Release Notes

Overview

This page presents release notes for JFrog Artifactory describing the main fixes and enhancements made to each version as it is released. For a complete list of changes in each version, please refer to the JIRA Release Notes linked at the end of the details for each release.

If you need release notes for earlier versions of Artifactory, please refer to the Release Notes in the Artifactory 5.x User Guide.

Download

For an Artifactory Pro or Artifactory Enterprise installation, click to download the latest version of JFrog Artifactory Pro.

For an Artifactory OSS installation, click to download the latest version of JFrog Artifactory OSS.

Previous Versions

Previous versions of JFrog Artifactory Pro and JFrog Artifactory OSS are available for download on JFrog Bintray.

Click to download previous versions of JFrog Artifactory Pro.

Click to download previous versions of JFrog Artifactory OSS as a ZIP or RPM.

Upgrade Notice

Artifactory 5.5 implements a database schema change to natively support SHA-256 checksums. This change affects the upgrade procedure for an Enterprise Artifactory HA cluster (upgrading an Artifactory Pro or OSS installation is not affected).

For an Artifactory Enterprise HA cluster, if your current version is 5.4.6, you may proceed with the normal upgrade procedure described in Upgrading an Enterprise HA Cluster.

If your current version is below 5.4.6, there are two options to upgrade to the latest version (5.5 and above): a two-phase option with zero downtime or a single phase option that incurs downtime.

For details, please refer to the Upgrade Notice under the release notes for Artifactory 5.5.1.

Longer upgrade time

Due to the changes implemented in version 5.5, upgrading to this version or above from version 5.4.6 or below may take longer than usual and depends on the database you are using.

For an Artifactory Pro installation and for the Primary node of an Artifactory HA cluster, if you use MySQL database, the upgrade may take up to 5 minutes for each 1 million artifacts in your repositories for a typical setup. If you are using one of the other supported databases, the extra upgrade time will be less noticeable and should only take several seconds longer than usual.

Installation and Upgrade

For installation instructions please refer to Installing Artifactory.

To upgrade to this release from your current installation please refer to Upgrading Artifactory.

To receive automatic notifications whenever there is a new release of Artifactory, please watch us on Bintray.

Known Issues

For a list of known issues in the different versions of Artifactory, please refer to Known Issues.

Artifactory 5.11

Released: May 2, 2018

Highlights

Go Registries

Artifactory now provides native support for Go registries, giving you full control over deployment and resolution of Go source control packages. You can create secure and private local Go registries with fine-grained access control, remote repositories to proxy remote Go resources and cache downloaded Go packages to keep you independent of the network and remote resources. Virtual repositories let you set up a Go registry with a single URL through which to manage the resolution and deployment of all your Go packages.

Support for Go repositories is currently integrated with the vgo client which can be downloaded from the vgo GitHub Repository.

CSRF Protection

Artifactory can now prevent CSRF attacks by using a new custom header, X-Requested-With, for internal UI calls. This feature is disabled by default because it may require a change in your proxy server (if you are using one) to ensure it does not filter out this header. The feature can be enabled by modifying a system property and restarting Artifactory. For details, please refer to CSRF Protection under Configuring Security.

Allow Crowd Users to Access Their Profile Page

Artifactory users who are created by logging in via Crowd can now be given access to their profile page through a configuration in Artifactory. These users can now access a set of functions such as setting their SSH public key, configuring their JFrog Bintray credentials, and updating their password.

Issues Resolved

Fixed an issue with RPM repositories which sometimes caused download requests to fail in. The issue occurred when in some cases, uploading an RPM package would result in deletion of the newly generated metadata files (primary, other, filelists) instead of the old ones. This, in turn, would cause download requests for certain RPM packages to fail.
Fixed an issue with NPM repositories in which presence of a corrupt package or metadata file caused indexing to be aborted rather than just skipping the corrupt file and continuing.
Fixed an issue which caused a memory leak in some cases when working with HTTP SSO.
Fixed an issue that caused initialization of replication to fail on systems with many event-based push replications configured.
Fixed an issue in which it would take Artifactory a long time to generate the information displayed in the Admin module under Advanced | Storage Summary, or the response for the Get Storage Summary Info REST API endpoint.
Fixed an issue which would sometimes cause deployment of artifacts to fail when the Storage Quota Control feature was enabled.
Fixed an issue in which an Artifactory instance trying to resolve packages from a remote repository in another Artifactory instance, which itself was proxying a remote repository in another Artifactory instance, would sometimes fail.

For a complete list of changes please refer to our JIRA Release Notes.

For an Artifactory Pro or Artifactory Enterprise installation, click to download this latest version of JFrog Artifactory Pro.

For Artifactory OSS, click to download this latest version of JFrog Artifactory OSS.

Artifactory 5.11.5

Released: November 29, 2018

Issues Resolved

Fixed an issue in which under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. JFrog would like to thank the Adobe Security Team for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.11.6

Released: March 12, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, users could gain access to security APIs that are otherwise exposed only to administrators.
JFrog would like to thank CipherTechs for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.11.7

Released: July 22, 2019

Issue Resolved

Fixed an issue where in some circumstances, user can take actions that should otherwise be permitted only for an Admin user.

Artifactory 5.11.8

Released: December 2, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, a user with either Deploy or Annotate permissions could perform remote code executions.
Frog would like to thank Atredis Partners for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.10

Released: March 27, 2018

System Import

Previously, when performing a system import, all security entities (users, groups, permissions and access tokens) on the receiving instance would be removed in addition to configurations, repositories and artifacts. From this version, when doing a system import, existing security entities are maintained and imported security entities are merged with them. As before, other entities (configurations, repositories and artifacts) are removed.

Highlights

Package Native UI

To complement Artifactory's universal support for all major package types, version 5.10 offers a new Package Viewer that provides a native experience with the a look and feel that is customized for a specific package type. Once you select a package type, Package Viewer will only search for packages of the selected type using the search term entered. More significantly, the details provided in the search results are also specific to the package type. For example, when searching for Docker images, the Package Viewer will search for Docker tags, and you can drill down into each search result to see details of the layers comprising the tag. Currently, the Package Viewer supports Docker with additional formats to be added in forthcoming releases.

For more details, please refer to Viewing Packages.

MariaDB

In addition to the set of databases currently supported, from version 5.10, Artifactory also supports MariaDB.

Xray Integration

Artifactory 5.10, jointly released with JFrog Xray 1.12, presents significant changes in how these two complementary applications are integrated to improve usability and stability including:

a new mechanism for reporting scan status
configuring download blocking through Xray

Upgrade Xray first

For this joint release of JFrog Artifactory 5.10 and JFrog Xray 1.12, we strongly recommend first upgrading your Xray installation to version 1.12 and only then upgrading Artifactory.

Scan Status - Breaking Change

Previously, Artifactory displayed the scan status (e.g., last scan time, highest severity of any vulnerabilities found etc.) of an artifact as a set of properties that Xray attached to each artifact it scanned. Upon upgrading to version 5.10, these properties will be removed, and instead, Artifactory will display an artifact's scan status by querying Xray and displaying the results on-demand when the artifact is selected in the Tree Browser. To support this behavior, the artifact's scan status is now displayed in a separate Xray information tab.

This is a breaking change which restricts compatibility of Artifactory and Xray versions as described in the following table:

Xray Version

1.12+

<1.12

Artifactory
Version

5.10+

Since both Artifactory and Xray are upgraded, the new integration is fully functional as designed.

In this combination, the integration will not work since the new version of Artifactory will query Xray for scan status, however, the old version of Xray does not have the required REST API endpoints.

<5.10

This combination is supported. Artifactory will continue to display each artifact's scan status, however, it will use previous mechanism that uses properties.

If neither Artifactory nor Xray are upgraded, the integration will work using the previous mechanism that displayed scan status as a set of properties on the artifact.

Download Blocking

From this version, configuration of Download Blocking is moved from Artifactory to Xray. For details, please refer to Download Blocking in the JFrog Xray User Guide. In addition, when trying to download a complete folder, if any of the artifacts in the folder are blocked for download, then downloading the folder will fail.

Feature Enhancements

NuGet Performance Improvements

Performance of indexing Nuget repositories has been improved.

Retrying Database Connections

From this version, if Artifactory fails to connect to the database, it will retry several times before dropping the connection.

Pagination for Docker

Artifactory now supports pagination when calling the List Docker Repositories and List Docker Tags REST API endpoints on virtual repositories.

Issues Resolved

Fixed an issue with the native browser in which Artifactory would encode space characters to a ‘+’ character resulting in incorrect URLs for paths that included spaces.
Fixed an issue in which for users with a realm that is LDAP, SAML, HTTP SSO and OAuth, their Last Logged In field would remain empty after logging in to Artifactory.
Fixed an issue in which LDAP users who were trying to authenticate against Artifactory with bad credentials would be removed from the LDAP groups they were associated with.
Fixed an issue with Bower repositories in which registering a package from GitHub using SSH would fail with an "Unable to determine coordinates from url" error. The following is an example that would cause this error:
```
bower register <package name> ssh://git@github.com/<repo>/<package>
```
Fixed an issue in which when uploading multiple files from the UI to a virtual repository, non-admin users would fail with a "Forbidden UI REST call from user <x>" error.
Fixed an issue in which the custom expires_in field of refreshable access tokens created by non-admin users would be erased, and upon refreshing a token, the expires_in field would be set with the default value of 3600 seconds.
Fixed an issue with Docker registries in which when promoting a Docker tag properties annotating the tag would not be promoted with it.
Fixed an issue with npm repositories in which resolving an npm package using npm install would fail if the package was present in both a local and remote-cache repository, but have a different checksum in each.
Fixed an issue in which the ‘Test Connection’ button in remote repositories would not work when the URL to which the connection was being tested was a private npm repository.
Fixed an issue in which user plugin event deletion would not be detected so the user plugin would not be deleted from the database and would be reloaded again.
Fixed an issue that prevented users from certain organizations authenticated via Crowd SSO from logging in to Artifactory.

For a complete list of changes please refer to our JIRA Release Notes.

For an Artifactory Pro or Artifactory Enterprise installation, click to download this latest version of JFrog Artifactory Pro.

For Artifactory OSS, click to download this latest version of JFrog Artifactory OSS.

Artifactory 5.10.1

Released: March 29, 2018

Issues Resolved

This is patch fixes these issues that were discovered in version 5.10:

Fixed an issue in which an Artifactory configured with MariaDB as the database did not start.
Fixed an issue whereby enabling the Auto Redirect Login Link To SAML Login setting in the SAML configuration, did not redirect to the SAML login URL, and the Login button in Artifactory became unresponsive.
Fixed an issue whereby Xray users failed to be authenticated using SAML authentication.
Fixed an issue whereby under certain circumstances, authentication between Artifactory and Xray failed, leading to failure between Artifactory and Xray. This caused certain operations to fail such as scanning an artifact or a build.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.10.2

Released: April 12, 2018

Issues Resolved

Fixed an issue in which after upgrading to Artifactory 5.10.x, in some cases, installing and searching for packages in NuGet repositories would fail.

For a complete list of changes, please refer to our JIRA Release Notes.

Page Contents

Artifactory 5.10.3

Release: April 18, 2018

Using PyPI Remote Repositories?

If you are using PyPI remote repositories, you need to upgrade to this patch to overcome a breaking change introduced to the public PyPI repository.

Issues Resolved

PyPI is undergoing changes and the PyPI administrators have announced that by April 30th, the current URL at which the index is available will be deprecated, and the PyPI public repository will only be available at http://pypi.org.

In addition, the internal structure of the PyPI index is changing.

These are breaking changes if you are using Artifactory remote PyPI repositories that proxy the PyPI index at its current URL of http://pypi.python.org.

This patch addresses these changes and allows you to continue working with remote PyPI repositories.

Important notes:

We strongly recommend upgrading to this patch only if you are using remote PyPI repositories that proxy the public PyPI index at http://pypi.python.org
As part of the change PyPI have introduced, the index is now located under http://pypi.org and the binaries (packages) are stored under a different URL: (https://files.pythonhosted.org).
In this patch, Artifactory aligns with the changes introduced on PyPI, both new index structure and the new URL, by adding the Registry URL field, which specifies the location where the repository index file resides, to the remote PyPI repository configuration.

To continue working with PyPI remote repositories, follow these instructions:

Upgrade to Artifactory 5.10.3 or above.
For all Artifactory PyPI remote repositories that are configured with the URL of https://pypi.python.org
- Change the URL field to https://files.pythonhosted.org
- Change the the Registry URL field to https://pypi.org

Note: upon upgrading to this version, the Registry URL of all of the remote PyPI repositories will be set to the same value as repository's URL.
If the index file and the binaries are stored in the same URL, you should not make any changes in these remote PyPI repositories.

In addition to this patch, to accommodate users running older versions of Artifactory, we have also released 5.8.9 and 5.9.5 with the same fix.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.10.4

Released: April 26, 2018

Issues Resolved

Fixed an issue in which user login would sometimes fail when there was more than one LDAP configuration set up (e.g. different OUs)
Fixed an issue in which downloading artifacts from a remote repository would fail when the repository was configured to work with a proxy, and the proxy server was configured in Artifactory with a username and password.
Fixed an issue that caused a degradation in PyPI API performance when a Derby database has node_props table containing many entries.
Fixed an issue in which LDAP users would be removed from the LDAP groups they were associated with when trying to authenticate against Artifactory with bad credentials or while experiencing connection issues.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.10.5

Released: November 29, 2018

Issues Resolved

Fixed an issue in which under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. JFrog would like to thank the Adobe Security Team for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.10.6

Released: 12 March, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, users could gain access to security APIs that are otherwise exposed only to administrators.
JFrog would like to thank CipherTechs for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.9

Released: February 18, 2018

Highlights

Audit trail Log

Artifactory will maintain an audit trail log that records all actions related to permissions, users, groups and access tokens. This enables auditing and tracking of all security related actions allowing you to enforce different security policies in your organization. Some examples of actions that will be recorded in the audit trail log are:

creating a new user
adding a user to a group
changing a user password
adding a user to a Permission Target

The audit trail log is enabled by default and can be disabled. For more details, please refer to Audit Trail Log.

