fix: Update package vulnerability scanner to handle breaking PPM change (#335)

* update to new endpoint
* information for legacy versions in code comment

Author: juleswg23

extensions/package-vulnerability-scanner/main.py

@@ -1,3 +1,7 @@
+import asyncio
+import json
+
+import httpx
 from fastapi import FastAPI, HTTPException
 from fastapi.staticfiles import StaticFiles
 from posit import connect
@@ -6,44 +10,71 @@
 
 client = connect.Client()
 
+
 @app.get("/api/content")
 async def search_content(show_all: bool = False):
     if show_all:
         return client.content.find()
     return client.me.content.find()
 
+
 @app.get("/api/packages/{guid}")
 async def get_packages(guid: str):
     try:
         content = client.content.get(guid)
         packages = list(content.packages)
         return packages
     except Exception as e:
-        raise HTTPException(status_code=404, detail=f"Content not found or error fetching packages: {str(e)}")
-    
+        raise HTTPException(
+            status_code=404,
+            detail=f"Content not found or error fetching packages: {str(e)}",
+        )
+
+
 @app.get("/api/vulns")
 async def get_vulnerabilities():
-    import httpx
-    import asyncio
-    
     repositories = ["pypi", "cran"]
     results = {}
-    
+
     async def fetch_repo_vulns(repo):
-        async with httpx.AsyncClient() as client:
-            url = f"https://packagemanager.posit.co/__api__/repos/{repo}/vulns"
-            response = await client.get(url)
+        async with httpx.AsyncClient() as http:
+            # This fetches vulnerabilities from the public Posit Package Manager,
+            # which is always up to date. If customizing this to reference your
+            # own PPM instance, note that the has_vulns parameter requires
+            # PPM 2026.04 or later. Older versions may need to use the vulns
+            # parameter instead, or the legacy endpoint:
+            #
+            #     url = f"https://your-ppm-instance/__api__/repos/{repo}/vulns"
+            #     response = await http.get(url)
+            #     return repo, response.json()
+            #
+            #   tasks = [fetch_repo_vulns(repo) for repo in repositories]
+            #   for repo, data in await asyncio.gather(*tasks):
+            #     results[repo] = data
+            url = "https://packagemanager.posit.co/__api__/filter/packages"
+            payload = {
+                "repo": repo,
+                "has_vulns": True,
+                "omit_downloads": True,
+                "omit_dependencies": True,
+            }
+            response = await http.post(url, json=payload)
             response.raise_for_status()
-            return repo, response.json()
-    
+            packages = [
+                json.loads(line) for line in response.text.strip().split("\n") if line
+            ]
+            return repo, packages
+
     tasks = [fetch_repo_vulns(repo) for repo in repositories]
-    for repo, data in await asyncio.gather(*tasks):
-        results[repo] = data
-        
+    for repo, packages in await asyncio.gather(*tasks):
+        results[repo] = {pkg["name"]: pkg["vulns"] for pkg in packages}
+
     return results
 
+
 @app.get("/api/user")
 async def get_current_user():
     return client.me
 
+
 app.mount("/", StaticFiles(directory="dist", html=True), name="static")