Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

  • uploading debian package with plurl still required distrubtion

    4
    0 Votes
    4 Posts
    13 Views
    dean-houstonD
    @manuel.riezebosch_8638 the purl argument was never actually read, so you could have really put anything in there :) It was just one of those docs error; many other api endpoints will use a purl argument And you're right... all the other package types have metadata inside the package, so that's what's read. Some require a file name, but Debian is an outlier in that it requires a distribution argument as well.
  • Maven snapshot metadata not generated for versions like TRK.0-SNAPSHOT

    3
    0 Votes
    3 Posts
    15 Views
    O
    Hi @stevedennis, Thank you very much for your answer. From what I've read elsewhere, that's exactly what I thought. By the way, and besides that, ProGet is a really great tool. Good job ! Regards, Olivier
  • 0 Votes
    3 Posts
    14 Views
    B
    Hi @stevedennis, Can you provide more detail in your response? You mention, for example, standard practices. You don't however mention for what, what those are, or what features BuildMaster has to support them. Maybe you mean in terms of doing things on a build bases. If that is what you meant it might be helpful if you knew what I was doing which I unfortunately didn't provide in my original message. The goal of my script is a clean up script for PRs since you guys do not have that feature built in. The purpose behind this is I want a PR to kick off a release/build to prove that it will actually build and set a marker on the PR to allow it to be merged. Once the PR is merged those releases/builds are no longer useful. Unfortunately, none of your retention rules take that in to consideration (part of why I asked in the previous message if you had any enhancements coming in the next major build that might be helpful for me). On your note about standard practices, I'm assuming this might be where it is targeted (the PR workflow). One of our colleagues mentioned in another post trying things differently and even doing releaseless builds but they did support the idea of having some build verification on a PR before allowing it to be merged. I'm not entirely sure, however, how a releaseless build might help. I did think about it but my fear is making the UI more cumbersome in finding what you are looking for. What I mean by that is everything is listed together (although I haven't yet tried a mix of releases and releaseless builds but I will) so naturally the PRs would continue pushing the main release down. Also if PR releases aren't being removed as soon as the PR is merged then the main release stays pushed down and there are more PRs to go through to find yours. In my original message I left it a little more open to hopefully provide more flexibility in your response. This time going to try a list of specific questions. Do you have any upcoming features that might help with any of this? The call to Releases_GetRelease requires a release id but fetching the releases just gives me release numbers. How do I bridge that gap? What is the standard practices you referred to for the workflow? I'm not sure I'll be able to before you respond but I do plan on investigating writing an extension for a different purpose anyways so I'll also look at one for this PR management too. In addition to the bullet points feel free to add anything you might find useful. Thank you, Brandon
  • ProGet: Strategies for (more) flexible feed naming

    3
    0 Votes
    3 Posts
    8 Views
    G
    Thanks for the tips. That Docker constraint is particularly good to know, I hadn't realized! We do have a rather large amount of feeds to manage, including a (growing) set of feeds we use as local mirrors. I'll see if we can find an alternative solution that works for us...
  • Install Issues - Docker Compose + Postgres