Improved UI Performance

Artifactory has undergone significant changes in the UI implementation to improve performance in the Tree Browser.

Enhanced Password Encryption Security

Artifactory will now use 128-Bit AES for password encryption which is a more secure algorithm than the previously used PBEwithSHA1AndDESede. New installations will use the new encryption algorithms, however, if you are upgrading to this version, the encryption algorithm does not automatically change. Following an upgrade, to change the encryption algorithm from PBEwithSHA1AndDESede to the new A128-bit AES, simply deactivate key encryption using the Deactivate Artifactory Key Encryption REST API endpoint, and then re-enable it using the Activate Artifactory Key Encryption REST API.

Feature Enhancements

Respecting Cache-Control Headers

Artifactory will now return a “Cache-Control: no-store” header for all expirable metadata files.

This means that if you have a proxy cache (e.g. Nginx) between Artifactory and the client, the proxy will always go to Artifactory to fetch these metadata files and will not cache them.

Issues Resolved

Publishing to an npm repository with a tag.
When publishing a new version with a tag to an npm repository, the version would also automatically be assigned the "latest" tag. This meant that running npm install package would install the "tagged" version even though it was explicitly given a different tag and should, therefore, not have been identified as the "latest". For example, when using npm publish --tag=beta , the published version would incorrectly get the "latest" tag. This is now fixed and Artifactory will only assign a published version with the "latest" tag if no other tag is explicitly specified in npm publish command.
Fixed an issue in which when distributing a Docker image to JFrog Bintray through a distribution repository in Artifactory, the operation would succeed the first time, however would fail if you tried to redistribute the same image through the distribution repository.
Fixed an issue in which Helm charts whose representation did not comply with the SemVer 2 specification would not be served. For example, the Helm client would not be able to resolve a chart named myPackage-0.1, however, a chart named myPackage-0.1.0 would work.
Fixed an issue in which resolving an npm package from an npm remote repository in Artifactory that proxied an npm repository in JFrog Bintray, would fail.
Fixed an issue in which when pushing several Docker images with common layers in high concurrency, some of the push requests would fail.
Fixed an issue in which the Storage Summary for a cache-fs filestore would show the maximum available and used values incorrectly. Instead of displaying values for the cache, the values for the whole file system were displayed instead. This has now been fixed and the Storage Summary for a cache-fs filestore correctly displays the actual and maximum available cache size.
Fixed an issue with the use of filestore sharding in an HA cluster. When an HA cluster with two or more nodes used the sharding-cluster binary provider, if you deployed an artifact to one of the secondary nodes while the primary node was down, the artifact would not get copied over to the primary node, even if the redundancy was set to 2 or more.
Fixed an issue with metadata calculation for npm repositories. When triggering a metadata calculation using the REST API or through the UI, if the repository contained an npm package with faulty or corrupt metadata that Artifactory couldn't parse, the whole process of metadata calculation would stop without calculating metadata for packages that came after the faulty package.
Fixed an issue in which, for Maven repositories, when LDAP users would try to download the settings.xml from the Set Me Up page, the password field would not be populated and remain blank.
Fixed an issue in which when using the Distribute Artifact REST API endpoint with an unauthorized user, Artifactory returned a 500 error. Artifactory will now return error 403, as expected.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.9.1

Released: March 6, 2018

Issues Resolved

The search functionality for npm packages, through the npm client using the "npm search" command, has been fixed for both remote and virtual repositories. And now works for all repository types.

Important Notice

To enable the "npm search" to search according to a package name, description and keyword, it is required to recalculate the metadata for all relevant npm repositories (including local and remote cache).
This can be done from the Artifactory UI by right clicking on the repository and selecting ‘Recalculate Index’, or by executing the Calculate Npm Repository Metadata REST API.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.9.3

Released: March 21, 2018

Issues Resolved

Fixed an issue with Artifactory instances running versions 5.9.0 and above which displayed the following behavior: in some cases certain users would not be able to login to Artifactory, retrieving the list of users through the UI or the REST API would fail with an exception, and Backups and System Exports would fail. For details, please refer to the relevant JIRA item in the link below.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.9.5

Release: April 18, 2018

Using PyPI Remote Repositories?

If you are using PyPI remote repositories, you need to upgrade to this patch to overcome a breaking change introduced to the public PyPI repository.

Issues Resolved

PyPI is undergoing changes and the PyPI administrators have announced that by April 30th, the current URL at which the index is available will be deprecated, and the PyPI public repository will only be available at http://pypi.org.

In addition, the internal structure of the PyPI index is changing.

These are breaking changes if you are using Artifactory remote PyPI repositories that proxy the PyPI index at its current URL of http://pypi.python.org.

This patch addresses these changes and allows you to continue working with remote PyPI repositories.

Important notes:

We strongly recommend upgrading to this patch only if you are using remote PyPI repositories that proxy the public PyPI index at http://pypi.python.org
As part of the change PyPI have introduced, the index is now located under http://pypi.org and the binaries (packages) are stored under a different URL: (https://files.pythonhosted.org).
In this patch, Artifactory aligns with the changes introduced on PyPI, both new index structure and the new URL.

To continue working with PyPI remote repositories, follow these instructions:

Upgrade to Artifactory 5.9.5 or 5.10.3 and above.
For all Artifactory PyPI remote repositories that are configured with the URL of https://pypi.python.org
- Change the URL field to https://pypi.org

Note: upon upgrading to this version, the Registry URL of all of the remote PyPI repositories will be set to the same value as repository's URL.
If the index file and the binaries are stored in the same URL, you should not make any changes in these remote PyPI repositories.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.9.7

Released: April 30, 2018

Issues Resolved

Fixed an issue that caused a degradation in PyPI API performance when a Derby database has node_props table containing many entries.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.9.8

Released: November 29, 2018

Issues Resolved

Fixed an issue in which under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. JFrog would like to thank the Adobe Security Team for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.9.9

Released: 12 March, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, users could gain access to security APIs that are otherwise exposed only to administrators.
JFrog would like to thank CipherTechs for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.8

Released: January 1, 2018

Highlights

Helm Chart Repositories

Artifactory now natively supports Helm Chart repositories, giving you full control of your deployment process to Kubernetes. You can create secure and private local Helm chart repositories with fine-grained access control. Remote Helm chart repositories proxy remote Helm chart resources and cache downloaded Helm charts to keep you independent of the network and the remote resource, and virtual Helm chart repositories give you a single URL through which to manage the resolution and deployment of all your Helm charts.

YAML Configuration File

Applying configuration changes to Artifactory can now be done using an easy to use YAML configuration file. Run a single or multiple configuration changes as needed, to create, update and delete any elements in the your Artifactory instance. For example, creating new repositories, setting up replication, and modifying any specific configuration changes.

Multiple Secure Private Docker Registries Without a Reverse Proxy

Artifactory has supported multiple secure private Docker registries since the early days of Docker, however that support required the use of a reverse proxy. From version 5.8, the need for a reverse proxy is removed, and you can create and use multiple Docker registries out-of-the-box without the need for any reverse proxy configuration. All you need to do is select the Repository Path

Feature Enhancements

Automatically associate a HTTP SSO user to an LDAP Group

Artifactory will now accept users logging in through HTTP SSO to be associated with existing LDAP groups. HTTP SSO users will now inherit the permissions specified in the corresponding LDAP group in Artifactory. This is supported for both HTTP SSO users that are internally created in Artifactory and also for transient users.

Issues Resolved

Fixed an issue where overwriting an existing artifact would permanently delete it. These artifacts will now be sent to the trash can, available to be recovered if needed.
Fixed an issue in which enabling the External Dependency Rewrite configuration in npm virtual repositories, caused some npm packages, such as "equals", to not be resolved with an npm 500 error displayed in the logs. This occurred only for packages where dependencies were declared in the following format:
https://github.com/<repo>/<...>
Fixed an issue where adding a keypair in the Signing Keys UI admin component, caused the remote repo admin page in the UI to appear as empty without any fields.
Fixed an issue with an incorrect response for cached Chef cookbooks.
Fixed an issue where the metadata for some PyPI packages, such as nose 1.3.3 and above, would not be extracted correctly and incorrect information would be displayed in the UI for the package. This would happen only for packages that had multiple PKG-INFO file, causing Artifactory to identify the wrong PKG-INFO package metadata file.
Fixed an issue in which adding more than 1,000 users to a group using Oracle DB would fail with an ‘error updating groups’ or a ‘maximum number of expressions in a list is 1000’ SQLSyntaxErrorException.
Fixed an issue where some Debian packages were not added to the Debian repository index.
Fixed an issue where running an npm search against an npm repository failed to return packages that contained the maintainers field in the package.json in the following structure:
“maintainers” : { "name": "john", "email": "john@company.com" }
Fixes to remediate CVE-2017-7525 and CVE-2017-15095 vulnerabilities.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.8.1

Released: January 4, 2018

Issues Resolved

Fixed an issue in which an upgrade from versions below 5.7, to versions 5.7 and above with the Artifactory Key Encryption activated, failed with the following error:
Couldn't convert configs encryption: javax.crypto.BadPaddingException: Given final block not properly padded : Couldn't convert configs encryption
Fixed an issue, for HA setups, in which an upgrade process with the following steps failed with the following error:
Encrypted password found and no Master Key file exists at /clusterhome/ha-etc/security/artifactory.key
Steps:
1. upgrade to version 5.x (below 5.7), from version 4.x with NFS and the Artifactory Key Encryption deactivated
2. upgrade to version 5.7 and above, with the Artifactory Key Encryption activated

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.8.2

Released: January 8, 2018

Issues Resolved

Fixed an issue with HA clusters in which in rare cases, when modifying files that are synced through the database (for example, adding/modifying user plugins, changing the Artifactory Encryption Key, or modifying Artifactory system properties), the changes would not be propagated to the secondary nodes in the cluster.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.8.3

Released: January 9, 2018

Issues Resolved

Fixed an issue in which pushing or pulling from an Artifactory Docker registry would fail when using Docker client version 1.12 or below and while the reverse proxy is configured to listen on ports 443/80.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.8.4

Released: February 7, 2018

Issues Resolved

Fixed an issue with Artifactory Docker registries in which in some cases, file descriptors created following a HEAD request for a Docker manifest, would not be closed at the end of the request, but only when garbage collection was run.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.8.9

Release: April 18, 2018

Using PyPI Remote Repositories?

If you are using PyPI remote repositories, you need to upgrade to this patch to overcome a breaking change introduced to the public PyPI repository.

Issues Resolved

PyPI is undergoing changes and the PyPI administrators have announced that by April 30th, the current URL at which the index is available will be deprecated, and the PyPI public repository will only be available at http://pypi.org.

In addition, the internal structure of the PyPI index is changing.

These are breaking changes if you are using Artifactory remote PyPI repositories that proxy the PyPI index at its current URL of http://pypi.python.org.

This patch addresses these changes and allows you to continue working with remote PyPI repositories.

Important notes:

We strongly recommend upgrading to this patch only if you are using remote PyPI repositories that proxy the public PyPI index at http://pypi.python.org
As part of the change PyPI have introduced, the index is now located under http://pypi.org and the binaries (packages) are stored under a different URL: (https://files.pythonhosted.org).
In this patch, Artifactory aligns with the changes introduced on PyPI, both new index structure and the new URL.

To continue working with PyPI remote repositories, follow these instructions:

Upgrade to Artifactory 5.8.9, 5.9.5 or 5.10.3 and above.
For all Artifactory PyPI remote repositories that are configured with the URL of https://pypi.python.org
- Change the URL field to https://pypi.org

Note: upon upgrading to this version, the Registry URL of all of the remote PyPI repositories will be set to the same value as repository's URL.
If the index file and the binaries are stored in the same URL, you should not make any changes in these remote PyPI repositories.

Additional Issues Resolved

Fixed an issue that caused initialization of event replication to fail on systems with many event-based push replications configured.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.8.10

Released: April 30, 2018

Issues Resolved

Fixed an issue that caused a degradation in PyPI API performance when a Derby database has node_props table containing many entries.

For a complete list of changes, please refer to our JIRA Release Notes.

Artifactory 5.8.12

Released: November 29, 2018

Issues Resolved

Fixed an issue in which under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. JFrog would like to thank the Adobe Security Team for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.8.14

Released: 12 March, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, users could gain access to security APIs that are otherwise exposed only to administrators.
JFrog would like to thank CipherTechs for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.7

Released: December 20, 2017

Using PostgreSQL?

Before upgrading to this version, you need to ensure that your PostgreSQL JDBC driver is version 9.4 build 1202 or higher.

To update your driver, simply place the new driver JAR file in $ARTIFACTORY_HOME/tomcat/lib.

Highlights

Improved HA Installation and Upgrade Process

The HA installation and setup process has been redesigned to create a simple and even more secure infrastructure for your Artifactory HA clusters. Through the use of a Master Key, Artifactory adds a new security layer that replaces the previously used Bootstrap bundle mechanism, which is now deprecated.

With this release, Artifactory will handle all configuration and encrypted security related files. To create new Artifactory nodes in a cluster, administrators will only need to supply a single Master Key and db.properties file, used by all nodes in the cluster.

Existing Artifactory installations will be upgraded to this new infrastructure automatically when updating from version 5.x and up.

Sort, Filter and Add Favorite Repositories in the UI Tree

View only the repositories you need by customizing the Artifact Repository Browser with your favorite repositories, and applying sort and filter options. Use as many different favorite, sort and filter combinations to narrow down the Artifact tree to display exactly what you need.

Feature Enhancements

Promote Build to Virtual Repository REST API

Promoting builds to a virtual repository is now supported, in addition to the previously supported local repositories, using the Build Promotion REST API. Upon build promotion to a virtual repository, the files will be promoted (copied/moved) to the Default Deployment Repository that is configured as part of the virtual repository.

