Sonatype Release Notes

Summary of Major Sonatype Nexus Repository Changes in 2026

This page contains a list of 2026 Sonatype Nexus Repository releases, links to each release's release notes, and a brief list of major changes per release.

Note that while we strive to fully document new features before releasing them to our Cloud environments, there may be occasional delays. In such instances, we will update this page with links to the relevant help documentation as soon as it becomes available.

The following table lists major changes to Sonatype Nexus Repository in 2026. Consider these changes when upgrading to a new version. Select a self-hosted release to see the fully featured release notes.

Major Changes | Cloud Release Date | Included in Self-Hosted Version

Features / Enhancements Preview Sonatype Nexus Repository's new user interface using the Switch to Nexus One UI toggle. Not that an administrator must enable this feature via Settings > System > Nexus One UI before the toggle will be visible (available in 3.92.0). SQL-to-SQL migrations now include SSL/TLS trusted certificates, preserving trust store configurations and reducing manual setup after migration. Configuration export and import now include role mappings for all users, including those from LDAP, SAML, and Crowd, ensuring access control is preserved during migrations. PyPI proxy repositories now support the PEP 658 and PEP 691 JSON API, caching JSON responses to improve performance for modern Python tools.

Bug Fixes NEXUS-51882 – PyPI hosted repositories now maintain consistent metadata during concurrent uploads by marking indexes as stale instead of deleting them, ensuring newly uploaded packages are accurately reflected. NEXUS-51795 – User-configured SAML Entity ID URIs now take precedence over the browser URL when generating SP metadata and authentication requests. NEXUS-51699 – The BlobRepositoryMismatch task now persists per-repository progress, resumes after restarts, logs progress periodically, and uses a CPU-scaled thread count instead of a fixed value. NEXUS-51514 – The compact blob store task now continues processing when individual S3 deletions fail, logging failures at WARN level instead of stopping the task.

April 29, 2026 | 3.92.0 (May 7, 2026) and 3.93.0 (Coming June 2026)

Features / Enhancements Swift repositories can now be migrated between Nexus Repository instances using the Instance Migrator. Package archives and manifests are transferred, while auto-generated metadata is excluded and regenerated on the target instance, enabling seamless migrations. Administrators can now manage SSRF protection settings at runtime using a new SSRF Protection endpoint in the Security Management API.

Bug Fixes NEXUS-52054 - Terraform hosted repository signing key material and passphrase are now redacted in support zip configuration exports. NEXUS-51930 - Conditional GET requests against proxy repositories now undergo Firewall policy evaluation, returning 403 Forbidden when a component is quarantined rather than incorrectly signaling 304 Not Modified. NEXUS-51633 - PyPI repositories now automatically invalidate and rebuild stale indexes after Verify and Repair blob restore tasks complete, eliminating the need to manually trigger index regeneration via API calls.

April 22, 2026 | 3.92.0 (May 7, 2026)

Features / Enhancements Added support for the Dart (pub) package format. Added support for Conda hosted and group repositories. The Instance Migrator can now migrate Terraform and Conda hosted repositories between Nexus Repository instances. Added support for Helm group repositories, allowing aggregation of multiple Helm repositories into a single endpoint (disabled by default; configurable via system property). Conda Hosted and Group repositories are now enabled by default, simplifying setup and providing immediate access to all Conda repository types. New Nexus Repository installations now have Server-Side Request Forgery (SSRF) protection enabled by default, blocking unauthorized access to private network resources out of the box. Existing installations are unaffected but can enable or configure this feature via API. The Usage Insights dashboard now retains daily storage metrics indefinitely, aligning with the retention model used for egress metrics. This ensures a complete and continuous view of storage trends across all time periods, eliminating gaps in historical data. Refreshed the login experience with a unified design across both self-hosted and Cloud deployments. The updated interface aligns with Sonatype’s standard design system, delivering a more consistent and polished user experience without introducing any functional changes. In cloud deployments, the Users page now includes an Invite User button, replacing Create Local User. This streamlines onboarding through your identity provider and simplifies the interface by automatically filtering to OAuth2 users. Self-hosted deployments are unchanged. Introduced a new admin REST API (GET/PUT /v1/security/ssrf-protection) for managing SSRF protection settings dynamically without requiring a restart. This includes support for configuring allowed IPs and domains, ensures cluster-wide consistency, and permanently blocks access to cloud metadata endpoints.

Bug Fixes NEXUS-51909 - PyPI proxy-chain repositories now correctly resolve relative package URLs, restoring successful package downloads. No viable workaround exists in affected versions; downgrade to 3.90.x is recommended until this fix is available. NEXUS-51864 - Version-specific npm requests (such as /lodash/latest) no longer invalidate or corrupt the PCCS cache. Subsequent metadata requests now return the complete and correct set of package versions. NEXUS-51814 - Docker tag pagination responses now correctly preserve connector-based paths when accessed via dedicated connector hosts or ports, ensuring Link headers remain compliant with the Docker Registry HTTP API V2 specification. NEXUS-51659 - The Search API now returns an HTTP 400 response with a clear validation message when unsupported wildcard patterns (such as leading wildcards or short trailing wildcards) are used in the Repository Name field, replacing previous silent empty responses. NEXUS-51540 - Maven group repository metadata now stays up to date when new component versions are uploaded to hosted repositories nested within sub-groups, ensuring accurate version resolution across group hierarchies. NEXUS-51537 - PyPI group repository simple index pages are now served from cache on repeated access, eliminating unnecessary blob creation and improving performance. NEXUS-51523 - The Data Repair Plan task now report "created plan entries" instead of "created plans," accurately reflecting the number of individual repair items identified rather than the number of executable repair plans. NEXUS-51509 - Concurrent Policy Compliant Component Selection requests for the same PyPI or npm package are now deduplicated. Only a single evaluation request is sent to Firewall (IQ Server), with concurrent requests reusing the result. NEXUS-51485 - Docker clients now receive a standards-compliant error response when Repository Firewall blocks a quarantined image. The response includes quarantine details and a link to the Firewall report directly in the JSON payload. NEXUS-51389 - Repositories that fail to initialize during startup are now skipped and marked offline, allowing Nexus Repository to start successfully without being blocked by individual repository failures.

April 20, 2026 | 3.92.0 (May 7, 2026)

The self-hosted Sonatype Nexus Repository 3.91.1 release introduces the following additional bug fixes: NEXUS-51509 – Concurrent PyPI and npm proxy requests for the same package under Policy Compliant Component Selection now share a single upstream evaluation call to Firewall, preventing the duplicate memory loading that previously caused OutOfMemoryError crashes on IQ Server. NEXUS-51485 – Docker clients now receive a Docker Registry HTTP API V2 compliant error response containing the quarantine explanation and Firewall report URL directly in the JSON body when Repository Firewall blocks a pull request. NEXUS-51112 – Policy Compliant Component Selection now uses an increased timeout when evaluating metadata for large PyPI packages, allowing installations of components like tensorflow and duckdb to complete successfully.

April 17, 2026

Sonatype Nexus Repository 3.90.3 provides the following bug fix, which is also included in version 3.91.0: NEXUS-51666 – Added a skipProcessing configuration option to BlobRepositoryMismatchTask for eligible direct upgrades. See our Support Knowledgebase article for details.

3.90.3 and 3.91.0

Bug Fixes NEXUS-51666 – Administrators can now set blob.repository.name.mismatch.skipProcessing=true to allow the blob repository mismatch upgrade task to complete immediately without scanning assets, eliminating weeks-long processing delays for instances upgrading from versions prior to 3.69.0. NEXUS-51551 – The system confirmed protection against malicious axios package versions after npm removed the compromised packages from the registry. NEXUS-51523 – Data Repair Plan task logs now report "identified repair items" and "processing entries" instead of the ambiguous "created plans" terminology, clarifying that counts represent individual blob records requiring attention rather than the number of executable repair plans. NEXUS-51391 – Content selectors using "starts with" operators correctly filter paths with segments shorter than three characters. NEXUS-51334 – Fallback logging in npm group repositories now operates at DEBUG level instead of INFO, reducing log volume and removing misleading references to PCCS policy differences. NEXUS-51283 – Single RubyGems file uploads now update only the necessary metadata indices instead of regenerating data for every gem in the repository, eliminating temporary blob storage spikes during upload operations. NEXUS-51282 – Download URLs generated from UI search results now correctly reference the group repository path instead of underlying member repositories, allowing users with group-only permissions to access assets without encountering authorization errors. NEXUS-51279 – Search API requests using unsupported wildcard patterns now return HTTP 400 responses with descriptive validation messages, ensuring consistent behavior across all search fields. NEXUS-51266 – Improved PostgreSQL query performance for prefix-based component searches by enabling index scans on key search_components columns, reducing reliance on sequential table scans. NEXUS-51247 – Concurrent requests for the same component no longer generate ERROR-level log entries when multiple threads update blob property files simultaneously NEXUS-51112 – Increased timeout for Policy Compliant Component Selection when evaluating large PyPI packages (such as tensorflow and duckdb), allowing installations to complete successfully. NEXUS-50782 – NuGet v2 proxy repositories now correctly follow OData pagination links for FindPackagesById queries, ensuring all package versions and dependencies are cached and installable in a single operation. NEXUS-49855 – Prefix-based component name searches in High Availability deployments now return only components whose names begin with the specified term, ensuring accurate and predictable results. NEXUS-48607 – The UI telemetry service now avoids repeated attempts to reach unavailable remote endpoints, eliminating long page load delays in air-gapped and network-restricted environments.

April 8, 2026 | 3.92.0 (May 7, 2026)

Caution Known Issue with npm Group Repositories in Sonatype Nexus Repository 3.90.2; Issue fixed in 3.91.0 Sonatype is aware of an issue in Sonatype Nexus Repository 3.90.2 where npm group repositories may serve stale package metadata after upstream repositories are updated. This issue is fixed in version 3.91.0. This issue occurs when requesting packages with versions or dist-tags (for example, npm install storybook@latest or npm install @sonatype/[email protected]). The cache invalidation process fails, causing the group repository to return outdated version information. Symptoms may include: npm builds failing with version mismatch errors. Recently published package versions not visible through the group repository Server logs showing errors such as: IllegalArgumentException: Non URL-safe name Workaround: Manually invalidate the package cache through the Nexus UI: Browse → Select repository → Right-click package → Invalidate cache

Features / Enhancements Database connection pool metrics are now exposed through the metrics API, enabling administrators to monitor active, idle, and pending connections to optimize database performance and troubleshoot connection issues. (Available in self-hosted 3.92.0)

Bug Fixes NEXUS-51488 - Terraform service discovery now requires repository-level endpoint access at /repository/{repository-name}/.well-known/terraform.json instead of root-level access. Terraform CLI can successfully discover hosted registry services through this endpoint, enabling module and provider resolution. NEXUS-51407 - Maven proxy repositories now accept macOS Mach-O executables (such as ARM64 protoc binaries) when strict content type validation is enabled. NEXUS-51397 - Blob repository mismatch tasks now process blobs concurrently across available threads, significantly improving completion time during post-upgrade validation. NEXUS-51301 – Disabling IQ Server integration in Nexus Repository Cloud instances completes immediately without blocking or causing node unresponsiveness. NEXUS-51267 - Failed login attempts are now recorded in the audit.log file with detailed authentication failure information, including failure reasons.

April 1, 2026 | 3.91.0 (April 7, 2026) and 3.92.0 (May 7, 2026)

Features / Enhancements Proxy repository migrations from OrientDB to self-hosted instances now preserve authentication credentials and HTTP request settings (such as connection timeout, retries, and user agent). This eliminates the need for manual reconfiguration after migration. If credentials cannot be securely migrated due to missing encryption configuration, only the authentication details are removed while all other repository settings are retained. Added an informational alert in the Historical Usage section to clarify that usage data is updated every 48 hours. This helps set expectations and explains why recent repository changes may not be immediately reflected in storage metrics. Yum repository migrations now automatically regenerate repository metadata, including required files such as repomd.xml and associated .xml.gz files. This ensures migrated repositories remain complete and fully functional without requiring manual intervention.

Bug Fixes NEXUS-51311 - Capability state changes now complete without causing thread deadlocks that could block UI loading and API responses. NEXUS-51210 - Maven group metadata remains available during blob store migration tasks, preventing temporary inconsistencies. NEXUS-51191 - The Remove a member from a blob store group task now completes successfully when multiple instances run concurrently. NEXUS-51164 - Log messages for invalid Maven metadata files now include the repository name, improving troubleshooting. NEXUS-51030 - Proxy repository creation via the REST API no longer requires the blocked field, which now defaults to false when omitted. NEXUS-50808 - Docker tag listing now handles large tag sets without causing a StackOverflowError during pagination. NEXUS-50585 - Upgrade tasks now skip and log deprecated task types, such as OrientDB backup tasks, instead of failing during processing. NEXUS-50510 - DEBUG-level logging now records when SSRF protection blocks outbound proxy requests to private or local network addresses. NEXUS-50471 - Docker container startup now detects existing memory settings in INSTALL4J_ADD_VM_PARAMS and avoids adding duplicate JVM parameters. NEXUS-50384 - Docker content validation now correctly recognizes application/zstd layers, improving performance during image staging, push, and pull operations. NEXUS-50322 - Staging delete operations now log additional request details, enabling troubleshooting without requiring TRACE-level logging. NEXUS-47043 - Default reconcile thread usage has been reduced to better balance CPU consumption and minimize impact on smaller deployments. NEXUS-37039 - Cleanup tasks now remove stale asset blob records for deleted blob stores, preventing repeated warnings and unnecessary data growth.

March 25, 2026 | 3.91.0 (April 7, 2026)

Features / Enhancements Nexus Repository now supports Swift group repositories. This allows you to aggregate multiple Swift package sources into a single endpoint for simplified dependency management.

Bug Fixes NEXUS-50905 – S3 blob stores on different endpoints now validate bucket existence independently, preventing initialization conflicts when multiple blob stores share the same node. NEXUS-50831 – Group repositories in Nexus Repository Cloud deployments now accurately calculate and display their total size, including content from nested group members. NEXUS-50813 – Tag association operations now complete synchronously, allowing immediate component promotion and tag-based searches without delays in both High Availability and non-HA deployments. NEXUS-50640 – SAML authentication handles missing cookies gracefully when reverse proxies strip cookie headers, preventing server errors during the login flow. NEXUS-50628 – Schedule modifications to the Admin - Cleanup expired user tokens task persist across Nexus Repository restarts. NEXUS-50552 – The Browse menu now appears for users who have content selector privileges with browse action, matching the visibility behavior of standard repository-view permissions. NEXUS-50532 – Docker group repositories now return a 504 Gateway Timeout error when firewall scanning encounters a cooperative wait timeout, instead of incorrectly returning 404 Not Found. NEXUS-50196 – SAML external role mappings now synchronize on every login, removing outdated role assignments when IdP groups change and preventing users from retaining elevated privileges after group revocation. NEXUS-50167 – Added support for configuring pod-level securityContext in the Sonatype Nexus Repository HA helm chart StatefulSet, enabling fsGroup and fsGroupChangePolicy to reduce volume permission overhead and improve pod startup times on large storage deployments. NEXUS-49003 – Repository browse rebuild tasks now display overall progress across all repositories, showing the current repository name, completion percentage, and repository count. NEXUS-48819 – The Default Role capability now supports built-in roles like nx-anonymous and nx-admin across instance restarts and upgrades. NEXUS-45518 – Tag creation, updates, and deletions are recorded in the audit log with details about the initiator, tag name, and attributes. NEXUS-44583 – Maven repositories no longer allow non-timestamped SNAPSHOT artifacts (e.g., my-app-1.0-SNAPSHOT.jar) uploaded directly through the GUI; all SNAPSHOT artifacts must now use timestamped versions (e.g., my-app-1.0-20241016.074913-1.jar) as generated by standard Maven or Gradle deployment tools. Asset views display successfully when clicking on SNAPSHOT components that were uploaded directly via the GUI with non-timestamped versions.

March 18, 2026 | 3.91.0 (April 7, 2026)

This release introduces an Instance Migrator that allows OrientDB-based Nexus Repository 3.70.5 instances to either Nexus Repository Cloud or self-hosted Nexus Repository version 3.90.2+. See the Instance Migrator help documentation for full requirements and migration details.

Bug Fixes (3.90.2) NEXUS-51040 – Docker proxy repositories handle bearer token authentication requests without encountering null pointer exceptions during HTTP context operations. NEXUS-50764 & NEXUS-39228 – Group repositories now properly detect policy-filtered version changes in member proxy repositories, ensuring metadata remains current and complete across npm and PyPI formats.

3.70.5 and 3.90.2 (March 23, 2026)

Bug Fixes NEXUS-51199 – Deleting a Docker manifest now removes all associated tags, preventing orphaned tags from remaining in the repository. NEXUS-51148 – Nexus Repository now logs detailed diagnostic information when npm package metadata requests to IQ Server approach timeout thresholds, including request timing, cache behavior, and actionable configuration guidance. NEXUS-51144 – Blob store configuration changes now display warning messages only when modifying settings that affect data availability, such as storage location updates. NEXUS-51143 – Terraform modules with subdirectory syntax (using //) now download directly from Git sources rather than through the proxy cache, ensuring correct directory structure resolution. Note: Module downloads will bypass Nexus Repository caching and connect directly to upstream Git repositories (for example, GitHub) when using subdirectory references like terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts. NEXUS-50861 – Docker repositories accept image names containing consecutive underscores, aligning with OCI Distribution Specification requirements. NEXUS-50809 – The Swagger API documentation for the GET /v1/repositories endpoint now includes the size field, displaying repository size in bytes and matching the actual API response structure. NEXUS-50504 – Container image scanning handles large Go binaries (500MB+) without memory exhaustion by using a streaming parser that maintains constant memory usage regardless of file size. NEXUS-50246 – Wildcard version searches now return only packages where the version starts with the specified pattern, preventing matches on partial segments within version numbers. NEXUS-49457 – APT proxy repositories now include cached packages in metadata even after upstream removal, allowing installations to succeed from the local cache. NEXUS-41419 – Role editing operations automatically remove references to obsolete privileges instead of displaying error messages. NEXUS-40545 – Conda proxy repositories now apply the "maximum metadata age" setting to repodata.json files instead of treating them as components subject to "maximum component age" rules.

March 11, 2026 | 3.91.0 (April 7, 2026)

This self-hosted release fixes an issue in Sonatype Nexus Repository 3.90.0 Community Edition that prevented the application from starting upon initial installation or upgrade. Community Edition users can now safely upgrade to version 3.90.1.

3.90.1 (March 6, 2026)

Features / Enhancements Repository Firewall now supports global webhooks for quarantine events, automatically notifying your systems when components are quarantined or blocked due to policy violations. This enables real-time integration with your security workflows and incident response systems, allowing you to immediately track and respond to potentially risky components.

