Outdated extensions and open pull requests
Some extensions (like "Add Custom Header") don't have their latest version available in the BApp Store, and that lasts for a few months (and I hate having to maintain private versions).
First, I wonder how the process used to update existing extensions works. AFAIK, it isn't explicitly documented. In a previous ticket, I was told that it "is the responsibility of the BApp author to inform us of new versions so that we can then initiate the process to update the version hosted in our BApp store". How should the author inform PortSwigger? Email? GitHub pull requests?
The second point is that, if notifications are based on pull requests (that's my current understanding), then some that are a few months old exist (here, two related to "Add Custom Header": https://github.com/PortSwigger/add-custom-header/pulls). Is there an official way to get them examined?
Our current procedure is:
- The author creates a pull request against the PortSwigger branch of their repository
- The author emails email@example.com to inform us that they’ve opened a pull request
- Changes are reviewed and merged into the PortSwigger branch
- The extension is tested for loading errors
- The updated version is published to the BApp Store
Currently, when a new submission is approved, the author is informed of the update procedure. However, that isn’t too helpful if they forget, or if it’s an older BApp needing an update.
We will look into providing a more detailed explanation for authors to update their BApps.
However, pull requests may be opened by people other than the original author (example at https://github.com/PortSwigger/add-custom-header/pull/1; this is also common with older and possibly unmaintained extensions). For this reason, the update procedure should IMO be public (i.e. not shared only with authors), ideally as an integral part of the documentation. Currently, I can't find any reference to the update process, and only one to the submission process (at https://portswigger.net/bappstore).
I'll ping support@ ASAP regarding the open pull requests...
At present, unless the original user is completely uncontactable and inactive, we only allow the original author to make changes to their BApp.
If the original author gets in contact and requests that someone else take over the maintenance of their BApp, then we can make allowances for that.
Pull requests can be opened on the original author's GitHub repository, for the original author to merge in the changes and then create a pull request to the PortSwigger branch, which allows for community contributions.