Support for AWS SSE-KMS

Added support for AWS SSE-KMS (Key Management Service) for your S3 Object Storage. This allows you to set an AWS KMS encryption key on the S3 bucket that your Artifactory uses as an object store.

Support for LZMA and XZ Index Compression Formats in Debian Repositories

Artifactory now lets you create LZMA (.lzma) and XZ (.xz) compression Debian indices, in addition to the already supported Gzip (.gzip) and Bzip2 (.bz2) extensions. The Bzip2 index file can be disabled if it's not needed.

Improved AQL Performance

Significant performance improvement for AQL queries when searching artifacts according to build name and number.

Improved Concurrent Configuration Changes Performance

Performance improvement when concurrently applying configuration changes to the Config Descriptor file.

Issues Resolved

Fixed an issue in which users, associated with groups that are configured with admin privileges, could not perform admin-only actions through REST API when using an API key for authentication.
Fixed an issue in which deploying a large NuGet package (larger than 2GB) would fail with an OutOfMemory exception.
Fixed an issue in which TCP connections were not being closed when push replication was configured with an incorrect target URL or bad credentials, causing unresponsiveness. The TCP connections were not being closed on the source Artifactory (the instance where artifacts were replicated from).
Fixed an issue where when clients (such as Yum clients) tried to fetch sqlite.bz2 files from Yum virtual repositories, it took longer than expected since it triggered a synchronous calculation, even though Artifactory does not aggregate sqlite files. Artifactory responses to YUM clients in returning sqlite.bz2 files will now be faster.
Fixed an issue where the email address of users imported into Artifactory from a Crowd server was not updated in Artifactory when it was updated on the Crowd server.
Fixed an issue in which resolving artifacts from a remote repository with a URL that contained spaces in it did not work.
Fixed an issue when aborted upload processes, to an Artifactory with a filestore configuration on the cloud (S3/GCP/Azure), would leave a partial file in the Eventual folder that would not get cleaned up.
Fixed an issue in which an API key created by exernally authenticated users (eg. OAuth) would not get inserted correctly into code snippets generated by the Set Me Up page.
Fixed an issue with the indexing rpm metadata files which caused clients (such as Yum clients) to fetch the src.rpm file instead of the rpm package file. This would happen when the RPM repository contained both source and corresponding package.
Fixed an issue where "NA" was recorded in the access log instead of the user id for denied login attempts. The user id will now be displayed.
For example: [DENIED LOGIN] for john/0:0:0:0:0:0:0:1
Fixed an issue in which include and exclude patterns would be ignored on local NuGet repositories.
Fixed an issue in which deploying files that contained a colon in the artifact name, ‘:’ or %3a (encoded or decoded), would fail with an 409 error.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.7.1

Released: December 22, 2017

Issues Resolved

Fixed an issue in which, when upgrading to version 5.7.0, if you have more than 2 Docker repositories that are configured using the ports method, an exception is generated during the upgrade process. Artifactory does start up, but you are unable to save the configuration descriptor unless you remove the configuration.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.7.2

Released: December 24, 2017

Issues Resolved

Fixed an issue that prevented upgrading to version 5.7.x with an MS SQL database (version 2014 and below) when you have an artifact with a property and value whose combined length is greater than 900 characters.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.7.3

Released: November 29, 2018

Issues Resolved

Fixed an issue in which under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. JFrog would like to thank the Adobe Security Team for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.7.4

Released: 12 March, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, users could gain access to security APIs that are otherwise exposed only to administrators.
JFrog would like to thank CipherTechs for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.6

Released: November 15, 2017

Upgrade Notice

Before Upgrading to Artifactory 5.6.0

The Artifactory Security Replication User Plugin (securityReplication.groovy) has not yet been updated to support 5.6.0. We’re working on a new version that will be available soon.

If you are using this plugin and need to upgrade to Artifactory 5.6.0, please contact support@jfrog.com.
For Artifactory HA installations, single-phase upgrades (with downtime) from version 4.x to version 5.6 without going through version 5.4.6 fails. Please refer to the Upgrade Notice in the Artifactory 5.5 Release Notes.
There is a known issue in which running apt-get update on Ubuntu Trusty (14.04) against Debian repositories fails with the following error: Sub-process https received a segmentation fault

A fix for this issue is available in version 5.6.1 and we therefore recommend upgrading to 5.6.1.

Highlights

Improved Debian Performance

Significant improvement in performance when indexing Debian repositories.

Feature Enhancements

Tomcat Version Upgrade

The Tomcat bundled with Artifactory has been upgraded to version 8.5.23.

Get Distribution Repository Details

The Get Repositories REST API now also includes distribution repositories. To get the distribution repositories details only, you can add type=distribution as a query param.

UI Performance Improvement

Performance of displaying the environment and system variables data in the Builds module in the UI has been significantly improved.

Downloading a Folder for Anonymous Users

Admin users can now also enable folder download configuration for anonymous users, in addition to internal users.

Limit REST API Search Results

Added the ability to limit the number of API search results for internal users, previously available only for anonymous users. To add a limit, edit the artifactory.system.properties file with artifactory.search.limitAnonymousUsersOnly=false (default is true), and a limit artifactory.search.userQueryLimit (default is 1000).

Applicable to the following REST API calls

Artifact Search, Archive Entries Search, GAVC Search, Property Search, Checksum Search (limited by UI max results), Artifacts Not Downloaded Since, Artifacts With Date in Date Range, Artifacts Created in Date Range.

Filter Expirable Access Tokens

Added an option to filter the expirable tokens in the Access Tokens page in the Artifactory UI.

Issues Resolved

Fixed an issue allowing unsupported special characters to be used in the key field when adding properties via REST API, as already enforced in the UI.
The following characters are forbidden: )(}{][*+^$\/~`!@#%&<>;=,±§ and the Space character.
Fixed an issue where a file with the same filename and filepath of a file that was previously deleted, could not be deleted a second time. For this scenario, the latest file deleted will now be under the file path in the trash.
Fixed an issue where NuGet package names containing a hyphen character "-" would be automatically considered as pre-release packages which allowed users without Delete/Overwrite permissions to overwrite them.
For example: Sample-Package.1.0.0.nupkg
Artifactory is now aligned with the NuGet spec, and these packages will only be considered as pre-release if the hyphen character follows the version number.
For example: Sample-Package.1.0.0-RC.nupkg
Fixed an issue where installing an npm package, with the following date format (2010-11-09T23:36:08Z) in its metadata file, would fail with an IllegalArgumentException.
Fixed an issue in which installing an npm package from a virtual repository would fail if the package did not have the time closure in the package.json.
Fixed an issue in which users imported from Crowd and associated to a group with admin privilages would be created in Artifactory with the “Can Update Profile” option disabled. This option will now be enabled for this usecase.
Fixed an issue in which users associated to a group imported from SAML and associated with admin privileges were not granted the appropriate admin privilages.
Fixed an issue where uploading a Conan package that contains declared environment variables with the "=" character, the package would be deployed without its metadata.
For Example: conan install lib/1.0@user/stable -e MYFLAG="one==tricky==value" --build

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.6.1

Released: November 22, 2017

Issues Resolved

Fixed an issue in which a single-phase upgrade of an HA cluster with downtime (by adding the artifactory.upgrade.allowAnyUpgrade.forVersion system property) from a version below 5.0 directly to version 5.6.0 would fail. Note that the recommended two-phase upgrade with zero downtime was not affected.
Fixed an issue in which when logging into Artifactory, if the group name sent in a SAML assertion as a SAML attribute was in mixed-case (i.e., at least one character is not lower-case), and the corresponding group in Artifactory was all in lower case, then the SAML user would not inherit the permissions associated with that group. This affected both internal groups and imported LDAP groups.
Fixed an issue in which running apt-get update on Ubuntu Trusty (14.04) against Debian repositories would fail with the following error:
Sub-process https received a segmentation fault

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.6.2

Released: November 27, 2017

Issues Resolved

Fixed a critical issue in which a user would sometimes lose permissions due to a collision between an update action and a "GET" operation that occurred concurrently.
Fixed an issue that prevented connection to Artifactory through SSH. This also resulted in JFrog CLI not being able to work with Artifactory.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.6.3

Released: December 18, 2017

Issues Resolved

Fixed an issue in which deployment of an artifact which already existed in Artifactory would result in its SHA-256 value being null. This would cause the indexing of repository types like Debian and Git LFS to be incorrect since they rely on artifacts' SHA-256 value.
Fixed a performance issue in which users being authenticated via external means (e.g. LDAP) would sometimes experience unusually long authentication time due to a large number of database queries causing an increased load on the database.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.6.8

Released: November 29, 2018

Issues Resolved

Fixed an issue in which under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. JFrog would like to thank the Adobe Security Team for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.6.9

Released: 12 March, 2019

Issue Resolved

Fixed an issue whereby under certain circumstances, users could gain access to security APIs that are otherwise exposed only to administrators.
JFrog would like to thank CipherTechs for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 5.5

Released: September 25, 2017

Due to a critical issue discovered in this version, you should not install it. Instead, you should upgrade to version 5.5.1 or later.

Upgrade Notice

For an Artifactory HA installation, there are two options to upgrade to version 5.5 from a version below 5.4.6

This note only refers to upgrading Artifactory Enterprise HA installations.

Artifactory 5.5 implements a database schema change to natively support SHA-256 checksums. If your current version is 5.4.6, you may proceed with the normal upgrade procedure described in Upgrading an Enterprise HA Cluster.

If your current version is below 5.4.6, to accommodate this change, you may select one of the following two upgrade options:

Two-phase, zero downtime
In this option, you first need to upgrade your HA cluster to version 5.4.6. Once this upgrade is completed, you can then proceed to upgrade your HA cluster to version 5.5. In both phases, you follow the normal upgrade procedure described in Upgrading an Enterprise HA Cluster.
One phase with downtime
This option requires you to add a system property to your primary node during the upgrade procedure. For details, please refer to Upgrading an Enterprise HA Cluster.
If you try upgrading directly to version 5.5 without adding this system property, the upgrade will fail and the following message will be logged in the artifactory.log file:
To upgrade your HA installation to this version, you first need to upgrade to version 5.4.6 which implements changes required to accommodate a database schema change.

Highlights

Event-based Pull Replication

JFrog Artifactory now supports event based pull replication, in addition to the already supported event based push replication. This configuration allows your remote Artifactory instances get updated in near-real-time by a pull replication that's triggered by any changes made to your local repositories, such as new or deleted artifacts. This is great for automation purposes where you want to make your artifacts available in all of your instances as soon as they are deployed.

As a best practice, setting a Cron expression for regularly scheduled replication is still required in addition to event-based replication. This will ensure that all of the artifacts in your repository are synced and up to date, which is important in case of an event sync failure (for example, due to maintenance operations).

Native Support for SHA-256 Checksums

Artifactory now supports SHA-256 checksums. This improved algorithm to calculate checksums enables a more secure environment for your binaries letting you use SHA-256 checksums to validate the integrity of downloaded artifacts. You can also use the SHA-256 value for a variety of features as described in SHA-256 Support. Whenever a new artifact is deployed, in addition to automatically calculating its MD5 and SHA1 checksums, Artifactory will now also calculate and store its SHA-256 checksum. The SHA-256 value can be used when searching for artifacts, or displayed as output for AQL queries in the same way SHA1 and MD5 checksums are used from both the UI and the REST API.

From version 5.5, Artifactory will automatically calculate the SHA-256 checksums for new artifacts deployed to your instance. . Depending on the number of artifacts in your system, this process may take some time. To help you monitor the process, progress and status messages will be printed to a dedicated log file, sha256_migration.log, with some additional general messages to the artifactory.log file.

To maintain backward compatibility with existing scripts, the Set Item SHA256 Checksum REST API endpoint is still supported.

Feature Enhancements

Improve Performance on RPM Repositories

The performance of metadata calculation on RPM repositories has been significantly enhanced by performing different metadata calculations in parallel making resolving and deploying packages with RPM repositories much faster.

Improve Performance of NuGet Repositories

NuGet repository performance has been significantly improved when resolving dependencies or searching for artifacts. The improved performance is especially significant for repositories that host many artifacts.

Keep Multiple Versions of Metadata Files on RPM Repositories

Artifactory will now maintain previous metadata file versions on RPM repositories (primary, other, filelists) making them available for download while new ones are being generated.

This is very useful when RPM metadata is updated very frequently. If a client working with an Artifactory RPM repository downloads the repomd.xml file, and the rest of the metadata files (primary, other, filelists) expire in the meantime, the expired version of these files will still be available allowing the client to complete the required download.

Retrieve Plugin Source Code by Name

Artifactory now provides access to the Groovy source code of user plugins through the Retrieve Plugin Code REST API endpoint.

Allow LDAP Users to Access Profile Page

You can now configure Artifactory to allow new users who are created by logging in via LDAP to be able to access their profile page. This means that these users can now access a set of functions such as generating their API key, setting their SSH public key, configuring their JFrog Bintray credentials, and updating their password.

Support Additional MIME types in the UI

Artifactory now supports additional MIME types to allow viewing .log, .yml and .yaml files directly in the UI (as opposed to having to download them first). These file types are now added to the preconfigured mimetypes.xml file.

Enable Password Encryption by Default

For new Artifactory installations, Artifactory automatically generates a Master Encryption Key and then uses it to encrypt all passwords hosted on the instance. Decrypting passwords and encrypting them back is possible through the REST API.

To maintain consistent behavior for existing installations, upgrading to this new version will not automatically encrypt passwords.

Configurable Web Session Timeout

You can now configure Artifactory's UI session timeout using the artifactory.ui.session.timeout.minutes system property.

Checksum-Based Storage with S3 Object Store

Artifactory's checksum-based storage stores files in folders named after the first two characters of their checksum. When using S3 object storage, this feature has been enhanced allowing you to configure the number of characters that should be used to name the folder. For example, you can configure your S3 binary provider to store objects under folders named after the first 4 characters of their checksum.

