
ProGet 2025.14: Vulnerability Database Updater causes duplicates in PackageNameIds



  • As the title says, after running the Vulnerability Database Updater job, duplicates appear in the PackageNameId table.
    This results in the feed integrity checker complaining about the duplicates and suggesting an index rebuild with duplicate cleanup, which does not fix this issue permanently.

    As a consequence, we found that in the SCA module the license of the package could no longer be detected, even though clicking on the package still navigates to the package page and shows the license as green.

    It looks like packages which had their casing changed in the past are the source of this issue. In our case it happens with the jQuery NuGet package which had the "Q" uppercased.

    The first row in the screenshot is present before the Vulnerability Database Updater job ran, the 2nd row appears after:
    (screenshot)

    Microsoft.NETCore.* packages also cause this issue; apparently the "NET" was uppercased at some point.

    According to the NuGet spec, the package id should be handled case-insensitively. There is also this issue in the purl-spec repo.

    Is this an issue in our database or something that needs to be fixed on ProGet side?


  • inedo-engineer

    Hi @jw ,

    Did you try this on a new instance, or did you discover this on your (older) instance?

    This was a known issue through several versions of ProGet 2025, and it impacts mostly SCA as you noticed. However, the vuln updater has since been fixed, so it shouldn't be continuing.

    The "feed reindex" function can also merge/fix these duplicate names. They should be detected during a "feed integrity" check, and show as a "warning".

    Thanks,



  • Hi @stevedennis

    I first noticed the issue on our production instance, which is an older installation upgraded to 2025.10. The issue is easily reproducible on my test instance, which was just installed from scratch this September.

    With the database looking like the screenshot above, I ran the feed reindex with both options checked. Unfortunately that seems to clean up the wrong entry; in this case ID 68622 gets deleted, which still has the old Package_Name.

    After reindexing the integrity check is green as expected, but when I run the Vulnerability Database Updater job, the database looks like this afterwards:
    (screenshot)

    Running the feed integrity check again, we are back to where we started:
    (screenshot)
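The check described in this thread, written as an added example rather than anything from ProGet or the poster: it finds package-name rows that collide only by letter case and proposes which row of each pair to keep. The table name `PackageNames`, the column names and the sample rows are constructed assumptions, not ProGet's real schema.

```python
import sqlite3

# Constructed sample rows loosely modelled on the thread: the table and
# column names are assumptions for illustration, not ProGet's real schema.
SAMPLE_ROWS = [
    (68622, "jquery"),                 # original, lower-case row
    (70001, "jQuery"),                 # row added later with changed casing
    (68700, "microsoft.netcore.app"),
    (70002, "Microsoft.NETCore.App"),
    (68800, "newtonsoft.json"),        # no duplicate
]

def build_db():
    """Create an in-memory SQLite table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PackageNames ("
        "PackageName_Id INTEGER PRIMARY KEY, Package_Name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO PackageNames VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def find_case_duplicates(conn):
    """Return {folded name: [(id, name), ...]} for case-insensitive collisions."""
    rows = conn.execute(
        "SELECT LOWER(Package_Name), PackageName_Id, Package_Name "
        "FROM PackageNames "
        "WHERE LOWER(Package_Name) IN ("
        "  SELECT LOWER(Package_Name) FROM PackageNames "
        "  GROUP BY LOWER(Package_Name) HAVING COUNT(*) > 1) "
        "ORDER BY 1, 2"
    ).fetchall()
    groups = {}
    for key, pkg_id, name in rows:
        groups.setdefault(key, []).append((pkg_id, name))
    return groups

def merge_plan(groups):
    """Keep the oldest row (lowest id) of each collision and list the rest for
    merging. Keeping the lowest id is this example's policy so that the original
    row survives; it is not a statement of what ProGet's reindex does."""
    return {key: {"keep": rows[0][0], "merge": [r[0] for r in rows[1:]]}
            for key, rows in groups.items()}

if __name__ == "__main__":
    conn = build_db()
    for key, plan in merge_plan(find_case_duplicates(conn)).items():
        print(f"{key}: keep {plan['keep']}, merge {plan['merge']}")
```

SQLite's LOWER() folds ASCII only, which is sufficient for NuGet package ids; on SQL Server the equivalent check is a GROUP BY under a case-insensitive collation.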


  • inedo-engineer

    Hi @jw ,

    Thanks for confirming that; we were able to identify the bug -- this time it was SQL Server-specific.

    This is fixed via PG-3163, which we're shipping in this week's maintenance release. You'll still need to run the de-duplication afterwards, however.

    Thanks,
    Alana

