Navigation

    Inedo Community Forums

    Forums

    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    1. Home
    2. stevedennis
    • Profile
    • Following
    • Followers
    • Topics
    • Posts
    • Best
    • Groups

    stevedennis

    @stevedennis

    inedo-engineer

    29
    Reputation
    516
    Posts
    40
    Profile views
    1
    Followers
    0
    Following
    Joined Last Online

    stevedennis Follow
    inedo-engineer administrators

    Best posts made by stevedennis

    • RE: Proget: delete all versions of a package via API

      Hi @mcascone ,

      We don't have a single API method that can be used to delete all package versions from the API, but the foreach loop will do the trick!

      I should add that I am doing this as the first stab at an attempt to automatically delete packages from a development feed, when the corresponding branch in github is deleted

      I don't know the specifics/details of your use-case, but based on what I read, I'd recommend these guidelines:

      • assuming: one GitHub repository, one project, one package you want to release
      • use the same package name/group for all packages you create for this project, regardless of branch or development status
      • create your "dev" packages using a prerelease version number, that has a sort of -ci.## version (assuming you use CI to build packages)
      • embed the commit id and branch in your upack metadata file, for traceability
      • if you want to see which branch the packages was created from using the version number alone, add a +branch metadata label to the version number for branches (don't do this for master)
      • use repackaging and promotion to take your -ci packages to -rc to stable (and the desired feed)
      • let retention policies automatically cleanup up the -ci packages
      posted in Support
      stevedennis
      stevedennis
    • RE: No option for NuGet package path under Advanced Settings

      Hi @kichikawa_2913 ,

      I think it's this way for "historic reasons" - mostly all the other feed types came later, and it seems no one ever changes these paths or noticed.

      Easy enough to make it configurable, but can you share your use case? Why do you want to use something other than a single root path with all of your packages?

      Anyway I added a feature for this, and we should be able to get it in the next maintenance release PG-2006

      Cheers,

      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Marking packages as deprecated

      Hi @benjamin-soddy_9591,

      No problem "resurrecting" topics! We definitely want to hear from users about feedback/feature requests.

      We still haven't had anyone else ask for deprecation since this request, but I wonder if there's a better solution to solving your challenges than this feature. It sounds like you want to increase governance of your NuGet Packages, potentially with some sort of compliance in mind.

      The dotnet list package --vulnerable is probably not what you want for your organization; NuGet's Built-in Vulnerability Scanning is really limited, in part because it only reports on a fraction of known package vulnerabilities (164 as of today). It also won't block packages that you deem problematic, unlike ProGet's feature.

      The same is true with dotnet list package --outdated -- it's probably not what you want, because it relies on developers to have to know (1) to run the command, and (2) know what to do if there's an outdated dependency.

      There are better ways to manage third-party packages (see How to Create a Package Approval Workflow for NuGet), and you'd better served knowing who's consuming outdated packages (see Use Package Consumers to Track Dependencies

      Just some thoughts; like I said, we haven't had any demand for this feature, but these are proven solutions for improving governance of packages as organizations grow/expand their NuGet usage like you are.

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Permissions only work when set for specific user, not a group (LDAP)

      Hi @kichikawa_2913 ,

      The NuGet client's behavior is based on NuGet.org, where no authentication is ever required to view/download packages. As such, it doesn't pass the API key when doing those queries; instead, you can use a username of api and the password of your api key.

      Based on the issue though, it sounds like ProGet is unable resolve the groups; I would use the "test privileges" function on the Tasks page to verify this. Thatw ill show you if the username can download packages or not.

      The most common reason that groups aren't resolving is that the member is not directly in the group (i.e. they're in a group which is a member of the group), and you don't have recursive groups enabled; do note that this is really slow on some domains.

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: upack repack doesn't use complete version string from CLI

      Hi @mcascone ,

      Just looking at the code real quick, I suspect we have a bug where it writes out the wrong files name for the new package:
      https://github.com/Inedo/upack/blob/master/src/upack/Repack.cs#L120

      That's probably an easy fix, which we can do as part of this Q&A item. I'll wait to hear back about this one.

      As for the error, "The underlying connection was closed: An unexpected error occurred on a send.", that sounds like it's HTTPS related. Could you attach Fiddler, or something like that, to find out what's happening under the hood? We may be able to error message to better report it if so.

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Mixing ProGet Instances

      Hi @cimen-eray1_6870 ,

      Great questions; there's no problem having a second instance with ProGet Free Edition.

      The relevant restriction is that you can't use a Connector in ProGet Free Edition to connect to another instance of ProGet (either another Free Edition or your paid edition).

      Hopefully you can use your Maven feed as a proof of concept for implementing it in the main instance. Good luck!

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Support for Rust Cargo packages

      Hi @brett-polivka,

      I've added it to our Other Feed Types page, and linked this as the official discussion thread.

      There's a lot of things to consider in developing a new feed type, but ultimately it all comes down to two things: (1) how much more value does this feature bring to our users, and (2) how many new licenses of ProGet would this feature sell.