Bug Fixes NEXUS-50951 – From Nexus Repository version 3.89.0+, newly created Docker repositories must use lowercase names. This fix allows users to edit, via the UI, the configuration of upgraded Docker repositories that have mixed/upper case naming. NEXUS-50929 – Terraform token authentication no longer applies to non-Terraform repository formats. Anonymous access to raw hosted repositories works correctly for paths matching /v1/providers/** patterns. NEXUS-50761 – Repository browse displays all content for users with administrative permissions, regardless of any additional content selector privileges assigned through other roles. NEXUS-50623 – npm group repositories now return valid JSON metadata with a single _id field instead of duplicating it at the top level. NEXUS-50616 – Hugging Face proxy repositories correctly process filenames containing spaces and special characters by properly encoding URI segments in outbound requests. NEXUS-50251 – Search indexing completes successfully for components with tens of thousands of associated file paths by implementing PostgreSQL parameter limits. NEXUS-48954 – Session timeout values configured in the UI Settings capability now apply correctly in High Availability deployments, ensuring users remain logged in for the specified duration. NEXUS-45172 – When attempting to redeploy an asset with the "Allow Redeploy" setting disabled, error messages now explicitly state that redeployment is not permitted for the repository, replacing the previous generic "blob upload invalid" message across all repository formats. NEXUS-44209 – The Compact blob store task now successfully removes soft-deleted blobs after they've been relocated by the Remove a member from a blob store group task. NEXUS-42338 – Yum repositories now correctly identify the architecture of signed RPM packages by reading metadata from the RPM header tags instead of the lead header. NEXUS-39798 – Database connection failures during authentication now return HTTP 503 Service Unavailable instead of HTTP 401 Unauthorized, clearly indicating a server-side infrastructure issue rather than incorrect credentials. NEXUS-39080 – Docker proxy repositories now return HTTP 404 (Not Found) instead of HTTP 400 (Bad Request) when remote content fails digest validation. NEXUS-29440 – PyPI proxy repositories support remote URLs without the /simple endpoint by allowing an empty index path configuration for services like GemFury and NVIDIA PyPI.

March 4, 2026 | 3.91.0 (April 7, 2026)

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss. This issue is fixed in version 3.90.0. Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

Features / Enhancements Support for Swift hosted repository format. Support for Terraform group repository format. The User Token API now allows administrators to create, view, and delete user tokens. With the appropriate privileges, administrators can generate tokens for specific users and realms, retrieve token summaries (excluding sensitive fields), and manage tokens across individual or all realms, including options to include expired tokens in responses. (self-hosted) The Repository - Copy Blob Size to Asset Table task is now available in the user interface. While this task is typically a one-time migration task that runs automatically during startup or upgrade, administrators can now manually run or schedule it if repository metrics become inconsistent, such as if the Size column no longer appears on the Repositories page. This update enables faster recovery from metrics corruption without requiring a restart or configuration changes. (self-hosted) New Recovery Mode feature that prepares self-hosted Nexus Repository deployments for reconciliation operations when repository or blob store data becomes inconsistent. This feature inclues a dedicated Recovery Mode page under the Support section as well as a new Recovery Mode API.

Bug Fixes NEXUS-50718 – Terraform hosted repositories now correctly generate provider metadata for all uploaded providers, ensuring consistent discovery and installation through the Terraform CLI. NEXUS-50711 – Improved search API filtering to accurately return results when combining component criteria (such as name or repository) with asset-level checksums in a single query. NEXUS-50706 – Improved cache invalidation for npm proxy repositories to properly handle packages with names starting with underscores or periods. NEXUS-50690 – Corrected npm search query handling to ensure consistent result ordering and de-duplication in PostgreSQL environments. NEXUS-50574 – npm audit requests for projects without dependencies now complete successfully instead of generating error logs. NEXUS-50554 – During Change repository blob store migrations to S3, asset requests now validate blob existence in the target cloud store and properly fall back to the source blob store, preventing 500 errors and build failures while migration is in progress.

February 25, 2026 | 3.90.0 - 3.90.1 (March 5, 2026) and 3.91.0 (April 7, 2026)

This self-hosted patch release fixes the following bugs: NEXUS-50621 – Metadata generation for hosted APT repositories now correctly includes all applicable package versions in Packages files, ensuring clients receive complete and accurate repository metadata. NEXUS-50490 – The LDAP configuration REST API now properly handles authentication password parameters when creating LDAP server connections. NEXUS-50487 – The LDAP configuration API now correctly handles updates when using URL-encoded connection names in REST API requests. NEXUS-50473 – User access to group repositories now correctly inherits read and browse permissions from member repositories, with consistent enforcement of content selectors across authorization checks and Browse previews. NEXUS-50338 – LDAP configuration updates via REST API now reliably preserve all required fields during credential rotation and server configuration changes. NEXUS-48604 – Enhanced LDAP credential rotation in High Availability clusters to ensure cache synchronization across all nodes when updating bind credentials.

February 11, 2026 | 3.89.1 (February 11, 2026)

Features / Enhancements Proxy URL validation is enabled by default to block outbound connections to private network addresses, localhost, and cloud metadata endpoints. Sonatype Repository Firewall now writes firewall.quarantine audit log events when components are newly quarantined or when users attempt to download already quarantined components. Note that you must be using self-hosted IQ version 201 or Sonatype Lifecycle Cloud (SaaS) for this to take effect. Improvements to the Sonatype Nexus Repository Cloud login page.

Bug Fixes NEXUS-50621 – APT hosted repositories now correctly include all package versions in generated Packages files for each architecture. (Also fixed in self-hosted 3.89.1.) NEXUS-50612 – Upgraded installations now successfully migrate the asset_blob_size column when upgrading directly from versions prior to 3.67.0 to 3.87.0 or later, ensuring artifact uploads complete without database errors. NEXUS-50592 – Content selectors now appear in alphabetical order within the Repository Content Selector Privilege dropdown, making it easier to locate specific selectors when working with large lists. NEXUS-50362 – Maven repositories now correctly return HTTP 404 responses when requesting non-existent hash signature files with compound extensions like .md5.asc. NEXUS-50277 – Improved repository synchronization in high availability deployments to maintain consistent state across all nodes during concurrent deletion operations. NEXUS-50273 – Improved Quartz scheduler initialization to prevent extended startup delays, reducing the time required for Sonatype Nexus Repository to become fully operational after restart. NEXUS-50243 – Improved Maven group metadata accuracy to consistently reflect the latest artifact versions across nested group configurations. NEXUS-50153 – Yum group repositories now serve cached metadata to clients while regenerating merged metadata in the background, preventing incomplete repodata responses during the merge process. NEXUS-48604 – Enhanced LDAP credential rotation to maintain consistent cache synchronization across all nodes in high availability clusters. (Also fixed in self-hosted release 3.89.1.) NEXUS-47776 – Improved URL encoding handling in proxy repositories to preserve special characters in redirect URLs, ensuring successful retrieval of artifacts from remote sources. NEXUS-47618 – Cleaned up Prometheus metrics by removing unused S3 blob store timers that always displayed zero values. NEXUS-46841 – Improved Docker token request handling to reliably process concurrent authentication attempts from the same client. NEXUS-46805 – Non-administrator users can now configure Content Replication with repository-specific privileges without encountering permission errors. NEXUS-46315 – Added JVM memory and garbage collection monitoring logs to help diagnose system resource issues across all deployment configurations. NEXUS-44226 – Added a new paginated REST API endpoint for retrieving SAML users, with the existing endpoint now limiting results to 100 users to improve performance and scalability for large user bases. NEXUS-43881 – Improved browse tree cleanup in YUM repositories to properly remove directory nodes when deleting duplicate RPM files uploaded to multiple paths.

January 28, 2026 | 3.89.0 - 3.89.1 (February 3, 2026) and 3.90.0 - 3.90.1 (March 5, 2026)

Features / Enhancements Support for Swift proxy repository format. (Available in Self-Hosted 3.89.0) Support for Terraform hosted repository format. (Available in Self-Hosted 3.89.0) Breaking change: SAML login requires SAML2_AUTH_REQUEST cookie beginning in 3.89.0

Bug Fixes NEXUS-50419 – Updated the image scanning process to ensure temporary resources are properly cleaned up, improving system stability and preventing potential memory issues. NEXUS-50338 – LDAP configuration updates via REST API now reliably preserve all required fields during credential rotation and server configuration changes. (Fixed in self-hosted 3.89.1) NEXUS-50313 – The log management API now works as expected to retrieve audit or request type events in Nexus Repository Cloud environments. Documentation will also be available soon. NEXUS-50240 – Anonymous access to Terraform proxy repositories now correctly allows unauthenticated users to retrieve provider versions without receiving a 401 response. NEXUS-50163 – The user interface handles rapid navigation during page loading without encountering null reference errors. NEXUS-50133 – Support zip log files now truncate from the bottom up, preserving the most recent log entries needed for effective troubleshooting. NEXUS-50116 & NEXUS-50151 – Resolved an issue with the Repair - Execute Data Repair Plan task that previously led to some unexpected assets being removed. Note that this task remains disabled by default in release 3.89.0. NEXUS-50112 – Importing Docker images no longer removes the /library/ namespace prefix. NEXUS-50056 – Docker tag list responses now include the correct Link header path when requests are made using repository or path-based URLs. NEXUS-50040 – The REST APIs for Hosted Repository Analysis now evaluate artifacts without returning an HTTP 500 error, preventing a NullPointerException when determining repository scan support. NEXUS-49769 – Uploading RPMs to a Yum hosted repository no longer leaves behind empty repodata folders in the Browse UI. NEXUS-49722 – Search results for pre-upgrade components with underscores in the group name now return correctly after upgrading without requiring a manual search index rebuild. NEXUS-49164 – Wildcard searches in HA environments now correctly return results when the search term includes a hyphen-prefixed token. NEXUS-48701 – The nexus_cluster.log file is no longer created when using H2 or PostgreSQL, eliminating confusion caused by an unused log file in non-OrientDB environments.

January 21, 2026 | 3.89.0 (February 3, 2026)

To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, we have disabled the Repair - Execute Data Repair Plan task by default.

3.84.2 (January 15, 2026) 3.85.1 (January 15, 2026) 3.86.3 (January 15, 2026) 3.87.2 (January 15, 2026)

Bug Fixes: NEXUS-49996 – Improved repository deletion performance and reliability by optimizing role privilege cleanup and addressing race conditions across HA nodes. NEXUS-49970 – Improved performance of delta APT metadata rebuilds for large hosted repositories by optimizing how metadata updates are written to the database. NEXUS-49845 – Corrected a race condition that caused npm group metadata updates to fail when handling non–URL-safe package names. NEXUS-49758 – Group repositories now correctly honor the offline status of member proxy repositories. NEXUS-49414 – Updated permission checks in the Browse interface. NEXUS-47679 – Improved synchronization of password changes across HA nodes to ensure updated credentials are recognized immediately. NEXUS-45388 – Improved the Admin - Cleanup Tags task to gracefully handle missing components by skipping over them. NEXUS-42793 – Improved PyPI index page handling in Repository Firewall by filtering out invalid component versions during processing. NEXUS-38502 – Corrected YUM group metadata handling so repositories with invalid or missing member metadata no longer return an empty repomd.xml, instead rebuilding metadata or returning a 404 to reflect the invalid state accurately.

Original source

What’s New and Noteworthy in This Release?

Get a First Look at Sonatype Nexus Repository’s New User Interface

You can now preview a redesigned user experience in Sonatype Nexus Repository using a Switch to Nexus One UI toggle. This update introduces a more streamlined interface built to reduce clicks, improve navigation, and make repository search and browsing more intuitive. The new design aligns Nexus Repository with Sonatype’s other solutions, creating a more consistent experience across the Sonatype platform while lowering training overhead and cognitive load for users.

To access the preview, an administrator must first enable the feature under Settings > System > Nexus One UI. Some areas are still under development and will appear as Coming Soon, including Users, Roles, Privileges, Upgrade, and Licensing. You can also provide feedback directly within the UI to help guide ongoing improvements as we continue to expand coverage and accelerate feature delivery.

Pub Repository Support for Dart and Flutter

Sonatype Nexus Repository now supports Pub repositories, enabling you to manage Dart and Flutter packages directly within your repository manager. With support for proxy, hosted, and group repositories, you can centralize access to public packages from pub.dev, publish internal packages with versioned metadata and checksums, and aggregate multiple repositories into a single endpoint. This integration helps improve control over package consumption and distribution while reducing reliance on external sources.

For full details, see the Pub repositories help documentation.

Support for Conda Hosted and Group Repositories

Sonatype Nexus Repository now includes hosted and group repository support for Conda, providing a complete solution for managing Python and data science packages.

With hosted repositories, you can publish proprietary Conda packages with full version control and automatically generated metadata. Group repositories allow you to combine proxy, hosted, and other group repositories into a single endpoint, simplifying client configuration and enabling unified package resolution. These enhancements make it easier to manage Conda ecosystems at scale while improving consistency and efficiency across development workflows.

For full details, see the Conda repositories help documentation.

Support for Helm Group Repositories

Sonatype Nexus Repository now supports Helm group repositories, allowing you to expose multiple Helm repositories through a single URL. By combining proxy, hosted, and other group repositories into one endpoint, you can simplify dependency management and reduce the need for complex client-side configuration.

For dull details, see the Helm repositories help documentation.

Instance Migrator Support for Migrating Swift, Terraform, and Conda Hosted Repositories

The Sonatype Nexus Repository Instance Migrator now supports migrating Swift, Terraform, and Conda hosted repositories, making it easier to move modern package ecosystems between instances. This enhancement helps you migrate critical artifacts and repository configurations with greater confidence, reducing manual effort and minimizing disruption during upgrades, consolidations, or infrastructure changes.

The migrator focuses on transferring essential package assets, such as Swift package archives and manifests, Terraform provider and module packages (including associated checksum and signature files), and Conda package binaries across supported architectures. Automatically generated metadata is excluded during migration and regenerated on the target instance, helping ensure consistency and integrity without unnecessary data transfer. This approach streamlines migrations while preserving repository structure and expected package behavior.

For setup and technical details, see the Instance Migrator help documentation.

Database Connection Pool Metrics Accessible via API

Sonatype Nexus Repository now exposes HikariCP database connection pool metrics through the Service Metrics Data API, providing deeper insight into system health and database utilization. You can track active, idle, total, and pending connections across connection pools, helping you better understand real-time demand and identify potential bottlenecks.

With this added visibility, you can make more informed decisions about connection pool sizing and quickly troubleshoot performance issues without relying on external monitoring. Note that this API does not appear in the in-product Swagger; instead, check out our Service Metrics Data API help documentation for details.

Server-Side Request Forgery (SSRF) Protection Enabled by Default and New SSRF API Endpoint

Sonatype Nexus Repository now enables SSRF protection by default for new installations, helping you secure outbound connections and reduce exposure to malicious requests without requiring additional setup. Existing installations are not impacted by this change, avoiding unintended service disruption. You can review your configuration, add trusted internal endpoints to an allowlist, and enable protection when ready.

This release also introduces a new administrative API to manage SSRF protection settings, giving you more flexible and centralized control over enablement and configuration. For full details, see the help documentation on securing Nexus Repository.

Usage Insights Dashboard Retains Daily Storage Metrics

The Usage Insights dashboard now retains daily storage metrics indefinitely, giving you a complete and uninterrupted view of storage trends over time. By aligning storage retention with the existing egress metrics model, this update eliminates gaps in historical data and provides more reliable long-term visibility.

With continuous access to storage usage history, you can better analyze growth patterns, support capacity planning, and make more informed decisions about repository management without losing critical historical context.

Webhook Support for Repository Firewall Events

Sonatype Repository Firewall now supports webhooks, providing real-time notifications when components are blocked or quarantined due to policy violations. This allows you to integrate Firewall events with external systems for faster incident response, alerting, and automation.

Webhook payloads include key details such as policy violations, threat levels, and component identifiers, helping you quickly understand and act on security events. Notifications also distinguish between new quarantines and repeated access attempts, giving you clear and actionable insight into Firewall activity.

For full details, see the Firewall Webhooks help documentation.

Firewall Bulk Waivers for Faster Quarantine Management

Sonatype Repository Firewall now supports Bulk Waivers, allowing you to waive multiple policy violations at one time while applying consistent scope, expiration, and context. This reduces manual effort and helps prevent inconsistencies when managing quarantined components across repositories.

Bulk Waivers are available directly from Repository Results or Component Details, making it easier to take action where quarantine status is visible. Built-in safeguards for unknown or unclaimed components help maintain control, while a complete audit trail ensures traceability for all actions.

For full details, see the Firewall Bulk Waivers and Bulk Waivers API help documentation.

Bug Fixes

Issue ID | Description

NEXUS-52054 | Terraform hosted repository signing key material and passphrase are now redacted in support zip exports.
NEXUS-51930 | Firewall policy evaluation now applies to conditional GET requests (If-None-Match / If-Modified-Since), ensuring quarantined components return 403 Forbidden rather than 304 Not Modified.
NEXUS-51909 | Corrected PyPI proxy chaining so package downloads resolve with the repository path intact, preventing 404 errors when retrieving components through a proxy-to-proxy configuration.
NEXUS-51882 | PyPI hosted repository metadata stays consistent during concurrent uploads, with index assets marked as stale and rebuilt on demand rather than deleted mid-operation.
NEXUS-51864 | Version-specific npm requests (e.g., /package/latest) no longer invalidate the PCCS cache, ensuring subsequent full metadata requests return the complete set of available package versions.
NEXUS-51814 | Docker tag pagination Link headers now preserve the original connector-based request path, allowing clients to correctly retrieve subsequent pages of tags.
NEXUS-51795 | The user-configured SAML Entity ID URI now takes precedence over the browser URL when building SP metadata and authentication requests.
NEXUS-51699 | The BlobRepositoryMismatchTask now saves per-repository progress checkpoints, resumes after node restart, logs completion status and throughput, and scales thread count based on CPU cores.
NEXUS-51659 | The Search API now returns a 400 error with a descriptive message when unsupported wildcard patterns are used in the repository name field.
NEXUS-51633 | PyPI repository indexes are automatically invalidated and rebuilt on the next client request following a "Verify and Repair" blob restore operation.
NEXUS-51540 | Maven group repository metadata propagates correctly through all nesting levels when new component versions are uploaded.
NEXUS-51523 | The Repair - Data Repair Plan task summary log now reports "created plan entries" instead of "created plans."
NEXUS-51509 | Concurrent Policy Compliant Component Selection requests are now deduplicated, reducing redundant upstream evaluations.
NEXUS-51485 | Docker pull errors for quarantined images now include the quarantine reason and IQ report URL directly in the response body.
NEXUS-51397 | The repository.blob.mismatch.task upgrade task now processes blobs concurrently without blocking other upgrade tasks.
NEXUS-51391 | Content selectors using "starts with" expressions now correctly filter results for short path segments.
NEXUS-51334 | Fallback member retrieval in npm group repositories now logs clearer DEBUG-level messages without misleading Firewall references.
NEXUS-51327 | Wildcard component name searches against paths with leading slashes now return correct results across all formats.
NEXUS-51319 | npm proxy repositories now send valid ETags, ensuring cached tarballs return 304 responses instead of triggering re-downloads.
NEXUS-51283 | This fix changes RubyGems metadata behavior so uploads trigger incremental index updates rather than full repository rebuilds.
NEXUS-51282 | Download URLs in UI search results now point to the group repository path, allowing access without 403 errors.
NEXUS-51281 | The Firewall Proprietary Names task now correctly implements the Cancelable interface.
NEXUS-51279 | Search API requests using unsupported wildcard patterns now return HTTP 400 with a descriptive error message.
NEXUS-51267 | Failed login attempts are again captured in the audit log with user ID, IP, and failure reason.
NEXUS-51266 | text_pattern_ops indexes enable efficient prefix searches, eliminating slow sequential scans on large databases.
NEXUS-51247 | Concurrent requests for the same component no longer generate ERROR-level log entries during blob property updates.
NEXUS-51112 | Policy Compliant Component Selection now uses an increased timeout for PyPI metadata evaluation, supporting large packages.
NEXUS-50971 | Upgrade ensures LDAP configuration events deserialize correctly across HA nodes, preventing REST API failures.
NEXUS-50945 | OAuth2/OIDC authentication now uses Nexus’s managed HTTP client, supporting truststore and proxy settings.
NEXUS-50782 | NuGet v2 proxy repositories now follow OData pagination links, ensuring all package versions are retrieved.
NEXUS-49855 | Prefix wildcard searches now correctly match only components that begin with the specified term.
NEXUS-48607 | The UI no longer experiences delays on initial load when telemetry endpoints are unreachable.
NEXUS-43728 | Audit logs in HA clusters now record blob store creation events only on the originating node.
NEXUS-40929 | The Health Check column automatically hides from Browse and Repositories pages when IQ Server Firewall is enabled, preventing unnecessary API calls since Firewall provides vulnerability data directly.

