Bump commons-fileupload:commons-fileupload from 1.5 to 1.6.0 in /pypi-adapter#8
Closed
dependabot[bot] wants to merge 189 commits into
Closed
Conversation
Conda+minIO S3 upload tests
* feat: removed ppom usage * correct release settings
* feat: move asto
* feat: move asto * revert s3 update * fix: corrected docs
* fix: release version 17 * simplify composer AstoRepositoryAddJsonTest
* feat: move asto * revert s3 update * correct docker ubuntu release script * fix: correct release scripts and description
* deps: update vulnerable guava
* feat: move asto * revert s3 update * correct docker ubuntu release script * fix: removed unused servlet slice * correct npm test
* Conda adapter uploading tests with S3 storage * Fix possible crash due to NPE * Conda S3 tests data * Core review fixes * Cache test image, like in conan IT tests in artipie-main * added asto-s3 in test scope --------- Co-authored-by: Alena <olena.gerasimova@gmail.com>
* Rollback ServletSliceWrap
…edWriter.close() isn't propagated.
Helm tests fix
* Changes for cloudArtifact
* docker-perm: expose image name
Optimizing integration test run time in CI by prebuilt docker images.
fix for missing dependencies httpcore5/httpcore5-h2 (artipie#1447)
Disable some hexpm-adapter tests due to the issue
…ion tests and smoke tests
…acts Debian delete artifacts
…-format Debian invalid date format fix
pypi adapter - implementation of delete artifacts
ASTO S3 - added aws sts dependency
Auto1 Fork - Technical Feature Summary Database & Infrastructure PostgreSQL Migration Migrated metadata storage from file-based to PostgreSQL Added ARM64 architecture support for Docker images Storage Layouts Implemented configurable storage layouts for repositories Allows custom path structures for artifact organization S3 Express Support Added support for S3 Express One Zone storage class ~10x lower latency for single-AZ workloads Authentication & Authorization Bearer Token Authentication Enabled Bearer auth across all repository types Configurable log.level in settings Okta OIDC Integration Full Okta authentication with MFA support (TOTP + push) Domain-based routing for multi-tenant setups JWT token validation and refresh Keycloak Setup Complete Keycloak integration for OAuth/OIDC Environment variable substitution in configuration Repository Features Dynamic Repository Creation REST API for creating, updating, and deleting repositories at runtime No restart required for configuration changes Virtual Repository (Group) Aggregate multiple local and proxy repositories Single endpoint for unified artifact access Global Prefixes Configure path prefixes across repositories Supports migration scenarios Cooldown System (Supply Chain Security) Core Implementation Blocks package versions newer than configurable age (default: 72h) Prevents supply chain attacks via fresh package injection Per-Adapter Support NPM, Maven, PyPI, Docker, Go, Composer, Gradle Release date extraction from upstream metadata Metadata Filtering Filters blocked versions from package listings Binary search optimization for large version sets 3-tier cache (L1 in-memory, L2 Redis, L3 PostgreSQL) Negative Cache Caches "allowed" decisions to reduce upstream calls Token generation enhancement for cache keys Package Manager Adapters NPM Full CLI compatibility (install, publish, audit, search) Semver resolution fixes Request deduplication for high-concurrency scenarios Security audit and vulnerability checks for proxy PyPI PEP 503 (Simple Repository API) implementation Proxy optimizations Maven Basic auth and anonymous access fixes Checksum validation (MD5, SHA-1, SHA-256, SHA-512) Metadata and plugin artifact handling PHP Composer Complete Composer adapter implementation Satis support for private packages Go Modules Go module proxy implementation GOPROXY protocol support Gradle Gradle plugin repository support Performance tuning for parallel builds Docker Revamped Docker adapter Streaming optimization for large layers Multi-platform manifest support Import CLI (Rust) Rust Migration Migrated import CLI from Java to Rust for performance ~10x faster bulk imports Features Bulk artifact import from upstream registries Retry mechanism with exponential backoff S3 multipart upload optimization Performance Optimizations Reactive Streams Backpressure Proper backpressure handling for large file transfers Prevents memory exhaustion under load File