feat: quarantine new releases (supply-chain attack prevention) #25
Closes #22
Summary
Adds per-remote quarantine support: immutable artifacts published within a configurable window (`quarantine_days`) are blocked with 404, giving teams time to detect malicious packages before they reach consumers.
Changes
- `ConfigManager.get_quarantine_config()` — reads `quarantine_new`/`quarantine_days` from remote config
- `RedisCache.store/get_artifact_published()` — persists the upstream `Last-Modified` header per artifact (namespace `pkg:published:`)
- `proxy._check_quarantine()` — raises HTTP 404 for artifacts within the quarantine window; fails open when the publish date is unknown
- `proxy._fetch_last_modified()` — HEAD-requests upstream to discover the publish date on cache-hit when not yet stored
- `/api/v1/remote/` and Docker (`/v2/`) proxy routes wired with quarantine checks on cache-hit and cache-miss paths
- `remotes.yaml` — pypi example updated with `quarantine_new: true`, `quarantine_days: 3`
- `README.md` — documents the quarantine feature with a config example
Tests
21 new tests across `test_config.py`, `test_cache.py`, and `test_routes.py`:
- `TestGetQuarantineConfig` — config parsing edge cases
- `TestArtifactPublished` — Redis key format, store/retrieve, unavailable-Redis no-op
- `TestQuarantine` — cache-miss and cache-hit blocking, fail-open (no `Last-Modified`), disabled quarantine pass-through, 404 detail string format
Docker verification
- `quarantine_new: true`, `quarantine_days: 3` for pypi remote
- `pip-21.0-py3-none-any.whl` (published 2021) returns 200 — correctly outside quarantine window
- Index pages (`/simple/pip/`) are never quarantined
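The quarantine decision described under Changes, written out as an added example; this is not the PR's or the project's code. The `quarantine_new`/`quarantine_days` keys, the reliance on the upstream `Last-Modified` header, the 404 on a quarantined artifact and the fail-open when the date is unknown all come from the PR description. Everything else is constructed for the example: the function and class names (`get_quarantine_config`, `evaluate_quarantine`, `response_status`, `QuarantineConfig`), the fixed clock `NOW`, and the sample artifacts with their dates, which are made up and do not correspond to any real upload.

```python
"""Quarantine decision for a caching package proxy.

Added example, not the PR's code. Behaviour follows the PR description:
a remote carries `quarantine_new` / `quarantine_days`; an artifact whose
upstream Last-Modified date falls inside that window is answered with 404;
an artifact with no parseable publish date is let through (fail-open).
Function and class names, the fixed clock NOW and every sample artifact
below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class QuarantineConfig:
    enabled: bool
    days: int


def get_quarantine_config(remote: dict) -> QuarantineConfig:
    """Read the two quarantine keys from one remote's config mapping.

    A missing, non-numeric or non-positive quarantine_days disables the
    feature, so a typo'd window cannot silently block everything forever.
    """
    try:
        days = int(remote.get("quarantine_days", 0) or 0)
    except (TypeError, ValueError):
        days = 0
    enabled = bool(remote.get("quarantine_new", False)) and days > 0
    return QuarantineConfig(enabled=enabled, days=days)


def parse_last_modified(value: Optional[str]) -> Optional[datetime]:
    """Parse an HTTP Last-Modified header into an aware UTC datetime.

    Returns None for a missing or malformed header; callers treat that as
    "publish date unknown".
    """
    if not value:
        return None
    try:
        published = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):  # older Pythons raise TypeError on garbage
        return None
    if published.tzinfo is None:  # a "-0000" zone yields a naive datetime
        published = published.replace(tzinfo=timezone.utc)
    return published.astimezone(timezone.utc)


def evaluate_quarantine(cfg: QuarantineConfig, last_modified: Optional[str],
                        now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one artifact under one remote's config."""
    if not cfg.enabled:
        return True, "quarantine disabled for this remote"
    published = parse_last_modified(last_modified)
    if published is None:
        # Fail-open, as the PR specifies: no usable date means no block.
        return True, "publish date unknown, failing open"
    now = now or datetime.now(timezone.utc)
    age = now - published
    window = timedelta(days=cfg.days)
    if age < window:
        return False, (f"published {published.isoformat()} is inside the "
                       f"{cfg.days}-day quarantine window")
    return True, f"published {published.isoformat()}, outside the window"


def response_status(cfg: QuarantineConfig, last_modified: Optional[str],
                    now: Optional[datetime] = None) -> int:
    """HTTP status a proxy route would use: 404 while quarantined, else 200."""
    allowed, _ = evaluate_quarantine(cfg, last_modified, now)
    return 200 if allowed else 404


# Fixed clock so the scenario is reproducible offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample artifacts with constructed Last-Modified values.
SAMPLE_ARTIFACTS = {
    "pip-21.0-py3-none-any.whl": "Sat, 23 Jan 2021 19:29:00 GMT",      # years old
    "fresh-1.0-py3-none-any.whl": "Sun, 31 Dec 2023 12:00:00 GMT",     # 12 hours old
    "boundary-1.0-py3-none-any.whl": "Fri, 29 Dec 2023 00:00:00 GMT",  # exactly 3 days old
    "nodate-1.0-py3-none-any.whl": None,                               # header never stored
    "garbage-1.0.tar.gz": "sometime last week",                        # unparseable header
}


def demo(remote: Optional[dict] = None) -> dict:
    """Run every sample artifact through the check; returns name -> status."""
    cfg = get_quarantine_config(remote or {"quarantine_new": True, "quarantine_days": 3})
    return {name: response_status(cfg, lm, NOW) for name, lm in SAMPLE_ARTIFACTS.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status}  {name}")
```

Two points worth keeping in mind when reviewing the real implementation. The comparison is strict (`age < window`), so an artifact exactly `quarantine_days` old is served; whether that boundary should be inclusive is a product decision, but the tests should pin it down. And because the check keys entirely off the upstream `Last-Modified` header, fail-open means an upstream (or anyone who can tamper with the response on the way in) that omits or backdates the header bypasses the window; the PR chooses fail-open deliberately, and a deployment that wants the stricter behaviour would treat a missing date as inside the window, at the cost of breaking upstreams that never send the header.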