At the moment, Dependabot checks once a day, which is fine for normal dep updates. However, we want browscap/browscap releases to almost immediately trigger an update check here, so we can consume the new release.

It seems this isn't possible at the moment: dependabot/dependabot-core#3080 - if there was an API call available, @frankdejonge suggested:

If that is available on the GitHub API then you can create an action for it by using that base action which is just a JS hook

The URL it would call is https://github.com/browscap/browscap-site/network/updates?update_config_id=<some-id> - however, the POST payload seems to be some kind of number-used once called authenticity_token, so my guess is this isn't easily hackable (I mean, it probably is, but it'll likely be brittle).

A workaround was suggested on Twitter by @bendavies :

an awful workaround:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
"When you add or update the dependabot.yml file, this triggers an immediate check for version updates."

so on tagging package A, trigger a workflow that updates repo B dependabot.yml in some way.

Whilst it may help, it seems a bit of a hack.

The alternatives at the moment:

• Wait up to 24 hours for Dependabot to pick up the release and send the PR
• Manually click the "Check for updates" button

It's worth noting that we'd have to introduce some kind of wait / polling of the Packagist API, since the release does NOT become immediately available (either when Dependabot checks, or occasionally I've seen Heroku not pick up the new release even!), so there will always be some lag whilst Packagist caches update, which we need to account for in any automated processes.

6.0.52+ of browscap/browscap will need PHP 8.1. Update this here, so that we can get the new dependency

See: browscap/browscap#2543

Originally reported by @AohRveTPV in browscap/browscap#320:

Hello, I have been trying to improve downloads of Browscap data in the Browscap Drupal module. It is already possible to use gzip compression with the download links, which reduces download size by a factor of 10-20x. However, gzip support is only available in PHP 5.4.0, and Drupal supports earlier versions of PHP.

If the browscap.org had support for deflate, all Drupal-supported PHP versions would support compression, and the Browscap Drupal module could exclusively use it. Since there are ~11000 sites using the Browscap module, a rough calculation indicates this would potentially save 65GB of traffic to http://browscap.org each time a new dataset is released.

I am not totally certain this would work, but wanted to put forth the feature request to see if it is something the Browscap project might be willing to add. http://browscap.org seems to be using Apache, and there is mod_deflate for Apache.

In any case, thank you for providing all the Browscap data.

Based on some discussion from this ticket (browscap/browscap-php#228) it sounds like Cloudflare has DDOS protection on all of browscap.org in order to prevent abusers from eating too much bandwidth, but apparently this is happening for all requests to browscap.org, even the version endpoints.

Would it be possible to move the actual file download to a different sub-domain on browscap.org, and only enable the DDOS protection on that sub-domain, so that the version endpoints will still work for these users?

The download link would probably have to be changed to redirect to this sub-domain.

http://browscap.org/statistics appears to be broken. Need to look into it at some point.

Reported initially by @dczaretsky in browscap/browscap#827

Would be great if there was an easy form on browscap.org to submit and fill in the info for new user agents. Maybe others can then help more to contribute and test. Seems the current method of posting to Github is a bit more cumbersome.

Just a thought.

https://dependabot.com/docs/config-file/#automerged_updates

Look into it... (placeholder issue) 😁

doctrine/cache is sadly deprecated, replace it with another PSR-16 compatible implementation - likely to be PHP-Cache as it's a reasonable drop-in replacement.

Whenever i try to perform a UA Lookup, it just returns

"Whoops, looks like something went wrong."

browscap/browscap#805 (comment)

As a suggestion, it might be a good idea to post the wiki link on the main site page because I looked for some documentation and didn't see it right off.
from @mylearningcenter

Silex is sunsetted: https://symfony.com/blog/the-end-of-silex

symfony/symfony-docs#8678 may be useful as a starting point

Now we can deploy PHP 8.3 in Heroku: heroku/heroku-buildpack-php#673 🎉

We've discussed this briefly before (browscap/browscap#511 (comment)) but maybe we could figure out a good way to make this work?

Could the download requests still go to browscap.org for stat collection and abuse mitigation, but the actual file request would be distributed between browscap.org and a mirror we'd provide?

Abusers could still potentially just cache the final redirect, whether it's browscap.org or our mirror, but maybe it would reduce your bandwidth usage to have the legit users split between two file locations.

I'm not sure what the specifics would be yet, just wanted to bring it up for further discussion since bandwidth seems to be a problem lately.

Describe the bug
Browscap configuration URL is returning a HTTP 500 error as of last night. Affects all configuration versions.

