Release 10.2.x Release Notes Release 10.2.1 Release 10.2.1 includes these notable new features:

  • Plugins are now stored in a database, not in the file system
  • The Plugin Manager supports cluster installations
  • GitOps-enabled version control is available in Tech Preview
  • NTLM support for proxies
  • Webhook event tasks
  • Stability and performance improvements

The complete list of improvements and bug fixes are described below.

Support Policy

See Support Policy.

Upgrade Instructions

See below for upgrade notes specific to this version. For detailed instructions on upgrading from earlier versions of Release, refer to Upgrade scenarios.

IMPORTANT Starting with release 10.2.1, plugins are stored in a database and no longer managed by moving files to different locations in the filesystem. This has implications for upgrading the product and installing and upgrading plugins. See below for more information.

Feature breakdown and version-specific upgrade instructions

Plugin Manager

The new Plugin Manager improves the tasks of installing and upgrading integration plugins. Refer to Plugin Manager for more information.

The following are changes to how plugins are installed and loaded by the system:

  • Plugins are no longer installed by copying files into directories – they should be installed by using the Plugin Manager UI
  • The Plugin Manager UI is available in cluster mode and plugins are automatically distributed across nodes
  • Plugin directories on the server are managed by the Plugin Manager and should not be manipulated by hand.

Additional issues:

  • The hotfix directory is now split into hotfix/lib and hotfix/plugins
  • hotfix and ext directories are not managed by the Plugin Manager, and you must managed them manually
  • After installing or upgrading a plugin, you must restart all your servers
  • When installing a product upgrade, a new version of bundled plugins are automatically uploaded to the plugin database.

IMPORTANT Classpath entries for plugins have been removed from xlr-wrapper-linux.conf and xlr-wrapper-windows.conf. When using either the automated or manual procedure, you MUST manually edit these files to remove the plugins entry from the classpath. If you have custom entries in the wrapper files please make sure to not include any folders that contain plugins and plugin hotfixes.

If the product won’t start and issues an error message that duplicate plugins are detected, you probably need to update the wrapper.conf file.

Troubleshooting with the Plugin Manager CLI

The Plugin Manager downloads plugin files from the database and places them into the file system of a server node. In case of misconfiguration, plugins can be deleted from the database by invoking the Plugin Manager CLI from the command line:

$ bin/

GitOps-enabled Version Control (Tech Preview)

GitOps-enabled version control brings the GitOps style of authoring, reviewing, and publishing content backed by version control to the Release UI.

This feature allows you to version and publish any folder content from the UI – templates, variables, shared configuration, etc. – and share it across folders and even separate Release instances. Internally, YAML code is stored in Git and therefore integrates seamlessly with code-centric workflows.

This feature is in Tech Preview for evaluation purposes and can be enabled in Feature settings.

For more information, refer to GitOps-enabled version control.

NTLM Proxy Authentication

The proxy configuration for HTTP servers now supports the NTLM authentication protocol.

This feature is available for the following plugins:

  • Agility plugin
  • BlackDuck plugin
  • CheckMarx plugin
  • SonarQube plugin
  • ServiceNow plugin
  • Octopus Deploy plugin
  • SonarCloud plugin
  • Git plugin
  • Jenkins plugin
  • Jira plugin
  • Nexus plugin
  • Fortify on Demand plugin

Webhook Event Tasks

The new Webhook event tasks feature makes it possible to listen passively (without polling) for outside events received on HTTP Endpoints for Webhooks.

The bundled task Webhook: Wait For Json Event allows you to listen for events and process them with scripts. It uses the same event mechanism as Webhook triggers.

It is also possible to create custom webhook tasks in a plugin. In synthetic.xml, extend the task type webhook.ReactiveTask to create a new webhook event task type and tailor it to your needs. This can eliminate the need for polling and requires the Release server to be reachable from the third-party webhook source.

For more information, please refer to Webhook event tasks.

