Varnish Orca
← Orca documentation

Artifact Firewall Changelog

Here’s an overview of the latest Varnish Artifact Firewall releases, describing feature additions, changes, fixes and removals per version.

Artifact Firewall 0.3.2

Released: 2026-06-13

Fixed

  • Manifests and artifacts served through a JFrog Artifactory virtual repo are now correctly identified, filtered, and rewritten — in both standalone and integrated mode, with no configuration. Previously the package path was assumed to sit at the registry root, so these requests were skipped (“not a transform path”).
    • npm / PyPI: the Artifactory API prefix (.../api/<type>/<repo>/) is stripped before identification.
    • Maven: maven-metadata.xml and .pom files are evaluated against the coordinates in the document body, not the URL path.
    • NuGet: V3 responses are dispatched by resource token (registration / flatcontainer / query / index.json), which match Artifactory’s layout as well as nuget.org’s.
  • npm and PyPI manifest responses with a Content-Type the firewall can’t filter (an Artifactory vnd.rt npm variant, a charset parameter, or a PyPI HTML simple index) now stream through unchanged instead of returning an error.

Varnish Artifact Firewall 0.3.1

Released: 2026-06-03

Fixed

  • Fixed rule engine initialization issue when only git fetchers are used. Issue was introduced in 0.3.0.

Varnish Artifact Firewall 0.3.0

Released: 2026-06-02

Added

  • Standalone deployment mode, now the default. The firewall sits directly in front of one or more origin registries and routes requests itself.
  • Automatic detection of registry from the Accept header, User-Agent prefix, and URL path pattern. Requests that can’t be classified stream through unchanged.
  • Per-version artifact preflight: direct downloads of tarballs (npm .tgz), wheels/sdists (PyPI), and .nupkg files are blocked at 403 when a per-version deny rule applies, preventing bypass via hard-coded artifact URLs.
  • Added support for the Maven ecosystem: maven-metadata.xml manifest filtering (artifact-level and per-version SNAPSHOT), plus per-artifact preflight on .jar, .pom, .war, .aar, .zip (including classifier variants).
  • New api_address config field. The admin API (/api/eval, /api/update, /api/mode) listens on this address only when set.
  • System-tests added under system_test/ (Docker-based mock origins for npm, PyPI, and NuGet plus a long-lived dotnet runtime container) covering both deployment modes.
  • Added storage configuration section for defining the path cloned git repositories should be stored at, as well as a size limit.
  • API now allows rules to be disabled at run time

Changed

  • /api/eval response shape is now structured JSON: {action, rule_id, ruleset_id, reason}, plus an error field on deny only (containing a human-readable message that npm-style clients display).
  • Admin endpoints no longer use the /fw/ prefix and are served on api_address only.
  • deployment: defaults to standalone; the Supervisor sets integrated explicitly when running the firewall as a Virtual Registry add-on.

Removed

  • The legacy pkg/nuget/e2e harness and its nuget-e2e Make target. NuGet coverage now lives in the shared system_test/ suite.

Varnish Artifact Firewall 0.2.2

Released: 2026-05-11

Added

  • Added support for the NuGet ecosystem
  • Added a mode option to the Artifact Firewall configuration, which can change the behavior of the firewall. Includes normal (default), hide and report.

Changed

  • Audit log now includes an effective_action field, which for modes other than normal can be different than the action field.
  • Changed log level for some chatty package quarantine logs to debug.

Varnish Artifact Firewall 0.1.1

Released: 2026-04-21

Added

  • Initial release.