Compliant Version Selection
When a developer requests a package version that is blocked by a curation policy, Compliant Version Selection (CVS) automatically identifies and returns the highest available version that passes all active policies. Instead of failing the request, Curation seamlessly resolves to a compliant alternative — keeping builds running and minimizing developer disruption.
CVS operates at the dependency resolution stage, evaluating both direct and transitive dependencies against all applicable curation policies in real time. It integrates with the JFrog Catalog to assess version metadata, ensuring that only vetted and policy-compliant versions are delivered to developers.
How It Works
When a requested package version fails a curation policy (for example, a block on immature packages or on packages missing from the Catalog):
- Artifactory retrieves all versions that satisfy the dependency range.
- Curation evaluates each version against all active policies for the repository.
- The highest version that passes all policies is returned to Artifactory.
- The developer receives the compliant version transparently — no manual action required.
- The Curation audit log records the original request and the compliant version that was delivered.
If the originally requested version is later updated in the Catalog and passes policy, subsequent requests for it will succeed normally.
Capabilities
Capabilities include:
- Automatic Version Fallback – Returns the highest compliant version when a requested version is blocked, covering both direct and transitive dependencies.
- Policy Evaluation – Evaluates all active curation policies (security, license, operational) for the repository when selecting a compliant version.
- On-Demand Support – CVS works with on-demand curation for packages from non-standard remotes, applying Immature policy evaluation using release dates from the request.
- Audit Visibility – Every CVS decision is recorded in the Curation audit log, including which version was requested, which was returned, and which policies were evaluated.
- Seamless Developer Experience – Developers are not notified when a different version is delivered. Builds succeed transparently without interruption.
Supported Package Types
| Package Type | Support Level | Notes |
|---|---|---|
| npm | Full Support | |
| PyPI | Full Support | |
| Maven | Full Support | |
| Go | Full Support | |
| NuGet | Full Support (Beta) | Contact JFrog Support to enable. |
| Gems | Full Support (Beta) | Contact JFrog Support to enable. |
| Conda | Partial Support (Beta) | Currently supports only Immature policy. Contact JFrog Support to enable. |
Key Considerations
- CVS requires the JFrog Catalog (custom catalog) to be available. If the Catalog is unavailable, CVS requests return an error.
- Version-based waivers are not supported with CVS. To ensure waivers function correctly, configure waivers using labels rather than explicit package versions.
- If a developer requests a specific, locked version that is blocked by policy, the request fails (no fallback is attempted for locked versions).
- Conda CVS currently supports only the Immature policy condition; other conditions (CVE, CVSS, license) are not yet evaluated for Conda.
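The selection steps under How It Works, together with the locked-version rule above, can be sketched as follows. This is an added illustration, not JFrog's implementation. It assumes a simplified caret range syntax, and the catalog entries, policy labels, version list and 14-day immaturity threshold are all constructed.

```python
from datetime import date

# Constructed Catalog data for a hypothetical package; a version absent here is "missing in Catalog".
CATALOG = {
    "1.2.0": {"released": date(2024, 1, 10), "cves": []},
    "1.3.0": {"released": date(2024, 3, 2), "cves": ["CVE-PLACEHOLDER"]},
    "1.4.0": {"released": date(2024, 5, 20), "cves": []},
    "1.5.0": {"released": date(2024, 6, 28), "cves": []},
}
AVAILABLE = ["1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "2.0.0"]  # constructed upstream index

def parse(version):
    return tuple(int(part) for part in version.split("."))

def in_range(version, spec):
    # Simplified caret range (^X.Y.Z with X >= 1): same major version, not below the base.
    base = parse(spec[1:])
    return parse(version)[0] == base[0] and parse(version) >= base

def violations(version, today, min_age_days):
    # Policy labels are illustrative, not product identifiers.
    meta = CATALOG.get(version)
    if meta is None:
        return ["missing-in-catalog"]
    found = []
    if (today - meta["released"]).days < min_age_days:
        found.append("immature")
    if meta["cves"]:
        found.append("cve")
    return found

def resolve(spec, available, today, min_age_days=14):
    # Returns an audit-style record: what was asked for, what was delivered, what was rejected and why.
    audit = {"requested": spec, "delivered": None, "rejected": {}}
    locked = not spec.startswith("^")
    # A locked (exact) request has one candidate, so a policy failure means no fallback.
    candidates = [spec] if locked else [v for v in available if in_range(v, spec)]
    for version in sorted(candidates, key=parse, reverse=True):
        why = violations(version, today, min_age_days)
        if not why:
            audit["delivered"] = version
            break
        audit["rejected"][version] = why
    return audit

if __name__ == "__main__":
    today = date(2024, 7, 1)  # constructed evaluation date
    print(resolve("^1.2.0", AVAILABLE, today))  # range request: falls back
    print(resolve("1.5.0", AVAILABLE, today))   # locked request: fails
```

Because developers are not notified of a substitution, the difference between `requested` and `delivered` in a record like this is the only place the change is visible, which is why the audit log matters when reconstructing what a build actually consumed.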
