Changelog

Private Packagist Self-Hosted

Documentation

Features

Articles

Private Packagist Self-Hosted

→ Subscribe to release notifications by email

Upcoming Release

Not scheduled, yet

Security Fixes

The organization log page is no longer accessible to all users in an organization. It can now only be accessed by members with admin access.
Billing users cannot add packages from mirrored third-party repositories anymore. Even before this fix they were only allowed to add packages by name from existing repositories. They were not able to modify repositories.

Security Hardening

Cache-Control headers are now set to prevent storing potentially private data in the browser. (Thanks for the report Priyanshu Parmar)
Connecting and disconnecting third-party user accounts and making an email the new primary email now requires you to enter your password.
In addition to ending all active authenticated sessions for a user when they change their password, username or email, we now also end all sessions where the user has not yet completed authentication due to an unfilfilled MFA requirement.
The number of subrepository collaborator invitations that can be sent in an organization is now rate limited.

Features

The security filter on the package list now also allows you to filter for abandoned packages.

Changes

The organization log now contains entries when a team is granted "All packages access" or that access is revoked.

Bugfixes

A mirrored repository only defining security advisories for a package, like Drupal does for drupal/core, no longer prevents automatic mirroring of that package.
Resolved an out of memory issue when editing a credential that is used by over 5000 packages.
It's no longer possible to rename the Billing team. (Thanks for the report Zeeshan Beg x Dracula)

2.0.2-pl1 (Kubernetes) / 1.12.4-pl1 (Replicated Native)

Apr 16, 2024

Bugfixes

Supported Replicated versions: ">=2.56.2 <2.57.0"

2.0.2 (Kubernetes) / 1.12.4 (Replicated Native)

Mar 21, 2024

Security Fixes

Team memberships for the Owners team cannot be managed via API anymore to avoid admins promoting themselves to owners. (Thanks for the report Anees Khan)
Disconnecting a user from connected OAuth accounts is now CSRF protected. (Thanks for the report Anees Khan)
Added CSRF protection when Granting and revoking "All package access" for teams, triggering a package update, downloading a package archive, promoting a synchronization to primary, and resending email address confirmations. (Thanks for the report Sahil Negi)

Security Hardening

Enabling and disabling multi-factor authentication will now automatically log you out of all other sessions.
Clear-Site-Data header is now set on logout to delete all potentially private data stored in the browser. (Thanks for the report cyberyash)
Forms requiring the current user's password or MFA code are now protected against brute force attacks. (Thanks for the report cyberyash)
Users cannot use their own username, email or full name as a password anymore.
The number of invitations that can be sent in an organization per time is now limited. Invitation emails no longer render user input as links. (Thanks for the report cyberyash)
Changing the primary user email now clears any pending password reset requests. (Thanks for the report Khan Mamun)
Links in email verification emails now expire after two hours or once clicked. (Thanks for the report Khan Mamun)
Deleting an organization, subrepository, or user account now requires the user to enter their password to confirm. (Thanks for the report cyberyash)
The number of newly added emails to the profile in quick succession is now limited.
The password reset token is no longer stored in the URL when setting a new password. This avoid leaking the token to third parties.

Features

Integrations with Bitbucket Data Center / Server v7.21 or newer now support Application Links using OAuth 2.
The availability of packages in new subrepositories can now be set via API when creating or editing a package.

Changes

PostgreSQL upgrade from 9.6 to 12. Depending on the size of your database, this will cause increased disk IO and might take a few minutes during which the application won't be available. The Replicated Management Console may show the wrong state Stopped on the dashboard after running the update. But if the Cluster section shows all containers except packagist-postgres-update as running, you can ignore the displayed state.
Deleting an integration will now first show a page with information about how the integration is used.
Names, descriptions, usernames and full names can no longer contain '<' and '>' characters.
Filter lists like synchronizations, credentials, and mirrored repositories are now alphabetically ordered.
The Composer authentication section now also shows how to store authentication in a local auth.json file.
The navigation within organizations has been restructured.

Bugfixes

Subrepository collaborators no longer get links in the top-level navigation dropdown that lead to a 404 not found error.
The subrepository overview page shows the install statistics again. It always showed 0 values even if the subrepository had installs.
Synchronizations with Bitbucket Data Center / Server now show the full display name and correct link to the Bitbucket Data Center / Server project.
The organization and subrepository search in the navigation is now case-insensitive.
Members of the Admins team in an organization can no longer remove members of the Owners team on the members page.
Fixed an issue where the configuration for sending emails wasn't correctly applied to the application and a wrong port was used.

Supported Replicated versions: ">=2.56.2 <2.57.0"

1.12.3-pl2 (Replicated Native)

Jan 29, 2024

Bugfixes

Allows Private Packagist to run with Replicated versions 2.56.0 again.

Supported Replicated versions: ">=2.56.0 <2.57.0"

2.0.1 (Kubernetes) / 1.12.3 (Replicated Native)

Jan 24, 2024

Security Fixes

Reset password request links now expire after two hours or as soon as the password is changed rather than being valid forever. (Thanks for the report to Arslan)

Features

Security monitoring now reports security advisories provided by all configured mirrored third-party repositories.
Security issues now display the issue severity in the UI and email notifications if available.
Added API endpoints to view, open, and close security issues.
Organizations can now require that members log in with a particular OAuth method to access Private Packagist.
Update Review comments now show the license when a package is added or the license is changed.
You can now opt notification channels into receiving notifications when security issues are closed due to withdrawal of the respective advisories.

Changes

Disconnecting your account from a third-party service that grants you access to one or more organizations will now require additional confirmation.
Organization log entries for editing a package now contain information on renames, when the name was edited.
Organization log entries for org.join and org.leave now indicate which user added the user to the organization or removed the user from the organization.
The organization log now contains entries indicating that the user that created the organization joined the organization and is part of the Owners and All Members teams.
The API key can now only be viewed once after creation. Only the description can be edited.
New versions on the custom package edit form are now added to the top instead of the bottom.
Resetting a password for a user with MFA enabled now requires entering an MFA code when setting the new password.
The add package from synchronization dialog now shows if a repository has a composer.json file but no name is defined.
An advisory database removing security advisories now marks security issues as closed instead of removing them.
The organization list in the top-level navigation dropdown now contains a searchable list of subrepositories.
The package list now shows when a package was last updated and shows "pending" if the package hasn't been updated yet.
The organization log can now be searched for packages by using the full package name in the search field.
Package versions for custom packages now automatically set the release date when the version gets added. The date can also be manually set via the custom package edit form.
Package versions for uploaded artifact files now have a release date set to the time the artifact was uploaded.

Bugfixes

Adding a package from synchronization previously only had a bulk add option and an Add subdirectory button leading to the multi-package repository creation screen, resulting in erroneously created multi-package repositories. Now, there is also an Add package button for each individual repository.
Viewing the list of members of a subrepository no longer results in a 500 error when any subrepository member had their access to the subrepository assigned through a single team.
Clicking on a team name under Available Teams within a subrepository no longer shows only a message "Content missing" instead of showing the team members.
Organization synchronization runs receiving a 200 text/html response instead of a JSON response from Bitbucket, GitHub, or GitLab APIs will now display an error message and be retried later instead of being stuck.
Package versions without a release date defined no longer show the current date and time as release date.
Synchronized VCS repositories that are also published on packagist.org are no longer counted twice in the package count on the synchronization settings page.
Adding a package no longer results in a CSRF token error when the organization has more than 1000 teams.
Deleting individual users in the admin panel no longer just redirects. Only deleting users via "Delete selected users" was working.

Supported Replicated versions: ">=2.56.2 <2.57.0"

2.0.0 (Kubernetes) / 1.12.2 (Replicated Native)

Oct 30, 2023

Features

Read-only and update authentication tokens can now be created and regenerated with an expiration date after which the tokens will stop working.
Organizations can now configure that read-only and update authentication tokens expire after a certain amount of days.
Security Monitoring now uses the audit ignore config from the project's composer.json to automatically close ignored issues.
Added API endpoints to view and edit which branches to monitor for security issues.
Organizations can now configure that user authentication tokens expire and automatically regenerate on a regular basis.
Notification channels can now receive notifications for changes to the state of a security issue.
The teams page now has a search field and a filter by synchronization to easier find teams.

Changes

New read-only and update authentication tokens now use a new token format with a packagist_ort_ or packagist_out prefix respectively.
New user authentication tokens now use a new token format with a packagist_uut_ prefix.
The changelog page of a package now links to the source of the changelog information.
Read-only and update authentication tokens are now write-only. They can only be viewed once after creation and regeneration. Only the description can be edited.
Members of organizations that enforce MFA for the current login method can no longer access the profile page or other organizations they are a member of. Instead, members are asked to immediately set up MFA.
Synchronized VCS repositories without a composer.json file that are older than one year are now only checked once every 24 hours for new composer.json files instead of on every push to reduce the number of API requests.
Making changes to how members found through a synchronization are handled in the organization member settings will now add an entry to the organization log.
The custom package edit form now automatically collapses all versions if there are more than two versions.
Packages returned by the API now contain a webView link to the package page on Private Packagist.

Bugfixes

Switching between the form and JSON tab for custom packages is now significantly faster.
Manually overriding a package name via the edit package form no longer causes Composer commands to error with a message that the package doesn't exist or permissions might be misconfigured.

Supported Replicated versions: ">=2.56.1 <2.57.0"

1.12.1

Sep 1, 2023

Security Fixes

Multi-factor authentication was not required after login via OAuth when an organization or user had opted to require it. Multi-Factor authentication was correctly required as configured at all times for users logging in with email/password.

Bugfixes

Adding a mirrored third-party repository that doesn't return valid JSON on the packages.json endpoint now shows an error message instead of just reloading the form.

Supported Replicated versions: >=2.56.0 <2.57.0

1.12.0-pl2

Aug 24, 2023

Bugfixes

Synchronizations using a credential with a port in the domain name but matching the integration domain no longer cause a credential domain mismatch error.

Supported Replicated versions: >=2.56.0 <2.57.0

1.12.0-pl1

Aug 23, 2023

Bugfixes

Using Bitbucket Server OAuth to log in no longer causes a server error.

Supported Replicated versions: >=2.56.0 <2.57.0

1.12.0

Aug 23, 2023

Features

Added an API endpoint to fetch a single team.
Added an API endpoint to fetch all synchronizations.
New "Access All Packages" permission can be granted to teams (via UI or API). Controls whether the team has access to all non-synchronized organization packages. Revoking this access will not remove access to packages the team has access to at the time.
The packages page now shows private packages, mirrored packages, and packages from subrepositories in a single list with a number of filters.
Browsing all packages of a mirrored third-party repository will now show them filtered on the packages page.
The list of packages is now paginated, addressing performance issues while loading the page for organizations with thousands of packages.
GET API endpoints can now be accessed without generating the full signature using the Authorization: PACKAGIST-TOKEN header.
Install statistics are now available when fetching subrepositories via the API.
The user management page in the admin panel now lets you filter by active and inactive users. It shows the number of found users for each search, and allows multiple users to be deleted at once.
The list of organization teams is now paginated, addressing performance issues while loading the page for organizations with thousands of teams.

Changes

Organization and subrepository renames (name or short name for URLs) now create entries in the organization log.
Creating, editing, and deleting a multi-package repository now creates an entry in the organization log.
Synchronization errors are not displayed anymore while a synchronization is running which may resolve them.
After editing a package users are redirected back to the package page instead of the package list.
Subrepository members with edit permissions can now also add all organization packages to which they have edit access to a subrepository.
Synchronization runs list which repositories were added to or removed from a team.
Synchronization runs list which members were added to or removed from a team.
Log entries are now created for mirrored third-party repositories when creating/deleting, editing/changing permissions, and adding/removing from a subrepository.
The list to add organization packages to a subrepository now also shows the package URL and states if the package is abandoned or part of a multi-package repository.
Notification channels can no longer be created on the organization security settings page, use the notification channel settings page instead.
Synchronization runs now list which users were added to the list of removed synchronized members.
Regenerating read-only or update authentication tokens now adds an entry to the organization log.
Added missing organization log entries for adding, editing, and deleting notification channels, as well as adding and removing notification channels from subrepositories.
Custom package definition submitted via the API no longer requires the top level "package" key, similar to submitting it via UI.
Users that are deactivated, blocked, or banned in GitLab are removed as organization members in Private Packagist when synchronized, as opposed to remaining members without the ability to log in.
Users will now be logged out when their OAuth token expires and cannot be refreshed.

