Loading... Background job is running.

Changelog

Private Packagist Self-Hosted

→ Subscribe to release notifications by email

Replicated Native shuts down November 30th, 2024.

To keep using Private Packagist Self-Hosted, you need to migrate to the next iteration of our Self-Hosted product: Private Packagist Self-Hosted Kubernetes.

Upcoming Release

Not scheduled, yet

Security Hardening

  • MFA codes are now immediately invalidated after use. This prevents using MFA codes multiple times in a time window. (Thanks for the report Abhishrey Gupta (crimson-inferno))

Changes

  • To ensure clarity and better distinguish them from VCS repositories, we have renamed Private Packagist subrepositories to suborganizations.

Bugfixes

  • Supplying multiple domains for which the configured proxy should not be used, no longer separates them with "\n" after the form submission on the global configuration page.

2.0.16 (Kubernetes)

December 06, 2024

Bugfixes

  • Resolves an issue that prevented the ui pod from starting when upgrading an instance first setup on version 2.0.13 because of a faulty data migration.

Supported Replicated native versions: ">=2.56.5 <2.57.0" Supported Replicated KOTS versions: "1.121.x"

2.0.15 (Kubernetes)

December 03, 2024

Changes

  • Installations using the Helm chart can now configure the NO_PROXY environment variable via the values.yaml.

Bugfixes

  • Installations that use the built-in storage option in combination with a HTTP proxy server no longer run into "Failed to upload archive" errors.

Supported Replicated native versions: ">=2.56.5 <2.57.0" Supported Replicated KOTS versions: "1.121.x"

2.0.14 (Kubernetes) / 1.12.10 (Replicated Native)

December 02, 2024

Changes

  • This version of Private Packagist Self-Hosted Kubernetes requires KOTS to be upgraded to version 1.121. Follow the steps in our update guide.
  • Installations using the Helm chart should now store any certificate additions as Kubernetes secrets instead of editing values.yaml.
  • Installations using the Helm chart can now configure what Kubernetes service type is used in front of the ui and repo pods.
  • Installations using the Helm chart can now configure additional PostgreSQL connection details via Kubernetes secrets.
  • Installations using the Helm chart can now configure container resource requests and limits through the values.yaml file.
  • The list of security issues of monitored packages now contains links to the dependencies affected by security advisories.

  • Bugfixes

  • Packagist.org mirrored packages no longer show the unrelated "Copied from organization package" link.
  • The link to create a GitLab personal access token has been updated to match newer GitLab installations and will no longer lead to a 404 page on GitLab.
  • Installations using kURL now correctly configure the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables in the replicated pod.
  • Documented in the Helm chart example values.yaml how to configure the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables for the replicated pod.
  • The Helm chart no longer needs the storage.google.json secret to exist when not using Google Cloud Storage.
  • Installations using kURL now correctly store certificate additions in all pods resolving any errors when making HTTP requests against services or a proxy with self-signed certificates.
  • Running the command to backup dist and artifact files as part of the migration to Private Packagist Self-Hosted Kubernetes no longer runs into timeout errors if the process takes longer than 60 seconds.
  • Setting up an integration using the names GitHub, GitLab, and Bitbucket no longer displays invalid callback URLs for the platforms GitLab and Bitbucket Data Center/Server.

Supported Replicated native versions: ">=2.56.5 <2.57.0" Supported Replicated KOTS versions: "1.121.x"

2.0.13 (Kubernetes) / 1.12.9 (Replicated Native)

November 15, 2024

Bugfixes

  • Packages using GitHub releases no longer display changelog entries for versions with dev stability out of order.
  • Finding the changelog information for a package will now automatically be retried when receiving status codes like 429 or 5XX.
  • Fixed that OAuth login with GitHub would result in a 500 error when the GitHub API returned a long avatar url for the user.
  • The Helm chart no longer uses the PostgreSQL username and password of the built-in configuration if an external PostgreSQL is configured.
  • The mailer will no longer try to upgrade the connection to STARTTLS if no encryption is configured in Private Packagist.

Supported Replicated native versions: ">=2.56.5 <2.57.0" Supported Replicated KOTS versions: "1.110.x"

2.0.12 (Kubernetes)

November 13, 2024

Bugfixes

  • The default storage class for new installations using kURL is now correctly configured.

Supported Replicated KOTS versions: "1.110.x"

2.0.11 (Kubernetes) / 1.12.8 (Replicated Native)

October 25, 2024

Bugfixes

  • Running the command to backup dist and artifact files as part of the migration to Private Packagist Self-Hosted Kubernetes no longer runs into errors if the folders contain files with a filename longer than 100 characters.
  • The mailer DSN environment variable is now correctly configured when choosing to deploy without email configuration.

Supported Replicated native versions: ">=2.56.5 <2.57.0" Supported Replicated KOTS versions: "1.110.x"

2.0.10 (Kubernetes)

October 22, 2024

Bugfixes

  • Using Google Cloud Storage as a storage for dist and artifact files is now always loading the supplied JSON credential file and no longer causing 500 responses when downloading dist files via Composer.

Supported Replicated KOTS versions: "1.110.x"

2.0.9 (Kubernetes)

October 21, 2024

Bugfixes

  • The health check for the ui pod now takes the configured sslmode into account to verify the PostgreSQL connection. This check previously only worked for connections with sslmode=disabled.

Supported Replicated KOTS versions: "1.110.x"

2.0.8 (Kubernetes)

October 18, 2024

Bugfixes

  • The Helm registry setup instructions in the Self-Hosted portal on Packagist.com now show the correct password.
  • The health check for the repo pod now takes the configured sslmode into account to verify the PostgreSQL connection. This check previously only worked for connections with sslmode=disabled.

Supported Replicated KOTS versions: "1.110.x"

2.0.7 (Kubernetes)

October 18, 2024

Bugfixes

  • Installing Private Packagist Self-Hosted as a Helm chart required users to install version 2.0.6-a1 instead of the 2.0.6 version shown on the Self-Hosted portal on Packagist.com. This now works as expected with version 2.0.7. This release is otherwise identical to 2.0.6.

Supported Replicated KOTS versions: "1.110.x"

2.0.6 (Kubernetes)

October 11, 2024

Bugfixes

  • The Replicated Helm subchart was using an incorrectly formatted image tag, which can cause issues with pulling the image. The Replicated subchart was updated to 1.0.0-beta.29.

Supported Replicated KOTS versions: "1.110.x"

2.0.5 (Kubernetes) / 1.12.7 (Replicated Native)

October 10, 2024

Security Fixes

  • Accepting an email invitation to a non-synchronized organization can no longer be used to join a different team within the organization if you know its id than intended. (Thanks for the report Mohab Mohamed)

Security Hardening

  • The number of organizations that can be created per user is now rate limited.

Features

  • Synchronizations with GitHub now use the new GitHub organization roles to determine which teams and users can access all repositories in the GitHub organization. This feature requires additional GitHub permissions: Please grant the read:org scope to your personal access token.

Changes

  • Package subrepository API endpoints now accept package IDs or package names, making it possible to remove duplicated packages.

Bugfixes

  • Creating a team manually through the UI now adds an entry to the organization log.
  • Synchronization runs with GitHub, GitHub Enterprise Server, Bitbucket and Bitbucket Data Center / Server using scoped API tokens where the HTTP response header value of the scope was longer than 255 characters are no longer stuck running forever.
  • Fixed a race condition where Private Packagist would return outdated package metadata to Composer if a Composer request triggered the metadata to be regenerated while they are being invalidated.
  • Fixed a styling issue on the Security Monitoring page where the list of reasons was not displayed correctly when closing the security issue.
  • Update review comments on Bitbucket weren't recreated after the pull request temporarily had no composer.lock changes and the original comment was removed. This has been resolved.
  • Fixed a bug where connecting your personal account to a third-party service account already in use by another user would result in a 500 error if that user had previously unsubscribed from security notifications for individual packages.
  • The option "Enforce MFA for Login via OAuth" is no longer required to be checked, when setting up Multi-factor Authentication.

Supported Replicated native versions: ">=2.56.5 <2.57.0" Supported Replicated KOTS versions: "1.110.x"

2.0.4 (Kubernetes) / 1.12.6 (Replicated Native)

September 03, 2024

Security Hardening

  • Security related changes to your user account, including password, username, email, Composer authentication token, and MFA changes, will now trigger an email to the primary email address.
  • Users cannot change their password to their current password anymore, when changing it through their profile page.
  • Connecting your Private Packagist account to third-party service accounts now requires your primary email address to be verified. Theoretically an attacker could have otherwise created an account with an email address of a pending organization invitation (not possible with synchronization) and linked it to an OAuth connection which would have persisted attacker access beyond password recovery of a legitimate user on the original email address. (Thanks for the report Mohab mohamed)

Changes

  • While setting up multi-factor authentication you can now configure if it should be enabled for login via OAuth too instead of having to do this in a separate step later.
  • Packages won't be mirrored automatically anymore when an organization's Composer repository URL is used as a mirrored repository URL in another organization on the same Private Packagist Self-Hosted instance.
  • Package API endpoints now accept package IDs or package names, making it possible to remove duplicated packages.
  • The "Add Members" button on the All Organization Members team now explains why there is no invite button for organizations without synchronization.
  • Creating a new organization now shows instructions on how to set up your organization.

Bugfixes

  • Connecting via OAuth with an email address already used by another Private Packagist account now provides an error message explaining the situation.
  • The layout of the package page is no longer displayed too wide when very long commands were shown in the readme of the package.
  • The organization dashboard shows the correct number of teams. Collaborator teams without members are now excluded from the count.
  • Added missing close button to the add synchronization modal.

Supported Replicated native versions: ">=2.56.4 <2.57.0" Supported Replicated KOTS versions: "1.110.x"

2.0.3 (Kubernetes) / 1.12.5 (Replicated Native)

July 05, 2024

Security Fixes

  • Fixed an issue that would have allowed an attacker to import packages from an organization into their own organization, if the package was created with the "git" type and if the attacker knew both the package's full source URL as well as the local file structure on packagist.com servers and the internal identifier used for the organization. To the best of our knowledge after reviewing logs and audit records as far back as we have them, this issue has not been exploited before discovery. (Thanks for the report Maciej Piechota (haqpl))
  • The organization log page is no longer accessible to all users in an organization. It can now only be accessed by members with admin access. (Thanks for the report Satyam Singh)
  • Billing users cannot add packages from mirrored third-party repositories anymore. Even before this fix they were only allowed to add packages by name from existing repositories. They were not able to modify repositories.
  • It's no longer possible to use mirrored repository and notification channel URLs that redirect to insecure http URLs (no TLS). (Thanks for the report Dominik Prodinger and Maciej Piechota (haqpl))
  • Fixed an open redirect issue in the URL for joining a team, required an attacker to send you a modified URL through another channel. (Thanks for the report Julian Hector)
  • Fixed a reflective XSS issue when adding and editing integrations on the organization settings page via the base URL input field. (Thanks for the report Maciej Piechota (haqpl))
  • Fixed a reflective XSS issue when creating a custom package using form tab via the version input field. (Thanks for the report Maciej Piechota (haqpl))
  • Fixed a reflective XSS issue uploading package archives with a malicious composer.json file. (Thanks for the report Maciej Piechota (haqpl))

Security Hardening

  • Cache-Control headers are now set to prevent storing potentially private data in the browser. (Thanks for the report Priyanshu Parmar)
  • Connecting and disconnecting third-party user accounts and making an email the new primary email now requires you to enter your password.
  • In addition to ending all active authenticated sessions for a user when they change their password, username or email, we now also end all sessions where the user has not yet completed authentication due to an unfilfilled MFA requirement. (Thanks for the report Gaurav Dalal (webcipher101))
  • The number of subrepository collaborator invitations that can be sent in an organization is now rate limited. (Thanks for the report Zeeshan Beg x Dracula)
  • OAuth login with GitHub, GitLab, and Bitbucket now uses the OAuth 2 state parameter to prevent potential CSRF attacks. (Thanks for the report Mohan Sri Rama Krishna aka s1r1us)
  • The number of emails that can be added to notification channels in an organization is now rate limited. (Thanks for the report Zeeshan Beg x Dracula)
  • The email address confirmation link no longer automatically logs users into their account. (Thanks for the report Harshita Singh)

Features

  • The security filter on the package list now also allows you to filter for abandoned packages.
  • The Self-Hosted portal on Packagist.com now lists pending invitations for members to join and allows you to cancel an invitation.
  • The members, team members, and subrepository collaborators pages now list pending invitations for members to join and allow you to cancel an invitation. Each invitation can now also only be used once.
  • Added GitLab, GitHub, Bitbucket and Bitbucket Data Center / Server remote ids to API endpoints listing team members.

Changes

  • (Kubernetes) This version of Private Packagist Self-Hosted Kubernetes requires KOTS to be upgraded to version 1.110. Follow the steps in our update guide.
  • The organization log now contains entries when a team is granted "All packages access" or that access is revoked.
  • The organization log now contains entries when an invitation to join the organization or a subrepository is canceled or accepted.
  • Custom package definitions no longer support t3x archive files in dist URLs or via file upload.
  • The organization log now contains additional entries when deleting a synchronization for all the teams and users that were removed from the organization.
  • Users that are deactivated, blocked, or banned and a direct member of a project in GitLab are now removed as organization members in Private Packagist when synchronized, as opposed to be remaining members without the ability to log in.

Bugfixes

  • A mirrored repository only defining security advisories for a package, like Drupal does for drupal/core, no longer prevents automatic mirroring of that package.
  • Resolved an out of memory issue when editing a credential that is used by over 5000 packages.
  • It's no longer possible to rename the Billing team. (Thanks for the report Zeeshan Beg x Dracula)
  • Synchronization runs with Bitbucket workspaces, for which group privileges cannot be fetched via API, are no longer stuck running forever. The permissions are now fetched for each repository instead.
  • Adding a custom, artifact, or VCS package in an organization where all teams the user has access to have "All package access" no longer displays an error message saying that at least one team needs to be selected.
  • In subrepositories of organizations without synchronization, team memberships can no longer be managed by members of the Admins and Owners teams. Team memberships can only be managed on the organization level. (Thanks for the report Zeeshan Beg x Dracula)
  • OAuth login attempts that trigger a 5XX response by the OAuth server now display the URL and status code instead of silently failing.
  • The error message on the package page does not show % placeholders anymore when a webhook URL was refused by the code hosting platform.
  • The create authentication token form no longer disables the option to select the read-only type once an organization had 10 or more tokens.
  • Using a very long password when registering, changing or resetting the password no longer causes the browser to become unresponsive. (Thanks for the report Ishu Manoj Jangra)
  • The MFA emergency disable button in the admin panel no longer skips the confirm dialog if the search was used. A disabled button is shown for users without MFA.
  • Reactivated removed synchronized members are no longer missing access to subrepositories.

Supported Replicated native versions: ">=2.56.4 <2.57.0"
Supported Replicated KOTS versions: "1.110.x"

2.0.2-pl1 (Kubernetes) / 1.12.4-pl1 (Replicated Native)

Apr 16, 2024

Bugfixes

  • Login with Bitbucket Data Center using OAuth 1 was always causing a 500 error on Bitbucket. This is now resolved.