Coming Soon to Sonatype Nexus Repository

Java 25 Required as of 3.93.0

Starting with version 3.93.0, Sonatype Nexus Repository will require Java 25. This update ensures continued alignment with supported Java versions and enables access to the latest performance improvements and security enhancements provided by the Java platform.

Original source

Caution

Known Issue with npm Group Repositories in Sonatype Nexus Repository 3.90.2; Issue fixed in 3.91.0

Sonatype is aware of an issue in Sonatype Nexus Repository 3.90.2 where npm group repositories may serve stale package metadata after upstream repositories are updated. This issue is fixed in version 3.91.0.

This issue occurs when requesting packages with versions or dist-tags (for example, npm install storybook@latest or npm install @sonatype/[email protected]). The cache invalidation process fails, causing the group repository to return outdated version information.

Symptoms may include:

• npm builds failing with version mismatch errors.
• Recently published package versions not visible through the group repository
• Server logs showing errors such as: IllegalArgumentException: Non URL-safe name

Workaround:

Manually invalidate the package cache through the Nexus UI: Browse → Select repository → Right-click package → Invalidate cache

What's New in 3.90.3?

Released April 8, 2026

Note

Sonatype Nexus Repository 3.90.3 is available for download from the Nexus Repository 3 Download archive.

Added Skip Processing Configuration

NEXUS-51666 – Added a skipProcessing configuration option to BlobRepositoryMismatchTask for eligible direct upgrades. See our Support Knowledgebase article for details.

What's New in 3.90.2?

Released March 23, 2026

New Instance Migrator Helps Nexus Repository 3.70.5 Deployments Move to Nexus Repository Cloud or Self-Hosted Nexus Repository 3.90.2 Without Downtime

Sonatype Nexus Repository now provides a migration path from OrientDB 3.70.5 to modern, supported platforms without requiring service interruption. With the new Instance migrator, you can migrate to either of the following without downtime:

• Nexus Repository Cloud
• Nexus Repository self-hosted version 3.90.2+

Migration preserves core configuration and repository data, enabling a seamless transition to a more scalable and supported architecture.

Key Capabilities

• Preserves repository data and configuration

  Migrates hosted repository content, repository configurations, and associated settings to the target environment.

• Maintains user and access configurations

  Transfers users, roles, and authentication mappings to ensure continuity of access control.

• Secure handling of sensitive data

  Encrypts and transfers secrets using supported security standards during migration.

• Automated validation checks

  Prevents invalid configurations, such as missing blob stores, and provides clear feedback during migration.

• No service interruption

  Keeps your source instance online and operational throughout the migration process.

Important Migration Requirements

• Blob stores must exist on the target instance

  Create blob stores in the target environment before migration. Do not reuse storage locations from the source instance.

• Shared storage is not supported

  Using the same S3 bucket, Azure container, or file path across source and target instances can lead to data corruption.

• LDAP/Crowd users require external server configuration

  While user tokens and role mappings for LDAP/Crowd users will migrate successfully, the target instance must be manually configured to connect to the same external authentication servers for these users to authenticate after migration.

• Some configurations require manual setup

  SSL/TLS certificates export from the source but may require manual import configuration on the target instance depending on your environment.

• Proxy/group repository cached content does not migrate

  Only hosted repository content is migrated.

For full migration requirements and process details, see the Instance Migrator help documentation. You can download the instance migrator for version 3.70.5 from the OrientDB Downloads page.

Bug Fixes in 3.90.2

This release includes the following additional bug fixes

Issue ID | Description

NEXUS-51040 | Docker proxy repositories handle bearer token authentication requests without encountering null pointer exceptions during HTTP context operations.

NEXUS-50764 & NEXUS-39228 | Group repositories now properly detect policy-filtered version changes in member proxy repositories, ensuring metadata remains current and complete across npm and PyPI formats.

What's New in 3.90.1?

Released March 6, 2026

Fix for Nexus Repository 3.90.0 Community Edition

This release fixes an issue that prevented Sonatype Nexus Repository 3.90.0 Community Edition deployments from starting upon initial installation or upgrade.

Community Edition users can now safely upgrade to 3.90.1.

What’s New in 3.90.0?

Released March 5, 2026

Support for Terraform Group Repositories

Sonatype Nexus Repository now supports the Terraform group repositories, allowing you to aggregate multiple Terraform hosted and proxy repositories into a single endpoint. This capability simplifies configuration for developers by providing one consistent URL for Terraform modules and providers, while centralizing control and visibility for repository administrators.

Terraform group repositories include intelligent caching with configurable TTL values for modules and provider versions, along with request deduplication to reduce redundant upstream queries. When the same version exists in multiple member repositories, you can apply configurable conflict resolution strategies to determine which artifact is served. The implementation also tracks member health and automatically handles unhealthy members, while exposing comprehensive metrics to help you monitor cache performance and overall repository health.

For full details, see the Terraform Repositories help documentation.

Support for Swift Hosted Repositories

Sonatype Nexus Repository now supports Swift hosted repositories, enabling you to publish and manage Swift packages as .zip files with MIME type validation. This capability allows teams to securely store and distribute internal Swift artifacts and approved third-party components through Nexus Repository, providing a centralized and reliable source for Swift dependencies.

Swift hosted repositories support enterprise controls such as access management and auditing, along with optional anonymous access where appropriate. For full details, see the Swift Repositories help documentation.

Re-enabled Repair - Execute Data Repair Plan Task

In Sonatype Nexus Repository 3.90.0, the Repair - Execute Data Repair Plan task is re-enabled by default. We previously disabled this task in 3.88.0 to prevent potential data loss while we addressed issues affecting the Verify and Repair and Data Repair Plan tasks.

You can now safely use the Repair - Execute Data Repair Plan task to correct data inconsistencies between the database and blob store. This update restores the intended maintenance workflow and allows you to run data repair operations with confidence.

This re-enablement aligns with the introduction of Recovery Mode, which provides a controlled operational state to help protect data integrity during repair and reconciliation activities.

New Recovery Mode for Safe Data Reconciliation

Sonatype Nexus Repository now includes Recovery Mode, a controlled operational state designed to support safe reconciliation between the database and blob storage after outages or data inconsistencies. When enabled, Recovery Mode helps protect data integrity by preventing specific background tasks from interfering with repair operations. This feature is available only for self-hosted deployments and requires administrative privileges. Before enabling Recovery Mode, consult Sonatype Support to confirm it is appropriate for your situation.

For full details, see the Recovery Mode help documentation.

New User Token API

A new User Token API allows administrators to create, view, and delete user tokens. With the appropriate privileges, administrators can generate tokens for specific users and realms, retrieve token summaries (excluding sensitive fields), and manage tokens across individual or all realms, including options to include expired tokens in responses.

For full details, see the User Token API help documentation.

Improved Transparency for Policy-Compliant Component Selection in npm Metadata

Sonatype Nexus Repository now enhances policy-compliant component selection (PCCS) by exposing filtered npm package versions directly in the package metadata. When PCCS filters versions that violate your Repository Firewall policies, those versions appear in the sonatype_filtered_versions field in the component's metadata. This update provides clearer visibility into which versions were excluded, helping teams quickly understand why a version is unavailable and identify an acceptable alternative.

Granular Permissions for Log Management API in Nexus Repository Cloud Environments

Sonatype Nexus Repository Cloud now supports more granular access control for the Log Management API. Previously, access to the Log Management API required the broad nexus:* permission, which is granted only to the nx-admin role. You can now grant access to this API using the built-in nexus:logging:read permission and the associated nx-logging-read privilege. This update enables teams to follow the principle of least privilege by allowing service accounts to download logs without granting administrative access across the entire tenant.

Removed Legacy Application Health Check and Hosted Repository Analysis

In this release, we removed the legacy Application Health Check plugin from Sonatype Nexus Repository. This plugin previously provided both Application Health Check and Hosted Repository Analysis capabilities.

Sonatype Lifecycle replaces these capabilities with more robust and fully supported software composition analysis. Lifecycle offers CLI-based scans, binary uploads, comprehensive policy evaluation, and continuous monitoring across your development lifecycle.

Removing these features reduces technical debt, eliminates non-functional UI elements and APIs, and simplifies the Nexus Repository codebase.

Note

This change applies to self-hosted Nexus Repository deployments only. These capabilities were never available in Nexus Repository Cloud.

Bug Fixes

The following sections group recent fixes by functional area to make them easier to scan and reference. Together, they reflect improvements across repository formats, search, HA, storage, migration, security, usability, and operational reliability.

Repository Format–Specific Fixes

These fixes address behavior specific to individual repository formats such as Docker, Maven, NuGet, Yum, APT, Helm, npm, Terraform, and RubyGems. The updates improve metadata accuracy, caching behavior, authentication handling, concurrency, and client compatibility to ensure predictable and standards-compliant interactions across all supported ecosystems.

Issue ID | Description

NEXUS-50951 | From Nexus Repository version 3.89.0+, newly created Docker repositories must use lowercase names. This fix allows users to edit, via the UI, the configuration of upgraded Docker repositories that have mixed/upper case naming.

NEXUS-50929 | Raw hosted repositories now support anonymous access to paths matching Terraform provider patterns when anonymous access is enabled globally.

NEXUS-50181 | Optimized Docker image retrieval by digest to achieve performance comparable to tag-based pulls.

NEXUS-50105 | Imported Docker images now maintain the correct content-type metadata for manifests and tags.

NEXUS-50056 | Corrected the Docker tags pagination Link header to include the complete repository path.

NEXUS-49785 | Enhanced Firewall quarantine checks for Docker proxy repositories to better handle concurrent pulls.

NEXUS-46841 | Improved Docker token handling to reliably process concurrent authentication requests.

NEXUS-50362 | Maven repositories now correctly return 404 responses for non-existent checksum signature files.

NEXUS-50243 | Corrected maven-metadata.xml generation in nested Maven groups.

NEXUS-44467 | Improved Maven POM uploads to correctly handle version numbers containing hyphens.

NEXUS-50205 | NuGet v3 search queries now correctly handle format-specific sorting parameters.

NEXUS-45352 | NuGet group repositories now retrieve cached packages from available proxy members.

NEXUS-44177 | NuGet v3 search queries now return locally cached replicated packages.

NEXUS-50153 | Yum group repositories now serve cached metadata during background regeneration.

NEXUS-49769 | Browse UI now removes outdated Yum metadata entries after repodata regeneration.

NEXUS-43881 | Improved cleanup of directory browse nodes in Yum repositories.

NEXUS-37102 | Optimized thread management in APT and Yum repositories to prevent blocking during concurrent operations.

NEXUS-23790 | The distribution field is now optional when configuring APT proxy repositories.

NEXUS-46491 | Helm repository metadata now updates correctly following database migration.

NEXUS-50706 | Improved cache invalidation for npm proxy repositories handling special-character package names.

NEXUS-50718 | Terraform hosted repositories now correctly generate and expose required provider metadata.

NEXUS-49752 | Firewall audits for RubyGems repositories now exclude metadata files from evaluation.

Search and Indexing

This set of fixes improves the accuracy, consistency, and performance of search operations. Enhancements address filtering logic, wildcard and token handling, database-specific behavior, and request optimization so that users and automation tools receive correct and complete results across deployment types.

Issue ID | Description

NEXUS-50711 | Checksum-based searches now correctly filter results when combined with repository or format parameters.

NEXUS-50435 | Improved search API handling of the prerelease parameter when using H2 databases.

NEXUS-49722 | Improved search tokenization to correctly index components with underscores in group names.

NEXUS-49164 | Enhanced search functionality in HA deployments to correctly handle wildcard queries with hyphens.

NEXUS-40204 | Optimized HEAD request handling in proxy repositories to improve response times.

High Availability, Clustering, and Concurrency

These updates strengthen reliability in clustered and high availability deployments. They resolve state consistency issues, improve concurrency handling, clarify clustering diagnostics, and reduce the likelihood of race conditions or configuration mismatches across nodes.

Issue ID | Description

NEXUS-50277 | Improved repository deletion in HA deployments to maintain consistent state across nodes.

NEXUS-50168 | Added warnings for unsafe file blob store paths in HA deployments.

NEXUS-48604 | Improved LDAP credential rotation handling in HA clusters.

NEXUS-46663 | Parallel API requests to create content selectors now complete successfully without race conditions.

NEXUS-40099 | Enhanced HA deployment log messages to clarify clustering configuration mismatches.

Blob Stores and Storage Management

These fixes focus on blob store validation, lifecycle management, and cleanup behavior. They improve correctness and resilience for both file- and S3-based storage, ensuring safe configuration, reliable deletion, and consistent data handling across UI and API operations.

Issue ID | Description

NEXUS-50503 | Improved credentials provider lifecycle management for S3 blob stores using AWS IRSA.

NEXUS-44209 | Compact blob store task now removes soft-deleted blobs after relocation.

NEXUS-37989 | Strengthened blob store name validation across UI and REST API operations.

NEXUS-28332 | Blobstore deletion now works correctly regardless of the chosen name.

Import, Export, and Migration

This group enhances upgrade, migration, import, and export workflows. The improvements ensure schema completeness, preserve metadata integrity, increase resilience to interruptions, and optimize performance when working with large or complex repositories.

Issue ID | Description

NEXUS-50612 | Upgrades from versions prior to 3.67.0 now include required database schema changes.

NEXUS-50402 | Asset import operations now preserve original uploader identity and IP address attributes.

NEXUS-45357 | Improved repository import process to handle non-UTF-8 metadata files.

NEXUS-42488 | Improved asset blob reference migration reliability after restarts or interruptions.

NEXUS-42251 | Optimized repository export prerequisite checks for large repositories.

NEXUS-34351 | Optimized import task performance for repositories with millions of flat-directory assets.

NEXUS-34303 | Database migrator now handles assets referencing missing components with improved logging.

NEXUS-42709 | Database migration logs now accurately reflect filtered records.

Security and Authentication

These changes improve system security posture and authentication reliability. They address third-party library vulnerabilities, permission model consistency, credential handling edge cases, and secure communication behavior across integrations and identity providers.

Issue ID | Description

NEXUS-50640 | SAML authentication now handles reverse proxy configurations that strip cookies during the identity provider redirect process.

NEXUS-49531 | Upgraded the CycloneDX core library to address an XML External Entity vulnerability.

NEXUS-47010 | Updated proxy repository authentication to properly handle passwords containing special characters.

NEXUS-47819 | Administrators can now remove all roles from SAML users through the API.

NEXUS-46805 | Simplified permission requirements for Content Replication configuration.

NEXUS-13303 | Improved email server connection handling to support plaintext SMTP when Trust Store is enabled.

UI, Permissions, and Usability

These fixes align user interface behavior with documented expectations and API behavior. They improve visibility, ordering, task reporting accuracy, and permission handling to create a more predictable and consistent administrative experience.

Issue ID | Description

NEXUS-50592 | Content selectors now appear in alphabetical order in the privilege dropdown.

NEXUS-48336 | Settings menu access now works correctly for users with nx-users-* privileges.

NEXUS-48281 | Task duration displays now reflect actual execution time.

NEXUS-40728 | Move Up and Move Down buttons now correctly reorder repositories in rebuild tasks.

Metrics, Logging, and Diagnostics

These updates enhance observability and troubleshooting. They improve log accuracy and persistence, align UI and API metrics, remove unused telemetry, and provide better diagnostic data to support operational monitoring and issue resolution.

Issue ID | Description

NEXUS-50133 | Support zip log truncation now retains the most recent log entries.

NEXUS-48701 | Removed the unused nexus_cluster.log file from deployments.

NEXUS-47716 | Metrics displayed in the UI now align with REST API values.

NEXUS-47618 | Removed unused S3 blob storage metrics from the Prometheus endpoint.

NEXUS-47362 | ROOT logger level settings now persist across system restarts.

NEXUS-46315 | Added JVM memory and garbage collection monitoring logs.

Configuration and Deployment

This category includes fixes that improve installation, configuration validation, and deployment workflows. The changes clarify documentation, prevent common misconfigurations, and ensure operator- and platform-based installations behave as expected.

Issue ID | Description

NEXUS-47399 | Corrected PostgreSQL configuration documentation examples.

NEXUS-45379 | H2 database backup task now trims whitespace from configured backup paths.

NEXUS-43752 | OpenShift Operator now correctly populates the ingress TLS hosts field.

Performance and Startup Optimization

These improvements reduce startup time and operational overhead. They streamline scheduler initialization and capability loading to help instances become fully operational more quickly after restart or configuration changes.

Issue ID | Description

NEXUS-46266 | Optimized Firewall Audit Capability initialization to reduce startup time.

NEXUS-50273 | Improved Quartz scheduler initialization to reduce restart delays.

Coming Soon

Change to Nexus Repository Docker Image Base and Tagging

As of 3.91.0, the base nexus3 image will be built off of alpine instead of ubi. This should be an invisible change for anyone using our image from dockerhub. If you are building an image off of our image, you will need to update your build process. Effective with 3.94.0, we will no longer publish new versions of the nexus3 image with the -ubi and -alpine suffix.

Change to Private Network Blocking Default Behavior

Sonatype Nexus Repository will soon block private networks by default. Customers are encouraged to review their configurations for any internal IP addresses or private network ranges and update them as needed to prevent service disruptions.

Note that this is a change to the default behavior only; you will still be able to configure this setting to allow private network access if your deployment requires it.

