Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-29484

impossible to delete a specific npm package metadata root in some scenarios


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.27.0, 3.33.0, 3.35.0
    • Fix Version/s: 3.39.0
    • Component/s: NPM
    • Labels:
    • Story Points:
    • Sprint:
      NXRM MadMax Sprint 28, NXRM MadMax Sprint 29, NXRM MadMax Sprint 30
    • Notability:
    • InvestmentLayer:
    • Aha Concept:


      A customer encountered a situation where they could not find a conventional way to delete the Nexus Repository served package metadata for a specific npm package that was proxied from the official registry.

      Their repo structure was:

      ├ ⧈ npm (npm-group)
      │   ├ ▶ aws-proxy (npm-proxy) ≻ https://remote.nexus.example.com/repository/npm-hosted
      │   ├ ▶ npminternal-proxy (npm-proxy) ≻ http://other.nexus.example.com/repository/npminternal/
      │   ├ ▶ npmexternal-proxy (npm-proxy) ≻ http://other.nexus.example.com/repository/npmexternal/
      │   ├ ▶ aws-other-proxy (npm-proxy) ≻ http://other.nexus.example.com/repository/npm-other
      │   └ ▶ npm-proxy (npm-proxy) ≻ https://registry.npmjs.org/

      Customer performed these actions attempting to expose to them the npm package asset to delete:

      • rebuild search indexes
      • rebuild browse tree
      • invalidate cache on npm group and npm-proxy proxy repo and try to refetch the new metadata at the remote ( npm-proxy repo Metadata Max Age was already 5 minutes and that did not help )
      • deleting all individual npm package tgz files that search component REST API reported to exist for the same package
      • rebuilding npm repository metadata using groovy script described at this link

      None of those options worked to expose the package root metadata so that it could be deleted via REST or Browse views.

      Component search only returned 4 tgz npm component records for the specific package, not the package metadata ( each tgz is a component internally in npm ). Browse node for the package at #browse/browse:npm-proxy:examplepackage displayed an error message: "Unable to show requested tree entry" when clicked" so it could not be deleted that way either.

      Removing the npm-proxy repo from the group and adding in a new proxy repo has been known as a workaround ( based on previous workarounds needed in other situations ) but the other ramifications and risks for that were not desired. Customer eventually replaced existing group and proxy repos as a solution though because resolving this situation was an emergency.


      Sonatype has developed a groovy script ( only tested for 3.35.0 and npm assets ) that can delete a specific npm package metadata asset from a repository.


      Provide a supported conventional method to delete an npm package root metadata using Browse and Search/REST. One should never arrive at a situation where package specific metadata cannot be explicitly deleted from a repo ( and refreshed in any group repo containing that repo ).


          Issue Links



              mbucher Michael Bucher
              plynch Peter Lynch
              Last Updated By:
              Michael Oliverio Michael Oliverio
              NXRM - Mad Max
              2 Vote for this issue
              11 Start watching this issue


                Date of First Response: