feat: tracking NPM packages (#4159)

Signed-off-by: anilb <epipav@gmail.com>
Signed-off-by: anil <epipav@gmail.com>
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Co-authored-by: Joana Maia <jmaia@contractor.linuxfoundation.org>

Author: epipav

backend/.env.dist.local

@@ -22,7 +22,7 @@ CROWD_REDIS_PORT=6379
 
 # S3 settings
 CROWD_S3_HOST=localhost
-CROWD_S3_PORT=9000
+CROWD_S3_PORT=9100
 CROWD_S3_INTEGRATION_ASSETS_BUCKET=crowd-integrations-assets
 CROWD_S3_MICROSERVICES_ASSETS_BUCKET=crowd-microservices-assets
 CROWD_S3_AWS_ACCOUNT_ID=000000000000

backend/src/osspckgs/migrations/V1780231200__npm_worker.sql

@@ -0,0 +1,97 @@
+-- npm worker supporting tables and partition management for download tracking.
+
+ALTER TABLE maintainers DROP COLUMN IF EXISTS email_hash;
+ALTER TABLE maintainers ADD COLUMN IF NOT EXISTS email text;
+
+CREATE TABLE npm_worker_state (
+  name        text PRIMARY KEY,
+  value       text NOT NULL,
+  updated_at  timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE TABLE npm_package_state (
+  purl                              text        PRIMARY KEY,
+  metadata_first_scanned_at         timestamptz NOT NULL DEFAULT now(),
+  metadata_last_run_at              timestamptz,
+  metadata_run_result               jsonb,        -- { status, attempts, httpStatus?, errorKind?, message? }
+  daily_downloads_last_processed_at timestamptz,
+  daily_downloads_run_result        jsonb         -- { status, httpStatus?, errorKind?, message? }
+);
+
+CREATE TABLE npm_package_universe_state (
+  purl                                text        PRIMARY KEY,
+  downloads_30d_last_run_at           timestamptz,  -- breadth watermark: latest 30d window refreshed
+  downloads_30d_history_backfilled_at timestamptz,  -- depth watermark: NULL until full older history filled
+  downloads_30d_run_result            jsonb         -- { status, httpStatus?, errorKind?, message? }
+);
+CREATE INDEX ON npm_package_universe_state (downloads_30d_last_run_at);
+CREATE INDEX ON npm_package_universe_state (downloads_30d_history_backfilled_at);
+
+-- ============================================================
+-- pg_partman setup for downloads_daily (monthly partitions)
+-- ============================================================
+CREATE SCHEMA IF NOT EXISTS partman;
+CREATE EXTENSION IF NOT EXISTS pg_partman SCHEMA partman;
+
+SELECT partman.create_parent(
+  p_parent_table => 'public.downloads_daily',
+  p_control      => 'date',
+  p_interval     => '1 month',
+  p_premake      => 12
+);
+
+-- Create all historical monthly partitions (2015-01 through last month).
+DO $$
+DECLARE
+  m date;
+BEGIN
+  FOR m IN
+    SELECT d::date
+      FROM generate_series(
+        '2015-01-01'::date,
+        (date_trunc('month', now()) - interval '1 month')::date,
+        '1 month'::interval
+      ) AS d
+  LOOP
+    EXECUTE format(
+      'CREATE TABLE IF NOT EXISTS %I PARTITION OF downloads_daily FOR VALUES FROM (%L) TO (%L)',
+      'downloads_daily_p' || to_char(m, 'YYYYMMDD'),
+      m,
+      (m + interval '1 month')::date
+    );
+  END LOOP;
+END
+$$;
+
+-- ============================================================
+-- pg_partman setup for downloads_last_30d (yearly partitions)
+-- ============================================================
+SELECT partman.create_parent(
+  p_parent_table => 'public.downloads_last_30d',
+  p_control      => 'end_date',
+  p_interval     => '1 year',
+  p_premake      => 3
+);
+
+-- Create all historical yearly partitions (2015 through last year).
+DO $$
+DECLARE
+  y date;
+BEGIN
+  FOR y IN
+    SELECT d::date
+      FROM generate_series(
+        '2015-01-01'::date,
+        (date_trunc('year', now()) - interval '1 year')::date,
+        '1 year'::interval
+      ) AS d
+  LOOP
+    EXECUTE format(
+      'CREATE TABLE IF NOT EXISTS %I PARTITION OF downloads_last_30d FOR VALUES FROM (%L) TO (%L)',
+      'downloads_last_30d_p' || to_char(y, 'YYYYMMDD'),
+      y,
+      (y + interval '1 year')::date
+    );
+  END LOOP;
+END
+$$;