This update is designed to improve security by preventing unauthorized or unintended access from Nexus Repository to internal services. It helps protect production environments where repository administrators should not be able to connect to arbitrary internal endpoints.

Note that this was previously planned to become the default behavior in the 3.90.0 release; however, we have delayed its implementation to a future release.

Original source

What’s New and Noteworthy in This Release?

In Case You Missed It: New Instance Migrator

In Nexus Repository 3.90.2 (March 23, 2026), we introduced a new Instance Migrator, which allows those on OrientDB-based Nexus Repository 3.70.5 to migrate to either Nexus Repository Cloud or self-hosted version 3.90.2+ without downtime.

Migration preserves core configuration and repository data, enabling a seamless transition to a more scalable and supported architecture. See the Nexus Repository 3.90.2 release notes for high-level details and the Instance Migrator help documentation for an in-depth look at the migration process and requirements.

You can download the instance migrator for version 3.70.5 from the OrientDB Downloads page.

Docker Tagging Update for Nexus Repository Images

As of release 3.91.0, Sonatype Nexus Repository has updated its Docker image tagging strategy, making the Alpine-based image the default variant. With this change, the 3.91.0, 3.91.0-alpine, and latest tags now point to the Alpine image, while the 3.91.0-ubi tag continues to reference the UBI-based image. Shifting the default to Alpine lowers risk exposure and improves security posture for containerized deployments.

Support for Swift Group Repository Format

Sonatype Nexus Repository now supports Swift group repositories, enabling you to aggregate multiple Swift package sources into a single endpoint. This capability simplifies dependency management by allowing teams to configure a single repository URL while seamlessly pulling components from multiple hosted, proxy, or group repositories. By consolidating access, you can reduce configuration overhead and improve consistency across development workflows.

For full details, see the Swift Repositories help documentation.

Database Connection Pool Metrics Available Through the Metrics API

Sonatype Nexus Repository now exposes database connection pool metrics through the metrics API, providing visibility into active, idle, and pending connections. This enhancement allows administrators to better understand how database resources are utilized in real time, without requiring additional tooling or manual inspection.

Preserved Proxy Repository Configuration During Migration

Sonatype Nexus Repository now preserves authentication credentials and HTTP request settings when migrating proxy repositories from OrientDB to self-hosted instances. Key configurations, such as connection timeout, retry attempts, and user agent values, carry over automatically, reducing the need for post-migration setup and ensuring repositories remain operational immediately after migration.

If authentication credentials cannot be securely migrated due to missing encryption configuration, Nexus Repository removes only the credential details while retaining all other repository settings. This approach maintains repository integrity while prompting you to reconfigure sensitive information as needed.

Automated Yum Repository Metadata Regeneration

Sonatype Nexus Repository now automatically regenerates Yum repository metadata during repository migrations, including required files such as repomd.xml and associated .xml.gz files. This enhancement ensures migrated repositories remain complete and immediately usable, eliminating the need for manual metadata repair or post-migration steps.

Global Webhooks for Firewall Quarantine Events

Sonatype Repository Firewall now supports global webhooks for quarantine events, automatically notifying your systems when components are quarantined or blocked due to policy violations. This capability enables seamless, real-time integration with your existing security and DevOps workflows, reducing the need for manual monitoring.

Cloud-Native AWS Reference Architectures for Sonatype Nexus Repository

Sonatype is now providing new cloud-native AWS reference architectures for Sonatype Nexus Repository, replacing the legacy reference architectures 1–4. The updated set includes five right-sized deployment options (XS, S, M, L, and XL) designed to support a range of scalability and performance needs. Each architecture includes Terraform configurations to simplify provisioning and accelerate time to value, enabling teams to deploy Nexus Repository in AWS with greater consistency and reduced operational overhead.

These architectures are now published in the Platform Cloud-Native Reference Architectures section alongside the existing IQ reference architectures, reinforcing Sonatype’s platform-oriented approach. The Sonatype Platform AWS Reference Architectures landing page provides a high-level overview of each architecture with links to specific details for each option. The previous Nexus Repository reference architectures are now marked as "Legacy" and will be removed in a future release.

Bug Fixes

This section summarizes the bug fixes included in Nexus Repository 3.91.0, grouped by functional area to highlight the most relevant improvements. The updates focus on improving repository correctness, system stability, performance, and user experience, while also addressing edge cases across supported formats and deployment environments. Each category provides a high-level view of related fixes, with details for individual issues listed below.

npm and PyPI Fixes

These updates focus on improving metadata accuracy, caching behavior, and policy enforcement for npm and PyPI repositories. They address inconsistencies caused by filtering, improve logging visibility for policy decisions, and ensure repository responses remain correct and performant under concurrent and edge-case scenarios.

Docker Fixes

These fixes target Docker repository behavior, focusing on correctness, scalability, and standards compliance. They improve handling of large datasets, manifest and tag integrity, permission evaluation, and compatibility with modern OCI image formats.

Other Repository Format Fixes

These changes improve compatibility and correctness across a range of repository formats, including Maven, Terraform, Conan, Yum, and others. They address edge cases in metadata handling, packaging behavior, and protocol support to ensure consistent interactions with upstream tools and clients.

High Availability, Concurrency, and System Stability

These updates improve system resilience under load, particularly in high availability and multi-node environments. They address concurrency issues, reduce the likelihood of deadlocks or timeouts, and ensure consistent behavior during distributed operations and resource-intensive tasks.

Blob Stores, Storage, and Data Integrity

These fixes focus on improving reliability and correctness in storage-related operations, including blob store management, migrations, and data consistency. They help ensure accurate metadata, prevent data loss, and improve behavior during concurrent or complex storage operations.

UI, Permissions, and User Experience

These updates enhance usability and consistency across the user interface and permission model. They resolve visibility issues, improve navigation behavior, and ensure that access controls and UI elements behave predictably for different user roles.

Logging, Observability, and Diagnostics

These changes improve visibility into system behavior through enhanced logging and diagnostics. They make it easier to troubleshoot issues by providing clearer, more detailed log output and ensuring relevant operational events are properly recorded.

Authentication and Security

These fixes strengthen authentication flows and ensure accurate enforcement of access control policies. They address issues with session handling, role synchronization, and HTTP response codes to provide clearer and more secure behavior.

Search and Indexing

These updates improve the reliability and accuracy of search and indexing operations. They address performance limits, ensure correct query matching behavior, and guarantee that index updates are applied consistently before results are returned.

Scheduled Tasks and Background Jobs

These fixes improve the reliability and behavior of scheduled and background tasks. They ensure task configurations persist correctly, prevent failures during upgrades, and provide better resource management and visibility into task execution progress.

Coming Soon to Sonatype Nexus Repository

Transition to Alpine-Only Docker Images (UBI Deprecation Notice)

Starting with Sonatype Nexus Repository 3.94.0, the Alpine-based image will become the sole supported variant, with both the 3.94.0 and latest tags pointing to Alpine. Version 3.93.x will be the final release to include the -ubi tag, providing a transition window for teams that still rely on the UBI-based image.

Original source

Important

The Nexus Repository 3.70.x line is the last release line to support OrientDB. If you must remain on OrientDB, you will need to remain on our 3.70.x release line until you can migrate to H2 or PostgreSQL.

As of January 9, 2026, OrientDB is considered officially sunset.

What's New in 3.70.5?

Released March 23, 2026

Here's what's new in 3.70.5:

New Instance Migrator Helps You Move to Nexus Repository Cloud or the Latest Self-Hosted Release Without Downtime

Sonatype Nexus Repository now provides a migration path from OrientDB 3.70.5 to modern, supported platforms without requiring service interruption. With the new Instance migrator, you can migrate to either of the following without downtime:

• Nexus Repository Cloud
• Nexus Repository self-hosted version 3.90.2+

Migration preserves core configuration and repository data, enabling a seamless transition to a more scalable and supported architecture.

Key Capabilities

• Preserves repository data and configuration

Migrates hosted repository content, repository configurations, and associated settings to the target environment.

• Maintains user and access configurations

Transfers users, roles, and authentication mappings to ensure continuity of access control.

• Secure handling of sensitive data

Encrypts and transfers secrets using supported security standards during migration.

• Automated validation checks

Prevents invalid configurations, such as missing blob stores, and provides clear feedback during migration.

• No service interruption

Keeps your source instance online and operational throughout the migration process.

Important Migration Requirements

• Blob stores must exist on the target instance

Create blob stores in the target environment before migration. Do not reuse storage locations from the source instance.

• Shared storage is not supported

Using the same S3 bucket, Azure container, or file path across source and target instances can lead to data corruption.

• LDAP/Crowd users require external server configuration

While user tokens and role mappings for LDAP/Crowd users will migrate successfully, the target instance must be manually configured to connect to the same external authentication servers for these users to authenticate after migration.

• Some configurations require manual setup

SSL/TLS certificates export from the source but may require manual import configuration on the target instance depending on your environment.

• Proxy/group repository cached content does not migrate

Only hosted repository content is migrated.

For full migration requirements and process details, see the Instance Migrator help documentation. You can download the instance migrator for version 3.70.5 from the OrientDB Downloads page.

What's New in 3.70.4?

Released February 13, 2025

Here's what's new in 3.70.4:

New Docker Tag for 3.70.x Releases

Sonatype Nexus Repository now publishes a latest-3.70.x tag on Docker Hub for the 3.70.x OrientDB releases. This tag ensures that customers using the 3.70.x series can consistently pull the most recent version without affecting deployments that rely on the main latest tag.

Bug Fixes

Sonatype Nexus Repository release 3.70.4 fixes multiple bugs. See the Bug Fixes section for details.

What's New in 3.70.3?

Released October 10, 2024

Sonatype Nexus Repository 3.70.3 fixes two cleanup policy-related bugs. We switched the order of staging delete and move operations to avoid a concurrency issue when running staging move and cleanup tasks at the same time. We also resolved an issue that was preventing the option to retain a select number of previous versions when running cleanup from working as expected.

• Upgraded protobuf-java from 1.36.0 to 3.25.5
• Upgraded pax-url-aether from 2.6.7 to 2.6.12

What's New in 3.70.2?

Released September 3, 2024

Sonatype Nexus Repository 3.70.2 fixes a Database Migrator issue that caused some customers to see duplicate key errors after migrating from OrientDB to H2. Both Pro and OSS users seeking to migrate from OrientDB to H2 should now upgrade to 3.70.2 and then use the 3.70.2 Database Migrator to move to H2.

• Upgraded axios back to 1.6.4

What’s New in 3.70.1?

Released July 10, 2024

Sonatype Nexus Repository 3.70.1 fixes an issue that broke UI functionality in instances using a custom context path. This issue only impacted the UI and did not impact other functionality (e.g., requests for components). Sonatype Nexus Repository deployments should upgrade to 3.70.1 when possible.

• downgraded axios to 0.27.2 to address the issue

What’s New in 3.70.0?

Released July 9, 2024

Here's what's new in Nexus Repository 3.70.0.

H2 Database Upgraded to Version 2.2.244

Tip

Required Action Before Upgrading

If you are using an H2 database, you must use the Admin - Export SQL database to script task (released in 3.69.0) to create a SQL script export of your H2 database before upgrading to Nexus Repository 3.70.0. This means you must upgrade to 3.69.0 before upgrading to 3.70.0.

In release 3.70.0, we have upgraded Sonatype Nexus Repository’s embedded H2 database to use version 2.2.244. As there are considerable changes between version 1.4.200 and 2.2.244, those using an H2 database will need to take some additional steps to upgrade to Nexus Repository 3.70.0.

In release 3.69.0, we added an Admin - Export SQL database to script task you can use to create a SQL script export of your H2 database. If you are using an H2 database, you will need to run this task and follow our H2 upgrade instructions in order to upgrade to release 3.70.0. This means that you must upgrade to version 3.69.0 before upgrading to 3.70.0.

You can learn more about the differences between the H2 1.x and 2.x version lines in the H2 documentation.

If you are unsure what database your deployment is using, follow the help documentation for determining your current database.

Create and Manage Cleanup Policies via New REST API (Pro Only)

Administrators can now create and manage cleanup policies using the REST API, making it easier to enhance automation in your DevOps workflows and take advantage of a powerful Nexus Repository feature without having to access the user interface.

The new API allows you to retrieve, create, update, and delete cleanup policies. Learn more in our Cleanup Policies API documentation.

This feature was made possible through your feedback in the Sonatype Ideas portal.

Create and Manage Tasks via API (Pro Only)

Administrators who prefer to work via API instead of the user interface can now create, update, and delete tasks through new endpoints in the Tasks REST API. Learn more in our updated Tasks API documentation.

This feature was made possible through your feedback in the Sonatype Ideas portal.

Retrieve and Set IQ Audit and Quarantine Statuses via API (Pro Only)

Sonatype Nexus Repository deployments that are also using Repository Firewall can now leverage Nexus Repository’s IQ REST API to retrieve and set audit and quarantine statuses for repositories. This allows administrators to configure further automation of CI/CD pipelines. Learn more in our updated IQ API documentation.

This feature was made possible through your feedback in the Sonatype Ideas portal.

New Database Migrator Flow

We have changed our Database Migrator flow to improve performance and reliability. Check out our help documentation for the new steps for migrating your database.

OrientDB, Java 8, and Java 11 Enter Extended Maintenance

Release 3.70.0 marks a turning point for Sonatype Nexus Repository as it is the final release that will include OrientDB alongside H2 and PostgreSQL. Starting in August 2024, OrientDB, Java 8, and Java 11 will all enter extended maintenance as defined in our Sunsetting documentation. Release 3.71.0+ will require either an H2 or PostgreSQL database and Java 17.

Note

Note that both H2 and PostgreSQL are currently only available to Pro customers. We expect to announce a new database option for OSS customers and will provide detailed migration paths in our August 2024 release.

Sonatype is invested in continually improving our solutions to take advantage of newer, more advanced technologies. As such, we are strategically moving away from legacy technologies like OrientDB, Java 8, and Java 11 and investing in supporting newer database options and Java versions. Moreover, Sonatype has observed data integrity problems in some deployments using OrientDB.

As migrating to H2 or PostgreSQL can take some time and planning, Sonatype will continue to provide security patches and critical bug fixes to release 3.70.0 while it is in extended maintenance. We encourage Sonatype Nexus Repository Pro customers using an OrientDB database to follow our documentation for migrating to H2 or PostgreSQL.

Dependency Updates in 3.70.0

• commons-io upgraded to 2.15.0
• org.apache.commons: commons-compress upgraded to 1.26.1
• com.h2database : h2 upgraded to 2.2.224
• axios upgraded to 1.6.4 (Note: this update was reverted in Nexus Repository 3.70.1)

Bug Fixes

Bug fixes in Nexus Repository 3.70.x.

[Issue ID] [Description]

NEXUS-45471 (Release 3.70.4) Resolved an issue that impacted Azure blob store users where attempting to download binary files exceeding 2GB could cause Nexus Repository to become unresponsive.
NEXUS-45363 (Release 3.70.4) Resolved an issue that prevented the Retain Select Versions Cleanup Policy option (PostgreSQL-only) from displaying in the UI.
NEXUS-45286 (Release 3.70.4) OrientDB users are now able to create and edit cleanup policies as expected.
NEXUS-45283 (Release 3.70.4) Improved the responsiveness of Nexus Repository when interacting with Azure blob storage in HA environments by adding timeouts to prevent delays.
NEXUS-44780 (Release 3.70.4) The Number of Versions option now displays as expected in the user interface when creating a Docker cleanup policy.
NEXUS-44578 (Release 3.70.4) Enabling/disabling a capability on one node in an HA cluster enables/disables it on other nodes as well and no longer results in a deadlock in some cases.
NEXUS-44351 (Release 3.70.4) Database Migrator - Improved logging for filtered assets.
NEXUS-43764 (Release 3.70.4) After migrating from OrientDB to PostgreSQL, the browse rebuild task only runs once.
NEXUS-43758 (Release 3.70.4) After migrating to a PostgreSQL database, the search rebuild index task only runs once.
NEXUS-39919 (Release 3.70.4) Users can search using the REST API or UI for components and assets as long as they have nx-search-read and nx-repository-view---browse permissions. Note that NuGet v2 does not need browse for searching while NuGet v3 does.
NEXUS-44370 (Release 3.70.3) Switched order of staging delete and move operations to avoid a concurrency issue when running staging move and cleanup unused asset tasks at the same time.
NEXUS-43516 Database Migrator version 3.70.1 - Resolved an issue that was causing some OrientDB to Postres migrations to fail with an error when a Maven2 repository contained npm assets.
NEXUS-44337 (Release 3.70.3) Resolved an issue that was preventing the option to retain a select number of previous versions when running cleanup from working as expected.
NEXUS-43935 (Release 3.70.2) Resolved a Database Migrator issue that was causing some users to see duplicate key errors after migrating from OrientDB to H2.
NEXUS-43523 (Release 3.70.1) Fixed an issue that broke UI functionality in instances using a custom context path. This issue only impacted the UI and did not impact other functionality (e.g., requests for components).
NEXUS-43307 Updated documentation to accurately state that access to SAML UI and API requires nx-all privileges.
NEXUS-43004 Errors will no longer be seen in HA mode.
NEXUS-42854 The npm view command works as expected for scoped packages.
NEXUS-42336 Database records that cause exceptions during database migration are appropriately logged.
NEXUS-39818 Running npm audit should no longer result in unexpected exceptions.
NEXUS-39799 In Yum repositories, all pathnames in the filelist.xml.gz file are properly escaped.
NEXUS-39462 If an asset’s format is incorrect, the Database Migrator will continue with migration and skip corrupted records.
NEXUS-22888 Added componentId validation when trying to view an asset that does not have a component. If the componentId is an empty string, string of blank spaces, null, or undefined, then the LifeCycle Component panel is not displayed.

Original source

Known Issue in Sonatype Nexus Repository 3.89.0 - 3.89.1

Sonatype is aware of an issue in Sonatype Nexus Repository versions 3.89.0 - 3.89.1 where using the Admin - Remove a member from a blob store group task on a blob store group can cause moved blobs to become unreachable.

This issue is fixed in Nexus Repository 3.90.0. Upgrade to version 3.90.x before running the Admin - Remove a member from a blob store group task.

What's New and Noteworthy in 3.89.1?

Released February 11, 2026

Sonatype Nexus Repository release 3.89.1 fixes the following bugs:

• NEXUS-50621: Metadata generation for hosted APT repositories now correctly includes all applicable package versions in Packages files, ensuring clients receive complete and accurate repository metadata.
• NEXUS-50490: The LDAP configuration REST API now properly handles authentication password parameters when creating LDAP server connections.
• NEXUS-50487: The LDAP configuration API now correctly handles updates when using URL-encoded connection names in REST API requests.
• NEXUS-50473: User access to group repositories now correctly inherits read and browse permissions from member repositories, with consistent enforcement of content selectors across authorization checks and Browse previews.
• NEXUS-50338: LDAP configuration updates via REST API now reliably preserve all required fields during credential rotation and server configuration changes.
• NEXUS-48604: Enhanced LDAP credential rotation in High Availability clusters to ensure cache synchronization across all nodes when updating bind credentials.

