Skip to content

[plugins] npm resolution (PR #3): robust npm pack parse, fetcher-dir contract, docs #5

Description

@kreneskyp

Context

feat/npm-source-resolution (PR #3) lands npm source resolution: resolveSource({type:"npm", …})resolveNpmdefaultNpmFetcher (npm pack + tar), exact-version caching, version-as-sha pin, plus the npmPackArgs helper and an option-like-package injection guard. It is green (tsc, 100% coverage, eslint, quire) and smoke-tested live (npm pack is-number@7.0.0 resolved + cached). A /code-review pass found the non-blocking items below.

Tasks

  • Medium — fragile npm-output parse. defaultNpmFetcher (src/resolve.ts ~lines 54–61) does JSON.parse(out.slice(out.indexOf("[")))[0]. A prepack/prepare script that prints a [ (e.g. [build] done) makes indexOf land on the wrong bracket and the parse throws; if there is no [, indexOf returns -1, slice(-1) yields the last char, and JSON.parse/[0] throw a cryptic error. Fix: parse npm's --json output robustly (e.g. take the last JSON value, or guard idx < 0 / empty-array and throw a descriptive SourceError). Add a test with prepack-style noise / no-bracket output.
  • Medium — undocumented fetcher contract. resolveNpm cache-hit (src/resolve.ts ~lines 167–178) returns dir: <cacheDir>/package, ignoring the dir a custom NpmFetcher returned on the miss path. A custom fetcher that extracts elsewhere is authoritative on miss but silently overridden on later resolves. Fix: document that an NpmFetcher MUST extract to <destDir>/package, or persist + read the fetcher's returned dir.
  • Low — stale docs (now also npm). Update: resolveSource docstring "git is the only side effect"; ResolveOptions.cacheRoot comment (only mentions <cacheRoot>/git/<key>); ResolvedSource.sha comment "(git sources)". All now also apply to npm sources.
  • Low — disk accumulation. The unpinned-spec re-fetch path leaves the prior tarball in cacheDir; clean it up.

Acceptance criteria

  • Prepack-noise / no-bracket npm output handled gracefully (descriptive error, with a test).
  • Fetcher <destDir>/package contract documented (or the returned dir honored).
  • Docstrings updated; src/resolve.ts stays at 100% coverage.

References

  • PR: feat: resolve npm sources via npm pack #3 · branch feat/npm-source-resolution
  • Spec: spec/functional/FR-004-source-resolution.md
  • Related: the option-like-package guard already added in this PR (reqArg in src/sources.ts, FR-004-CON-3) — see the git-hardening issue for extending it to git fields.

Metadata

Metadata

Assignees

No one assigned

    Labels

    pluginsPlugin system / discovery / marketplace

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions