Filter specific versions of a package #2015

Open
hanzo opened this issue Dec 17, 2024 · 0 comments
hanzo commented Dec 17, 2024

Is your feature request related to a problem? Please describe.
It would be useful to prevent specific versions of a package from being downloaded, e.g. if a security vulnerability is discovered to be present in certain versions. From what I can tell, it used to be possible to filter specific versions of a package using a filter file, but this mechanism is now deprecated. The currently supported solution of using a download mode file seems to operate at the package level without any ability to configure behavior for specific versions of the package.

Describe the solution you'd like
Ideally the download mode file would allow configuration to be applied to a range of versions for a particular package. I haven't thought too hard about the config structure but something along these lines:

download "golang.org/x/crypto" {
    versions = ">=v0.25.0,<v0.31.0"
    mode = "none"
}

The effect of this config block would be to delete all versions of the crypto package between v0.25.0-v0.31.0 from persistent storage and anywhere that they're cached, and to return a 404 when go get is called for those particular versions.

Describe alternatives you've considered
I don't know of any good alternatives. I could manually delete files from the underlying data stores and purge the cache, but this isn't a scalable or safe solution.

Additional context
My organization has some internal packages that have thousands of versions (periodically generated code from IDL schema), so for our use case it's necessary that the solution supports a range of versions instead of needing to specify exact version numbers.
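
One way the `versions` range proposed in this issue could be evaluated, as an added example that is not part of the original post or the project's code. The names `key` and `Blocked` are hypothetical, and the rule that any suffixed version (pre-release or pseudo-version) sorts just below its release is a simplifying assumption; a proxy would answer 404 where `Blocked` returns true.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// key (hypothetical) packs "v1.2.3[-suffix][+build]" into one sortable integer.
func key(s string) (k int64, err error) {
	s, _, _ = strings.Cut(strings.TrimPrefix(s, "v"), "+") // drop build metadata
	core, pre, _ := strings.Cut(s, "-")
	for _, p := range strings.Split(core, ".") {
		n, perr := strconv.ParseUint(p, 10, 20) // each component must fit in 20 bits
		if perr != nil || strings.Count(core, ".") != 2 {
			return 0, fmt.Errorf("bad version %q", s)
		}
		k = k<<20 | int64(n)
	}
	k <<= 1 // low bit: 1 for a release, 0 when a suffix is present (sorts just below)
	if pre == "" {
		k |= 1
	}
	return k, nil
}

// Blocked (hypothetical name) reports whether ver satisfies every clause of a range such as
// ">=v0.25.0,<v0.31.0"; bounds must be plain releases and operators one of >=, >, <=, <.
func Blocked(rng, ver string) (bool, error) {
	v, verr := key(ver)
	for _, clause := range strings.Split(strings.ReplaceAll(rng, " ", ""), ",") {
		op := strings.TrimRight(clause, "v.0123456789")
		b, berr := key(clause[len(op):])
		in, known := map[string]bool{">=": v >= b, ">": v > b, "<=": v <= b, "<": v < b}[op]
		if verr != nil || berr != nil || !known {
			return false, fmt.Errorf("cannot evaluate %q against %q", ver, clause)
		}
		if !in {
			return false, nil
		}
	}
	return true, nil
}

func main() { // the sample versions below are constructed for this example
	for _, ver := range []string{"v0.24.0", "v0.25.0", "v0.31.0-rc.1", "v0.31.0"} {
		blocked, err := Blocked(">=v0.25.0,<v0.31.0", ver)
		fmt.Println(ver, blocked, err)
	}
}
```

An unparseable version or clause returns an error instead of a verdict, so the caller has to choose explicitly whether to serve or refuse in that case.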
