Artifactory 7.49.3 Cloud | Self-Hosted

JFrog Release Information

Content Type
Release Notes
ft:sourceType
Paligo

Released: 28 December, 2022

Important

Users with Federated repositories should refrain from upgrading to this version and instead upgrade directly to Artifactory version 7.49.6. For more information, see Known Issues.

Breaking Change - Security Hardening When Distributing to a Remote JPD

As part of a JFrog Distribution security enhancement, the following changes have been implemented in the core Artifactory:

  • The “_intransit” repository is now a system repository; the “_intransit” repository will no longer be visible as a repository in an Artifactory/Edge, and the user will not have access to this repository (even an admin).

  • The “_intransit” repository can contain only artifacts that are part of a distributed Release Bundle. The option “allow only artifacts that are part of a bundle” is always enabled.

  • Uploading artifacts and manipulation of the “_intransit” repository is allowed only for the Distribution service (no other users, including admins, will be able to perform this upload).

NuGet V2 APIs Deprecation Notice

With the decision by NuGet for EoL/EoS for Nuget V2 and transition to V3, and JFrog's emphasis on keeping its code up-to-date, the following two NuGet APIs will be deprecated towards the end of Q1, 2023:

/GetUpdates()

/GetUpdates()/$count

If you continue to use NuGet V2, you can use the /search API instead.

Feature Enhancements

Internal Database Indexing Enhancements

This release includes a number of internal database indexing enhancements to support the Federated monitoring feature.

Federated Repository Multi-Version Support

Artifactory 7.49.3 introduces multi-version support, which enables the members of a Federation to run different versions of Artifactory, even if the version at one site includes configuration features and values that are not supported on the versions running at other sites. Thanks to multi-version support, future upgrades after 7.49.3 can be performed on one site at a time, eliminating the need for simultaneous upgrades across all locations.

Whenever an instance with a new Artifactory version is introduced to the Federation, the configurations of the other members are retrieved and a negotiation process checks for new and upgraded features that are not supported on the older versions. If there are new features that older versions do not support, the new feature is disabled. For upgraded features, a default value is chosen that is supported on all member versions.

Multi-version support requires Artifactory 7.49.3 and above. Therefore, it is a prerequisite of this feature to upgrade all Federated repository members to Artifactory 7.49.3. After this has been done, multi-version support is enabled for all versions going forward.

Federated Repository Monitoring

This new feature enables you to monitor the status of Federated repositories using a set of dedicated REST APIs. Use these APIs to get the status of the Federation for a specific repository, including task status, pending event status, server lag time, and the number of fully (binary and metadata) and artificially (metadata only) replicated artifacts. In addition, you can use these APIs to get a list of Federation mirror lag times and a list of unsynchronized mirrors.

For more details, see Monitor Federated Repositories.Working with Federated Repositories

The new monitoring features become available after the one-time database optimization process (which is part of the upgrade to this version) is complete.

New Platform Security APIs

These new Security APIs replace the previous Security APIs, which are planned to be deprecated at a later stage. The new APIs address aspects of JFrog Platform security and access, such as users, groups, permissions, tokens, and more. For more information, see Security REST APIs.ARTIFACTORY SECURITYARTIFACTORY SECURITY

Platform-specific REST APIs Moved to a Dedicated Page

All REST APIs that are not specific to Artifactory - but are relevant to the JFrog Platform as a whole - have been moved to their own documentation page called JFrog Platform REST API. Here you will find all the APIs that were previously on the Artifactory page, including Security, System and Configuration, Support, Access, Projects, Router, and Webhooks. You will also find links from the existing Artifactory API page to the relevant sections on the new page.JFrog Platform REST APIs

npm Package Enhancements

  • Support for npm-audit bulk REST API RTFACT-26435

    Added support for npm-audit bulk REST API commands in order to support npm-audit fix.

  • npm Deprecation Flow Improvements

    Simplified the npm deprecation handling. Now, npm deprecations will be reflected in the package.json file, and the npm client will return an appropriate error in the case of lacking permissions.

    Note

    If you have a large number of deprecated npm packages, upgrading Artifactory will cause Artifactory to start with a few seconds delay.

New RubyGems REST API

The new RubyGems REST API endpoint returns the list of versions for a given RubyGems package. For more information, see Get RubyGem Version List.Get RubyGem Version List

New Zap Cache API

The new API endpoint allows you to zap cache for an artifact or repository. For more information, see Zap Cache.Advanced Settings for Remote RepositoriesZap Cache

Support for Traefik Metrics

JFrog now supports enabling Prometheus Traefik metrics and tracing on the JFrog Router. For more information, see the Traefik documentation.

To enable this feature, create a traefic.toml file in the ${JF_PRODUCT_HOME}/var/etc/router/ path, containing the following content:

[metrics]
  [metrics.prometheus]
   entryPoint = "api"

Restart Artifactory, and scrape the metrics using a Prometheus curl command, for example: curl -v 127.0.0.1:8049/metrics.

Renaming Projects

Project names can now be edited.