    8
    1 Votes
    8 Posts
    19 Views
    stevedennisS
    Hi @jeremy-oaks_9309 , Just wanted to respond to this real quick: I have ~80k packages (~600GB) -- so we're opting for the stand-alone database for performance purposes Based on this information we still recommend using the embedded database; it's almost always going to be more performant as well as simpler to maintain. 80k is not that many packages by any stretch. While @pg_user_8607 is correct in that it's a bit easier to monitor database performance, investigate issues like bad queries, and do DBA maintenance tasks - that's all technically "our job". From a user perspective, the only required "database maintenance" should be backing up the files. We certainly don't mind the help (and users like @pg_user_8607 have helped us out a lot!!), and it may be quicker if you "know what you're doing" to get to a root issue, since we're not all exactly experts at all these layers. But I just wanted to make sure you were aware of the pros-and-cons. Thanks, Steve
  • 0 Votes
    1 Posts
    3 Views
    No one has replied
  • 0 Votes
    1 Posts
    2 Views
    No one has replied
  • 0 Votes
    2 Posts
    7 Views
    stevedennisS
    Hi @brandon_owensby_2976, I wasn't able to reproduce this issue, but looking over the code, I can see a few scenarios in which "not configured to allow access to encrypted values" will trigger, even if that's not accurate. It's not trivial to rewrite that to provide a more accurate error message or credential resolution, so we'll add this to our BuildMAter 2027t roadmap and review it more closely then. In the meantime, I would just use a variable and duplicate the information. Thanks, Steve
  • 0 Votes
    6 Posts
    17 Views
    gdivisG
    Glad I could help! We'll get that documentation updated as well.
  • [ProGet] Feature Request: Visual Studio Code - private Extension Gallery

    11
    0 Votes
    11 Posts
    49 Views
    X
    My company is also looking for a air-cap solution. It really is a pain and unfortunately, the Microsoft solution that requires GitHub Enterprise isn't a good fit. That's why we'd really like to have a solution like ProGet. As I understand it, two things are required: It must be possible to configure custom service endpoints in VS Code --> Microsoft allows this with these settings: https://github.com/microsoft/vsmarketplace/blob/main/privatemarketplace/latest/README.md#5-connect-vs-code-to-the-private-marketplace The API documentation must be available --> There is no official documentation from Microsoft. However, Open VSX has documented the API for its VS Code adapter here: https://open-vsx.org/swagger-ui/index.html?urls.primaryName=VSCode Adapter# The question now is whether this documentation is reliable enough for you to adapt it. The API doesn’t actually look very comprehensive. It would be great if you could look into that Another approach would be a VS Code "Private Marketplace" extension that supports NPM registries. There are some available, but they don’t seem to be actively maintained and are therefore not very trustworthy.
  • npm package version falsely marked as vulnerable by ProGet

    3
    0 Votes
    3 Posts
    16 Views
    A
    Hi Steve, thanks for the explanation. I also think creating a PR for GHSA would be the best way to go. Since your company is incorporating GHSA into your product I think it's up to Inedo to improve GHSA by creating this PR, thus improving your product for you customers. Thanks, Andreas
  • Git Repository Monitor - Create build when a PR is created/updated

    9
    0 Votes
    9 Posts
    32 Views
    stevedennisS
    Hi @brandon_owensby_2976 , You can configure release settings on an application-by-application basis under the Settings tab. In this case, you'd set Release Usage to be Optional or Disabled. If Release Usage is set to Required, users must select a release when creating a new build; this was the deefault in older versions of BuildMaster. https://docs.inedo.com/docs/buildmaster/modeling-your-applications/buildmaster-releases Cheers, Steve
  • 0 Votes
    4 Posts
    13 Views
    apxltdA
    Hi @fabrice-mejean , Thanks so much for the detailed information and offer to connect further! Very interested in that and I will definitely take you up on that :) Please give me a little time for that; I've got some travel coming up and then a bunch of other things... so I'd like to connect when I can really focus on some of these future things. . Cheers, Alex
  • ProGet: implement Policies & Blocking support for Container feeds

    8
    0 Votes
    8 Posts
    70 Views
    stevedennisS
    @Nils-Nilsson excellent, let us know as you have other feedback too! This is definitely an area we intend to keep improving in throughout ProGet 2026+
  • 0 Votes
    4 Posts
    17 Views
    stevedennisS
    Hi @carl-westman_8110 , Thanks for sharing that. This isn't a symptom of "server overload" that we've seen before. The error you shared is occurring on Feeds_GetFeeds, which is definitely not an intensive query, and I would not expect that to be timing out at all. It's just SELECT * FROM [Feeds]. However, that's a similar symptom to the "AzureSQL resource throttling" that we've seen on other users: another query is being throttled (for example, something that joins on [Feeds]), and that is causing a cascading impact on other queries. We don't have enough information to say that's the case here. But, an easy way to test would be to up your DTUs substantially. Otherwise, the next troubleshooting step is to try to identify the cause of the timeouts, which involves looking at HTTP Access logs and jobs occurring around the same time under Admin > Scheduled Jobs. Thanks, Steve
  • API request to get latest image or chart?

