Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 9de27dd. Configure here.
Greptile SummaryThis PR extends install-time engine validation to cover The only notable gap is in Confidence Score: 5/5Safe to merge; the single P2 finding is a corner-case divergence in time-based mode that does not affect the main engines or install paths All issues from previous reviews are addressed in this diff. The only new finding is a P2 (missing passes_cutoff in add.rs) that only manifests in time-based resolution mode with a latest tag newer than the cutoff. The core engines.rs refactor is well-tested with 13 unit tests and three new integration tests. crates/aube/src/commands/add.rs — highest_satisfying closure is missing the passes_cutoff time-gate Important Files Changed
Reviews (4): Last reviewed commit: "fix(resolver): prefer dist-tags.latest w..." | Re-trigger Greptile |
Benchmark changesVersions:
Public ratios: warm installs vs Bun 6x -> 7x; warm installs vs pnpm 10x -> 13x.
d631f88 vs c4ac6a6 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex. |
jdx
added a commit
that referenced
this pull request
May 1, 2026
Three review fixes on PR #458: 1. P1: `run_checks` previously fed a sentinel string `"0.0.0-no-node"` into the manifest helpers when no Node was probed. The sentinel is legal SemVer (prerelease tag `no-node`), so `version_satisfies` did *not* take the parse-failure "no opinion" fallback — it ran for real against e.g. `>=20` and reported a spurious mismatch on every manifest declaring `engines.node`. Under engine-strict that hard-failed installs on machines without Node. Thread `Option<&str>` through `check_root` / `check_workspace_importers` / `check_manifest_engines` and skip the field when None. 2. P1: restore the `geteuid() == 0` early-return in `collect_dep_mismatches_propagates_non_not_found_io_errors`. Docker CI defaults to uid 0; root ignores `chmod 000`, so the permission-denied read would succeed and the assertion would panic. 3. P2: re-add the `resolve_node_version_strips_v_prefix` unit test that was lost in the refactor. The strip path is the most common real-world input (`node --version` always emits `vX.Y.Z`) and deserves a dedicated regression guard. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Extends `engines::run_checks` to cover constraints aube previously
ignored:
- `engines.aube` and `engines.pnpm` are now validated against aube's
own version (`env!("CARGO_PKG_VERSION")`). aube positions itself as
a pnpm-compatible drop-in, so a package gating on `engines.pnpm` is
honored as if aube were that pnpm. Both fields are checked on the
root manifest and workspace-project manifests; transitive deps stay
`engines.node`-only to avoid drowning users in warnings from wild
packages that pin authors' own toolchains.
- Workspace per-project manifests are now walked for `engines.{node,
aube,pnpm}` mismatches. Previously only the root manifest was
checked; a sub-project pinning `engines.node: ">=99999"` silently
passed. They warn by default and hard-fail under `engine-strict`.
The warning printer now labels each mismatch with which engine field
triggered it (`wanted node >=20`, `wanted aube >=99999`, etc.). The
strict-mode error is now engine-agnostic ("declare incompatible
engine constraints" instead of "require a Node version incompatible
with"). Existing engines.bats assertions on the "engine-strict"
substring keep working.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds three engines-coverage ports enabled by the new check_engines/ workspace-importer-walk plumbing: - 337 — workspace per-project engines.node fails install under engine-strict. - 371 — same fixture without engine-strict warns and succeeds. - 303 — workspace per-project engines.pnpm fails install under engine-strict. Pnpm fails this unconditionally; aube routes everything through one knob, so the port enables engine-strict. Reclassifies misc.ts:136 (package.yaml manifest) from "documented divergence" to "won't fix" — supporting YAML manifests would expand both the parser and the security-review surface for a feature pnpm itself documents as legacy. Not a pnpm-parity goal. misc.ts ported count: 27 -> 30 of 36. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three review fixes on PR #458: 1. P1: `run_checks` previously fed a sentinel string `"0.0.0-no-node"` into the manifest helpers when no Node was probed. The sentinel is legal SemVer (prerelease tag `no-node`), so `version_satisfies` did *not* take the parse-failure "no opinion" fallback — it ran for real against e.g. `>=20` and reported a spurious mismatch on every manifest declaring `engines.node`. Under engine-strict that hard-failed installs on machines without Node. Thread `Option<&str>` through `check_root` / `check_workspace_importers` / `check_manifest_engines` and skip the field when None. 2. P1: restore the `geteuid() == 0` early-return in `collect_dep_mismatches_propagates_non_not_found_io_errors`. Docker CI defaults to uid 0; root ignores `chmod 000`, so the permission-denied read would succeed and the assertion would panic. 3. P2: re-add the `resolve_node_version_strips_v_prefix` unit test that was lost in the refactor. The strip path is the most common real-world input (`node --version` always emits `vX.Y.Z`) and deserves a dedicated regression guard. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
