hexpm: support vulnerability info from Hex#5900
Open
ankddev wants to merge 5 commits into
Open
Conversation
ankddev
commented
Jun 25, 2026
Contributor
- First part of Warn when a vulnerable package version is added as a dependency #5725
- Updated protobuf files to hexpm/specifications@bb45464
- The changes in this PR have been discussed beforehand in an issue
- The issue for this PR has been linked
- Tests have been added for new behaviour
- The changelog has been updated for any user-facing changes
ankddev
force-pushed
the
support-hexpm-vulnerabilities
branch
9 times, most recently
from
June 27, 2026 15:19
38c1188 to
5fdeec5
Compare
ankddev
marked this pull request as ready for review
June 27, 2026 15:20
ankddev
commented
Jun 27, 2026
| /// | ||
| /// https://github.com/hexpm/specifications/blob/main/registry-v2.md | ||
| /// | ||
| /// TODO: Where are the API docs for this? |
Contributor
Author
There was a problem hiding this comment.
I think that this todo is stale, because there's a documentation in the specifications repo, am I right?
| } | ||
|
|
||
| /// Create a request to download a version of a package as a tarball | ||
| /// TODO: Where are the API docs for this? |
| .collect::<Result<HashMap<_, _>, _>>()?; | ||
| let version = Version::try_from(release.version.as_str()) | ||
| .expect("Failed to parse version format from Hex"); | ||
| let security_advisories = package_advisories |
Contributor
Author
There was a problem hiding this comment.
We need to this, because the info from the repo v2 endpoint (package information) and from the HTTP API endpoint (release information) is in different formats.
ankddev
force-pushed
the
support-hexpm-vulnerabilities
branch
from
June 27, 2026 15:31
5fdeec5 to
06f0933
Compare
jtdowney
reviewed
Jun 27, 2026
There were few quite old TODOs about missing endpoint documentation, but I found it at https://github.com/hexpm/specifications/blob/main/endpoints.md, so I guess that we need to remove it
ankddev
force-pushed
the
support-hexpm-vulnerabilities
branch
from
July 13, 2026 14:21
06f0933 to
506cfab
Compare
It used to use the name not from HTTP API
Contributor
Author
|
@jtdowney I addresses all of your comments! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.