As titled, how long does Sonatype take to register a new version of a component? I had previously heard or read that it takes minutes, at least with Maven, and had assumed it was somewhere in the same ballpark with NPM. However, it has been 2 days since one particular package was released, and it remains ‘unknown’.
Example package, still ‘unknown’: array.prototype.flat - npm v.1.3.3
We have seen that it can take up to 2 hours with NPM to have the validation completed. Depending on your firewall settings, this means you may encounter a “License-None” finding that can be set to auto-release after Sonatype has completed their process. Nexus Repo has a setting that can be enabled on the npm-proxy to download the last “good” version that complies with all your policies. This will allow developers with “get latest” to obtain the n-1 version if the latest is not yet through the validation process at Sonatype. Please note that we did need to have an updated version of Nexus Repo and be on a database that was not the default/internal database to avoid performance issues and outages that were not anticipated. Sonatype’s documentation only indicated the version of Nexus Repo where this was available.