b44605c to
6274303
Compare
aube's pick_version always returned the strictly-highest version satisfying the range. npm and pnpm both prefer the version the publisher last tagged `latest` when it falls inside the range — a stray higher version (hotfix on an old line, withdrawn experimental publish, mid-rollback intermediary) shouldn't silently win over the publisher's anchor. The pnpm_update.bats serial cases (`add_dist_tag latest 100.0.0 + aube add foo@^100.0.0` -> expect lockfile pinned 100.0.0) bake this behavior in. Without the preference, those 4 tests were a flaky CI failure that finally went red on c4ac6a6 — a workflow-only commit, ruling out any actual regression. Apply the same preference in `aube add`'s display-version path so the printed `+ pkg@version` line agrees with what the resolver installs. TimeBased mode (`pick_lowest=true`) suppresses the preference: that mode pins to the floor of the range by design. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merged
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends
crates/aube/src/engines.rsto cover engine constraints aube previously ignored, then ports the three pnpm misc.ts tests this unblocks.Engines coverage changes
engines.nodeon root manifestengines.nodeon workspace project manifestsengines.nodeon transitive depsengines.aubeon root + workspace projectsenv!(\"CARGO_PKG_VERSION\")engines.pnpmon root + workspace projectsenv!(\"CARGO_PKG_VERSION\")engines.{aube,pnpm}on transitive depsaube positions itself as a pnpm-compatible drop-in, so a package gating on
engines.pnpmis honored as if aube were that pnpm.The warning printer now labels each mismatch with the engine field that triggered it (
wanted node >=20,wanted aube >=99999,wanted pnpm >=8). The strict-mode error is now engine-agnostic — existingengines.batsassertions on theengine-strictsubstring keep working.Tests ported (
test/pnpm_install_misc.bats, 27 → 30 of 36)337workspace per-projectengines.nodestrict fail371workspace per-projectengines.nodewarn303workspace per-projectengines.pnpm(translated: pnpm hard-fails this unconditionally; aube routes everything through one knob, so the port enablesengine-strict=true)Doc reclassification
misc.ts:136(package.yaml manifest) moves from "documented divergence" to won't fix. Supporting YAML manifests would expand both the parser surface and the security-review surface for a feature pnpm itself documents as legacy. Not a pnpm-parity goal.Test plan
crates/aube/src/engines.rs(8 new —check_root_flags_{aube,pnpm}_mismatch,check_root_aube_satisfied_when_range_matches,check_root_flags_all_three_engines_independently,check_workspace_importers_{skips_root,flags_per_project,falls_back_to_rel_path_label})test/pnpm_install_misc.batspasstest/engines.bats(existing) still passtest/install.batsstill passtest/workspace.batsstill passcargo test --bin aubepasscargo clippy --all-targets -- -D warningscleancargo fmt --checkclean🤖 Generated with Claude Code
Note
Medium Risk
Changes dependency resolution to prefer
dist-tags.latestwithin a semver range and expands engine constraint enforcement across workspaces, which can alter installed versions and cause new install failures underengine-strict. Limited scope but touches core install/resolution paths.Overview
Aligns resolver and CLI output with npm/pnpm by preferring
dist-tags.latestwhen it satisfies a semver range (unlesspick_lowest), and adds tests covering the new selection behavior.Extends install-time engine validation to check
engines.aube/engines.pnpm(againstCARGO_PKG_VERSION) and to applyengines.nodechecks to workspace importer manifests as well as transitive deps; warnings/errors now label the specific engine key and avoid falsely failingengines.nodewhen no Node version is available.Adds pnpm parity BATS tests for workspace
engine-strictbehavior and updates pnpm import docs to reflect the newly covered cases.Reviewed by Cursor Bugbot for commit d631f88. Bugbot is set up for automated code reviews on this repo. Configure here.