Issues Resolved

Fixed an issue in which Artifactory would return an error when trying to resolve an npm package because it would fail to parse an npm dependency declaration that was presented in an unexpected format.
Fixed an issue in which the Set Me Up screen for virtual repositories that aggregated only remote repositories would be blank.
Fixed an issue that caused batch download from a virtual Git LFS repository, that aggregated more than one repository, to fail.
Fixed an issue in which the Build Artifacts Search REST API endpoint would not return Artifacts that had been promoted to it from a different repository correctly.
Fixed an issue in which resolving private Docker images from a Docker remote repository that points to Docker hub failed when passwords in Artifactory were encrypted.
Fixed an issue in which NuGet virtual repositories that aggregated several repositories would omit results when searching for a package.
Fixed an issue that would sometimes cause a NullPointerException to be thrown when there were many deployments on a Maven repository that had a watch configured on it. The NullPointerException would cause metadata calculation to stop and was due to the multiple deployments causing a race condition.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.5.1

Released: September 26, 2017

This version replaces version 5.5.0 in which a critical issues was discovered.

Upgrade Notice

For an Artifactory HA installation, there are two options to upgrade to version 5.5.1 and above from a version below 5.4.6

This note only refers to upgrading Artifactory Enterprise HA installations.

Artifactory versions 5.5.1 implements a database schema change to natively support SHA-256 checksums. If your current version is 5.4.6, you may proceed with the normal upgrade procedure described in Upgrading an Enterprise HA Cluster.

If your current version is below 5.4.6, to accommodate this change, you may select one of the following two upgrade options:

Two-phase, zero downtime
In this option, you first need to upgrade your HA cluster to version 5.4.6. Once this upgrade is completed, you can then proceed to upgrade your HA cluster to version 5.5.1 and above. In both phases, you follow the normal upgrade procedure described in Upgrading an Enterprise HA Cluster.
One phase with downtime
This option requires you to add a system property to your primary node during the upgrade procedure. For details, please refer to Upgrading an Enterprise HA Cluster.
If you try upgrading directly to version 5.5.1 or above without adding this system property, the upgrade will fail and the following message will be logged in the artifactory.log file:
To upgrade your HA installation to this version, you first need to upgrade to version 5.4.6 which implements changes required to accommodate a database schema change.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.5.2

Released: October 29, 2017

Highlights

Support for Acquire-By-Hash flag in Debian Repositories

Hash sum mismatch errors may sometimes cause apt-get update requests to Debian repositories to fail due to rotation of Debian metadata files. Artifactory now overcomes this issue by storing historical versions of the metadata files by their checksum and supporting the Acquire-By-Hash flag for Debian repositories. This allows Debian clients to download package metadata files by their checksum.

This is very useful when Debian metadata is updated very frequently. If a client working with an Artifactory Debian repository downloads the metadata files, and they expire in the meantime, the expired version of these files will still be available allowing the client to complete the required download.

Bypassing HEAD requests for remote repositories

Artifactory remote repositories normally send a HEAD request to a remote resource before downloading an artifact that should be cached. In some cases, the remote resource rejects the HEAD request even though downloading artifacts is allowed. Through the remote repository configuration, Artifactory now lets you specify that remote repositories should skip sending HEAD requests before downloading artifacts to cache.

Feature Enhancements

Automatically Rewriting External Dependencies in NPM Registries

Artifactory now supports rewriting external dependencies for various Git and GiHub URLs. For a full list of supported URLs, please refer to Automatically Rewriting External Dependencies

Issues Resolved

Bitbucket Server version 5.1.0 deprecated the Bitbucket Archive Plugin which remote repositories for package formats that use a Git provider in Artifactory relied on. These include Bower, VCS, CocoaPods and PHP Composer. As a result, when upgrading to Bitbucket 5.1.0, these remote repositories stopped working. This has now been fixed by adding an option to choose “Stash / Private Bitbucket (Prior to 5.1.0)” as the Git provider in the remote repository configuration for these package formats while the “Stash/Private Bitbucket” option covers Bitbucket Server version 5.1.0 and above.
Fixed an issue in which when executing the /api/search/latestVersion REST API endpoint, Artifactory would erroneously query remote repositories. This has now fixed, so Artifactory will only search in remote repositories (in addition to local and remote repository caches) when remote = 1 is added as query param.
Fixed an issue in which authenticating against Artifactory Docker registries while HTTP SSO is set would fail. This has now been fixed so you can work with Artifactory Docker registries while HTTP SSO is enabled.
Fixed an issue in which when a REST API call included a “Range” header, the ETag returned would incorrectly include the Range provided in the header as a suffix. In turn, different clients would interpret this as a file modification. Artifactory now returns the correct ETag.
Fixed an issue in which system import or replication of an artifact that includes a “:” (colon) character would fail. For example, before this fix, replicating a Docker image with a LABEL that included a colon would fail.
Fixed an issue in which running npm search against an npm registry would fail if one of the packages in the results would be in the following structure: “maintainers” : “<user name> <user email>”, because Artifactory was expecting the structure to be:
"maintainers": [ {"name": "<user name>", "email": "<user email" } ]
Fixed an issue in which a 500 error with be returned when running one of the following REST API endpoints on Docker registries while and using an API key for authentication:
```
/api/storage
/api/docker/{repo-key}/v2/{image name}/tags/list
/api/docker/{repo-key}/v2/_catalog		
```
Fixed an issue which caused checksum deploy to sometimes fail with a 500 error. A common manifestation of this issue was replications that would fail for certain artifacts. When this error occurred, a stack trace similar to the below could be seen in the log files.
```
java.lang.NullPointerException: null
at org.artifactory.repo.db.DbStoringRepoMixin.shouldProtectPathDeletion(DbStoringRepoMixin.java:814)
at org.artifactory.repo.db.DbStoringRepoMixin.shouldProtectPathDeletion(DbStoringRepoMixin.java:792)
```

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4

Released: June 20, 2017

Due to a known issue with this version, after upgrading an Artifactory HA cluster from version 5.x to 5.4.x, new nodes that you add to your Artifactory HA cluster will not start up. For a workaround, please refer to RTFACT-14530.

Highlights

Access Tokens as a Separate Service

The management of Access Tokens, which were introduced in Artifactory 5.0, has moved to a separate service named Access. which is installed as a separate web application. This change has no impact on how access tokens are used, however, the Artifactory installation file structure now also includes an added WAR file, access.war, under the $ARTIFACTORY_HOME/webapps folder. Artifactory communicates with the Access Service over HTTP and assumes it is running in the same Tomcat using the context path of "access".

Using access tokens through the new Access service is backwards compatible, so tokens created with earlier versions can be used for authentication with this latest version of Artifactory.

Breaking Change: Note that the change is not forwards compatible, so tokens created from version 5.4 and above cannot be used for authentication with versions previous to 5.4. This may impact a circle of trust in which some instances are running versions below 5.4 while others are running version 5.4 and above.

Running Artifactory as a service?

If you are running Artifactory as a service, once you complete the steps to upgrade to this version or later, and have replaced all files removed during the upgrade process, you need to run the InstallService script as described at the end of the upgrade instructions.

Support for Microsoft Azure Blob Storage

JFrog Artifactory now supports Azure Blob Storage as a new object storage provider to store artifacts. Azure Blob Storage offers massively scalable enterprise storage for Artifactory supporting unstructured data of any type with strong consistency, object mutability, geo-redundancy and more. This new option opens up the opportunity to co-locate Artifactory and its storage together with all the other services that you use on the Microsoft Azure platform.

Secure Connection to Remote Repositories via SSL/TLS Client Certificates

Artifactory now supports client certificates for remote repositories facilitating secure connections with remote resources that require them (e.g., Red Hat Network that requires a Red Hat client certificate for authentication). This means that Artifactory will now be able to send the client certificate when attempting to connect to the remote resource over HTTPS.

Feature Enhancements

RPM repositories have been enhanced to give you control over whether the RPM file lists metadata file should be indexed by Artifactory or not. Disabling indexing of the file lists metadata improves the performance of RPM repositories with many artifacts when different clients try to resolve packages from the repository. Note that for new RPM repositories, indexing the file lists metadata file is disabled by default, however, when upgrading from previous versions to 5.4.0 and above, indexing for RPM repositories that already existed will remain enabled to maintain consistent behavior with the previous version.
Artifactory now supports the npm login command as a way to authenticate the NPM client. Basic authentication is also still supported.
Previously, Artifactory was not able handle decoded slash characters in NPM scoped packages, so you had to modify your reverse proxy so that it wouldn't decode the slash. Artifactory now handles decoded slash characters correctly out-of-the-box, so there is no longer any need to modify your reverse proxy.
Artifactory can now be configured to add Debian packages' MD5 checksum to the Packages metadata file in order to comply with the requirement of some tools (e.g. Aptly) that the MD5 is available for validation of the package.
The Control Build Retention REST API endpoint now accepts a query param to make deleting old builds an asynchronous process. When set, the API response acknowledges the request and outputs errors, if any, to the log.
The default value of the lenientLimit parameter for a Sharding-Cluster Binary Provider has been modified to be 1. This will allow users to continue uploading to a cluster node even if it is the only active node without having to reconfigure this parameter. Note that for filestores configured with a custom chain, the lenientLimit parameter will remain 0 to maintain consistency with previous versions. Therefore, the lenientLimit parameter will only default to 1 when using built-in templates.
Using the Create Token REST API endpoint, access tokens can now be created to provide the same access privileges that are given to the group of which the logged in user is a member.

Issues Resolved

Fixed an issue in which performing a full system import on an Artifactory HA cluster would fail. The full system import on an Artifactory HA cluster has been changed and is fully described under System Import and Export for an HA Cluster.
Fixed an issue in which Python metadata calculation would fail if the metadata version in the METADATA or PKG-INFO files was set to 1.2.
Fixed an issue in which when Enable Dependency Rewrite was enabled for NPM repositories, Artifactory would only rewrite dependencies specified in the "dependencies" element of the package.json file and would skip the dependencies listed in the optionalDependencies and devDependencies elements.
Fixed an issue in which Artifactory would fail to install npm packages that contained square brackets ('[' or ']') in the "description" field of the package.json file.
Fixed an issue in which externally authenticated users (i.e. those not created in Artifactory) logging in through an external provider (e.g. LDAP) would not be able to complete artifact downloads that took a long time since the LDAP token used for authentication with Artifactory would expire. This was fixed by exposing the artifactory.artifactory.tokens.cache.idleTimeSecs system property that managed this timeout and increasing its default value from 5 minutes to 10 minutes.
Fixed an issue in which existing repositories enabled for indexing by JFrog Xray did not trigger indexing automatically and required you to manually trigger indexing through the JFrog Xray UI or using the REST API.
Fixed an issue in which using mvn site-deploy with the maven-site-plugin to upload a site to Artifactory would fail when the site's URL contained a dot ('.') in its path (e.g. libs-snapshot-local/./file.jar)
Fixed an issue in which NuGet virtual repositories that aggregated more than one local or remote repository would omit results or return duplicate results when searching for a package.
Fixed an issue in which Artifactory 5.x would not display certain builds in the UI because it failed to parse dates presented in ISO 8601format (e.g. 2016-09-08T21:02:17.781+03:00)
Fixed an issue in which upload to a repository would fail, if an event-based replication defined for the repository failed for any reason. Following the fix, uploading a file to the repository succeeds even if replication fails.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4.1

Released: June 22, 2017

Issues Resolved

Fixed an issue in which the schema version of a Docker image manifest would change from 2 to 1 when the image was distributed from Artifactory to JFrog Bintray.
Fixed an issue that caused batch downloads from a virtual Git LFS repository that aggregated both local and remote repositories to fail.
This happened when Artifactory would find one of the files in an aggregated local repository (and therefore should have stopped searching for it), but would still go on to search for it in the aggregated remote repositories. If the file did not exist in any of the remote repositories, Artifactory would not serve the file.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4.2

Released: June 30, 2017

Issues Resolved

Fixed an issue in which Artifactory failed to start up when Tomcat was configured to only serve HTTPS content, or was configured to serve both HTTP and HTTPS, but on different ports.
Fixed an issue in which when an Artifactory HA installation's filestore configuration used the eventual-cluster binary provider (for example, when using one of the cloud storage providers), in rare cases, when uploading files involving a large number of transactions, Artifactory would indicate that files were successfully uploaded to storage, when in fact, the uploads failed.
Fixed an issue in which Artifactory was unable to connect to the Access Service (and as a result failed to start) when Tomcat was configured with a self signed chain certificate.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4.3

Released: July 3, 2017

Due to a known issue with this version, after upgrading an Artifactory HA cluster from version 5.x to 5.4.x, new nodes that you add to your Artifactory HA cluster will not start up. For a workaround, please refer to RTFACT-14530.

Issues Resolved

Fixed an issue in which uploading or downloading files to Artifactory using access tokens may have failed with error 500. This happened when running Artifactory 5.4.2 and using access tokens with a subject that was longer than 64 characters.
Fixed an issue in which upgrading an RPM or Debian installation of Artifactory that use the systemd init system would have fail with a “The currently installed Artifactory version does not have the same layout as this DEB!” error.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4.4

Released: July 6, 2017

Issues Resolved

Fixed an issue in which after upgrading an Artifactory HA cluster from version 5.x to 5.4.x, new nodes that were added to the Artifactory HA cluster would not start up.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4.5

Released: July 18, 2017

Highlights

Puppet Repositories Support librarian-puppet and r10k

Artifactory's support for Puppet repositories has been significantly upgraded by introducing support for librarian-puppet and r10k allowing extended configuration management with these popular Puppet clients. In addition, Artifactory also exposes new REST API endpoints to retrieve Puppet modules and releases to facilitate automated configuration management using Puppet.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.4.6

Released: August 7, 2017

Feature Enhancements

Support Pagination for Docker v2 APIs

Artifactory now supports pagination when listing Docker image tags and retrieving a registry's catalog using the REST API.
This can be useful for automation purposes and Docker clients that use pagination parameters.