Supported Replicated versions: ">=2.56.2 <2.57.0"

2.0.2 (Kubernetes) / 1.12.4 (Replicated Native)

Mar 21, 2024

Security Fixes

  • Team memberships for the Owners team cannot be managed via API anymore to avoid admins promoting themselves to owners. (Thanks for the report Anees Khan)
  • Disconnecting a user from connected OAuth accounts is now CSRF protected. (Thanks for the report Anees Khan)
  • Added CSRF protection when Granting and revoking "All package access" for teams, triggering a package update, downloading a package archive, promoting a synchronization to primary, and resending email address confirmations. (Thanks for the report Sahil Negi)

Security Hardening

  • Enabling and disabling multi-factor authentication will now automatically log you out of all other sessions.
  • Clear-Site-Data header is now set on logout to delete all potentially private data stored in the browser. (Thanks for the report cyberyash)
  • Forms requiring the current user's password or MFA code are now protected against brute force attacks. (Thanks for the report cyberyash)
  • Users cannot use their own username, email or full name as a password anymore.
  • The number of invitations that can be sent in an organization per time is now limited. Invitation emails no longer render user input as links. (Thanks for the report cyberyash)
  • Changing the primary user email now clears any pending password reset requests. (Thanks for the report Khan Mamun)
  • Links in email verification emails now expire after two hours or once clicked. (Thanks for the report Khan Mamun)
  • Deleting an organization, subrepository, or user account now requires the user to enter their password to confirm. (Thanks for the report cyberyash)
  • The number of newly added emails to the profile in quick succession is now limited.
  • The password reset token is no longer stored in the URL when setting a new password. This avoid leaking the token to third parties.

Features

  • Integrations with Bitbucket Data Center / Server v7.21 or newer now support Application Links using OAuth 2.
  • The availability of packages in new subrepositories can now be set via API when creating or editing a package.

Changes

  • PostgreSQL upgrade from 9.6 to 12. Depending on the size of your database, this will cause increased disk IO and might take a few minutes during which the application won't be available. The Replicated Management Console may show the wrong state Stopped on the dashboard after running the update. But if the Cluster section shows all containers except packagist-postgres-update as running, you can ignore the displayed state.
  • Deleting an integration will now first show a page with information about how the integration is used.
  • Names, descriptions, usernames and full names can no longer contain '<' and '>' characters.
  • Filter lists like synchronizations, credentials, and mirrored repositories are now alphabetically ordered.
  • The Composer authentication section now also shows how to store authentication in a local auth.json file.
  • The navigation within organizations has been restructured.

Bugfixes

  • Subrepository collaborators no longer get links in the top-level navigation dropdown that lead to a 404 not found error.
  • The subrepository overview page shows the install statistics again. It always showed 0 values even if the subrepository had installs.
  • Synchronizations with Bitbucket Data Center / Server now show the full display name and correct link to the Bitbucket Data Center / Server project.
  • The organization and subrepository search in the navigation is now case-insensitive.
  • Members of the Admins team in an organization can no longer remove members of the Owners team on the members page.
  • Fixed an issue where the configuration for sending emails wasn't correctly applied to the application and a wrong port was used.

Supported Replicated versions: ">=2.56.2 <2.57.0"

1.12.3-pl2 (Replicated Native)

Jan 29, 2024

Bugfixes

  • Allows Private Packagist to run with Replicated versions 2.56.0 again.

Supported Replicated versions: ">=2.56.0 <2.57.0"

2.0.1 (Kubernetes) / 1.12.3 (Replicated Native)

Jan 24, 2024

Security Fixes

  • Reset password request links now expire after two hours or as soon as the password is changed rather than being valid forever. (Thanks for the report to Arslan)

Features

  • Security monitoring now reports security advisories provided by all configured mirrored third-party repositories.
  • Security issues now display the issue severity in the UI and email notifications if available.
  • Added API endpoints to view, open, and close security issues.
  • Organizations can now require that members log in with a particular OAuth method to access Private Packagist.
  • Update Review comments now show the license when a package is added or the license is changed.
  • You can now opt notification channels into receiving notifications when security issues are closed due to withdrawal of the respective advisories.

Changes

  • Disconnecting your account from a third-party service that grants you access to one or more organizations will now require additional confirmation.
  • Organization log entries for editing a package now contain information on renames, when the name was edited.
  • Organization log entries for org.join and org.leave now indicate which user added the user to the organization or removed the user from the organization.
  • The organization log now contains entries indicating that the user that created the organization joined the organization and is part of the Owners and All Members teams.
  • The API key can now only be viewed once after creation. Only the description can be edited.
  • New versions on the custom package edit form are now added to the top instead of the bottom.
  • Resetting a password for a user with MFA enabled now requires entering an MFA code when setting the new password.
  • The add package from synchronization dialog now shows if a repository has a composer.json file but no name is defined.
  • An advisory database removing security advisories now marks security issues as closed instead of removing them.
  • The organization list in the top-level navigation dropdown now contains a searchable list of subrepositories.
  • The package list now shows when a package was last updated and shows "pending" if the package hasn't been updated yet.
  • The organization log can now be searched for packages by using the full package name in the search field.
  • Package versions for custom packages now automatically set the release date when the version gets added. The date can also be manually set via the custom package edit form.
  • Package versions for uploaded artifact files now have a release date set to the time the artifact was uploaded.

Bugfixes

  • Adding a package from synchronization previously only had a bulk add option and an Add subdirectory button leading to the multi-package repository creation screen, resulting in erroneously created multi-package repositories. Now, there is also an Add package button for each individual repository.
  • Viewing the list of members of a subrepository no longer results in a 500 error when any subrepository member had their access to the subrepository assigned through a single team.
  • Clicking on a team name under Available Teams within a subrepository no longer shows only a message "Content missing" instead of showing the team members.
  • Organization synchronization runs receiving a 200 text/html response instead of a JSON response from Bitbucket, GitHub, or GitLab APIs will now display an error message and be retried later instead of being stuck.
  • Package versions without a release date defined no longer show the current date and time as release date.
  • Synchronized VCS repositories that are also published on packagist.org are no longer counted twice in the package count on the synchronization settings page.
  • Adding a package no longer results in a CSRF token error when the organization has more than 1000 teams.
  • Deleting individual users in the admin panel no longer just redirects. Only deleting users via "Delete selected users" was working.

Supported Replicated versions: ">=2.56.2 <2.57.0"

2.0.0 (Kubernetes) / 1.12.2 (Replicated Native)

Oct 30, 2023

Features

  • Read-only and update authentication tokens can now be created and regenerated with an expiration date after which the tokens will stop working.
  • Organizations can now configure that read-only and update authentication tokens expire after a certain amount of days.
  • Security Monitoring now uses the audit ignore config from the project's composer.json to automatically close ignored issues.
  • Added API endpoints to view and edit which branches to monitor for security issues.
  • Organizations can now configure that user authentication tokens expire and automatically regenerate on a regular basis.
  • Notification channels can now receive notifications for changes to the state of a security issue.
  • The teams page now has a search field and a filter by synchronization to easier find teams.

Changes

  • New read-only and update authentication tokens now use a new token format with a packagist_ort_ or packagist_out prefix respectively.
  • New user authentication tokens now use a new token format with a packagist_uut_ prefix.
  • The changelog page of a package now links to the source of the changelog information.
  • Read-only and update authentication tokens are now write-only. They can only be viewed once after creation and regeneration. Only the description can be edited.
  • Members of organizations that enforce MFA for the current login method can no longer access the profile page or other organizations they are a member of. Instead, members are asked to immediately set up MFA.
  • Synchronized VCS repositories without a composer.json file that are older than one year are now only checked once every 24 hours for new composer.json files instead of on every push to reduce the number of API requests.
  • Making changes to how members found through a synchronization are handled in the organization member settings will now add an entry to the organization log.
  • The custom package edit form now automatically collapses all versions if there are more than two versions.
  • Packages returned by the API now contain a webView link to the package page on Private Packagist.

Bugfixes

  • Switching between the form and JSON tab for custom packages is now significantly faster.
  • Manually overriding a package name via the edit package form no longer causes Composer commands to error with a message that the package doesn't exist or permissions might be misconfigured.

Supported Replicated versions: ">=2.56.1 <2.57.0"

1.12.1

Sep 1, 2023

Security Fixes

  • Multi-factor authentication was not required after login via OAuth when an organization or user had opted to require it. Multi-Factor authentication was correctly required as configured at all times for users logging in with email/password.

Bugfixes

  • Adding a mirrored third-party repository that doesn't return valid JSON on the packages.json endpoint now shows an error message instead of just reloading the form.

Supported Replicated versions: >=2.56.0 <2.57.0

1.12.0-pl2

Aug 24, 2023

Bugfixes

  • Synchronizations using a credential with a port in the domain name but matching the integration domain no longer cause a credential domain mismatch error.

Supported Replicated versions: >=2.56.0 <2.57.0

1.12.0-pl1

Aug 23, 2023

Bugfixes

  • Using Bitbucket Server OAuth to log in no longer causes a server error.

Supported Replicated versions: >=2.56.0 <2.57.0

1.12.0

Aug 23, 2023

Features

  • Added an API endpoint to fetch a single team.
  • Added an API endpoint to fetch all synchronizations.
  • New "Access All Packages" permission can be granted to teams (via UI or API). Controls whether the team has access to all non-synchronized organization packages. Revoking this access will not remove access to packages the team has access to at the time.
  • The packages page now shows private packages, mirrored packages, and packages from subrepositories in a single list with a number of filters.
  • Browsing all packages of a mirrored third-party repository will now show them filtered on the packages page.
  • The list of packages is now paginated, addressing performance issues while loading the page for organizations with thousands of packages.
  • GET API endpoints can now be accessed without generating the full signature using the Authorization: PACKAGIST-TOKEN header.
  • Install statistics are now available when fetching subrepositories via the API.
  • The user management page in the admin panel now lets you filter by active and inactive users. It shows the number of found users for each search, and allows multiple users to be deleted at once.
  • The list of organization teams is now paginated, addressing performance issues while loading the page for organizations with thousands of teams.

Changes

  • Organization and subrepository renames (name or short name for URLs) now create entries in the organization log.
  • Creating, editing, and deleting a multi-package repository now creates an entry in the organization log.
  • Synchronization errors are not displayed anymore while a synchronization is running which may resolve them.
  • After editing a package users are redirected back to the package page instead of the package list.
  • Subrepository members with edit permissions can now also add all organization packages to which they have edit access to a subrepository.
  • Synchronization runs list which repositories were added to or removed from a team.
  • Synchronization runs list which members were added to or removed from a team.
  • Log entries are now created for mirrored third-party repositories when creating/deleting, editing/changing permissions, and adding/removing from a subrepository.
  • The list to add organization packages to a subrepository now also shows the package URL and states if the package is abandoned or part of a multi-package repository.
  • Notification channels can no longer be created on the organization security settings page, use the notification channel settings page instead.
  • Synchronization runs now list which users were added to the list of removed synchronized members.
  • Regenerating read-only or update authentication tokens now adds an entry to the organization log.
  • Added missing organization log entries for adding, editing, and deleting notification channels, as well as adding and removing notification channels from subrepositories.
  • Custom package definition submitted via the API no longer requires the top level "package" key, similar to submitting it via UI.
  • Users that are deactivated, blocked, or banned in GitLab are removed as organization members in Private Packagist when synchronized, as opposed to remaining members without the ability to log in.
  • Users will now be logged out when their OAuth token expires and cannot be refreshed.

Bugfixes

  • Adding GitHub Enterprise Server as an integration via the Private Packagist admin panel no longer errors if the rate limit endpoint requires authentication.
  • Adding a new mirrored third-party repository to an organization no longer produces a server error if the HTTP call to validate the mirrored repository errored with a cURL error, e.g. a request timeout.
  • Login via OAuth for users that are only part of a single organization directly redirects again to the organization instead of the organization list.
  • The error message for failing Bitbucket synchronization states the missing OAuth scopes for the credential again.
  • Downloading archive files from the package view page after switching versions works again.
  • Organization log entries for synchronization created and deleted now contain additional information about the synchronized remote organization.
  • New package entries in the organization log now use clearer values in the "Triggered By" column instead of the generic "Background Job".
  • Added missing organization log entries for teams that are created and deleted during a synchronization run.
  • Adding a package with its dependencies to a subrepository, didn't add all dependencies to the subrepostory in case over 1000 transitive dependencies where shown.
  • Creating a subrepository now adds packages via a background job, avoiding potential request timeouts.
  • Resolved an out of memory issue when adding a package with dependencies to a subrepository.
  • A log entry is added when a credential is created during synchronization setup.
  • Promoting a user to Owner on GitHub or Administrator on Bitbucket can no longer remove the user from synchronized organizations.
  • Versions longer than 255 characters, e.g. branch names longer than 251 characters, are now truncated to 255 characters and no longer cause the background worker to keep crashing and reduce the number of available workers.
  • Mirrored third-party repositories returning an empty dist URL as part of the package metadata will no longer break Composer commands.
  • The confirm dialog shown when deleting a multi-package repository now only lists each package name once, even if some packages were added to subrepositories.
  • The packages list now correctly shows errors with the webhook setup, even if the webhook was successfully setup before.
  • Composer 1 commands could produce a server error in case the organization had several thousands of packages causing Composer commands to fail.
  • The list of authentication tokens always showed 0 for installs in the last 30 days. This now shows the correct number again.
  • Multi-Packages showed a wrong webhook URL on the package page that would return a 404 response when used to trigger a package update.
  • The package page now keeps showing the hook URL if the webhook was manually configured.
  • Fixed the update review comment link for Bitbucket, GitHub, and GitLab releases for versions where the git tag doesn't match the version specified in the composer.json file.
  • Adding a new multi-package repository to an organization will now link to the existing configuration if there is already a multi-package repository with the same URL in the organization.
  • Organizations that enforce MFA for login, no longer enforce MFA once they are deleted.
  • Prevent errors when users double submit the grant team access to packages button
  • Security Alert emails now only show up to 250 security issues to avoid memory issues while generating the emails.
  • Creating new teams via the API using a name that is already in use, no longer returns a 500 error response.
  • The API error response now indicates which property fails the validation if an invalid value is sent for an enum type.
  • Improved the render time of the profile page for users that are part of an organization with a lot of subrepositories.
  • A successful login via email and password for a user with MFA enabled redirected back to the login page if a first login was not successful. This now redirects to the MFA screen.
  • Adding teams to a subrepository right after the subrepository was created, could lead to teams not having access to all packages in the subrepository.
  • Fetching an artifact file with a non-numeric ID from the API no longer returns a 500 response.
  • GitHub synchronization runs now state if they fail because of an expired GitHub personal access token.
  • Deleting a package assigned to over 50 subrepositories now deletes the package via background job to prevent memory issues.
  • Log entries are now created when teams are added or removed from a subrepository.
  • Log entries are now created when the permissions for a team are changed within a subrepository.
  • Adding a package to multiple subrepositories at once can no longer result in a 500 error.
  • Synchronizations with Bitbucket Server now detect maintenance mode and retry synchronization runs later.
  • Links to files on the changelog page for packages using GitHub releases now point to the correct URL on github.com and no longer to a 404 error page.
  • Creating packages for new VCS repositories in the remote organization created while an organization is being synchronized, is no longer delayed until after the synchronization run is finished.
  • Creating an integration with a base URL that is missing the host part no longer results in an error.
  • Form to invite members in the Self-Hosted Management Portal no longer returns a "Method Not Allowed" error.
  • Usernames are now limited to a length of 50 characters.
  • Package links shown for a version were missing the constraint information if the constraint was self.version.
  • Deleting a team that has access to multiple subrepositories no longer results in a 500 error.
  • Synchronized GitHub organizations where members have access to all repositories no longer require a full synchronization run for all synchronized members to have access to new repositories.
  • Editing the dist URL for a custom JSON package now removes the stored dist file and fetches the file from the new URL.
  • A search term not matching any VCS repositories on the add package from synchronization dialog no longer removes the search bar.
  • Mirroring new packages in a subrepository at the same time as removing the mirrored third-party repository from the subrepository no longer causes an error when accessing the packages list.
  • Inviting the same user multiple times to the same team no longer results in a 500 error.
  • The form for custom packages now shows clearer that you can either upload a file or define a URL in the dist section of each version.
  • Using bitbucket.org OAuth to register a new account no longer errors if the registration form wasn't submitted for longer than an hour. The OAuth access token expired and couldn't be refreshed without errors.
  • Renaming a package and immediately using that package in a Composer command does not result in server errors anymore.
  • Accessing package versions with more than five digits as major version no longer shows an error page.
  • Creating a new integration with a name that only consists of spaces no longer results in a 500 error page, but rather an explanation.
  • Security advisories defining an invalid affected version constraint no longer cause the package page or the security advisories page of a package to return a 500 response.
  • Deleting a package while a background job updates the package will now queue the delete task until the package update finished to avoid server errors.
  • The last used date for authentication tokens is now correctly updated.
  • Organizations with synchronizations from two Bitbucket Server instances with identically named projects and groups are no longer missing teams in Private Packagist.

