kpfleming/pkg-proxy
1
0
Fork 0
forked from mirrors/pkg-proxy
Code Pull requests Activity
157 commits 4 branches 1 tag 854 KiB
Commit graph

157 commits

This branch
This branch
All branches
Author SHA1 Message Date
Andrew Nesbitt
68a8af56d4
 		Merge pull request #26 from git-pkgs/fix-path-traversal 
Reject path traversal in debian and rpm handlers
 2026-03-13 07:24:43 +00:00
Andrew Nesbitt
c46535bbef
 		Merge pull request #27 from git-pkgs/docs-improvements 
Document web UI, monitoring, and database schema
 2026-03-13 07:22:57 +00:00
Andrew Nesbitt
ade64386a6
 		Document web UI, monitoring, database schema, and cooldown support 
Add web interface section to README describing all pages (dashboard,
package browser, source browser, version diff). Add monitoring section
with the full Prometheus metrics table and scrape config. Add cooldown
column to the registry support table. Update architecture doc with
accurate database schema including all columns and indexes, and add
entries for metrics, cooldown, and enrichment packages.
 2026-03-12 12:18:27 +00:00
Andrew Nesbitt
bf7e83efe3
 		Reject path traversal in debian and rpm handlers 
The debian and rpm handlers take the request path and pass it directly
to the upstream URL without checking for ".." segments. This could let
a client craft a request that reaches unintended upstream paths.

Add a containsPathTraversal check at the entry point of both handlers
and return 400 for any path containing ".." segments.
 2026-03-12 12:05:52 +00:00
Andrew Nesbitt
3d6ebc9522
 		Stop leaking internal error messages in API and health responses 
Replace err.Error() in HTTP error responses with generic messages.
Internal details like database driver errors and enrichment failures
were being sent directly to clients.
 2026-03-12 12:01:29 +00:00
Andrew Nesbitt
9e97a3316a
 		Escape user-controlled strings in browse source JavaScript 
File paths from archive contents were interpolated directly into onclick
handlers and innerHTML via template literals. A crafted filename containing
quotes could break out of the string context and execute arbitrary JS.

