fix(validators): distinguish a missing package from a missing version on PyPI/NPM #1411
Open
sronix wants to merge 2 commits into
… on PyPI/NPM The version-specific metadata endpoint 404s both when a package is missing and when only the requested version is absent. On a version 404, probe the package-level endpoint with HEAD to tell the two apart, and treat 429/5xx as transient. Mirrors the cargo validator's probe-and-classify pattern. Fixes modelcontextprotocol#553.
The probe only refines an error message, so give it a 3s context deadline instead of letting it ride the client's full 10s timeout. Pin the expected methods in the httptest mocks (GET fetch, HEAD probe) and skip the live RealPackages cases on transient 429/5xx responses instead of failing them.
Fixes #553.
The PyPI and npm validators fetch the version-specific metadata endpoint (`/pypi/{name}/{version}/json` and the npm equivalent) and report any non-200 as `<pkg> not found`. That endpoint 404s for two different reasons though: the package doesn't exist, or it exists and only the version is missing (e.g. a release that hasn't propagated yet). So a valid package reads as gone.

On a version 404 the validator now probes the package-level endpoint (`/pypi/{name}/json`, `/{name}`) with a `HEAD` to tell the two apart, and reports 429/5xx as transient rather than "not found". `HEAD` so it reads a status without pulling the whole packument. The probe carries its own 3s deadline: it only refines the error message, so a hung probe must not stretch the validator past the ~10s-per-registry budget the publish path assumes. Same probe-and-classify shape as the existing cargo validator. The fetch is split into `validatePyPIPackage`/`validateNPMPackage` behind `export_test.go` so the branches are testable with `httptest`, the same seam cargo uses.

Testing

- `httptest` for the status matrix (version-missing, package-missing, 5xx, 429, inconclusive probe, positive path, scoped npm); the mocks pin the expected method per endpoint (`GET` fetch, `HEAD` probe).
- The live RealPackages cases `t.Skip` on transient 429/5xx as inconclusive instead of flaking (deliberate: CI runs these against the real registries with no short-mode gating).
- `gofmt`/`go vet`/`golangci-lint` clean.

Out of scope: auto-retry for the propagation race, and SSRF redirect-pinning parity for the pypi/npm clients (pre-existing, shared with nuget).
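The probe-and-classify flow the description lays out, written out as an added Go example that is not the PR's own code: `check`, `classify`, `status` and the `Outcome` type are constructed names, and both endpoint URLs are passed in so the same code runs against an `httptest` mock or a real registry.

```go
package main

import (
	"context"
	"net/http"
	"time"
)

// Outcome is what the validator reports for name@version (type constructed for this example).
type Outcome string
const (
	Found, VersionMissing, PackageMissing Outcome = "found", "version missing", "package missing"
	Transient, Inconclusive               Outcome = "transient (retry later)", "inconclusive"
)
// status issues one request and returns its status code, or 0 when the request itself failed.
func status(ctx context.Context, c *http.Client, method, url string) int {
	req, err := http.NewRequestWithContext(ctx, method, url, nil)
	if err != nil {
		return 0
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0 // timeout, DNS or connection failure: classify treats 0 as inconclusive
	}
	resp.Body.Close()
	return resp.StatusCode
}

// classify maps a status to an outcome: ok and notFound are what 200 and 404 mean for the
// endpoint that answered; 429 and 5xx are transient from either endpoint, never "not found".
func classify(s int, ok, notFound Outcome) Outcome {
	switch {
	case s == http.StatusOK:
		return ok
	case s == http.StatusNotFound:
		return notFound
	case s == http.StatusTooManyRequests || s >= 500:
		return Transient
	}
	return Inconclusive
}
// check GETs the version-specific endpoint and, only on a 404, HEADs the package-level one
// under its own 3s deadline: the probe merely refines an error message, so it must not ride
// the client's full timeout.
func check(ctx context.Context, c *http.Client, versionURL, pkgURL string) Outcome {
	if s := status(ctx, c, http.MethodGet, versionURL); s != http.StatusNotFound {
		return classify(s, Found, Inconclusive)
	}
	probeCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
	defer cancel()
	return classify(status(probeCtx, c, http.MethodHead, pkgURL), VersionMissing, PackageMissing)
}
```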