Starting with this release, we’re publishing a new container image variant for the apiserver and bundled distributions. The variant is based on Alpine Linux and uses jlink to ship a minimal Java Runtime Environment (JRE). As a result, image size is decreased by over 55% (~350MB vs. ~150MB uncompressed), and attack surface is reduced due to fewer operating system packages. It uses Java 25 and enables compact object headers by default, leading to a lower memory footprint.
To use the new image variant, append the `-alpine` suffix to the image tag, e.g.:
- `docker.io/dependencytrack/apiserver:latest-alpine`
- `docker.io/dependencytrack/bundled:4.13.6-alpine`
The previous Debian-based image variant continues to be the default for now,
but will eventually be discontinued in a future release. Users experiencing
issues with alpine images can safely fall back to non-alpine variants.
Features:
- Add Alpine-based container variants - apiserver/#5533
- Update Ukrainian translation - frontend/#1385
Fixes:
- Improve performance of database migration to v4.13.5 - apiserver/#5419
- Ignore stale Lucene index entries - apiserver/#5428
- Fix typo in email notification template - apiserver/#5434
- Fix referential integrity violation during bulk project deletion - apiserver/#5446
- Fix referential integrity violation during team deletion - apiserver/#5447
- Fix NPE in Composer component metadata analyzer - apiserver/#5519
- Fix XML External Entity injection via validation of CycloneDX BOMs in XML format - apiserver/#5528 / GHSA-93r8-3g93-w2gq
- Fix OSS Index documentation link - apiserver/#5531
- Change `toString()` method of `Project` to use name and version instead of PURL - apiserver/#5532
- Fix broken routing when `BASE_PATH` is configured - frontend/#1381
- Fix policy tag selection dialogue using the wrong REST API endpoint - frontend/#1382
- Fix persistent Cross-Site-Scripting via welcome message - frontend/#1383 / GHSA-7xvh-c266-cfr5
- Fix redirect loop when authenticated user is lacking permissions - frontend/#1386
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@ElenaStroebele, @arjavdongaonkar, @aurifi, @ch8matt, @illenko, @sahibamittal, @snieguu, @stohrendorf
dependency-track-apiserver.jar
| Algorithm | Checksum |
|---|---|
| SHA-1 | 3964cf821761609912487077fa41d513dad37d1a |
| SHA-256 | 8f2aa10424403b2b201d0c48b243ea3bbe458761 |
dependency-track-bundled.jar
| Algorithm | Checksum |
|---|---|
| SHA-1 | 1048a039391992fc36b23433d8987689baca33e68cc2130254787d1a3d1c66cc |
| SHA-256 | ab47deb0c5be2d947d57cf5862fef714023b4ce4d794ac00a855cf7590eb111e |
frontend-dist.zip
| Algorithm | Checksum |
|---|---|
| SHA-1 | 525b47c72fb3bdbb675b5c5414319e5f19e43b03 |
| SHA-256 | 84440921692e95c88378e1f82738ccea24c2fb038083b42b3f1c98b1f6702a4a |