docs/adr/0001-oss-packages-design-decisions.md

@@ -226,10 +226,10 @@ Five sub-workers run concurrently (npm, Maven, OSV, GitHub, Docker Hub), all wri
 | `packages`                            | Upsert on `purl`. Each worker only writes columns it owns; ecosystem isolation means column-level conflicts cannot occur in practice.                                                                                                                       |
 | `packages_universe`                   | Incremental upsert keyed on `purl`. The deps.dev import only touches rows whose underlying deps.dev snapshot date has advanced since the previous import (initial run is a one-time full backfill).           |
 | `versions`                            | Append-only via `INSERT … ON CONFLICT DO NOTHING`. Yanked/deprecated status is a separate targeted `UPDATE (is_yanked = true) WHERE …`.                                                                                                                     |
-| `repos`                               | Registry workers (npm, Maven) do **not** write directly to `repos`. They write `package_repos` rows. The GitHub enricher — triggered when `repos.last_synced_at IS NULL` — upserts `repos` with metadata. Docker Hub worker adds `docker_*` columns on top. |
+| `repos`                               | Registry workers (npm, Maven) do **not** write `repos` enrichment metadata. They INSERT a minimal `repos(url, host)` row — `url` (canonical) and `host` (coarse classification) are both derived from the declared repository URL — solely to create the FK target their `package_repos` link needs. `owner`/`name`/`stars`/`description` and all other metadata stay NULL and remain enricher-owned; existing rows are never updated by registry workers. The GitHub enricher — triggered when `repos.last_synced_at IS NULL` — upserts `repos` with metadata. Docker Hub worker adds `docker_*` columns on top. |
 | `package_repos`                       | Composite PK `(package_id, repo_url)`. Each `source` value ('declared', 'deps_dev', 'heuristic', 'manual') is a separate row — sources do not overwrite each other.                                                                                         |
 | `advisories`                          | Upsert on `osv_id`. OSV is the single source of truth; no other worker writes to this table.                                                                                                                                                                |
-| `maintainers` / `package_maintainers` | Upsert on `(ecosystem, username)`. Never delete — history is preserved.                                                                                                                                                                                     |
+| `maintainers` / `package_maintainers` | `maintainers`: upsert on `(ecosystem, username)`, never deleted — the identity history is preserved. `package_maintainers`: reflects the **current** link set — the npm worker replaces a package's links each ingest (delete + reinsert), so prior link rows are not retained.                                                                                                                                                                                     |
 | `downloads_daily`                     | Append-only time-series. Each `(package_id, date)` row is written once. npm and Maven workers own disjoint rows by ecosystem. Historical timelines are preserved — workers do not overwrite past dates.                                                     |
 | `downloads_last_30d`                  | Upsert on `(purl, end_date)`. Written by the weekly ranking worker only. The cached `packages_universe.downloads_last_30d` column must be updated in the same pass.                                                                                         |
 
@@ -375,10 +375,13 @@ Local verification against the live OSV dataset (2026-05-28) showed the multi-ra
 
 **Strategy**: daily delta poll via the CouchDB changes feed, not a full sync.
 
-1. Call `replicate.npmjs.com/_changes?since=<last_seq>&limit=<batch>` to get package names changed in the last 24h.
-2. For each changed name, fetch the full document from `registry.npmjs.com/<package>`.
-3. Normalize into `packages`, `versions`, `maintainers`, and `package_maintainers` using the write rules above.
-4. Downloads (timeline): call `api.npmjs.org/downloads/range/<start>:<end>/<package>` in batches of **128 packages per call** against the critical list. Write per-day rows to `downloads_daily`. Update `packages_universe.downloads_last_30d` at the end of each pass.
+1. Call `replicate.npmjs.com/_changes?since=<last_seq>&limit=<batch>` to get package names changed since the last run.
+2. Filter changed names against the `packages` table (~700k packages). Only packages already tracked in Tier 2 are re-ingested — unknown packages in the changes feed are ignored.
+3. For each matching changed name, fetch the full document from `registry.npmjs.com/<package>`.
+4. Normalize into `packages`, `versions`, `maintainers`, and `package_maintainers` using the write rules above.
+4. Downloads: two Temporal workflows — `backfillDailyDownloads` (per-day rows into `downloads_daily`) and `refreshLast30dDownloads` (rolling 30-day windows into `downloads_last_30d`). Both are self-healing: they detect and fill missing windows on each run rather than assuming continuity. Both currently source packages from a static watch list. Once the deps.dev BQ import is operational, `backfillDailyDownloads` will source from `packages` (Tier 2 critical slice) and `refreshLast30dDownloads` will source from `packages_universe` (full Tier 3 population).
+
+   **Rolling-30-day window shape**: each `downloads_last_30d` window uses `end_date = 1st of calendar month, start_date = end_date − 30 days` — not a true calendar month. This ensures every window covers exactly 30 days, making download counts directly comparable across months for criticality scoring. Calendar months (28–31 days) would skew comparisons.
 
