NPM Group Repository Fetching Metadata from Second Proxy Despite Artifact Found in First Proxy (Nexus 3)

Sonatype Nexus Repository
, , , ,
1

Hi everyone,

I’m using Sonatype Nexus 3 for both NPM and Maven artifacts. I’ve set up group repositories for both NPM and Maven, each containing two proxy repositories:

  • First proxy: internal upstream (for artifacts stored internally)
  • Second proxy: external upstream (npmjs.org or Maven Central)

For Maven artifacts, Nexus works as expected: if an artifact is found in the first proxy (or its upstream), Nexus serves it directly without querying the second proxy.

However, I’m observing a different behavior with NPM group repositories. Here’s what’s happening:

  • When I request an artifact from the NPM group, Nexus first checks the internal proxy and finds the artifact, pulling it from the first proxy’s upstream (internal source).
  • Despite retrieving the artifact successfully, Nexus still queries the second proxy and its upstream (npmjs.org), but only for the metadata files.
  • Finally, the group repository serves the artifact from the first proxy, but I’m puzzled as to why it’s querying the second proxy at all, especially since the artifact is already found in the first proxy.

Configuration Details:

  • Metadata caching for both proxies is set to -1 to ensure it only calls the upstream when the artifact is not in the cache.
  • The artifact is always requested with the exact version in package.json (no version ranges).
  • I’ve double-checked the order of repositories in the group, and the first proxy is listed first.
  • In the logs, I see the artifact being fetched correctly from the first proxy’s upstream, but metadata is being fetched from the second proxy’s upstream.

My Understanding/Question:

For Maven, this setup works perfectly—once the artifact is found in the first proxy, it doesn’t check the second one. However, for NPM, even though the artifact is found in the first proxy, Nexus still queries the second proxy for metadata.

Is this expected behavior for NPM repositories in Nexus 3? If not, could this be related to how NPM metadata is handled in grouped repositories?

What I’ve Tried:

  • I’ve checked that the metadata caching settings are correctly configured at the proxy level.
  • The package.json requests an exact version (not a version range), so Nexus shouldn’t need to look at the second proxy.
  • I’ve confirmed that the artifact is being served from the first proxy; it’s only the metadata that Nexus seems to fetch from the second proxy.
  • The Maven group repository does not exhibit this behavior—Maven artifacts are served entirely from the first proxy without contacting the second proxy.

Could there be an issue with how Nexus handles metadata caching or group repository behavior for NPM repositories? Is there any configuration or known issue related to this behavior?

Thanks in advance for your help!

2

This is a duplicate of your previous post Sonatype Nexus OSS 3.69.0 Npm Issue

As I described previously it is expected that a group merges metadata from all group members. This is also the same behaviour as maven when a maven-metadata.xml file is requested.

3

@mpiggott , Thank you so much for responding, my concern is

When I run npm install ansi-regex@6.0.0 (with my .npmrc pointing to a Nexus npm group), requests are being sent to the upstreams of both proxy members in the group. The first proxy member retrieves both the artifact and metadata, while the second proxy member is queried it’s upstream for metadata.

I expected that if the artifact wasn’t found in the first proxy member or its upstream, only then would it query the second proxy member upstream.

For example, in a project with 2000 npm dependencies, this setup would result in 2000 requests to both upstreams. Why are calls being made to both proxy member upstreams, even when the artifact and metadata are already found in the first proxy member’s upstream?

4

Again, metadata is merged from all group members.