Skip to main content

2024 Release Notes

This page contains a list of 2024 Sonatype Nexus Repository releases, links to each release's release notes, and a brief list of major changes per release.

Summary of Major Changes in 2024

The following table lists major changes in 2024 that should be considered when upgrading to a new version. Select a release for more information.


Release Date

Major Changes


June 4, 2024

  • Java 17 Support for Deployments Using H2 or PostgreSQL Databases

  • Configure User Token Expiration (Pro Only)

  • SAML Integration Improvements

    • Optionally specify a user realm source when deleting a user via the Users API

    • Delete cached authenticated SAML user records via user administration section in the Sonatype Nexus Repository user interface

    • If a user’s IdP field mappings change, Nexus Repository now automatically updates the user’s profile to show the new values

  • Created Repair - Recalculate blob store storage task that can be run if blob store blob count and total size display incorrect information

  • Added a property to that users may configure in order to reduce overly verbose audit logging for NuGet v2 on deployments using PostgreSQL. To turn off attributes logging, add the following to nexus.audit.attribute.changes.enabled=true.

  • Dependency Updates

    • org.bouncycastle : bcprov-jdk15to18 upgraded from 1.75 to 1.78.1

3.68.0 - 3.68.1

May 16, 2024 (3.68.1)

May 7, 2024 (3.68.0)


Critical Vulnerability Fix for All Sonatype Nexus Repository Deployments

Sonatype Nexus Repository 3.68.1 fixes a critical vulnerability impacting all Sonatype Nexus Repository 3 deployments. This vulnerability can allow a specially crafted URL to return any file as a download, including system files outside of Nexus Repository application scope. See our CVE-2024-4956 KB article for full details.


  • View Repository Size from Repository Management Screen and API

  • Uploading to Raw Repository with API Generates SHA256 and SHA512 Checksums

  • Use Wildcards When Filtering Privileges and Roles

  • View Rebuild Repository Browse Task Progress in User Interface

  • Sunsetting of Legacy High Availability Clustering - As Nexus Repository will not start for any deployments that use legacy HA-C, ensure you have migrated off of legacy HA-C before upgrading to version 3.68.0 or beyond

  • Dependency Updates:

    • Updated axios from 0.21.4 to 0.27.2

    • Updated jackson2 from 2.15.3 to 2.17.0

3.67.0 - 3.67.1

April 10, 2024 (3.67.1)

April 2, 2024 (3.67.0)

  • 3.67.1

    • Fixed a bug impacting those who upgraded to 3.67.0 and then modified previously existing Docker or Maven cleanup policies that were configured to retain select recent versions (a PostgreSQL-only feature introduced in 3.65.0)

    • Fixed a bug preventing Docker subdomain routing from functioning

  • 3.67.0

    • Support for Java 11 (Note that separate binaries are available for deployments using Java 8 or Java 11)

    • Updated Groovy dependency from 2.4.17 to 3.0.19

    • Updated PostgreSQL database driver from 42.6.0 to 42.7.2


March 5, 2024

  • Usage alerts for deployments using embedded databases

  • Visual progress tracking for Repair - Rebuild repository browse task

  • Change to roles UI so that applied privileges and roles are in single columns and do not use a list transfer module

  • Dependency updates:

    • org.jboss.resteasy : resteasy-multipart-provider : 3.15.3.Final upgraded to 3.15.6.Final

    • AWS SDK dependencies from 1.12.299 to 1.12.658


February 6, 2024

  • Improved cleanup performance with SQL-based cleanup for deployments using a PostgreSQL database

  • Retain recent versions when using cleanup policies for Maven or Docker for deployments using a PostgreSQL database

  • Change repository blob store task supports group repositories for those using a PostgreSQL database


    Note that we made many improvements to component search in high availability (HA) environments in this release to make searching and tagging more precise. Due to these changes, the same search query should now return fewer but more precise results.

    For example, a keyword search for "nexus-core" in a database comprising "nexus-core, nexus-main-core, nexus-snapshot" would now only return the first two items whereas, previously, it would return all three.

    Please keep this behavior change in mind when looking at your previously configured search and tagging queries. The bug fixes listed below further explain some changes that we've made. Please also see the HA search differences documentation for full details about how HA search differs from non-HA search.


January 9, 2024

Note: Pre-release binaries for version 3.64.0 were inadvertently made available on some download links pulling the latest Sonatype Nexus Repository version. We then discovered a bug in the 3.64.0-03 binaries causing authentication errors for some SAML implementations. We fixed this bug and have released new binaries.

Please ensure you are using the 3.64.0-04 binaries to get all fixes in this release

  • logback-classic and logback-core updated to 1.2.13

  • upgraded jackson version from 2.15.0 to 2.15.3

  • upgraded snakeyaml version from 2.0 to 2.2

  • upgraded swagger version from 1.6.2 to 1.6.11

  • Multiple bug fixes