Supported Replicated versions: >=2.56.0 <2.57.0

1.11.6-pl2

Dec 2, 2022

Bugfixes

  • Synchronizations with Bitbucket Server were only synchronizing users with direct access to the project. This includes again users with access via a group.

Supported Replicated versions: >=2.54.0 <2.55.0

1.11.6-pl1

Nov 14, 2022

Bugfixes

  • Resolved an issue that prevented creating new integrations via the Private Packagist Admin Panel.

Supported Replicated versions: >=2.54.0 <2.55.0

1.11.6

Nov 11, 2022

Features

  • Added new API endpoints to manage teams and team memberships.

Changes

  • The API now returns the date a package version was released, if known.
  • Log entries for added and edited packages now show additional information such as clone URL, which mirrored third-party repository it was mirrored from, if it's part of a multi-package repository, etc.
  • Package access for synchronized teams can now be resynchronized directly on the team's packages tab.
  • The package list now also shows the VCS repository URL and a GitHub/GitLab/Bitbucket icon for private packages.
  • A permanently-dismissable notice is shown for all users that have yet to enable multi-factor authentication.
  • Existing organization members can now be added to other organization teams by username as well as email address.
  • After registration, users are asked to enable multi-factor authentication. This is only shown once.

Bugfixes

  • Older GitLab versions issued OAuth access tokens without a refresh token. Since GitLab 15.3, these tokens can now expire, preventing us from fetching GitLab Groups that can be used for synchronizations. If necessary we now show a message to log out and log in again to resolve the issue.
  • GitHub synchronization no longer skips teams called "Teams" after GitHub fixed a bug in their API, removes workaround from the previous release.
  • Connecting to a new OAuth account on the synchronizations page now redirects back to the synchronizations page and no longer to the profile page.
  • Improved the render time of the synchronizations page for Self-Hosted installations that have been running for a long time with multiple synchronizations.
  • Resolved an issue during the cleanup of deleted organizations and subrepositories that would cause the background worker to keep crashing and reduce the number of available workers.
  • The check for leaked passwords using haveibeenpwned.com on the change password and registration form no longer renders HTML tags in the error message.
  • When a subrepository is granted access to an organization's package, a log entry is created in the subrepository's log in addition to the existing log entry in the organization.
  • The packages list renders faster now for organizations with a large amount of repositories on GitHub, GitLab, or Bitbucket.
  • The packages list renders faster now for subrepositories when the organization has a large amount of private packages.
  • Sending weekly and monthly security summaries no longer causes out of memory errors for organizations with a lot of open security issues.
  • Resolved an issue that prevented the removal of mirrored third party repositories from a subrepository if it contained packages from this mirror.
  • Packages no longer state that they are missing credentials to set up a webhook if they have credentials assigned for a platform where we don't support the automatic setup of webhooks.
  • Changing the URL of a synchronized package now also correctly disassociates the package from the synchronization with the previous URL.
  • Fixed a bug that prevented create, edit and delete of integrations in setup mode without being logged in.
  • Renaming an organization or subrepository twice in short succession no longer triggers an error.
  • Requesting a new mirrored package via "composer require" or "composer update" that needs authentication now shows a helpful warning instead of erroring with a 503 response if there is no authentication configured for the mirrored third party repository on Private Packagist.
  • The security monitoring settings page no longer shows "no limit" as selected option to limit monitored projects when the form is submitted with another value.
  • Fixed a bug where selecting too many packages to add to a subrepository would cause an nginx buffer overflow error.
  • Install statistics for organizations and subrepositories older than two years are now correctly calculated as daily averages.
  • Accessing a package that has several hundred versions could result in a 500 error. This has been resolved.
  • Update jobs for packages from GitLab repositories are now delayed if necessary to run at most every 30 seconds to avoid fetching stale cached data from the GitLab API.
  • Deleting a package, then adding a package with the same name from packagist.org can no longer lead to a stale local Composer cache when using Composer 2.

Supported Replicated versions: >=2.54.0 <2.55.0

1.11.5

Jul 27, 2022

Features

  • Multi-factor authentication has been added to user accounts. Organization owners and admins can enforce MFA for their members.
  • Security notifications are now cumulated across all projects, resulting in fewer emails on discovery of new security vulnerabilities in multiple projects
  • The upcoming Composer 2.4 security features (audit command and security advisory listing on update) are now supported by Private Packagist for all private and mirrored packages
  • Added a button to the profile page so that users can delete their account themselves
  • Credentials are linked to all their usages on the credentials page

Changes

  • The Update Review detail page on Private Packagist linked from pull request comments now displays relevant security advisory information like the comment already did.
  • When configuring an integration with Bitbucket Data Center / Server, Private Packagist will now validate the base URL by sending a test request to Bitbucket
  • When viewing a synchronized package the synchronization is now listed in the right-hand side metadata
  • More specific titles were added to most pages
  • Organization, subrepository and customer forms show the whole url for their short names

Bugfixes

  • Fixed the link on the synchronizations page to the Bitbucket Data Center / Server project
  • Archive job no longer crashes in a loop for multi-package repositories when a commit reference points to a nonexistent package sub folder
  • Synchronization job for organizations no longer crashes for GitLab 403 API responses when trying to access resources the credentials do not have access to
  • Fixed the diff link in Update Review comments for changed packages containing Composer download URLs (dist URLs) pointing to GitHub release URLs
  • Fixed that user roles weren't merged correctly, causing admin accounts to lose permissions while connecting another account via OAuth
  • Notifications for abandoned or released packages in subrepositories were not sent
  • Corrected the name for Bitbucket Data Center / Server credentials from app password to personal access token
  • Prevented validation errors when editing synchronization settings while someone else creates the first subrepository in an organization
  • Editing credentials now also triggers background jobs to locate packages in multi-package repositories again using the modified credentials
  • Synchronizations with GitLab no longer create duplicate admin and owner teams
  • Synchronization runs no longer fail if Bitbucket returns the same user id multiple times when checking permissions for a repository
  • Resynchronize button on the teams or settings page is now unblocked when synchronization jobs have expired
  • Added quotes to the Composer command on the user authentication page for usernames containing spaces
  • Prevented a 500 error when deleteing, recreating and deleting a subrepository by the same name again in a short time window
  • Submit button wasn't shown when adding integrations and the URL was pasted from the clipboard
  • Fixed a bug in OAuth connect, which could lead to a user receiving 500 errors on all pages. This was triggered by a user connecting their existing account to an OAuth service, which is used to synchronize an organization.
  • Custom packages webhook status is now "not supported" and no longer "missing credentials"
  • Fixed a temporary 500 error shown on the package monitoring page briefly after a vulnerable dependency is removed
  • On package deletion organization log entries are no longer created for deleted subrepositories that used to contain the package
  • Stopped VCS pushes from triggering a background job crashing in an infinite loop on GitLab 404 exceptions, when credentials have insufficient permissions to access a group
  • Using composer search for a package name without a slash no longer errors because Private Packagist's Composer API now returns an empty list instead of a 404 error
  • Files that were uploaded via custom package form or when adding a package through uploaded files are kept 7 instead of 2 days, if the form is not submitted
  • If login errors because host cannot be resolved or there are SSL errors or connection timed out, then there is now a specific error message instead of "HTTP request failed"
  • If Slack notifications hit the rate limit there is now a random delay between 30 and 780 seconds for all retries
  • Notifications for abandoned or released packages in subrepositories were sent to notification channels only configured to receive security alerts
  • When a new member was added to a synchronized GitHub organization, they were only added to their initial team, but not others like "all members" until a full synchronization run corrected the access within 12 hours
  • Update Review comments could not be created when an invalid dependency package version was stored in the composer.lock file
  • Deleting an organization is done in a single transaction to prevent job crashing in an infinite loop
  • When editing a synchronized package and assigning new credentials, the package update will no longer revert the package back to using the outdated credentials.
  • Form validation errors for organization and subrepository short names are shown right next to their input field
  • Workaround a GitHub API bug by skipping synchronization of teams literally called "teams" to allow GitHub synchronization to complete

Supported Replicated versions: >=2.53.7 <2.54.0

1.11.4

May 27, 2022

Features

  • Added a new option for synchronizations with GitLab groups to skip synchronization of projects shared with the group
  • Added billing history showing payment method and invoice address, along with plan and license information, to the Self-Hosted portal on Packagist.com
  • Update Review comments now indicate package versions that have security advisories, including a message if an update introduces package versions with known vulnerabilities.
  • Glob expressions for repositories containing multiple packages now support brace expansion (eg, {one,two}/composer.json).

Changes

  • Security Advisories now indicate all advisory databases that they were found in (GitHub or Friends of PHP)
  • A more helpful error message is displayed when a synchronization with Bitbucket Server results in an unauthorized access API error (due to invalid credentials)
  • The list of integrations on the Private Packagist admin panel is now styled more consistently with the rest of the application
  • Reaching API rate limits when adding packages from a synchronization with Bitbucket will now cause it to retry by cloning instead of using the API
  • Username and avatar are now displayed in the Add Synchronization modal to indicate the connected accounts

Bugfixes

  • Correctly store triggered-by information in the organization log for both adding and removing packages from a subrepository
  • After editing a private package with a configured webhook, Private Packagist now assumes that the webhook is not set up until a delivery is successfully received
  • Fixed detection of premium subscription for synchronization with gitlab.com. This caused Private Packagist to skip setting up webhooks because it assumed package webhooks were not necessary
  • Mirrored packages without a vendor name can no longer be added via the add package dialog
  • Resolved an issue with submitting a weak password on the registration page that caused a 500 error
  • Updated the link to create HTTP access tokens on Bitbucket Server, and the link to create app passwords on Bitbucket
  • Fixed a race condition where package initialization was triggered by both an organization and subrepository synchronization, causing the package to not get added to any subrepositories
  • Better detection of Zip and Tar archives when uploading Package Archives via the API; now all types uploadable via the UI can be uploaded to the API
  • Update Review comments will not be updated on pull requests that have been closed/merged, even if they are edited
  • The last owner of an organization during a synchronization cannot be removed anymore, even if that owner is not connected to the synchronized service
  • When a package contained several thousand Composer patches, a database error occurred during a package update, new patch information was not added and therefore not available to the UI.
  • When downloading composer.lock files over 1MB from GitHub, they now return a 200 instead of 403 which caused functionality such as update review to fail. We now retry downloads using different API call for large files
  • Bitbucket API requests resulting in the Bitbucket-specific status code 555 are now retried, similar to a 500 status code
  • composer.json files are no longer automatically added to the ignore list when they get deleted from a multi-package repository
  • Fixed a bug that caused packages to become inaccessible when changing the URL of an existing package to the URL of a VCS repository that is also available on packagist.org
  • Submitting certain invalid package names via the "Add Mirrored Packages" form could result in a 500 response. This is no longer the case
  • Added missing version information when fetching individual subrepository packages mirrored from packagist.org via the API

Supported Replicated versions: >=2.53.6 <2.54.0

1.11.3-pl1

April 13, 2022

Bugfixes

  • Resolves an issue that prevented the packagist-ui container to start when upgrading from a version before 1.11.0 because of a faulty migration

1.11.3

April 13, 2022

Security Fixes

  • Resolves a argument injection vulnerability which allowed maintainers of private packages to run shell commands on the packagist-worker container via the readme property of the composer.json in the default branch of a Mercurial repository and create files via the name of the default branch of a git repository. We do not believe this to have been exploited prior to the publication of this release. (CVE-2022-24828)

Changes

  • Decreased the maximum file size for JSON responses from mirrored third-party repositories from 256MB to 128MB to avoid memory issues during the automatic mirroring of new dependencies.
  • The log output of the background workers is now available when accessing docker logs of the packagist-worker container. The logs were previously only available in a log file inside the container.
  • API endpoints returning security advisories now also include the Packagist security advisory ID for each advisory

Bugfixes

  • The update review feature on GitHub and GitLab now uses the HEAD sha instead of the merge commit to generate the composer.lock diff. This resolves a bug where the comment would get updated with incorrect information when the pull request was closed.
  • Packages that rely on git to fetch updated version information did not detect changes of the default branch after the package was added. This functionality has been added.
  • Deleting a package in a subrepository that is part of a multi-package repository also deleted the package from the organization package list. This no longer happens.
  • Updated the GitLab rate limit detection to handle cases where GitLab doesn't return any rate limit headers
  • Adjusted the triggered by column for organization log entries of type "org.package.delete" that were displaying UI instead of job or sync even though they were caused by a background worker
  • Mirroring new dependencies via Composer could result in a 500 response by the Private Packagist server if one of the mirrored third party repositories returned invalid JSON with a non-terminating string
  • Using a read-only authentication token with Composer 1 didn't show a message that an update token should be used when trying to mirror new dependencies. This has been added again
  • Improved the error output when adding mirrored third party repositories with unsupported query parameters to show the actual URL that was called to access the repository.
  • Updated the link in the Private Packagist admin section to set up an integration on GitLab to match URL changes on GitLab
  • Added support for mirroring packages from mirrored third party repositories that return a list of packages, where the package keys don't match the fully qualified package name, in the packages.json response

Supported Replicated versions: >=2.53.2 <2.54.0

1.11.2

March 25, 2022

Bugfixes

  • Resolved an issue with security monitoring that would trigger multiple alerts if an advisory was available in multiple databases.
  • Adjusted the package update mechanism to handle an unannounced API change by Bitbucket. Bitbucket's change prevented falling back to Git for VCS repositories when access to the API was denied. As a consequence Bitbucket packages relying on SSH keys may not have updated anymore.
  • Resolved an issue that prevented creating a synchronization in a subrepository with existing credentials
  • Resolved an issue that caused synchronizations with a self-hosted GitLab instance using GitLab admin credentials to error.
  • Synchronizations with a GitLab Group no longer show a wrong webhook state if the credentials belong to a member without owner permissions
  • Updated the GitLab group webhook logic to match changes in the GitLab API that now expects a PUT instead of POST request to update an existing hook.
  • Unsubscribing from security alerts for a package that has since been deleted no longer shows an error page. Instead, this now tells the user that the package has been deleted.
  • Resolved an issue that prevented manually resending notification deliveries and notification email verifications via the UI.
  • Updates for packages with security monitoring enabled no longer error if the default branch suddenly contains a composer.lock file with invalid JSON.

Supported Replicated versions: >=2.53.2 <2.54.0

1.11.1

March 16, 2022

Bugfixes

  • The SMTP server custom port option was ignored when setting up the email configuration for Private Packagist. This has been resolved.
  • Resolved a race condition when setting up a new Private Packagist Self-Hosted instance that would create two configuration objects, causing a server error when accessing the Private Packagist UI.
  • Setting up a multi-package repository with repository type "git" would store version information from a wrong directory for some packages.
  • Creating a new Bitbucket Server integration resulted in a server error. This has been resolved.

