Release Notes

Security Fix

A critical security vulnerability has been found in 3.26.1 and earlier. For details, please see CVE-2020-13933.

Sonatype recommends that administrators upgrade to 3.27.0 or newer immediately.

Nexus Repository Manager 3.32.0

2021-07-08

These notes are a compilation of the improvements and significant bug fixes for Nexus Repository Manager 3.32.0.

See the complete release notes for all resolved issues.

New and Noteworthy

Replication (Product Preview)

NEXUS-28203 

PRO We are releasing a product preview version of repository replication to those Nexus Repository Pro customers who have signed up for our Product Preview program.

Repository replication allows you to copy content from a source repository and publish it to a target repository where users can access the replicated artifacts. 

Replication is still in product preview and should only be used in non-production environments at this time.

General Improvements

Bug Fixes

  • [NEXUS-27753] - The latest package version doesn't change in package root after component deleting
  • [NEXUS-27469] - Using AzureBlobStore causes docker image upload failure with 'digest invalid' error
  • [NEXUS-28247] - Docker GC Task incorrectly removing manifests and layers

Nexus Repository Manager 3.31.1

2021-06-23

Known Docker issue

If you installed this version and utilize the Docker - Delete unused manifests and images task, this message is critical.

A bug in this Nexus Repository version can cause loss of some Docker data when running the Docker - Delete unused manifests and images task. We recommend disabling this task immediately to avoid data loss. If this is not possible for your organization, we recommend not updating to this version. For more information, see NEXUS-28247.

NEXUS-28078

Docker - Delete unused manifests and images task may delete referenced layers if the database query to select components encounters limits

Nexus Repository Manager 3.31.0

Includes a security fix for an Information Disclosure CVE. See the CVE-2021-34553 advisory for details.

Sonatype recommends that administrators running Nexus Repository Manager 3.30.1 and earlier upgrade immediately.

2021-06-16

These notes are a compilation of new features and significant bug fixes for Nexus Repository Manager 3.31.0.

Known Docker issue

If you installed this version and utilize the Docker - Delete unused manifests and images task, this message is critical.

A bug in this Nexus Repository version can cause loss of some Docker data when running the Docker - Delete unused manifests and images task. We recommend disabling this task immediately to avoid data loss. If this is not possible for your organization, we recommend not updating to this version. For more information, see NEXUS-28247.

See the complete release notes for all resolved issues.

New and Noteworthy

Database Externalization

This release adds important new database options. Nexus Repository Pro can now use an externalized PostgreSQL database instead of the embedded OrientDB. This means you can use highly available, cloud-provided databases like Amazon Aurora for improved resiliency and ease of operation. 

This feature is fully supported for general use. This initial release supports a subset of formats: Maven, Docker, NuGet V3, PyPI, Helm, Raw, and Yum. Over the next few versions, we will continue to add support for other formats along with new reference architectures to help you make full use of these new database options.

General Improvements

  • [NEXUS-26931] Added UI validation to ensure container name is all lower case alphanumeric.
  • [NEXUS-27683] StorageFacetCleanupTaskManager should remove & schedule task.
  • [NEXUS-20252] Support Staging with PyPI format.
  • [NEXUS-24311] Added hardlinks to import/export.
  • [NEXUS-27953] Upgrade Eclipse Jetty to 9.4.42.v20210604.

Bug Fixes

Docker

  • [NEXUS-26732] - Race Condition in Docker format can cause assets to be mistakenly deleted.
  • [NEXUS-26938] - Use HEAD request to determine whether remote content has changed instead of conditional GET to avoid hitting DockerHub rate limit prematurely.
  • [NEXUS-27014] - Cleanup policies and tasks do not fully consider Docker layers can be referenced by manifests in other repositories.
  • [NEXUS-26737] - Deleting manifest with Docker API does not delete all tags.

Maven

  • [NEXUS-27015] - IllegalArgumentException on Publish Maven Index task.

npm

  • [NEXUS-26177] - Deleting an npm repository or invalidating the cache breaks npm audit.
  • [NEXUS-26971] - Incorrect results can be returned when using npm show with group repositories.
  • [NEXUS-27436] - npm metadata rebuild failing due to NPE.