Updates to the Swift Repository SetMeUp

The Swift SetMeUp in the JFrog Platform UI now includes instructions for enabling support for HTTP. For more information, see Swift Registry.Swift Registry

Project Key Minimum Length Changed RTFACT-26881

The minimum length for a project key was reduced from 3 characters to 2.

Repositories Configuration

From this version, Repository Configuration changes are done via REST API and not via the Global Configuration Descriptor. This change will improve performance for JFrog instances with a large number of repositories and will shorten the time needed to make configuration changes. For more information, see Repositories Configuration.Artifactory Configuration Descriptors

Quick Search DB Improvements RTFACT-21652

Improved performance for Quick Search in the PostgreSQL database by approximately 70%, decreasing the loading time from five minutes to around 30 seconds.

For Self-Hosted instances: before upgrading, make sure that you have created your PostgreSQL Artifactory database user with appropriate permissions. For more information, see Create the PostgreSQL DatabasePostgreSQL for Artifactory

Project Key Maximum Length Changed RTFACT-27356

The maximum length for a project key was increased from 10 characters to 20.

Resolved Issues

JIRA Issue

Description

RTFACT-27406

Fixed an issue whereby, Local and Federated repositories could be created with the same name.

RTFACT-27146

Fixed an issue whereby, the log level of the SAS TOKEN Authentication event was WARN instead of DEBUG.

RTFACT-27270

Fixed an issue whereby, resolving a Maven artifact containing periods from a Virtual repository using a custom Ivy layout and then restarting the Artifactory node, Artifactory did not translate the request path and returned a 404 error.

RTFACT-27517

Fixed an issue whereby, Artifactory returned a "Username length exceeds maximum length of 58 characters" error when adding a member to a Federated repository using a URL longer than 58 characters.

RTFACT-27285

Fixed an issue whereby, retrieving artifact effective permissions was not optimized.

RTFACT-27492

Fixed an issue whereby Artifactory was missing overriding SQL functionalities, which caused database hints to not be evaluated.

RTFACT-27468

Fixed an issue whereby, reference tokens generated for REST API commands with the header X-JFrog-Art-Api returned a 403 error.

RTFACT-29203

Fixed an issue whereby, the npm Artifactory client returned an error if the bundledDependencies parameter was used.

RTFACT-27445

Fixed an issue whereby, an npm package named latest could not be resolved from Artifactory Remote repository if the request was decoded.

RTFACT-27500

Fixed an issue whereby, if the same artifact was uploaded to Artifactory simultaneously by two processes, it caused the second process to fail.

RTFACT-27390

Fixed an issue whereby, when creating an RPM Virtual repository index, Artifactory returned an error if the aggregated RPM Remote repository index file names contained upper-case characters.

RTFACT-26214

Fixed an issue whereby, when entering an invalid GPG keypair name or alias, Artifactory later failed to start and did not display an error message.

RTFACT-27284

Fixed an issue whereby, the Artifactory configuration descriptor URL in the schema XML file was incorrect.

RTFACT-26823

Fixed an issue with synced SAML groups whereby, when uploading an artifact from one node and trying to deploy it from a different node, Artifactory returned an error.

RTFACT-27336

Fixed an issue whereby, when attempting to start a node with a very large license bucket, Artifactory failed to load.

RTFACT-27416

Fixed an issue whereby, downloading Go packages that do not exist in the Go Virtual repositories, containing a Remote GitHub proxy, returned a Go .mod type file instead of a 404 error.

RTFACT-27363

Fixed an issue whereby, downloading Cocoapods packages from a Smart Remote repository using the JFrog Platform UI or API returned a 404 error.

RTFACT-26509

Fixed an issue in Helm indexing whereby, a chart with a trailing quote in the appVersion parameter caused the indexing to break.

RTFACT-26591

Fixed an issue whereby, under some circumstances, Artifactory did not index specific Alpine APK packages.

RTFACT-27479

Fixed an issue whereby, resolving PyPI packages with limited permissions in a repository containing include/ exclude patterns, returned a 403 error.

RTDEV-3521

Fixed an issue whereby, users with permissions for Remote repositories but not to Local repositories, who try to access a Virtual repository, received a 403 error from npm-audit.

RTDEV-28665

Fixed an issue whereby, running npm login to Artifactory failed when using an access token.

RTDEV-27161

Fixed an issue whereby, under certain circumstances, sending concurrent docker promote requests deleted the Docker image from the target repositories.

RTDEV-3094

Fixed an issue whereby, the Go versions list displayed an incorrect time format of 12 hours instead of 24 hours.

RTDEV-27777

Fixed an issue related to Virtual Maven repositories containing Remote and Local repositories with Priority resolution enabled. When the user tried to download the latest package version from a Remote repository, they received an error.

RTDEV-28200

Fixed an issue whereby, under certain circumstances, downloading Docker v2 tags list caused Artifactory to be unresponsive.

RTDEV-28253

Fixed an issue whereby, installing packages from a Go Remote repository failed when the flag storeArtifactsLocally was disabled.

