Clojars Worklog - 2025

Intro

This worklog covers work performed on Clojars under a contract from the Clojurists Together Foundation. The contract covers general maintenance.

March 2025

April 2025

CHANGELOG | clojars-web commits | infrastructure commits

  • I finally addressed issues with running out of memory on occasion. It turned out to be the in-memory session store; we were using aging sessions, but we were generating enough sessions in 48 hours (the session TTL) to exhaust the heap. Adjusting the TTL to 1 hour solved the problem, but a better long-term solution would be to not create a session until a user logs in, as that is all we need a session for. Clojars currently creates a session for each visit to the site.
  • Clojars was storing uploads in /tmp during deploys, and there is no signal for when a deploy is complete, so we can’t delete them at the end of the deploy. This was causing the server to run out of disk space, so I moved upload storage to a larger partition, and made tmp file cleanup happen more often.
  • We had some client that was repeatedly connecting to Clojars, then failing TLS negotiation, then trying again. This caused our AWS load balancer expense to increase by several hundred dollars, so I blocked that IP address from accessing Clojars.
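
The longer-term fix named in the first item above (no session until a user logs in), as an added example that is not Clojars code. The namespace, the `sid` cookie name, the store layout and the handlers are hypothetical, and the middleware assumes it runs inside Ring's `wrap-cookies`.

```clojure
(ns example.lazy-session
  "Added example (not Clojars code): allocate a server-side session only when
  a handler stores data, e.g. on login. All names here are hypothetical."
  (:import (java.util UUID)))

(def ttl-ms (* 60 60 1000))    ; 1 hour, the TTL the worklog settled on
(defonce sessions (atom {}))   ; id -> {:data map, :expires-at epoch-ms}

(defn sweep!
  "Drop expired entries; call periodically so idle sessions free heap."
  [now]
  (swap! sessions #(into {} (remove (fn [[_ s]] (<= (:expires-at s) now))) %)))

(defn- lookup [id now]
  (let [s (get @sessions id)]
    (when (and s (< now (:expires-at s))) (:data s))))

(defn wrap-lazy-session
  "Anonymous requests never write to `sessions`; an entry is created only
  when the handler's response carries a non-empty :session map."
  [handler]
  (fn [request]
    (let [now      (System/currentTimeMillis)
          old-id   (get-in request [:cookies "sid" :value])
          current  (some-> old-id (lookup now))
          response (handler (assoc request :session current))
          data     (:session response)]
      (cond
        ;; Handler stored data: create or refresh. A session that did not
        ;; exist before gets a fresh random id, never a client-supplied one.
        (seq data)
        (let [id (if current old-id (str (UUID/randomUUID)))]
          (swap! sessions assoc id {:data data :expires-at (+ now ttl-ms)})
          (assoc-in response [:cookies "sid"]
                    {:value id :http-only true :secure true :same-site :strict}))
        ;; Handler returned :session nil (logout): delete the entry.
        (and old-id (contains? response :session))
        (do (swap! sessions dissoc old-id) response)
        :else response))))

(defn demo
  "Constructed traffic: 1000 anonymous page views, then one login.
  Returns the store size after each phase."
  []
  (reset! sessions {})
  (let [app (wrap-lazy-session
             (fn [{:keys [uri]}]
               (if (= uri "/login")
                 {:status 200 :session {:user "constructed-user"}}
                 {:status 200 :body "ok"})))]
    (dotimes [_ 1000] (app {:uri "/"}))
    (let [after-anonymous (count @sessions)]
      (app {:uri "/login"})
      {:after-anonymous after-anonymous :after-login (count @sessions)})))
```

With this shape, heap use tracks the number of logged-in users within the TTL rather than total site visits.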

May 2025

infrastructure commits

I did little on Clojars in May.

June 2025

CHANGELOG | clojars-web commits

June was a busy month for Clojars, with mostly security work. I worked with Ambrose Bonnaire-Sergeant on:

  • Fixing, then inlining a deps.edn alias we used to override versions to resolve CVEs. We weren’t actually using the alias when building the uberjar, and then realized we didn’t need the alias at all, as those dependencies could be top-level.
  • Adding a pom.xml to the repository to allow Dependabot to detect vulnerable dependencies.
  • Importing/adding clj-kondo configurations for dependencies to give better linting.

I also upgraded a few dependencies, and addressed a CVE.

July 2025

clojars-web commits

This month I worked on spiking out how to use Problem Details (RFC 9457) to return deploy validation failures to the client. See this issue for more details.

Author: Toby Crawley

Created: 2025-08-16 Sat 08:22