ecosyste-ms / packages

An open API service providing package, version and dependency metadata of many open source software ecosystems and registries.
https://packages.ecosyste.ms
GNU Affero General Public License v3.0

Package data misses information about the user who released versions of packages on npm #838

Open lirantal opened 2 months ago

lirantal commented 2 months ago

Hi folks! 👋

I would expect that the Packages API for the versions data point will also include information about the user who released the version, on npm.

For example, the npm registry API at https://registry.npmjs.org/safe-regex2 would return that information under the versions key (look for the _npmUser key below):

{
  "_id": "safe-regex2",
  "_rev": "5-87f8c2e9312b92a9b82d5fe7f1fa9348",
  "name": "safe-regex2",
  "dist-tags": {
    "latest": "4.0.0"
  },
  "versions": {
    "2.0.0": {
      "name": "safe-regex2",
      "version": "2.0.0",
      "keywords": [
        "catastrophic",
        "exponential",
        "regex",
        "safe",
        "sandbox"
      ],
      "author": {
        "url": "http://substack.net",
        "name": "James Halliday",
        "email": "mail@substack.net"
      },
      "license": "MIT",
      "_id": "safe-regex2@2.0.0",
      "maintainers": [
        {
          "name": "matteo.collina",
          "email": "hello@matteocollina.com"
        }
      ],
      "contributors": [
        {
          "name": "Matteo Collina",
          "email": "hello@matteocollina.com"
        }
      ],
      "homepage": "https://github.com/fastify/safe-regex",
      "bugs": {
        "url": "https://github.com/fastify/safe-regex/issues"
      },
      "dist": {
        "shasum": "b287524c397c7a2994470367e0185e1916b1f5b9",
        "tarball": "https://registry.npmjs.org/safe-regex2/-/safe-regex2-2.0.0.tgz",
        "fileCount": 7,
        "integrity": "sha512-PaUSFsUaNNuKwkBijoAPHAK6/eM6VirvyPWlZ7BAQy4D+hCvh4B6lIG+nPdhbFfIbP+gTGBcrdsOaUs0F+ZBOQ=="
      },
      "main": "index.js",
      "gitHead": "6af6b35b1609474d928a5e9a8af4f95ab6771628",
      "scripts": {
        "test": "standard && tape test/*.js"
      },
      "_npmUser": {
        "name": "matteo.collina",
        "email": "hello@matteocollina.com"
      },
      "repository": {
        "url": "git://github.com/fastify/safe-regex.git",
        "type": "git"
      },
      "_npmVersion": "6.7.0",
      "description": "detect possibly catastrophic, exponential-time regular expressions",
      "directories": {},
      "_nodeVersion": "10.15.1",
      "dependencies": {
        "ret": "~0.2.0"
      }
    }
  }
}

However, in the existing Packages API today for versions (or any other endpoints), I couldn't find this information. I thought it should appear in this endpoint: https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/safe-regex2

andrew commented 2 months ago

Agreed, this should be collected and stored on each version record in the metadata field.
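
An added example, not part of the issue thread or the ecosyste.ms code base: it reads the `_npmUser` and `maintainers` keys from a registry document shaped like the one quoted above, builds one publisher record per version, and lists versions a reviewer may want to look at. The sample document, the function names and the three review reasons are assumptions made for this example; versions are processed in the order they appear in the document.

```javascript
// Constructed sample shaped like the registry document quoted in the issue
// (package name, accounts and versions are made up).
const alice = { name: "alice", email: "alice@example.com" };
const bob = { name: "bob", email: "bob@example.com" };
const samplePackument = {
  name: "example-pkg",
  versions: {
    "1.0.0": { maintainers: [alice], _npmUser: alice },
    "1.1.0": { maintainers: [alice], _npmUser: bob },
    "1.2.0": { maintainers: [alice] }, // no _npmUser: stays unknown
  },
};

// One record per version: who published it, and whether that account is
// listed in the version's own maintainers array.
function publisherRecords(packument) {
  return Object.entries(packument.versions || {}).map(([version, meta]) => {
    const user = meta && meta._npmUser;
    const name = user && typeof user.name === "string" ? user.name : null;
    const maintainers = Array.isArray(meta && meta.maintainers) ? meta.maintainers : [];
    return {
      version,
      publisher: name,
      email: user && typeof user.email === "string" ? user.email : null,
      publisherIsMaintainer: name !== null && maintainers.some((m) => m && m.name === name),
    };
  });
}

// Versions worth a reviewer's attention: publisher unknown, not a listed
// maintainer, or different from the previous version's known publisher.
function versionsToReview(records) {
  let previous = null;
  const flagged = [];
  for (const r of records) {
    const reasons = [];
    if (r.publisher === null) reasons.push("publisher-missing");
    else {
      if (!r.publisherIsMaintainer) reasons.push("publisher-not-maintainer");
      if (previous !== null && previous !== r.publisher) reasons.push("publisher-changed");
      previous = r.publisher;
    }
    if (reasons.length) flagged.push({ version: r.version, reasons });
  }
  return flagged;
}

console.log(versionsToReview(publisherRecords(samplePackument)));
```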