Bugfixes

Adding GitHub Enterprise Server as an integration via the Private Packagist admin panel no longer errors if the rate limit endpoint requires authentication.
Adding a new mirrored third-party repository to an organization no longer produces a server error if the HTTP call to validate the mirrored repository errored with a cURL error, e.g. a request timeout.
Login via OAuth for users that are only part of a single organization directly redirects again to the organization instead of the organization list.
The error message for failing Bitbucket synchronization states the missing OAuth scopes for the credential again.
Downloading archive files from the package view page after switching versions works again.
Organization log entries for synchronization created and deleted now contain additional information about the synchronized remote organization.
New package entries in the organization log now use clearer values in the "Triggered By" column instead of the generic "Background Job".
Added missing organization log entries for teams that are created and deleted during a synchronization run.
Adding a package with its dependencies to a subrepository, didn't add all dependencies to the subrepostory in case over 1000 transitive dependencies where shown.
Creating a subrepository now adds packages via a background job, avoiding potential request timeouts.
Resolved an out of memory issue when adding a package with dependencies to a subrepository.
A log entry is added when a credential is created during synchronization setup.
Promoting a user to Owner on GitHub or Administrator on Bitbucket can no longer remove the user from synchronized organizations.
Versions longer than 255 characters, e.g. branch names longer than 251 characters, are now truncated to 255 characters and no longer cause the background worker to keep crashing and reduce the number of available workers.
Mirrored third-party repositories returning an empty dist URL as part of the package metadata will no longer break Composer commands.
The confirm dialog shown when deleting a multi-package repository now only lists each package name once, even if some packages were added to subrepositories.
The packages list now correctly shows errors with the webhook setup, even if the webhook was successfully setup before.
Composer 1 commands could produce a server error in case the organization had several thousands of packages causing Composer commands to fail.
The list of authentication tokens always showed 0 for installs in the last 30 days. This now shows the correct number again.
Multi-Packages showed a wrong webhook URL on the package page that would return a 404 response when used to trigger a package update.
The package page now keeps showing the hook URL if the webhook was manually configured.
Fixed the update review comment link for Bitbucket, GitHub, and GitLab releases for versions where the git tag doesn't match the version specified in the composer.json file.
Adding a new multi-package repository to an organization will now link to the existing configuration if there is already a multi-package repository with the same URL in the organization.
Organizations that enforce MFA for login, no longer enforce MFA once they are deleted.
Prevent errors when users double submit the grant team access to packages button
Security Alert emails now only show up to 250 security issues to avoid memory issues while generating the emails.
Creating new teams via the API using a name that is already in use, no longer returns a 500 error response.
The API error response now indicates which property fails the validation if an invalid value is sent for an enum type.
Improved the render time of the profile page for users that are part of an organization with a lot of subrepositories.
A successful login via email and password for a user with MFA enabled redirected back to the login page if a first login was not successful. This now redirects to the MFA screen.
Adding teams to a subrepository right after the subrepository was created, could lead to teams not having access to all packages in the subrepository.
Fetching an artifact file with a non-numeric ID from the API no longer returns a 500 response.
GitHub synchronization runs now state if they fail because of an expired GitHub personal access token.
Deleting a package assigned to over 50 subrepositories now deletes the package via background job to prevent memory issues.
Log entries are now created when teams are added or removed from a subrepository.
Log entries are now created when the permissions for a team are changed within a subrepository.
Adding a package to multiple subrepositories at once can no longer result in a 500 error.
Synchronizations with Bitbucket Server now detect maintenance mode and retry synchronization runs later.
Links to files on the changelog page for packages using GitHub releases now point to the correct URL on github.com and no longer to a 404 error page.
Creating packages for new VCS repositories in the remote organization created while an organization is being synchronized, is no longer delayed until after the synchronization run is finished.
Creating an integration with a base URL that is missing the host part no longer results in an error.
Form to invite members in the Self-Hosted Management Portal no longer returns a "Method Not Allowed" error.
Usernames are now limited to a length of 50 characters.
Package links shown for a version were missing the constraint information if the constraint was self.version.
Deleting a team that has access to multiple subrepositories no longer results in a 500 error.
Synchronized GitHub organizations where members have access to all repositories no longer require a full synchronization run for all synchronized members to have access to new repositories.
Editing the dist URL for a custom JSON package now removes the stored dist file and fetches the file from the new URL.
A search term not matching any VCS repositories on the add package from synchronization dialog no longer removes the search bar.
Mirroring new packages in a subrepository at the same time as removing the mirrored third-party repository from the subrepository no longer causes an error when accessing the packages list.
Inviting the same user multiple times to the same team no longer results in a 500 error.
The form for custom packages now shows clearer that you can either upload a file or define a URL in the dist section of each version.
Using bitbucket.org OAuth to register a new account no longer errors if the registration form wasn't submitted for longer than an hour. The OAuth access token expired and couldn't be refreshed without errors.
Renaming a package and immediately using that package in a Composer command does not result in server errors anymore.
Accessing package versions with more than five digits as major version no longer shows an error page.
Creating a new integration with a name that only consists of spaces no longer results in a 500 error page, but rather an explanation.
Security advisories defining an invalid affected version constraint no longer cause the package page or the security advisories page of a package to return a 500 response.
Deleting a package while a background job updates the package will now queue the delete task until the package update finished to avoid server errors.
The last used date for authentication tokens is now correctly updated.
Organizations with synchronizations from two Bitbucket Server instances with identically named projects and groups are no longer missing teams in Private Packagist.

Supported Replicated versions: >=2.56.0 <2.57.0

1.11.6-pl2

Dec 2, 2022

Bugfixes

Synchronizations with Bitbucket Server were only synchronizing users with direct access to the project. This includes again users with access via a group.

Supported Replicated versions: >=2.54.0 <2.55.0

1.11.6-pl1

Nov 14, 2022

Bugfixes

Resolved an issue that prevented creating new integrations via the Private Packagist Admin Panel.

Supported Replicated versions: >=2.54.0 <2.55.0

1.11.6

Nov 11, 2022

Features

Added new API endpoints to manage teams and team memberships.

Changes

The API now returns the date a package version was released, if known.
Log entries for added and edited packages now show additional information such as clone URL, which mirrored third-party repository it was mirrored from, if it's part of a multi-package repository, etc.
Package access for synchronized teams can now be resynchronized directly on the team's packages tab.
The package list now also shows the VCS repository URL and a GitHub/GitLab/Bitbucket icon for private packages.
A permanently-dismissable notice is shown for all users that have yet to enable multi-factor authentication.
Existing organization members can now be added to other organization teams by username as well as email address.
After registration, users are asked to enable multi-factor authentication. This is only shown once.

Bugfixes

Older GitLab versions issued OAuth access tokens without a refresh token. Since GitLab 15.3, these tokens can now expire, preventing us from fetching GitLab Groups that can be used for synchronizations. If necessary we now show a message to log out and log in again to resolve the issue.
GitHub synchronization no longer skips teams called "Teams" after GitHub fixed a bug in their API, removes workaround from the previous release.
Connecting to a new OAuth account on the synchronizations page now redirects back to the synchronizations page and no longer to the profile page.
Improved the render time of the synchronizations page for Self-Hosted installations that have been running for a long time with multiple synchronizations.
Resolved an issue during the cleanup of deleted organizations and subrepositories that would cause the background worker to keep crashing and reduce the number of available workers.
The check for leaked passwords using haveibeenpwned.com on the change password and registration form no longer renders HTML tags in the error message.
When a subrepository is granted access to an organization's package, a log entry is created in the subrepository's log in addition to the existing log entry in the organization.
The packages list renders faster now for organizations with a large amount of repositories on GitHub, GitLab, or Bitbucket.
The packages list renders faster now for subrepositories when the organization has a large amount of private packages.
Sending weekly and monthly security summaries no longer causes out of memory errors for organizations with a lot of open security issues.
Resolved an issue that prevented the removal of mirrored third party repositories from a subrepository if it contained packages from this mirror.
Packages no longer state that they are missing credentials to set up a webhook if they have credentials assigned for a platform where we don't support the automatic setup of webhooks.
Changing the URL of a synchronized package now also correctly disassociates the package from the synchronization with the previous URL.
Fixed a bug that prevented create, edit and delete of integrations in setup mode without being logged in.
Renaming an organization or subrepository twice in short succession no longer triggers an error.
Requesting a new mirrored package via "composer require" or "composer update" that needs authentication now shows a helpful warning instead of erroring with a 503 response if there is no authentication configured for the mirrored third party repository on Private Packagist.
The security monitoring settings page no longer shows "no limit" as selected option to limit monitored projects when the form is submitted with another value.
Fixed a bug where selecting too many packages to add to a subrepository would cause an nginx buffer overflow error.
Install statistics for organizations and subrepositories older than two years are now correctly calculated as daily averages.
Accessing a package that has several hundred versions could result in a 500 error. This has been resolved.
Update jobs for packages from GitLab repositories are now delayed if necessary to run at most every 30 seconds to avoid fetching stale cached data from the GitLab API.
Deleting a package, then adding a package with the same name from packagist.org can no longer lead to a stale local Composer cache when using Composer 2.

Supported Replicated versions: >=2.54.0 <2.55.0

1.11.5

Jul 27, 2022

Features

Multi-factor authentication has been added to user accounts. Organization owners and admins can enforce MFA for their members.
Security notifications are now cumulated across all projects, resulting in fewer emails on discovery of new security vulnerabilities in multiple projects
The upcoming Composer 2.4 security features (audit command and security advisory listing on update) are now supported by Private Packagist for all private and mirrored packages
Added a button to the profile page so that users can delete their account themselves
Credentials are linked to all their usages on the credentials page

Changes

The Update Review detail page on Private Packagist linked from pull request comments now displays relevant security advisory information like the comment already did.
When configuring an integration with Bitbucket Data Center / Server, Private Packagist will now validate the base URL by sending a test request to Bitbucket
When viewing a synchronized package the synchronization is now listed in the right-hand side metadata
More specific titles were added to most pages
Organization, subrepository and customer forms show the whole url for their short names

Bugfixes

Fixed the link on the synchronizations page to the Bitbucket Data Center / Server project
Archive job no longer crashes in a loop for multi-package repositories when a commit reference points to a nonexistent package sub folder
Synchronization job for organizations no longer crashes for GitLab 403 API responses when trying to access resources the credentials do not have access to
Fixed the diff link in Update Review comments for changed packages containing Composer download URLs (dist URLs) pointing to GitHub release URLs
Fixed that user roles weren't merged correctly, causing admin accounts to lose permissions while connecting another account via OAuth
Notifications for abandoned or released packages in subrepositories were not sent
Corrected the name for Bitbucket Data Center / Server credentials from app password to personal access token
Prevented validation errors when editing synchronization settings while someone else creates the first subrepository in an organization
Editing credentials now also triggers background jobs to locate packages in multi-package repositories again using the modified credentials
Synchronizations with GitLab no longer create duplicate admin and owner teams
Synchronization runs no longer fail if Bitbucket returns the same user id multiple times when checking permissions for a repository
Resynchronize button on the teams or settings page is now unblocked when synchronization jobs have expired
Added quotes to the Composer command on the user authentication page for usernames containing spaces
Prevented a 500 error when deleteing, recreating and deleting a subrepository by the same name again in a short time window
Submit button wasn't shown when adding integrations and the URL was pasted from the clipboard
Fixed a bug in OAuth connect, which could lead to a user receiving 500 errors on all pages. This was triggered by a user connecting their existing account to an OAuth service, which is used to synchronize an organization.
Custom packages webhook status is now "not supported" and no longer "missing credentials"
Fixed a temporary 500 error shown on the package monitoring page briefly after a vulnerable dependency is removed
On package deletion audit log entries are no longer created for deleted subrepositories that used to contain the package
Stopped VCS pushes from triggering a background job crashing in an infinite loop on GitLab 404 exceptions, when credentials have insufficient permissions to access a group
Using composer search for a package name without a slash no longer errors because Private Packagist's Composer API now returns an empty list instead of a 404 error
Files that were uploaded via custom package form or when adding a package through uploaded files are kept 7 instead of 2 days, if the form is not submitted
If login errors because host cannot be resolved or there are SSL errors or connection timed out, then there is now a specific error message instead of "HTTP request failed"
If Slack notifications hit the rate limit there is now a random delay between 30 and 780 seconds for all retries
Notifications for abandoned or released packages in subrepositories were sent to notification channels only configured to receive security alerts
When a new member was added to a synchronized GitHub organization, they were only added to their initial team, but not others like "all members" until a full synchronization run corrected the access within 12 hours
Update Review comments could not be created when an invalid dependency package version was stored in the composer.lock file
Deleting an organization is done in a single transaction to prevent job crashing in an infinite loop
When editing a synchronized package and assigning new credentials, the package update will no longer revert the package back to using the outdated credentials.
Form validation errors for organization and subrepository short names are shown right next to their input field
Workaround a GitHub API bug by skipping synchronization of teams literally called "teams" to allow GitHub synchronization to complete

Supported Replicated versions: >=2.53.7 <2.54.0

1.11.4

May 27, 2022

Features

Added a new option for synchronizations with GitLab groups to skip synchronization of projects shared with the group
Added billing history showing payment method and invoice address, along with plan and license information, to the Self-Hosted portal on Packagist.com
Update Review comments now indicate package versions that have security advisories, including a message if an update introduces package versions with known vulnerabilities.
Glob expressions for repositories containing multiple packages now support brace expansion (eg, {one,two}/composer.json).

