When a client asks the proxy for a package's available versions, drop any that match a known advisory so the resolver never picks them.
This uses the version matcher from #129 plugged into the filter interface from #127, so the handlers that already filter for cooldown get it without extra wiring.
Config:

```yaml
filter:
  block:
    severity: high   # only block at this severity or above
    malware: always  # MAL- advisories are blocked regardless of severity
    mode: enforce    # or "audit" to log what would be blocked without doing it
  waive:
    - purl: pkg:npm/lodash
      vuln: GHSA-p6mc-m468-83gw
      until: 2026-08-01
```
When the advisory sync learns about a new vulnerability for a package, the cached metadata for that package should be invalidated so the next request is re-filtered.
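To make the filter semantics concrete, here is an added Python sketch of the decision logic described above (severity threshold, `MAL-` advisories blocked regardless of severity, dated waivers, and `audit` versus `enforce` mode). It is illustration only, not the project's code: the version-range syntax, the data classes, and every function name are assumptions, and the affected ranges and severities in the sample advisories are constructed values rather than the real advisory data.

```python
"""Illustration of advisory-based version filtering (not the project's code).
The range syntax, class and function names below are assumptions for this example."""
from dataclasses import dataclass, field
from datetime import date
import operator

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}


@dataclass(frozen=True)
class Advisory:
    id: str        # "GHSA-..." or "MAL-..." (MAL- marks a malware advisory)
    purl: str      # package URL the advisory applies to
    affected: str  # assumed syntax: space-separated clauses, e.g. ">=1.0.0 <1.2.3"
    severity: str  # low | medium | high | critical


@dataclass(frozen=True)
class Waiver:
    purl: str
    vuln: str
    until: date    # assumption: waiver honoured through this day inclusive


@dataclass
class BlockConfig:
    severity: str = "high"
    malware: str = "always"
    mode: str = "enforce"
    waive: list = field(default_factory=list)


def config_from_dict(cfg: dict) -> BlockConfig:
    """Build a BlockConfig from a parsed `filter:` section shaped like the PR's YAML."""
    section = cfg["filter"]
    block = section["block"]
    waivers = [Waiver(w["purl"], w["vuln"], date.fromisoformat(str(w["until"])))
               for w in section.get("waive", [])]
    return BlockConfig(block.get("severity", "high"), block.get("malware", "always"),
                       block.get("mode", "enforce"), waivers)


def parse_version(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))


def version_in_range(version: str, spec: str) -> bool:
    """Every clause in the spec must hold (AND semantics); ops: >= <= > < =."""
    v = parse_version(version)
    for clause in spec.split():
        for op in sorted(_OPS, key=len, reverse=True):  # try ">=" before ">"
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unrecognised range clause: {clause}")
    return True


def is_waived(adv: Advisory, cfg: BlockConfig, today: date) -> bool:
    return any(w.purl == adv.purl and w.vuln == adv.id and today <= w.until
               for w in cfg.waive)


def is_blocking(adv: Advisory, cfg: BlockConfig, today: date) -> bool:
    if is_waived(adv, cfg, today):
        return False
    if adv.id.startswith("MAL-") and cfg.malware == "always":
        return True  # malware is blocked whatever its severity label
    return SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[cfg.severity]


def filter_versions(purl, versions, advisories, cfg: BlockConfig, today: date):
    """Return (versions_to_serve, would_block). In audit mode nothing is dropped,
    but would_block still records what enforce mode would have removed, for logging."""
    would_block = {}
    for v in versions:
        for adv in advisories:
            if adv.purl == purl and version_in_range(v, adv.affected) and is_blocking(adv, cfg, today):
                would_block.setdefault(v, []).append(adv.id)
    if cfg.mode == "audit":
        return list(versions), would_block
    return [v for v in versions if v not in would_block], would_block


# Constructed sample data: ranges and severities are illustrative, not real advisory data.
LODASH = "pkg:npm/lodash"
ADVISORIES = [
    Advisory("GHSA-p6mc-m468-83gw", LODASH, "<4.17.21", "high"),   # waived in the config until 2026-08-01
    Advisory("MAL-0000-example", LODASH, "=4.17.19", "low"),      # placeholder malware advisory id
    Advisory("GHSA-0000-example", LODASH, "<4.17.21", "medium"),  # below the "high" threshold
]
CONFIG = {"filter": {"block": {"severity": "high", "malware": "always", "mode": "enforce"},
                     "waive": [{"purl": LODASH, "vuln": "GHSA-p6mc-m468-83gw", "until": "2026-08-01"}]}}
VERSIONS = ["4.17.19", "4.17.20", "4.17.21"]


def demo(today_iso: str, mode: str = "enforce"):
    """Run the sample through the filter as of a given day (ISO date string)."""
    cfg = config_from_dict(CONFIG)
    cfg.mode = mode
    return filter_versions(LODASH, VERSIONS, ADVISORIES, cfg, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(demo("2026-06-01"))           # waiver active: only the MAL- hit is dropped
    print(demo("2026-09-01"))           # waiver expired: the high-severity range applies too
    print(demo("2026-09-01", "audit"))  # audit: everything served, decisions still recorded
```

Running `demo` on the dates around the waiver's `until` shows the three behaviours the config encodes: while the waiver is active only the malware-flagged version disappears, after it expires the high-severity range is dropped as well, and in `audit` mode the full version list is served while `would_block` carries what enforce mode would have removed.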
Depends on #127 and #129.