ac3a8a7c43
quality: MSRV, tarpaulin config, proptest for parsers ( #84 )
...
* fix: proxy dedup, multi-registry GC, TOCTOU and credential hygiene
- Deduplicate proxy_fetch/proxy_fetch_text into generic proxy_fetch_core
with response extractor closure (removes ~50 lines of copy-paste)
- GC now scans all registry prefixes, not just docker/
- Add tracing::warn to fire-and-forget cache writes in docker proxy
- Mark S3 credentials as skip_serializing to prevent accidental leaks
- Remove TOCTOU race in LocalStorage get/delete (redundant exists check)
* chore: clean up root directory structure
- Move Dockerfile.astra and Dockerfile.redos to deploy/ (niche builds
should not clutter the project root)
- Harden .gitignore to exclude session files, working notes, and
internal review scripts
* refactor(metrics): replace 13 atomic fields with CounterMap
Per-registry download/upload counters were 13 individual AtomicU64
fields, each duplicated across new(), with_persistence(), save(),
record_download(), record_upload(), and get_registry_* (6 touch points
per counter). Adding a new registry required changes in 6+ places.
Now uses CounterMap (HashMap<String, AtomicU64>) for per-registry
counters. Adding a new registry = one entry in REGISTRIES const.
Added Go registry to REGISTRIES, gaining go metrics for free.
* quality: add MSRV, tarpaulin config, proptest for parsers
- Set rust-version = 1.75 in workspace Cargo.toml (MSRV policy)
- Add tarpaulin.toml: llvm engine, fail-under=25, json+html output
- Add coverage/ to .gitignore
- Update CI to use tarpaulin.toml instead of inline flags
- Add proptest dev-dependency and property tests:
- validation.rs: 16 tests (never-panics + invariants for all 4 validators)
- pypi.rs: 5 tests (extract_filename never-panics + format assertions)
* test: add unit tests for 14 modules, coverage 21% → 30%
Add 149 new tests across auth, backup, gc, metrics, mirror parsers,
docker (manifest detection, session cleanup, metadata serde),
docker_auth (token cache), maven, npm, pypi (normalize, rewrite, extract),
raw (content-type guessing), request_id, and s3 (URI encoding).
Update tarpaulin.toml: raise fail-under to 30, exclude UI/main from
coverage reporting as they require integration tests.
* bench: add criterion benchmarks for validation and manifest parsing
Add parsing benchmark suite with 14 benchmarks covering:
- Storage key, Docker name, digest, and reference validation
- Docker manifest media type detection (v2, OCI index, minimal, invalid)
Run with: cargo bench --package nora-registry --bench parsing
* test: add 48 integration tests via tower oneshot
Add integration tests for all HTTP handlers:
- health (3), raw (7), cargo (4), maven (4), request_id (2)
- pypi (5), npm (5), docker (12), auth (6)
Create test_helpers.rs with TestContext pattern.
Add tower and http-body-util dev-dependencies.
Update tarpaulin fail-under 30 to 40.
Coverage: 29.5% to 43.3% (2089/4825 lines)
* fix: clean clippy warnings in tests, fix flaky audit test
Add #[allow(clippy::unwrap_used)] to 18 test modules.
Fix 3 additional clippy lints: writeln_empty_string, needless_update,
unnecessary_get_then_check.
Fix flaky audit test: replace single sleep(50ms) with retry loop (max 1s).
Prefix unused token variable with underscore.
cargo clippy --all-targets = 0 warnings (was 245 errors)
2026-04-05 10:01:50 +03:00
7c8964f8fa
fix(deps): update sha2 0.10→0.11, hmac 0.12→0.13 ( #75 )
...
Breaking API changes in digest crate ecosystem:
- sha2 digest returns Array instead of GenericArray
- Replace format!("{:x}", digest) with hex::encode(digest)
- Add digest::KeyInit trait import for Hmac
- Update all hash formatting in docker, npm, s3, tokens
2026-03-31 19:36:29 +00:00
dependabot[bot]
d6e3f3e129
chore(deps): bump uuid from 1.22.0 to 1.23.0 ( #69 )
...
Bumps [uuid](https://github.com/uuid-rs/uuid ) from 1.22.0 to 1.23.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases )
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.22.0...v1.23.0 )
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 1.23.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com >
2026-03-31 19:05:56 +00:00
5d1c07db51
docs: add Go module proxy support to README ( #62 )
...
* docs: add Go module proxy to README, update dashboard GIF
- Add Go Modules to supported registries table
- Add Go usage example (GOPROXY)
- Add Go config.toml example
- Add /go/ endpoint to endpoints table
- Update dashboard GIF with 6 registry cards in one row
- Fix registries count: 6 package registries
* feat(ui): add Raw storage to dashboard, sidebar, and list pages
- Raw Storage card on dashboard with file count and size
- Raw in sidebar navigation with file icon
- Raw list and detail pages (/ui/raw)
- Raw mount point in mount points table
- Grid updated to 7 columns for all registry cards
- README: 7 registries, add Go module proxy docs
* docs: add product badges (release, image size, downloads)
2026-03-27 22:01:41 +03:00
c8dc141b2f
feat: add Go module proxy (GOPROXY protocol) ( #59 )
...
