Artifact Registry release notes

This page documents production updates to Artifact Registry. Check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/artifactregistry-release-notes.xml

March 25, 2024

v1

The software bill of materials (SBOM) feature is now Generally Available (GA). To learn more, see SBOM overview.

Artifact Analysis support for Vulnerability Exploitability eXchange (VEX) statements now includes the capability to upload VEX statements for multiple versions of an image. You can specify whether to associate a VEX statement with one image digest, or all versions of an image. This feature is in Preview. To learn more, see Upload VEX statements.

March 22, 2024

v1

Effective March 22, 2024, Artifact Registry npm repositories enforce not including uppercase letters in package names in order to match npmjs naming rules. Packages with uppercase letters in their names pushed to Artifact Registry prior to this date aren't affected by this change unless you want to push them to a new repository.

March 19, 2024

v1

Fixed the issue causing images copied to Artifact Registry from Container Registry with the automatic migration tool to fail to propagate their creation time to Artifact Registry. Artifact Registry creation time is set to the time the image was uploaded to Container Registry, and update time is set to the time the image is copied to Artifact Registry.

March 15, 2024

v1

Artifact Registry remote repositories support basic authentication to user-defined and preset upstream sources for Docker, Maven, npm, and Python formats.

To create a remote repository using a preset or user-defined upstream source, see Create remote repositories. For more information on remote repository authentication, see Configure authentication to remote repositories.

Images copied to Artifact Registry from Container Registry with the automatic migration tool are failing to propagate their upload time to Artifact Registry, and instead have their upload time value set to zero, resulting in an upload time of early 1970. If you have cleanup policies that delete images based on upload time, this might mean all your copied images are deleted. We are actively working on a fix for this issue.

January 31, 2024

v1

Artifact Registry is available in the africa-south1 region (Johannesburg, South Africa).

January 12, 2024

v1

Artifact Registry Tags are Generally Available (GA). Tags are key-value pairs that you can use to group repositories and other resources across Google Cloud for reporting, auditing, and access control within your Google Cloud organization. To learn more, see Tag repositories.

October 31, 2023

v1

Artifact Registry remote repositories now support authentication to Docker Hub upstream repositories.

To create a Docker Hub remote repository, take the quickstart.

October 27, 2023

v1

Artifact Registry remote repositories are now generally available.

Remote repositories store artifacts from external sources such as Docker Hub or PyPI. A remote repository acts as a proxy for the external source so that you have more control over your external dependencies. The first time that you request a version of a package, Artifact Registry downloads and caches the package in the remote repository. The next time you request the same package version, Artifact Registry serves the cached copy.

To get started with remote repositories, try the quickstart.

Artifact Registry virtual repositories are now generally available.

Virtual repositories act as a single access point to download, install, or deploy artifacts in the same format from one or more upstream repositories. An upstream repository can be an Artifact Registry standard or remote repository.

To get started with virtual repositories, create a virtual repository, or see an example of how to use the different repository modes together in the repository overview usage example.

September 19, 2023

v1

Artifact Registry is now available in the me-central2 region (Dammam, Saudi Arabia).

September 13, 2023

v1

Artifact Registry now supports HTTP access to Apt repositories. For more information, see Configure HTTP access to an Apt repository.

August 29, 2023

v1

Artifact Analysis automatic scanning for Python and Node.js (npm) vulnerabilities in container images is now generally available. If the Container Scanning API is enabled, it scans container images pushed to Artifact Registry for Python and Node.js vulnerabilities, in addition to operating system vulnerabilities.

Artifact Analysis returns Python and Node.js vulnerability results for images that have a supported or unsupported operating system. When you push new versions of images to the registry, you might see more successful vulnerability scans and corresponding charges against images without a supported operating system.

For more information, see Python overview and Node.js overview.

Artifact Analysis now offers support for Vulnerability Exploitability eXchange (VEX). VEX is a type of security advisory that indicates whether a product is affected by a known vulnerability. For every container image pushed to Artifact Registry, Artifact Analysis can store an associated VEX statement.

You can upload VEX files to describe any vulnerabilities discovered in specific artifacts and provide context about their impact. VEX statuses can be used to assist your organization in triaging vulnerabilities.

This feature is in Preview. To learn more, see Upload and view VEX statements.

