Policy Compliant Component Selection
This feature is only available for npm repositories
The prerequisites for using this feature have changed.
- IQ Server version 134+
- Nexus Repository Pro 3.38.1+
- An npm repository
- Firewall License
Enabling this feature without Nexus Repository Pro 3.381+ or IQ Server 134 can cause performance issues. For more information contact Sonatype Technical Support.
In npm, you can request the latest version of a package or allow a range of versions in your
package.json . Blindly requesting the latest version can introduce malware, compatibility issues, and other problems to your project. Policy Compliant Component Selection is a feature in Nexus Firewall that audits all allowable versions of a dependency and delivers the most recent policy compliant version of each dependency. This makes requesting components from a Firewall protected repository safer and more reliable.
Policy Compliant Component Selection assesses each component for policy compliance. If a policy compliant dependency component has a transitive dependency with no compliant version, Nexus Firewall will not reassess your dependency to find a version where all dependencies adhere to your policies. In this instance you will receive a component not found error for the transitive dependency.
This feature also only assess versions allowable in your
package.json . Here are some common examples:
latest - Firewall will deliver most recent policy compliant version.
^1.0.0 - Firewall will deliver the most recent policy compliant version for major release 1
2.3.1 - 2.0.2 - Firewall will deliver the most recent policy compliant version between version 2.3.1 and 2.0.2.
To enable Policy Compliant Component Selection:
- Navigate to Nexus Repository Pro
- Select the Server Administration and Settings Cog
- Select Repositories
- Select the desired repository
- Check Remove Quarantined Versions
- Click Save
See this page for more information on the Remove Quarantined Versions option.
Configure Cache Settings
Performance for Policy Compliant Component Selection can be improved by reducing the Nexus Repository cache refresh to one hour. Here's how to set the cache:
- Navigate to the
sonatype-workdirectory for your instance of Nexus Repository.
- Locate the
nexus.propertiesfile in the
- Open the
nexus.propertiesfile with a text editor or IDE.
Add the following line to the file:
If the configuration option already exists, change the value to 1. This will set the cache duration to one hour.
- Save your changes.
This feature runs automatically when you request dependencies from a quarantine-enabled proxy repository. For example, when you run
npm install .
Firewall will then deliver policy compliant dependencies within the allowable version range. If there is no policy compliant version available for a component you will receive a
component not found error.
Components quarantined by this feature are not downloaded to your repository.
Auditing all versions for requested components greatly increases the number of packages checked before downloading. This can increase the dependency install time.