2024 Release Notes

This page contains a list of 2024 Sonatype Nexus Repository releases, links to each release's release notes, and a brief list of major changes per release.

Summary of Major Changes in 2024

The following table lists major changes in 2024 that should be considered when upgrading to a new version. Select a release for more information.

Release | Release Date | Major Changes

3.75.0 - 3.75.1

December 5, 2024 (3.75.1)

December 3, 2024 (3.75.0)

3.75.1

  • Fixed an issue that caused some anonymous Docker pull requests to unexpectedly fail in instances using a reverse proxy.

3.75.0

  • Support for proxy PHP/Composer repositories (Pro Only)

  • Support for Cloud Key Management Service Integration with Google Blob Store

  • Dismiss the Malware Risk Banner During Your Session

3.74.0

November 5, 2024

  • Google Cloud Platform (GCP) Support for HA and Resilient Deployments (Pro only)

  • GCP Blob Store Support (Pro only)

  • Automatic License Distribution in HA Environments (Pro only)

  • Custom Region List for AWS Blob Stores

  • S3 Replication Bucket Support for S3 Failover

  • Support for External Secrets Operator for HA Deployments (Pro only)

  • Improved Search for Conan Format

3.73.0

October 10, 2024

Common Vulnerabilities and Exposures Fix

Sonatype Nexus Repository 3.73.0 introduces a re-encryption feature to mitigate CVE-2024-5764. This feature allows administrators to change the encryption key used to protect passwords and other confidential information. Read more below.

Note

For a limited set of users, upgrading to Sonatype Nexus Repository 3.73.0 may fail due to javax.crypto.IllegalBlockSizeException: last block incomplete in decryption during the process of secret encryption introduced in this version. See this support article for troubleshooting help.

  • Native Rust / Cargo support for Nexus Repository Pro

  • Re-encryption for sensitive data

  • Malware warning banner

  • Dependency changes as follows:

    • Upgraded pax-url-aether from 2.6.7 to 2.6.12

    • Upgraded protobuf-java from 3.25.3 to 3.25.5

    • Upgraded keycloak-saml-* and keycloak-admin-client from 12.0.3 to 18.0.2

3.72.0

September 4, 2024

  • Upgrade to 3.72.0 with Zero Downtime (Rolling Upgrades) in High Availability (HA) environments

  • View Published and Last Downloaded dates in Cleanup Preview CSV (PostgreSQL Only)

  • Configurable database refetch limit for search in HA deployments

  • Upcoming changes to minimum PostgreSQL version: beginning in November 2024, Nexus Repository deployments using PostgreSQL will require PostgreSQL version 14 or newer.

3.71.0

August 8, 2024

Note

Release 3.71.0 includes multiple breaking changes; 3.71.0 and beyond do not support OrientDB, Java 8, or Java 11. Carefully read both the release notes as well as our help documentation on upgrading to 3.71.0 and beyond before upgrading to this release.

  • H2 is now the default database for new installations, including OSS installations

  • Java 8 and 11 in Extended Maintenance

  • OrientDB in Extended Maintenance

  • Zero Downtime Upgrades for HA deployments (3.72.0 is the first version to which HA deployments can upgrade without downtime)

  • OCI Specification Support for Docker

  • Manage HTTP Configuration via API

  • Additional Audit Logging

3.70.0 - 3.70.3

October 10, 2024 (3.70.3)

September 3, 2024 (3.70.2)

July 10, 2024 (3.70.1)

July 9, 2024 (3.70.0)

Important

The Nexus Repository 3.70.x line is the last release line to support OrientDB. If you must remain on OrientDB, you will need to remain on our 3.70.x release line until you can migrate to H2 or PostgreSQL.

This marks OrientDB's transition to Extended Maintenance as defined in our sunsetting documentation.

There is no official sunset date for OrientDB at this time.

3.70.3

  • Switched the order of staging delete and move operations to avoid a concurrency issue

  • Resolved an issue that was preventing the option to retain a select number of previous versions when running cleanup from working as expected

  • Dependency changes:

    • Upgraded protobuf-java from 1.36.0 to 3.25.5

    • Upgraded pax-url-aether from 2.6.7 to 2.6.12

3.70.2

Sonatype Nexus Repository 3.70.2 fixes a Database Migrator issue that caused some customers to see duplicate key errors after migrating from OrientDB to H2.

This release also upgrades axios back to 1.6.4.

3.70.1

Sonatype Nexus Repository 3.70.1 fixes an issue impacting deployments where the UI is not functional when using a custom context path for the instance. This issue is only in the UI and not when making requests for components.

This release also downgrades axios to 0.27.2 to resolve the above issue.

3.70.0

Tip

Required Action Before Upgrading

If you are using an H2 database, you must use the Admin - Export SQL database to script task (released in 3.69.0) to create a SQL script export of your H2 database before upgrading to Nexus Repository 3.70.0. This means you must upgrade to 3.69.0 before upgrading to 3.70.0.