Changes

Security Advisories now indicate all advisory databases that they were found in (GitHub or Friends of PHP)
A more helpful error message is displayed when a synchronization with Bitbucket Server results in an unauthorized access API error (due to invalid credentials)
The list of integrations on the Private Packagist admin panel is now styled more consistently with the rest of the application
Reaching API rate limits when adding packages from a synchronization with Bitbucket will now cause it to retry by cloning instead of using the API
Username and avatar are now displayed in the Add Synchronization modal to indicate the connected accounts

Bugfixes

Correctly store triggered-by information in the audit log for both adding and removing packages from a subrepository
After editing a private package with a configured webhook, Private Packagist now assumes that the webhook is not set up until a delivery is successfully received
Fixed detection of premium subscription for synchronization with gitlab.com. This caused Private Packagist to skip setting up webhooks because it assumed package webhooks were not necessary
Mirrored packages without a vendor name can no longer be added via the add package dialog
Resolved an issue with submitting a weak password on the registration page that caused a 500 error
Updated the link to create HTTP access tokens on Bitbucket Server, and the link to create app passwords on Bitbucket
Fixed a race condition where package initialization was triggered by both an organization and subrepository synchronization, causing the package to not get added to any subrepositories
Better detection of Zip and Tar archives when uploading Package Archives via the API; now all types uploadable via the UI can be uploaded to the API
Update Review comments will not be updated on pull requests that have been closed/merged, even if they are edited
The last owner of an organization during a synchronization cannot be removed anymore, even if that owner is not connected to the synchronized service
When a package contained several thousand Composer patches, a database error occurred during a package update, new patch information was not added and therefore not available to the UI.
When downloading composer.lock files over 1MB from GitHub, they now return a 200 instead of 403 which caused functionality such as update review to fail. We now retry downloads using different API call for large files
Bitbucket API requests resulting in the Bitbucket-specific status code 555 are now retried, similar to a 500 status code
composer.json files are no longer automatically added to the ignore list when they get deleted from a multi-package repository
Fixed a bug that caused packages to become inaccessible when changing the URL of an existing package to the URL of a VCS repository that is also available on packagist.org
Submitting certain invalid package names via the "Add Mirrored Packages" form could result in a 500 response. This is no longer the case
Added missing version information when fetching individual subrepository packages mirrored from packagist.org via the API

Supported Replicated versions: >=2.53.6 <2.54.0

1.11.3-pl1

April 13, 2022

Bugfixes

Resolves an issue that prevented the packagist-ui container to start when upgrading from a version before 1.11.0 because of a faulty migration

1.11.3

April 13, 2022

Security Fixes

Resolves a argument injection vulnerability which allowed maintainers of private packages to run shell commands on the packagist-worker container via the readme property of the composer.json in the default branch of a Mercurial repository and create files via the name of the default branch of a git repository. We do not believe this to have been exploited prior to the publication of this release. (CVE-2022-24828)

Changes

Decreased the maximum file size for JSON responses from mirrored third-party repositories from 256MB to 128MB to avoid memory issues during the automatic mirroring of new dependencies.
The log output of the background workers is now available when accessing docker logs of the packagist-worker container. The logs were previously only available in a log file inside the container.
API endpoints returning security advisories now also include the Packagist security advisory ID for each advisory

Bugfixes

The update review feature on GitHub and GitLab now uses the HEAD sha instead of the merge commit to generate the composer.lock diff. This resolves a bug where the comment would get updated with incorrect information when the pull request was closed.
Packages that rely on git to fetch updated version information did not detect changes of the default branch after the package was added. This functionality has been added.
Deleting a package in a subrepository that is part of a multi-package repository also deleted the package from the organization package list. This no longer happens.
Updated the GitLab rate limit detection to handle cases where GitLab doesn't return any rate limit headers
Adjusted the triggered by column for audit log entries of type "org.package.delete" that were displaying UI instead of job or sync even though they were caused by a background worker
Mirroring new dependencies via Composer could result in a 500 response by the Private Packagist server if one of the mirrored third party repositories returned invalid JSON with a non-terminating string
Using a read-only authentication token with Composer 1 didn't show a message that an update token should be used when trying to mirror new dependencies. This has been added again
Improved the error output when adding mirrored third party repositories with unsupported query parameters to show the actual URL that was called to access the repository.
Updated the link in the Private Packagist admin section to set up an integration on GitLab to match URL changes on GitLab
Added support for mirroring packages from mirrored third party repositories that return a list of packages, where the package keys don't match the fully qualified package name, in the packages.json response

Supported Replicated versions: >=2.53.2 <2.54.0

1.11.2

March 25, 2022

Bugfixes

Resolved an issue with security monitoring that would trigger multiple alerts if an advisory was available in multiple databases.
Adjusted the package update mechanism to handle an unannounced API change by Bitbucket. Bitbucket's change prevented falling back to Git for VCS repositories when access to the API was denied. As a consequence Bitbucket packages relying on SSH keys may not have updated anymore.
Resolved an issue that prevented creating a synchronization in a subrepository with existing credentials
Resolved an issue that caused synchronizations with a self-hosted GitLab instance using GitLab admin credentials to error.
Synchronizations with a GitLab Group no longer show a wrong webhook state if the credentials belong to a member without owner permissions
Updated the GitLab group webhook logic to match changes in the GitLab API that now expects a PUT instead of POST request to update an existing hook.
Unsubscribing from security alerts for a package that has since been deleted no longer shows an error page. Instead, this now tells the user that the package has been deleted.
Resolved an issue that prevented manually resending notification deliveries and notification email verifications via the UI.
Updates for packages with security monitoring enabled no longer error if the default branch suddenly contains a composer.lock file with invalid JSON.

Supported Replicated versions: >=2.53.2 <2.54.0

1.11.1

March 16, 2022

Bugfixes

The SMTP server custom port option was ignored when setting up the email configuration for Private Packagist. This has been resolved.
Resolved a race condition when setting up a new Private Packagist Self-Hosted instance that would create two configuration objects, causing a server error when accessing the Private Packagist UI.
Setting up a multi-package repository with repository type "git" would store version information from a wrong directory for some packages.
Creating a new Bitbucket Server integration resulted in a server error. This has been resolved.

Supported Replicated versions: >=2.53.2 <2.54.0

1.11.0

March 10, 2022

Features

Private Packagist Enterprise is now Private Packagist Self-Hosted
Introducing Update Review: Private Packagist comments on your pull requests with all composer.lock changes displayed in a clear and easy to scan table
API credentials can now have a description
Added API endpoints to manage authentication tokens
Synchronizations with GitLab now also recognize individual repository collaborators
Security advisories for a package are now visible on the package page
Package versions affected by a security advisory are now highlighted on the package page
Security issue notifications webhooks can now be configured to dispatch a separate request for each issue. This allows you to integrate webhooks with Jira.
Adding packages by URL now allows you to override the package name to import packages under an old name
Added support for VCS repositories using the svn+ssh protocol
Packages hosted on AWS code commit now show how to set up a hook to keep the package updated
Adding packages with the JSON import functionality now also allows you to use github/gitlab/bitbucket as repository type

Changes

Changing the number of licensed maximum number of users doesn't require a restart of the application anymore
Private Packagist will now show in the UI if an update is available for your Private Packagist Self-Hosted instance
Various performance and memory improvements to automatic mirroring. This will speed up your composer update and require commands
Adding packages to a subrepository via the "Add Package" dialog now also allows you to add all private dependencies of the package you add
Synchronizations with GitHub and GitLab have an option to skip archived VCS repositories. This option is enabled by default for new synchronizations.
You can edit the description or the username of a credential without re-entering the password or access token
Packages mirrored from a third party vendor's repository on packagist.com will now detect new versions within minutes of their release
When adding a package from a VCS repository without a composer.json in the root directory, you will now get the option to add the repository as multi-package repository
Increased the maximum file size for package archives from 128MB to 256MB
Synchronized GitLab repositories with visibility "internal" are now treated the same way as "public" repositories and are available to all members of the organization
Importing VCS repositories from bitbucket.org doesn't require adding the .git suffix anymore
Updated the synchronizations page to better display all relevant information for organizations with multiple synchronizations
Synchronized VCS repositories can now be added as multi-package repositories via the "Add Package" dialog
Updated the naming of Bitbucket Data Center / Server to remove all references to Atlassian Stash
Added a link to set up mirrored third party repositories from the add package form
The verify email banner is now only shown once after login and on the profile page
The source and user columns in the organization log have been merged
The security vulnerabilities summary email is now limited to 1000 security issues

Bugfixes

Accessing mirrored packages from third party repositories other than packagist.org through the web interface returned a 500 response outside of subrepositories. This has been resolved.
The creation of archives from source is now skipped if the package uses checksum verification to avoid errors during composer install
Mirroring new packages during a Composer command will now wait longer for a result instead of returning an error after one minute
Added a retry mechanism to HTTP calls during the package update process to reduce the risk of random failures
The automatic mirroring now handles invalid responses returned from asset-packagist.org and will no longer mirror non-existing packages
Registration via OAuth now shows a helpful message if the OAuth token expired before an account was registered
The organization log was missing the user entry for some actions. They are now shown.
Significantly reduced the time it takes to store archives for big git repositories
Packages now show an error message if the domain of the credential assigned to the package cannot be used during the archive process
Mirrored third party repositories incorrectly using integers instead of strings for version numbers no longer result in failing package updates
Deleting a package via API while the package is updated will no longer return a 500 response
Packages hosted on GitLab now show a clear message if the credentials don't have enough permissions to setup webhooks
Made it clearer that the svn protocol is not supported. Https or svn+ssh should be used instead.
Editing a non-installable package now properly resets its state and makes the package installable if possible
Resolved an issue with multi-package repositories using SVN that could cause a background worker to get stuck if the SVN repository contained an empty trunk directory.
Mirrored packages that were removed from the mirrored third party repository showed two messages saying that they were abandoned. They only show one message now.
Synchronizations with GitLab now handle credentials that expire during a run
Security issues no longer re-trigger alerts if certain properties change e.g. a CVE was added to an existing issue
Added handling to renaming the default branch for security monitoring. This will no longer re-trigger alerts.
The security monitoring setup for a package no longer gets stuck if the default branch is not the topmost sorted branch.
Resolved an issue that prevented setting up a synchronization with bitbucket.org
Resolved an issue where versions would temporarily disappear if GitHub, GitLab or Bitbucket returned a 5XX response when fetching branches or tags
Packages imported from bitbucket.org now show a message if an OAuth scope is missing to setup webhooks
Packages with a markdown changelog are now properly parsed even if the filename doesn't end on .md
Resolved issues with HTML forms that would show an incorrect state when the browser back button was used after submit
Packages using other archive types than ZIP displayed errors that an archive could not be created after the package was initialized. This has been resolved.
Added error handling for cURL errors when fetching the changelog information of packages
The archive generation for phpstan/phpstan is now skipping the generation from source as this could take several minutes
Synchronizations with Bitbucket now correctly handle deleted repositories that were not fully removed on Bitbucket
Resolved an issue where security issues were not removed from a package when the composer.lock file was deleted
Added validation that all VCS repositories require a non-empty URL to avoid unhelpful error messages
Adding and editing a mirrored third-party repository was not applying a maximum response size and could result in a PHP fatal error. This has now been fixed.
Updated the wording explaining why certain words cannot be used as names for subrepositories
The API documentation page no longer uses a JS library hosted on an external domain
Install statistics pages showing graphs no longer use a JS library hosted on an external domain
Submitting the add organization form twice would result in an unexpected error. This has been addressed.
Synchronizations with GitLab no longer result in errors if they have users assigned with "Minimal access" permissions in GitLab
The add synchronization modal could prevent users from creating new credentials when credentials for the same authentication type on a different domain existed
Synchronizations with GitLab now correctly import permissions in the case where a user has access to a subgroup via inherited permissions from the parent group and at the same time via another group that was invited to the subgroup
Using a short name with upper case letters when creating a subrepository will automatically transform them to lower case instead of showing an error
Login via OAuth with Bitbucket Server could reset the stored access token which would prevent setting up new synchronizations by that user
New packages added via a synchronization with Bitbucket Server failed to set up a webhook on Bitbucket Server to get notified about updates
Opening the add synchronization modal without a configured integration will now list instructions to add an integration instead of showing a blank modal

Supported Replicated versions: >=2.53.2 <2.54.0

1.10.8

October 22, 2021

Features

Collaborators can now be added to subrepositories. They can only access selected subrepositories, but don't have access to the organization
Added API endpoints to list all security issues for a package or an organization
Added a filter by security issue state to the packages list API endpoint
The modal to add packages from a synchronization and the modal to add packages from an organization to a subrepository now allow you to add multiple packages at once
The package page now displays a link to the changelog and lists changelog information with the version information
The synchronization page now lists active synchronization runs and their current progress
For packages using a Composer patches plugin like cweagans/composer-patches, the package page now lists patches information defined in the composer.json
We now support GitLab group webhooks for groups with a GitLab Premium subscription, this will now find new repositories when they are created and not only once the daily full synchronization runs.
A new log section can be found on the organization settings page, displaying activity in the organization
Installation statistics are now available for organization authentication tokens and on your profile page for your personal authentication token.
Existing packages can now be edited to be turned into multi-packages (multiple packages in a single repository) without having to recreate them.
Non-synchronized organization members can now be removed from the organization and all teams at once on the members page

Changes

To avoid losing Composer access to a Private Packagist organization, organizations with a primary synchronization, where none of the owners have a Private Packagist account, are disabled
For synchronizations with GitLab the "Master" team was renamed to "Maintainer"
Synchronizations with GitLab now detect when another group was invited as a member to the synchronized group
When initializing a VCS repository with multiple composer.json files, the initialization result for each directory with a composer.json is now shown
The user authentication page now shows when the user token was last used
Package updates that trigger an API rate limit will now instantly be retried via git clone
The credentials page now shows a warning if any of your stored GitHub API tokens are about to expire or already expired.
For Bitbucket App Passwords we now recommend enabling the pull request scope to be able to benefit from the upcoming pull request comment feature
Ordering changes on the third party mirrored repository page can now be undone.
A single Bitbucket Server instance can now be connected to multiple Private Packagist instances
When creating a synchronization with Bitbucket Server we now detect if the credential user is a global admin without being a direct member of the synchronized project to avoid them being removed from the organziation by the synchronization.