NuGet

  • [NEXUS-26312] - "Last downloaded" not updating consistently in NuGet.
  • [NEXUS-27427] - Blank values for NuGet attributes.

PyPI

  • [NEXUS-27614] - PyPI can swallow errors when the simple index is being re-written.

Yum, S3

  • [NEXUS-27564] - Yum Group repomd.xml merge connection pool exhaustion causes problems.
  • [NEXUS-27563] - S3 connection pool exhaustion when merging repomd.xml in group repositories.

Nexus Repository Manager 3.30.1

Includes a security fix for an Information Disclosure CVE. See the CVE-2021-30635 advisory for details.
Includes a security fix for an XSS vulnerability. See the CVE-2021-29159 advisory for details.
Includes a security fix for a Sensitive Information Disclosure CVE. See the CVE-2021-29158 advisory for details.

Sonatype recommends that administrators running Nexus Repository Manager 3.30.0 and earlier upgrade immediately.

2021-04-22

These notes are a compilation of the improvements and significant bug fixes for Nexus Repository Manager 3.30.1.

Known Docker issue

If you installed this version and utilize the Docker - Delete unused manifests and images task, this message is critical.

A bug in this Nexus Repository version can cause loss of some Docker data when running the Docker - Delete unused manifests and images task. We recommend disabling this task immediately to avoid data loss. If this is not possible for your organization, we recommend not updating to this version. For more information, see NEXUS-28247.

See the complete release notes for all resolved issues.

General Improvements

  • [NEXUS-27384] Upgrade Eclipse Jetty to 9.4.40.v20210413

Bug Fixes

Maven

  • [NEXUS-26789] Performance improvement to rebuilding GA maven-metadata.xml

NuGet V3

  • [NEXUS-26501] Package content is out of specification when downloading from NuGet hosted

Raw

  • [NEXUS-27013] Raw proxy is encoding slashes for outbound requests
  • [NEXUS-26855] Non-indexed raw proxy repositories cannot be browsed

Nexus Repository Manager 3.30.0

2021-03-04

Known Docker issue

If you installed this version and utilize the Docker - Delete unused manifests and images task, this message is critical.

A bug in this Nexus Repository version can cause loss of some Docker data when running the Docker - Delete unused manifests and images task. We recommend disabling this task immediately to avoid data loss. If this is not possible for your organization, we recommend not updating to this version. For more information, see NEXUS-28247.

See the complete release notes for all resolved issues.

New and Noteworthy

Azure Blob Store Support

NEXUS-24446

PRO Nexus Repository Manager now includes the ability to create blobstores backed by Microsoft's Azure Blob storage.

Protection Against Namespace Confusion

Users of Sonatype's Nexus Firewall can indicate which repositories include proprietary content. When combined with a new policy condition in Nexus IQ, this can help prevent namespace attacks by quarantining external packages that use the same name as your proprietary internal components. For more details, check out our demo video.

GPG for Yum Repositories

Yum repositories can be configured with GPG support for binary signing.

Logjam Attack Prevention

NEXUS-25909

To protect against Logjam attacks, Nexus Repository Manager now enforces a minimum of 2048-bit keys.

Bug Fixes

NEXUS-26606 - Upgraded Jetty to 9.4.38.v20210224

NEXUS-23750 - Added support for Github's npm repositories

NEXUS-12022 - Allow configuring HTTPS Maven proxy repositories with pre-emptive authentication

Nexus Repository Manager 3.29.2

2021-01-06

If you installed 3.29.1 and modified or created a cleanup policy, the following is critical.

A bug in the implementation of the new user interface for Cleanup Policies resulted in a value displayed as days being interpreted as seconds. If you created or modified a cleanup policy while using 3.29.1, you must confirm after updating that these fields have the intended values.

Bug Fix

NEXUS-26251 - Interface for Cleanup Policies erroneously interprets and persists values as seconds instead of days
