GitLab 16.5 Release

GitLab 16.5 released with compliance standards adherence reports and merge request target branch rules

GitLab 16.5 released with compliance standards adherence reports, merge request target branch rules, improved fast-forward merge train support, resolvable comments in issues and much more!

Today, we are excited to announce the release of GitLab 16.5 with compliance standards adherence reports, merge request target branch rules, resolvable issue threads, fast-forward merge trains with semi-linear history, and much more!

These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.

To the wider GitLab community, thank you for the 170+ contributions you provided to GitLab 16.5! At GitLab, everyone can contribute and we couldn't have done it without you!

To preview what's coming in next month’s release, check out our Upcoming Releases page, which includes our 16.6 release kickoff video.

This month's Most Valuable Person (MVP) is awarded to Thorben Westerhuys

Thorben was recognized for ongoing work on his merge request to add a user preference to show times in 24-hour format. This feature is planned for 16.6 and will give users the choice between 12-hour and 24-hour time formats.

Magdalena Frankiewicz, Product Manager at GitLab, nominated Thorben and noted the issue for this feature has been open for 7 years with over 190 upvotes. Peter Leitzen, Staff Backend Engineer at GitLab, also highlighted Thorben’s work to refactor backend code related to time format.

Thorben is CTO of LUUCY, a 3D web platform bringing together high-resolution geo data. He is a former CTO of cividi, a geospatial data consultancy for urban planning related topics.

Thank you to Thorben and the rest of the GitLab Community for contributing 🙌

Key improvements released in GitLab 16.5

Compliance standards adherence report

The Compliance Center now includes a new tab for the standards adherence report. This report initially includes a GitLab best practices standard, showing when the projects in your group are not meeting the requirements for the checks included in the standard. The three checks shown initially are:

  • Approval rule exists to require at least 2 approvers on MRs
  • Approval rule exists to disallow the MR author to merge
  • Approval rule exists to disallow committers to the MR to merge

The report contains details on the status of each check on a per-project basis. It also shows you when the check was last run, which standard the check applies to, and how to fix any failures or problems shown on the report. Future iterations will add more checks and expand the scope to include more regulations and standards. Additionally, we will be adding improvements to group and filter the report, so you can focus on the projects or standards that matter most to your organization.

Create rules to set target branches for merge requests

Some projects use multiple long-term branches for development, like develop and qa. In these projects, you might want to keep main as the default branch since it represents the production state of the project. However, development work expects merge requests to target develop or qa. Target branch rules help ensure merge requests target the appropriate branch for your project and development workflow.

When you create a merge request, the rule checks the name of the branch. If the branch name matches the rule, the merge request pre-selects the branch you specified in the rule as the target. If the branch name does not match, the merge request targets the default branch of the project.

Resolve an issue thread

Long-running issues with many threads can be challenging to read and track. You can now resolve a thread on an issue when the topic of discussion has concluded.

Fast-forward merge trains with semi-linear history

In 16.4, we released Fast-forward merge trains, and as a continuation, we want to ensure we support all merge methods. Now, if you want to ensure your semi-linear commit history is maintained, you can use semi-linear fast-forward merge trains.

Other improvements in GitLab 16.5

Changing context just got easier

We’ve heard your feedback that on the left sidebar, it can be hard to find the search button and to change between things like projects and preferences. In this release, we’ve made the button more prominent. This aids discoverability as well as streamlining workflows into a single touch point.

You can try it out by selecting the Search or go to… button or with a keyboard shortcut by typing / or s.

Webhook now triggered when a release is deleted

You can use release events to monitor release objects and react to changes. Previously, a webhook was only triggered when a release was created or updated. In heavily regulated industries, deleting releases is a crucial event that must be monitored and followed up. With GitLab 16.5, a webhook is now also triggered when a release is deleted.
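A receiver-side check for the deletion event described above, as an added example (not GitLab's code). It assumes the release event payload carries `object_kind`, `action`, `tag`, `name` and `project.path_with_namespace`, and that the webhook's secret token arrives in the `X-Gitlab-Token` header; the secret and the sample payloads are constructed.

```python
import hmac
import json

# Constructed secret. Assumption: it matches the "Secret token" configured on
# the webhook, which GitLab sends back in the X-Gitlab-Token request header.
WEBHOOK_SECRET = "example-secret-not-real"

# Constructed sample deliveries (not captured from a real instance).
SAMPLE_DELETE = json.dumps({
    "object_kind": "release", "action": "delete",
    "name": "v1.4.0", "tag": "v1.4.0",
    "project": {"path_with_namespace": "example-group/payments"},
})
SAMPLE_CREATE = json.dumps({
    "object_kind": "release", "action": "create",
    "name": "v1.5.0", "tag": "v1.5.0",
    "project": {"path_with_namespace": "example-group/payments"},
})


def classify_release_event(headers, body, secret=WEBHOOK_SECRET):
    """Return (status, alert) for one webhook delivery.

    status is "rejected", "ignored", "recorded" or "alert"; alert is a dict
    only when a release deletion was seen.
    """
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-gitlab-token", "")
    # Constant-time comparison avoids leaking the secret through timing.
    if not hmac.compare_digest(token.encode(), secret.encode()):
        return "rejected", None

    try:
        event = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return "rejected", None
    if not isinstance(event, dict) or event.get("object_kind") != "release":
        return "ignored", None  # some other event type on the same endpoint

    if event.get("action") != "delete":
        return "recorded", None  # create/update: log it, no alert

    project = event.get("project")
    if not isinstance(project, dict):
        project = {}
    alert = {
        "severity": "high",
        "summary": "Release deleted",
        "project": project.get("path_with_namespace", "unknown"),
        "tag": event.get("tag", "unknown"),
        "release_name": event.get("name", "unknown"),
    }
    return "alert", alert
```

Deliveries with a missing or wrong token are rejected before the body is parsed, so an unauthenticated sender cannot raise or suppress deletion alerts.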

Export individual wiki pages as PDF

From GitLab 16.5, you can export individual wiki pages as PDF files, which makes sharing team knowledge easier. Exporting a wiki page to PDF supports a variety of use cases. For example, you can provide a copy of technical documentation that is kept in a wiki, or share information in a wiki with project status. You no longer need alternative tools to convert Markdown files to PDF, which helps in organizations where using these tools is prohibited. Thank you to JiHu for contributing this feature!

Set a parent for a task, objective, or key result with a quick action

You can now set a parent item for a task, objective, or key result by using the /set_parent quick action.

Make jobs API endpoint rate limit configurable

A rate limit for the project/:id/jobs API endpoint was added recently, defaulting to 600 requests per minute per user. As a follow-up iteration, we are making this limit configurable, enabling instance administrators to set the limit that best matches their requirements.

Redesigned Service Desk issues list

We’ve redesigned the Service Desk issues list to load faster and more smoothly. It now more closely matches the regular issues list. Available features include:

  • The same sorting and ordering options as on the issue list.
  • The same filters, including the OR operator and filtering by issue ID.

API to create PAT for currently authenticated user

You can now use a new REST API endpoint at user/personal_access_tokens to create a new personal access token for the currently authenticated user. This token’s scope is limited to k8s_proxy for security reasons, so you can use it only to perform Kubernetes API calls using the agent for Kubernetes. Previously, only instance administrators could create personal access tokens through the API.

Configurable locked user policy

Administrators can now configure a locked user policy for their instance by choosing the number of unsuccessful sign-in attempts, and how long the user is locked for. For example, five unsuccessful sign-in attempts would lock a user for 60 minutes. This allows administrators to define a locked user policy that meets their security and compliance needs. Previously, the number of sign-in attempts and locked user time period were not configurable.

Instance-level audit event streaming to Google Cloud Logging

Previously, you could configure only top-level group streaming audit events for Google Cloud Logging.

With GitLab 16.5, we’ve extended support for Google Cloud Logging to instance-level streaming destinations.

Use the API to delete a user’s SAML and SCIM identities

Previously, group Owners had no way to programmatically delete SAML or SCIM identities. This made it difficult to troubleshoot issues with the user provisioning and sign-in processes. Now, group Owners can use new endpoints to delete these identities.

Thank you jgao1025 for your contribution!

Back up and restore repository data in the cloud

The GitLab backup and restore feature now supports storing repository data in object storage. This update improves performance by eliminating the intermediate steps used to create a large tarball, which needs to be manually stored in an appropriate location.

With this update, repository backups get stored in an object storage location of your choice (Amazon S3, Google Cloud Storage, Azure Cloud Data Storage, MinIO, etc.). This change eliminates the need to manually move data off of your Gitaly instance.

Omnibus improvements

Reviewer information for merge requests in the Jira development panel

With the GitLab for Jira Cloud app, you can connect GitLab and Jira Cloud to sync development information in real time. You can view this information in the Jira development panel. Previously, when a reviewer was assigned to a merge request, the reviewer information was not displayed in the Jira development panel. With this release, the reviewer name, email, and approval status are displayed in the Jira development panel when you use the GitLab for Jira Cloud app.

Add a child task, objective, or key result with a quick action

You can now add a child item for a task, objective, or key result by using the /add_child quick action.

Linked items widget in tasks, objectives, and key results

With this release, you can link tasks and OKRs as “related,” “blocked by,” or “blocking” to provide traceability between dependent and related work items.

When we migrate epics and issues to the work item framework, you will be able to link across all these types.

GitLab Runner 16.5

We’re also releasing GitLab Runner 16.5 today! GitLab Runner is the lightweight, highly-scalable agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s new:

Bug Fixes:

The list of all changes is in the GitLab Runner CHANGELOG.

Integrate deployment approval and approval rule changes into audit events

Deployments in regulated industries are a central topic of compliance. In previous releases, deployment approvals were not part of audited events, which made it difficult to tell when and how approval rules changed.

GitLab now ships with a new set of audit events for deployment approval and approval rule changes. These events fire when deployment approval rules change, or when approval rules for protected environments change.

DAST analyzer updates

During the 16.5 release milestone, we enabled the following active checks for browser-based DAST by default:

  • Check 78.1 replaces ZAP check 90020 and identifies command injection, which can be exploited by executing arbitrary OS commands on the target application server. This is a critical vulnerability that can lead to a full system compromise.
  • Check 611.1 replaces ZAP check 90023 and identifies External XML Entity Injection (XXE), which can be exploited by causing an application’s XML parser to include external resources.
  • Check 94.4 replaces ZAP check 90019 and identifies “Server-side code injection (NodeJS)”, which can be exploited by injecting arbitrary JavaScript code to be executed on the server.
  • Check 113.1 replaces ZAP check 40003 and identifies “Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)”, which can be exploited by inserting Carriage Return / Line Feed (CRLF) characters to inject arbitrary data into HTTP responses.

Activate and deactivate headers for streaming audit events

Previously, you had to delete HTTP headers added to audit event streaming destinations, even if you only wanted to deactivate them temporarily.

With GitLab 16.5, you can use the Active checkbox in the GitLab UI to toggle each header on and off individually. You can use this to:

  • Test different headers.
  • Temporarily deactivate a header.
  • Switch between two versions of the same header.

Export the compliance violations report

The compliance violations report can contain a lot of information. Previously, you could only view the information in the GitLab UI. This was fine for individual issues, but could be tricky if you needed to, for example:

  • Create an artifact of the current compliance status for a release. For example, prove to an auditor that there were 0 violations.
  • Aggregate the data with another data set or process it in another tool.

In GitLab 16.5, you can now export a list of the items included in the compliance violations report in CSV format.

New customizable permissions

The permissions to manage group members and project access tokens have been added to the custom roles framework. You can add these permissions to any base role to create a custom role. By creating custom roles with only the permissions needed to accomplish a particular set of tasks, you do not have to unnecessarily assign highly privileged roles such as Maintainer and Owner to users.

Vulnerability report grouping by status and severity

As a user, you require the ability to group vulnerabilities so that you can more efficiently triage vulnerabilities. With this release, you are able to group by severity or status. This will help you better answer questions like how many confirmed vulnerabilities are in a group or project, or how many vulnerabilities still need to be triaged.

Geo adds bulk resync and reverify buttons for all components

You can now trigger bulk resync or reverify for any data component managed by Geo, through buttons in the Geo admin UI. Selecting the button will apply the operation to all data items related to the respective component. Before, this was only possible by logging into the Rails console. These actions are now more accessible, and the experience of troubleshooting and applying large scale changes that require a full resync or reverify of specific components, such as moving storage locations, is improved.

Find epics with advanced search

The popularity of epics in GitLab continues to grow. Previously, finding epics was a little more difficult than other content types. With this release, you can now search and view results for epics when you use advanced search.

Bug fixes, performance improvements, and usability improvements

At GitLab, we’re dedicated to providing the best possible experience for our users. With every release, we work tirelessly to fix bugs, improve performance, and enhance usability. Whether you’re one of the over 1 million users on GitLab.com or using our platform elsewhere, we’re committed to making sure your time with us is smooth and seamless.

Click the links below to see all the bug fixes, performance enhancements, and usability improvements we’ve delivered in 16.5.

Deprecations

New deprecations and the complete list of all features that are currently deprecated can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

  • Offset pagination for `/users` REST API endpoint is deprecated
  • Security policy field `newly_detected` is deprecated

Removals and breaking changes

The complete list of all removed features can be viewed in the GitLab documentation. To be notified of upcoming breaking changes, subscribe to our Breaking Changes RSS feed.

  • Geo: Housekeeping Rake tasks

Other notable changes

Welcome page removed from GitLab self-managed

From GitLab 16.5, users who complete the registration process for a self-managed instance are not shown the welcome page. Instead, newly registered users are sent to dashboard/projects, the activity page for the entity the user was invited to, or the location the user was trying to reach before registration. For more information, see issue 411858.

GitLab releases are moving to the third Thursday of the month

Starting with GitLab 16.6, which will be released on Nov. 16, 2023, our monthly release date will change from the 22nd of every month to the third Thursday of every month. This iteration in our release processes will ensure consistency and create more predictability for our customers in terms of the day of the week for the release while continuing our monthly pace of self-managed releases.

Please see more information in our blog post.

GitLab is putting a 100MiB per file limit on pushes to projects on the Free tier of GitLab.com SaaS

Since Git is not designed to handle large files well, GitLab is putting in place a 100MiB per file limit on pushes to projects that are on the Free tier of GitLab.com SaaS. We believe this limit will improve the health of our Git systems on GitLab.com, leading to better performance across the board.

More information can be found in the documentation.

We welcome any feedback about this new limit.

Important notes on upgrading to GitLab 16.5

Geo has changed the workflow for proxying SSH Git pull requests. Pull requests made against a secondary site are now proxied via the GitLab shell (instead of Workhorse) to the primary site. This is a behind-the-scenes change. No action is needed on your part.

Changelog

Please check out the changelog to see all the named changes:

Installing

If you are setting up a new GitLab installation please see the download GitLab page.

Updating

Check out our update page.

Questions?

We'd love to hear your thoughts! Visit the GitLab Forum and let us know if you have questions about the release.
