This seems like a perfect candidate for a federated service.
My schedule is completely packed for this year, but this seems like an interesting problem so leaving resources for anyone that’s interested:
Implementation requirements
GitHub’s implementation has a decent, high-level architecture overview of how it works.
- Every supported forge requires a method to fetch (package management) files from the forge
- Every supported package manager requires a parser implementation to understand how dependencies are described
- Every supported package repository (pypy.org, crates.io, etc.) requires an implementation to get the latest version
- Additionally, vulnerable dependencies must be checked and warned about (emails to the maintainer or other private and secure channels) [0].
ForgeFed requirements
ForgeFed must include support for fetching files via federation similar to this Gitea endpoint. This is currently not a part of the ForgeFed goals.
Many code analysis services use this endpoint for cheap, on-demand source file fetching, so there is an incentive to define source file fetching within the ForgeFed spec.
Footnotes
[0]: The GitLab implementation relies on the GitHub Advisory database, which, per GitLab Dependabot documentation, requires a GitHub access token. But I believe the GitHub Advisory database can be replaced with the NIST Vulnerability Database (NVD) feeds. If anyone is aware of other trusted, independent sources, kindly let me know.
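The pipeline sketched under "Implementation requirements" (fetch a manifest, parse the declared dependencies, compare against the latest published version, match against an advisory feed) is small enough to show end to end. The following is an added example, not code from the post, from GitHub, GitLab or any ForgeFed project: it handles one manifest format (pinned `name==x.y.z` lines in the style of a pip requirements file), and the "latest version" index, the advisory feed and the package names in it are constructed placeholders standing in for what a real service would fetch from a package repository and from a source such as the NVD feeds. Versions are compared as dotted integer tuples; a production implementation would use a PEP 440 aware comparator for pre-releases and epochs.

```python
"""Toy dependency checker: parse a pinned manifest, flag outdated and advisory-affected packages.

Added example; the advisory feed, latest-version index and package names below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse '1.26.5' into (1, 26, 5). Integer-only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Dependency:
    name: str        # normalised: lower-case, underscores folded to hyphens
    version: Version


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: Version          # first affected version (inclusive)
    fixed: Optional[Version]     # first fixed version (exclusive); None means no fix published yet


@dataclass
class Finding:
    name: str
    version: Version
    latest: Optional[Version]
    outdated: bool
    advisories: List[str] = field(default_factory=list)


# Only pinned exact versions are accepted; ranges and VCS URLs are rejected rather than guessed at.
_PIN_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)")


def parse_requirements(manifest: str) -> List[Dependency]:
    """Parse 'name==x.y.z' lines; blank lines and '#' comments are ignored."""
    deps = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN_RE.fullmatch(line)
        if match is None:
            raise ValueError(f"only pinned 'name==x.y.z' lines are supported: {raw!r}")
        name = match.group(1).lower().replace("_", "-")
        deps.append(Dependency(name, parse_version(match.group(2))))
    return deps


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """True when dep falls inside [introduced, fixed) for the advisory's package."""
    if dep.name != adv.package or dep.version < adv.introduced:
        return False
    return adv.fixed is None or dep.version < adv.fixed


def run_check(manifest: str, latest_index: Dict[str, Version], advisories: List[Advisory]) -> List[Finding]:
    """Combine the three lookups the post lists: parse, latest-version check, advisory match."""
    findings = []
    for dep in parse_requirements(manifest):
        latest = latest_index.get(dep.name)          # None: repository did not know the package
        outdated = latest is not None and dep.version < latest
        hits = [a.advisory_id for a in advisories if is_affected(dep, a)]
        findings.append(Finding(dep.name, dep.version, latest, outdated, hits))
    return findings


# --- constructed sample data (placeholders, not real packages or advisories) ---
SAMPLE_REQUIREMENTS = """
# constructed manifest
examplelib==1.4.0
Other_Pkg==2.0.1   # inline comment, name is normalised to other-pkg
safepkg==3.1.0
"""

SAMPLE_LATEST: Dict[str, Version] = {
    "examplelib": (1, 6, 0),
    "other-pkg": (2, 0, 1),
    "safepkg": (3, 2, 0),
}

SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", (1, 0, 0), (1, 5, 0)),
    Advisory("EXAMPLE-0002", "other-pkg", (2, 0, 0), None),       # unfixed: every 2.x is affected
    Advisory("EXAMPLE-0003", "examplelib", (1, 5, 2), (1, 5, 3)),  # does not cover 1.4.0
]

if __name__ == "__main__":
    for f in run_check(SAMPLE_REQUIREMENTS, SAMPLE_LATEST, SAMPLE_ADVISORIES):
        status = "VULNERABLE" if f.advisories else ("outdated" if f.outdated else "ok")
        print(f"{f.name} {'.'.join(map(str, f.version))}: {status} {f.advisories}")
```

Each finding carries both signals separately, which is what the maintainer notification in the post needs: an outdated-but-clean package can be batched into a routine update, while an advisory hit (especially one with no fixed version) belongs on the private channel the post describes.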