
fix(resolver): trust benchmark fixture churn packages#370

Merged
jdx merged 1 commit into main from codex/trust-policy-bench-excludes
Apr 28, 2026

Conversation


@jdx jdx commented Apr 28, 2026

Summary

  • add built-in trustPolicy exclusions for eslint-config-prettier, react-redux, and reselect
  • keep the no-downgrade algorithm unchanged; these packages are registry provenance metadata churn cases surfaced by the benchmark fixture

Validation

  • cargo fmt --check
  • cargo test -p aube-resolver trust::tests
  • cargo build -p aube
  • cargo clippy -p aube-resolver --all-targets -- -D warnings
  • fresh-cache benchmark fixture install: aube --disable-global-virtual-store install --no-side-effects-cache

Notes

cargo clippy --all-targets -- -D warnings currently fails outside this change on clippy::items-after-test-module in crates/aube/src/commands/install/mod.rs.

This PR description was generated by Codex.


Note

Medium Risk
Adjusts default trust-policy enforcement by globally excluding three additional packages, which can bypass downgrade failures for those dependencies. Low code complexity, but it touches a security-related guardrail and changes install acceptance for affected packages.

Overview
Expands the built-in DEFAULT_TRUST_POLICY_EXCLUDES list to also exclude eslint-config-prettier, react-redux, and reselect from trust-downgrade checks, reducing benchmark/fixture churn caused by registry provenance metadata changes.

Reviewed by Cursor Bugbot for commit 8b11a39.

@jdx jdx merged commit 3eba9f7 into main Apr 28, 2026
10 checks passed
@jdx jdx deleted the codex/trust-policy-bench-excludes branch April 28, 2026 19:53

greptile-apps Bot commented Apr 28, 2026

Greptile Summary

Adds three packages (eslint-config-prettier, react-redux, reselect) to the built-in DEFAULT_TRUST_POLICY_EXCLUDES list as name-only (all-version) entries, suppressing false-positive trust-downgrade errors caused by registry provenance metadata churn on those packages. No algorithmic changes are made; the existing default_excludes_known_provenance_churn_packages test automatically covers the new entries.

Confidence Score: 5/5

Safe to merge — the change is a pure data addition with no logic modifications and is covered by the existing parameterised test.

Single-line list additions in alphabetical order, no algorithm changes, and the existing test suite iterates over DEFAULT_TRUST_POLICY_EXCLUDES so new entries are automatically exercised.

No files require special attention.

Important Files Changed

Filename: crates/aube-resolver/src/trust.rs
Overview: Adds eslint-config-prettier, react-redux, and reselect as name-only trust-policy exclusions; alphabetical order maintained; no logic changes.

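As an added illustration of the policy the reviews above describe, and not code from the aube project: a simplified Rust model of a no-downgrade trust check with a built-in exclusion list, where a bare package name excludes every version and a hypothetical `name@version` form excludes a single version. The `Trust` enum, the function names and the sample lockfile data are assumptions; only the three package names come from the PR.

```rust
// Added example, not aube's own code: a simplified model of a trust-policy
// "no-downgrade" check with a built-in exclusion list. Type and function
// names are hypothetical; only the three package names come from the PR.
use std::collections::HashMap;

/// Hypothetical provenance trust level recorded for a resolved package.
/// Variant order defines what counts as a downgrade (None < Signed < Provenance).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Trust {
    None,
    Signed,
    Provenance,
}

/// Built-in exclusions. A bare name matches every version of that package;
/// "name@version" (hypothetical syntax) matches only that version.
pub const DEFAULT_TRUST_POLICY_EXCLUDES: &[&str] =
    &["eslint-config-prettier", "react-redux", "reselect"];

/// Split an exclusion entry into (name, optional version). Scoped names start
/// with '@', so only an '@' after the first character separates the version.
fn parse_exclude(entry: &str) -> (&str, Option<&str>) {
    if entry.is_empty() {
        return (entry, None);
    }
    match entry[1..].find('@') {
        Some(i) => (&entry[..i + 1], Some(&entry[i + 2..])),
        None => (entry, None),
    }
}

pub fn is_excluded(excludes: &[&str], name: &str, version: &str) -> bool {
    excludes.iter().any(|e| match parse_exclude(e) {
        (n, None) => n == name,
        (n, Some(v)) => n == name && v == version,
    })
}

/// Returns every package whose trust level dropped relative to the previous
/// lockfile and that is not excluded; an empty Vec means the install is accepted.
pub fn trust_downgrades(
    previous: &HashMap<&str, Trust>,
    resolved: &[(&str, &str, Trust)],
    excludes: &[&str],
) -> Vec<String> {
    let mut failures = Vec::new();
    for (name, version, trust) in resolved {
        if let Some(prev) = previous.get(name) {
            if trust < prev && !is_excluded(excludes, name, version) {
                failures.push(format!("{name}@{version}: {prev:?} -> {trust:?}"));
            }
        }
    }
    failures
}
```

A name-only entry silences downgrade failures for every future version of that package, which is the trade-off the risk note above points at; a pinned entry limits the bypass to the one release known to be metadata churn.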
