This cloud release contains the following bug fixes, which will be provided to self-hosted customers in a future release: NEXUS-48644 – Logging out of the Nexus Repository user interface now correctly ends the session in HA environments. NEXUS-48616 – Changed the log level from WARN to INFO for missing tasklogfile appender. NEXUS-48573 – Made change to improve the Admin - Compact Blob Store task performance. NEXUS-48511 – Uploads to hosted repositories backed by group blob stores now defer makeBlobPermanent to member stores, eliminating unnecessary blob copying and improving performance. NEXUS-47446 – Composer proxy repositories now correctly handle packages with missing metadata. NEXUS-47022 – APT metadata is now automatically updated when components are removed by cleanup policies, ensuring metadata reflects the current state of hosted repositories. NEXUS-44318 – Docker garbage collection now uses batch processing and memory-efficient data structures to reduce memory usage and improve performance when operating on large repositories. NEXUS-42187 – The Use Nexus truststore checkbox in repository settings is now editable in the UI for users with nx-repository-admin privileges.
| September 18, 2025 (cloud release) | 3.85.0 (Coming October 2025) |
This cloud release contains the following bug fixes, which will be provided to self-hosted customers in a future release: NEXUS-48666 – Licenses that end with allowed special characters now parse correctly as expected. NEXUS-48602 – The internal node heartbeat cleanup task no longer fails with SQL syntax errors. NEXUS-48591 – IQ Server ceritificants stored in the Nexus Repository truststore continue to work as expected after restarting Nexus Repository. NEXUS-47770 – Startup messages about unknown or obsolete capability types are now logged at the INFO level instead of WARN, reducing unnecessary alerts for expected conditions. NEXUS-47652 – Selecting the Nexus Repository logo in the UI now correctly redirects to the configured nexus-context-path. NEXUS-46697 – APT staging moves now correctly update metadata in both source and target repositories. NEXUS-46487 – The Admin - Change repository blob store task now preserves the original blobCreated timestamp. NEXUS-45297 – APT snapshots for non-flat repositories now include by-hash metadata files generated from stored asset checksums, ensuring full compatibility with Ubuntu 24.04 and allowing functional snapshot usage. NEXUS-44791 – The application now uses the HOSTNAME environment variable as the primary source for determining the hostname, preventing unnecessary error logs during startup in containerized HA environments. NEXUS-44626 – The Repository - Import external files task now successfully recognizes network-mounted drive paths when Nexus Repository is running as a Windows service. NEXUS-17448 – Calls to the Crowd user manager are now skipped when Crowd is not configured. Related log messages have been downgraded from WARN to DEBUG.
| September 11, 2025 (cloud release date) | 3.85.0 (Coming October 2025) |
3.84.1 3.84.0 Support for OCI Image Manifest Specification and RPM Packages in Container Scanning Improved Stability for Concurrent Requests in Highly Available Deployments Updated Task Names for Data Repair Consistency Dependency Updates tika-core version upgraded from 1.28.4 to 3.2.2 bouncycastle version upgraded from 1.78.1 to 1.81 azure-identity version upgraded from 1.16.2 to 1.17.0
Multiple bug fixes
| September 9, 2025 (3.84.0 – self-hosted) September 17, 2025 (3.84.1 – self-hosted) | 3.84.0 |
This cloud release includes all bug fixes from the self-hosted 3.82.1, 3.83.1, 3.83.2, and 3.84.0 releases along with the following bug fixes that will be included in the October 3.85.0 self-hosted release: NEXUS-45343 – RubyGems uploaded via the UI or REST API are now correctly included in the specs.4.8.gz file. NEXUS-45370 – Improved logs for quarantined npm and PyPI package versions. NEXUS-45788 – The search assets API now correctly supports sorting by the last_updated field. NEXUS-45844 – NuGet V2 proxy repositories no longer throw a java.lang.IllegalStateException: Duplicate key during package restore operations. NEXUS-46507 – The Format field is no longer required when editing Repository Content Selector privileges. NEXUS-46966 – Logger name inputs are now validated to prevent invalid characters or formatting. NEXUS-47019 – Added additional logging to improve visibility into search index purge operations triggered by component deletions. NEXUS-47364 – The INSTALL4J_ADD_VM_PARAMS environment variable is now safely quoted during processing to prevent errors when it includes special characters. NEXUS-47512 – The tagging UI now uses pagination to efficiently load and display tag data. NEXUS-47948 – The Plan Repair and Execute Repair tasks no longer appear in Nexus Repository Cloud deployments. NEXUS-48162 – HA search is now case-insensitive by default.
| September 8, 2025 (cloud release date) | 3.82.1, 3.83.1, 3.83.2, 3.84.0, and 3.85.0 (coming October 2025) |
3.83.2 3.83.1 3.83.0 Firewall for Containers (Requires Sonatype IQ Server 194). Improved security options for password hashing and secrets encryption. Streamlined recovery with new Verify and Repair Data Consistency task, which replaces the now legacy Repair - Reconcile component database from blob store task. New cross-region disaster recovery documentation to help configure your HA deployment to support cross-region disaster recovery in AWS. Multiple bug fixes.
