Sonatype Nexus Repository 3.83.0 Release Notes

Released August 12, 2025

What’s New and Noteworthy in This Release?

Prevent Risky Containers from Entering Your Organization with Repository Firewall

You can now extend Sonatype Repository Firewall’s automatic policy enforcement to containerized applications, enabling your team to block non-compliant or vulnerable Docker images before they enter your development environments.

Repository Firewall analyzes Docker images as they are requested through a protected proxy repository. Images that violate your defined policies are automatically quarantined, ensuring developers and deployment pipelines only use trusted containers. Violations are reported in a new Containers dashboard that also provides clear insights into which components within a container triggered enforcement.

You can also apply waivers to container-level violations directly from the container report or via the new Container Waivers API, streamlining security review and enabling critical images to proceed when necessary.

This functionality supports Docker Schema 2 (both single and multi-architecture) images from any container registry proxied by Sonatype Nexus Repository. To optimize performance, local disk storage is recommended for temporary container analysis. Note that Sonatype does not ingest or retain container data during analysis.

For full configuration instructions, supported formats, and usage details, see the Repository Firewall for Docker help documentation.

Improved Security Options for Password Hashing and Secrets Encryption

You can now customize Sonatype Nexus Repository’s password hashing algorithm to best align with your organization’s security standards. Supported options include SHA-512 (default), PBKDF2WithHmacSHA256, and PBKDF2WithHmacSHA1. This enhancement allows for greater flexibility and alignment with modern security policies.

Additionally, secrets encryption now supports both PBKDF2WithHmacSHA256 and PBKDF2WithHmacSHA1 (default), offering improved configurability for securing sensitive data within the system.

Streamlined Recovery with New Verify and Repair Data Consistency Task

A new Verify and Repair Data Consistency task is now available in Sonatype Nexus Repository to improve the recovery experience when the database and blob stores become out of sync. This task replaces the legacy Repair - Reconcile component database from blob store task and offers faster performance, enhanced precision, and greater flexibility.

Use this task to recover missing component metadata for artifacts that exist in storage but are no longer referenced in the database. This scenario may occur when restoring from backups or during failover events where the database and storage were finalized at different points in time. You can also restore soft-deleted artifacts before they're permanently removed from blob storage.

Administrators can scope the task by blob store, repository, and time window. A Dry Run option is also available so that you can preview changes before executing them, allowing for safer and more controlled recovery workflows.

For implementation details and API usage, see the Verify and Repair Data Consistency task help documentation.

Note that any scheduled Repair - Reconcile component database from blob store tasks will be automatically removed during the upgrade to Nexus Repository 3.83.0 and later. This is to prevent errors since the legacy task is not compatible with a date-based blob store layout, which Nexus Repository now uses by default.

New Documentation: Cross-Region Disaster Recovery for Enterprise Deployments

New Cross-Region Disaster Recovery documentation is now available to help administrators configure their Sonatype Nexus Repository high availability (HA) deployments to support cross-region disaster recovery in AWS. This approach is designed for enterprise-scale deployments that require minimal downtime and protection against regional cloud outages.

The documentation outlines how to use Amazon RDS and S3 with cross-region replication to enable automatic backup, rapid failover, and zero-loss failback. With this configuration, deployments can achieve a 15-minute Recovery Point Objective (RPO) for blob stores, a 5-minute RPO for the database, and a 1-hour Recovery Time Objective (RTO). It also includes steps for auditing asset loss, verifying data consistency, and synchronizing changes made during failover.

Bug Fixes

| Issue ID | Description |
| --- | --- |
| NEXUS-48217 | This release replaces the Repair - reconcile component database from blob store task with a new Verify and Repair Data Consistency task. |
| NEXUS-47958 | Routing rules created via the REST API that include non-alphanumeric characters in their names now correctly load in the UI when selected. |
| NEXUS-47563 & NEXUS-47159 | Cleanup policies using asset matchers with the option to retain a select number of versions now correctly identify and retain the expected number of Maven assets. The CSV preview and cleanup task execution now return accurate results when used with PostgreSQL-backed repositories. |
| NEXUS-47553 | Cleanup policies using the Component age criteria now correctly remove eligible components when applied to repositories backed by an H2 database. |
| NEXUS-46937 | Startup failures related to the FileBlobStoreMetricsMigrationStep after migrating from H2 to PostgreSQL no longer occur. The Flyway migration state is now correctly reloaded, ensuring the system accurately reflects migration progress and can start reliably after the initial post-migration launch. |
| NEXUS-46388 | Simultaneous requests for the same asset sent to different nodes in a High Availability (HA) Nexus Repository cluster no longer result in 500 errors. Blob property file access is now handled safely across nodes, ensuring reliable asset downloads under concurrent access. |
| NEXUS-46385 | Updated Docker Hub credentials for proxy repositories now take effect as expected without requiring a server restart. |
| NEXUS-46136 & NEXUS-45942 | Docker login requests through reverse proxies that include a port in the X-Forwarded-Host header no longer result in malformed authentication redirects with duplicated port values. Nexus Repository now correctly parses forwarded host headers, ensuring compatibility with standard reverse proxy configurations such as Apache HTTPd. |
| NEXUS-45843 | Upgrades from earlier versions of Nexus Repository no longer fail when NuGet proxy repositories are missing the nugetVersion attribute. The migration logic now safely defaults to expected values, allowing startup to complete without manual intervention. |
| NEXUS-45369 | Made improvements to prevent startup failures caused by the FileBlobStoreMetricsMigrationStep when migrating from OrientDB to PostgreSQL. |
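
The duplicated-port symptom described for NEXUS-46136 & NEXUS-45942 can be reproduced and avoided as in the following sketch. It is an added example, not Nexus Repository's code: the function names, the `registry.example.com` host, the rule that a port inside X-Forwarded-Host takes precedence over X-Forwarded-Port, and the choice to use the first entry of a multi-valued header are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_base_url(scheme, fwd_host, fwd_port):
    # Symptom from the release note: the header is treated as a bare host name,
    # so a port that is already part of it gets appended a second time.
    return f"{scheme}://{fwd_host}:{fwd_port}"


def split_host_port(header_value):
    """Split an X-Forwarded-Host value into (host, port or None)."""
    # Chained proxies append entries; assume the first one is the client-facing host.
    first = header_value.split(",")[0].strip()
    parts = urlsplit("//" + first)  # parses "host", "host:port" and "[v6]:port"
    if not parts.hostname or parts.path or parts.query or parts.fragment or "@" in first:
        raise ValueError(f"unusable X-Forwarded-Host: {header_value!r}")
    return parts.hostname, parts.port  # .port raises ValueError if not 0-65535


def base_url(scheme, fwd_host, fwd_port=None):
    """Build the external base URL for a redirect, with the port emitted at most once."""
    host, port = split_host_port(fwd_host)
    if port is None and fwd_port:
        port = int(fwd_port)  # assumption: a port in the host header wins
    if ":" in host:
        host = f"[{host}]"  # urlsplit strips IPv6 brackets; restore them
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


if __name__ == "__main__":
    # Constructed header values, not taken from a real deployment.
    print(naive_base_url("https", "registry.example.com:8443", "8443"))
    print(base_url("https", "registry.example.com:8443", "8443"))
    print(base_url("http", "[2001:db8::1]:5000"))
```

Header values containing a path, query, fragment or userinfo are rejected rather than passed into the redirect target.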