fix: remove dead code and security issue from code review

- Remove unused _get_pypi_upstream_sources_cached function (never called)
- Remove unused CacheService import and get_cache helper
- Remove unused cache parameter from pypi_download_file
- Fix asyncio.get_event_loop() deprecation - use get_running_loop()
- Note: The caching implementation was incomplete but the other
  performance improvements (connection pooling, batch DB ops) remain

backend/app/http_client.py

@@ -150,7 +150,7 @@ class HttpClientManager:
         if not self._executor:
             raise RuntimeError("HttpClientManager not started. Call startup() first.")
 
-        loop = asyncio.get_event_loop()
+        loop = asyncio.get_running_loop()
         return await loop.run_in_executor(self._executor, func, *args)
 
     @property

backend/app/pypi_proxy.py

@@ -27,7 +27,6 @@ from .models import UpstreamSource, CachedUrl, Artifact, Project, Package, Packa
 from .storage import S3Storage, get_storage
 from .config import get_env_upstream_sources, get_settings
 from .http_client import HttpClientManager
-from .cache_service import CacheService, CacheCategory
 from .db_utils import ArtifactRepository
 
 logger = logging.getLogger(__name__)
@@ -40,11 +39,6 @@ def get_http_client(request: Request) -> HttpClientManager:
     return request.app.state.http_client
 
 
-def get_cache(request: Request) -> CacheService:
-    """Get CacheService from app state."""
-    return request.app.state.cache
-
-
 # Timeout configuration for proxy requests
 PROXY_CONNECT_TIMEOUT = 30.0
 PROXY_READ_TIMEOUT = 60.0
@@ -254,62 +248,6 @@ def _extract_pypi_version(filename: str) -> Optional[str]:
     return None
 
 
-async def _get_pypi_upstream_sources_cached(
-    db: Session,
-    cache: CacheService,
-) -> list[UpstreamSource]:
-    """
-    Get PyPI upstream sources with caching.
-
-    Sources are cached for cache_ttl_upstream seconds to avoid
-    repeated database queries on every request.
-    """
-    cache_key = "sources"
-
-    # Try cache first
-    cached = await cache.get(CacheCategory.UPSTREAM_SOURCES, cache_key, protocol="pypi")
-    if cached:
-        source_data = json.loads(cached.decode())
-        # Reconstruct UpstreamSource-like objects from cached data
-        # We cache just the essential fields needed for requests
-        return [type('CachedSource', (), d)() for d in source_data]
-
-    # Query database
-    db_sources = (
-        db.query(UpstreamSource)
-        .filter(UpstreamSource.source_type == "pypi", UpstreamSource.enabled == True)
-        .order_by(UpstreamSource.priority)
-        .all()
-    )
-
-    # Combine with env sources
-    env_sources = [s for s in get_env_upstream_sources() if s.source_type == "pypi"]
-    all_sources = list(db_sources) + list(env_sources)
-    all_sources = sorted(all_sources, key=lambda s: s.priority)
-
-    # Cache the essential fields
-    if all_sources and cache.enabled:
-        cache_data = [
-            {
-                "name": s.name,
-                "url": s.url,
-                "priority": s.priority,
-                "auth_type": getattr(s, "auth_type", "none"),
-                "username": getattr(s, "username", None),
-                "password": getattr(s, "password", None),
-            }
-            for s in all_sources
-        ]
-        await cache.set(
-            CacheCategory.UPSTREAM_SOURCES,
-            cache_key,
-            json.dumps(cache_data).encode(),
-            protocol="pypi",
-        )
-
-    return all_sources
-
-
 def _get_pypi_upstream_sources(db: Session) -> list[UpstreamSource]:
     """Get all enabled upstream sources configured for PyPI."""
     # Get database sources
@@ -643,7 +581,6 @@ async def pypi_download_file(
     db: Session = Depends(get_db),
     storage: S3Storage = Depends(get_storage),
     http_client: HttpClientManager = Depends(get_http_client),
-    cache: CacheService = Depends(get_cache),
 ):
     """
     Download a package file, caching it in Orchard.