bower / registry

The Bower registry
https://registry.bower.io/packages
MIT License

Deal somehow with stale packages #110

Closed sheerun closed 4 years ago

sheerun commented 9 years ago

I think the best idea is to create a web interface for listing stale packages, and let registry editors remove them manually. I think we don't want any automation because we can easily delete half of the registry by mistake.

Followup of: #69, #72

davidjbradshaw commented 9 years ago

I've just added these tickets to help understand the size of the issue and possibly be used to update the registry.

patrickkettner commented 9 years ago

I do not believe #113 is relevant. We can't control whether or not a repo has a bower.json

sheerun commented 9 years ago

The only concern I have is the following case:

  1. Developer uses package xxx
  2. This package gets removed by its author
  3. We removed the package from the registry
  4. Someone registered a malicious package under the xxx name
  5. Developer performs bower install, and the malicious xxx package is installed, instead of just erroring that the package got removed from GitHub.
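
Added example, not part of the original thread or the Bower project's code: a consumer-side check for the name-reuse case in the last comment. It compares the repository URL recorded when each dependency was vetted against the URL the registry maps that name to now. The pinned map, the snapshot entries (assumed to have the `{ name, url }` shape) and the function names are assumptions made for illustration.

```javascript
// Constructed sample data; package names and URLs are hypothetical.
const pinned = {
  xxx: 'git://github.com/alice/xxx.git',
  yyy: 'https://github.com/Bob/yyy',
  zzz: 'https://github.com/carol/zzz.git',
};
// Assumed shape of registry lookup results: { name, url }.
const registrySnapshot = [
  { name: 'xxx', url: 'https://github.com/mallory/xxx.git' }, // name re-registered
  { name: 'yyy', url: 'git://github.com/bob/yyy.git' },       // same repo, different spelling
  // zzz is absent: removed from the registry
];

// Reduce a Git URL to host/owner/repo so that scheme, ".git" suffix and
// letter-case differences do not raise false alarms (assumes a host that
// treats paths case-insensitively, as GitHub does).
function canonicalRepo(url) {
  const m = /^(?:[a-z+]+:\/\/)?(?:[^@\/]+@)?([^\/:]+)[\/:](.+?)(?:\.git)?\/?$/i.exec(url.trim());
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// Report every pinned name that vanished from the registry or now
// resolves to a different repository than the one that was vetted.
function auditPins(pins, registryEntries) {
  const current = new Map(registryEntries.map((e) => [e.name, e.url]));
  const findings = [];
  for (const [name, pinnedUrl] of Object.entries(pins)) {
    if (!current.has(name)) {
      findings.push({ name, status: 'missing' });
      continue;
    }
    const now = current.get(name);
    const a = canonicalRepo(pinnedUrl);
    const b = canonicalRepo(now);
    // Unparseable URLs are treated as a mismatch rather than silently passed.
    if (a === null || b === null || a !== b) {
      findings.push({ name, status: 'repointed', was: pinnedUrl, now });
    }
  }
  return findings;
}

for (const f of auditPins(pinned, registrySnapshot)) console.log(JSON.stringify(f));
```

A `missing` finding corresponds to step 3 of the scenario and a `repointed` finding to step 4; either one is a reason to stop the install and review the dependency by hand.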