triage: issue tracker audit and cleanup recommendations (March 2026) #4103
Description
Issue Tracker Audit -- March 2026
The issue tracker currently has 237 open issues and 3 open PRs. This audit categorizes every open issue by priority and recommends concrete cleanup actions that would reduce the count to approximately 80-100 actionable issues.
Executive Summary
| Category | Count | Recommended Action |
|---|---|---|
| Legacy branch issues (maint-1.x, 2.x, legacy) | 93 | Bulk close |
| Obsolete v1/v2 component issues (unlabeled legacy) | ~63 | Close as obsolete |
| Active bugs (P1) | 4 | Fix or close with resolution |
| Security/infra (P2) | 9 | Address soon |
| Documentation gaps (P3) | 18 | Prioritize top items |
| Enhancements/RFCs (P4) | ~50 | Audit, close stale |
Priority 1 -- CRITICAL (active bugs and CI/CD)
| Issue | Summary | Age |
|---|---|---|
| #4067 | Adding a record fails with permission denied (v3.3) | 5.2y |
| #3989 | Files disappear after record update via REST API (data loss) | 6.1y |
| #4040 | invenio_admin version conflict prevents installation (v3.2) | 5.5y |
| #3015 | No formal security disclosure policy (RFC) | 10.8y |
PRs ready for review:
| PR | Summary | Status |
|---|---|---|
| #4101 | Modernize PyPI publish workflow (security fix + CI updates) | Open, supersedes #4097 |
| #4100 | Linux development environment setup guides | Open |
| #4102 | Add SECURITY.md vulnerability reporting policy | Open, addresses #3015 |
| #4097 | Dependabot bump of pypi-publish (superseded by #4101) | Open, recommend close |
Priority 2 -- HIGH (security and infrastructure)
| Issue | Summary | Recommended Action |
|---|---|---|
| #4045 | Verify inveniosoftware.org domain on GitHub | 5-min admin task |
| #3609 | Docker nginx should use HTTPS | Fix or close if Docker setup is deprecated |
| #3637 | Installation should use HTTPS port | Related to #3609 |
| #3961 | Update tested ElasticSearch versions across all repos | Audit needed |
| #3998 | Update Python classifiers in setup.py | Quick fix |
| #4048 | Investigate moving docs to MkDocs | Decision needed |
| #3988 | setup script conflicts with ipython autoreload | Fix or document workaround |
| #3810 | inveniomanage database init fails | Close if inveniomanage is deprecated |
| #3809 | inveniomanage incompatible with flask-collect 1.3.x | Close if inveniomanage is deprecated |
Priority 3 -- Documentation Gaps (18 issues)
Most filed by @lnielsen. Key items for production users:
| Issue | Summary |
|---|---|
| #4060 | Linux setup guide -- addressed by PR #4100 |
| #3906 | Securing your instance (missing entirely) |
| #3907 | Monitoring your infrastructure (missing entirely) |
| #3942 | Upgrading Elasticsearch chapter |
| #4016 | Template API stability guarantees |
| #4014 | Bundles and compatibility documentation |
| #3997 | Modules dependency management |
| #3948 | How to write documentation |
| #3914 | Restructure "build a module" section |
| #3876 | Improve quickstart |
| #3878 | Installing and running section |
| #3879 | Styling Invenio section |
| #3881 | Linking records section |
| #3885 | NGR support section |
| #3710 | Triage process docs |
| #3711 | Maintenance process docs |
| #3657 | Package anatomy docs |
| #3658 | Module anatomy docs |
Priority 5 -- RECOMMEND CLOSING
A. Legacy branch issues (93 issues)
These target maint-1.1, maint-1.2, maint-2.0, or legacy branches that have not received updates in years:
#3842, #3840, #3837, #3834, #3832, #3826, #3825, #3819, #3816, #3814, #3806, #3759, #3740, #3687, #3661, #3633, #3619, #3615, #3600, #3584, #3536, #3527, #3491, #3234, #3224, #3139, #2909, #2861, #2814, #2805, #2729, #2696, #2668, #2610, #2592, #2576, #2462, #2454, #2387, #2383, #2193, #2098, #2064, #1948, #1929, #1862, #1729, #1725, #1720, #1716, #1714, #1710, #1682, #1679, #1675, #1672, #1669, #1664, #1663, #1650, #1640, #1634, #1628, #1627, #1626, #1623, #1622, #1620, #1611, #1610, #1600, #1593, #1590, #1571, #1567, #1558, #1505, #1498, #1411, #1410, #1346, #1315, #1293, #1289, #1227, #1205, #1202, #1179, #1134, #1133, #1111, #1049, #921
Suggested close message:
Closing as stale. This issue targets a legacy branch (maint-1.x/2.x) that is no longer maintained. The component referenced here does not exist in Invenio v3+. If this issue is still relevant to a current version of Invenio, please open a new issue with updated reproduction steps.