Bugfixes

Resolved a bug that would prevent packages accessible in subrepositories from receiving updated metadata information when using Composer 2
A successful user registration will now redirect to the page a user was initially trying to access e.g. when clicking on an invite link in an email
On the credentials page the link to create a GitLab API token was updated to match the latest GitLab version
Synchronization errors now show additional information like the endpoints that caused the synchronization run to fail
The subrepository access page for credentials now shows a tooltip why some credentials cannot be removed from a subrepository
The subrepositories link on the package page was pointing to a non-existing page. This has been resolved.
When creating a synchronization with a GitLab subgroup the name now matches the full path of the subgroup
Misconfigured OAuth integrations will now show proper error messages when trying to log in. For example, if the client id or secret is invalid
Failed login attempts with bitbucket.org now also show error messages by Bitbucket
Credentials created when setting up a synchronization in a subrepository were not stored in the organization, which could lead to errors when later assigning additional credentials to the subrepository
The Composer instructions to set up authentication using the Composer command displayed an invalid command if the username contained a space. This has been resolved
The password strength indicator on the registration form was rendering invalid HTML when submitting a weak password
Fixed an issue that the license page could not be shown if one of the packages contained a null byte in the license field in the composer.json
Resolved an issue where package updates would error when renaming a package that is part of a multi-package repository
For multi-package repositories that are not synchronized multiple webhooks were set up which could lead to API rate limit issues caused by too many background jobs
Resolved an issue where usernames with leading or trailing whitespace could cause unique key violations.
Adjusted OAuth authentication with Bitbucket Server to handle cases where Bitbucket username didn't match the username slug. This for instance happens when the username contains the @ symbol
We now cleanup unused Bitbucket team webhooks
Resolved an issue where multi-package repositories with GitLab would not search for composer.json files in all directories
Cleaned up the package update and initialize error output to not leak any GitHub tokens using the new format
Packages, where only the casing of the name changed, were marked as abandoned. This has been resolved and will be fixed for all existing packages with their next update.
Packages, which have not been fully initialized, now show a "waiting for update" security monitoring state instead of "disabled"
Refresh expired Bitbucket OAuth tokens with the refresh tokens to avoid issues during user account registration
In case the archive background job takes longer than expected we will first return a redirect response to Composer to be able to wait longer for the archive to finish. This will help for instance with large Bitbucket repositories that cannot be downloaded as ZIP files from Bitbucket.
The API no longer returns a 500 error in cases where a called URL is not available. This now returns a 404 response.
Package archive jobs for packages of type "metapackage" could trigger an error. Those archive jobs are now skipped.
Disabled the download button on the package page for packages of type "metapackage"

Supported Replicated versions: >=2.53.1 <2.54.0

1.10.7

May 5, 2021

Features

Added support for bearer token credentials

Changes

Deprecated HTTP header credentials. Please contact us if you are still using them for another purpose than a bearer token which will be automatically converted.

Bugfixes

Added additional validation and filtering of output for CVE-2021-29472 to prevent malicious source URLs and references from being delivered to outdated Composer clients
Resolved an issue that prevented packages from updating if the composer.json contains patch information in an unknown data format
The link to mirror a package in the security alert emails was missing the href attribute

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.6-pl1

April 27, 2021

Bugfixes

Database migration to cleanup Drupal packages drupal/php and drupal/recaptcha will no longer fail if updating from Private Packagist 1.10.0 or older

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.6

April 27, 2021

Security Fixes

Resolves a command injection security vulnerability in Composer which could have allowed logged in users or third party package maintainers to run shell commands on the packagist-worker container. We do not believe this to have been exploited prior to publication of this release. (CVE-2021-29472)

Features

Packages in public repositories are now available to all members of an organization instead of just those with explicitly assigned repository permissions
Private packages can now be marked as abandoned via the UI
The current synchronization run now shows a detailed progress report

Changes

Package versions returned by the API are now sorted the same way they are shown in the UI
The default accessibility of multi-repository packages in subrepositories can now be set on the add and edit package form
Added support for the new GitHub API token format

Bugfixes

Added better handling for invalid values in the license field in the composer.json file
Added handling for additional cURL error codes explaining how to resolve the errors
Automatic mirroring for packages from third-party mirrored repositories using providers and providers-url did not work.
Resolved a bug that prevented the package search from working if a VCS repository that was not yet added as a package had a number as a description
The subrepositories filter on the packages page did not persist in the URL. This has been resolved
Increased the body max size of incoming requests to 25M to handle large GitHub webhook payloads
GitLab returning a 520 status code will now retry the synchronization run instead of triggering an error

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.5

March 16, 2021

Features

Abandoned package notifications: Receive notifications when a package is marked as abandoned
Packages which have their composer.json file in a subdirectory, rather than the root directory, can now be installed with Composer like all other packages

Changes

Synchronizations with Bitbucket now support all Bitbucket workspaces including former user accounts
The package search now only searches the package name by default. The package description can still be searched as well by selecting the checkbox below the search field.
Background workers will now automatically restart once they use 450M of memory
Subrepository URLs have been updated to not use the word "projects" anymore
Improved the performance of fetching dependents of a package. Please note this will only become active two weeks after the release was installed to allow for enough time to migrate data in the background.
Packages part of a multi-package repository will now show the README file of their subfolder if available and otherwise fall back to the root directory
Organizations synchronized with a GitLab Group will now prevent any of its GitLab subgroups from being synchronized. The parent group already imports all data from all subgroups
Clarified the webhook state of a package that "no delivery received" can be resolved by pushing to the VCS repository.
The repository name of a collaborator team is now a link to the VCS repository
Renamed Bitbucket Teams to workspaces to match the naming on bitbucket.org
Clarified that a missing composer.lock is not an error but instead means that the package cannot be analyzed via security monitoring

Bugfixes

Resolved an issue that prevented automatic mirroring of new packages when using an HTTP proxy
Fixed an issue which caused an invalid Composer cache when automatically mirroring new packages with Composer 2. This caused an error message saying the package name for a particular package version could not be found in the cached JSON file.
Security advisories removed from the FriendsOfPHP/security-advisories database will now also be removed from Private Packagist
Package updates that fail while initializing the Composer driver now show a more detailed error message instead of a generic "Package data could not be downloaded" message.
Overall improve the error handling for package updates and mirroring to handle cases like SSL timeouts
Login and registration via Bitbucket Server failed without explanation if an endpoint returned an empty response. This was caused for instance by a 2FA app installed on Bitbucket Server.
Resolved an issue where automatic mirroring would fail if a mirrored third-party repository returned empty metadata for a provider URL.
Submitting a JSON string rather than an object on the custom JSON package form now displays an error message instead of triggering a server error without an explanation.
Packages which have both, dist and source information available will now show both errors if a background archive job failed
Resolved an issue where organizations created via synchronization where the remote organization has a name longer than 20 characters would prevent the organization from being edited
Fixed an issue that could cause Replicated to fail to prune images when too many app releases are installed due to timeouts
Fixed an issue that could cause the replicated-ui container to fail to start up after a Replicated upgrade
Creating subrepositories for organizations with lots of packages could result in request timeouts. This has been addressed.
Fetching a user's GitHub organizations displayed a rate limit error instead of an access error in case the access token has no permissions anymore
The archive background worker did not clean up all files if jobs were triggered for archive files larger than 128MB

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.4

February 3, 2021

Features

The user search in Private Packagist admin panel now supports search by username and email instead of username only
Synchronizations now show a link to all packages managed by that synchronization and the host e.g. github.com in addition to the type e.g. GitHub

Changes

Requests triggered by Composer commands that interact with mirrored third party repositories like search and automatic mirroring will now check those mirrored third party repositories in parallel. This significantly reduces the time it takes to perform those requests for organizations with multiple mirrored third party repositories.
Synchronizations with GitHub now delete teams and add collaborators to repositories immediately via GitHub webhook instead of only when the next full synchronization runs within 24 hours
New passwords are stored as argon2i hash and old ones will be upgraded from bcrypt the next time a user logs in using username and password
Sample payloads for webhook notifications have been added to the documentation
The limit of adding one email per week to a user has been removed
Synchronizations with a GitLab subgroup now show the full path and name instead of only the name
Emails sent from Private Packagist now contain a note telling the recipient where they can change their email
The default frequency of security reminder summaries has been changed from weekly to monthly. This applies to new users and notification channels only
License names of non SPDX licenses are no longer converted to lower case
The package description on the package list page has been limited to two lines
Synchronization background jobs will now only be marked as timed out after 90m instead of 10m
The default request timeout for mirrored third party repositories has been increased from 5s to 15s
The packages page doesn't hide the number of private/mirrored packages anymore when searching or applying filters
The filename of the downloaded archive file from the package page now contains the package name

Bugfixes

Resolved an issue in the file downloader that caused the archive generation to take several minutes when downloading archives from github.com bigger than 5MB
Reduced memory usage for processing package updates in background jobs for packages which are used in subrepositories
Setting up a GitLab synchronization with a GitLab API token that belongs to a user who is not a member of the GitLab Group will now show an error message explaining the problem
The webhook status tooltip of packages added through synchronization no longer shows 1990-01-01 as the most recent hook call if the hook hasn't been called yet.
The resynchronization button shown on the teams page is now disabled while a synchronization is running.
When setting up a new synchronization only credentials that can be used will be suggested to set up a new synchronization
Attempting to delete the primary synchronization will now show an error message instead of a 500 error
Users can no longer disconnect from an OAuth service if they are the only active owner in an organization that uses that service for its primary synchronization
The subrepository overview page no longer shows a subrepositories counter
The custom JSON package form will remember the edit mode when submitting a custom JSON package that results in an error or when using the browser back button
Adding multiple files to a custom JSON package could trigger a message that one file exceeds the file limit even though it is smaller than the limit if the size of all added files combined exceeded the limit. This has been resolved
Synchronizations with Bitbucket didn't detect repositories as packages as soon as the composer.json file was added if they did not have a branch named master. They were only imported with the daily synchronization run
Abandoned packages mirrored from packagist.org were not shown as abandoned on the package overview page
Removed two unreliable and unnecessary checks in the application health check which could cause a cryptic error message to be shown in the replicated admin console despite it working correctly

1.10.3

November 18, 2020

Features

Added an API endpoint to upload a new file to an existing artifact package
Package release notifications: Receive notifications for every new version a package publishes

Changes

The team members page for synchronized teams now clearly states that memberships are managed through GitHub, GitLab, or Bitbucket and shows where to manage the team
Security notification summaries are now spaced out over 30 minutes to reduce the rate of emails sent over a short period
Added an icon next to package names to copy them to the clipboard
Artifact packages now ignore the "__MACOSX" folder in ZIP archives generated by the macOS ZIP utility when searching for a composer.json file
If you saw redis noscript errors in the logs on startup, these were expected on startup and we now indicate so with a note, so there is no confusion over them
Webhooks are now unregistered on connected code hosting platforms when a package or an organization is deleted
Packages copied to a subrepository now have a disabled edit button explaining that they can only be edited on the organization level

Bugfixes

Editing or creating custom JSON packages now fully saves the state of the form on error, including the editing mode (JSON/interactive form) and the selection of teams with access
When a mirrored Composer repository returned an empty gzip encoded HTTP response (e.g. for an HTTP 403 error) when mirroring a new package or updating it, we previously simply displayed "Connection failed." but now the status code is correctly recognized and an appropriate message displayed
Placeholders in version specific package archive/download errors are now replaced correctly
Hitting the API rate limit when creating a new multi-package no longer crashes the background worker preventing intialization of the package
Prevent the same path of a multi-package repository from being initialized multiple times. This will now correctly display a duplicate package error message
Fixed a bug on the security monitoring page that would prevent showing a link to the commit in which the security issue was found and would only show the text instead
Make sure form error messages that may contain user input are filtered to prevent XSS vulnerabilities. Due to the Content Security Policy this wasn't exploitable in any harmful way, so not listed as a security issue
Added a workaround for mirroring packages from Yoast's repository, which returns an invalid response on their Composer 2 metadata endpoint
When attempting to composer require or mirror a non-existent package, Private Packagist no longer returns an invalid response to Composer 2
Package updates for packages with an invalid version number will now show a more appropriate error message instead of the previous wrong error message that states an authentication error
Duplicate name for a notification channel on the same organization is now handled by displaying an error message and preventing a 500 error
Connecting an account using OAuth to an remote account tied to an email address in use by another Private Packagist user will now show an appropriate error message on how to proceed
Removing a primary synchronization will now remove inactive user accounts from the Owners and Admins teams
OAuth login error messages now correctly replace placeholders with their respective values
Some links when viewing a mirrored package in a subrepository incorrectly pointed to organization level pages
Updating the repository URL of a VCS package in the organization will now update the URL in all subrepositories. Moreover, the found duplicate packages with the changed URLs which are not installable will be removed.
Uploading artifacts with an empty composer.json will now show an appropriate error message rather than failing to parse an empty JSON string
Security monitoring setup isn't shown on artifact packages because it's not supported