Release with Delivery Insights

The Delivery Insights dashboard presents the Manifest View for individual application versions and for individual phases. The Manifest View lets you know more about the work items that are part of:

  • an application version in a phase
  • all the application versions in a phase

The Manifest View includes the following work item information:

  • work item ID
  • work item title
  • work item type
  • application, which the work item belongs to
  • date and time of last activity
  • status of the work item
  • and the number of changes (commits) in the work item

You can also download the manifest for a phase or a version (as a .csv file).

  • To view the Manifest View for a phase, click Manifest view next to the phase name in the Delivery Insights dashboard.


  • To view the Manifest View for an application’s version, click Manifest view on the application version’s card in the Delivery Insights dashboard.


  • In addition, a new Commits tab has been added to the Work Item Details Pane that shows the list of commits associated with the work item.

    commits history tab

For more information, see Release with delivery Insights.

Stability and Performance Improvements

Many changes have been made to improve the stability and performance of the Release server in this release. Most notable is the task execution scheduler’s use of the database, making the system more resilient in multi-node setups.

OIDC Public Client Support

Support has been added for configuring public clients with OIDC in xl-release.conf.

If clientAuthMethod is set to ‘none’, the Release server will act as public client. Then clientSecret will not be required and can be removed from the configuration.

The property redirectUri is now optional and will be derived from the server.url property in the xl-release-server.conf file. If needed, it can still be overridden in the OIDC configuration.

xl {
  security {
    auth {
      providers {
        oidc {
          clientAuthMethod = "none"
          clientSecret = <not required now if clientAuthMethod is set as none>
          redirectUri = <optional and will be derived from server.url>

Other Configuration Changes

Remember-me token validity can now be configured, the default value is 30 days. For example:

xl {
    server {
        session {
            remember-me {
                tokenValidity = 30 days

Other Support Release v.10.2.1 is the last release that supports Internet Explorer 11.

Plugins and Integrations

Here’s what’s new and changed with plugins and integrations.


Users can now specify build versions with Create Release Task.

Agility Integration Plugin

  • Using the Update Multiple Asset Status task one can now update multiple assets status for the following similar types:
  • Defect
  • Test
  • Task
  • Story
  • Functionality has been added to show the Asset Number and Token from the Data section in Output properties for the following tasks:
  • Check Issue
  • Create Asset
  • Create Issue
  • Update Multiple Asset Status

Hashicorp Vault Plugin

Output properties of ReadSecret now optionally display password variables.

Bug Fixes and Field Incidents—10.2.20

  • D-22618 - When you set a blank value for the Number variable in the Variable screen, the value is automatically set to 0. However, when you do the same in the Release properties screen, it throws a 400 HTTP status code. This issue is now fixed.
  • D-19049 - The Release name field accepts more than 1024 characters when you create a release. However, when you edit the release name and save the changes. It throws an error and this issue is now fixed.

Bug Fixes and Field Incidents—10.2.19

  • D-20546 - Random Jenkins tasks are stuck in the In-progress state when their respective Jenkins jobs are already completed. This issue is now fixed.
  • D-20665 - Liquibase error occurs while upgrading Release from 10.0.4 to 22.0.2. This issue is now fixed by adding a validCheckSum property in the 14-a changeset.
  • D-22263 - Create Release task fails when the subfolder depth is greater than 4. It is because the ROOT_RELEASE_ID column is too short to hold the value. This issue is now fixed.
  • D-22296 - Updating watchers for a current task using Jython Task API fails. This issue is now fixed.
  • D-21723 - Fixed the blueprint.yaml and dairelease_cr.yaml files to better handle the values of the parameters for which there are no entry/value found in the Keycloak OIDC configuration file (external Keycloak).
  • S-87313 - Fixed the configuration to support the graceful shutdown of Release.

