Hello; I've updated the documentation to clarify this, but it's available starting in ProGet 5.2.9. So, you'll need to upgrade to enable it :)

atripp
@atripp
C# developer by trade, but writing less and less code and more and more specs.
Best posts made by atripp
-
RE: Service Health API call returning 404
-
RE: NPM Connector returns plus "+" in versions
Thanks for the update! I've noted this in the docs, and linked to this discussion :)
https://github.com/Inedo/inedo-docs/commit/d24087911584bbda833314084a58c2ae1ff41c39
-
RE: [ProGet] [NativeApi] NpmPackages_DeletePackage not working.
Hello,
That API will only delete package metadata from the database, not from disk. It's mostly intended for internal use only, and probably shouldn't be exposed to the API. In any case, we don't store the
@
with internally, so if you change@myscope
tomyscope
it should work.Note that the NPM doesn't provide a way to delete packages, and we never implemented it. There hasn't been any demand for it to date, as people don't really delete packages programmatically - but you're definitely welcome to submit a feature request and help us understand why it'd be a value (like, the workflow you use that requires deleting packages, etc).
Alana
-
RE: Creating PowerShell repository, protecting pull/download by API key
Hello, for sure!
It's pretty easy; just don't give the
Anonymous
user any access to your feeds, and then authentication will always be required, either when browsing the ProGet application or using the API (such asInstall-Module
).When you use the Register-PSRepository command, you can the
Credential
option to specify a credential.This credential can be the name/password of a user inside of ProGet (let's say,
Admin:Admin
), or it can be username ofapi
with a password of an api key you've configured (so,api:my-secret-key
). -
RE: Restricting API access to View/Download
Hello;
The Native API is for low, system-level functions, and it's "all or nothing". If you give someone access to Native API, you are effectively making them an administrator, as they can also change permissions and grant admin privileges. So, I don't think you want this. Instead, you'll want to use the Debian API endpoint that we implement.
It's a third-party API format
In order to support third-party package formats types like NuGet, npm, etc., ProGet implements a variety of third-party APIs. We only provide minimal documentation for these APIs, as they are generally either already documented elsewhere. However, you can generally find the basics by searching for specific things you'd like to do with the API, such as "how to search for packages using the NuGet API" or "how to publish an npm package using the API".
So in this case, I recommend to search "how to view and download apt packages".
-
RE: PyPI package not shown in search results accessible via url
I'm not very familiar with PyPi packages, but I know there are some oddities with
-
and_
, and that they are sometimes supposed to be treated the same, and sometimes not. We don't totally understand all the rules, to be honest (even after reading PEP503 specifications).In this case, the package is actually
websocket_client
, notwebsocket-client
.See: https://pypi.org/project/websocket_client/
When you search for
websocket_client
in ProGet, it shows up, as expected. -
RE: How to find out package disk space?
In ProGet 5.3, we plan to have a couple tabs on each
Tag
(i.e. container image) that would provide this info: Metadata (will be a key/value pair of a bunch of stuff), andLayers
will show details about each of these layers.That might help, but otherwise, we have retention policies which are designed to clean up old and unused images.We'll also have a way to detect which images are actually being used :)
-
RE: [BUG - ProGet] Not able to remove container description
As @apxltd mentioned, we've got a whole bunch planned for ProGet 5.3.
I've logged this to our internal project document, and if it's easy to implement in ProGet 5.2 (I can't imagine it wouldn't be), we'll log it as a bug and ship in a maintence release.
Do note, this is not an IMAGE description, it's a REPOSITORY (i.e. a collection of images with the same name, like
MyCoolContainerApp
) description; so this means the description will be there on all images/tags in the repository. -
RE: [Question - ProGet] Are versions amount wrong ?
You're right, I guess that's showing the "layers" instead of the "tags"; I think it should be showing container registries separately (they're not really feeds), but that's how it's represented behind the scenes now.
Anyways we are working on ProGet 5.3 now; there's a whole bunch of container improvements coming, so I've noted this on our internal project document, to make sure we get a better display for container registries.
-
RE: Anonymous user can see list of packages and containers
@Stephen-Schaff thanks for the bug report, I verified that this may happen depending on permission of user, and which feeds they can/can't use --- but it seems an easy enough fix that we can do via PG-1894 (targeted to next release) - the packages can't be viewed upon clicking, but it's a sub-optimal experience for showing packages they can't see
Latest posts made by atripp
-
RE: Getting 500, "Could not find stored procedure 'Security_GetRoles', but /health show no errors
Hi @carl-westman_8110 ,
The error message means that the database wasn't updated as per normal during the start-up process. It's hard to guess why, as we have special handling for that.
It's likely that restarting the service would have fixed it, but downgrading and then upgrading would also force an upgrade as well. Unfortunately it's hard to say at this point.
Upgrading to 2025.10 should be fine.
Thanks,
Alana -
RE: Packages with Noncanonical Names errors on internalized packages
Hi @jfullmer_7346,
It's nothing you did.
The underlying issue is that a bug in ProGet allowed
WinSCP (ID=563)
to be added to the PackageNameIds table; that should never have happened sincenuget
is case insensitive. We've since fixed that bug.However, once you have a duplicate name, weird things happen since querying for "give me the PackageID for
nuget://winscp
" returns two results instead of one. So now when you query "give me the VersionID for(ID=563)-v6.5.3
", a new entry is created.This has been a very long-standing issue, but there aren't any major consequences to these "weird things" except casing in the UI and the health check now fails.