1.10.2

October 6, 2020

Bugfixes

Package dependencies (require, require-dev, replace, etc.) were not shown as links even if the linked package was available in the organization
Dependents of a package were calculated only using dev versions. This now also uses the latest stable release
The pages listing dependents of and suggestions for a package were missing the navigation tab for subrepositories
Security alerts were sent out twice for packages that were first added to a subrepository before they were added to the organization
The package page now states if the credential used does not have the required scopes to set up a webhook
Artifacts with mime type application/gzip and application/bzip2 can now also be uploaded
Artifacts of type tar with an unnamed "." folder are not supported and the file upload displays an error explaining this

1.10.1

October 5, 2020

Features

Subrepository quick access: most recently visited subrepositories are shown on organization overview
You can now upload zip, tar.gz, or tar.bz2 archives without composer.json files when creating a custom package

Changes

Full compatibility with Composer 2.0
Validation of require and require-dev constraints matches the latest changes in Composer
Dist URLs in lock files have been updated to contain an additional r character to avoid empty filenames if no reference is provided. This means your lock file URLs will change on the next Composer update
The packages page now shows license information for the default branch
The team delete button has been moved to the settings page
HTTP header credentials allow a "Token" header to be set

Bugfixes

Packages added by URL from GitHub with a composer.json file not in the root directory failed to initialize
Updated the button text for login by email to indicate how to register an account
Improved retry handling in background workers to fetch the latest changes from packagist.org to avoid uncaught exceptions
The Bitbucket App credentials form now states that to use the credential for a synchronization the user needs to have admin access
Removed a not reliable consistency check for Zip files that could prevent valid Zip files from being installed
The package update process would miss changes to a package if only the dist URL of a package changed
The render time of the license review page has been improved
The license review page was listing certain renamed OSI approved licenses twice
Logged in users can no longer access the registration page

1.10.0

August 24, 2020

Features

You can now upload zip, tar.gz or tar.bz2 archives containing code and a composer.json file by adding an artifact package to your organization
You can now receive security notifications when a security vulnerability is found in one of your dependencies by analyzing your composer.lock files. Notifications can be sent via email, Slack, Microsoft Teams or webhook
Added API endpoints to list packages a team has access to, grant teams access to a list of packages and remove access to a package from a team
You can now bulk update which subrepositories have access to a certain package from the manage subrepository access page
Added support for the new Composer 2 list endpoint
Added API endpoints to create artifact packages
You can now grant team access to all packages at once by selecting "Select All" in the team packages page
You can now download the archive file for each package version from the package view page

Changes

The package name letter case changes in composer.json will be reflected in package name data on the package first update
Adjusted version sorting on the package view page to use the branch alias if one is provided
Increased the priority for synchronization jobs created via the UI in order to receive faster feedback for the synchronization run
Package files are now verified to be valid zip or tar archives. In case of an invalid archive file, you'll see an error message via Composer and on the package view page
Refreshed the subrepository list page design. The page now includes a filter for security monitoring and package installs
Users with the package edit permission can now access the subrepository access page
Archiving or un-archiving a GitHub repository will update the package abandoned state accordingly
Credentials which are in used and cannot be deleted will now show a tooltip in addition to the disabled delete button
Only admins will now be able to view inactive members in team membership lists
The list of mirrored repositories on the add package from a mirror page now uses the same ordering of repositories as the mirrored repositories page
Package errors (e.g. dist file is too large) shown on the package view page will now show the first error, and a link to show more errors if any. Clicking on any versions with package errors will list all the version errors
While creating a GitLab credential, a notice message will ask you to select the required API scopes
Added documentation for Composer 2.0 compatibility with Private Packagist
Creating a credential with Bitbucket API Keys as an authentication type now shows a deprecation notice. Bitbucket Api Keys may not exist for the user's Bitbucket team and as an alternative you can use Bitbucket App Passwords
Added a few improvements to the add a custom package form. The package type is now set to "library" by default and added helpful text hints for the other form fields
The package list page synchronization filter now displays the external service name (e.g. GitHub)
The synchronization now automatically detects if a VCS repository is transfered from one synchronization to another on the same service e.g. from one github.com organization to another github.com organization

Bugfixes

Bitbucket Server API response pagination did not work correctly, so synchronization may have only imported partial lists of repositories, users and other information from projects
Avoid leaking of known_hosts file path if a host key has changed and show a more suitable error message instead
You can now delete credentials that were assigned to a deleted subrepository
Users who deactivated an OAuth account connection and are then deleted from a synchronized team will now be removed automatically in a synchronization run
In case a user isn't part of any organization on a service they connected to via OAuth, a more descriptive error message will be shown on create organization or synchronization
Synchronization error messages now correctly replace placeholders with their respective values
The packagist.org mirrored repository can now be prioritzed like any other repository in organization settings

1.9.11

June 23, 2020

Bugfixes

Fixed a bug that prevented new packages to be automatically mirrored if a proxy server was set up
If a proxy server was set up it was not possible to edit the global configuration form in the Private Packagist admin panel
The status for packages with manually setup webhooks on the package list now correctly shows that the webhook is set up with the date the hook URL was last called
The list of mirrored repositories was not showing an entry for Packagist.org if no additional mirrored third party repositories were defined in an organization
The disk inodes health check reported an error for long device names

1.9.10

June 22, 2020

Features

Improved performance for Composer 2 through use of the new Composer repository protocol
The generic package hook endpoint now supports AWS SNS subscription confirmation, enabling easier integration with AWS CodeCommit
Added API endpoints to fetch dependents of a package
The package API endpoint now returns the package's configuration values: type, URL, customJson, and mirroredRepository
The package API endpoint now returns installation statistics
You can now customize the SMTP server port in the Replicated Admin Console
You can now select the order in which mirrored third party repositories are searched to mirror new packages you require.
The job API endpoint now also returns a message property with additional information about why a job failed

Changes

Docker Hub must be accessible from the server to update Replicated to the latest version
Weak and short passwords can no longer be used to sign up for Private Packagist. An optional integration with haveibeenpwned.com which prevents usage of leaked passwords can also be enabled in the global configuration section in the Private Packagist admin panel
The API documentation and endpoints have been updated to reflect the naming changes to Private Packagist subrepositories
VCS repositories added from a Bitbucket Server synchronization will now be accessed via git over HTTP if available instead of git over ssh
FireGento mirrored third party repositories now display a warning if a repo.magento.com credential is missing. The credential is required to download certain packages
The primary indicator for synchronizations is only displayed if there is more than one synchronization
Deleting a package will now automatically check if there is an uninstallable package with the same name and mark it installable immediately
Synchronizations with GitHub will get immediately notified about member and permission changes
It is now possible to create multiple authentication tokens with update access for subrepositories.
There is now a 128MB limit for package archives. Package versions with a bigger dist file can no longer be installed
The package page now lists recent archive errors
The team page shows the number of private and mirrored packages a team has access to
Grouped mirrored packages on the package list page into a single section and added a filter to show packages in selected mirrored third party repositories.
Added an option to force the "git" repository type for VCS packages created via the API

Bugfixes

If Bitbucket Server's web interface and its Git server run on different subdomains, webhooks for packages created by a synchronization were not set up.
The member count on the subrepositories list now only includes active members
Deleting a mirrored third party repository while a Composer command is running and mirroring dependencies from this repository will no longer result in 500 status codes.
Fixed a bug that would prevent the manage subrepository access page to load for a package which was previously assigned to a now-deleted subrepository
The link to the GitLab hook settings on the package page has been updated to reflect changes in GitLab
Handle additional network related exceptions in background workers and automatically retry those jobs
The package page for not installable packages with a duplicate name now lists the URL to identify the repository
It is no longer possible to create custom JSON packages with empty version strings or with multiple identical versions
Added a cleanup process to reduce the cache size private mirrored third party repositories use if they return a different JSON file path after each change
Package updates for mirrored packages which have been removed from the remote repository now fail and display an error message
Added automatic retries for failed package archive status checks. This caused composer install commands to fail
Having multiple packages with the same URL but different names in an organziation could cause package updates to fail because of cache interference
The username and avatar of deactivated organization members will also be updated if they change on the external service e.g. on GitHub.
Copying multiple packages to a subrepository at once will no longer result in a timeout
Connecting your account to an additional OAuth application from the add synchronization modal will reopen the modal after the account was connected
Update jobs for VCS packages without any branches will no longer fail
Custom JSON packages now validate that the normalized version matches the version property if both are set
Mirrored third party repositories created or edited via API will be validated identically to creating them in the UI
The Packagist Enterprise UI will no longer attempt to download fonts from Google Fonts
Changing the password or primary email of a user invalidates all other sessions for that user
If the job to automatically mirror replaced packages cannot find the replaced package it will retry at least once to prevent race conditions where packages become available in a mirrored third party repository shortly after the replacement definition has been added

1.9.9

March 23, 2020

Security Fixes

Resolves a security vulnerability in Replicated where sensitive data was exposed via an improperly secured API

Bugfixes

The composer require command no longer fails on the first try, if you require a package which needs to be mirrored for the first time in your organization from a mirrored third party repository other than packagist.org
If a mirrored third party repository returns invalid JSON data during a package update, the background worker processing the update will not crash and restart anymore

1.9.8

March 19, 2020

Features

You can now create a custom package using a form to configure your composer.json metadata instead of manually entering JSON
The Replicated Admin Console dashboard now includes additional metrics for monitoring Private Packagist: Background Jobs Processed, Maximum Background Jobs Process Time, Maximum Background Jobs Wait Time, Background Jobs Queue Length and Package Installs

Changes

Increased PHP memory limit from 128MB to 512MB to prevent reaching the limit when dealing with large JSON structures during Composer operations
The request timeout for Composer JSON endpoints has been increased to 180 seconds to provide enough time to check multiple slow external mirrored repositories for unknown packages, yet to be mirrored, without resulting in a timeout error for users
Packages that have been archived in GitHub will be marked as abandoned
GitHub API requests no longer use access tokens in query parameters, but always use the appropriate HTTP header
You can now also install packages via Composer which use the previously unsupported file types gzip, xz, phar, and file
If a git mirror sync operation fails, it is now added as an error to the update log and the package won’t update. Previously the respective version with an error or all versions would have been removed without errors until an additional update succeeded
When you add a package, all replaced packages in its composer.json are automatically mirrored as well. This mirroring process is now retried multiple times if any of the mirrored repositories are not available

Bugfixes

Add an error to the update package log in case of rate limit / HTTP 5xx errors during package update
When a new package is mirrored from packagist.org we now immediately trigger mirroring for all packages it replaces to prevent problems with installing these replaced packages. Previously the replaced packages were only mirrored when the original packagist.org package was updated for the first time
When creating a new credential, the username won't be pre-filled anymore, since the suggestion was often incorrect
Fixed a bug which prevented switching the package type from Subversion to other types
If you configured a package mirrored from packagist.org to be enabled by default in new subrepositories and then created a subrepository, the mirrored package was incorrectly marked as uninstallable through Composer in the new subrepository. You can delete and recreate the package as a workaround. When you create new subrepositories the package will now be created correctly
The Bitbucket API can return a 404 error response containing an HTML body. Previously this would have lead to synchronization jobs failing without any visible error. If you experienced this, your users, teams, permissions and repositories would not have been synchronized until the error disappeared again. The error is now logged and the synchronization marked as failed if it occurs
When you edit a package and then delete it immediately, before the changes have been processed, you will now see an appropriate message rather than the background job running until it eventually reaches a timeout
Filtering by active users in the User Explorer in the Private Packagist admin panel now works
Tooltips for package update errors in the package list now correctly replace placeholders with their respective values

1.9.7

January 24, 2020

Features

You can now create authentication tokens with full update access including the automatic creation of mirrored packages, which are counted as regular users
A new organization drop down in the top navigation makes it easier to switch between organizations, and you can always see which repository you're currently working on

Changes

Errors triggered by a package zip download are displayed by newer composer versions
An organization can now create multiple SSH keys which can be used to grant Private Packagist access to multiple individual vcs repositories on the same version control platform.
Packages automatically updated via webhooks will be updated at least once per week
The settings page to create a new credential always displays all form fields
Package data returned from the API also contains the webhook url to trigger an update for the package
Authentication tokens assigned to a particular team now show a link to all packages accessible by the token
Removed the option to trigger an update for all packagist.org mirrored packages via UI to prevent instances being unnecessarily slowed down
Reduced the overall amount of memory necessary for redis
GitLab subgroups on the create organization page and add synchronization modal are now hidden but can be revealed to improve usability for long lists.
Not yet connected code hosting platforms are now listed on the add organization page and the add synchronization modal

Bugfixes

The package search is now case insensitive
Synchronizations with groups on GitLab servers running version 12.6.0 or newer now support more than 100 projects per group
Organizations with multiple synchronizations can now see information about the last runs for all their synchronizations
Resolved a race condition which lead to some cache entries not being invalidated
Authentication tokens previously used by now deleted subrepositories are no longer listed on the organization settings page
Fixed a bug which caused development versions to temporarily disappear for VCS repositories if we encountered a rate limit or server error while trying to access a composer.json file of a modified branch
All Bitbucket 5XX status codes received during a synchronization run are now automatically retried
Expired Bitbucket OAuth tokens can no longer lead to a registration failure
Bitbucket VCS repositories in an invalid state can no longer crash the synchronization
The automatic webhook setup for GitLab VCS repositories no longer uses a slow endpoint
Triggering multiple deletes for the same mirrored third party repository no longer leads to errors
A composer.json file containing invalid UTF-8 characters will no longer prevent an update for the entire package
Background workers now automatically try to reconnect on redis connection errors
Improved the handling of race conditions for long-running Bitbucket synchronizations to prevent errors when VCS repositories are added or removed during the run
Errors encountered because a mirrored third party repository returned invalid JSON during the automatic mirroring now display a warning message
Usernames sent to the Composer repository which contain non-UTF-8 characters no longer result in 500 errors
Fixed a bug which prevented the abandoned status of a package from being updated
Added additional information for packages that fail to be initialized using git clone
Regular packages in subrepositories which are not installable in the organization can now be installed in the subrepository
If the Bitbucket API fails because Private Packagist IPs need to be allowed in Bitbucket, an error message with information on how to do this is now shown
Accessing API endpoints in the browser without authentication returned a 500 error instead of a 401 error
The name of integrations is now correctly displayed on the organization create page and the add synchronization modal

1.9.6

November 13, 2019

Features

The packages page has been rebuilt to offer various filters to find packages and displays more package information to quickly detect problems
The packages page now also lists packages with a duplicate name showing a warning that they cannot be installed
All packages which are replaced in the composer.json of any package you add, are now automatically mirrored to prevent problems with their automatic mirroring during composer update.

