0.8.8

Upgrading from an earlier version?

If you are upgrading an existing deployment, review the upgrade notes first.

Improvements (6)

  1. Improved the vulnerabilities page to handle large scan result sets more smoothly by virtualizing long vulnerability lists, reducing how many items are rendered at once.

  2. Improved navigation on the vulnerabilities page with clickable severity summaries that jump directly to the matching severity section.

  3. Added a back-to-top button on the package page to make long pages easier to navigate, especially when reviewing large vulnerability reports.

  4. Improved self-hosting resource usage logs so RepoFlow now clearly separates its own process CPU and memory usage from whole-server CPU and RAM usage, reducing confusion when reading infrastructure logs.

  5. Improved RPM repository compatibility by serving filelists metadata for installs that rely on file-based dependencies.

  6. If LDAP is enabled in system settings, API and package-manager Basic Auth requests can now also authenticate against LDAP. UI LDAP sign-in behavior is unchanged.

Bug Fixes (15)

  1. Fixed the API v1 remote repository creation flow to accept empty cache revalidation values.

  2. Fixed a Helm chart issue where enabling serviceAccount.enabled: true together with serviceAccount.create: true could fail rendering. Service account name resolution is now also handled consistently across chart components.

  3. Fixed npm remote repository downloads for registries that do not follow the standard npm tarball path structure, including GitLab.

  4. Fixed npm remote repository tarball requests to return 404 instead of 500 when the requested package file does not exist in the upstream repository.

  5. Fixed an issue where, when logged into the UI, public repositories were sometimes not displayed for users who did not have direct access, even though the repositories were publicly available.

  6. Fixed RPM repository metadata generation so packages with missing distribution or architecture metadata still produce valid download locations instead of generating broken primary metadata entries.

  7. Fixed RPM vulnerability scanning failures that could affect some RPM packages.

  8. Fixed some remote repositories failing to fetch upstream content even though the upstream repository was reachable.

  9. Fixed RPM package download URLs for local and virtual installs so packages with spaces or special characters in their paths install correctly.

  10. Fixed RPM local and virtual repository metadata refresh behavior so Yum/DNF clients can detect newly uploaded or deleted packages after refreshing repository metadata.

  11. Fixed the repository creation UI to validate repository names the same way as the create repository API.

  12. Disabling basic sign-in now consistently blocks username/password logins across the UI, API, and package manager requests.

  13. Fixed role mapping sometimes failing to apply repository-level permissions for mapped users.

  14. Fixed email sign-in for email addresses normalized during signup.

  15. Fixed npm metadata responses to include package publish time metadata required by newer pnpm versions, and to keep package-manager metadata such as bin, engines, os, and cpu in local and virtual npm repository responses.

Upgrade notes

No manual upgrade steps are required, but please review the following important changes:

  1. If LDAP is already enabled in RepoFlow system settings, API and package-manager Basic Auth requests now also fall back to LDAP by default. If you want to keep the previous API behavior, set ENABLE_LDAP_BASIC_AUTH_FOR_API_CALLS=false. If you want to disable the API-side LDAP cache, set LDAP_BASIC_AUTH_FOR_API_CALLS_CACHE_TTL_IN_SECONDS=0. See server environment variables.

  2. RPM metadata now uses URL-safe package download paths. Legacy path-style RPM download URLs remain supported for compatibility. If an RPM client continues using older cached metadata after upgrading, refresh the repository metadata cache, for example with dnf clean metadata or yum clean metadata.

  3. For local npm repositories, the newly preserved package-manager metadata is read from the uploaded package's package.json, so it fully applies to newly uploaded package versions. Existing versions include these fields only if they were uploaded with NPM_MANIFEST_MODE=full or with the fields listed in NPM_MANIFEST_FIELDS_ALLOWLIST.