Bug Fixes and Field Incidents—10.2.18

  • D-22021 - When you open a task with thousands of users assigned to it, there is a delay in opening that task. This issue is now fixed.
  • D-22016 - The Operator-based installer of Release has the following fix:

    • The jmx-exporter.yaml file has been added to the release.configurationManagement.master.configuration.resetFiles and release.configurationManagement.worker.configuration.resetFiles keys of the Release’s Operator-based installer’s dairelease_cr.yaml file.
  • D-21725 - You can now add TLS configuration details in the Release Operator-based installer’s dairelease_cr.yaml file.
  • D-21883 - Fresh installation of 10.3.x version of Release and Deploy operators from the branch in OpenShift fails as the operator docker image is not up-to-date. This issue is now fixed.
  • D-21681 - When you upgrade from the helm chart to the latest operator using the upgrade utility, the RabbitMQ pod fails to spin up and the utility does not populate the storage class for RabbitMQ.
  • D-21724 - When you change the license in the CR file, the value is not updated in the Release and Deploy file systems. This issue is now fixed.
  • D-21726 - The memory limit of the operator is too low. This issue is now fixed by increasing the memory limits from 90 Mi to 200 Mi.

Bug Fixes and Field Incidents—10.2.17

  • D-20582 - Fixed the issue that prevented multiline text from being displayed in Output properties of a task.
  • D-21101 - Script tasks, if immediately preceded by a Gate task, fail to read the comments added to the Script task at runtime. This is now fixed.
  • D-21120 - Fixed an issue with the Webhook:Json webhook task that generates wrong authorization token.
  • D-21470 - When you import an already exported template from one instance to another, it breaks the folder. It is because the passwords are encrypted with different encryption key. The issue is now fixed.
  • D-21400 - When a valid Okta user, who is not assigned to the Release application in Okta, tries to login, an indefinite redirect loop occurs. This issue is now fixed.
  • D-21573 - You cannot export an excel report from a release that is completed and archived. This issue is now fixed.
  • D-21886 - After upgrading to 22.0.1, the dependencies that existed in Gate tasks before the upgrade are not available. These Gate tasks display the status as Not Found even when their status is In Progress. This issue is now fixed.

Bug Fixes and Field Incidents—10.2.16

  • D-21088 - Issue with the “Watchers” user drop-down list in Task modal—the search text entered to search for a user was also added as a watcher when you select a user using the mouse, which is now fixed.
  • D-21131 - Fixed an issue with the Attributes Rail—on clicking the Delete icon (not the button itself, but trash icon), the Edit Attributes modal opens up.

Bug Fixes and Field Incidents—10.2.15

  • D-20318 - Fixed the issue for the CVEs that were detected in the latest Release Docker distribution.
  • D-20645 - Fixed the issue where multiple API calls were made to access the variables in the user-input task.
  • D-20706 - Fixed the issue where importing java classes in jython script tasks was not possible.
  • D-20761 - Fixed the issue with the script task, which was unable to instantiate a condition subclass.

Bug Fixes and Field Incidents—10.2.14

  • D-20588 - Fixed an issue with the notification e-mail, which was not getting triggered when your e-mail address is inputted using the Assigned To field via release_variable task. Note that, only Username must be used to assign tasks.

Bug Fixes and Field Incidents—10.2.13

Note: There is no Release version 10.2.12.

  • FI-1018 - Fixed an issue with the Create Release task where the changes to the variable properties (label, description, required Flag) of the release template were not reflecting correctly.
  • ENG-9397 - Fixed an issue where we were unable to apply YAML with the value provider in CRT variables.
  • ENG-9180 - Fixed an issue with the task-transition permission by removing it from Release Owners. Earlier this permission was available by default. Now it has to be configured.

Bug Fixes and Field Incidents—10.2.11

  • ENG-9080 — Fixed an issue where the cluster data was not properly persisted in the database.
  • FI-859 — Fixed an issue with Folder variable mapping in the Release properties that prevented users from selecting variables under the Run automated tasks as user field.