Changes

To avoid confusion with the Composer package type project, we renamed Private Packagist projects in the Agency Add-On to Subrepositories
Initializing a Bitbucket git repository with a url like https://bitbucket.org/acme/repository will now automatically transform the url into a valid git url e.g. https://bitbucket.org/acme/repository.git
The packages page now explains what mirrored packages are and why they appear in the list of packages
The list of organizations for a user now also shows organizations which they have been removed from
Running a composer command with a read-only token now shows a message that no new packages will be automatically mirrored
When trying to automatically mirror a new package composer will now always show a warning if one or more mirrored third party repositories are not available

Bugfixes

Replicated fixed an issue with the Replicated admin console that would require a manual refresh of the browser after replicated upgrades.
Replicated improved error messaging on the Replicated admin console for upgrade failures.
Editing a package will now fully clear its cache
Corrected the install statistics of an organization to also include installs of all subrepositories
Updated the screenshots to set up a GitLab integration with recent ones
The list of last synchronization runs showed an old run if all recent runs failed
Synchronizations with bitbucket.org could fail in case a repository was in an unavailable state
Fixed the synchronization with GitHub to grant everyone access to public repositories in the organization
Package updates which failed because of an HTTP call now display the url which was called and status code returned
Synchronizations failing because of a server error now display the url which was called and status code returned
Improved the error handling for interactions with mirrored third party repositories to display more helpful error messages
With automatic mirroring the package composer/magento will now be mirrored from packagist.org even if repo.magento.com is set up as a mirrored third party repository because repo.magento.com is missing never versions

1.9.5

October 14, 2019

Changes

The update process now requires the domain d2g7dkkfx863il.cloudfront.net to be accessible if your firewall blocks external traffic

Bugfixes

A regression in 1.9.4 resulted in new user account registrations failing for all OAuth integrations
Corrected the link to the replicated console if Private Packagist Enterprise is running on a non-standard port
Hid the settings link for Owners and Admins teams on the team detail pages as these pages do not provide any functionality for these teams

1.9.4

October 11, 2019

Features

Packages marked as abandoned are now visible as such in the UI and show the suggested replacement

Changes

Organization synchronization runs are now visible in the UI as soon as they are triggered

Bugfixes

Enabled projects on organizations created before version 1.7.0
Database migration for deactivated_user table can no longer fail and prevent application startup
Improved the memory usage when adding Private Packagist organization as mirrored third party repository
The link to the mirrored third party repository on the package page now links to the details page of the mirrored third party repository
Display an actionable message in case a host cannot be resolved while trying to access an Integration API endpoint
Credentials now correctly store who created them when they are automatically created via a mirrored third party repository
Synchronization runs failed when multiple teams assigned to projects were deleted in the same run
Added a cleanup to reduce the cache size satis-like mirrored third party repositories use
Additional SSL certificates added in the replicated console are available to all Packagist processes now
Ensured usernames created through synchronization cannot begin or end with spaces

1.9.3

September 17, 2019

Features

Added a new team permission which lets team members create projects
A new config option in the Replicated Console allows you to select the level of TLS security and backward compatibility based on Mozilla's Old and Intermediate config recommendations, it's recommended you change this to intermediate if your HTTP clients are compatible
Added install graphs for overall organization installs over time

Changes

The package add dialog now has an option to select/deselect all teams to make it easier to select the teams which should have access to the package
Synchronized collaborator teams without members are now hidden in the UI
The automatic calculation of the number of background workers and FPM worker pools has been improved to no longer consume too much memory
Lowered the amount of jobs created by automatically skipping initialization attempts of packages with a name which already exists
Synchronization runs are now tracked in the UI as soon as you start them

Bugfixes

Mirrored packages which were manually added to a project would get stuck during the initialization and never receive any version data
Synchronizations were prevented from being deleted in case one of the synchronized teams was assigned to a project
The PostgreSQL connection limit is now automatically adjusted upward if the host machine has enough memory to start more background worker processes

1.9.2

August 13, 2019

Changes

Enable all API endpoints on Enterprise installations
The organization members page now offers options to remove and reactivate members in bulk
Improved display of package install numbers for large values
Added an additional credential type "Magento Third Party Public Key/Private Key"

Bugfixes

Download counts now work inside of projects
Replaced an unsupported Bitbucket.org v1 API endpoint with a v2 endpoint which prevented the creation of a Bitbucket synchronization after the v1 shut down
Improved the network error handling for Bitbucket.org by always retrying failed synchronizations and displaying an error message when trying to add a package from a synchronized team fails
When using the Private Packagist Enterprise API calling an endpoint with an unsupported HTTP method will now return a 405 error instead of a 500 error
Adjusted the error message which appears when one tries to add a VCS repository as mirrored third party repository: Use add package by URL
Fixed the handling of Bitbucket URLs in the format of "bitbucket.org:organization/repository.git"

1.9.1

June 27, 2019

Changes

User accounts are now deleted from Private Packagist Enterprise when all organization memberships of the user have been removed through synchronization processes. The behavior can be disabled in the admin panel.
Added support for repositories which have a composer.json in any branch and/or tag but not the default branch
All public repositories added via a synchronization are now available to all members in the organization
Added additional configuration options for adding svn repositories as packages
The composer setup instructions now also list cli commands that can be used instead of the JSON snippets

Bugfixes

Fixed a bug which would prevent login or registration for users due to a ReCaptcha mechanism which was not fully disabled
Fixed the deletion of user accounts which were deactivated via the admin panel
Improved how we detect updates for packages mirrored via packagist.org to reduce the delay until a new or updated version becomes available
The random offset added to the timeframe between synchronization runs is now relative to the total time between synchronization runs. Previously short time frames of e.g. 15 minutes could still have ended up taking 2 hours due to the random offset.
The about page now shows the trial license expiration date in human readable form
Resolved an issue with synchronization which deactivated existing organization members in rare scenarios
Improved how general errors during the OAuth authentication are handled by displaying an error message and preventing a 500 error

1.9.0

June 7, 2019

Features

New team permission which lets non-admin team members add packages and add, edit and remove credentials and mirrored third party repositories
The package add dialog now allows you to select teams with access, rather than having to set permissions separately later
Added API endpoints to manage project packages
Added an API endpoint to fetch organizations´ ssh access keys

Changes

The user profile now also shows the username and id of all connected OAuth accounts, e.g. GitHub, GitLab, Bitbucket
Improved the user list in the admin panel to be able to filter for active users only
Synchronizations with Bitbucket now recognize individual repository collaborators
New organization members found during synchronization can now be deactivated automatically
Display informative error messages if a zip download fails during composer install (requires composer >=1.8.5)
Improved the navigation on mobile devices
Improved the restart time for the docker containers
Rename disable synchronization to delete synchronization and clearly state that deleting the synchronization will remove teams, users and their permissions
Custom packages are now fully validated on form submit and more detailed error message are shown
Credentials now show for which domain they apply
Enable the API endpoint to fetch a single package's info on all organizations
If a Bitbucket app password for synchronization has been created by a non-Administrator the error message now clearly indicates the problem
Synchronization API access error messages now display HTTP status codes to help debug
Added forgot password links to all password fields on the profile pages
Cache expiration times are now more randomly distributed to avoid regenerating all package metadata at the same time during a composer install
When adding a new package fails because a remote file cannot be accessed a more detailed error message is now displayed

Bugfixes

Updated the Bitbucket integration to be fully compatible with the latest Bitbucket API changes
Fixed a bug where renaming the Bitbucket workspace ID of a Bitbucket Team synchronized with Private Packagist would prevent further synchronizations
Packages added via synchronization inside a project in some cases did not grant all project members access
Credentials for a URL with a non-standard port can now be used to set up webhooks
Fixed zip downloads for package urls without a path e.g. https://composer.example.com/?package=test&version=1.0
Using HTTP auth as part of a third party mirror repository URL no longer fails but automatically creates a credential entry
No more immediate reloads after a successful job finishes to provide enough reading time
Fixed an issue where users logging in via a password manager would sometimes land on an error page
Improved the package search by trimming off additional whitespace
Registration will not silently fail due to very long passwords anymore
If Bitbucket returns an empty response there are now additional request retries
Fixed race conditions in synchronization process leading to incorrect or incomplete data
We now always propagate new version information for packagist.org mirrored packages to all projects using them
Deleting or replacing credentials inside a project did not work in some cases
We now correctly handle errors caused by invalid third party repository URLs
If a remote VCS repository changes its URL synchronization now immediately updates the package URL
Improved handling of GitHub API rate limits while adding a new package

1.8.5

March 29, 2019

Bugfixes

Database migration for organization_sync_run table can no longer fail and prevent application startup

1.8.4

March 29, 2019

Features

Added an option to override the default request timeout for mirrored Composer repositories
Added on option to override the number of running background worker processes to the replicated console

Changes

Improved the performance of package updates by caching versions without a composer.json
Renamed the Owners/Admins Team option for authentication tokens to 'All packages'
The authentication tokens page now displays when the token was last used
Adjusted the Bitbucket API usage to avoid deprecated v1 endpoints where possible
Allow non-synchronized teams to be deleted in organizations with synchronizations
New improved footer design
Owners and Admins teams are now always shown for everyone

Bugfixes

Ensure that synchronizations can be removed from organizations
Editing a mirrored third party repository inside a project failed
Fixed validation of SSH URLs when adding packages, which prevented creating packages
Fixed a bug that prevented authentication tokens to be created in projects
Improve the package update handling in case the package gets deleted while the update is running
Handle various GitHub related errors during a synchronization and reschedule the failed jobs
Handle various exceptions during package archive and reschedule the jobs
Improve the handling of authentication exceptions during oauth login with GitHub
Handle the case where a package is deleted while a background job is setting up a webhook for the same package
GitLab synchronizations now work for subgroups with access tokens which do not have access to the parent group
Adding a new synchronization to an existing organization will now inform the user once the first synchronization run finished
Package statistics now also include the current day in the graph
Handle exceptions on composer search in case the mirrored third party repository returns invalid json
Increase the default timeout for http requests for GitLab to 30s
Flush the composer version cache for a package when the repository url changes
Improvements to request timeout handling in background worker for Bitbucket
Fixed an issue where multiple organizations synchronized with the same Team on Bitbucket would overwrite each others webhooks
Fixed a bug that prevented teams with authentication tokens from being deleted
Download stats for packages mirrored from Packagist.org will now display the correct values for every organization
Fixed a bug that rendered the pagination on the Users Explorer in the admin section unusable
Fixed a bug that prevented package statistics to load for packages which have been in Private Packagist since before 2018
Improve memory handling in background workers by regularly clearing the doctrine and monolog caches
Prevent more than two package updates for the same package to be queued at the same time
Records of finished jobs are now deleted on a daily basis
Long mirrored third party repository URLs no longer overlap with other page content
Avoid a full synchronization if a new repository/package was detected via webhook call

1.8.3

February 5, 2019

Features

Added host system admin command packagist package:update-all --overwrite-data=true command to schedule updates rewriting all versions for all packages

Bugfixes

Ensure that update jobs which overwrite existing version data disable composer version cache
Do not duplicate display of mirrored packages copied from an organization into projects without generally making the mirror available to the project

1.8.2

February 4, 2019

Bugfixes

Fix bug introduced in 1.8.1 leading to failing package updates on Enterprise installations

1.8.1

February 1, 2019

Features

Added a search field when adding packages from synchronized repositories and when adding packages from the parent organization to a project

