, received a 403 error from npm-audit.


Fixed an issue whereby, running npm login to Artifactory failed when using an access token.


Fixed an issue whereby, under certain circumstances, sending concurrent docker promote requests deleted the Docker image from the target repositories.


Fixed an issue whereby, the Go versions list displayed an incorrect time format of 12 hours instead of 24 hours.


Fixed an issue related to Virtual Maven repositories containing Remote and Local repositories with Priority resolution enabled. When the user tried to download the latest package version from a Remote repository, they received an error.


Fixed an issue whereby, under certain circumstances, downloading Docker v2 tags list caused Artifactory to be unresponsive.


Fixed an issue whereby, installing packages from a Go Remote repository failed when the flag storeArtifactsLocally was disabled.


Fixed an issue whereby, the wrong Federated repositories were marked as inconsistent, and the issue could not be fixed by a push configuration.


Fixed an issue whereby, the Add button in the Federated Repositories page in the WebUI was not functioning.


Fixed an issue whereby, the WebUI Artifacts page failed to display long lists of artifacts or repositories.


Fixed an issue in the Artifact Browser page in the WebUI whereby, when a Filter Repositories search returned no results, the path did not remain on the latest selected node in the tree browser.


Fixed an issue whereby, selecting the No Proxy checkbox in the Remote repository advanced settings tab in the WebUI, caused the previously saved network-related fields to be removed from the Remote repository Basic settings tab.


Fixed an issue whereby, users trying to view the Debian package info tab received a 'Forbidden' error if the user did not have access to all the repositories within the Virtual repository, even if they had read permissions for the package.


Fixed an issue whereby, Google OAuth did not work as expected due to issues in the HttpURLConnection class.


Fixed an issue whereby, in the Artifactory WebUI property search, when hovering on a result and clicking Show in Tree, Artifactory did not work as expected.


Fixed an issue whereby, GPG keys configured in repositories could not be replaced via the WebUI.


Fixed an issue whereby, Artifactory did not support for Composer Remote repositories.


Fixed an issue whereby, when the not-match-old password policy was enabled, adding new users via the WebUI or Rest API was blocked.


Fixed an issue whereby, users were limited to sorting by name in the Users page in the WebUI.


Fixed an issue whereby, the option to Enable Direct Cloud Storage Download forRPM Remote repositories was missing from the JFrog Platform UI.


Fixed an issue whereby, the JFrog Platform UI did not display all of the property sets included in a repository.


Fixed an issue whereby, creating more than one Remote repository using pull replication, pointing to the same Local repository, created multiple replication channels with identical names.


Fixed an issue whereby, users with limited permissions to Local or Remote Swift repositories with Priority Resolution enabled, who proceeded to install a package from a Virtual Swift repository, still received the package from the repository.


Fixed an issue whereby, the pagination controls on the Repositories page in the JFrog Platform UI were hidden.


Fixed an issue whereby, failed login attempts with a username containing capital letters were not registered as login attempts.


Fixed an issue whereby, on rare occasions, when restarting Artifactory Cloud or when creating repositories, it returned a 'ServerFailedException' error.


Fixed an issue whereby, when artifactory instances of different versions tried to connect, the connection stayed open which caused a leak.


Fixed an issue whereby, entering invalid characters in the Backup Key field in the Backups page was allowed.


Fixed an issue whereby, creating a backup in the JFrog Platform UI or API, and enabling the Exclude New Repositories feature, caused included repositories to be moved to the excluded repositories column.


Fixed an issue whereby, when making a GET request to the /api/search/usage endpoint without specifying a repository, Artifactory returned a 404 error.


Fixed an issue whereby, the repository configuration V2 REST API command for Federated repositories did not return all necessary fields.


Fixed an issue whereby, the Artifactory Cold Storage Instance UI did not load.


Fixed an issue whereby, when making a GET request to the /api/search/usage endpoint to retrieve all the artifacts that were not downloaded since a given timestamp, Artifactory returned a 404 error.


Fixed an issue whereby, Filestore configuration with the Azure Blob Storage V2 binary provider template did not work in self-hosted Artifactory installation because account key authentication was not accepted.


Fixed an issue whereby, the Storage Monitoring page did not show Storage Space Limit when the limit was reached.


Fixed an issue whereby, when trying to create a Federated repository in an environment with no custom base URL, Artifactory returned an error.


Fixed an issue whereby, 'admin' was removed from the Edit Profile URL (the page is accessible also to non-admins).


Fixed an issue whereby, users could not edit a permission target even when they had 'Manage' permissions for the permission target.


Fixed an issue whereby, resources in the permission target view were not visible for non-Admin users with Manage permission.

Known Issues in this Version

  • When the  syncDeletes  and  enableEventReplication  properties in repository replication are enabled, disabling  syncDeletes  via REST API also disables  enableEventReplication. 

  • For customers with Federated repositories, the repositories become disabled after upgrading a JPD on which Artifactory 7.49.3 or 7.49.5 was previously installed. 

    For more information about both known issues, see Known Issues.