Thanks for your feedback!
We weren’t trying to surprise anyone with the limits, and we imagined that the 45-day grace period would be triggered either by a long-term user of CE who has grown slowly above the limits, or as an extension to normal upgrade cycles. Our data shows that most organizations take months or longer to get onto a newer version, meaning that the typical Nexus Repository deployment will have much longer than just the grace period to absorb the implications of the limits and make their choice on how to proceed.
We applaud your intention to stay ahead of security problems. You’re ahead of most larger organizations in terms of your upgrade speed. Unfortunately this means you face the decision sooner than most.
Backporting security updates is a reasonable request and something we’ve considered. As it turns out, the biggest risks are actually in some of the older and more structural parts of the tech stack. We have some significant work underway now that will land in the next few releases that will make our security posture much better. Unfortunately, the degree of change makes backporting these improvements to a point release impractical, so this does mean that there won’t be security updates to 3.76. However, because open core is updated whenever we release, those security improvements will be available right away there as well.
We’re trying to strike a balance between reasonable notice, supporting our free user base, and encouraging larger organizations to contribute to accelerating the pace of development for the users of all three editions. We realize for a very small set of users already above the thresholds (~5%), this might require an urgent decision, but we hope that the combination of promotional pricing and new features will soften the impact.
A number of us have been discussing your post this week, and it’s really helpful that you’ve given us so much detail on your experience of the changes and your thought process. So again, thanks very much for taking the time to provide us with your feedback.