Thank you for the pointers.
I think I finally got it working, though I must admit I'm still not a 100% sure what combination in what order actually led to success.
I'm already in contact with @apxltd about your planned SCA changes. I will try to write up what tripped me as part of that feedback.
There is updated documentation with step-by-step instructions here:
Hi @stevedennis
I first noticed the issue on our production instance, which is older installation upgraded to 2025.10. The issue is easily reproducible on my test instance, which was just installed from scratch this September.
With database looking like the screenshot above, I ran the feed reindex with both options checked. Unfortunately that seems to clean up the wrong entry, in this case the ID 68622 gets deleted, which still has the old Package_Name.
After reindexing the integrity check is green as expected, but when I run the Vulnerability Database Updater job, the database looks like this afterwards
Running the feed integrity check again, we are back to where we started:
As the title says, after running the Vulnerability Database Updater job, duplicates appear in the PackageNameId table.
This results in the feed integrity checker complaining about the duplicates and suggesting a index rebuild with duplicate cleanup, which does not fix this issue permanently.
As a consequence, we found that in the SCA module the license of the package could no longer be detected, even though clicking on the package still navigates to the package page and shows the license as green.
It looks like packages which had their casing changed in the past are the source of this issue. In our case it happens with the jQuery NuGet package which had the "Q" uppercased.
The first row in the screenshot is present before the Vulnerability Database Updater job ran, the 2nd row appears after:
Microsoft.NETCore.* are also packages causing this issue, apparently the "NET" was uppercased at some point.
According to the NuGet spec, the package id should be handled case-insensitive. There is also this issue in the purl-spec repo.
Is this an issue in our database or something that needs to be fixed on ProGet side?
Just tested the partial updates for licenses. Everything is working smoothly now, so thank you for that.
One issue I noticed:
It looks like there is no cache invalidation after calling _progetClient.UpdateLicenseAsync().
Subsequent calls to _progetClient.ListLicensesAsync().ToListAsync() still return the old data.
The only way to get the API to return the updated data is to reload the /licenses/types page, which seems a bit inconvenient for API usage.
Maybe it would make sense to invalidate the cache on all modifying (Add/Delete/Update) license API calls?
Whoops sorry I keep forgetting - it shows up different on our end. Let me know if you'd like me to update your email on the forums, so you can login with your company account. It's fine either way, but we might forget again -- it shows up as free/community user on our dashboard
Thanks for the offer, I created a ticket EDO-12291 with the information required.
Anyway in that case, sure we can prioritize this for you!
I guess in the end you guys need to sort out the question if you want to support partial updates.
Since you're the first user whose requested this... we'll go with what you suggested. That makes sense to me. I just made this (PG-3137) since it was trivial:
Sounds good, thanks for the fast implementation! I will check it out.
Hi @atripp
Technically it's double, though it's not trivial due to the number of places the change would need to be made and tested... ProGet API,
pgutil, docs.
I guess in the end you guys need to sort out the question if you want to support partial updates. They do have advantages, especially for complex objects like in this case, but it indeed requires more effort to implement and maintain.
The code/title change itself looks trivial (i.e. just pass in
External_IdandTitle_Textto the call toLicenses_UpdateLicenseData), though I'm not totally clear what to do about the other one. What does pgutil send in? Null? []? Etc.
I'd probably do something like this:
| C# | JSON | Meaning |
|---|---|---|
| List<T> = null | <empty, not serialized> (1) | Ignore during update |
| List<T> = new List<T>() | [] (empty array) | Clear all items of the reference |
| List<T> = new List<T>() { Item1, Item2} | [Item1, Item2] | Update the reference to the new list |
(1) [JsonProperty(NullValueHandling=NullValueHandling.Ignore)]
As a free/community user this isn't all that easy to prioritize... but if you could do the heavy-lifting on the Docs and
pgutil(i.e. submit a PR), and give us a script or set of pgutil commands that we can just run against a local instance... I'm like 95% I can make the API change in 5 minutes.
We are actually paying customers, e.g. EDO-10681 is tied to our actual customer account. That makes it hard for me to justify the development work to our management.
(I kept my forum account from before we were customers to keep the posting history. I failed trying to connect my forum account to the company my.inedo.com account, but that is another story)
@stevedennis said in ProGet 2025.10: License Update API Issues:
And you're right, you can't update code/title, which aligns with the
pgutilbehavior as well.
Is this something that could be added?
Same question about the partial update behavior?
Right now, as far as I can tell, it is not properly supported. Either null means ignore or null means clear, for a proper implementation three states need to be considered, like I listed above.
Hi @stevedennis
the code seems to explain at least half of the problems I ran into
Title property of LicenseInfo, it is never passed to the DBCode property of LicenseInfo, it is never passed to the DBDB.Licenses_UpdateLicenseDataAsync handles null valuesGiven that the properties in the LicenseInfo objects are nullable, the code shown here doesn't quite match the intention of partial updates. At least not how it is described in the docs
This endpoint supports partial updating by only updating the properties that are supplied in the request.
It appears the AddLicenseAsync() API also has issues:
ProGet: 2025.10
Inedo.Proget: 2.0.5
The Update License API does not update the database in all cases.
For example just updating the title via a partial object (which is supposed to be supported according to docs?) never seems to update the database, even though the call always succeeds.
await _progetClient.UpdateLicenseAsync(new LicenseInfo { Id = 59, Code = "CC-BY-1.0", Title = "Test" });
I've had some success with updating the Urls and PackageNames properties, but even these calls are not always immediately reflected in the database or the UI. Sometimes it feels like the changes only get persisted after clicking around in the UI a bit, but that could just be coincidence. Rarely it is visible directly after the API call.
I've also tried retrieving the full LicenseInfo object from the database, and using a modified clone of the object with the Update API, but this has also flaky behavior and the title update also never works.
Am I doing something wrong or is there a glitch in the update API?
Thank you for the feedback.
I will observe for a while and reserve yelling at people to close their browsers for later. ;)