RTDEV-28520

Fixed an issue whereby, the wrong Federated repositories were marked as inconsistent, and the issue could not be fixed by a push configuration.

JFUI-11349

Fixed an issue whereby, the Add button in the Federated Repositories page in the WebUI was not functioning.

RTDEV-28055

Fixed an issue whereby, the WebUI Artifacts page failed to display long lists of artifacts or repositories.

RTDEV-28137

Fixed an issue in the Artifact Browser page in the WebUI whereby, when a Filter Repositories search returned no results, the path did not remain on the latest selected node in the tree browser.

RTDEV-28054

Fixed an issue whereby, selecting the No Proxy checkbox in the Remote repository advanced settings tab in the WebUI, caused the previously saved network-related fields to be removed from the Remote repository Basic settings tab.

RTDEV-27183

Fixed an issue whereby, users trying to view the Debian package info tab received a 'Forbidden' error if the user did not have access to all the repositories within the Virtual repository, even if they had read permissions for the package.

RTDEV-28276

Fixed an issue whereby, Google OAuth did not work as expected due to issues in the HttpURLConnection class.

RTDEV-28227

Fixed an issue whereby, in the Artifactory WebUI property search, when hovering on a result and clicking Show in Tree, Artifactory did not work as expected.

RTDEV-28168

Fixed an issue whereby, GPG keys configured in repositories could not be replaced via the WebUI.

RTDEV-5069

Fixed an issue whereby, Artifactory did not support asset-packagist.org for Composer Remote repositories.

JA-3351

Fixed an issue whereby, when the not-match-old password policy was enabled, adding new users via the WebUI or Rest API was blocked.

JA-3227

Fixed an issue whereby, users were limited to sorting by name in the Users page in the WebUI.

RTDEV-27695

Fixed an issue whereby, the option to Enable Direct Cloud Storage Download forRPM Remote repositories was missing from the JFrog Platform UI.

RTDEV-28042

Fixed an issue whereby, the JFrog Platform UI did not display all of the property sets included in a repository.

RTDEV-27934

Fixed an issue whereby, creating more than one Remote repository using pull replication, pointing to the same Local repository, created multiple replication channels with identical names.

RTDEV-27899

Fixed an issue whereby, users with limited permissions to Local or Remote Swift repositories with Priority Resolution enabled, who proceeded to install a package from a Virtual Swift repository, still received the package from the repository.

RTDEV-27837

Fixed an issue whereby, the pagination controls on the Repositories page in the JFrog Platform UI were hidden.

RTDEV-27806

Fixed an issue whereby, failed login attempts with a username containing capital letters were not registered as login attempts.

RTDEV-28312

Fixed an issue whereby, on rare occasions, when restarting Artifactory Cloud or when creating repositories, it returned a 'ServerFailedException' error.

RTDEV-28139

Fixed an issue whereby, when artifactory instances of different versions tried to connect, the connection stayed open which caused a leak.

RTDEV-28135

Fixed an issue whereby, entering invalid characters in the Backup Key field in the Backups page was allowed.

RTDEV-25078

Fixed an issue whereby, creating a backup in the JFrog Platform UI or API, and enabling the Exclude New Repositories feature, caused included repositories to be moved to the excluded repositories column.

RTDEV-28411

Fixed an issue whereby, when making a GET request to the /api/search/usage endpoint without specifying a repository, Artifactory returned a 404 error.

RTDEV-28254

Fixed an issue whereby, the repository configuration V2 REST API command for Federated repositories did not return all necessary fields.

RTDEV-28352

Fixed an issue whereby, the Artifactory Cold Storage Instance UI did not load.

RTDEV-28331

Fixed an issue whereby, when making a GET request to the /api/search/usage endpoint to retrieve all the artifacts that were not downloaded since a given timestamp, Artifactory returned a 404 error.

RTDEV-28045

Fixed an issue whereby, Filestore configuration with the Azure Blob Storage V2 binary provider template did not work in self-hosted Artifactory installation because account key authentication was not accepted.

RTDEV-28450

Fixed an issue whereby, the Storage Monitoring page did not show Storage Space Limit when the limit was reached.

RTDEV-28383

Fixed an issue whereby, when trying to create a Federated repository in an environment with no custom base URL, Artifactory returned an error.

JA-4111

Fixed an issue whereby, 'admin' was removed from the Edit Profile URL (the page is accessible also to non-admins).

JA-4477

Fixed an issue whereby, users could not edit a permission target even when they had 'Manage' permissions for the permission target.

JA-3709

Fixed an issue whereby, resources in the permission target view were not visible for non-Admin users with Manage permission.

Known Issues in this Version

  • When the  syncDeletes  and  enableEventReplication  properties in repository replication are enabled, disabling  syncDeletes  via REST API also disables  enableEventReplication. 

  • For customers with Federated repositories, the repositories become disabled after upgrading a JPD on which Artifactory 7.49.3 or 7.49.5 was previously installed. 

    For more information about both known issues, see Known Issues.