GET maven-metadata.xml Panics with "index out of range [-1]" When No Package Versions Exist

[dianaStr7]

Description

After fix for maven packages in 33678, when trying to GET maven-metadata.xml for a non-existent package, function serveMavenMetadata crashes with an index out of range [-1] panic as no Maven package versions are found. I suppose this happens because the function attempts to access pds[len(pds)-1], but pds is empty.

Steps to Reproduce

1. Ensure no package versions exist for the given GroupID:ArtifactID.
2. Attempt to curl GET com/group/id/artifactId/maven-metadata.xml for the non-existent package.
3. Get 500 response and see the log with index out of range [-1] panic.

Expected Behavior

The function should return more clear HTTP response (e.g., 404 Not Found) instead of panicking.

Where I think the problem is

routers/api/packages/maven/maven.go
func serveMavenMetadata

latest := pds[len(pds)-1] // Panics if pds is empty

Suggested Fix

Add a check for package versions found before continuing:

pvs = append(pvsLegacy, pvs...)

if len(pvs) == 0 {
	apiError(ctx, http.StatusNotFound, packages_model.ErrPackageNotExist)
	return
}

Environment

• Gitea Version: 1.23.5
• Go Version: 1.23.5

Gitea Version

1.23.5

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Locally

Database

None

[wxiaoguang]

-> Fix maven panic when no package exist #33888

[dianaStr7]

-> Fix maven panic when no package exist #33888

Thank you for the fast reply and fix :)