Artifact Analysis now offers the ability to export a consolidated software bill of materials (SBOM) for scanned containers in Artifact Registry. SBOMs are generated in the Software Package Data Exchange (SPDX) format; however, you can also ingest externally created SBOMs in either SPDX or CycloneDx formats. With this new capability, you can centrally manage SBOMs to gain visibility into key information about your software supply chain.

This feature is in Preview. To learn more about our SBOM capabilities, see SBOM overview.

August 22, 2023

v1

Artifact Registry is now available in the europe-west10 region (Berlin, Germany).

August 16, 2023

v1

Artifact Registry remote repositories for OS packages are now in Preview.

A remote repository stores artifacts from external sources such as Docker Hub, Maven Central, the Python Package Index (PyPI), Debian or CentOS. A remote repository acts as a proxy for the external source to enable more control over external dependencies.

For more information on which public OS package repositories are supported by Artifact Registry remote repositories, see OS packages supported upstreams. To create a remote repository for OS packages, see Create remote repositories.

July 11, 2023

v1

Cleanup policies for Artifact Registry are now in Preview. Cleanup policies help you manage artifacts by automatically deleting artifacts that you no longer need, while keeping artifacts that you want to store.

Deletions requested by Cleanup policies count against Artifact Registry delete request quota and limits.

Starting July 11, 2023, Artifact Registry write requests and delete requests have their own quotas. For more information on this change, see Quotas and limits.

June 30, 2023

v1

Go repositories are now generally available.

Storage and network egress charges apply to all formats that are generally available.

March 30, 2023

v1

Artifact Registry is now available in the me-central1 region (Doha, Qatar).

March 29, 2023

v1

Artifact Registry is now available in the europe-west12 region (Turin, Italy).

March 28, 2023

v1

Artifact Registry repositories with gcr.io domain support are now generally available. These repositories can host your existing Container Registry images and automatically redirect requests for gcr.io hosts to corresponding Artifact Registry repositories.

March 23, 2023

v1

The immutable tags setting is now in Preview for Docker repositories. When tags are immutable, you cannot change the image digest that a tag references in the repository. You can configure this setting when you create a repository or change the setting on an existing repository.

February 14, 2023

v1

Artifact Registry remote repositories and virtual repositories are now in Preview. These features help you to optimize your build and deployment workflows.

  • Remote repositories cache artifacts from external sources, including Docker Hub, Maven Central, PyPI, and the npm registry.
  • Virtual repositories provide a single access point to download artifacts from multiple remote or standard repositories. Each upstream repository has a set priority to protect against issues with dependency confusion.

February 09, 2023

v1

Container Analysis automatic scanning for Java and Go vulnerabilities in container images is now generally available. If the Container Scanning API is enabled, it scans container images pushed to Artifact Registry for Java and Go vulnerabilities, in addition to operating system vulnerabilities.

Container Analysis returns Java and Go vulnerability results for images that have a supported or unsupported operating system. When you push new versions of images to the registry, you might see more successful vulnerability scans and corresponding charges against images without a supported operating system.

For more information, see the Types of scanning in the Container Analysis documentation

October 11, 2022

v1

When users enable the Container Scanning API and push container images to Artifact Registry, automatic container scanning now generates metadata including a software bill of materials (SBOM) dependency list. Users can analyze the metadata to gain insights into software dependencies and vulnerabilities. For more information, see Examine dependencies. This feature is in private preview.

October 07, 2022

v1

Version 2.2.0 of the Java credential helpers for authentication are now available. This version improves performance and reduces the quantity of logging messages.

September 13, 2022

v1

Artifact Registry is now available in the me-west1 region (Tel Aviv, Israel).

August 25, 2022

v1

Container Analysis automatic scanning for Java and Go vulnerabilities in container images is now in Preview. If the Container Scanning API is enabled, it scans container images pushed to Artifact Registry for Java and Go vulnerabilities, in addition to operating system vulnerabilities.

Container Analysis returns Java and Go vulnerability results for images that have a supported or unsupported operating system. When you push new versions of images to the registry, you might see more successful vulnerability scans and corresponding charges against images without a supported operating system.

For more information, see the Types of scanning in the Container Analysis documentation.

July 02, 2022

v1

Artifact Registry is now available in the us-south1 region (Dallas, United States).