* feat: add Go module proxy (GOPROXY protocol) (#47 )
Implements caching proxy for Go modules with 5 standard endpoints:
- GET /go/{module}/@v/list — list versions
- GET /go/{module}/@v/{version}.info — version metadata
- GET /go/{module}/@v/{version}.mod — go.mod file
- GET /go/{module}/@v/{version}.zip — module zip
- GET /go/{module}/@latest — latest version info
Features:
- Module path encoding/decoding per Go spec (!x → X)
- Immutable caching (.info/.mod/.zip never overwritten)
- Mutable endpoints (@v/list, @latest) refreshed from upstream
- Configurable upstream (default: proxy.golang.org)
- Separate timeout for .zip downloads (default: 120s)
- Size limit for zips (default: 100MB)
- Path traversal protection
- Dashboard integration (stats, mount points, index)
- 25 unit tests (encoding, path splitting, safety, content-type)
Closes #47
* style: cargo fmt
* feat(ui): add Go pages, compact cards, fix icons
- Go in sidebar + list/detail pages with go get command
- Dashboard: fix fallback icon (was Docker whale for Go)
- Compact registry cards: lg:grid-cols-6, all 6 in one row
- Cargo icon: crate boxes instead of truck
- Go icon: stylized Go text (sidebar + dashboard)
* fix(go): URL-decode path + send encoded paths to upstream
Go client sends %21 for ! in module paths. Axum wildcard does not
auto-decode, so we percent-decode manually. Upstream proxy.golang.org
expects encoded paths (with !), not decoded uppercase.
Tested: full Pusk build (22 modules, 135MB cached) including
SherClockHolmes/webpush-go with triple uppercase encoding.
* style: cargo fmt
2026-03-27 21:16:00 +03:00
432e8d35af
security: migrate token hashing from SHA256 to Argon2id ( #55 )
...
* docs: add DCO, governance model, roles, vulnerability credit policy
* security: migrate token hashing from SHA256 to Argon2id
- Replace unsalted SHA256 with Argon2id (salted) for API token hashing
- Fix TOCTOU race: replace exists()+read() with read()+match on error
- Set chmod 600 on token files and 700 on token storage directory
- Auto-migrate legacy SHA256 tokens to Argon2id on first verification
- Add regression tests: argon2 format, legacy migration, file permissions
2026-03-24 22:56:43 +00:00
975264c353
fix(deps): update rustls-webpki 0.103.9 -> 0.103.10 (RUSTSEC-2026-0049)
...
Also revert codeql-action to tag pin in scorecard.yml —
scorecard webapp rejects SHA pins for this specific action.
2026-03-20 23:07:09 +00:00
533f3cd795
release: bump version to v0.2.35
2026-03-20 22:54:30 +00:00
2ec0fe4a28
release: bump version to v0.2.34
2026-03-20 19:46:42 +00:00
f0cbb22bd9
fix(deps): update tar 0.4.44 -> 0.4.45
...
Fixes CVE-2026-33055 (PAX size header bypass) and
CVE-2026-33056 (symlink chmod directory traversal).
2026-03-20 19:32:46 +00:00
596b18a3fa
release: bump version to v0.2.33
2026-03-19 11:08:51 +00:00
fa2cd45ed3
security: harden Docker registry and container runtime
...
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-03-19 08:29:28 +00:00
67b55fba92
chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets
...
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
2026-03-18 11:20:22 +00:00
cb37813f11
security: add cargo-fuzz targets and ClusterFuzzLite config
...
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
0727b421a9
Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23
...
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
2026-03-17 13:38:22 +03:00
22b01c9d78
Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0
...
chore(deps): bump clap from 4.5.60 to 4.6.0
2026-03-17 13:38:20 +03:00
dependabot[bot]
fd1a4c5fd5
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
...
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing ) from 0.3.22 to 0.3.23.
- [Release notes](https://github.com/tokio-rs/tracing/releases )
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.22...tracing-subscriber-0.3.23 )
---
updated-dependencies:
- dependency-name: tracing-subscriber
dependency-version: 0.3.23
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:13 +00:00
dependabot[bot]
d3df26b61a
chore(deps): bump clap from 4.5.60 to 4.6.0
...
Bumps [clap](https://github.com/clap-rs/clap ) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases )
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md )
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0 )
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:03 +00:00
dependabot[bot]
1d61f50ab0
chore(deps): bump tempfile from 3.26.0 to 3.27.0
...
