Policy Compliant Component Selection
The DevSecOps best practice for build reliability is to pin exact versions of open source dependencies in the build manifest. Many projects instead leave dependency versions unspecified or define them as a range of versions. When the latest version in that range has violations blocked by Repository Firewall, the npm client fails with an error and no clear path forward.
Policy-compliant component selection filters requests to prevent clients from selecting versions that violate your policies. This feature runs automatically when components are requested from quarantine-enabled proxy repositories.
Configuration for Nexus Repository 3 Pro
Prerequisites
IQ Server 167+ and Nexus Repository 3.61+ Pro
Nexus Repository 3 Pro and Repository Firewall license configured with IQ Server
Quarantine enabled on the npm and PyPi proxy repositories
Enable Policy Compliant Component Selection
In Nexus Repository, select the proxy repository from the Repositories view under the Settings menu.
Check the "Filter component versions that fail Sonatype Repository Firewall policy" option and Save the changes.

Configure Cache Settings
The cache used by Policy Compliant Component Selection can be set to one hour or less in Nexus Repository. To set the cache:
In Nexus Repository, select the proxy repository from the Repositories view under the Settings menu.
Change the Maximum metadata age to 60 minutes or less and Save the changes.
Configuration for JFrog Artifactory
Prerequisites
Next-Gen Repository Firewall license
Firewall for Artifactory plugin installed
Quarantine enabled on the proxy repository in JFrog Artifactory
Only npm proxy repositories are supported
PyPI proxy repositories are not supported
Enable Policy Compliant Component Selection
In the firewall.properties configuration file for Firewall for JFrog Artifactory, add a line for each repository for which you want to enable Policy Compliant Component Selection:
firewall.repo.my-remote-repo=policyCompliantComponentSelection
Configure Cache Settings
Performance for Policy Compliant Component Selection can be improved by reducing the Metadata Retrieval Cache Period configuration setting in Artifactory to one hour or less.
General Info
What is Policy-Compliant Component Selection?
Policy Compliant Component Selection is a Repository Firewall feature that delivers the most recent policy-compliant version of a requested component when you install your dependencies. When a dependency is specified as a range of versions, this feature prevents new releases with policy violations from interrupting your development process. This is useful for applications with large dependency trees and transitive dependencies.
Generally, automatically requesting the latest version of a dependency is not recommended.
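The following is an added illustration, not Sonatype code: it simulates the behaviour described above and in the introduction, a quarantine-enabled npm proxy filtering a package's metadata so that a client resolving a version range only sees policy-compliant versions. The package name, versions and the set of violating versions are constructed, and the range matcher only handles exact versions and caret ranges.

```javascript
// Added example (not Sonatype code): simulates how a quarantine-enabled npm
// proxy can filter a package's metadata ("packument") so that a client
// resolving a version range only ever sees policy-compliant versions.

// Constructed packument for a hypothetical package "example-lib".
const PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  versions: { "1.4.0": {}, "1.5.0": {}, "1.5.1": {}, "2.0.0": {}, "2.1.0": {} },
};

// Constructed set of versions that a Fail-at-Proxy-stage policy would block.
const VIOLATING = new Set(["1.5.1", "2.1.0"]);

const parse = (v) => v.split(".").map(Number);

// Numeric comparison of two "major.minor.patch" strings.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal range check: exact versions and caret ranges (^X.Y.Z = same major, >= X.Y.Z).
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Proxy side: drop violating versions and repoint "latest" at the newest compliant one.
function filterPackument(pkg, violating) {
  const kept = Object.keys(pkg.versions).filter((v) => !violating.has(v)).sort(cmp);
  const out = { name: pkg.name, "dist-tags": {}, versions: {} };
  for (const v of kept) out.versions[v] = pkg.versions[v];
  if (kept.length) out["dist-tags"].latest = kept[kept.length - 1];
  return out;
}

// Client side: pick the highest version satisfying the range, or null when
// nothing matches (the "no package found" case described on this page).
function resolve(pkg, range) {
  const matches = Object.keys(pkg.versions).filter((v) => satisfies(v, range)).sort(cmp);
  return matches.length ? matches[matches.length - 1] : null;
}

// Without filtering the client picks 2.1.0 and is then blocked at the proxy;
// with filtering it transparently lands on 2.0.0.
console.log(resolve(PACKUMENT, "^2.0.0"), resolve(filterPackument(PACKUMENT, VIOLATING), "^2.0.0"));
```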
Why should I enable this feature?
Enabling this feature can keep your projects running smoothly as Repository Firewall's Release Integrity features review each new release for malicious behavior. With Policy Compliant Component Selection, Repository Firewall reduces its impact on development while still providing maximum protection for your applications.
Does Policy Compliant Component Selection only work with the Release Integrity policy?
Policy Compliant Component Selection works for any policy set to Fail at the Proxy stage, not just the Release Integrity policy. Failing unknown components is not required for this feature to function. Be sure to check your auto-release settings, as they complement this feature.
What ecosystems are currently supported?
npm and PyPI are currently supported for Repository Firewall.
What are the minimum requirements to use this feature?
Do not enable this feature without running at least the minimum versions of both Nexus Repository 3 and IQ Server.
Using Policy Compliant Component Selection on Nexus Repository versions older than 3.38.1 and/or IQ Server versions older than 134 will result in performance issues.
See the prerequisites above.
Will versions audited by Policy Compliant Component Selection show up in my Repository Results view?
Only the versions actually downloaded to your repository, that is, the versions selected by Policy Compliant Component Selection, appear in the Repository Results view.
Unsupported versions of IQ Server may cause unused versions to appear on your Repository Results screen.
What if there is no policy-compliant version of a package?
You will receive a "no package found" error. This is not the same as a quarantined component: you will not be redirected to the Quarantined Component view.