0.8.0

Upgrading from an earlier version?

If you are upgrading an existing deployment, review the upgrade notes first.

Features (10)

  1. Retention Rules (Beta)
    Create custom retention rules to control when packages are deleted and keep storage clean automatically. Learn more in Retention Rules.

  2. Expanded Vulnerability Scanning Coverage
    Scanning now supports npm, NuGet, Composer, Cargo, and Gems in addition to Docker, PyPI, Maven, Go, RPM, and Debian.

  3. All in One Deployment
    Run RepoFlow with a single command in one Docker container. This is great for development and testing, but not recommended for production.

  4. Local Filesystem Storage
    Use a mounted volume (e.g., /data) as a storage backend for development and testing. Not recommended for production.

  5. PyPI Checksums & uv Compatibility
    Added checksum support for PyPI repositories, enabling full compatibility with tools like uv.

  6. Faster API Responses
    Optimized request handling for about 10 ms faster responses, especially noticeable during large installs. Requests authenticated with personal access tokens are faster by an additional ~8 ms.

  7. Helm NGINX Overrides
    You can now override the NGINX configuration directly from the Helm chart for advanced self-hosted customization.

  8. New API v1 (recommended)

    • Added a new v1 API with much better documentation and broader capabilities than the legacy API.
    • Legacy API (non-breaking):
      • List repository packages with offset and limit.
      • Versions listing now includes per-version download counts.
      • Workspace metadata now returns more fields and accepts id as well as name.

  9. Helm NGINX & Hasura
    Added a new Helm chart option to enable health checks for NGINX and Hasura.

  10. Official Version Sorting by Package Type
    Package versions are now sorted using the official versioning standard of the package type when available. For example, npm packages are sorted using SemVer. When no official standard exists, versions continue to be ordered by creation date, preserving the previous behavior.

Improvements (18)

  1. Settings buttons are now proper links, so they can open in a new tab.

  2. System Settings statistics loading animation is smoother.

  3. Tab navigation now supports arrow keys.

  4. Leaner font files for faster page loading.

  5. License error messaging is clearer (e.g., expired/invalid licenses).

  6. Switch components have a larger clickable area.

  7. Documentation pages now have updated icons and OpenGraph previews.

  8. New favicons for the platform and docs.

  9. Package indexing logs are more informative when smart search is enabled.

  10. General UI polish across settings and navigation.

  11. RepoFlow now automatically cleans up old scheduled task history to reduce database clutter. By default, history is kept for 30 days, and you can change the retention period using the new environment variable: SCHEDUAL_TASKS_HISTORY_DAYS_LIMIT.

  12. Improved the “Address mismatch” error page: it now shows a clearer explanation and includes a direct link to the configured frontend URL.

  13. When multiple requests for the same file arrive close together, RepoFlow now downloads and caches it only once, reducing duplicate remote downloads, storage writes, and database load.

  14. Repository API requests (requests made by package clients like npm and Docker) now always return content length when possible, to support progress bars in CLI clients.

  15. The COOKIE_SECURE environment variable is now automatically derived from FRONTEND_URL by default. It can still be explicitly overridden by setting COOKIE_SECURE in the server environment.

  16. RepoFlow CLI now verifies the RepoFlow Server connection on startup, validates the environment configuration, and warns when the CLI and server versions are not aligned.

  17. Added support for configuring the AWS S3 storage class used for newly created objects via the new S3_STORAGE_CLASS environment variable.

  18. Enhanced the RepoFlow Docs 404 page for better clarity and navigation.

Bug Fixes (22)

  1. Fixed PyPI uploads returning 500 when the user lacked permissions (Twine, etc.).

  2. S3_REGION now applies whenever set, not only when S3_IS_AWS_S3=true.

  3. Corrected the PyPI upload tutorial URL for uv.

  4. Fixed PyPI file API sometimes returning incomplete listings.

  5. Adjusted PyPI HTML to comply with PEP 503 (removes warnings in older pip versions).

  6. PyPI name/version parsing now reads wheel/egg/source metadata and only falls back to filenames when needed.

  7. Workspace count in System Settings now refreshes after creating a repository.

  8. Helm chart now allows overriding NGINX configuration without breaking.

  9. Cargo sparse index proxy now forwards short crate names (1–3 letters) correctly.

  10. Public Docker repositories with view-only permissions no longer block authenticated pushes.

  11. Added safeguards so failed S3 uploads aren’t left referenced in the DB.

  12. Smart search now cleans up results for packages that no longer exist after abrupt shutdowns.

  13. Keyboard navigation on the repositories dashboard now ignores background elements when popups (e.g., upload) are open.

  14. Package metadata APIs now return 404 (instead of 500) when requesting a nonexistent package.

  15. Fixed an issue where RPM files were sometimes not cached in remote repositories.

  16. Fixed an issue where Maven remote repositories returned an incorrect status code when a requested file did not exist upstream.

  17. Fixed an issue where Maven and Debian remote repositories logged remote asset URLs with a missing slash (/) in debug logs. This was a logging issue only and did not affect repository functionality.

  18. Fixed an issue where, in rare cases, Redis was not fully initialized before the server attempted to use it. The server now waits for Redis to be ready, just like with other services.

  19. Fixed an issue where retry logic for remote repositories did not trigger on network errors, which could occur when the remote repository was temporarily unavailable or under heavy load.

  20. Fixed an issue in the RepoFlow CLI where packages were not uploaded in their original order when migrating from Nexus 3, which could cause incorrect version ordering after migration.

  21. Fixed an issue where, when basic auth sign-up was disabled, system admins saw a generic error when creating users. RepoFlow now allows system admins to create users even when sign-up is disabled, and shows a UI warning explaining that limitation.

  22. Fixed missing error feedback when OIDC was configured with an invalid well-known URL.

Upgrade notes

Note:
As with every update, ensure HASURA_UPGRADE_ON_START is enabled (it’s on by default).

API changes

We are working on the first official v1 release of the API. It is largely compatible with the existing API while introducing clearer standards and several new endpoints. The existing API is now deprecated and will be removed in future releases.

Updated default server environment variables

  1. The default value of S3_USE_PRE_SIGNED_URL has been changed to false.
    (Note: both Helm chart and Docker Compose deployments already used false as the default. This update only affects cases where the variable was not explicitly defined.)

  2. The default value of S3_REGION (previously us-east-1) has been removed; the variable now has no default value.
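
A pre-upgrade check for the environment changes listed in these notes (the two changed S3 defaults, the derived COOKIE_SECURE, and HASURA_UPGRADE_ON_START). This is an added example, not RepoFlow's own tooling. It assumes booleans are written true/false, that an https FRONTEND_URL is what makes the derived COOKIE_SECURE true, and that any S3_* key means the S3 backend is in use.

```python
# Added example: pre-upgrade review of a server env file for the 0.8.0 changes.
# Assumptions (not stated in the release notes): booleans are "true"/"false",
# and an https:// FRONTEND_URL is what makes the derived COOKIE_SECURE true.

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def upgrade_findings(env):
    """Return (variable, message) pairs to review before upgrading."""
    def flag(key):
        return env.get(key, "").lower()
    out = []
    https = flag("FRONTEND_URL").startswith("https://")
    if https and flag("COOKIE_SECURE") == "false":
        out.append(("COOKIE_SECURE", "explicit false overrides the value derived from an https FRONTEND_URL"))
    if not https and flag("COOKIE_SECURE") == "true":
        out.append(("COOKIE_SECURE", "explicit true, but FRONTEND_URL is not https"))
    # Heuristic (assumption): any S3_* key present means S3 storage is configured.
    uses_s3 = any(k.startswith("S3_") for k in env)
    if uses_s3 and not env.get("S3_REGION"):
        out.append(("S3_REGION", "no longer defaults to us-east-1; set it explicitly"))
    if uses_s3 and "S3_USE_PRE_SIGNED_URL" not in env:
        out.append(("S3_USE_PRE_SIGNED_URL", "not defined, so the new default (false) applies"))
    if flag("HASURA_UPGRADE_ON_START") == "false":
        out.append(("HASURA_UPGRADE_ON_START", "must be enabled for the update"))
    return out

# Constructed sample input, not taken from a real deployment.
SAMPLE_ENV = """\
# server environment (constructed)
FRONTEND_URL=https://repoflow.example.internal
COOKIE_SECURE=false
S3_IS_AWS_S3=true
HASURA_UPGRADE_ON_START=false
"""

if __name__ == "__main__":
    for var, msg in upgrade_findings(parse_env(SAMPLE_ENV)):
        print(f"{var}: {msg}")
```
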

Docker Compose

This release includes a major update (separate secrets.env and updated NGINX config). When upgrading, follow the deployment steps and update your existing setup accordingly.