Issues Resolved

Fixed an issue in which when resolving a package from an npm repository, Artifactory would throw a deserialize error to the log file if one of the package's dependencies in the corresponding package.json file was declared using the following format:“<dependency_name>” : { “version” : “<version_number>” }.
For example: the "deep-diff" package uses this format. As a result, the npm client would fail to resolve the package.
Fixed an issue that prevented using Git LFS client v1.x with Git LFS repositories in Artifactory when using SSH.
Fixed an issue in which NuGet virtual repositories that aggregated several repositories would omit search results when searching for a package.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.3

Released: May 11, 2017

Due to a critical issue, if you are upgrading from a version below 4.4.1 directly to version 5.3, Artifactory will fail to start up. A patch has been released, and if your current version is below 4.4.1 you should upgrade to Artifactory 5.3.1.

Highlights

Grant Admin Privileges to a Group of Users

Artifactory now supports granting Admin privileges to a group of users which greatly improves the user experience since previously you could only provide Admin privileges to users individually.

This allows you to import a group from your LDAP or Crowd server and grant Admin privileges to the whole group in a single action.

Automatically Associate a SAML SSO User to an Artifactory Group

Artifactory will now accept a custom SAML attribute that can be mapped to existing groups (including imported LDAP groups). If a SAML user has the custom SAML attribute he will now inherit the permission specified in the corresponding group in Artifactory for the current login session.

Feature Enhancements

Performance of displaying data in the Builds module in Artifactory UI has been significantly improved. This creates a much better user experience, especially for Artifactory instances with many builds or when viewing a project with many builds.
When importing users via SAML SSO, the users' email addresses are now also fetched and populate the corresponding field in their Artifactory user profile.
The installation script that installs Artifactory as a service has been enhanced to use systemd on Linux distributions that support it. The script will automatically detect if systemd is supported, and if not, will use init.d as currently implemented.
In the Tree Browser, when selecting the Effective Permissions tab for the selected repository, you may now view the permission targets associated with that repository.
Previously, virtual repositories would only provide a General tab with basic information about selected artifacts. Now, virtual repositories provide additional tabs that show all data about artifacts selected similar to the data that is provided when selecting the artifacts directly from the aggregated local or remote repositories.

Issues Resolved

Fixed an issue that prevented using Git LFS client v2.x with Git LFS repositories in Artifactory when using SSH.
Fixed a resource leak that was introduced when "Enable Dependency Rewrite" was enabled in virtual NPM repositories. This issue may have caused depletion of different resources such as open file handles, database connections and storage streams.
Fixed an issue that prevented pushing or pulling Docker images that had foreign layers when the image also had a "history" field in its config.json file.
Fixed an issue that caused a login failure when the "List Contents" permission in Active Directory was enabled for an Admin, but not for the user that was attempting to log in.
Fixed an issue related to Maven repositories in which the wrong artifact may have been retrieved for a download request since Artifactory did not consider the full path beyond the GAV coordinates.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.3.1

Released: May 24, 2017

Highlights

This is a patch that fixes a critical issue that was discovered in version 5.3.0 in which after upgrading from a version below Artifactory 4.4.1 directly to Artifactory 5.3.0, Artifactory failed to start up.

Note that this issue did not affect upgrades from Artifactory 4.4.1 and above.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.3.2

Released: June 7, 2017

Issues Resolved

Fixed an issue in which, when upgrading an Artifactory HA cluster with 2 or more nodes, from version 5.x to version 5.3.x, Artifactory would throw a HazelcastSerializationException when displaying the UI. In the process of upgrading the cluster, you will still encounter this issue from nodes that have not yet been upgraded.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.2

Released: March 28, 2017

Main Updates

Improved the performance of property search when using PostgreSQL.
This will significantly improve Docker operations on Artifactory Docker registries as the property search mechanism is used upon searching for Docker layers.
Improved the performance of Docker layers search mechanism on Artifactory Docker registries. This will be mostly significant when working with Docker layers that are being used by thousands of Docker images.
The Tomcat bundled with Artifactory has been upgraded to version 8.0.41.
Artifactory now regards the content.xml.xz and the artifacts.xml.xz files on a remote P2 repository as expirable resources, so whenever there is a metadata change in one of these files, Artifactory will use the updated file instead of the expired one.
When working with Conan repositories, Artifactory now supports variables with multiple values in the conanfile.txt file. This enables Artifactory to fully extract [env] variables with multiple values and assign all those values to the corresponding property annotating the package in Artifactory.
Fixed an issue in which deploying multiple files to a virtual repository through the UI would fail.
Fixed a bug related to remote Docker registries in Artifactory that left connections and input streams open following docker pull operations.
Fixed an issue related to Debian repositories. Artifactory now adds an empty line at the end of the Packages file to fully support Debian tools such as debootstrap.
Fixed an issue related to Debian repositories in which the Components section in the generated Release file was named "Component" when there was indeed only one component. This has been fixed by naming the section "Components", regardless of the number of components. Following the fix, Artifactory now fully support tools such as debootstrap.
Fixed an issue occurring in Artifactory HA clusters. When a node was stopped for any reason, its state as reported by the UI remained as Running. This has now been fixed so the state for a stopped node is displayed as Unavailable.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.2.1

Released: April 13, 2017

Highlights

Access Tokens

Authentication using access tokens has undergone two significant enhancements.

Any valid user in Artifactory can now create access tokens for personal use whereas previously only an Artifactory admin could create access tokens. This removes the burden of creating and managing access tokens for all users from the admin's shoulder, and gives non-admin users more freedom to operate within their ecosystem.
An Artifactory administrator can now create access tokens with admin privileges whereas previously, access privileges were specified by inclusion in different groups. This enhances the integration of external applications which may need admin privileges to work seamlessly with Artifactory.

Feature Enhancements

When upgrading an Artifactory HA installation from version 4.x to version 5.x, managing the bootstrap bundle has been improved to become an automatic and seamless process. Artifactory will now create the bootstrap bundle on the primary node automatically, and extract it to the secondary nodes, so there is no longer any need to create and copy the bootstrap bundle manually.
Control Build Retention : A new REST endpoint that lets you specify parameters for build retention has been added. Previously build retention could only be specified when uploading new build info. This enhancement provides an easy way to configure cleanup procedures for different jobs, and reduces the risk of timing out when deploying heavy build info.
By default, the "latest" version of an NPM package is the one with the highest SemVer version number. NPM repositories have now been enhanced so you can override the default behavior by setting a system property to assign a "latest" tag to the package that was most recently uploaded.
The Artifactory Docker image now comes with the PostgreSQL driver built in, so there is no need to mount it separately or build it into a separate Docker image.

Issues Resolved

Artifactory is now aligned with the Docker spec and returns an authentication challenge for each Docker endpoint (even when anonymous access is enabled). This means that when using internal Artifactory Docker endpoints, you must first retrieve an authentication token which must then be used for all subsequent calls by your Docker client.
Fixed an issue in which NuGet virtual repositories that aggregated more than one local or remote repository may have omitted results when searching for a package.
When an Artifactory user with no "Delete" permissions was trying to deploy a build while specifying build retention, Artifactory would try and delete old builds and return a 500 error. This has now been fixed, and Artifactory will, instead, return a 403 error.
Fixed an issue in which Artifactory failed to pull a Docker image according to the digest of the manifest file from a remote Docker registry.
Fixed an issue in which aborting a download of a folder as an archive could leave open connections that were not closed which in turn would prevent further download of folders.
This has now been fixed so download slots are freed and the connection is closed properly.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.1

Released: February 21, 2017

Configuration Management with Chef

Artifactory meets the heart of DevOps adding full support for configuration management with Chef. Share and distribute proprietary Cookbooks in local Chef Cookbook repositories, and proxy remote Chef supermarkets and cache remote cookbooks locally with remote repositories. Virtual Cookbook repositories let you access multiple Cookbook repositories through a single URL overcoming the limitation of the Knife client that can only access one repository at a time.

Configuration Management with Puppet

Artifactory now also fully supports configuration management with Puppet. Use local Puppet repositories to share and distribute proprietary Puppet modules, and use remote Puppet repositories to proxy and cache Puppet Forge and other remote Puppet resources. Use a virtual Puppet repository so the Puppet client can access multiple repositories from a single URL.

Main Updates

Support configuration management with Chef through Chef Cookbook repositories. Artifactory fully supports the Knife client for authenticated access, and also supports Berkshelf for anonymous access. Authenticated access for Berkshelf will be added in a forthcoming release.
Support configuration management with Puppet through Puppet repositories. Full support for Puppet command line along with local, remote and virtual repositories for hosting and provisioning Puppet modules.
For Artifactory administrators, a list of common actions is available from the top ribbon in the Artifactory UI for quick and easy access. This makes it easy to do things like creating repositories, adding users, adding groups and more.
Artifactory can now be run as a standalone instance in a Kubernetes cluster. For details, please refer to JFrog's examples using Docker on GitHub.
Artifactory now supports disabling UI access (i.e. the user may only access Artifactory through the REST API) through the addition of the disableUIAccess element in the Security Configuration JSON.
The default order of repository types in the tree browser has been changed to show virtual and distribution repositories first, as these are accessed more frequently, and then local and remote repositories.
Modified NGINX reverse proxy configuration generated by Artifactory to enable using NPM scoped packages.
A performance issue with the login and logout procedure has been fixed, so the time to login or logout is now significantly reduced.
A bug in which duplicate files simultaneously uploaded to a sharded filestore occasionally caused deletion of the files, was fixed.
A bug in permissions management that disabled the Admin module after removing the default "Anything" and "Anonymous" permissions, was fixed.
Fixed an issue when upgrading Artifactory 4.x to 5.x in which the IAM role settings for S3 object storage in the binarystore.xml were not correctly migrated to the upgrade has been fixed.

For a complete list of changes please refer to our JIRA Release Notes

Artifactory 5.1.2

Released: March 8, 2017

Note: Due to a critical issue found when uploading files larger than 100MB to S3 compatible storage, this version has been removed from JFrog Bintray.

Main Updates

Fixed a performance issue related to the "Most Downloaded Artifacts" widget on the Artifactory Home Page which, when refreshed, could cause the Artifactory database to stall on instances with a large number of artifacts.
Added support for Conan client v0.20.0 which includes a new section in the conanfile to allow adding environment variables and custom properties. These are indexed in Artifactory as properties and can be used in searches.
Improved performance of queries for artifacts which include an underscore character ("_") in their name. This is especially important for resolution of Docker images since all Docker layers include an underscore in the layer name.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.1.3

Released: March 9, 2017

Main Updates

Fixed issue related to uploading files larger than 100MB to S3 bucket.
Fixed issue causing display wrong information in “Most Downloaded Artifacts” when working with OraleDB.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.1.4

Released: March 19, 2017

Main Updates

Fixed an issue preventing Artifactory from starting up following an upgrade to version 5.x on Windows when Artifactory is configured with a Keystore.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.0

Released: January 31, 2017

Improvements in Artifactory HA

Cloud Native Storage: Artifactory HA infrastructure has undergone significant changes and now fully supports cloud native storage. We have completely removed the requirement for using a Network File System (NFS). This release introduces a new type of binary provider that manages distribution of files and configuration across the cluster nodes. This new functionality supports scaling out your storage by relying on object storage solutions or using the nodes' filesystem without the limitations of a traditional NFS, while enjoying other benefits such as distributed storage and redundancy.
Removal of Sticky Sessions: Artifactory no longer requires that the load balancer used in the Artifactory HA network configuration support session affinity (sticky sessions). You may need to change or remove NGINX configurations that related to sticky sessions.
Cluster License Management: Managing licenses for an Artifactory HA cluster is much simpler in Artifactory 5.x. Instead of registering a license per node, just upload all your cluster license keys to any cluster node, and Artifactory will transparently allocate them as new nodes are added to and removed from the cluster. This allows automatic provisioning of cluster nodes without the need to deal with manually assigning a license for each node.

Compatibility with JFrog Mission Control

If you are managing your Artifactory licenses through JFrog Mission Control, Cluster License Management will also be supported in Mission Control, starting from version 1.8, scheduled for release with the next release of Artifactory which is scheduled for February 2017.

To perform a clean installation of Artifactory HA, please refer to HA Installation and Setup.

To upgrade your current installation of Artifactory HA, please refer to Upgrading Artifactory HA.

Running Artifactory as a Docker Container

Installing and running the Artifactory Docker image has been greatly simplified. Essentially it is now a matter of running docker pull and then docker run, while passing in mounted volumes to maintain persistence.

Access Tokens

Artifactory 5.0 introduces access tokens as a new and flexible means of authentication allowing cross-instance authentication, authenticating both users and non-users, providing time-based access control and group-level access control.

Enriched and Simplified Onboarding Experience

When starting up for the first time, Artifactory presents two new ways to get you through basic setup and configuration so you can get started immediately. The first is the Onboarding Wizard that creates default repositories for package types you select, sets up a reverse proxy, sets the Admin password and more. The second is a YAML Configuration File in which you can configure the same parameters that the wizard is used for. For example, once you have configured your first instance of Artifactory through the Onboarding Wizard, you can generate the YAML Configuration File from it and use that to spin up additional instances with the same initial configuration.

New Home Screen

The Artifactory Home Screen has been completely redesigned in version 5.0. The new Home Screen provides quick and easy access to some of the most common actions taken by users including searching for artifacts using any of the search methods available, creating new repositories, displaying the "Set Me Up" dialog for any repository, showing information on the latest builds and downloaded artifacts and more.

Breaking Changes

Artifactory HA Infrastructure has Undergone Several Changes

Removal of NFS requirement: Previously, Artifactory HA required setting up a mount that was used by the $CLUSTER_HOME folder to synchronize configuration and binary files between the cluster nodes. This requirement is now removed. Configuration files are maintained in the database, and binaries may be stored on alternative storage such as local storage on each node or on a cloud storage provider. To learn how to migrate your filestore from NFS to alternative storage, please refer to Migrating Data from NFS.
Bootstrap Bundle: When setting up an HA cluster, you need to create a bootstrap bundle on the primary node, and then copy it to each secondary node you add to the cluster before starting it up.
License Management: Artifactory HA licenses are now fully managed through the Cluster License Manager.
Unlicensed Nodes: When adding and starting up a node, if a valid license is not available to the Cluster License Manager, the node will continue to run, but will remain unlicensed and return a 503 error to any requests it receives. To keep your HA cluster running until the node is licensed, you can modify your reverse proxy configuration to redirect requests to the next upstream if a 503 error is received by adding
proxy_next_upstream http_503 non_idempotent;.