Add an escapeHTML helper and use it on all interpolated path and URL values
in the browse source page.
 2026-03-12 11:59:14 +00:00
Andrew Nesbitt
9b321eaaa6
 		Merge pull request #21 from git-pkgs/openapi-docs 
Add generated OpenAPI docs support
 2026-03-12 11:54:55 +00:00
Andrew Nesbitt
82443e137f
 		Add generated OpenAPI docs support 2026-03-12 11:49:31 +00:00
Andrew Nesbitt
9c0f1bc58d
 		Merge pull request #22 from git-pkgs/template-ecosystem-cleanup 
Remove hard-coded ecosystems from templates
 2026-03-11 17:55:42 +00:00
Andrew Nesbitt
fe32236a57
 		Remove hard-coded ecosystems from templates 2026-03-11 17:25:47 +00:00
Andrew Nesbitt
4858286778
 		Merge pull request #17 from git-pkgs/cooldown-feature 
Add version cooldown to filter recently published packages
 2026-03-11 16:04:56 +00:00
Andrew Nesbitt
befc4493a2
 		Merge pull request #19 from git-pkgs/dependabot/github_actions/actions/setup-go-6.3.0 
Bump actions/setup-go from 6.2.0 to 6.3.0
 2026-03-05 15:42:22 +00:00
dependabot[bot]
bd99f3dd82
 		Bump actions/setup-go from 6.2.0 to 6.3.0 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](7a3fe6cf4c...4b73464bb3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-05 15:27:53 +00:00
Andrew Nesbitt
dd4595ddc5
 		Add version cooldown section to README 
Explains the motivation (supply chain attacks rely on speed), shows a
concrete config example, and walks through what happens when a new
version is published.
 2026-03-04 19:07:53 +00:00
Andrew Nesbitt
4f8f63f354
 		Add version cooldown to filter recently published packages 
Hides package versions published too recently from metadata responses,
giving the community time to spot malicious releases. Configurable
per-ecosystem and per-package with duration overrides. Supported for
npm, PyPI, pub.dev, and Composer.
 2026-03-04 19:00:31 +00:00
Andrew Nesbitt
5f4c57693e
 		Merge pull request #15 from git-pkgs/use-purl-library 
Replace inline PURL construction with purl library
 2026-03-04 09:23:10 +00:00
Andrew Nesbitt
364549ad14
 		Replace inline PURL construction with purl library 
Uses purl.MakePURLString() instead of fmt.Sprintf("pkg:...") for
correct namespace handling (npm scopes, Go module paths, Maven group
IDs) and percent-encoding. Replaces hand-rolled extractEcosystem and
inline PURL parsing in the bulk lookup fallback with purl.Parse().
 2026-03-04 09:20:16 +00:00
Andrew Nesbitt
40cfd7798e
 		Merge pull request #14 from git-pkgs/update-dependencies 
Update all dependencies
 2026-03-04 09:15:43 +00:00
Andrew Nesbitt
1618d6deca
 		Update all dependencies 2026-03-04 09:09:13 +00:00
Andrew Nesbitt
bd123e298e
 		Merge pull request #13 from git-pkgs/use-archives-diff 
Replace internal/diff with archives/diff
 2026-02-27 12:18:38 +00:00
Andrew Nesbitt
a93eb4da5e
 		Update archives to v0.2.0 2026-02-27 12:14:00 +00:00
Andrew Nesbitt
07778d9727
 		Replace internal/diff with archives/diff 
The diff package has been extracted into the archives module where it
belongs, since it operates on archives.Reader. This removes the internal
copy and imports from github.com/git-pkgs/archives/diff instead.
 2026-02-27 10:55:10 +00:00
Andrew Nesbitt
1897f2f44f
 		Merge pull request #11 from git-pkgs/dependabot/github_actions/goreleaser/goreleaser-action-7.0.0 
Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0
 2026-02-26 16:19:44 +00:00
dependabot[bot]
5b16012ab3
 		Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.4.0 to 7.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](e435ccd777...ec59f474b9)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-02-26 15:34:49 +00:00
Andrew Nesbitt
2e9dc1a6b3
 		Merge pull request #10 from git-pkgs/use-registries-fetch 
Replace internal/upstream with registries/fetch
 2026-02-20 20:26:23 +00:00
Andrew Nesbitt
be8c4b9860
 		Replace internal/upstream with registries/fetch 
Use the new client/ and fetch/ sub-packages from git-pkgs/registries
instead of the local upstream package. The fetcher, circuit breaker, and
resolver now live in registries where they can be shared across projects.

