Compliant Version Selection
When a developer requests a package version that is blocked by a curation policy, Compliant Version Selection (CVS) automatically identifies and returns the highest available version that passes all active policies. Instead of failing the request, Curation seamlessly resolves to a compliant alternative — keeping builds running and minimizing developer disruption.
CVS operates at the dependency resolution stage, evaluating both direct and transitive dependencies against all applicable curation policies in real time. It integrates with the JFrog Catalog to assess version metadata, ensuring that only vetted and policy-compliant versions are delivered to developers.
How It Works
When a requested package version fails a curation policy (for example, a policy that blocks immature packages or packages missing in the Catalog):
- Artifactory retrieves all versions that satisfy the dependency range.
- Curation evaluates each version against all active policies for the repository.
- The highest version that passes all policies is returned to Artifactory.
- The developer receives the compliant version transparently — no manual action required.
- The Curation audit log records the original request and the compliant version that was delivered.
If the originally requested version is later updated in the Catalog and passes policy, subsequent requests for it will succeed normally.
Capabilities
Capabilities include:
- Automatic Compliant Version Selection – Returns the highest compliant version when a requested version is blocked, covering both direct and transitive dependencies.
- Policy Evaluation – Evaluates all active curation policies (security, license, operational) for the repository when selecting a compliant version.
- Seamless Developer Experience – Developers are not notified when a different version is delivered. Builds succeed transparently without interruption.
Supported Package Types
| Package Type | Support Level | Minimal Artifactory Version | Minimal Curation Version (Xray Version) | Notes |
|---|---|---|---|---|
| npm | Full Support | 7.124.0 | 3.131.4 | |
| PyPI | Full Support | 7.124.0 | 3.131.4 | |
| Maven | Full Support | 7.124.0 | 3.131.4 | |
| Go | Full Support | 7.141.1 | 3.141.14 | |
| NuGet | Full Support | 7.143.2 | 3.142.3 | |
| Gems | Full Support | 7.143.2 | 3.142.3 | |
| Conda | Partial Support | 7.144.0 | 3.142.3 | Currently supports only the Immaturity policy. |
Key Considerations
- Version-based waivers are not supported with CVS. To ensure waivers function correctly, configure waivers using labels rather than explicit package versions.
- If a developer requests a specific, locked version that is blocked by policy, the request fails (no fallback is attempted for locked versions).
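The selection steps under How It Works and the locked-version rule above, modelled as an added example (not JFrog's code or API). The policy labels, the 14-day immaturity threshold, the caret-range handling and the package metadata are all constructed assumptions.

```python
from datetime import date

MIN_AGE_DAYS = 14  # assumption: age threshold for the "block immature" policy
TODAY = date(2025, 1, 30)  # constructed "now" so the result is reproducible

# Constructed upstream metadata for one hypothetical package.
UPSTREAM = {
    "4.17.0": {"published": date(2024, 3, 1), "in_catalog": True},
    "4.18.0": {"published": date(2024, 11, 10), "in_catalog": True},
    "4.18.1": {"published": date(2025, 1, 20), "in_catalog": False},
    "4.19.0": {"published": date(2025, 1, 28), "in_catalog": True},
    "5.0.0": {"published": date(2024, 12, 1), "in_catalog": True},
}

def parse(version):
    return tuple(int(part) for part in version.split("."))

def in_caret_range(version, base):
    """npm-style ^base for major >= 1: same major version and >= base."""
    return parse(version)[0] == parse(base)[0] and parse(version) >= parse(base)

def violations(meta, today):
    """Names of the policies this version fails; an empty list means compliant."""
    if not meta["in_catalog"]:
        return ["missing-in-catalog"]  # constructed label
    if (today - meta["published"]).days < MIN_AGE_DAYS:
        return ["block-immature"]  # constructed label
    return []

def resolve(spec, upstream=UPSTREAM, today=TODAY):
    """Return an audit record; 'delivered' is None when the request fails."""
    base = spec.lstrip("^")
    if spec.startswith("^"):
        candidates = [v for v in upstream if in_caret_range(v, base)]
    else:  # locked version: the only candidate is the exact version, no fallback
        candidates = [v for v in upstream if v == base]
    candidates.sort(key=parse, reverse=True)
    record = {"spec": spec, "requested": candidates[0] if candidates else None,
              "delivered": None, "blocked": {}}
    for version in candidates:  # highest first, so the first pass wins
        failed = violations(upstream[version], today)
        if not failed:
            record["delivered"] = version
            break
        record["blocked"][version] = failed
    # Flag a substitution so a reviewer can find it in the audit trail.
    record["substituted"] = record["delivered"] not in (None, record["requested"])
    return record

if __name__ == "__main__":
    for spec in ("^4.17.0", "4.19.0", "^5.0.0"):
        print(resolve(spec))
```

The `substituted` flag marks requests where the delivered version differs from the one the range would normally resolve to, which is the case developers are not notified about and the Curation audit log records.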
Configure Compliant Version Selection in Fallback Behavior for Blocked Packages