 The `_changes` `seq` cursor is persisted between runs (in a `worker_state` row or env var) so each poll starts where the last one ended. If the cursor is lost the worker falls back to a full re-sync of the critical list.
 
@@ -557,7 +560,7 @@ SET count      = EXCLUDED.count,
     start_date = EXCLUDED.start_date;
 ```
 
-The weekly ranking worker must write both the `downloads_last_30d` row and the cached `packages_universe.downloads_last_30d` column in the same pass — if only one write happens, the ranking function silently uses a stale value. Code review must enforce this.
+The writer of a `downloads_last_30d` row must also update the cached `packages_universe.downloads_last_30d` column in the same pass when writing the latest window — if only one write happens, the ranking function silently uses a stale value. Code review must enforce this. For npm, this responsibility belongs to the npm worker's `refreshLast30dDownloads` workflow.
 
 A package promoted from Tier 3 to Tier 2 (becomes critical) will have rolling-window history but no daily history; the daily timeline starts from the promotion date forward.
 

pnpm-lock.yaml

@@ -1,4 +1,4 @@
 DOCKERFILE="./services/docker/Dockerfile.packages"
 CONTEXT="../"
 REPO="sjc.ocir.io/axbydjxa5zuh/packages"
-SERVICES="packages github-repos-enricher deps-dev-ingest"
+SERVICES="packages github-repos-enricher deps-dev-ingest npm-worker"

scripts/builders/packages.env

@@ -0,0 +1,4 @@
+FROM postgres:14
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends postgresql-14-partman \
+ && rm -rf /var/lib/apt/lists/*

scripts/packages-db/Dockerfile

@@ -7,7 +7,7 @@ services:
       - POSTGRES_PASSWORD=example
       - POSTGRES_DB=crowd-web
     ports:
-      - 5432:5432
+      - '127.0.0.1:5432:5432'
     volumes:
       - pgdata-dev:/var/lib/postgresql/data
       - ./scaffold/sequin/postgres-docker-entrypoint-initdb.d/create-sequin-database.sql:/docker-entrypoint-initdb.d/create-sequin-database.sql
@@ -23,22 +23,24 @@ services:
       - POSTGRES_PASSWORD=example
       - POSTGRES_DB=product-db
     ports:
-      - 5433:5432
+      - '127.0.0.1:5433:5432'
     volumes:
       - pgdata-product-dev:/var/lib/postgresql/data
     shm_size: 1gb
     networks:
       - crowd-bridge
 
   packages:
-    image: postgres:14-alpine
+    build:
+      context: ./packages-db
+      dockerfile: Dockerfile
     restart: unless-stopped
     command: -c 'max_connections=300'
     environment:
       - POSTGRES_PASSWORD=example
       - POSTGRES_DB=packages-db
     ports:
-      - 5434:5432
+      - '127.0.0.1:5434:5432'
     volumes:
       - pgdata-packages-dev:/var/lib/postgresql/data
     shm_size: 1gb
@@ -62,8 +64,8 @@ services:
         soft: 65536
         hard: 65536
     ports:
-      - 9200:9200
-      - 9600:9600
+      - '127.0.0.1:9200:9200'
+      - '127.0.0.1:9600:9600'
     volumes:
       - opensearch-dev:/usr/share/opensearch/data
     networks:
@@ -85,7 +87,7 @@ services:
     image: scireum/s3-ninja:8.0.0
     restart: unless-stopped
     ports:
-      - 9000:9000
+      - '127.0.0.1:9100:9000'
     volumes:
       - s3-dev:/home/sirius/data
     networks:
@@ -98,7 +100,7 @@ services:
       - ./scaffold/nginx/templates:/etc/nginx/templates
       - ./scaffold/nginx/ssl:/etc/nginx/ssl
     ports:
-      - '443:443'
+      - '127.0.0.1:443:443'
     environment:
       - NGINX_HOST=localhost
       - NGINX_PORT=443
@@ -115,7 +117,7 @@ services:
     volumes:
       - redis-dev:/data
     ports:
-      - 6379:6379
+      - '127.0.0.1:6379:6379'
     networks:
       - crowd-bridge
 
@@ -133,7 +135,7 @@ services:
       - NANGO_SERVER_URL=http://localhost:3003
       - SERVER_PORT=3003
     ports:
-      - '3003:3003'
