Skip to content

Polish package vulnerability scanner#428

Open
amylin1249 wants to merge 11 commits into
mainfrom
polish-package-vulnerability-scanner
Open

Polish package vulnerability scanner#428
amylin1249 wants to merge 11 commits into
mainfrom
polish-package-vulnerability-scanner

Conversation

@amylin1249

@amylin1249 amylin1249 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Fixes #415.

Polishes the package-vulnerability-scanner (can review commit by commit):

  • Viewer identity switch: Connect API calls now run as the signed-in viewer via their per-request session token, instead of the deploying publisher, so each person sees the content they published and their own name in the header. This requires a Connect Visitor API Key integration (added to requiredFeatures).
  • In-app setup page: When the integration is missing, the app shows a setup screen with the steps to add it, similar to simple-shiny-chat-with-mcp.
  • Performance improvement: Packages for all visible content load in a single request. Vulnerability lookups query Package Manager in parallel across chunks, bounded to five concurrent requests. The package cache is kept when toggling between your content and all content, so re-viewing already-scanned content makes no new requests.
  • Robustness: Transient 5xx responses (from Connect or Package Manager) are retried with a short backoff, so a brief blip doesn't fail the whole scan. A failed fetch now shows a clear reason for failure instead of a premature zero or a permanent spinner.
  • Accessibility: The content-visibility toggle now has an accessible label so screen readers announce its purpose.
  • Security: Updated frontend dependencies to clear vulnerabilities flagged by npm audit, including a ReDoS advisory in the bundled markdown-it renderer.
  • Docs: README and description rewritten to match style of other Gallery items.
  • Testing: Manually deployed and verified both by self and non-publisher viewer to confirm the viewer identity switch works, and that there are no timeout errors with lots of content (~9000). Added a backend test suite (test_main.py, 29 tests covering the retry/setup helpers and all four API endpoints) and a frontend store test suite (37 tests across the Pinia stores and collectInstalledPackages). Both run in the extension workflow — npm test before the build and uv run pytest after.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Extension release summary

🚀 Will release on merge

  • package-vulnerability-scanner: 3.0.63.0.7

See the contributing guide for details.

@amylin1249 amylin1249 force-pushed the polish-package-vulnerability-scanner branch 3 times, most recently from caa5be8 to e0ce488 Compare July 8, 2026 19:36
- Read packages from Connect's server-wide /v1/packages endpoint in one pass,
  grouped by content, instead of a request per item — scales to thousands.
- Query Package Manager in parallel; keep the package cache when toggling
  between your content and all content.
- Retry transient failures (Connect and PPM 5xx/network) with backoff; add a
  PPM timeout so a stall can't hang the scan.
- Surface every failure with an explicit message instead of a misleading 0
@amylin1249 amylin1249 force-pushed the polish-package-vulnerability-scanner branch from e0ce488 to a3c587f Compare July 8, 2026 19:47
@amylin1249 amylin1249 force-pushed the polish-package-vulnerability-scanner branch from b66ea97 to 35340b3 Compare July 8, 2026 20:15
@amylin1249 amylin1249 requested review from dotNomad, karawoo and m-- July 10, 2026 14:43
@amylin1249 amylin1249 marked this pull request as ready for review July 10, 2026 16:04
karawoo
karawoo previously approved these changes Jul 14, 2026
@karawoo

karawoo commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Ack sorry I meant to approve #418, got my tabs mixed up. I have not reviewed this yet.

@karawoo karawoo self-requested a review July 14, 2026 19:04
@karawoo karawoo dismissed their stale review July 14, 2026 19:05

reviewed erroneously

Comment on lines +104 to +110
# Read every package across the viewer's content from the server-wide
# endpoint and group by content, instead of a request per item. Each
# record carries the guid of the content it belongs to, so a server with
# thousands of items scans in one pass rather than thousands of round-trips.
def fetch_grouped() -> dict[str, list]:
by_guid: dict[str, list] = {}
for pkg in visitor.packages.fetch():

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't the server-wide endpoint admin-only? If the viewer is not an admin, I don't think this will work.

I'm realizing the API docs don't suggest this but I think that is an omission.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Polish package-vulnerability-scanner

2 participants