Description
REF: #110
Problem: Inspector can serve a 'Project Removed' response when a package has not yet been removed.
Background: When a package is uploaded, in our experience, it can often take a moment for PyPI to serve the appropriate content on the package's page, while Inspector is able to serve the contents of the files relatively immediately.
Steps to Reproduce:
- Identify a recently uploaded package.
- Visit the Inspector link of said package prior to the content being served on PyPI.
Example:
We were alerted to pipcryptov2 at 2:46PM.
I visited the Inspector URL to confirm malicious content. I was met with a package removed notification.
The PyPI page initially 404'd, but refreshing it moments later provided the appropriate webpage, and the package had not yet been removed.
Discussion: I understand this is probably a transient issue and likely not impactful as a whole to the service, as very few people are visiting Inspector within the time frame between when a package is uploaded and the time the PyPI content is served. Given that we tend to respond within ~60 seconds of receiving notification of a package upload, this is likely an issue that will only affect our service and similar services, so from our end, we can inform our team accurately that this should be ignored unless responding to a package significantly after the fact.