2018 Release Notes
Repository Manager 3.14.0
2018-10-12
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.14.0. A summary of the highlights in this release is shown below.
New and Noteworthy
Security Fixes for multiple CVEs
Multiple security vulnerabilities have been corrected in 3.14. For details, please see:
Sonatype recommends that administrators running 3.13 and earlier upgrade immediately.
Cleanup Policies
This release introduces Cleanup Policies, which are intended to eventually become a complete solution for cleaning up old or unwanted components and to replace a number of existing tasks. Briefly, you create a cleanup policy for a format, specifying the criteria for cleanup, then assign the policy to one or more repositories, repeating the create-and-assign steps as many times as needed. Cleanup itself runs automatically as a task on a schedule you determine. This release focused on providing a basic set of actions for all formats.
Tags and Custom Attributes
NEXUS-17694
Tags and Custom Attributes are now in the UI.
Search Improvements
NEXUS-8884, NEXUS-8798, NEXUS-13227, NEXUS-12691
A number of improvements have been made to the search functionality.
Staging: more formats can move and delete
NEXUS-16673, NEXUS-16674
Professional users can now move and delete components in NuGet and YUM hosted repositories.
Maven metadata rebuild task performance improvement
NEXUS-17759
The Maven metadata rebuild task could previously be slow. Its performance has been improved in this release.
Content selector permissions to staging operations
NEXUS-17199
Content selectors can be used to allow staging operations on portions of repositories as opposed to the entire repo or nothing.
General Improvements
Browse Storage
[NEXUS-17690] - Browse Docker Repository causes IllegalArgumentException 'Comparison method violates its general contract'
Repository Health Check
[NEXUS-17741] - Resolve Repository Health Check invalid states post-restart
Upgrade
[NEXUS-17772] - Migration from 2 to 3 leaves low heap memory ERROR in Nexus 3 performance
[NEXUS-17460] - Nexus 2 to 3 upgrade fails with concurrency error in NuGet
Docker
[NEXUS-17548] - Docker proxy repositories auto-block for images that don't exist
UI
[NEXUS-12033] - Add method to configure request timeout via UI
[NEXUS-14593] - Errors reported when accessing UI via index.html
[NEXUS-17259] - NullPointerException and upload hangs using UI to upload a larger file to raw repository
HTML View
[NEXUS-17614] - HTML Browse View Encodes File Paths
NPM
[NEXUS-16312] - Metadata for NPM group considers pre-release version higher than actual version
REST
[NEXUS-17921] - REST API upload that fails due to lack of permissions returns 404 (not found)
NuGet
[NEXUS-17611] - 404s returned for packages containing build-metadata in version
[NEXUS-17712] - Nuget repo unable to proxy packages with 4 digit version
User Token
[NEXUS-17498] - Option to generate URL-safe user tokens for URL based authentication
Security
[NEXUS-10692] - Do not prompt for user credentials for RUT authenticated users
Yum
[NEXUS-17886] - Yum metadata from unrelated folder incorrectly removed when regenerating a folder
Backup
[NEXUS-17233] - Restarting while backup is in progress leaves NXRM as read-only
Repository Manager 3.13.0
2018-07-19
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.13.0. A summary of the highlights in this release is shown below.
New and Noteworthy
Request Log Line Format Change
NEXUS-16903
The default request.log line format has changed to include the request Content-Length header value. External log parsers like Splunk may need adjustment to account for this change.
REST API v1
NEXUS-17633
The REST API has been released under new v1 endpoints (/service/rest/v1/...). While the previous endpoints will remain available (e.g., /service/rest/beta/...) they are subject to change; it is highly recommended to update any integrations to leverage the new endpoint paths.
General Improvements
Scheduled Tasks
[NEXUS-9605] - Task last run and last result not persisted correctly
[NEXUS-13121] - Tasks may appear as 'Starting' or 'Cancelling' indefinitely and cannot be stopped, cancelled, or deleted
[NEXUS-17008] - Task will never run again if its previous run time passes its next scheduled start time
[NEXUS-17262] - Removing repository does not remove tasks specific to the removed repository
Yum
[NEXUS-16545] - Yum Metadata Generation performance improvements
HA
[NEXUS-17440] - "Unable to detect which node you are currently connected to" warning can appear in non-clustered instance
Maven Repository
[NEXUS-16430] - Connection reset when uploading large file using Apache Ivy
Upgrade
[NEXUS-17455] - Last-Modified not returned in header for migrated RAW artifacts
[NEXUS-16985] - Nexus 2 to 3 migration fails if there are staging build promotion repositories
NPM
[NEXUS-15714] - Continue to serve locally cached proxied npm packages that are unpublished on the remote
NuGet
[NEXUS-16476] - Do not change NuGet API key when a user's password is changed
Rubygems
[NEXUS-16461] - New rubygems dependency files are cached in blob storage every time Nexus requests them from a proxy repository remote
Security
[NEXUS-17231] - User role mappings will match user IDs case insensitively for LDAP, Crowd, and default authentication realms
Yum
[NEXUS-16409] - Support HTTP DELETE requests on RPMs to a Yum hosted repository
Repository Manager 3.12.1
6/11/2018
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.12.1. This is a patch release fixing a single urgent bug noted below.
Upload UI
[NEXUS-17287] - Maven UI/REST API upload results in empty pom
Repository Manager 3.12.0
5/22/2018
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.12.0. A summary of the highlights in this release is shown below.
Warning
Version 3.12.0 has a critical bug regarding the Maven Upload UI/REST endpoint. When uploading a POM file (and not having it autogenerated), empty content is stored for the file. If you are using Maven repositories and plan on uploading files through the UI or REST interface, it is HIGHLY recommended to not use this version, rather use version 3.12.1 (or newer) where the issue is resolved.
New and Noteworthy
Built-in S3 Blobstore support
NEXUS-11409
We've taken the popular S3 Blobstore Plugin and are now including it with OSS and PRO distributions.
General Improvements
Security
[NEXUS-16980] - User tokens cannot be retrieved by users who have "nx-usertoken-current" privilege
Upload UI
[NEXUS-16740] - Upload interface doesn't update or create metadata after upload file
REST
[NEXUS-16225] - Swagger UI caching causing load problems on upgrade
NPM
[NEXUS-11139] - ConcurrentModificationException when deleting NPM resource
Docker
[NEXUS-15582] - docker proxy repository does not work for container-registry.oracle.com
[NEXUS-16718] - "scope" authentication errors when connecting to registry.connect.redhat.com
[NEXUS-16992] - 403 forbidden when a proxy repository authenticates to private docker registry in gitlab
Repository Manager 3.11.0
5/1/2018
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.11.0. A summary of the highlights in this release is shown below.
New and Noteworthy
Restore Directory Location Changed
NEXUS-14493
We found that the old database restore location ($data-dir/backup) was causing confusion. The location has been changed: as of the 3.11.0 release, database backups should be placed in $data-dir/restore-from-backup for restoration.
Yum Group
NEXUS-12331
This release includes the ability to create Yum Group repositories.
Staging via REST API
NEXUS-11446
Nexus Repository Manager PRO customers are now able to utilise REST API endpoints for staging requirements into their CI/CD pipeline. The REST API exposes tag, move and delete endpoints to accomplish this.
Upload UI
PRO customers now have the ability to tag components while uploading them through the UI.
General Improvements
Security
[NEXUS-16227] - Roles are cleaned up when an associated repository has been deleted
UI
[NEXUS-16387] - Rebuild of browse nodes is only performed on available repositories
[NEXUS-16584] - Fix to uploading large artifacts
Maven
[NEXUS-16393] - Correctly merge non-timestamped maven-metadata.xml files
[NEXUS-16539] - 401 responses now engage auto-blocking
Docker
[NEXUS-16753] - Connection pool leak when docker hub proxy repository receives 401 responses from auth.docker.io
[NEXUS-16757] - Ensures deletion of incomplete upload task
HA-C
[NEXUS-16561] - Some database backups were prevented
Repository Manager 3.10.0
4/5/2018
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.10.0. A summary of the highlights in this release is shown below.
New and Noteworthy
Component Tagging and Custom Attributes
This release includes a preview of our REST endpoints for component tagging (NXRM Pro only), which allows NXRM users to search for components and tag them, creating arbitrary collections of components. Tags also support custom attributes, which makes it possible to attach user-supplied information to tagged components.
In an upcoming release, it will be possible to tag components as they are uploaded to NXRM, making it possible to identify collections of components as a 'build'. This will form the basis of our upcoming staging features.
Hosted NuGet Queries Now Return Supported Frameworks
NEXUS-14839
Hosted NuGet queries will now return supported frameworks that don't have listed dependencies - previously frameworks without dependencies were incorrectly ignored.
This fix applies to all new packages that are deployed. If you have existing packages that are affected and can't redeploy them, this script (NEXUS-14839-fixNugetDependencies.groovy) will need to be run once to successful completion on version 3.10.0 or greater.
Docker Push of Multilayer Images Now Works in HA-C
NEXUS-15722
Docker push of images containing multiple layers to an NXRM HA cluster running behind a load balancer is now properly handled.
General Improvements
LDAP
[NEXUS-15816] - Paged results sets can now be disabled in LDAP searches
NuGet
[NEXUS-10030] - Pre-released NuGet packages are now identified by their version string to workaround a NuGet bug
REST
[NEXUS-16425] - Download endpoint now only returns the jar file if Maven classifier parameter is set
Security,UI
[NEXUS-16248] - Roles with circular references can no longer be created
Tree View
[NEXUS-16470] - User-supplied filters are now properly escaped and sanitized
Upload UI
[NEXUS-16454] - Raw repository upload now works in IE11
[NEXUS-16503] - Artifacts can now be uploaded to the root of a Raw repository
Yum
[NEXUS-15745] - Yum proxy is now able to remove absolute URLs for metadata files that aren't at the root of a repository
Repository Manager 3.9.0
2/28/2018
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.9.0. A summary of the highlights in this release is shown below.
New and Noteworthy
Upload components to a repository from the UI
NEXUS-10121
This is the new and improved version of the upload feature that exists in Nexus Repository 2. For Nexus Repository 3, we support uploads to hosted Maven, Raw, npm, PyPI, NuGet, and RubyGems repositories.
Nexus Firewall now supported on OSS
NEXUS-16155
This release makes it possible to use Nexus Firewall with Nexus Repository OSS, for those who want the ability to block bad components from entering their repositories, but don’t necessarily need the full set of capabilities in Nexus Repository Pro.
Yum Proxy and Hosted support conditional GET
NEXUS-15815, NEXUS-16066
When a request is made to either a hosted or proxy Yum repository, Nexus will respond properly when an If-Modified-Since header is present.
Remove support for the non-gzipped specs 4.8 from Rubygems
NEXUS-14885
The public RubyGems repository has removed support for the uncompressed specs.4.8 index file and this ticket removes it from NXRM.
Anyone running a Rubygems client earlier than 1.8 will have to update when upgrading to the latest version of NXRM.
If you have any third-party tools that access the specs.4.8 endpoint directly, they will receive a 404. They should be redirected to the specs.4.8.gz endpoint instead.
Example old endpoint = http://localhost:8080/repository/ruby-hosted/specs.4.8
Example new endpoint = http://localhost:8080/repository/ruby-hosted/specs.4.8.gz
General Improvements
NPM
[NEXUS-10255] NPM proxy failed with 404 for requests with version specified
Repository Health Check,Upgrade
[NEXUS-15746] Health check config database upgrade sometimes fails
Yum
[NEXUS-15795] Yum hosted caches 404 responses for files unnecessarily due to negative cache handler
Tasks
[NEXUS-15461] Allow more tasks to be canceled
Repository Manager 3.8.0
02/05/2018
Sonatype is pleased to announce the immediate availability of Nexus Repository 3.8.0. A summary of the highlights in this release is shown below.
Multiple XSS Vulnerabilities
Multiple XSS vulnerabilities have been discovered in Nexus Repository 3.x up to and including version 3.7.1. We recommend upgrading to 3.8.0 or later immediately. See our support knowledge base article for more information.
Yum Hosted
NEXUS-10191
Following our initial support for Yum Proxy, released in version 3.5.0, we are now continuing with Yum Hosted. This new feature is no longer built on top of Maven and no longer dependent on the external createrepo program. Yum hosting is now platform independent. Yum group repositories and support for upgrading 2.x Yum repositories to 3.x will be included in future releases.
Use a permissive Deploy Policy if you're using Maven to deploy RPMs to Yum Hosted.
REST API deprecating /siesta
NEXUS-14940
We have removed "/siesta/" from all of our REST endpoints, so you'll need to update your integrations. For example, the "/service/siesta/rest/v1/script" endpoint has been moved to "/service/rest/v1/script".
Upgrading from 3.x
This version upgrades Eclipse Jetty from 9.3.x to 9.4.x. This upgrade required a line to be removed from the shipped <install-dir>/etc/jetty/jetty-http.xml and <install-dir>/etc/jetty/jetty-https.xml as compared to previous versions.
Startup will fail if you try to use a jetty configuration file from a previous version that contains the following line:
line that will fail startup if present in jetty-http.xml or jetty-https.xml
<Set name="selectorPriorityDelta"><Property name="jetty.http.selectorPriorityDelta" default="0"/></Set>
This highlights why it is important to always compare install files you previously modified on upgrade as recommended by our upgrade instructions.
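A pre-upgrade check for the situation described above, as an added example that is not part of the original release notes or Sonatype's tooling. The function names and the abbreviated sample files are constructed for illustration; pass the directory holding your previously modified jetty-http.xml and jetty-https.xml as the argument.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the Jetty 9.4.x change in 3.8.0.

# stale_jetty_configs DIR
# Prints each jetty-http.xml / jetty-https.xml in DIR that still sets
# selectorPriorityDelta; exit status is 1 if any were found, else 0.
stale_jetty_configs() {
    dir=$1
    found=0
    for name in jetty-http.xml jetty-https.xml; do
        file="$dir/$name"
        [ -f "$file" ] || continue
        # Match the Set name, not the whole line, so re-indented or
        # re-wrapped copies of the setting are still caught.
        if grep -q '<Set name="selectorPriorityDelta">' "$file"; then
            printf '%s\n' "$file"
            found=1
        fi
    done
    return "$found"
}

# write_sample_configs DIR
# Constructed, abbreviated sample files: jetty-http.xml carries the line
# quoted in the release notes, jetty-https.xml does not.
write_sample_configs() {
    cat > "$1/jetty-http.xml" <<'EOF'
<Configure>
  <Set name="selectorPriorityDelta"><Property name="jetty.http.selectorPriorityDelta" default="0"/></Set>
</Configure>
EOF
    cat > "$1/jetty-https.xml" <<'EOF'
<Configure>
</Configure>
EOF
}

# With a directory argument, check it; with none, run on the samples.
if [ "$#" -gt 0 ]; then
    stale_jetty_configs "$1"
else
    demo_dir=$(mktemp -d)
    write_sample_configs "$demo_dir"
    stale_jetty_configs "$demo_dir" || echo "remove selectorPriorityDelta before starting 3.8.0"
    rm -rf "$demo_dir"
fi
```

A non-zero exit status means at least one carried-over file would stop 3.8.0 from starting, which makes the check usable as a gate in an upgrade script.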
Upgrading from 2.x
If you’re upgrading from Nexus Repository 2, you must first upgrade your installation to 2.14.6.
General Improvements
Blobstore,UI
[NEXUS-15467] - Make blob store type field not editable
Bootstrap
[NEXUS-14956] - Upgrade to Eclipse Jetty 9.4.x
Bower,Security
[NEXUS-12452] - Bower install no longer fails when user has only group level privileges
Content Selectors,Tree View
[NEXUS-15545] - Tree view now works properly with content selectors
Fabric
[NEXUS-14969] - HA-C nodes now properly rejoin their cluster after cluster shutdown
[NEXUS-15084] - HA-C properly syncs user accounts between nodes
LDAP
[NEXUS-15147] - Prevent ConcurrentModificationException when editing multiple user roles
Logging
[NEXUS-15364] - Logging from different task threads may log to the same task log if tasks are started within the same second
Maven
[NEXUS-12482] - Inconsistent behaviour with upload to snapshot repository fixed
NPM
[NEXUS-15282] - NPM allows redeploys despite Deploy Policy
[NEXUS-15425] - Assets now properly updated when a npm package is republished
Outreach
[NEXUS-15466] - Welcome screen content is now displayed for administrators who are mapped in via LDAP group
REST
[NEXUS-15202] - Take classifier into account when downloading a jar through the REST endpoint /rest/beta/search/assets/download
[NEXUS-15088] - Incorrect error response code 406 for bad ID in DELETE /component
[NEXUS-15089] - Error response code 204 not listed in REST API codes for component and asset delete
Yum
[NEXUS-15131] - Component naming for Yum Proxy now matches RPM header