To Reproduce
Steps to reproduce the behavior:

1. Go to https://browscap.org/stream?q=BrowsCapINI
2. See error.

Expected behavior
Configuration response.

The browscap builds on Travis often become broken due to hitting the usage cap.

e.g. https://travis-ci.org/browscap/browscap-php/builds/78827251

Find a good solution that doesn't open a security hole for this

If you search with Google for Mozilla/5.0 (compatible; fr-crawler/1.1) which is part of browscap/browscap#267 the link browscap.org/stream?q=BrowsCapINI is part of the search result.

I think, our ini files dont need to be indexed by Google. A rel="nofollow" should be added to each download link, or it should be added with a meta tag.

• Check that Heroku supports Composer 2 first
• Check we're compatible with Composer 2 (unsure if any BC breaks in hooks / API etc. that we use)

From https://github.com/browscap/browscap/wiki/Public-release-procedure

It is then recommended to re-initialise the UA lookup tool. First, cd .cache && rm * then run any search - it will take a short while to download the browscap.ini and re-cache the file.

We are actually going against our own recommendations to cache the browscap.ini for the UA lookup tool. Add a tool that maybe runs after a composer install|update that removes the current cache and rebuilds it, so that the first time you run the UA lookup tool it does not hang for ages.

May be able to use ocramius/package-versions to determine what the package version of browscap/browscap requested is, and generate the build number properly. Would mean using a proper version number though, I'm thinking perhaps we form it from the current one i.e. next is 6029 so would be come 6.0.29. That way we can track BC breaks in browscap/browscap by bumping major version, and each patch version can simply be the new build release (means we can also drop the stupid BUILD_NUMBER textfile!)

Then in composer.json here (for the site) can just do "browscap/browscap": "6.0.29" and that would translate to 6029. Note the "minor" version we'd drop, it doesn't count to the middle version, so example translations:

• 6.0.29 => 6029
• 7.0.0 => 7000
• 7.3.12 => 7012
• 7.4.104 => 7104

Otherwise we limit ourselves to 99 builds per minor, this way we have 999 builds at least.

Or alternatively, we make the build number get really big next version and use 3 digits for each major/minor/patch version:

• 6.0.29 => 6000029 (i.e. 006.000.029)
• 7.0.0 => 7000000
• 7.3.12 => 7003012
• 7.4.104 => 7004104

The latter might be more flexible actually.

Finally, the other approach is to drop the build number entirely, and just use the version as major/minor/patch as-is, though this might break lots of stuff that depend on the "build number" concept...

Use doctrine/coding-standard for applying CS - lets make it consistent across all the Browscap projects. Less maintenance our side if we just apply a known standard etc.

They are all static and whatnot.

Although so far the INI files are readily available, this is problematic and we get a huge amount of abuse.

My idea was this: in order to download the files, you must generate an API key. Generating the API key shouldn't need an account or anything, but we could probably use a Google reCaptcha or something.

The API keys should expire (maybe in 1 year or something), and probably makes sense to be a JWT as the key, then we don't even need to store anything.

Basically anything without an API key would now be blocked.

At the moment, there is no rate limiting on the new site. We need to build a system whereby we measure the downloads from any IP - if it's more than a certain amount, ban the IP.

Or something better maybe, I haven't thought too much about it :)

The old site that Moose made simply uses a .htaccess to ban IPs, so yeah.

I don't know what this process currently entails, so it might be naive of me to assume that it's something that could be automated, but I wanted to discuss the possibility.

Would it be possible to be able to release a new version of the browscap file by updating composer in this project and having travis/circleci build and deploy to Digital Ocean (or whatever it is you're hosting on)?

Might allow us to release on a more regular schedule and do it without your intervention (@asgrim).

Thoughts?

http://tempdownloads.browserscap.com/versions/version-number.php

This existed on the old site - needs to exist on the new one too.

Just returns text with the version number in it.

How to reproduce:
wget --server-response https://browscap.org/stream?q=PHP_BrowsCapINI

This header makes HTTP agents to save the file with the 1970 modified time:

Workaround until fixed: use --no-use-server-timestamps parameter of wget

This is the script I used on Linode to manage the bans and unban people. Need to push this so it's usable in Heroku (note: mysql creds is the blocker here - but we have environment variables we can butcher for the mysql creds)