But we're on it :)
Thanks,
Alana -
RE: Packages with Noncanonical Names errors on internalized packages
Hi @jfullmer_7346 ,
I haven't had a chance to look into more details, but thanks for providing the results of the query.
FYI - the PackageNameIds and PackageVersionIds are designed as a kind of "permanent, read-only record" -- once added they are not deleted or modified. Even if all packages are deleted (i.e. FeedPackageVersions). This is why this the "duplicate name" is such a headache to deal with.
That said, on a quick glance, we can see exactly where the error is coming from: there are duplicate versions (i.e.
(ID=563)-v6.5.3
and(ID=562)-v6.5.3
). So, when we try to deduplicate(ID=563)
and(ID=562)
(i.e.winscp
andWinSCP
), we get the error as expected.What's not expected is that those versions were not de-duplicated in the earlier pass. My guess is that it's related to
winscp
being in one feed andWinSCP
being in the other -- we tried to be conservative, and keep the de-duplication to packages related to the feed.I'm thinking we just change that logic to "all packages of the feed type". Anyway, please stay tuned. We'll try to get it in the next maintencne release.
Thanks,
Alana -
RE: Packages with Noncanonical Names errors on internalized packages
@jfullmer_7346 thanks for giving it a shot, we'll take a closer look!
The "good news" is that the error message is a "sanity check" failure, so now have an idea of what's causing the error:
-- Sanity Check (ensure there are no duplicate versions) IF EXISTS ( SELECT * FROM "PackageVersionIds" PV_D, "PackageVersionIds" PV_C WHERE PV_D."PackageName_Id" = "@Duplicate_PackageName_Id" AND PV_C."PackageName_Id" = "@Canonical_PackageName_Id" AND PV_D."Package_Version" = PV_C."Package_Version" AND ( (PV_D."Qualifier_Text" IS NULL AND PV_C."Qualifier_Text" IS NULL) OR (PV_D."Qualifier_Text" = PV_C."Qualifier_Text") ) ) THEN RAISE EXCEPTION 'Cannot deduplicate given nameid'; RETURN; END IF;
In this case, it's saying that there are "duplicate versions" remaining (i.e. WinSCP-1.0.0 and winscp-1.0.0). Those should have been de-duplicated earlier. I wonder if the
PackageVersionIds_GetDuplicates()
function is not returning the right results.I'm not sure what your experience w/ PostgreSQL is, but are you able to query the embedded database? If not, that's fine... it's not meant to be easy to query.
Also, should the integrity check be taking 30 minutes?
Maybe. The integrity check needs to verify file hashes, so that involves opening and streaming through all the files on disk. So when you have a lot of large packages, then it's gonna take a while.
-
RE: Unable to download io.r2dbc:r2dbc-bom:pom:Borca-SR2 from ProGet feed.
ProGet can handle most invalid Maven version numbers, but
Borca-SR2
is really invalid and isn't currently supported. Our "name vs version" parsing requires that versions start with numbers, artifacts start with letters. This has been a Maven rule for 20+ years now.It's non trivial and quite risky to change our parsing logic so it's not something we're keen on doing in a maintenance release. This scenario seems to be very rare and impact ancient artifacts and a few cases where authors didn't use Maven to deploy the artifacts.
Thanks,
Alana -
RE: maven Checksum validation failed, no checksums available
@uli_2533 thanks for the additional info, great find in the source code too!!
On our end, I was looking at the
PUT
code, where a301
kind of made sense. I think it must have been some kind of regression on theGET
request? Not sure why it didn't get noticed before, but it's a trivial fix.PG-3108 will be in the next maintenance release (Sep 19)... or if you want to try it now, it's in
inedo/proget:25.0.10-ci.9
Docker image.Thanks,
Alana -
RE: maven Checksum validation failed, no checksums available
Hi @bohdan-cech_2403 ,
I'm not sure if that's the issue...
Returning a
201
has been the behavior for as long as we've had the feed (even the old version of the feed). The official Maven client does not seem to complain or cause any error in our testing, and no other user reported it as a problem.Any idea why it's happening "all of a sudden" for you? Is there a new version of Maven or something?
FYI the
PUT
uploads for hash files are ignored and a201
is always returned.Thanks,
Alana -
RE: Machine ID changes after restart
@jorgen-nilsson_1299 said in Machine ID changes after restart:
What is the Machine ID based on and how can I trouble shoot this? Any way to set a static Machine ID?
The Machine ID is based on the CPU Vendor ID, Machine Name (host name on Docker), and OS Version.
Hopefully @felfert gave some advice on how to make sure those don't change,
-
RE: proget 500 Internal server error when pushing to a proget docker feed
@pariv_0352 the code is not fixed in 25.0.9
However,
inedo/proget:25.0.10-ci.5
will have the new code that should prevent this error -
RE: Packages with Noncanonical Names errors on internalized packages
@jfullmer_7346 thanks! As an FYI...
- Names and Versions are centrally indexed, and were intended to be "write-only" by design
- NuGet does not have case-sensitive names, but some earlier bugs allowed duplicate names to be created
- we are adding Duplicate Names (e.g.
winscp
andWinSCP
) and Duplicate Versions (e.g.winscp-4.0.0
andWinSCP-4.0.0
checking to feed integrity - When re-indexing a feed, you'll get an option to de-duplicate names/versions, which will fix it across all feeds
- Pulling or Publishing a package will update the casing of a centrally-indexed name
- Also we're getting rid of the concept of "Noncannonical Names" altogether, since we've discovered many NuGet packages "change casing" at some version