Hiding a version from the metadata (#130) stops a fresh install from choosing it, but a project with a lockfile pinning that version will still download it directly.
Check the same advisory data in the download path and return 403 with the advisory ID in the response body and an X-Proxy-Block-Reason header. That breaks the build instead of silently serving a known-bad file, and the header gives CI something to report.
Uses the same severity floor, waivers, and audit/enforce mode as #130.
Depends on #129.
Hiding a version from the metadata (#130) stops a fresh install from choosing it, but a project with a lockfile pinning that version will still download it directly.
Check the same advisory data in the download path and return 403 with the advisory ID in the response body and an
X-Proxy-Block-Reasonheader. That breaks the build instead of silently serving a known-bad file, and the header gives CI something to report.Uses the same severity floor, waivers, and audit/enforce mode as #130.
Depends on #129.