Nothing else I’ve tried will coax the metadata out. Clearly that info is in Nexus, but the only way I can get to it is via the web page (which is not amenable to parsing on the fly).
So, what is the URL format to get that detailed metadata for the versions of a given Python package mirrored in Nexus, preferably in JSON format, similar to what one can get from https://pypi.org/pypi/uv/json? Surely this exists?
I was looking for some information about this as well. Given the recent supply chain attacks, I wanted to set up my uv settings to skip packages newer than 3 days, but this breaks completely when we use the Nexus repository, as this does not work and actually breaks the installation of packages completely, since uv refuses (rightfully so) without the metadata.
Is this something planned to address? Nexus should already have all the information enough for both internal and proxied packages?
Your instinct to avoid new releases makes a lot of sense, given the recent open source malware attacks.
Nexus Repository doesn’t have functionality to block/avoid/skip packages based on age. For that, you’ll want Repository Firewall. Firewall lets you quarantine components on lots of criteria, including age. Use that quarantining capability and policy compliant component selection and Nexus Repository will grab the newest confirmed safe version if developers request the latest.
Yeah, I know that there are potential solutions that would block with a firewall of some kind, but given that this firewall (or someone) has to first analyze the potential package before it gets blocked, it is putting a risk that a low-tech solution like just waiting until any malware scanning would have happened…
My question is not really if Nexus Repository will support blocking new packages or not as I can defer and enforce it in uv, but the problem is that Nexus currently blocks that possibility to do that hence I was wondering if it’s something planned to support in Nexus?
I spoke with some folks on the Nexus Repository team. Support for the PEP 691 JSON Simple API is incoming. I don’t have a due date on that item and I’m not sure it entirely solves your problem, but I can confirm that it’s in the works.
Again, trying to address the problem with an enforced “cooldown” period through uv isn’t a bad instinct, but:
it’s messy because it requires a lot of configuration.
a mandatory waiting period means your apps won’t ever be on the most stable version of packages. That’s a big deal.
there’s no waiting period long enough to completely protect you from malware.
That’s why I’d encourage you to be extremely cautious about trying to solve this problem with package manager controls. If addressing supply chain attacks is a high priority for your org, give Repository Firewall a look.
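To make concrete why the uv cooldown setting discussed above fails against an index that does not serve PEP 691 JSON with the PEP 700 `upload-time` field, here is an added illustration (not code from the thread, from uv, or from Sonatype) that applies an exclude-newer style cutoff to a constructed PEP 691 v1.1 project page. The package name, URLs, hashes and timestamps are all made up; the rule that a file without `upload-time` is treated as unverifiable and therefore not installable mirrors the fail-closed behaviour the thread describes for uv and is an assumption of this example, not a statement of uv's exact implementation.

```python
"""Apply an exclude-newer cooldown to a PEP 691 / PEP 700 JSON Simple API page.

Added illustration. SAMPLE_INDEX is constructed, not fetched from PyPI or Nexus.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed PEP 691 v1.1 (PEP 700) project page for a fictional package.
# The third file deliberately lacks "upload-time": that is what an index which
# only serves the older simple API looks like to a client that needs the field.
SAMPLE_INDEX = json.dumps({
    "meta": {"api-version": "1.1"},
    "name": "examplepkg",
    "versions": ["1.0.0", "1.1.0", "1.2.0"],
    "files": [
        {"filename": "examplepkg-1.0.0-py3-none-any.whl",
         "url": "https://index.example/files/examplepkg-1.0.0-py3-none-any.whl",
         "hashes": {"sha256": "00" * 32},
         "upload-time": "2025-01-10T12:00:00.000000Z"},
        {"filename": "examplepkg-1.1.0-py3-none-any.whl",
         "url": "https://index.example/files/examplepkg-1.1.0-py3-none-any.whl",
         "hashes": {"sha256": "11" * 32},
         "upload-time": "2025-03-01T09:30:00.000000Z"},
        {"filename": "examplepkg-1.2.0-py3-none-any.whl",
         "url": "https://index.example/files/examplepkg-1.2.0-py3-none-any.whl",
         "hashes": {"sha256": "22" * 32}},  # constructed: no upload-time
    ],
})


def parse_upload_time(value: str) -> datetime:
    """Parse the RFC 3339 timestamp PEP 700 requires for "upload-time"."""
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11 on,
    # so normalise it to an explicit offset first.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"upload-time must carry a UTC offset: {value!r}")
    return parsed.astimezone(timezone.utc)


def supports_upload_time(index_json: str) -> bool:
    """PEP 700 fields (upload-time, size, versions) exist only from API 1.1 on."""
    version = json.loads(index_json).get("meta", {}).get("api-version", "1.0")
    return tuple(int(part) for part in version.split(".")) >= (1, 1)


def cooldown_cutoff(now_iso: str, days: int) -> datetime:
    """Cutoff for a 'skip anything newer than N days' policy, as a UTC datetime."""
    return parse_upload_time(now_iso) - timedelta(days=days)


def apply_exclude_newer(index_json: str, cutoff: datetime) -> dict[str, list[str]]:
    """Split a project's files into eligible / too_new / unverifiable filenames.

    Files with no "upload-time" cannot be shown to be older than the cutoff, so a
    fail-closed cooldown (the behaviour the thread describes for uv) cannot
    install them. A proxy that drops the field therefore yields nothing to install.
    """
    result: dict[str, list[str]] = {"eligible": [], "too_new": [], "unverifiable": []}
    for entry in json.loads(index_json).get("files", []):
        name = entry["filename"]
        stamp = entry.get("upload-time")
        if stamp is None:
            result["unverifiable"].append(name)
        elif parse_upload_time(stamp) > cutoff:
            result["too_new"].append(name)
        else:
            result["eligible"].append(name)
    return result


if __name__ == "__main__":
    # Constructed "now": evaluate a 3-day cooldown as of 3 March 2025.
    cutoff = cooldown_cutoff("2025-03-03T00:00:00Z", days=3)
    print("index carries upload-time:", supports_upload_time(SAMPLE_INDEX))
    print("cutoff:", cutoff.isoformat())
    for bucket, names in apply_exclude_newer(SAMPLE_INDEX, cutoff).items():
        print(f"{bucket:>12}: {names}")
```

Run against the constructed page with a 3-day cooldown as of 3 March 2025, 1.0.0 is eligible, 1.1.0 (uploaded 1 March) is too new, and 1.2.0 lands in the unverifiable bucket purely because its timestamp is absent. An index that omits `upload-time` for every file puts every file in that last bucket, which is the "breaks the installation completely" outcome described earlier in the thread, and the `supports_upload_time` check is the quick way to tell whether a given index can ever satisfy such a policy.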