One explanation and solution for when applying CF updates uninstalls new packages unexpectedly
We only experienced it with CF2023, but others have reported the problem in the past, with various CF updates to any CF version. As I'll explain it seems to be a caching problem relative to Adobe's servers (so some people may experience it, but not others):
- First, you may find that after applying the update all the of the packages that were to be updated by the release will instead be UNINSTALLED unexpectedly/
- Even worse, that could mean that the administrator package is uninstalled, such that you can't get to the CF Admin after the update...which will also mean you can't use the admin to try to "uninstall the update" (if you wanted to).
Of course, you could go the command line route, as you would be told to consider doing if the Administrator package was uninstalled, using CF's cfpm tool to either install the admin package or even perhaps try to uninstall the update entirely.
But I have what seems to be a better solution. It's quite simple, but bear with me while I explain it...both to help you (and Adobe) better understand what seems amiss, and in case more info may come out soon from them or other folks.
Beware also that if you may have "solved the problem" yourself, consider what I have to say below--you should confirm that you DO in fact have the correctly UPDATED packages, which you may have installed using that cfpm tool.
To be clear, this problem does not present itself as an error in doing the update itself, nor in the update log (which I discuss further in each of my posts about each CF update). But there is indeed a log entry that would explain what happened.
And while the most obvious problem is that the Admin is not working, sometimes such a failure due to an update will lead to features within CF suddenly no longer working.
Finding evidence that the problem has happened
On the surface, if the problem is that the administrator was uninstalled, that will be indicated plainly when trying to access it. But not everyone uses the CF Admin. And again if it's another package that's uninstalled unexpectedly, then your application functionality may fail.
But if you look at the coldfusion-out.log to observe the startup messages after the update (which I discuss in my post/s about performing the update), in the situation discussed here the log will show CF "uninstalling" the whatever packages it was wanting to update (like the administrator package and 11 other packages being updated by this December update).
The problem is that then it fails to "reinstall" them. (It never reports "installing" or even "updating" them, but it normally would show "starting" each installed package.)
Instead, in this scenario you will see an error when the package tries to start reporting (for each of them) that the:
Of course, it's not at all obvious what this means...but this is how you know you had this problem I'm describing.
(If you have "this problem" I'm describing but do NOT see that message on startup after the update, you may have a difference problem. This post focuses only on the above problem. Reach out to me directly for help on other problems.)
Following directions may NOT get you the updated packages, or admin in this situation
I'd mentioned that if you DO attempt to visit the CF admin (in this situation where the administrator package is uninstalled but not reinstalled), then you will be presented a screen indicating that the administrator is in fact not installed and showing that you can install it from the command line with the cfpm tool and its "install administrator" command. And that will indeed work.
But beware first that it may only implements the admin package as of its last update (not this latest one, so CF2023 update 17 for this December update, where some of us experienced this problem). Now, most folks will never notice or even pay attention to that version indication: they just want to get into their Admin (or to reinstall whatever package is missing).
Yet once I could get into the CF Admin, I found that on visiting the "package management" page and visiting the "installed packages", then clicking on the "administrator" package, it reported that I was indeed on update 15 rather than this latest update 17.
And when I went to the "available packages" section and clicked on each of those (the ones that were unexpectedly uninstalled by the update failure), they also offered only the package versions from BEFORE this latest update. (Also, if I were to try to "install" the packages in that admin page, there was none indicating the version of this latest update, for those packages which WERE to be updated by this update.)
What's worse is that if one were to install them from that "install all" button there or via the "cfpm install all", they would again NOT be updated to the actual LATEST versions of those packages, from update 17, but whatever was the previous latest version of the packages--which is almost as bad as not doing the update.
Where the root cause of the problem lies
So as I dug into things, I found what seems to be the root cause problem: the bundlesdependency.json file (which was put into the bundles folder by the update, and which is looked to by those CF Admin and cfpm package install mechanisms) simply did not have the needed lines pointing to the updated version of the packages that were to have been updated!
In this case of CF2023's Dec 2025 update I mean there was no reference to any 2023.0.17 in that file. Again this problem has happened to other folks (in different CF versions and updates) over time, and they could use this information to look in that file for whether it had references to THEIR latest update.
And this is where it seems this is due to some sort of caching issue...where at the time CF obtains that file it's a cached older version, not yet reflecting the update.
A workaround...until things work as they should
But here's good news (if this happens to you, and you confirm all the above): I was able to "solve" the problem by visiting the URL that's listed in the "settings" page of that CF admin package update page, as the "packages url" (or at least the value you see if you click "restore default url"), which for 2023 defaults to https://www.adobe.com/go/cf2023_packages. See your admin for that value for your version (and if you don't "save" the changes on that page, then changing that setting to show the "default url" won't have any impact.)
I found that on viewing the JSON returned by that URL (at a later time than when I did the update that failes), the file DID have the needed references to the latest update ("2023.0.17", for this Dec 2025 update to CF2023), which sadly bundles/bundlesdependency.json file did not.
Update since original post: A commenter asked if I could share the specific "properly" up-to-date bundlesdependency.json file, for this very CF2023 update 17 (from Dec 2025). Here is google drive link to that, available to anyone, which shows a viewer for the file from which you can either copy the json or download the file. I don't want to commit to sharing the updated file for each version and its update, in my posts. There's always a chance that Adobe may well even UPDATE the file after an update, such as to fix some problem. I don't want to risk having to keep up with that on all updates. (For the same reason, I wouldn't think it a wise idea for them to be posted on the cfmlrepo.com site, but this is just my opinion.)Now, back to the rest of my original post.
So I simply saved that entire json over top of what was in that bundles/bundlesdependency.json, and then upon saving that file change, I found that when I went back to the CF Admin "package management" page and went to its "available packages" section, when I clicked any of them it DID now offer the update 17 version of the packages.
