Polish package vulnerability scanner#428
Open
amylin1249 wants to merge 11 commits into
Open
Conversation
Contributor
Extension release summary🚀 Will release on merge
See the contributing guide for details. |
…or API Key integration is missing
caa5be8 to
e0ce488
Compare
- Read packages from Connect's server-wide /v1/packages endpoint in one pass, grouped by content, instead of a request per item — scales to thousands. - Query Package Manager in parallel; keep the package cache when toggling between your content and all content. - Retry transient failures (Connect and PPM 5xx/network) with backoff; add a PPM timeout so a stall can't hang the scan. - Surface every failure with an explicit message instead of a misleading 0
e0ce488 to
a3c587f
Compare
b66ea97 to
35340b3
Compare
… clear npm audit vulnerabilities
…st handlers so a missing integration shows the setup page
…ckage Manager is unreachable
…ouple backend tests from build
karawoo
previously approved these changes
Jul 14, 2026
Contributor
|
Ack sorry I meant to approve #418, got my tabs mixed up. I have not reviewed this yet. |
karawoo
reviewed
Jul 14, 2026
Comment on lines
+104
to
+110
| # Read every package across the viewer's content from the server-wide | ||
| # endpoint and group by content, instead of a request per item. Each | ||
| # record carries the guid of the content it belongs to, so a server with | ||
| # thousands of items scans in one pass rather than thousands of round-trips. | ||
| def fetch_grouped() -> dict[str, list]: | ||
| by_guid: dict[str, list] = {} | ||
| for pkg in visitor.packages.fetch(): |
Contributor
There was a problem hiding this comment.
Isn't the server-wide endpoint admin-only? If the viewer is not an admin, I don't think this will work.
I'm realizing the API docs don't suggest this but I think that is an omission.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #415.
Polishes the
package-vulnerability-scanner(can review commit by commit):requiredFeatures).simple-shiny-chat-with-mcp.test_main.py, 29 tests covering the retry/setup helpers and all four API endpoints) and a frontend store test suite (37 tests across the Pinia stores andcollectInstalledPackages). Both run in the extension workflow —npm testbefore the build anduv run pytestafter.