Add basic functionality for calling and caching the result from the pub.dev api for security advisories #4053
Conversation
szakarias
force-pushed
the
writeAdvJson
branch
from
92e5897
to
f21a499
Compare
| try { | ||
| ensureDir(p.dirname(path)); | ||
|
|
||
| await writeTextFileAsync( |
There was a problem hiding this comment.
These files are small enough we usually use the sync versions.
| path, | ||
| jsonEncode( | ||
| <String, dynamic>{ | ||
| ...body, |
There was a problem hiding this comment.
Maybe we want to at a timestamp here?
| ...body, | |
| ...body, | |
| 'fechedAt': DateTime.now.[convert to string...] |
| /// /api/packages/$package/advisories | ||
| class _PackageAdvisories { | ||
| final DateTime? advisoriesUpdated; | ||
| final List advisories; |
There was a problem hiding this comment.
I think the list needs a type-argument
| @@ -537,6 +537,62 @@ class HostedSource extends CachedSource { | |||
| return result; | |||
| } | |||
|
|
|||
| Future<_PackageAdvisories> _fetchAdvisories( | |||
| _RefAndCache refAndCache, | |||
There was a problem hiding this comment.
Don't use the _RefAndCache type, it is only used because records was not a thing back then - just take a Ref and a SystemCache.
| body = decoded; | ||
|
|
||
| result = _PackageAdvisories( | ||
| body['advisories'] as List, |
There was a problem hiding this comment.
Don't we want to decode the individual entries?
| body = decoded; | ||
|
|
||
| result = _PackageAdvisories( | ||
| body['advisories'] as List, |
There was a problem hiding this comment.
We cannot do a type-cast here. We have to validate this is actually a list and throw if not
|
|
||
| // Cache the response on disk. | ||
| // Don't cache overly big responses. | ||
| if (bodyText.length < 500 * 1024) { |
There was a problem hiding this comment.
Maybe we should make this size limit bigger. Perhaps 1000 kb?
| ? null | ||
| : DateTime.parse(body['advisoriesUpdated'] as String), | ||
| ); | ||
| } on Exception catch (error, stackTrace) { |
There was a problem hiding this comment.
Can we be more specific in what we catch here?
This is a first step towards showing surfacing security advisories in the client. The functionality is not yet called.