Fallback Behavior for Blocked Packages
Define how JFrog Curation should handle package requests when the requested version is blocked by curation policies.
Configure Fallback Behavior
In the Fallback Behavior for Blocked Packages section, configure the setting under Resolution of Pending Package Updates:
- Allow if no blocking policy on remote – Allows the package if no blocking policies exist on the remote repository.
- Always block – Blocks all requests for packages that violate curation policies.
- Always allow (Not recommended) – Allows all package requests, even if they violate policies.
Enable Compliant Version
Important Notes:
- This feature requires Xray version 3.131.x and above and Artifactory version 7.125.x and above.
- The remote repository must have cache enabled for the feature to work properly.
- In the current version of Compliant Version Selection (CVS) for npm, when a developer requests a locked version, the requested version may be removed by the CVS functionality if it is blocked, resulting in an ETARGET error.
- Version-based waivers are not supported with CVS. To ensure waivers function correctly, configure waivers using labels rather than explicit package versions.
Supported package types:
| Package Type | Support Level | Notes |
|---|---|---|
| npm | Full Support | |
| PyPI | Full Support | |
| Maven | Full Support | |
| Go | Full Support | |
| NuGet | Full Support (Beta) | Contact JFrog Support to enable. |
| Gems | Full Support (Beta) | Contact JFrog Support to enable. |
| Conda | Partial Support (Beta) | Currently CVS supports only Immature policy for Conda. Contact JFrog Support to enable. |
Enable compliant version selection: Toggle this option to return the highest version that complies with your policies instead of blocking the request.
- Works for both direct and transitive dependencies.
- Primarily effective for the Missing in Catalog and Immature policies.
- Developers are not notified when a different version is delivered—this ensures a seamless workflow.
- If a developer requests a specific, locked version that is blocked by policy, the request fails (current behavior).
- A Compliant Version Log is being developed to let developers see why they received a different version.
Per-Package-Type Enablement
Compliant Version Selection can be enabled or disabled per package type:
- Navigate to Administration > Curation > Remote Repositories.
- Select the package type you want to configure.
- Toggle Compliant Version Selection on or off for that package type.
When auto-connect is enabled, CVS is automatically activated for newly supported package types as they become available.
How Compliant Version Selection Works
When a requested package version fails a Curation policy (for example, because it is immature or missing from the Catalog), Curation automatically resolves the request to the nearest compliant version through the following process:
Request: A developer requests a specific package version, for example 3.141.
Version range retrieval: Artifactory retrieves all available versions that satisfy the dependency constraints (for example 3.08–3.141).
Policy evaluation: Curation evaluates these versions and identifies the first version that complies with all policies—3.13 in this example.
Return compliant version: Curation returns version 3.13 to Artifactory, which downloads and serves it to the developer.
Audit log: The Curation audit log records 3.13 as Approved, allowing the build or dependency resolution to proceed without interruption.
Later updates: If the originally requested version (3.141) is later updated in the Catalog and becomes policy-compliant, future requests for that version will succeed.
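The selection steps above can be modelled in a few lines. The following is an added illustration, not JFrog's implementation: the `Release` type, the function names, the 14-day immaturity threshold and the sample data are all assumptions made for the example. It also returns a `substituted` flag, because developers are not notified when a different version is delivered and a build pipeline may want to record that itself.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Release:
    version: tuple        # (3, 13) stands for 3.13
    published: date
    in_catalog: bool

def violations(rel, today, min_age_days):
    """Names of the modelled policies this release violates."""
    found = []
    if not rel.in_catalog:
        found.append("Missing in Catalog")
    if (today - rel.published).days < min_age_days:
        found.append("Immature")
    return found

def select_compliant(releases, low, high, today, min_age_days=14):
    """Return (delivered, substituted) for a request for the range [low, high].

    delivered is the highest compliant version, or None when every candidate
    is blocked. substituted is True when delivered is not the version the
    client would have received without curation.
    """
    in_range = sorted((r for r in releases if low <= r.version <= high),
                      key=lambda r: r.version, reverse=True)
    for rel in in_range:
        if not violations(rel, today, min_age_days):
            return rel.version, rel.version != in_range[0].version
    return None, False

# Constructed sample data mirroring the page's 3.08-3.141 walk-through.
TODAY = date(2025, 1, 31)
RELEASES = [
    Release((3, 8), date(2024, 6, 1), True),
    Release((3, 13), date(2024, 11, 1), True),
    Release((3, 100), date(2024, 12, 1), False),   # not in the Catalog
    Release((3, 141), date(2025, 1, 29), True),    # two days old: immature
]

if __name__ == "__main__":
    # Range request: silently resolved to 3.13, so record the substitution.
    print(select_compliant(RELEASES, (3, 8), (3, 141), TODAY))
    # Locked request for 3.141: nothing compliant, so the request fails.
    print(select_compliant(RELEASES, (3, 141), (3, 141), TODAY))
```

A locked request is the case where `low` equals `high`: if that single version is blocked there is nothing to fall back to, which matches the failure described for locked versions above.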
Advantages
Reduced Development Disruptions: Prevents failed dependency requests by automatically resolving them to a compliant version.
Smarter Dependency Resolution: Ensures both direct and transitive dependencies resolve to secure, policy-compliant versions.