Supported Replicated versions: >=2.53.2 <2.54.0

1.11.0

March 10, 2022

Features

  • Private Packagist Enterprise is now Private Packagist Self-Hosted
  • Introducing Update Review: Private Packagist comments on your pull requests with all composer.lock changes displayed in a clear and easy to scan table
  • API credentials can now have a description
  • Added API endpoints to manage authentication tokens
  • Synchronizations with GitLab now also recognize individual repository collaborators
  • Security advisories for a package are now visible on the package page
  • Package versions affected by a security advisory are now highlighted on the package page
  • Security issue notifications webhooks can now be configured to dispatch a separate request for each issue. This allows you to integrate webhooks with Jira.
  • Adding packages by URL now allows you to override the package name to import packages under an old name
  • Added support for VCS repositories using the svn+ssh protocol
  • Packages hosted on AWS code commit now show how to set up a hook to keep the package updated
  • Adding packages with the JSON import functionality now also allows you to use github/gitlab/bitbucket as repository type

Changes

  • Changing the number of licensed maximum number of users doesn't require a restart of the application anymore
  • Private Packagist will now show in the UI if an update is available for your Private Packagist Self-Hosted instance
  • Various performance and memory improvements to automatic mirroring. This will speed up your composer update and require commands
  • Adding packages to a subrepository via the "Add Package" dialog now also allows you to add all private dependencies of the package you add
  • Synchronizations with GitHub and GitLab have an option to skip archived VCS repositories. This option is enabled by default for new synchronizations.
  • You can edit the description or the username of a credential without re-entering the password or access token
  • Packages mirrored from a third party vendor's repository on packagist.com will now detect new versions within minutes of their release
  • When adding a package from a VCS repository without a composer.json in the root directory, you will now get the option to add the repository as multi-package repository
  • Increased the maximum file size for package archives from 128MB to 256MB
  • Synchronized GitLab repositories with visibility "internal" are now treated the same way as "public" repositories and are available to all members of the organization
  • Importing VCS repositories from bitbucket.org doesn't require adding the .git suffix anymore
  • Updated the synchronizations page to better display all relevant information for organizations with multiple synchronizations
  • Synchronized VCS repositories can now be added as multi-package repositories via the "Add Package" dialog
  • Updated the naming of Bitbucket Data Center / Server to remove all references to Atlassian Stash
  • Added a link to set up mirrored third party repositories from the add package form
  • The verify email banner is now only shown once after login and on the profile page
  • The source and user columns in the organization log have been merged
  • The security vulnerabilities summary email is now limited to 1000 security issues

Bugfixes

  • Accessing mirrored packages from third party repositories other than packagist.org through the web interface returned a 500 response outside of subrepositories. This has been resolved.
  • The creation of archives from source is now skipped if the package uses checksum verification to avoid errors during composer install
  • Mirroring new packages during a Composer command will now wait longer for a result instead of returning an error after one minute
  • Added a retry mechanism to HTTP calls during the package update process to reduce the risk of random failures
  • The automatic mirroring now handles invalid responses returned from asset-packagist.org and will no longer mirror non-existing packages
  • Registration via OAuth now shows a helpful message if the OAuth token expired before an account was registered
  • The organization log was missing the user entry for some actions. They are now shown.
  • Significantly reduced the time it takes to store archives for big git repositories
  • Packages now show an error message if the domain of the credential assigned to the package cannot be used during the archive process
  • Mirrored third party repositories incorrectly using integers instead of strings for version numbers no longer result in failing package updates
  • Deleting a package via API while the package is updated will no longer return a 500 response
  • Packages hosted on GitLab now show a clear message if the credentials don't have enough permissions to setup webhooks
  • Made it clearer that the svn protocol is not supported. Https or svn+ssh should be used instead.
  • Editing a non-installable package now properly resets its state and makes the package installable if possible
  • Resolved an issue with multi-package repositories using SVN that could cause a background worker to get stuck if the SVN repository contained an empty trunk directory.
  • Mirrored packages that were removed from the mirrored third party repository showed two messages saying that they were abandoned. They only show one message now.
  • Synchronizations with GitLab now handle credentials that expire during a run
  • Security issues no longer re-trigger alerts if certain properties change e.g. a CVE was added to an existing issue
  • Added handling to renaming the default branch for security monitoring. This will no longer re-trigger alerts.
  • The security monitoring setup for a package no longer gets stuck if the default branch is not the topmost sorted branch.
  • Resolved an issue that prevented setting up a synchronization with bitbucket.org
  • Resolved an issue where versions would temporarily disappear if GitHub, GitLab or Bitbucket returned a 5XX response when fetching branches or tags
  • Packages imported from bitbucket.org now show a message if an OAuth scope is missing to setup webhooks
  • Packages with a markdown changelog are now properly parsed even if the filename doesn't end on .md
  • Resolved issues with HTML forms that would show an incorrect state when the browser back button was used after submit
  • Packages using other archive types than ZIP displayed errors that an archive could not be created after the package was initialized. This has been resolved.
  • Added error handling for cURL errors when fetching the changelog information of packages
  • The archive generation for phpstan/phpstan is now skipping the generation from source as this could take several minutes
  • Synchronizations with Bitbucket now correctly handle deleted repositories that were not fully removed on Bitbucket
  • Resolved an issue where security issues were not removed from a package when the composer.lock file was deleted
  • Added validation that all VCS repositories require a non-empty URL to avoid unhelpful error messages
  • Adding and editing a mirrored third-party repository was not applying a maximum response size and could result in a PHP fatal error. This has now been fixed.
  • Updated the wording explaining why certain words cannot be used as names for subrepositories
  • The API documentation page no longer uses a JS library hosted on an external domain
  • Install statistics pages showing graphs no longer use a JS library hosted on an external domain
  • Submitting the add organization form twice would result in an unexpected error. This has been addressed.
  • Synchronizations with GitLab no longer result in errors if they have users assigned with "Minimal access" permissions in GitLab
  • The add synchronization modal could prevent users from creating new credentials when credentials for the same authentication type on a different domain existed
  • Synchronizations with GitLab now correctly import permissions in the case where a user has access to a subgroup via inherited permissions from the parent group and at the same time via another group that was invited to the subgroup
  • Using a short name with upper case letters when creating a subrepository will automatically transform them to lower case instead of showing an error
  • Login via OAuth with Bitbucket Server could reset the stored access token which would prevent setting up new synchronizations by that user
  • New packages added via a synchronization with Bitbucket Server failed to set up a webhook on Bitbucket Server to get notified about updates
  • Opening the add synchronization modal without a configured integration will now list instructions to add an integration instead of showing a blank modal

Supported Replicated versions: >=2.53.2 <2.54.0

1.10.8

October 22, 2021

Features

  • Collaborators can now be added to subrepositories. They can only access selected subrepositories, but don't have access to the organization
  • Added API endpoints to list all security issues for a package or an organization
  • Added a filter by security issue state to the packages list API endpoint
  • The modal to add packages from a synchronization and the modal to add packages from an organization to a subrepository now allow you to add multiple packages at once
  • The package page now displays a link to the changelog and lists changelog information with the version information
  • The synchronization page now lists active synchronization runs and their current progress
  • For packages using a Composer patches plugin like cweagans/composer-patches, the package page now lists patches information defined in the composer.json
  • We now support GitLab group webhooks for groups with a GitLab Premium subscription, this will now find new repositories when they are created and not only once the daily full synchronization runs.
  • A new log section can be found on the organization settings page, displaying activity in the organization
  • Installation statistics are now available for organization authentication tokens and on your profile page for your personal authentication token.
  • Existing packages can now be edited to be turned into multi-packages (multiple packages in a single repository) without having to recreate them.
  • Non-synchronized organization members can now be removed from the organization and all teams at once on the members page

Changes

  • To avoid losing Composer access to a Private Packagist organization, organizations with a primary synchronization, where none of the owners have a Private Packagist account, are disabled
  • For synchronizations with GitLab the "Master" team was renamed to "Maintainer"
  • Synchronizations with GitLab now detect when another group was invited as a member to the synchronized group
  • When initializing a VCS repository with multiple composer.json files, the initialization result for each directory with a composer.json is now shown
  • The user authentication page now shows when the user token was last used
  • Package updates that trigger an API rate limit will now instantly be retried via git clone
  • The credentials page now shows a warning if any of your stored GitHub API tokens are about to expire or already expired.
  • For Bitbucket App Passwords we now recommend enabling the pull request scope to be able to benefit from the upcoming pull request comment feature
  • Ordering changes on the third party mirrored repository page can now be undone.
  • A single Bitbucket Server instance can now be connected to multiple Private Packagist instances
  • When creating a synchronization with Bitbucket Server we now detect if the credential user is a global admin without being a direct member of the synchronized project to avoid them being removed from the organziation by the synchronization.

Bugfixes

  • Resolved a bug that would prevent packages accessible in subrepositories from receiving updated metadata information when using Composer 2
  • A successful user registration will now redirect to the page a user was initially trying to access e.g. when clicking on an invite link in an email
  • On the credentials page the link to create a GitLab API token was updated to match the latest GitLab version
  • Synchronization errors now show additional information like the endpoints that caused the synchronization run to fail
  • The subrepository access page for credentials now shows a tooltip why some credentials cannot be removed from a subrepository
  • The subrepositories link on the package page was pointing to a non-existing page. This has been resolved.
  • When creating a synchronization with a GitLab subgroup the name now matches the full path of the subgroup
  • Misconfigured OAuth integrations will now show proper error messages when trying to log in. For example, if the client id or secret is invalid
  • Failed login attempts with bitbucket.org now also show error messages by Bitbucket
  • Credentials created when setting up a synchronization in a subrepository were not stored in the organization, which could lead to errors when later assigning additional credentials to the subrepository
  • The Composer instructions to set up authentication using the Composer command displayed an invalid command if the username contained a space. This has been resolved
  • The password strength indicator on the registration form was rendering invalid HTML when submitting a weak password
  • Fixed an issue that the license page could not be shown if one of the packages contained a null byte in the license field in the composer.json
  • Resolved an issue where package updates would error when renaming a package that is part of a multi-package repository
  • For multi-package repositories that are not synchronized multiple webhooks were set up which could lead to API rate limit issues caused by too many background jobs
  • Resolved an issue where usernames with leading or trailing whitespace could cause unique key violations.
  • Adjusted OAuth authentication with Bitbucket Server to handle cases where Bitbucket username didn't match the username slug. This for instance happens when the username contains the @ symbol
  • We now cleanup unused Bitbucket team webhooks
  • Resolved an issue where multi-package repositories with GitLab would not search for composer.json files in all directories
  • Cleaned up the package update and initialize error output to not leak any GitHub tokens using the new format
  • Packages, where only the casing of the name changed, were marked as abandoned. This has been resolved and will be fixed for all existing packages with their next update.
  • Packages, which have not been fully initialized, now show a "waiting for update" security monitoring state instead of "disabled"
  • Refresh expired Bitbucket OAuth tokens with the refresh tokens to avoid issues during user account registration
  • In case the archive background job takes longer than expected we will first return a redirect response to Composer to be able to wait longer for the archive to finish. This will help for instance with large Bitbucket repositories that cannot be downloaded as ZIP files from Bitbucket.
  • The API no longer returns a 500 error in cases where a called URL is not available. This now returns a 404 response.
  • Package archive jobs for packages of type "metapackage" could trigger an error. Those archive jobs are now skipped.
  • Disabled the download button on the package page for packages of type "metapackage"

Supported Replicated versions: >=2.53.1 <2.54.0

1.10.7

May 5, 2021

Features

  • Added support for bearer token credentials

Changes

  • Deprecated HTTP header credentials. Please contact us if you are still using them for another purpose than a bearer token which will be automatically converted.

Bugfixes

  • Added additional validation and filtering of output for CVE-2021-29472 to prevent malicious source URLs and references from being delivered to outdated Composer clients
  • Resolved an issue that prevented packages from updating if the composer.json contains patch information in an unknown data format
  • The link to mirror a package in the security alert emails was missing the href attribute

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.6-pl1

April 27, 2021

Bugfixes

  • Database migration to cleanup Drupal packages drupal/php and drupal/recaptcha will no longer fail if updating from Private Packagist 1.10.0 or older

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.6

April 27, 2021

Security Fixes

  • Resolves a command injection security vulnerability in Composer which could have allowed logged in users or third party package maintainers to run shell commands on the packagist-worker container. We do not believe this to have been exploited prior to publication of this release. (CVE-2021-29472)

Features

  • Packages in public repositories are now available to all members of an organization instead of just those with explicitly assigned repository permissions
  • Private packages can now be marked as abandoned via the UI
  • The current synchronization run now shows a detailed progress report

Changes

  • Package versions returned by the API are now sorted the same way they are shown in the UI
  • The default accessibility of multi-repository packages in subrepositories can now be set on the add and edit package form
  • Added support for the new GitHub API token format

Bugfixes

  • Added better handling for invalid values in the license field in the composer.json file
  • Added handling for additional cURL error codes explaining how to resolve the errors
  • Automatic mirroring for packages from third-party mirrored repositories using providers and providers-url did not work.
  • Resolved a bug that prevented the package search from working if a VCS repository that was not yet added as a package had a number as a description
  • The subrepositories filter on the packages page did not persist in the URL. This has been resolved
  • Increased the body max size of incoming requests to 25M to handle large GitHub webhook payloads
  • GitLab returning a 520 status code will now retry the synchronization run instead of triggering an error

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.5

March 16, 2021

Features

  • Abandoned package notifications: Receive notifications when a package is marked as abandoned
  • Packages which have their composer.json file in a subdirectory, rather than the root directory, can now be installed with Composer like all other packages

Changes

  • Synchronizations with Bitbucket now support all Bitbucket workspaces including former user accounts
  • The package search now only searches the package name by default. The package description can still be searched as well by selecting the checkbox below the search field.
  • Background workers will now automatically restart once they use 450M of memory
  • Subrepository URLs have been updated to not use the word "projects" anymore
  • Improved the performance of fetching dependents of a package. Please note this will only become active two weeks after the release was installed to allow for enough time to migrate data in the background.
  • Packages part of a multi-package repository will now show the README file of their subfolder if available and otherwise fall back to the root directory
  • Organizations synchronized with a GitLab Group will now prevent any of its GitLab subgroups from being synchronized. The parent group already imports all data from all subgroups
  • Clarified the webhook state of a package that "no delivery received" can be resolved by pushing to the VCS repository.
  • The repository name of a collaborator team is now a link to the VCS repository
  • Renamed Bitbucket Teams to workspaces to match the naming on bitbucket.org
  • Clarified that a missing composer.lock is not an error but instead means that the package cannot be analyzed via security monitoring

Bugfixes

  • Resolved an issue that prevented automatic mirroring of new packages when using an HTTP proxy
  • Fixed an issue which caused an invalid Composer cache when automatically mirroring new packages with Composer 2. This caused an error message saying the package name for a particular package version could not be found in the cached JSON file.
  • Security advisories removed from the FriendsOfPHP/security-advisories database will now also be removed from Private Packagist
  • Package updates that fail while initializing the Composer driver now show a more detailed error message instead of a generic "Package data could not be downloaded" message.
  • Overall improve the error handling for package updates and mirroring to handle cases like SSL timeouts
  • Login and registration via Bitbucket Server failed without explanation if an endpoint returned an empty response. This was caused for instance by a 2FA app installed on Bitbucket Server.
  • Resolved an issue where automatic mirroring would fail if a mirrored third-party repository returned empty metadata for a provider URL.
  • Submitting a JSON string rather than an object on the custom JSON package form now displays an error message instead of triggering a server error without an explanation.
  • Packages which have both, dist and source information available will now show both errors if a background archive job failed
  • Resolved an issue where organizations created via synchronization where the remote organization has a name longer than 20 characters would prevent the organization from being edited
  • Fixed an issue that could cause Replicated to fail to prune images when too many app releases are installed due to timeouts
  • Fixed an issue that could cause the replicated-ui container to fail to start up after a Replicated upgrade
  • Creating subrepositories for organizations with lots of packages could result in request timeouts. This has been addressed.
  • Fetching a user's GitHub organizations displayed a rate limit error instead of an access error in case the access token has no permissions anymore
  • The archive background worker did not clean up all files if jobs were triggered for archive files larger than 128MB

