Sonatype Nexus Repository 3.78.0 - 3.78.2 Release Notes
Warning
Sonatype is aware of an issue preventing successful installation of Sonatype Nexus Repository 3.78.2 as a Windows service. If you use Nexus Repository as a Windows service, do not upgrade to 3.78.x. We will release a fix for our Windows users as soon as possible.
Multiple Vulnerabilities Resolved in 3.77.x and 3.78.x
Are you on the latest Nexus Repository version? If not, your deployment could be at risk.
Sonatype has resolved multiple significant vulnerabilities between releases 3.77.0 and 3.78.2, significantly enhancing Nexus Repository security. Here are the details on these security enhancements:
Improved input validation to prevent processing malformed data, reducing the risk of unexpected behavior and potential information leakage. Also improved resource management to prevent uncontrolled resource consumption. (CVE-2024-47554)
Resolved multiple vulnerabilities by removing the Karaf and pax-logging components. This eliminated several vulnerabilities, including those related to improper input validation, information exposure, XML External Entity attacks, uncontrolled resource consumption related to jline, and denial-of-service attacks related to Jackson-core. (Sonatype-2015-0286, Sonatype-2022-6438, CVE-2023-6378, CVE-2023-4218)
Addressed issues related to storing sensitive information in memory, reducing the risk of information exposure through memory analysis.
Made updates to prevent Denial of Service attacks due to uncontrolled resource consumption.
What's New in 3.78.2?
Released March 18, 2025
Sonatype Nexus Repository version 3.78.2 fixes a number of bugs impacting releases 3.78.0 and 3.78.1. Full details are available in the Bug Fixes section.
What's New in 3.78.1?
Released March 7, 2025
Sonatype Nexus Repository version 3.78.1 fixes a number of bugs impacting release 3.78.0. Full details are available in the Bug Fixes section.
This release also reverts our previous Logback upgrade back to version 1.2 and reverts our previous SLF4J upgrade back to version 1.7.
Known Issue Impacting 3.78.1 and 3.78.0
Nexus Repository not using some settings in nexus.vmoptions
Sonatype is aware of an issue where Nexus Repository deployments on versions 3.78.0 and 3.78.1 are not fully using custom data directory settings in nexus.vmoptions. This affects the karaf.data, karaf.log, java.io.tmpdir, and XX:LogFile configurations, forcing the application to use the default ../sonatype-work/nexus3 directory. We will release a fix for this issue as soon as possible.
What's New in 3.78.0?
Released March 4, 2025
Breaking Change for Custom Plugins: Nexus Repository Migrates to Spring Boot Architecture
This release marks a significant shift in Nexus Repository's architecture, migrating from Apache Karaf and OSGi to the Spring Framework. This transition modernizes the underlying technology stack, aligning with industry best practices and enabling future innovation.
Sonatype Nexus Repository is now packaged as a single "uber-jar," simplifying deployment and dependency management. Nexus Repository installers now include ARM-compatible JREs for Unix and macOS platforms in addition to the x86-64 versions. Windows installers will continue to be x86-64 only.
Impact to OSGi Bundle Deployment
Notably, this change also means that custom OSGi bundle deployment is no longer supported. You can learn more in our sunsetting documentation.
Nexus Repository Installer Update: Check Windows Service Configuration
With this release, JReleaser replaces Install4J as our tool for building our macOS, Windows, and Unix installers. Initially, JReleaser focuses on bundling a JRE with the application, maintaining the existing recommendation to use the bundled JRE for all deployments. Future iterations will leverage JReleaser's capabilities to further refine the installer experience and integrate more tightly with our uber-jar packaging.
Please note that our Unix archive now comes bundled with a platform-specific JDK and can no longer be used in a Mac environment.
Important Note for Windows Users
If you configure Windows Service Manager to run Nexus Repository, please review the updated instructions in our installation help docs before upgrading for details, including the commands you will need to use for starting, stopping, and uninstalling the service.
Simplified JDK Upgrades with Nexus Repository Source Code Migration to Java
This release completes the conversion of all Groovy source code to Java within Nexus Repository, both in the core and proprietary components. This migration simplifies maintenance and removes a barrier to upgrading to newer JDK versions. Note that you can still execute Groovy scripts via Task. See our Script API help documentation for more information.
Save on Infrastructure: ARM Docker Images Now Available
This release broadens Sonatype Nexus Repository’s architecture compatibility by introducing ARM Docker images alongside the existing x86_64 versions in Docker Hub. This enhancement aligns with our commitment to providing flexible deployment options and supporting a wider range of infrastructure.
You can find ARM images for Nexus Repository version 3.78.0 and later on Docker Hub under sonatype/nexus3.
Improved npm Audit Security with Firewall Integration
This release enhances npm audit command security (for npm versions 7 and 8) by ensuring full integration with Sonatype Repository Firewall. For deployments using Repository Firewall, all components retrieved during an npm audit using npm version 7 or 8 are subject to Firewall checks, providing an added layer of protection.
Repository Firewall does not yet support package-lock.json file v3; therefore, lock files produced by npm 9 and 10 are not supported.
Sunsetting Log4J Visualizer and Bower Format
The Log4j Visualizer feature has been removed in this release. This early experiment in adding Software Composition Analysis (SCA) capabilities to Nexus Repository is now superseded by more comprehensive features, such as our malware warning banner.
