This repository was archived by the owner on May 14, 2026. It is now read-only.

feat(package-manager): version unions in allowBuilds keys (#397 item 5 completion) #428

Merged
zkochan merged 1 commit into main from claude/allow-builds-version-unions on May 12, 2026
Conversation

@zkochan

@zkochan zkochan commented May 12, 2026

Member

Summary

Completes #397 item 5. Slice A+B's PR #425 moved AllowBuildPolicy off package.json onto pnpm-workspace.yaml; this PR ports the second half of upstream's matcher — expandPackageVersionSpecs — so users can write keys like foo@1.0.0 || 2.0.0 in their allowBuilds map.

What this adds

New pacquet_package_manager::version_policy module porting config/version-policy/src/index.ts at SHA b4f8f47ac2. expand_package_version_specs parses each allowBuilds key into one or more name / name@version literal strings:

  • foo → {"foo"}
  • foo@1.0.0 → {"foo@1.0.0"}
  • foo@1.0.0 || 2.0.0 → {"foo@1.0.0", "foo@2.0.0"}
  • @scope/foo@1.0.0 → {"@scope/foo@1.0.0"}

Two error codes mirror upstream:

  • ERR_PNPM_INVALID_VERSION_UNION when a || member isn't valid semver
  • ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION when a * wildcard in the name is combined with a version part

Whitespace around || and within each version is trimmed before parsing, matching Node-semver's valid().

What this does NOT add

Wildcards in the name (is-*, @scope/*) are accepted by the parser and land in the expanded set as literal strings, but HashSet::contains lookups mean they never match real package names. Mirrors upstream's 'should not allow patterns in allowBuilds' test — the original #397 audit incorrectly claimed @scope/* should work in allowBuilds; it doesn't, neither upstream nor here. createPackageVersionPolicy (which DOES support wildcards via Matcher) is a separate upstream function used by minimumReleaseAgeExclude / dlx — pacquet doesn't have those features yet.

AllowBuildPolicy refactor

AllowBuildPolicy's internal storage changes from HashMap<String, bool> to two HashSet<String> (expanded_allowed and expanded_disallowed), populated through expand_package_version_specs. The check function checks disallowed before allowed, both against bare name and name@version, mirroring upstream's order at building/policy/src/index.ts:35-44.

This fixes a pre-existing pacquet divergence: the old matcher checked exact-version first, then bare name. With upstream's order, a bare-name disallow now correctly wins over an exact-version allow. New disallow_bare_name_wins_over_allow_exact_version test pins the behavior; the old exact_version_takes_precedence test was removed (it asserted the divergent behavior).

AllowBuildPolicy::new now takes the expanded sets directly (pure constructor — no IO). AllowBuildPolicy::from_config returns Result<Self, VersionPolicyError> so spec-parse failures surface at install time instead of being silently dropped. New InstallFrozenLockfileError::VersionPolicy variant propagates the error.

Test plan

  • 12 new tests in version_policy::tests covering: bare name, exact version, version union, scoped names, whitespace trimming in unions, name-with-wildcard-alone (literal), invalid version union (error), mixed valid/invalid (error), wildcard-with-version (error), empty input, duplicate collapse.
  • Ports of upstream's building/policy/test/index.ts cases: allow_via_version_union (version-union allows), wildcard_name_in_allow_builds_does_not_match_real_package (wildcards inert), disallow_bare_name_wins_over_allow_exact_version (matcher order), disallow_exact_version_with_allow_bare_name (converse).
  • from_config error-propagation tests for both VersionPolicyError variants.
  • just ready clean — 598 tests pass.
  • just dylint (perfectionist) clean.
  • RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --workspace --document-private-items clean.
  • taplo format --check clean.

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

  • Bug Fixes

    • Improved error handling for package build policy configuration with more structured diagnostics.
  • Refactor

    • Enhanced build policy evaluation logic for more accurate allow/deny decision-making.


…5 completion)

Completes pacquet#397 item 5. Slice A+B's PR #425 moved
`AllowBuildPolicy` off `package.json` onto `pnpm-workspace.yaml`;
this commit ports the second half of upstream's matcher — the
`expandPackageVersionSpecs` step that lets users write keys like
`foo@1.0.0 || 2.0.0` in their `allowBuilds` map.

## What this adds

New `pacquet_package_manager::version_policy` module porting
[`config/version-policy/src/index.ts`](https://github.com/pnpm/pnpm/blob/b4f8f47ac2/config/version-policy/src/index.ts)
at commit `b4f8f47ac2`. `expand_package_version_specs` parses each
`allowBuilds` key into one or more `name` / `name@version` literal
strings:

- `foo` → `{"foo"}`
- `foo@1.0.0` → `{"foo@1.0.0"}`
- `foo@1.0.0 || 2.0.0` → `{"foo@1.0.0", "foo@2.0.0"}`
- `@scope/foo@1.0.0` → `{"@scope/foo@1.0.0"}`

Two error codes mirror upstream:

- `ERR_PNPM_INVALID_VERSION_UNION` when a `||` member isn't valid
  semver
- `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` when a `*` wildcard in
  the name is combined with a version part

Whitespace around `||` and within each version is trimmed before
parsing, matching Node-semver's `valid()`.

## What this does NOT add

Wildcards in the name (`is-*`, `@scope/*`) are accepted by the
parser and land in the expanded set as literal strings, but
`HashSet::contains` lookups mean they never match real package
names. Mirrors upstream's `'should not allow patterns in allowBuilds'`
test at [`building/policy/test/index.ts:28-34`](https://github.com/pnpm/pnpm/blob/b4f8f47ac2/building/policy/test/index.ts#L28-L34)
— the original #397 audit incorrectly claimed `@scope/*` should
work in `allowBuilds`; it doesn't, neither upstream nor here.
`createPackageVersionPolicy` (which DOES support wildcards via
`Matcher`) is a separate upstream function used by
`minimumReleaseAgeExclude` / `dlx` — pacquet doesn't have those
features yet.

## AllowBuildPolicy refactor

`AllowBuildPolicy`'s internal storage changes from
`HashMap<String, bool>` to two `HashSet<String>` (`expanded_allowed`
and `expanded_disallowed`), populated through
`expand_package_version_specs`. The `check` function checks
`disallowed` before `allowed`, both against bare `name` and
`name@version`, mirroring upstream's order at
[`building/policy/src/index.ts:35-44`](https://github.com/pnpm/pnpm/blob/b4f8f47ac2/building/policy/src/index.ts#L35-L44).

This fixes a pre-existing pacquet divergence: the old matcher
checked exact-version first, then bare name. With upstream's
order, a bare-name disallow now correctly wins over an
exact-version allow. New
`disallow_bare_name_wins_over_allow_exact_version` test pins the
behavior; the old `exact_version_takes_precedence` test was
removed (it asserted the divergent behavior).

`AllowBuildPolicy::new` now takes the expanded sets directly
(pure constructor — no IO). `AllowBuildPolicy::from_config`
returns `Result<Self, VersionPolicyError>` so spec-parse failures
surface at install time instead of being silently dropped. New
`InstallFrozenLockfileError::VersionPolicy` variant propagates the
error.

## Tests

- 12 new tests in `version_policy::tests` covering: bare name,
  exact version, version union, scoped names, whitespace trimming
  in unions, name-with-wildcard-alone (literal), invalid version
  union (error), mixed valid/invalid (error), wildcard-with-version
  (error), empty input, duplicate collapse.
- Ports of upstream's `building/policy/test/index.ts` cases:
  `allow_via_version_union` (version-union allows),
  `wildcard_name_in_allow_builds_does_not_match_real_package`
  (wildcards inert), `disallow_bare_name_wins_over_allow_exact_version`
  (matcher order), `disallow_exact_version_with_allow_bare_name`
  (converse).
- `from_config` error-propagation tests for both `VersionPolicyError`
  variants.

598 tests pass; `just ready`, `just dylint`, `cargo doc -D warnings
--document-private-items`, `taplo format --check` all clean.

---
Written by an agent (Claude Code, claude-opus-4-7).
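
As an added illustration (not pacquet's or pnpm's code), the sketch below shows the key expansion and the disallow-before-allow lookup described in the PR description and commit message above. `expand_specs`, `SpecError`, `BuildPolicy` and the MAJOR.MINOR.PATCH-only version check are assumptions of this example; the `dangerously_allow_all` short-circuit is omitted.

```rust
use std::collections::HashSet;

/// Mirrors the two error codes named on this page.
#[derive(Debug, PartialEq)]
pub enum SpecError {
    InvalidVersionUnion(String),       // ERR_PNPM_INVALID_VERSION_UNION
    NamePatternInVersionUnion(String), // ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION
}

/// Simplified stand-in for a strict semver parser (assumption of this example):
/// accepts only MAJOR.MINOR.PATCH without leading zeros, pre-release or build tags.
fn is_exact_version(v: &str) -> bool {
    let parts: Vec<&str> = v.split('.').collect();
    parts.len() == 3
        && parts.iter().all(|p| {
            !p.is_empty()
                && p.bytes().all(|b| b.is_ascii_digit())
                && (*p == "0" || !p.starts_with('0'))
        })
}

/// Expand allowBuilds keys into literal `name` / `name@version` strings.
pub fn expand_specs<'a>(
    keys: impl IntoIterator<Item = &'a str>,
) -> Result<HashSet<String>, SpecError> {
    let mut out = HashSet::new();
    for key in keys {
        // Skip a leading '@' so the scope marker in "@scope/foo" is not
        // mistaken for the name/version separator.
        let start = usize::from(key.starts_with('@'));
        let Some(at) = key[start..].find('@').map(|i| i + start) else {
            out.insert(key.to_string()); // bare name; wildcards stay literal
            continue;
        };
        let (name, versions) = (&key[..at], &key[at + 1..]);
        let members: Vec<&str> = versions.split("||").map(str::trim).collect();
        // Invalid semver is reported before the wildcard-with-version check.
        if !members.iter().all(|v| is_exact_version(v)) {
            return Err(SpecError::InvalidVersionUnion(key.to_string()));
        }
        if name.contains('*') {
            return Err(SpecError::NamePatternInVersionUnion(key.to_string()));
        }
        out.extend(members.iter().map(|v| format!("{name}@{v}")));
    }
    Ok(out)
}

/// Exact-match policy built from (key, allow) pairs.
pub struct BuildPolicy {
    allowed: HashSet<String>,
    disallowed: HashSet<String>,
}

impl BuildPolicy {
    /// Partition rules by their boolean value, then expand each side.
    pub fn from_rules(rules: &[(&str, bool)]) -> Result<Self, SpecError> {
        let (mut allow, mut deny) = (Vec::new(), Vec::new());
        for &(key, allowed) in rules {
            if allowed { allow.push(key) } else { deny.push(key) }
        }
        Ok(Self { allowed: expand_specs(allow)?, disallowed: expand_specs(deny)? })
    }

    /// Some(false) = denied, Some(true) = allowed, None = no rule matched.
    pub fn check(&self, name: &str, version: &str) -> Option<bool> {
        let exact = format!("{name}@{version}");
        // Disallowed is consulted first, so a bare-name deny beats an exact-version allow.
        if self.disallowed.contains(name) || self.disallowed.contains(&exact) {
            return Some(false);
        }
        if self.allowed.contains(name) || self.allowed.contains(&exact) {
            return Some(true);
        }
        None
    }
}

fn main() {
    // Constructed rules, shaped like entries of an allowBuilds map.
    let rules =
        [("native-dep@0.19.0 || 0.20.0", true), ("foo", false), ("foo@1.0.0", true), ("is-*", true)];
    let policy = BuildPolicy::from_rules(&rules).expect("valid specs");
    let probes =
        [("native-dep", "0.20.0"), ("native-dep", "0.21.0"), ("foo", "1.0.0"), ("is-odd", "3.0.1")];
    for (name, version) in probes {
        println!("{name}@{version}: {:?}", policy.check(name, version));
    }
    // A non-semver union member fails the whole policy load.
    println!("{:?}", BuildPolicy::from_rules(&[("foo@1.0.0 || latest", true)]).err());
}
```
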
@coderabbitai

coderabbitai Bot commented May 12, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1f77d0d8-629a-4e27-b8f3-8646c1594120

📥 Commits

Reviewing files that changed from the base of the PR and between cba5422 and cded942.

📒 Files selected for processing (6)
  • crates/package-manager/src/build_modules.rs
  • crates/package-manager/src/build_modules/tests.rs
  • crates/package-manager/src/install_frozen_lockfile.rs
  • crates/package-manager/src/lib.rs
  • crates/package-manager/src/version_policy.rs
  • crates/package-manager/src/version_policy/tests.rs
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Agent
  • GitHub Check: Lint and Test (windows-latest)
  • GitHub Check: Code Coverage
  • GitHub Check: Run benchmark on ubuntu-latest
  • GitHub Check: Run benchmark on ubuntu-latest
🧰 Additional context used
📓 Path-based instructions (1)
**/*.rs

📄 CodeRabbit inference engine (AGENTS.md)

**/*.rs: Preserve existing method chains and pipe-trait chains; do not break them into intermediate let bindings unless there is a concrete justification such as a compilation failure, borrow checker rejection, meaningful performance improvement, or other technical necessity. Refactoring for style alone is not sufficient justification.
Choose owned vs. borrowed parameters to minimize copies; prefer borrowed types (&Path over &PathBuf, &str over &String) when it does not force extra copies.
Prefer Arc::clone(&x) and Rc::clone(&x) over x.clone() for reference-counted types to make the cost visible at the call site.
Do not use star imports inside module bodies. Write use super::{Foo, bar} instead of use super::*; for any glob whose target is a module you control. External-crate preludes (e.g., use rayon::prelude::*;) and root-of-module re-exports (e.g., pub use submodule::*; in lib.rs) are exceptions.
Follow Rust API Guidelines for naming, as documented in https://rust-lang.github.io/api-guidelines/naming.html.
Declare a newtype wrapper for any branded string type being ported from TypeScript pnpm. Do not collapse the brand into a plain String or &str; give the type its own struct so misuse is a type error.
When porting branded string types where upstream TypeScript always validates before construction, validate in the Rust port too. Construct the wrapper only via TryFrom<String> and/or FromStr; do not provide an infallible public constructor that takes an arbitrary string.
For branded string types where upstream TypeScript never validates (used purely for type-safety to prevent confusion between string slots), expose an infallible From<String> and From<&str> constructor in the Rust wrapper.
When upstream TypeScript occasionally constructs a branded type without validation (via bare as assertion), add a from_str_unchecked (or similarly named) constructor on the Rust side. Keep the validating constructor as well; `from_str_u...

Files:

  • crates/package-manager/src/lib.rs
  • crates/package-manager/src/install_frozen_lockfile.rs
  • crates/package-manager/src/version_policy/tests.rs
  • crates/package-manager/src/build_modules.rs
  • crates/package-manager/src/version_policy.rs
  • crates/package-manager/src/build_modules/tests.rs
🧠 Learnings (2)
📚 Learning: 2026-05-07T23:19:08.272Z
Learnt from: KSXGitHub
Repo: pnpm/pacquet PR: 401
File: tasks/integrated-benchmark/src/work_env.rs:343-344
Timestamp: 2026-05-07T23:19:08.272Z
Learning: When reviewing Rust code in pnpm/pacquet for deprecated API usage, do not automatically treat `serde_saphyr::to_string` as deprecated. In `serde-saphyr` v0.0.25, `serde_saphyr::to_string` has no `#[deprecated]` attribute (the `#[deprecated]` later in `serde-saphyr-0.0.25/src/lib.rs` applies to a different function). Only flag `serde_saphyr::to_string` as deprecated if the resolved dependency version’s source shows `#[deprecated]` on that specific function.

Applied to files:

  • crates/package-manager/src/lib.rs
  • crates/package-manager/src/install_frozen_lockfile.rs
  • crates/package-manager/src/version_policy/tests.rs
  • crates/package-manager/src/build_modules.rs
  • crates/package-manager/src/version_policy.rs
  • crates/package-manager/src/build_modules/tests.rs
📚 Learning: 2026-05-01T10:01:33.766Z
Learnt from: zkochan
Repo: pnpm/pacquet PR: 349
File: crates/reporter/src/tests.rs:121-121
Timestamp: 2026-05-01T10:01:33.766Z
Learning: In Rust test code, follow the repo’s CODE_STYLE_GUIDE test-logging rule: add logging (e.g., `eprintln!`/`eprintln!(...)`) so that useful diagnostic values are printed when a test fails, unless the assertion is `assert_eq!` (where the differing values are already included). Concretely, if you use assertions like `assert!`, `assert_ne!`, etc., ensure the test logs the relevant actual/expected values (or context) before/around the assertion so failures can be diagnosed without rerunning.

Applied to files:

  • crates/package-manager/src/version_policy/tests.rs
  • crates/package-manager/src/build_modules/tests.rs
🔇 Additional comments (18)
crates/package-manager/src/version_policy.rs (6)

1-38: LGTM! Excellent documentation.

The module-level documentation is thorough and clearly explains the behavior, limitations, and upstream alignment. The wildcard semantics (literal strings in the expanded set, no pattern matching) are well-documented with upstream test references.


39-68: LGTM! Error types properly mirror upstream.

The error enum correctly uses derive_more and miette with diagnostic codes that match upstream pnpm's ERR_PNPM_INVALID_VERSION_UNION and ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION.


70-104: LGTM! Expansion logic correctly implemented.

The function properly expands version unions into separate name@version entries, handles bare names, and returns a deduplicated HashSet. Generic parameters allow flexible input types while maintaining type safety.


106-139: LGTM! Scoped name handling is correct.

The logic for finding the version separator correctly handles both scoped (@scope/foo@1.0.0) and unscoped (foo@1.0.0) package names. For scoped names, skip(1) skips the first character (the leading @), then finds the next @ which separates the name from the version.

Error precedence is appropriate: invalid semver is caught first, then wildcard-in-name is checked.


141-154: LGTM! Union parsing handles whitespace correctly.

The function properly splits on ||, trims whitespace from each component, and strictly parses each as semver. The to_string() normalization ensures consistent version formats in the output.


156-157: LGTM!

crates/package-manager/src/lib.rs (1)

22-22: LGTM! Standard module declaration and re-export.

The new version_policy module follows the existing pattern in this file.

Also applies to: 43-43

crates/package-manager/src/version_policy/tests.rs (2)

4-9: LGTM! Clean test helper.

The expand helper function provides a convenient way to test the expansion logic with sorted output for stable assertions.


11-98: LGTM! Comprehensive test coverage.

The test suite thoroughly covers:

  • Bare and scoped names (verbatim expansion)
  • Exact versions (single literal)
  • Version unions (multiple literals)
  • Whitespace trimming
  • Wildcard behavior (literal string, no pattern matching)
  • Error cases (invalid semver, wildcard+version)
  • Edge cases (empty input, duplicates)

All test expectations align with upstream pnpm behavior and include references to upstream test cases.

crates/package-manager/src/build_modules.rs (4)

45-67: LGTM! Struct refactor correctly implements pre-expansion.

The change from HashMap<String, bool> to two HashSet<String> (expanded_allowed and expanded_disallowed) is the correct representation for pre-expanded exact-match entries. Documentation clearly explains that version unions are expanded into multiple literals.


69-82: LGTM! Constructor updated appropriately.

The new constructor now takes pre-expanded sets, making the expansion logic explicit and testable separately from config loading.


84-112: LGTM! Config loading correctly propagates errors.

The from_config method now:

  1. Partitions specs by boolean value into allowed/disallowed
  2. Expands each set via expand_package_version_specs
  3. Propagates errors (InvalidVersionUnion, NamePatternInVersionUnion)

This matches upstream behavior of throwing expansion errors at config-load time.


114-146: LGTM! Check order matches upstream semantics.

The check method correctly:

  1. Returns Some(true) for dangerously_allow_all (short-circuit)
  2. Checks disallowed first (both bare name and exact version)
  3. Checks allowed second (both bare name and exact version)
  4. Returns None if not found

This ensures a bare-name disallow wins over an exact-version allow, matching upstream's check order in createAllowBuildFunction.

crates/package-manager/src/install_frozen_lockfile.rs (2)

71-77: LGTM! Error variant properly added.

The new VersionPolicy variant correctly uses #[diagnostic(transparent)] and #[error(source)] to propagate VersionPolicyError through the install pipeline. Documentation references the upstream error codes.


177-178: LGTM! Error propagation correctly implemented.

The map_err properly converts VersionPolicyError into InstallFrozenLockfileError::VersionPolicy, surfacing config-load errors to the caller.

crates/package-manager/src/build_modules/tests.rs (3)

19-42: LGTM! Test helper mirrors runtime behavior.

The policy_from_specs helper correctly:

  1. Partitions specs by boolean value (same as from_config)
  2. Expands each set via expand_package_version_specs
  3. Constructs AllowBuildPolicy via new

Using .expect("valid specs") is appropriate for tests—invalid specs should fail loudly.


96-118: LGTM! Tests correctly verify precedence and error propagation.

The updated tests properly verify:

  1. Disallowed-before-allowed precedence (lines 96-118)
  2. Interaction between bare-name and exact-version rules (lines 113-118)
  3. Version union expansion behavior (lines 139-152)
  4. Error propagation from from_config for invalid specs (lines 172-189)

All tests align with upstream pnpm behavior and include appropriate assertions for specific error variants.

Also applies to: 139-166, 172-189


199-214: LGTM! Config round-trip tests updated.

The from_config tests correctly handle the new Result return type with .expect(), verifying both success cases and error propagation.


Walkthrough

This PR introduces structured package-version policy expansion by extracting spec parsing into a dedicated module, refactoring AllowBuildPolicy to store pre-expanded exact-match sets instead of raw rule maps, and propagating parse errors through the install pipeline.

Changes

Version Policy Integration

Layer / File(s) Summary
Version policy module and public API
crates/package-manager/src/version_policy.rs, crates/package-manager/src/version_policy/tests.rs, crates/package-manager/src/lib.rs
expand_package_version_specs parses name[@version`[
AllowBuildPolicy refactoring to use expanded sets
crates/package-manager/src/build_modules.rs, crates/package-manager/src/build_modules/tests.rs
AllowBuildPolicy now stores expanded_allowed and expanded_disallowed HashSet instead of a raw rules map. from_config expands specs via the new module and returns Result<Self, VersionPolicyError>. check evaluates disallowed set first (exact and bare-name matches), then allowed set, with dangerously_allow_all short-circuiting. Test helper policy_from_specs simplifies test setup; all policy unit tests validate precedence and union expansion; all end-to-end tests migrate to the new construction pattern.
Error propagation in InstallFrozenLockfile
crates/package-manager/src/install_frozen_lockfile.rs
Added InstallFrozenLockfileError::VersionPolicy variant to carry VersionPolicyError. Policy construction failures from AllowBuildPolicy::from_config are now mapped through this error variant, surfacing validation errors through the install pipeline.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • pnpm/pacquet#425: Concurrent refactoring of AllowBuildPolicy construction from Config and the build_modules integration threading.

Poem

🐰 A rabbit's joy to parse and sow,

Specs expand in sets, a structured flow,

From unions blossomed, || strings unfold,

Each name and version now a truth we hold,

Error-caught and clear, the policy's told. 🌱

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: implementing version unions in allowBuilds keys, matching the PR objectives and raw summary. |
| Description check | ✅ Passed | The PR description is comprehensive with Summary, Linked issue, upstream reference, and detailed checklist. It exceeds template requirements by explaining implementation details, test coverage, and upstream alignment. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@codecov

codecov Bot commented May 12, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.84%. Comparing base (cba5422) to head (cded942).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #428      +/-   ##
==========================================
+ Coverage   86.71%   86.84%   +0.12%     
==========================================
  Files          92       93       +1     
  Lines        6481     6535      +54     
==========================================
+ Hits         5620     5675      +55     
+ Misses        861      860       -1     


@zkochan zkochan marked this pull request as ready for review May 12, 2026 20:23
Copilot AI review requested due to automatic review settings May 12, 2026 20:23

Copilot AI left a comment

Contributor


Pull request overview

Ports pnpm’s expandPackageVersionSpecs into pacquet-package-manager so pnpm-workspace.yaml allowBuilds keys can include exact-version unions (e.g. foo@1.0.0 || 2.0.0), and wires parse failures into the frozen-lockfile install path as diagnostics.

Changes:

  • Add version_policy module with expand_package_version_specs and upstream-matching diagnostics for invalid unions and wildcard+version combinations.
  • Refactor AllowBuildPolicy to store expanded allow/deny sets and to apply upstream precedence (disallow before allow; bare name rules participate).
  • Update install pipeline + tests to propagate and assert VersionPolicyError behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
crates/package-manager/src/version_policy.rs New parser/expander for <name>@<v1 || v2 …> specs with upstream error codes.
crates/package-manager/src/version_policy/tests.rs Unit tests covering unions, whitespace trimming, wildcard behavior, and error cases.
crates/package-manager/src/build_modules.rs AllowBuildPolicy now uses expanded allow/deny HashSets; from_config becomes fallible; matcher order updated.
crates/package-manager/src/build_modules/tests.rs Test helper updated to mirror runtime expansion; adds union + precedence + error-propagation coverage.
crates/package-manager/src/install_frozen_lockfile.rs Propagates VersionPolicyError via new InstallFrozenLockfileError::VersionPolicy.
crates/package-manager/src/lib.rs Registers and re-exports the new version_policy module.


@github-actions


Micro-Benchmark Results

Linux

group                          main                                   pr
-----                          ----                                   --
tarball/download_dependency    1.00     16.3±0.48ms   266.1 KB/sec    1.00     16.2±0.61ms   267.2 KB/sec

@github-actions


Integrated-Benchmark Report (Linux)

Scenario: Frozen Lockfile

| Command | Mean [s] | Min [s] | Max [s] | Relative |
| --- | --- | --- | --- | --- |
| pacquet@HEAD | 2.538 ± 0.133 | 2.392 | 2.853 | 1.04 ± 0.06 |
| pacquet@main | 2.445 ± 0.048 | 2.365 | 2.531 | 1.00 |
| pnpm | 5.968 ± 0.088 | 5.835 | 6.138 | 2.44 ± 0.06 |

Scenario: Frozen Lockfile (Hot Cache)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| pacquet@HEAD | 690.2 ± 44.1 | 660.0 | 808.6 | 1.00 |
| pacquet@main | 784.3 ± 44.6 | 742.1 | 882.0 | 1.14 ± 0.10 |
| pnpm | 2452.5 ± 67.6 | 2372.8 | 2586.2 | 3.55 ± 0.25 |

@zkochan zkochan merged commit eefff34 into main May 12, 2026
30 checks passed
@zkochan zkochan deleted the claude/allow-builds-version-unions branch May 12, 2026 21:09
KSXGitHub pushed a commit that referenced this pull request May 13, 2026
Pull in 28 commits from upstream main, including the
`pacquet-npmrc` → `pacquet-config` rename (#420) plus features:
- supportedArchitectures + --cpu/--os/--libc (#456)
- frozen-lockfile (#442, #443, #447, #450)
- git-fetcher (#436 / #446, #451, #454)
- side-effects cache (#421 / #422, #423, #424)
- real-hoist + global-virtual-store (#432 / #438 / #444, #449, #452)
- patchedDependencies + allow-builds (#425, #427, #428)
- engine/platform installability (#434 / #439)

Conflicts resolved:
- `crates/npmrc/` files migrated under the renamed
  `crates/config/` directory; `Npmrc` → `Config` everywhere
  except `NpmrcAuth` (which keeps the `.npmrc`-domain name).
- `Config::current` reads the env-var DI generic `Api: EnvVar`
  for ${VAR}-substitution in `.npmrc`. Production turbofish in
  `cli_args.rs` is `Config::current::<RealApi, _, _, _, _>(...)`.
- Two-phase `NpmrcAuth::apply_*` retained so default-registry
  creds key at the yaml-resolved registry URL.
- New `Config::auth_headers` field plumbed through
  `install_package_by_snapshot`'s `DownloadTarballToStore`.
- Tests under `crates/config/src/workspace_yaml/tests.rs`
  pick up the new ParseYaml unit test added on this branch.