Clojars Maintenance and Support: August-October 2025 Update

2025 Critical Infrastructure: Clojars Maintentance and Support Update by Toby Crawley

August-October, 2025. Published November 22, 2025

This is an update on the work I’ve done maintaining Clojars with the support of Clojurists Together in August through October of 2025. Most of my work on Clojars is reactive, based on issues reported through the community or noticed through monitoring.
If you have any issues or questions about Clojars, you can find me in the #clojars channel on the Clojurians Slack, or you can file an issue on the main Clojars GitHub repository.

You can see the CHANGELOG for notable changes, and see all commits in the clojars-web and infrastructure repositories for this period. I also track my work over the years for Clojurists Together (and, before that, the Software Freedom Conservancy.

Below are some highlights for work done in August through October:

• I enabled backups of the artifact repository S3 bucket. I thought I had done this years ago, but had not, so fixed this oversight.
• I upgraded Clojars to Clojure 1.12.3 (from 1.12.1) and Java 25 (from 21)
• We had a couple of places where invalid input would trigger 500s, which resulted in noise from Sentry. One was invalid emails on password reset, and the other was null bytes on in project browsing url The latter one was pretty common, as I believe some fuzzing tools do this to try and find vulnerabilities. There are a couple of other places where I need to address them as well.

Though after October, I enjoyed the opportunity to chat with Clojars users at Clojure/Conj in Charlotte, NC! It was great to see old friends and make some new ones!

You can find earlier updates re Clojar fixes and updates here: March - July 2025