B. Obsolete v1/v2 component issues without legacy label (~63 issues)
These reference components (WebSearch, BibEdit, BibSched, BibCirculation, etc.) from the Invenio v1/v2 architecture that do not exist in v3:
#860, #866, #867, #880, #881, #882, #883, #884, #885, #886, #887, #890, #899, #902, #906, #910, #927, #928, #959, #963, #967, #969, #972, #981, #984, #985, #1001, #1008, #1029, #1071, #1151, #1203, #1208, #1224, #1242, #1243, #1259, #1261, #1262, #1290, #1291, #1302, #1305, #1336, #1347, #1395, #1403, #1412, #1451, #1480, #1492, #1521, #1522, #1523, #1537, #1577, #2414, #2750, #2838, #2904, #3182, #3199, #3421, #3638, #3690
C. Other stale/obsolete issues
| Issue | Reason to close |
|---|---|
| #4056 | Sprint planning artifact from Dec 2020, not an issue |
| #3800 | Kickstart script issue (likely deprecated) |
| #3801 | Kickstart script issue (likely deprecated) |
| #3813 | Docker build failure from 2017 |
| #3820 | OpenSSL error from 2017 (resolved by upgrades) |
| #3858 | ssl_context issue targeting maint-2.1 (unlabeled) |
| #1009 | "Content translation on the fly" discussion from 2014 |
| #1203 | BatchUpload component (v1/v2) |
| #1243 | bibrank component (v1/v2) |
| #1629 | "Watch list" RFC from 2014 (v1/v2 era) |
| #1769 | JavaScript Code Style RFC from 2014 (predates modern tooling) |
| #1851 | BibDocFile copyright detection discussion from 2014 |
| #2803 | Custom Jinja template checker discussion from 2015 |
Governance Decisions Needed
These require maintainer input and cannot be resolved by triage alone:
| Issue | Decision |
|---|---|
| #3829 | MIT license migration -- audit which repos still need migration (23 comments) |
| #3650 | Obsoleted packages policy -- adopt and apply to enable bulk closure |
| #3665 | Project announcement space |
| #3666 | invenio-* component naming convention |
| #2895 | Reporting module RFC |
Recommended Action Plan
- Immediate: Review and merge PRs docs: add Linux development environment setup guides #4100, ci: modernize PyPI publish workflow #4101, docs: add SECURITY.md vulnerability reporting policy #4102; close build(deps): bump pypa/gh-action-pypi-publish from 1.3.1 to 1.13.0 in /.github/workflows #4097 as superseded
- This week: Bulk-close the 93 legacy-branch issues listed above
- This week: Close the ~63 obsolete v1/v2 component issues listed above
- This month: Verify GitHub domain (Verify domain on GitHub #4045), investigate bugs Adding a record fails with permission denied #4067 and Cannot attach files to an updated record #3989
- This quarter: Documentation sprint on docs: securing your instance #3906 (security) and docs: new section "Monitoring your infrastructure" #3907 (monitoring)
- Governance: Decide on RFC policy on clearly obsoleted packages #3650 (obsoleted packages policy) to prevent future accumulation
This would reduce the tracker from 237 to ~80 actionable issues.