Review and approve packages

When working with files and packages in a vault, you can review package contents, inspect security vulnerabilities, and approve or reject published packages. Approved packages can be consumed by build and deployment processes.

Review package contents

You can view the contents of a package, inspect security issues, rename the package, and send comments to team members.

Note: You can enable continuous vulnerability detection for vault packages. PulseUno then regularly checks for newly discovered security issues and reports them in the Dependency Vulnerabilities tab of the related package version. By default, the regular check for dependency vulnerabilities is enabled for remote vaults. For details, see Detect dependency vulnerabilities.

To review the package contents:

  1. On the top navigation bar, select a space from the spaces list.

  2. On the sidebar, select Vaults.
  3. On the Vaults page, open the vault containing the package you want to review.

    Tip: By default, packages are displayed as a list. To display vault contents as a hierarchical tree, switch to the Tree View on the toolbar.

  4. Open the package and then the relevant package version.

    To view the details of a file in a generic vault, click the file name.

  5. To view and edit package information, switch between the tabs:

    Conversation:

      • Edit the description to change the package name.
      • View the recent activity for the package, such as who deployed the package or changed the approval state.
      • Send comments and questions to other members of your team. Replies from the team are displayed in this tab.
      • View the package details, such as the size of the package version, the user who deployed the package, and the time the package was deployed.
      • If a package was delivered using chains, open the relevant chain run.
      • If the package is not published, assign or remove approvers.

    Content (not displayed for generic vaults):

      • View, sort, and browse a tree of files included in the package.
      • Click a file to view its details.
      • Download individual files. For details, see Download files and packages.

      Maven vaults: Maven snapshot versions are displayed as a tree of files, grouped into deliveries by date. Click a snapshot delivery to view its details. You can delete snapshot deliveries except the latest delivery.

      To override the vault retention policy for one or more Maven snapshot deliveries and keep them forever, select the deliveries and click Keep Forever on the toolbar.

    How to use:

      View command and code hints on how to use the package.

      For example, for npm, find commands for installing the package in your npm project or adding the package to a dependency file.

    Licenses:

      View licenses for the package.

      PulseUno detects the licenses when a package is uploaded.

    Dependency Vulnerabilities:

      View dependency vulnerabilities detected by PulseUno, including the source, Common Weakness Enumeration (CWE, software weakness types), and description.

      Issues are color-coded to indicate severity.

      For details on how to enable regular vulnerability checks, see Edit vault settings.

  6. (Optional) For additional operations, use the buttons in the upper-right corner of the page:

    • To download the package version, click Download.

    • To delete the package version, click Delete.

    • All packages except Maven snapshots: To override the vault retention policy and keep the package version forever, click Keep Forever.

      For details about retention policies, see Create retention policies.

    • To publish the package version for approval, click Publish. For details, see Publish packages.


Approve vault packages

After a package is published, it needs to be approved or rejected. For details on how to enable automated approvals, see Specify vault approval rules.

As an assigned approver, you can approve the package so that development teams can use it in their build and deployment processes.

Reject the package if it violates your organization's standards, such as licensing, performance, or security. A rejected package cannot be used. The developer who added the package must fix the issue.

To approve or reject one or more packages:

  1. In PulseUno, click the company logo in the upper-left corner. The My Work area opens.
  2. On the sidebar, select Package Approvals. A list of packages pending your approval is displayed.

    Sort the list as required, for example, by package version or the users who deployed the packages.

  3. Select one or more packages to approve or reject.

    To select all the packages, click Toggle visible selection.

  4. To approve the packages, select Change Approval > Approve. In the Confirm Approval dialog box, optionally enter the reason for approving the packages.

    To reject the packages, select Change Approval > Reject. In the Confirm Rejection dialog box, enter the reason for rejecting the packages.

  5. (Optional) If the vault uses an approval check list, select which check list items you have reviewed.

    For details about check lists, see Use vault approval check lists.

  6. Click Approve or Reject to confirm your action.


Bypass the package approval process

As an administrator or vault owner, you can bypass the standard approval process and instantly approve or reject packages that are pending approval.

To approve or reject a package as an administrator:

  1. On the top navigation bar, select a space from the spaces list.

  2. On the sidebar, select Vaults. The Vaults page opens.

  3. Drill down to the relevant vault, package, and package version.

  4. To approve the package, click Actions in the upper-right corner of the page, and select Mark as Approved. In the Confirm Approval dialog box, optionally enter the reason for approving the package.

    To reject the package, click Actions and select Mark as Rejected. In the Confirm Rejection dialog box, enter the reason for rejecting the package.

  5. Click Approve or Reject to confirm your action.