Changes

Performance improvements to editing credentials, renaming organizations and projects, and deleting packages
No longer displaying a warning about a missing hook for custom JSON packages which cannot be updated without editing the JSON

Bugfixes

Fix download URLs on package update for Enterprise instances which changed their repo hostname and had old download URLs cached from before July 2018
Detect SSL certificate problems with integrated service (GitHub, Bitbucket, GitLab etc.) and display them to users
Fixed race condition which could lead to failed downloads of packages which are just being mirrored for the first time
Ensured the last owner of an organization can never be deleted by a synchronization run
Members of new teams found during synchronization are now added immediately, rather than only on the second synchronization run

1.8.0

January 18, 2019

Features

Synchronizations can now be configured on a per-project basis
Synchronizations now list runs during the previous 48 hours and what exactly changed on each run, e.g. new users or repositories

Changes

Integrations can now be created even if the validation fails
Updating a credential now triggers an update for all associated packages and synchronizations
The team member pages now show more information about each user
API rate limit errors during login now show which API rate limit was reached
Adding organization packages to a project now happens without page reload
Improved the flow to set up a new synchronization for an existing organization
When importing packages from JSON you can now select credentials to be applied
You can now switch which of your synchronizations should be the primary one
Improved typography and spacing across all pages
Synchronizations can now be triggered by all members of an organization
The organizations overview page now shows an option to reauthenticate if your oauth token is not valid anymore
Synchronizations show which credential is used to make requests to the external service
Added functionality to update the credential description
The project settings on the organization settings page are now hidden until the first project is created
Setting up a mirror with http auth in the url will now automatically create a credential and assign it to the mirror
Packages where the last update failed will now display the error until the issue is resolved

Bugfixes

Deleting a mirror now runs in a background task to avoid UI timeouts
Ensure the registration doesn't break if the email is already used by another user
The license review page won't timeout anymore for organizations with projects
Handle API limits for Bitbucket when new repositories are added
Adjusted the messaging in the organization add synchronization modal if the user has no connected accounts
Deleting a team with authentication tokens will now always work, the authentication tokens will remain but without package access
The list of dependent packages does not contain duplicates anymore
Disabled the browser autocomplete functionality on all credential input fields
Sync settings concering project assignment could not be saved for synchronizations which did not target GitHub
Requesting a password for a non-existing user won't result in an error anymore
Detect and handle GitLab maintenance windows
Handle the case where a credential has no Bitbucket oauth scopes assigned

1.7.0

December 3, 2018

Features

Private Packagist for Agencies: Support for projects in each organization with a separate Composer repository, including options for mirrors, credentials and tokens to be defined for just one or a set of projects
Packages mirrored from packagist.org are now updated automatically within a few seconds of changes on packagist.org rather than only twice a day
composer search is now supported for all packages available through Private Packagist: private and mirrored third party packages can be found
Bitbucket Team hooks are now set up automatically to detect new packages when you create new repositories
Added a link to Admin page in the top nav, and link to Replicated console from admin page

Changes

Managing access to packages for teams now sorts the dropdown of packages and lets you search through them
Reduce worker memory consumption by merging infrequently running tasks into a single process
Log full stack traces on PHP errors
Improved the package update log output to better display authentication issues
Package updates which fail because of external API limits are now retried once the limit resets

Bugfixes

Ensure email from address is always set correctly on all SMTP configurations instead of falling back to contact@packagist.com
Reduce the number of errors displayed on all pages to 1 if multiple syncs are broken
Display exactly which scopes are missing if synchronization fails because of missing OAuth scopes
Select correct scopes by default when creating a GitHub access token
Load correct error handler configuration for logging on the Composer repo

1.6.2

November 21, 2018

Bugfixes

Database migration for team table can no longer fail and prevent application startup (only happened on fresh installs if no organizations existed)

1.6.1

November 14, 2018

Features

Package detail page now shows information on the mirror if the package was mirrored
Allow specifying a custom timeout value for requests to each integration
Allow deactivating users in organizations even if they did not create a Private Packagist account yet

Changes

Document that GitLab webhooks may require a configuration change to allow requests to a local network if Private Packagist is running in the same network
Speed up updates of private packages with large numbers of tags with new cache
Allow disconnecting the last third party authentication provider if email authentication is enabled
Deleting synchronization now disables but stores all authentication tokens for later reuse
Allow reusing existing credentials in the organization when setting up synchronization
read only authentication tokens no longer receive a lazy providers URL pattern in packages.json to speed up package lookups
Ignore Bitbucket repositories which the team admin does not have access to, instead of failing the sync process
Correctly detect permission errors returned by Bitbucket and presend them in an actionable way
Unified metadata storage and update processes for mirrored packagist.org packages across organizations to improve performance
Changed internal configuration of Composer to better expose error messages returned by external repositories, e.g. API rate limits
Deleting all packages in a mirror now runs in a background task to avoid UI timeouts
Improved queries used in org synchronization reduce disk i/o on the db
Detect and warn about credentials applied to a package with a URL that does not match the credential domain
Log errors with more details on repo console commands
Detect GitLab connection failures and retry jobs later
Use a lower timeout for GitHub calls than the client library default
Bitbucket Server: Detect and warn about our SSH key already being assigned to another user breaking our automatic setup
Full name for users is automatically prefilled on third party authentication if available
Verify API scopes of GitHub tokens and give appropriate error message if any are missing
Set SSH timeout to 10 seconds to prevent broken git clones over SSH from taking a very long time before they timeout

Bugfixes

Replicated no longer corrupts the snapshot database on upgrade
Replicated now works with docker configured to use write only log drivers
Correctly detect and store webhook state for bitbucket.org packages
Ensure disabled users will not be reactivated through a synchronization in organizations with multiple syncs
Prevent issues resulting from double submission of user disable form
Fixed data fetching for bitbucket.org repositories with a default branch containing a slash in its name
Password reset was not possible in some configurations
Take no proxy list into account if the environment variable uses a lower case name
Synchronization for GitHub integrations may not automatically have run once a day

1.6.0

August 20, 2018

Features

Email/password based registration and login, needs to be enabled on /admin/ page under Global Settings
Email verification configurable per integration to set trust for emails provided by third party authentication mechanisms
Improved profile page with list of emails from third parties and manually defined ones, each with verification state and option to use as default address
Display README contents on package overview pages

Changes

If a user's API rate limit on a third party service prevents login, display a specific error message explaining this circumstance
Team overview page lists package counts next to permissions now, so it's easier to spot teams which assign permissions to an incomplete set of packages
Improve Enterprise setup experience by automatically granting the first created user admin permissions
Automatically fill in bitbucket usernames in credential creation forms to simplify setup
Improved documentation layout and added enterprise troubleshooting section

Bugfixes

Convert proxy URLs to correct protocol URLs for PHP streams
Automatically send full URIs to HTTP proxies for unencrypted HTTP, but relative paths for encrypted HTTPS to avoid problems with some specific proxy software
Revert modified user agent in proxy code which preventing mirroring from third party repositories blocking based on user agents
Disabled erroneously enabled but broken vendor/customer functionality on Private Packagist Enterprise

1.5.7

August 7, 2018

Features

Respect the host system's PROXY environment variables which are used by replicated inside of Private Packagist and allow the definition of hostnames which should not go through the proxy on the admin page
Added an option to change the frequency of organization synchronization below the default 20 hours, watch out for rate limit issues if you reduce this value
Provide a CLI admin command to update all packages in an organization
Archives for the latest tages of new packages are now created immediately to speed up the first use of composer update
add missing links to profile page to allow editing username and email easily
Composer token last usage is now tracked precise to a 5 minute window

Changes

Improved validation of Enterprise Integration setup values for GitHub Enterprise, Bitbucket Server and self-hosted GitLab with improved error messages
Provide a more specific error message if a package already exists when you are adding it with a link to the package
Use streaming responses for large JSON files to reduce memory consumption
Upgraded Replicated to version 2.25.1
Increased timeout for mirrored repository responses to 5 seconds to allow slower repositories to be mirrored, may slow down composer updates when adding new packages
Reduced default php socket timeout to 10 seconds to provide useful error messages if any external requests time out
moved automatic webhook creation into a worker process with automatic retries to improve reliability

Bugfixes

Do not store URLs to Private Packagist in cache, so hostname changes take effect without manual regeneration of stored data
Synchronization of an organization with GitHub no longer stops if a repository with individual collaborators is archives
Display a link using custom integration domains for creating credentials instead of always using github.com, gitlab.com, bitbucket.org
metapackages without code no longer trigger archive creation errors
License overview no longer displays package names to a user which they do not have access to
GitLab scope missing error is now explained to users instead of crashing background workers
Fix internal communication between containers for SSL certificates which are not valid for IP addresses used on the internal network, could have resulted in empty download statistics
Fix internal SSL communication between containers when using Replicated's self signed certificate
Fix worker crash if synchronization setup is disabled while synchronization is running
Validate informational domain field for credentials

1.5.6

Release skipped

1.5.5

Release skipped

1.5.4

June 7, 2018

Features

Let users know that they have to accept GitLab's new ToS if this is preventing them from logging in or synchronizing their organization

Changes

Automatically generated credential names are no longer unique across all orgsnizations
GitHub push hooks will trigger initialization of packages that do not exist yet
Catch GitLab API Limit errors and display a message to users
Reduce amount of data requested from GitLab by using new subgroup API endpoints if available as of GitLab 10.3
During successful synchronization the user who set up the synchronization will not be removed from owners if no other owner has an active Private Packagist account

Bugfixes

Package updates triggered by a push hook are retried after 30 seconds instead of being cancelled, if another update is already running, as a result tags pushed separately immediately after commits should now show up on Packagist faster
Regression preventing successful synchronization with GitHub Enterprise
Warn users about problems if gitlab sync credential is empty
Handle Bitbucket 50x errors the same as 500 during synchronization API calls
Attempt to retrieve smaller pieces of information with more API calls from Bitbucket if large endpoints return 500 errors for internal timeouts at Bitbucket
Catch 401 errors from GitLab and turn into useful message for users
Enterprise preflight checks test listening on 0.0.0.0 for ports 80/443 now to avoid issues with machines without a detectable public ip
Custom package validation now properly checks that at least one package was defined

1.5.3

May 9, 2018

Bugfixes

Fix installation of webhooks on Bitbucket Server if no webhooks are present yet

1.5.2

May 8, 2018

Bugfixes

Repo container won't start up if restarted without old temporary directory present

1.5.1

May 8, 2018

Features

Automatically configure webhooks on Bitbucket Server (requires version 5.4 or above)

Changes

Reorganized organization teams page layout
Separate packagist temporary data from permanent distribution files to decrease snapshot size, we recommend you use SFTP or S3 snapshots only and that you define a new empty directory to create snapshots in starting with this release to reset the differential storage mechanism
Composer repository now returns a 401 if auth is missing to ask for interactive authentication input
Upgraded to Replicated 2.20.2 with improvements to snapshot creation and restore

Bugfixes

Fix key generation for Bitbucket Server and provide more detailed error messages in case of problems
Ensure packages with manually defined JSON always update all metadata on edits
Detect and ignore deleted package situation when processing a package update
Prevent signup errors if people double click the signup button
Catch 502 responses from GitLab and treat them as timeouts and retry later
Catch empty responses from Bitbucket and treat them as timeouts and retry later
If bitbucket permission API endpoint fails, try retrieving info for each team and repository individually
Use correct organization name for listed vcs repositories if an org is synchronized with multiple targets
Fix audit log entry creation for admin self-deletion
Ensure synchronized users are always created with a unique username
Find composer.json information on GitLab projects with a default branch other than master
Correctly disable all synchronizations if an integration on which they are based is deleted

1.5.0

Mar 16, 2018

Features

Management console option to enter additional TLS/SSL certificates Private Packagist Enterprise should trust for connections to your VCS repositories
Option to trigger an update for all packages mirrored from a particular third party Composer repository
GitHub synchronization now supports granting external collaborators package permissions
Synchronization now automatically creates packages from repositories which you add a composer.json to after sync skipped the repository for lack of a composer.json

Changes

Restoring an Enterprise instance from a snapshot no longer requires to run any custom commands to restore the PostgreSQL database
If a GitLab subgroup is synchronized with a Private Packagist organization, we now search all parent groups for members with inherited permissions
Increased default timeout for talking to GitLab instances to 30 seconds
Reaching the Bitbucket rate limit now triggers a 1 hour block on all requests sent to the Bitbucket API to restore the limit fully
Bitbucket requests are retried automatically on server errors because it reports timeouts as 500 Internal Server Error
Performance improvements to Composer repository JSON delivery
Provide a specific error message if someone attempts to add a package with the same name as a package that already exists
Setup mode now allows deleting the admin user account
Disabled auto-complete on password fields for external credentials
Upgrade to Replicated 2.17.0 amongst other things improving snapshots and restore

Bugfixes

Worker processes do not fail to start up anymore if Redis is taking too long to load data into memory
Modified Redis backup/restore process will no longer cause extremely slow or incomplete snapshots
Fix GitLab Composer behavior to ensure correct commit instead of branch is used for dist generation when targeting specific commits on branches
Updating the credentials on a mirrored Composer repository now ensures that all packages already mirrored from the same repository start using the updated credentials
Bitbucket Server configuration uses readonly instead of disabled fields for values to be copied now and made it impossible to reset client id / public key to empty
Do not log anything and do not return an error on metapackages which do not have a source or dist specified
Invitation email to new users now links to correct login/registration page instead of always referring to GitHub
Fix local build file cleanup to prevent disk from eventually getting too full
Fix mirroring of packages with names using capital letters (should be avoided and is invalid on packagist.org)
Prevent error on editing an organization if no platform was selected for the organization

