Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login
    1. Home
    2. davi.morris_9177
    3. Topics

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    D Offline
    • Profile
    • Following 0
    • Followers 0
    • Topics 3
    • Posts 3
    • Groups 0

    Topics

    • D

      Maven packages not including JAR files in ProGet

      Watching Ignoring Scheduled Pinned Locked Moved Support
      2
      1
      0 Votes
      2 Posts
      10 Views
      dean-houstonD
      Hi @davi-morris_9177 , I'm afraid this behavior is expected because kotlin-stdlib-2.3.20.jar is not in the downloaded index file. There's is no file-listing API, which means there's no way to know what should be there otherwise. The Maven client downloads "blindly downloads" some files, and "silently accepts" a 404 for other files. When it's downloaded (cached), then ProGet knows about it. So, you really need to download the artifacts first if you want to make a curated feed I'm afraid. -- Dean
    • D

      Vulnerability checking on Maven packages

      Watching Ignoring Scheduled Pinned Locked Moved Support
      2
      1
      0 Votes
      2 Posts
      15 Views
      atrippA
      Hi @davi-morris_9177 , Unfortunately, the source data for these particular vulnerabilities specify invalid version numbers. A valid Maven version is a 5-part number consisting of 1-3 integer segments (separated by a .), an optional build number (prefixed with a -), and then an optional qualifier (another -). Following these rules, 2.9.10.8, is invalid. Valid versions are semantically sorted, where as invalid versions are alphabetically sorted -- which is what's causing the big headache here, since "2.21.1" < "2.9.10.8" when you sort alphabetically. At this time, we don't have any means to "override / bypass" source data, and rewriting/updating our Maven version parsing for just a small corner case (i.e. these old/irrelevant vulnerabilities in particular) doesn't seem worthwhile. As such, for the time being, your best solution is just to "Ignore" these vulnerabilities via an assessment. They are totally irrelevant now, not just because they refer to ancient versions, but there is simply no realistic real-world exploit path: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 FYI - for ProGet 2026, we are working on a lot of improvements in vulnerability management that will reduce the noise of these non-exploitable vulnerabilities so teams can address actual risk and focus on delivering value instead of constant patching. Thanks, Alana
    • D

      pgutil packages promote for pypi feeds

      Watching Ignoring Scheduled Pinned Locked Moved Support
      2
      0 Votes
      2 Posts
      8 Views
      dean-houstonD
      Hi @davi-morris_9177 , For multi-file packages like PyPI, the entire package (i.e. all the files) is promoted. This is the same in the UI as well. -- Dean
    • 1 / 1