Depends on git-pkgs/registries#8.
 2026-02-20 17:31:12 +00:00
Andrew Nesbitt
f10610fc15
 		Use go tool directive for golangci-lint instead of GitHub Action 2026-02-20 07:59:32 +00:00
Andrew Nesbitt
e6645f38c9
 		Fix staticcheck QF1012 lint warnings in diff package 2026-02-20 07:53:24 +00:00
Andrew Nesbitt
70dd557184
 		Update Go dependencies 2026-02-20 07:41:00 +00:00
Andrew Nesbitt
48ae3898c2
 		Merge pull request #3 from git-pkgs/dependabot/go_modules/github.com/go-chi/chi/v5-5.2.5 
Bump github.com/go-chi/chi/v5 from 5.2.4 to 5.2.5
 2026-02-16 11:25:21 +00:00
Andrew Nesbitt
337159d3cd
 		Merge pull request #2 from git-pkgs/dependabot/github_actions/zizmorcore/zizmor-action-0.5.0 
Bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0
 2026-02-16 11:25:10 +00:00
Andrew Nesbitt
4d5098e044
 		Remove internal/archive package, replaced by git-pkgs/archives dependency 2026-02-16 11:11:48 +00:00
dependabot[bot]
c50bf725b7
 		Bump github.com/go-chi/chi/v5 from 5.2.4 to 5.2.5 
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.4 to 5.2.5.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.2.4...v5.2.5)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-02-16 10:54:33 +00:00
dependabot[bot]
b86c8be81d
 		Bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.4.1 to 0.5.0.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](135698455d...0dce2577a4)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-02-16 10:54:32 +00:00
Andrew Nesbitt
8ddf07587c
 		Fix golangci-lint errors (errcheck, staticcheck, unused) 2026-02-16 10:53:21 +00:00
Andrew Nesbitt
e35394bee3
 		Use shared github.com/git-pkgs/enrichment module 2026-02-06 10:37:00 +00:00
Andrew Nesbitt
c7106922c8
 		go mod tidy 2026-02-04 08:49:17 +00:00
Andrew Nesbitt
8c7928cf31
 		Update dependencies 2026-02-03 22:53:40 +00:00
Andrew Nesbitt
96ff2731e5
 		Update ecosystems-go dependency version in go.mod 2026-02-03 22:41:13 +00:00
Andrew Nesbitt
2d7cb8eae5
 		Refactoring and features 2026-02-03 22:40:40 +00:00
Andrew Nesbitt
bbd88fcca1
 		Update .gitignore 2026-02-03 22:40:26 +00:00
Andrew Nesbitt
0901aa082b
 		ignore binary 2026-02-03 22:40:26 +00:00
Andrew Nesbitt
fb66817a05
 		remove and ignore cache db 2026-02-03 22:40:25 +00:00
Andrew Nesbitt
c3750adfd0
 		Merge pull request #1 from git-pkgs/dependabot/go_modules/github.com/ecosyste-ms/ecosystems-go-0.1.0 
Bump github.com/ecosyste-ms/ecosystems-go from 0.0.0-20260115154313-d5f3879b6ec0 to 0.1.0
 2026-01-29 21:20:51 +00:00
dependabot[bot]
d36b660f9d
 		Bump github.com/ecosyste-ms/ecosystems-go 
Bumps [github.com/ecosyste-ms/ecosystems-go](https://github.com/ecosyste-ms/ecosystems-go) from 0.0.0-20260115154313-d5f3879b6ec0 to 0.1.0.
- [Commits](https://github.com/ecosyste-ms/ecosystems-go/commits/v0.1.0)

---
updated-dependencies:
- dependency-name: github.com/ecosyste-ms/ecosystems-go
  dependency-version: 0.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-01-29 21:17:08 +00:00
Andrew Nesbitt
9c974a0a81
 		Fix Windows CI test failures 
- Use proper file:/// URL format for Windows paths in blob storage tests
- Accept both text/javascript and application/javascript MIME types
 2026-01-29 21:12:13 +00:00
Andrew Nesbitt
935c881c2f
 		Remove local replace directives for git-pkgs dependencies 
The replace directives pointed to sibling directories that don't exist
in CI. Updated registries and vulns to use published versions.
 2026-01-29 19:57:10 +00:00
Andrew Nesbitt
f4a407ced3
 		Add GitHub Actions workflows and goreleaser config 2026-01-29 19:44:41 +00:00
Andrew Nesbitt
658e9621d8
 		Add Container, Debian, RPM handlers and enrichment API 
Adds proxy support for Docker/OCI container registries, Debian/APT
repositories, and RPM/Yum repositories. Includes a new enrichment API
for package metadata, vulnerability scanning, and outdated detection.

Updates the dashboard with Tailwind CSS, dark mode support, and a
security overview section showing vulnerability counts.
 2026-01-29 19:35:15 +00:00
Andrew Nesbitt
1eb9d71bd7
 		Align database schema with git-pkgs for compatibility 
The proxy can now use an existing git-pkgs database as a starting point.
Packages and versions tables match git-pkgs schema, using PURL-based
references instead of integer IDs. The proxy adds its own artifacts
table for caching functionality.
 2026-01-29 16:44:01 +00:00