Bug Fixes and Field Incidents—10.2.10

  • [ENG-8302] - Fixed an issue that prevented a release (that was created from a global template) from inheriting folder permissions.
  • [ENG-8545] - Fixed—You can now use variables in the Watchers field of release tasks.
  • [ENG-8812] - Deploy and Release are not susceptible to log4j vulnerability. Though Deploy and Release were bundled with log4j-to-slf4j and log4j-api files, these JAR files cannot be exploited. While neither these files nor Deploy and Release are susceptible to attack due to this log4j vulnerability, some threat detection systems may flag these files. To avoid any such false positive threat indications in future, the latest log4j library files (interface and supporting third party libraries) were bundled with both Release and Deploy. For more information, see this article.
  • [ENG-8952] - Fixed the missing index on XLR_FOLDER_VARIABLES (FOLDER_CI_UID).
  • [ENG-9015] - Fixed the incorrect Release component version in one of the database tables the XL_VERSION table.

    Important: If you are upgrading from one of the following Release versions, you must only upgrade to the latest patch release available for the version of Release you are upgrading to. For example, if you are on Release version 10.0.9 and planning to upgrade to the 10.3 version, you should upgrade to 10.3.8 or later versions of the 10.3 release. Here’s the list of Release versions that are affected due this bug: Release 9.7.18, 9.7.19, 9.7.20, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.1.6, 10.1.7, 10.1.8, and 10.1.9. The fix for the bug is available on these versions: Release 9.7.21, 10.0.11, 10.1.10, 10.2.10, 10.3.8, and 22.0.1.

Bug Fixes and Field Incidents—10.2.9

  • [ENG-8434] - The non-BaseScript task, notification task, and so on are no longer removed from the job queue when you abort such tasks using the Task Manager. An error is logged instead when you abort such tasks using the Task Manager.
  • [ENG-8468] - Changed the datatype for job id field to address the INT limit issue.
  • [FI-745] - Fixed the trigger consistency issue in clustered environment.
  • [FI-893] - Fixed a permission issue (with Reactive Tasks) that prevented users from updating release variables.
  • [FI-943] - Fixed the “” “/root/.postgresql/postgresql.crt” “read” reporting pool error.
  • [FI-963] - Deploy and Release are not susceptible to log4j vulnerability. Though Deploy and Release were bundled with log4j-to-slf4j and log4j-api files, these JAR files cannot be exploited. While neither these files nor Deploy and Release are susceptible to attack due to this log4j vulnerability, some threat detection systems may flag these files. To avoid any such false positive threat indications in future, the latest log4j library files (interface and supporting third party libraries) were bundled with both Release and Deploy. For more information, see Log4j Vulnerability to Zero-Day Exploit and Release and Deploy.

Bug Fixes and Field Incidents—10.2.8

  • FI-912 - Fixed an issue with the Release CLI that caused problems with template export/import.
  • FI-917 - Fixed an issue with fetching the global variables (missing global variable exception) during the Wait for JSON Event task.

Bug Fixes and Field Incidents—10.2.7

  • [ENG-8052] - Fixed an issue for unknown ConfigurationItem property xlrelease.Attachment.release.

Bug Fixes and Field Incidents—10.2.6

  • [ENG-7980] - Fixed the broken Jython patch for issues 2618 and 2894.

Bug Fixes and Field Incidents—10.2.5

  • [ENG-7659] - Fixed the issue REOPEN & ESCALATE = Jython not truly patched for XLR 9.8, 10.0.
  • [ENG-7730] - Resolved the As-code generated dashboards that are not resolving filters on all tiles.
  • [FI-845] - Fixed the issue of Folder and Global password variable which was not working with failure handler in place for a task.

