This May, we're spring-cleaning our toolchain with a fresh round of updates across key platforms. Bamboo is getting a tune-up from 10.2.0 to 10.2.3, and Confluence is moving from 8.9.7 to 9.2.3—because even documentation deserves a glow-up. GitHub Enterprise Server is stepping up from 3.15.3 to 3.16.1, while GitLab gets an extra boost from 17.9.5 to 17.10.5, keeping your repos in top shape. On the code quality front, SonarQube Community Build moves from 25.2 to 25.3, SonarQube LTA gets a small but mighty update to 2025.1.1, and SonarQube itself leaps ahead from 2025.1 to 2025.2. As always, these updates bring security patches, new features, and a little peace of mind—because nothing says “May” like well-oiled pipelines.

Bamboo will be updated from version 10.2.0 to 10.2.3, incorporating a series of bug fixes and security fixes.


These updates aim to enhance the platform's stability and performance, ensuring a more reliable user experience.

All delivered fixes were non-customer-impacting, so just enjoy a safer, more stable, and reliable version.

This month, Confluence takes a leap forward with the upgrade from 8.9.7 to version 9.2.3, bringing improved performance, enhanced stability, and a range of bug fixes to refine your collaboration experience. The new version introduces smoother navigation and updates, making managing content and teams more intuitive. It’s a small step in numbers but a big step for productivity—perfect for powering your next big project.

Gadgets fully removed

As part of ongoing improvements, gadgets have been fully removed from Confluence 9.0.3. Support for gadgets officially ended in Confluence 7.0, and while they remained functional in later versions, they’re no longer available as of this release. Users relying on gadgets should explore alternative solutions such as macro-based integrations or native Confluence features to maintain similar functionality. This change aligns with Confluence’s focus on modern, supported integrations for a more streamlined and secure experience. Learn more here.

To cheer you up, an upcoming marketplace app will re-enable integration between Jira and Confluence starting from Confluence version 9.2.0.

Note: The app is still under development, and its functionality may be limited. Learn more here.

Dark Theme is here!

Confluence 9 introduces the highly anticipated Dark Theme, giving your workspace a sleek, modern look while reducing eye strain during those long working sessions. It’s a visually refreshing update designed to keep you comfortable and focused, no matter how late you’re burning the midnight oil.

Note: If you use any dark theme plugin to work with Confluence, you may face issues after the application update. We recommend disabling/removing any dark theme applications.

Five Minutes of Fame also has text and background color palettes in table cells. The new colors adjust depending on whether the page is viewed in a light or dark theme.

Important: If you’re using any dark theme plugins in your browser or in the Confluence page itself, you need to disable them as they might cause issues.

Confluence 9.0 has a light theme set by default. It's the direct, lighter-colored alternative to dark theme. Both dark and light themes use the same design elements to give you a consistent experience when switching between themes. 

Improved Code Block macro security

Confluence 9.0.3 also improves security and performance for the Code Block macro, ensuring your code snippets are better protected against potential vulnerabilities. This update provides stronger safeguards for shared code, giving teams the confidence to collaborate securely while maintaining seamless functionality.

If you’ve installed custom languages, they’ll stop working, and code blocks using them will revert to the default language. Java becomes the default for code blocks previously set to a custom language.

Word count and estimated read time for pages and blogs

This update instantly gives you insight into the length and readability of your content. Whether crafting a detailed guide or a quick update, these new metrics help you fine-tune your communication and keep your readers engaged.

If you need to count characters instead of words, the editor does that, too. Just switch over using the dropdown—easily done! Learn more here.

Dark theme support for custom logos and color schemes

You can now upload distinct logos for both light and dark themes. This ensures optimal brand visibility regardless of the user's chosen theme.

Further personalize the dark theme by creating a separate color scheme for spaces or the entire site. This allows you to select a palette that harmonizes with the dark background and light text.

To configure these features, navigate to the Administration menu, then General Configuration. Within the Look and Feel section, you will find the settings for the Global color scheme, site logo, and favicon. Learn more about configuring the global color scheme and site logo.

Microsoft Entra ID integration

Confluence introduces the ability to configure Microsoft Entra ID, previously called Azure AD, as a remote user directory. This enhancement enables administrators to utilize Microsoft's widely adopted cloud-based identity and access management solution for simplified user administration. Learn more here

Security improvements

More secure login with two-step verification

You can now set up two-step verification and verify your identity with an authentication app when you log in to protect your account. Learn more here.

OAuth2 for Application Links supporting 3LO

This more secure protocol will be used for application link integrations, ensuring consistent connected workflows between Atlassian on-premises and FedRAMP Cloud applications. This will not impact existing application links. Learn more here.

Default encryption

Administrators can be assured that plain-text secrets in Confluence are now secured. We've implemented default encryption for confidential passwords and secret keys to bolster product security. Specifically, certain sensitive plain-text values within Confluence configuration files will be automatically protected using robust AES 256-bit encryption.

Improved ways of work

Code Block macro enhancements

Support for 80+ languages: The macro now supports syntax highlighting for over 80 programming languages, including highly requested ones such as Rust and YAML, making reading and understanding code snippets easier.

Click to copy: Users can copy the contents of the macro to their clipboard with a single click.

Inline text wrapping: When the macro has long lines of text, you can use a new useful button for inline text wrapping.

Improved user experience: Several UX enhancements have made the macro more intuitive and user-friendly.

Removal of themes: The macro is now dark theme compatible, and the option to set individual themes across code blocks has been removed for a more consistent user experience.

Default Plain Text: When an admin doesn't set a default language, the system defaults to Plain Text instead of Java.

Learn more here.

Improved autocomplete behavior

There is a new autocomplete dialog behavior. Now, it automatically closes if the next typed character is a space. This change applies to all autocomplete dialogs, including:

  • Image/Media: !
  • Link: [
  • Macro: {, /
  • Mentions: @
  • Emoji: :

Learn more here.

New keyboard shortcuts in the editor

To enhance the editing experience, we’ve introduced new keyboard shortcuts:

  • Clear all formatting: CTRL + \
  • Subscript: CTRL + Shift + ,
  • Superscript: CTRL + Shift + .
  • Monospace: CTRL + Shift + M

Note: CTRL + Shift + M doesn’t open the emojis menu. You can insert emojis using the colon (:) as a keyboard shortcut. Learn more here.

Loom support for the Widget Connector macro

You can now embed Loom videos by pasting the link into a page. The Widget Connector macro, which supports Loom content, enables this integration. Learn more here.

Single click to copy heading links

Enhance collaboration with Confluence's new feature: One-click link copying for headings. Quickly share direct links to specific sections, eliminating the need for manual anchor creation. Simply hover over a heading to display the link icon, click to copy, and paste to guide your team members to precise information. Learn more here.

Plugin removed from Confluence

Advanced Roadmaps for Jira in Confluence - Starting with Confluence 7.20, the Advanced Roadmaps for Jira in Confluence plugin is bundled with Confluence. The Advanced Roadmaps in Confluence app is included with Confluence DC versions 7.20 and later.

GitHub Enterprise Server will be updated from version 3.15.3 to 3.16.1, introducing several notable enhancements that improve functionality and security. Highlights include expanded support for GitHub Actions, job reusability through workflows, and improvements to the web UI performance for repository views. The release also brings enhanced audit log capabilities for better visibility into administrative and security events. Administrators will benefit from updates to maintenance mode behavior, while developers gain smoother experiences across the platform. These changes support more efficient workflows and stronger system oversight.

Dependabot

Dependabot is now fully supported for pnpm workspaces, offering developers more reliable dependency updates. This integration helps prevent lockfile inconsistencies and broken dependency trees, ultimately improving the reliability of updates within monorepos. For more information, please refer to the GitHub blog post.

GHES now allows users to configure Dependabot to update their repositories to the latest .NET SDK automatically. When a newer version is available, Dependabot will generate a pull request proposing an update to the global.json file. This feature helps ensure your projects stay up-to-date with the newest .NET SDK. Learn more here.

Security insights

A SAST Vulnerabilities Summary table is now available on the security overview dashboard (Detection view) for organizations and enterprises. This table displays the top 10 CodeQL and third-party open alerts, ranked by count and categorized by vulnerability type. It allows teams to prioritize remediation efforts effectively by identifying the most frequent vulnerabilities present in their codebase. Learn more here.

Repositories

To enhance security and control, enterprise and organization administrators can now establish policies that restrict the use of deploy keys across all organizational repositories. This provides greater oversight of deploy keys. For more information, refer to Setting a personal access token policy for your organization. Learn more here.

Security advisories

Users who report security advisories can calculate a base vulnerability score using the new CVSS 4.0 schema. See About the GitHub Advisory database.

GitHub Mobile

The GitHub Mobile app is enhancing focus with its new Focused Notifications feature. This update prioritizes notifications from the last 30 days that require user attention, such as authored items, direct mentions, and assigned tasks. This feature aims to minimize distractions and boost user productivity by filtering out less critical notifications.

Closing down in GitHub Enterprise Server 3.17

GitHub will migrate tag protection rules to a ruleset, and the tag protection rule feature will no longer be available. However, you can use the migration feature to move your tag protection rules prior to upgrading to 3.17.

GitHub will also deprecate the Docker registry for GitHub Packages in favor of the GitHub Container Registry, which supports Docker packages. All packages in the Docker registry will be deleted and cannot be fetched past the deprecation date.

Dependabot will no longer support Python 3.8, which has reached its end-of-life. If you continue to use Python 3.8, Dependabot cannot create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Python. As of February 2025, Python 3.13 is the newest supported release.

Dependabot will also no longer support NPM version 6, which has reached its end-of-life. If you continue to use NPM version 6, Dependabot cannot create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of NPM. As of December 2024, NPM 9 is the newest supported release.

The field cvss for GitHub security advisories in the REST and GraphQL APIs will be deprecated in favour of the new cvss_severities field.

Retired in GHES 3.16

GitHub no longer supports .NET 6 in GitHub Enterprise Server 3.16 and later.

Known issues

On an instance hosted on Azure, commenting on an issue via email did not add the comment to the issue.

GitLab will be updated from version 17.9.5 to 17.10.5, introducing a range of enhancements designed to improve development workflows and system performance. Key features in this release include the beta launch of Duo Code Review, which leverages AI to assist in code reviews by identifying potential issues and suggesting improvements directly within merge requests. Additionally, Root Cause Analysis is now available for GitLab Duo Self-Hosted users, enabling faster troubleshooting of failed CI/CD jobs by analyzing logs and proposing fixes.

The introduction of GitLab Query Language (GLQL) Views in beta offers users more flexible and powerful ways to query and visualize their data. Furthermore, new visualizations for DevOps performance metrics provide deeper insights into development processes. These updates aim to streamline development activities and enhance overall system efficiency.

Administration

Configurable token duration with GitLab OIDC provider (Core, Premium, Ultimate)

The `id_token_expiration` attribute now allows you to configure the lifespan of ID tokens when using GitLab as an OpenID Connect (OIDC) provider. Previously, these tokens had a static 120-second expiration. Learn more here.

Request reassignment by using a CSV file (Core, Premium, Ultimate)

This update introduces bulk reassignment of user contributions via CSV file upload. This feature is designed for large user bases with numerous placeholder users. Owners can now:

  • Download a pre-filled CSV template.
  • Populate it with GitLab usernames or public emails from the target instance.
  • Upload the completed CSV to reassign all contributions simultaneously.

This new method replaces the time-consuming manual reassignment process in the user interface. API support for CSV-based reassignment has also been implemented to simplify extensive migration projects. Learn more here.

Improved project creation permission settings (Core, Premium, Ultimate)

GitLab refined the project creation permission settings to be clearer, more intuitive, and better aligned with security standards. These improvements include:

  • Clarity: The "Default project creation protection" dropdown is now "Minimum role required for project creation," directly indicating its function.
  • Consistency: The "Developers + Maintainers" option has been renamed "Developers" for better platform-wide uniformity.
  • Organization: The dropdown options are now ordered from the most restrictive to the least restrictive access level.

These updates simplify the process of understanding and configuring which roles have project creation privileges within your groups. This allows administrators to implement the necessary access controls more confidently. Learn more here.

Map OmniAuth profile attributes to user (Premium, Ultimate)

GitLab user profiles can now automatically reflect Organization and Title attributes defined in an OmniAuth identity provider (IdP). This integration establishes the IdP as the authoritative source for this information, preventing users from manually altering these fields within GitLab. Learn more here.

Identify and revoke tokens with token information API (Core, Premium, Ultimate)

A unified API is now available for GitLab administrators to identify and revoke tokens. Previously, token revocation required using specific endpoints for each token type. This new API simplifies the process by allowing revocation regardless of the token type. Refer to the Token information API for a list of supported token types. Learn more here.

AI

Select models for AI-powered features on GitLab Duo Self-Hosted (Ultimate, Duo Enterprise)

The beta release of GitLab Duo Self-Hosted allows users to choose specific supported models for each GitLab Duo Chat sub-feature within their self-managed environment. This provides granular control over model selection and configuration for individual Chat sub-features. Learn more here.

Meta Llama 3 models available for GitLab Duo Self-Hosted Code Suggestions and Chat (Ultimate, Duo Enterprise)

GitLab Duo Self-Hosted now supports select Meta Llama 3 models in beta. This integration allows using these models with GitLab Duo Chat and Code Suggestions. Learn more here.

AI Impact Dashboard available on GitLab Duo Self-Hosted Code Suggestions (Ultimate)

The AI Impact Dashboard now supports GitLab Duo Self-Hosted Code Suggestions on self-managed instances, enabling you to assess GitLab Duo's impact on your team's productivity. Currently in beta for self-hosted GitLab Duo, the dashboard integrates with Visual Studio Code, Microsoft Visual Studio, JetBrains, and Neovim IDEs on your self-managed instance.

By comparing AI usage trends against key metrics such as lead time, cycle time, DORA, and vulnerability counts, the AI Impact Dashboard allows you to quantify the time saved through GitLab Duo Self-Hosted across your entire workflow. This focuses on achieving business results rather than simply tracking developer actions. Learn more here.

Root Cause Analysis available on GitLab Duo Self-Hosted (Ultimate, Duo Enterprise)

GitLab Duo Root Cause Analysis is now available in beta for GitLab Self-Managed instances using GitLab Duo Self-Hosted. This feature supports Mistral, Anthropic, and OpenAI GPT models.

Root Cause Analysis helps you quickly identify the reasons behind failed CI/CD pipeline jobs and suggests solutions while maintaining data sovereignty. By analyzing the failed job log, it streamlines troubleshooting.

Please note that this beta version has limited functionality. The full feature set is expected in version 17.11. Learn more here.

Duo Code Review available in beta (Ultimate, Duo Enterprise)

Code review is a critical yet time-intensive part of software development. It safeguards code quality and security while fostering mentorship and providing valuable feedback.

Introducing Duo Code Review, the evolution designed to accelerate your development process. By performing an initial review on your merge requests, Duo can proactively identify potential bugs and suggest enhancements, some of which can be implemented directly in your browser. Leverage Duo to refine your changes before involving another reviewer.

Get started:

  • Initiate a review instantly: Add `@GitLabDuo` as a reviewer to your merge request.
  • Refine feedback: Mention `@GitLabDuo` in a comment on your changes.

Learn more here.

UI/UX 

Configurable squash settings in branch rules (Premium, Ultimate)

Git workflows necessitate diverse commit handling approaches during branch merges. 

Now, branch rules allow per-protected-branch squash configuration. For instance:

  • Require squashing when merging a feature to develop for a clean history.
  • Disable squashing when merging develop to main to preserve commit history.

This enhanced flexibility guarantees consistent commit history project-wide, accommodating each branch's unique workflow needs without manual intervention. Learn more here.

Sort access tokens in Credentials Inventory (Ultimate)

The Credentials Inventory allows sorting personal, project, and group access tokens by owner, creation date, and last used date. This enhancement improves the speed and ease of finding and recognizing your access tokens. Learn more here.

GitLab Duo Chat is now resizable (Premium, Ultimate, Duo Pro, Duo Enterprise)

The Duo Chat drawer in the GitLab UI is now resizable, allowing for easier viewing of code outputs or keeping the chat open while working in GitLab. Learn more here.

New navigation experience for projects in Your Work (Core, Premium, Ultimate)

Enhancements to the project overview in Your Work

Improved project overview in Your Work, designed to simplify project discovery and access, has arrived. This update features a more intuitive tab-based navigation to better align with user workflows.

Key changes include:

  • Contributed tab (formerly Yours): Now consolidates all projects you've contributed to, including personal projects, for easier tracking of your development activities.
  • Personal tab: Your individual projects are now more readily accessible via a dedicated tab in the main navigation.
  • Member tab (formerly All): This tab displays all projects where you are a member, providing a clear view of team projects.
  • Inactive tab (formerly Pending deletion): The tab offers a comprehensive view of both archived projects and those marked for deletion.

Additionally, users with the necessary permissions can now directly edit or delete projects from the Your Work overview. These enhancements reflect our ongoing effort to deliver a more efficient and user-friendly GitLab experience. The updated layout aims to improve focus on relevant projects and reduce navigation time. Learn more here

Select a compliance framework as default from the dropdown list on the Frameworks page (Premium, Ultimate)

In the GitLab compliance center, users can designate a default compliance framework for top-level groups. This framework will automatically apply to all newly created or imported projects within that group and have a distinctive default label.

To simplify the process of setting a default framework, a new option has been added to the framework dropdown list on the list frameworks page in the compliance center of a top-level group. This functionality is exclusive to top-level groups and unavailable in subgroup or project compliance centers. Learn more here.

Snooze to-do items (Core, Premium, Ultimate)

With the new snooze notification feature, you can temporarily hide items in your to-do list, enabling better focus on immediate priorities. You can also gain precise control over when these notifications reappear—whether in an hour or the next day—to enhance your workflow management. Learn more here.

New issues look now in beta (Core, Premium, Ultimate)

Issues now offer a unified experience with epics and tasks, including:

  • Real-time updates and workflow improvements: Benefit from immediate synchronization and optimized processes.
  • Drawer view: Quickly view items from lists or boards in a sliding panel without navigating away. Expand to full-page view when needed.
  • Change type: Easily convert items between epics, issues, and tasks using the renamed "Change type" action (formerly "Promote to epic").
  • Start date: Issues now support start dates, aligning with epics and tasks.
  • Ancestry: View the complete hierarchy above the title and in the Parent field of the sidebar. Manage relationships using new quick actions: `/set_parent`, `/remove_parent`, `/add_child`, and `/remove_child`.
  • Controls: All actions are now conveniently located in the top menu (vertical ellipsis), which stays visible as you scroll.
  • Development: You can access a consolidated list of all related development items (merge requests, branches, and feature flags) for any issue or task.
  • Layout: Enjoy a smoother user interface across issues, epics, tasks, and merge requests, enhancing workflow efficiency.
  • Linked items: Establish connections between tasks, issues, and epics with improved linking functionalities. Drag and drop to modify link types and control the visibility of labels and closed items.

Enhanced markdown experience (Core, Premium, Ultimate)

GitLab Flavored Markdown now includes the following enhancements:

Improved math and image handling:

  • Math rendering limits can be disabled at the group or self-hosted instance level for more intricate mathematical expressions.
  • Image dimensions can be precisely controlled using pixels or percentages for enhanced layout management.

Enhanced editor experience:

  • Lists will now automatically continue when pressing Enter/Return.
  • Keyboard shortcuts can be used to shift text left or right.
  • Description lists for term-definition pairs can be created using specific syntax.
  • Video widths are now adjustable.

Better content organizing:

  • Content navigation is improved with auto-expanding summary quick views (by adding +s to URLs).
  • Referenced issue titles now render automatically (by adding + to URLs).
  • Modular content organization is possible with the include syntax.
  • Visually distinct callouts and warnings can be created using alert boxes.

These updates enhance GitLab Flavored Markdown, giving teams more power and flexibility for creating and managing documentation. Learn more here.

Reporting

New insights into GitLab Duo Code Suggestions and GitLab Duo Chat trends (Ultimate)

The AI Impact Dashboard's AI comparison metrics panel now offers month-over-month (MoM) tracking for GitLab Duo Code Suggestions acceptance rate and GitLab Duo Chat usage (MoM%). These trend insights enhance the 30-day snapshots of Duo Code Suggestions and Duo Chat metrics. By providing a historical perspective, managers can more effectively evaluate the impact of AI on their software development lifecycle (SDLC) and identify correlations between Code Suggestions acceptance rate and Duo Chat usage with other SDLC metrics over time. Learn more here.

Bulk edit to-do items (Core, Premium, Ultimate)

Enhance your task management with Eficode ROOT's updated To-Do List. The new bulk editing feature allows you to select and mark multiple items as done or snooze them. This improvement provides greater control and streamlines the organization with minimal effort. Learn more here.

Package registry adds audit events (Premium, Ultimate)

GitLab now logs package registry operations as audit events, enabling teams to monitor package publishing and deletion for compliance purposes. Previously, tracking package changes relied on custom, manual systems. There was no built-in mechanism to identify who modified packages.

Each audit event now provides a comprehensive record of package modifications, including:

  • Who made the change.
  • When the change occurred.
  • The authentication method used.
  • Specific details of the change.

Project audit events are stored within the group namespace or the project itself (for individual project Owners). Groups can disable audit events to manage storage requirements. Learn more here.

New visualization of DevOps performance with DORA metrics across projects (Ultimate)

The new Projects by DORA metric panel is integrated into the Value Streams Dashboard. This enhancement provides a comprehensive table of all projects within the top-level group, detailing their performance across the four key DORA metrics. This allows managers to easily distinguish between high, medium, and low-performing projects, enabling data-informed decisions regarding resource allocation and strategic focus on improving software delivery speed, stability, and reliability.

Leveraging the readily available DORA metrics in GitLab, this new panel, alongside the existing DORA Performers score panel, offers executives a complete, end-to-end view of their organization's DevOps health. Learn more here.

GitLab Query Language views Beta (Core, Premium, Ultimate)

Tracking work in progress across GitLab previously involved navigating multiple areas, hindering team efficiency and wasting time.

This release introduces Beta access to GitLab Query Language (GLQL) views, enabling you to create dynamic, real-time work tracking within your existing workflows.

GLQL views embed live data queries in Markdown code blocks within Wiki pages, epic descriptions, issue comments, and merge requests.

Previously an experiment, GLQL views now enter beta, offering sophisticated filtering using logical expressions and operators across key fields such as assignee, author, label, and milestone. Customize the presentation as tables or lists, control displayed fields, and set result limits for focused, actionable team insights.

Teams can now maintain context while accessing necessary information, fostering shared understanding and improving collaboration, all without leaving their current workflow. Learn more here.

Project development

Docker Hub authentication for the dependency proxy (Core, Premium, Ultimate)

Avoiding Docker Hub rate limits with GitLab Dependency Proxy

Effective April 1, 2025, Docker Hub is implementing stricter pull limits for unauthenticated users (100 pulls per 6 hours per IP address range). This change may cause pipeline failures if these limits are exceeded.

To prevent such failures and to enable access to private images, the GitLab Dependency Proxy for container images now supports authentication with Docker Hub.

In this release, Docker Hub authentication can be configured via the GraphQL API using your Docker Hub credentials, personal access token, or organization access tokens. User interface configuration support will be available in GitLab 17.11. Learn more here

Ignore specific revisions in Git blame (Core, Premium, Ultimate)

Project history views can become cluttered with commits from refactoring or mass code formatting, obscuring meaningful changes. Git's `.git-blame-ignore-revs` file allows identification of these commits. GitLab now enhances the blame view with a toggle in "Blame preferences" to show or hide these ignored revisions, improving project history comprehension. Learn more here.

Wider distribution for token expiration notifications (Core, Premium, Ultimate)

When enabled, access token expiry notifications will now be sent to both direct and inherited members of groups and projects. This enhancement expands the notification reach beyond direct members, simplifying token management before they expire. Learn more here.

Dependency Scanning support for pub (Dart) package manager (Ultimate)

Dependency Scanning now supports pub, Dart's official package manager. Our latest Dependency Scanning template and CI/CD component include this enhancement. Learn more here.

Authenticate to private Pages with an access token (Core, Premium, Ultimate)

Private GitLab Pages can now be accessed programmatically using access tokens, streamlining automation. This enhancement removes the previous requirement for interactive UI authentication, boosting developer productivity and flexibility in managing and distributing secure Pages content. Security remains a priority with this change. Learn more here.

Path exclusions for CODEOWNERS (Premium, Ultimate)

It's a common practice for teams setting up a CODEOWNERS file to use general patterns for file paths and types. However, these broad configurations can cause issues when certain files, like documentation or build automation scripts, don't need a designated code owner.

To address this, GitLab allows you to specify path exclusions within the CODEOWNERS file. This feature lets you exclude particular files or directories from the requirement of having Code Owner approval, providing greater flexibility in managing code ownership within your projects. Learn more here
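
A review aid for the exclusions described above, added here as an example and not taken from GitLab or from this page: it parses a CODEOWNERS file and lists the changed paths that an exclusion releases from Code Owner approval. It assumes GitLab's `!` prefix for exclusion lines, a simplified glob matcher, and that an exclusion overrides any rule in the same section; the sample file, owners and paths are constructed.

```python
import re

# Constructed sample: a CODEOWNERS file with exclusion lines ("!" prefix).
SAMPLE_CODEOWNERS = """\
* @platform-team
!*.md
!*.yml

[Security]
/auth/ @appsec
!/auth/README.md
"""

# Constructed sample: paths touched by a merge request.
SAMPLE_PATHS = [
    "docs/guide.md", ".gitlab-ci.yml", "deploy/prod.yml",
    "auth/login.rb", "auth/README.md", "src/app.rb",
]


def glob_to_regex(pattern):
    """Simplified gitignore-style glob (assumption, not GitLab's own matcher)."""
    anchored = pattern.startswith("/")
    body = pattern.lstrip("/")
    if body.endswith("/"):           # "/auth/" covers everything beneath it
        body += "**"
    parts, i = [], 0
    while i < len(body):
        if body.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif body.startswith("**", i):
            parts.append(".*")
            i += 2
        elif body[i] == "*":
            parts.append("[^/]*")    # "*" stays inside one path segment
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    prefix = "" if anchored else "(?:.*/)?"   # relative patterns match at any depth
    return re.compile("^" + prefix + "".join(parts) + "$")


def parse_codeowners(text):
    """Return {section: {"defaults": [...], "rules": [...], "exclusions": [...]}}."""
    sections, current = {}, "(default)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\^?\[([^\]]+)\](?:\[\d+\])?\s*(.*)$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {"defaults": header.group(2).split(),
                                          "rules": [], "exclusions": []})
            continue
        sec = sections.setdefault(current, {"defaults": [], "rules": [], "exclusions": []})
        if line.startswith("!"):
            pattern = line[1:].split()[0]
            sec["exclusions"].append((pattern, glob_to_regex(pattern)))
        else:
            pattern, *owners = line.split()
            sec["rules"].append((pattern, glob_to_regex(pattern), owners or sec["defaults"]))
    return sections


def evaluate(path, sections):
    """For each section with a matching rule: its owners and the exclusion hit, if any."""
    result = {}
    for name, sec in sections.items():
        owners = None
        for _pattern, regex, who in sec["rules"]:
            if regex.match(path):
                owners = who                     # last matching rule wins
        if owners is None:
            continue
        excluded_by = next((p for p, rx in sec["exclusions"] if rx.match(path)), None)
        result[name] = {"owners": owners, "excluded_by": excluded_by}
    return result


def required_owners(path, sections):
    """Sections (and owners) that still require approval for this path."""
    return {name: hit["owners"]
            for name, hit in evaluate(path, sections).items()
            if hit["excluded_by"] is None}


def released_paths(paths, sections):
    """(path, section, exclusion pattern) for every approval an exclusion removes."""
    released = []
    for path in paths:
        for name, hit in evaluate(path, sections).items():
            if hit["excluded_by"] is not None:
                released.append((path, name, hit["excluded_by"]))
    return released


if __name__ == "__main__":
    parsed = parse_codeowners(SAMPLE_CODEOWNERS)
    for path, section, pattern in released_paths(SAMPLE_PATHS, parsed):
        print(f"{path}: no approval in {section} (excluded by !{pattern})")
```

On the sample, the broad `!*.yml` exclusion releases `.gitlab-ci.yml` and `deploy/prod.yml` along with any other YAML file, which is the kind of side effect worth checking when a CODEOWNERS change is reviewed.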

Extended webhook triggers for expiring tokens (Core, Premium, Ultimate)

Optional webhook triggers for project and group access token expiry at 60 and 30 days are now included. Previously, these notifications were only sent 7 days before expiry. This new setting aligns with the existing email notification schedule for expiring tokens. Learn more here.

Description templates for epics, issues, tasks, objectives, and key results (Core, Premium, Ultimate)

Boost your project efficiency and uniformity with the new description templates for work items (epics, tasks, objectives, and key results). This enhancement enables the creation of standardized templates, saving time and ensuring that all necessary information is included when new work items are created. Learn more here.

Handling of `needs` statements in pipeline execution policies for compliance (Ultimate)

To give you more control over pipeline execution, jobs in the `.pipeline-policy-pre` reserved stage must now finish before jobs in later stages can start. This is true even if the later jobs don't have `needs` statements.

Previously, jobs in `.pipeline-policy-pre` and jobs in later stages with `needs` would start as soon as the pipeline began. Now, subsequent stages will wait for `.pipeline-policy-pre` to complete before starting any jobs without dependencies. This helps you enforce a specific execution order and ensures security policies are followed.

Our customers use reserved stages to ensure compliance and security checks happen before developer jobs. A common example is a security or compliance check that stops the whole pipeline if it fails. Letting jobs run out of order could skip this check and weaken the intended policy. This change gives you a more reliable way to enforce compliance.

If you want to add jobs at the beginning of the pipeline without changing how `needs` works, you can set up the jobs to use a custom stage. This feature was introduced in version 17.9. Learn more here.
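The ordering change described above, as an added example (a simplified model, not GitLab's scheduler): it computes when each job can start with and without the new enforcement. The job names, the one-wave-per-job timing and the helper names are assumptions made for illustration.

```python
POLICY_PRE = ".pipeline-policy-pre"
STAGES = [POLICY_PRE, "build", "test"]

# Constructed pipeline as (job, stage, needs); needs=None means no `needs` keyword.
JOBS = [
    ("policy-scan", POLICY_PRE, None),
    ("compile", "build", None),
    ("fast-lint", "test", []),            # needs: [] -> no dependencies
    ("unit", "test", ["compile"]),
]

def start_waves(jobs, stages, enforce_policy_pre):
    """Return {job: wave}. Wave 0 starts with the pipeline; each job runs for one wave."""
    by_name = {name: (stage, needs) for name, stage, needs in jobs}
    order = {stage: i for i, stage in enumerate(stages)}
    pre_jobs = [n for n, (s, _) in by_name.items() if s == POLICY_PRE]
    waves = {}

    def wave(name):
        if name not in waves:
            stage, needs = by_name[name]
            if needs is None:  # plain stage ordering: wait for all earlier stages
                prereqs = [n for n, (s, _) in by_name.items() if order[s] < order[stage]]
            else:              # `needs` replaces stage ordering with explicit jobs
                prereqs = list(needs)
            if enforce_policy_pre and stage != POLICY_PRE:
                prereqs += pre_jobs  # the enforcement described for this release
            waves[name] = max((wave(p) + 1 for p in prereqs), default=0)
        return waves[name]

    return {name: wave(name) for name in by_name}

def started_before_policy(jobs, stages, enforce_policy_pre):
    """Jobs outside the reserved stage that start before the policy stage has finished."""
    waves = start_waves(jobs, stages, enforce_policy_pre)
    policy_done = max((waves[n] + 1 for n, s, _ in jobs if s == POLICY_PRE), default=0)
    return sorted(n for n, s, _ in jobs if s != POLICY_PRE and waves[n] < policy_done)

if __name__ == "__main__":
    print("before:", started_before_policy(JOBS, STAGES, enforce_policy_pre=False))
    print("after: ", started_before_policy(JOBS, STAGES, enforce_policy_pre=True))
```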

Change the severity of a vulnerability (Ultimate)

GitLab now offers enhanced flexibility in vulnerability triage by allowing users to adjust the severity levels of vulnerability occurrences manually. This feature addresses the limitations of relying solely on default scanner-assigned severities, which may not always align with an organization's security context and risk appetite.

Key benefits include:

  • Customizable severity levels: Assign any of the following severity levels to vulnerabilities: Critical, High, Medium, Low, Info, or Unknown.
  • Bulk editing: Modify the severity of multiple vulnerabilities simultaneously from the vulnerability report.
  • Visual identification: Easily distinguish vulnerabilities with custom severity levels through visual cues.
  • Auditable changes: All severity adjustments are logged in the vulnerability history and audit events.
  • Controlled access: Overriding a severity is restricted to team members with at least the Maintainer role or a custom role possessing the `admin_vulnerability` permission.

This enhancement empowers security teams with greater flexibility and control over the prioritization of vulnerabilities, leading to a more tailored and effective security management process. Learn more here.

In SonarQube version 25.3.0.104237, several Java rules were added and improved to strengthen code quality and maintainability.


These updates include better detection of misused APIs, enhanced precision in identifying problematic patterns like redundant conditionals or inefficient loops, and new rules focused on modern Java practices. This release helps developers write cleaner, more efficient Java code with fewer false positives.

In version 2025.1.1.104738, the primary focus is addressing bugs and enhancing stability. This update includes fixes for issues related to analysis performance and the accuracy of certain code quality rules.


While no new features have been introduced in this release, the improvements aim to ensure a more reliable and efficient user experience.

SonarQube will be updated from version 2025.1 to 2025.2.0.105476, introducing significant enhancements across AI capabilities, analyzers, scanners, and language support.

AI features

The AI CodeFix functionality has been expanded, supporting self-hosted Azure OpenAI models and providing organizations greater control over AI-assisted code remediation. Additionally, rule coverage for AI CodeFix has been extended across multiple programming languages, including C#, C++, JavaScript/TypeScript, and Python, enhancing its ability to suggest fixes for a broader range of code issues. 

Language support

The update brings new rules covering the OWASP Mobile Top 10, enhancing security analysis for mobile applications. Furthermore, support has been added for PySpark and Jupyter Notebooks in PyCharm, catering to AI/ML developers. Updates also include improved support for the latest versions of Dart and Kotlin, ensuring compatibility with modern development practices.

Sonatype Nexus Repository will be upgraded from version 3.71.0-06 to 3.77.2, introducing several significant enhancements to repository management and performance. A notable addition is the New Parent ID Index, designed to improve the efficiency of getByDisplayPath queries by enabling faster retrieval of data based on node_id and parent_id. This optimization may slightly increase large deployments' startup time but offers substantial performance benefits during regular operations.

Additionally, the free edition has been rebranded as Nexus Repository Community Edition, now granting access to previously Pro-only formats such as Cargo and Composer and supporting Hugging Face proxy repositories. The update also enhances integration with containerized environments like Kubernetes via PostgreSQL and includes multiple performance-related bug fixes to bolster system stability and efficiency.

Sonatype Nexus Repository OSS is now Community Edition

Version 3.77 of Nexus Repository introduces a name change for the free edition, now known as Sonatype Nexus Repository Community Edition.

This Community Edition offers strong repository management for individual users and smaller teams. Upgrading to version 3.77.0 allows users to access new functionalities, such as support for previously Pro-exclusive formats and smooth integration with containerized platforms like Kubernetes, alongside certain usage restrictions. Learn more here.

View Published and Last Downloaded Date in Cleanup Preview CSV (PostgreSQL Only)

For PostgreSQL deployments, the Cleanup Policy Preview CSV now includes columns showing each component's published date and last downloaded date.

Support for Rust / Cargo format (Pro Only)

The Pro edition now supports Rust/Cargo format repositories, including hosted, proxy, and group types. Currently, components can be uploaded only through `cargo publish`. Note that the native format support is incompatible with the Community plugin. Learn more here.

Malware warning banner

This enhancement allows for the proactive identification of intentionally harmful open-source components. Learn more here.

Support for proxy PHP/Composer repositories (Pro)

This update introduces native support for PHP/Composer proxy repositories in Sonatype Nexus Repository Pro. This enhancement allows users to store and manage Composer components within the same platform as other application dependencies. The native integration also enables programmatic interaction with Composer repositories via APIs, and Firewall users can now scan these components for security vulnerabilities.

Please note that there is no direct migration path from the community plugin to this new native support. Learn more here.

Cargo repositories

Extracting Key Cargo Attributes from Cargo.toml

The display of Cargo package details in Nexus Repository has been enhanced. Key attributes such as name, license, authors, vendor, description, version, and homepage are now extracted from `Cargo.toml` files and are visible in the Browse interface when navigating Cargo repositories.

Explicitly Control Cargo authentication requirements by Repository

The authentication process for Cargo clients, which relies on a signal in the `config.json` file, could previously cause confusion. This was particularly true when Nexus Repository had anonymous access enabled but restricted it at the individual Cargo repository level.

To address this, a new "Restrict repository content to authenticated users" checkbox has been added to the Cargo proxy and group repository configuration. This option sets the `auth-required` flag in `/config.json` responses and overrides anonymous access settings, providing a more consistent and intuitive experience for users interacting with proxy and group Cargo repositories.

Native Support for Conan 2.0 (Pro)

This release delivers full native support for Conan 2.0, significantly enhancing C/C++ development workflows. Development teams can utilize the latest Conan features, including improved package IDs, simplified recipe formats, and a redesigned CLI.

Enhanced C/C++ Dependency Management with Nexus Repository Pro

Integrating Conan 2.0 with Nexus Repository Pro provides complete control over C/C++ dependencies, ensuring consistency, reproducibility, and efficiency throughout the development lifecycle. Benefit from:

  • Enhanced security.
  • Simplified workflows.
  • Improved collaboration.
  • Comprehensive Nexus Repository Pro features:
    • Repository management.
    • Cleanup policies.
    • High availability.
    • Content replication.
    • Robust security measures.

Important considerations for transitioning to Conan 2.0

To ensure a seamless transition:

  • Maintain separate Conan 1.x and 2.0 repositories within Nexus Repository to prevent conflicts.
  • Adopt a phased migration approach, allowing for gradual updates to recipes and client configurations while using existing Conan 1.x packages.
  • Note that group Conan repositories are supported for version 2.0 only.

Learn more here.

Eliminate lurking malware with the new Malware Remediation Task (Pro)

Even before security measures like Sonatype Repository Firewall are in place, malicious components can enter your repositories. To address this, Nexus Repository Pro now features a Malware Remediation task. This task thoroughly inspects all components in your proxy repositories, regardless of their ingestion time.

This new task works with the malware warning banner introduced in version 3.73.0, offering an efficient method to find and handle existing malware. By configuring the Malware Remediation task to use Sonatype Repository Firewall, you can analyze components for potential threats and identify malicious ones within your repositories. The task produces a detailed report on a dedicated Malware Audit page, which includes essential details like the component name, repository location, and quarantine status. Learn more here.

Support for Hugging Face Proxy Repositories (Pro and Community Edition)

As the adoption of AI/ML grows, efficiently managing and distributing models is essential. This new functionality allows you to directly proxy Hugging Face models within Nexus Repository, combining the power of pre-trained models with enhanced control and efficiency.

It is recommended that you use NFS/EFS/Azure file storage for your Hugging Face repositories for optimal performance.

While this initial release supports proxying Hugging Face models, future updates will include support for datasets and spaces.

Key benefits of the new Hugging Face proxy feature in Nexus Repository include:

  • Performance and efficiency: Locally caching pre-trained models improves speed and reduces bandwidth, minimizing external requests and network usage. This is especially beneficial for large models.
  • Enhanced security: Protect your machine learning assets by leveraging Nexus Repository's access controls and robust security features.
  • Streamlined workflows: Centralize the management and distribution of models within your current repository infrastructure for increased efficiency.

Learn more here.

Automatically remove malicious components with Repository Firewall (Pro Only)

The Automatic Malware Management task, introduced in release 3.76.0, now offers enhanced repository security. You can configure it to remove malware detected in your proxy repositories automatically. This streamlines the removal of infected components, further reducing the risk of exposure. This feature complements Repository Firewall, which proactively prevents users from downloading malware. Learn more here.

Content replication for Conan V2 (Pro Only)

This enhancement enables developers to publish artifacts to a central Nexus Repository instance, which then automatically pre-fetches these artifacts to other instances via standard proxy repositories. The result is quicker artifact delivery and improved productivity for developers. Learn more here.

Helm staging support (Pro Only)

The staging feature now supports Helm charts for Sonatype Nexus Repository Pro users with H2 or PostgreSQL databases. This improvement reduces deployment risks by allowing development teams to thoroughly test and validate Helm charts in separate staging environments before deploying them to production. Learn more here.

Published: May 1, 2025

Eficode ROOT release notes