We have also officially sunset Bower format, which was last available in our 3.70.x release line and only supported for OrientDB instances.
For full details on our feature sunsetting process, see our feature sunsetting documentation.
Breaking Changes with JFrog Artifactory 7.104
JFrog Artifactory 7.104 is the latest release and is incompatible with the Repository Firewall plugin. JFrog Artifactory has introduced a newer version of groovy-core that is not backward compatible with the version the Repository Firewall plugin is compiled against.
We recommend not upgrading to Artifactory 7.104 as doing so causes an interruption with the Repository Firewall service and exposes you to malware entering the environment.
Bug Fixes
Note
Performance Tip - Exclude Nexus Repository Directory from Virus Scans
To optimize startup time, particularly on Windows systems, Sonatype recommends excluding the Nexus Repository directory from virus scans. Scanning every file during application startup can significantly increase the time required for the application to become operational.
The table below lists additional bug fixes included in release 3.78.2.
Issue ID | Description |
---|---|
NEXUS-46461 | Sonatype Nexus Repository correctly loads the license file specified by the |
NEXUS-46451 | The startup script for macOS distributions now correctly identifies the embedded JDK home, resolving the previous issue where startup failed due to an incorrect path. |
NEXUS-46408 | Installations set up to use |
NEXUS-46377 | Sonatype Nexus Repository's Windows service installation now explicitly uses the embedded JDK, resolving an issue where the service could incorrectly select a system-installed JDK. |
NEXUS-46370 | Sonatype Nexus Repository's Unix distribution archive now preserves the user and group ownership of unpacked files, resolving an issue where files were incorrectly owned by a specific user ID. |
NEXUS-46362 | Removed unnecessary warning about |
NEXUS-46359 | Sonatype Nexus Repository now respects the |
NEXUS-46318 & NEXUS-46401 | Sonatype Nexus Repository now allows users to specify a custom JVM using the |
The table below lists additional bug fixes included in release 3.78.1.
Issue ID | Description |
---|---|
NEXUS-46354 | Corrected a |
NEXUS-46353 | Nexus Repository Kubernetes deployments now correctly load and persist licenses upon initial installation, resolving a "License is not valid" error that occurred in some deployments. |
NEXUS-46345 | Corrected the URL used to retrieve Composer packages.json metadata. |
NEXUS-46319 | Restored missing Tasks REST API endpoints. |
NEXUS-46313 | Nexus Repository now starts correctly when installed in directories containing spaces. |
NEXUS-46310 | The bin/nexus script now correctly recognizes and applies the |
NEXUS-46168 | Adjusted the Reconciliation task so that it can restore missing properties files in cloud blob stores with date-based layout enabled and volume/chapter folder structure. |
NEXUS-46008 | Restored missing log line fields and daily rotation of the |
The table below lists bug fixes included in release 3.78.0.
Issue ID | Description |
---|---|
NEXUS-46087 | Improved upload performance by preventing excessive asynchronous event queuing, which eliminates latency spikes and ensures background processing remains efficient. |
NEXUS-46004 | Improved npm audit security with Firewall integration. |
NEXUS-45997 | Fixed a NullPointerException that impacted some Helm proxy repositories on Nexus Repository version 3.77.0. |
NEXUS-45925 | The tarball download URLs in npm group repository metadata now match those returned by npm proxy repositories as expected. |
NEXUS-45855 | Made changes to prevent heavy loads from causing browse node event handling to time out. |
NEXUS-45773 | Ensured correct migration of privileges and roles from Nexus Repository 2 to 3 by aligning privilege names and IDs. |
NEXUS-45729 | Maven metadata GET requests to a group repository are no longer much slower than direct requests to member repositories. |
NEXUS-45673 | Corrected P2 proxy repository functionality to allow proxying JAR files that do not have a MANIFEST entry as the first or second JAR entry. |
NEXUS-45639 | Fixed an error preventing blobstore loading during the Repair - Recalculate blob store storage task by correcting a method name case mismatch. |
NEXUS-45432 | Corrected download URLs in npm package metadata for non-scoped, version-specific requests. |
NEXUS-45364 | Enabled configuration of the Apache Velocity parser pool size to prevent resource exhaustion during high-volume PyPi component index requests. |
NEXUS-45139 | Corrected repository root URL HEAD request responses to comply with HTTP/1.1 specifications, ensuring they now return the same status as GET requests. |
NEXUS-44544 | Improved component search results by displaying an empty field instead of the Unix epoch date when the last updated value is null. |
NEXUS-44016 | Corrected npm |
NEXUS-44007 | Resolved Java XML bind warning messages that occurred in some instances when starting Nexus Repository with Java 17. |
NEXUS-43115 | Expanded documentation on installing Sonatype Nexus Repository using the OpenShift operator. |
NEXUS-40991 | Ensured consistent favicon display across all static and dynamic pages in Nexus Repository. |
NEXUS-34688 | Prevented unnecessary load on IQ Server by ensuring the IQ: Audit and Quarantine capability is only configurable for supported repository formats. |
NEXUS-30693 | Improved logging for the Repair - Reconcile component database from blob store task to include the settings used during execution. |