Sonatype Nexus Repository 3.78.0 Release Notes
Released March 4, 2025
What’s New and Noteworthy in This Release?
Breaking Change for Custom Plugins: Nexus Repository Migrates to Spring Boot Architecture
This release marks a significant shift in Nexus Repository's architecture, migrating from Apache Karaf and OSGi to the Spring Framework. This transition modernizes the underlying technology stack, aligning with industry best practices and enabling future innovation.
Sonatype Nexus Repository is now packaged as a single "uber-jar," simplifying deployment and dependency management. Nexus Repository installers now include ARM-compatible JREs for Unix and macOS platforms in addition to the x86-64 versions. Windows installers will continue to be x86-64 only.
Impact to OSGi Bundle Deployment
Notably, this change also means that custom OSGi bundle deployment is no longer supported. You can learn more in our sunsetting documentation.
Nexus Repository Installer Update: Check Windows Service Configuration
Known Issue in 3.78.0
There is a known issue in 3.78.0 that is preventing users from overriding the included JVM. We will release a fix for this issue as soon as possible.
With this release, JReleaser replaces Install4J as our tool for building our macOS, Windows, and Unix installers. Initially, JReleaser focuses on bundling a JRE with the application, maintaining the existing recommendation to use the bundled JRE for all deployments. Future iterations will leverage JReleaser's capabilities to further refine the installer experience and integrate more tightly with our uber-jar packaging.
Please note that our Unix archive now comes bundled with a platform-specific JDK and can no longer be used in a Mac environment.
Important Note for Windows Users
If you configure Windows Service Manager to run Nexus Repository, please review the updated instructions in our installation help docs before upgrading. They include the commands you will need for starting, stopping, and uninstalling the service.
Simplified JDK Upgrades with Nexus Repository Source Code Migration to Java
This release completes the conversion of all Groovy source code to Java within Nexus Repository, both in the core and proprietary components. This migration simplifies maintenance and removes a barrier to upgrading to newer JDK versions. Note that you can still execute Groovy scripts via Task. See our Script API help documentation for more information.
Save on Infrastructure: ARM Docker Images Now Available
This release broadens Sonatype Nexus Repository’s architecture compatibility by introducing ARM Docker images alongside the existing x86_64 versions in Docker Hub. This enhancement aligns with our commitment to providing flexible deployment options and supporting a wider range of infrastructure.
You can find ARM images for Nexus Repository version 3.78.0 and later on Docker Hub under sonatype/nexus3.
Improved npm Audit Security with Firewall Integration
This release enhances npm audit command security (for npm version 7 and later) by ensuring full integration with Sonatype Repository Firewall. For deployments using Repository Firewall, all components retrieved during an npm audit using npm version 7 or later are now subject to Firewall checks, providing an added layer of protection.
Sunsetting Log4J Visualizer and Bower Format
The Log4j Visualizer feature has been removed in this release. This early experiment in adding Software Composition Analysis (SCA) capabilities to Nexus Repository is now superseded by more comprehensive features, such as our malware warning banner.
We have also officially sunset Bower format, which was last available in our 3.70.x release line and only supported for OrientDB instances.
For full details on our feature sunsetting process, see our feature sunsetting documentation.
Nexus Repository Core Dependency Updates
This release updates core dependencies, starting with a move from SLF4J 1.7 to SLF4J 2.0 and from Logback 1.2 to Logback 1.5. This upgrade removes a key blocker, paving the way for future updates to other core technologies like Jetty and Keycloak. These upcoming upgrades will unlock new capabilities and performance improvements.
Known Issue
An automatically configured authenticated username and thread name will not be present in the request.log due to removal of a defunct logging library with no immediately available replacement.
We expect to be able to return those fields in the request.log when we migrate to Jetty 12 in a future release.
Breaking Changes with JFrog Artifactory 7.104
JFrog Artifactory 7.104 is the latest version and is incompatible with the Repository Firewall plugin. JFrog Artifactory has introduced a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against.
We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment.
Bug Fixes
Note
Performance Tip - Exclude Nexus Repository Directory from Virus Scans
To optimize startup time, particularly on Windows systems, Sonatype recommends excluding the Nexus Repository directory from virus scans. Scanning every file during application startup can significantly increase the time required for the application to become operational.
Issue ID | Description |
---|---|
NEXUS-46087 | Improved upload performance by preventing excessive asynchronous event queuing, which eliminates latency spikes and ensures background processing remains efficient. |
NEXUS-46004 | Improved npm audit security with Firewall integration. |
NEXUS-45997 | Fixed a NullPointerException that impacted some Helm proxy repositories on Nexus Repository version 3.77.0. |
NEXUS-45925 | The tarball download URLs in npm group repository metadata now match those returned by npm proxy repositories as expected. |
NEXUS-45855 | Made changes to prevent heavy loads from causing browse node event handling to time out. |
NEXUS-45773 | Ensured correct migration of privileges and roles from Nexus Repository 2 to 3 by aligning privilege names and IDs. |
NEXUS-45729 | Maven metadata GET requests to a group repository are no longer much slower than direct requests to member repositories. |
NEXUS-45673 | Corrected P2 proxy repository functionality to allow proxying JAR files that do not have a MANIFEST entry as the first or second JAR entry. |
NEXUS-45639 | Fixed an error preventing blobstore loading during the Repair - Recalculate blob store storage task by correcting a method name case mismatch. |
NEXUS-45432 | Corrected download URLs in npm package metadata for non-scoped, version-specific requests. |
NEXUS-45364 | Enabled configuration of the Apache Velocity parser pool size to prevent resource exhaustion during high-volume PyPI component index requests. |
NEXUS-45139 | Corrected repository root URL HEAD request responses to comply with HTTP/1.1 specifications, ensuring they now return the same status as GET requests. |
NEXUS-44544 | Improved component search results by displaying an empty field instead of the Unix epoch date when the last updated value is null. |
NEXUS-44016 | Corrected npm |
NEXUS-44007 | Resolved Java XML bind warning messages that occurred in some instances when starting Nexus Repository with Java 17. |
NEXUS-43115 | Expanded documentation on installing Sonatype Nexus Repository using the OpenShift operator. |
NEXUS-40991 | Ensured consistent favicon display across all static and dynamic pages in Nexus Repository. |
NEXUS-34688 | Prevented unnecessary load on IQ Server by ensuring the IQ: Audit and Quarantine capability is only configurable for supported repository formats. |
NEXUS-30693 | Improved logging for the Repair - Reconcile component database from blob store task to include the settings used during execution. |