
Sonatype Nexus Repository 3.78.0 - 3.78.2 Release Notes

Warning

Sonatype is aware of an issue preventing successful installation of Sonatype Nexus Repository 3.78.2 as a Windows service. If you use Nexus Repository as a Windows service, do not upgrade to 3.78.x. We will release a fix for our Windows users as soon as possible.

Multiple Vulnerabilities Resolved in 3.77.x and 3.78.x

Are you on the latest Nexus Repository version? If not, your deployment could be at risk.

Sonatype resolved multiple significant vulnerabilities between releases 3.77.0 and 3.78.2. Here are details on these security fixes:

  • Improved input validation to prevent processing malformed data, reducing the risk of unexpected behavior and potential information leakage. Also improved resource management to prevent uncontrolled resource consumption. (CVE-2024-47554, Apache Commons IO)

  • Removed the Karaf and pax-logging components, which eliminated several vulnerabilities: improper input validation, information exposure, XML External Entity (XXE) attacks, uncontrolled resource consumption in JLine, and denial of service in jackson-core. (Sonatype-2015-0286, Sonatype-2022-6438, CVE-2023-6378, CVE-2023-4218)

  • Addressed issues related to storing sensitive information in memory, reducing the risk of information exposure through memory analysis.

  • Made updates to prevent Denial of Service attacks due to uncontrolled resource consumption.
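Removing Karaf and pax-logging only helps if the deployed artifact really no longer carries them. The script below is an added example (not Sonatype code) that inventories the nested jars inside the uber-jar and flags any artifact whose name matches the removed components (Karaf, pax-logging, JLine); the same inventory can be handed to SBOM or vulnerability-matching tooling. It assumes the Spring Boot fat-jar layout, dependencies under BOOT-INF/lib/ named artifactId-version.jar, which the page does not state; the sample jars and every version number in them are constructed placeholders.

```python
"""Inventory the libraries bundled in a Spring Boot style uber-jar and flag any
component the release notes say was removed (Karaf, pax-logging, JLine).

Added example, not Sonatype code. Assumption (not stated on the page): the
uber-jar keeps its dependencies under BOOT-INF/lib/ as <artifactId>-<version>.jar.
"""
import io
import re
import zipfile

# Name prefixes of the components the notes say were removed in 3.78.x.
REMOVED_PREFIXES = ("org.apache.karaf", "karaf-", "pax-logging", "jline")

# artifactId-version.jar; the version must start with a digit so that
# hyphenated artifact names such as jackson-core are not split too early.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*?)\.jar$")


def inventory(jar_bytes: bytes) -> dict[str, str]:
    """Map artifactId -> version for every nested jar under BOOT-INF/lib/."""
    found: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if not (entry.startswith("BOOT-INF/lib/") and entry.endswith(".jar")):
                continue
            base = entry.rsplit("/", 1)[1]
            m = JAR_NAME.match(base)
            if m:
                found[m.group("artifact")] = m.group("version")
            else:
                found[base] = "unknown"  # unparseable name: still worth listing
    return found


def removed_components_present(libs: dict[str, str]) -> list[str]:
    """Artifacts still present whose name matches a removed component."""
    return sorted(a for a in libs if a.startswith(REMOVED_PREFIXES))


def build_sample_jar(entries: list[str]) -> bytes:
    """Constructed stand-in for an uber-jar; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed samples with placeholder versions: one layout that still carries
# the removed components, and one that does not.
OLD_STYLE = build_sample_jar([
    "BOOT-INF/lib/jackson-core-2.17.2.jar",
    "BOOT-INF/lib/pax-logging-api-2.2.0.jar",
    "BOOT-INF/lib/org.apache.karaf.shell.core-4.4.5.jar",
    "BOOT-INF/lib/jline-3.21.0.jar",
    "BOOT-INF/classes/application.properties",
])
NEW_STYLE = build_sample_jar([
    "BOOT-INF/lib/jackson-core-2.18.2.jar",
    "BOOT-INF/lib/logback-classic-1.2.13.jar",
    "BOOT-INF/lib/slf4j-api-1.7.36.jar",
])

if __name__ == "__main__":
    for label, jar in (("old layout", OLD_STYLE), ("new layout", NEW_STYLE)):
        libs = inventory(jar)
        print(f"{label}: {len(libs)} libs, leftover: {removed_components_present(libs)}")
```

Against a real installation, pass the bytes of the shipped jar to inventory(); an empty result from removed_components_present() is the expected state on 3.78.x, and a non-empty one means the artifact you deployed is not the one the notes describe.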

What's New in 3.78.2?

Released March 18, 2025

Sonatype Nexus Repository version 3.78.2 fixes a number of bugs impacting releases 3.78.0 and 3.78.1. Full details are available in the Bug Fixes section.

What's New in 3.78.1?

Released March 7, 2025

Sonatype Nexus Repository version 3.78.1 fixes a number of bugs impacting release 3.78.0. Full details are available in the Bug Fixes section.

This release also reverts our previous Logback upgrade back to version 1.2 and reverts our previous SLF4J upgrade back to version 1.7.

Known Issue Impacting 3.78.1 and 3.78.0

Nexus Repository not using some settings in nexus.vmoptions

Sonatype is aware of an issue where Nexus Repository deployments on versions 3.78.0 and 3.78.1 do not fully apply the custom data directory settings in nexus.vmoptions. This affects the karaf.data, karaf.log, java.io.tmpdir and -XX:LogFile settings, so the application falls back to the default ../sonatype-work/nexus3 directory. We will release a fix for this issue as soon as possible.
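A silently relocated data directory means the blob stores, embedded database and logs land outside the volume you backed up and locked down, so it is worth confirming which directories a running instance actually uses. The script below is an added example (not Sonatype code): it reads the -D properties from nexus.vmoptions and compares them with the system properties the JVM reports through jcmd <pid> VM.system_properties, flagging every watched setting the JVM did not pick up. The vmoptions content and jcmd output embedded in it are constructed, Unix-style samples; jcmd output on Windows escapes path characters, which this parser does not handle, and -XX:LogFile is a JVM flag rather than a system property and is left out.

```python
"""Check whether the directory settings in nexus.vmoptions are the ones the
running JVM actually uses, to catch the 3.78.0/3.78.1 issue where custom
karaf.data, karaf.log and java.io.tmpdir values are ignored.

Added example, not Sonatype code. Assumptions: nexus.vmoptions holds one JVM
option per line, and the live values come from `jcmd <pid> VM.system_properties`,
which prints key=value lines. Both samples below are constructed.
"""
import re

WATCHED = ("karaf.data", "karaf.log", "java.io.tmpdir")
# Where the notes say affected versions fall back to.
DEFAULT_DATA_DIR = "../sonatype-work/nexus3"

SAMPLE_VMOPTIONS = """\
# constructed sample: custom data directory on a dedicated volume
-Xms2703m
-Xmx2703m
-XX:LogFile=/var/lib/nexus-data/log/jvm.log
-Dkaraf.data=/var/lib/nexus-data
-Dkaraf.log=/var/lib/nexus-data/log
-Djava.io.tmpdir=/var/lib/nexus-data/tmp
"""

SAMPLE_JCMD_OUTPUT = """\
12345:
#Thu Mar 06 10:15:02 UTC 2025
java.io.tmpdir=../sonatype-work/nexus3/tmp
karaf.data=../sonatype-work/nexus3
karaf.log=../sonatype-work/nexus3/log
java.version=17.0.14
"""


def parse_vmoptions(text: str) -> dict:
    """Extract -Dkey=value pairs; comments and other flags (-Xmx, -XX:...) are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"-D([^=]+)=(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_system_properties(text: str) -> dict:
    """Parse jcmd VM.system_properties output: key=value per line, '#' comment lines."""
    props = {}
    for raw in text.splitlines():
        if raw.startswith("#") or "=" not in raw:
            continue  # the leading "<pid>:" line and the timestamp comment
        key, _, value = raw.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_ignored_settings(requested: dict, effective: dict) -> dict:
    """Watched keys set in vmoptions whose live value differs: key -> (requested, effective)."""
    return {
        key: (requested[key], effective.get(key))
        for key in WATCHED
        if key in requested and requested[key] != effective.get(key)
    }


def fell_back_to_default(effective: dict) -> bool:
    """True when the live data directory is the documented default rather than a custom one."""
    default_tail = DEFAULT_DATA_DIR.lstrip("./")  # "sonatype-work/nexus3"
    return effective.get("karaf.data", "").rstrip("/").endswith(default_tail)


if __name__ == "__main__":
    requested = parse_vmoptions(SAMPLE_VMOPTIONS)
    effective = parse_system_properties(SAMPLE_JCMD_OUTPUT)
    for key, (want, got) in find_ignored_settings(requested, effective).items():
        print(f"{key}: nexus.vmoptions says {want!r}, JVM reports {got!r}")
    if fell_back_to_default(effective):
        print("data directory fell back to the default; upgrade to a fixed release")
```

On a live host, replace the two samples with the real nexus.vmoptions contents and the output of jcmd for the Nexus PID; an empty result from find_ignored_settings() means the instance is writing where you configured it to.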

What's New in 3.78.0?

Released March 4, 2025

Breaking Change for Custom Plugins: Nexus Repository Migrates to Spring Boot Architecture

This release marks a significant shift in Nexus Repository's architecture, migrating from Apache Karaf and OSGi to the Spring Framework. This transition modernizes the underlying technology stack, aligning with industry best practices and enabling future innovation.

Sonatype Nexus Repository is now packaged as a single "uber-jar," simplifying deployment and dependency management. Nexus Repository installers now include ARM-compatible JREs for Unix and macOS platforms in addition to the x86-64 versions. Windows installers will continue to be x86-64 only.

Impact to OSGi Bundle Deployment

Notably, this change also means that custom OSGi bundle deployment is no longer supported. You can learn more in our sunsetting documentation.

Nexus Repository Installer Update: Check Windows Service Configuration

With this release, JReleaser replaces Install4J as our tool for building our macOS, Windows, and Unix installers. Initially, JReleaser focuses on bundling a JRE with the application, maintaining the existing recommendation to use the bundled JRE for all deployments. Future iterations will leverage JReleaser's capabilities to further refine the installer experience and integrate more tightly with our uber-jar packaging.

Please note that our Unix archive now comes bundled with a platform-specific JDK and can no longer be used in a Mac environment.

Important Note for Windows Users

If you configure Windows Service Manager to run Nexus Repository, please review the updated instructions in our installation help docs before upgrading for details, including the commands you will need to use for starting, stopping, and uninstalling the service.

Simplified JDK Upgrades with Nexus Repository Source Code Migration to Java

This release completes the conversion of all Groovy source code to Java within Nexus Repository, both in the core and proprietary components. This migration simplifies maintenance and removes a barrier to upgrading to newer JDK versions. Note that you can still execute Groovy scripts via a task. See our Script API help documentation for more information.

Save on Infrastructure: ARM Docker Images Now Available

This release broadens Sonatype Nexus Repository’s architecture compatibility by introducing ARM Docker images alongside the existing x86_64 versions in Docker Hub. This enhancement aligns with our commitment to providing flexible deployment options and supporting a wider range of infrastructure.

You can find ARM images for Nexus Repository version 3.78.0 and later on Docker Hub under sonatype/nexus3.

Improved npm Audit Security with Firewall Integration

This release enhances npm audit command security (for npm versions 7 and 8) by ensuring full integration with Sonatype Repository Firewall. For deployments using Repository Firewall, all components retrieved during an npm audit using npm version 7 and 8 are subject to Firewall checks, providing an added layer of protection.

Repository Firewall does not yet support package-lock.json lockfileVersion 3; lock files produced by npm 9 and 10 are therefore not supported.
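Because coverage depends on the lockfile version, a CI check that reads the lockfile and says whether an npm audit against it gets Firewall checks is useful. The script below is an added example (not Sonatype or npm code): it reports the lockfileVersion, whether it falls in the supported range (1 or 2, as written by npm 7 and 8), and the name/version pairs the audit would submit, collected as a name-to-versions map. The lockfile layout it parses (a top-level lockfileVersion, a "packages" map keyed by node_modules paths for versions 2 and 3, a nested "dependencies" tree for version 1) follows npm's lockfile format; the two sample lockfiles and the registry hostname inside them are constructed.

```python
"""Tell whether a project's package-lock.json is in the range the Firewall
integration covers for npm audit (lockfileVersion 1 or 2, written by npm 7/8)
and list the name/version pairs an audit of it would submit for evaluation.

Added example, not Sonatype or npm code. The sample lockfiles are constructed
and the registry hostname in them is made up.
"""
import json

# npm 7 and 8 write lockfileVersion 2; npm 9 and 10 default to 3.
SUPPORTED_LOCKFILE_VERSIONS = {1, 2}


def lockfile_version(lock: dict) -> int:
    return int(lock.get("lockfileVersion", 1))


def firewall_covers_audit(lock: dict) -> bool:
    """Only the lockfile versions the notes list as supported get Firewall checks on audit."""
    return lockfile_version(lock) in SUPPORTED_LOCKFILE_VERSIONS


def audited_packages(lock: dict) -> dict:
    """name -> set of versions present in the lockfile (what an audit asks about)."""
    result: dict = {}

    def add(name: str, meta: dict) -> None:
        version = meta.get("version")
        if version:  # link/workspace entries carry no version and are skipped
            result.setdefault(name, set()).add(version)

    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project itself
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            add(path.rsplit("node_modules/", 1)[-1], meta)
    else:  # lockfileVersion 1: nested dependencies tree
        def walk(deps: dict) -> None:
            for name, meta in deps.items():
                add(name, meta)
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return result


# Constructed: an npm 9/10 style lockfile with a scoped package and a nested duplicate.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"lodash": "^4.17.21", "@scope/pkg": "^2.0.0"}},
    "node_modules/lodash": {"version": "4.17.21",
         "resolved": "https://nexus.example.internal/repository/npm-group/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/@scope/pkg": {"version": "2.0.0"},
    "node_modules/@scope/pkg/node_modules/lodash": {"version": "4.17.20"}
  }
}""")

# Constructed: an old-style lockfile with the nested "dependencies" tree.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.21",
                   "dependencies": {"minimist": {"version": "1.2.8"}}}
    },
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        status = "covered" if firewall_covers_audit(lock) else "NOT covered"
        print(label, status, {k: sorted(v) for k, v in audited_packages(lock).items()})
```

In a pipeline, load the project's package-lock.json with json.load() and fail the job, or fall back to a separate policy check, when firewall_covers_audit() returns False; the package map shows exactly which components an audit on that lockfile would and would not have put in front of Firewall.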

Sunsetting Log4J Visualizer and Bower Format

The Log4j Visualizer feature has been removed in this release. This early experiment in adding Software Composition Analysis (SCA) capabilities to Nexus Repository is now superseded by more comprehensive features, such as our malware warning banner.

We have also officially sunset Bower format, which was last available in our 3.70.x release line and only supported for OrientDB instances.

For full details on our feature sunsetting process, see our feature sunsetting documentation.

Breaking Changes with JFrog Artifactory 7.104

JFrog Artifactory 7.104, the latest release at the time of writing, is incompatible with the Repository Firewall plugin: it ships a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against.

We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment.

Bug Fixes

Note

Performance Tip - Exclude Nexus Repository Directory from Virus Scans

To optimize startup time, particularly on Windows systems, Sonatype recommends excluding the Nexus Repository directory from virus scans. Scanning every file during application startup can significantly increase the time required for the application to become operational.

The table below lists additional bug fixes included in release 3.78.2 (issue ID, then description).

NEXUS-46461: Sonatype Nexus Repository now correctly loads the license file specified by the nexus.licenseFile property in nexus.properties during initialization.
NEXUS-46451: The startup script for macOS distributions now correctly identifies the embedded JDK home, resolving a startup failure caused by an incorrect path.
NEXUS-46408: Installations set up to use systemd as described in our Run as a Service documentation now start as expected.
NEXUS-46377: The Windows service installation now explicitly uses the embedded JDK, resolving an issue where the service could incorrectly select a system-installed JDK.
NEXUS-46370: The Unix distribution archive now preserves the user and group ownership of unpacked files, resolving an issue where files were incorrectly owned by a specific user ID.
NEXUS-46362: Removed the unnecessary warning about JAVA_HOME not being set from every place it could be emitted.
NEXUS-46359: Sonatype Nexus Repository now respects the karaf.data and karaf.log properties specified in nexus.vmoptions.
NEXUS-46318 & NEXUS-46401: Users can again specify a custom JVM using the APP_JAVA_HOME environment variable or the app_java_home property in nexus.rc, restoring the ability to override the embedded JDK. See Obtaining a Suitable JRE.

The table below lists additional bug fixes included in release 3.78.1 (issue ID, then description).

NEXUS-46354: Corrected a NEXUS_DATA environment variable injection issue, resolving file lock errors in Kubernetes deployments.
NEXUS-46353: Kubernetes deployments now correctly load and persist licenses on initial installation, resolving a "License is not valid" error that occurred in some deployments.
NEXUS-46345: Corrected the URL used to retrieve Composer packages.json metadata.
NEXUS-46319: Restored missing Tasks REST API endpoints.
NEXUS-46313: Nexus Repository now starts correctly when installed in a directory whose path contains spaces.
NEXUS-46310: The bin/nexus script now correctly recognizes and applies the run_as_user setting described in our run as a service documentation.
NEXUS-46168: Adjusted the Reconciliation task so that it can restore missing properties files in cloud blob stores that have date-based layout enabled and a volume/chapter folder structure.
NEXUS-46008: Restored missing log line fields and daily rotation of the request.log.

The table below lists bug fixes included in release 3.78.0 (issue ID, then description).

NEXUS-46087: Improved upload performance by preventing excessive asynchronous event queuing, which eliminates latency spikes and keeps background processing efficient.
NEXUS-46004: Improved npm audit security with Firewall integration.
NEXUS-45997: Fixed a NullPointerException that affected some Helm proxy repositories on Nexus Repository version 3.77.0.
NEXUS-45925: The tarball download URLs in npm group repository metadata now match those returned by npm proxy repositories.
NEXUS-45855: Made changes to prevent heavy loads from causing browse node event handling to time out.
NEXUS-45773: Ensured correct migration of privileges and roles from Nexus Repository 2 to 3 by aligning privilege names and IDs.
NEXUS-45729: Maven metadata GET requests to a group repository are no longer much slower than direct requests to member repositories.
NEXUS-45673: Corrected P2 proxy repository functionality to allow proxying JAR files whose MANIFEST is not the first or second JAR entry.
NEXUS-45639: Fixed an error that prevented blob store loading during the Repair - Recalculate blob store storage task by correcting a method name case mismatch.
NEXUS-45432: Corrected download URLs in npm package metadata for non-scoped, version-specific requests.
NEXUS-45364: Made the Apache Velocity parser pool size configurable to prevent resource exhaustion during high-volume PyPI component index requests.
NEXUS-45139: Corrected HEAD request responses for repository root URLs to comply with HTTP/1.1, so they now return the same status as the corresponding GET requests.
NEXUS-44544: Improved component search results by displaying an empty field instead of the Unix epoch date when the last updated value is null.
NEXUS-44016: Corrected npm latest tag resolution to prevent canary versions from being selected when the true latest version is removed.
NEXUS-44007: Resolved Java XML bind warning messages that occurred in some instances when starting Nexus Repository with Java 17.
NEXUS-43115: Expanded documentation on installing Sonatype Nexus Repository using the OpenShift operator.
NEXUS-40991: Ensured consistent favicon display across all static and dynamic pages in Nexus Repository.
NEXUS-34688: Prevented unnecessary load on IQ Server by ensuring the IQ: Audit and Quarantine capability is only configurable for supported repository formats.
NEXUS-30693: Improved logging for the Repair - Reconcile component database from blob store task to include the settings used during execution.