Last checked and updated on 03 May 2026What Is New in Jenkins 2.516.x
This LTS release introduces a major UI overhaul, significant security enhancements, and performance optimizations.
| Category | Key Changes |
|---|---|
| New Features | Redesigned header, per-user Views tab configuration, experimental Details widget for builds |
| Security | SameSite cookie attribute enforcement, bcrypt password length limit, jbcrypt library removal |
| UI/UX Improvements | Modernized color palette, improved avatar display, accessibility enhancements |
| Performance | Reduced heap usage, background artifact list rendering, legacyIds file cleanup |
| Bug Fixes | Fixed node configuration sync, breadcrumb navigation, and various UI glitches |
| Deprecations/Removals | YUI library removal, RunIdMigrator removal, deprecated HTTP endpoints removed |
What security enhancements were introduced in Jenkins 2.516.x?
Jenkins 2.516.x brings several important security improvements. The SameSite attribute is now set for HTTP cookies when running with the default Jetty container, providing additional CSRF protection with a default value of Lax.
Jenkins' own user database now enforces a 72-byte maximum password length for new passwords, matching bcrypt's limitations. The jbcrypt library has been completely removed from the core, requiring plugin updates for compatibility.
These changes matter because they address specific attack vectors while maintaining backward compatibility for existing installations.
How does the header redesign affect plugin compatibility?
The completely redesigned header in 2.516.1 moves the Manage Jenkins link from the left navigation to the top and consolidates plugin actions into dropdown menus. Plugins like Support Core and Design Library now appear in the More Actions menu.
The Customizable Header plugin must be updated to the latest version before upgrading, as older versions are incompatible with the new header structure. This change creates a more consistent and modern navigation experience across all Jenkins components.
In practice, plugin developers may need to update their UI integrations to work properly with the new header layout and action placement.
What performance optimizations were implemented?
Several performance improvements reduce memory usage and processing overhead. The artifact list rendering for builds is now deferred to background requests, preventing UI freezes during expensive computations.
Heap usage for endpoints serving large build logs has been significantly reduced. The removal of legacyIds files from build directories decreases inode consumption, which is particularly beneficial for large installations with thousands of jobs.
These optimizations help maintain responsive performance even in large-scale Jenkins deployments with extensive build histories.
How does the Views tab customization work?
Users can now select their preferred ViewsTabBar implementation for the My Views dashboard. This per-user configuration replaces the previous system-wide setting, giving individual users control over how their view tabs are displayed.
The Configuration as Code entry for myViewsTabBar is deprecated in favor of this new user-specific approach. This change allows for more personalized workspace layouts without affecting other users' experiences.
What breaking changes should administrators prepare for?
Several removals require attention before upgrading. The Active Directory plugin must be updated to version 2.40 or newer due to the jbcrypt library removal. Microsoft Entra ID Plugin users need version 580.v2f665882b_a_71 or later for SameSite cookie compatibility.
The YUI library has been completely removed, which may affect plugins that haven't migrated to modern JavaScript frameworks. The RunIdMigrator functionality is gone, and legacyIds files are automatically deleted during upgrade.
Administrators should test these changes in staging environments before deploying to production systems.
FAQ
Do I need to update plugins before upgrading to Jenkins 2.516.1?
Yes, specifically the Active Directory plugin must be updated to version 2.40 or newer before upgrading due to the removal of the jbcrypt library. The Customizable Header plugin also requires updating for compatibility with the new header design.
What happens to existing passwords longer than 72 bytes?
Existing passwords longer than 72 bytes will continue to work for authentication. However, users won't be able to set new passwords exceeding this limit. It's recommended to change overly long passwords to stay within the bcrypt limitation.
Can I revert the header redesign if it causes issues?
The header redesign is a core change and cannot be reverted through configuration. The Customizable Header plugin provides some customization options, but the fundamental structure change is permanent in this LTS release.
What should I do about the legacyIds files being deleted?
The automatic deletion of legacyIds files during upgrade is intentional to reduce inode usage. No action is required unless you plan to downgrade, in which case you should manually recreate these files to avoid slow startup times.
How does the SameSite cookie setting affect authentication plugins?
The SameSite=Lax default provides CSRF protection but may require updates for some authentication plugins. Microsoft Entra ID Plugin users must update to version 580.v2f665882b_a_71 or newer to maintain proper authentication flow.