We just experienced an uncomfortable couple of days when we discovered that the latest version of every package in our MyGet cloud-hosted package server had been deleted!
How did this happen? Surely nobody would manually access each package and delete the latest version?
Well, it turns out to be an example of dangerous client-side filtering combined with a seemingly innocent action by a developer.
At the top of the feed screen we see the following:
OK, so the button on the right deletes the package (although it’s not clear whether it deletes the package below or the package above), and the one at the top deletes the… er… the… everything?
Ah, so clicking it shows a list of deletion options (although why would you ever want to delete the latest version of every package in your repository?)
OK, so what if we type something in that search box in the top right? After all, I only want to work with the Korzh.Net package…
Well, here we have an example of client-side filtering abuse. It’s great that we can narrow things down on-screen to make searching through long lists manageable, but of course people are going to click the top delete button to delete the only package on-screen, and remove the latest (or all versions) of every package in your repository!
So, if you plan to have client-side search, please make sure you disable any actions that apply to the unfiltered set.
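The sketch below is an added example, not MyGet's code: it models the flawed feed-wide action beside a version that is refused while a search filter is active, plus a scoped action that only touches the rows on screen. The function names, the confirmation count and every package other than Korzh.Net are assumptions made for illustration.

```javascript
// Constructed sample feed: only Korzh.Net comes from the post, the rest are made up.
const feed = [
  { id: "Korzh.Net", versions: ["1.0.0", "1.1.0"] },
  { id: "Example.Logging", versions: ["2.0.0", "2.1.0"] },
  { id: "Example.Data", versions: ["0.9.0"] },
];

// Newest version of one package, as an explicit delete target.
const latest = (p) => ({ id: p.id, version: p.versions[p.versions.length - 1] });

// Client-side search narrows what is displayed, not what exists.
function visiblePackages(packages, filterText) {
  const needle = filterText.trim().toLowerCase();
  return packages.filter((p) => p.id.toLowerCase().includes(needle));
}

// Flawed pattern: the feed-wide action ignores the search box entirely.
function unsafeDeleteLatest(packages, filterText) {
  return packages.map(latest);
}

// Hardened feed-wide action (hypothetical): refused while a filter is active,
// and the user must confirm the exact number of packages that will be touched.
function deleteLatestFeedWide(packages, filterText, confirmedCount) {
  if (filterText.trim() !== "") {
    throw new Error("Feed-wide delete is disabled while a search filter is active");
  }
  if (confirmedCount !== packages.length) {
    throw new Error(`Confirm the real scope: ${packages.length} package(s) affected`);
  }
  return packages.map(latest);
}

// Scoped action (hypothetical): targets are exactly the rows on screen, sent as
// explicit IDs so the server never has to guess what the user was looking at.
function deleteLatestVisible(packages, filterText) {
  return visiblePackages(packages, filterText).map(latest);
}

console.log(unsafeDeleteLatest(feed, "Korzh").length); // every package in the feed
console.log(deleteLatestVisible(feed, "Korzh"));       // only the filtered row
```

Sending the explicit list of package IDs and versions in the delete request also lets the server log and validate the real scope of the operation rather than trusting what the client displayed.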