1.4.3

Jan 17, 2018

Changes

Synchronized packages will always use the credentials associated with the sync now

Bugfixes

Do not attempt to bind to [::] on Enterprise hosts with IPv6 disabled
Skip synchronization entirely for organizations that no longer exist on GitHub
Fix webhook installation on non-primary synchronizations
Properly apply deactivated user list to non-primary synchronizations

1.4.2

Jan 10, 2018

Bugfixes

Fix form submission for secondary GitHub synchronization default permission settings

1.4.1

Jan 10, 2018

Bugfixes

Fix regression on some package pages and in background workers attempting to resolve non-existent default integration configuration leading to 500 errors
Fix incorrect determination of mailer host configuration resulting in broken health checks

1.4.0

Jan 8, 2018

Features

Synchronize multiple external GitHub orgs, Bitbucket teams, GitLab groups with a single Private Packagist organization
Multiple organizations can be synchronized with the same GitHub/Bitbucket/GitLab organization
Allow disabling the creation of new organizations for anyone who is not a Private Packagist Admin user

Changes

Synchronized team names have been updated to reflect their origin to clarify context when using synchronization with multiple sources
Do not allow deleting an organization on Private Packagist if the GitHub app has not been uninstalled yet
Improved 500 error message on Enterprise installations
Upgraded Replicated to 2.15.0
Upgraded Nginx to 1.13.8

Bugfixes

Remove non-existent option from worker command calls, fixing issues with cache invalidation and download stats
Fix potential constraint violation when disabling synchronization on an organization
Don't display broken remote organization avatar if none is defined
Return proper error code and message if an archive cannot be created before the request timeout ends
Properly handle API rate limits in vcs synchronization worker

1.3.12

Jan 2, 2018

Features

Allow defining multiple mirrored Composer repositories with the same URL but different credentials

Changes

Lower timeouts (2 seconds) on retrieving data from mirrored Composer repositories
Clarify synchronization error messages, more specific and instructional
Upgraded to PHP 7.2
Upgraded Replicated to 2.14.0

1.3.11

Dec 13, 2017

Changes

Update UI structure for mirrored repositories in organization settings to match other settings
Improved error messages in case Bitbucket API Limits are encountered
Do not warn about SSL requirement for package URLs unless a user attempted to use a non-SSL http URL

Bugfixes

Fix regression in form input for default member permission for synchronized GitHub organizations
Display a helpful error message in case a Bitbucket organization cannot be loaded due to token issues instead of a 500 error on org settings

1.3.10

Dec 11, 2017

Changes

Increased timeouts on port listen startup events during docker orchestration

1.3.9

Dec 11, 2017

Bugfixes

Regression in GitHub Enterprise API client pagination

1.3.8

Dec 11, 2017

Bugfixes

Prevent 404 during Bitbucket privilege check in synchronization
Correctly follow pagination URLs on GitHub Enterprise API in all cases (second fix)

1.3.7

Dec 8, 2017

Changes

Add new denormalized columns and indexes to improve performance of dependent/suggesters calculation for packages

Bugfixes

Correctly follow pagination URLs on GitHub Enterprise API in all cases
Don't include non-existing nginx log files in support bundle to prevent timeouts in support bundle generation

1.3.6

Dec 6, 2017

Features

Permanently display the most recent synchronization failure message and info on last successful run

Changes

No requirement for 20GB on the root filesystem anymore, you should have at least 10GB mounted on /data and 10GB available to the system and replicated however
Only administrators of Bitbucket Teams can setup synchronization with a Private Packagist organization

Bugfixes

Increase nginx server_names_hash_bucket_size to 64
Make sure temporary files are always cleaned up after creating an archive even in case of errors
Catch some unexpected potential errors returned by Bitbucket during synchronization, log them and retry later

1.3.5

Nov 30, 2017

Features

Provide a manual option in org settings for default package access for all members on synchronized GitHub organizations because the GitHub API does not yet expose this setting to applications
Synchronize packages in shared projects on GitLab into the Private Packagist organization like regular projects

Bugfixes

If the owner of a GitLab sync auth token is not a member of the synchronized group, attempt to load all GitLab group info (only up to 20 API page requests)

1.3.4

Nov 28, 2017

Features

Errors and warnings in package update logs are now highlighted and indicated with a warning symbol
For organizations synchronized with GitHub, create a team containing all members which are not in any team

Changes

Allow deleting a credential currently in use by packages and mirrored repositories with an option to replace it with a different existing credential
Retry synchronization jobs after a delay if they failed due to reaching a GitHub or Bitbucket rate limit
Prevent the addition of non-SSL repository URLs upfront rather than erroring during update jobs later
Logging in composer repository application is triggered at lower notice level now
Don't retry gitlab API requests after 5 attempts that all timed out
Schedule even github packages which have an oauth token for 12 hour updates in case the webhook isn't set up
Added a view button for mirrored composer repositories on the organization settings page
Improve debugging output in case the synchronized gitlab group cannot be found during synchronization
Made database migration state detection more robust and removed error output on startup
Updated Replicated to 2.13.1

Bugfixes

Prevent race condition that could lead to broken zip files created for download from packages on Bitbucket or GitLab
GitHub organization listing is no longer limited to 30 (API pagination)

1.3.3

Oct 13, 2017

Bugfixes

Fix regression introduced for archive creation in last release

1.3.2

Oct 13, 2017

Features

Allow users to regenerate their personal auth token on the profile page

Changes

Improve guidance through Integration setup in Enterprise admin panel
Enterprise Setup now checks for availability of ports 80 and 443
PHP base image upgrade

Bugfixes

Request correct scope on login with self-hosted GitLab CE OAauth
Skip the account merge dialog if a user tries to login in a browser tab after having logged in on another one
Prevent error when deleting users in Enterprise Setup mode without being logged in
Fix race condition during archive generation that could lead to incorrect zip contents on download

1.3.1

Sep 25, 2017

Features

Option to delete organizations from the Enterprise admin panel without joining an organization as an owner
Organization memberlist now shows all inactive users who will become members as soon as they activate their Private Packagist account by logging in

Changes

Package update errors now differentiate between HTTP errors that may be caused by permission issues and errors caused by other networking problems, e.g. timeouts
Postgres password is now read-only on the Enterprise Management Console as it was not supposed to be modified
GitLab subgroup names are now display with the full hierarchy path when creating a new organization

Bugfixes

Prevent race condition when a user tries to setup synchronization again before previous background job finished
The dialog to create an organization from GitLab groups now lists all groups rathern than just the first 20
Prevent error when deleting a user while logged out in Enterprise setup mode

1.3.0

Sep 21, 2017

Changes

Upgraded GitLab API client library, we now require GitLab API v4 - this means GitLab versions lower than 9.0 are no longer compatible

1.2.7

Sep 20, 2017

Bugfixes

Allow X-Forwarded-For headers on http requests to the Enterprise health check

1.2.6

Sep 19, 2017

Features

Add SMTP connection check button to Enterprise management console settings screen

Bugfixes

Ensure users are no longer tied to an integration after it's been deleted
Prevent synchronization from failing if teams get renamed to names of other now deleted teams

1.2.5

Sep 13, 2017

Features

Team package access page now lists synchronized packages without access to clarify which permissions are handled in external systems
GitLab subgroups now have individual teams for different types of access (Developer, Reporter, Owner, ...)
Bitbucket Server Integration Setup form now has detailed list of required settings for different dialogs

Changes

Team renames are tracked on GitLab and GitHub, Bitbucket as no team identifier other than the name
Increased timeouts for GitLab requests to 15 seconds to circumvent their rate limiting bugs

Bugfixes

GitLab permissions are now correctly inherited to subroups if they are unchanged from the parent
Prevent invalid composer.json on master branch from crashing package updates on other branches/tags

1.2.4

Sep 8, 2017

Bugfixes

Ensure internal random secret value is never modified on updates to prevent hook URLs from changing

1.2.3

Sep 7, 2017

Bugfixes

Fix URL added in previous release in specific cases

1.2.2

Sep 7, 2017

Bugfixes

Always show manual hook URL for packages where hook is not managed automatically

1.2.1

Sep 7, 2017

Bugfixes

Skip unnecessary query on executing workers, resulting in filling up postgres error log

1.2.0

Sep 5, 2017

New Features

Package rename handling: new package is automatically added if the package name changes in composer.json on the default branch of an existing package
Team members can view which packages their own team has access to (previously for admins only)
View full repository paths for GitLab subgroups
Support for Typo3 Composer Repository and t3x archive files
Shift-clicking update button on view package page force updates all versios

Changes

Deleting a user in Enterprise Admin Panel requires confirmation
Better error reporting in user interface during synchronized org creation failures
Performance of team overview page improved for very large organizations
Updated to latest version of Composer for improved GitLab compatibility (API v4) and full subgroup support
Updated Replicated to 2.11.1
Improved signal handling in worker processes
Team page directly links to full member management page

Bugfixes

Prevent deadlock in cache busting worker process
Mount the composer working directory into the ui container to allow manual adding mirrored packages from the web interface
Request OAuth Scopes on every GitLab request, fixes compatibility with new GitLab version and removes extra confirmation dialog on login
User account merging can no longer result in error for users with audit log entries
Deleting an integration properly disconnects synchronized organizations from the third party service
Properly clear permission cache on package deletion (low impact, as package data was gone anyway)

1.1.3

Aug 4, 2017

New Features

Option to disable email entirely for Enterprise
GitLab subgroup support

Bugfixes

Handle GitHub Abuse responses appropriately
Fix suggested GitLab authentication URL
Do not attempt to mirror a package name that also exists publically but current user has no access to
Avoid duplicate initialization of packages

1.1.2

Jul 25, 2017

Changes

Upgraded Replicated to 1.9.3

1.1.1

Jul 24, 2017

New Features

Ability to search and delete user accounts completely on admin page
Display github rate limit issue warnings on package initialization
Support for nested Bitbucket and GitLab repository URLs

Changes

Higher timeouts and better handling of timeouts for Bitbucket and GitLab
Warn users when trying to use readonly tokens to mirror new packages
More reliable error logging on the repo container
Unified job queue with priorities replaces workers separated by job type
Allow organization admins to manage synchronization, not just owners
Avoid probing for composer.json on VcsRepos that are known to work already
Updated GitHub links to use new apps path (formerly integrations)

Bugfixes

track state of packages correctly after sync has been disabled on an organization
No more 403 page after removing yourself from an organization
Prevent duplication of synchronized repositories in add package screen
Package renames now invalidate cache of of composer metadata
Unreachable mirrored third party repositories now trigger warning instead of 500 error on composer repo
No 403 erros for non-admins when viewing package details of a package in their team

1.1.0

Jun 15, 2017

New Features

Allow editing of authentication token descriptions

Changes

Remap all internally used ports to uncommon numbers to avoid conflicts with other services on host
Report Webhook error states on package details page
Use internal network only for internal API calls to avoid reliance on DNS or public certs
Switched all containers to alpine to reduce size and improve compatibility
Added more detailed logging to external API interaction in case of errors
More detailed logging of all error states in docker process stdout / support bundle

Bugfixes

Removed potential race condition in database setup for Private Packagist Enterprise
Synchronize team memberships when manually adding a package in the synchronized organization
Validate from mail address in dashboard settings
Ensure hostname for ui and repo are distinct in dashboard settings
other minor changes and dependency updates

1.0.15

May 18, 2017

Bugfixes

Fix regressions in background workers
Fix python patch for supervisord

1.0.14

May 17, 2017

Bugfixes

Patching Python for RHEL 7.2 compatibility to run supervisord

1.0.13

May 17, 2017

Changes

System Updates Bugfixes
RHEL supervisord/python random syscall workaround

1.0.12

May 8, 2017

New Features

Store user join/leave activity on organizations

Bugfixes

Organizations will not be created with a number suffix in their name unless necessary
Fix deletion of organizations which resulted in a 500 error
Per-organization seat-based notification emails are disabled
Improve Bitbucket token issue error handling
Ensure admin teams definitely always have access to all synchronized packages

1.0.11

Apr 23, 2017

Bugfixes

Fix GitHub Enterprise automatic webhook setup (differs from github.com)
Automatically correct webhook setup on manual package update if not present or incorrect

1.0.10

Apr 20, 2017

New Features

New Organization Explorer in the Admin Panel
Allow Deletion of Integrations
Collect supervisord process log files in support bundle

Bugfixes

Fix an organization synchronization error
Allow all images in Content Security Policy to allow for external avatars
Improve display of Installation Counts

1.0.9

Apr 19, 2017

New Features

HTTP Port is now configurable to something other than 80

1.0.8

Apr 19, 2017

Bugfixes

Fix regression in GitHub Enterprise API Access
Improve Startup Time of nginx container

1.0.7

Apr 19, 2017

New Features

Added HTTPS Port Selection to allow custom HTTPS Ports

1.0.0

Mar 30, 2017

First stable release