
Bump registries to v0.6.0 and gate client with safehttp #20

Merged
andrew merged 1 commit into main from registries-v0.6.0-safehttp
May 13, 2026

Conversation

Contributor

@andrew andrew commented May 12, 2026

PURLs passed to this library can carry a repository_url qualifier that registries.NewFromPURL and BulkFetchPackages use as the fetch base URL. Since those PURLs may originate from manifests or other untrusted input, the registries client is now constructed with client.WithSafeHTTP() so loopback, RFC1918, CGNAT, link-local and similar targets are refused at dial time.

The bump also picks up populated Version.Integrity for pub, julia and nuget, which flows through GetVersion/GetVersions unchanged.

registries_test.go spins up a 127.0.0.1 server, points a PURL's repository_url at it, and asserts the request never lands.

The client subpackage is imported directly because WithSafeHTTP isn't yet re-exported at the registries root (git-pkgs/registries#28).
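
The dial-time gate described above, as an added example rather than code from git-pkgs/registries or this PR: a Go http.Client whose net.Dialer Control hook refuses loopback, RFC1918, CGNAT, link-local and related ranges on the literal address the socket is about to connect to, plus a probe in the shape of the test the PR describes (a 127.0.0.1 server that must receive zero requests). The blocked-range list, the names IsSafeIP, refuseInternal, NewSafeClient and ProbeLoopback, and the request path are assumptions for illustration; the library's own option is client.WithSafeHTTP() and its exact range list is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"syscall"
	"time"
)

// ErrUnsafeAddress is returned (wrapped) when a dial targets an internal range.
var ErrUnsafeAddress = errors.New("safehttp: destination is not a public address")

// blockedNets is the set of ranges this example treats as internal. The list
// is an assumption for illustration, not the library's own.
var blockedNets = mustCIDRs(
	"127.0.0.0/8", "::1/128", // loopback
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", // RFC 1918
	"100.64.0.0/10", // CGNAT (RFC 6598)
	"169.254.0.0/16", "fe80::/10", // link-local (covers cloud metadata 169.254.169.254)
	"fc00::/7", // IPv6 unique local
	"0.0.0.0/8", "::/128", // unspecified
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsSafeIP reports whether ip lies outside every blocked range. A nil IP
// (e.g. from a failed net.ParseIP) is treated as unsafe.
func IsSafeIP(ip net.IP) bool {
	if ip == nil {
		return false
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// refuseInternal is a net.Dialer Control hook. It runs after the socket is
// created and before connect(2), on the IP:port the dialer is about to use,
// so it checks the address DNS actually returned rather than the URL's host
// name. A hostname-only check would miss a public name with a private A
// record or a DNS-rebinding answer; and since the client dials every redirect
// hop through the same dialer, a redirect to 127.0.0.1 is refused as well.
func refuseInternal(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if !IsSafeIP(net.ParseIP(host)) {
		return fmt.Errorf("%w: %s", ErrUnsafeAddress, address)
	}
	return nil
}

// NewSafeClient returns an http.Client whose every dial is gated by refuseInternal.
func NewSafeClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: refuseInternal}
	return &http.Client{
		Transport: &http.Transport{DialContext: d.DialContext},
		Timeout:   10 * time.Second,
	}
}

// ProbeLoopback mirrors the test shape from the PR: start a server on
// 127.0.0.1, send a request to it through the safe client, and report how
// many requests the server actually served together with the client's error.
func ProbeLoopback() (int32, error) {
	var hits int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		atomic.AddInt32(&hits, 1)
		io.WriteString(w, "should never be served")
	}))
	defer srv.Close()

	// Hypothetical registry path, standing in for a PURL's repository_url target.
	resp, err := NewSafeClient().Get(srv.URL + "/packages/example/1.0.0")
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&hits), err
}

func main() {
	hits, err := ProbeLoopback()
	fmt.Printf("requests served: %d, error: %v\n", hits, err)
	for _, s := range []string{"127.0.0.1", "10.1.2.3", "100.64.0.1", "169.254.169.254", "fe80::1", "8.8.8.8", "2001:4860:4860::8888"} {
		fmt.Printf("%-24s safe=%v\n", s, IsSafeIP(net.ParseIP(s)))
	}
}
```

The check lives in Control rather than in a URL pre-check because the dialer sees every address the client actually connects to, including IPv6/IPv4 fallback attempts and each redirect hop; the error surfaces through net.OpError and url.Error, so callers can match it with errors.Is.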

PURLs can carry a repository_url qualifier that NewFromPURL and
BulkFetchPackages use as the fetch base URL. Wrap the underlying
client with WithSafeHTTP so loopback, RFC1918, link-local and
similar targets are refused at dial time.
@andrew andrew merged commit 5b49b1a into main May 13, 2026
5 checks passed
1 participant