+      - '127.0.0.1:3003:3003'
     networks:
       - crowd-bridge
 
@@ -154,9 +156,9 @@ services:
       - KAFKA_KRAFT_CLUSTER_ID=OTMwNzFhYTY1ODNiNGE5OT
       - KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true
     ports:
-      - '9092:9092'
-      - '9093:9093'
-      - '9094:9094'
+      - '127.0.0.1:9092:9092'
+      - '127.0.0.1:9093:9093'
+      - '127.0.0.1:9094:9094'
     networks:
       - crowd-bridge
 
@@ -182,8 +184,8 @@ services:
       context: scaffold/temporal
     restart: unless-stopped
     ports:
-      - '7233:7233'
-      - '8233:8233'
+      - '127.0.0.1:7233:7233'
+      - '127.0.0.1:8233:8233'
     networks:
       - crowd-bridge
 
@@ -194,8 +196,8 @@ services:
     environment:
       - COMPATIBILITY_MODE=1 # <— force Classic version
     ports:
-      - '80:80'
-      - '7181:7181'
+      - '127.0.0.1:80:80'
+      - '127.0.0.1:7181:7181'
     networks:
       - crowd-bridge
 

scripts/scaffold.yaml

@@ -0,0 +1,67 @@
+version: '3.1'
+
+x-env-args: &env-args
+  DOCKER_BUILDKIT: 1
+  NODE_ENV: docker
+  SERVICE: npm-worker
+  CROWD_TEMPORAL_TASKQUEUE: npm-worker
+  CROWD_TEMPORAL_NAMESPACE: ${CROWD_PACKAGES_TEMPORAL_NAMESPACE}
+  SHELL: /bin/sh
+  SUPPRESS_NO_CONFIG_WARNING: 'true'
+
+services:
+  npm-worker:
+    build:
+      context: ../../
+      dockerfile: ./scripts/services/docker/Dockerfile.packages
+    command: 'pnpm run start:npm-worker'
+    working_dir: /usr/crowd/app/services/apps/packages_worker
+    env_file:
+      - ../../backend/.env.dist.local
+      - ../../backend/.env.dist.composed
+      - ../../backend/.env.override.local
+      - ../../backend/.env.override.composed
+    environment:
+      <<: *env-args
+    restart: always
+    networks:
+      - crowd-bridge
+
+  npm-worker-dev:
+    build:
+      context: ../../
+      dockerfile: ./scripts/services/docker/Dockerfile.packages
+    command: 'pnpm run dev:npm-worker'
+    working_dir: /usr/crowd/app/services/apps/packages_worker
+    # user: '${USER_ID}:${GROUP_ID}'
+    env_file:
+      - ../../backend/.env.dist.local
+      - ../../backend/.env.dist.composed
+      - ../../backend/.env.override.local
+      - ../../backend/.env.override.composed
+    environment:
+      <<: *env-args
+    hostname: npm-worker
+    networks:
+      - crowd-bridge
+    volumes:
+      - ../../services/libs/audit-logs/src:/usr/crowd/app/services/libs/audit-logs/src
+      - ../../services/libs/common/src:/usr/crowd/app/services/libs/common/src
+      - ../../services/libs/common_services/src:/usr/crowd/app/services/libs/common_services/src
+      - ../../services/libs/data-access-layer/src:/usr/crowd/app/services/libs/data-access-layer/src
+      - ../../services/libs/database/src:/usr/crowd/app/services/libs/database/src
+      - ../../services/libs/integrations/src:/usr/crowd/app/services/libs/integrations/src
+      - ../../services/libs/logging/src:/usr/crowd/app/services/libs/logging/src
+      - ../../services/libs/nango/src:/usr/crowd/app/services/libs/nango/src
+      - ../../services/libs/opensearch/src:/usr/crowd/app/services/libs/opensearch/src
+      - ../../services/libs/queue/src:/usr/crowd/app/services/libs/queue/src
+      - ../../services/libs/redis/src:/usr/crowd/app/services/libs/redis/src
+      - ../../services/libs/snowflake/src:/usr/crowd/app/services/libs/snowflake/src
+      - ../../services/libs/telemetry/src:/usr/crowd/app/services/libs/telemetry/src
+      - ../../services/libs/temporal/src:/usr/crowd/app/services/libs/temporal/src
+      - ../../services/libs/types/src:/usr/crowd/app/services/libs/types/src
+      - ../../services/apps/packages_worker/src:/usr/crowd/app/services/apps/packages_worker/src
+
+networks:
+  crowd-bridge:
+    external: true