Bumps [tempfile](https://github.com/Stebalien/tempfile ) from 3.26.0 to 3.27.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md )
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.26.0...v3.27.0 )
---
updated-dependencies:
- dependency-name: tempfile
dependency-version: 3.27.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:24:55 +00:00
01027888cb
feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)
...
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
2026-03-16 12:32:16 +00:00
a9996b6b54
fix: dashboard — docker namespaced repos, npm proxy cache, upstream display (v0.2.30)
2026-03-16 08:55:33 +00:00
e4890b457b
v0.2.29: upstream auth, remove dead code, version bump
...
- Remove unused DockerAuth::fetch_with_auth() method
- Fix basic_auth_header docstring
- Bump to v0.2.29
2026-03-15 21:42:49 +00:00
272898f43c
fix: quinn-proto CVE, add Telegram @getnora, fix website URL
2026-03-13 16:44:20 +00:00
68089b2bbf
chore: bump version to 0.2.28
2026-03-12 19:23:32 +00:00
af411a2bf4
Merge pull request #28 from getnora-io/dependabot/cargo/toml-1.0.6spec-1.1.0
...
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
2026-03-12 22:14:13 +03:00
96ccd16879
Merge pull request #27 from getnora-io/dependabot/cargo/uuid-1.22.0
...
chore(deps): bump uuid from 1.21.0 to 1.22.0
2026-03-12 22:14:09 +03:00
6582000789
Merge pull request #26 from getnora-io/dependabot/cargo/tokio-1.50.0
...
chore(deps): bump tokio from 1.49.0 to 1.50.0
2026-03-12 22:14:06 +03:00
dependabot[bot]
9349b93757
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
...
Bumps [toml](https://github.com/toml-rs/toml ) from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v1.0.3...toml-v1.0.6 )
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.0.6+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:26:09 +00:00
dependabot[bot]
69080dfd90
chore(deps): bump uuid from 1.21.0 to 1.22.0
...
Bumps [uuid](https://github.com/uuid-rs/uuid ) from 1.21.0 to 1.22.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases )
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.21.0...v1.22.0 )
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:59 +00:00
dependabot[bot]
ae799aed94
chore(deps): bump tokio from 1.49.0 to 1.50.0
...
Bumps [tokio](https://github.com/tokio-rs/tokio ) from 1.49.0 to 1.50.0.
- [Release notes](https://github.com/tokio-rs/tokio/releases )
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.49.0...tokio-1.50.0 )
---
updated-dependencies:
- dependency-name: tokio
dependency-version: 1.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:50 +00:00
dependabot[bot]
95c6e403a8
chore(deps): bump bcrypt from 0.18.0 to 0.19.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt ) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.18.0...v0.19.0 )
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.19.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:38 +00:00
a9455c35b9
chore: bump version to 0.2.27
2026-03-03 22:30:24 +00:00
4c3a9f6bd5
chore: bump version to 0.2.26
...
DevITWay
2026-03-03 10:41:38 +00:00
e34032d08f
chore: bump version to 0.2.25
...
Changes:
- fix(rate-limit): NORA_RATE_LIMIT_ENABLED flag + SmartIpKeyExtractor
- deps: clap 4.5.60, uuid 1.21.0, tempfile 3.26.0, bcrypt 0.18.0, indicatif 0.18.4
- ci: checkout v6, upload-artifact v7, gh-release v2, trivy v0.34.2, build-push v6
2026-03-03 09:16:20 +00:00
45c3e276dc
Merge pull request #8 from getnora-io/dependabot/cargo/indicatif-0.18.4
...
chore(deps): bump indicatif from 0.17.11 to 0.18.4
2026-03-03 12:13:33 +03:00
dependabot[bot]
f4e53b85dd
chore(deps): bump indicatif from 0.17.11 to 0.18.4
...
Bumps [indicatif](https://github.com/console-rs/indicatif ) from 0.17.11 to 0.18.4.
- [Release notes](https://github.com/console-rs/indicatif/releases )
- [Commits](https://github.com/console-rs/indicatif/compare/0.17.11...0.18.4 )
---
updated-dependencies:
- dependency-name: indicatif
dependency-version: 0.18.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 09:13:21 +00:00
05d89d5153
Merge pull request #18 from getnora-io/dependabot/cargo/bcrypt-0.18.0
...
chore(deps): bump bcrypt from 0.17.1 to 0.18.0
2026-03-03 12:13:20 +03:00
b149f7ebd4
Merge pull request #19 from getnora-io/dependabot/cargo/tempfile-3.26.0
...
chore(deps): bump tempfile from 3.24.0 to 3.26.0
2026-03-03 12:12:32 +03:00
5254e2a54a
Merge pull request #17 from getnora-io/dependabot/cargo/uuid-1.21.0
...
chore(deps): bump uuid from 1.20.0 to 1.21.0
2026-03-03 12:12:19 +03:00
dependabot[bot]
4c05df2359
chore(deps): bump clap from 4.5.56 to 4.5.60
...
