2018 Release Notes

Repository Manager 3.12.0

5/22/2018

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.12.0. A summary of the highlights in this release is shown below.

See the complete release notes for all resolved issues.

New and Noteworthy

Built-in S3 Blobstore support

NEXUS-11409

We've taken the popular S3 Blobstore Plugin and are now including it with OSS and PRO distributions.

General Improvements

Security

  • [NEXUS-16980] - User tokens cannot be retrieved by users who have "nx-usertoken-current" privilege

Upload UI

  • [NEXUS-16740] - Upload interface doesn't update or create metadata after upload file

REST

  • [NEXUS-16225] - Swagger UI caching causing load problems on upgrade

NPM

  • [NEXUS-11139] - ConcurrentModificationException when deleting NPM resource

Docker

  • [NEXUS-15582] - docker proxy repository does not work for container-registry.oracle.com
  • [NEXUS-16718] - "scope" authentication errors when connecting to registry.connect.redhat.com
  • [NEXUS-16992] - 403 forbidden when a proxy repository authenticates to private docker registry in gitlab

Repository Manager 3.11.0

5/1/2018

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.11.0. A summary of the highlights in this release is shown below.

See the complete release notes for all resolved issues.

New and Noteworthy

Restore Directory Location Changed

NEXUS-14493

We found that the old database restore location ($data-dir/backup) was causing confusion. The location has been changed: as of the 3.11.0 release, database backups should be placed in $data-dir/restore-from-backup for restoration.

Yum Group

NEXUS-12331

This release includes the ability to create Yum Group repositories. See the documentation for further information.

Staging via REST API

NEXUS-11446

Nexus Repository Manager PRO customers are now able to use REST API endpoints to build staging into their CI/CD pipelines. The REST API exposes tag, move and delete endpoints to accomplish this. See the documentation for further information.

Upload UI

PRO customers now have the ability to tag components while uploading them through the UI.

General Improvements

Security

  • [NEXUS-16227] - Roles are cleaned up when an associated repository has been deleted

UI

  • [NEXUS-16387] - Rebuild of browse nodes is only performed on available repositories
  • [NEXUS-16584] - Fix to uploading large artifacts

Maven

  • [NEXUS-16393] - Correctly merge non-timestamped maven-metadata.xml files
  • [NEXUS-16539] - 401 responses now engage auto-blocking

Docker

  • [NEXUS-16753] - Fix to the connection pool when 401 responses are received
  • [NEXUS-16757] - Ensures deletion of incomplete upload task

HA-C

Repository Manager 3.10.0

4/5/2018

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.10.0. A summary of the highlights in this release is shown below.

See the complete release notes for all resolved issues.

New and Noteworthy

Component Tagging and Custom Attributes

This release includes a preview of our REST endpoints for component tagging (NXRM Pro only), which allows NXRM users to search for components and tag them, creating arbitrary collections of components. Tags also support custom attributes, which makes it possible to attach user-supplied information to tagged components.

In an upcoming release, it will be possible to tag components as they are uploaded to NXRM, making it possible to identify collections of components as a 'build'. This will form the basis of our upcoming staging features.

For more information please review the tagging documentation.

Hosted NuGet Queries Now Return Supported Frameworks

NEXUS-14839

Hosted NuGet queries will now return supported frameworks that don't have listed dependencies - previously frameworks without dependencies were incorrectly ignored.

This fix applies to all new packages that are deployed. If you have existing packages that are affected and can't redeploy them, this script (NEXUS-14839-fixNugetDependencies.groovy) will need to be run once to successful completion on version 3.10.0 and greater.

Docker Push of Multilayer Images Now Works in HA-C

NEXUS-15722

Docker push of images containing multiple layers to an NXRM HA cluster running behind a load balancer is now properly handled.

General Improvements

LDAP

  • [NEXUS-15816] - Paged results sets can now be disabled in LDAP searches

NuGet

  • [NEXUS-10030] - Pre-released NuGet packages are now identified by their version string to work around a NuGet bug

REST

  • [NEXUS-16425] - Download endpoint now only returns the jar file if Maven classifier parameter is set

Security, UI

  • [NEXUS-16248] - Roles with circular references can no longer be created

Tree View

  • [NEXUS-16470] - User-supplied filters are now properly escaped and sanitized

Upload UI

  • [NEXUS-16454] - Raw repository upload now works in IE11
  • [NEXUS-16503] - Artifacts can now be uploaded to the root of a Raw repository

Yum

  • [NEXUS-15745] - Yum proxy is now able to remove absolute URLs for metadata files that aren't at the root of a repository

Repository Manager 3.9.0

2/28/2018

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.9.0. A summary of the highlights in this release is shown below.

See the complete release notes for all resolved issues.

New and Noteworthy

Upload components to a repository from the UI

NEXUS-10121

This is the new and improved version of the upload feature that exists in Nexus Repository 2. For Nexus Repository 3, we support uploads to hosted Maven, Raw, npm, PyPI, NuGet, and RubyGems repositories.

Nexus Firewall now supported on OSS

NEXUS-16155

This release makes it possible to use Nexus Firewall with Nexus Repository OSS, for those who want the ability to block bad components from entering their repositories, but don’t necessarily need the full set of capabilities in Nexus Repository Pro.

Yum Proxy and Hosted support conditional GET

NEXUS-15815, NEXUS-16066

When a request is made to either a hosted or proxy Yum repository, Nexus will respond properly when an If-Modified-Since header is present.

Remove support for the non-gzipped specs.4.8 from RubyGems

NEXUS-14885

The public RubyGems repository has removed support for the uncompressed specs.4.8 index file and this ticket removes it from NXRM.

Anyone running a RubyGems client earlier than 1.8 will have to update when upgrading to the latest version of NXRM.

If you have any third-party tools that access the specs.4.8 endpoint directly, they will receive a 404. They should be redirected to the specs.4.8.gz endpoint instead.

Example old endpoint = http://localhost:8080/repository/ruby-hosted/specs.4.8
Example new endpoint = http://localhost:8080/repository/ruby-hosted/specs.4.8.gz

General Improvements

NPM

  • [NEXUS-10255] - NPM proxy failed with 404 for requests with version specified

Repository Health Check, Upgrade

  • [NEXUS-15746] - Health check config database upgrade sometimes fails

Yum

  • [NEXUS-15795] - Yum hosted caches 404 responses for files unnecessarily due to negative cache handler

Tasks

Repository Manager 3.8.0

02/05/2018

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.8.0. A summary of the highlights in this release is shown below.

For more detail see the complete release notes.

Multiple XSS Vulnerabilities

Multiple XSS vulnerabilities have been discovered in Nexus Repository 3.x up to and including version 3.7.1. We recommend upgrading to 3.8.0 or later immediately. See our support knowledge base article for more information.

Yum Hosted

NEXUS-10191

Following our initial support for Yum Proxy, released in version 3.5.0, we are now continuing with Yum Hosted. This new feature is no longer built on top of Maven and no longer dependent on the external createrepo program. Yum hosting is now platform independent. Yum group repositories and support for upgrading 2.x yum repositories to 3.x will be included in future releases.

Use a permissive Deploy Policy if you're using Maven to deploy RPMs to Yum Hosted.

REST API deprecating /siesta

NEXUS-14940

We have removed "/siesta/" from all of our REST endpoints, so you'll need to update your integrations. For example, the "/service/siesta/rest/v1/script" endpoint has been moved to "/service/rest/v1/script".

Upgrading from 3.x

This version upgrades Eclipse Jetty from 9.3.x to 9.4.x. This upgrade required a line to be removed from the shipped <install-dir>/etc/jetty/jetty-http.xml and <install-dir>/etc/jetty/jetty-https.xml as compared to previous versions.

Startup will fail if you try to use a jetty configuration file from a previous version that contains the following line:

line that will fail startup if present in jetty-http.xml or jetty-https.xml
<Set name="selectorPriorityDelta"><Property name="jetty.http.selectorPriorityDelta" default="0"/></Set>

This highlights why it is important, when upgrading, to always compare the install files you previously modified, as recommended by our upgrade instructions.
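
A pre-upgrade check for the two 3.8.0 changes above that break existing setups (the removed Jetty line and the /siesta/ endpoint move), as an added example that is not Sonatype's code. The sample config and script are constructed, and rewriting every /service/siesta/ path to /service/ generalizes from the single endpoint the notes give.

```python
"""Pre-upgrade check for the 3.8.0 Jetty and /siesta/ changes (added example)."""
import re
import xml.etree.ElementTree as ET

REMOVED_SETTER = "selectorPriorityDelta"  # the <Set> named in the notes above
# Old REST prefix; the group captures the rest of the path up to a delimiter.
SIESTA = re.compile(r"/service/siesta/([^\s\"'<>)]*)")

# Constructed sample inputs (not taken from a real installation).
SAMPLE_JETTY = b"""<Configure id="Server">
  <New class="org.eclipse.jetty.server.ServerConnector">
    <!-- <Set name="selectorPriorityDelta">0</Set> -->
    <Set name="selectorPriorityDelta"><Property name="jetty.http.selectorPriorityDelta" default="0"/></Set>
    <Set name="port"><Property name="application-port"/></Set>
  </New>
</Configure>"""
SAMPLE_SCRIPT = """\
curl -u admin -X POST http://localhost:8080/service/siesta/rest/v1/script -d @job.json
curl -u admin http://localhost:8080/service/rest/v1/script
"""


def jetty_blockers(xml_bytes):
    """Return the Property name behind each active <Set name="selectorPriorityDelta">.

    Parsing instead of grepping skips commented-out copies and tolerates
    different whitespace or attribute order in a hand-edited file.
    """
    hits = []
    for el in ET.fromstring(xml_bytes).iter("Set"):
        if el.get("name") == REMOVED_SETTER:
            prop = el.find("Property")
            hits.append(prop.get("name") if prop is not None else "(literal value)")
    return hits


def siesta_rewrites(text):
    """Return (line_number, old_path, new_path) for each /service/siesta/ reference."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in SIESTA.finditer(line):
            # Assumption: every endpoint moves the way the page's one example does.
            out.append((no, m.group(0), "/service/" + m.group(1)))
    return out


if __name__ == "__main__":
    for name in jetty_blockers(SAMPLE_JETTY):
        print(f"jetty config: remove the selectorPriorityDelta line ({name})")
    for no, old, new in siesta_rewrites(SAMPLE_SCRIPT):
        print(f"script line {no}: {old} -> {new}")
```

To check a real installation, pass the bytes of your modified jetty-http.xml and jetty-https.xml to jetty_blockers and the text of each integration script to siesta_rewrites.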

Upgrading from 2.x

If you’re upgrading from Nexus Repository 2, you must first upgrade your installation to 2.14.6. See the upgrade compatibility matrix for more information.

General Improvements

Blobstore, UI

  • [NEXUS-15467] - Make blob store type field not editable

Bootstrap

Bower, Security

  • [NEXUS-12452] - Bower install no longer fails when user has only group level privileges

Content Selectors, Tree View

  • [NEXUS-15545] - Tree view now works properly with content selectors

Fabric

  • [NEXUS-14969] - HA-C nodes now properly rejoin their cluster after cluster shutdown
  • [NEXUS-15084] - HA-C properly syncs user accounts between nodes

LDAP

  • [NEXUS-15147] - Prevent ConcurrentModificationException when editing multiple user roles

Logging

  • [NEXUS-15364] - Logging from different task threads may log to the same task log if tasks are started within the same second

Maven

  • [NEXUS-12482] - Inconsistent behaviour with upload to snapshot repository fixed

NPM

  • [NEXUS-15282] - NPM allows redeploys despite Deploy Policy
  • [NEXUS-15425] - Assets now properly updated when a npm package is republished

Outreach

  • [NEXUS-15466] - Welcome screen content is now displayed for administrators who are mapped in via LDAP group

REST

  • [NEXUS-15202] - Take classifier into account when downloading a jar through the REST endpoint /rest/beta/search/assets/download
  • [NEXUS-15088] - Incorrect error response code 406 for bad ID in DELETE /component
  • [NEXUS-15089] - Error response code 204 not listed in REST API codes for component and asset delete

Yum

  • [NEXUS-15131] - Component naming for Yum Proxy now matches RPM header