Hello ProGet Community,
I'm testing ProGet 25.0.13 with npm feeds and SBOM scans using pgutil. My goal is to trigger "Build Issues Detected" webhooks when vulnerable npm packages are detected.
Setup:
- Docker-based ProGet instance, running on localhost:8888
- Custom npm feed (npm-test) + npm proxy feed (npm-proxy) pointing to registry.npmjs.org
- pgutil installed locally, scanning project vuln-demo
- Vulnerable npm packages like qs@0.6.6 included
    services:
      proget:
        image: proget.inedo.com/productimages/inedo/proget:25.0.13
        container_name: proget
        restart: unless-stopped
        ports:
          - "8888:80"
        volumes:
          - proget_packages:/var/proget/packages
          - proget_database:/var/proget/database
          - proget_backups:/var/proget/backups

    volumes:
      proget_packages:
      proget_database:
      proget_backups:
Steps I took:
- Created npm-test feed and published local demo packages.
- Initialized npm project with vulnerable package(s):

      npm init -y
      npm install qs@0.6.6 lodash@4.17.23 minimist@0.0.8

- Ran SBOM scan and audit via:

      pgutil builds scan --source=local-api --input=package-lock.json --project-name="vuln demo" --version=1.0.0

- Build shows in ProGet, SBOM published, audit runs, but no vulnerabilities are detected.
- Promoted build to "Test" stage.
Problem:
Even packages known to be vulnerable (e.g., qs@0.6.6) do not produce any vulnerability issues.
As a result, the “Issues Opened on Build” webhook never fires, so my FastAPI integration never receives events.
Proxy feed exists, connector is unfiltered, but ProGet reports:

    No Remote Metadata Provider was found for "pkg:npm/qs@0.6.6"

Audit/compliance logs: Warn, but Vulnerabilities: None.
Question:
How can I get ProGet to correctly identify vulnerabilities in npm packages from my SBOM scans?
Do I need additional metadata providers, connectors, or configuration for npm feeds to ensure that vulnerable packages trigger issues?
Thank you in advance for any guidance or configuration examples!