      The second question is where internal market research comes in, but we would love your opinion on the first question.

      Here's a nice and simple way to help understand value: how much more do you suppose your company/organization would pay for this feature if it were available as a hypothetical add-on? $100/year? $1,000/year? $10,000/year? Etc. And why? What time is it saving, risk is it mitigating, etc.

      The second part of the value equation is how much effort will it take, technically speaking. It's more than 15 minutes obviously, but is it 10 hours? 100 hours? Etc.

      On the plus side, the package format seems to be documented pretty well. However, the registry API has a huge red flag:

      The index key should be a URL to a git repository with the registry's index.

      Does this mean their API is Git-based, and we'd need to first add private Git repository hosting to ProGet? And did they test it with private/authenticated Git repositories, or just their public (probably GitHub) repository? 🙄

      posted in Support
      stevedennis
      stevedennis
    • RE: Debian feed mirror Performance

      @stefan-hakansson_8938 as you noticed, ProGet's Debian connectors are not currently designed to handle the gigantic, operating-system mirrors very well. This is because they are always refreshed "on demand" - which is what you want for CI/CD workflows.

      It's not great for public repository mirroring, however. In Q4 or later, we will explore adding an option to do periodic updates.

      posted in Support
      stevedennis
      stevedennis
    • RE: Proget - Can't use the native API even with an API Key with Native API access

      Hi @m-webster_0049 ,

      The first thing I would try is to troubleshoot this is to switch to a very basic API key like hello. That just eliminates any typos, spacing, etc.

      Next, I would try specifying the API Key via X-ApiKey header (see docs) - just to see if you get a different error. It's possible there is a regression somewhere.

      Best,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: How to set content type of asset with API?

      @joshuagilman_1054 this is currently planned for 5.3.27 as PG-1934 (April 17) - we'll let you know if plans change!

      posted in Support
      stevedennis
      stevedennis

    Latest posts made by stevedennis

    • RE: npm package version falsely marked as vulnerable by ProGet

      Hi @andreas-unverdorben_1551 ,

      I'm afraid this is a problem with our upstream source (GHSA). Long story short, the datafile is incorrect and does not specify a range.

      We do not have any plans to build a system/module that allows us to "override" data in the upstream datasources at this time, so the only way we can really address it is by fixing the upstream source.

      I believe the best route to do that would be to submit a pull request to the GHSA repository against the related datafiles (e.g. GHSA-4r6h-8v6p-xvw6.json)

      In this case, they are missing a "fixed" event in the range:

            "ranges": [
              {
                "type": "ECOSYSTEM",
                "events": [
                  {
                    "introduced": "0"
                  }
                ]
              }
            ]
      

      Here's what it needs to look like:

            "ranges": [
              {
                "type": "ECOSYSTEM",
                "events": [
                  {
                    "introduced": "0"
                  },
                  {
                    "fixed": " 0.19.3"
                  }
                ]
              }
            ]
      

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Git Repository Monitor - Create build when a PR is created/updated

      Hi @brandon_owensby_2976 ,

      You can configure release settings on an application-by-application basis under the Settings tab. In this case, you'd set Release Usage to be Optional or Disabled.

      If Release Usage is set to Required, users must select a release when creating a new build; this was the deefault in older versions of BuildMaster.

      https://docs.inedo.com/docs/buildmaster/modeling-your-applications/buildmaster-releases

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: ProGet: implement Policies & Blocking support for Container feeds

      @Nils-Nilsson excellent, let us know as you have other feedback too! This is definitely an area we intend to keep improving in throughout ProGet 2026+

      posted in Support
      stevedennis
      stevedennis
    • RE: ProGet web requests stuck returning 500 "Execution Timeout Expired" while background tasks & /health stay healthy — requires restart

      Hi @carl-westman_8110 ,

      Thanks for sharing that. This isn't a symptom of "server overload" that we've seen before.

      The error you shared is occurring on Feeds_GetFeeds, which is definitely not an intensive query, and I would not expect that to be timing out at all. It's just SELECT * FROM [Feeds].

      However, that's a similar symptom to the "AzureSQL resource throttling" that we've seen on other users: another query is being throttled (for example, something that joins on [Feeds]), and that is causing a cascading impact on other queries.

      We don't have enough information to say that's the case here. But, an easy way to test would be to up your DTUs substantially.

      Otherwise, the next troubleshooting step is to try to identify the cause of the timeouts, which involves looking at HTTP Access logs and jobs occurring around the same time under Admin > Scheduled Jobs.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: ProGet web requests stuck returning 500 "Execution Timeout Expired" while background tasks & /health stay healthy — requires restart

      Hi @carl-westman_8110 ,

      Under Admin > Diagnostic Center, you should see some error-level messages logged. Can you share those? That will help us identify what the actual error messages are.

      Under Admin > Scheduled Jobs, what do you see scheduled at midnight? Are you aware of other external scheduled jobs, for example backup or nightly builds?