Streaming Streaming downloads without full buffering Large file download fixes (>2GB) Connection reset handling S3 Storage Memory-optimized multipart uploads Parallel downloads with configurable chunk size Retry improvements for transient failures HikariCP Connection Pool Database connection pooling Configurable pool size and timeouts Cache Optimization Removed blocking calls during cache writes Enhanced cooldown filtering performance Version sorting optimizations Thread Pool Tuning Configurable worker thread pools Optimized for high-concurrency workloads HTTP Server HTTP/2 Support HTTP/2 over TLS (h2) HTTP/2 over cleartext (h2c) for AWS NLB HTTP/3 Support QUIC protocol support (experimental) Fixes for HTTP/3 edge cases Jetty 12.1.x Upgrade Upgraded to Jetty 12.1.x Improved connection handling Vert.x Connection Leak Fix Fixed resource leaks in HTTP client Proper connection cleanup on errors Observability Elastic APM Integration Distributed tracing for requests Transaction and span tracking Error capture and reporting Prometheus Metrics Request counts, latencies, cache hit rates Cooldown block counts JVM and system metrics ECS JSON Logging Structured logging for Elasticsearch/Kibana Configurable log levels Request correlation IDs Operations Directory Listing Performance Optimized large directory listings Pagination support Config Watcher Content-based change detection for hot reload Avoids unnecessary reloads on file touch Testcontainers Upgrade Updated integration test framework Improved test reliability
Bumps commons-fileupload:commons-fileupload from 1.5 to 1.6.0. --- updated-dependencies: - dependency-name: commons-fileupload:commons-fileupload dependency-version: 1.6.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
Bot
deleted the
dependabot/maven/pypi-adapter/commons-fileupload-commons-fileupload-1.6.0
branch
aydasraf
added a commit
that referenced
this pull request
May 13, 2026
Adds the metric scaffolding the plan's later milestones depend on for
validation. Without this, "did the fix work?" remains non-falsifiable.
New metrics:
- pantera.upstream.requests.total{upstream_host, caller_tag, outcome}
Incremented once per outbound request at the http-client funnel
(JettyClientSlice.recordOutboundMetric). Outcome buckets:
2xx / 3xx / 4xx / 429 / 5xx / timeout / connect_error / error.
- pantera.proxy.429.total{upstream_host, repo_name}
Isolated counter for the primary throttling alert.
- pantera.upstream.request.duration timer with the same labels —
feeds the upstream-latency-by-source dashboard.
caller_tag plumbing:
- New ThreadContext key RequestContext.KEY_CALLER_TAG ("caller.tag").
- Constants: CALLER_TAG_FOREGROUND / _COOLDOWN_HEAD / _METADATA_REFRESH.
- bindCallerTag(tag) AutoCloseable for try-with-resources at
non-foreground call sites (cooldown HEAD, metadata refresh).
- currentCallerTag() reads from ThreadContext, defaults to
"foreground" if unset.
- JettyClientSlice snapshots caller.tag + repository.name from
ThreadContext BEFORE request.send() — the Jetty callback may run on
a thread that does not carry our MDC.
Prometheus rules + alerts (rules/amplification.yml):
- pantera_upstream_amplification_ratio recording rule:
sum(rate(pantera_upstream_requests_total[5m]))
/ clamp_min(sum(rate(pantera_http_requests_total[5m])), 1)
per upstream_host.
- pantera_request_to_artifact_ratio recording rule.
- PanteraUpstream429 alert: any 429 sustained 5 min → page.
- PanteraAmplificationRatio alert: ratio > 1.5 sustained 5 min → page.
- rule_files glob enabled in prometheus.yml.
Status code outcome bucketing utility on MicrometerMetrics:
- outcomeBucket(int statusCode) — coarse buckets + 429 isolated.
- outcomeFromFailure(Throwable) — timeout / connect_error / error.
Tests:
- RequestContextTest gains 4 new tests for bindCallerTag /
currentCallerTag / round-trip / double-close semantics. All
18 tests green.
- Full http-client + pantera-core suite re-run: 110 + 1017 = 1127
tests, 0 failures.
The recording-rule + alert YAML lives at:
pantera-main/docker-compose/prometheus/rules/amplification.yml
and is loaded via the enabled rule_files glob in prometheus.yml.
References:
- analysis/03-findings.md finding #8
- analysis/plan/v1/PLAN.md milestone M1 + workstream W1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps commons-fileupload:commons-fileupload from 1.5 to 1.6.0.
You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.