What’s New and Noteworthy in 3.89.0?

Released February 3, 2026

Known Issue in Sonatype Nexus Repository 3.89.0

Sonatype is aware of an issue in release 3.89.0 that affects APT hosted repositories. Repository metadata may be incomplete or incorrect, even though all packages exist in the repository.

If you rely on APT hosted repositories, we recommend delaying your upgrade to 3.89.0 until a fix is available.

Support for Swift Proxy Repository Format

Sonatype Nexus Repository now supports the Swift proxy repository format, enabling teams to integrate Swift Package Manager (SPM) into their existing repository management workflows.

Nexus Repository provides a registry-based alternative to SPM’s traditional Git-based dependency resolution, offering an HTTP- and JSON-driven approach to discovering, resolving, and consuming Swift packages. This allows organizations to centralize access to public Swift packages, reduce reliance on external Git hosting services, and improve build performance through caching and reuse of dependencies.

Swift proxy repositories are available in both Pro and Community editions. Teams can apply enterprise controls such as access management and auditing while continuing to support both registry-based dependencies (available with Swift 5.7 and later) and Git-based dependencies.

For full details, see our Swift Repositories help documentation.

Support for Terraform Hosted Repository Format

Sonatype Nexus Repository now extends its Terraform support to include hosted repositories. With hosted Terraform repositories, you can centrally distribute Terraform modules as versioned source archives and platform-specific binaries as well as Terraform providers packaged as .zip files. This enables teams to securely host internally developed Terraform assets and reduce reliance on external sources.

This enhancement also streamlines provider management by automatically generating required provider metadata, checksum files, and GPG signatures, while supporting multiple provider versions and incremental platform uploads. Repository-level permissions allow you to control access to Terraform content, and full REST API support makes it easier to automate repository and artifact management as part of your infrastructure-as-code workflows.

For full details, see our Terraform Repositories help documentation.

Expanded Authentication Options for Terraform

Sonatype Nexus Repository now enables access to Terraform repositories through expanded authentication support.

Terraform repositories can now be accessed using anonymous access when enabled, allowing unauthenticated clients to discover and retrieve provider versions without authorization failures.

In addition, authentication logic now correctly validates Base64-encoded username and password tokens, allowing Terraform clients to authenticate successfully without relying on Pro-only user tokens.

Improved User Interface Performance and Faster Page Loads

This release significantly improves the Sonatype Nexus Repository user interface by reducing initial page load times and making the application more responsive. Improvements include decreased bandwidth usage and improved caching efficiency, resulting in a more scalable, modern UI that performs consistently for users regardless of location or deployment size.

Change in Permissions for Executing Rolling Upgrades

The ability to inspect and execute rolling (i.e., zero-downtime) upgrades is now available to users with the nx-atlas-all privilege. This change simplifies access control by reducing the permissions required to manage rolling upgrades, enabling more teams to perform upgrade operations without expanding administrative privileges while still maintaining a secure deployment model.

Breaking change: SAML login requires SAML2_AUTH_REQUEST cookie

Starting in Sonatype Nexus Repository 3.89.0, SAML authentication requires the SAML2_AUTH_REQUEST cookie to complete the login flow. Environments, infrastructure, or browser configurations that block third-party cookies can prevent this cookie from being set, causing SAML login to fail after upgrade. Before upgrading, ensure that policies or browser settings allow the SAML2_AUTH_REQUEST cookie so that SAML authentication continues to function as expected.

Bug Fixes

This release delivers a wide range of fixes and improvements. For better readability, we’ve organized these improvements into logical sections below.

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1

There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.

This issue is fixed in version 3.90.0. Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

Repository Storage, Uploads, and Data Integrity

This release includes several important improvements to how repositories handle data at scale, with a focus on stability, performance, and correctness during heavy operations. Changes address memory pressure during large uploads, race conditions during repository lifecycle events, safer execution of repair tasks, and more resilient database migrations and restores. Together, these fixes reduce the risk of outages, unexpected data loss, and failures during upgrades or maintenance in large or high-concurrency environments.

Formats and Ecosystem-Specific Fixes

A wide range of format-specific fixes improve reliability, performance, and standards compliance across supported ecosystems. Package managers such as APT, NuGet, npm, Maven, Docker, PyPI, Terraform, Conan, and Yum all benefit from targeted updates to metadata handling, search behavior, proxying, and rebuild logic.

Notably, Yum has received several improvements over the last couple of releases, including better metadata rebuild performance, safer handling of invalid group metadata, clearer diagnostics, and more efficient XML merging, resulting in more predictable behavior for large or complex Yum repositories.

Search, Browse, and Indexing

Search and browse functionality has been refined to be more accurate, predictable, and scalable, particularly in HA and large-repository environments. These changes improve filtering correctness, restore expected matching semantics, eliminate silent result truncation, and harden APIs against invalid requests. Performance optimizations also reduce the likelihood of failures during search rebuild tasks and high-volume query scenarios.

Security, Permissions, and Access Control

Several fixes improve how Nexus Repository evaluates permissions and access rules, both in terms of correctness and performance. Updates ensure that permission checks behave consistently across the UI and APIs, reduce authorization overhead in environments with frequent access checks, and ensure group repositories properly reflect the availability state of their members.

High Availability, Clustering, and Operations

HA and clustered deployments benefit from improved coordination, consistency, and operational safety. Fixes address credential synchronization across nodes, reduce migration-related memory issues, and improve the reliability and predictability of Helm-based HA deployments. These changes help ensure smoother upgrades and more stable behavior in multi-node environments.

UI and User Experience

User-facing workflows have been polished to remove friction, prevent common errors, and improve clarity. These updates include safer handling of whitespace in repository configuration, restored or simplified UI controls, and fixes to edge cases that could cause confusing behavior after session timeouts or during repository creation.

Logging, Monitoring, and Diagnostics

Logging and diagnostic output has been refined to be more actionable and less noisy. Improvements include clearer upgrade and metadata warnings, better visibility into long-running operations, consolidated request logging, and more informative startup and shutdown messages. These changes make it easier to troubleshoot issues and understand system behavior in production environments.

Tasks, Cleanup, and Maintenance

Maintenance and background tasks are now more resilient and resource-efficient, particularly when operating on large datasets. Enhancements ensure cleanup and repair tasks behave safely when encountering unexpected states, reduce memory usage during intensive operations, and improve overall system stability during scheduled or manual maintenance activities.

Documentation and API Fixes

Documentation and API examples have been corrected to better reflect supported behavior and real-world usage. These fixes remove misleading parameters and ensure example requests are accurate and usable, helping users avoid configuration errors and reducing friction when integrating with Nexus Repository programmatically.

Coming Soon to Sonatype Nexus Repository

Change to Nexus Repository Docker Image Base and Tagging

As of 3.91.0, the base nexus3 image will be built off of alpine instead of ubi. This should be an invisible change for anyone using our image from dockerhub. If you are building an image off of our image, you will need to update your build process. Effective with 3.94.0, we will no longer publish new versions of the nexus3 image with the -ubi and -alpine suffix.

Original source

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1

There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.

This issue is fixed in version 3.90.0.

Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

Possible Need to Rebuild Search Index

Search in High Availability (HA) environments is now case-insensitive for component and asset fields. However, components indexed using earlier versions may not appear in search results if they contain uppercase characters.

To ensure complete and accurate search results, manually run the Repair - Rebuild repository search task for any affected repositories after upgrading.

What's New and Noteworthy in 3.85.1?

Released January 15, 2026

Repair - Execute Data Repair Plan Task Disabled

To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, this release disables the Repair - Execute Data Repair Plan task by default.

Attempting to run this task will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.

While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.

We will announce when it is safe to re-enable this task in a future release note.

What’s New and Noteworthy in 3.85.0?

Released October 7, 2025

Predictable S3 Bucket URLs for Nexus Repository Cloud

Sonatype Nexus Repository Cloud now supports predictable S3 bucket URLs for binary downloads, making it easier for teams to configure and manage outbound traffic rules in their tenants.

This update introduces a standardized URL format that includes region and tenant identifiers. With this structure, you can quickly identify and allow necessary traffic from Nexus Repository Cloud without relying on dynamic URLs. This is especially useful in tightly controlled network environments where pre-approving outbound traffic is required.

For more details, see the Nexus Repository Cloud help documentation.

Firewall API Endpoint Alignment

The Firewall API now consistently uses the /api/v2/firewall/ path for all but the malware defense-specific endpoints. Previously existing /api/v2/malware-defense/ paths remain supported for backward compatibility.

The /api/v2/malware-defense/evaluate API continues to be available and uses malware-defense in its path.

Bug Fixes in 3.85.1

Issue ID

Description

• NEXUS-50152
  The blob attribute loading process no longer deletes properties files on transient I/O errors or unhandled exceptions.

Bug Fixes in 3.85.0

Note

A bug in the UI has been reported where the Upload Component button is missing when browsing repositories. This issue will be fixed in later updates.

Issue ID

Description

• NEXUS-17448
  Calls to the Crowd user manager are now skipped when Crowd is not configured. Related log messages have been downgraded from WARN to DEBUG.
• NEXUS-41430
  Audit log messages for asset update and delete events now include the full path to the corresponding blob within the blobstore.
• NEXUS-42187
  The Use Nexus truststore checkbox in repository settings is now editable in the UI for users with nx-repository-admin privileges.
• NEXUS-44626
  The Repository - Import external files task now successfully recognizes network-mounted drive paths when Nexus Repository is running as a Windows service.
• NEXUS-44791
  The application now uses the HOSTNAME environment variable as the primary source for determining the hostname, preventing unnecessary error logs during startup in containerized HA environments.
• NEXUS-45297
  APT snapshots for non-flat repositories now include by-hash metadata files generated from stored asset checksums, ensuring full compatibility with Ubuntu 24.04 and allowing functional snapshot usage.
• NEXUS-45343
  RubyGems uploaded via the UI or REST API are now correctly included in the specs.4.8.gz file.
• NEXUS-45370
  Improved logs for quarantined npm and PyPI package versions.
• NEXUS-45788
  The search assets API now correctly supports sorting by the last_updated field.
• NEXUS-45844
  NuGet V2 proxy repositories no longer throw a java.lang.IllegalStateException: Duplicate key during package restore operations.
• NEXUS-45943
  Modified how secret mappings are handled in the Helm chart to prevent volume binding failures during deployment.
• NEXUS-45973
  Re-enabled SHA1 encryption in the Nexus Repository Docker image to restore compatibility with Azure-hosted PostgreSQL instances and other external services that still rely on SHA1-based certificates.
• NEXUS-46115
  Uploading to a NuGet group repository now correctly returns a 405 response.
• NEXUS-46127
  Addressed a UI error that could occur after session timeouts, preventing crashes when returning to an inactive tab.
• NEXUS-46281
  Database migrations now correctly set the id column in the docker_foreign_layers table to an integer type, preventing data conversion errors when retrieving Docker layers after migrating between H2 and PostgreSQL.
• NEXUS-46487
  The Admin - Change repository blob store task now preserves the original blobCreated timestamp.
• NEXUS-46507
  The Format field is no longer required when editing Repository Content Selector privileges.
• NEXUS-46697
  APT staging moves now correctly update metadata in both source and target repositories.
• NEXUS-46966
  Logger name inputs are now validated to prevent invalid characters or formatting.
• NEXUS-47019
  Added additional logging to improve visibility into search index purge operations triggered by component deletions.
• NEXUS-47022
  APT metadata is now automatically updated when components are removed by cleanup policies, ensuring metadata reflects the current state of hosted repositories.
• NEXUS-47364
  The INSTALL4J_ADD_VM_PARAMS environment variable is now safely quoted during processing to prevent errors when it includes special characters.
• NEXUS-47406
  Conan search results are now correctly scoped to the specified repository.
• NEXUS-47446
  Composer proxy repositories now correctly handle packages with missing metadata.
• NEXUS-47512
  The tagging UI now uses pagination to efficiently load and display tag data.
• NEXUS-47652
  Selecting the Nexus Repository logo in the UI now correctly redirects to the configured nexus-context-path.
• NEXUS-47770
  Startup messages about unknown or obsolete capability types are now logged at the INFO level instead of WARN, reducing unnecessary alerts for expected conditions.
• NEXUS-47851 & NEXUS-48501
  Components removed from Sonatype Nexus Repository by a clean-up policy are now correctly removed from the Sonatype Repository Firewall quarantine list.
• NEXUS-47948
  The Plan Repair and Execute Repair tasks no longer appear in Nexus Repository Cloud deployments.
• NEXUS-48106
  YUM group metadata is now properly shared across nodes in an HA cluster after repository membership changes, preventing repeated and unnecessary remerging of repomd.xml during cross-node requests.
• NEXUS-48162
  HA search is now case-insensitive by default.
• NEXUS-48509
  Changing the Maximum Connection Pool Size setting no longer puts Nexus Repository into an invalid state, ensuring the application remains available without requiring a restart.
• NEXUS-48511
  Uploads to hosted repositories backed by group blob stores now defer makeBlobPermanent to member stores, eliminating unnecessary blob copying and improving performance.
• NEXUS-48564
  The root.level system property is now correctly honored at startup, allowing debug logging to be enabled before Nexus Repository initializes.
• NEXUS-48573
  Made change to improve the Admin - Compact Blob Store task performance.
• NEXUS-48595
  Using the nexus.blobstore.get.maxRetries=0 property no longer prevents file uploads by ensuring the blob retrieval logic executes at least once before retry handling begins.
• NEXUS-48602
  The internal node heartbeat cleanup task no longer fails with SQL syntax errors.
• NEXUS-48644
  Logging out of the Nexus Repository user interface now correctly ends the session in HA environments.

Original source

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1

There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.

This issue is fixed in version 3.90.0.

Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

Known Issue in Sonatype Nexus Repository 3.87.0 - 3.87.2

Sonatype is aware of an issue impacting Sonatype Nexus Repository 3.87.0 - 3.87.2 High Availability (HA) deployments that use group blob stores created using the REST API. After upgrading, the Blob Stores page can fail to load, and errors are logged during startup.

If you are using Nexus Repository in an HA configuration and have configured group blob stores via API, we recommend delaying your upgrade to 3.87.0 - 3.87.2 until a fix is available.

What's New and Noteworthy in 3.87.2?

Released January 15, 2026

Repair - Execute Data Repair Plan Task Disabled

To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, this release disables the Repair - Execute Data Repair Plan task by default.

Attempting to run this task will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.

While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.

We will announce when it is safe to re-enable this task in a future release note.

Bug Fixes in 3.87.2

Issue ID
Description
NEXUS-50152
The blob attribute loading process no longer deletes properties files on transient I/O errors or unhandled exceptions.

What's New and Noteworthy in 3.87.1?

Released December 8, 2025

Multiple Bug Fixes

This release contains multiple bug fixes impacting release 3.87.0:

Issue ID
Description
NEXUS-49788
Restored a missing Netty class dependency that was required for Azure client initialization. Sonatype Nexus Repository instances using Azure blob store now start as expected.
NEXUS-43821
The Compact Blob Store task now gracefully handles 404 responses from Azure during deletion, allowing the task to continue when a blob is already missing instead of marking the task as failed.

What’s New and Noteworthy in 3.87.0?

Released December 2, 2025

Java 21 Now Minimum Required Java Version

Java 21 is now the minimum required version for running Sonatype Nexus Repository. All official Docker images and installers have been updated to include Java 21 by default, ensuring compatibility with the latest platform improvements and long-term support standards.

Change Impacting Non-AWS S3 Blob Stores

Starting with Nexus Repository Manager 3.87.x, the AWS SDK used for S3 blob stores has been upgraded from version 1.12.658 to 2.33.5 because the AWS SDK for Java 1.x reaches end of life on December 31, 2025.

This change impacts users of non-AWS S3–compliant blob stores. Customers using S3-compatible storage should review compatibility with AWS SDK for Java 2.x when upgrading.

For example, Dell S3-compatible storage is currently incompatible with the latest AWS SDK.

Adjustments to Community Edition Usage Limits

To better align with our goals of supporting individual developers and small teams, Sonatype Nexus Repository Community Edition now supports up to 40,000 total components and 100,000 requests per day. These adjustments ensure consistent, reliable performance for intended use cases and help maintain Community Edition’s long-term sustainability.

When either threshold is exceeded, the addition of new components will pause until usage returns below both limits. This behavior helps safeguard performance and provides a clear signal that your development needs may benefit from the scalability and enterprise features offered in Sonatype Nexus Repository Pro.

Administrators can continue to monitor usage through the Usage Center. For details on interpreting usage and planning for growth, refer to the Usage Center documentation.

Repository Firewall Supports Release Integrity for NuGet

Repository Firewall now extends Release Integrity protection to NuGet components. This enhancement allows teams using NuGet to benefit from Sonatype’s analysis, which flags suspicious or malicious component behavior and automatically quarantines high-risk releases. By broadening ecosystem coverage, this update helps secure .NET development pipelines against emerging supply chain threats with minimal manual effort.

For full details, see the Release Integrity help documentation.

New Configuration API for Instance Configuration and Metadata Migration

A new Configuration API is now available to support configuration management and metadata migration between Nexus Repository instances. This API enables you to programmatically export and import repository configuration and retrieve or migrate asset metadata, making it easier to automate and streamline tasks such as environment setup, backup, and migration.

For details on available endpoints and usage examples, refer to the Configuration API documentation.

Modernized Login Experience

This release introduces a redesigned login experience that delivers a consistent, modern interface that aligns with enterprise accessibility standards.

OAuth2 Realm Now Enabled by Default with JWT

In Sonatype Nexus Repository Pro, the OAuth2 realm is now automatically enabled when nexus.jwt.enabled is set to true, either by default in high availability (HA) deployments or when manually configured in the nexus.properties file. This update ensures a smoother out-of-the-box experience for environments using token-based authentication and reduces the need for manual security realm configuration.

