Skip to main content

0.8.5

Upgrading from an earlier version?

If you are upgrading an existing deployment, review the upgrade notes first.

Features (6)

  1. Expanded API v1 coverage
    Added many new API v1 endpoints across packages, repositories, workspaces, and users, expanding support for management, access control, and repository policies. See the API v1 docs

  2. Major performance improvements
    RepoFlow performance has been significantly improved, with up to 40% faster response times across API endpoints.

  3. Improved LDAP setup with automatic testing and better logs
    LDAP configuration now includes an integrated test flow that automatically validates each step and provides detailed diagnostics, showing exactly what passed, failed, or was skipped, while saving logs alongside the process.

  4. Azure Blob Storage + Google Cloud Storage
    RepoFlow can now use Azure Blob Storage or Google Cloud Storage as a storage backend (see Server Environment Variables). Google Cloud Storage was previously supported only via the S3-compatible Object Storage API; it is now supported directly as well.

  5. Outbound proxy support
    Configure outbound networking via HTTP_PROXY, HTTPS_PROXY, and NO_PROXY, with optional startup validation using OUTGOING_PROXY_STARTUP_CHECK. For corporate or internal TLS, you can also provide a custom CA. See Server Environment Variables.

  6. Automatic vulnerability scanning
    RepoFlow can now scan packages automatically after upload and on a scheduled basis. Read more in Server Environment Variables.

Improvements (10)

  1. Improved the RepoFlow CLI migration output to clearly indicate which files were skipped and the reason for each skip. Migration performance was also improved with better concurrency handling.

  2. Added PKCE support for OIDC. By default, the server automatically detects and uses PKCE when available. This can be controlled using the OIDC_PKCE_MODE server environment variable.

  3. When enabling OIDC refresh tokens as personal access tokens, users are now created automatically, even before their first authentication in the UI.

  4. Improved CORS handling. Some routes are now always allowed to ensure the client can properly notify users when accessing an incorrect URL.

  5. Requests blocked by CORS are now logged more clearly.

  6. Added copy buttons to all code sections across the UI.

  7. Updated package page navigation titles: "More Versions" → "Versions", and "Security Scan" → "Vulnerabilities" for better clarity.

  8. The package page now shows an at-a-glance view of the number of versions, vulnerabilities, and dependencies.

  9. The server Docker image is now smaller and more efficient.

  10. The server now supports running as a non-root user.

Bug Fixes (26)

  1. Maven checksum endpoints now work correctly when STORAGE_USE_PRE_SIGNED_URL=true.

  2. Fixed a typo in the Helm chart default values.yaml. The incorrect key torageClassName was corrected to storageClassName under server.vulnerabilitiesScanning.
    Note: storageClassName already worked correctly when specified properly.

  3. Fixed an issue in API v1 where adding repository members allowed a workspace admin to be added as a repository member. Since workspace admins already have full permissions across all repositories in their workspace, this behavior was unintended and has now been corrected.

  4. Fixed a UI bug that occasionally hid the delete button in tables.

  5. Fixed an issue where selecting one checkbox could affect other checkboxes.

  6. Fixed multiple Redis caching issues to improve correctness and reliability.

  7. Fixed an LDAP lookup issue where the server occasionally failed to find a user even though the account existed.

  8. Fixed a UI bug where the total count was not updated after deleting a workspace.

  9. Fixed a bug where the RepoFlow server sometimes logged credentials using the "info" logger instead of the "auth" logger. The auth logger is disabled by default but can be enabled to debug authentication issues.

  10. Fixed a bug that prevented tools like Cosign and Notation from signing Docker containers correctly. This functionality now works. Note that it is not fully supported yet, as signatures currently appear as separate versions in the UI. Official support and improved UX are planned.

  11. Fixed a UI bug where confirmation popup text could overflow and become partially hidden.

  12. Fixed an issue when uploading Docker image tar files through the UI. Some rare Docker images previously failed to upload correctly.

  13. Fixed a UI issue where fast scrolling inside a select popup could briefly reveal background elements behind it.

  14. Fixed a bug where the Go API could sometimes return HTTP 500 instead of 404 when requesting a non-existent artifact from a remote repository.

  15. Fixed a bug where NuGet package uploads failed due to authentication when the repository was public with “can view” permissions.

  16. Fixed an issue where failed NuGet uploads returned HTTP 200 even when errors occurred. The server now returns more appropriate HTTP status codes while still including detailed upload results in the response body.

  17. Fixed an issue causing certain rare npm packages to fail during upload through the RepoFlow API (npm publish was not affected).

  18. Fixed a bug in RPM package extraction that could sometimes crash the server.

  19. Fixed an issue where RPM package extraction could fail for valid package files.

  20. Fixed an issue where RPM package scanning sometimes failed to detect packages and returned an error.

  21. Fixed an issue where RPM repository primary.xml sometimes reported an incorrect package size, which caused dnf to fail during package installation.

  22. Fixed an issue where RPM virtual repositories did not include remote repositories in the generated XML when STORAGE_USE_PRE_SIGNED_URL was enabled (disabled by default).

  23. Fixed an issue where RPM virtual repositories did not resolve underlign remote reposiotry primary.xml file correctly.

  24. Fixed an issue where the RepoFlow server incorrectly required all S3 environment variables to be set, even when S3_IS_AWS_S3=true, although some of them are not required.

  25. Fixed an issue in Universal repositories where packages with multi-segment names could be uploaded but not resolved correctly through the repository URL. Universal package paths such as team/platform/tool now resolve correctly. API v1 now also validates Universal package names more strictly: they cannot start or end with /, cannot contain consecutive /, and are limited to 512 characters.

  26. Fixed an issue in Docker repositories that occurred when uploading a manifest list using Podman.

Upgrade notes

  1. The environment variable S3_USE_PRE_SIGNED_URL was renamed to STORAGE_USE_PRE_SIGNED_URL (the default remains false).

  2. The legacy repository deletion API has been removed. Repository deletion is now supported only through API v1.

  3. The storage monitoring URL changed from /health/object-storage to /health/storage, as RepoFlow now supports additional storage backends.

  4. HASURA_UPGRADE_METADATA_FOLDER is no longer needed and has no effect on RepoFlow.

  5. Helm chart probe default values have changed.

  6. Updated the Hasura engine Docker image from v2.48.1 to v2.48.10.

  7. Node.js was upgraded from v22 to v24.