
npm package list support #129

Merged (1 commit) Jun 1, 2021

Conversation

tom--pollard (Contributor) commented May 28, 2021

This extends #99 to support npm, as part of the ongoing effort towards #83

@tom--pollard tom--pollard changed the title WIP: NPM package list support npm package list support May 28, 2021
tom--pollard (Contributor, Author) commented May 28, 2021

The behaviour of hard failing when hitting an unpublished (all existing versions removed, at the given point in time) package on the critical list seems sensible to me; however, it should probably be aligned with how this is handled for the pypi implementation for a similar scenario. Any insight on this @Qinusty?

Qinusty (Contributor) left a review comment:

Minor point, otherwise looks good 👍

(review comment on feeds/npm/README.md, outdated, resolved)
Qinusty (Contributor) commented Jun 1, 2021

> The behaviour of hard failing when hitting an unpublished (all existing versions removed, at the given point in time) package on the critical list seems sensible to me; however, it should probably be aligned with how this is handled for the pypi implementation for a similar scenario. Any insight on this @Qinusty?

This could be quite problematic for a deployment with an NPM feed configured with many packages for critical polling. A single package being unpublished has the potential to prevent polling of all NPM packages specified.

tom--pollard (Contributor, Author) commented

> > The behaviour of hard failing when hitting an unpublished (all existing versions removed, at the given point in time) package on the critical list seems sensible to me; however, it should probably be aligned with how this is handled for the pypi implementation for a similar scenario. Any insight on this @Qinusty?
>
> This could be quite problematic for a deployment with an NPM feed configured with many packages for critical polling. A single package being unpublished has the potential to prevent polling of all NPM packages specified.

Yes, this is definitely a concern; it should be looked at as part of #107 and addressed along with other brittle areas.
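The brittleness discussed above (one unpublished package aborting polling of the whole critical list) is illustrated here with an added example that is not part of this PR or of the package-feeds code base. It assumes the npm registry's behaviour of returning a document with a `time.unpublished` entry and no `versions` for a fully unpublished package, or a 404 for a name that never existed; the registry contents below are constructed.

```python
"""Added example: poll a critical npm package list per package so that an
unpublished entry is recorded and skipped rather than failing the whole run."""
import logging

log = logging.getLogger("npm-critical")

# Constructed stand-in for https://registry.npmjs.org/<name> (not live data).
# "gone-pkg" mimics a fully unpublished package: `time.unpublished` present,
# no `versions`. A name absent from the dict stands for a 404 (assumption).
FAKE_REGISTRY = {
    "left-pad": {
        "name": "left-pad",
        "dist-tags": {"latest": "1.3.0"},
        "versions": {"1.2.0": {}, "1.3.0": {}},
    },
    "gone-pkg": {
        "name": "gone-pkg",
        "time": {"unpublished": {"time": "2021-05-28T00:00:00Z"}},
    },
}


class PackageUnavailable(Exception):
    """Package has no versions to poll: unpublished or never published."""


def fetch_latest(name, registry=FAKE_REGISTRY):
    """Return the `latest` dist-tag, or raise PackageUnavailable."""
    doc = registry.get(name)
    if doc is None:
        raise PackageUnavailable(f"{name}: registry returned 404")
    if "unpublished" in doc.get("time", {}) or not doc.get("versions"):
        raise PackageUnavailable(f"{name}: package is unpublished")
    return doc["dist-tags"]["latest"]


def poll_critical_list_hard_fail(names, registry=FAKE_REGISTRY):
    """The brittle shape: the first unavailable package aborts everything."""
    return {name: fetch_latest(name, registry) for name in names}


def poll_critical_list(names, registry=FAKE_REGISTRY):
    """Isolate failures per package: keep polling, report what was skipped."""
    versions, skipped = {}, {}
    for name in names:
        try:
            versions[name] = fetch_latest(name, registry)
        except PackageUnavailable as exc:
            log.warning("skipping critical package: %s", exc)
            skipped[name] = str(exc)
    return versions, skipped
```

Surfacing `skipped` to the operator matters as much as not aborting: a critical package silently disappearing from the registry is itself a signal worth alerting on.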

@tom--pollard tom--pollard merged commit 940c020 into ossf:main Jun 1, 2021