Supported Replicated versions: >=2.51.0 <2.52.0

1.10.4

February 3, 2021

Features

  • The user search in Private Packagist admin panel now supports search by username and email instead of username only
  • Synchronizations now show a link to all packages managed by that synchronization and the host e.g. github.com in addition to the type e.g. GitHub

Changes

  • Requests triggered by Composer commands that interact with mirrored third party repositories like search and automatic mirroring will now check those mirrored third party repositories in parallel. This significantly reduces the time it takes to perform those requests for organizations with multiple mirrored third party repositories.
  • Synchronizations with GitHub now delete teams and add collaborators to repositories immediately via GitHub webhook instead of only when the next full synchronization runs within 24 hours
  • New passwords are stored as argon2i hash and old ones will be upgraded from bcrypt the next time a user logs in using username and password
  • Sample payloads for webhook notifications have been added to the documentation
  • The limit of adding one email per week to a user has been removed
  • Synchronizations with a GitLab subgroup now show the full path and name instead of only the name
  • Emails sent from Private Packagist now contain a note telling the recipient where they can change their email
  • The default frequency of security reminder summaries has been changed from weekly to monthly. This applies to new users and notification channels only
  • License names of non SPDX licenses are no longer converted to lower case
  • The package description on the package list page has been limited to two lines
  • Synchronization background jobs will now only be marked as timed out after 90m instead of 10m
  • The default request timeout for mirrored third party repositories has been increased from 5s to 15s
  • The packages page doesn't hide the number of private/mirrored packages anymore when searching or applying filters
  • The filename of the downloaded archive file from the package page now contains the package name

Bugfixes

  • Resolved an issue in the file downloader that caused the archive generation to take several minutes when downloading archives from github.com bigger than 5MB
  • Reduced memory usage for processing package updates in background jobs for packages which are used in subrepositories
  • Setting up a GitLab synchronization with a GitLab API token that belongs to a user who is not a member of the GitLab Group will now show an error message explaining the problem
  • The webhook status tooltip of packages added through synchronization no longer shows 1990-01-01 as the most recent hook call if the hook hasn't been called yet.
  • The resynchronization button shown on the teams page is now disabled while a synchronization is running.
  • When setting up a new synchronization only credentials that can be used will be suggested to set up a new synchronization
  • Attempting to delete the primary synchronization will now show an error message instead of a 500 error
  • Users can no longer disconnect from an OAuth service if they are the only active owner in an organization that uses that service for its primary synchronization
  • The subrepository overview page no longer shows a subrepositories counter
  • The custom JSON package form will remember the edit mode when submitting a custom JSON package that results in an error or when using the browser back button
  • Adding multiple files to a custom JSON package could trigger a message that one file exceeds the file limit even though it is smaller than the limit if the size of all added files combined exceeded the limit. This has been resolved
  • Synchronizations with Bitbucket didn't detect repositories as packages as soon as the composer.json file was added if they did not have a branch named master. They were only imported with the daily synchronization run
  • Abandoned packages mirrored from packagist.org were not shown as abandoned on the package overview page
  • Removed two unreliable and unnecessary checks in the application health check which could cause a cryptic error message to be shown in the replicated admin console despite it working correctly

1.10.3

November 18, 2020

Features

  • Added an API endpoint to upload a new file to an existing artifact package
  • Package release notifications: Receive notifications for every new version a package publishes

Changes

  • The team members page for synchronized teams now clearly states that memberships are managed through GitHub, GitLab, or Bitbucket and shows where to manage the team
  • Security notification summaries are now spaced out over 30 minutes to reduce the rate of emails sent over a short period
  • Added an icon next to package names to copy them to the clipboard
  • Artifact packages now ignore the "__MACOSX" folder in ZIP archives generated by the macOS ZIP utility when searching for a composer.json file
  • If you saw redis noscript errors in the logs on startup, these were expected on startup and we now indicate so with a note, so there is no confusion over them
  • Webhooks are now unregistered on connected code hosting platforms when a package or an organization is deleted
  • Packages copied to a subrepository now have a disabled edit button explaining that they can only be edited on the organization level

Bugfixes

  • Editing or creating custom JSON packages now fully saves the state of the form on error, including the editing mode (JSON/interactive form) and the selection of teams with access
  • When a mirrored Composer repository returned an empty gzip encoded HTTP response (e.g. for an HTTP 403 error) when mirroring a new package or updating it, we previously simply displayed "Connection failed." but now the status code is correctly recognized and an appropriate message displayed
  • Placeholders in version specific package archive/download errors are now replaced correctly
  • Hitting the API rate limit when creating a new multi-package no longer crashes the background worker preventing intialization of the package
  • Prevent the same path of a multi-package repository from being initialized multiple times. This will now correctly display a duplicate package error message
  • Fixed a bug on the security monitoring page that would prevent showing a link to the commit in which the security issue was found and would only show the text instead
  • Make sure form error messages that may contain user input are filtered to prevent XSS vulnerabilities. Due to the Content Security Policy this wasn't exploitable in any harmful way, so not listed as a security issue
  • Added a workaround for mirroring packages from Yoast's repository, which returns an invalid response on their Composer 2 metadata endpoint
  • When attempting to composer require or mirror a non-existent package, Private Packagist no longer returns an invalid response to Composer 2
  • Package updates for packages with an invalid version number will now show a more appropriate error message instead of the previous wrong error message that states an authentication error
  • Duplicate name for a notification channel on the same organization is now handled by displaying an error message and preventing a 500 error
  • Connecting an account using OAuth to an remote account tied to an email address in use by another Private Packagist user will now show an appropriate error message on how to proceed
  • Removing a primary synchronization will now remove inactive user accounts from the Owners and Admins teams
  • OAuth login error messages now correctly replace placeholders with their respective values
  • Some links when viewing a mirrored package in a subrepository incorrectly pointed to organization level pages
  • Updating the repository URL of a VCS package in the organization will now update the URL in all subrepositories. Moreover, the found duplicate packages with the changed URLs which are not installable will be removed.
  • Uploading artifacts with an empty composer.json will now show an appropriate error message rather than failing to parse an empty JSON string
  • Security monitoring setup isn't shown on artifact packages because it's not supported

1.10.2

October 6, 2020

Bugfixes

  • Package dependencies (require, require-dev, replace, etc.) were not shown as links even if the linked package was available in the organization
  • Dependents of a package were calculated only using dev versions. This now also uses the latest stable release
  • The pages listing dependents of and suggestions for a package were missing the navigation tab for subrepositories
  • Security alerts were sent out twice for packages that were first added to a subrepository before they were added to the organization
  • The package page now states if the credential used does not have the required scopes to set up a webhook
  • Artifacts with mime type application/gzip and application/bzip2 can now also be uploaded
  • Artifacts of type tar with an unnamed "." folder are not supported and the file upload displays an error explaining this

1.10.1

October 5, 2020

Features

  • Subrepository quick access: most recently visited subrepositories are shown on organization overview
  • You can now upload zip, tar.gz, or tar.bz2 archives without composer.json files when creating a custom package

Changes

  • Full compatibility with Composer 2.0
  • Validation of require and require-dev constraints matches the latest changes in Composer
  • Dist URLs in lock files have been updated to contain an additional r character to avoid empty filenames if no reference is provided. This means your lock file URLs will change on the next Composer update
  • The packages page now shows license information for the default branch
  • The team delete button has been moved to the settings page
  • HTTP header credentials allow a "Token" header to be set

Bugfixes

  • Packages added by URL from GitHub with a composer.json file not in the root directory failed to initialize
  • Updated the button text for login by email to indicate how to register an account
  • Improved retry handling in background workers to fetch the latest changes from packagist.org to avoid uncaught exceptions
  • The Bitbucket App credentials form now states that to use the credential for a synchronization the user needs to have admin access
  • Removed a not reliable consistency check for Zip files that could prevent valid Zip files from being installed
  • The package update process would miss changes to a package if only the dist URL of a package changed
  • The render time of the license review page has been improved
  • The license review page was listing certain renamed OSI approved licenses twice
  • Logged in users can no longer access the registration page

1.10.0

August 24, 2020

Features

  • You can now upload zip, tar.gz or tar.bz2 archives containing code and a composer.json file by adding an artifact package to your organization
  • You can now receive security notifications when a security vulnerability is found in one of your dependencies by analyzing your composer.lock files. Notifications can be sent via email, Slack, Microsoft Teams or webhook
  • Added API endpoints to list packages a team has access to, grant teams access to a list of packages and remove access to a package from a team
  • You can now bulk update which subrepositories have access to a certain package from the manage subrepository access page
  • Added support for the new Composer 2 list endpoint
  • Added API endpoints to create artifact packages
  • You can now grant team access to all packages at once by selecting "Select All" in the team packages page
  • You can now download the archive file for each package version from the package view page

Changes

  • The package name letter case changes in composer.json will be reflected in package name data on the package first update
  • Adjusted version sorting on the package view page to use the branch alias if one is provided
  • Increased the priority for synchronization jobs created via the UI in order to receive faster feedback for the synchronization run
  • Package files are now verified to be valid zip or tar archives. In case of an invalid archive file, you'll see an error message via Composer and on the package view page
  • Refreshed the subrepository list page design. The page now includes a filter for security monitoring and package installs
  • Users with the package edit permission can now access the subrepository access page
  • Archiving or un-archiving a GitHub repository will update the package abandoned state accordingly
  • Credentials which are in used and cannot be deleted will now show a tooltip in addition to the disabled delete button
  • Only admins will now be able to view inactive members in team membership lists
  • The list of mirrored repositories on the add package from a mirror page now uses the same ordering of repositories as the mirrored repositories page
  • Package errors (e.g. dist file is too large) shown on the package view page will now show the first error, and a link to show more errors if any. Clicking on any versions with package errors will list all the version errors
  • While creating a GitLab credential, a notice message will ask you to select the required API scopes
  • Added documentation for Composer 2.0 compatibility with Private Packagist
  • Creating a credential with Bitbucket API Keys as an authentication type now shows a deprecation notice. Bitbucket Api Keys may not exist for the user's Bitbucket team and as an alternative you can use Bitbucket App Passwords
  • Added a few improvements to the add a custom package form. The package type is now set to "library" by default and added helpful text hints for the other form fields
  • The package list page synchronization filter now displays the external service name (e.g. GitHub)
  • The synchronization now automatically detects if a VCS repository is transfered from one synchronization to another on the same service e.g. from one github.com organization to another github.com organization

Bugfixes

  • Bitbucket Server API response pagination did not work correctly, so synchronization may have only imported partial lists of repositories, users and other information from projects
  • Avoid leaking of known_hosts file path if a host key has changed and show a more suitable error message instead
  • You can now delete credentials that were assigned to a deleted subrepository
  • Users who deactivated an OAuth account connection and are then deleted from a synchronized team will now be removed automatically in a synchronization run
  • In case a user isn't part of any organization on a service they connected to via OAuth, a more descriptive error message will be shown on create organization or synchronization
  • Synchronization error messages now correctly replace placeholders with their respective values
  • The packagist.org mirrored repository can now be prioritzed like any other repository in organization settings

1.9.11

June 23, 2020

Bugfixes

  • Fixed a bug that prevented new packages to be automatically mirrored if a proxy server was set up
  • If a proxy server was set up it was not possible to edit the global configuration form in the Private Packagist admin panel
  • The status for packages with manually setup webhooks on the package list now correctly shows that the webhook is set up with the date the hook URL was last called
  • The list of mirrored repositories was not showing an entry for Packagist.org if no additional mirrored third party repositories were defined in an organization
  • The disk inodes health check reported an error for long device names

1.9.10

June 22, 2020

Features

  • Improved performance for Composer 2 through use of the new Composer repository protocol
  • The generic package hook endpoint now supports AWS SNS subscription confirmation, enabling easier integration with AWS CodeCommit
  • Added API endpoints to fetch dependents of a package
  • The package API endpoint now returns the package's configuration values: type, URL, customJson, and mirroredRepository
  • The package API endpoint now returns installation statistics
  • You can now customize the SMTP server port in the Replicated Admin Console
  • You can now select the order in which mirrored third party repositories are searched to mirror new packages you require.
  • The job API endpoint now also returns a message property with additional information about why a job failed

Changes

  • Docker Hub must be accessible from the server to update Replicated to the latest version
  • Weak and short passwords can no longer be used to sign up for Private Packagist. An optional integration with haveibeenpwned.com which prevents usage of leaked passwords can also be enabled in the global configuration section in the Private Packagist admin panel
  • The API documentation and endpoints have been updated to reflect the naming changes to Private Packagist subrepositories
  • VCS repositories added from a Bitbucket Server synchronization will now be accessed via git over HTTP if available instead of git over ssh
  • FireGento mirrored third party repositories now display a warning if a repo.magento.com credential is missing. The credential is required to download certain packages
  • The primary indicator for synchronizations is only displayed if there is more than one synchronization
  • Deleting a package will now automatically check if there is an uninstallable package with the same name and mark it installable immediately
  • Synchronizations with GitHub will get immediately notified about member and permission changes
  • It is now possible to create multiple authentication tokens with update access for subrepositories.
  • There is now a 128MB limit for package archives. Package versions with a bigger dist file can no longer be installed
  • The package page now lists recent archive errors
  • The team page shows the number of private and mirrored packages a team has access to
  • Grouped mirrored packages on the package list page into a single section and added a filter to show packages in selected mirrored third party repositories.
  • Added an option to force the "git" repository type for VCS packages created via the API

Bugfixes

  • If Bitbucket Server's web interface and its Git server run on different subdomains, webhooks for packages created by a synchronization were not set up.
  • The member count on the subrepositories list now only includes active members
  • Deleting a mirrored third party repository while a Composer command is running and mirroring dependencies from this repository will no longer result in 500 status codes.
  • Fixed a bug that would prevent the manage subrepository access page to load for a package which was previously assigned to a now-deleted subrepository
  • The link to the GitLab hook settings on the package page has been updated to reflect changes in GitLab
  • Handle additional network related exceptions in background workers and automatically retry those jobs
  • The package page for not installable packages with a duplicate name now lists the URL to identify the repository
  • It is no longer possible to create custom JSON packages with empty version strings or with multiple identical versions
  • Added a cleanup process to reduce the cache size private mirrored third party repositories use if they return a different JSON file path after each change
  • Package updates for mirrored packages which have been removed from the remote repository now fail and display an error message
  • Added automatic retries for failed package archive status checks. This caused composer install commands to fail
  • Having multiple packages with the same URL but different names in an organziation could cause package updates to fail because of cache interference
  • The username and avatar of deactivated organization members will also be updated if they change on the external service e.g. on GitHub.
  • Copying multiple packages to a subrepository at once will no longer result in a timeout
  • Connecting your account to an additional OAuth application from the add synchronization modal will reopen the modal after the account was connected
  • Update jobs for VCS packages without any branches will no longer fail
  • Custom JSON packages now validate that the normalized version matches the version property if both are set
  • Mirrored third party repositories created or edited via API will be validated identically to creating them in the UI
  • The Packagist Enterprise UI will no longer attempt to download fonts from Google Fonts
  • Changing the password or primary email of a user invalidates all other sessions for that user
  • If the job to automatically mirror replaced packages cannot find the replaced package it will retry at least once to prevent race conditions where packages become available in a mirrored third party repository shortly after the replacement definition has been added

