Unable to get version for NPM artifacts


I’m developing a plugin for the nexus repository manager. I can get the artifact version for maven as below. But I’m having an issue getting the version for NPM artifacts. What is the best way to get the version programmatically? I’m using 3.26.1-02 nexus-plugin version.

MavenPath mavenPath = (MavenPath) mavenPathAttribute;

MavenPath parsedMavenPath = mavenPathParser .parsePath(mavenPath.getPath());

coordinates = parsedMavenPath.getCoordinates();

Seem like you already have Coordinates of your component, so you can just call coordinates.getVersion() to get version of that component. Please take a look at MavenPath.Coordinates implementation to find more.

We can get it for the Maven repository. But How do we get the version for the NPM?
Maven has the version details in the Maven path

For Npm repo type, it doesn’t have version details in the context

Hi @dsawa I have tried the below option, But it is giving a null value for the versions.

        TokenMatcher.State state = context.getAttributes().require(TokenMatcher.State.class);
        String packageName = (String)state.getTokens().get("packageName");
        String version = (String)state.getTokens().get("packageVersion");

Do you have a Component or Asset object for that NPM artifact? If you do, Asset::getComponent gives you the Component, which has Component::version.

However, your code snippet suggests you may have only the request context. In that case you need to remember that some of your request will be for metadata file that does not have any version associated with. If your context is from request for a tarball, then your code should be working fine, but if your request is coming for a metadata you need to obtain the tarball to get version (this is how npm client works).

@dsawa Below is my class and please let me know how do I get the npm artifact version inside the class.

`import org.sonatype.nexus.repository.view.Context;

import org.sonatype.nexus.repository.view.Response;
import org.sonatype.nexus.repository.view.handlers.ConditionalRequestHandler;

import javax.annotation.Nonnull;

public class MyConditionalRequestHandler extends ConditionalRequestHandler {
public Response handle(@Nonnull Context context) throws Exception {
return super.handle(context);

What does your context object carry?

@dsawa This is my context object. I need to get the version of the i18n artifact to check that particular version has vulnerabilities. But I see only the package name here. I think package version supposed to come under tokens with the package name. Is it a bug in nexus?

It wouldn’t be considered a bug unless it affects requests to Nexus.

Are you sure you’re actually downloading a tarball instead of package root metadata

Thinking about it more in npm the version isn’t guaranteed to be part of the path

@mpiggott @dsawa This is not a tarball request. I’m using below package.json file in the nodejs sample project to download the dependencies. I need to validate the artifact before download it via my plugin. I can get the artifact version for Maven & Nuget. But I can’t find a way to get it for NPM.

npm install


“name”: “nexus-test-nodejs-app”,
“version”: “1.0.0”,
“description”: “”,
“main”: “index.js”,
“scripts”: {
“test”: “echo “Error: no test specified” && exit 1”
“keywords”: [],
“author”: “”,
“license”: “ISC”,
“dependencies”: {
“i18n”: “0.9.1”,
“winston-console-formatter”: “0.1.0”,
“logback”: “1.0.16”,
“parse-server”: “4.4.0”,
“harp”: “0.33.0”,
“react-native-webview”: “10.10.2”