Sonatype Nexus Repository Now Available in the Cloud – Sonatype Nexus Repository Pro is now available as a fully managed, cloud-hosted service, eliminating the overhead of infrastructure management and allowing your development teams to focus on building and delivering secure and reliable software faster. Docker Registry Path-Based Repository Support.
| September 3, 2025 (3.83.2 – self-hosted release date) August 19, 2025 (3.83.1 – self-hosted release date) August 12, 2025 (3.83.0 – self-hosted and cloud release date) | 3.83.0 - 3.83.2 |
3.82.1 This release fixes an issue with the Repair - Reconcile component database from blob store task where running the task with the integrity check option enabled could incorrectly remove content from repositories that use an Azure blob store. 3.82.0 Known Issue in 3.82.0 with Repair - Reconcile component database from blob store task for Azure blob stores Sonatype has identified an issue in Sonatype Nexus Repository where running the Repair - reconcile component database from blob store task with the integrity check option enabled can incorrectly remove content from repositories that use an Azure blob store. If you are using an Azure blob store, do not run this task with integrity check selected. New Capabilities API to view, create, update, and delete capabilities. Firewall quarantine messaging restored and improved.
| August 26, 2025 (3.82.1 – self-hosted release date) July 9, 2025 (3.82.0 – self-hosted release date) | 3.82.0 - 3.82.1 |
Known Issue in 3.81.1: Quarantine Messages Missing from 403 Responses Sonatype is aware of an issue in Nexus Repository 3.81.1 that prevents all quarantine messages—both default and custom—from appearing in HTTP responses when components are blocked by Repository Firewall. Affected requests return only a generic “403 Forbidden” status with no explanatory message or link to the component report. This may impact environments that depend on these messages to inform users about quarantine reasons. Known Issue in 3.81.0: dotnet restore Command Fails We’ve identified an issue in Nexus Repository 3.81.0 that causes dotnet restore commands to fail due to NuGet v3 content requests returning 404 errors. This can disrupt build pipelines that rely on NuGet group repositories. If your environment uses the dotnet build tool, do not upgrade to 3.81.0. A fix is in progress and will be released as soon as possible. 3.81.0 Egress information available in the Usage tab under Licensing. Upgraded from Jetty 9 to Jetty 12. Performance improvements for Change Repository Blobstore task in Google Cloud environments. Integrate Sonatype Repository Firewall with Zscaler.
| June 11, 2025 (3.81.1) June 10, 2025 (3.81.0) (self-hosted release dates) | 3.81.0 - 3.81.1 |
New modern user interface Usage Center support for high availability Historical usage table with insights into month-to-month usage LDAP to SAML user token migration task Simplified cleanup for S3 blob stores with Compact Blob Store task and retention property Improvements to high availability configurations for AWS database failover Upgrade impact for those with custom Jetty configuration: in this release, we renamed the logging framework module from nexus-pax-logging to nexus-logging Hugging Face support for Firewall (requires Lifecycle 191) and Firewall for Artifactory Plugin (Plugin version 2.6.0)
| May 6, 2025 (self-hosted release date) | 3.80.0 |
3.79.1 Restored RUT auth realm for Community Edition Resolved known issue preventing uploads to Azure blob store Restored Windows service installation option Additional bug fixes
3.79.0 Monthly request metrics available in Usage Center Support for AWS Pre-Signed URL Downloads (Pro Only) Pre-Signed URLs for Hugging Face and PyPI Not Yet Supported As of release 3.79.0, the pre-signed URL feature does not yet support Hugging Face and PyPI. We will add support for these formats as soon as possible. Updates to Licensing Page in User Interface Firewall - New Malware Defense Evaluation REST API (Requires IQ Server 189+) Firewall - New Firewall REST API to protect against Namespace Confusion attacks (Requires IQ Server 189+) Firewall - New Firewall for Artifactory Plugin supporting latest Artifactory versions
| April 10, 2025 (3.79.1) April 1, 2025 (3.79.0) (self-hosted release dates) | 3.79.0 - 3.79.1 |
Known Issue for Community Edition 3.78.0-3.79.0 In Sonatype Nexus Repository 3.78.0 and 3.79.0, the RUT Auth Realm (rutauth-realm), which is used for authentication via remote user token, is not available for Community Edition deployments. Instances using rutauth-realm before upgrading will lose functionality, and downgrading is not possible without a database backup made before the upgrade. We are investigating this issue and will provide a fix as soon as possible. This issue does not impact Pro deployments or Community Edition 3.77.x deployments. Warning Sonatype is aware of an issue preventing successful installation of Sonatype Nexus Repository 3.78.2 as a Windows service. If you use Nexus Repository as a Windows service, do not upgrade to 3.78.x. We will release a fix for our Windows users as soon as possible. 3.78.3 3.78.2 3.78.1 Multiple fixes for bugs impacting release 3.78.0; see the full release notes for details. Reverted previous core dependency updates, including moving back to SLF4J 1.7 and Logback 1.2.
3.78.0 Breaking change for custom plugins: Nexus Repository migrates to Spring Boot architecture. Custom OSGi bundle deployment no longer supported. Important breaking change for Windows users. JReleaser replaces Install4J as our tool for building installers. If you configure Windows Service Manager to run Nexus Repository, please review the updated instructions in our installation help docs before upgrading for details, including the commands you will need to use for starting, stopping, and uninstalling the service. Unix archive now comes with platform-specific JDK and can no longer be used in a Mac environment. Simpliefied JDK upgrades with Nexus Repository source code migration to Java. ARM Docker images now available on Docker Hub. Improved npm audit security with Firewall integration. Sunsetting Log4J Visualizer and Bower format. Core dependency updates, including move from SLF4J 1.7 to SLF4J 2.0 and from Logback 1.2 to Logback 1.5. (Reverted in 3.78.1)
Breaking Changes with JFrog Artifactory 7.104 JFrog Artifactory 7.104 is the latest and is incompatible with the Repository Firewall plugin. JFrog Artifactory has introduced a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against. We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment. | August 15, 2025 (3.78.3) March 18, 2025 (3.78.2) March 7, 2025 (3.78.1) March 4, 2025 (3.78.0) (self-hosted release dates) | 3.78.0 - 3.78.3 |
Important The Nexus Repository 3.70.x line is the last release line to support OrientDB. If you must remain on OrientDB, you will need to remain on our 3.70.x release line until you can migrate to H2 or PostgreSQL. This marks OrientDB's transition to Extended Maintenance as defined in our sunsetting documentation. As of January 9, 2026, OrientDB will be considered officially sunset. 3.70.4 | February 13, 2025 (3.70.4) October 10, 2024 (3.70.3) September 3, 2024 (3.70.2) July 10, 2024 (3.70.1) July 9, 2024 (3.70.0) (self-hosted release dates) | 3.70.0 - 3.70.4 |
3.77.2 3.77.1 Fixes an issue in 3.77.0 where using the X-Forwarded-Port header with that exact letter case caused Docker repositories to return a 500 Server Error due to a conversion issue. Fixes an issue in 3.77.0 that prevented the option to automatically remove malware from displaying when configuring the Automatic Malware Management task.
3.77.0 Nexus Repository OSS becomes Nexus Repository Community Edition Support for Hugging Face Proxy Repositories (Pro and Community Edition) Automatically Remove Malicious Components with Repository Firewall (Pro Only) Content Replication for Conan V2 (Pro Only) Helm Staging Support (Pro Only) Status Check for Embedded Database Use (H2 Only) Options like Vulnerability Lookup and Advanced Search no longer display in the standalone Firewall user interface available via Solution Switcher. You can find these items by switching to the Lifecycle option via Solution Switcher.
| February 25, 2025 (3.77.2) February 6, 2025 (3.77.1) February 4, 2025 (3.77.0) (self-hosted release dates) | 3.77.0 - 3.77.2 |
Known Issue Sonatype is aware of an issue impacting Azure Blob Store users where attempting to download binary files exceeding 2GB can cause Nexus Repository to become unresponsive. We will release a patch for this issue as soon as possible. 3.76.1 3.76.0 Native support for Conan 2.0 (Pro only) Malware remediation task Firewall added to solution switcher Google Cloud Platform (GCP) blob store Region field is now auto-populated when creating a new blob store
| January 23, 2025 (3.76.1) January 7, 2025 (3.76.0) (self-hosted release dates) | 3.76.0 - 3.76.1 |
