You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat/npm-source-resolution (PR #3) lands npm source resolution: resolveSource({type:"npm", …}) → resolveNpm → defaultNpmFetcher (npm pack + tar), exact-version caching, version-as-sha pin, plus the npmPackArgs helper and an option-like-package injection guard. It is green (tsc, 100% coverage, eslint, quire) and smoke-tested live (npm pack is-number@7.0.0 resolved + cached). A /code-review pass found the non-blocking items below.
Tasks
Medium — fragile npm-output parse.defaultNpmFetcher (src/resolve.ts ~lines 54–61) does JSON.parse(out.slice(out.indexOf("[")))[0]. A prepack/prepare script that prints a [ (e.g. [build] done) makes indexOf land on the wrong bracket and the parse throws; if there is no [, indexOf returns -1, slice(-1) yields the last char, and JSON.parse/[0] throw a cryptic error. Fix: parse npm's --json output robustly (e.g. take the last JSON value, or guard idx < 0 / empty-array and throw a descriptive SourceError). Add a test with prepack-style noise / no-bracket output.
Medium — undocumented fetcher contract.resolveNpm cache-hit (src/resolve.ts ~lines 167–178) returns dir: <cacheDir>/package, ignoring the dir a custom NpmFetcher returned on the miss path. A custom fetcher that extracts elsewhere is authoritative on miss but silently overridden on later resolves. Fix: document that an NpmFetcher MUST extract to <destDir>/package, or persist + read the fetcher's returned dir.
Low — stale docs (now also npm). Update: resolveSource docstring "git is the only side effect"; ResolveOptions.cacheRoot comment (only mentions <cacheRoot>/git/<key>); ResolvedSource.sha comment "(git sources)". All now also apply to npm sources.
Low — disk accumulation. The unpinned-spec re-fetch path leaves the prior tarball in cacheDir; clean it up.
Acceptance criteria
Prepack-noise / no-bracket npm output handled gracefully (descriptive error, with a test).
Fetcher <destDir>/package contract documented (or the returned dir honored).
Docstrings updated; src/resolve.ts stays at 100% coverage.
Related: the option-like-package guard already added in this PR (reqArg in src/sources.ts, FR-004-CON-3) — see the git-hardening issue for extending it to git fields.
Context
feat/npm-source-resolution(PR #3) lands npm source resolution:resolveSource({type:"npm", …})→resolveNpm→defaultNpmFetcher(npm pack+tar), exact-version caching, version-as-shapin, plus thenpmPackArgshelper and an option-like-packageinjection guard. It is green (tsc, 100% coverage, eslint, quire) and smoke-tested live (npm pack is-number@7.0.0resolved + cached). A/code-reviewpass found the non-blocking items below.Tasks
defaultNpmFetcher(src/resolve.ts~lines 54–61) doesJSON.parse(out.slice(out.indexOf("[")))[0]. Aprepack/preparescript that prints a[(e.g.[build] done) makesindexOfland on the wrong bracket and the parse throws; if there is no[,indexOfreturns-1,slice(-1)yields the last char, andJSON.parse/[0]throw a cryptic error. Fix: parse npm's--jsonoutput robustly (e.g. take the last JSON value, or guardidx < 0/ empty-array and throw a descriptiveSourceError). Add a test with prepack-style noise / no-bracket output.resolveNpmcache-hit (src/resolve.ts~lines 167–178) returnsdir: <cacheDir>/package, ignoring thedira customNpmFetcherreturned on the miss path. A custom fetcher that extracts elsewhere is authoritative on miss but silently overridden on later resolves. Fix: document that anNpmFetcherMUST extract to<destDir>/package, or persist + read the fetcher's returned dir.resolveSourcedocstring "git is the only side effect";ResolveOptions.cacheRootcomment (only mentions<cacheRoot>/git/<key>);ResolvedSource.shacomment "(git sources)". All now also apply to npm sources.cacheDir; clean it up.Acceptance criteria
<destDir>/packagecontract documented (or the returned dir honored).src/resolve.tsstays at 100% coverage.References
feat/npm-source-resolutionspec/functional/FR-004-source-resolution.mdpackageguard already added in this PR (reqArginsrc/sources.ts, FR-004-CON-3) — see the git-hardening issue for extending it to git fields.