Bug Fixes and Field Incidents—10.2.4

  • [ENG-6862] - Fixed the non functional Pop-Up menus (Help and Setting) on a Windows machine
  • [ENG-7142] - Fixed the issue of the Actor crashing in a task inside the group which is scheduled to start, but the group is not started.
  • [ENG-7196] - Fixed the issue of displaying all folders when creating a new release.
  • [ENG-7281] - Fixed the issue of Git servers that do not support atomic pushes which are not handled.
  • [ENG-7412] - Fixed the Custom logo alignment in the Email Notifications Footer.
  • [ENG-7487] - Fixed the resolved usernames when showing the Roles page by removing the LDAP data search.
  • [ENG-7537] - Fixed the issue where Restricting os.path module for Jython script.
  • [ENG-7586] - Fixed the issue by processing the variable changes correctly.
  • [ENG-7627] - Fixed the issue of Tooltip number which is not visible in the release tile.
  • [ENG-7700] - Fixing the issue of application in XLR which does not appear in the Deployment Attribute.

Bug Fixes and Field Incidents—10.2.3

  • [ENG-7296] - Fixed the As Code Apply failure issue for Custom Script task when the Synthetic Property is set as Empty.
  • [ENG-7282] - Fixed Trigger failure that caused serialization error in cluster mode.
  • [ENG-7186] - Fixed the issue where RolesApi#getRole()property did not return the exact role name.
  • [ENG-7175] - Increased release column width on release groups.

With Release 10.2.3, the Kubernetes Operator offers the following enhancements:

Bug Fixes and Field Incidents—10.2.2

  • [ENG-5504] - Fixed the issue when a large number of environments are present, Deployment tile throws an exception
  • [ENG-7024] - Fixed the duplicate TaskPreconditionValidated deliveries by clearing the executionId on task.
  • [ENG-7072] - Fixed the issue of variables with DOT in the name, which is not supported when webhook events trigger.

Note: Helm Charts-based installer is no longer available for Release 10.2 and later.

  • Release 10.2.2 brings you a simple and sophisticated Kubernetes Operator-based installer to install Release on Amazon EKS, Azure AKS, and OpenShift on AWS clusters
  • You can download the new Kubernetes Operator-based installer from the Deploy/Release Software Distribution site
  • Once you download the installer Zip file, Release installation is as simple as adding a few configuration parameters and custom resource definitions to the installer files and running the installer

For more information about Kubernetes Operator-based installation, see Kubernetes Operator.

Bug Fixes and Field Incidents—10.2.1

  • [ENG-3831] - Fixed the As-code issue while exporting the tasks with slash ”/” on name, which results in”/“.
  • [ENG-5152] - Fixed the setofstring field which used to lost when the template is applied/created through the CLI.
  • [ENG-5200] - Updated the user interface with the more precise format for Day, Week, and Month.
  • [ENG-5254] - Fixed: The same object (variable) value is modified from different threads.
  • [ENG-5345] - Find or Create Delivery task—Fixed an issue that prevented users from viewing the Pattern/Stage information on Find Or Create Delivery tasks.
  • [ENG-5409] - Fixed: Create Release task displays ReleaseId instead of Release Title.
  • [ENG-5464] - Fixed to pass multiline string parameter in Jenkins task.
  • [ENG-5508] - Fixed the server not shutdown issue via API.
  • [ENG-5631] - Fixed an issue that prevented Trigger creation when you import and apply an As Code YAML file that defines:

    • a Release Template and a time-based Trigger—wherein the template’s name starts with “Release” and the trigger references this template.
    • a Release Template and an event-based Trigger—wherein the template’s name starts with “Release” and the trigger references this template.
  • [ENG-5634] - Fixed: Password handling in script tasks is inconsistent when override of security is used.
  • [ENG-5719] - Fixed an issue that prevented the user from exporting the Release Audit Report.
  • [ENG-5840] - Fixed the Password field when becomes blank while starting release from Create Releaser task.
  • [ENG-6420] - Updated and fixed the ‘User Input’ task detail view UI from two inputs to one and variable field to show the previously added value.
  • [ENG-6436] - Removed unwanted encoding of user input, which made special characters look garbled in Jira tasks.
  • [ENG-6618] - Fixed the issue: ‘Create Release’ task displays the release ID instead of title for the Root level template.