      One thing to be aware of... users with similar symptoms have discovered they were "rate limited" by Azure SQL. This doesn't lead to resource graph spikes or "419 errors" (like an API rate limit), but query throttling; some queries simply take 100x longer. And this eventually leads to random errors.

      I think 10DTU is relatively small, so this could be happening? Anyway the error messages will show.

      This may be a good opportunity to migrate to PostgreSQL, which will not have any kind of limits.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: ProGet pnpm audit reports no vulnerabilities

      Hi @Ashley ,

      Amazing, thanks for this investigation! This is very helpful.

      You've also captured the exact issue we have with a lot of these APIs; no real specs (or worse... wrong specs), which involves a reverse engineering effort. This quote is wonderful:

      In summary, due to the lack of an official JSON schema and potential changes between npm versions, it's crucial to treat the npm audit --json output structure as subject to change. Relying solely on the npm CLI source code for the most accurate and up-to-date information is recommended, along with implementing robust version checks and testing in your development processes.

      Wouldn't it be nice if we could build our products like that! Anyway, I was curious and I asked internally, and the original engineer is almost certain that npmjs used to have the CVE number there, which we also used to emit until changing to PGVD number in ProGet 2023. But that is consistent with their position of "we don't do specs, just read the latest commit to figure it out.

      But it doesn't really matter, that's what we have now...

      To ensure consistency with the public npm registry, would it be possible to change ProGet to use a number for the id field on the audit response?

      If you discovered this in ProGet 2025, we'd just change it in ProGet 2026 and not worry about it. But we need to be super-careful making API changes in a maintenance release. We can't quite get away with Microsoft/GitHub levels of quality :)

      Seemingly harmless changes lead to broken builds, which are really painful to debug; for example, we recently added upload-time to PyPI API. That caused older versions of the pip client to break due to a bug in how they parsed dates.

      There are probably too many client/versions to answer the question "what is this field even used for and what are the consequences of changing it?"

      Perhaps an easier route is to just get pnmp to change to a string, like the rest of them? Or, just ignore it and "let it be"?

      Over time, if you follow our recommend best practices, these audits will show fewer and fewer vulnerabilities. We plan to continuously refine the PVRS algorithm to better combat both "vulnslop" (i.e. AI-discovered and AI-generated vulnerabilities that cannot be exploited in any real-world scenario nor would cause any real-world harm if so) and misreporting.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: ProGet pnpm audit reports no vulnerabilities

      Hi @Ashley ,

      Thanks for the detailed information. I haven't set up an npm/pnpm environment to test this, but I wanted to share a few thoughts, and see if you can test something.

      I doubt the encoding is an issue.

      Idea 1: Different API Endpoints

      There are two vulnerability APIs, and I think one is kind of deprecated? Anyway ProGet has never implemented that one.

      If you haven't already, I'd make sure pnpm is calling the same endpoint.

      Idea 2: Null Severity

      In the example you provided, severity is only set on one of the three items. If this is the problem, then it would mean that pnpm is erroring when processing the resultset.

      This will be trivial to verify: can you (temporarily) override the assessment of PGV-262413Y and PGV-262413X to be Contain? Then, run it again. You should see a "critical" serverity in the results then.

      That being said, this is a bug. These vulnerabilities should be suppressed and not show up in the results at all; we'll fix that via PG-3317.

      Idea 3: Nonnumeric Id

      The other possibility; ProGet is using a string identifier, but npm is using an integer identifier. I suspect that npm used to do CVEs that field, but who knows. None of this is documented.

      I'm not really sure how how test this without some kind of proxy/MITM interception, or reverse-engineering their source code.

      Maybe this is a GitHub issue on the pnpm repository?

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: "Invalid scheduled job type:" (blank) in Update Checker Scheduled Job Dispatcher after 2025 → 2026 upgrade

      Hi @svc-4x9p2a_6341 ,

      This is known issue and will be addressed via PG-3309 in the next maintenance release. You can just ignore the messages for the time being, it only happens like once a week or so.... I wouldn't modify the database either.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: ProGet 2026/PostgreSQL (Embedded) Group Managed Service Account Support

      Hi @mhelp_5176,

      Connecting to the embedded database requires local access to the ProGet server. Once an attacker has that, then they already have full access to the database, as it's stored as files on disk... basically it's the equivalent of storing the safe key inside of the safe :)

      As such. it doesn't make sense for us to add complexity to the product to support changing a password that's already secured.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: User gets 500 error if you delete a logged in user

      Hello,

      Thanks for reporting this; this behavior is by design.

      ProGet uses authentication tickets (i.e. encrypted cookies). If the username on a valid ticket cannot be located in the user directory, then a "user not found" error will occur, as it did here.

      This errant behavior is generally desired for troubleshooting cases where users are intermittently not available from a user directory. Otherwise it's very difficult to troubleshoot, since it will just appear as a random log-out.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis