
Nexus Repository 3.29.0 - 3.29.2 Release Notes

Nexus Repository Manager 3.29.2

2021-01-06

Warning

If you installed 3.29.1 and modified or created a cleanup policy, the following is critical.

A bug in the implementation of the new user interface for Cleanup Policies resulted in a value displayed as days being interpreted as seconds. If you created or modified a cleanup policy while using 3.29.1, then after updating you must confirm that these fields have the intended values.

Bug Fix

NEXUS-26251 - Interface for Cleanup Policies erroneously interprets and persists values as seconds instead of days

Nexus Repository Manager 3.29.1

2020-12-24

These notes are a compilation of significant bug fixes for Nexus Repository Manager 3.29.1.

Warning

A flaw (NEXUS-26251) has been discovered in Cleanup Policies affecting version 3.29.1. Repositories with a cleanup policy can have components soft deleted that do not meet the criteria specified.

An upgrade to 3.29.2 or newer is strongly recommended, especially for instances that use Cleanup Policies. If this is not possible, any 3.29.1 instance is advised to take the following action:

  1. As an Administrator user, navigate to Administration → System → Tasks.

  2. Select the task of type Admin - Cleanup repositories using their associated policies. The default task name is Cleanup service. Click the task Settings tab.

  3. Uncheck the Task enabled checkbox on the Settings tab and click Save.

Bug Fixes

Blobstore, Docker, Scheduled Tasks

  • [NEXUS-25504] Unable to pull images from hosted docker repo after move to new blob store

helm

  • [NEXUS-25611] Installing via helm proxy errors if not using official remote

npm-audit

  • [NEXUS-25936] npm audit fails with 500 response using group and anonymous

NuGet V3

  • [NEXUS-25801] Group repository registration API requests may fail

Staging

  • [NEXUS-24391] 'Destination already contains component' error when using staging API

Nexus Repository Manager 3.29.0

Includes Security Fix for XML External Entity CVE. See the CVE-2020-29436 advisory for details.

Sonatype recommends that administrators running 3.28.1 and earlier upgrade immediately.

2020-12-04

These notes are a compilation of new features and significant bug fixes for Nexus Repository Manager 3.29.0.

New and Noteworthy

Filtering npm Package Root Metadata

A common pattern in npm projects is to use version ranges for dependencies. For users of Nexus Firewall, this could lead to build failures if quarantine is enabled for unknown components and a build occurred before a package was catalogued. Firewall is now smarter, and when configured it will filter new packages that haven’t yet been vetted for quality so developers can use latest and version ranges without friction.

Deprecating /service/metrics/healthcheck

NEXUS-19840

The /service/metrics/healthcheck endpoint has been deprecated and is scheduled for eventual removal. It is recommended to use the alternative endpoint /service/rest/v1/status/check, which has a near equivalent JSON response, except that it does not return a 500 status when one or more system status checks fail.
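
Because the replacement endpoint does not signal failed checks through a 500 status, a monitoring probe that only looked at the status code has to evaluate the response body instead. The following is an added example, not code from Sonatype or from these release notes. It assumes the body is a JSON object mapping each check name to an object with a boolean "healthy" field and an optional "message"; the sample body and function names are constructed for illustration.

```python
import json

# Constructed sample body in the shape assumed above; not captured from a real instance.
SAMPLE_BODY = json.dumps({
    "Available CPUs": {"healthy": True, "message": "4 cores available"},
    "Blob Stores": {"healthy": False, "message": "blob store 'default' is below quota"},
    "Thread Deadlock Detector": {"healthy": True, "message": None},
})


def failing_checks(body):
    """Return {check name: message} for every check that is not explicitly healthy.

    Fails closed: unparsable JSON, a non-object body, an empty object, or an
    entry without "healthy": true all count as failures.
    """
    try:
        checks = json.loads(body)
    except (TypeError, ValueError) as exc:
        return {"<response>": f"unparsable body: {exc}"}
    if not isinstance(checks, dict) or not checks:
        return {"<response>": "no checks in response"}
    failed = {}
    for name, result in checks.items():
        if not (isinstance(result, dict) and result.get("healthy") is True):
            message = result.get("message") if isinstance(result, dict) else None
            failed[name] = message or "no message"
    return failed


def probe_exit_code(http_status, body):
    """Map a status/check response to a monitoring exit code (0 = OK, 2 = critical)."""
    if http_status != 200:
        return 2
    # A 200 alone proves nothing here: the body decides.
    return 2 if failing_checks(body) else 0


if __name__ == "__main__":
    for name, message in failing_checks(SAMPLE_BODY).items():
        print(f"CRITICAL {name}: {message}")
    print("exit code:", probe_exit_code(200, SAMPLE_BODY))
```
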

Support for Maven and Gradle SHA256/SHA512 Hashing

These hashes are now created automatically during UI Upload of jars and automatically removed when the accompanying components are removed by cleanup policies or maven-specific deletion tasks.

Remote URL of nuget.org-proxy Defaults to V3 for New Installs

NEXUS-25506

New installs will now contain the default NuGet proxy repository as https://api.nuget.org/v3/index.json. Upgrading will not modify any existing remote URLs, although users are encouraged to start migrating away from using NuGet V2 API URLs such as the previous default (https://www.nuget.org/api/v2/).

More Secure Direct Inbound HTTPS Connection Ciphers and TLS Protocols

NEXUS-20267, NEXUS-25786

For instances using Eclipse Jetty-based direct inbound HTTPS connections (no reverse proxy), the default connector configuration inside jetty-https.xml now only allows TLS v1.2 connections. Weak ciphers and the deprecated TLS v1 and TLS v1.1 protocols are excluded.

It is possible that very old insecure HTTP clients may fail to establish an HTTPS connection to the repository manager using these new defaults. Should this occur and you need to revert changes in your instance, consult the JIRA issues or our knowledge base article.

General Improvements

  • [NEXUS-25307] Protection against deletion of related blob stores while the Change repository blob store task is executing

  • [NEXUS-14631] Added more attributes to REST resource for asset

  • [NEXUS-19021] Logging at default levels when roles are added or removed

  • [NEXUS-25774] Upgraded Eclipse Jetty to 9.4.33.v20201020

Bug Fixes

Blobstore

  • [NEXUS-23733] Creating more than one file based blobstore using the same root path is not prevented

Crowd, REST

  • [NEXUS-25529] Security management: Users API does not show "externalRoles" for Crowd

Proxy Repository

  • [NEXUS-25510] Error Response Code 429 (Rate Limiting) does not autoblock

NuGet V3

  • [NEXUS-25291] Proxy can be configured only using a specific remote in UI field

  • [NEXUS-25605] Proxy repositories to github package registry can fail query requests when accessed in a group repository

  • [NEXUS-25478] Group packages incorrectly sorted in page causing some installs to fail

  • [NEXUS-25357] Proxy does not work with some third-party V3 repositories

npm-audit

  • [NEXUS-24913] npm audit caching prevents policy updates

NuGet

  • [NEXUS-25609] Exception processing payloads for a single NuGet group member repository can stop all group member processing

R

  • [NEXUS-23827] PACKAGES.gz cannot be updated if repository doesn't allow redeploy

Security

  • [NEXUS-25829] CVE-2020-29436: Fixes an XXE Vulnerability

Transport

  • [NEXUS-25158] HeaderPatternFilter may reject implicit Host value due to certain combinations of X-Forwarded headers

Yum

  • [NEXUS-25604] Some newly deployed rpm files not showing up in primary.xml.gz, despite logging saying they are being added

  • [NEXUS-25502] yum metadata is rebuilt after downloading it which can cause build failures

  • [NEXUS-25628] yum metadata missing provides entries when multiple versions are provided by a package