Please refer to Configuring a Reverse Proxy where you can generate a new Reverse Proxy Configuration that includes the modification needed.

Black Duck Code Center Integration Deprecated

Artifactory's direct integration with Black Duck Code Center has been deprecated. To continue using the Black Duck service, you can connect Artifactory to JFrog Xray which has integrated with Black Duck as an external provider of issues and vulnerabilities.

Global /repo Repository Deprecated

The Artifactory /repo repository endpoint is being deprecated. As part of the deprecation, any requests to the global /repo repository will no longer be valid, regardless to the value of the artifactory.repo.global.disabled system property. If you believe this deprecation will affect existing build jobs or scripts that are referencing the global repo, due to the deprecation, you will now be able to create your own standard Virtual Repository and call it “repo”, since the name will no longer be reserved.

Change in Startup and Shutdown Scripts

The startup and shutdown scripts have changed in Artifactory 5.0. Previously, these scripts used to create the "Artifactory" user as a standard user. To improve security, the user is now created without a login shell and the execution scripts use "su -s" (instead of "su -l") which means that the Artifactory user will not be available for any purpose other than for startup and shutdown.

Set Item Properties REST API Endpoint Changed

The version of Tomcat used in Artifactory 5.0 has been upgraded to 8.0.39. This version of Tomcat no longer supports unencoded URLs, so the REST API endpoints which used a pipe character ("|") as a separator have undergone corresponding changes so you can use a semicolon (";") as a separator instead, or use escaping to represent a pipe as %7C. Any scripts that use these endpoints may have to be changed to support the new specification. For details, please refer to Set Item Properties as an example.

Session ID Cookie Changed

Your Artifactory session ID is now stored in a SESSION cookie (instead of a JSESSIONID cookie).

Main Updates

Artifactory can now be installed in a High Availability configuration without needing an NFS.
Cluster License Manager for Artifactory HA installations automatically manages licensing for your cluster nodes. This will also be supported by JFrog Mission Control in its forthcoming release.
Greatly simplified Artifactory Docker image installation.
Authentication using Access Tokens.
Greatly simplified onboarding using either a UI wizard or a YAML file.
Home Screen has been redesigned with a new look and feel for easy access to common actions and a rich user experience.
Search has been redesigned and is now available as a separate module for easy access from anywhere.
UI notifications in Artifactory have been improved for clarity.
Monitoring Storage is updated with a new look and feel.
Removed the requirement for session affinity in the load balancer used in an Artifactory HA cluster.
Direct integration with Black Duck has been deprecated. You may continue using Black Duck through JFrog Xray.
Global /repo repository has been deprecated.
Artifactory Tomcat version was upgraded to 8.0.39.
From version 5, the YUM package type is replaced with RPM. i.e. what used to be a YUM repository is now referred to as an RPM repository. YUM will continue to be supported as a package type when creating repositories through the REST API for backward compatibility.
Users who are logged in through a SAML server can be associated with LDAP groups through the use of a user plugin. Use this user plugin as a reference as an example of a user plugin.
LDAP login performance was improved by narrowing Arifactory's search filter so it only searches through groups that have been imported to Artifactory rather than the full set of LDAP groups.
Added support for Docker manifest to reference remote layers by URL that will be pulled by the Docker engine before running the image.
Added metadata validation for Debian packages to ensure Debian repositories are not corrupted by malformed packages.
Fixed an issue in which Docker images which were imported to Artifactory and then exported sometimes failed to produce the correct schema.
Fixed an issue regarding email notifications for backups so that now, a notification is sent for both manual and automatic scheduled backups if the backup fails.
Fixed an issue in which downloading from a virtual Git LFS repository would fail if the file would not exist in the first positioned repository in the list.
Fixed an issue in which YUM metadata GPG signing was skipped if the passwords in Artifactory were encrypted.
Fixed an issue in which Git LFS repositories that require authentication will fail push requests when Anonymous Access is enabled.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 5.0.1

Released: February 7, 2017

Main Updates

A memory leak that was discovered in the new cluster license manager implementation has been fixed. This issue may have caused Artifactory to stop responding and is now resolved.
A limitation in Artifactory HA, that potentially prevented you from accessing large support bundles, and prevented Artifactory from starting up, has been removed. Now, you can access the support bundle for any node in an HA cluster regardless of its size.
An issue preventing Artifactory from starting up when using IBM JDK 8 has been fixed.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.16

Released: January 16, 2017

Support for Xray CI/CD Integration

As a critical link between JFrog Xray and Jenkins CI (more CI servers will be added in future releases), Artifactory adds support for Xray's CI/CD integration allowing you to fail build jobs if vulnerabilities are found in the build. Artifactory acts as an intermediary between Jenkins and JFrog Xray.

You can configure the Jenkins Pipeline to send a synchronous request to Xray to scan a build that has been uploaded to Artifactory. Artifactory passes the request on to Xray which scans the builds in accordance with Watches you defined, and respond with an indication to fail the build job if an alert is triggered.

Xray CI/CD integration is supported from Artifactory 4.16, JFrog Xray 1.6 and Jenkins Artifactory Plugin 2.9.0.

Main Updates

Add support for JFrog Xray CI/CD integration allowing you to fail build jobs if the build scan triggered an alert.
Fix a bug that caused a memory leak related to JFrog Mission Control DR configuration.
Fix an issue in which createdBy and modifiedBy fields were missing after running an import.
When a build is deleted, whether through the UI, via REST API or due to a build retention policy, Artifactory now sends a corresponding event to Xray so it can remove that build from its database and avoid triggering alerts for deleted builds.
A fix has been put in place to prevent a security vulnerability (CVE-2016-10036) that may have been exploited through a web UI API endpoint, which potentially allowed unauthorized uploading of files to unexposed locations in the Artifactory host.
JFrog would like to thank Alessio Sergi of Verizon Enterprise Solutions for reporting this issue and for working with JFrog to help protect our customers.

Artifactory 4.16.1

Released: March 15, 2017

Main Updates

The Tomcat bundled with Artifactory has been upgraded to version 8.0.41.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.15

Released: December 13, 2016

Conan Repositories

Artifactory brings binary repositories to the world of C/C++ development with support for Conan repositories. By supporting the Conan client, Artifactory offers enterprise grade repository management supporting high-availability, fine-grained access control, multi-site development, CI integration and more. Providing an in-house local repository for C/C++ binaries, Artifactory is a secure, robust source of dependencies and a target to efficiently upload packages built through Conan. C/C++ development will never be the same again.

Main Updates

Add support for Conan repositories.
Significantly improved performance in Artifactory installations serving thousands of users related to the intensive permission validation process. For example, this should solve slow NuGet search issues in these Artifactory installations.
Fixed an issue in which changing the severity specified for download blocking for a repository, or removing it altogether, did not update Xray correctly and the change was not registered.
Fixed an issue in which the JSON returned from Get Repository Replication Configuration was not always compatible with REST API endpoints used to set repository replication configuration.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.14

Released: October 20, 2016

PHP Composer Repositories

Artifactory now supports development with PHP as a fully-fledged PHP Composer repository. Create local repositories to host your internal PHP packages, or proxy remote resources that host PHP index files or PHP binary packages.

Main Updates

Support PHP Composer local and remote repositories.
Artifactory can now issue a warning before running a backup if there is insufficient disk space.
Performance when simultaneously calculating Debian metadata for multiple distributions in multiple repositories has been improved.

Known Issues

In case DR instance is manage by JFrog Mission Control there is a risk of a memory leak which may cause the Artifactory service to stop responding.
Related issues are RTFACT-12854, RTFACT-13358.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.14.1

Released: November 1, 2016

Main Updates

Fixed an issue related to clean up of YUM metadata index files.
Fixed a distribution issue related to packages with special characters (e.g. ':') in the package or version name.

Known Issues

In case DR instance is manage by JFrog Mission Control there is a risk of a memory leak which may cause the Artifactory service to stop responding.
Related issues are RTFACT-12854, RTFACT-13358.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.14.2

Released: November 27, 2016

Main Updates

LDAP login performance improved
Login performance has now been improved by only searching attributes that have been configured in the LDAP Group setting rather than for the entire set of attributes. This is especially noticeable when user belongs to many groups.
Npm search issue fix
Due to breaking changes in npm client behavior, from version 4.0 of the Npm client, searching through Artifactory was failing. This was because the client could not parse the response with the "_updated" field of searches that used "since" . This has now been fixed by removing the field from the response for partial searches.
NuGet search issue fix
When the results of NuGet package search required pagination, several results were omitted. This was due to a mismatch between how Artifactory returned each page of the results (using a "$skip" parameter), and how the NuGet client expected the result (based on the "$top" parameter. This has now been fixed by aligning Artifactory with the NuGet client so no results are omitted.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.14.3

Released: December 7, 2016

Using Previous Encryption Keys

If Artifactory is unable to decrypt data with the current Master Key (the contents of the artifactory.key file), you can now set the artifactory.security.master.key.numOfFallbackKeys property in the artifactory.system.properties file which specifies the number of previous keys Artifactory should try and use to decrypt data .

Main Updates

Enable Artifactory to use previous Master Keys keys to decrypt data.

Known Issues

In case DR instance is manage by JFrog Mission Control there is a risk of a memory leak which may cause the Artifactory service to stop responding.
Related issues are RTFACT-12854, RTFACT-13358.

For a complete list of changes please refer to our JIRA Release Notes .

Artifactory 4.13

Released: September 21, 2016

Xray Enhancements

Global enable/disable: Globally enable or disable the Xray integration
Download blocking: When connected to JFrog Xray, Artifactory can be configured per repository to block download of artifacts that have not yet been scanned, or those that have been scanned and identified to include issues of a given severity
Scan specific artifact or path: Initiate scanning and indexing of a specific artifact or path selected in the tree browser

JMX MBeans to support monitoring of log appenders for log analytics

Artifactory now implements MBeans that let you monitor appenders that send log information to Sumo Logic for log analytics.

Main Updates

Enhancements to the Xray integration including globally enabling or disabling the integration, download blocking and specific artifact/path scanning.
JMX MBeans that monitor appenders that send log data to Sumo Logic for log analytics.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.13.1

Released: October 13, 2016

Main Updates

An issue, in which Bower packages downloaded from virtual repositories were returned "flat" rather than in their original structure, has been fixed.
The system logs are refreshed periodically. An administrator can now pause the countdown to refresh the system log.
The order in which different repository types are sorted in the tree browser can now be set by a system property.
Performance when managing Groups and Users for permission targets has been improved.

Known Issues

In case DR instance is manage by JFrog Mission Control there is a risk of a memory leak which may cause the Artifactory service to stop responding.
Related issues are RTFACT-12854, RTFACT-13358.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.13.2

Released: October 18, 2016

Main Updates

Fixed security issue and minor bugs.

Known Issues

In case DR instance is manage by JFrog Mission Control there is a risk of a memory leak which may cause the Artifactory service to stop responding.
Related issues are RTFACT-12854, RTFACT-13358.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.12.0.1

Released: August 29, 2016

Note: This release replaces version 4.12.0 due to a critical issue that was found.

JMX MBeans

To monitor resource usage, Artifactory now implements JMX MBeans that monitor HTTP connections. This exposes a variety of new parameters that you can monitor such as remote repositories, JFrog Xray client connection, distribution repositories, replication queries, HA event propagation and more.

YUM Virtual Repositories

With support for virtual YUM repositories, you can both download and upload RPMs using a single URL.

Main Updates

Support YUM Virtual Repositories.
JMX MBeans support has been expanded to allow monitoring HTTP connections.
A remote repository and its corresponding cache are now collated in the Artifact Repository Browser and displayed together rather than in separate sections.
As a convenience feature, you can now filter users to be removed from a group or repositories to be removed from a permission target.
Hazelcast interface matching has been disabled, allowing you to run Artifactory HA cluster nodes under different Docker hosts.
A targetInfo variable has been added to the Replication User Plugin context allowing you to specify the target Artifactory URL and repository.
Performance of RubyGems api/dependencies queries has been improved.
Push replication now supports synchronizing download stats (for local repositories). To avoid inadvertent deletion artifacts, this is recommended when setting up replication for disaster recovery.

Known Issues

When pushing existing docker layers to using to deploy to virtual layers will be uploaded to the wrong path. The path with be prefixed with the target local repository key.
Note that pull command will continue to work as expected.
Related issue is RTFACT-12396, fixed in version 4.12.1.
RubyGems dependency query might cause unexpected DB behavior when working with a very large sets of artifacts.
Related issue is RTFACT-12480, fixed in version 4.12.2.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.12.1

Released: September 7, 2016

Main Updates

Fix an issue that caused existing Docker layers to be uploaded to the wrong path when deploying to a virtual repository.
This patch will also include a conversion to move layers from the wrong path to the correct path.
Fix "AWS EC2 IAM SessionCredentials" refresh token process, when using IAM role and time is set to any time zone other than GMT.

Known Issues

RubyGems dependency query might cause unexpected DB behavior when working with a very large sets of artifacts.
Related issue is RTFACT-12480, fixed in version 4.12.2.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.12.2

Released: September 14, 2016

Main Updates

Fix an issue causing DB to behave unexpectedly when using /api/gem/dependencies query on RubyGems repositories with a very large set of artifacts.
Fix an internal server error on "Artifacts Not Downloaded Since" REST api.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.11

Released: July 31, 2016

JFrog Xray Integration

The first official version of JFrog Xray, version 1.0 has been co-released with this version of Artifactory. JFrog Xray 1.0 supports Artifactory 4.11, and above.