Bumps [clap](https://github.com/clap-rs/clap ) from 4.5.56 to 4.5.60.
- [Release notes](https://github.com/clap-rs/clap/releases )
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md )
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.56...clap_complete-v4.5.60 )
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.5.60
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 08:53:05 +00:00
7f8e3cfe68
fix(rate-limit): add NORA_RATE_LIMIT_ENABLED flag and SmartIpKeyExtractor
...
- Add enabled field to RateLimitConfig (default: true, env: NORA_RATE_LIMIT_ENABLED)
- Skip rate limiter layers entirely when disabled
- Replace PeerIpKeyExtractor with SmartIpKeyExtractor for upload/general routes
to correctly identify clients behind reverse proxies and Docker bridge networks
- Keep PeerIpKeyExtractor for auth routes (stricter brute-force protection)
Root cause: PeerIpKeyExtractor saw all Docker bridge traffic as single IP (172.17.0.1),
exhausting GCRA bucket for all clients simultaneously. With burst=1M, recovery time
reached 84000+ seconds.
2026-03-03 08:51:33 +00:00
dependabot[bot]
13f33e8919
chore(deps): bump tempfile from 3.24.0 to 3.26.0
...
Bumps [tempfile](https://github.com/Stebalien/tempfile ) from 3.24.0 to 3.26.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md )
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.24.0...v3.26.0 )
---
updated-dependencies:
- dependency-name: tempfile
dependency-version: 3.26.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:26:40 +00:00
dependabot[bot]
7454ff2e03
chore(deps): bump bcrypt from 0.17.1 to 0.18.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt ) from 0.17.1 to 0.18.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.17.1...v0.18.0 )
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.18.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:26:29 +00:00
dependabot[bot]
5ffb5a9be3
chore(deps): bump uuid from 1.20.0 to 1.21.0
...
Bumps [uuid](https://github.com/uuid-rs/uuid ) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases )
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.20.0...v1.21.0 )
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 1.21.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:26:15 +00:00
4ad802ce2f
fix: bump prometheus 0.13->0.14 and bytes 1.11.0->1.11.1 (CVE-2025-53605, CVE-2026-25541)
2026-02-24 11:36:07 +00:00
dependabot[bot]
04c806b659
chore(deps): bump chrono from 0.4.43 to 0.4.44 ( #10 )
...
Bumps [chrono](https://github.com/chronotope/chrono ) from 0.4.43 to 0.4.44.
- [Release notes](https://github.com/chronotope/chrono/releases )
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md )
- [Commits](https://github.com/chronotope/chrono/compare/v0.4.43...v0.4.44 )
---
updated-dependencies:
- dependency-name: chrono
dependency-version: 0.4.44
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:23:06 +01:00
dependabot[bot]
50a5395a87
chore(deps): bump quick-xml from 0.31.0 to 0.39.2 ( #9 )
...
Bumps [quick-xml](https://github.com/tafia/quick-xml ) from 0.31.0 to 0.39.2.
- [Release notes](https://github.com/tafia/quick-xml/releases )
- [Changelog](https://github.com/tafia/quick-xml/blob/master/Changelog.md )
- [Commits](https://github.com/tafia/quick-xml/compare/v0.31.0...v0.39.2 )
---
updated-dependencies:
- dependency-name: quick-xml
dependency-version: 0.39.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:58 +01:00
dependabot[bot]
bcd172f23f
chore(deps): bump toml from 0.8.23 to 1.0.3+spec-1.1.0 ( #7 )
...
Bumps [toml](https://github.com/toml-rs/toml ) from 0.8.23 to 1.0.3+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v0.8.23...toml-v1.0.3 )
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.0.3+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:52 +01:00
dependabot[bot]
a5a7c4f8be
chore(deps): bump flate2 from 1.1.8 to 1.1.9 ( #6 )
...
Bumps [flate2](https://github.com/rust-lang/flate2-rs ) from 1.1.8 to 1.1.9.
- [Release notes](https://github.com/rust-lang/flate2-rs/releases )
- [Commits](https://github.com/rust-lang/flate2-rs/compare/1.1.8...1.1.9 )
---
updated-dependencies:
- dependency-name: flate2
dependency-version: 1.1.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:46 +01:00
42e71b9195
refactor: use shared reqwest::Client across all registry handlers
...
Add http_client field to AppState, initialized once at startup.
Replace per-request Client::builder() calls in npm, maven, pypi,
and docker registry handlers with the shared instance.
This reuses the connection pool across requests instead of
creating a new client on every proxy fetch.
Bump version to 0.2.20.
2026-02-23 07:45:44 +00:00