Bug Fixes in 3.87.0

This release includes a wide range of stability, performance, and usability improvements across Sonatype Nexus Repository. For better scannability, we've broken our bug fix listings into categories:

Repository and Format-Specific Fixes

Issue ID
Description
NEXUS-49171
APT repository metadata is now properly updated in both the source and target hosted repositories after performing a component move via the REST API.
NEXUS-48894
Docker pull requests against repositories with Repository Firewall enabled no longer fail due to a missing base URL; the system now derives it from the inbound request instead of requiring manual configuration.
NEXUS-48777
Docker login requests now succeed for users with access to at least one Docker repository, even when path-based routing is enabled.
NEXUS-48729
Deleting an individual npm metadata asset from the Browse page now correctly updates the UI without falsely indicating that the entire package directory has been removed.
NEXUS-48561
The proprietary component synchronization process now excludes orphaned Maven components without assets, preventing unintended quarantining of valid open source components.
NEXUS-48463
Routing rules now apply correctly to Huggingface proxy repositories.
NEXUS-48330
Nexus Repository now correctly caches and reuses remote ETags for npm package root requests when PCCS is enabled.
NEXUS-48259
Nexus Repository now consistently serves PyPI package metadata for proxy repositories protected by PCCS, regardless of whether the request URL includes a trailing slash.
NEXUS-48000
APT hosted repositories now generate Filename fields in metadata without a leading slash.
NEXUS-47603
Scoped npm packages in hosted repositories now appear with their full names (including the scope prefix) in search results.
NEXUS-47551
Outbound requests for scoped npm packages now correctly encode slashes, ensuring compatibility with strict registries and restoring support for scoped package installs in environments that require encoded URLs.
NEXUS-47148
Added validation for Composer package distribution types to prevent errors when processing certain upstream package metadata.
NEXUS-45796
Tag association requests in Sonatype Nexus Repository no longer return 404 errors immediately after uploading a component.
NEXUS-42101
Ensured that group-level maven-metadata.xml files are updated correctly when a version is deleted from a member repository.
NEXUS-36481
Docker group repository searches now handle invalid responses from member proxy repositories more gracefully.
NEXUS-27439
Anonymous access settings for Docker repositories in Sonatype Nexus Repository now correctly respect per-repository configurations, ensuring global anonymous permissions no longer override repository-level restrictions.

User Experience and Access Control

Issue ID
Description
NEXUS-49753
Repository permission checks now defer evaluation of content selectors using the path variable to the asset level, restoring search and tag operations that failed after upgrading to 3.86.0 - 3.86.2.
NEXUS-49653
Authenticated users who navigate to the /saml endpoint are now automatically redirected to the application home page.
NEXUS-48888
Search queries containing slashes (/) now correctly encode the character, preventing 404 errors.
NEXUS-48889
Search queries using double quotes for exact matches now return correct results in High Availability (HA) Sonatype Nexus Repository deployments, aligning behavior with documented expectations.
NEXUS-48542 & NEXUS-48540
New login experience properly handles deep links. Users who log in with a username and password are now correctly redirected to their intended destination after authentication.
NEXUS-48410
The Blob Stores UI now displays Used Size instead of Total Size to more accurately reflect current storage usage and reduce confusion for administrators.
NEXUS-47018
Anonymous users with only nx-search-read and nx-repository-view---browse privileges can now successfully perform search operations as expected.
NEXUS-46707
The licensing UI now displays a more accurate message when updating a license, clarifying that a restart is only required if installing a license for the first time.
NEXUS-44162
The Blob Store and Repositories pages now display a "Calculating..." message while metrics are still being processed after a database migration.
NEXUS-43689
Creating LDAP server connections via the Swagger UI now works as expected.
NEXUS-27044
Enhanced LDAP logging to include full exception details and complete query information.
NEXUS-25658
Users only need edit and read privileges for a specific repository to access the Invalidate Cache button.

Blob Store and Storage Management

Issue ID
Description
NEXUS-49200
You can no longer accidentally create blob stores with invalid names via the API.
NEXUS-49091
Cleanup policies now properly delete components when using the H2 database.
NEXUS-49031
Corrupted or unreadable blob properties files are now automatically deleted across all supported blob stores, allowing recovery tasks to proceed and preventing component download failures.
NEXUS-48143
Improved error handling in file and S3 blob stores now suppresses misleading warnings when simultaneous requests temporarily fail to update blob property files.
NEXUS-48087
Repository deletions now complete successfully even when group cleanup operations encounter issues; affected groups are logged for review.
NEXUS-47545
Failures during S3 blob store creation are now logged at the error level with full exception details, making it easier to diagnose issues without requiring debug-level logging.

Performance, High Availability, and Scalability

Issue ID
Description
NEXUS-49043
Improved performance of the Users page by optimizing role mapping queries to prevent timeouts in environments with a large number of user roles.
NEXUS-49032
Support zip generation no longer logs serialization errors or truncates logs when SAML is configured.
NEXUS-48160
Task-specific log files are now preserved when deploying via Helm charts, improving troubleshooting by maintaining separate logs per task type while still supporting the combined allTasks.log output for Kubernetes environments.
NEXUS-47926
Improved the asset export task to gracefully handle missing blobs by skipping over them and logging warnings, allowing the export to complete successfully even if some blobs are unavailable.
NEXUS-47826
Improved reliability of the rolling upgrade process by preventing timeouts during schema changes from leaving the system in a failed or partially upgraded state.
NEXUS-42345
Added a global configuration option to control URL escaping behavior for proxy repositories. Details are included in the Configuring the Runtime Environment help documentation.
NEXUS-40172
The nodeHeartbeatExport.json file is now compressed as a ZIP archive, significantly reducing its size and making it easier to manage during support zip generation and HA troubleshooting.
NEXUS-21637
Improved support zip generation to prevent duplicate file path errors.

Schema, API, and Configuration Improvements

Issue ID
Description
NEXUS-49379
Ensured the default-features value in Cargo manifests defaults to true and updated attribute names to align with Cargo documentation.
NEXUS-49154
Refactored schema management to ensure all database changes are handled through Flyway migrations, preventing startup delays and outages caused by schema modifications under load.
NEXUS-49120
Sonatype Nexus Repository no longer includes commons-lang 2.x as a dependency; all usage has been migrated to commons-lang3.
NEXUS-48505
Corrected the Components API response to include the appropriate blob store name instead of returning null.
NEXUS-47905
The archetype-catalog.xml file is now automatically updated after deploying new SNAPSHOT base versions of Maven archetypes, eliminating the need to manually delete the file to reflect recent changes.
NEXUS-36020
REST API updates to Maven repositories now validate deployment policy values correctly.
NEXUS-25475
Updated the REST API to accept writePolicy values regardless of letter casing, preventing repository misconfiguration and ensuring Docker pushes to group repositories work as expected.

Licensing and Audit

Issue ID
Description
NEXUS-46449
Tag association and disassociation with components are now recorded in the audit log.

Coming Soon to Sonatype Nexus Repository

We’re excited to share that the following enhancements will be coming soon to Sonatype Nexus Repository:

Nexus Repository Instance Migrator

Sonatype’s new Nexus Repository Instance Migrator supports both configuration and content migration through a powerful command-line interface. Designed to handle complex, large-scale migrations with reliability and flexibility, the Instance Migrator includes features like repository mapping, real-time asset polling, persistent state tracking, and detailed logging.

Already using Nexus Repository Cloud?

The migrator is already available for customers with an active cloud tenant. Our team will work directly with you to guide the setup and migration process for your Cloud onboarding.

Original source

What's New and Noteworthy in 3.84.2

Released January 15, 2026

Repair - Execute Data Repair Plan Task Disabled

To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, this release disables the Repair - Execute Data Repair Plan task by default.

Attempting to run this task will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.

While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.

We will announce when it is safe to re-enable this task in a future release note.

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1

There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.

This issue is fixed in version 3.90.0.

Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

What's New and Noteworthy in 3.84.1?

Released September 17, 2025

This release fixes multiple bugs impacting release 3.84.0. See the bug fixes section below for details.

What’s New and Noteworthy in 3.84.0?

Released September 9, 2025

Support for OCI Image Manifest Specification and RPM Packages in Container Scanning

Sonatype Repository Firewall now supports container images that use the OCI Image Manifest Specification and Linux distributions that use the RPM package format. This enhancement extends compatibility beyond existing support for Docker Manifest List Schema V2.

With this update, customers scanning container images can expect consistent analysis across OCI-compliant manifests and improved visibility into vulnerabilities and license risks within RPM-based layers.

For more information, see the Firewall for Docker help documentation.

Improved Stability for Concurrent Requests in Highly Available Deployments

This release enhances Sonatype Nexus Repository high availability (HA) deployment stability by improving how the system handles simultaneous requests for the same asset across multiple nodes. Nexus Repository can now better manage transient read failures when accessing blob attributes, reducing the likelihood of request failures during periods of high concurrency.

Customers running HA deployments will see more consistent performance and fewer interruptions when multiple users or systems request the same file at the same time.

Updated Task Names for Data Repair Consistency

To align with standard task naming conventions in Sonatype Nexus Repository, we have updated the names of two recently introduced tasks:

• Verify and Repair Data Consistency is now Repair - Data Repair Plan
• Execute Plan Data Repair is now Repair - Execute Data Repair Plan

These changes do not affect task functionality and only bring the naming into better alignment with our task naming conventions.

Dependency Updates

This release includes the following dependency updates:

• tika-core version upgraded from 1.28.4 to 3.2.2
• bouncycastle version upgraded from 1.78.1 to 1.81
• azure-identity version upgraded from 1.16.2 to 1.17.0

Bug Fixes in 3.84.2

Issue ID: NEXUS-50152

The blob attribute loading process no longer deletes properties files on transient I/O errors or unhandled exceptions.

Bug Fixes in 3.84.1

Issue ID: NEXUS-48666

Resolved an issue that prevented licenses ending with specific characters from being successfully installed in Nexus Repository.

Issue ID: NEXUS-48591

IQ Server certificates stored in the Nexus Repository truststore work as expected after restarting Nexus Repository.

Bug Fixes in 3.84.0

Issue ID: NEXUS-29075

Components can be downloaded as expected through a proxy repository in audit mode even when Sonatype Lifecycle is unreachable.

Issue ID: NEXUS-44970

Docker-specific attributes are now reliably saved during Docker asset creation.

Issue ID: NEXUS-45134

The Docker Garbage Collection task now skips and removes invalid BLOB assets missing a content_digest.

Issue ID: NEXUS-46276

The Tasks API now accepts "*" as a valid value for repositoryName.

Issue ID: NEXUS-46450

Cargo proxy repositories can now be successfully chained.

Issue ID: NEXUS-46734

The startup script now uses POSIX-compliant [ ] conditionals instead of bash-specific [[ ]] syntax.

Issue ID: NEXUS-47252

Uploads to instances migrated from H2 now complete successfully without duplicate key errors during blob operations.

Issue ID: NEXUS-47788

Users assigned repository-specific admin privileges can now access and manage the configuration page for their assigned repositories as expected.

Issue ID: NEXUS-48050

The global header search behavior now redirects to the correct search results page.

Issue ID: NEXUS-48149

Docker proxy repositories now correctly handle manifests retrieved via pre-signed URLs.

Issue ID: NEXUS-48177

Cleanup policies using the Asset Name Matcher criteria now function correctly for npm hosted repositories when using the H2 database.

Issue ID: NEXUS-48396

Removed the purl query parameter from the documentation for the api/v2/reports/components/quarantined endpoint, as it is not supported. Note that you can use the supported filtering options provided in the Components in Quarantine API documentation to retrieve specific quarantined components.

Issue ID: NEXUS-48422

Docker Firewall scanning now safely handles null values in image metadata.

Issue ID: NEXUS-48568 & NEXUS-48200

The Capabilities API now returns the expected responses and appears correctly in the UI.

Original source

Known Issue with NuGet Search in Sonatype Nexus Repository 3.88.0

Sonatype is aware of an issue in Sonatype Nexus Repository 3.88.0 where NuGet client search requests fail when the application is running on the embedded H2 database.

If you rely on NuGet repository functionality and use the embedded H2 database, do not upgrade to version 3.88.0 until a fix is available.

What’s New and Noteworthy in This Release?

Note

Known Issue Update: Repair - Execute Data Repair Plan Task Disabled by Default

To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, the Repair - Execute Data Repair Plan task is now disabled by default starting in version 3.88.0.

Attempting to run this task in 3.88.0 will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.

While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.

We will announce when it is safe to re-enable this task in a future release note.

Support for Proxy Terraform Repositories

Sonatype Nexus Repository now supports proxy repositories for Terraform, enabling users to cache Terraform providers and modules from registry.terraform.io for improved performance, reliability, and governance.

This allows organizations to streamline infrastructure-as-code workflows by hosting provider binaries, checksums, signatures, and module archives directly within Nexus Repository. By rewriting upstream metadata, all download URLs point to your Nexus Repository instance, ensuring consistent access and control over Terraform content across all environments.

Terraform currently requires user token-based authentication, which requires a paid Nexus Repository Pro or Nexus Repository Cloud license. This means that, at the moment, Community Edition users are unable to authenticate for Terraform repositories. Anonymous access is not currently available for Terraform proxy repositories, though that will be enabled shortly.

Nexus Repository is compatible with the Terraform CLI version 0.13 and later, including all 1.x releases. To get started, see our Terraform repository help documentation.

Search Now Powered by SQL Instead of Elasticsearch

Starting in Nexus Repository 3.88.0, all search operations are now executed directly against the underlying SQL database, replacing Elasticsearch across all repository formats and editions.

This change improves consistency and simplifies deployment by using your configured database (i.e., PostgreSQL or H2) for search indexing and queries. While search functionality, API endpoints, and query syntax remain unchanged, some behavior may differ slightly, particularly around wildcard support, fuzzy matching, and relevance ranking.

PostgreSQL is recommended for production environments and supports relevance-based search; H2 is intended for development and may yield reduced performance on large datasets.

For full details, see our SQL Search help documentation.

Trigram Module Required for PostgreSQL

Reminder that it is required to have the pg_trgm (trigram) module installed when using a PostgreSQL database. This module may not be installed with PostgreSQL by default on all Linux distributions, which will result in an exception when attempting to upgrade.

See our installing the trigram module documentation.

New API to Retrieve Capability Types and Metadata

This releaseadds a new GET /v1/capabilities/types API endpoint that allows you to programmatically retrieve all available capability types along with their metadata, such as form fields, descriptions, and configuration requirements. This is useful for automating or dynamically generating capability-related configurations in external tools or custom UIs.

For full details, see the Capabilities API help documentation.

New Capability and Task for Managing Browse Tree Cleanup

Sonatype Nexus Repository 3.88.0 introduces a new Repository: Browse Trim capability and a Repair - Repository trim browse tree task to give administrators more control over cleaning up empty browse nodes (folders) after component deletion.

Automatic trimming is always enabled for H2 databases but disabled by default for PostgreSQL. For PostgreSQL users who prefer to keep automatic trimming disabled, the new repair task offers a manual alternative to clean up empty nodes on demand.

Learn more in the capability and task documentation.

Configurable Interation Settings for Password and Secret Encryption

Sonatype Nexus Repository 3.88.0 adds support for two new properties (nexus.security.password.iterations and nexus.security.secrets.iterations) that allow administrators to configure the number of PBKDF2 iterations used when encrypting user passwords and sensitive secrets like API keys and tokens.

These properties, set in the nexus.properties file, provide greater control over encryption strength and support seamless migration to updated security configurations.

See our Re-encryption in Nexus Repository help documentation for full details.

New URL Validation to Protect Against Private Network Access

Sonatype Nexus Repository 3.88.0 introduces optional URL validation to help protect against Server-Side Request Forgery (SSRF) by blocking outbound connections to private network addresses, localhost, or cloud metadata endpoints.

This validation applies to Remote Storage URLs for proxy repositories and Endpoint URLs for Amazon S3 blob stores. By default, private network access remains allowed, but administrators can restrict it by setting nexus.proxy.allowPrivateNetworks=false in the nexus.properties file or using environment variables.

For full details, see Securing Nexus Repository.

Important Change Coming in 3.90.0

Starting in version 3.90.0, private network access will be blocked by default.

Updated SAML Library for Improved Security and Compatibility

Sonatype Nexus Repository now uses a new library for handling SAML authentication. This update aligns with our ongoing efforts to improve security and maintain compatibility with modern identity providers (IdPs). We have tested this change internally with a range of IdPs, but we recommend validating your SAML configuration in a test environment before deploying to production.

Note

If your IdP includes an entityId in its SAML response, it must match the entityId configured in Nexus Repository for authentication to succeed. This behavior may differ from previous versions.

Bug Fixes

This release delivers a wide range of fixes and improvements focused on stability, accuracy, and operational reliability. For better readability, we’ve organized these improvements into logical sections below.

Note

Common Vulnerabilities and Exposures Fix

Sonatype Nexus Repository 3.88.0 fixes a reflected cross-site scripting (XSS) vulnerability (CVE-2026-0601) that impacts Sonatype Nexus Repository versions 3.82.0 through 3.87.1.

The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in a victim’s browser, which could lead to privilege escalation or unauthorized configuration changes.

See our CVE-2026-0601 Knowledge Base article for details.

Repository Formats and Package Management

This release includes a broad set of improvements across supported repository formats. Updates improve how package metadata is generated, cached, rebuilt, and displayed. These changes help ensure packages are indexed accurately, metadata stays up to date, and clients interact reliably with repositories even in edge cases involving redeployments, caching behavior, or format-specific nuances.

Search, Indexing, and Metadata Accuracy

This release refines search and indexing behavior to improve result accuracy, consistency, and resilience. Fixes address incorrect matches, case-sensitivity issues, pagination limits, and failures caused by orphaned or inconsistent data. Together, these changes make search results more predictable across APIs and the UI, improve cleanup and rebuild operations, and reduce the likelihood of errors caused by stale or malformed index data.

High Availability, Clustering, and Concurrency

Several fixes in this release target stability and accuracy in high availability deployments, particularly under concurrent load. Improvements address race conditions, deadlocks, case-handling inconsistencies, and startup issues related to shared resources such as blob stores. These changes help ensure reliable behavior across nodes during searches, downloads, background processing, and upgrades in clustered environments.

Blob Stores, Storage, and Data Integrity

This release improves the accuracy, reliability, and observability of blob store operations. Fixes address incorrect size reporting, upgrade edge cases, concurrency handling, and data repair behavior across different storage backends. Additional improvements ensure diagnostic artifacts and logs more accurately reflect the state of stored data, helping administrators better understand and maintain storage health.

Cleanup, Maintenance, and Background Tasks

Cleanup and maintenance tasks are now more reliable, predictable, and easier to troubleshoot. Enhancements improve how cleanup policies are evaluated and executed, how background tasks handle large datasets, and how errors and warnings are logged. These changes reduce operational friction and help ensure long-running or automated maintenance tasks complete successfully without unnecessary failures or noise.

Security, Authentication, and Authorization

Security-related updates focus on improving authentication flows, authorization checks, and administrative clarity. Changes include performance improvements for permission evaluation, clearer licensing behavior, more predictable login handling, and better support for LDAP and SAML configurations.

UI, Usability, and API Behavior

This release refines the Nexus Repository user interface and REST APIs to improve usability, accuracy, and consistency. Updates address UI display issues, missing or misleading controls, trimming and validation of user input, and more reliable API responses. These improvements help reduce confusion, prevent common errors, and ensure the UI and APIs reflect the actual system state.

Platform, Deployment, and Operations

Operational and deployment-related improvements focus on stability, configurability, and smoother upgrades. Fixes address Docker and container workflows, Helm and Kubernetes deployments, logging behavior, startup edge cases, and operator behavior. These changes help ensure Nexus Repository runs more reliably across diverse deployment environments and integrates more cleanly into modern infrastructure workflows.

Original source

Known Issue for Community Edition 3.78.0-3.79.0

In Sonatype Nexus Repository 3.78.0 and 3.79.0, the RUT Auth Realm (rutauth-realm), which is used for authentication via remote user token, is not available for Community Edition deployments. Instances using rutauth-realm before upgrading will lose functionality, and downgrading is not possible without a database backup made before the upgrade.