To integrate JFrog Artifactory 4.11 with JFrog Xray 1.0 you need to take the following steps:

If you are doing a clean installation of JFrog Artifactory 4.11, follow the usual instructions under Installing Artifactory, and then install JFrog Xray as described in the JFrog Xray User Guide.
If you are upgrading from a previous version of JFrog Artifactory to which you had connected the JFrog Xray preview version, please follow these instructions to create a clean environment for installation.

Performance

This version presents several improvements in performance including deletion of an artifact's properties, garbage collection and data import and restoring artifacts from the trash can.

Main Updates

Performance when making many changes (e.g. Delete all) to an artifact's properties has been greatly improved.
Performance of the trash can has been greatly improved both when deleting artifacts or restoring them from the trash can.
Garbage collection and data import performance has been greatly improved by separating these two actions in different threads.
For artifacts that are indexed by JFrog Xray, the General tab in the tree browser now displays Xray indexing and status information.
Repository Configuration REST API endpoint has been updated to provide caller with the same information that is available, according to that user's permissions, when querying a repository through the UI .
A fix has been put in place to prevent a security issue due to "LDAP Attribute Poisoning" (CVE-2016-6501).
JFrog would like to thank Alvaro Munoz and Oleksandr Mirosh of Hewlett Packard Enterprise for reporting this issue and for working with JFrog to help protect our customers.

Known Issues

Null pointer exception error is thrown when a property has a NULL value (RTFACT-12058).
This might be caused by YUM metadata calculation when a YUM group is being used causing the vendor value to be NULL.
As a workaround for this issue you can set the following system property artifactory.node.properties.replace.all=true under $ARTIFACTORY_HOME/etc/artifactory.system.properties and restart Artifactory service. (in case you are using High Availability set up this change need to be done on each node).
Make sure to change the value back to false after you upgrade to a later version since this issue is already fixed and leaving it to true will result in Artifactory not using the new properties update mechanism.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.11.1

Released: August 14, 2016

Improvements to Docker Registries

Several improvements have been made for Docker registries in Artifactory.

Pull replication for remote Docker repositories, that was previously not possible due to a limitation in the Docker client, has now been enabled for images created with the manifest schema v2.
Storage of Docker images has been optimized so that Artifactory will not duplicate layers of a Docker image that is pushed if those layers already exist elsewhere in Artifactory.

Main Updates

In addition to listing files in Amazon S3 storage, Artifactory can now also list files in Google S3 storage.
Pull replication has now been enabled for Docker registries for images created with manifest schema v2.
When pushing a Docker image that contains layers that already exist, Artifactory will using the existing layers rather than storing an additional copy.
Artifactory now supports GPG signing for YUM metadata
AQL can now be invoked from user plugins related to search.
Artifactory is now available for installation as a Debian distribution for Xenial (Ubuntu 16.04).

Known Issues

When pushing existing docker layers to using to deploy to virtual layers will be uploaded to the wrong path. The path with be prefixed with the target local repository key.
Note that pull command will continue to work as expected.
Related issue is RTFACT-12396, fixed in version 4.12.1.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.11.2

Released: August 17, 2016

Main Updates

Fix sending unnecessary delete event to Xray when overriding file with the same checksum.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.10

Released: July 19, 2016

Log Analytics

This version introduces the capability for integration with Sumo Logic Log Analytics. Artifactory creates an account with Sumo Logic so you can view advanced analytics of your Artifactory logs to discover performance bottlenecks, attempts at unauthorized server access and more.

Docker Image Cleanup

You can now configure how many snapshots of each docker image tag Artifactory should store before deleting old snapshots to avoid them accumulating and bloating your filestore.

Main Updates

Integration with Sumo Logic for Log Analytics.
Configure Artifactory to automatically cleanup old tags of Docker images by limiting the number of unique tags stored in any Docker registry in Artifactory.
Performance of Maven metadata calculation has been improved to accommodate many delete operations on a Maven repository.
A new navigation menu with major improvements in the Admin module allowing you quickly filter and navigate to a specific category. The full menu is displayed on a mouse-over, and you can enter a search term to emphasize the item you are looking for.
Support retagging a Docker image as part of the Docker promotion REST API, enabling you to easily rename and retag an image without having to pull and push it again. This is very useful when using promotion to manage your CI pipeline.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.9

Released: July 3, 2016

JFrog Xray Integration

This version introduces the capability for full integration with JFrog Xray, Universal Artifact Analysis, that reveals a variety of issues at any stage of the software application lifecycle. By scanning binary artifacts and their metadata, recursively going through dependencies at any level, JFrog Xray provides radical transparency and unprecedented insight into issues that may be lurking within your software architecture.

Main Updates

Artifactory JFrog Xray integration.
You can now restrict a user to accessing Artifactory only through the REST API.
Deprecated "Force Authentication"configuration field has been removed from Docker repository configuration that was used to enable the docker login command. Currently all Docker repositories support both authenticated and anonymous access according to the permission configuration making this field obsolete.This is especially useful for users representing different tools that interact with Artifactory such as CI servers, build tools, etc.
Artifactory now supports custom Atlassian Crowd authentication tokens.
Artifactory OAuth integration now supports passing in query params as part of the authorization URL.
AQL and Artifactory public API, have been enhanced to support reporting detailed remote download statistics for smart remote repositories.
When deploying archives to Artifactory using the REST API, you can specify that they should be exploded in an atomic operation through the X-Explode-Archive-Atomic header.
Removed support for deprecated artifactory.security.useBase64 flag in artifactory.system.properties and as a consequence artifactory.security.authentication.encryptedPassword.surroundChars.
In order to trigger generation of a new encrypted password, compatible with Artifactory version 4.9.0 and above, users are required to access their user profile page and obtain a new encrypted password.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.9.1

Released: July 14, 2016

Main Updates

Improves performance when editing a user's details for a system with a large number of users.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.8

Released: May 23, 2016

Distribution Repository

A new repository type designed to let you push your software out to customers and users quickly and easily through JFrog Bintray. Once set up, access to Bintray is managed by Artifactory so all you need to do is put your artifacts in your distribution repository, and they automatically get pushed to Bintray for distribution.

Main Updates

Distribution Repository
Recalculation of metadata for different repository types (Ruby Gems, Npm, Bower, NuGet, Debian, YUM, Pypi, CocoaPods, Opkg) can now be triggered by users with the set of permissions assumed by Manage (i.e. Manage + Delete/Overwrite + Deploy/Cache + Annotate + Read). Previously this required admin permissions. Known limitation: triggering metadata recalculation for virtual repositories through the Artifactory UI still requires admin privileges.
When rewriting external dependencies for npm or Bower repositories, shorthand dependencies that are GitHub URLs will be matched by all patterns that contain "github.com"

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.8.1

Released: May 23, 2016

Change in OSS license

From version 4.8.1, Artifactory OSS is licensed under AGPL 3.0 (previously LGPL 3.0).

Distribution Repositories

Added support for distribution dry run as well as support for both named and unnamed capture groups when specifying repositories and paths for distribution provides enormous flexibility in how you upload files to Bintray.

Tree Performance Improvements

Major improvement in tree loading time when working on large scale tree with thousands of entries.

Main Updates

Improvements to Distribution Repository
1. Offer enormous flexibility in how you upload files to Bintray by supporting both named and unnamed capture groups.
2. Added dry run option before executing distribution.
The Tree Browser has undergone many changes under the hood to significantly improve behavior and performance when heavily populated with many items.
Artifactory will now reject repository names that would conflict and create duplicate entries in the Tree Browser.
Resolved RubyGems error caused by version comparator method.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.8.2

Released: May 23, 2016

Main Updates

Conversion of the Docker manifest schema from v2 to v1 when pulling an image from a remote repository that proxies DockerHub. This issue caused Docker client below version 1.10.0 to fail pulling images uploaded with client version 1.10.0 and higher.
In a High Availability configuration, Artifactory fails to delete a repository if a download from the repository is in progress while the repository is being deleted.
Allow disabling maven auto-data calculation upon delete event. This will allow performing massive deletes.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.7

Released: March 31, 2016

Remote and Virtual Git LFS Repositories

Artifactory is the only repository manager that supports remote and virtual Git LFS repositories. Use remote repositories to easily share your binary assets between teams across your organization by proxying Git LFS repositories on other Artifactory instances or on GitHub. Wrap all your local and remote Git LFS repositories in a virtual repository allowing your Git LFS client to upload and download binary assets using a single URL.

Artifactory Query Language

AQL has two great new features!

Added a new Promotion domain. This allows you to run queries on builds according to details on their promotion status. For example, find the latest build with that has been promoted to "release" status.

In addition, we now support running queries across multiple domains, for example items.find().include("archive.entry","artifact.module.build"). This is especially useful since permissions can now be supported for domains which until now where available for admins only.

Authentication for Docker Repositories

We have removed the need to configure separate repositories for anonymous and authenticated users. Previously when anonymous access was enabled, Docker repositories allowed unauthenticated access, but in order to support authenticated access, using docker login for example, you had to use the "Force Authentication" flag. This limitation is now removed and anonymous users can pull and push, according to configured permissions, to all repositories, including ones checked with the "Force Authentication" flag.

As a result, the "Force authentication" checkbox in Docker repository settings is deprecated. It is currently left in the UI in a checked and immutable state for reference only, and will be removed in a future version.

NOTE: Anonymous users can continue working with existing repositories where "Force Authentication" was set to false. In a later version when this configuration will be removed, authenticated users will be able to work with those repositories as well.

Block Mismatched Mime-types in Remote Repositories

Added support to validate that a returned artifact matches the expected Mime-Type. For example, if you request a POM file but receive an HTML file, Artifactory will block the file from being cached. When such a mismatch is detected, Artifactory will return a 409 error to the client.

By default Artifactory will block HTML and XHTML Mime-Types. You can override this configuration from the Advanced tab in the remote repository configuration to specify the list of Mime-Types to block.

Support for AWS IAM Role with S3

There's no need to save your credentials in a text file. As another way to authenticate when using AWS S3, you can now use an IAM role instead of saving the credentials in the $ARTIFACTORY_HOME/etc/storage.properties file.

Main Updates

Remote and virtual Git LFS repositories
Promotion domain for AQL and cross domain queries for non-privileged users displaying any accessible field from any domain.
Anonymous and authenticated users can access the same docker repository.
Push Docker tags to Bintray directly from the Artifactory UI.
Support for IAM role with S3.
Improved node recovery mechanism when working in High Availability setup.
Major improvements in YUM resulting in up to 100% improvement in performance while using much less resources.
Block mismatched Mime-Types from being cached in remote repository.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.7.1

Released: April 4, 2016

Main Updates

A fix for compatibility issue with Visual Studio 2015 update

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.7.2

Released: April 4, 2016

Main Updates

Change PyPI repository behavior to be case insensitive and handle '-' and '_' as the same character when comparing package name.
To support disaster recovery in JFrog Mission Control, you can now globally block replication regardless of configuration in specific repositories.
Configure login link to automatically redirect users to the SAML login page.
AQL supports specifying time intervals relative to when queries are run.
Add support for the NuGet --reinstall command.
Add support for the Npm --tag command.
Add support for AWS version parameter in Filestore Configuration.
Exposed a method to get or set user properties in Artifactory's Public API.

For a complete list of changes please refer to our JIRA Release Notes.

Known Issues

Existing PyPI packages will not available until triggering an index recalculation and setting the relevant metadata to support the new PyPI implementation.
This issue is resolved in Artifactory 4.7.3 that will trigger index recalculation when upgrading from an older version for all PyPI repositories.
Related issue - RTFACT-9865 .
Upgrading to pip client 8.1.2 will introduce an issue with installing packages which contain '.' in the package name. This is due to an a chance in pip client behavior that was supposed to included in 8.0.0 but only manifested in 8.1.2 due to a bug in pip client.
Related issue - RTFACT-10133.

Artifactory 4.7.3

Released: April 17, 2016

Main Updates

Improved migration of existing PyPI packages to new PyPI implementation.

For a complete list of changes please refer to our JIRA Release Notes.

Known Issues

In case there is a conflict is artifacts resolution that can be as a result of the block-mime types, or trying to resolve a maven snapshot version from a repository configured to only handle releases repository virtual repository will return a 409 (conflict) error code. Gradle clients do not handle this error gracefully and will not try to resolve artifacts from the next repository configured in the build.gradle file.
This issue was resolved in Artifactory 4.7.4 that reverted this improvement.
Related issue - RTFACT-9880.

Artifactory 4.7.4

Released: April 20, 2016

Main Updates

Resolution from virtual repository might result in 409 error which can cause unexpected behavior if client doesn't handle error gracefully.

For a complete list of changes please refer to our JIRA Release Notes.

Related issue - RTFACT-9880.

Artifactory 4.7.5

Released: May 1, 2016

Main Updates

Added support for SHA-256 hashing for Debian packages.
Maven performance has been significantly improved especially when performing multiple delete operations to use significantly less resources.
Conversion of Docker manifest V2 schema to V1 scheme no longer requires deleting the signing key.
Fixed an issue with Hazelcast timing out due to file locking in Artifactory HA.
Added a new REST API to schedule an immediate pull, push, or multi-push replication. This replaces the old replication REST API which has been deprecated.
Fixed a compatibility issue with NuGet V2 requesting framework dependencies.
NOTE: You need to invoke a reindexing of your NuGet repositories once, via the UI or using the REST API, for the fix to take effect.
Tree browser performance has been significantly improved, especially when browsing heavily annotated repositories.
The workflow related to disabling the internal password for externally authenticated users (for example, via LDAP) has been improved.
You can now deploy artifacts with multi-value properties. For existing artifacts, you can add multi-value properties or edit them through the UI.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.7.6

Released: May 9, 2016

Main Updates

Significantly improved performance of Maven metadata calculation on path which contains a large number of versions.
Disable the /repo repository for new Artifactory SaaS instances provisioned.
NOTE: For existing customers this change will take effect next time the artifactory.system.properties is re-created. This can happen when an Artifactory server is migrated to another region, or during certain maintenance operations.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.7.7

Released: May 15, 2016

Main Updates

Fixed PyPI compatibility issue. Package names will be normalized as described in PyPI spec (PEP 503).
After upgrading an automatic reindex will be triggered for all PyPI repositories.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.6

Released: March 13, 2016

Filestore Management

This release presents great advances in filestore management with the following features:

Advanced Filestore Configuration: A new mechanism that lets you customize your filestore with any number of binary providers giving you the most flexible filestore management capability available today.

