Skip to main content

Policy-Compliant Component Selection for npm


Only available in Sonatype Nexus Repository Pro. Interested in a free trial? Start here.


This functionality requires integration with Sonatype Repository Firewall and a Firewall license.

When a user requests an npm package without explicitly specifying a version (e.g., npm install package) or specifying a version range, the npm client relies on the package metadata from the npm registry to select a version that satisfies the version constraints. If the selected version has policy violation and is quarantined by Sonatype Repository Firewall, it will cause a build failure that requires a manual fix of the root cause.

By enabling this option, Sonatype Repository Firewall will remove quarantined versions from the npm package metadata to prevent you from selecting a version with policy violations.

The Download policy compliant versions only option will eventually replace the Download cataloged versions only since, using properly configured policy, it is able to do that on top of additional functionality.

Two settings are needed to enable this behavior:

  1. Enable the Firewall Audit and Quarantine capability on the proxy repository.

  2. Check the Download policy compliant versions only box in the Sonatype Nexus Repository settings page.

Also see the Sonatype Repository Firewall documentation on policy-compliant component selection.