feat: add filters and risk sort to GET /v1/packages #4203
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.
Please add a Jira issue key to your PR title.
Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
…ackages list endpoint Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 4e0679d. Configure here.
| // from leaking into filtered results. | ||
| if (opts.lifecycle) { | ||
| conditions.push('p.status IS NOT NULL') | ||
| } |
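Review bot: the condition pushed when opts.lifecycle is set never compares the requested value; `p.status IS NOT NULL` makes active, stable, declining and abandoned all return the same rows while the response still echoes the chosen filter. Validate the value against the allowed lifecycle set, push it onto the query's parameter list and reference its placeholder in the condition (e.g. `p.status = $N`), so the value is both actually compared and never interpolated into the SQL string.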
Lifecycle filter ignores value
Medium Severity
When lifecycle is passed from the list endpoint, the DAL only adds p.status IS NOT NULL and never compares the requested lifecycle value (active, stable, declining, abandoned). Every lifecycle choice returns the same result set while the response still echoes the chosen filter.
| JOIN repos r ON r.id = pr.repo_id | ||
| WHERE pr.package_id = p.id | ||
| ORDER BY pr.confidence DESC | ||
| LIMIT 1 |
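Review bot: `ORDER BY pr.confidence DESC LIMIT 1` has no tie-breaker, so two linked repos with equal confidence make the scorecard pick depend on plan and row order, and it also diverges from the detail view, which prefers the declared source before confidence. Add the same secondary key the detail view uses and finish with a stable column (e.g. `r.id`) so that list health, healthBand and the health/risk sort agree with the detail view and are deterministic across runs.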
Scorecard repo pick inconsistent
Medium Severity
The new r_sc lateral picks a linked repo with ORDER BY pr.confidence DESC only. Package detail elsewhere breaks ties by preferring declared source, so list health, healthBand, and sortBy=health|risk can use a different scorecard than the detail view for the same package.


Summary
Extends GET /v1/packages with the additional filters and sort options currently handled post-fetch on the consumer side, moving them into the DB layer.
- status=unassigned|open|assessing|active|... — filters by stewardship status; unassigned includes packages with no stewardship row
- healthBand=healthy|fair|concerning|critical — filters by scorecard score (0–10 × 10 = 0–100 health), using best-confidence linked repo
- vulnSeverity=any|high|critical — filters by worst advisory severity rank across all open advisories
- sortBy=risk — composite score: impact + health deficit + vuln exposure + bus factor + staleness
- health field now returns the scorecard-based 0–100 value instead of always null
- When lifecycle is passed, packages with no registry status (p.status IS NULL) are excluded from results
- name param for case-insensitive ILIKE filter
Changes
- backend/src/api/public/v1/packages/listPackages.ts — new Zod params (status, healthBand, vulnSeverity, risk sort), forwarded to DAL; filters and health in response updated
- services/libs/data-access-layer/src/osspckgs/api.ts — new ListPackagesOptions fields; added LATERAL joins for scorecard (r_sc) and max advisory severity rank (ap_severity); shared laterals fragment used in both paginated query and empty-page COUNT fallback; risk sort expression inline in SQL
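The review findings above centre on how filter values reach the SQL. The following is an added example, not code from this PR or from the project's DAL, showing the pattern a reviewer would expect for the lifecycle, vulnSeverity and name filters: every value is validated against an allowlist, compared against its column, and bound as a numbered parameter rather than interpolated. The column and alias names (p.status, p.name, ap_severity.max_rank) and the severity rank scale are assumptions modelled on the aliases named in the PR description.

```typescript
// Added example (not the project's code): build a parameterized WHERE clause in
// which each filter value is both compared and bound. Column names and the
// severity rank scale are assumptions, not taken from the PR.

type Lifecycle = 'active' | 'stable' | 'declining' | 'abandoned';
type VulnSeverity = 'any' | 'high' | 'critical';

interface ListPackagesFilters {
  lifecycle?: Lifecycle;
  vulnSeverity?: VulnSeverity;
  name?: string;
}

interface WhereClause {
  where: string;      // '' when no filter is active
  params: unknown[];  // values for $1..$n, in placeholder order
}

// Allowlist of registry lifecycle values named in the review comment.
const LIFECYCLES: ReadonlySet<string> = new Set(['active', 'stable', 'declining', 'abandoned']);

// Assumed rank scale: higher rank is worse; 'any' means at least one open advisory.
const SEVERITY_MIN_RANK: Record<VulnSeverity, number> = { any: 1, high: 3, critical: 4 };

// Escape LIKE metacharacters so a user-supplied name cannot widen the match
// (a bare '%' would otherwise match every package).
function escapeLike(value: string): string {
  return value.replace(/[\\%_]/g, (ch) => '\\' + ch);
}

function buildWhere(opts: ListPackagesFilters): WhereClause {
  const conditions: string[] = [];
  const params: unknown[] = [];

  // Placeholder numbers follow the params array, so a clause can never refer to
  // a value that was not pushed, and no value is ever spliced into the SQL text.
  const bind = (value: unknown): string => {
    params.push(value);
    return `$${params.length}`;
  };

  if (opts.lifecycle !== undefined) {
    if (!LIFECYCLES.has(opts.lifecycle)) {
      throw new Error(`invalid lifecycle: ${String(opts.lifecycle)}`);
    }
    // Compare the requested value; an IS NOT NULL check alone would make every
    // lifecycle choice return the same rows.
    conditions.push(`p.status = ${bind(opts.lifecycle)}`);
  }

  if (opts.vulnSeverity !== undefined) {
    if (!(opts.vulnSeverity in SEVERITY_MIN_RANK)) {
      throw new Error(`invalid vulnSeverity: ${String(opts.vulnSeverity)}`);
    }
    // Worst open advisory rank (from the assumed ap_severity lateral) must reach the threshold.
    conditions.push(`ap_severity.max_rank >= ${bind(SEVERITY_MIN_RANK[opts.vulnSeverity])}`);
  }

  if (opts.name !== undefined && opts.name !== '') {
    // Case-insensitive substring match with escaped wildcards, bound as a single parameter.
    conditions.push(`p.name ILIKE ${bind('%' + escapeLike(opts.name) + '%')} ESCAPE '\\'`);
  }

  return {
    where: conditions.length > 0 ? 'WHERE ' + conditions.join(' AND ') : '',
    params,
  };
}
```

Because the same `bind` helper is used for every condition, the clause text and the parameter array cannot drift apart, which is the property that makes the shared laterals fragment safe to reuse in both the paginated query and the COUNT fallback.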