Filestore Sharding: Through filestore sharding, Artifactory offers the most flexible and reliable way to scale your filestore indefinitely.

Google Cloud Storage: Artifactory now supports another option for enterprise-grade storage with Google Cloud Storage.

AWS S3 object store: Artifactory now supports server-side encryption for AWS S3 object store.

Using Docker with AOL

From this version, there is no limitation on the number of Docker repositories you can create on AOL. You can now access Docker repositories on AOL through {account_name}-{repo-key}.jfrog.io

Bundled Tomcat Version

The Tomcat bundled with Artifactory has been upgraded to version 8.0.32.

Artifactory as a Bower Registry

Artifactory is now a private Bower registry as well as a repository for Bower packages. You can now use the bower register commands to register your packages to any remote or virtual Bower repository in Artifactory proxying your internal VCS server (e.g. Stash, Git, BitBucket).

Main Updates

This release includes the following main updates:

Advanced Filestore Configuration.
Filestore Sharding.
Support Google Cloud Storage.
Artifactory now supports server side encryption for AWS S3 object store.
The bundled Tomcat in which Artifactory runs has been upgraded to version 8.0.32.
The simple-default repository layout used in generic repositories has been updated.
Unlimited Docker repositories on AOL.
Enhanced Docker Info tab showing detailed information on Docker images.
When searching with the Artifactory UI, Artifactory performs prefix matching for search terms in all the different search modes.
Artifactory is now a private Bower registry as well as a repository for Bower packages.
The number of characters in MSSQL properties' values is now limited to 900 characters.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.6.1

Released: March 21, 2016

Main Updates

A fix, to accommodate a change in the Docker client, that enables re-pushing existing layers when working with Docker 1.10.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.5

Released: February 14, 2016

CocoaPods repositories

Manage your dependencies for Apple OS development through Artifactory. Artifactory supports CocoaPods with local and remote repositories.

Main Updates

CocoaPods Repositories.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.5.1

Released: February 18, 2016

OAuth Security Fix

This release fixes a security vulnerability related to OAuth.

YUM performance

YUM memory management had undergone additional tuning to further improve performance.

Main Updates

OAuth security fix.
YUM performance tuning.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.5.2

Released: February 28, 2016

This is a minor update that provides several bug fixes.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.4

Released: January 4, 2016

Security

Artifactory 4.4 brings more advancements to security capabilities including:

Preventing brute force attacks at identity theft with increasingly delayed responses to repeated failed attempts at authentication, and locking out users after repeated failed login attempts.
SSH Authentication for Git LFS and Artifactory CLI
OAuth support for Docker client

Opkg Repositories

Artifactory is now a fully fledged Opkg repository, and generates index files that are fully compliant with the Opkg client. Create local repositories for your internal ipk packages, or proxy remote Opkg repositories. Provide GPG signatures for use with the Opkg client, and manage them using the UI or through REST API.

Trash Can

Artifactory now provides a trash can that prevents accidental deletion of important artifacts from the system. All items deleted are now stored for a specified period of time configured by the Artifactory administrator, before being permanently removed.

Main Updates

Local and remote Opkg repositories.
Deletion protection with a Trash Can.
SSH Authentication for Git LFS and Artifactory CLI.
OAuth authentication for the Docker Client. In addition, users can be granted access to their profile page using OAuth instead of having to type in their passwords.
Scan RubyGems to extract their licenses and display them as properties.
To combat unauthorized logins that use brute force, an administrator can configure user locking. In addition, Artifactory also implements temporary login suspension for unauthorized REST API access.
Extract Docker labels and create corresponding properties on the image's manifest.json file.
Support for Virtual Repositories and Inserting User Credentials in Set Me Up dialogs.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.4.1

Released: January 13, 2016

Password Expiration Policy

An Artifactory administrator can now force all users to change their password periodically by enabling a password expiration policy.

Externally Authenticated Users

An Artifactory administrator can now enable users, who are authenticated using external means such as SAML SSO, OAuth or HTTP SSO, to access their profile and generate an API Key or modify their password.

Apache Reverse Proxy Configuration

In addition to NGINX, Artifactory now also provides you with the code snippet you need to configure Apache as your reverse proxy. Just feed in your reverse proxy settings, including your handling of Docker repositories, and Artifactory will generate the configuration script you can just plug into your Apache reverse proxy server.

Main Updates

Password expiration policy
Allow users authenticated by SAML SSO, OAuth, or HTTP SSO to access their profile and generate an API Key or modify their password.
Reverse proxy configuration for Apache.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.4.2

January 18, 2016

In addition to several bug fixes, this minor update fixes an issue with backward compatibility for S3 Object Store when upgrading to Artifactory v4.3 and above.

This version also presents a significant improvement in download performance.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.4.3

February 8, 2016

Basic Authentication

You can now use your API key as your password for basic authentication. This means that clients that cannot provide the API key in a header, can still be authenticated with the API key by including it instead of the password in the basic authentication credentials.

List Docker images

Using the List Docker Images REST API, you can get a list of images in your Docker repositories.

YUM Performance Improvements

Major improvements in performance when working with YUM repositories, showing up to 300% faster indexing of RPM packages.

Main Updates

This release includes the following main updates:

Compatibility with Docker v1.10 and the Docker Manifest v2 schema.
Major improvements in performance when working with YUM repositories.
Use your API key for basic authentication.
API key header changed to X-JFrog-Art-Api.
REST API to enable or disable replication tasks.
When authenticated externally, an admin can allow you to access your API key, Bintray credentials and SSH public key without having to unlock your profile.
REST API to list Docker repositories using /_catalog end point.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.3

November 22, 2015

API Keys

You may now authenticate REST API calls with an API key that you can create and manage through your profile page or through the REST API.

Package Search

Run a search based on a specific packaging format with dedicated search parameters for the selected format. Performance is improved since search is restricted to repositories with the specified format only.

Support Zone

Generate the information that our support team needs to provide the quickest resolution for your support tickets.

Dependency rewrite for Bower and NPM

Remove the dependence on external artifact resources for Bower and Npm. When downloading a Bower or Npm package, Artifactory will analyze the package metadata to evaluate if it needs external dependencies. If so, Artifactory will download the dependencies, host them in a remote repository cache, and then rewrite the dependency specification in the original package's metadata and point it to the new location within Artifactory.

Improved support for S3 object store

JFrog S3 object store now supports S3 version 4 allowing you to sign AWS with Signature v4. Multi-part upload and very large files over 5 GB in size are now also supported.

Main Updates

Authentication using API keys.
Package search.
Convenient Support Zone page for submitting support requests.
Improved support for S3 object store with support for S3 version 4.
Automatic rewrite of external dependencies for Npm and Bower repositories.
HTTP request object is now accessible from Realms closures in user plugins ( RTFACT-8514 ).
REST API to download a complete release from VCS repositories.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.3.1

December 6, 2015

Reverse Proxy

Artifactory now provides a mechanism to generate reverse proxy configuration for NGNIX. This is very helpful when using clients, like Docker, that require a reverse proxy.

Support Google Cloud Storage (GCS)

Artifactory now supports GCS as a storage provider for you Artifactory instance.

Git LFS Batch API

Artifactory now supports batch calls from the Git LFS client allowing batch multiple file uploads.

Main Updates

Reverse proxy configuration generator
Google Cloud Storage
Batch file uploads for Git LFS repositories

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.3.2

December 8, 2015

This is a minor update that provides several bug fixes.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.3.3

December 21, 2015

Propagating Query Params

When issuing requests through generic remote repositories in Artifactory, you may include query params in the request, and Artifactory will propagate the parameters in its request to the remote resource.

Source Absence Detection for Smart Remote Repositories

You can configure whether Artifactory should indicate when an item cached in a smart remote repository has been deleted from the repository at the remote Artifactory instance.

Main Updates

Query params may now be propagated to generic remote repositories
Source absence detection for smart remote repositories is now configurable.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.2

October 18, 2015

In addition to implementing several bug fixes and minor improvements, this release introduces a Debian Artifactory installation and Deploy to Virtual repositories .

Debian Installation

Artifactory can now be installed as a Debian package.

Deploy to Virtual

Artifactory now supports deploying artifacts to a virtual repository via REST API. All you need to do is specify a local repository aggregated within the virtual repository that will be the deploy target.

OAuth Login

Artifactory now supports login and authentication using OAuth providers. Currently, Google, Open ID and GitHub Enterprise are supported.

Artifactory Query Language (AQL)

AQL has been greatly extended to include several additional domains, including Build and Archive.Entry as primary domains, giving you much more flexibility in building queries.

Main Updates

Artifactory installation as a Debian package
Deploy artifacts to a virtual repository
Authentication using OAuth providers
AQL has been extended to include additional domains
Improvements to Smart Remote Repositories
REST API to retrieve storage information
Overwrite NuGet pre-release packages without delete permissions
Pushing Docker images to Bintray is now also supported for Docker V2 repositories
Several minor improvements to the UI

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.2.1

November 1, 2015

OAuth Provider

Cloud Foundry UAA is now supported as an OAuth provider.

SHA256

In addition to SHA1 and MD5, SHA2 checksums are now supported also.

Main Updates

Artifactory now supports Cloud Foundry UAA for OAuth authentication.
Since Artifactory now fully supports the Bower client, support for older versions of Bower (below v1.5) that were using bower-art-resolver beta version is now deprecated.
Internet Explorer compatibility issues have been fixed.
Artifactory's HTTP client has been upgraded to version 4.5.
Automatic license analysis is now also triggered when deploying RPMs.
SHA256 calculation is now available, on demand via the UI or via REST API.
Several minor improvements to the UI.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.2.2

November 5, 2015

This is a minor update that provides several bug fixes.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.1

October 18, 2015

In addition to implementing several bug fixes and minor improvements, this release introduces Smart Remote Repositories and Virtual Docker Repositories.

Smart Remote Repositories

Define a repository in a remote Artifactory instance as your remote repository and enjoy advanced features such as automatic detection, synchronized properties and delete indications.

Virtual Docker Repositories

Aggregate all of your Docker repositories under a single Virtual Docker Repository, and access all of your Docker images through a single URL.

Main Updates

Support for Smart Remote Repositories
Docker enhancements with virtual Docker repositories and detailed Docker image info
Context sensitive help
Custom message
Stash search results
Enhanced AQL supporting queries in the Build domain
Downloading a folder from the UI and REST API
Ability to browse the content of tag and tar.gz files
Full support for Bower (out of Beta)
Several minor improvements to the UI

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.1.2

September 20, 2015

This is a minor update that provides a fix for clients, such as Maven, that do not use preemptive authentication.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.1.3

September 27, 2015

This is a minor update that provides a fix for Docker Login with anonymous access.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.0

JFrog is excited to announce the release of Artifactory 4.0. This release presents major changes in Artifactory providing a fresh look 'n feel with a completely revamped user interface and many other changes described below.

New User Interface

JFrog-Artifactory's user interface has been rebuilt from scratch to provide the following benefits:

Intuitive: Configuration wizards for easy repository management
Fresh and modern: New look and feel providing a rich user experience
Set Me Up: Convenient code snippets to support simple copy/paste integration with software clients and CI tools
Context-focused repositories: Repositories are optimized to calculate metadata for single package types
Easy access control: Easily implement your access policies with intuitive user, group and permission management
Smart tables: Group and filter any data that is presented in tables

Groovy 2.4 for User Plugins

JFrog Artifactory 4 supports Groovy 2.4 letting you enjoy the latest Groovy language features when writing User Plugins.

We strongly recommend you verify that all of your current User Plugins continue to work seamlessly with this version of Groovy.

Tomcat 8 as the Container

JFrog Artifactory 4.0 only supports Tomcat 8 as its container for both RPM and standalone versions. If you are currently using a different container (e.g. Websphere, Weblogic or JBoss), please refer to Upgrading When Using External Servlet Containers for instructions on how to migrate to Tomcat 8.

System Requirements

Java

JFrog Artifactory 4.0 requires Java 8

Browsers

JFrog Artifactory 4. 0 has been tested with the latest versions of Google Chrome, Firefox, Internet Explorer and Safari.

Breaking Changes

User Plugins

Some features of Groovy 2.4 are not backward compatible with Groovy 1.8. As a result, plugins based on Groovy 1.8 may need to be upgraded to support Groovy 2.4.

Multiple Package Type Repositories

JFrog Artifactory 4.0 requires you to specify a single package type for each repository. For the specified package type, Artifactory will calculate metadata and work seamlessly with the corresponding package format client. For example, a repository specified as Docker will calculate metadata for Docker images and work transparently with the Docker client.

Artifactory will not prevent you from uploading packages of a different format to any repository, however, metadata for those packages will not be calculated, and the corresponding client for those packages will not recognize the repository. For example, if you upload a Debian package to a NuGet repository, Debian metadata will not be calculated for that package, and the Debian client will not recognize the NuGet repository.

You may specify a repository as Generic and upload packages of any type, however, for this type of repository, Artifactory will not calculate any metadata and will effectively behave as a simple file system. These repositories are not recognized by clients of any packaging format.

If your system currently includes repositories that support several package types, please refer Single Package Type Repositories to learn how to migrate them to single package type repositories.

Artifactory 4.0.1

August 9, 2015

This is a minor update that provides significant enhancements to our support for Docker, additional UI improvements as well as several bug fixes.

For a complete list of changes please refer to our JIRA Release Notes.

Artifactory 4.0.2

August 12, 2015

This is a minor update that provides support for the latest Docker client 1.8.

For a complete list of changes please refer to our JIRA Release Notes.

Previous Release Notes

For release notes of previous versions of JFrog Artifactory, please refer to Release Notes under the Artifactory 3.x User Guide