Sonatype Nexus Repository 3.84.0 Release Notes
Released September 9, 2025
What’s New and Noteworthy in This Release?
Support for OCI Image Manifest Specification and RPM Packages in Container Scanning
Sonatype Repository Firewall now supports container images that use the OCI Image Manifest Specification and Linux distributions that use the RPM package format. This enhancement extends compatibility beyond existing support for Docker Manifest List Schema V2.
With this update, customers scanning container images can expect consistent analysis across OCI-compliant manifests and improved visibility into vulnerabilities and license risks within RPM-based layers.
For more information, see the Firewall for Docker help documentation.
Improved Stability for Concurrent Requests in Highly Available Deployments
This release enhances Sonatype Nexus Repository high availability (HA) deployment stability by improving how the system handles simultaneous requests for the same asset across multiple nodes. Nexus Repository can now better manage transient read failures when accessing blob attributes, reducing the likelihood of request failures during periods of high concurrency.
Customers running HA deployments will see more consistent performance and fewer interruptions when multiple users or systems request the same file at the same time.
Updated Task Names for Data Repair Consistency
To align with standard task naming conventions in Sonatype Nexus Repository, we have updated the names of two recently introduced tasks:
Verify and Repair Data Consistency is now Repair - Data Repair Plan
Execute Plan Data Repair is now Repair - Execute Data Repair Plan
These changes do not affect task functionality and only bring the naming into better alignment with our task naming conventions.
Dependency Updates
This release includes the following dependency updates:
tika-core version upgraded from 1.28.4 to 3.2.2
bouncycastle version upgraded from 1.78.1 to 1.81
azure-identity version upgraded from 1.16.2 to 1.17.0
Bug Fixes
Issue ID | Description |
|---|---|
NEXUS-29075 | Components can be downloaded as expected through a proxy repository in audit mode even when Sonatype Lifecycle is unreachable. |
NEXUS-44970 | Docker-specific attributes are now reliably saved during Docker asset creation. |
NEXUS-45134 | The Docker Garbage Collection task now skips and removes invalid BLOB assets missing a |
NEXUS-46276 | The Tasks API now accepts "*" as a valid value for |
NEXUS-46450 | Cargo proxy repositories can now be successfully chained. |
NEXUS-46734 | The startup script now uses POSIX-compliant |
NEXUS-47252 | Uploads to instances migrated from H2 now complete successfully without duplicate key errors during blob operations. |
NEXUS-47788 | Users assigned repository-specific admin privileges can now access and manage the configuration page for their assigned repositories as expected. |
NEXUS-48149 | Docker proxy repositories now correctly handle manifests retrieved via pre-signed URLs. |
NEXUS-48177 | Cleanup policies using the Asset Name Matcher criteria now function correctly for npm hosted repositories when using the H2 database. |
NEXUS-48396 | Removed the |
NEXUS-48422 | Docker Firewall scanning now safely handles null values in image metadata. |
NEXUS-48568 & NEXUS-48200 | The Capabilities API now returns the expected responses and appears correctly in the UI. |
NEXUS-48602 | The internal cleanup task for node heartbeat data no longer fails due to a |