Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability RSS feed reuses same page/URL/guid so RSS watchers aren't notified when new security releases are available #5996

Open
pdehaan opened this issue Oct 13, 2023 · 2 comments
Open

Vulnerability RSS feed reuses same page/URL/guid so RSS watchers aren't notified when new security releases are available #5996

pdehaan opened this issue Oct 13, 2023 · 2 comments

Comments

@pdehaan
Copy link

pdehaan commented Oct 13, 2023

Enter your suggestions in details:

Sorry, possibly a bit of an edge case here... I just added https://nodejs.org/en/feed/vulnerability.xml to one of our company's Slack channels so we get pinged in-channel about new security updates.
So far so good. But apparently 30 minutes ago the new Node 18+20 builds were ready but the RSS didn't update to trigger Slack updates.

  1. Follow https://nodejs.org/en/feed/vulnerability.xml
  2. https://groups.google.com/g/nodejs-sec/c/m_wMICiQrlM says:
  3. Note that both URLs in the nodejs-sec Google Group point to the same page/post.
  4. Not sure if RSS/Slack/Feedly is determining new content by a change to a guid or new link tag, but looks like neither changed when the new releases were available since the page was updated, not a new page. 
    <link>https://nodejs.org/en/blog/vulnerability/october-2023-security-releases</link>
<guid>/blog/vulnerability/october-2023-security-releases</guid>

I could instead follow https://nodejs.org/en/feed/releases.xml for new Node releases in our Slack RSS integration, but then that'd notify us on EVERY new release, not just sec-releases. Not sure if it's possible to modify the guid/link with some hash or timestamp to cause it to invalidate when the page is updated. 🙏
@bmuenzenmeyer
Copy link
Collaborator

thanks for the report - i can seee how the current process of reuse leads to this. I and others need to research what you describe as a way to cache bust this

@pdehaan
Copy link
Author

pdehaan commented Oct 14, 2023

Not sure if it'd work, but my first theory was possibly converting the pubDate to an time integer and seeing if I could add that to a cache busting hash (or query param) after the link and guid. Although that assumes that the pubDate updates whenever you update the page contents.

Date.parse("Fri, 13 Oct 2023 13:30:00 GMT").getTime()
// 1697203800000
<item>
  <title>
    <![CDATA[ Friday October 13 2023 Security Releases ]]>
  </title>
  <link>https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#1697203800000</link>
  <guid isPermaLink="false">/blog/vulnerability/october-2023-security-releases#1697203800000</guid>
  <pubDate>Fri, 13 Oct 2023 13:30:00 GMT</pubDate>
</item>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bmuenzenmeyer @pdehaan