1.9.9

March 23, 2020

Security Fixes

Bugfixes

  • The composer require command no longer fails on the first try, if you require a package which needs to be mirrored for the first time in your organization from a mirrored third party repository other than packagist.org
  • If a mirrored third party repository returns invalid JSON data during a package update, the background worker processing the update will not crash and restart anymore

1.9.8

March 19, 2020

Features

  • You can now create a custom package using a form to configure your composer.json metadata instead of manually entering JSON
  • The Replicated Admin Console dashboard now includes additional metrics for monitoring Private Packagist: Background Jobs Processed, Maximum Background Jobs Process Time, Maximum Background Jobs Wait Time, Background Jobs Queue Length and Package Installs

Changes

  • Increased PHP memory limit from 128MB to 512MB to prevent reaching the limit when dealing with large JSON structures during Composer operations
  • The request timeout for Composer JSON endpoints has been increased to 180 seconds to provide enough time to check multiple slow external mirrored repositories for unknown packages, yet to be mirrored, without resulting in a timeout error for users
  • Packages that have been archived in GitHub will be marked as abandoned
  • GitHub API requests no longer use access tokens in query parameters, but always use the appropriate HTTP header
  • You can now also install packages via Composer which use the previously unsupported file types gzip, xz, phar, and file
  • If a git mirror sync operation fails, it is now added as an error to the update log and the package won’t update. Previously the respective version with an error or all versions would have been removed without errors until an additional update succeeded
  • When you add a package, all replaced packages in its composer.json are automatically mirrored as well. This mirroring process is now retried multiple times if any of the mirrored repositories are not available

Bugfixes

  • Add an error to the update package log in case of rate limit / HTTP 5xx errors during package update
  • When a new package is mirrored from packagist.org we now immediately trigger mirroring for all packages it replaces to prevent problems with installing these replaced packages. Previously the replaced packages were only mirrored when the original packagist.org package was updated for the first time
  • When creating a new credential, the username won't be pre-filled anymore, since the suggestion was often incorrect
  • Fixed a bug which prevented switching the package type from Subversion to other types
  • If you configured a package mirrored from packagist.org to be enabled by default in new subrepositories and then created a subrepository, the mirrored package was incorrectly marked as uninstallable through Composer in the new subrepository. You can delete and recreate the package as a workaround. When you create new subrepositories the package will now be created correctly
  • The Bitbucket API can return a 404 error response containing an HTML body. Previously this would have lead to synchronization jobs failing without any visible error. If you experienced this, your users, teams, permissions and repositories would not have been synchronized until the error disappeared again. The error is now logged and the synchronization marked as failed if it occurs
  • When you edit a package and then delete it immediately, before the changes have been processed, you will now see an appropriate message rather than the background job running until it eventually reaches a timeout
  • Filtering by active users in the User Explorer in the Private Packagist admin panel now works
  • Tooltips for package update errors in the package list now correctly replace placeholders with their respective values

1.9.7

January 24, 2020

Features

  • You can now create authentication tokens with full update access including the automatic creation of mirrored packages, which are counted as regular users
  • A new organization drop down in the top navigation makes it easier to switch between organizations, and you can always see which repository you're currently working on

Changes

  • Errors triggered by a package zip download are displayed by newer composer versions
  • An organization can now create multiple SSH keys which can be used to grant Private Packagist access to multiple individual vcs repositories on the same version control platform.
  • Packages automatically updated via webhooks will be updated at least once per week
  • The settings page to create a new credential always displays all form fields
  • Package data returned from the API also contains the webhook url to trigger an update for the package
  • Authentication tokens assigned to a particular team now show a link to all packages accessible by the token
  • Removed the option to trigger an update for all packagist.org mirrored packages via UI to prevent instances being unnecessarily slowed down
  • Reduced the overall amount of memory necessary for redis
  • GitLab subgroups on the create organization page and add synchronization modal are now hidden but can be revealed to improve usability for long lists.
  • Not yet connected code hosting platforms are now listed on the add organization page and the add synchronization modal

Bugfixes

  • The package search is now case insensitive
  • Synchronizations with groups on GitLab servers running version 12.6.0 or newer now support more than 100 projects per group
  • Organizations with multiple synchronizations can now see information about the last runs for all their synchronizations
  • Resolved a race condition which lead to some cache entries not being invalidated
  • Authentication tokens previously used by now deleted subrepositories are no longer listed on the organization settings page
  • Fixed a bug which caused development versions to temporarily disappear for VCS repositories if we encountered a rate limit or server error while trying to access a composer.json file of a modified branch
  • All Bitbucket 5XX status codes received during a synchronization run are now automatically retried
  • Expired Bitbucket OAuth tokens can no longer lead to a registration failure
  • Bitbucket VCS repositories in an invalid state can no longer crash the synchronization
  • The automatic webhook setup for GitLab VCS repositories no longer uses a slow endpoint
  • Triggering multiple deletes for the same mirrored third party repository no longer leads to errors
  • A composer.json file containing invalid UTF-8 characters will no longer prevent an update for the entire package
  • Background workers now automatically try to reconnect on redis connection errors
  • Improved the handling of race conditions for long-running Bitbucket synchronizations to prevent errors when VCS repositories are added or removed during the run
  • Errors encountered because a mirrored third party repository returned invalid JSON during the automatic mirroring now display a warning message
  • Usernames sent to the Composer repository which contain non-UTF-8 characters no longer result in 500 errors
  • Fixed a bug which prevented the abandoned status of a package from being updated
  • Added additional information for packages that fail to be initialized using git clone
  • Regular packages in subrepositories which are not installable in the organization can now be installed in the subrepository
  • If the Bitbucket API fails because Private Packagist IPs need to be allowed in Bitbucket, an error message with information on how to do this is now shown
  • Accessing API endpoints in the browser without authentication returned a 500 error instead of a 401 error
  • The name of integrations is now correctly displayed on the organization create page and the add synchronization modal

1.9.6

November 13, 2019

Features

  • The packages page has been rebuilt to offer various filters to find packages and displays more package information to quickly detect problems
  • The packages page now also lists packages with a duplicate name showing a warning that they cannot be installed
  • All packages which are replaced in the composer.json of any package you add, are now automatically mirrored to prevent problems with their automatic mirroring during composer update.

Changes

  • To avoid confusion with the Composer package type project, we renamed Private Packagist projects in the Agency Add-On to Subrepositories
  • Initializing a Bitbucket git repository with a url like https://bitbucket.org/acme/repository will now automatically transform the url into a valid git url e.g. https://bitbucket.org/acme/repository.git
  • The packages page now explains what mirrored packages are and why they appear in the list of packages
  • The list of organizations for a user now also shows organizations which they have been removed from
  • Running a composer command with a read-only token now shows a message that no new packages will be automatically mirrored
  • When trying to automatically mirror a new package composer will now always show a warning if one or more mirrored third party repositories are not available

Bugfixes

  • Replicated fixed an issue with the Replicated admin console that would require a manual refresh of the browser after replicated upgrades.
  • Replicated improved error messaging on the Replicated admin console for upgrade failures.
  • Editing a package will now fully clear its cache
  • Corrected the install statistics of an organization to also include installs of all subrepositories
  • Updated the screenshots to set up a GitLab integration with recent ones
  • The list of last synchronization runs showed an old run if all recent runs failed
  • Synchronizations with bitbucket.org could fail in case a repository was in an unavailable state
  • Fixed the synchronization with GitHub to grant everyone access to public repositories in the organization
  • Package updates which failed because of an HTTP call now display the url which was called and status code returned
  • Synchronizations failing because of a server error now display the url which was called and status code returned
  • Improved the error handling for interactions with mirrored third party repositories to display more helpful error messages
  • With automatic mirroring the package composer/magento will now be mirrored from packagist.org even if repo.magento.com is set up as a mirrored third party repository because repo.magento.com is missing never versions

1.9.5

October 14, 2019

Changes

  • The update process now requires the domain d2g7dkkfx863il.cloudfront.net to be accessible if your firewall blocks external traffic

Bugfixes

  • A regression in 1.9.4 resulted in new user account registrations failing for all OAuth integrations
  • Corrected the link to the replicated console if Private Packagist Enterprise is running on a non-standard port
  • Hid the settings link for Owners and Admins teams on the team detail pages as these pages do not provide any functionality for these teams

1.9.4

October 11, 2019

Features

  • Packages marked as abandoned are now visible as such in the UI and show the suggested replacement

Changes

  • Organization synchronization runs are now visible in the UI as soon as they are triggered

Bugfixes

  • Enabled projects on organizations created before version 1.7.0
  • Database migration for deactivated_user table can no longer fail and prevent application startup
  • Improved the memory usage when adding Private Packagist organization as mirrored third party repository
  • The link to the mirrored third party repository on the package page now links to the details page of the mirrored third party repository
  • Display an actionable message in case a host cannot be resolved while trying to access an Integration API endpoint
  • Credentials now correctly store who created them when they are automatically created via a mirrored third party repository
  • Synchronization runs failed when multiple teams assigned to projects were deleted in the same run
  • Added a cleanup to reduce the cache size satis-like mirrored third party repositories use
  • Additional SSL certificates added in the replicated console are available to all Packagist processes now
  • Ensured usernames created through synchronization cannot begin or end with spaces

1.9.3

September 17, 2019

Features

  • Added a new team permission which lets team members create projects
  • A new config option in the Replicated Console allows you to select the level of TLS security and backward compatibility based on Mozilla's Old and Intermediate config recommendations, it's recommended you change this to intermediate if your HTTP clients are compatible
  • Added install graphs for overall organization installs over time

Changes

  • The package add dialog now has an option to select/deselect all teams to make it easier to select the teams which should have access to the package
  • Synchronized collaborator teams without members are now hidden in the UI
  • The automatic calculation of the number of background workers and FPM worker pools has been improved to no longer consume too much memory
  • Lowered the amount of jobs created by automatically skipping initialization attempts of packages with a name which already exists
  • Synchronization runs are now tracked in the UI as soon as you start them

Bugfixes

  • Mirrored packages which were manually added to a project would get stuck during the initialization and never receive any version data
  • Synchronizations were prevented from being deleted in case one of the synchronized teams was assigned to a project
  • The PostgreSQL connection limit is now automatically adjusted upward if the host machine has enough memory to start more background worker processes

1.9.2

August 13, 2019

Changes

  • Enable all API endpoints on Enterprise installations
  • The organization members page now offers options to remove and reactivate members in bulk
  • Improved display of package install numbers for large values
  • Added an additional credential type "Magento Third Party Public Key/Private Key"

Bugfixes

  • Download counts now work inside of projects
  • Replaced an unsupported Bitbucket.org v1 API endpoint with a v2 endpoint which prevented the creation of a Bitbucket synchronization after the v1 shut down
  • Improved the network error handling for Bitbucket.org by always retrying failed synchronizations and displaying an error message when trying to add a package from a synchronized team fails
  • When using the Private Packagist Enterprise API calling an endpoint with an unsupported HTTP method will now return a 405 error instead of a 500 error
  • Adjusted the error message which appears when one tries to add a VCS repository as mirrored third party repository: Use add package by URL
  • Fixed the handling of Bitbucket URLs in the format of "bitbucket.org:organization/repository.git"

1.9.1

June 27, 2019

Changes

  • User accounts are now deleted from Private Packagist Enterprise when all organization memberships of the user have been removed through synchronization processes. The behavior can be disabled in the admin panel.
  • Added support for repositories which have a composer.json in any branch and/or tag but not the default branch
  • All public repositories added via a synchronization are now available to all members in the organization
  • Added additional configuration options for adding svn repositories as packages
  • The composer setup instructions now also list cli commands that can be used instead of the JSON snippets

Bugfixes

  • Fixed a bug which would prevent login or registration for users due to a ReCaptcha mechanism which was not fully disabled
  • Fixed the deletion of user accounts which were deactivated via the admin panel
  • Improved how we detect updates for packages mirrored via packagist.org to reduce the delay until a new or updated version becomes available
  • The random offset added to the timeframe between synchronization runs is now relative to the total time between synchronization runs. Previously short time frames of e.g. 15 minutes could still have ended up taking 2 hours due to the random offset.
  • The about page now shows the trial license expiration date in human readable form
  • Resolved an issue with synchronization which deactivated existing organization members in rare scenarios
  • Improved how general errors during the OAuth authentication are handled by displaying an error message and preventing a 500 error

1.9.0

June 7, 2019

Features

  • New team permission which lets non-admin team members add packages and add, edit and remove credentials and mirrored third party repositories
  • The package add dialog now allows you to select teams with access, rather than having to set permissions separately later
  • Added API endpoints to manage project packages
  • Added an API endpoint to fetch organizations´ ssh access keys

Changes

  • The user profile now also shows the username and id of all connected OAuth accounts, e.g. GitHub, GitLab, Bitbucket
  • Improved the user list in the admin panel to be able to filter for active users only
  • Synchronizations with Bitbucket now recognize individual repository collaborators
  • New organization members found during synchronization can now be deactivated automatically
  • Display informative error messages if a zip download fails during composer install (requires composer >=1.8.5)
  • Improved the navigation on mobile devices
  • Improved the restart time for the docker containers
  • Rename disable synchronization to delete synchronization and clearly state that deleting the synchronization will remove teams, users and their permissions
  • Custom packages are now fully validated on form submit and more detailed error message are shown
  • Credentials now show for which domain they apply
  • Enable the API endpoint to fetch a single package's info on all organizations
  • If a Bitbucket app password for synchronization has been created by a non-Administrator the error message now clearly indicates the problem
  • Synchronization API access error messages now display HTTP status codes to help debug
  • Added forgot password links to all password fields on the profile pages
  • Cache expiration times are now more randomly distributed to avoid regenerating all package metadata at the same time during a composer install
  • When adding a new package fails because a remote file cannot be accessed a more detailed error message is now displayed

Bugfixes

  • Updated the Bitbucket integration to be fully compatible with the latest Bitbucket API changes
  • Fixed a bug where renaming the Bitbucket workspace ID of a Bitbucket Team synchronized with Private Packagist would prevent further synchronizations
  • Packages added via synchronization inside a project in some cases did not grant all project members access
  • Credentials for a URL with a non-standard port can now be used to set up webhooks
  • Fixed zip downloads for package urls without a path e.g. https://composer.example.com/?package=test&version=1.0
  • Using HTTP auth as part of a third party mirror repository URL no longer fails but automatically creates a credential entry
  • No more immediate reloads after a successful job finishes to provide enough reading time
  • Fixed an issue where users logging in via a password manager would sometimes land on an error page
  • Improved the package search by trimming off additional whitespace
  • Registration will not silently fail due to very long passwords anymore
  • If Bitbucket returns an empty response there are now additional request retries
  • Fixed race conditions in synchronization process leading to incorrect or incomplete data
  • We now always propagate new version information for packagist.org mirrored packages to all projects using them
  • Deleting or replacing credentials inside a project did not work in some cases
  • We now correctly handle errors caused by invalid third party repository URLs
  • If a remote VCS repository changes its URL synchronization now immediately updates the package URL
  • Improved handling of GitHub API rate limits while adding a new package

1.8.5

March 29, 2019

Bugfixes

  • Database migration for organization_sync_run table can no longer fail and prevent application startup

