
2019 Release Notes

Repository Manager 3.20.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.20.1. The issues fixed in this release can be found below.

Potential startup failure due to race condition loading product license in 3.20.0


An error may occur when starting NXRM Pro due to race condition around the license loading.

OCommandExecutionException thrown during upgrade


During the upgrade process from older releases (3.19.0 and before), NXRM may throw an exception when updating PyPI database configuration.

Repository Manager 3.20.0


A bug, NEXUS-22241, affects upgrading your instance from 3.19.0 and earlier. You can either upgrade to 3.19.1 first or upgrade directly to 3.20.1+.


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.20.0. A summary of the highlights in this release is shown below.

New and Noteworthy

jetty-http-redirect-to-https.xml removed and its use discouraged


Following security best practices, the example configuration file that redirects inbound HTTP requests to HTTPS requests has been removed from the distribution. Startup will fail if your configuration references the file and it cannot be found.

Should it still be needed, instructions for adding it back are available.

Ability to Clean Up by "Never downloaded"


In past versions of cleanup, you could clean up by Last Downloaded, but components with no download date would be ignored. This new function lets Cleanup include items that have never been downloaded; in this case, the uploaded date is checked instead. In addition to the ticket, see the Cleanup Policies documentation for more information.

R Format Support


Nexus Repository Manager now provides native support for R repositories. R is a language used for statistical analysis and machine learning.

Yum and CentOS 8


Since the last NXRM release, CentOS 8 was released and it was found that NXRM did not function correctly with it. Full support is now added.

Enhanced npm login for private repository usages


Added support for "npm login" bearer token authentication to proxied upstream npm private repositories.

npm whoami support


Added support for "npm whoami".

npm package metadata does not return correct status code sometimes


Conditional request handling added to npm group repositories to prevent errant 200 status codes from showing as 304s.

HSTS enabled by default for Inbound Jetty HTTPS connectors


Following security best practices, HSTS is now enabled by default if Jetty-based HTTPS connectors (jetty-https.xml) are used.

An article has been published which describes how to enable it in older versions, where the configuration to disable it is located, and how to modify the behavior.

General Improvements

Blobstore, UI

  • [NEXUS-19811] Offline and misconfigured blob store should be noted in UI


  • [NEXUS-21368] Proxy repository removes get-params from HTTP sources

Content Selectors, UI

  • [NEXUS-22144] Slow performance displaying content selectors in UI


  • [NEXUS-21306] Cannot proxy Docker repository on Bintray

Docker, Scheduled Tasks

  • [NEXUS-21315] Extremely slow processing in "Docker - Delete unused manifests and images" task


  • [NEXUS-21672] Group repo with proxy repo member to remote group repo responds 404 when remote group repo responds "403 Requested item is quarantined"


  • [NEXUS-18117] PyPI ignoring python_requires metadata

  • [NEXUS-20705] Index can contain absolute URLs which bypass Nexus Repository Manager

Repository Health Check

  • [NEXUS-21589] Repository health check can fail if the same asset exists in more than one repository


  • [NEXUS-14233] Support managing Realms via the REST API

Scheduled Tasks, Maven

  • [NEXUS-21138] Snapshot remover leaves maven-metadata.xml files deleted for a long time, breaking builds


  • [NEXUS-12488] Remote https repository with TLS client certificate loaded in NXRM JVM keystore not trusted

Support Tools, UI

  • [NEXUS-20140] 500 Server Error shown in Chrome console when accessing Support Status page

Repository Manager 3.19.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.19.1. The issue fixed in this release can be found below.



Prevent Docker Proxy Repository throwing null pointer exceptions and blocking some image pulls after upgrade.

Repository Manager 3.19.0


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.19.0. A summary of the highlights in this release is shown below.

New and Noteworthy

CocoaPods Format Support


Nexus Repository Manager now provides native support for CocoaPods proxy repositories. Developers using Swift and Objective-C languages will now have easy access to pods and podspecs while gaining several advantages of proxy support.

Conda Format Support


Nexus Repository Manager now provides native support for Conda proxy repositories. Those using Python, R, Ruby, Lua, Scala, Java, JavaScript, C/C++ and many more languages can now set up proxy repositories for Conda packages.

We are continuously getting feedback from developers and are excited to continue the rapid growth of native support for our official repository formats.

npm dist-tag


New abilities for adding and removing "distribution tags" into npm metadata via the npm CLI. As one of our top requested improvements to Nexus Repository Manager, we are excited to continue our support for npm developers.

S3 Performance Improvements


Higher performance S3 storage ability for Nexus Repository Manager deployments in AWS. This batch of work improves performance with enhanced support for encrypted S3 buckets, use of custom encryption keys, simplified permission testing, and essential improvements to storage space metrics.

Docker Windows Image Support


Added support for Docker Foreign Layers. Nexus Repository Manager users can now proxy docker images with foreign layers when pulling Microsoft Windows images.

REST API Improvements

NEXUS-19144, NEXUS-19142, NEXUS-19143, NEXUS-19145, NEXUS-19146, NEXUS-16734

Enhanced REST API endpoints for initial provisioning and maintenance of Nexus Repository Manager. Users will also benefit from new improvements to endpoints for local and external roles and permissions, privileges, and content selectors.

Go Format Data Integration


Users who also have access to Nexus Lifecycle can view Go component details in the Component IQ tab. Delivering advanced component information through Nexus Intelligence, details for Go components include information on policy violations, license issues, and security vulnerabilities that are known for a specific component.

Multi-policy Cleanup


NXRM admins can now make use of regular expressions to clean up a given repository by team and/or project. The ability to apply multiple cleanup policies for an individual repository can even be used for longer retention of a certain set of artifacts.

General Improvements


  • [NEXUS-10679] NPM repos don't handle HEAD requests


  • [NEXUS-19102] Unable to proxy private Azure (ACR) registry

Repository Manager 3.18.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.18.1. The issues fixed in this release can be found below.

User Interface


Fixed an exception occurring when a user manually logs out of the user interface.



Propagates the quarantine status code when NXRM proxies another NXRM with Firewall enabled.

Repository Manager 3.18.0


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.18.0. A summary of the highlights in this release is shown below.


Note: the permission model for browsing has been changed to behave similarly to NXRM2, see NEXUS-20453 for details.


Our Docker image was updated to use Red Hat Universal Base Image (UBI). This can have an impact on outbound SSL connections, see here for details: Sonatype Docker image security cryptographic standards may affect outbound TLS connections.



Fixes two cross-site scripting (XSS) vulnerabilities.

Browse Performance


Improves browse performance particularly when the user has a large number of content selectors.


The table that drives the repository browse tree will be rebuilt after upgrading to version 3.18.0. This will make the UI appear empty for a short period of time.

Database Backup & Upgrade Speed

NEXUS-20100, NEXUS-20104

Optimized compression level and buffer size defaults of Orient database backups, resulting in faster upgrade speeds.

Default Memory Configuration


Increased the default maximum heap and direct memory sizes for Nexus Repository Manager 3. Users will now receive increased sizing profiles and enhanced performance without having to manually change default configurations with new version upgrades.

Repository Manager 3.17.0


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.17.0. A summary of the highlights in this release is shown below.


You will find that the default password for the admin user is now randomly generated on startup of a new NXRM instance.


The contents of the $install-dir/etc/fabric/hazelcast-network-default.xml file have changed - you must update your own $data-dir/etc/fabric/hazelcast-network.xml to include the new section.

Also, if you're using HA-C TCP/IP discovery an additional configuration property is needed in $data-dir/etc/ See the HA TCP/IP Discovery documentation for details.

New and Noteworthy

Routing Rules

For users with strict security controls we've added a feature we've called Routing Rules which can be used to prevent requests from being sent to external proxy repositories. This can for example allow users to block requests containing codenames from leaking to external repositories.

Apt Format Support

As part of our widespread format support we've begun to move one of the plugins from our great community members which supports the apt format into the core product. (Limited to single nodes in this release.)

Go Format Support

Supporting the burgeoning Go community we've added native support for go repositories. (Limited to single nodes in this release.)

Beta Provisioning REST API

We've continued to add to our REST API with new endpoints to support operations on users, and user tokens. In this release they are flagged as beta, please take a look at our API documentation in the administration part of the user interface and submit feedback.

Setup Wizard

New instances as well as instances which have not changed anonymous configuration will prompt administrators upon logging in to confirm that anonymous users should be allowed to access the system. Similarly if the admin user is using the default password then upon logging in they will be required to change the password.

Removed Recent Connections Accesslog Database

The "accesslog" database which tracks recent unique connections has been removed, along with the Recent Connections section of the administration interface. This removal in no way impacts the request.log text file.

Reduced Logging for Missing Task Listeners


Unnecessary logging of missing task listeners has been reduced.

Repository Manager 3.16.2


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.16.2.


The only fix in this release is for users of high availability.

Log entries for errors of "Task Already Running"


Users of high availability may encounter logged errors that a task failed to start as it was already running.

Repository Manager 3.16.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.16.1. The resolved issues are shown below.

License installation


After installing a license (only when switching from OSS to PRO; installing a license in an existing PRO instance is not affected), the application doesn't start.

Application Upgrade


Upgrading to 3.16.0 PRO can fail when usertoken database contains entries with duplicate (case-insensitive) usernames

Repository Manager 3.16.0



A bug which affects installing a license and moving from Nexus Repository OSS to Nexus Repository Pro has been discovered in version 3.16.0. This issue does not affect existing Nexus Repository Pro installations which are being upgraded to version 3.16.0 and has been fixed in 3.16.1.

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.16.0. A summary of the highlights in this release is shown below.

New and Noteworthy

REST Node Status Endpoint


If you are running a cluster, or otherwise monitoring node health, you need a simple check to determine if your node should receive requests. To meet that need, we have added a new REST endpoint, /v1/status/writable. This endpoint returns a 200 status code when the node is ready to process requests. It's perfect for integration with load balancers to remove a node from the active set when it becomes unhealthy and return it after the node has been recovered. See the documentation Status API for more.

Support Zip Improvements


Getting all of the necessary support zips can be arduous in a HA-C environment. Administrators no longer have to access each node to generate support zips. Generating support zips will have the option to generate them on all nodes instead, and the pop-up window will have a tab per node.

Previously, gathering support zips was a GUI-driven process. So administrators could not use scripts to automate gathering support zips. The new REST endpoint, /v1/support/supportzip, gives programmatic access to support zips.

HA-C topologies have whole new classes of metrics that are beneficial to gain insight into your cluster. A new log file, nexus_cluster.log, has been added to contain them. This log contains information about the cluster's health, such as internode latency and replication queue depth. Support zips will include this log to make introspection on the history of cluster health easier.

Additional System Status Checks for Professional HA Clusters

NEXUS-18776, NEXUS-19313, NEXUS-18181

System Status Checks are a great way for components of NXRM to report vital information to administrators. To that end, the checks have been added to the banner. In normal operation, every check is passing and administrators will see a green checkmark. However, if at least one status check is failing then the header will have a red exclamation point.

Three new status checks were added specifically targeting high availability health.

  • Cluster Size is a new status check that ensures that your cluster has 3 nodes. If a cluster is missing a node, it can still respond to requests and save new components, but it is at risk of losing one more node and becoming inoperable.

  • Transactions status check monitors an instance for any transaction with excessive retries in the last hour. Excess transactions can indicate things like heavy cluster load, inter-node network issues, or something more malignant.

  • Lifecycle Phase is a status check that verifies that the node is running the proper lifecycle phase. Running in the wrong phase can occur due to startup issues, improper use of the lifecycle API, etc.

Lifecycle API


When a node becomes unhealthy, we now have a REST API to control the lifecycle phase of an NXRM node. A lifecycle phase is a step in the start up process used to group similar components and ensure that their dependencies are started before them. The REST API documentation has more information.

Maintenance API


The Maintenance API helps NXRM administrators understand their databases' status and recover from some error cases. Each endpoint can optionally take a node ID that determines on which node the request is executed. See the REST API documentation for more insights.

REST Search Improvements


REST search now supports sorting results, as well as filtering prerelease components, allowing the search and download endpoint to return the latest version of an asset.

Update packaged JRE in installers to OpenJDK


Mac and Windows installers now include the Zulu OpenJDK 8 JRE.

Improve stability of using HA-C with Nexus Firewall


Using Nexus Repository Manager in HA-C with Nexus Firewall could cause the cluster to have numerous concurrent modification exceptions. There were a number of changes made to both reduce the frequency of conflicts and more robustly handle them when they do occur.

Bower Resolver Updated

In addition to 3.16.0, we have also updated the bower resolver dependencies to the latest and most secure versions. We strongly recommend that any users using bower update their bower resolver to the latest.

Metrics Timers Identifiers Have Changed

Some customers may be parsing the /service/metrics/data REST resource or utilizing the info/metrics.json file in support zips. This release updates our metrics library, which has changed the names of timers to include the suffix '.timer'. For example:

Old timer:

New timer:

The "version" field of the metrics file reflects this change, revving the version from 3.0.0 to 4.0.0.
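A consumer that parses the metrics output can key off the "version" field to accept both naming schemes. The following Python is an added example, not Sonatype code; the top-level "timers" object and the timer name in the samples are assumptions, constructed for illustration.

```python
import json

TIMER_SUFFIX = ".timer"

# Constructed samples: the timer name and values are invented for illustration,
# and the top-level "timers" object is an assumed layout of the metrics file.
SAMPLE_V3 = '{"version": "3.0.0", "timers": {"example.Handler.requests": {"count": 12}}}'
SAMPLE_V4 = '{"version": "4.0.0", "timers": {"example.Handler.requests.timer": {"count": 12}}}'


def major_version(metrics):
    """Parse the major number from the metrics "version" field."""
    version = metrics.get("version")
    if not isinstance(version, str) or not version.split(".")[0].isdigit():
        raise ValueError(f"unrecognised metrics version: {version!r}")
    return int(version.split(".")[0])


def timers_by_legacy_name(metrics):
    """Return timers keyed by their pre-4.0.0 names, whatever the file version."""
    strip = major_version(metrics) >= 4
    result = {}
    for name, data in metrics.get("timers", {}).items():
        key = name
        if strip and name.endswith(TIMER_SUFFIX):
            key = name[: -len(TIMER_SUFFIX)]
        if key in result:
            # Two timers mapping to one name would silently hide data.
            raise ValueError(f"timer name collision after normalisation: {key}")
        result[key] = data
    return result


def missing_timers(metrics, expected):
    """List expected (legacy-named) timers that the file does not expose."""
    present = timers_by_legacy_name(metrics)
    return sorted(name for name in expected if name not in present)


if __name__ == "__main__":
    for raw in (SAMPLE_V3, SAMPLE_V4):
        doc = json.loads(raw)
        print(doc["version"], timers_by_legacy_name(doc))
```

Running `missing_timers` against the timers a dashboard or alert depends on shows, after an upgrade, which of them stopped resolving because of the rename.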

Audit Database Replaced With Log File


The audit database at $data-dir/db/audit is no longer in use and is replaced with audit log files written and archived in $data-dir/log/audit. Administrators may remove the audit database files from disk at their own discretion.

General Improvements

Content Selectors

  • [NEXUS-18509] Make JEXL and CSEL behave the same for expressions without a leading slash

Content Selectors, Scripting, Upgrade

  • [NEXUS-17850] API does not validate contents of content selectors. Invalid content selectors can lead to failed upgrade.

Database, Scheduled Tasks

  • [NEXUS-18983] If NXRM is read-only or lacks quorum, then run now triggers make startup fail.


  • [NEXUS-18816] Slow delete performance when using REST API


  • [NEXUS-19125] Docker pull from results in 403

HA, Repository

  • [NEXUS-19229] LastDownloadedHandler conflicts in HA can cause long-running retries/rollbacks

LDAP, User Token, Upgrade

  • [NEXUS-13639] User tokens not migrated if LDAP user ID case does not match login case

LDAP, Tree View, Logging

  • [NEXUS-17616] On browse w/ LDAP, if no perms, a bunch of warns are fired

Cleanup, Logging

  • [NEXUS-18731] specifics about what is deleted by cleanup policies is not logged

Proxy Repository, Logging

  • [NEXUS-17502] Content validation message does not log which repository the invalid content is coming from


  • [NEXUS-16853] Enhance content validation for maven-metadata.xml files

Maven, Scheduled Tasks

  • [NEXUS-19034] NPE on "Purge unused snapshots" task


  • [NEXUS-17908] Tag association may intermittently fail for new artifact

Security, Upgrade

  • [NEXUS-12222] NXRM2 repository view privileges are not migrated to NXRM3 browse privileges during upgrade


  • [NEXUS-18774] allow scoped NPM package name parts that start with '.' or '_'

  • [NEXUS-17896] concurrent requests for large npm metadata can lead to OutOfMemory during serialization performance


  • [NEXUS-19121] Delete of component or asset from PyPi proxy repository fails

Repository, UI

  • [NEXUS-19118] Clicking on the links in a repository for component/asset browse gives a 404

Repository Health Check

  • [NEXUS-18950] "Download trend' disabled text misleading


  • [NEXUS-14407] REST Search & Download by 'Latest'


  • [NEXUS-19085] staging promotion move of more than 500 components may fail with IllegalStateException Unable to find component by id performance


  • [NEXUS-13057] "Uncaught TypeError" UI errors

  • [NEXUS-19051] Edge and Internet Explorer errors in the user interface

  • [NEXUS-12253] Order by version incorrect

Upload UI

  • [NEXUS-18277] UI upload creates temporary files in


  • [NEXUS-16057] Add UI upload for Yum

  • [NEXUS-17884] upload of source rpm fails in yum hosted

  • [NEXUS-17920] Deleting an rpm via DELETE to /repository does not update metadata

Repository Manager 3.15.2


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.15.2. A summary of the highlights in this release is shown below.

Search Hotfix


Fix search filtering using repository query parameter, when group repository is entered (REST and UI).

Docker image


Our official Docker image switches to OpenJDK as our recommended Java Runtime Environment. It's worth checking whether the difference has an impact on your deployment (e.g., it contains a different system trust store that may affect your SSL connections).

Repository Manager 3.15.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.15.1. A summary of the highlights in this release is shown below.

NPM Hotfix


Fix anti-cross-site request forgery token mismatch blocking valid npm client publish and login.

Repository Manager 3.15.0


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.15.0. A summary of the highlights in this release is shown below.

We have found an issue in this release that affects NPM users, as well as REST search filtering by repository group names. We recommend NPM and/or REST search users upgrade immediately to 3.15.2-01 or newer.

New and Noteworthy

Beta REST API Endpoints Removed

The Nexus Repo REST API moved from beta to release status in the 3.13.10 release. The old /service/rest/beta endpoints were kept for compatibility in the 3.13.0 and 3.14.0 releases, but they have now been removed (NEXUS-18562). Update any scripts that use /service/rest/beta endpoints to use the new /service/rest/v1 endpoints.

Dynamic Storage

For our Professional licensed customers, we added a new level of flexibility for administrators when planning and updating their blob stores. Multiple blob stores can be combined into a Blob Store Group. These groups allow an individual repository to use storage across multiple locations and devices. Member blob stores can be added or removed from a group to ease the burden of migrations. Also added Fill Policies which give administrators more control and insight into how components are being stored.

For all our users (OSS and PRO) we have added Soft Quota, which allows you to receive a warning when your blobstore has reached a configured metric.

OpenJDK 8 Runtime


Users have been reporting OpenJDK has worked fine as the JVM for repository manager 3. As of 3.15.0, we now run our full test suite using a compliant Java SE standard distribution of OpenJDK 8. In light of the Oracle licensing changes to their Oracle JDK distributions, you can now be sure repository manager is fully tested against the standard.

UI Upload left files in temporary directory after upload was complete


This bug would cause temp files to be left behind when the UI Upload feature was used. This could cause eventual disk space issues that would not be cleaned up by the standard NXRM cleanup tasks. This ticket fixes the issue going forward but does not assume to delete anything from the file system. If you utilize Upload UI frequently, we recommend checking the temp directory to see if you can get some disk space back.

Use HTTPS for outreach Base URL


In order to promote security, we changed our Welcome Outreach capability to use HTTPS instead of HTTP.

Analytics plugin deprecated

Due to complications, the Analytics plugin and respective pages within the application have been removed from the system. If it is restored, we will have a new feature release note.

General Improvements


  • [NEXUS-18252] Repository manager will not start on blobstore problems or errors


  • [NEXUS-15095] MissingBlobException can occur when publishing Maven index

  • [NEXUS-18196] ArrayIndexOutOfBoundsException when uploading large POM


  • [NEXUS-12684] HEAD request to /v2/<name>/manifests/<reference> results in 404 error

  • [NEXUS-18263] Docker proxy repositories configured with a remote URL including extra path info will not proxy correctly

  • [NEXUS-18353] Can't proxy older Docker images


  • [NEXUS-18100] LDAP UI does not reflect configuration

  • [NEXUS-13626] Made Privileges box wider so Privileges fit

  • [NEXUS-7996] Changing dropdown does not show users list until refresh


  • [NEXUS-18564] Delete orphaned API keys task run before any other HTTP activity can stop some LDAP operations

RubyGems, Upgrade

  • [NEXUS-16964] Upgrade from 2.14.8 to 3.10.0 may prevent download of rubygems hosted repository gems


  • [NEXUS-17501] Caching of NuGet metadata causes thread serialization, query slowdowns under load performance


  • [NEXUS-14465] PyPI hosted repository does not send etag header

  • [NEXUS-17903] PyCharm does not work with PyPI repository

  • [NEXUS-18187] PyPI proxy of does not work

  • [NEXUS-16401] PyPi hosted repository packages can only be searched by pep-0503 normalized name


  • [NEXUS-18345] Running a "/search/assets" REST API call with just a "repository" query parameter does not give full results

Scheduled Tasks

  • [NEXUS-12828] Submitting more than 20 tasks at once causes ERROR for some tasks

Content Selectors, Tree View

  • [NEXUS-15085] Tree View is slow when there are large numbers of content selector privileges

Tree View

  • [NEXUS-16384] Maven SNAPSHOT timestamp versioned files are not direct children to the base snapshot version in tree or html view

  • [NEXUS-14682] Support deleting all assets under entire selected tree nodes

  • [NEXUS-15179] Deleting last pom leaves folder shell


  • [NEXUS-18119] New role not available for use until role page revisited

  • [NEXUS-12100] Delete button on component and asset is active even without permission to do so

Upload UI

  • [NEXUS-18276] UI upload leaves files in temporary directory after upload is complete

  • [NEXUS-18494] UI upload fails if it takes more than 60 seconds


  • [NEXUS-18299] JsonSyntaxException attempting to create Webhook capability


  • [NEXUS-18261] Hosted yum metadata not rebuilding due to parsing issues in the path being queried

Search, Tree View

  • [NEXUS-18617] Disable asset download count feature in all new/upgraded installations

S3, Blobstore

  • [NEXUS-18631] Allow multipart copy for AWS S3 blob storage