June 09, 2022

v1

Audit logs for Maven, npm, and Python repositories are now available in Cloud Logging.

May 25, 2022

v1

Apt and Yum repositories are now generally available.

May 24, 2022

v1

Artifact Registry is now available in the us-east5 region (Columbus, United States).

May 10, 2022

v1

Artifact Registry is now available in the europe-southwest1 region (Madrid, Spain).

May 03, 2022

v1

Artifact Registry is now available in the europe-west9 region (Paris, France).

May 02, 2022

v1

Getting and listing Artifact Registry locations in a project now requires the following permissions:

  • artifactregistry.locations.list
  • artifactregistry.locations.get

You can grant these permissions with the Artifact Registry Reader role (roles/artifactregistry.reader) role or another role that includes these permissions.

April 20, 2022

v1

Artifact Registry is now available in europe-west8 region (Milan, Italy).

March 25, 2022

v1

Artifact Registry support for attaching tags to repositories is now in Preview. Tags are key-value pairs that you can use to group repositories and other resources across Google Cloud for reporting, auditing, and access control within your Google Cloud organization.. To learn more, see Tagging repositories.

March 01, 2022

v1beta2

Support for Python repository hostnames ending in pypi.pkg.dev is no longer available. If you use commands that reference hosts with LOCATION-pypi.pkg.dev you must replace these references with LOCATION-python.pkg.dev.

The pypi.pkg.dev hostname was available when Python repositories were available in alpha, and alpha users were notified about the change.

February 15, 2022

v1beta2

On-Demand Scanning for Go packages is now generally available.

You can scan your container images and identify Go package vulnerabilities.

November 15, 2021

v1beta2

Artifact Registry repositories with gcr.io domain support are now available in Preview. These gcr.io repositories provide some features that are backwards-compatible with Container Registry.

October 04, 2021

v1beta2

You can now specify a release or snapshot version policy for Maven repositories when you create them. You cannot change the version policy of an existing repository. Repositories created before availability of this feature accept both snapshot and release packages.

September 08, 2021

v1beta2

Maven, npm, and Python repositories are now generally available.

Storage and network egress charges apply to all formats that are in Preview or are generally available.

August 03, 2021

v1beta2

Apt and Yum repositories are now in Preview.

Storage and network egress charges apply to all formats that are in Preview or are generally available.

July 23, 2021

v1beta2

Artifact Registry now supports Cloud External Key Manager (Cloud EKM) when using customer-managed encryption keys.

July 13, 2021

v1beta2

On-Demand Scanning for Java packages is now generally available.

You can scan your container images and identify Java package vulnerabilities.

June 04, 2021

v1beta2

Maven, npm, and Python repositories are now in Preview.

Storage and network egress charges apply to all formats that are in Preview or are generally available.

June 03, 2021

v1beta2

Artifact Registry now supports Access Transparency. Access Transparency provides you with logs of actions that Google staff have taken when accessing your data. To learn more about Access Transparency, see the Overview of Access Transparency.

May 03, 2021

v1beta2

Artifact Registry now supports audit logging for container images in Cloud Audit Logs.

February 26, 2021

v1beta2

Support for Python packages in private Python repositories is now in alpha. This feature is only available to alpha users. If you are interested in joining the alpha, fill in the sign up form.

  • See the quickstart to get started.
  • Learn more about working with Python packages in the overview.

February 02, 2021

v1beta2

On-Demand Scanning is available in Preview. You can manually scan Docker container images stored locally on your computer or remotely in Artifact Registry. To get started with manual scanning, see On-Demand Scanning quickstart

November 16, 2020

v1beta2

Artifact Registry is now generally available. To learn about transitioning from Container Registry, see the transition overview.

August 17, 2020

v1beta2

You can now use Pub/Sub to configure notifications for changes in Docker repositories. For more information, see Configuring Pub/Sub notifications.

July 14, 2020

v1beta2

You can now use Customer-Managed Encryption Keys (CMEK) to protect repository data in Artifact Registry. For more information, see Enabling customer-managed encryption keys.

March 16, 2020

v1beta2

Artifact Registry is now in beta.

Artifact Registry is the evolution of Container Registry, with support for Docker as well as Maven and npm package formats.

If you currently use Container Registry, see Migration and upgrade from Container Registry for more information.