ProGet 2025.14: Vulnerability Database Updater causes duplicates in PackageNameIds
-
As the title says, after running the Vulnerability Database Updater job, duplicates appear in the PackageNameIds table.
This results in the feed integrity checker complaining about the duplicates and suggesting an index rebuild with duplicate cleanup, which does not fix this issue permanently. As a consequence, we found that in the SCA module the license of the package could no longer be detected, even though clicking on the package still navigates to the package page and shows the license as green.
It looks like packages which had their casing changed in the past are the source of this issue. In our case it happens with the jQuery NuGet package which had the "Q" uppercased.
The first row in the screenshot is present before the Vulnerability Database Updater job ran, the 2nd row appears after:

Microsoft.NETCore.* are also packages causing this issue; apparently the "NET" was uppercased at some point. According to the NuGet spec, the package id should be handled case-insensitively. There is also this issue in the purl-spec repo.
Is this an issue in our database or something that needs to be fixed on ProGet side?
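An added check, not from this thread or from Inedo's code, that reproduces what the feed integrity check is warning about: it scans rows shaped like the PackageNameIds table (column names, row ids and package names below are constructed, not real data) and groups names that differ only by case, which the NuGet spec treats as the same package id.

```python
from collections import defaultdict

# Constructed sample resembling the PackageNameIds rows in the screenshots:
# (PackageName_Id, Package_Name). Ids and names are assumed, not real data.
SAMPLE_ROWS = [
    (68622, "jquery"),
    (70115, "jQuery"),
    (70201, "Microsoft.NETCore.App"),
    (70202, "Microsoft.NetCore.App"),
    (70300, "Newtonsoft.Json"),
]


def normalize_id(name: str) -> str:
    """NuGet package ids are compared case-insensitively; fold consistently."""
    return name.strip().casefold()


def find_case_duplicates(rows):
    """Return {normalized_id: [(id, name), ...]} for names that collide
    only by case; this is the condition an integrity check should flag."""
    groups = defaultdict(list)
    for row_id, name in rows:
        groups[normalize_id(name)].append((row_id, name))
    return {key: entries for key, entries in groups.items() if len(entries) > 1}


def report(rows):
    """One line per colliding id, listing every row id and spelling involved."""
    lines = []
    for key, entries in sorted(find_case_duplicates(rows).items()):
        spellings = ", ".join(f"{rid}:{name}" for rid, name in sorted(entries))
        lines.append(f"{key}: {len(entries)} rows -> {spellings}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ROWS):
        print(line)
```

Run against a real export you would replace SAMPLE_ROWS with the (id, name) pairs from the table; deciding which spelling to keep is still a judgement call, as the thread explains.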
-
Hi @jw ,
Did you try this on a new instance, or did you discover this on your (older) instance?
This was a known issue through several versions of ProGet 2025, and it impacts mostly SCA as you noticed. However, the vuln updater has since been fixed, so it shouldn't be continuing.
The "feed reindex" function can also merge/fix these duplicate names. They should be detected during a "feed integrity" check, and show as a "warning".
Thanks,
-
Hi @stevedennis
I first noticed the issue on our production instance, which is an older installation upgraded to 2025.10. The issue is easily reproducible on my test instance, which was just installed from scratch this September.
With database looking like the screenshot above, I ran the feed reindex with both options checked. Unfortunately that seems to clean up the wrong entry, in this case the ID 68622 gets deleted, which still has the old Package_Name.
After reindexing the integrity check is green as expected, but when I run the Vulnerability Database Updater job, the database looks like this afterwards:

Running the feed integrity check again, we are back to where we started:

-
Hi @jw ,
Thanks for confirming that; we were able to identify the bug -- this time it was SQL Server specific.
This is fixed via PG-3163, which we're shipping in this week's maintenance release. You'll still need to run the de-duplication afterwards, however.
Thanks,
Alana
-
Hi @atripp
Just tested 2025.15 and the Vulnerability Database Updater does not cause duplications anymore - so thank you for that fix!
A small semi-related issue:
The deduplication during reindex does remove the duplicate entries, but it always leaves the entry with the wrong (old) package name behind.
E.g. when I have no jQuery package in the cache everything looks correct, most likely because the package name is taken directly from the feed:

When I download the package and it gets cached, the database entry seems to take over causing the old package name to be displayed:

Is there any way I can update these packages with changed names to use the newer one?
Maybe this could be an option during reindex?
-
Hi @jw,
Unfortunately there's no easy way to guess which name is "correct", so sometimes the "wrong" name gets de-duplicated. This also should have no real side-effect, except perhaps seeing the "wrong" casing in some places.
However, as you noticed, the name is overwritten when a package is added to a feed. So, if jquery is the package name stored in the database, that record will be updated to jQuery upon upload of a package. This doesn't seem to impact many packages at all.
Thanks,
Alana
-
"However, as you noticed, the name is overwritten when a package is added to a feed. So, if jquery is the package name stored in the database, that record will be updated to jQuery upon upload of a package."
This was a pretty good hint. So far I've only been hitting the "Download Package" button, which puts the package in the cache, but apparently does not update the name in PackageNameIds. "Pull to ProGet" however seems to update that table and I can fix the old names in the database. Thank you!