Artifacts with "Non url-safe name" created by Nexus when using Github dependabot #838
Description
I'm using Github Dependabot to create pull request when npm dependencies of my project can be updated.
For each dependency, dependabot checks whether a new version exists like this:
updater | 2025/12/04 01:11:04 INFO <job_1173577943> Checking if vi18n-build 8.0.14 needs updating
proxy | 2025/12/04 01:11:04 [017] GET https://<private_repo>/repository/npm-group/vi18n-build
proxy | 2025/12/04 01:11:04 [017] * authenticating npm registry request (host: <private_repo>, basic auth)
proxy | 2025/12/04 01:11:06 [017] 200 https://<private_repo>/repository/npm-group/vi18n-build
proxy | 2025/12/04 01:11:06 [019] GET https://<private_repo>/repository/npm-group/vi18n-build/9.0.0
proxy | 2025/12/04 01:11:06 [019] * authenticating npm registry request (host: <private_repo>, basic auth)
proxy | 2025/12/04 01:11:06 [019] 500 https://<private_repo>/repository/npm-group/vi18n-build/9.0.0
The problem is the GET call to https://<private_repo>/repository/npm-group/vi18n-build/9.0.0. In Nexus this call results in a "500 internal server error" when being called for a specific version of an artifact for the first time. I'm not sure if this is the correct api to call to fetch a specific version of an artifact...
Anyway, what Nexus does when this GET is called is to create an artifcat with a Non URL-safe name: "vi18n-build/9.0.0". See screenshot below
This results in errors when rebuilding the npm metadata:
2025-12-04 10:03:40,898+0100 ERROR [quartz-14-thread-18] *TASK com.sonatype.nexus.repository.npm.internal.tasks.datastore.RebuildNpmMetadataTask - Failed to run task 'Rebuilding npm metadata of my-repo' on repository 'my-repo'
java.lang.IllegalArgumentException: Non URL-safe name: vi18n-build/9.0.0
at com.google.common.base.Preconditions.checkArgument(Preconditions.java:218)
at com.sonatype.nexus.repository.npm.internal.NpmPackageId.checkName(NpmPackageId.java:159)
at com.sonatype.nexus.repository.npm.internal.NpmPackageId.<init>(NpmPackageId.java:62)
at com.sonatype.nexus.repository.npm.internal.NpmPackageId.<init>(NpmPackageId.java:57)
at com.sonatype.nexus.repository.npm.internal.NpmPackageId.parse(NpmPackageId.java:138)
at com.sonatype.nexus.repository.npm.internal.tasks.datastore.RebuildNpmMetadataTask.repairMetadata(RebuildNpmMetadataTask.java:128)
at com.sonatype.nexus.repository.npm.internal.tasks.datastore.RebuildNpmMetadataTask.lambda$1(RebuildNpmMetadataTask.java:96)
at java.base/java.lang.Iterable.forEach(Iterable.java:75)
at com.sonatype.nexus.repository.npm.internal.tasks.datastore.RebuildNpmMetadataTask.rebuildMetadata(RebuildNpmMetadataTask.java:96)
at com.sonatype.nexus.repository.npm.internal.tasks.BaseRebuildNpmMetadataTask.execute(BaseRebuildNpmMetadataTask.java:45)
at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:90)
at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:107)
at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:147)
at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:110)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.sonatype.nexus.quartz.internal.QuartzThreadPool.lambda$0(QuartzThreadPool.java:145)
at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
Also this artifact can neither be deleted via the ui nor via the rest api due to the Non url-safe name.
The creation of the artifacts happens, although I am authenticating with a user who only has read permission.
I get this behaviour in Nexus Repository Manager 3.80.0-06 and 3.86.2-01.