Sonatype Release Notes
Last updated: Apr 9, 2026
- Apr 8, 2026
- Date parsed from source: Apr 8, 2026
- First seen by Releasebot: Apr 9, 2026
Sonatype Nexus Repository 3.90.0 - 3.90.3 Release Notes
Sonatype Nexus Repository adds Terraform group repositories, Swift hosted repositories, Recovery Mode, a new User Token API, and improved npm metadata visibility, while also delivering broad reliability, security, migration, and performance fixes across the platform.
Caution
Known Issue with npm Group Repositories in Sonatype Nexus Repository 3.90.2; Issue fixed in 3.91.0
Sonatype is aware of an issue in Sonatype Nexus Repository 3.90.2 where npm group repositories may serve stale package metadata after upstream repositories are updated. This issue is fixed in version 3.91.0.
This issue occurs when requesting packages with versions or dist-tags (for example, npm install storybook@latest or npm install @sonatype/[email protected]). The cache invalidation process fails, causing the group repository to return outdated version information.
Symptoms may include:
- npm builds failing with version mismatch errors.
- Recently published package versions not visible through the group repository.
- Server logs showing errors such as: IllegalArgumentException: Non URL-safe name
Workaround:
Manually invalidate the package cache through the Nexus UI: Browse → Select repository → Right-click package → Invalidate cache
What's New in 3.90.3?
Released April 8, 2026
Note
Sonatype Nexus Repository 3.90.3 is available for download from the Nexus Repository 3 Download archive.
Added Skip Processing Configuration
NEXUS-51666 – Added a skipProcessing configuration option to BlobRepositoryMismatchTask for eligible direct upgrades. See our Support Knowledgebase article for details.
What's New in 3.90.2?
Released March 23, 2026
New Instance Migrator Helps Nexus Repository 3.70.5 Deployments Move to Nexus Repository Cloud or Self-Hosted Nexus Repository 3.90.2 Without Downtime
Sonatype Nexus Repository now provides a migration path from OrientDB 3.70.5 to modern, supported platforms without requiring service interruption. With the new Instance migrator, you can migrate to either of the following without downtime:
- Nexus Repository Cloud
- Nexus Repository self-hosted version 3.90.2+
Migration preserves core configuration and repository data, enabling a seamless transition to a more scalable and supported architecture.
Key Capabilities
Preserves repository data and configuration
Migrates hosted repository content, repository configurations, and associated settings to the target environment.
Maintains user and access configurations
Transfers users, roles, and authentication mappings to ensure continuity of access control.
Secure handling of sensitive data
Encrypts and transfers secrets using supported security standards during migration.
Automated validation checks
Prevents invalid configurations, such as missing blob stores, and provides clear feedback during migration.
No service interruption
Keeps your source instance online and operational throughout the migration process.
Important Migration Requirements
Blob stores must exist on the target instance
Create blob stores in the target environment before migration. Do not reuse storage locations from the source instance.
Shared storage is not supported
Using the same S3 bucket, Azure container, or file path across source and target instances can lead to data corruption.
LDAP/Crowd users require external server configuration
While user tokens and role mappings for LDAP/Crowd users will migrate successfully, the target instance must be manually configured to connect to the same external authentication servers for these users to authenticate after migration.
Some configurations require manual setup
SSL/TLS certificates export from the source but may require manual import configuration on the target instance depending on your environment.
Proxy/group repository cached content does not migrate
Only hosted repository content is migrated.
For full migration requirements and process details, see the Instance Migrator help documentation. You can download the instance migrator for version 3.70.5 from the OrientDB Downloads page.
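The shared-storage requirement above can be checked before a migration starts. The following is an added example, not Sonatype code or part of the Instance Migrator: it compares a source and a target blob store inventory and reports any pair that points at the same S3 bucket, Azure container, or file path. The inventories are constructed and the flat field names (`type`, `path`, `bucket`, `account`, `container`) are hypothetical.

```python
import posixpath

# Constructed inventories. The field names are hypothetical; map them from
# however you export blob store settings on each instance.
SOURCE = [
    {"name": "default", "type": "File", "path": "/nexus-data/blobs/default"},
    {"name": "releases-s3", "type": "S3", "bucket": "corp-nexus-blobs", "prefix": "releases"},
    {"name": "az", "type": "Azure", "account": "corpnexus", "container": "artifacts"},
]
TARGET = [
    {"name": "default", "type": "File", "path": "/nexus-data/blobs/default/"},
    {"name": "releases-s3", "type": "S3", "bucket": "corp-nexus-blobs", "prefix": "migrated"},
    {"name": "az", "type": "Azure", "account": "corpnexus", "container": "artifacts-new"},
]


def location(store):
    """Reduce a blob store record to a comparable storage location tuple."""
    kind = store["type"].lower()
    if kind == "file":
        # normpath makes "/data/blobs/" and "/data/./blobs" compare equal.
        return ("file", posixpath.normpath(store["path"]))
    if kind == "s3":
        # Keyed on the bucket alone: a different prefix is still the same bucket.
        return ("s3", store["bucket"].lower())
    if kind == "azure":
        return ("azure", store["account"].lower(), store["container"].lower())
    raise ValueError(f"unknown blob store type: {store['type']!r}")


def overlaps(a, b):
    """True when two location tuples refer to the same backing storage."""
    if a[0] != b[0]:
        return False
    if a[0] != "file":
        return a == b
    # Assumption beyond the release note: a path nested inside the other is
    # treated as shared too, since one instance would write into the other's tree.
    shorter, longer = sorted((a[1], b[1]), key=len)
    return longer == shorter or longer.startswith(shorter.rstrip("/") + "/")


def shared_storage(source, target):
    """Return (source_name, target_name, location) for every shared location.

    File paths only collide when both instances mount the same filesystem,
    so a file finding means "confirm these are different disks".
    """
    findings = []
    for src in source:
        for tgt in target:
            if overlaps(location(src), location(tgt)):
                findings.append((src["name"], tgt["name"], location(tgt)))
    return findings


if __name__ == "__main__":
    for src, tgt, loc in shared_storage(SOURCE, TARGET):
        print(f"SHARED: source '{src}' and target '{tgt}' both use {loc}")
```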
Bug Fixes in 3.90.2
This release includes the following additional bug fixes:
Issue ID | Description
NEXUS-51040 | Docker proxy repositories handle bearer token authentication requests without encountering null pointer exceptions during HTTP context operations.
NEXUS-50764 & NEXUS-39228 | Group repositories now properly detect policy-filtered version changes in member proxy repositories, ensuring metadata remains current and complete across npm and PyPI formats.
What's New in 3.90.1?
Released March 6, 2026
Fix for Nexus Repository 3.90.0 Community Edition
This release fixes an issue that prevented Sonatype Nexus Repository 3.90.0 Community Edition deployments from starting upon initial installation or upgrade.
Community Edition users can now safely upgrade to 3.90.1.
What’s New in 3.90.0?
Released March 5, 2026
Support for Terraform Group Repositories
Sonatype Nexus Repository now supports Terraform group repositories, allowing you to aggregate multiple Terraform hosted and proxy repositories into a single endpoint. This capability simplifies configuration for developers by providing one consistent URL for Terraform modules and providers, while centralizing control and visibility for repository administrators.
Terraform group repositories include intelligent caching with configurable TTL values for modules and provider versions, along with request deduplication to reduce redundant upstream queries. When the same version exists in multiple member repositories, you can apply configurable conflict resolution strategies to determine which artifact is served. The implementation also tracks member health and automatically handles unhealthy members, while exposing comprehensive metrics to help you monitor cache performance and overall repository health.
For full details, see the Terraform Repositories help documentation.
Support for Swift Hosted Repositories
Sonatype Nexus Repository now supports Swift hosted repositories, enabling you to publish and manage Swift packages as .zip files with MIME type validation. This capability allows teams to securely store and distribute internal Swift artifacts and approved third-party components through Nexus Repository, providing a centralized and reliable source for Swift dependencies.
Swift hosted repositories support enterprise controls such as access management and auditing, along with optional anonymous access where appropriate. For full details, see the Swift Repositories help documentation.
Re-enabled Repair - Execute Data Repair Plan Task
In Sonatype Nexus Repository 3.90.0, the Repair - Execute Data Repair Plan task is re-enabled by default. We previously disabled this task in 3.88.0 to prevent potential data loss while we addressed issues affecting the Verify and Repair and Data Repair Plan tasks.
You can now safely use the Repair - Execute Data Repair Plan task to correct data inconsistencies between the database and blob store. This update restores the intended maintenance workflow and allows you to run data repair operations with confidence.
This re-enablement aligns with the introduction of Recovery Mode, which provides a controlled operational state to help protect data integrity during repair and reconciliation activities.
New Recovery Mode for Safe Data Reconciliation
Sonatype Nexus Repository now includes Recovery Mode, a controlled operational state designed to support safe reconciliation between the database and blob storage after outages or data inconsistencies. When enabled, Recovery Mode helps protect data integrity by preventing specific background tasks from interfering with repair operations. This feature is available only for self-hosted deployments and requires administrative privileges. Before enabling Recovery Mode, consult Sonatype Support to confirm it is appropriate for your situation.
For full details, see the Recovery Mode help documentation.
New User Token API
A new User Token API allows administrators to create, view, and delete user tokens. With the appropriate privileges, administrators can generate tokens for specific users and realms, retrieve token summaries (excluding sensitive fields), and manage tokens across individual or all realms, including options to include expired tokens in responses.
For full details, see the User Token API help documentation.
Improved Transparency for Policy-Compliant Component Selection in npm Metadata
Sonatype Nexus Repository now enhances policy-compliant component selection (PCCS) by exposing filtered npm package versions directly in the package metadata. When PCCS filters versions that violate your Repository Firewall policies, those versions appear in the sonatype_filtered_versions field in the component's metadata. This update provides clearer visibility into which versions were excluded, helping teams quickly understand why a version is unavailable and identify an acceptable alternative.
Granular Permissions for Log Management API in Nexus Repository Cloud Environments
Sonatype Nexus Repository Cloud now supports more granular access control for the Log Management API. Previously, access to the Log Management API required the broad nexus:* permission, which is granted only to the nx-admin role. You can now grant access to this API using the built-in nexus:logging:read permission and the associated nx-logging-read privilege. This update enables teams to follow the principle of least privilege by allowing service accounts to download logs without granting administrative access across the entire tenant.
Removed Legacy Application Health Check and Hosted Repository Analysis
In this release, we removed the legacy Application Health Check plugin from Sonatype Nexus Repository. This plugin previously provided both Application Health Check and Hosted Repository Analysis capabilities.
Sonatype Lifecycle replaces these capabilities with more robust and fully supported software composition analysis. Lifecycle offers CLI-based scans, binary uploads, comprehensive policy evaluation, and continuous monitoring across your development lifecycle.
Removing these features reduces technical debt, eliminates non-functional UI elements and APIs, and simplifies the Nexus Repository codebase.
Note
This change applies to self-hosted Nexus Repository deployments only. These capabilities were never available in Nexus Repository Cloud.
Bug Fixes
The following sections group recent fixes by functional area to make them easier to scan and reference. Together, they reflect improvements across repository formats, search, HA, storage, migration, security, usability, and operational reliability.
Repository Format–Specific Fixes
These fixes address behavior specific to individual repository formats such as Docker, Maven, NuGet, Yum, APT, Helm, npm, Terraform, and RubyGems. The updates improve metadata accuracy, caching behavior, authentication handling, concurrency, and client compatibility to ensure predictable and standards-compliant interactions across all supported ecosystems.
Issue ID | Description
NEXUS-50951 | From Nexus Repository version 3.89.0+, newly created Docker repositories must use lowercase names. This fix allows users to edit, via the UI, the configuration of upgraded Docker repositories that have mixed/upper case naming.
NEXUS-50929 | Raw hosted repositories now support anonymous access to paths matching Terraform provider patterns when anonymous access is enabled globally.
NEXUS-50181 | Optimized Docker image retrieval by digest to achieve performance comparable to tag-based pulls.
NEXUS-50105 | Imported Docker images now maintain the correct content-type metadata for manifests and tags.
NEXUS-50056 | Corrected the Docker tags pagination Link header to include the complete repository path.
NEXUS-49785 | Enhanced Firewall quarantine checks for Docker proxy repositories to better handle concurrent pulls.
NEXUS-46841 | Improved Docker token handling to reliably process concurrent authentication requests.
NEXUS-50362 | Maven repositories now correctly return 404 responses for non-existent checksum signature files.
NEXUS-50243 | Corrected maven-metadata.xml generation in nested Maven groups.
NEXUS-44467 | Improved Maven POM uploads to correctly handle version numbers containing hyphens.
NEXUS-50205 | NuGet v3 search queries now correctly handle format-specific sorting parameters.
NEXUS-45352 | NuGet group repositories now retrieve cached packages from available proxy members.
NEXUS-44177 | NuGet v3 search queries now return locally cached replicated packages.
NEXUS-50153 | Yum group repositories now serve cached metadata during background regeneration.
NEXUS-49769 | Browse UI now removes outdated Yum metadata entries after repodata regeneration.
NEXUS-43881 | Improved cleanup of directory browse nodes in Yum repositories.
NEXUS-37102 | Optimized thread management in APT and Yum repositories to prevent blocking during concurrent operations.
NEXUS-23790 | The distribution field is now optional when configuring APT proxy repositories.
NEXUS-46491 | Helm repository metadata now updates correctly following database migration.
NEXUS-50706 | Improved cache invalidation for npm proxy repositories handling special-character package names.
NEXUS-50718 | Terraform hosted repositories now correctly generate and expose required provider metadata.
NEXUS-49752 | Firewall audits for RubyGems repositories now exclude metadata files from evaluation.
Search and Indexing
This set of fixes improves the accuracy, consistency, and performance of search operations. Enhancements address filtering logic, wildcard and token handling, database-specific behavior, and request optimization so that users and automation tools receive correct and complete results across deployment types.
Issue ID | Description
NEXUS-50711 | Checksum-based searches now correctly filter results when combined with repository or format parameters.
NEXUS-50435 | Improved search API handling of the prerelease parameter when using H2 databases.
NEXUS-49722 | Improved search tokenization to correctly index components with underscores in group names.
NEXUS-49164 | Enhanced search functionality in HA deployments to correctly handle wildcard queries with hyphens.
NEXUS-40204 | Optimized HEAD request handling in proxy repositories to improve response times.
High Availability, Clustering, and Concurrency
These updates strengthen reliability in clustered and high availability deployments. They resolve state consistency issues, improve concurrency handling, clarify clustering diagnostics, and reduce the likelihood of race conditions or configuration mismatches across nodes.
Issue ID | Description
NEXUS-50277 | Improved repository deletion in HA deployments to maintain consistent state across nodes.
NEXUS-50168 | Added warnings for unsafe file blob store paths in HA deployments.
NEXUS-48604 | Improved LDAP credential rotation handling in HA clusters.
NEXUS-46663 | Parallel API requests to create content selectors now complete successfully without race conditions.
NEXUS-40099 | Enhanced HA deployment log messages to clarify clustering configuration mismatches.
Blob Stores and Storage Management
These fixes focus on blob store validation, lifecycle management, and cleanup behavior. They improve correctness and resilience for both file- and S3-based storage, ensuring safe configuration, reliable deletion, and consistent data handling across UI and API operations.
Issue ID | Description
NEXUS-50503 | Improved credentials provider lifecycle management for S3 blob stores using AWS IRSA.
NEXUS-44209 | Compact blob store task now removes soft-deleted blobs after relocation.
NEXUS-37989 | Strengthened blob store name validation across UI and REST API operations.
NEXUS-28332 | Blobstore deletion now works correctly regardless of the chosen name.
Import, Export, and Migration
This group enhances upgrade, migration, import, and export workflows. The improvements ensure schema completeness, preserve metadata integrity, increase resilience to interruptions, and optimize performance when working with large or complex repositories.
Issue ID | Description
NEXUS-50612 | Upgrades from versions prior to 3.67.0 now include required database schema changes.
NEXUS-50402 | Asset import operations now preserve original uploader identity and IP address attributes.
NEXUS-45357 | Improved repository import process to handle non-UTF-8 metadata files.
NEXUS-42488 | Improved asset blob reference migration reliability after restarts or interruptions.
NEXUS-42251 | Optimized repository export prerequisite checks for large repositories.
NEXUS-34351 | Optimized import task performance for repositories with millions of flat-directory assets.
NEXUS-34303 | Database migrator now handles assets referencing missing components with improved logging.
NEXUS-42709 | Database migration logs now accurately reflect filtered records.
Security and Authentication
These changes improve system security posture and authentication reliability. They address third-party library vulnerabilities, permission model consistency, credential handling edge cases, and secure communication behavior across integrations and identity providers.
Issue ID | Description
NEXUS-50640 | SAML authentication now handles reverse proxy configurations that strip cookies during the identity provider redirect process.
NEXUS-49531 | Upgraded the CycloneDX core library to address an XML External Entity vulnerability.
NEXUS-47010 | Updated proxy repository authentication to properly handle passwords containing special characters.
NEXUS-47819 | Administrators can now remove all roles from SAML users through the API.
NEXUS-46805 | Simplified permission requirements for Content Replication configuration.
NEXUS-13303 | Improved email server connection handling to support plaintext SMTP when Trust Store is enabled.
UI, Permissions, and Usability
These fixes align user interface behavior with documented expectations and API behavior. They improve visibility, ordering, task reporting accuracy, and permission handling to create a more predictable and consistent administrative experience.
Issue ID | Description
NEXUS-50592 | Content selectors now appear in alphabetical order in the privilege dropdown.
NEXUS-48336 | Settings menu access now works correctly for users with nx-users-* privileges.
NEXUS-48281 | Task duration displays now reflect actual execution time.
NEXUS-40728 | Move Up and Move Down buttons now correctly reorder repositories in rebuild tasks.
Metrics, Logging, and Diagnostics
These updates enhance observability and troubleshooting. They improve log accuracy and persistence, align UI and API metrics, remove unused telemetry, and provide better diagnostic data to support operational monitoring and issue resolution.
Issue ID | Description
NEXUS-50133 | Support zip log truncation now retains the most recent log entries.
NEXUS-48701 | Removed the unused nexus_cluster.log file from deployments.
NEXUS-47716 | Metrics displayed in the UI now align with REST API values.
NEXUS-47618 | Removed unused S3 blob storage metrics from the Prometheus endpoint.
NEXUS-47362 | ROOT logger level settings now persist across system restarts.
NEXUS-46315 | Added JVM memory and garbage collection monitoring logs.
Configuration and Deployment
This category includes fixes that improve installation, configuration validation, and deployment workflows. The changes clarify documentation, prevent common misconfigurations, and ensure operator- and platform-based installations behave as expected.
Issue ID | Description
NEXUS-47399 | Corrected PostgreSQL configuration documentation examples.
NEXUS-45379 | H2 database backup task now trims whitespace from configured backup paths.
NEXUS-43752 | OpenShift Operator now correctly populates the ingress TLS hosts field.
Performance and Startup Optimization
These improvements reduce startup time and operational overhead. They streamline scheduler initialization and capability loading to help instances become fully operational more quickly after restart or configuration changes.
Issue ID | Description
NEXUS-46266 | Optimized Firewall Audit Capability initialization to reduce startup time.
NEXUS-50273 | Improved Quartz scheduler initialization to reduce restart delays.
Coming Soon
Change to Nexus Repository Docker Image Base and Tagging
As of 3.91.0, the base nexus3 image will be built on Alpine instead of UBI. This should be an invisible change for anyone using our image from Docker Hub. If you are building an image on top of ours, you will need to update your build process. Effective with 3.94.0, we will no longer publish new versions of the nexus3 image with the -ubi and -alpine suffixes.
Change to Private Network Blocking Default Behavior
Sonatype Nexus Repository will soon block private networks by default. Customers are encouraged to review their configurations for any internal IP addresses or private network ranges and update them as needed to prevent service disruptions.
Note that this is a change to the default behavior only; you will still be able to configure this setting to allow private network access if your deployment requires it.
This update is designed to improve security by preventing unauthorized or unintended access from Nexus Repository to internal services. It helps protect production environments where repository administrators should not be able to connect to arbitrary internal endpoints.
Note that this was previously planned to become the default behavior in the 3.90.0 release; however, we have delayed its implementation to a future release.
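To prepare for the default change described above, the configuration review can be scripted. This is an added example, not Sonatype code: it classifies the host of each configured outbound URL as private, public, or unresolved. The URLs and DNS answers are constructed, and two things are assumptions: that outbound URLs are the settings to review, and that "private" follows Python's `ipaddress` semantics (RFC 1918, loopback, link-local, IPv6 unique local), since the page does not list the exact ranges Nexus Repository will block.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample: name -> outbound URL configured on the instance.
CONFIGURED = {
    "npm-proxy": "https://upstream.example.org/",
    "maven-internal": "http://10.20.30.40:8081/repository/maven-releases/",
    "docker-mirror": "https://mirror.corp.example/v2/",
    "raw-ula": "http://[fd00::15]:8080/files/",
    "mapped": "http://[::ffff:192.168.1.10]/",
}

# Constructed DNS answers so the example runs offline.
STUB_DNS = {
    "upstream.example.org": ["8.8.8.8"],
    "mirror.corp.example": ["8.8.8.8", "192.168.50.7"],  # split-horizon style answer
}


def dns_resolve(host):
    """Live resolver for real use; returns [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Drop any IPv6 zone suffix such as "%eth0" before parsing.
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify_host(host, resolve=None):
    """Return 'private', 'public' or 'unresolved' for one URL host."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal: without a resolver we cannot decide.
        answers = resolve(host) if resolve else []
        if not answers:
            return "unresolved"
        addrs = [ipaddress.ip_address(a) for a in answers]
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 so ::ffff:192.168.1.10 is judged as 192.168.1.10.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return "private"  # one private answer is enough to be affected
    return "public"


def review(configured_urls, resolve=None):
    """Map each configured name to the classification of its URL host."""
    report = {}
    for name, url in configured_urls.items():
        host = urlsplit(url).hostname
        report[name] = classify_host(host, resolve) if host else "unresolved"
    return report


def needs_attention(report):
    """Names whose target is private or could not be classified."""
    return sorted(name for name, verdict in report.items() if verdict != "public")


if __name__ == "__main__":
    result = review(CONFIGURED, resolve=lambda h: STUB_DNS.get(h, []))
    for name in needs_attention(result):
        print(f"{name}: {result[name]} -> {CONFIGURED[name]}")
```

Pass `resolve=dns_resolve` and run it from the Nexus Repository host itself so that names resolve the way the server sees them.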
- Apr 7, 2026
- Date parsed from source: Apr 7, 2026
- First seen by Releasebot: Apr 9, 2026
Sonatype Nexus Repository 3.91.0 Release Notes
Sonatype Nexus Repository 3.91.0 adds a new Instance Migrator, Swift group repository support, database connection pool metrics, preserved proxy settings during migration, automatic Yum metadata regeneration, and global firewall quarantine webhooks, while also updating Docker image tagging and AWS reference architectures.
What’s New and Noteworthy in This Release?
In Case You Missed It: New Instance Migrator
In Nexus Repository 3.90.2 (March 23, 2026), we introduced a new Instance Migrator, which allows those on OrientDB-based Nexus Repository 3.70.5 to migrate to either Nexus Repository Cloud or self-hosted version 3.90.2+ without downtime.
Migration preserves core configuration and repository data, enabling a seamless transition to a more scalable and supported architecture. See the Nexus Repository 3.90.2 release notes for high-level details and the Instance Migrator help documentation for an in-depth look at the migration process and requirements.
You can download the instance migrator for version 3.70.5 from the OrientDB Downloads page.
Docker Tagging Update for Nexus Repository Images
As of release 3.91.0, Sonatype Nexus Repository has updated its Docker image tagging strategy, making the Alpine-based image the default variant. With this change, the 3.91.0, 3.91.0-alpine, and latest tags now point to the Alpine image, while the 3.91.0-ubi tag continues to reference the UBI-based image. Shifting the default to Alpine lowers risk exposure and improves security posture for containerized deployments.
Support for Swift Group Repository Format
Sonatype Nexus Repository now supports Swift group repositories, enabling you to aggregate multiple Swift package sources into a single endpoint. This capability simplifies dependency management by allowing teams to configure a single repository URL while seamlessly pulling components from multiple hosted, proxy, or group repositories. By consolidating access, you can reduce configuration overhead and improve consistency across development workflows.
For full details, see the Swift Repositories help documentation.
Database Connection Pool Metrics Available Through the Metrics API
Sonatype Nexus Repository now exposes database connection pool metrics through the metrics API, providing visibility into active, idle, and pending connections. This enhancement allows administrators to better understand how database resources are utilized in real time, without requiring additional tooling or manual inspection.
Preserved Proxy Repository Configuration During Migration
Sonatype Nexus Repository now preserves authentication credentials and HTTP request settings when migrating proxy repositories from OrientDB to self-hosted instances. Key configurations, such as connection timeout, retry attempts, and user agent values, carry over automatically, reducing the need for post-migration setup and ensuring repositories remain operational immediately after migration.
If authentication credentials cannot be securely migrated due to missing encryption configuration, Nexus Repository removes only the credential details while retaining all other repository settings. This approach maintains repository integrity while prompting you to reconfigure sensitive information as needed.
Automated Yum Repository Metadata Regeneration
Sonatype Nexus Repository now automatically regenerates Yum repository metadata during repository migrations, including required files such as repomd.xml and associated .xml.gz files. This enhancement ensures migrated repositories remain complete and immediately usable, eliminating the need for manual metadata repair or post-migration steps.
Global Webhooks for Firewall Quarantine Events
Sonatype Repository Firewall now supports global webhooks for quarantine events, automatically notifying your systems when components are quarantined or blocked due to policy violations. This capability enables seamless, real-time integration with your existing security and DevOps workflows, reducing the need for manual monitoring.
Cloud-Native AWS Reference Architectures for Sonatype Nexus Repository
Sonatype is now providing new cloud-native AWS reference architectures for Sonatype Nexus Repository, replacing the legacy reference architectures 1–4. The updated set includes five right-sized deployment options (XS, S, M, L, and XL) designed to support a range of scalability and performance needs. Each architecture includes Terraform configurations to simplify provisioning and accelerate time to value, enabling teams to deploy Nexus Repository in AWS with greater consistency and reduced operational overhead.
These architectures are now published in the Platform Cloud-Native Reference Architectures section alongside the existing IQ reference architectures, reinforcing Sonatype’s platform-oriented approach. The Sonatype Platform AWS Reference Architectures landing page provides a high-level overview of each architecture with links to specific details for each option. The previous Nexus Repository reference architectures are now marked as "Legacy" and will be removed in a future release.
Bug Fixes
This section summarizes the bug fixes included in Nexus Repository 3.91.0, grouped by functional area to highlight the most relevant improvements. The updates focus on improving repository correctness, system stability, performance, and user experience, while also addressing edge cases across supported formats and deployment environments. Each category provides a high-level view of related fixes, with details for individual issues listed below.
npm and PyPI Fixes
These updates focus on improving metadata accuracy, caching behavior, and policy enforcement for npm and PyPI repositories. They address inconsistencies caused by filtering, improve logging visibility for policy decisions, and ensure repository responses remain correct and performant under concurrent and edge-case scenarios.
Docker Fixes
These fixes target Docker repository behavior, focusing on correctness, scalability, and standards compliance. They improve handling of large datasets, manifest and tag integrity, permission evaluation, and compatibility with modern OCI image formats.
Other Repository Format Fixes
These changes improve compatibility and correctness across a range of repository formats, including Maven, Terraform, Conan, Yum, and others. They address edge cases in metadata handling, packaging behavior, and protocol support to ensure consistent interactions with upstream tools and clients.
High Availability, Concurrency, and System Stability
These updates improve system resilience under load, particularly in high availability and multi-node environments. They address concurrency issues, reduce the likelihood of deadlocks or timeouts, and ensure consistent behavior during distributed operations and resource-intensive tasks.
Blob Stores, Storage, and Data Integrity
These fixes focus on improving reliability and correctness in storage-related operations, including blob store management, migrations, and data consistency. They help ensure accurate metadata, prevent data loss, and improve behavior during concurrent or complex storage operations.
UI, Permissions, and User Experience
These updates enhance usability and consistency across the user interface and permission model. They resolve visibility issues, improve navigation behavior, and ensure that access controls and UI elements behave predictably for different user roles.
Logging, Observability, and Diagnostics
These changes improve visibility into system behavior through enhanced logging and diagnostics. They make it easier to troubleshoot issues by providing clearer, more detailed log output and ensuring relevant operational events are properly recorded.
Authentication and Security
These fixes strengthen authentication flows and ensure accurate enforcement of access control policies. They address issues with session handling, role synchronization, and HTTP response codes to provide clearer and more secure behavior.
Search and Indexing
These updates improve the reliability and accuracy of search and indexing operations. They address performance limits, ensure correct query matching behavior, and guarantee that index updates are applied consistently before results are returned.
Scheduled Tasks and Background Jobs
These fixes improve the reliability and behavior of scheduled and background tasks. They ensure task configurations persist correctly, prevent failures during upgrades, and provide better resource management and visibility into task execution progress.
Coming Soon to Sonatype Nexus Repository
Transition to Alpine-Only Docker Images (UBI Deprecation Notice)
Starting with Sonatype Nexus Repository 3.94.0, the Alpine-based image will become the sole supported variant, with both the 3.94.0 and latest tags pointing to Alpine. Version 3.93.x will be the final release to include the -ubi tag, providing a transition window for teams that still rely on the UBI-based image.
- Feb 3, 2026
- Date parsed from source: Feb 3, 2026
- First seen by Releasebot: Apr 9, 2026
Sonatype Nexus Repository 3.89.0 Release Notes
Sonatype releases Nexus Repository 3.89.x with Swift proxy and hosted Terraform repository support, faster UI page loads, expanded Terraform authentication, and a broad set of bug fixes for LDAP, APT metadata, permissions, HA, and repository reliability.
Known Issue in Sonatype Nexus Repository 3.89.0 - 3.89.1
Sonatype is aware of an issue in Sonatype Nexus Repository versions 3.89.0 - 3.89.1 where using the Admin - Remove a member from a blob store group task on a blob store group can cause moved blobs to become unreachable.
This issue is fixed in Nexus Repository 3.90.0. Upgrade to version 3.90.x before running the Admin - Remove a member from a blob store group task.
What's New and Noteworthy in 3.89.1?
Released February 11, 2026
Sonatype Nexus Repository release 3.89.1 fixes the following bugs:
- NEXUS-50621: Metadata generation for hosted APT repositories now correctly includes all applicable package versions in Packages files, ensuring clients receive complete and accurate repository metadata.
- NEXUS-50490: The LDAP configuration REST API now properly handles authentication password parameters when creating LDAP server connections.
- NEXUS-50487: The LDAP configuration API now correctly handles updates when using URL-encoded connection names in REST API requests.
- NEXUS-50473: User access to group repositories now correctly inherits read and browse permissions from member repositories, with consistent enforcement of content selectors across authorization checks and Browse previews.
- NEXUS-50338: LDAP configuration updates via REST API now reliably preserve all required fields during credential rotation and server configuration changes.
- NEXUS-48604: Enhanced LDAP credential rotation in High Availability clusters to ensure cache synchronization across all nodes when updating bind credentials.
What’s New and Noteworthy in 3.89.0?
Released February 3, 2026
Known Issue in Sonatype Nexus Repository 3.89.0
Sonatype is aware of an issue in release 3.89.0 that affects APT hosted repositories. Repository metadata may be incomplete or incorrect, even though all packages exist in the repository.
If you rely on APT hosted repositories, we recommend delaying your upgrade to 3.89.0 until a fix is available.
Support for Swift Proxy Repository Format
Sonatype Nexus Repository now supports the Swift proxy repository format, enabling teams to integrate Swift Package Manager (SPM) into their existing repository management workflows.
Nexus Repository provides a registry-based alternative to SPM’s traditional Git-based dependency resolution, offering an HTTP- and JSON-driven approach to discovering, resolving, and consuming Swift packages. This allows organizations to centralize access to public Swift packages, reduce reliance on external Git hosting services, and improve build performance through caching and reuse of dependencies.
Swift proxy repositories are available in both Pro and Community editions. Teams can apply enterprise controls such as access management and auditing while continuing to support both registry-based dependencies (available with Swift 5.7 and later) and Git-based dependencies.
For full details, see our Swift Repositories help documentation.
Support for Terraform Hosted Repository Format
Sonatype Nexus Repository now extends its Terraform support to include hosted repositories. With hosted Terraform repositories, you can centrally distribute Terraform modules as versioned source archives and platform-specific binaries as well as Terraform providers packaged as .zip files. This enables teams to securely host internally developed Terraform assets and reduce reliance on external sources.
This enhancement also streamlines provider management by automatically generating required provider metadata, checksum files, and GPG signatures, while supporting multiple provider versions and incremental platform uploads. Repository-level permissions allow you to control access to Terraform content, and full REST API support makes it easier to automate repository and artifact management as part of your infrastructure-as-code workflows.
For full details, see our Terraform Repositories help documentation.
Expanded Authentication Options for Terraform
Sonatype Nexus Repository now enables access to Terraform repositories through expanded authentication support.
Terraform repositories can now be accessed using anonymous access when enabled, allowing unauthenticated clients to discover and retrieve provider versions without authorization failures.
In addition, authentication logic now correctly validates Base64-encoded username and password tokens, allowing Terraform clients to authenticate successfully without relying on Pro-only user tokens.
Improved User Interface Performance and Faster Page Loads
This release significantly improves the Sonatype Nexus Repository user interface by reducing initial page load times and making the application more responsive. Improvements include decreased bandwidth usage and improved caching efficiency, resulting in a more scalable, modern UI that performs consistently for users regardless of location or deployment size.
Change in Permissions for Executing Rolling Upgrades
The ability to inspect and execute rolling (i.e., zero-downtime) upgrades is now available to users with the nx-atlas-all privilege. This change simplifies access control by reducing the permissions required to manage rolling upgrades, enabling more teams to perform upgrade operations without expanding administrative privileges while still maintaining a secure deployment model.
Breaking change: SAML login requires SAML2_AUTH_REQUEST cookie
Starting in Sonatype Nexus Repository 3.89.0, SAML authentication requires the SAML2_AUTH_REQUEST cookie to complete the login flow. Environments, infrastructure, or browser configurations that block third-party cookies can prevent this cookie from being set, causing SAML login to fail after upgrade. Before upgrading, ensure that policies or browser settings allow the SAML2_AUTH_REQUEST cookie so that SAML authentication continues to function as expected.
Bug Fixes
This release delivers a wide range of fixes and improvements. For better readability, we’ve organized these improvements into logical sections below.
Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1
There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.
This issue is fixed in version 3.90.0. Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.
Repository Storage, Uploads, and Data Integrity
This release includes several important improvements to how repositories handle data at scale, with a focus on stability, performance, and correctness during heavy operations. Changes address memory pressure during large uploads, race conditions during repository lifecycle events, safer execution of repair tasks, and more resilient database migrations and restores. Together, these fixes reduce the risk of outages, unexpected data loss, and failures during upgrades or maintenance in large or high-concurrency environments.
Formats and Ecosystem-Specific Fixes
A wide range of format-specific fixes improve reliability, performance, and standards compliance across supported ecosystems. Package managers such as APT, NuGet, npm, Maven, Docker, PyPI, Terraform, Conan, and Yum all benefit from targeted updates to metadata handling, search behavior, proxying, and rebuild logic.
Notably, Yum has received several improvements over the last couple of releases, including better metadata rebuild performance, safer handling of invalid group metadata, clearer diagnostics, and more efficient XML merging, resulting in more predictable behavior for large or complex Yum repositories.
Search, Browse, and Indexing
Search and browse functionality has been refined to be more accurate, predictable, and scalable, particularly in HA and large-repository environments. These changes improve filtering correctness, restore expected matching semantics, eliminate silent result truncation, and harden APIs against invalid requests. Performance optimizations also reduce the likelihood of failures during search rebuild tasks and high-volume query scenarios.
Security, Permissions, and Access Control
Several fixes improve how Nexus Repository evaluates permissions and access rules, both in terms of correctness and performance. Updates ensure that permission checks behave consistently across the UI and APIs, reduce authorization overhead in environments with frequent access checks, and ensure group repositories properly reflect the availability state of their members.
High Availability, Clustering, and Operations
HA and clustered deployments benefit from improved coordination, consistency, and operational safety. Fixes address credential synchronization across nodes, reduce migration-related memory issues, and improve the reliability and predictability of Helm-based HA deployments. These changes help ensure smoother upgrades and more stable behavior in multi-node environments.
UI and User Experience
User-facing workflows have been polished to remove friction, prevent common errors, and improve clarity. These updates include safer handling of whitespace in repository configuration, restored or simplified UI controls, and fixes to edge cases that could cause confusing behavior after session timeouts or during repository creation.
Logging, Monitoring, and Diagnostics
Logging and diagnostic output has been refined to be more actionable and less noisy. Improvements include clearer upgrade and metadata warnings, better visibility into long-running operations, consolidated request logging, and more informative startup and shutdown messages. These changes make it easier to troubleshoot issues and understand system behavior in production environments.
Tasks, Cleanup, and Maintenance
Maintenance and background tasks are now more resilient and resource-efficient, particularly when operating on large datasets. Enhancements ensure cleanup and repair tasks behave safely when encountering unexpected states, reduce memory usage during intensive operations, and improve overall system stability during scheduled or manual maintenance activities.
Documentation and API Fixes
Documentation and API examples have been corrected to better reflect supported behavior and real-world usage. These fixes remove misleading parameters and ensure example requests are accurate and usable, helping users avoid configuration errors and reducing friction when integrating with Nexus Repository programmatically.
Coming Soon to Sonatype Nexus Repository
Change to Nexus Repository Docker Image Base and Tagging
As of 3.91.0, the base nexus3 image will be built on Alpine instead of UBI. This should be an invisible change for anyone using our image from Docker Hub. If you are building an image on top of ours, you will need to update your build process. Effective with 3.94.0, we will no longer publish new versions of the nexus3 image with the -ubi and -alpine suffixes.
- Jan 15, 2026
- Date parsed from source:Jan 15, 2026
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.84.0 - 3.84.2 Release Notes
Sonatype releases Nexus Repository 3.84.2, disabling the Repair - Execute Data Repair Plan task by default to prevent potential data loss from a known issue. The update also fixes blob attribute loading so transient I/O errors no longer delete properties files.
What's New and Noteworthy in 3.84.2
Released January 15, 2026
Repair - Execute Data Repair Plan Task Disabled
To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, this release disables the Repair - Execute Data Repair Plan task by default.
Attempting to run this task will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.
While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.
We will announce when it is safe to re-enable this task in a future release note.
Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1
There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.
This issue is fixed in version 3.90.0.
Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.
What's New and Noteworthy in 3.84.1?
Released September 17, 2025
This release fixes multiple bugs impacting release 3.84.0. See the bug fixes section below for details.
What’s New and Noteworthy in 3.84.0?
Released September 9, 2025
Support for OCI Image Manifest Specification and RPM Packages in Container Scanning
Sonatype Repository Firewall now supports container images that use the OCI Image Manifest Specification and Linux distributions that use the RPM package format. This enhancement extends compatibility beyond existing support for Docker Manifest List Schema V2.
With this update, customers scanning container images can expect consistent analysis across OCI-compliant manifests and improved visibility into vulnerabilities and license risks within RPM-based layers.
For more information, see the Firewall for Docker help documentation.
Improved Stability for Concurrent Requests in Highly Available Deployments
This release enhances Sonatype Nexus Repository high availability (HA) deployment stability by improving how the system handles simultaneous requests for the same asset across multiple nodes. Nexus Repository can now better manage transient read failures when accessing blob attributes, reducing the likelihood of request failures during periods of high concurrency.
Customers running HA deployments will see more consistent performance and fewer interruptions when multiple users or systems request the same file at the same time.
Updated Task Names for Data Repair Consistency
To align with standard task naming conventions in Sonatype Nexus Repository, we have updated the names of two recently introduced tasks:
- Verify and Repair Data Consistency is now Repair - Data Repair Plan
- Execute Plan Data Repair is now Repair - Execute Data Repair Plan
These changes do not affect task functionality and only bring the naming into better alignment with our task naming conventions.
Dependency Updates
This release includes the following dependency updates:
- tika-core version upgraded from 1.28.4 to 3.2.2
- bouncycastle version upgraded from 1.78.1 to 1.81
- azure-identity version upgraded from 1.16.2 to 1.17.0
Bug Fixes in 3.84.2
Issue ID: NEXUS-50152
The blob attribute loading process no longer deletes properties files on transient I/O errors or unhandled exceptions.
Bug Fixes in 3.84.1
Issue ID: NEXUS-48666
Resolved an issue that prevented licenses ending with specific characters from being successfully installed in Nexus Repository.
Issue ID: NEXUS-48591
IQ Server certificates stored in the Nexus Repository truststore work as expected after restarting Nexus Repository.
Bug Fixes in 3.84.0
Issue ID: NEXUS-29075
Components can be downloaded as expected through a proxy repository in audit mode even when Sonatype Lifecycle is unreachable.
Issue ID: NEXUS-44970
Docker-specific attributes are now reliably saved during Docker asset creation.
Issue ID: NEXUS-45134
The Docker Garbage Collection task now skips and removes invalid BLOB assets missing a content_digest.
Issue ID: NEXUS-46276
The Tasks API now accepts "*" as a valid value for repositoryName.
Issue ID: NEXUS-46450
Cargo proxy repositories can now be successfully chained.
Issue ID: NEXUS-46734
The startup script now uses POSIX-compliant [ ] conditionals instead of bash-specific [[ ]] syntax.
Issue ID: NEXUS-47252
Uploads to instances migrated from H2 now complete successfully without duplicate key errors during blob operations.
Issue ID: NEXUS-47788
Users assigned repository-specific admin privileges can now access and manage the configuration page for their assigned repositories as expected.
Issue ID: NEXUS-48050
The global header search behavior now redirects to the correct search results page.
Issue ID: NEXUS-48149
Docker proxy repositories now correctly handle manifests retrieved via pre-signed URLs.
Issue ID: NEXUS-48177
Cleanup policies using the Asset Name Matcher criteria now function correctly for npm hosted repositories when using the H2 database.
Issue ID: NEXUS-48396
Removed the purl query parameter from the documentation for the api/v2/reports/components/quarantined endpoint, as it is not supported. Note that you can use the supported filtering options provided in the Components in Quarantine API documentation to retrieve specific quarantined components.
Issue ID: NEXUS-48422
Docker Firewall scanning now safely handles null values in image metadata.
Issue ID: NEXUS-48568 & NEXUS-48200
The Capabilities API now returns the expected responses and appears correctly in the UI.
- Jan 13, 2026
- Date parsed from source:Jan 13, 2026
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.88.0 Release Notes
Sonatype releases Nexus Repository 3.88.0 with proxy support for Terraform, SQL-powered search, a new capabilities API, browse tree cleanup controls, configurable encryption iterations, and URL validation to help protect against private network access, plus security and reliability fixes.
Known Issue with NuGet Search in Sonatype Nexus Repository 3.88.0
Sonatype is aware of an issue in Sonatype Nexus Repository 3.88.0 where NuGet client search requests fail when the application is running on the embedded H2 database.
If you rely on NuGet repository functionality and use the embedded H2 database, do not upgrade to version 3.88.0 until a fix is available.
What’s New and Noteworthy in This Release?
Note
Known Issue Update: Repair - Execute Data Repair Plan Task Disabled by Default
To prevent potential data loss caused by a known issue impacting Sonatype Nexus Repository 3.83.0 and later, the Repair - Execute Data Repair Plan task is now disabled by default starting in version 3.88.0.
Attempting to run this task in 3.88.0 will result in a failure and an error in the logs. The task remains visible in the UI, and any existing instances of this task will not be removed. However, execution is blocked by default.
While it is possible to manually re-enable this task by setting the nexus.reconcile.task.enabled property to true, it is important that you not do so until you are using a release that restores support.
We will announce when it is safe to re-enable this task in a future release note.
Support for Proxy Terraform Repositories
Sonatype Nexus Repository now supports proxy repositories for Terraform, enabling users to cache Terraform providers and modules from registry.terraform.io for improved performance, reliability, and governance.
This allows organizations to streamline infrastructure-as-code workflows by hosting provider binaries, checksums, signatures, and module archives directly within Nexus Repository. By rewriting upstream metadata, all download URLs point to your Nexus Repository instance, ensuring consistent access and control over Terraform content across all environments.
Terraform currently requires user token-based authentication, which requires a paid Nexus Repository Pro or Nexus Repository Cloud license. This means that, at the moment, Community Edition users are unable to authenticate for Terraform repositories. Anonymous access is not currently available for Terraform proxy repositories, though that will be enabled shortly.
Nexus Repository is compatible with the Terraform CLI version 0.13 and later, including all 1.x releases. To get started, see our Terraform repository help documentation.
Search Now Powered by SQL Instead of Elasticsearch
Starting in Nexus Repository 3.88.0, all search operations are now executed directly against the underlying SQL database, replacing Elasticsearch across all repository formats and editions.
This change improves consistency and simplifies deployment by using your configured database (i.e., PostgreSQL or H2) for search indexing and queries. While search functionality, API endpoints, and query syntax remain unchanged, some behavior may differ slightly, particularly around wildcard support, fuzzy matching, and relevance ranking.
PostgreSQL is recommended for production environments and supports relevance-based search; H2 is intended for development and may yield reduced performance on large datasets.
For full details, see our SQL Search help documentation.
Trigram Module Required for PostgreSQL
As a reminder, the pg_trgm (trigram) module must be installed when using a PostgreSQL database. This module may not be installed with PostgreSQL by default on all Linux distributions; if it is missing, the upgrade attempt fails with an exception.
See our installing the trigram module documentation.
New API to Retrieve Capability Types and Metadata
This release adds a new GET /v1/capabilities/types API endpoint that allows you to programmatically retrieve all available capability types along with their metadata, such as form fields, descriptions, and configuration requirements. This is useful for automating or dynamically generating capability-related configurations in external tools or custom UIs.
For full details, see the Capabilities API help documentation.
New Capability and Task for Managing Browse Tree Cleanup
Sonatype Nexus Repository 3.88.0 introduces a new Repository: Browse Trim capability and a Repair - Repository trim browse tree task to give administrators more control over cleaning up empty browse nodes (folders) after component deletion.
Automatic trimming is always enabled for H2 databases but disabled by default for PostgreSQL. For PostgreSQL users who prefer to keep automatic trimming disabled, the new repair task offers a manual alternative to clean up empty nodes on demand.
Learn more in the capability and task documentation.
Configurable Iteration Settings for Password and Secret Encryption
Sonatype Nexus Repository 3.88.0 adds support for two new properties (nexus.security.password.iterations and nexus.security.secrets.iterations) that allow administrators to configure the number of PBKDF2 iterations used when encrypting user passwords and sensitive secrets like API keys and tokens.
These properties, set in the nexus.properties file, provide greater control over encryption strength and support seamless migration to updated security configurations.
See our Re-encryption in Nexus Repository help documentation for full details.
New URL Validation to Protect Against Private Network Access
Sonatype Nexus Repository 3.88.0 introduces optional URL validation to help protect against Server-Side Request Forgery (SSRF) by blocking outbound connections to private network addresses, localhost, or cloud metadata endpoints.
This validation applies to Remote Storage URLs for proxy repositories and Endpoint URLs for Amazon S3 blob stores. By default, private network access remains allowed, but administrators can restrict it by setting nexus.proxy.allowPrivateNetworks=false in the nexus.properties file or using environment variables.
For full details, see Securing Nexus Repository.
Important Change Coming in 3.90.0
Starting in version 3.90.0, private network access will be blocked by default.
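One way to find configured URLs that this setting affects before upgrading, as an added example (not Sonatype code): it reads nexus.proxy.allowPrivateNetworks from a properties file and classifies the literal hosts of Remote Storage and S3 endpoint URLs. The address categories, the Java-style boolean parsing, and every sample name and URL are assumptions; hostnames are reported as unresolved instead of being looked up, so the script runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a nexus.properties file (not from a real instance).
SAMPLE_PROPERTIES = """\
# constructed sample
nexus.proxy.allowPrivateNetworks=false
"""

# Constructed sample: repository or blob store name -> configured URL.
SAMPLE_URLS = {
    "maven-central": "https://repo1.maven.org/maven2/",
    "npm-internal": "http://10.20.30.40:8081/repository/npm/",
    "docker-local": "http://localhost:5000/",
    "pypi-v6": "http://[::1]:8082/simple/",
    "mapped-v6": "http://[::ffff:192.168.1.10]/repo/",
    "metadata-style": "http://169.254.169.254/",
    "s3-endpoint": "https://minio.example.internal:9000",
}

# Categories treated as "private network" here (an approximation of the
# private, localhost and cloud-metadata cases the release note names).
RESTRICTED = {"loopback", "link-local", "private"}


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def private_networks_allowed(props, default=True):
    """default=True models 3.88.0; pass default=False to model 3.90.0."""
    value = props.get("nexus.proxy.allowPrivateNetworks")
    if value is None:
        return default
    # Assumption: the value is read as a Java-style boolean ("true" only).
    return value.lower() == "true"


def classify_host(host):
    """Classify a URL host without performing any DNS lookup."""
    if not host:
        return "invalid"
    host = host.strip("[]").lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # a name; resolve it separately before deciding
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # Order matters: is_private is also true for loopback and link-local.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"  # includes 169.254.0.0/16 metadata-style hosts
    if ip.is_private:
        return "private"
    return "public"


def audit(urls, props, default=True):
    """Return one row per URL with its category and whether it is blocked."""
    allowed = private_networks_allowed(props, default)
    rows = []
    for name, url in urls.items():
        category = classify_host(urlsplit(url).hostname)
        rows.append({
            "name": name,
            "url": url,
            "category": category,
            "blocked": category in RESTRICTED and not allowed,
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_URLS, parse_properties(SAMPLE_PROPERTIES)):
        flag = "BLOCKED" if row["blocked"] else "ok"
        print(f'{flag:8} {row["category"]:11} {row["name"]:15} {row["url"]}')
```

Rows reported as unresolved still need their names resolved from the Nexus host itself, since an internal DNS name can point at a private address.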
Updated SAML Library for Improved Security and Compatibility
Sonatype Nexus Repository now uses a new library for handling SAML authentication. This update aligns with our ongoing efforts to improve security and maintain compatibility with modern identity providers (IdPs). We have tested this change internally with a range of IdPs, but we recommend validating your SAML configuration in a test environment before deploying to production.
Note
If your IdP includes an entityId in its SAML response, it must match the entityId configured in Nexus Repository for authentication to succeed. This behavior may differ from previous versions.
Bug Fixes
This release delivers a wide range of fixes and improvements focused on stability, accuracy, and operational reliability. For better readability, we’ve organized these improvements into logical sections below.
Note
Common Vulnerabilities and Exposures Fix
Sonatype Nexus Repository 3.88.0 fixes a reflected cross-site scripting (XSS) vulnerability (CVE-2026-0601) that impacts Sonatype Nexus Repository versions 3.82.0 through 3.87.1.
The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in a victim’s browser, which could lead to privilege escalation or unauthorized configuration changes.
See our CVE-2026-0601 Knowledge Base article for details.
Repository Formats and Package Management
This release includes a broad set of improvements across supported repository formats. Updates improve how package metadata is generated, cached, rebuilt, and displayed. These changes help ensure packages are indexed accurately, metadata stays up to date, and clients interact reliably with repositories even in edge cases involving redeployments, caching behavior, or format-specific nuances.
Search, Indexing, and Metadata Accuracy
This release refines search and indexing behavior to improve result accuracy, consistency, and resilience. Fixes address incorrect matches, case-sensitivity issues, pagination limits, and failures caused by orphaned or inconsistent data. Together, these changes make search results more predictable across APIs and the UI, improve cleanup and rebuild operations, and reduce the likelihood of errors caused by stale or malformed index data.
High Availability, Clustering, and Concurrency
Several fixes in this release target stability and accuracy in high availability deployments, particularly under concurrent load. Improvements address race conditions, deadlocks, case-handling inconsistencies, and startup issues related to shared resources such as blob stores. These changes help ensure reliable behavior across nodes during searches, downloads, background processing, and upgrades in clustered environments.
Blob Stores, Storage, and Data Integrity
This release improves the accuracy, reliability, and observability of blob store operations. Fixes address incorrect size reporting, upgrade edge cases, concurrency handling, and data repair behavior across different storage backends. Additional improvements ensure diagnostic artifacts and logs more accurately reflect the state of stored data, helping administrators better understand and maintain storage health.
Cleanup, Maintenance, and Background Tasks
Cleanup and maintenance tasks are now more reliable, predictable, and easier to troubleshoot. Enhancements improve how cleanup policies are evaluated and executed, how background tasks handle large datasets, and how errors and warnings are logged. These changes reduce operational friction and help ensure long-running or automated maintenance tasks complete successfully without unnecessary failures or noise.
Security, Authentication, and Authorization
Security-related updates focus on improving authentication flows, authorization checks, and administrative clarity. Changes include performance improvements for permission evaluation, clearer licensing behavior, more predictable login handling, and better support for LDAP and SAML configurations.
UI, Usability, and API Behavior
This release refines the Nexus Repository user interface and REST APIs to improve usability, accuracy, and consistency. Updates address UI display issues, missing or misleading controls, trimming and validation of user input, and more reliable API responses. These improvements help reduce confusion, prevent common errors, and ensure the UI and APIs reflect the actual system state.
Platform, Deployment, and Operations
Operational and deployment-related improvements focus on stability, configurability, and smoother upgrades. Fixes address Docker and container workflows, Helm and Kubernetes deployments, logging behavior, startup edge cases, and operator behavior. These changes help ensure Nexus Repository runs more reliably across diverse deployment environments and integrates more cleanly into modern infrastructure workflows.
- Nov 20, 2025
- Date parsed from source:Nov 20, 2025
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.78.0 - 3.78.3 Release Notes
Sonatype ships Nexus Repository 3.78.x with a major Spring Boot migration, a single uber-jar, ARM support for Unix, macOS and Docker, improved npm audit Firewall integration, Java source conversion, and multiple bug and security fixes.
Known Issue for Community Edition 3.78.0-3.79.0
In Sonatype Nexus Repository 3.78.0 and 3.79.0, the RUT Auth Realm (rutauth-realm), which is used for authentication via remote user token, is not available for Community Edition deployments. Instances using rutauth-realm before upgrading will lose functionality, and downgrading is not possible without a database backup made before the upgrade.
We are investigating this issue and will provide a fix as soon as possible.
This issue does not impact Pro deployments or Community Edition 3.77.x deployments.
Warning
Sonatype is aware of an issue preventing successful installation of Sonatype Nexus Repository 3.78.2 as a Windows service. If you use Nexus Repository as a Windows service, do not upgrade to 3.78.x. We will release a fix for our Windows users as soon as possible.
Multiple Vulnerabilities Resolved in 3.77.x and 3.78.x
Are you on the latest Nexus Repository version? If not, your deployment could be at risk.
Sonatype has resolved multiple significant vulnerabilities just between releases 3.77.0 and 3.78.2, significantly enhancing Nexus Repository security. Here are details on these security enhancements:
- Improved input validation to prevent processing malformed data, reducing the risk of unexpected behavior and potential information leakage. Also improved resource management to prevent uncontrolled resource consumption. (CVE-2024-47554)
- Resolved multiple vulnerabilities by removing Karaf and pax-logging components. This eliminated several vulnerabilities, including those related to improper input validation, information exposure, XML External Entity attacks, uncontrolled resource consumption related to jline, and denial-of-service attacks related to Jackson-core. (Sonatype-2015-0286, Sonatype-2022-6438, CVE-2023-6378, CVE-2023-4218)
- Addressed issues related to storing sensitive information in memory, reducing the risk of information exposure through memory analysis.
- Made updates to prevent Denial of Service attacks due to uncontrolled resource consumption.
What's New in 3.78.3?
Released August 15, 2025
This patch release includes a fix that reduces the time to load the login screen for deployments with a large number of repositories, content selectors, and permissions, and with anonymous access enabled.
Full details are available in the Bug Fixes section.
What's New in 3.78.2?
Released March 18, 2025
Sonatype Nexus Repository version 3.78.2 fixes a number of bugs impacting release 3.78.0 - 3.78.1. Full details are available in the Bug Fixes section.
What's New in 3.78.1?
Released March 7, 2025
Sonatype Nexus Repository version 3.78.1 fixes a number of bugs impacting release 3.78.0. Full details are available in the Bug Fixes section.
This release also reverts our previous Logback upgrade back to version 1.2 and reverts our previous SLF4J upgrade back to version 1.7.
Known Issue Impacting 3.78.1 and 3.78.0
Nexus Repository not using some settings in nexus.vmoptions
Sonatype is aware of an issue where Nexus Repository deployments on versions 3.78.0 and 3.78.1 are not fully using custom data directory settings in nexus.vmoptions. This affects karaf.data, karaf.log, java.io.tmpdir, and XX:LogFile configurations, forcing the application to use the default ../sonatype-work/nexus3 directory. We will release a fix for this issue as soon as possible.
What’s New in 3.78.0?
Released March 4, 2025
Breaking Change for Custom Plugins: Nexus Repository Migrates to Spring Boot Architecture
This release marks a significant shift in Nexus Repository's architecture, migrating from Apache Karaf and OSGi to the Spring Framework. This transition modernizes the underlying technology stack, aligning with industry best practices and enabling future innovation.
Sonatype Nexus Repository is now packaged as a single "uber-jar," simplifying deployment and dependency management. Nexus Repository installers now include ARM-compatible JREs for Unix and macOS platforms in addition to the x86-64 versions. Windows installers will continue to be x86-64 only.
Impact to OSGi Bundle Deployment
Notably, this change also means that custom OSGi bundle deployment is no longer supported. You can learn more in our sunsetting documentation.
Nexus Repository Installer Update: Check Windows Service Configuration
With this release, JReleaser replaces Install4J as our tool for building our macOS, Windows, and Unix installers. Initially, JReleaser focuses on bundling a JRE with the application, maintaining the existing recommendation to use the bundled JRE for all deployments. Future iterations will leverage JReleaser's capabilities to further refine the installer experience and integrate more tightly with our uber-jar packaging.
Please note that our Unix archive now comes bundled with a platform-specific JDK and can no longer be used in a Mac environment.
Important Note for Windows Users
If you configure Windows Service Manager to run Nexus Repository, please review the updated instructions in our installation help docs before upgrading. They include the commands you will need to use for starting, stopping, and uninstalling the service.
Simplified JDK Upgrades with Nexus Repository Source Code Migration to Java
This release completes the conversion of all Groovy source code to Java within Nexus Repository, both in the core and proprietary components. This migration simplifies maintenance and removes a barrier to upgrading to newer JDK versions. Note that you can still execute Groovy scripts via Task. See our Script API help documentation for more information.
Save on Infrastructure: ARM Docker Images Now Available
This release broadens Sonatype Nexus Repository’s architecture compatibility by introducing ARM Docker images alongside the existing x86_64 versions in Docker Hub. This enhancement aligns with our commitment to providing flexible deployment options and supporting a wider range of infrastructure.
You can find ARM images for Nexus Repository version 3.78.0 and later on Docker Hub under sonatype/nexus3.
With ARM architecture added to the Docker image, we are no longer publishing tags to the docker-nexus GitHub repository.
Alternatively, you may use the tags posted to the nexus-public repository.
Improved npm Audit Security with Firewall Integration
This release enhances npm audit command security (for npm versions 7 and 8) by ensuring full integration with Sonatype Repository Firewall. For deployments using Repository Firewall, all components retrieved during an npm audit using npm version 7 and 8 are subject to Firewall checks, providing an added layer of protection.
Repository Firewall does not yet support package-lock.json file v3; therefore, lock files produced by npm 9 and 10 are not supported.
Removal of the jetty-rewrite module during upgrade to Jetty 12
The jetty-rewrite module has been removed during the upgrade to Jetty 12. As this functionality was not officially supported by Nexus Repository, customers should verify any customizations in their jetty config files before upgrading.
Sunsetting Log4J Visualizer and Bower Format
The Log4j Visualizer feature has been removed in this release. This early experiment in adding Software Composition Analysis (SCA) capabilities to Nexus Repository is now superseded by more comprehensive features, such as our malware warning banner.
We have also officially sunset Bower format, which was last available in our 3.70.x release line and only supported for OrientDB instances.
For full details on our feature sunsetting process, see our feature sunsetting documentation.
Breaking Changes with JFrog Artifactory 7.104
JFrog Artifactory 7.104 is the latest version and is incompatible with the Repository Firewall plugin. JFrog Artifactory has introduced a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against.
We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment.
Bug Fixes
Note
Performance Tip - Exclude Nexus Repository Directory from Virus Scans
To optimize startup time, particularly on Windows systems, Sonatype recommends excluding the Nexus Repository directory from virus scans. Scanning every file during application startup can significantly increase the time required for the application to become operational.
The table below lists additional bug fixes included in release 3.78.3.
Issue ID | Description
NEXUS-48385 | UI can take over 20 minutes to load when local anonymous user has many roles and privileges.
The table below lists additional bug fixes included in release 3.78.2.
Issue ID | Description
NEXUS-48385 | (3.78.3) UI can take over 20 minutes to load when local anonymous user has many roles and privileges.
NEXUS-46461 | Sonatype Nexus Repository correctly loads the license file specified by the nexus.licenseFile property in nexus.properties during initialization.
NEXUS-46451 | The startup script for macOS distributions now correctly identifies the embedded JDK home, resolving the previous issue where startup failed due to an incorrect path.
NEXUS-46408 | Installations set up to use systemd as described in our Run as a Service documentation now start as expected.
NEXUS-46377 | Sonatype Nexus Repository's Windows service installation now explicitly uses the embedded JDK, resolving an issue where the service could incorrectly select a system-installed JDK.
NEXUS-46370 | Sonatype Nexus Repository's Unix distribution archive now preserves the user and group ownership of unpacked files, resolving an issue where files were incorrectly owned by a specific user ID.
NEXUS-46362 | Removed unnecessary warning about JAVA_HOME not being set from all possible places where it might be set.
NEXUS-46359 | Sonatype Nexus Repository now respects the karaf.data and karaf.log properties specified in nexus.vmoptions as expected.
NEXUS-46318 & NEXUS-46401 | Sonatype Nexus Repository now allows users to specify a custom JVM using the APP_JAVA_HOME environment variable or the app_java_home property in nexus.rc, restoring the ability to override the embedded JDK.
The table below lists additional bug fixes included in release 3.78.1.
Issue ID | Description
NEXUS-46354 | Corrected a NEXUS_DATA environment variable injection issue, resolving file lock errors in Kubernetes deployments.
NEXUS-46353 | Nexus Repository Kubernetes deployments now correctly load and persist licenses upon initial installation, resolving a "License is not valid" error that occurred in some deployments.
NEXUS-46345 | Corrected the URL used to retrieve Composer packages.json metadata.
NEXUS-46319 | Restored missing Tasks REST API endpoints.
NEXUS-46313 | Nexus Repository now starts correctly when installed in directories containing spaces.
NEXUS-46310 | The bin/nexus script now correctly recognizes and applies the run_as_user setting described in our run as a service documentation.
NEXUS-46168 | Adjusted the Reconciliation task so that it can restore missing properties files in cloud blob stores with date-based layout enabled and volume/chapter folder structure.
NEXUS-46008 | Restored missing log line fields and daily rotation of the request.log.
The table below lists bug fixes included in release 3.78.0.
Issue ID | Description
NEXUS-46087 | Improved upload performance by preventing excessive asynchronous event queuing, which eliminates latency spikes and ensures background processing remains efficient.
NEXUS-46004 | Improved npm audit security with Firewall integration.
NEXUS-45997 | Fixed a NullPointerException that impacted some Helm proxy repositories on Nexus Repository version 3.77.0.
NEXUS-45925 | The tarball download URLs in npm group repository metadata now match those returned by npm proxy repositories as expected.
NEXUS-45855 | Made changes to prevent heavy loads from causing browse node event handling to time out.
NEXUS-45773 | Ensured correct migration of privileges and roles from Nexus Repository 2 to 3 by aligning privilege names and IDs.
NEXUS-45729 | Maven metadata GET requests to a group repository are no longer much slower than direct requests to member repositories.
NEXUS-45673 | Corrected P2 proxy repository functionality to allow proxying JAR files that do not have a MANIFEST entry as the first or second JAR entry.
NEXUS-45639 | Fixed an error preventing blobstore loading during the Repair - Recalculate blob store storage task by correcting a method name case mismatch.
NEXUS-45432 | Corrected download URLs in npm package metadata for non-scoped, version-specific requests.
NEXUS-45364 | Enabled configuration of the Apache Velocity parser pool size to prevent resource exhaustion during high-volume PyPI component index requests.
NEXUS-45139 | Corrected repository root URL HEAD request responses to comply with HTTP/1.1 specifications, ensuring they now return the same status as GET requests.
NEXUS-44544 | Improved component search results by displaying an empty field instead of the Unix epoch date when the last updated value is null.
NEXUS-44016 | Corrected npm latest tag resolution to prevent canary versions from being selected when the true latest version is removed.
NEXUS-44007 | Resolved Java XML bind warning messages that occurred in some instances when starting Nexus Repository with Java 17.
NEXUS-43115 | Expanded documentation on installing Sonatype Nexus Repository using the OpenShift operator.
NEXUS-40991 | Ensured consistent favicon display across all static and dynamic pages in Nexus Repository.
NEXUS-34688 | Prevented unnecessary load on IQ Server by ensuring the IQ: Audit and Quarantine capability is only configurable for supported repository formats.
NEXUS-30693 | Improved logging for the Repair - Reconcile component database from blob store task to include the settings used during execution.
- Sep 3, 2025
- Date parsed from source:Sep 3, 2025
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.83.0 - 3.83.2 Release Notes
Sonatype releases Nexus Repository 3.83, adding Docker container policy enforcement, path-based Docker routing, stronger password hashing and secrets encryption, and a new Verify and Repair Data Consistency task, while also delivering bug fixes and recovery improvements across later 3.83.x updates.
Known Issue in Sonatype Nexus Repository 3.83.0 - 3.89.1
There is an issue in Sonatype Nexus Repository 3.83.0 - 3.89.1 where running the Verify and Repair or Data Repair Plan tasks can incorrectly delete valid assets, leading to potential data loss.
This issue is fixed in version 3.90.0.
Upgrade to version 3.90.0 before running the Verify and Repair or Data Repair Plan tasks.
Note
Versions 3.83.0 - 3.83.2 contain a defect that prevents use of the Capabilities API. This bug is fixed in 3.84.0. Update to 3.84.0+ to use the Capabilities API.
What's New in 3.83.2?
Released September 3, 2025
This release fixes a number of bugs present in 3.83.0 – 3.83.1. See the bug fixes in 3.83.2 section for details.
What's New in 3.83.1?
Released August 19, 2025
This release fixes a number of important bugs present in 3.83.0. See the bug fixes in 3.83.1 section for details.
What’s New in 3.83.0?
Released August 12, 2025
Prevent Risky Containers from Entering Your Organization with Repository Firewall
You can now extend Sonatype Repository Firewall’s automatic policy enforcement to containerized applications, enabling your team to block non-compliant or vulnerable Docker images before they enter your development environments.
Repository Firewall analyzes Docker images as they are requested through a protected proxy repository. Images that violate your defined policies are automatically quarantined, ensuring developers and deployment pipelines only use trusted containers. Violations are reported in a new Containers dashboard that also provides clear insights into which components within a container triggered enforcement.
You can also apply waivers to container-level violations directly from the container report or via the new Container Waivers API, streamlining security review and enabling critical images to proceed when necessary.
This functionality supports Docker Schema 2 (both single and multi-architecture) images from any container registry proxied by Sonatype Nexus Repository. To optimize performance, local disk storage is recommended for temporary container analysis. Note that Sonatype does not ingest or retain container data during analysis.
For full configuration instructions, supported formats, and usage details, see the Repository Firewall for Docker help documentation.
Docker Registry Path-Based Repository Support
Sonatype Nexus Repository now supports path-based routing for Docker repositories.
This new routing option simplifies Docker setup by eliminating the need to configure custom subdomains or manage complex certificate requirements. It offers a more secure and streamlined approach to accessing Docker images, which is especially important in cloud environments with strict security constraints.
Path-based routing is required for all Nexus Repository Cloud deployments. While it is optional in self-hosted environments, adopting this configuration is recommended for improved security and easier maintenance.
For setup instructions, see our Docker Registry help documentation.
Improved Security Options for Password Hashing and Secrets Encryption
You can now customize Sonatype Nexus Repository’s password hashing algorithm to best align with your organization’s security standards. Supported options include SHA-512 (default), PBKDF2WithHmacSHA256, and PBKDF2WithHmacSHA1. This enhancement allows for greater flexibility and alignment with modern security policies.
Additionally, secrets encryption now supports both PBKDF2WithHmacSHA256 and PBKDF2WithHmacSHA1 (default), offering improved configurability for securing sensitive data within the system.
Streamlined Recovery with New Verify and Repair Data Consistency Task
A new Verify and Repair Data Consistency task is now available in Sonatype Nexus Repository to improve the recovery experience when the database and blob stores become out of sync. This task replaces the legacy Repair - Reconcile component database from blob store task and offers faster performance, enhanced precision, and greater flexibility.
Use this task to recover missing component metadata for artifacts that exist in storage but are no longer referenced in the database. This scenario may occur when restoring from backups or during failover events where the database and storage were finalized at different points in time. You can also restore soft-deleted artifacts before they're permanently removed from blob storage.
Administrators can scope the task by blob store, repository, and time window. A Dry Run option is also available so that you can preview changes before executing them, allowing for safer and more controlled recovery workflows.
For implementation details and API usage, see the Verify and Repair Data Consistency task help documentation.
Note that any scheduled Repair - Reconcile component database from blob store tasks will be automatically removed during the upgrade to Nexus Repository 3.83.0 and later. This is to prevent errors since the legacy task is not compatible with a date-based blob store layout, which Nexus Repository now uses by default.
New Documentation: Cross-Region Disaster Recovery for Enterprise Deployments
New Cross-Region Disaster Recovery documentation is now available to help administrators configure their Sonatype Nexus Repository high availability (HA) deployments to support cross-region disaster recovery in AWS. This approach is designed for enterprise-scale deployments that require minimal downtime and protection against regional cloud outages.
The documentation outlines how to use Amazon RDS and S3 with cross-region replication to enable automatic backup, rapid failover, and zero-loss failback. With this configuration, deployments can achieve a 15-minute Recovery Point Objective (RPO) for blob stores, a 5-minute RPO for the database, and a 1-hour Recovery Time Objective (RTO). It also includes steps for auditing asset loss, verifying data consistency, and synchronizing changes made during failover.
Bug Fixes in 3.83.2
Issue ID: NEXUS-48483
The request.log now correctly records the timestamp corresponding to when the response is written back to the client rather than when the request initially arrived.
Issue ID: NEXUS-48480
The RegistrationsBaseUrl value in index.json files for NuGet group repositories now includes the correct path, ensuring .NET clients can successfully retrieve package metadata. This restores compatibility with dotnet install commands against NuGet group repositories.
Issue ID: NEXUS-47541
When using Docker subdomain routing, request.log entries now include the resolved /repository/ path.
Bug Fixes in 3.83.1
Issue ID: NEXUS-48391
The legacy HA-C property is now properly ignored when explicitly set to false.
Issue ID: NEXUS-48388
Crowd authentication works as expected with version 3.83.x.
Issue ID: NEXUS-48387
The Docker repository user interface no longer incorrectly displays path-based routing as enabled when it is not enabled.
Issue ID: NEXUS-48385
Sonatype Nexus Repository now allows the UI to load promptly for anonymous users, even in environments with many content selector privileges.
Issue ID: NEXUS-48369
Fixed an issue that prevented Community Edition deployments from starting after upgrade to 3.83.0 if they contained Docker group repositories.
Issue ID: NEXUS-48367
Updated logger configuration to ensure HA deployments start as expected on version 3.83.0+ when using the Helm chart.
Issue ID: NEXUS-48212
Sonatype Nexus Repository 3.83 no longer fails to start when transitioning from non-HA to HA mode using a shared PostgreSQL database. Node identity is now handled separately to prevent conflicts with legacy node entries in the node_heartbeat table.
Issue ID: NEXUS-48145
Made changes to how Nexus Repository handles telemetry HTTP responses to prevent excessive NullPointerException log warnings caused by unhandled 204 responses from telemetry endpoints.
Issue ID: NEXUS-48025
When creating Docker repositories, user can select domain or port connectors without selecting a radio button.
Bug Fixes in 3.83.0
Issue ID: NEXUS-48217
This release replaces the Repair - reconcile component database from blob store task with a new Verify and Repair Data Consistency task.
Issue ID: NEXUS-47958
Routing rules created via the REST API that include non-alphanumeric characters in their names now correctly load in the UI when selected.
Issue ID: NEXUS-47563 & NEXUS-47159
Cleanup policies using asset matchers with the option to retain a select number of versions now correctly identify and retain the expected number of Maven assets. The CSV preview and cleanup task execution now return accurate results when used with PostgreSQL-backed repositories.
Issue ID: NEXUS-47553
Cleanup policies using the Component age criteria now correctly remove eligible components when applied to repositories backed by an H2 database.
Issue ID: NEXUS-46937
Startup failures related to the FileBlobStoreMetricsMigrationStep after migrating from H2 to PostgreSQL no longer occur. The Flyway migration state is now correctly reloaded, ensuring the system accurately reflects migration progress and can start reliably after the initial post-migration launch.
Issue ID: NEXUS-46388
Simultaneous requests for the same asset sent to different nodes in a High Availability (HA) Nexus Repository cluster no longer result in 500 errors. Blob property file access is now handled safely across nodes, ensuring reliable asset downloads under concurrent access.
Issue ID: NEXUS-46385
Updated Docker Hub credentials for proxy repositories now take effect as expected without requiring a server restart.
Issue ID: NEXUS-46136 & NEXUS-45942
Docker login requests through reverse proxies that include a port in the X-Forwarded-Host header no longer result in malformed authentication redirects with duplicated port values. Nexus Repository now correctly parses forwarded host headers, ensuring compatibility with standard reverse proxy configurations such as Apache httpd.
Issue ID: NEXUS-45843
Upgrades from earlier versions of Nexus Repository no longer fail when NuGet proxy repositories are missing the nugetVersion attribute. The migration logic now safely defaults to expected values, allowing startup to complete without manual intervention.
Issue ID: NEXUS-45369
Made improvements to prevent startup failures caused by the FileBlobStoreMetricsMigrationStep when migrating from OrientDB to PostgreSQL.
- Aug 26, 2025
- Date parsed from source:Aug 26, 2025
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.82.0 - 3.82.1 Release Notes
Sonatype releases Nexus Repository 3.82.1 and 3.82.0, bringing a fully managed cloud-hosted service, a new Capabilities API, improved quarantine messaging, and key bug fixes for Azure blob store, Blob Store undelete, NuGet, npm, and search endpoints.
What's New and Notable in 3.82.1?
Released August 26, 2025
This release fixes an issue with the Repair - Reconcile component database from blob store task where running the task with the integrity check option enabled could incorrectly remove content from repositories that use an Azure blob store.
Sonatype Nexus Repository Now Available in the Cloud!
Cloud Released on July 16, 2025
Sonatype Nexus Repository Pro is now available as a fully managed, cloud-hosted service, eliminating the overhead of infrastructure management and allowing your development teams to focus on building and delivering secure and reliable software faster. Check out the benefits below:
Operational Efficiency Without the Overhead
With Nexus Repository Cloud, Sonatype handles everything required to get and stay up and running, including high availability, rolling upgrades, automated backups, and seamless failover. This ensures maximum uptime and reliability for your development pipelines. Your deployment scales automatically with your usage, allowing your team to focus on delivering software instead of managing tooling.
Accelerated Time-to-Value
By removing the complexities of provisioning and maintaining servers, Nexus Repository Cloud reduces total cost of ownership and accelerates onboarding. Your teams can start building and deploying software quickly using pre-configured defaults, secure access controls, and guided setup flows.
Access to the Latest Features First
Nexus Repository Cloud is always running the latest stable release, often ahead of the on-premises version. This ensures your team can take advantage of new features and performance improvements without delay.
Migration Support Available
Sonatype provides expert-led migration services to help organizations transition from on-premises deployments to the cloud with minimal downtime. Our Customer Success team ensures your data and configurations are migrated securely and efficiently.
Key Features in Nexus Repository Cloud
- Simplified Setup – Guided onboarding helps you get up and running quickly with secure access, default roles, and user management via your identity provider or direct configuration.
- No Maintenance Overhead – Sonatype handles upgrades, patches, monitoring, and infrastructure operations, eliminating day-to-day maintenance tasks.
- Cloud Tenant Provisioning – Organizations receive a unique, secure URL for accessing their Nexus Repository Cloud tenant.
- Client Tool Integration – Configure tools such as Maven, npm, and Docker to interact directly with your Nexus Repository Cloud instance.
For more information about getting started with Nexus Repository Cloud, see our official documentation.
What's New and Noteworthy in 3.82.0?
Released July 9, 2025
Sonatype Nexus Repository 3.82.0 includes the following new features and enhancements:
New Capabilities API
Sonatype Nexus Repository now provides a new Capabilities API, giving administrators more flexibility and control when managing system-level features through automation.
With this API, you can programmatically view, create, update, and delete Capabilities in your Nexus Repository instance. This allows for faster setup, consistent configuration across environments, and easier integration into infrastructure-as-code workflows. This improves efficiency and reduces the risk of manual errors in administrative tasks.
For full details, see the Capabilities API help documentation.
Quarantine Message Behavior Restored and Improved
Sonatype previously noted a regression in Nexus Repository 3.81.x that prevented quarantine messages from being returned as expected when a component was blocked by Sonatype Repository Firewall. Updates in this release restore expected quarantine message behavior and introduce enhancements to improve clarity for users and automation.
Those using npm and NuGet formats will now see clearer quarantine messages directly in their CLI output when a component is blocked by Repository Firewall. These messages include the reason for the quarantine, helping developers quickly understand and address policy violations without additional troubleshooting.
Bug Fixes
This release includes the following notable bug fixes:
- NEXUS-48217 (3.82.1) Fixed an issue with the Repair - Reconcile component database from blob store task where running the task with the integrity check option enabled could incorrectly remove content from repositories that use an Azure blob store.
- NEXUS-47645 The Blob Store undelete process now handles self-referencing properties files without triggering a stack overflow. This prevents unexpected shutdowns of the GCP connection pool and eliminates the need for a restart.
- NEXUS-47455 The UI: Settings capability now correctly updates the page title as configured.
- NEXUS-47234 The /search/assets API now correctly supports the maven.baseVersion parameter in HA mode.
- NEXUS-47027 The package-ids endpoint for NuGet v2 repositories now returns a maximum of 30 package IDs as a JSON array, aligning with the NuGet tab-completion API specification. This prevents excessive memory usage and improves performance when clients like MSBuild query the endpoint with empty or broad parameters.
- NEXUS-47013 The npm audit bulk endpoint now accepts requests from users with read-only permissions, eliminating the need for view-add privileges. This ensures that audit operations work as expected for read-access users, including anonymous users if authentication is not required.
- NEXUS-29739 The Browse UI for NuGet v3 group repositories now displays the correct path and generates working download links. Requests with or without the index segment are normalized, preventing 404 errors when accessing assets like index.json.
- Jun 11, 2025
- Date parsed from source:Jun 11, 2025
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.81.0 - 3.81.1 Release Notes
Sonatype releases Nexus Repository 3.81.1 and 3.81.0 with new egress visibility, Jetty 12 upgrade, faster Google Cloud blobstore moves, Zscaler integration, and bug fixes for dotnet restore, metrics endpoints, UI branding, search speed, and more.
What's New in Nexus Repository 3.81.1?
Released June 11, 2025
Known Issue in 3.81.1: Quarantine Messages Missing from 403 Responses
Sonatype is aware of an issue in Nexus Repository 3.81.1 that prevents all quarantine messages—both default and custom—from appearing in HTTP responses when components are blocked by Repository Firewall. Affected requests return only a generic “403 Forbidden” status with no explanatory message or link to the component report. This may impact environments that depend on these messages to inform users about quarantine reasons.
This release fixes an issue that caused dotnet restore commands to fail due to NuGet v3 content requests returning 404 errors.
Switch Metrics Servlets to use JAX-RS
The REST API endpoints for metrics have changed. Redirects have been added, but not all scripts will follow redirects.
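An added example, not Sonatype's code: an audit of monitoring configs and scripts for the legacy metrics paths listed in the Original Endpoint / New Endpoint table of this section. It flags curl calls that would stop at the redirect because they lack -L/--location, and rewrites the paths. The host name and sample lines are constructed.

```python
import re
from collections import namedtuple

# Old -> new metrics endpoints, copied from the 3.81.1 release notes table.
ENDPOINT_MAP = {
    "/service/metrics/prometheus": "/service/rest/metrics/prometheus",
    "/service/metrics/data": "/service/rest/metrics/data",
    "/service/metrics/ping": "/service/rest/metrics/ping",
    "/service/metrics/threads": "/service/rest/metrics/threads",
    "/service/metrics/healthcheck": "/service/rest/v1/status/check",
}

# Match a legacy path only when it ends there, so an unrelated longer path
# such as /service/metrics/database-stats is left alone.
LEGACY_RE = re.compile(
    "(" + "|".join(re.escape(p) for p in ENDPOINT_MAP) + r")(?![\w\-])"
)

# curl does not follow redirects unless -L / --location is given
# (also matches combined short flags such as -sSL).
CURL_RE = re.compile(r"\bcurl\b")
FOLLOW_RE = re.compile(r"(?:^|\s)-[A-Za-z]*L[A-Za-z]*(?=\s|$)|--location\b")

Finding = namedtuple("Finding", "line legacy new curl_no_follow")


def audit(text):
    """Report every legacy metrics path with its line number and replacement.

    curl_no_follow is True when the line is a curl call without -L, i.e. a
    caller that receives the redirect response instead of the metrics.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        is_curl = bool(CURL_RE.search(line))
        follows = bool(FOLLOW_RE.search(line))
        for match in LEGACY_RE.finditer(line):
            legacy = match.group(1)
            findings.append(
                Finding(number, legacy, ENDPOINT_MAP[legacy], is_curl and not follows)
            )
    return findings


def migrate(text):
    """Rewrite legacy paths to the new endpoints; safe to run repeatedly."""
    return LEGACY_RE.sub(lambda m: ENDPOINT_MAP[m.group(1)], text)


# Constructed sample: lines as they might appear in a scrape config, a health
# probe script and a cron job. nexus.example.internal is a placeholder host.
SAMPLE = """\
# constructed sample for the audit
metrics_path: /service/metrics/prometheus
curl -sf -u "$NX_USER:$NX_PASS" https://nexus.example.internal/service/metrics/healthcheck
curl -sSL https://nexus.example.internal/service/metrics/ping
wget -qO- https://nexus.example.internal/service/rest/metrics/threads
GET /service/metrics/database-stats
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        note = "  <-- curl without -L: will not follow the redirect" if f.curl_no_follow else ""
        print(f"line {f.line}: {f.legacy} -> {f.new}{note}")
    print(migrate(SAMPLE))
```

Health probes deserve the closest look: the healthcheck path is the only one that moves outside the metrics prefix, so a pattern-based rename of /service/metrics/ to /service/rest/metrics/ gets it wrong.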
Original Endpoint | New Endpoint
/service/metrics/prometheus | /service/rest/metrics/prometheus
/service/metrics/data | /service/rest/metrics/data
/service/metrics/ping | /service/rest/metrics/ping
/service/metrics/threads | /service/rest/metrics/threads
/service/metrics/healthcheck | /service/rest/v1/status/check
What’s New in Nexus Repository 3.81.0?
Released June 10, 2025
Egress Information Available in Licensing Usage Tab
Sonatype Nexus Repository now provides egress information for on-prem instances; administrators can find this information in the Usage tab under Settings > System > Licensing. This new feature helps you understand your data transfer patterns, making it easier to plan for a potential cloud migration. By seeing your egress data upfront, you can better estimate costs and resource needs in a cloud environment.
Note that Total Egress is calculated at the application level. This might differ from network transfer measurements from your cloud provider. Our testing indicates approximately 15% more traffic when estimating total egress in cloud environments.
For full details, see the License Management help documentation.
Enhanced Security and Performance with Jetty 12
This release upgrades Sonatype Nexus Repository from Jetty 9 to Jetty 12, bringing enhanced security and performance to your instance. This upgrade ensures that Sonatype Nexus Repository operates on a supported and modern server technology.
If your Sonatype Nexus Repository instance uses a customized Jetty configuration, serves HTTPS directly through Sonatype Nexus Repository, or has a customized request log, plan to update your configurations accordingly.
Performance Improvements for Change Repository Blobstore in Google Cloud Environments
This release includes performance improvements for the Change Repository Blob Store task when moving from one Google Cloud Storage (GCP) bucket to another. Previously, this operation took considerably longer than other blob store migration types. This enhancement greatly improves the efficiency of managing your Google Cloud Storage-backed repositories.
Integrate Sonatype Repository Firewall with Zscaler for Enhanced Malware Protection
Sonatype Repository Firewall now integrates with Zscaler, a cloud-native cybersecurity platform, to provide an additional layer of defense against actively verified malware components. This integration automatically blocks malicious components from being downloaded directly from public repositories, protecting your organization from malware found in "shadow downloads."
For details on how to enable this protection, see our Zscaler integration help documentation.
Bug Fixes
Issue ID | Description
NEXUS-47610 | (3.81.1) This release fixes an issue that caused dotnet restore commands to fail due to NuGet v3 content requests returning 404 errors.
NEXUS-47222 | The nexus.log no longer generates ERROR and WARN entries related to an unavailable reconcile/list resource when administrators open the Administration > System > Tasks page.
NEXUS-47217 | Sonatype Nexus Repository's cargo-group functionality now correctly handles features2 when building projects, preventing build failures that previously occurred.
NEXUS-47197 | Custom branding changes made through the UI branding capability now correctly appear in the application's user interface.
NEXUS-47020 | Made performance improvements so that newly uploaded components and staging move results now appear in search results more quickly.
NEXUS-46899 | Sonatype Nexus Repository now immediately reflects changes to user data from Crowd in the UI.
NEXUS-46508 | In Sonatype Nexus Repository HA instances, the Disassociate Tag API now correctly disassociates components from a tag and no longer returns an unrelated list of components.
NEXUS-46264 | Resolved various issues with 3.77.1 Alpine image.
NEXUS-46033 | The Number of versions option in the cleanup policy for maven2 and docker repositories no longer unexpectedly hides or reveals itself when other cleanup policy options are selected.
NEXUS-45866 | After enabling HA in Sonatype Nexus Repository, the Support > Status and System > Nodes pages now display consistent information.
NEXUS-45113 | The cleanup policy and cleanup service tasks now correctly remove empty directories.
NEXUS-44548 | npm audit commands work as expected when npm package name aliases are present.
NEXUS-29739 | NuGet v3 group repositories display the correct path in the browse UI. The download link for assets within these repositories also now functions as expected.
Coming Soon
Here’s what’s coming soon for Sonatype Nexus Repository:
Sonatype Nexus Repository Cloud
Sonatype Nexus Repository will soon be available as a Sonatype Cloud solution! This will provide all the powerful artifact management capabilities you rely on, delivered and managed by Sonatype in the cloud.
Path-Based Repository Support for Docker
Sonatype Nexus Repository will soon provide path-based repository support for Docker, allowing you to host multiple Docker registries under a single hostname using different URL subpaths. This eliminates the need for multiple ports or wildcard TLS certificates, simplifying enterprise deployments.
Firewall Support for Containers
Sonatype Repository Firewall will soon introduce support for containers, enabling you to proactively block the download of container images violating your organization's policy configurations before they enter your container ecosystem.
- May 6, 2025
- Date parsed from source:May 6, 2025
- First seen by Releasebot:Apr 9, 2026
Sonatype Nexus Repository 3.80.0 Release Notes
Sonatype releases a more modern Nexus Repository UI and adds Hugging Face support, HA usage visibility, historical usage reporting, LDAP to SAML token migration, and simplified S3 blob cleanup. It also includes security, AWS, Azure, and logging improvements plus multiple bug fixes.
What’s New and Noteworthy in This Release?
Nexus Repository Gets a More Modern and Intuitive User Interface
This release introduces a significant enhancement to the Sonatype Nexus Repository user interface, focusing on improved navigation and a more modern experience.
We’ve transitioned the underlying shell to a responsive React-based framework, paving the way for future UI advancements and a more consistent design. This update streamlines how you interact with Nexus Repository, making key functions more easily accessible.
Notably, all of the main navigation is now located in a collapsible left-hand menu for better discoverability and screen utilization. The Administration or Settings panel, previously a top-navigation cog icon, is now a clearly labeled Settings option in the side navigation, retaining all its familiar sub-options.
Similarly, the Browse functionality, formerly a cube icon in the top navigation, is now directly accessible as a clearly labeled Browse option in the left-hand menu.
For more detailed information on the technical changes and specific updates, please refer to our User Interface Overview help documentation.
Hugging Face Support for Repository Firewall (Requires IQ 191)
Sonatype Firewall now extends its comprehensive component analysis to include artifacts from Hugging Face. This enhancement allows users to leverage Firewall's policy engine and vulnerability insights to govern the use of pre-trained models and other assets hosted on the Hugging Face Hub.
By integrating Hugging Face support, organizations can proactively identify and mitigate potential security risks and licensing issues associated with these widely used machine learning resources, ensuring a more secure AI/ML development lifecycle.
Hugging Face Support for Firewall for Artifactory Plugin (Plugin version 2.6.0)
The 2.6.0 release of the Firewall for Artifactory Plugin also provides Hugging Face support. See the Firewall for Artifactory Plugin help docs for details on this plugin.
Usage Center Support for High Availability (HA) Deployments
Administrators of High Availability (HA) deployments can now access the Nexus Repository Usage Center via the user interface. This enhancement brings visibility into your deployment's scale, helping you proactively review your deployment model to ensure continued performance and stability as usage evolves.
The Usage Center offers insights aligned with Sonatype's verified and tested architecture guidelines for Nexus Repository deployments. For full details, see our Usage Center help documentation.
Historical Usage Table Provides Insights into Month-to-Month Nexus Repository Usage
The Licensing section of the Sonatype Nexus Repository user interface now features a Usage tab under which you will find a new Historical Usage table. This table, available to both single-instance and high availability deployments, provides valuable insights into your instance's resource consumption over time by providing a monthly overview of key metrics to help you understand your Nexus Repository instance’s growth and activity.
The Historical Usage table displays critical data points such as the total number of unique components stored, month-over-month changes in component count, the total number of HTTP interactions with format-specific endpoints, month-over-month changes in requests, and the maximum storage space that your components use. This comprehensive view empowers administrators to monitor trends, plan for future capacity needs, and gain a deeper understanding of their Nexus Repository usage patterns.
For full details, see the License Management help documentation.
New LDAP to SAML User Token Migration Task
Sonatype Nexus Repository now includes a built-in task to facilitate migrating existing user tokens when transitioning from LDAP to SAML. While you can still use the scripts provided in our LDAP to SAML migration help documentation, this new task provides a more straightforward and simple method for carrying out this process.
For detailed instructions, see our LDAP to SAML migration help documentation.
Simplified Cleanup for S3 Blob Stores with Compact Blob Store Task and Retention Property
Sonatype Nexus Repository 3.80.0 introduces a significant change in how you manage cleanup/hard deletion for S3 blob stores.
With this release, we have removed the Expiration Days setting previously found in the S3 blob store configuration. Now, all S3 blob stores require an associated Admin - Compact blob store task to manage the permanent deletion of files. When creating this task, you can configure the new Blob Older Than property to specify a number of days to keep soft deleted files before they are permanently removed.
Note
When you upgrade your Nexus Repository instance to 3.80.0+, Nexus Repository will automatically create Admin - Compact blob store tasks for your existing S3 blob stores.
For full details, see the Hard Deletion section of the Cleanup Policies help documentation.
Improvements to High Availability Configurations for AWS Database Failover
For Sonatype Nexus Repository Pro High Availability (HA) deployments using AWS, we've made important improvements to our help documentation and configuration recommendations. These updates are designed to optimize recovery times for AWS environments. We encourage administrators to review the latest guidance. Please refer to the updated recommended PostgreSQL parameters for failover recovery and updated Java DNS caching in cloud environments documentation for specific configuration suggestions.
Upgrade Impacts for Those With Customized Jetty Configuration
In this release, we have renamed the logging framework module from nexus-pax-logging to nexus-logging. Customers who have customized their Jetty configuration files, particularly those involving logging configurations such as logback.xml, may need to update their references to the old package name. Failure to update these configurations may result in unexpected behavior or broken logging functionality.
Please review your custom logging configurations and update any instances of org.sonatype.nexus.pax.logging to the new org.sonatype.nexus.logging to ensure continued proper logging.
Bug Fixes
- NEXUS-46989: Improved AWS pre-signed URL help documentation to add information about the default expiry configuration of 5 minutes (300s) for pre-signed URLs and how it can be overridden using nexus.s3.preSignedUrl.duration.
- NEXUS-46748: Azure blob storage operations no longer fail with a "java.lang.IllegalArgumentException: Not blob attribute path" error.
- NEXUS-46691: Added enhanced logging to provide greater insight into the root cause of any discrepancies between the malware banner count and the malware CSV.
- NEXUS-46594: You can now tag more than 100 components in HA environments. This fix introduces pagination for associated and unassociated tags, aligning the functionality with non-HA setups.
- NEXUS-46553: Nexus Repository now checks the pg_extension table to determine if the extension is already present before attempting to create it, preventing permissions errors in Azure Postgres Flexible Server deployments.
- NEXUS-46435: Addressed an issue in which “.bytes” files in S3 blob stores were sometimes deleted before S3 “Expiration Days” were reached. See Simplified Cleanup for S3 Blob Stores above for details.
- NEXUS-46256: We’ve provided improved documentation and configuration recommendations for Sonatype Nexus Repository Pro HA deployments on AWS to improve failover recovery times. Please refer to the updated recommended PostgreSQL parameters for failover recovery and updated Java DNS caching in cloud environments documentation for specific configuration suggestions.
- NEXUS-46183: The asset search API now gracefully handles empty enum parameters passed in the URL.
- NEXUS-46177: When searching assets against a group repository, the download URLs now correctly include the group repository in the path.
- NEXUS-46164: In Nexus Repository HA, searching for a tag now returns only components with an exact match, resolving an issue where substring matches (e.g., searching for "tag-test" incorrectly included components tagged with "tag-test-1").
- NEXUS-46021: Maven builds should no longer intermittently fail when putting Maven metadata due to a "java.nio.file.NoSuchFileException" exception.
- NEXUS-45319: When using an Azure blob store, concurrent requests for the same component no longer result in errors. This fix introduces a new update method to manage the creation and updating of small blobs, preventing concurrent modification of properties and improving the reliability of blob handling.
- NEXUS-44535: The Nexus log file no longer displays NullPointerException errors related to the npm audit feature when running npm install. This fix addresses an issue where the system incorrectly handled null values for package versions during audit processing.
- NEXUS-40741: Components deleted by Cleanup Policies are now also removed from the IQ Repository Report. This fix ensures that the IQ report accurately reflects the repository's content after cleanup tasks have been executed.
- NEXUS-36198 & NEXUS-21752: Nexus Repository now sets Content-Security-Policy (CSP) headers for all requests, enhancing security by controlling the resources the browser is allowed to load. For user-submitted HTML/JavaScript content served inline, the "sandbox" value for CSP is applied to prevent stored cross-site scripting (XSS) attacks and restrict access to sensitive information like the repository application session cookie. Additionally, for requests submitted over HTTPS, a Strict-Transport-Security (HSTS) header is now included to enforce secure connections.
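The header behavior described in NEXUS-36198 & NEXUS-21752 can be checked from the client side after an upgrade. The following is an added example, not Sonatype code: the function names are hypothetical, the sample headers are constructed rather than captured from a Nexus Repository instance, and the extra check for a sandbox that combines allow-scripts with allow-same-origin is an assumption that goes beyond what the release note states.

```python
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def audit_response(headers, scheme, user_content):
    """List what is missing from one response's headers (empty list = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append("no Content-Security-Policy header")
    elif user_content:
        sandbox = parse_csp(h["content-security-policy"]).get("sandbox")
        if sandbox is None:
            findings.append("user content served without CSP sandbox")
        elif {"allow-scripts", "allow-same-origin"} <= {t.lower() for t in sandbox}:
            # Assumption: this combination keeps the origin and runs scripts.
            findings.append("sandbox re-enables scripts with same-origin access")
    # max-age=0 tells the browser to forget HSTS, so it counts as absent.
    if scheme == "https" and not hsts_max_age(h.get("strict-transport-security", "")):
        findings.append("no effective Strict-Transport-Security header")
    return findings


# Constructed sample responses (not captured from a Nexus Repository instance).
HARDENED = {"Content-Security-Policy": "sandbox allow-forms",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
NO_SANDBOX = {"content-security-policy": "default-src 'self'",
              "strict-transport-security": "max-age=0"}
LOOSE_SANDBOX = {"Content-Security-Policy": "sandbox allow-scripts allow-same-origin"}

if __name__ == "__main__":
    for label, hdrs, scheme in (("hardened", HARDENED, "https"),
                                ("no sandbox", NO_SANDBOX, "https"),
                                ("loose sandbox", LOOSE_SANDBOX, "http")):
        print(label, audit_response(hdrs, scheme, user_content=True))
```
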
Coming Soon to Sonatype Nexus Repository
We’re excited to share that the following enhancements will be coming soon to Sonatype Nexus Repository:
Upgrade to Jetty 12
Sonatype Nexus Repository is scheduled to upgrade to Jetty 12 in the 3.81.0 release. If your system uses a customized Jetty configuration, serves HTTPS through Nexus Repository, or has a customized request log, you should plan to update your configurations to ensure compatibility.
New Reconcile Task with Improved Performance
A new task will replace the older Repair - Reconcile component database from blob store task, delivering a more reliable and efficient reconciliation process. The new, better performing task syncs the Nexus database and blob stores more quickly and accurately, ensuring data stays in perfect alignment. For added flexibility, users will also be able to customize the reconciliation period to suit their specific needs.