We are investigating this issue and will provide a fix as soon as possible.

This issue does not impact Pro deployments or Community Edition 3.77.x deployments.

Warning

Sonatype is aware of an issue preventing successful installation of Sonatype Nexus Repository 3.78.2 as a Windows service. If you use Nexus Repository as a Windows service, do not upgrade to 3.78.x. We will release a fix for our Windows users as soon as possible.

Multiple Vulnerabilities Resolved in 3.77.x and 3.78.x

Are you on the latest Nexus Repository version? If not, your deployment could be at risk.

Sonatype has resolved multiple significant vulnerabilities just between releases 3.77.0 and 3.78.2, significantly enhancing Nexus Repository security. Here are details on these security enhancements:

• Improved input validation to prevent processing malformed data, reducing the risk of unexpected behavior and potential information leakage. Also improved resource management to prevent uncontrolled resource consumption. (CVE-2024-47554)
• Resolved multiple vulnerabilities by removing Karaf and pax-logging components. This eliminated several vulnerabilities, including those related to improper input validation, information exposure, XML External Entity attacks, uncontrolled resource consumption related to jiline, and denial-of-service attacks related to Jackson-core. (Sonatype-2015-0286, Sonatype-2022-6438, CVE-2023-6378, CVE-2023-4218)
• Addressed issues related to storing sensitive information in memory, reducing the risk of information exposure through memory analysis.
• Made updates to prevent Denial of Service attacks due to uncontrolled resource consumption.

What's New in 3.78.3?

Released August 15, 2025

This patch release includes a fix that reduces the time to load the login screen for deployments with a large number of repositories, content selectors, permissions, and with anonymous access enabled.

Full details are available in the Bug Fixes section.

What's New in 3.78.2?

Released March 18, 2025

Sonatype Nexus Repository version 3.78.2 fixes a number of bugs impacting release 3.78.0 - 3.78.1. Full details are available in the Bug Fixes section.

What's New in 3.78.1?

Released March 7, 2025

Sonatype Nexus Repository version 3.78.1 fixes a number of bugs impacting release 3.78.0. Full details are available in the Bug Fixes section.

This release also reverts our previous Logback upgrade back to version 1.2 and reverts our previous SLF4J upgrade back to version 1.7.

Known Issue Impacting 3.78.1 and 3.78.0

Nexus Repository not using some settings in nexus.vmoptions

Sonatype is aware of an issue where Nexus Repository deployments on versions 3.78.0 and 3.78.1 are not fully using custom data directory settings in nexus.vmoptions. This affects karaf.data, karaf.log, java.io.tmpdir, and XX:LogFile configurations, forcing the application to use the default ../sonatype-work/nexus3 directory. We will release a fix for this issue as soon as possible.

What’s New in 3.78.0 ?

Released March 4, 2025

Breaking Change for Custom Plugins: Nexus Repository Migrates to Spring Boot Architecture

This release marks a significant shift in Nexus Repository's architecture, migrating from Apache Karaf and OSGi to the Spring Framework. This transition modernizes the underlying technology stack, aligning with industry best practices and enabling future innovation.

Sonatype Nexus Repository is now packaged as a single "uber-jar," simplifying deployment and dependency management. Nexus Repository installers now include ARM-compatible JREs for Unix and macOS platforms in addition to the x86-64 versions. Windows installers will continue to be x86-64 only.

Impact to OSGi Bundle Deployment

Notably, this change also means that custom OSGi bundle deployment is no longer supported. You can learn more in our sunsetting documentation.

Nexus Repository Installer Update: Check Windows Service Configuration

With this release, JReleaser replaces Install4J as our tool for building our macOS, Windows, and Unix installers. Initially, JReleaser focuses on bundling a JRE with the application, maintaining the existing recommendation to use the bundled JRE for all deployments. Future iterations will leverage JReleaser's capabilities to further refine the installer experience and integrate more tightly with our uber-jar packaging.

Please note that our Unix archive now comes bundled with a platform-specific JDK and can no longer be used in a Mac environment.

Important Note for Windows Users

If you configure Windows Service Manager to run Nexus Repository, please review the updated instructions in our installation help docs before upgrading for details, including the commands you will need to use for starting, stopping, and uninstalling the service.

Simplified JDK Upgrades with Nexus Repository Source Code Migration to Java

This release completes the conversion of all Groovy source code to Java within Nexus Repository, both in the core and proprietary components. This migration simplifies maintenance and removes a barrier to upgrading to newer JDK versions. Note that you can still execute Groovy scripts via Task. See our Script API help documentation for more information.

Save on Infrastructure: ARM Docker Images Now Available

This release broadens Sonatype Nexus Repository’s architecture compatibility by introducing ARM Docker images alongside the existing x86_64 versions in Docker Hub. This enhancement aligns with our commitment to providing flexible deployment options and supporting a wider range of infrastructure.

You can find ARM images for Nexus Repository version 3.78.0 and later on Docker Hub under sonatype/nexus3.

With the addition of ARM architecture being added to the docker image, we are no longer publishing tags to the docker-nexus github repository.

Alternatively, you may use the tags posted to the nexus-public repository.

Improved npm Audit Security with Firewall Integration

This release enhances npm audit command security (for npm versions 7 and 8) by ensuring full integration with Sonatype Repository Firewall. For deployments using Repository Firewall, all components retrieved during an npm audit using npm version 7 and 8 are subject to Firewall checks, providing an added layer of protection.

Repository Firewall does not yet support package-lock.json file v3 therefore lock files produced by npm 9 and 10 are not supported.

Removal of the jetty-rewrite module during upgrade to Jetty 12

The jetty-rewrite module has been removed during the upgrade to Jetty 12. As this functionality was not officially supported by Nexus Repository, customers should verify any customizations in their jetty config files before upgrading.

Sunsetting Log4J Visualizer and Bower Format

The Log4j Visualizer feature has been removed in this release. This early experiment in adding Software Composition Analysis (SCA) capabilities to Nexus Repository is now superseded by more comprehensive features, such as our malware warning banner.

We have also officially sunset Bower format, which was last available in our 3.70.x release line and only supported for OrientDB instances.

For full details on our feature sunsetting process, see our feature sunsetting documentation.

Breaking Changes with JFrog Artifactory 7.104

JFrog Artifactory 7.104 is the latest and is incompatible with the Repository Firewall plugin. JFrog Artifactory has introduced a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against.

We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment.

Bug Fixes

Note

Performance Tip - Exclude Nexus Repository Directory from Virus Scans

To optimize startup time, particularly on Windows systems, Sonatype recommends excluding the Nexus Repository directory from virus scans. Scanning every file during application startup can significantly increase the time required for the application to become operational.

The table below lists additional bug fixes included in release 3.78.3.

Issue ID Description NEXUS-48385 UI can take over 20 minutes to load when local anonymous user has many roles and privileges.

The table below lists additional bug fixes included in release 3.78.2.

Issue ID Description NEXUS-48385 (3.78.3) UI can take over 20 minutes to load when local anonymous user has many roles and privileges. NEXUS-46461 Sonatype Nexus Repository correctly loads the license file specified by the nexus.licenseFile property in nexus.properties during initialization. NEXUS-46451 The startup script for macOS distributions now correctly identifies the embedded JDK home, resolving the previous issue where startup failed due to an incorrect path. NEXUS-46408 Installations set up to use systemd as described in our Run as a Service documentation now start as expected. NEXUS-46377 Sonatype Nexus Repository's Windows service installation now explicitly uses the embedded JDK, resolving an issue where the service could incorrectly select a system-installed JDK. NEXUS-46370 Sonatype Nexus Repository's Unix distribution archive now preserves the user and group ownership of unpacked files, resolving an issue where files were incorrectly owned by a specific user ID. NEXUS-46362 Removed unnecessary warning about JAVA_HOME not being set from all possible places where it might be set. NEXUS-46359 Sonatype Nexus Repository now respects the karaf.data and karaf.log properties specified in nexus.vmoptions as expected. NEXUS-46318 & NEXUS-46401 Sonatype Nexus Repository now allows users to specify a custom JVM using the APP_JAVA_HOME environment variable or the app_java_home property in nexus.rc, restoring the ability to override the embedded JDK.

The table below lists additional bug fixes included in release 3.78.1.

Issue ID Description NEXUS-46354 Corrected a NEXUS_DATA environment variable injection issue, resolving file lock errors in Kubernetes deployments. NEXUS-46353 Nexus Repository Kubernetes deployments now correctly load and persist licenses upon initial installation, resolving a "License is not valid" error that occurred in some deployments. NEXUS-46345 Corrected the URL used to retrieve Composer packages.json metadata. NEXUS-46319 Restored missing Tasks REST API endpoints. NEXUS-46313 Nexus Repository now starts correctly when installed in directories containing spaces. NEXUS-46310 The bin/nexus script now correctly recognizes and applies the run_as_user setting described in our run as a service documentation. NEXUS-46168 Adjusted the Reconciliation task so that it can restore missing properties files in cloud blob stores with date-based layout enabled and volume/chapter folder structure. NEXUS-46008 Restored missing log line fields and daily rotation of the request.log.

The table below lists bug fixes included in release 3.78.0.

Issue ID Description NEXUS-46087 Improved upload performance by preventing excessive asynchronous event queuing, which eliminates latency spikes and ensures background processing remains efficient. NEXUS-46004 Improved npm audit security with Firewall integration. NEXUS-45997 Fixed a NullPointerException that impacted some Helm proxy repositories on Nexus Repository version 3.77.0. NEXUS-45925 The tarball download URLs in npm group repository metadata now matches those returned by npm proxy repositories as expected. NEXUS-45855 Made changes to prevent heavy loads from causing browse node event handling to time out. NEXUS-45773 Ensured correct migration of privileges and roles from Nexus Repository 2 to 3 by aligning privilege names and IDs. NEXUS-45729 Maven metadata GET requests to a group repository are no longer much slower than direct requests to member repositories. NEXUS-45673 Corrected P2 proxy repository functionality to allow proxying JAR files that do not have a MANIFEST entry as the first or second JAR entry. NEXUS-45639 Fixed an error preventing blobstore loading during the Repair - Recalulcate blob store storage task by correcting a method name case mismatch. NEXUS-45432 Corrected download URLs in npm package metadata for non-scoped, version-specific requests. NEXUS-45364 Enabled configuration of the Apache Velocity parser pool size to prevent resource exhaustion during high-volume PyPi component index requests. NEXUS-45139 Corrected repository root URL HEAD request responses to comply with HTTP/1.1 specifications, ensuring they now return the same status as GET requests. NEXUS-44544 Improved component search results by displaying an empty field instead of the Unix epoch date when the last updated value is null. NEXUS-44016 Corrected npm latest tag resolution to prevent canary versions from being selected when the true latest version is removed. NEXUS-44007 Resolved Java XML bind warning messages that occurred in some instances when starting Nexus Repository with Java 17. NEXUS-43115 Expanded documentation on installing Sonatype Nexus Repository using the OpenShift operator. NEXUS-40991 Ensured consistent favicon display across all static and dynamic pages in Nexus Repository. NEXUS-34688 Prevented unnecessary load on IQ Server by ensuring the IQ: Audit and Quarantine capability is only configurable for supported repository formats. NEXUS-30693 Improved logging for the Repair - Reconcile component database from blob store task to include the settings used during execution. Original source

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1

There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.

This issue is fixed in version 3.90.0.

Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

What's New and Noteworthy in 3.86.3?

Released January 16, 2026

Repair - Execute Data Repair Plan Task Disabled

To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, this release disables the Repair - Execute Data Repair Plan task by default.

Attempting to run this task will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.

While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.

We will announce when it is safe to re-enable this task in a future release note.

What's New and Noteworthy in 3.86.2?

Released November 12, 2025

This release fixes a number of bugs as described in the Bug Fixes section below.

Note

Sonatype did not release a 3.86.1 version. Customers can safely upgrade directly from 3.86.0 to 3.86.2

What’s New and Noteworthy in 3.86.0?

Released November 5, 2025

OpenID Connect (OIDC) Support for Streamlined SSO Integration

Sonatype Nexus Repository now supports authentication using OpenID Connect (OIDC), allowing seamless Single Sign-On integration with identity providers such as Okta, Keycloak, and Azure AD. This new capability enables organizations to centralize user authentication and enhance security by redirecting login requests to a trusted OpenID Provider.

When OIDC is configured, users benefit from a simplified login experience while administrators gain greater control over access through external role mapping. For full details, see the OIDC help documentation.

License Expiry Notification and Status Check

To help administrators avoid unexpected service disruptions, Sonatype Nexus Repository now supports license expiration notifications. When enabled, Nexus Repository will send email alerts as the expiration date for the Pro license approaches. You can configure how many days in advance the notifications should be sent and specify the list of email recipients using the new License Expiry Notification capability.

In addition to email alerts, Nexus Repository displays a visual warning in the user interface as part of the Status Check system. A new License Check status check appears in the UI when the license is nearing expiration, making it easier for administrators to monitor license health at a glance.

To learn more, see the License Management help documentation.

New REST API for Managing SAML Users

Sonatype Nexus Repository Pro and Sonatype Nexus Repository Cloud now include a REST API for managing SAML-backed user records. This new capability allows administrators to pre-provision SAML users, assign roles before their first login, and ensure roles remain aligned with identity provider (IdP) group memberships.

By supporting full user lifecycle management through the API, this enhancement improves automation, simplifies role assignments, and strengthens integration with enterprise identity systems.

For full details, see the Security Management API documentation.

Firewall for Docker Scanning Now Uses Nexus Repository Network Settings

Starting with Nexus Repository version 3.86.0 and IQ Server version 197, Firewall for Docker Scanning now uses the network connection settings configured in Nexus Repository when accessing Docker registries.

This enhancement ensures that Docker scans respect custom networking configurations, allowing seamless image downloads and more consistent scanning behavior across different environments.

With this update, Firewall scans automatically apply the following Nexus Repository settings when available:

• User-Agent customization
• Connection and socket timeouts
• Connection retry attempts
• HTTP and HTTPS proxy settings, including host, port, authentication, NTLM domain, and hostname

If you use Nexus Repository 3.86.0 with an earlier version of IQ Server, Firewall for Docker will fall back to the older IQ CLI scanning method, which does not apply the Nexus Repository HTTP configuration.

Expanded Support for OCI-Based Docker Images

Firewall for Docker now supports analyzing and quarantining a broader range of OCI-compliant images requested through Docker proxy repositories. This includes multi-architecture manifest lists, single-manifest images without layers, and uncompressed image layers. These updates improve compatibility with modern image formats by adding support for less common Docker layer constructs.

Bug Fixes

The following table describes bug fixes in 3.86.3:

Issue ID

Description

NEXUS-50152

The blob attribute loading process no longer deletes properties files on transient I/O errors or unhandled exceptions.

The following table describes bug fixes included in 3.86.2:

Issue ID

Description

NEXUS-49171

APT repository metadata is now properly updated in both the source and target hosted repositories after performing a component move via the REST API.

NEXUS-49474

Firewall for Docker scans work as expected when using Sonatype IQ Server 196 or earlier.

The following table describes bug fixes included in 3.86.0:

Issue ID

Description

NEXUS-29298

Routing rules assigned during repository creation using the REST API are now correctly applied and reflected in both the UI and subsequent API responses.

NEXUS-40880

Attempting to run the Database Migrator to migrate from an H2 to a PostgreSQL database without a nexus.mv.db file now fails with an error as expected.

NEXUS-41540

Repository blob store migration now runs blob move operations in parallel using all available threads in the executor pool, improving task throughput and reducing migration time.

NEXUS-44318

Docker garbage collection now uses batch processing and memory-efficient data structures to reduce memory usage and improve performance when operating on large repositories.

NEXUS-44942

Removed the deprecated X-XSS-Protection header from all responses.

NEXUS-47323

Support zip generation via the REST API is now allowed for local administrator users regardless of license state.

NEXUS-47587

Requests for package metadata in APT hosted repositories now wait for metadata rebuilds to complete, preventing 404 responses.

NEXUS-47601

The Conan proxy repository API now includes the conanVersion field in its response.

NEXUS-47655

(Requires Nexus Repository 3.86.0 and IQ 197.) Firewall for Docker now uses the HTTP configuration defined in Nexus Repository (i.e., proxy settings, authentication, timeouts, and SSL certificates) when downloading image content for scanning, improving compatibility with restricted or customized network environments.

NEXUS-47712

The Sonatype Lifecycle Component section in the Nexus Repository UI now correctly reflects the security status of Golang components, eliminating the misleading Unsupported format: go message when vulnerability data is available.

NEXUS-47736

Asset Search API queries using the group parameter with spaces or uppercase letters now return correct results in High Availability environments.

NEXUS-47840

The link in the Firewall column of the Nexus Repository Browse page now correctly redirects users to the Firewall report for the corresponding repository report.

NEXUS-48148

Pushing Helm charts no longer fails when the appVersion field is a number.

NEXUS-48190

Content Selector privilege scopes based on format now work as expected.

NEXUS-48395 & NEXUS-44994

Staging move operations now correctly update the Browse page to remove empty directories and display accurate asset icons.

NEXUS-48619

The Execute Plan Data Repair task now logs detailed information about asset record removals, improving visibility and traceability during data repair operations.

NEXUS-48624

The Repair - Recalculate blob store storage task no longer double-counts soft-deleted blobs, ensuring accurate blob store size and component metrics.

NEXUS-48629

The Sonatype Lifecycle Component section in the Nexus Repository UI now correctly reflects the security status of Conan components, eliminating the misleading Unsupported format: conan message when vulnerability data is available.

NEXUS-48634

The Verify and Repair Data Consistency and Execute Plan Data Repair tasks now correctly clear the deleted=true flag when restoring blobs, preventing persistent MissingBlobException errors after database rollback scenarios.

NEXUS-48748

Wildcard version searches now return consistent results.

NEXUS-48827

Upgrading to 3.84.1 no longer incorrectly enables path-based routing on existing Docker repositories that had no connector selected, preserving the original configuration state.

NEXUS-48891

The Search API now correctly supports queries with multiple repository names using OR.

NEXUS-48902

Search API results now return the actual storage location in the repository field when querying a group repository.

NEXUS-49025

(Requires IQ 197 for self-hosted customers.) Firewall report links using the legacy /malware-defense path now redirect correctly, with full backward compatibility implemented to ensure both /malware-defense and /firewall URLs load without errors.

NEXUS-49070

Logins to SaaS deployments now succeed and Nexus Repository no longer stores the OIDC id_token in the cookie, avoiding the 4096-character size limit error.

NEXUS-49115

Pulling OCI-formatted images through a Repository Firewall-enabled Docker proxy now works as expected. We have added support for scanning single-manifest images and those without layers.

NEXUS-49118

Modified JWT token generation dependencies to prevent cross-node session errors during OAuth redirects in clustered environments.

