Closed jonl-percsolutions-com closed 3 months ago
Does sound like an Artifactory issue. The error message is reported by Artifactory, so it may be a configuration issue.
Could it be an error caused by the original HTTP request responding with a "not-found" error, which is fine for Pub, it takes it as there being no advisories, but the proxy can't handle a failing request well?
Seems to me to be a duplicate or at least related to https://github.com/dart-lang/pub/issues/4269
The proxying needs to also proxy the http/advisories to be fully compliant. See https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md#list-security-advisories-for-a-package
The crash should be fixed in dart 3.5 where this will show up as a warning instead of a crash.
cc @szakarias
We should probably consider making a cherry pick of the fix into 3.4.
Would it also be possible to add a global flag to ignore advisories in some scenarios, like CI/CD. Cause I think there is a second issue that will need to be resolved by artifactory in the handling and proxying of these endpoints.
I have seen behavior where IF <package>/advisories is pulled by artifactory BEFORE <package>, then it creates an http folder containing the advisories.
I believe this scenario can happen when local cache resolution occurs for a package and it attempts to retrieve the advisories and artifactory cache for a package is cleared.
So there is definitely an issue to open with artifactory.
I was looking but I don't see any specific documentation on how the advisories are supposed to work from an api perspective? I would like to open an issue with artifactory, but would like to have some understanding on that before doing so.
Documentation is here: https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md
In short there is:
(A) /api/packages/<package>/advisories end-point, which returns advisories.
(B) advisoriesUpdated property in the version-listing API response.
When (B) is present (A) is required.
Context:
I dropped a line to some jfrog people, though I'm not sure my contacts are still active -- it's been a while :rofl:
For the record, this is a dart pub client issue: https://github.com/dart-lang/pub
This is fixed in dart 3.4.4
FYI, seems like you are using the wrong URL in RT.
Should be: "https://
We are utilizing artifactory to proxy pub.dev internally. After upgrading to our flutter sdks recently, we have begun receiving failures in resolution because dart pub attempts to pull an endpoint at <packagename>/advisories. When artifactory pulls this, it expects <packagename> to be a folder, but <packagename> is not a folder.
I can't tell, however, if the problem lies in artifactory or the addition of advisory resolution in pub get. Should dart be using the PUB_HOSTED_URL for pulling advisories at all?
This can be overridden temporarily by setting PUB_HOSTED_URL=pub.dev, but this goes against our compliance requirements.
Resolution example logs:
Response from artifactory when attempting to retrieve http/advisories