    2
    0 Votes
    2 Posts
    10 Views
    atrippA
    Hi @jeff-miles_5073 , You can get information about images and tags using the Docker API; we do not provide documentation on how to use that (see our caveat on Feed Endpoints). And unfortunately the Docker API is a bit awkward, but with enough ChatGPT you should be able to figure it out :) You could also query the database directly, perhaps building some kind of data export tool so that you can sync it with your dashboard. Hope that helps, Alana
  • 0 Votes
    4 Posts
    21 Views
    rhessingerR
    Hi @joris-guex, Thanks for sending an example over. It looks like this is related to an issue in the libssh2-sys's manifest. I have created a ticket, PG-3321, to handle these issues better. We are expecting to have a fix out within the couple of maintenance releases of ProGet 2026. Thanks, Rich
  • ProGet pnpm audit reports no vulnerabilities

    4
    0 Votes
    4 Posts
    21 Views
    stevedennisS
    Hi @Ashley , Amazing, thanks for this investigation! This is very helpful. You've also captured the exact issue we have with a lot of these APIs; no real specs (or worse... wrong specs), which involves a reverse engineering effort. This quote is wonderful: In summary, due to the lack of an official JSON schema and potential changes between npm versions, it's crucial to treat the npm audit --json output structure as subject to change. Relying solely on the npm CLI source code for the most accurate and up-to-date information is recommended, along with implementing robust version checks and testing in your development processes. Wouldn't it be nice if we could build our products like that! Anyway, I was curious and I asked internally, and the original engineer is almost certain that npmjs used to have the CVE number there, which we also used to emit until changing to PGVD number in ProGet 2023. But that is consistent with their position of "we don't do specs, just read the latest commit to figure it out. But it doesn't really matter, that's what we have now... To ensure consistency with the public npm registry, would it be possible to change ProGet to use a number for the id field on the audit response? If you discovered this in ProGet 2025, we'd just change it in ProGet 2026 and not worry about it. But we need to be super-careful making API changes in a maintenance release. We can't quite get away with Microsoft/GitHub levels of quality :) Seemingly harmless changes lead to broken builds, which are really painful to debug; for example, we recently added upload-time to PyPI API. That caused older versions of the pip client to break due to a bug in how they parsed dates. There are probably too many client/versions to answer the question "what is this field even used for and what are the consequences of changing it?" Perhaps an easier route is to just get pnmp to change to a string, like the rest of them? Or, just ignore it and "let it be"? Over time, if you follow our recommend best practices, these audits will show fewer and fewer vulnerabilities. We plan to continuously refine the PVRS algorithm to better combat both "vulnslop" (i.e. AI-discovered and AI-generated vulnerabilities that cannot be exploited in any real-world scenario nor would cause any real-world harm if so) and misreporting. Thanks, Steve
  • Block recently published - Metadata filter ?

    4
    1 Votes
    4 Posts
    28 Views
    apxltdA
    @jens-viebig_4541 ooh good catch! That guidance is outdated as of ProGet 2026, where we no longer recommend/default to blocking Noncompliant packages. We should rewrite/republish the article to be more focused on guidance, update the screenshots, etc. I'll add that to the list.
  • 0 Votes
    2 Posts
    7 Views
    stevedennisS
    Hi @svc-4x9p2a_6341 , This is known issue and will be addressed via PG-3309 in the next maintenance release. You can just ignore the messages for the time being, it only happens like once a week or so.... I wouldn't modify the database either. Thanks, Steve
Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation