惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
小众软件
小众软件
J
Java Code Geeks
V
Visual Studio Blog
The Register - Security
The Register - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
美团技术团队
阮一峰的网络日志
阮一峰的网络日志
V
V2EX
博客园 - 叶小钗
N
Netflix TechBlog - Medium
月光博客
月光博客
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
T
The Exploit Database - CXSecurity.com
The Hacker News
The Hacker News
Cisco Talos Blog
Cisco Talos Blog
Hacker News: Ask HN
Hacker News: Ask HN
Hacker News - Newest:
Hacker News - Newest: "LLM"
AWS News Blog
AWS News Blog
Webroot Blog
Webroot Blog
The Last Watchdog
The Last Watchdog
T
Threatpost
I
Intezer
T
Tenable Blog
L
LINUX DO - 热门话题
T
Tailwind CSS Blog
Scott Helme
Scott Helme
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cybersecurity and Infrastructure Security Agency CISA
Engineering at Meta
Engineering at Meta
S
Schneier on Security
Recent Announcements
Recent Announcements
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
F
Fortinet All Blogs
腾讯CDC
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
量子位
H
Hacker News: Front Page
V2EX - 技术
V2EX - 技术
Google Online Security Blog
Google Online Security Blog
人人都是产品经理
人人都是产品经理
博客园 - 【当耐特】
博客园 - Franky
www.infosecurity-magazine.com
www.infosecurity-magazine.com

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Modernizing Nexus Repository: Moving Beyond OrientDB
alinskens@sonatype.com (Aaron Linskens) · 2026-04-09 · via 2024 Sonatype Blog

If you're running Sonatype Nexus Repository or Sonatype Nexus Repository Community Edition (formerly known as Nexus Repository OSS) on OrientDB, you're operating on a legacy database architecture that is no longer aligned with current security and platform requirements.

Support for OrientDB in Nexus Repository is now fully sunset. Deployments using OrientDB will no longer be supported.

While issues in newer architectures have been addressed, they cannot be fully remediated within the legacy OrientDB-based stack. The result is a growing gap between what can be secured and what can no longer be maintained.

In this post, we explain:

The Problem: OrientDB Is No Longer Defensible

Older Nexus Repository versions (below 3.70.5) rely on an architecture built around OrientDB and outdated software dependencies.

That stack now carries:

  • High-severity vulnerabilities.

  • Active exploitation in the wild.

  • No complete patch path.

Remaining on OrientDB introduces increasing operational constraints. Security fixes cannot always be backported. Platform innovation is moving elsewhere.

PostgreSQL is now the recommended and actively supported database for Nexus Repository. It offers measurable improvements in performance, better support for high availability and cloud-native architectures, and access to new and future product capabilities not being built for OrientDB.

The Decision: Two Supported Paths Forward

Once you decide to move off OrientDB, there are two supported migration paths forward.

Both approaches eliminate dependence on OrientDB. The difference is how much infrastructure responsibility your team wants to retain.

Option A: Move to Sonatype Nexus Repository Cloud (Recommended)

The fastest and most secure path forward is to move to Nexus Repository Cloud.

Benefits of this move include:

  • Fully managed infrastructure.

  • Automatic updates and patching.

  • Reduced operational overhead.

  • Built-in scalability and resilience.

  • Eliminates database management entirely.

This approach removes the operational burden of database management entirely and ensures you're always running on a current, supported architecture.

Option B: Stay Self-Hosted and Migrate to PostgreSQL

If you need to remain self-hosted, the supported path is:

This path preserves your deployment model while aligning your system with the supported and actively developed database layer.

However, this path still requires infrastructure ownership, ongoing patching and maintenance, and careful migration execution.

Setting Up Your Repository for the Future

Moving off OrientDB is ultimately about aligning your repository with a supported, secure, and forward-looking architecture.

By combining Sonatype's migration guidance with modern DevOps practices and automated workflows, you can turn a complex migration into a structured, repeatable process — one that reduces risk while improving long-term maintainability.

For detailed migration steps, prerequisites, and troubleshooting guidance, refer to the full migration guide or connect with a Sonatype migration specialist for tailored support.

Tags