Sonatype Nexus Repository 3.86.0 - 3.86.2 Release Notes

What's New and Noteworthy in 3.86.2?

Released November 12, 2025

This release fixes a number of bugs as described in the Bug Fixes section below.

Note

Sonatype did not release a 3.86.1 version. Customers can safely upgrade directly from 3.86.0 to 3.86.2.

What’s New and Noteworthy in 3.86.0?

Released November 5, 2025

OpenID Connect (OIDC) Support for Streamlined SSO Integration

Sonatype Nexus Repository now supports authentication using OpenID Connect (OIDC), allowing seamless Single Sign-On integration with identity providers such as Okta, Keycloak, and Azure AD. This new capability enables organizations to centralize user authentication and enhance security by redirecting login requests to a trusted OpenID Provider.

When OIDC is configured, users benefit from a simplified login experience while administrators gain greater control over access through external role mapping. For full details, see the OIDC help documentation.

License Expiry Notification and Status Check

To help administrators avoid unexpected service disruptions, Sonatype Nexus Repository now supports license expiration notifications. When enabled, Nexus Repository will send email alerts as the expiration date for the Pro license approaches. You can configure how many days in advance the notifications should be sent and specify the list of email recipients using the new License Expiry Notification capability.

In addition to email alerts, Nexus Repository displays a visual warning in the user interface as part of the Status Check system. A new License Check status check appears in the UI when the license is nearing expiration, making it easier for administrators to monitor license health at a glance.

To learn more, see the License Management help documentation.

New REST API for Managing SAML Users

Sonatype Nexus Repository Pro and Sonatype Nexus Repository Cloud now include a REST API for managing SAML-backed user records. This new capability allows administrators to pre-provision SAML users, assign roles before their first login, and ensure roles remain aligned with identity provider (IdP) group memberships.

By supporting full user lifecycle management through the API, this enhancement improves automation, simplifies role assignments, and strengthens integration with enterprise identity systems.

For full details, see the Security Management API documentation.

Firewall for Docker Scanning Now Uses Nexus Repository Network Settings

Starting with Nexus Repository version 3.86.0 and IQ Server version 197, Firewall for Docker Scanning now uses the network connection settings configured in Nexus Repository when accessing Docker registries.

This enhancement ensures that Docker scans respect custom networking configurations, allowing seamless image downloads and more consistent scanning behavior across different environments.

With this update, Firewall scans automatically apply the following Nexus Repository settings when available:

  • User-Agent customization

  • Connection and socket timeouts

  • Connection retry attempts

  • HTTP and HTTPS proxy settings, including host, port, authentication, NTLM domain, and hostname

If you use Nexus Repository 3.86.0 with an earlier version of IQ Server, Firewall for Docker will fall back to the older IQ CLI scanning method, which does not apply the Nexus Repository HTTP configuration.

Expanded Support for OCI-Based Docker Images

Firewall for Docker now supports analyzing and quarantining a broader range of OCI-compliant images requested through Docker proxy repositories. This includes multi-architecture manifest lists, single-manifest images without layers, and uncompressed image layers. These updates improve compatibility with modern image formats by adding support for less common Docker layer constructs.
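
To make the three image shapes named above concrete, the following added example (not Sonatype code) classifies a registry manifest document as a manifest list, a layerless single manifest, or a manifest with uncompressed layers. The media types come from the OCI image spec and Docker manifest schema 2; the function name and sample documents are constructed for illustration.

```python
import json

# Media types defined by the OCI image spec and Docker image manifest v2 schema 2.
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
UNCOMPRESSED_LAYER_TYPES = {
    "application/vnd.oci.image.layer.v1.tar",
    "application/vnd.oci.image.layer.nondistributable.v1.tar",
}

def classify_manifest(raw: str) -> dict:
    """Report which of the three constructs a manifest document exhibits."""
    doc = json.loads(raw)
    # An OCI index may omit mediaType, so also key on the "manifests" array.
    if doc.get("mediaType") in INDEX_TYPES or "manifests" in doc:
        platforms = sorted(
            "{}/{}".format(m.get("platform", {}).get("os", "?"),
                           m.get("platform", {}).get("architecture", "?"))
            for m in doc.get("manifests", [])
        )
        return {"constructs": ["manifest-list"], "platforms": platforms}
    if "config" not in doc:
        raise ValueError("not an image manifest or manifest list")
    layers = doc.get("layers", [])
    constructs = []
    if not layers:
        constructs.append("no-layers")
    if any(layer.get("mediaType") in UNCOMPRESSED_LAYER_TYPES for layer in layers):
        constructs.append("uncompressed-layer")
    return {"constructs": constructs, "layer_count": len(layers)}

# Constructed sample documents (digests are placeholders, not real images).
D = "sha256:" + "0" * 64
CONFIG = {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": D, "size": 2}
SAMPLE_INDEX = json.dumps({"schemaVersion": 2, "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": D, "size": 2,
     "platform": {"os": "linux", "architecture": "arm64"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": D, "size": 2,
     "platform": {"os": "linux", "architecture": "amd64"}}]})
SAMPLE_EMPTY = json.dumps({"schemaVersion": 2, "config": CONFIG, "layers": []})
SAMPLE_TAR = json.dumps({"schemaVersion": 2, "config": CONFIG, "layers": [
    {"mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": D, "size": 2},
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": D, "size": 2}]})

if __name__ == "__main__":
    for name in ("SAMPLE_INDEX", "SAMPLE_EMPTY", "SAMPLE_TAR"):
        print(name, classify_manifest(globals()[name]))
```

Running it over manifests saved from your own proxied images shows which of them exercise the newly supported scanning paths and are worth re-testing after the upgrade.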

Bug Fixes

The following table describes bug fixes included in 3.86.2:

| Issue ID | Description |
| --- | --- |
| NEXUS-49171 | APT repository metadata is now properly updated in both the source and target hosted repositories after performing a component move via the REST API. |
| NEXUS-49474 | Firewall for Docker scans work as expected when using Sonatype IQ Server 196 or earlier. |

The following table describes bug fixes included in 3.86.0:

| Issue ID | Description |
| --- | --- |
| NEXUS-29298 | Routing rules assigned during repository creation using the REST API are now correctly applied and reflected in both the UI and subsequent API responses. |
| NEXUS-40880 | Attempting to run the Database Migrator to migrate from an H2 to a PostgreSQL database without a nexus.mv.db file now fails with an error as expected. |
| NEXUS-41540 | Repository blob store migration now runs blob move operations in parallel using all available threads in the executor pool, improving task throughput and reducing migration time. |
| NEXUS-44318 | Docker garbage collection now uses batch processing and memory-efficient data structures to reduce memory usage and improve performance when operating on large repositories. |
| NEXUS-44942 | Removed the deprecated X-XSS-Protection header from all responses. |
| NEXUS-47323 | Support zip generation via the REST API is now allowed for local administrator users regardless of license state. |
| NEXUS-47587 | Requests for package metadata in APT hosted repositories now wait for metadata rebuilds to complete, preventing 404 responses. |
| NEXUS-47601 | The Conan proxy repository API now includes the conanVersion field in its response. |
| NEXUS-47655 | (Requires Nexus Repository 3.86.0 and IQ 197.) Firewall for Docker now uses the HTTP configuration defined in Nexus Repository (i.e., proxy settings, authentication, timeouts, and SSL certificates) when downloading image content for scanning, improving compatibility with restricted or customized network environments. |
| NEXUS-47712 | The Sonatype Lifecycle Component section in the Nexus Repository UI now correctly reflects the security status of Golang components, eliminating the misleading Unsupported format: go message when vulnerability data is available. |
| NEXUS-47736 | Asset Search API queries using the group parameter with spaces or uppercase letters now return correct results in High Availability environments. |
| NEXUS-47840 | The link in the Firewall column of the Nexus Repository Browse page now correctly redirects users to the Firewall report for the corresponding repository report. |
| NEXUS-48148 | Pushing Helm charts no longer fails when the appVersion field is a number. |
| NEXUS-48190 | Content Selector privilege scopes based on format now work as expected. |
| NEXUS-48395 & NEXUS-44994 | Staging move operations now correctly update the Browse page to remove empty directories and display accurate asset icons. |
| NEXUS-48619 | The Execute Plan Data Repair task now logs detailed information about asset record removals, improving visibility and traceability during data repair operations. |
| NEXUS-48624 | The Repair - Recalculate blob store storage task no longer double-counts soft-deleted blobs, ensuring accurate blob store size and component metrics. |
| NEXUS-48629 | The Sonatype Lifecycle Component section in the Nexus Repository UI now correctly reflects the security status of Conan components, eliminating the misleading Unsupported format: conan message when vulnerability data is available. |
| NEXUS-48634 | The Verify and Repair Data Consistency and Execute Plan Data Repair tasks now correctly clear the deleted=true flag when restoring blobs, preventing persistent MissingBlobException errors after database rollback scenarios. |
| NEXUS-48748 | Wildcard version searches now return consistent results. |
| NEXUS-48827 | Upgrading to 3.84.1 no longer incorrectly enables path-based routing on existing Docker repositories that had no connector selected, preserving the original configuration state. |
| NEXUS-48891 | The Search API now correctly supports queries with multiple repository names using OR. |
| NEXUS-48902 | Search API results now return the actual storage location in the repository field when querying a group repository. |
| NEXUS-49025 | (Requires Nexus Repository 3.86.0 and IQ 196 for self-hosted customers.) Firewall report links using the legacy /malware-defense path now redirect correctly, with full backward compatibility implemented to ensure both /malware-defense and /firewall URLs load without errors. |
| NEXUS-49070 | Logins to SaaS deployments now succeed and Nexus Repository no longer stores the OIDC id_token in the cookie, avoiding the 4096-character size limit error. |
| NEXUS-49115 | Pulling OCI-formatted images through a Repository Firewall-enabled Docker proxy now works as expected. We have added support for scanning single-manifest images and those without layers. |
| NEXUS-49118 | Modified JWT token generation dependencies to prevent cross-node session errors during OAuth redirects in clustered environments. |
| NEXUS-49125 | Pulling multi-architecture Docker images through a Nexus Repository Docker proxy with Repository Firewall quarantine enabled now succeeds. We have added support for handling manifest lists and uncompressed image layers during scanning. |

Coming Soon to Sonatype Nexus Repository

We’re excited to share that the following enhancements will be coming soon to Sonatype Nexus Repository:

Java 21 Required Starting in 3.87.0

Beginning with the Sonatype Nexus Repository 3.87.0 release, Java 21 will be the minimum required version. The official Docker image and installers will include Java 21 by default. We recommend preparing your environments ahead of this change to ensure compatibility and minimize disruption.

New Product Launch Coming Soon

Sonatype will soon introduce a new product that helps your AI coding assistant make smarter dependency choices. A preview of the first component, our Model Context Protocol (MCP) server, is available now for early exploration. Sonatype’s MCP server guides AI to select secure, reliable, and license-compliant versions using Sonatype’s trusted open source intelligence.