#!/bin/bash

MYSQL="mysql -u??? -p??? browscap "
USAGE="Usage : $0"

if [ $# -lt 1 ]
then
  echo "$USAGE command [options]"
  echo ""
  echo "  list x.x.x.x       Lists bans for an IP"
  echo "  downloads x.x.x.x  Lists downloads for an IP"
  echo "  unban 123          Converts a perm ban to a temp ban"
  echo "  unban-ip x.x.x.x   Converts all perm bans to temp bans"
  exit 1
fi

case "$1" in
  'list' )
    if [ "$2" = "" ]
    then
      echo "$USAGE list ip"
      exit 1
    fi
    $MYSQL -e "SELECT * FROM banLog WHERE ipAddress='$2'"
  ;;
  'unban' )
    if [ "$2" = "" ]
    then
      echo "$USAGE unban banId"
      exit 1
    fi
    $MYSQL -e "UPDATE banLog SET isPermanent = 0 WHERE id=$2"
  ;;
  'unban-ip' )
    if [ "$2" = "" ]
    then
      echo "$USAGE unban-ip ip"
      exit 1
    fi
    $MYSQL -e "UPDATE banLog SET isPermanent = 0 WHERE ipAddress='$2'"
  ;;
  'downloads' )
    if [ "$2" = "" ]
    then
      echo "$USAGE downloads ip"
      exit 1
    fi
    $MYSQL -e "SELECT * FROM downloadLog WHERE ipAddress='$2'"
  ;;
esac

I did try to ask CloudFlare to help me estimate the real cost of enabling the rate limiting feature (as, if the 100,000,000+ requests/month we get were all genuine - they're not - it'd cost around $500/mo).

Therefore, had an idea. When a rate limit abuse happens, instead of blocking it at the application level, block it in CloudFlare so the traffic never reaches us. There does seem to be a limit on the number of IPs that can be blocked, so maybe we can "rotate" them as such.

Need to find out what the limit is and what we can do about it.

We first noticed the block about 20 hours ago.

We have called the service the same way for 5+ years and this is the first time we've been blocked.

I would be surprised if we tried to download the csv file more than 30 times in any 1 hour period... but I suppose it could be possible if something went wrong which may have led to retries (by automated processes). Otherwise, it should never really go over 10 max.

I would appreciate it if you can please check. All calls are made from IP - 54.208.16.197. Many thanks!

$ curl -I "https://browscap.org/stream?q=BrowsCapCSV"
HTTP/2 403 
date: Fri, 08 Mar 2024 07:59:42 GMT

browscap/browscap#1606 restores the missing IniParser class that is used by this site. It's only used here, so it makes much more sense to be over here. Port it over here for safe keeping :)

DBs in PaaS world are a bit less flexible on account of we pay for what we use; therefore need to limit the amount of download logs stored.

We have 1GB database, currently using "60%" (ClearDB on Heroku is not exactly clear about how much data that is exactly...).

Maybe 6mo or 12mo is a reasonable cutoff?

As described, the version.xml RSS feed is missing from the new site.

Apparently there were some Mobile Usability issues detected by Google Search Console:

• Text too small to read
• Viewport not set
• Clickable elements too close together

On a smaller screen, the dotted line meets the bottom of the screen. Add 10px padding or something to the bottom to space it a little.

I wish to automate the updating of the browscap.ini files on our production servers, but I can't determine a way to programmatically verify the integrity of the downloaded files. Can you please also generate checksums that are hosted alongside the browscaps with predictable URLs so that we can automate verification of file integrity?

Originally reported at browscap/browscap#107 by @c0ldfusi0nz

The binary is written "bin": ["bin/browscap"], in the composer.json, it should be "bin": ["bin/browscap-site"],.

We should automate this: https://github.com/browscap/browscap/wiki/Public-release-procedure

The process could probably be a script or something I can run periodically. The process is basically:

browscap/browscap

• determine github milestone ID (e.g. 1.0.0 = 11)
• make a new milestone for 1.0.1
• move any remaining 1.0.0 tickets to 1.0.1
• run changelog_generator.php -c ~/path_to_config.php -u browscap -r browscap -m 56 for notes
• close milestone 1.0.0
• git pull
• git tag -s 1.0.0
• message = changelog
• git push origin 1.0.0
• create github release for version

browscap/browscap-site

• docker-compose run php-server composer require browscap/browscap 6.0.33
• git commit -m "Update site to serve browscap 6.0.33"
• git push

Dino on the forum creates a separate set of files based on each version of Browscap. These are "progressive" versions of the full file, split down by relevance. We could add a link on the website to these files, although we are not responsible for them or provide docs for them. The link is:

https://github.com/getusedtoit/wp-slimstat/tree/master/databases

My plan is to pull stuff like the file sizes, version number etc. from a JSON metadata file which is generated by a console tool.

Silex? Symfony? Something else?

The site is pretty ugly (code-wise) at the moment and could do with some conventional structure.

Create a page with download statistics.