Private Packagist Self-Hosted
Not scheduled yet
- Read-only and update authentication tokens can now be created and regenerated with an expiration date after which the tokens will stop working.
- Organizations can now configure that read-only and update authentication tokens expire after a certain amount of days.
- Security Monitoring now uses the audit ignore config from the project's composer.json to automatically close ignored issues.
- Added API endpoints to view and edit which branches to monitor for security issues.
- Organizations can now configure that user authentication tokens expire and automatically regenerate on a regular basis.
- The changelog page of a package now links to the source of the changelog information.
- Read-only and update authentication tokens are now write-only. They can only be viewed once after creation and regeneration. Only the description can be edited.
Sep 1, 2023
- Multi-factor authentication was not required after login via OAuth when an organization or user had opted to require it. Multi-factor authentication was correctly required as configured at all times for users logging in with email/password.
- Adding a mirrored third-party repository that doesn't return valid JSON on the packages.json endpoint now shows an error message instead of just reloading the form.
Supported Replicated versions: >=2.56.0 <2.57.0
Aug 24, 2023
- Synchronizations using a credential with a port in the domain name but matching the integration domain no longer cause a credential domain mismatch error.
Supported Replicated versions: >=2.56.0 <2.57.0
Aug 23, 2023
- Using Bitbucket Server OAuth to log in no longer causes a server error.
Supported Replicated versions: >=2.56.0 <2.57.0
Aug 23, 2023
- Added an API endpoint to fetch a single team.
- Added an API endpoint to fetch all synchronizations.
- New "Access All Packages" permission can be granted to teams (via UI or API). Controls whether the team has access to all non-synchronized organization packages. Revoking this access will not remove access to packages the team has access to at the time.
- The packages page now shows private packages, mirrored packages, and packages from subrepositories in a single list with a number of filters.
- Browsing all packages of a mirrored third-party repository will now show them filtered on the packages page.
- The list of packages is now paginated, addressing performance issues while loading the page for organizations with thousands of packages.
- GET API endpoints can now be accessed without generating the full signature using the Authorization: PACKAGIST-TOKEN header.
- Install statistics are now available when fetching subrepositories via the API.
- The user management page in the admin panel now lets you filter by active and inactive users. It shows the number of found users for each search, and allows multiple users to be deleted at once.
- The list of organization teams is now paginated, addressing performance issues while loading the page for organizations with thousands of teams.
- Organization and subrepository renames (name or short name for URLs) now create entries in the organization log.
- Creating, editing, and deleting a multi-package repository now creates an entry in the organization log.
- Synchronization errors are no longer displayed while a synchronization run that may resolve them is still in progress.
- After editing a package users are redirected back to the package page instead of the package list.
- Subrepository members with edit permissions can now also add to a subrepository all organization packages to which they have edit access.
- Synchronization runs list which repositories were added to or removed from a team.
- Synchronization runs list which members were added to or removed from a team.
- Log entries are now created for mirrored third-party repositories when creating/deleting, editing/changing permissions, and adding/removing from a subrepository.
- The list to add organization packages to a subrepository now also shows the package URL and states if the package is abandoned or part of a multi-package repository.
- Notification channels can no longer be created on the organization security settings page; use the notification channel settings page instead.
- Synchronization runs now list which users were added to the list of removed synchronized members.
- Regenerating read-only or update authentication tokens now adds an entry to the organization log.
- Added missing organization log entries for adding, editing, and deleting notification channels, as well as adding and removing notification channels from subrepositories.
- Custom package definition submitted via the API no longer requires the top level "package" key, similar to submitting it via UI.
- Users that are deactivated, blocked, or banned in GitLab are removed as organization members in Private Packagist when synchronized, as opposed to remaining members without the ability to log in.
- Users will now be logged out when their OAuth token expires and cannot be refreshed.
- Adding GitHub Enterprise Server as an integration via the Private Packagist admin panel no longer errors if the rate limit endpoint requires authentication.
- Adding a new mirrored third-party repository to an organization no longer produces a server error if the HTTP call to validate the mirrored repository errored with a cURL error, e.g. a request timeout.
- Login via OAuth for users that are only part of a single organization directly redirects again to the organization instead of the organization list.
- The error message for failing Bitbucket synchronization states the missing OAuth scopes for the credential again.
- Downloading archive files from the package view page after switching versions works again.
- Organization log entries for synchronization created and deleted now contain additional information about the synchronized remote organization.
- New package entries in the organization log now use clearer values in the "Triggered By" column instead of the generic "Background Job".
- Added missing organization log entries for teams that are created and deleted during a synchronization run.
- Adding a package with its dependencies to a subrepository didn't add all dependencies to the subrepository if more than 1000 transitive dependencies were shown.
- Creating a subrepository now adds packages via a background job, avoiding potential request timeouts.
- Resolved an out of memory issue when adding a package with dependencies to a subrepository.
- A log entry is added when a credential is created during synchronization setup.
- Promoting a user to Owner on GitHub or Administrator on Bitbucket can no longer remove the user from synchronized organizations.
- Versions longer than 255 characters, e.g. branch names longer than 251 characters, are now truncated to 255 characters and no longer cause the background worker to keep crashing and reduce the number of available workers.
- Mirrored third-party repositories returning an empty dist URL as part of the package metadata will no longer break Composer commands.
- The confirm dialog shown when deleting a multi-package repository now only lists each package name once, even if some packages were added to subrepositories.
- The packages list now correctly shows errors with the webhook setup, even if the webhook was successfully setup before.
- Composer 1 commands could produce a server error, causing the commands to fail, if the organization had several thousand packages.
- The list of authentication tokens always showed 0 for installs in the last 30 days. This now shows the correct number again.
- Multi-Packages showed a wrong webhook URL on the package page that would return a 404 response when used to trigger a package update.
- The package page now keeps showing the hook URL if the webhook was manually configured.
- Fixed the update review comment link for Bitbucket, GitHub, and GitLab releases for versions where the git tag doesn't match the version specified in the composer.json file.
- Adding a new multi-package repository to an organization will now link to the existing configuration if there is already a multi-package repository with the same URL in the organization.
- Organizations that enforce MFA for login no longer enforce MFA once they are deleted.
- Prevent errors when users double submit the grant team access to packages button.
- Security Alert emails now only show up to 250 security issues to avoid memory issues while generating the emails.
- Creating new teams via the API using a name that is already in use no longer returns a 500 error response.
- The API error response now indicates which property fails the validation if an invalid value is sent for an enum type.
- Improved the render time of the profile page for users that are part of an organization with a lot of subrepositories.
- A successful login via email and password for a user with MFA enabled redirected back to the login page if a first login was not successful. This now redirects to the MFA screen.
- Adding teams to a subrepository right after the subrepository was created could lead to teams not having access to all packages in the subrepository.
- Fetching an artifact file with a non-numeric ID from the API no longer returns a 500 response.
- GitHub synchronization runs now state if they fail because of an expired GitHub personal access token.
- Deleting a package assigned to over 50 subrepositories now deletes the package via background job to prevent memory issues.
- Log entries are now created when teams are added or removed from a subrepository.
- Log entries are now created when the permissions for a team are changed within a subrepository.
- Adding a package to multiple subrepositories at once can no longer result in a 500 error.
- Synchronizations with Bitbucket Server now detect maintenance mode and retry synchronization runs later.
- Links to files on the changelog page for packages using GitHub releases now point to the correct URL on github.com and no longer to a 404 error page.
- Creating packages for new VCS repositories that are created in the remote organization while the organization is being synchronized is no longer delayed until after the synchronization run is finished.
- Creating an integration with a base URL that is missing the host part no longer results in an error.
- Form to invite members in the Self-Hosted Management Portal no longer returns a "Method Not Allowed" error.
- Usernames are now limited to a length of 50 characters.
- Package links shown for a version were missing the constraint information if the constraint was self.version.
- Deleting a team that has access to multiple subrepositories no longer results in a 500 error.
- Synchronized GitHub organizations where members have access to all repositories no longer require a full synchronization run for all synchronized members to have access to new repositories.
- Editing the dist URL for a custom JSON package now removes the stored dist file and fetches the file from the new URL.
- A search term not matching any VCS repositories on the add package from synchronization dialog no longer removes the search bar.
- Mirroring new packages in a subrepository at the same time as removing the mirrored third-party repository from the subrepository no longer causes an error when accessing the packages list.
- Inviting the same user multiple times to the same team no longer results in a 500 error.
- The form for custom packages now shows more clearly that you can either upload a file or define a URL in the dist section of each version.
- Using bitbucket.org OAuth to register a new account no longer errors if the registration form wasn't submitted for longer than an hour. The OAuth access token expired and couldn't be refreshed without errors.
- Renaming a package and immediately using that package in a Composer command does not result in server errors anymore.
- Accessing package versions with more than five digits as major version no longer shows an error page.
- Creating a new integration with a name that only consists of spaces no longer results in a 500 error page, but rather an explanation.
- Security advisories defining an invalid affected version constraint no longer cause the package page or the security advisories page of a package to return a 500 response.
- Deleting a package while a background job updates the package now queues the delete task until the package update has finished, avoiding server errors.
- The last used date for authentication tokens is now correctly updated.
- Organizations with synchronizations from two Bitbucket Server instances with identically named projects and groups are no longer missing teams in Private Packagist.
Supported Replicated versions: >=2.56.0 <2.57.0
Dec 2, 2022
- Synchronizations with Bitbucket Server were only synchronizing users with direct access to the project. Users with access via a group are now included again.
Supported Replicated versions: >=2.54.0 <2.55.0
Nov 14, 2022
- Resolved an issue that prevented creating new integrations via the Private Packagist Admin Panel.
Supported Replicated versions: >=2.54.0 <2.55.0
Nov 11, 2022
- Added new API endpoints to manage teams and team memberships.
- The API now returns the date a package version was released, if known.
- Log entries for added and edited packages now show additional information such as clone URL, which mirrored third-party repository it was mirrored from, if it's part of a multi-package repository, etc.
- Package access for synchronized teams can now be resynchronized directly on the team's packages tab.
- The package list now also shows the VCS repository URL and a GitHub/GitLab/Bitbucket icon for private packages.
- A permanently-dismissable notice is shown for all users that have yet to enable multi-factor authentication.
- Existing organization members can now be added to other organization teams by username as well as email address.
- After registration, users are asked to enable multi-factor authentication. This is only shown once.
- Older GitLab versions issued OAuth access tokens without a refresh token. Since GitLab 15.3, these tokens can now expire, preventing us from fetching GitLab Groups that can be used for synchronizations. If necessary we now show a message to log out and log in again to resolve the issue.
- GitHub synchronization no longer skips teams called "Teams" after GitHub fixed a bug in their API; this removes the workaround from the previous release.
- Connecting to a new OAuth account on the synchronizations page now redirects back to the synchronizations page and no longer to the profile page.
- Improved the render time of the synchronizations page for Self-Hosted installations that have been running for a long time with multiple synchronizations.
- Resolved an issue during the cleanup of deleted organizations and subrepositories that would cause the background worker to keep crashing and reduce the number of available workers.
- The check for leaked passwords using haveibeenpwned.com on the change password and registration form no longer renders HTML tags in the error message.
- When a subrepository is granted access to an organization's package, a log entry is created in the subrepository's log in addition to the existing log entry in the organization.
- The packages list renders faster now for organizations with a large amount of repositories on GitHub, GitLab, or Bitbucket.
- The packages list renders faster now for subrepositories when the organization has a large amount of private packages.
- Sending weekly and monthly security summaries no longer causes out of memory errors for organizations with a lot of open security issues.
- Resolved an issue that prevented the removal of mirrored third party repositories from a subrepository if it contained packages from this mirror.
- Packages no longer state that they are missing credentials to set up a webhook if they have credentials assigned for a platform where we don't support the automatic setup of webhooks.
- Changing the URL of a synchronized package now also correctly disassociates the package from the synchronization with the previous URL.
- Fixed a bug that prevented create, edit and delete of integrations in setup mode without being logged in.
- Renaming an organization or subrepository twice in short succession no longer triggers an error.
- Requesting a new mirrored package via "composer require" or "composer update" that needs authentication now shows a helpful warning instead of erroring with a 503 response if there is no authentication configured for the mirrored third party repository on Private Packagist.
- The security monitoring settings page no longer shows "no limit" as selected option to limit monitored projects when the form is submitted with another value.
- Fixed a bug where selecting too many packages to add to a subrepository would cause an nginx buffer overflow error.
- Install statistics for organizations and subrepositories older than two years are now correctly calculated as daily averages.
- Accessing a package that has several hundred versions could result in a 500 error. This has been resolved.
- Update jobs for packages from GitLab repositories are now delayed if necessary to run at most every 30 seconds to avoid fetching stale cached data from the GitLab API.
- Deleting a package, then adding a package with the same name from packagist.org can no longer lead to a stale local Composer cache when using Composer 2.
Supported Replicated versions: >=2.54.0 <2.55.0
Jul 27, 2022
- Multi-factor authentication has been added to user accounts. Organization owners and admins can enforce MFA for their members.
- Security notifications are now cumulated across all projects, resulting in fewer emails on discovery of new security vulnerabilities in multiple projects
- The upcoming Composer 2.4 security features (audit command and security advisory listing on update) are now supported by Private Packagist for all private and mirrored packages
- Added a button to the profile page so that users can delete their account themselves
- Credentials are linked to all their usages on the credentials page
- The Update Review detail page on Private Packagist linked from pull request comments now displays relevant security advisory information like the comment already did.
- When configuring an integration with Bitbucket Data Center / Server, Private Packagist will now validate the base URL by sending a test request to Bitbucket
- When viewing a synchronized package the synchronization is now listed in the right-hand side metadata
- More specific titles were added to most pages
- Organization, subrepository and customer forms show the whole url for their short names
- Fixed the link on the synchronizations page to the Bitbucket Data Center / Server project
- Archive job no longer crashes in a loop for multi-package repositories when a commit reference points to a nonexistent package sub folder
- Synchronization job for organizations no longer crashes for GitLab 403 API responses when trying to access resources the credentials do not have access to
- Fixed the diff link in Update Review comments for changed packages containing Composer download URLs (dist URLs) pointing to GitHub release URLs
- Fixed a bug where user roles weren't merged correctly, causing admin accounts to lose permissions when connecting another account via OAuth
- Notifications for abandoned or released packages in subrepositories were not sent
- Corrected the name for Bitbucket Data Center / Server credentials from app password to personal access token
- Prevented validation errors when editing synchronization settings while someone else creates the first subrepository in an organization
- Editing credentials now also triggers background jobs to locate packages in multi-package repositories again using the modified credentials
- Synchronizations with GitLab no longer create duplicate admin and owner teams
- Synchronization runs no longer fail if Bitbucket returns the same user id multiple times when checking permissions for a repository
- Resynchronize button on the teams or settings page is now unblocked when synchronization jobs have expired
- Added quotes to the Composer command on the user authentication page for usernames containing spaces
- Prevented a 500 error when deleting, recreating and deleting a subrepository by the same name again in a short time window
- Submit button wasn't shown when adding integrations and the URL was pasted from the clipboard
- Fixed a bug in OAuth connect, which could lead to a user receiving 500 errors on all pages. This was triggered by a user connecting their existing account to an OAuth service, which is used to synchronize an organization.
- Custom packages webhook status is now "not supported" and no longer "missing credentials"
- Fixed a temporary 500 error shown on the package monitoring page briefly after a vulnerable dependency is removed
- On package deletion audit log entries are no longer created for deleted subrepositories that used to contain the package
- Stopped VCS pushes from triggering a background job crashing in an infinite loop on GitLab 404 exceptions, when credentials have insufficient permissions to access a group
- Using composer search for a package name without a slash no longer errors because Private Packagist's Composer API now returns an empty list instead of a 404 error
- Files that were uploaded via the custom package form or when adding a package through uploaded files are kept for 7 instead of 2 days if the form is not submitted
- If login fails because the host cannot be resolved, there are SSL errors, or the connection timed out, a specific error message is now shown instead of "HTTP request failed"
- If Slack notifications hit the rate limit there is now a random delay between 30 and 780 seconds for all retries
- Notifications for abandoned or released packages in subrepositories were sent to notification channels only configured to receive security alerts
- When a new member was added to a synchronized GitHub organization, they were only added to their initial team, but not others like "all members" until a full synchronization run corrected the access within 12 hours
- Update Review comments could not be created when an invalid dependency package version was stored in the composer.lock file
- Deleting an organization is done in a single transaction to prevent the job from crashing in an infinite loop
- When editing a synchronized package and assigning new credentials, the package update will no longer revert the package back to using the outdated credentials.
- Form validation errors for organization and subrepository short names are shown right next to their input field
- Workaround a GitHub API bug by skipping synchronization of teams literally called "teams" to allow GitHub synchronization to complete
Supported Replicated versions: >=2.53.7 <2.54.0
May 27, 2022
- Added a new option for synchronizations with GitLab groups to skip synchronization of projects shared with the group
- Added billing history showing payment method and invoice address, along with plan and license information, to the Self-Hosted portal on Packagist.com
- Update Review comments now indicate package versions that have security advisories, including a message if an update introduces package versions with known vulnerabilities.
- Glob expressions for repositories containing multiple packages now support brace expansion (eg,
- Security Advisories now indicate all advisory databases that they were found in (GitHub or Friends of PHP)
- A more helpful error message is displayed when a synchronization with Bitbucket Server results in an unauthorized access API error (due to invalid credentials)
- The list of integrations on the Private Packagist admin panel is now styled more consistently with the rest of the application
- Reaching API rate limits when adding packages from a synchronization with Bitbucket will now cause it to retry by cloning instead of using the API
- Username and avatar are now displayed in the Add Synchronization modal to indicate the connected accounts
- Correctly store triggered-by information in the audit log for both adding and removing packages from a subrepository
- After editing a private package with a configured webhook, Private Packagist now assumes that the webhook is not set up until a delivery is successfully received
- Fixed detection of premium subscription for synchronization with gitlab.com. This caused Private Packagist to skip setting up webhooks because it assumed package webhooks were not necessary
- Mirrored packages without a vendor name can no longer be added via the add package dialog
- Resolved an issue with submitting a weak password on the registration page that caused a 500 error
- Updated the link to create HTTP access tokens on Bitbucket Server, and the link to create app passwords on Bitbucket
- Fixed a race condition where package initialization was triggered by both an organization and subrepository synchronization, causing the package to not get added to any subrepositories
- Better detection of Zip and Tar archives when uploading Package Archives via the API; now all types uploadable via the UI can be uploaded to the API
- Update Review comments will not be updated on pull requests that have been closed/merged, even if they are edited
- The last owner of an organization during a synchronization cannot be removed anymore, even if that owner is not connected to the synchronized service
- When a package contained several thousand Composer patches, a database error occurred during the package update, so new patch information was not added and was therefore not available in the UI.
- Downloading composer.lock files over 1MB from GitHub now returns a 200 instead of a 403, which caused functionality such as Update Review to fail. Downloads of large files are now retried using a different API call
- Bitbucket API requests resulting in the Bitbucket-specific status code 555 are now retried, similar to a 500 status code
- composer.json files are no longer automatically added to the ignore list when they get deleted from a multi-package repository
- Fixed a bug that caused packages to become inaccessible when changing the URL of an existing package to the URL of a VCS repository that is also available on packagist.org
- Submitting certain invalid package names via the "Add Mirrored Packages" form could result in a 500 response. This is no longer the case
- Added missing version information when fetching individual subrepository packages mirrored from packagist.org via the API
Supported Replicated versions: >=2.53.6 <2.54.0
April 13, 2022
- Resolves an issue that prevented the packagist-ui container from starting when upgrading from a version before 1.11.0 because of a faulty migration
April 13, 2022
- Resolves an argument injection vulnerability which allowed maintainers of private packages to run shell commands on the packagist-worker container via the readme property of the composer.json in the default branch of a Mercurial repository and create files via the name of the default branch of a git repository. We do not believe this to have been exploited prior to the publication of this release. (CVE-2022-24828)
- Decreased the maximum file size for JSON responses from mirrored third-party repositories from 256MB to 128MB to avoid memory issues during the automatic mirroring of new dependencies.
- The log output of the background workers is now available when accessing docker logs of the packagist-worker container. The logs were previously only available in a log file inside the container.
- API endpoints returning security advisories now also include the Packagist security advisory ID for each advisory
- The update review feature on GitHub and GitLab now uses the HEAD sha instead of the merge commit to generate the composer.lock diff. This resolves a bug where the comment would get updated with incorrect information when the pull request was closed.
- Packages that rely on git to fetch updated version information did not detect changes of the default branch after the package was added. This functionality has been added.
- Deleting a package in a subrepository that is part of a multi-package repository also deleted the package from the organization package list. This no longer happens.
- Updated the GitLab rate limit detection to handle cases where GitLab doesn't return any rate limit headers
- Adjusted the triggered by column for audit log entries of type "org.package.delete" that were displaying UI instead of job or sync even though they were caused by a background worker
- Mirroring new dependencies via Composer could result in a 500 response by the Private Packagist server if one of the mirrored third party repositories returned invalid JSON with a non-terminating string
- Using a read-only authentication token with Composer 1 didn't show a message that an update token should be used when trying to mirror new dependencies. This has been added again
- Improved the error output when adding mirrored third party repositories with unsupported query parameters to show the actual URL that was called to access the repository.
- Updated the link in the Private Packagist admin section to set up an integration on GitLab to match URL changes on GitLab
- Added support for mirroring packages from mirrored third party repositories that return a list of packages, where the package keys don't match the fully qualified package name, in the packages.json response
Supported Replicated versions: >=2.53.2 <2.54.0
March 25, 2022
- Resolved an issue with security monitoring that would trigger multiple alerts if an advisory was available in multiple databases.
- Adjusted the package update mechanism to handle an unannounced API change by Bitbucket. Bitbucket's change prevented falling back to Git for VCS repositories when access to the API was denied. As a consequence Bitbucket packages relying on SSH keys may not have updated anymore.
- Resolved an issue that prevented creating a synchronization in a subrepository with existing credentials
- Resolved an issue that caused synchronizations with a self-hosted GitLab instance using GitLab admin credentials to error.
- Synchronizations with a GitLab Group no longer show a wrong webhook state if the credentials belong to a member without owner permissions
- Updated the GitLab group webhook logic to match changes in the GitLab API that now expects a PUT instead of POST request to update an existing hook.
- Unsubscribing from security alerts for a package that has since been deleted no longer shows an error page. Instead, this now tells the user that the package has been deleted.
- Resolved an issue that prevented manually resending notification deliveries and notification email verifications via the UI.
- Updates for packages with security monitoring enabled no longer error if the default branch suddenly contains a composer.lock file with invalid JSON.
Supported Replicated versions: >=2.53.2 <2.54.0
March 16, 2022
- The SMTP server custom port option was ignored when setting up the email configuration for Private Packagist. This has been resolved.
- Resolved a race condition when setting up a new Private Packagist Self-Hosted instance that would create two configuration objects, causing a server error when accessing the Private Packagist UI.
- Setting up a multi-package repository with repository type "git" would store version information from a wrong directory for some packages.
- Creating a new Bitbucket Server integration resulted in a server error. This has been resolved.
Supported Replicated versions: >=2.53.2 <2.54.0
March 10, 2022
- Private Packagist Enterprise is now Private Packagist Self-Hosted
- Introducing Update Review: Private Packagist comments on your pull requests with all composer.lock changes displayed in a clear and easy to scan table
- API credentials can now have a description
- Added API endpoints to manage authentication tokens
- Synchronizations with GitLab now also recognize individual repository collaborators
- Security advisories for a package are now visible on the package page
- Package versions affected by a security advisory are now highlighted on the package page
- Security issue notifications webhooks can now be configured to dispatch a separate request for each issue. This allows you to integrate webhooks with Jira.
- Adding packages by URL now allows you to override the package name to import packages under an old name
- Added support for VCS repositories using the svn+ssh protocol
- Packages hosted on AWS code commit now show how to set up a hook to keep the package updated
- Adding packages with the JSON import functionality now also allows you to use github/gitlab/bitbucket as repository type
- Changing the licensed maximum number of users no longer requires a restart of the application
- Private Packagist will now show in the UI if an update is available for your Private Packagist Self-Hosted instance
- Various performance and memory improvements to automatic mirroring. This will speed up your composer update and composer require commands
- Adding packages to a subrepository via the "Add Package" dialog now also allows you to add all private dependencies of the package you add
- Synchronizations with GitHub and GitLab have an option to skip archived VCS repositories. This option is enabled by default for new synchronizations.
- You can edit the description or the username of a credential without re-entering the password or access token
- Packages mirrored from a third party vendor's repository on packagist.com will now detect new versions within minutes of their release
- When adding a package from a VCS repository without a composer.json in the root directory, you now get the option to add the repository as a multi-package repository
- Increased the maximum file size for package archives from 128MB to 256MB
- Synchronized GitLab repositories with visibility "internal" are now treated the same way as "public" repositories and are available to all members of the organization
- Importing VCS repositories from bitbucket.org no longer requires adding the .git suffix
- Updated the synchronizations page to better display all relevant information for organizations with multiple synchronizations
- Synchronized VCS repositories can now be added as multi-package repositories via the "Add Package" dialog
- Updated the naming of Bitbucket Data Center / Server to remove all references to Atlassian Stash
- Added a link to set up mirrored third party repositories from the add package form
- The verify email banner is now only shown once after login and on the profile page
- The source and user columns in the organization log have been merged
- The security vulnerabilities summary email is now limited to 1000 security issues
- Accessing mirrored packages from third party repositories other than packagist.org through the web interface returned a 500 response outside of subrepositories. This has been resolved.
- The creation of archives from source is now skipped if the package uses checksum verification, to avoid errors during composer install
- Mirroring new packages during a Composer command will now wait longer for a result instead of returning an error after one minute
- Added a retry mechanism to HTTP calls during the package update process to reduce the risk of random failures
- The automatic mirroring now handles invalid responses returned from asset-packagist.org and will no longer mirror non-existing packages
- Registration via OAuth now shows a helpful message if the OAuth token expired before an account was registered
- The organization log was missing the user entry for some actions. It is now shown.
- Significantly reduced the time it takes to store archives for big git repositories
- Packages now show an error message if the domain of the credential assigned to the package cannot be used during the archive process
- Mirrored third party repositories incorrectly using integers instead of strings for version numbers no longer result in failing package updates
- Deleting a package via API while the package is updated will no longer return a 500 response
- Packages hosted on GitLab now show a clear message if the credentials don't have enough permissions to set up webhooks
- Made it clearer that the svn protocol is not supported. https or svn+ssh should be used instead.
- Editing a non-installable package now properly resets its state and makes the package installable if possible
- Resolved an issue with multi-package repositories using SVN that could cause a background worker to get stuck if the SVN repository contained an empty trunk directory.
- Mirrored packages that were removed from the mirrored third party repository showed two messages saying that they were abandoned. They only show one message now.
- Synchronizations with GitLab now handle credentials that expire during a run
- Security issues no longer re-trigger alerts if certain properties change e.g. a CVE was added to an existing issue
- Added handling for renaming the default branch used for security monitoring. This no longer re-triggers alerts.
- The security monitoring setup for a package no longer gets stuck if the default branch is not the topmost sorted branch.
- Resolved an issue that prevented setting up a synchronization with bitbucket.org
- Resolved an issue where versions would temporarily disappear if GitHub, GitLab or Bitbucket returned a 5XX response when fetching branches or tags
- Packages imported from bitbucket.org now show a message if an OAuth scope required to set up webhooks is missing
- Packages with a markdown changelog are now properly parsed even if the filename doesn't end in .md
- Resolved issues with HTML forms that would show an incorrect state when the browser back button was used after submit
- Packages using other archive types than ZIP displayed errors that an archive could not be created after the package was initialized. This has been resolved.
- Added error handling for cURL errors when fetching the changelog information of packages
- The archive generation for phpstan/phpstan now skips generation from source, as this could take several minutes
- Synchronizations with Bitbucket now correctly handle deleted repositories that were not fully removed on Bitbucket
- Resolved an issue where security issues were not removed from a package when the composer.lock file was deleted
- Added validation that all VCS repositories require a non-empty URL to avoid unhelpful error messages
- Adding and editing a mirrored third-party repository was not applying a maximum response size and could result in a PHP fatal error. This has now been fixed.
- Updated the wording explaining why certain words cannot be used as names for subrepositories
- The API documentation page no longer uses a JS library hosted on an external domain
- Install statistics pages showing graphs no longer use a JS library hosted on an external domain
- Submitting the add organization form twice would result in an unexpected error. This has been addressed.
- Synchronizations with GitLab no longer result in errors if they have users assigned with "Minimal access" permissions in GitLab
- The add synchronization modal could prevent users from creating new credentials when credentials for the same authentication type on a different domain existed
- Synchronizations with GitLab now correctly import permissions in the case where a user has access to a subgroup via inherited permissions from the parent group and at the same time via another group that was invited to the subgroup
- Upper-case letters in a short name when creating a subrepository are now automatically converted to lower case instead of causing an error
- Login via OAuth with Bitbucket Server could reset the stored access token which would prevent setting up new synchronizations by that user
- New packages added via a synchronization with Bitbucket Server failed to set up a webhook on Bitbucket Server to get notified about updates
- Opening the add synchronization modal without a configured integration will now list instructions to add an integration instead of showing a blank modal
Supported Replicated versions: >=2.53.2 <2.54.0
October 22, 2021
- Collaborators can now be added to subrepositories. They can only access selected subrepositories, but don't have access to the organization
- Added API endpoints to list all security issues for a package or an organization
- Added a filter by security issue state to the packages list API endpoint
- The modal to add packages from a synchronization and the modal to add packages from an organization to a subrepository now allow you to add multiple packages at once
- The package page now displays a link to the changelog and lists changelog information with the version information
- The synchronization page now lists active synchronization runs and their current progress
- For packages using a Composer patches plugin like cweagans/composer-patches, the package page now lists patches information defined in the composer.json
- We now support GitLab group webhooks for groups with a GitLab Premium subscription. New repositories are now found when they are created, not only once the daily full synchronization runs.
- A new log section can be found on the organization settings page, displaying activity in the organization
- Installation statistics are now available for organization authentication tokens and on your profile page for your personal authentication token.
- Existing packages can now be edited to be turned into multi-packages (multiple packages in a single repository) without having to recreate them.
- Non-synchronized organization members can now be removed from the organization and all teams at once on the members page
- To avoid losing Composer access to a Private Packagist organization, organizations with a primary synchronization, where none of the owners have a Private Packagist account, are disabled
- For synchronizations with GitLab the "Master" team was renamed to "Maintainer"
- Synchronizations with GitLab now detect when another group was invited as a member to the synchronized group
- When initializing a VCS repository with multiple composer.json files, the initialization result for each directory with a composer.json is now shown
- The user authentication page now shows when the user token was last used
- Package updates that trigger an API rate limit will now instantly be retried via git clone
- The credentials page now shows a warning if any of your stored GitHub API tokens are about to expire or already expired.
- For Bitbucket App Passwords we now recommend enabling the pull request scope to be able to benefit from the upcoming pull request comment feature
- Ordering changes on the third party mirrored repository page can now be undone.
- A single Bitbucket Server instance can now be connected to multiple Private Packagist instances
- When creating a synchronization with Bitbucket Server, we now detect if the credential user is a global admin without being a direct member of the synchronized project, to avoid them being removed from the organization by the synchronization.
- Resolved a bug that would prevent packages accessible in subrepositories from receiving updated metadata information when using Composer 2
- A successful user registration now redirects to the page the user was initially trying to access, e.g. when clicking on an invite link in an email
- On the credentials page the link to create a GitLab API token was updated to match the latest GitLab version
- Synchronization errors now show additional information like the endpoints that caused the synchronization run to fail
- The subrepository access page for credentials now shows a tooltip why some credentials cannot be removed from a subrepository
- The subrepositories link on the package page was pointing to a non-existing page. This has been resolved.
- When creating a synchronization with a GitLab subgroup the name now matches the full path of the subgroup
- Misconfigured OAuth integrations will now show proper error messages when trying to log in. For example, if the client id or secret is invalid
- Failed login attempts with bitbucket.org now also show error messages by Bitbucket
- Credentials created when setting up a synchronization in a subrepository were not stored in the organization, which could lead to errors when later assigning additional credentials to the subrepository
- The Composer instructions to set up authentication using the Composer command displayed an invalid command if the username contained a space. This has been resolved
- The password strength indicator on the registration form was rendering invalid HTML when submitting a weak password
- Fixed an issue that the license page could not be shown if one of the packages contained a null byte in the license field in the composer.json
- Resolved an issue where package updates would error when renaming a package that is part of a multi-package repository
- For multi-package repositories that are not synchronized, multiple webhooks were set up, which could lead to API rate limit issues caused by too many background jobs
- Resolved an issue where usernames with leading or trailing whitespace could cause unique key violations.
- Adjusted OAuth authentication with Bitbucket Server to handle cases where the Bitbucket username doesn't match the username slug. This happens, for instance, when the username contains the @ symbol
- We now clean up unused Bitbucket team webhooks
- Resolved an issue where multi-package repositories with GitLab would not search for composer.json files in all directories
- Cleaned up the package update and initialize error output to not leak any GitHub tokens using the new format
- Packages, where only the casing of the name changed, were marked as abandoned. This has been resolved and will be fixed for all existing packages with their next update.
- Packages, which have not been fully initialized, now show a "waiting for update" security monitoring state instead of "disabled"
- Expired Bitbucket OAuth tokens are now refreshed using their refresh tokens to avoid issues during user account registration
- In case the archive background job takes longer than expected we will first return a redirect response to Composer to be able to wait longer for the archive to finish. This will help for instance with large Bitbucket repositories that cannot be downloaded as ZIP files from Bitbucket.
- The API no longer returns a 500 error in cases where a called URL is not available. This now returns a 404 response.
- Package archive jobs for packages of type "metapackage" could trigger an error. Those archive jobs are now skipped.
- Disabled the download button on the package page for packages of type "metapackage"
Supported Replicated versions: >=2.53.1 <2.54.0
May 5, 2021
- Added support for bearer token credentials
- Deprecated HTTP header credentials. Please contact us if you are still using them for any purpose other than a bearer token; bearer token headers will be converted automatically.
- Added additional validation and filtering of output for CVE-2021-29472 to prevent malicious source URLs and references from being delivered to outdated Composer clients
- Resolved an issue that prevented packages from updating if the composer.json contains patch information in an unknown data format
- The link to mirror a package in the security alert emails was missing the href attribute
Supported Replicated versions: >=2.51.0 <2.52.0
April 27, 2021
- The database migration to clean up the Drupal packages drupal/php and drupal/recaptcha no longer fails when updating from Private Packagist 1.10.0 or older
Supported Replicated versions: >=2.51.0 <2.52.0
April 27, 2021
- Resolves a command injection security vulnerability in Composer which could have allowed logged in users or third party package maintainers to run shell commands on the packagist-worker container. We do not believe this to have been exploited prior to publication of this release. (CVE-2021-29472)
- Packages in public repositories are now available to all members of an organization instead of just those with explicitly assigned repository permissions
- Private packages can now be marked as abandoned via the UI
- The current synchronization run now shows a detailed progress report
- Package versions returned by the API are now sorted the same way they are shown in the UI
- The default accessibility of multi-repository packages in subrepositories can now be set on the add and edit package form
- Added support for the new GitHub API token format
- Added better handling for invalid values in the license field in the composer.json file
- Added handling for additional cURL error codes explaining how to resolve the errors
- Automatic mirroring for packages from third-party mirrored repositories using providers and providers-url did not work.
- Resolved a bug that prevented the package search from working if a VCS repository that was not yet added as a package had a number as a description
- The subrepositories filter on the packages page did not persist in the URL. This has been resolved
- Increased the body max size of incoming requests to 25M to handle large GitHub webhook payloads
- GitLab returning a 520 status code will now retry the synchronization run instead of triggering an error
Supported Replicated versions: >=2.51.0 <2.52.0
March 16, 2021
- Abandoned package notifications: Receive notifications when a package is marked as abandoned
- Packages which have their composer.json file in a subdirectory, rather than the root directory, can now be installed with Composer like all other packages
- Synchronizations with Bitbucket now support all Bitbucket workspaces including former user accounts
- The package search now only searches the package name by default. The package description can still be searched as well by selecting the checkbox below the search field.
- Background workers will now automatically restart once they use 450M of memory
- Subrepository URLs have been updated to not use the word "projects" anymore
- Improved the performance of fetching dependents of a package. Please note this will only become active two weeks after the release was installed to allow for enough time to migrate data in the background.
- Packages part of a multi-package repository will now show the README file of their subfolder if available and otherwise fall back to the root directory
- Organizations synchronized with a GitLab Group will now prevent any of its GitLab subgroups from being synchronized. The parent group already imports all data from all subgroups
- Clarified the webhook state of a package that "no delivery received" can be resolved by pushing to the VCS repository.
- The repository name of a collaborator team is now a link to the VCS repository
- Renamed Bitbucket Teams to workspaces to match the naming on bitbucket.org
- Clarified that a missing composer.lock is not an error but instead means that the package cannot be analyzed via security monitoring
- Resolved an issue that prevented automatic mirroring of new packages when using an HTTP proxy
- Fixed an issue which caused an invalid Composer cache when automatically mirroring new packages with Composer 2. This caused an error message saying the package name for a particular package version could not be found in the cached JSON file.
- Security advisories removed from the FriendsOfPHP/security-advisories database will now also be removed from Private Packagist
- Package updates that fail while initializing the Composer driver now show a more detailed error message instead of a generic "Package data could not be downloaded" message.
- Overall improvements to the error handling for package updates and mirroring, e.g. for SSL timeouts
- Login and registration via Bitbucket Server failed without explanation if an endpoint returned an empty response. This was caused for instance by a 2FA app installed on Bitbucket Server.
- Resolved an issue where automatic mirroring would fail if a mirrored third-party repository returned empty metadata for a provider URL.
- Submitting a JSON string rather than an object on the custom JSON package form now displays an error message instead of triggering a server error without an explanation.
- Packages which have both dist and source information available now show both errors if a background archive job failed
- Resolved an issue where organizations created via synchronization could not be edited if the remote organization had a name longer than 20 characters
- Fixed an issue that could cause Replicated to fail to prune images when too many app releases are installed due to timeouts
- Fixed an issue that could cause the replicated-ui container to fail to start up after a Replicated upgrade
- Creating subrepositories for organizations with lots of packages could result in request timeouts. This has been addressed.
- Fetching a user's GitHub organizations displayed a rate limit error instead of an access error when the access token no longer had any permissions
- The archive background worker did not clean up all files if jobs were triggered for archive files larger than 128MB
Supported Replicated versions: >=2.51.0 <2.52.0
February 3, 2021
- The user search in Private Packagist admin panel now supports search by username and email instead of username only
- Synchronizations now show a link to all packages managed by that synchronization and the host, e.g. github.com, in addition to the type, e.g. GitHub
- Requests triggered by Composer commands that interact with mirrored third party repositories like search and automatic mirroring will now check those mirrored third party repositories in parallel. This significantly reduces the time it takes to perform those requests for organizations with multiple mirrored third party repositories.
- Synchronizations with GitHub now delete teams and add collaborators to repositories immediately via GitHub webhook instead of only when the next full synchronization runs within 24 hours
- New passwords are stored as argon2i hash and old ones will be upgraded from bcrypt the next time a user logs in using username and password
- Sample payloads for webhook notifications have been added to the documentation
- The limit of adding one email per week to a user has been removed
- Synchronizations with a GitLab subgroup now show the full path and name instead of only the name
- Emails sent from Private Packagist now contain a note telling the recipient where they can change their email
- The default frequency of security reminder summaries has been changed from weekly to monthly. This applies to new users and notification channels only
- License names of non-SPDX licenses are no longer converted to lower case
- The package description on the package list page has been limited to two lines
- Synchronization background jobs will now only be marked as timed out after 90m instead of 10m
- The default request timeout for mirrored third party repositories has been increased from 5s to 15s
- The packages page doesn't hide the number of private/mirrored packages anymore when searching or applying filters
- The filename of the downloaded archive file from the package page now contains the package name
- Resolved an issue in the file downloader that caused the archive generation to take several minutes when downloading archives from github.com bigger than 5MB
- Reduced memory usage for processing package updates in background jobs for packages which are used in subrepositories
- Setting up a GitLab synchronization with a GitLab API token that belongs to a user who is not a member of the GitLab Group will now show an error message explaining the problem
- The webhook status tooltip of packages added through synchronization no longer shows 1990-01-01 as the most recent hook call if the hook hasn't been called yet.
- The resynchronization button shown on the teams page is now disabled while a synchronization is running.
- When setting up a new synchronization, only credentials that can actually be used for it are suggested
- Attempting to delete the primary synchronization will now show an error message instead of a 500 error
- Users can no longer disconnect from an OAuth service if they are the only active owner in an organization that uses that service for its primary synchronization
- The subrepository overview page no longer shows a subrepositories counter
- The custom JSON package form will remember the edit mode when submitting a custom JSON package that results in an error or when using the browser back button
- Adding multiple files to a custom JSON package could trigger a message that one file exceeds the file limit even though it is smaller than the limit if the size of all added files combined exceeded the limit. This has been resolved
- Synchronizations with Bitbucket didn't detect repositories as packages as soon as the composer.json file was added if they did not have a branch named master. They were only imported with the daily synchronization run
- Abandoned packages mirrored from packagist.org were not shown as abandoned on the package overview page
- Removed two unreliable and unnecessary checks from the application health check which could cause a cryptic error message to be shown in the Replicated admin console even though the application was working correctly
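The password storage change above (new passwords hashed with argon2i, old bcrypt hashes upgraded on the next username/password login) follows a standard pattern: the only moment the plaintext is available to rehash is immediately after a successful verification. The following PHP is an added example of that pattern, not Private Packagist's own code; the UserStore class, the login() function and the in-memory user data are constructed for illustration, and it assumes a PHP build with argon2 support (PASSWORD_ARGON2I available).

```php
<?php
// Added example (not Private Packagist's code): transparent upgrade of stored
// password hashes from bcrypt to argon2i at login time.
declare(strict_types=1);

final class UserStore
{
    /** @var array<string, string> username => password hash (constructed sample data) */
    private array $hashes = [];

    public function __construct()
    {
        // A legacy user whose password was hashed with bcrypt before the migration.
        $this->hashes['legacy'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
    }

    public function register(string $username, string $password): void
    {
        // New passwords are stored as argon2i from the start.
        $this->hashes[$username] = password_hash($password, PASSWORD_ARGON2I);
    }

    public function getHash(string $username): ?string
    {
        return $this->hashes[$username] ?? null;
    }

    public function setHash(string $username, string $hash): void
    {
        $this->hashes[$username] = $hash;
    }
}

/**
 * Verifies a username/password login. On success, a hash that is not argon2i
 * (or argon2i with outdated parameters) is replaced with a fresh argon2i hash.
 * Returns true only for a valid login.
 */
function login(UserStore $store, string $username, string $password): bool
{
    $hash = $store->getHash($username);
    if ($hash === null) {
        // Verify against a dummy argon2i hash so unknown and known usernames take
        // comparable time, which makes user enumeration by timing harder.
        static $dummy = null;
        $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_ARGON2I);
        password_verify($password, $dummy);
        return false;
    }

    // password_verify() understands bcrypt ($2y$) and argon2i ($argon2i$) hashes
    // alike, so existing users keep logging in during the migration.
    if (!password_verify($password, $hash)) {
        return false;
    }

    // Upgrade happens only here, right after a successful verification: the
    // plaintext is never stored, so this is the one place it can be rehashed.
    if (password_needs_rehash($hash, PASSWORD_ARGON2I)) {
        $store->setHash($username, password_hash($password, PASSWORD_ARGON2I));
    }
    return true;
}

// Usage: the legacy user's hash is bcrypt before login and argon2i afterwards.
$store = new UserStore();
$algoBefore = password_get_info($store->getHash('legacy'))['algoName'];
$ok = login($store, 'legacy', 'correct horse battery staple');
$algoAfter = password_get_info($store->getHash('legacy'))['algoName'];
printf("login ok: %s, hash before: %s, after: %s\n", $ok ? 'yes' : 'no', $algoBefore, $algoAfter);
```

Because password_needs_rehash() also reports true when an argon2i hash was produced with weaker cost parameters than the current defaults, the same check later lets you raise memory or time cost without another migration step; a failed login never touches the stored hash.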
November 18, 2020
- Added an API endpoint to upload a new file to an existing artifact package
- Package release notifications: Receive notifications for every new version a package publishes
- The team members page for synchronized teams now clearly states that memberships are managed through GitHub, GitLab, or Bitbucket and shows where to manage the team
- Security notification summaries are now spaced out over 30 minutes to reduce the rate of emails sent over a short period
- Added an icon next to package names to copy them to the clipboard
- Artifact packages now ignore the "__MACOSX" folder in ZIP archives generated by the macOS ZIP utility when searching for a composer.json file
- Redis noscript errors in the logs on startup are expected. We now indicate this with a note so there is no confusion over them
- Webhooks are now unregistered on connected code hosting platforms when a package or an organization is deleted
- Packages copied to a subrepository now have a disabled edit button explaining that they can only be edited on the organization level
- Editing or creating custom JSON packages now fully saves the state of the form on error, including the editing mode (JSON/interactive form) and the selection of teams with access
- When a mirrored Composer repository returned an empty gzip-encoded HTTP response (e.g. for an HTTP 403 error) while mirroring a new package or updating one, we previously displayed only "Connection failed." The status code is now correctly recognized and an appropriate message displayed
- Placeholders in version specific package archive/download errors are now replaced correctly
- Hitting the API rate limit when creating a new multi-package no longer crashes the background worker, which prevented initialization of the package
- The same path of a multi-package repository can no longer be initialized multiple times. A duplicate package error message is now displayed instead
- Fixed a bug on the security monitoring page that would prevent showing a link to the commit in which the security issue was found and would only show the text instead
- Form error messages that may contain user input are now filtered to prevent XSS vulnerabilities. Due to the Content Security Policy this wasn't exploitable in any harmful way, so it is not listed as a security issue
- Added a workaround for mirroring packages from Yoast's repository, which returns an invalid response on their Composer 2 metadata endpoint
- When attempting to composer require or mirror a non-existent package, Private Packagist no longer returns an invalid response to Composer 2
- Package updates for packages with an invalid version number will now show a more appropriate error message instead of the previous wrong error message that states an authentication error
- Duplicate name for a notification channel on the same organization is now handled by displaying an error message and preventing a 500 error
- Connecting an account using OAuth to a remote account tied to an email address in use by another Private Packagist user now shows an appropriate error message explaining how to proceed
- Removing a primary synchronization will now remove inactive user accounts from the Owners and Admins teams
- OAuth login error messages now correctly replace placeholders with their respective values
- Some links when viewing a mirrored package in a subrepository incorrectly pointed to organization level pages
- Updating the repository URL of a VCS package in the organization now updates the URL in all subrepositories. Moreover, duplicate packages found with the changed URL that are not installable are removed.
- Uploading artifacts with an empty composer.json will now show an appropriate error message rather than failing to parse an empty JSON string
- Security monitoring setup isn't shown on artifact packages because it's not supported
October 6, 2020
- Package dependencies (require, require-dev, replace, etc.) were not shown as links even if the linked package was available in the organization
- Dependents of a package were calculated only using dev versions. This now also uses the latest stable release
- The pages listing dependents of and suggestions for a package were missing the navigation tab for subrepositories
- Security alerts were sent out twice for packages that were first added to a subrepository before they were added to the organization
- The package page now states if the credential used does not have the required scopes to set up a webhook
- Artifacts with mime type application/gzip and application/bzip2 can now also be uploaded
- Artifacts of type tar with an unnamed "." folder are not supported and the file upload displays an error explaining this
October 5, 2020
- Subrepository quick access: most recently visited subrepositories are shown on organization overview
- You can now upload zip, tar.gz, or tar.bz2 archives without composer.json files when creating a custom package
- Full compatibility with Composer 2.0
- Validation of require and require-dev constraints matches the latest changes in Composer
- Dist URLs in lock files have been updated to contain an additional r character to avoid empty filenames if no reference is provided. This means your lock file URLs will change on the next Composer update
- The packages page now shows license information for the default branch
- The team delete button has been moved to the settings page
- HTTP header credentials allow a "Token" header to be set
- Packages added by URL from GitHub with a composer.json file not in the root directory failed to initialize
- Updated the button text for login by email to indicate how to register an account
- Improved retry handling in background workers to fetch the latest changes from packagist.org to avoid uncaught exceptions
- The Bitbucket App credentials form now states that to use the credential for a synchronization the user needs to have admin access
- Removed an unreliable consistency check for Zip files that could prevent valid Zip files from being installed
- The package update process would miss changes to a package if only the dist URL of a package changed
- The render time of the license review page has been improved
- The license review page was listing certain renamed OSI approved licenses twice
- Logged in users can no longer access the registration page
August 24, 2020
- You can now upload zip, tar.gz or tar.bz2 archives containing code and a composer.json file by adding an artifact package to your organization
- You can now receive security notifications when a security vulnerability is found in one of your dependencies by analyzing your composer.lock files. Notifications can be sent via email, Slack, Microsoft Teams or webhook
- Added API endpoints to list packages a team has access to, grant teams access to a list of packages and remove access to a package from a team
- You can now bulk update which subrepositories have access to a certain package from the manage subrepository access page
- Added support for the new Composer 2 list endpoint
- Added API endpoints to create artifact packages
- You can now grant team access to all packages at once by selecting "Select All" in the team packages page
- You can now download the archive file for each package version from the package view page
- Letter case changes of the package name in composer.json are now reflected in the package name data on the package's first update
- Adjusted version sorting on the package view page to use the branch alias if one is provided
- Increased the priority for synchronization jobs created via the UI in order to receive faster feedback for the synchronization run
- Package files are now verified to be valid zip or tar archives. In case of an invalid archive file, you'll see an error message via Composer and on the package view page
- Refreshed the subrepository list page design. The page now includes a filter for security monitoring and package installs
- Users with the package edit permission can now access the subrepository access page
- Archiving or un-archiving a GitHub repository will update the package abandoned state accordingly
- Credentials which are in use and cannot be deleted now show a tooltip in addition to the disabled delete button
- Only admins will now be able to view inactive members in team membership lists
- The list of mirrored repositories on the add package from a mirror page now uses the same ordering of repositories as the mirrored repositories page
- Package errors (e.g. dist file is too large) shown on the package view page will now show the first error, and a link to show more errors if any. Clicking on any versions with package errors will list all the version errors
- While creating a GitLab credential, a notice message will ask you to select the required API scopes
- Added documentation for Composer 2.0 compatibility with Private Packagist
- Creating a credential with Bitbucket API Keys as the authentication type now shows a deprecation notice. Bitbucket API Keys may not exist for the user's Bitbucket team; as an alternative you can use Bitbucket App Passwords
- Improved the add custom package form: the package type is now set to "library" by default, and helpful text hints were added for the other form fields
- The package list page synchronization filter now displays the external service name (e.g. GitHub)
- The synchronization now automatically detects if a VCS repository is transferred from one synchronization to another on the same service, e.g. from one github.com organization to another github.com organization
- Bitbucket Server API response pagination did not work correctly, so synchronization may have only imported partial lists of repositories, users and other information from projects
- Avoid leaking of known_hosts file path if a host key has changed and show a more suitable error message instead
- You can now delete credentials that were assigned to a deleted subrepository
- Users who deactivated an OAuth account connection and are then deleted from a synchronized team will now be removed automatically in a synchronization run
- In case a user isn't part of any organization on a service they connected to via OAuth, a more descriptive error message will be shown on create organization or synchronization
- Synchronization error messages now correctly replace placeholders with their respective values
- The packagist.org mirrored repository can now be prioritized like any other repository in organization settings
June 23, 2020
- Fixed a bug that prevented new packages from being automatically mirrored if a proxy server was set up
- If a proxy server was set up it was not possible to edit the global configuration form in the Private Packagist admin panel
- The status for packages with manually set up webhooks on the package list now correctly shows that the webhook is set up, with the date the hook URL was last called
- The list of mirrored repositories was not showing an entry for Packagist.org if no additional mirrored third party repositories were defined in an organization
- The disk inodes health check reported an error for long device names
June 22, 2020
- Improved performance for Composer 2 through use of the new Composer repository protocol
- The generic package hook endpoint now supports AWS SNS subscription confirmation, enabling easier integration with AWS CodeCommit
- Added API endpoints to fetch dependents of a package
- The package API endpoint now returns the package's configuration values: type, URL, customJson, and mirroredRepository
- The package API endpoint now returns installation statistics
- You can now customize the SMTP server port in the Replicated Admin Console
- You can now select the order in which mirrored third party repositories are searched to mirror new packages you require.
- The job API endpoint now also returns a message property with additional information about why a job failed
- Docker Hub must be accessible from the server to update Replicated to the latest version
- Weak and short passwords can no longer be used to sign up for Private Packagist. An optional integration with haveibeenpwned.com which prevents usage of leaked passwords can also be enabled in the global configuration section in the Private Packagist admin panel
- The API documentation and endpoints have been updated to reflect the naming changes to Private Packagist subrepositories
- VCS repositories added from a Bitbucket Server synchronization will now be accessed via git over HTTP if available, instead of git over SSH
- FireGento mirrored third party repositories now display a warning if a repo.magento.com credential is missing. The credential is required to download certain packages
- The primary indicator for synchronizations is only displayed if there is more than one synchronization
- Deleting a package will now automatically check if there is an uninstallable package with the same name and mark it installable immediately
- Synchronizations with GitHub will get immediately notified about member and permission changes
- It is now possible to create multiple authentication tokens with update access for subrepositories.
- There is now a 128MB limit for package archives. Package versions with a bigger dist file can no longer be installed
- The package page now lists recent archive errors
- The team page shows the number of private and mirrored packages a team has access to
- Grouped mirrored packages on the package list page into a single section and added a filter to show packages in selected mirrored third party repositories.
- Added an option to force the "git" repository type for VCS packages created via the API
- If Bitbucket Server's web interface and its Git server run on different subdomains, webhooks for packages created by a synchronization were not set up.
- The member count on the subrepositories list now only includes active members
- Deleting a mirrored third party repository while a Composer command is running and mirroring dependencies from this repository will no longer result in 500 status codes.
- Fixed a bug that prevented the manage subrepository access page from loading for a package which was previously assigned to a now-deleted subrepository
- The link to the GitLab hook settings on the package page has been updated to reflect changes in GitLab
- Handle additional network related exceptions in background workers and automatically retry those jobs
- The package page for not installable packages with a duplicate name now lists the URL to identify the repository
- It is no longer possible to create custom JSON packages with empty version strings or with multiple identical versions
- Added a cleanup process to reduce the cache size private mirrored third party repositories use if they return a different JSON file path after each change
- Package updates for mirrored packages which have been removed from the remote repository now fail and display an error message
- Failed package archive status checks caused composer install commands to fail; these checks are now retried automatically
- Having multiple packages with the same URL but different names in an organization could cause package updates to fail because of cache interference
- The username and avatar of deactivated organization members will also be updated if they change on the external service e.g. on GitHub.
- Copying multiple packages to a subrepository at once will no longer result in a timeout
- Connecting your account to an additional OAuth application from the add synchronization modal will reopen the modal after the account was connected
- Update jobs for VCS packages without any branches will no longer fail
- Custom JSON packages now validate that the normalized version matches the version property if both are set
- Mirrored third party repositories created or edited via API will be validated identically to creating them in the UI
- The Packagist Enterprise UI will no longer attempt to download fonts from Google Fonts
- Changing the password or primary email of a user invalidates all other sessions for that user
- If the job to automatically mirror replaced packages cannot find the replaced package it will retry at least once to prevent race conditions where packages become available in a mirrored third party repository shortly after the replacement definition has been added
March 23, 2020
- Resolves a security vulnerability in Replicated where sensitive data was exposed via an improperly secured API
- The composer require command no longer fails on the first try, if you require a package which needs to be mirrored for the first time in your organization from a mirrored third party repository other than packagist.org
- If a mirrored third party repository returns invalid JSON data during a package update, the background worker processing the update will not crash and restart anymore
March 19, 2020
- You can now create a custom package using a form to configure your composer.json metadata instead of manually entering JSON
- The Replicated Admin Console dashboard now includes additional metrics for monitoring Private Packagist: Background Jobs Processed, Maximum Background Jobs Process Time, Maximum Background Jobs Wait Time, Background Jobs Queue Length and Package Installs
- Increased PHP memory limit from 128MB to 512MB to prevent reaching the limit when dealing with large JSON structures during Composer operations
- The request timeout for Composer JSON endpoints has been increased to 180 seconds to provide enough time to check multiple slow external mirrored repositories for unknown packages, yet to be mirrored, without resulting in a timeout error for users
- Packages that have been archived in GitHub will be marked as abandoned
- GitHub API requests no longer use access tokens in query parameters, but always use the appropriate HTTP header
- You can now also install packages via Composer which use the previously unsupported file types gzip, xz, phar, and file
- If a git mirror sync operation fails, it is now added as an error to the update log and the package won’t update. Previously the respective version with an error or all versions would have been removed without errors until an additional update succeeded
- When you add a package, all replaced packages in its composer.json are automatically mirrored as well. This mirroring process is now retried multiple times if any of the mirrored repositories are not available
- Add an error to the update package log in case of rate limit / HTTP 5xx errors during package update
- When a new package is mirrored from packagist.org we now immediately trigger mirroring for all packages it replaces to prevent problems with installing these replaced packages. Previously the replaced packages were only mirrored when the original packagist.org package was updated for the first time
- When creating a new credential, the username won't be pre-filled anymore, since the suggestion was often incorrect
- Fixed a bug which prevented switching the package type from Subversion to other types
- If you configured a package mirrored from packagist.org to be enabled by default in new subrepositories and then created a subrepository, the mirrored package was incorrectly marked as uninstallable through Composer in the new subrepository. You can delete and recreate the package as a workaround. When you create new subrepositories the package will now be created correctly
- The Bitbucket API can return a 404 error response containing an HTML body. Previously this would have led to synchronization jobs failing without any visible error. If you experienced this, your users, teams, permissions and repositories would not have been synchronized until the error disappeared again. The error is now logged and the synchronization is marked as failed if it occurs
- When you edit a package and then delete it immediately, before the changes have been processed, you will now see an appropriate message rather than the background job running until it eventually reaches a timeout
- Filtering by active users in the User Explorer in the Private Packagist admin panel now works
- Tooltips for package update errors in the package list now correctly replace placeholders with their respective values
January 24, 2020
- You can now create authentication tokens with full update access including the automatic creation of mirrored packages, which are counted as regular users
- A new organization drop down in the top navigation makes it easier to switch between organizations, and you can always see which repository you're currently working on
- Errors triggered by a package zip download are displayed by newer composer versions
- An organization can now create multiple SSH keys which can be used to grant Private Packagist access to multiple individual VCS repositories on the same version control platform.
- Packages automatically updated via webhooks will be updated at least once per week
- The settings page to create a new credential always displays all form fields
- Package data returned from the API also contains the webhook URL to trigger an update for the package
- Authentication tokens assigned to a particular team now show a link to all packages accessible by the token
- Removed the option to trigger an update for all packagist.org mirrored packages via UI to prevent instances being unnecessarily slowed down
- Reduced the overall amount of memory necessary for redis
- GitLab subgroups on the create organization page and add synchronization modal are now hidden but can be revealed to improve usability for long lists.
- Not yet connected code hosting platforms are now listed on the add organization page and the add synchronization modal
- The package search is now case insensitive
- Synchronizations with groups on GitLab servers running version 12.6.0 or newer now support more than 100 projects per group
- Organizations with multiple synchronizations can now see information about the last runs for all their synchronizations
- Resolved a race condition which led to some cache entries not being invalidated
- Authentication tokens previously used by now deleted subrepositories are no longer listed on the organization settings page
- Fixed a bug which caused development versions to temporarily disappear for VCS repositories if we encountered a rate limit or server error while trying to access a composer.json file of a modified branch
- All Bitbucket 5XX status codes received during a synchronization run are now automatically retried
- Expired Bitbucket OAuth tokens can no longer lead to a registration failure
- Bitbucket VCS repositories in an invalid state can no longer crash the synchronization
- The automatic webhook setup for GitLab VCS repositories no longer uses a slow endpoint
- Triggering multiple deletes for the same mirrored third party repository no longer leads to errors
- A composer.json file containing invalid UTF-8 characters will no longer prevent an update for the entire package
- Background workers now automatically try to reconnect on redis connection errors
- Improved the handling of race conditions for long-running Bitbucket synchronizations to prevent errors when VCS repositories are added or removed during the run
- Errors encountered because a mirrored third party repository returned invalid JSON during the automatic mirroring now display a warning message
- Usernames sent to the Composer repository which contain non-UTF-8 characters no longer result in 500 errors
- Fixed a bug which prevented the abandoned status of a package from being updated
- Added additional information for packages that fail to be initialized using git clone
- Regular packages in subrepositories which are not installable in the organization can now be installed in the subrepository
- If the Bitbucket API fails because Private Packagist IPs need to be allowed in Bitbucket, an error message with information on how to do this is now shown
- Accessing API endpoints in the browser without authentication returned a 500 error instead of a 401 error
- The name of integrations is now correctly displayed on the organization create page and the add synchronization modal
November 13, 2019
- The packages page has been rebuilt to offer various filters to find packages and displays more package information to quickly detect problems
- The packages page now also lists packages with a duplicate name showing a warning that they cannot be installed
- All packages which are replaced in the composer.json of any package you add, are now automatically mirrored to prevent problems with their automatic mirroring during composer update.
- To avoid confusion with the Composer package type project, we renamed Private Packagist projects in the Agency Add-On to Subrepositories
- Initializing a Bitbucket git repository with a URL like https://bitbucket.org/acme/repository will now automatically transform the URL into a valid git URL, e.g.
- The packages page now explains what mirrored packages are and why they appear in the list of packages
- The list of organizations for a user now also shows organizations which they have been removed from
- Running a composer command with a read-only token now shows a message that no new packages will be automatically mirrored
- When trying to automatically mirror a new package composer will now always show a warning if one or more mirrored third party repositories are not available
- Replicated fixed an issue with the Replicated admin console that would require a manual refresh of the browser after replicated upgrades.
- Replicated improved error messaging on the Replicated admin console for upgrade failures.
- Editing a package will now fully clear its cache
- Corrected the install statistics of an organization to also include installs of all subrepositories
- Updated the screenshots to set up a GitLab integration with recent ones
- The list of last synchronization runs showed an old run if all recent runs failed
- Synchronizations with bitbucket.org could fail in case a repository was in an unavailable state
- Fixed the synchronization with GitHub to grant everyone access to public repositories in the organization
- Package updates which failed because of an HTTP call now display the URL which was called and the status code returned
- Synchronizations failing because of a server error now display the URL which was called and the status code returned
- Improved the error handling for interactions with mirrored third party repositories to display more helpful error messages
- With automatic mirroring, the package composer/magento will now be mirrored from packagist.org even if repo.magento.com is set up as a mirrored third party repository, because repo.magento.com is missing newer versions
October 14, 2019
- The update process now requires the domain d2g7dkkfx863il.cloudfront.net to be accessible if your firewall blocks external traffic
- A regression in 1.9.4 resulted in new user account registrations failing for all OAuth integrations
- Corrected the link to the replicated console if Private Packagist Enterprise is running on a non-standard port
- Hid the settings link for Owners and Admins teams on the team detail pages as these pages do not provide any functionality for these teams
October 11, 2019
- Packages marked as abandoned are now visible as such in the UI and show the suggested replacement
- Organization synchronization runs are now visible in the UI as soon as they are triggered
- Enabled projects on organizations created before version 1.7.0
- Database migration for the deactivated_user table can no longer fail and prevent application startup
- Improved the memory usage when adding Private Packagist organization as mirrored third party repository
- The link to the mirrored third party repository on the package page now links to the details page of the mirrored third party repository
- Display an actionable message in case a host cannot be resolved while trying to access an Integration API endpoint
- Credentials now correctly store who created them when they are automatically created via a mirrored third party repository
- Synchronization runs failed when multiple teams assigned to projects were deleted in the same run
- Added a cleanup to reduce the cache size satis-like mirrored third party repositories use
- Additional SSL certificates added in the replicated console are available to all Packagist processes now
- Ensured usernames created through synchronization cannot begin or end with spaces
September 17, 2019
- Added a new team permission which lets team members create projects
- A new config option in the Replicated Console allows you to select the level of TLS security and backward compatibility based on Mozilla's Old and Intermediate config recommendations. It is recommended that you change this to Intermediate if your HTTP clients are compatible
- Added install graphs for overall organization installs over time
- The package add dialog now has an option to select/deselect all teams to make it easier to select the teams which should have access to the package
- Synchronized collaborator teams without members are now hidden in the UI
- The automatic calculation of the number of background workers and FPM worker pools has been improved to no longer consume too much memory
- Lowered the amount of jobs created by automatically skipping initialization attempts of packages with a name which already exists
- Synchronization runs are now tracked in the UI as soon as you start them
- Mirrored packages which were manually added to a project would get stuck during the initialization and never receive any version data
- Synchronizations were prevented from being deleted in case one of the synchronized teams was assigned to a project
- The PostgreSQL connection limit is now automatically adjusted upward if the host machine has enough memory to start more background worker processes
August 13, 2019
- Enable all API endpoints on Enterprise installations
- The organization members page now offers options to remove and reactivate members in bulk
- Improved display of package install numbers for large values
- Added an additional credential type "Magento Third Party Public Key/Private Key"
- Download counts now work inside of projects
- Replaced an unsupported Bitbucket.org v1 API endpoint with a v2 endpoint which prevented the creation of a Bitbucket synchronization after the v1 shut down
- Improved the network error handling for Bitbucket.org by always retrying failed synchronizations and displaying an error message when trying to add a package from a synchronized team fails
- When using the Private Packagist Enterprise API calling an endpoint with an unsupported HTTP method will now return a 405 error instead of a 500 error
- Adjusted the error message which appears when one tries to add a VCS repository as mirrored third party repository: Use add package by URL
- Fixed the handling of Bitbucket URLs in the format of "bitbucket.org:organization/repository.git"
June 27, 2019
- User accounts are now deleted from Private Packagist Enterprise when all organization memberships of the user have been removed through synchronization processes. The behavior can be disabled in the admin panel.
- Added support for repositories which have a composer.json in any branch and/or tag but not the default branch
- All public repositories added via a synchronization are now available to all members in the organization
- Added additional configuration options for adding svn repositories as packages
- The composer setup instructions now also list CLI commands that can be used instead of the JSON snippets
- Fixed a bug which would prevent login or registration for users due to a ReCaptcha mechanism which was not fully disabled
- Fixed the deletion of user accounts which were deactivated via the admin panel
- Improved how we detect updates for packages mirrored via packagist.org to reduce the delay until a new or updated version becomes available
- The random offset added to the timeframe between synchronization runs is now relative to the total time between synchronization runs. Previously short time frames of e.g. 15 minutes could still have ended up taking 2 hours due to the random offset.
- The about page now shows the trial license expiration date in human readable form
- Resolved an issue with synchronization which deactivated existing organization members in rare scenarios
- Improved how general errors during the OAuth authentication are handled by displaying an error message and preventing a 500 error
June 7, 2019
- New team permission which lets non-admin team members add packages and add, edit and remove credentials and mirrored third party repositories
- The package add dialog now allows you to select teams with access, rather than having to set permissions separately later
- Added API endpoints to manage project packages
- Added an API endpoint to fetch organizations' SSH access keys
- The user profile now also shows the username and id of all connected OAuth accounts, e.g. GitHub, GitLab, Bitbucket
- Improved the user list in the admin panel to be able to filter for active users only
- Synchronizations with Bitbucket now recognize individual repository collaborators
- New organization members found during synchronization can now be deactivated automatically
- Display informative error messages if a zip download fails during composer install (requires composer >=1.8.5)
- Improved the navigation on mobile devices
- Improved the restart time for the docker containers
- Renamed "disable synchronization" to "delete synchronization" and clearly state that deleting the synchronization will remove teams, users and their permissions
- Custom packages are now fully validated on form submit and more detailed error messages are shown
- Credentials now show for which domain they apply
- Enable the API endpoint to fetch a single package's info on all organizations
- If a Bitbucket app password for synchronization has been created by a non-Administrator the error message now clearly indicates the problem
- Synchronization API access error messages now display HTTP status codes to help debug
- Added forgot password links to all password fields on the profile pages
- Cache expiration times are now more randomly distributed to avoid regenerating all package metadata at the same time during a composer install
- When adding a new package fails because a remote file cannot be accessed a more detailed error message is now displayed
- Updated the Bitbucket integration to be fully compatible with the latest Bitbucket API changes
- Fixed a bug where renaming the Bitbucket workspace ID of a Bitbucket Team synchronized with Private Packagist would prevent further synchronizations
- Packages added via synchronization inside a project in some cases did not grant all project members access
- Credentials for a URL with a non-standard port can now be used to set up webhooks
- Fixed zip downloads for package URLs without a path, e.g. https://composer.example.com/?package=test&version=1.0
- Using HTTP auth as part of a third party mirror repository URL no longer fails but automatically creates a credential entry
- No more immediate reloads after a successful job finishes to provide enough reading time
- Fixed an issue where users logging in via a password manager would sometimes land on an error page
- Improved the package search by trimming off additional whitespace
- Registration will not silently fail due to very long passwords anymore
- If Bitbucket returns an empty response there are now additional request retries
- Fixed race conditions in synchronization process leading to incorrect or incomplete data
- We now always propagate new version information for packagist.org mirrored packages to all projects using them
- Deleting or replacing credentials inside a project did not work in some cases
- We now correctly handle errors caused by invalid third party repository URLs
- If a remote VCS repository changes its URL synchronization now immediately updates the package URL
- Improved handling of GitHub API rate limits while adding a new package
March 29, 2019
- Database migration for the organization_sync_run table can no longer fail and prevent application startup
March 29, 2019
- Added an option to override the default request timeout for mirrored Composer repositories
- Added an option to override the number of running background worker processes to the Replicated console
- Improved the performance of package updates by caching versions without a composer.json
- Renamed the Owners/Admins Team option for authentication tokens to 'All packages'
- The authentication tokens page now displays when the token was last used
- Adjusted the Bitbucket API usage to avoid deprecated v1 endpoints where possible
- Allow non-synchronized teams to be deleted in organizations with synchronizations
- New improved footer design
- Owners and Admins teams are now always shown for everyone
- Ensure that synchronizations can be removed from organizations
- Editing a mirrored third party repository inside a project failed
- Fixed validation of SSH URLs when adding packages, which prevented creating packages
- Fixed a bug that prevented authentication tokens from being created in projects
- Improve the package update handling in case the package gets deleted while the update is running
- Handle various GitHub related errors during a synchronization and reschedule the failed jobs
- Handle various exceptions during package archive and reschedule the jobs
- Improve the handling of authentication exceptions during oauth login with GitHub
- Handle the case where a package is deleted while a background job is setting up a webhook for the same package
- GitLab synchronizations now work for subgroups with access tokens which do not have access to the parent group
- Adding a new synchronization to an existing organization will now inform the user once the first synchronization run finished
- Package statistics now also include the current day in the graph
- Handle exceptions on composer search in case the mirrored third party repository returns invalid json
- Increase the default timeout for http requests for GitLab to 30s
- Flush the composer version cache for a package when the repository url changes
- Improvements to request timeout handling in background worker for Bitbucket
- Fixed an issue where multiple organizations synchronized with the same Team on Bitbucket would overwrite each others webhooks
- Fixed a bug that prevented teams with authentication tokens from being deleted
- Download stats for packages mirrored from Packagist.org will now display the correct values for every organization
- Fixed a bug that rendered the pagination on the Users Explorer in the admin section unusable
- Fixed a bug that prevented package statistics from loading for packages which have been in Private Packagist since before 2018
- Improve memory handling in background workers by regularly clearing the doctrine and monolog caches
- Prevent more than two package updates for the same package to be queued at the same time
- Records of finished jobs are now deleted on a daily basis
- Long mirrored third party repository URLs no longer overlap with other page content
- Avoid a full synchronization if a new repository/package was detected via webhook call
February 5, 2019
- Added host system admin command packagist package:update-all --overwrite-data=true to schedule updates rewriting all versions for all packages
- Ensure that update jobs which overwrite existing version data disable composer version cache
- Do not duplicate display of mirrored packages copied from an organization into projects without generally making the mirror available to the project
February 4, 2019
- Fix bug introduced in 1.8.1 leading to failing package updates on Enterprise installations
February 1, 2019
- Added a search field when adding packages from synchronized repositories and when adding packages from the parent organization to a project
- Performance improvements to editing credentials, renaming organizations and projects, and deleting packages
- No longer displaying a warning about a missing hook for custom JSON packages which cannot be updated without editing the JSON
- Fix download URLs on package update for Enterprise instances which changed their repo hostname and had old download URLs cached from before July 2018
- Detect SSL certificate problems with integrated service (GitHub, Bitbucket, GitLab etc.) and display them to users
- Fixed race condition which could lead to failed downloads of packages which are just being mirrored for the first time
- Ensured the last owner of an organization can never be deleted by a synchronization run
- Members of new teams found during synchronization are now added immediately, rather than only on the second synchronization run
January 18, 2019
- Synchronizations can now be configured on a per-project basis
- Synchronizations now list runs during the previous 48 hours and what exactly changed on each run, e.g. new users or repositories
- Integrations can now be created even if the validation fails
- Updating a credential now triggers an update for all associated packages and synchronizations
- The team member pages now show more information about each user
- API rate limit errors during login now show which API rate limit was reached
- Adding organization packages to a project now happens without page reload
- Improved the flow to set up a new synchronization for an existing organization
- When importing packages from JSON you can now select credentials to be applied
- You can now switch which of your synchronizations should be the primary one
- Improved typography and spacing across all pages
- Synchronizations can now be triggered by all members of an organization
- The organizations overview page now shows an option to reauthenticate if your oauth token is not valid anymore
- Synchronizations show which credential is used to make requests to the external service
- Added functionality to update the credential description
- The project settings on the organization settings page are now hidden until the first project is created
- Setting up a mirror with http auth in the url will now automatically create a credential and assign it to the mirror
- Packages where the last update failed will now display the error until the issue is resolved
- Deleting a mirror now runs in a background task to avoid UI timeouts
- Ensure the registration doesn't break if the email is already used by another user
- The license review page won't timeout anymore for organizations with projects
- Handle API limits for Bitbucket when new repositories are added
- Adjusted the messaging in the organization add synchronization modal if the user has no connected accounts
- Deleting a team with authentication tokens will now always work, the authentication tokens will remain but without package access
- The list of dependent packages does not contain duplicates anymore
- Disabled the browser autocomplete functionality on all credential input fields
- Sync settings concerning project assignment could not be saved for synchronizations which did not target GitHub
- Requesting a password for a non-existing user won't result in an error anymore
- Detect and handle GitLab maintenance windows
- Handle the case where a credential has no Bitbucket oauth scopes assigned
December 3, 2018
- Private Packagist for Agencies: Support for projects in each organization with a separate Composer repository, including options for mirrors, credentials and tokens to be defined for just one or a set of projects
- Packages mirrored from packagist.org are now updated automatically within a few seconds of changes on packagist.org rather than only twice a day
- composer search is now supported for all packages available through Private Packagist: private and mirrored third party packages can be found
- Bitbucket Team hooks are now set up automatically to detect new packages when you create new repositories
- Added a link to Admin page in the top nav, and link to Replicated console from admin page
- Managing access to packages for teams now sorts the dropdown of packages and lets you search through them
- Reduce worker memory consumption by merging infrequently running tasks into a single process
- Log full stack traces on PHP errors
- Improved the package update log output to better display authentication issues
- Package updates which fail because of external API limits are now retried once the limit resets
- Ensure email from address is always set correctly on all SMTP configurations instead of falling back to firstname.lastname@example.org
- Reduce the number of errors displayed on all pages to 1 if multiple syncs are broken
- Display exactly which scopes are missing if synchronization fails because of missing OAuth scopes
- Select correct scopes by default when creating a GitHub access token
- Load correct error handler configuration for logging on the Composer repo
November 21, 2018
- Database migration for team table can no longer fail and prevent application startup (only happened on fresh installs if no organizations existed)
November 14, 2018
- Package detail page now shows information on the mirror if the package was mirrored
- Allow specifying a custom timeout value for requests to each integration
- Allow deactivating users in organizations even if they did not create a Private Packagist account yet
- Document that GitLab webhooks may require a configuration change to allow requests to a local network if Private Packagist is running in the same network
- Speed up updates of private packages with large numbers of tags with new cache
- Allow disconnecting the last third party authentication provider if email authentication is enabled
- Deleting synchronization now disables but stores all authentication tokens for later reuse
- Allow reusing existing credentials in the organization when setting up synchronization
- Read-only authentication tokens no longer receive a lazy providers URL pattern in packages.json, to speed up package lookups
- Ignore Bitbucket repositories which the team admin does not have access to, instead of failing the sync process
- Correctly detect permission errors returned by Bitbucket and present them in an actionable way
- Unified metadata storage and update processes for mirrored packagist.org packages across organizations to improve performance
- Changed internal configuration of Composer to better expose error messages returned by external repositories, e.g. API rate limits
- Deleting all packages in a mirror now runs in a background task to avoid UI timeouts
- Improved queries used in org synchronization reduce disk i/o on the db
- Detect and warn about credentials applied to a package with a URL that does not match the credential domain
- Log errors with more details on repo console commands
- Detect GitLab connection failures and retry jobs later
- Use a lower timeout for GitHub calls than the client library default
- Bitbucket Server: Detect and warn about our SSH key already being assigned to another user breaking our automatic setup
- Full name for users is automatically prefilled on third party authentication if available
- Verify API scopes of GitHub tokens and give appropriate error message if any are missing
- Set SSH timeout to 10 seconds to prevent broken git clones over SSH from taking a very long time before they timeout
- Replicated no longer corrupts the snapshot database on upgrade
- Replicated now works with docker configured to use write only log drivers
- Correctly detect and store webhook state for bitbucket.org packages
- Ensure disabled users will not be reactivated through a synchronization in organizations with multiple syncs
- Prevent issues resulting from double submission of user disable form
- Fixed data fetching for bitbucket.org repositories with a default branch containing a slash in its name
- Password reset was not possible in some configurations
- Take no proxy list into account if the environment variable uses a lower case name
- Synchronization for GitHub integrations may not automatically have run once a day
August 20, 2018
- Email/password based registration and login, needs to be enabled on /admin/ page under Global Settings
- Email verification configurable per integration to set trust for emails provided by third party authentication mechanisms
- Improved profile page with list of emails from third parties and manually defined ones, each with verification state and option to use as default address
- Display README contents on package overview pages
- If a user's API rate limit on a third party service prevents login, display a specific error message explaining this circumstance
- Team overview page lists package counts next to permissions now, so it's easier to spot teams which assign permissions to an incomplete set of packages
- Improve Enterprise setup experience by automatically granting the first created user admin permissions
- Automatically fill in bitbucket usernames in credential creation forms to simplify setup
- Improved documentation layout and added enterprise troubleshooting section
- Convert proxy URLs to correct protocol URLs for PHP streams
- Automatically send full URIs to HTTP proxies for unencrypted HTTP, but relative paths for encrypted HTTPS to avoid problems with some specific proxy software
- Reverted the modified user agent in proxy code, which prevented mirroring from third party repositories that block based on user agents
- Disabled erroneously enabled but broken vendor/customer functionality on Private Packagist Enterprise
August 7, 2018
- Respect the host system's PROXY environment variables which are used by replicated inside of Private Packagist and allow the definition of hostnames which should not go through the proxy on the admin page
- Added an option to change the frequency of organization synchronization below the default 20 hours, watch out for rate limit issues if you reduce this value
- Provide a CLI admin command to update all packages in an organization
- Archives for the latest tags of new packages are now created immediately to speed up the first use of composer update
- Add missing links to profile page to allow editing username and email easily
- Composer token last usage is now tracked precise to a 5 minute window
- Improved validation of Enterprise Integration setup values for GitHub Enterprise, Bitbucket Server and self-hosted GitLab with improved error messages
- Provide a more specific error message if a package already exists when you are adding it with a link to the package
- Use streaming responses for large JSON files to reduce memory consumption
- Upgraded Replicated to version 2.25.1
- Increased timeout for mirrored repository responses to 5 seconds to allow slower repositories to be mirrored, may slow down composer updates when adding new packages
- Reduced default php socket timeout to 10 seconds to provide useful error messages if any external requests time out
- Moved automatic webhook creation into a worker process with automatic retries to improve reliability
- Do not store URLs to Private Packagist in cache, so hostname changes take effect without manual regeneration of stored data
- Synchronization of an organization with GitHub no longer stops if a repository with individual collaborators is archived
- Display a link using custom integration domains for creating credentials instead of always using github.com, gitlab.com, bitbucket.org
- Metapackages without code no longer trigger archive creation errors
- License overview no longer displays package names to a user which they do not have access to
- GitLab scope missing error is now explained to users instead of crashing background workers
- Fix internal communication between containers for SSL certificates which are not valid for IP addresses used on the internal network, could have resulted in empty download statistics
- Fix internal SSL communication between containers when using Replicated's self signed certificate
- Fix worker crash if synchronization setup is disabled while synchronization is running
- Validate informational domain field for credentials
June 7, 2018
- Let users know that they have to accept GitLab's new ToS if this is preventing them from logging in or synchronizing their organization
- Automatically generated credential names are no longer unique across all organizations
- GitHub push hooks will trigger initialization of packages that do not exist yet
- Catch GitLab API Limit errors and display a message to users
- Reduce amount of data requested from GitLab by using new subgroup API endpoints if available as of GitLab 10.3
- During successful synchronization the user who set up the synchronization will not be removed from owners if no other owner has an active Private Packagist account
- Package updates triggered by a push hook are now retried after 30 seconds instead of being cancelled if another update is already running; as a result, tags pushed separately immediately after commits should now show up on Packagist faster
- Regression preventing successful synchronization with GitHub Enterprise
- Warn users about problems if the GitLab sync credential is empty
- Handle Bitbucket 50x errors the same as 500 during synchronization API calls
- Attempt to retrieve smaller pieces of information with more API calls from Bitbucket if large endpoints return 500 errors for internal timeouts at Bitbucket
- Catch 401 errors from GitLab and turn into useful message for users
- Enterprise preflight checks now test listening on 0.0.0.0 for ports 80/443 to avoid issues with machines without a detectable public IP
- Custom package validation now properly checks that at least one package was defined
May 9, 2018
- Fix installation of webhooks on Bitbucket Server if no webhooks are present yet
May 8, 2018
- Repo container won't start up if restarted without old temporary directory present
May 8, 2018
- Automatically configure webhooks on Bitbucket Server (requires version 5.4 or above)
- Reorganized organization teams page layout
- Separate packagist temporary data from permanent distribution files to decrease snapshot size, we recommend you use SFTP or S3 snapshots only and that you define a new empty directory to create snapshots in starting with this release to reset the differential storage mechanism
- Composer repository now returns a 401 if auth is missing to ask for interactive authentication input
- Upgraded to Replicated 2.20.2 with improvements to snapshot creation and restore
- Fix key generation for Bitbucket Server and provide more detailed error messages in case of problems
- Ensure packages with manually defined JSON always update all metadata on edits
- Detect and ignore deleted package situation when processing a package update
- Prevent signup errors if people double click the signup button
- Catch 502 responses from GitLab and treat them as timeouts and retry later
- Catch empty responses from Bitbucket and treat them as timeouts and retry later
- If bitbucket permission API endpoint fails, try retrieving info for each team and repository individually
- Use correct organization name for listed vcs repositories if an org is synchronized with multiple targets
- Fix audit log entry creation for admin self-deletion
- Ensure synchronized users are always created with a unique username
- Find composer.json information on GitLab projects with a default branch other than master
- Correctly disable all synchronizations if an integration on which they are based is deleted
Mar 16, 2018
- Management console option to enter additional TLS/SSL certificates Private Packagist Enterprise should trust for connections to your VCS repositories
- Option to trigger an update for all packages mirrored from a particular third party Composer repository
- GitHub synchronization now supports granting external collaborators package permissions
- Synchronization now automatically creates packages from repositories which you add a composer.json to after sync skipped the repository for lack of a composer.json
- Restoring an Enterprise instance from a snapshot no longer requires to run any custom commands to restore the PostgreSQL database
- If a GitLab subgroup is synchronized with a Private Packagist organization, we now search all parent groups for members with inherited permissions
- Increased default timeout for talking to GitLab instances to 30 seconds
- Reaching the Bitbucket rate limit now triggers a 1 hour block on all requests sent to the Bitbucket API to restore the limit fully
- Bitbucket requests are retried automatically on server errors because it reports timeouts as 500 Internal Server Error
- Performance improvements to Composer repository JSON delivery
- Provide a specific error message if someone attempts to add a package with the same name as a package that already exists
- Setup mode now allows deleting the admin user account
- Disabled auto-complete on password fields for external credentials
- Upgraded to Replicated 2.17.0, which amongst other things improves snapshots and restore
- Worker processes do not fail to start up anymore if Redis is taking too long to load data into memory
- Modified Redis backup/restore process will no longer cause extremely slow or incomplete snapshots
- Fix GitLab Composer behavior to ensure correct commit instead of branch is used for dist generation when targeting specific commits on branches
- Updating the credentials on a mirrored Composer repository now ensures that all packages already mirrored from the same repository start using the updated credentials
- Bitbucket Server configuration now uses readonly instead of disabled fields for values to be copied, and the client id / public key can no longer be reset to empty
- Do not log anything and do not return an error on metapackages which do not have a source or dist specified
- Invitation email to new users now links to correct login/registration page instead of always referring to GitHub
- Fix local build file cleanup to prevent disk from eventually getting too full
- Fix mirroring of packages with names using capital letters (should be avoided and is invalid on packagist.org)
- Prevent error on editing an organization if no platform was selected for the organization
Jan 17, 2018
- Synchronized packages will always use the credentials associated with the sync now
- Do not attempt to bind to [::] on Enterprise hosts with IPv6 disabled
- Skip synchronization entirely for organizations that no longer exist on GitHub
- Fix webhook installation on non-primary synchronizations
- Properly apply deactivated user list to non-primary synchronizations
Jan 10, 2018
- Fix form submission for secondary GitHub synchronization default permission settings
Jan 10, 2018
- Fix regression on some package pages and in background workers attempting to resolve non-existent default integration configuration leading to 500 errors
- Fix incorrect determination of mailer host configuration resulting in broken health checks
Jan 8, 2018
- Synchronize multiple external GitHub orgs, Bitbucket teams, GitLab groups with a single Private Packagist organization
- Multiple organizations can be synchronized with the same GitHub/Bitbucket/GitLab organization
- Allow disabling the creation of new organizations for anyone who is not a Private Packagist Admin user
- Synchronized team names have been updated to reflect their origin to clarify context when using synchronization with multiple sources
- Do not allow deleting an organization on Private Packagist if the GitHub app has not been uninstalled yet
- Improved 500 error message on Enterprise installations
- Upgraded Replicated to 2.15.0
- Upgraded Nginx to 1.13.8
- Remove non-existent option from worker command calls, fixing issues with cache invalidation and download stats
- Fix potential constraint violation when disabling synchronization on an organization
- Don't display broken remote organization avatar if none is defined
- Return proper error code and message if an archive cannot be created before the request timeout ends
- Properly handle API rate limits in vcs synchronization worker
Jan 2, 2018
- Allow defining multiple mirrored Composer repositories with the same URL but different credentials
- Lower timeouts (2 seconds) on retrieving data from mirrored Composer repositories
- Clarified synchronization error messages to be more specific and instructional
- Upgraded to PHP 7.2
- Upgraded Replicated to 2.14.0
Dec 13, 2017
- Update UI structure for mirrored repositories in organization settings to match other settings
- Improved error messages in case Bitbucket API Limits are encountered
- Do not warn about SSL requirement for package URLs unless a user attempted to use a non-SSL http URL
- Fix regression in form input for default member permission for synchronized GitHub organizations
- Display a helpful error message in case a Bitbucket organization cannot be loaded due to token issues instead of a 500 error on org settings
Dec 11, 2017
- Increased timeouts on port listen startup events during docker orchestration
Dec 11, 2017
- Regression in GitHub Enterprise API client pagination
Dec 11, 2017
- Prevent 404 during Bitbucket privilege check in synchronization
- Correctly follow pagination URLs on GitHub Enterprise API in all cases (second fix)
Dec 8, 2017
- Add new denormalized columns and indexes to improve performance of dependent/suggesters calculation for packages
- Correctly follow pagination URLs on GitHub Enterprise API in all cases
- Don't include non-existing nginx log files in support bundle to prevent timeouts in support bundle generation
Dec 6, 2017
- Permanently display the most recent synchronization failure message and info on last successful run
- No requirement for 20GB on the root filesystem anymore; you should however have at least 10GB mounted on /data and 10GB available to the system and Replicated
- Only administrators of Bitbucket Teams can set up synchronization with a Private Packagist organization
- Increase nginx server_names_hash_bucket_size to 64
- Make sure temporary files are always cleaned up after creating an archive even in case of errors
- Catch some unexpected potential errors returned by Bitbucket during synchronization, log them and retry later
Nov 30, 2017
- Provide a manual option in org settings for default package access for all members on synchronized GitHub organizations because the GitHub API does not yet expose this setting to applications
- Synchronize packages in shared projects on GitLab into the Private Packagist organization like regular projects
- If the owner of a GitLab sync auth token is not a member of the synchronized group, attempt to load all GitLab group info (only up to 20 API page requests)
Nov 28, 2017
- Errors and warnings in package update logs are now highlighted and indicated with a warning symbol
- For organizations synchronized with GitHub, create a team containing all members which are not in any team
- Allow deleting a credential currently in use by packages and mirrored repositories with an option to replace it with a different existing credential
- Retry synchronization jobs after a delay if they failed due to reaching a GitHub or Bitbucket rate limit
- Prevent the addition of non-SSL repository URLs upfront rather than erroring during update jobs later
- Logging in composer repository application is triggered at lower notice level now
- Don't retry GitLab API requests after 5 attempts that all timed out
- Schedule even GitHub packages which have an oauth token for 12 hour updates in case the webhook isn't set up
- Added a view button for mirrored composer repositories on the organization settings page
- Improve debugging output in case the synchronized GitLab group cannot be found during synchronization
- Made database migration state detection more robust and removed error output on startup
- Updated Replicated to 2.13.1
- Prevent race condition that could lead to broken zip files created for download from packages on Bitbucket or GitLab
- GitHub organization listing is no longer limited to 30 (API pagination)
Oct 13, 2017
- Fix regression introduced for archive creation in last release
Oct 13, 2017
- Allow users to regenerate their personal auth token on the profile page
- Improve guidance through Integration setup in Enterprise admin panel
- Enterprise Setup now checks for availability of ports 80 and 443
- PHP base image upgrade
- Request correct scope on login with self-hosted GitLab CE OAuth
- Skip the account merge dialog if a user tries to login in a browser tab after having logged in on another one
- Prevent error when deleting users in Enterprise Setup mode without being logged in
- Fix race condition during archive generation that could lead to incorrect zip contents on download
Sep 25, 2017
- Option to delete organizations from the Enterprise admin panel without joining an organization as an owner
- Organization memberlist now shows all inactive users who will become members as soon as they activate their Private Packagist account by logging in
- Package update errors now differentiate between HTTP errors that may be caused by permission issues and errors caused by other networking problems, e.g. timeouts
- Postgres password is now read-only on the Enterprise Management Console as it was not supposed to be modified
- GitLab subgroup names are now displayed with the full hierarchy path when creating a new organization
- Prevent race condition when a user tries to set up synchronization again before the previous background job finished
- The dialog to create an organization from GitLab groups now lists all groups rather than just the first 20
- Prevent error when deleting a user while logged out in Enterprise setup mode
Sep 21, 2017
- Upgraded GitLab API client library, we now require GitLab API v4 - this means GitLab versions lower than 9.0 are no longer compatible
Sep 20, 2017
- Allow X-Forwarded-For headers on http requests to the Enterprise health check
Sep 19, 2017
- Add SMTP connection check button to Enterprise management console settings screen
- Ensure users are no longer tied to an integration after it's been deleted
- Prevent synchronization from failing if teams get renamed to names of other now deleted teams
Sep 13, 2017
- Team package access page now lists synchronized packages without access to clarify which permissions are handled in external systems
- GitLab subgroups now have individual teams for different types of access (Developer, Reporter, Owner, ...)
- Bitbucket Server Integration Setup form now has detailed list of required settings for different dialogs
- Team renames are tracked on GitLab and GitHub; Bitbucket has no team identifier other than the name
- Increased timeouts for GitLab requests to 15 seconds to circumvent their rate limiting bugs
- GitLab permissions are now correctly inherited to subgroups if they are unchanged from the parent
- Prevent invalid composer.json on master branch from crashing package updates on other branches/tags
Sep 8, 2017
- Ensure internal random secret value is never modified on updates to prevent hook URLs from changing
Sep 7, 2017
- Fix URL added in previous release in specific cases
Sep 7, 2017
- Always show manual hook URL for packages where hook is not managed automatically
Sep 7, 2017
- Skip an unnecessary query on executing workers which was filling up the postgres error log
Sep 5, 2017
- Package rename handling: new package is automatically added if the package name changes in composer.json on the default branch of an existing package
- Team members can view which packages their own team has access to (previously for admins only)
- View full repository paths for GitLab subgroups
- Support for Typo3 Composer Repository and t3x archive files
- Shift-clicking the update button on the view package page force updates all versions
- Deleting a user in Enterprise Admin Panel requires confirmation
- Better error reporting in user interface during synchronized org creation failures
- Performance of team overview page improved for very large organizations
- Updated to latest version of Composer for improved GitLab compatibility (API v4) and full subgroup support
- Updated Replicated to 2.11.1
- Improved signal handling in worker processes
- Team page directly links to full member management page
- Prevent deadlock in cache busting worker process
- Mount the composer working directory into the ui container to allow manual adding mirrored packages from the web interface
- Request OAuth Scopes on every GitLab request, fixes compatibility with new GitLab version and removes extra confirmation dialog on login
- User account merging can no longer result in error for users with audit log entries
- Deleting an integration properly disconnects synchronized organizations from the third party service
- Properly clear permission cache on package deletion (low impact, as package data was gone anyway)
Aug 4, 2017
- Option to disable email entirely for Enterprise
- GitLab subgroup support
- Handle GitHub Abuse responses appropriately
- Fix suggested GitLab authentication URL
- Do not attempt to mirror a package name that also exists publicly but the current user has no access to
- Avoid duplicate initialization of packages
Jul 25, 2017
- Upgraded Replicated to 1.9.3
Jul 24, 2017
- Ability to search and delete user accounts completely on admin page
- Display GitHub rate limit issue warnings on package initialization
- Support for nested Bitbucket and GitLab repository URLs
- Higher timeouts and better handling of timeouts for Bitbucket and GitLab
- Warn users when trying to use readonly tokens to mirror new packages
- More reliable error logging on the repo container
- Unified job queue with priorities replaces workers separated by job type
- Allow organization admins to manage synchronization, not just owners
- Avoid probing for composer.json on VcsRepos that are known to work already
- Updated GitHub links to use new apps path (formerly integrations)
- Track state of packages correctly after sync has been disabled on an organization
- No more 403 page after removing yourself from an organization
- Prevent duplication of synchronized repositories in add package screen
- Package renames now invalidate the cache of Composer metadata
- Unreachable mirrored third-party repositories now trigger a warning instead of a 500 error on the Composer repo
- No 403 errors for non-admins when viewing package details of a package in their team
Jun 15, 2017
- Allow editing of authentication token descriptions
- Remap all internally used ports to uncommon numbers to avoid conflicts with other services on host
- Report Webhook error states on package details page
- Use internal network only for internal API calls to avoid reliance on DNS or public certs
- Switched all containers to alpine to reduce size and improve compatibility
- Added more detailed logging to external API interaction in case of errors
- More detailed logging of all error states in docker process stdout / support bundle
- Removed potential race condition in database setup for Private Packagist Enterprise
- Synchronize team memberships when manually adding a package in the synchronized organization
- Validate the From email address in dashboard settings
- Ensure hostname for ui and repo are distinct in dashboard settings
- Other minor changes and dependency updates
May 18, 2017
- Fix regressions in background workers
- Fix python patch for supervisord
May 17, 2017
- Patching Python for RHEL 7.2 compatibility to run supervisord
May 17, 2017
- System update bugfixes
- RHEL supervisord/python random syscall workaround
May 8, 2017
- Store user join/leave activity on organizations
- Organizations will not be created with a number suffix in their name unless necessary
- Fix deletion of organizations which resulted in a 500 error
- Per-organization seat-based notification emails are disabled
- Improve Bitbucket token issue error handling
- Ensure admin teams definitely always have access to all synchronized packages
Apr 23, 2017
- Fix GitHub Enterprise automatic webhook setup (differs from github.com)
- Automatically correct webhook setup on manual package update if not present or incorrect
Apr 20, 2017
- New Organization Explorer in the Admin Panel
- Allow Deletion of Integrations
- Collect supervisord process log files in support bundle
- Fix an organization synchronization error
- Allow all images in Content Security Policy to allow for external avatars
- Improve display of Installation Counts
Apr 19, 2017
- HTTP Port is now configurable to something other than 80
Apr 19, 2017
- Fix regression in GitHub Enterprise API Access
- Improve Startup Time of nginx container
Apr 19, 2017
- Added HTTPS Port Selection to allow custom HTTPS Ports
Mar 30, 2017
First stable release