outlandishideas / wpackagist

WordPress Packagist — manage your plugins with Composer
https://wpackagist.org
MIT License

Wpackagist not compliant with repository metadata v1 endpoint so not interfaceable with Dependency Track #486

Closed ghost closed 10 months ago

ghost commented 1 year ago

Hello,

The repository wpackagist is not compliant with repository metadata v1 endpoint.

Dependency Track (DT) only uses the repository information to fetch metadata about the component, such as the latest available version. Regarding Composer, DT uses the repository metadata v1 endpoint. It does seem that https://wpackagist.org/ does not support this endpoint. See https://wpackagist.org/p2/wpackagist-plugin/elementor.json, which results in a 404, and https://repo.packagist.org/p/johnpbloch/wordpress.json, which works.

Is it possible to make it compliant? This would be a really nice feature which would allow us to manage our outdated dependencies.

More information on this issue: https://github.com/DependencyTrack/dependency-track/issues/2544

Thanks a lot in advance,
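
As an added example (not code from wpackagist or Dependency Track), the following shows what a version-tracking client has to do against a Composer repository: read the root `packages.json` to learn which metadata endpoint generation (v1 `providers-url`/`providers-lazy-url` or v2 `metadata-url`) is advertised, then expand a v2 `p2` document from Composer's minified form and pick the latest stable release. All inputs below are constructed samples; `wpackagist-plugin/demo` and the `example.invalid` URLs are placeholders, not real packages.

```python
import re

# Constructed sample root file (served at /packages.json). A v2 repository advertises
# "metadata-url"; v1 clients instead need "providers-url" or "providers-lazy-url".
ROOT_V2_ONLY = {"metadata-url": "/p2/%package%.json"}

# Constructed v2 "p2" document in Composer's minified form: only the first entry is
# complete, later entries list only changed keys, and "__unset" removes a key.
P2_SAMPLE = {"minified": "composer/2.0", "packages": {"wpackagist-plugin/demo": [
    {"name": "wpackagist-plugin/demo", "version": "2.1.0", "version_normalized": "2.1.0.0",
     "type": "wordpress-plugin", "dist": {"type": "zip", "url": "https://example.invalid/2.1.0.zip"}},
    {"version": "2.0.0", "version_normalized": "2.0.0.0",
     "dist": {"type": "zip", "url": "https://example.invalid/2.0.0.zip"}},
    {"version": "dev-trunk", "version_normalized": "dev-trunk", "dist": "__unset"},
]}}

def metadata_urls(root, base, package):
    """Map endpoint generation ('v1'/'v2') to the URL a client fetches for `package`."""
    urls = {}
    if "metadata-url" in root:
        urls["v2"] = base + root["metadata-url"].replace("%package%", package)
    for key in ("providers-lazy-url", "providers-url"):  # hashed form still needs %hash%
        if key in root:
            urls["v1"] = base + root[key].replace("%package%", package)
            break
    return urls

def expand_minified(versions):
    """Undo composer/2.0 minification so every version entry carries all its keys."""
    expanded, current = [], {}
    for delta in versions:
        current = dict(current)
        for key, value in delta.items():
            if value == "__unset":
                current.pop(key, None)
            else:
                current[key] = value
        expanded.append(current)
    return expanded

def latest_stable(p2_doc, package):
    """Highest stable release in a p2 document; dev and pre-release versions are skipped."""
    versions = p2_doc["packages"][package]
    if p2_doc.get("minified") == "composer/2.0":
        versions = expand_minified(versions)
    stable = [v for v in versions if re.fullmatch(r"\d+(\.\d+){3}", v["version_normalized"])]
    if not stable:
        return None
    return max(stable, key=lambda v: tuple(map(int, v["version_normalized"].split("."))))["version"]
```

A repository whose root file carries no `providers-*` key yields no `v1` entry, which is exactly the situation a v1-only client runs into; the `p2` parsing is what a v2-capable client would use instead.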

NoelLH commented 1 year ago

@fakeNews-jpg I'd be open to PRs, but I think it's highly unlikely we'll ever be able to devote the time to do all the work for this to implement the deprecated schema.

There's some discussion on #408 about v2 metadata but it's a bit blocked for work my side on both clarity on the most valuable properties and feasibility of getting them, and lack of time generally.

Would you be able to work with v2 metadata? Is there anything intrinsic about v1 that meets requirements v2 doesn't?

NoelLH commented 10 months ago

I'm going to close this for now, as I think any future effort is more likely to be on v2 if anybody has the time.

From the linked issue and our past research, I also suspect that adding this endpoint would not lead to vulnerability alerts as you want without some additional outside developments – our research for other purposes has mostly shown a lack of bulk-queryable databases of WordPress security alerts that can be used freely without limits unfortunately.