Nine handlers (npm, Composer, PyPI, Cargo, pub, NuGet, Hex, RubyGems, Conda) can filter versions out of a package's metadata today because they already parse it for cooldown. The other eight can't:
- Go
- Maven
- OCI containers
- CRAN
- Debian
- RPM
- Conan
- Julia
For cooldown and advisory blocking (#130) to apply everywhere, each of these needs its version-list response parsed enough to drop entries before serving. Some are a few lines (Go's `/@v/list`, OCI `/tags/list`), some need index-file parsing (CRAN, Debian, RPM), and a couple are structurally awkward (Julia is content-addressed, Conan keys on user/channel).
This issue tracks bringing all of them up to parity. The per-ecosystem approach can be worked out as each one is picked up.
Depends on #127.
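A sketch of the Go `/@v/list` case mentioned above, added here as an illustration and not taken from the project's code. The `PublishedAt` lookup, the function names and the sample data are hypothetical; dropping versions of unknown age is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// PublishedAt is a hypothetical lookup for a version's publish time. For Go it
// could be backed by the upstream /@v/<version>.info response, which carries a
// Time field; the list response itself has no timestamps.
type PublishedAt func(version string) (time.Time, bool)

// FilterGoList takes the body of a /@v/list response (one version per line)
// and drops versions that are advisory-blocked, younger than the cooldown,
// or of unknown age (fail closed, an assumption of this sketch).
func FilterGoList(body string, blocked map[string]bool, published PublishedAt,
	cooldown time.Duration, now time.Time) string {
	var out strings.Builder
	for _, v := range strings.Fields(body) {
		t, known := published(v)
		if blocked[v] || !known || now.Sub(t) < cooldown {
			continue
		}
		out.WriteString(v + "\n")
	}
	return out.String()
}

// Constructed sample data, not taken from a real module.
var sampleNow = time.Date(2024, 6, 10, 0, 0, 0, 0, time.UTC)
var sampleTimes = map[string]time.Time{
	"v1.0.0": sampleNow.AddDate(0, -6, 0),
	"v1.1.0": sampleNow.AddDate(0, -1, 0),    // advisory-blocked in main
	"v1.2.0": sampleNow.Add(-24 * time.Hour), // inside a 7-day cooldown
}

func sampleLookup(v string) (time.Time, bool) {
	t, ok := sampleTimes[v]
	return t, ok
}

func main() {
	body := "v1.0.0\nv1.1.0\nv1.2.0\nv1.3.0\n" // v1.3.0 has no known publish time
	fmt.Print(FilterGoList(body, map[string]bool{"v1.1.0": true},
		sampleLookup, 7*24*time.Hour, sampleNow))
}
```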