  • Upgraded H2 Database to Version 2.2.244 (Pro Only)

  • Create and Manage Cleanup Policies via New REST API (Pro Only)

  • Create and Manage Tasks via API (Pro Only)

  • Retrieve and Set IQ Audit and Quarantine Statuses via API (Pro Only)

  • New Database Migrator Flow

  • OrientDB, Java 8, and Java 11 Enter Extended Maintenance

  • Dependency Upgrades

    • commons-io upgraded to 2.15.0

    • org.apache.commons: commons-compress upgraded to 1.26.1

    • com.h2database : h2 upgraded to 2.2.224

    • axios upgraded to 1.6.4

3.69.0

June 4, 2024

  • Java 17 Support for Deployments Using H2 or PostgreSQL Databases

  • Configure User Token Expiration (Pro Only)

  • SAML Integration Improvements

    • Optionally specify a user realm source when deleting a user via the Users API

    • Delete cached authenticated SAML user records via user administration section in the Sonatype Nexus Repository user interface

    • If a user’s IdP field mappings change, Nexus Repository now automatically updates the user’s profile to show the new values

  • Created Repair - Recalculate blob store storage task that can be run if blob store blob count and total size display incorrect information

  • Added a property to nexus.properties that users may configure in order to reduce overly verbose audit logging for NuGet v2 on deployments using PostgreSQL. To turn off attributes logging, add the following to nexus.properties: nexus.audit.attribute.changes.enabled=true.

  • Dependency Updates

    • org.bouncycastle : bcprov-jdk15to18 upgraded from 1.75 to 1.78.1

3.68.0 - 3.68.1

May 16, 2024 (3.68.1)

May 7, 2024 (3.68.0)

3.68.1

Critical Vulnerability Fix for All Sonatype Nexus Repository Deployments

Sonatype Nexus Repository 3.68.1 fixes a critical vulnerability impacting all Sonatype Nexus Repository 3 deployments. This vulnerability can allow a specially crafted URL to return any file as a download, including system files outside of Nexus Repository application scope. See our CVE-2024-4956 KB article for full details.

3.68.0

Note

Note that both H2 and PostgreSQL are currently only available to Pro customers. We expect to announce a new database option for OSS customers and will provide detailed migration paths in our August 2024 release.

  • View Repository Size from Repository Management Screen and API

  • Uploading to Raw Repository with API Generates SHA256 and SHA512 Checksums

  • Use Wildcards When Filtering Privileges and Roles

  • View Rebuild Repository Browse Task Progress in User Interface

  • Sunsetting of Legacy High Availability Clustering - As Nexus Repository will not start for any deployments that use legacy HA-C, ensure you have migrated off of legacy HA-C before upgrading to version 3.68.0 or beyond

  • Dependency Updates:

    • Updated axios from 0.21.4 to 0.27.2

    • Updated jackson2 from 2.15.3 to 2.17.0

3.67.0 - 3.67.1

April 10, 2024 (3.67.1)

April 2, 2024 (3.67.0)

  • 3.67.1

    • Fixed a bug impacting those who upgraded to 3.67.0 and then modified previously existing Docker or Maven cleanup policies that were configured to retain select recent versions (a PostgreSQL-only feature introduced in 3.65.0)

    • Fixed a bug preventing Docker subdomain routing from functioning

  • 3.67.0

    • Support for Java 11 (Note that separate binaries are available for deployments using Java 8 or Java 11)

    • Updated Groovy dependency from 2.4.17 to 3.0.19

    • Updated PostgreSQL database driver from 42.6.0 to 42.7.2

3.66.0

March 5, 2024

  • Usage alerts for deployments using embedded databases

  • Visual progress tracking for Repair - Rebuild repository browse task

  • Change to roles UI so that applied privileges and roles are in single columns and do not use a list transfer module

  • Dependency updates:

    • org.jboss.resteasy : resteasy-multipart-provider : 3.15.3.Final upgraded to 3.15.6.Final

    • AWS SDK dependencies from 1.12.299 to 1.12.658

3.65.0

February 6, 2024

  • Improved cleanup performance with SQL-based cleanup for deployments using a PostgreSQL database

  • Retain recent versions when using cleanup policies for Maven or Docker for deployments using a PostgreSQL database

  • Change repository blob store task supports group repositories for those using a PostgreSQL database

    Note

    Note that we made many improvements to component search in high availability (HA) environments in this release to make searching and tagging more precise. Due to these changes, the same search query should now return fewer but more precise results.

    For example, a keyword search for "nexus-core" in a database comprising "nexus-core, nexus-main-core, nexus-snapshot" would now only return the first two items whereas, previously, it would return all three.

    Please keep this behavior change in mind when looking at your previously configured search and tagging queries. The bug fixes listed below further explain some changes that we've made. Please also see the HA search differences documentation for full details about how HA search differs from non-HA search.

3.64.0

January 9, 2024

Note: Pre-release binaries for version 3.64.0 were inadvertently made available on some download links pulling the latest Sonatype Nexus Repository version. We then discovered a bug in the 3.64.0-03 binaries causing authentication errors for some SAML implementations. We fixed this bug and have released new binaries.

Please ensure you are using the 3.64.0-04 binaries to get all fixes in this release.

  • logback-classic and logback-core updated to 1.2.13

  • upgraded jackson version from 2.15.0 to 2.15.3

  • upgraded snakeyaml version from 2.0 to 2.2

  • upgraded swagger version from 1.6.2 to 1.6.11

  • Multiple bug fixes