So from there I did the "install all", and they not only all installed, but of course they do now report being correctly the update 17 versions of those packages.
(Note also: the page indicated that I had one update outstanding for the "installed package"--the admin package I had installed from the command line. I clicked on that and updated it to update 17 as well. Note that updating that package does indicate that it requires a CF restart to take effect.
What you can do, if hit by this
So, beyond just getting your CF Admin back up and running, and perhaps doing an "install all" for the packages that were not installed, you should look at the administrator (or use cfpm listall) to check the version of these packages, specifically those that were updated in this update: which for this Dec 2023 CF update were the administrator, ccs, document, htmltopdf, presentation, pdf, print, report, scheduler, search, spreadsheet, and websocket packages.
If they don't show being on the latest update (update 17 in the case of CF2023), then you, too, could and should open your bundles/bundlesdependency.json file to see if it's missing references to that 2023.0.17 (or whatever is your latest version if you're reading this in the future about some other CF update). In that case, visit that URL offered above, confirm it DOES have the needed lines, save the contents of that entire page (json) into the bundles/bundlesdependency.json file, and then do "install all" (if you'd not yet installed them) or "update all" (if you had).
And of course, some folks may say, "this is why I don't apply updates the day they come out". That's always a two-edged sword: damned if you do (you might his a problem like this), damned if you don't (you may get hit by a vuln that the update is intending to protect against).
I've shared this not just for this latest update but in case it may benefit folks hitting similar problems in other CF updates. Hope it's helpful. Comments welcome, and I'll of course correct anything I've gotten wrong, misunderstood, or misrepresented.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
It's more akin to Janus Web Server which we helped people use (when I worked with you at Sirius Software, 30 years ago next year!) to build web apps in 204's User Language. Of course, that was on a 4gl on the mainframe. (CF apps are built with its own language, cfml, which runs on Windows, Linux, or MacOS.)
And yep, to other readers, at the very same time cf was coming out (1995), some of us were working to create web apps on mainframes! :-) And to be clear I made the switch to it, leaving the mainframe world, in '97. What a ride it's been! But I do have fond memories of my time with Dave and that team, as well as the 15 years I worked with 204, starting in college.
So much about IT is common to many platforms...and even centuries. :-) But of course so much is radically different, which helps keep our brains well-oiled and working!
Apologies to folks who are here for the topic of the post. Some day some of you may interact with someone decades after your time working with CF now, and I hope you can have as fond memories.
We're finding that some of our servers still are retrieving older versions of bundlesdependency.json from the Adobe URL directly. We are also finding that when we update the file ourselves, it is getting overwritten causing packages to get uninstalled during updates. I guess we could disable the auto checking of updates, but that makes the whole process more manual which I'd like to avoid, but if we must then we must.
yours in coldfusion and fine pork sausages
I manually applied the ColdFusion 2025 Update 5, and I am seeing the following error in my exception log: "Unable to install zip package: java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\downloads\CF2025-5/repo/bcprov-jdk18on-1.78.1.jar".
In my neo_updates.xml file, I wrote the "packagesurl" value as "C:\downloads\CF2025-5\bundlesdependency.json".
I have done this many times in the past. This is the first time it complains about using backslashes.
Am I supposed to rewrite it as "C:/downloads/CF2025-5/bundlesdependency.json", and if so, would saving this change and simply restarting ColdFusion fix the issue? This is a production server so I am hesitant to fiddle around until it works.
Thanks!
And though you're referring to the automatic check for updates, that only happens when you LOGIN to the admin. So I should have clarified I was presuming you'd already be logged in. (I was indeed referring to using info on the packages page to check the versions indicated for packages of concern.)
Let us know if that works for you, since you do say you have a properly up-to-date json file. For those not getting it (other commenter here) I'll answer them separately.
But I'll add that the "opaque" error may have a different cause. Does that file exist at that path if you try to access it in Windows explorer or via dir from the command line, using the path reported in the error:
C:\downloads\CF2025-5/repo/bcprov-jdk18on-1.78.1.jar
If it does not, then you're focused on the wrong thing. The question would be why that file is not there, when cf thinks it should be. That's often got quite different explanations.
Anyway, back to your original issue, can you first just try copying the full path to the json file into that cf admin settings page for the "packages url"? Let us know if that helps (though this discussion is getting off-topic from the post).
But note that I had asked a second question: can you confirm that the JAR (in the error) is indeed in the folder named in the error. If it's not, then THAT is your problem (not necessarily related to this matter of the json file).
Finally, I have confirmed also that WHATEVER you put into that CF admin "packages url" value will be stored into that neo_updates.xml file. It does NOT change the slashes. (FWIW, the CF Admin "java home" setting on the "java and jvm" page does indeed change the Windows file separators to linux ones, which Java requires.)
Thanks for following up. What I was experiencing was when I updated the file manually, I was able to see the package updates. Once I installed the package updates and restarted ColdFusion, all the updated packages were uninstalled I had to reinstall all of them again (the bundlesdependency file has been overwritten at that point somehow without the newer package versions listed). At that point though, they reverted to the previous versions instead of the latest. The bundles file keeps getting overwritten despite me not running the update call for that URL. Does that make sense? Let me know if could be any clearer, thanks again!
In my “neo_updates.xml” file, I modified the “packagesurl” to be “C:/CFUpdates/CF25_U5/bundles/bundlesdependency.json”
Gemini suggested less directories (shorter path) and changing backslashes to forward slashes.
After saving the xml file and restarting ColdFusion, no more errors in the exception log and cfzip works.
Again, you won't pay for time you don't value, and I do think we'd fix things within a half hour.