Policy Compliant Component Selection


This feature is only available for npm repositories


The prerequisites for using this feature have changed. 

Enabling this feature without Nexus Repository Manager Pro 3.381+ or IQ Server 134 can cause performance issues. For more information contact Sonatype Technical Support.


In most ecosystems, it is possible to request the latest version or a range of versions for a package in the dependency list. If a dependency accepts multiple versions, Nexus Firewall can audit all versions of the package and quarantine the versions that do not meet your organization's policy standards. Nexus Repository Manager will then provide the most recent policy-compliant version of that package. This makes requesting components more reliable for applications using version ranges or requesting the latest version of a component.
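As an added illustration of the selection behaviour described above (example code written for this page, not Sonatype's implementation of Nexus Firewall or Nexus Repository Manager), the model below takes a requested npm range, the versions a registry offers, and the set of versions Firewall has quarantined, and returns the highest version that satisfies the range without being quarantined. The package names, version lists and quarantine decisions are constructed sample data, and the range parser is a deliberately small subset of npm's semver rules (exact, ^, ~, comparison operators and "*"), so it is an approximation of the real resolver, not a substitute for it.

```javascript
// Added example, not Sonatype code: a simplified model of Policy Compliant
// Component Selection. Only plain x.y.z versions and the common npm range forms
// (exact, ^, ~, >=, >, <=, <, "*", and space-separated AND combinations) are handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of two x.y.z strings (negative, zero, positive).
function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Turn one comparator such as "^1.2.3" into a predicate over a version string.
function comparator(spec) {
  if (spec === '*' || spec === 'latest' || spec === '') return () => true;
  const m = /^(\^|~|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(spec);
  if (!m) throw new Error(`unsupported range: ${spec}`);
  const [, op = '=', base] = m;
  const [maj, min, pat] = parseVersion(base);
  switch (op) {
    case '=':  return v => compare(v, base) === 0;
    case '>':  return v => compare(v, base) > 0;
    case '>=': return v => compare(v, base) >= 0;
    case '<':  return v => compare(v, base) < 0;
    case '<=': return v => compare(v, base) <= 0;
    case '~':  return v => {            // same major.minor, at or above base
      const p = parseVersion(v);
      return p[0] === maj && p[1] === min && compare(v, base) >= 0;
    };
    case '^':  return v => {            // leftmost non-zero component stays fixed
      const p = parseVersion(v);
      if (compare(v, base) < 0) return false;
      if (maj > 0) return p[0] === maj;
      if (min > 0) return p[0] === 0 && p[1] === min;
      return p[0] === 0 && p[1] === 0 && p[2] === pat;
    };
    default:   throw new Error(`unsupported operator: ${op}`);
  }
}

function satisfies(version, range) {
  return range.trim().split(/\s+/).every(part => comparator(part)(version));
}

// The version the repository manager would serve under this model, or null when
// every in-range version is quarantined.
function selectCompliantVersion(range, available, quarantined) {
  const q = new Set(quarantined);
  const candidates = available.filter(v => satisfies(v, range) && !q.has(v));
  if (candidates.length === 0) return null;
  candidates.sort(compare);
  return candidates[candidates.length - 1];
}

// Report per dependency: what was served, what would have been served with no
// quarantine, and whether a newer in-range version was skipped for policy reasons.
function selectionReport(dependencies, registry, quarantined) {
  return Object.entries(dependencies).map(([name, range]) => {
    const versions = registry[name] || [];
    const served = selectCompliantVersion(range, versions, quarantined[name] || []);
    const newest = selectCompliantVersion(range, versions, []);
    return { name, range, served, newest, downgraded: served !== null && served !== newest };
  });
}

// Constructed sample data: package names, versions and quarantine decisions are made up.
const SAMPLE_DEPENDENCIES = { 'example-lib': '^1.2.0', 'other-lib': '~2.0.1', 'pinned-lib': '3.0.0' };
const SAMPLE_REGISTRY = {
  'example-lib': ['1.1.0', '1.2.0', '1.2.1', '1.3.0', '2.0.0'],
  'other-lib':   ['2.0.0', '2.0.1', '2.0.2', '2.1.0'],
  'pinned-lib':  ['2.9.0', '3.0.0'],
};
const SAMPLE_QUARANTINED = { 'example-lib': ['1.3.0'], 'pinned-lib': ['3.0.0'] };

for (const row of selectionReport(SAMPLE_DEPENDENCIES, SAMPLE_REGISTRY, SAMPLE_QUARANTINED)) {
  console.log(row);
}
```

In the sample run, example-lib is served 1.2.1 rather than the quarantined 1.3.0, other-lib gets the newest patch in its tilde range, and pinned-lib resolves to nothing because its only matching version is quarantined; that last case is the one where an install fails outright rather than silently taking an older version.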


To enable Policy Compliant Component Selection:

  1. Navigate to Nexus Repository Manager Pro
  2. Select the Server Administration and Settings Cog
  3. Select Repositories
  4. Select the desired repository
  5. Check Remove Quarantined Versions
  6. Click Save

(Figure: NXRM configuration checkbox)

See this page for more information on the Remove Quarantined Versions option.


This feature runs automatically whenever an application requests components from a quarantine-enabled repository.

Auditing all versions for requested components greatly increases the number of packages checked before downloading. This can increase the dependency install time. 

The list of audited and quarantined components is available in the IQ Server Repository Results screen. See the Reviewing Repository Results page for additional information.

To access results from Nexus Repository Manager Pro: 

  1. Navigate to Nexus Repository Manager Pro
  2. Select Browse from the sidebar
  3. Click the link in the IQ Policy Violations column

To access results from IQ Server:

  1. Navigate to IQ Server
  2. Log in
  3. Select Orgs and Policies from the sidebar
  4. Select Repositories
  5. Click on the desired repository
  6. Select Quarantined 

To see which component versions were installed, along with information about quarantined versions, run npm audit. This will provide a list of all components and identify instances where the latest version was not installed.