2019 Release Notes

Security Fix for discovered CVE

A security vulnerability has been found and corrected in 3.15.0. For details, please see CVE-2019-7238.

Sonatype recommends that administrators running NXRM3 versions up to and including 3.14.0 upgrade immediately.

Repository Manager 3.16.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.16.1. The resolved issues are shown below.

License installation


After installing a license, the application doesn't start (only when switching from OSS to PRO; installing a license in an existing PRO instance is not affected)

Application Upgrade


Upgrading to 3.16.0 PRO can fail when usertoken database contains entries with duplicate (case-insensitive) usernames

Repository Manager 3.16.0


A bug which affects installing a license and moving from Nexus Repository OSS to Nexus Repository Pro has been discovered in version 3.16.0.  This issue does not affect existing Nexus Repository Pro installations which are being upgraded to version 3.16.0 and has been fixed in 3.16.1.

Sonatype is pleased to announce the immediate availability of Nexus Repository 3.16.0. A summary of the highlights in this release is shown below.

See the complete release notes for all resolved issues.

New and Noteworthy

REST Search Improvements


REST search now supports sorting results, as well as filtering prerelease components, allowing the search and download endpoint to return the latest version of an asset.

Update packaged JRE in installers to OpenJDK


Mac and Windows installers now include the Zulu OpenJDK 8 JRE.

Improve stability of using HA-C with Nexus Firewall


Using Nexus Repository Manager in HA-C with Nexus Firewall could cause the cluster to have numerous concurrent modification exceptions.  There were a number of changes made to both reduce the frequency of conflicts and more robustly handle them when they do occur.

Ability to collect all three HA-C support zips from a single node


Any node can collect the support zips from all members in a Nexus Repository Manager cluster.

Bower Resolver Updated

In addition to 3.16.0, we have also updated the bower resolver dependencies to the latest and most secure versions. We strongly recommend that anyone using bower update their bower resolver to the latest version.

Metrics Timers Identifiers Have Changed

Some customers may be parsing the /service/metrics/data REST resource or utilizing the info/metrics.json file in support zips. This release updates our metrics library, which has changed the names of timers to include the suffix '.timer'. For example:

Old timer: com.sonatype.nexus.plugins.healthcheck.ui.HealthCheckStatusComponent.read

New timer: com.sonatype.nexus.plugins.healthcheck.ui.HealthCheckStatusComponent.read.timer

The "version" field of the metrics file reflects this change: it moves from 3.0.0 to 4.0.0.
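Monitoring or alerting that looks timers up by their old names will silently stop matching after the upgrade. The following added example (not Sonatype code) normalises timer names across both schema versions so one set of expected names works before and after 3.16.0. It assumes the metrics document has a top-level "version" field and a "timers" object keyed by timer name; the two sample documents and their values are constructed.

```python
import json

TIMER_SUFFIX = ".timer"
READ = "com.sonatype.nexus.plugins.healthcheck.ui.HealthCheckStatusComponent.read"

# Constructed sample documents: same timer, before and after the rename.
OLD_DOC = json.dumps({"version": "3.0.0", "timers": {READ: {"count": 12}}})
NEW_DOC = json.dumps({"version": "4.0.0",
                      "timers": {READ + TIMER_SUFFIX: {"count": 12}}})


def canonical_timer_name(name, schema_version):
    """Map a timer name to its suffix-free form, based on the schema version."""
    major = int(schema_version.split(".")[0])
    # Only strip the suffix for schema 4.x and later; in a 3.x document a
    # name ending in ".timer" is a genuine metric name and is left alone.
    if major >= 4 and name.endswith(TIMER_SUFFIX):
        return name[: -len(TIMER_SUFFIX)]
    return name


def load_timers(metrics_json):
    """Return {canonical timer name: timer data} for either schema version."""
    doc = json.loads(metrics_json)
    version = doc.get("version")
    if version is None:
        raise ValueError("metrics document has no 'version' field")
    timers = {}
    for name, data in doc.get("timers", {}).items():
        key = canonical_timer_name(name, version)
        if key in timers:
            raise ValueError("timer name collision after normalising: " + key)
        timers[key] = data
    return timers


def missing_timers(expected, metrics_json):
    """Names an alert rule or dashboard expects but the document lacks."""
    return sorted(set(expected) - set(load_timers(metrics_json)))


if __name__ == "__main__":
    for label, doc in (("3.0.0", OLD_DOC), ("4.0.0", NEW_DOC)):
        print(label, "missing:", missing_timers([READ], doc))
```
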

General Improvements

Cleanup, Search

  • [NEXUS-18905] Cleanup tasks fail with "No search context found for id" error

Content Selectors

  • [NEXUS-18509] Make JEXL and CSEL behave the same for expressions without a leading slash

Content Selectors, Scripting, Upgrade

  • [NEXUS-17850] API does not validate contents of content selectors. Invalid content selectors can lead to failed upgrade.

Database, Scheduled Tasks

  • [NEXUS-18983] If NXRM is read-only or lacks quorum, then run now triggers make startup fail.


  • [NEXUS-18816] Slow delete performance when using REST API


  • [NEXUS-19125] Docker pull from mcr.microsoft.com results in 403

HA, Repository

  • [NEXUS-19229] LastDownloadedHandler conflicts in HA can cause long-running retries/rollbacks

LDAP, User Token, Upgrade

  • [NEXUS-13639] User tokens not migrated if LDAP user ID case does not match login case

LDAP, Tree View, Logging

  • [NEXUS-17616] On browse w/ LDAP, if no perms, a bunch of warns are fired

Cleanup, Logging

  • [NEXUS-18731] specifics about what is deleted by cleanup policies is not logged

Proxy Repository, Logging

  • [NEXUS-17502] Content validation message does not log which repository the invalid content is coming from


  • [NEXUS-16853] Enhance content validation for maven-metadata.xml files

Maven, Scheduled Tasks


  • [NEXUS-17908] Tag association may intermittently fail for new artifact

Security, Upgrade

  • [NEXUS-12222] NXRM2 repository view privileges are not migrated to NXRM3 browse privileges during upgrade


  • [NEXUS-18774] allow scoped NPM package name parts that start with '.' or '_'
  • [NEXUS-17896] concurrent requests for large npm metadata can lead to OutOfMemory during serialization performance


  • [NEXUS-19121] Delete of component or asset from PyPi proxy repository fails

Repository, UI

  • [NEXUS-19118] Clicking on the links in a repository for component/asset browse gives a 404

Repository Health Check

  • [NEXUS-18950] "Download trend" disabled text misleading



  • [NEXUS-19085] staging promotion move of more than 500 components may fail with IllegalStateException Unable to find component by id performance


Upload UI

  • [NEXUS-18277] UI upload creates temporary files in java.io.tmpdir


  • [NEXUS-16057] Add UI upload for Yum
  • [NEXUS-17884] upload of source rpm fails in yum hosted
  • [NEXUS-17920] Deleting an rpm via DELETE to /repository does not update metadata

Repository Manager 3.15.2


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.15.2. A summary of the highlights in this release is shown below.

Search Hotfix


Fix search filtering using repository query parameter, when group repository is entered (REST and UI).

Docker image


Our official Docker image switches to OpenJDK as our recommended Java Runtime Environment. It's worth checking whether the difference has an impact on your deployment (e.g., it contains a different system trust store, which may affect your SSL connections).

Repository Manager 3.15.1


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.15.1. A summary of the highlights in this release is shown below.

NPM Hotfix


Fix anti-cross-site request forgery token mismatch blocking valid npm client publish and login.

Repository Manager 3.15.0


Sonatype is pleased to announce the immediate availability of Nexus Repository 3.15.0. A summary of the highlights in this release is shown below.

See the complete release notes for all resolved issues.

Note: We have found an issue in this release that affects NPM users, as well as REST search filtering by repository group names. We recommend NPM and/or REST search users upgrade immediately to 3.15.2-01 (see Download Archives for access) or newer.

New and Noteworthy

Beta REST API Endpoints Removed

The Nexus Repo REST API moved from beta to release status in the 3.13.10 release.  The old /service/rest/beta endpoints were kept for compatibility in the 3.13.0 and 3.14.0 releases, but they have now been removed (NEXUS-18562).  Update any scripts that use /service/rest/beta endpoints to use the new /service/rest/v1 endpoints.  

Dynamic Storage

For our Professional licensed customers, we added a new level of flexibility for administrators when planning and updating their blob stores. Multiple blob stores can be combined into a Blob Store Group. These groups allow an individual repository to use storage across multiple locations and devices. Member blob stores can be added to or removed from a group to ease the burden of migrations. We also added Fill Policies, which give administrators more control over and insight into how components are being stored.

For all our users (OSS and PRO), we have added Soft Quota, which allows you to receive a warning when your blob store has reached a configured metric.

For more detail, see our documentation Storage Guide.

OpenJDK 8 Runtime


Users have been reporting OpenJDK has worked fine as the JVM for repository manager 3. As of 3.15.0, we now run our full test suite using a compliant Java SE standard distribution of OpenJDK 8. In light of the Oracle licensing changes to their Oracle JDK distributions, you can now be sure repository manager is fully tested against the standard. 

UI Upload left files in temporary directory after upload was complete


This bug caused temp files to be left behind when the UI Upload feature was used. Standard NXRM cleanup tasks do not remove these files, so they could eventually cause disk space issues. The fix addresses the issue going forward but does not delete anything already on the file system. If you use Upload UI frequently, we recommend checking the temp directory to see if you can get some disk space back.

Use HTTPS for outreach Base URL


In order to promote security, we changed our Welcome Outreach capability to use HTTPS instead of HTTP.

Analytics plugin deprecated

Due to complications, the Analytics plugin and respective pages within the application have been removed from the system. If it is restored, we will have a new feature release note.

General Improvements


  • [NEXUS-18252] Repository manager will not start on blobstore problems or errors


  • [NEXUS-15095] MissingBlobException can occur when publishing Maven index
  • [NEXUS-18196] ArrayIndexOutOfBoundsException when uploading large POM


  • [NEXUS-12684] HEAD request to /v2/<name>/manifests/<reference> results in 404 error
  • [NEXUS-18263] Docker proxy repositories configured with a remote URL including extra path info will not proxy correctly
  • [NEXUS-18353] Can't proxy older gcr.io Docker images


  • [NEXUS-18100] LDAP UI does not reflect configuration
  • [NEXUS-13626] Made Privileges box wider so Privileges fit
  • [NEXUS-7996] Changing dropdown does not show users list until refresh


  • [NEXUS-18564] Delete orphaned API keys task run before any other HTTP activity can stop some LDAP operations


  • [NEXUS-16964] Upgrade from 2.14.8 to 3.10.0 may prevent download of rubygems hosted repository gems


  • [NEXUS-17501] Caching of NuGet metadata causes thread serialization, query slowdowns under load performance


  • [NEXUS-14465] PyPI hosted repository does not send etag header
  • [NEXUS-17903] PyCharm does not work with PyPI repository
  • [NEXUS-18187] PyPI proxy of https://bloomberg.bintray.com/pip does not work
  • [NEXUS-16401] PyPi hosted repository packages can only be searched by pep-0503 normalized name


  • [NEXUS-18345] Running a "/search/assets" REST API call with just a "repository" query parameter does not give full results

Scheduled Tasks

  • [NEXUS-12828] Submitting more than 20 tasks at once causes ERROR for some tasks

Content Selectors, Tree View

  • [NEXUS-15085] Tree View is slow when there are large numbers of content selector privileges

Tree View

  • [NEXUS-16384] Maven SNAPSHOT timestamp versioned files are not direct children to the base snapshot version in tree or html view
  • [NEXUS-14682] Support deleting all assets under entire selected tree nodes
  • [NEXUS-15179] Deleting last pom leaves folder shell


  • [NEXUS-18119] New role not available for use until role page revisited
  • [NEXUS-12100] Delete button on component and asset is active even without permission to do so

Upload UI

  • [NEXUS-18276] UI upload leaves files in temporary directory after upload is complete
  • [NEXUS-18494] UI upload fails if it takes more than 60 seconds


  • [NEXUS-18299] JsonSyntaxException attempting to create Webhook capability


  • [NEXUS-18261] Hosted yum metadata not rebuilding due to parsing issues in the path being queried

Search, Tree View

  • [NEXUS-18617] Disable asset download count feature in all new/upgraded installations

Maven, Search

S3, Blobstore

  • [NEXUS-18631] Allow multipart copy for AWS S3 blob storage