NEXUS-49125

Pulling multi-architecture Docker images through a Nexus Repository Docker proxy with Repository Firewall quarantine enabled now succeeds. We have added support for handling manifest lists and uncompressed image layers during scanning.

Coming Soon to Sonatype Nexus Repository

We’re excited to share that the following enhancements will be coming soon to Sonatype Nexus Repository:

Java 21 Required Starting in 3.87.0

Beginning with the Sonatype Nexus Repository 3.87.0 release, Java 21 will be the minimum required version. The official Docker image and installers will include Java 21 by default. We recommend preparing your environments ahead of this change to ensure compatibility and minimize disruption.

New Product Launch Coming Soon

Sonatype will soon introduce a new product that helps your AI coding assistant make smarter dependency choices. A preview of the first component, our Model Context Protocol (MCP) server, is available now for early exploration. Sonatype’s MCP server guides AI to select secure, reliable, and license-compliant versions using Sonatype’s trusted open source intelligence.

Original source

Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1

There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.

This issue is fixed in version 3.90.0.

Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.

Note

Version 3.83.0 - 3.83.2 contain a defect that prevents use of the Capabilities API. This bug is fixed in 3.84.0. Update to 3.84.0+ to use the Capabilities API.

What's New in 3.83.2?

Released September 3, 2025

This release fixes a number of bugs present in 3.83.0 – 3.83.1. See the bug fixes in 3.83.2 section for details.

What's New in 3.83.1?

Released August 19, 2025

This release fixes a number of important bugs present in 3.83.0. See the bug fixes in 3.83.1 section for details.

What’s New in 3.83.0?

Released August 12, 2025

Prevent Risky Containers from Entering Your Organization with Repository Firewall

You can now extend Sonatype Repository Firewall’s automatic policy enforcement to containerized applications, enabling your team to block non-compliant or vulnerable Docker images before they enter your development environments.

Repository Firewall analyzes Docker images as they are requested through a protected proxy repository. Images that violate your defined policies are automatically quarantined, ensuring developers and deployment pipelines only use trusted containers. Violations are reported in a new Containers dashboard that also provides clear insights into which components within a container triggered enforcement.

You can also apply waivers to container-level violations directly from the container report or via the new Container Waivers API, streamlining security review and enabling critical images to proceed when necessary.

This functionality supports Docker Schema 2 (both single and multi-architecture) images from any container registry proxied by Sonatype Nexus Repository. To optimize performance, local disk storage is recommended for temporary container analysis. Note that Sonatype does not ingest or retain container data during analysis.

For full configuration instructions, supported formats, and usage details, see the Repository Firewall for Docker help documentation.

Docker Registry Path-Based Repository Support

Sonatype Nexus Repository now supports path-based routing for Docker repositories.

This new routing option simplifies Docker setup by eliminating the need to configure custom subdomains or manage complex certificate requirements. It offers a more secure and streamlined approach to accessing Docker images, which is especially important in cloud environments with strict security constraints.

Path-based routing is required for all Nexus Repository Cloud deployments. While it is optional in self-hosted environments, adopting this configuration is recommended for improved security and easier maintenance.

For setup instructions, see our Docker Registry help documentation.

Improved Security Options for Password Hashing and Secrets Encryption

You can now customize Sonatype Nexus Repository’s password hashing algorithm to best align with your organization’s security standards. Supported options include SHA-512 (default), PBKDF2WithHmacSHA256, and PBKDF2WithHmacSHA1. This enhancement allows for greater flexibility and alignment with modern security policies.

Additionally, secrets encryption now supports both PBKDF2WithHmacSHA256 and PBKDF2WithHmacSHA1 (default), offering improved configurability for securing sensitive data within the system.

Streamlined Recovery with New Verify and Repair Data Consistency Task

A new Verify and Repair Data Consistency task is now available in Sonatype Nexus Repository to improve the recovery experience when the database and blob stores become out of sync. This task replaces the legacy Repair - Reconcile component database from blob store task and offers faster performance, enhanced precision, and greater flexibility.

Use this task to recover missing component metadata for artifacts that exist in storage but are no longer referenced in the database. This scenario may occur when restoring from backups or during failover events where the database and storage were finalized at different points in time. You can also restore soft-deleted artifacts before they're permanently removed from blob storage.

Administrators can scope the task by blob store, repository, and time window. A Dry Run option is also available so that you can preview changes before executing them, allowing for safer and more controlled recovery workflows.

For implementation details and API usage, see the Verify and Repair Data Consistency task help documentation.

Note that any scheduled Repair - Reconcile component database from blob store tasks will be automatically removed during the upgrade to Nexus Repository 3.83.0 and later. This is to prevent errors since the legacy task is not compatible with a date-based blob store layout, which Nexus Repository now uses by default.

New Documentation: Cross-Region Disaster Recovery for Enterprise Deployments

New Cross-Region Disaster Recovery documentation is now available to help administrators configure their Sonatype Nexus Repository high availability (HA) deployments to support cross-region disaster recovery in AWS. This approach is designed for enterprise-scale deployments that require minimal downtime and protection against regional cloud outages.

The documentation outlines how to use Amazon RDS and S3 with cross-region replication to enable automatic backup, rapid failover, and zero-loss failback. With this configuration, deployments can achieve a 15-minute Recovery Point Objective (RPO) for blob stores, a 5-minute RPO for the database, and a 1-hour Recovery Time Objective (RTO). It also includes steps for auditing asset loss, verifying data consistency, and synchronizing changes made during failover.

Bug Fixes in 3.83.2

• Issue ID: NEXUS-48483
  The request.log now correctly records the timestamp corresponding to when the response is written back to the client rather than when the request initially arrived.

• Issue ID: NEXUS-48480
  The RegistrationsBaseUrl value in index.json files for NuGet group repositories now includes the correct path, ensuring .NET clients can successfully retrieve package metadata. This restores compatibility with dotnet install commands against NuGet group repositories.

• Issue ID: NEXUS-47541
  When using Docker subdomain routing, request.log entries now include the resolved /repository/ path.

Bug Fixes in 3.83.1

• Issue ID: NEXUS-48391
  The legacy HA-C property is now properly ignored when explicitly set to false.

• Issue ID: NEXUS-48388
  Crowd authentication works as expected with version 3.83.x.

• Issue ID: NEXUS-48387
  The Docker repository user interface no longer incorrectly displays path-based routing as enabled when it is not enabled.

• Issue ID: NEXUS-48385
  Sonatype Nexus Repository now allows the UI to load promptly for anonymous users, even in environments with many content selector privileges.

• Issue ID: NEXUS-48369
  Fixed an issue that prevented Community Edition deployments from starting after upgrade to 3.83.0 if they contained Docker group repositories.

• Issue ID: NEXUS-48367
  Updated logger configuration to ensure HA deployments start as expected on version 3.83.0+ when using the Helm chart.

• Issue ID: NEXUS-48212
  Sonatype Nexus Repository 3.83 no longer fails to start when transitioning from non-HA to HA mode using a shared PostgreSQL database. Node identity is now handled separately to prevent conflicts with legacy node entries in the node_heartbeat table.

• Issue ID: NEXUS-48145
  Made changes to how Nexus Repository handles telemetry HTTP responses to prevent excessive NullPointerException log warnings caused by unhandled 204 responses from telemetry endpoints.

• Issue ID: NEXUS-48025
  When creating Docker repositories, user can select domain or port connectors without selecting a radio button.

Bug Fixes in 3.83.0

• Issue ID: NEXUS-48217
  This release replaces the Repair - reconcile component database from blob store task with a new Verify and Repair Data Consistency task.

• Issue ID: NEXUS-47958
  Routing rules created via the REST API that include non-alphanumeric characters in their names now correctly load in the UI when selected.

• Issue ID: NEXUS-47563 & NEXUS-47159
  Cleanup policies using asset matchers with the option to retain a select number of versions now correctly identify and retain the expected number of Maven assets. The CSV preview and cleanup task execution now return accurate results when used with PostgreSQL-backed repositories.

• Issue ID: NEXUS-47553
  Cleanup policies using the Component age criteria now correctly remove eligible components when applied to repositories backed by an H2 database.

• Issue ID: NEXUS-46937
  Startup failures related to the FileBlobStoreMetricsMigrationStep after migrating from H2 to PostgreSQL no longer occur. The Flyway migration state is now correctly reloaded, ensuring the system accurately reflects migration progress and can start reliably after the initial post-migration launch.

• Issue ID: NEXUS-46388
  Simultaneous requests for the same asset sent to different nodes in a High Availability (HA) Nexus Repository cluster no longer result in 500 errors. Blob property file access is now handled safely across nodes, ensuring reliable asset downloads under concurrent access.

• Issue ID: NEXUS-46385
  Updated Docker Hub credentials for proxy repositories now take effect as expected without requiring a server restart.

• Issue ID: NEXUS-46136 & NEXUS-45942
  Docker login requests through reverse proxies that include a port in the X-Forwarded-Host header no longer result in malformed authentication redirects with duplicated port values. Nexus Repository now correctly parses forwarded host headers, ensuring compatibility with standard reverse proxy configurations such as Apache httpd.

• Issue ID: NEXUS-45843
  Upgrades from earlier versions of Nexus Repository no longer fail when NuGet proxy repositories are missing the nugetVersion attribute. The migration logic now safely defaults to expected values, allowing startup to complete without manual intervention.

• Issue ID: NEXUS-45369
  Made improvements to prevent startup failures caused by the FileBlobStoreMetricsMigrationStep when migrating from OrientDB to PostgreSQL.

Original source

What's New and Notable in 3.82.1?

Released August 26, 2025

This release fixes an issue with the Repair - Reconcile component database from blob store task where running the task with the integrity check option enabled could incorrectly remove content from repositories that use an Azure blob store.

Sonatype Nexus Repository Now Available in the Cloud!

Cloud Released on July 16, 2025

Sonatype Nexus Repository Pro is now available as a fully managed, cloud-hosted service, eliminating the overhead of infrastructure management and allowing your development teams to focus on building and delivering secure and reliable software faster. Check out the benefits below:

Operational Efficiency Without the Overhead

With Nexus Repository Cloud, Sonatype handles everything required to get and stay up and running, including high availability, rolling upgrades, automated backups, and seamless failover. This ensures maximum uptime and reliability for your development pipelines. Your deployment scales automatically with your usage, allowing your team to focus on delivering software instead of managing tooling.

Accelerated Time-to-Value

By removing the complexities of provisioning and maintaining servers, Nexus Repository Cloud reduces total cost of ownership and accelerates onboarding. Your teams can start building and deploying software quickly using pre-configured defaults, secure access controls, and guided setup flows.

Access to the Latest Features First

Nexus Repository Cloud is always running the latest stable release, often ahead of the on-premises version. This ensures your team can take advantage of new features and performance improvements without delay.

Migration Support Available

Sonatype provides expert-led migration services to help organizations transition from on-premises deployments to the cloud with minimal downtime. Our Customer Success team ensures your data and configurations are migrated securely and efficiently.

Key Features in Nexus Repository Cloud

• Simplified Setup – Guided onboarding helps you get up and running quickly with secure access, default roles, and user management via your identity provider or direct configuration.
• No Maintenance Overhead – Sonatype handles upgrades, patches, monitoring, and infrastructure operations, eliminating day-to-day maintenance tasks.
• Cloud Tenant Provisioning – Organizations receive a unique, secure URL for accessing their Nexus Repository Cloud tenant.
• Client Tool Integration – Configure tools such as Maven, npm, and Docker to interact directly with your Nexus Repository Cloud instance.

For more information about getting started with Nexus Repository Cloud, see our official documentation.

What's New and Noteworthy in 3.82.0?

Released July 9, 2025

Sonatype Nexus Repository 3.82.0 includes the following new features and enhancements:

New Capabilities API

Sonatype Nexus Repository now provides a new Capabilities API, giving administrators more flexibility and control when managing system-level features through automation.

With this API, you can programmatically view, create, update, and delete Capabilities in your Nexus Repository instance. This allows for faster setup, consistent configuration across environments, and easier integration into infrastructure-as-code workflows. This improves efficiency and reduces the risk of manual errors in administrative tasks.

For full details, see the Capabilities API help documentation.

Quarantine Message Behavior Restored and Improved

Sonatype previously noted a regression in Nexus Repository 3.81.x that prevented quarantine messages from being returned as expected when a component was blocked by Sonatype Repository Firewall. Updates in this release restore expected quarantine message behavior and introduce enhancements to improve clarity for users and automation.

Those using npm and NuGet formats will now see clearer quarantine messages directly in their CLI output when a component is blocked by Repository Firewall. These messages include the reason for the quarantine, helping developers quickly understand and address policy violations without additional troubleshooting.

Bug Fixes

This release includes the following notable bug fixes:

• NEXUS-48217 (3.82.1) Fixed an issue with the Repair - Reconcile component database from blob store task where running the task with the integrity check option enabled could incorrectly remove content from repositories that use an Azure blob store.
• NEXUS-47645 The Blob Store undelete process now handles self-referencing properties files without triggering a stack overflow. This prevents unexpected shutdowns of the GCP connection pool and eliminates the need for a restart.
• NEXUS-47455 The UI: Settings capability now correctly updates the page title as configured.
• NEXUS-47234 The /search/assets API now correctly supports the maven.baseVersion parameter in HA mode.
• NEXUS-47027 The package-ids endpoint for NuGet v2 repositories now returns a maximum of 30 package IDs as a JSON array, aligning with the NuGet tab-completion API specification. This prevents excessive memory usage and improves performance when clients like MSBuild query the endpoint with empty or broad parameters.
• NEXUS-47013 The npm audit bulk endpoint now accepts requests from users with read-only permissions, eliminating the need for view-add privileges. This ensures that audit operations work as expected for read-access users, including anonymous users if authentication is not required.
• NEXUS-29739 The Browse UI for NuGet v3 group repositories now displays the correct path and generates working download links. Requests with or without the index segment are normalized, preventing 404 errors when accessing assets like index.json.

Original source

What's New in Nexus Repository 3.81.1?

Released June 11, 2025

Known Issue in 3.81.1: Quarantine Messages Missing from 403 Responses

Sonatype is aware of an issue in Nexus Repository 3.81.1 that prevents all quarantine messages—both default and custom—from appearing in HTTP responses when components are blocked by Repository Firewall. Affected requests return only a generic “403 Forbidden” status with no explanatory message or link to the component report. This may impact environments that depend on these messages to inform users about quarantine reasons.

This release fixes an issue that caused dotnet restore commands to fail due to NuGet v3 content requests returning 404 errors.

Switch Metrics Servlets to use JAX-RS

The REST API endpoints for metrics have changed. Redirects have been added, but not all scripts will follow redirects.

Original Endpoint | New Endpoint

/service/metrics/prometheus | /service/rest/metrics/prometheus
/service/metrics/data | /service/rest/metrics/data
/service/metrics/ping | /service/rest/metrics/ping
/service/metrics/threads | /service/rest/metrics/threads
/service/metrics/healthcheck | /service/rest/v1/status/check

What’s New in Nexus Repository 3.81.0?

Released June 10, 2025

Egress Information Available in Licensing Usage Tab

Sonatype Nexus Repository now provides egress information for on-prem instances; administrators can find this information in the Usage tab under Settings > System > Licensing. This new feature helps you understand your data transfer patterns, making it easier to plan for a potential cloud migration. By seeing your egress data upfront, you can better estimate costs and resource needs in a cloud environment.

Note that Total Egress is calculated at the application level. This might differ from network transfer measurements from your cloud provider. Our testing indicates approximately 15% more traffic when estimating total egress in cloud environments.

For full details, see the License Management help documentation.

Enhanced Security and Performance with Jetty 12

This release upgrades Sonatype Nexus Repository from Jetty 9 to Jetty 12, bringing enhanced security and performance to your instance. This upgrade ensures that Sonatype Nexus Repository operates on a supported and modern server technology.

If your Sonatype Nexus Repository instance uses a customized Jetty configuration, serves HTTPS directly through Sonatype Nexus Repository, or has a customized request log, plan to update your configurations accordingly.

Performance Improvements for Change Repository Blobstore in Google Cloud Environments

This release includes performance improvements for the Change Repository Blob Store task when moving from one Google Cloud Storage (GCP) bucket to another. Previously, this operation took considerably longer than other blob store migration types. This enhancement greatly improves the efficiency of managing your Google Cloud Storage-backed repositories.

Integrate Sonatype Repository Firewall with Zscaler for Enhanced Malware Protection

Sonatype Repository Firewall now integrates with Zscaler, a cloud-native cybersecurity platform, to provide an additional layer of defense against actively verified malware components. This integration automatically blocks malicious components from being downloaded directly from public repositories, protecting your organization from malware found in "shadow downloads."

For details on how to enable this protection, see our Zscaler integration help documentation.

Bug Fixes

Issue ID | Description

NEXUS-47610 | (3.81.1) This release fixes an issue that caused dotnet restore commands to fail due to NuGet v3 content requests returning 404 errors.
NEXUS-47222 | The nexus.log no longer generates ERROR and WARN entries related to an unavailable reconcile/list resource when administrators open the Administration > System > Tasks page.
NEXUS-47217 | Sonatype Nexus Repository's cargo-group functionality now correctly handles features2 when building projects, preventing build failures that previously occurred.
NEXUS-47197 | Custom branding changes made through the UI branding capability now correctly appear in the application's user interface.
NEXUS-47020 | Made performance improvements so that newly uploaded components and staging move results now appear in search results more quickly.
NEXUS-46899 | Sonatype Nexus Repository now immediately reflects changes to user data from Crowd in the UI.
NEXUS-46508 | In Sonatype Nexus Repository HA instances, the Disassociate Tag API now correctly disassociates components from a tag and no longer returns an unrelated list of components.
NEXUS-46264 | Resolved various issues with 3.77.1 Alpine image.
NEXUS-46033 | The Number of versions option in the cleanup policy for maven2 and docker repositories no longer unexpectedly hides or reveals itself when other cleanup policy options are selected.
NEXUS-45866 | After enabling HA in Sonatype Nexus Repository, the Support > Status and System > Nodes pages now display consistent information.
NEXUS-45113 | The cleanup policy and cleanup service tasks now correctly remove empty directories.
NEXUS-44548 | npm audit commands work as expected when npm package name aliases are present.
NEXUS-29739 | NuGet v3 group repositories display the correct path in the browse UI. The download link for assets within these repositories also now functions as expected.

Coming Soon

Here’s what’s coming soon for Sonatype Nexus Repository:

Sonatype Nexus Repository Cloud

Sonatype Nexus Repository will soon be available as a Sonatype Cloud solution! This will provide all the powerful artifact management capabilities you rely on, delivered and managed by Sonatype in the cloud.

Path-Based Repository Support for Docker

Sonatype Nexus Repository will soon provide path-based repository support for Docker, allowing you to host multiple Docker registries under a single hostname using different URL subpaths. This eliminates the need for multiple ports or wildcard TLS certificates, simplifying enterprise deployments.

Firewall Support for Containers

Sonatype Repository Firewall will soon introduce support for containers, enabling you to proactively block the download of container images violating your organization's policy configurations before they enter your container ecosystem.

Original source