1.8.4

March 29, 2019

Features

  • Added an option to override the default request timeout for mirrored Composer repositories
  • Added on option to override the number of running background worker processes to the replicated console

Changes

  • Improved the performance of package updates by caching versions without a composer.json
  • Renamed the Owners/Admins Team option for authentication tokens to 'All packages'
  • The authentication tokens page now displays when the token was last used
  • Adjusted the Bitbucket API usage to avoid deprecated v1 endpoints where possible
  • Allow non-synchronized teams to be deleted in organizations with synchronizations
  • New improved footer design
  • Owners and Admins teams are now always shown for everyone

Bugfixes

  • Ensure that synchronizations can be removed from organizations
  • Editing a mirrored third party repository inside a project failed
  • Fixed validation of SSH URLs when adding packages, which prevented creating packages
  • Fixed a bug that prevented authentication tokens to be created in projects
  • Improve the package update handling in case the package gets deleted while the update is running
  • Handle various GitHub related errors during a synchronization and reschedule the failed jobs
  • Handle various exceptions during package archive and reschedule the jobs
  • Improve the handling of authentication exceptions during oauth login with GitHub
  • Handle the case where a package is deleted while a background job is setting up a webhook for the same package
  • GitLab synchronizations now work for subgroups with access tokens which do not have access to the parent group
  • Adding a new synchronization to an existing organization will now inform the user once the first synchronization run finished
  • Package statistics now also include the current day in the graph
  • Handle exceptions on composer search in case the mirrored third party repository returns invalid json
  • Increase the default timeout for http requests for GitLab to 30s
  • Flush the composer version cache for a package when the repository url changes
  • Improvements to request timeout handling in background worker for Bitbucket
  • Fixed an issue where multiple organizations synchronized with the same Team on Bitbucket would overwrite each others webhooks
  • Fixed a bug that prevented teams with authentication tokens from being deleted
  • Download stats for packages mirrored from Packagist.org will now display the correct values for every organization
  • Fixed a bug that rendered the pagination on the Users Explorer in the admin section unusable
  • Fixed a bug that prevented package statistics to load for packages which have been in Private Packagist since before 2018
  • Improve memory handling in background workers by regularly clearing the doctrine and monolog caches
  • Prevent more than two package updates for the same package to be queued at the same time
  • Records of finished jobs are now deleted on a daily basis
  • Long mirrored third party repository URLs no longer overlap with other page content
  • Avoid a full synchronization if a new repository/package was detected via webhook call

1.8.3

February 5, 2019

Features

  • Added host system admin command packagist package:update-all --overwrite-data=true command to schedule updates rewriting all versions for all packages

Bugfixes

  • Ensure that update jobs which overwrite existing version data disable composer version cache
  • Do not duplicate display of mirrored packages copied from an organization into projects without generally making the mirror available to the project

1.8.2

February 4, 2019

Bugfixes

  • Fix bug introduced in 1.8.1 leading to failing package updates on Enterprise installations

1.8.1

February 1, 2019

Features

  • Added a search field when adding packages from synchronized repositories and when adding packages from the parent organization to a project

Changes

  • Performance improvements to editing credentials, renaming organizations and projects, and deleting packages
  • No longer displaying a warning about a missing hook for custom JSON packages which cannot be updated without editing the JSON

Bugfixes

  • Fix download URLs on package update for Enterprise instances which changed their repo hostname and had old download URLs cached from before July 2018
  • Detect SSL certificate problems with integrated service (GitHub, Bitbucket, GitLab etc.) and display them to users
  • Fixed race condition which could lead to failed downloads of packages which are just being mirrored for the first time
  • Ensured the last owner of an organization can never be deleted by a synchronization run
  • Members of new teams found during synchronization are now added immediately, rather than only on the second synchronization run

1.8.0

January 18, 2019

Features

  • Synchronizations can now be configured on a per-project basis
  • Synchronizations now list runs during the previous 48 hours and what exactly changed on each run, e.g. new users or repositories

Changes

  • Integrations can now be created even if the validation fails
  • Updating a credential now triggers an update for all associated packages and synchronizations
  • The team member pages now show more information about each user
  • API rate limit errors during login now show which API rate limit was reached
  • Adding organization packages to a project now happens without page reload
  • Improved the flow to set up a new synchronization for an existing organization
  • When importing packages from JSON you can now select credentials to be applied
  • You can now switch which of your synchronizations should be the primary one
  • Improved typography and spacing across all pages
  • Synchronizations can now be triggered by all members of an organization
  • The organizations overview page now shows an option to reauthenticate if your oauth token is not valid anymore
  • Synchronizations show which credential is used to make requests to the external service
  • Added functionality to update the credential description
  • The project settings on the organization settings page are now hidden until the first project is created
  • Setting up a mirror with http auth in the url will now automatically create a credential and assign it to the mirror
  • Packages where the last update failed will now display the error until the issue is resolved

Bugfixes

  • Deleting a mirror now runs in a background task to avoid UI timeouts
  • Ensure the registration doesn't break if the email is already used by another user
  • The license review page won't timeout anymore for organizations with projects
  • Handle API limits for Bitbucket when new repositories are added
  • Adjusted the messaging in the organization add synchronization modal if the user has no connected accounts
  • Deleting a team with authentication tokens will now always work, the authentication tokens will remain but without package access
  • The list of dependent packages does not contain duplicates anymore
  • Disabled the browser autocomplete functionality on all credential input fields
  • Sync settings concering project assignment could not be saved for synchronizations which did not target GitHub
  • Requesting a password for a non-existing user won't result in an error anymore
  • Detect and handle GitLab maintenance windows
  • Handle the case where a credential has no Bitbucket oauth scopes assigned

1.7.0

December 3, 2018

Features

  • Private Packagist for Agencies: Support for projects in each organization with a separate Composer repository, including options for mirrors, credentials and tokens to be defined for just one or a set of projects
  • Packages mirrored from packagist.org are now updated automatically within a few seconds of changes on packagist.org rather than only twice a day
  • composer search is now supported for all packages available through Private Packagist: private and mirrored third party packages can be found
  • Bitbucket Team hooks are now set up automatically to detect new packages when you create new repositories
  • Added a link to Admin page in the top nav, and link to Replicated console from admin page

Changes

  • Managing access to packages for teams now sorts the dropdown of packages and lets you search through them
  • Reduce worker memory consumption by merging infrequently running tasks into a single process
  • Log full stack traces on PHP errors
  • Improved the package update log output to better display authentication issues
  • Package updates which fail because of external API limits are now retried once the limit resets

Bugfixes

  • Ensure email from address is always set correctly on all SMTP configurations instead of falling back to contact@packagist.com
  • Reduce the number of errors displayed on all pages to 1 if multiple syncs are broken
  • Display exactly which scopes are missing if synchronization fails because of missing OAuth scopes
  • Select correct scopes by default when creating a GitHub access token
  • Load correct error handler configuration for logging on the Composer repo

1.6.2

November 21, 2018

Bugfixes

  • Database migration for team table can no longer fail and prevent application startup (only happened on fresh installs if no organizations existed)

1.6.1

November 14, 2018

Features

  • Package detail page now shows information on the mirror if the package was mirrored
  • Allow specifying a custom timeout value for requests to each integration
  • Allow deactivating users in organizations even if they did not create a Private Packagist account yet

Changes

  • Document that GitLab webhooks may require a configuration change to allow requests to a local network if Private Packagist is running in the same network
  • Speed up updates of private packages with large numbers of tags with new cache
  • Allow disconnecting the last third party authentication provider if email authentication is enabled
  • Deleting synchronization now disables but stores all authentication tokens for later reuse
  • Allow reusing existing credentials in the organization when setting up synchronization
  • read only authentication tokens no longer receive a lazy providers URL pattern in packages.json to speed up package lookups
  • Ignore Bitbucket repositories which the team admin does not have access to, instead of failing the sync process
  • Correctly detect permission errors returned by Bitbucket and presend them in an actionable way
  • Unified metadata storage and update processes for mirrored packagist.org packages across organizations to improve performance
  • Changed internal configuration of Composer to better expose error messages returned by external repositories, e.g. API rate limits
  • Deleting all packages in a mirror now runs in a background task to avoid UI timeouts
  • Improved queries used in org synchronization reduce disk i/o on the db
  • Detect and warn about credentials applied to a package with a URL that does not match the credential domain
  • Log errors with more details on repo console commands
  • Detect GitLab connection failures and retry jobs later
  • Use a lower timeout for GitHub calls than the client library default
  • Bitbucket Server: Detect and warn about our SSH key already being assigned to another user breaking our automatic setup
  • Full name for users is automatically prefilled on third party authentication if available
  • Verify API scopes of GitHub tokens and give appropriate error message if any are missing
  • Set SSH timeout to 10 seconds to prevent broken git clones over SSH from taking a very long time before they timeout

Bugfixes

  • Replicated no longer corrupts the snapshot database on upgrade
  • Replicated now works with docker configured to use write only log drivers
  • Correctly detect and store webhook state for bitbucket.org packages
  • Ensure disabled users will not be reactivated through a synchronization in organizations with multiple syncs
  • Prevent issues resulting from double submission of user disable form
  • Fixed data fetching for bitbucket.org repositories with a default branch containing a slash in its name
  • Password reset was not possible in some configurations
  • Take no proxy list into account if the environment variable uses a lower case name
  • Synchronization for GitHub integrations may not automatically have run once a day

1.6.0

August 20, 2018

Features

  • Email/password based registration and login, needs to be enabled on /admin/ page under Global Settings
  • Email verification configurable per integration to set trust for emails provided by third party authentication mechanisms
  • Improved profile page with list of emails from third parties and manually defined ones, each with verification state and option to use as default address
  • Display README contents on package overview pages

Changes

  • If a user's API rate limit on a third party service prevents login, display a specific error message explaining this circumstance
  • Team overview page lists package counts next to permissions now, so it's easier to spot teams which assign permissions to an incomplete set of packages
  • Improve Enterprise setup experience by automatically granting the first created user admin permissions
  • Automatically fill in bitbucket usernames in credential creation forms to simplify setup
  • Improved documentation layout and added enterprise troubleshooting section

Bugfixes

  • Convert proxy URLs to correct protocol URLs for PHP streams
  • Automatically send full URIs to HTTP proxies for unencrypted HTTP, but relative paths for encrypted HTTPS to avoid problems with some specific proxy software
  • Revert modified user agent in proxy code which preventing mirroring from third party repositories blocking based on user agents
  • Disabled erroneously enabled but broken vendor/customer functionality on Private Packagist Enterprise

1.5.7

August 7, 2018

Features

  • Respect the host system's PROXY environment variables which are used by replicated inside of Private Packagist and allow the definition of hostnames which should not go through the proxy on the admin page
  • Added an option to change the frequency of organization synchronization below the default 20 hours, watch out for rate limit issues if you reduce this value
  • Provide a CLI admin command to update all packages in an organization
  • Archives for the latest tages of new packages are now created immediately to speed up the first use of composer update
  • add missing links to profile page to allow editing username and email easily
  • Composer token last usage is now tracked precise to a 5 minute window

Changes

  • Improved validation of Enterprise Integration setup values for GitHub Enterprise, Bitbucket Server and self-hosted GitLab with improved error messages
  • Provide a more specific error message if a package already exists when you are adding it with a link to the package
  • Use streaming responses for large JSON files to reduce memory consumption
  • Upgraded Replicated to version 2.25.1
  • Increased timeout for mirrored repository responses to 5 seconds to allow slower repositories to be mirrored, may slow down composer updates when adding new packages
  • Reduced default php socket timeout to 10 seconds to provide useful error messages if any external requests time out
  • moved automatic webhook creation into a worker process with automatic retries to improve reliability

Bugfixes

  • Do not store URLs to Private Packagist in cache, so hostname changes take effect without manual regeneration of stored data
  • Synchronization of an organization with GitHub no longer stops if a repository with individual collaborators is archives
  • Display a link using custom integration domains for creating credentials instead of always using github.com, gitlab.com, bitbucket.org
  • metapackages without code no longer trigger archive creation errors
  • License overview no longer displays package names to a user which they do not have access to
  • GitLab scope missing error is now explained to users instead of crashing background workers
  • Fix internal communication between containers for SSL certificates which are not valid for IP addresses used on the internal network, could have resulted in empty download statistics
  • Fix internal SSL communication between containers when using Replicated's self signed certificate
  • Fix worker crash if synchronization setup is disabled while synchronization is running
  • Validate informational domain field for credentials

1.5.6

Release skipped

1.5.5

Release skipped

1.5.4

June 7, 2018

Features

  • Let users know that they have to accept GitLab's new ToS if this is preventing them from logging in or synchronizing their organization

Changes

  • Automatically generated credential names are no longer unique across all orgsnizations
  • GitHub push hooks will trigger initialization of packages that do not exist yet
  • Catch GitLab API Limit errors and display a message to users
  • Reduce amount of data requested from GitLab by using new subgroup API endpoints if available as of GitLab 10.3
  • During successful synchronization the user who set up the synchronization will not be removed from owners if no other owner has an active Private Packagist account

Bugfixes

  • Package updates triggered by a push hook are retried after 30 seconds instead of being cancelled, if another update is already running, as a result tags pushed separately immediately after commits should now show up on Packagist faster
  • Regression preventing successful synchronization with GitHub Enterprise
  • Warn users about problems if gitlab sync credential is empty
  • Handle Bitbucket 50x errors the same as 500 during synchronization API calls
  • Attempt to retrieve smaller pieces of information with more API calls from Bitbucket if large endpoints return 500 errors for internal timeouts at Bitbucket
  • Catch 401 errors from GitLab and turn into useful message for users
  • Enterprise preflight checks test listening on 0.0.0.0 for ports 80/443 now to avoid issues with machines without a detectable public ip
  • Custom package validation now properly checks that at least one package was defined

1.5.3

May 9, 2018

Bugfixes

  • Fix installation of webhooks on Bitbucket Server if no webhooks are present yet

1.5.2

May 8, 2018

Bugfixes

  • Repo container won't start up if restarted without old temporary directory present

1.5.1

May 8, 2018

Features

  • Automatically configure webhooks on Bitbucket Server (requires version 5.4 or above)

Changes

  • Reorganized organization teams page layout
  • Separate packagist temporary data from permanent distribution files to decrease snapshot size, we recommend you use SFTP or S3 snapshots only and that you define a new empty directory to create snapshots in starting with this release to reset the differential storage mechanism
  • Composer repository now returns a 401 if auth is missing to ask for interactive authentication input
  • Upgraded to Replicated 2.20.2 with improvements to snapshot creation and restore

Bugfixes

  • Fix key generation for Bitbucket Server and provide more detailed error messages in case of problems
  • Ensure packages with manually defined JSON always update all metadata on edits
  • Detect and ignore deleted package situation when processing a package update
  • Prevent signup errors if people double click the signup button
  • Catch 502 responses from GitLab and treat them as timeouts and retry later
  • Catch empty responses from Bitbucket and treat them as timeouts and retry later
  • If bitbucket permission API endpoint fails, try retrieving info for each team and repository individually
  • Use correct organization name for listed vcs repositories if an org is synchronized with multiple targets
  • Fix organization log entry creation for admin self-deletion
  • Ensure synchronized users are always created with a unique username
  • Find composer.json information on GitLab projects with a default branch other than master
  • Correctly disable all synchronizations if an integration on which they are based is deleted

1.5.0

Mar 16, 2018

Features

  • Management console option to enter additional TLS/SSL certificates Private Packagist Enterprise should trust for connections to your VCS repositories
  • Option to trigger an update for all packages mirrored from a particular third party Composer repository
  • GitHub synchronization now supports granting external collaborators package permissions
  • Synchronization now automatically creates packages from repositories which you add a composer.json to after sync skipped the repository for lack of a composer.json

