    Inedo Community Forums

    Posts made by stevedennis

    • RE: npm package version falsely marked as vulnerable by ProGet

      Hi @andreas-unverdorben_1551 ,

      I'm afraid this is a problem with our upstream source (GHSA). Long story short, the datafile is incorrect and does not specify a range.

      We do not have any plans to build a system/module that allows us to "override" data in the upstream datasources at this time, so the only way we can really address it is by fixing the upstream source.

      I believe the best route to do that would be to submit a pull request to the GHSA repository against the related datafiles (e.g. GHSA-4r6h-8v6p-xvw6.json)

      In this case, they are missing a "fixed" event in the range:

            "ranges": [
              {
                "type": "ECOSYSTEM",
                "events": [
                  {
                    "introduced": "0"
                  }
                ]
              }
            ]
      

      Here's what it needs to look like:

            "ranges": [
              {
                "type": "ECOSYSTEM",
                "events": [
                  {
                    "introduced": "0"
                  },
                  {
                    "fixed": "0.19.3"
                  }
                ]
              }
            ]
      

      Thanks,
      Steve

      posted in Support
      stevedennis
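The effect of the missing "fixed" event described in the post above, as an added example that is not part of the original post and is not ProGet's or GHSA's code: it evaluates a range's events in version order and flags ranges that never close. The two ranges are constructed from the snippets in the post; plain `MAJOR.MINOR.PATCH` versions without pre-release tags are an assumption of this sketch.

```python
import json
import re

# Constructed sample data: the two "ranges" fragments from the post.
BROKEN_RANGE = json.loads("""
{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}
""")
CORRECTED_RANGE = json.loads("""
{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.19.3"}]}
""")

KNOWN_EVENTS = ("introduced", "fixed", "last_affected")


def parse_version(text):
    """Parse MAJOR.MINOR.PATCH into a tuple. "0" means 'from the first version'."""
    text = text.strip()
    if text == "0":
        return (0, 0, 0)
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version, version_range):
    """Walk the events in version order and track whether `version` is inside the range."""
    target = parse_version(version)
    events = []
    for event in version_range["events"]:
        for kind, value in event.items():
            if kind in KNOWN_EVENTS:
                events.append((parse_version(value), kind))
    events.sort(key=lambda item: item[0])

    affected = False
    for bound, kind in events:
        if kind == "introduced" and target >= bound:
            affected = True
        elif kind == "fixed" and target >= bound:
            affected = False
        elif kind == "last_affected" and target > bound:
            affected = False
    return affected


def is_open_ended(version_range):
    """True when a range is opened but never closed, so every later version matches."""
    kinds = {kind for event in version_range["events"] for kind in event}
    return "introduced" in kinds and not kinds & {"fixed", "last_affected", "limit"}


if __name__ == "__main__":
    for label, rng in (("broken", BROKEN_RANGE), ("corrected", CORRECTED_RANGE)):
        print(label, "open-ended:", is_open_ended(rng))
        for candidate in ("0.19.2", "0.19.3", "1.2.0"):
            print("  ", candidate, "affected:", is_affected(candidate, rng))
```
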
    • RE: Git Repository Monitor - Create build when a PR is created/updated

      Hi @brandon_owensby_2976 ,

      You can configure release settings on an application-by-application basis under the Settings tab. In this case, you'd set Release Usage to be Optional or Disabled.

      If Release Usage is set to Required, users must select a release when creating a new build; this was the default in older versions of BuildMaster.

      https://docs.inedo.com/docs/buildmaster/modeling-your-applications/buildmaster-releases

      Cheers,
      Steve

      posted in Support
      stevedennis
    • RE: ProGet: implement Policies & Blocking support for Container feeds

      @Nils-Nilsson excellent, let us know as you have other feedback too! This is definitely an area we intend to keep improving in throughout ProGet 2026+

      posted in Support
      stevedennis
    • RE: ProGet web requests stuck returning 500 "Execution Timeout Expired" while background tasks & /health stay healthy — requires restart

      Hi @carl-westman_8110 ,

      Thanks for sharing that. This isn't a symptom of "server overload" that we've seen before.

      The error you shared is occurring on Feeds_GetFeeds, which is definitely not an intensive query, and I would not expect that to be timing out at all. It's just SELECT * FROM [Feeds].

      However, that's a similar symptom to the "AzureSQL resource throttling" that we've seen on other users: another query is being throttled (for example, something that joins on [Feeds]), and that is causing a cascading impact on other queries.

      We don't have enough information to say that's the case here. But, an easy way to test would be to up your DTUs substantially.

      Otherwise, the next troubleshooting step is to try to identify the cause of the timeouts, which involves looking at HTTP Access logs and jobs occurring around the same time under Admin > Scheduled Jobs.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: ProGet web requests stuck returning 500 "Execution Timeout Expired" while background tasks & /health stay healthy — requires restart

      Hi @carl-westman_8110 ,

      Under Admin > Diagnostic Center, you should see some error-level messages logged. Can you share those? That will help us identify what the actual error messages are.

      Under Admin > Scheduled Jobs, what do you see scheduled at midnight? Are you aware of other external scheduled jobs, for example backup or nightly builds?

      One thing to be aware of... users with similar symptoms have discovered they were "rate limited" by Azure SQL. This doesn't lead to resource graph spikes or "419 errors" (like an API rate limit), but query throttling; some queries simply take 100x longer. And this eventually leads to random errors.

      I think 10DTU is relatively small, so this could be happening? Anyway the error messages will show.

      This may be a good opportunity to migrate to PostgreSQL, which will not have any kind of limits.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: ProGet pnpm audit reports no vulnerabilities

      Hi @Ashley ,

      Amazing, thanks for this investigation! This is very helpful.

      You've also captured the exact issue we have with a lot of these APIs; no real specs (or worse... wrong specs), which involves a reverse engineering effort. This quote is wonderful:

      In summary, due to the lack of an official JSON schema and potential changes between npm versions, it's crucial to treat the npm audit --json output structure as subject to change. Relying solely on the npm CLI source code for the most accurate and up-to-date information is recommended, along with implementing robust version checks and testing in your development processes.

      Wouldn't it be nice if we could build our products like that! Anyway, I was curious and I asked internally, and the original engineer is almost certain that npmjs used to have the CVE number there, which we also used to emit until changing to PGVD number in ProGet 2023. But that is consistent with their position of "we don't do specs, just read the latest commit to figure it out."

      But it doesn't really matter, that's what we have now...

      To ensure consistency with the public npm registry, would it be possible to change ProGet to use a number for the id field on the audit response?

      If you discovered this in ProGet 2025, we'd just change it in ProGet 2026 and not worry about it. But we need to be super-careful making API changes in a maintenance release. We can't quite get away with Microsoft/GitHub levels of quality :)

      Seemingly harmless changes lead to broken builds, which are really painful to debug; for example, we recently added upload-time to PyPI API. That caused older versions of the pip client to break due to a bug in how they parsed dates.

      There are probably too many client/versions to answer the question "what is this field even used for and what are the consequences of changing it?"

      Perhaps an easier route is to just get pnpm to change to a string, like the rest of them? Or, just ignore it and "let it be"?

      Over time, if you follow our recommended best practices, these audits will show fewer and fewer vulnerabilities. We plan to continuously refine the PVRS algorithm to better combat both "vulnslop" (i.e. AI-discovered and AI-generated vulnerabilities that cannot be exploited in any real-world scenario nor would cause any real-world harm if so) and misreporting.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: ProGet pnpm audit reports no vulnerabilities

      Hi @Ashley ,

      Thanks for the detailed information. I haven't set up an npm/pnpm environment to test this, but I wanted to share a few thoughts, and see if you can test something.

      I doubt the encoding is an issue.

      Idea 1: Different API Endpoints

      There are two vulnerability APIs, and I think one is kind of deprecated? Anyway ProGet has never implemented that one.

      If you haven't already, I'd make sure pnpm is calling the same endpoint.

      Idea 2: Null Severity

      In the example you provided, severity is only set on one of the three items. If this is the problem, then it would mean that pnpm is erroring when processing the resultset.

      This will be trivial to verify: can you (temporarily) override the assessment of PGV-262413Y and PGV-262413X to be Contain? Then, run it again. You should see a "critical" severity in the results then.

      That being said, this is a bug. These vulnerabilities should be suppressed and not show up in the results at all; we'll fix that via PG-3317.

      Idea 3: Nonnumeric Id

      The other possibility; ProGet is using a string identifier, but npm is using an integer identifier. I suspect that npm used to do CVEs in that field, but who knows. None of this is documented.

      I'm not really sure how to test this without some kind of proxy/MITM interception, or reverse-engineering their source code.

      Maybe this is a GitHub issue on the pnpm repository?

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: "Invalid scheduled job type:" (blank) in Update Checker Scheduled Job Dispatcher after 2025 → 2026 upgrade

      Hi @svc-4x9p2a_6341 ,

      This is a known issue and will be addressed via PG-3309 in the next maintenance release. You can just ignore the messages for the time being, it only happens like once a week or so.... I wouldn't modify the database either.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: ProGet 2026/PostgreSQL (Embedded) Group Managed Service Account Support

      Hi @mhelp_5176,

      Connecting to the embedded database requires local access to the ProGet server. Once an attacker has that, then they already have full access to the database, as it's stored as files on disk... basically it's the equivalent of storing the safe key inside of the safe :)

      As such, it doesn't make sense for us to add complexity to the product to support changing a password that's already secured.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: User gets 500 error if you delete a logged in user

      Hello,

      Thanks for reporting this; this behavior is by design.

      ProGet uses authentication tickets (i.e. encrypted cookies). If the username on a valid ticket cannot be located in the user directory, then a "user not found" error will occur, as it did here.

      This errant behavior is generally desired for troubleshooting cases where users are intermittently not available from a user directory. Otherwise it's very difficult to troubleshoot, since it will just appear as a random log-out.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: [feature] ProGet: Send test notifications from 'Notifiers & Webhooks'

      @sigurd-hansen_7559 wow very cool! We didn't anticipate anyone would customize these templates beyond adding a variable or two, so it didn't seem to make a lot of sense to invest in a proper editor (like we have in the other products)

      Anyway, it'd be interesting to see what kind of templates you develop.

      posted in Support
      stevedennis
    • RE: Support for Azure Key Vault references in Connector credentials

      Hi @alkhleif_2585 ,

      There isn't much demand for this kind of feature (I think we've only seen one or two requests for this over very many years) so it's not on our roadmap.

      And it's unlikely we will add it to the roadmap considering that it would be quite costly to build, support, and maintain. Especially considering that we'd need to support all of the major "vaults" out there as well.

      It doesn't seem to add much value to ProGet as these types of read-only credentials can be very long living (several years) without any security risk, and take just a few minutes to rotate when needed.

      That being said, you could probably write a "sync script" pretty easily that continuously updates the connector credentials by connecting to the vault and then updating it via the API.

      Cheers,
      Steve

      posted in Support
      stevedennis
    • RE: Issue with Composer Connector: ProGet blocks non-standard version names from Packagist

      Hi @vdubrovskyi_1854 ,

      Without knowing which specific package you're referring to, it's hard to give a more specific example.

      Historically, Packagist was effectively a database of "GitHub Repository pointers" and Composer was effectively just a wrapper around the Git client. They can both still operate in that mode, and need to for older, non-standard packages. I suspect that's the type of package you're referring to here.

      ProGet's Composer feeds work with "packages" (i.e. not the GitHub pointers), which account for nearly all of the modern packages on Packagist.org. For the small number of packages that don't follow the standard (mostly older, legacy packages), you'll need to download them, properly package them, and then upload them to follow the standard.

      Unfortunately there's no technically feasible/sensible way to solve this problem - since it would require ProGet to serve as a GitHub pointer database, which just doesn't make sense.

      Cheers,
      Steve

      posted in Support
      stevedennis
    • RE: PEP 700 conformance for PyPI feeds

      Hi @Ashley ,

      It should have been; I just double-checked and see a commit for "Add full PEP 700 conformance for PyPI feeds" that appears to add the fields discussed here and some more.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: [BUG] ProGet 2026 no longer able to find Active Directory Users/Groups when configuring Task/Permissions

      @Nils-Nilsson FYI quick update, but it does look like LDAP searching is having issues in the UI.. so perhaps it's some kind of UI/library upgrade regression. Anyway we'll update once we have a fix.

      posted in Support
      stevedennis
    • RE: [BUG] ProGet 2026 no longer able to find Active Directory Users/Groups when configuring Task/Permissions

      Hi @Nils-Nilsson,

      Aside from library/dependency upgrades, I'm not aware of any changes to AD/LDAP that would yield this change. So it's definitely possible a dependency update caused that, we'll keep our eyes out... but things did pass our ordinary LDAP/AD testing, so any other info would be really helpful ... like if it's easy to do a new testing instance so you can upgrade/downgrade to find if that's definitely the issue.

      As for permissions/tasks, there were definitely no changes here. The tasks/permissions data were not touched as part of the upgrade, nor was the data/schema changed; the renaming of "Feed Groups" to "Feed & Project Groups" is entirely cosmetic.

      Behind the scenes (in the database), it's still FeedGroup_Id. The only schema changes were related to creating new tables for vulnerability data and adding a column to projects table to support grouping. There were no data updates.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Can't able to upgrade Buildmaster 5.7 version through inedohub

      Hi @ybaskar-temp_3339 ,

      Thanks for confirming that.

      I think it'd be worth exploring how to change those migration/environment constraints. While it's unfortunate to "lose history" and need to navigate to a separate instance, there's a moderate amount of risk in things simply not working the way it did before.... we're talking a decade of evolution, including platform, architectural, and even usage changes.

      That said, for an in-place upgrade, here's the approach that I would use.

      1. Use the Legacy (Traditional) installer to get to BuildMaster 6.1.
      2. Verify things work as expected on BuildMaster 6.1, agents updated, etc
      3. Upgrade to BuildMaster 6.2, again using the traditional installer
      4. Verify things work as expected in same manner
      5. Uninstall
      6. Ensure all components (iis site, service, program files.... except database, artifacts) have been removed
      7. Install BuildMaster 2025 as per normal, pointing to existing database

      Note that there's a decent chance that you'll run into database or binding errors after #7, so make sure to run buildmaster.service.exe run from the commandline to better see messages and errors if things don't start up.

      Cheers,
      Steve

      posted in Support
      stevedennis
    • RE: Add Documentation for Chocolatey Proxy feeds

      @steviecoaster sure thing!

      https://github.com/inedo/inedo-docs/tree/master/Content/proget/feeds/chocolatey#.md

      There's a "hidden in plain sight" GitHub link under the heading of each article, mostly for us :)

      Figured a PR/example would be easier than back-forth on forums. Thanks!

      posted in Support
      stevedennis
    • RE: Problem with setting up LDAP in ProGet

      Hi @pg_user_8607 ,

      Unfortunately, the only information we receive from the underlying library is LdapReferralException, so there's nothing else we can log. My understanding is that the server is limiting the information and you ought to see more information from the LDAP/AD server's query logs (they are like HTTP access logs). That's the absolute best place to look.

      In our experience, a referral typically means the domain name is incorrect (e.g. user@domain.com instead of user@domain.local), but it could be any of the things you mentioned too. Unfortunately, LDAP/AD configuration can be a pain in rare cases (which it sounds like you are), and there's just no way around that.

      As for monitoring, here is what we recommend:

      • periodic monitoring of the /health endpoint (every 5 minutes)
      • (optional) HTTP access logs (retain for 7 days)

      There's nothing required beyond that. Those "container logs" (i.e. proget console output) that you see are primarily intended for us (product engineers) to troubleshoot problems and there's not much value in trying to use/store them.

      For a tool like ProGet, trying to extract/monitor detailed metrics is counterproductive and leads to information overload. Many "errors" are not problems and are a total waste of everyone's time to troubleshoot.

      For auditing, ProGet maintains internal audit logs (you can query them from the database if you really want to "export" them), or you can use webhooks if you want to publish events. But again, we don't think that's productive; they just become a "secondary log" that no one looks at because it's harder to query than the ProGet database.

      For authentication-related information, a combination of HTTP log monitoring (403 errors) and LDAP/AD server is the best thing to check.

      Cheers,
      Steve

      posted in Support
      stevedennis
    • RE: Can't able to upgrade Buildmaster 5.7 version through inedohub

      Hi @ybaskar-temp_3339,

      Upgrading from BuildMaster 5.7 to 2025 has never been supported; you'll need to first upgrade to BuildMaster 6.1, and then you can upgrade to BuildMaster 2025. Please see:
      https://docs.inedo.com/docs/buildmaster-upgrading

      It's certainly possible there was a bug/oversight in newer versions of the Inedo Hub that didn't "block" the upgrade, but it should never have been possible. Also I do believe we removed really old versions from the Inedo Hub, so you may need to download the offline installer to get to BuildMaster 6.1.

      Another approach to consider is to just "start from scratch" with BuildMaster 2025, and maintain BuildMaster 5.7 as a separate instance... moving to read-only over time. If a lot of your applications are templatized anyway, you may find the built-in Build Scripts work with minimal configuration. And as long as you're on the latest version of Inedo Agent (on the servers), they should be able to both communicate fine. This approach is the lowest risk by far.

      Cheers,
      Steve

      posted in Support
      stevedennis
    • RE: Add Documentation for Chocolatey Proxy feeds

      @steviecoaster sounds good, feel free to submit a PR with suggestions if you'd like anything to add. For us, we usually just point to connectors documentation, though the topic doesn't really come up with this feed

      posted in Support
      stevedennis
    • RE: Add Documentation for Chocolatey Proxy feeds

      Hi @steviecoaster ,

      We haven't had any users ask for help on this; it's pretty straight-forward in ProGet, as the UI guides users to do this and even pre-populates the default URLs. But if you think there's some nonobvious things or issues you've seen, then a technical note would be great (like we have on Connectors for Debian Feeds).

      I should note... we did not create a dedicated HOWTO guide for this use case (unlike, for example, HOWTO: Proxy Packages from NuGet.org in Visual Studio or CLI), mostly because we don't generally recommend it. Instead, we recommend internalizing the packages.

      What do you think about editing this section to clarify that?

      https://docs.inedo.com/docs/proget/feeds/chocolatey#internalizing-chocolatey-packages

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Promote a Release from one Workflow to the next

      @dwilson_7533 that sounds about right! In modern versions of BuildMaster, it's possible to change Pipelines ("new" name for Workflows) a little easier, or even create builds without them.

      Speaking of, I'd recommend giving it a shot, we've got some pretty cool Git integration these days :)

      posted in Support
      stevedennis
    • RE: Moving from IIS to Integrated Web Server

      Hi @caterina,

      Well, it's Microsoft, so their teams and guidance are all over the place... and that article is "AI-assisted" (labeled as such), so it's probably even more inconsistent than Microsoft's normal docs :)

      But, I definitely agree on the convenience of WIA over tokens. In any case, we don't have a plan to discontinue it from our products - but it is a "risky" feature, both in terms of making ProGet less secure and regressions (from Windows updates, or client/ProGet upgrades). So that's why we encourage users to move away.

      Anyway.... as for the issue, can you try adding ?bypassIntegrated=false to the URL? We are linking directly to the NPM API, which is bypassed. I'd like to see if that solves it.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Moving from IIS to Integrated Web Server

      Hi @caterina,

      I was referring to Windows Integrated Authentication (WIA) in general; while it's not "formally deprecated" yet, a lot of Microsoft's guidance and support basically treat it as a legacy technology used for existing internal intranet scenarios (especially now that NTLM has been disabled by default), and Microsoft’s modern web application guidance explicitly recommends token-based authentication instead.

      So, that drives our guidance as well.

      In any case, it sounds like you're doing port sharing:

      Our ProGet instance is bound to a hostname and a port.

      If you can bind it to just a port, then this should work. The reason is that hostname-binding requires operating system components (i.e. HTTP.SYS) to handle the request, and ProGet cannot disable it on a per-url basis.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Migrating from Sonatype Nexus to ProGet

      @pg_user_8607 sorry I accidentally deleted that when trying to fork it into a new topic... I briefly saw the logs and wanted to review w/ team to see if we can figure them out

      Can you repost them again as a new topic? Thanks, we can then track it separately.

      posted in Support
      stevedennis
    • RE: Moving from IIS to Integrated Web Server

      Hi @caterina ,

      First and foremost, Microsoft has effectively discontinued Windows Integrated Authentication (WIA) in favor of more modern and secure environments. As such, we strongly advise taking this opportunity to simply move away from it.

      Our recommended environment is:

      • No authentication required to view/download packages
        • the only exception to this is packages containing things like trade secrets.
        • that should not be the default, as "when everything is secret nothing is"
      • API Key required to publish packages
        • minimal permissions (i.e. no overwrite)
        • limit to feeds when appropriate, so you don't have too many keys
        • consider rotating annually

      That said, WIA is still supported in the Integrated Web Server and unsupported feeds (like npm) are automatically excluded from WIA when Kestrel is used (i.e. when you are NOT doing port sharing, and binding to a port). You can also explicitly exclude NuGet feeds.

      However, it's not possible to do "authentication by port", like what was possible by creating two sites in IIS.

      Hope that helps,
      Steve

      posted in Support
      stevedennis
    • RE: Migrating from Sonatype Nexus to ProGet

      Hi @pg_user_8607 ,

      Can we move this issue to a new topic? I would "split" it for you, but then it won't show up on our dashboard when a reply comes through.

      Separate threads make it a lot easier to manage things on our end and keep track of things better :)

      But before you do that, just a hint - look at the container output startup logs. Basically just run without the -d and you'll be able to see the console output, and post anything related to the database there.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Image-based Services (Containerized Builds) failing on "Build .NET Project"

      Hi @brandon_owensby_2976 ,

      The image that's being used is mcr.microsoft.com/dotnet/sdk:6.0, which is technically a "fat manifest" that points to a number of platform-specific images. But that's all handled by the Docker engine.

      So if you're getting a Windows-based image, then it means the Docker engine is not using Windows. I haven't used DockerDesktop in years, since WSL2 is much more reliable and a similar-to-production experience.

      I mentioned this in my other reply, but I would suggest to "play around" with the commands using docker run ... to see if you can get this working using that container.

      Once you can get it working from the CLI, then it won't be a problem for BuildMaster to do the same thing.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Running InedoAgent on a Docker image

      Hi @brandon_owensby_2976 ,

      You can run Linux VMs on your laptop without an issue. They don't require much disk space or memory, and that's what WSL2 does behind the scenes.

      Docker containers aren't designed as or intended to be "servers" per se; they are meant to just run a single program without worrying about any operating-system dependencies. You can technically SSH into them and run other programs, but that's really only done in specialized debugging scenarios.

      In other words, you should not be "running commands" inside a Docker container, whether using SSH or another means. Instead, you use the docker run command, which will create a container from an image, execute a command, and then stop the container.

      As far as getting unit tests to work, that may require additional dependencies. I don't really know. But the way to test that is by running commands like this:

      docker run --rm -v "$PWD:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 dotnet test
      

      That basically just spins up a container to run dotnet test. That is what BuildMaster is doing behind the scenes.

      When you do docker run proget.inedo.com/productimages/inedo/buildmaster:2026.0 it's doing exactly the same thing, you just don't get to choose the command that runs when the container "spins up".

      Hope that helps

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Running InedoAgent on a Docker image

      Hi @brandon_owensby_2976 ,

      This isn't really something that makes sense in the Docker paradigm. Keep in mind that a Docker container is essentially a wrapper for a single executable and is designed to be disposed after the command runs. That's how the Image-based services work as well.

      If you want to get Linux builds working, I'd start with a Linux-based server (create a VM) and SSH into it. You can later try out Image-based services as well, but that also requires a Linux-based host.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Image-based Services (Containerized Builds) failing on "Build .NET Project"

      Hi @brandon_owensby_2976 ,

      Based on the error message, it looks like you've got Docker Desktop configured to use Windows-based containers, not Linux. I'm not sure if this can work on Docker Desktop; it's just not a stack anyone considers/supports for use cases like this.

      The underlying error appears to be coming from the dotnet tooling. Though it's hard to say without troubleshooting further. Basically, something in the stack is calling the Linux tool id, which isn't going to work on a Windows container.

      If you're evaluating/testing, I would just use a virtual machine and pretend it's a remote server or something to that effect.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: Running ProGet with Group Managed Service Account

      Thanks for sharing all the details @sgardj_2482.

      You shouldn't need to modify the Embedded Database like this when using a GMSA. It should continue to work just fine using a username/password as configured. If you ran into an issue when changing the service account, please let us know.

      Note that we don't support modifying the Embedded Database like this, so please be aware this may suddenly break in a future upgrade.

      posted in Support
      stevedennis
    • RE: Dependency Confusion in ProGet

      Hi @certificatemanager_4002 ,

      This is really easy to do in ProGet and no need for a "scan". I can't even imagine how such a "scan" could work.

      Anyway, you just simply need to add a connector filter that prefixes your internal packages. For example, our filter for NuGet packages would look like Inedo* - which prevents any package named that coming through a connector.

      Check out this article to get some more details:
      https://blog.inedo.com/software-supply-chain-security/three-things

      Thanks,
      Steve

      posted in Support
      stevedennis
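Why a connector filter on the internal prefix closes the dependency-confusion gap described in the post above, as an added example that is not part of the original post and is not ProGet's code: a small model of a feed that merges local packages with connector results. The package names, versions, glob matching via `fnmatch`, and the "highest version wins" client behaviour are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample data: one internal package in the local feed, and an
# upstream index that also carries a same-named package with a higher version.
LOCAL_FEED = {"Inedo.Internal.Utils": ["1.4.0"]}
UPSTREAM_INDEX = {
    "Inedo.Internal.Utils": ["99.0.0"],   # same name, published upstream by someone else
    "Inedo.Unpublished": ["1.0.0"],       # internal-looking name that only exists upstream
    "Contoso.Json": ["13.0.3"],           # ordinary public dependency
}


def version_key(version):
    """Compare dotted numeric versions as integer tuples."""
    return tuple(int(part) for part in version.split("."))


def is_blocked(name, block_filters):
    """Case-insensitive glob match of a package name against connector block filters."""
    return any(fnmatchcase(name.lower(), pattern.lower()) for pattern in block_filters)


def resolve(name, local_feed, upstream_index, block_filters=()):
    """Return (source, version) for the highest version the feed would offer, or None."""
    candidates = [("local", v) for v in local_feed.get(name, [])]
    if not is_blocked(name, block_filters):
        # Only names that pass the connector filter are looked up upstream.
        candidates += [("connector", v) for v in upstream_index.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda item: version_key(item[1]))


if __name__ == "__main__":
    for filters in ((), ("Inedo*",)):
        print("connector block filters:", list(filters))
        for package in ("Inedo.Internal.Utils", "Inedo.Unpublished", "Contoso.Json"):
            print("  ", package, "->", resolve(package, LOCAL_FEED, UPSTREAM_INDEX, filters))
```
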
    • RE: Some package versions not found

      Hi @daniel-mccoy_4395 ,

      About the only way I can imagine that happening is if you delete the version from the feed and navigate to that page. Or, if it was a remote package, and somehow the connector stopped working between pages.

      I would try to find a pattern and see if you can reproduce this more consistently.

      Thanks,
      Steve

      posted in Support
      stevedennis
    • RE: ProGet: Editing Feed(s) field in a project changes the field for all projects

      Hi @Nils-Nilsson ,

      🤦

      This will be fixed via PG-3266 in the upcoming maintenance release (next Friday). It looks like it was a separate, SQL Server only bug. It's easy to patch if you'd like the SQL Script. Just let us know!

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Using curl to either check or download a script file in Otter

      Hi @scusson_9923 ,

      Looks like this is a bug in not overriding the job/execution status; the force normal statement should make it "green" and a normal execution status. Anyway we'll get it fixed via OT-524.

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: [ProGet] Debian connector for Jenkins

      Hi @adoran_4131 ,

      It looks like the 404 error is occurring while trying to download the Release file (i.e. the index) for the repository. The file is being downloaded from this URL:

      {connector-url}/dists/{distro}/Release
      

      And that URL is returning a 404. So make sure you are entering the correct distro in the connector.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Debian mirror feed / connector doesn't work " Signature by xyz was created after the --not-after date."

      Hi @matthias-schmitz_2037 ,

      The "Signature ... was created after the --not-after date" message is coming from sqv (Sequoia-PGP verifier), which newer versions of APT use for signature verification.

      It almost always indicates a system clock problem on the affected machine, not a repository problem, and often means "The system clock is behind the signature creation time."

      So bottom line, I would check the clocks to make sure they are accurate.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Using curl to either check or download a script file in Otter

      Hi @scusson_9923 ,

      The message is expected, but you should see scriptExists: false written at the end, and a Normal status (i.e. green) for the execution.

      Is that not the case?

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Using curl to either check or download a script file in Otter

      Hi @scusson_9923 ,

      Sorry on the slow reply; I wanted to test this, but didn't get a chance and figured I'd just share this now (which should work):

      set $scriptExists = true;
      
      try
      {
          Get-Asset FooBar.ps1
          (
              Overwrite: true,
              Type: Script,
              To: D:\temp\FooBar.ps1
          );
      }
      catch
      {
          set $scriptExists = false;
          force normal;
      }
      
      Log-Information scriptExists: $scriptExists;
      

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: No longer able to download package after update to 2025.21

      Hi @v-makkenze_6348 ,

      This is a regression introduced from ProGet 2025.20's changes to malicious package handling. It's not intentional, and only the specific versions should be blocked (8.10.1, 9.1.1, 10.1.6, 10.1.7).

      We'll get it fixed via PG-3227 in the next maintenance release (scheduled for this Friday, but we may do a pre-release sooner). For now your best bet is to rollback to ProGet 2025.19.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Universal Package feed changes package name when creating a package using the UI

      Hi @daniel-pardo_5658 ,

      This behavior is expected; the UI is meant for creating basic, case-insensitive archives.

      As for the permissions.... File metadata (including owner, execute permissions, etc) are stored within the filesystem (or as metadata in a zip file)... so once you transmit a file, that information is irrevocably lost.

      Best to upload a package file.

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Would it be possible to add Tags to feeds and/or packages inside a feed?

      Hi @daniel-pardo_5658 ,

      Thanks for the suggestion; Universal Packages already support tags in the package manifest file: https://docs.inedo.com/docs/proget/feeds/universal/universal-packages#manifest

      Otherwise, if you're referring to "tagging" a package already added to a feed - that's a hard pass :)

      The reason is that a package is designed to be self-contained (i.e. all the metadata about the package is stored within the package) and cryptographically sealed (i.e. so you can't edit/mutate a package). Tags break these, as they apply semantic metadata outside of the package.

      These have caused big issues in ecosystems that have tried them (like npm) - but long story short, there's a good reason they don't exist and there's most certainly a better way to accomplish what you're trying to :)

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Support for NotAutomatic/ButAutomaticUpgrades headers in Debian feed Release files

      Hi @geraldizo_0690,

      Thanks for the pointers -- now as an FYI, these settings would have to be a Feed-level setting, but the drop-downs would be the same.

      FYI, here's the code we use to generate the Release file --- I'm not sure what those other header values do, but we probably would just want to add the two you suggested.

      What do you think?

      I suspect this will be a quick, opt-in change!

      private void WriteReleaseFile(Stream output)
      {
          using var writer = new StreamWriter(output, InedoLib.UTF8Encoding, leaveOpen: true) { NewLine = "\n" };
          writer.WriteLine($"Suite: {this.Distro}");
          writer.WriteLine($"Codename: {this.Distro}");
          writer.WriteLine(FormattableString.Invariant($"Date: {this.Generated:ddd', 'dd' 'MMM' 'yyyy' 'HH':'mm':'ss' UTC'}"));
          // NotAutomatic: yes  <-- add here
          // ButAutomaticUpgrades: yes <-- add here
          writer.WriteLine($"Architectures: {string.Join(' ', this.indexes.Select(i => i.Architecture).Distinct(StringComparer.OrdinalIgnoreCase))}");
          writer.WriteLine($"Components: {string.Join(' ', this.indexes.Select(i => i.Component).Distinct(StringComparer.OrdinalIgnoreCase))}");
      
          var desc = FeedCache.GetFeed(this.feedId)?.Feed_Description;
          if (!string.IsNullOrWhiteSpace(desc))
              writer.WriteLine($"Description: {desc.ReplaceLineEndings(" ")}");
      
          writeHashes("MD5Sum:", i => i.MD5);
          writeHashes("SHA1:", i => i.SHA1);
          writeHashes("SHA256:", i => i.SHA256);
          writeHashes("SHA512:", i => i.SHA512);
      
          void writeHashes(string name, Func<IndexHashData, byte[]> getHash)
          {
              writer.WriteLine(name);
              foreach (var i in this.indexes)
              {
                  writer.WriteLine($" {Convert.ToHexString(getHash(i.Uncompressed)).ToLowerInvariant()} {i.Uncompressed.Length,16} {i.Component}/binary-{i.Architecture}/Packages");
                  writer.WriteLine($" {Convert.ToHexString(getHash(i.GZip)).ToLowerInvariant()} {i.GZip.Length,16} {i.Component}/binary-{i.Architecture}/Packages.gz");
              }
          }
      }
      
      posted in Support
      stevedennis
      stevedennis
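A consumer-side view of the Release file discussed in the post above, as an added example (not Inedo's code and not part of the original post). It parses the layout that WriteReleaseFile emits, reports the default APT pin priority that the two proposed headers select according to apt_preferences(5), and checks an index file against its SHA256 entry. The sample Release text, the Packages content and all function names are constructed.

```python
import hashlib

# Constructed sample: a tiny Packages index and a Release file in the layout
# the WriteReleaseFile code above produces, plus the two proposed headers.
PACKAGES = b"Package: demo\nVersion: 1.0\nArchitecture: amd64\n\n"
PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Suite: stable\nCodename: stable\n"
    "Date: Fri, 02 Jan 2026 10:00:00 UTC\n"
    "NotAutomatic: yes\nButAutomaticUpgrades: yes\n"
    "Architectures: amd64\nComponents: main\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES):>16} {PATH}\n"
)

def parse_release(text):
    """Split a Release file into single-line fields and hash sections."""
    fields, sections, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):          # entry inside a hash section
            if current is None:
                raise ValueError("indented line outside a hash section")
            digest, size, path = line.split()
            sections[current][path] = (digest, int(size))
        elif line.strip():
            key, _, value = line.partition(":")
            current = None if value.strip() else key
            if current:
                sections[key] = {}        # "SHA256:" opens a section
            else:
                fields[key] = value.strip()
    return fields, sections

def default_pin_priority(fields):
    """APT's default priority for versions from this archive."""
    if fields.get("NotAutomatic", "").lower() != "yes":
        return 500
    return 100 if fields.get("ButAutomaticUpgrades", "").lower() == "yes" else 1

def verify_index(sections, path, data):
    """Return mismatches between an index file and its SHA256 entry."""
    entry = sections.get("SHA256", {}).get(path)
    if entry is None:
        return [f"{path}: not listed under SHA256"]
    digest, size = entry
    problems = []
    if size != len(data):
        problems.append(f"{path}: size {len(data)}, Release lists {size}")
    if digest != hashlib.sha256(data).hexdigest():
        problems.append(f"{path}: SHA256 does not match Release")
    return problems
```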
    • RE: Bitbucket authentication issues

      Hi @brandon_owensby_2976 ,

      It sounds like you're on the right track with troubleshooting; the issue is definitely on the server-side in this case, so I asked ChatGPT. Who knows if any of this is accurate, but...

      This is a very common situation with older versions of Bitbucket Server (especially pre-6.x / pre-7.x era, but even up to some 7.x versions in certain setups).

      The REST API (e.g. /rest/api/1.0/...) and the Git Smart HTTP protocol (/scm/.../info/refs, /git-upload-pack, etc.) are handled by different authentication filters in Bitbucket Server.

      Most likely you're using a Personal Access Token / HTTP Access Token (most frequent cause in older versions). In many Bitbucket Server versions (especially ≤ 7.17–7.21), HTTP access tokens were designed mainly for REST API and did not work reliably (or at all) for Git over HTTPS in many cases.

      As a workaround, you need to use a real username + password (or username + app password if 2FA is on) for Git operations.

      We've seen similar in really old versions of ADO, GitHub, etc, where API tokens wouldn't work for Git.

      Anyway, I would try that - at least from the curl side of things. And maybe upgrading will help as well. If it works, then you'll likely only be able to use a Generic Git repository with a real username/password -- and just create a special builds user which effectively acts like an API key.

      Cheers,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Suggestion: Show total container image size

      Hi @Stephen-Schaff,

      It seems pretty easy to add these up and display them on the screen! I suppose the "hard part" is the UI...

      A "Total" line doesn't seem to look right. And it seems like too little information to put in one of those info-boxes. "Total Size: XXXX MB" at the bottom just looks incomplete.

      Any suggestions? I'm struggling a bit to see how it could be displayed without looking a little out of place... and since it was your idea I figured I'd ask ;)

      Thanks,

      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Support for NotAutomatic/ButAutomaticUpgrades headers in Debian feed Release files

      Hi @geraldizo_0690,

      Hello,

      I'm not all that familiar with Debian/APT... but I briefly researched this, and it seems like this involves adding values like this at the top of the Release file like this:

      NotAutomatic: yes 
      ButAutomaticUpgrades: yes
      

      Is that it really? And this setting would impact the entire feed... but have no real relation/impact to connectors or packages?

      If that's the case, how would you envision configuring this? I'm thinking on the Feed Properties page, but perhaps as a checkbox? How do other products/tools do it in your experience?

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Bitbucket authentication issues

      Hi @brandon_owensby_2976 ,

      Thanks for the feedback. Based on what you described, it sounds like...

      • BitBucket Server API is working fine
      • Git API is not working due to a failed/failing authentication challenge

      You were able to confirm this with the "Generic Git Repository" also not working. If you were to do a curl -I -u USERNAME:APIKEY https:/.../.git you would most certainly get a 401 response as well.

      Anyway that's where I would start -- try to figure out why the Git API is not accepting the credentials. It's most likely related to permissions on the key, but it's really hard to say... just a guess.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis
    • RE: Migrate Feed from C drive to another drive

      Hi @Julian-huebner_9077 ,

      Here's some information on file storage paths:
      https://docs.inedo.com/docs/proget/feeds/feed-overview/proget-feed-storage

      Long story short, if you modify Storage.PackagesRootPath under Admin > Advanced Settings and move your files as needed, then it should work just fine.

      Thanks,
      Steve

      posted in Support
      stevedennis
      stevedennis