Changes

  • Restoring an Enterprise instance from a snapshot no longer requires to run any custom commands to restore the PostgreSQL database
  • If a GitLab subgroup is synchronized with a Private Packagist organization, we now search all parent groups for members with inherited permissions
  • Increased default timeout for talking to GitLab instances to 30 seconds
  • Reaching the Bitbucket rate limit now triggers a 1 hour block on all requests sent to the Bitbucket API to restore the limit fully
  • Bitbucket requests are retried automatically on server errors because it reports timeouts as 500 Internal Server Error
  • Performance improvements to Composer repository JSON delivery
  • Provide a specific error message if someone attempts to add a package with the same name as a package that already exists
  • Setup mode now allows deleting the admin user account
  • Disabled auto-complete on password fields for external credentials
  • Upgrade to Replicated 2.17.0 amongst other things improving snapshots and restore

Bugfixes

  • Worker processes do not fail to start up anymore if Redis is taking too long to load data into memory
  • Modified Redis backup/restore process will no longer cause extremely slow or incomplete snapshots
  • Fix GitLab Composer behavior to ensure correct commit instead of branch is used for dist generation when targeting specific commits on branches
  • Updating the credentials on a mirrored Composer repository now ensures that all packages already mirrored from the same repository start using the updated credentials
  • Bitbucket Server configuration uses readonly instead of disabled fields for values to be copied now and made it impossible to reset client id / public key to empty
  • Do not log anything and do not return an error on metapackages which do not have a source or dist specified
  • Invitation email to new users now links to correct login/registration page instead of always referring to GitHub
  • Fix local build file cleanup to prevent disk from eventually getting too full
  • Fix mirroring of packages with names using capital letters (should be avoided and is invalid on packagist.org)
  • Prevent error on editing an organization if no platform was selected for the organization

1.4.3

Jan 17, 2018

Changes

  • Synchronized packages will always use the credentials associated with the sync now

Bugfixes

  • Do not attempt to bind to [::] on Enterprise hosts with IPv6 disabled
  • Skip synchronization entirely for organizations that no longer exist on GitHub
  • Fix webhook installation on non-primary synchronizations
  • Properly apply deactivated user list to non-primary synchronizations

1.4.2

Jan 10, 2018

Bugfixes

  • Fix form submission for secondary GitHub synchronization default permission settings

1.4.1

Jan 10, 2018

Bugfixes

  • Fix regression on some package pages and in background workers attempting to resolve non-existent default integration configuration leading to 500 errors
  • Fix incorrect determination of mailer host configuration resulting in broken health checks

1.4.0

Jan 8, 2018

Features

  • Synchronize multiple external GitHub orgs, Bitbucket teams, GitLab groups with a single Private Packagist organization
  • Multiple organizations can be synchronized with the same GitHub/Bitbucket/GitLab organization
  • Allow disabling the creation of new organizations for anyone who is not a Private Packagist Admin user

Changes

  • Synchronized team names have been updated to reflect their origin to clarify context when using synchronization with multiple sources
  • Do not allow deleting an organization on Private Packagist if the GitHub app has not been uninstalled yet
  • Improved 500 error message on Enterprise installations
  • Upgraded Replicated to 2.15.0
  • Upgraded Nginx to 1.13.8

Bugfixes

  • Remove non-existent option from worker command calls, fixing issues with cache invalidation and download stats
  • Fix potential constraint violation when disabling synchronization on an organization
  • Don't display broken remote organization avatar if none is defined
  • Return proper error code and message if an archive cannot be created before the request timeout ends
  • Properly handle API rate limits in vcs synchronization worker

1.3.12

Jan 2, 2018

Features

  • Allow defining multiple mirrored Composer repositories with the same URL but different credentials

Changes

  • Lower timeouts (2 seconds) on retrieving data from mirrored Composer repositories
  • Clarify synchronization error messages, more specific and instructional
  • Upgraded to PHP 7.2
  • Upgraded Replicated to 2.14.0

1.3.11

Dec 13, 2017

Changes

  • Update UI structure for mirrored repositories in organization settings to match other settings
  • Improved error messages in case Bitbucket API Limits are encountered
  • Do not warn about SSL requirement for package URLs unless a user attempted to use a non-SSL http URL

Bugfixes

  • Fix regression in form input for default member permission for synchronized GitHub organizations
  • Display a helpful error message in case a Bitbucket organization cannot be loaded due to token issues instead of a 500 error on org settings

1.3.10

Dec 11, 2017

Changes

  • Increased timeouts on port listen startup events during docker orchestration

1.3.9

Dec 11, 2017

Bugfixes

  • Regression in GitHub Enterprise API client pagination

1.3.8

Dec 11, 2017

Bugfixes

  • Prevent 404 during Bitbucket privilege check in synchronization
  • Correctly follow pagination URLs on GitHub Enterprise API in all cases (second fix)

1.3.7

Dec 8, 2017

Changes

  • Add new denormalized columns and indexes to improve performance of dependent/suggesters calculation for packages

Bugfixes

  • Correctly follow pagination URLs on GitHub Enterprise API in all cases
  • Don't include non-existing nginx log files in support bundle to prevent timeouts in support bundle generation

1.3.6

Dec 6, 2017

Features

  • Permanently display the most recent synchronization failure message and info on last successful run

Changes

  • No requirement for 20GB on the root filesystem anymore, you should have at least 10GB mounted on /data and 10GB available to the system and replicated however
  • Only administrators of Bitbucket Teams can setup synchronization with a Private Packagist organization

Bugfixes

  • Increase nginx server_names_hash_bucket_size to 64
  • Make sure temporary files are always cleaned up after creating an archive even in case of errors
  • Catch some unexpected potential errors returned by Bitbucket during synchronization, log them and retry later

1.3.5

Nov 30, 2017

Features

  • Provide a manual option in org settings for default package access for all members on synchronized GitHub organizations because the GitHub API does not yet expose this setting to applications
  • Synchronize packages in shared projects on GitLab into the Private Packagist organization like regular projects

Bugfixes

  • If the owner of a GitLab sync auth token is not a member of the synchronized group, attempt to load all GitLab group info (only up to 20 API page requests)

1.3.4

Nov 28, 2017

Features

  • Errors and warnings in package update logs are now highlighted and indicated with a warning symbol
  • For organizations synchronized with GitHub, create a team containing all members which are not in any team

Changes

  • Allow deleting a credential currently in use by packages and mirrored repositories with an option to replace it with a different existing credential
  • Retry synchronization jobs after a delay if they failed due to reaching a GitHub or Bitbucket rate limit
  • Prevent the addition of non-SSL repository URLs upfront rather than erroring during update jobs later
  • Logging in composer repository application is triggered at lower notice level now
  • Don't retry gitlab API requests after 5 attempts that all timed out
  • Schedule even github packages which have an oauth token for 12 hour updates in case the webhook isn't set up
  • Added a view button for mirrored composer repositories on the organization settings page
  • Improve debugging output in case the synchronized gitlab group cannot be found during synchronization
  • Made database migration state detection more robust and removed error output on startup
  • Updated Replicated to 2.13.1

Bugfixes

  • Prevent race condition that could lead to broken zip files created for download from packages on Bitbucket or GitLab
  • GitHub organization listing is no longer limited to 30 (API pagination)

1.3.3

Oct 13, 2017

Bugfixes

  • Fix regression introduced for archive creation in last release

1.3.2

Oct 13, 2017

Features

  • Allow users to regenerate their personal auth token on the profile page

Changes

  • Improve guidance through Integration setup in Enterprise admin panel
  • Enterprise Setup now checks for availability of ports 80 and 443
  • PHP base image upgrade

Bugfixes

  • Request correct scope on login with self-hosted GitLab CE OAauth
  • Skip the account merge dialog if a user tries to login in a browser tab after having logged in on another one
  • Prevent error when deleting users in Enterprise Setup mode without being logged in
  • Fix race condition during archive generation that could lead to incorrect zip contents on download

1.3.1

Sep 25, 2017

Features

  • Option to delete organizations from the Enterprise admin panel without joining an organization as an owner
  • Organization memberlist now shows all inactive users who will become members as soon as they activate their Private Packagist account by logging in

Changes

  • Package update errors now differentiate between HTTP errors that may be caused by permission issues and errors caused by other networking problems, e.g. timeouts
  • Postgres password is now read-only on the Enterprise Management Console as it was not supposed to be modified
  • GitLab subgroup names are now display with the full hierarchy path when creating a new organization

Bugfixes

  • Prevent race condition when a user tries to setup synchronization again before previous background job finished
  • The dialog to create an organization from GitLab groups now lists all groups rathern than just the first 20
  • Prevent error when deleting a user while logged out in Enterprise setup mode

1.3.0

Sep 21, 2017

Changes

  • Upgraded GitLab API client library, we now require GitLab API v4 - this means GitLab versions lower than 9.0 are no longer compatible

1.2.7

Sep 20, 2017

Bugfixes

  • Allow X-Forwarded-For headers on http requests to the Enterprise health check

1.2.6

Sep 19, 2017

Features

  • Add SMTP connection check button to Enterprise management console settings screen

Bugfixes

  • Ensure users are no longer tied to an integration after it's been deleted
  • Prevent synchronization from failing if teams get renamed to names of other now deleted teams

1.2.5

Sep 13, 2017

Features

  • Team package access page now lists synchronized packages without access to clarify which permissions are handled in external systems
  • GitLab subgroups now have individual teams for different types of access (Developer, Reporter, Owner, ...)
  • Bitbucket Server Integration Setup form now has detailed list of required settings for different dialogs

Changes

  • Team renames are tracked on GitLab and GitHub, Bitbucket as no team identifier other than the name
  • Increased timeouts for GitLab requests to 15 seconds to circumvent their rate limiting bugs

Bugfixes

  • GitLab permissions are now correctly inherited to subroups if they are unchanged from the parent
  • Prevent invalid composer.json on master branch from crashing package updates on other branches/tags

1.2.4

Sep 8, 2017

Bugfixes

  • Ensure internal random secret value is never modified on updates to prevent hook URLs from changing

1.2.3

Sep 7, 2017

Bugfixes

  • Fix URL added in previous release in specific cases

1.2.2

Sep 7, 2017

Bugfixes

  • Always show manual hook URL for packages where hook is not managed automatically

1.2.1

Sep 7, 2017

Bugfixes

  • Skip unnecessary query on executing workers, resulting in filling up postgres error log

1.2.0

Sep 5, 2017

New Features

  • Package rename handling: new package is automatically added if the package name changes in composer.json on the default branch of an existing package
  • Team members can view which packages their own team has access to (previously for admins only)
  • View full repository paths for GitLab subgroups
  • Support for Typo3 Composer Repository and t3x archive files
  • Shift-clicking update button on view package page force updates all versios

Changes

  • Deleting a user in Enterprise Admin Panel requires confirmation
  • Better error reporting in user interface during synchronized org creation failures
  • Performance of team overview page improved for very large organizations
  • Updated to latest version of Composer for improved GitLab compatibility (API v4) and full subgroup support
  • Updated Replicated to 2.11.1
  • Improved signal handling in worker processes
  • Team page directly links to full member management page

Bugfixes

  • Prevent deadlock in cache busting worker process
  • Mount the composer working directory into the ui container to allow manual adding mirrored packages from the web interface
  • Request OAuth Scopes on every GitLab request, fixes compatibility with new GitLab version and removes extra confirmation dialog on login
  • User account merging can no longer result in error for users with organization log entries
  • Deleting an integration properly disconnects synchronized organizations from the third party service
  • Properly clear permission cache on package deletion (low impact, as package data was gone anyway)

1.1.3

Aug 4, 2017

New Features

  • Option to disable email entirely for Enterprise
  • GitLab subgroup support

Bugfixes

  • Handle GitHub Abuse responses appropriately
  • Fix suggested GitLab authentication URL
  • Do not attempt to mirror a package name that also exists publically but current user has no access to
  • Avoid duplicate initialization of packages

1.1.2

Jul 25, 2017

Changes

  • Upgraded Replicated to 1.9.3

1.1.1

Jul 24, 2017

New Features

  • Ability to search and delete user accounts completely on admin page
  • Display github rate limit issue warnings on package initialization
  • Support for nested Bitbucket and GitLab repository URLs

Changes

  • Higher timeouts and better handling of timeouts for Bitbucket and GitLab
  • Warn users when trying to use readonly tokens to mirror new packages
  • More reliable error logging on the repo container
  • Unified job queue with priorities replaces workers separated by job type
  • Allow organization admins to manage synchronization, not just owners
  • Avoid probing for composer.json on VcsRepos that are known to work already
  • Updated GitHub links to use new apps path (formerly integrations)

Bugfixes

  • track state of packages correctly after sync has been disabled on an organization
  • No more 403 page after removing yourself from an organization
  • Prevent duplication of synchronized repositories in add package screen
  • Package renames now invalidate cache of of composer metadata
  • Unreachable mirrored third party repositories now trigger warning instead of 500 error on composer repo
  • No 403 erros for non-admins when viewing package details of a package in their team

1.1.0

Jun 15, 2017

New Features

  • Allow editing of authentication token descriptions

Changes

  • Remap all internally used ports to uncommon numbers to avoid conflicts with other services on host
  • Report Webhook error states on package details page
  • Use internal network only for internal API calls to avoid reliance on DNS or public certs
  • Switched all containers to alpine to reduce size and improve compatibility
  • Added more detailed logging to external API interaction in case of errors
  • More detailed logging of all error states in docker process stdout / support bundle

Bugfixes

  • Removed potential race condition in database setup for Private Packagist Enterprise
  • Synchronize team memberships when manually adding a package in the synchronized organization
  • Validate from mail address in dashboard settings
  • Ensure hostname for ui and repo are distinct in dashboard settings
  • other minor changes and dependency updates

1.0.15

May 18, 2017

Bugfixes

  • Fix regressions in background workers
  • Fix python patch for supervisord

1.0.14

May 17, 2017

Bugfixes

  • Patching Python for RHEL 7.2 compatibility to run supervisord

1.0.13

May 17, 2017

Changes

  • System Updates Bugfixes
  • RHEL supervisord/python random syscall workaround

1.0.12

May 8, 2017

New Features

  • Store user join/leave activity on organizations

Bugfixes

  • Organizations will not be created with a number suffix in their name unless necessary
  • Fix deletion of organizations which resulted in a 500 error
  • Per-organization seat-based notification emails are disabled
  • Improve Bitbucket token issue error handling
  • Ensure admin teams definitely always have access to all synchronized packages

1.0.11

Apr 23, 2017

Bugfixes

  • Fix GitHub Enterprise automatic webhook setup (differs from github.com)
  • Automatically correct webhook setup on manual package update if not present or incorrect

1.0.10

Apr 20, 2017

New Features

  • New Organization Explorer in the Admin Panel
  • Allow Deletion of Integrations
  • Collect supervisord process log files in support bundle

Bugfixes

  • Fix an organization synchronization error
  • Allow all images in Content Security Policy to allow for external avatars
  • Improve display of Installation Counts

1.0.9

Apr 19, 2017

New Features

  • HTTP Port is now configurable to something other than 80

1.0.8

Apr 19, 2017

Bugfixes

  • Fix regression in GitHub Enterprise API Access
  • Improve Startup Time of nginx container

1.0.7

Apr 19, 2017

New Features

  • Added HTTPS Port Selection to allow custom HTTPS Ports

1.0.0

Mar 30, 2017

First stable release

Start Free Trial

Login to create an organization and start your free trial!