Skip to content

SHA-pin upstream citations and re-enable perfectionist::unpinned_repo_ref (pacquet/pnpr) #12717

Description

@KSXGitHub

Context

The perfectionist dylint library was upgraded to 0.0.0-rc.21 (branch claude/perfectionist-rc21-upgrade-9rfgpq). The new active-by-default rule perfectionist::unpinned_repo_ref flags repository URLs in comments / doc comments whose ref is a branch or tag instead of a commit SHA — exactly the convention pacquet/AGENTS.md documents ("link to a specific commit SHA, not a branch name").

It fired 37 times, all on doc-comment citations of upstream source. Pinning them is the documented convention, but doing it correctly is a dedicated pass — and this sandbox could not reach some of the cited repos. The rule is disabled in dylint.toml for now:

[perfectionist]
disable = ["unpinned_repo_ref"]

Follow-up (this issue)

  1. Decide policy for permanent release-tag citations (npm/hosted-git-info@v4.1.0, pnpm/version-selector-type@v3.0.0, …): either SHA-pin them too, or accept them via ["perfectionist::unpinned_repo_ref"] allow_version_patterns = true.
  2. SHA-pin the branch-ref citations. Current resolved HEADs (first 10 hex), to make this mostly mechanical:
    • pnpm/pnpm main / HEAD4cd45a3e15
    • zkochan/packages maine65701a6ae
    • ds300/patch-package masterbe4dfd77d9
    • npm/registry masterae49abf1ba
  3. Repoint the dead citations (these no longer resolve and need a real target, not just a SHA):
    • pnpm/pnpm@deps (crates/cli/src/cli_args/why.rs) — the deps branch is gone; the why/inspection sources moved.
    • whitecolor/is-subdir and pnpm/util.lex-comparator — repos not reachable / renamed.
  4. Remove unpinned_repo_ref from the disable list and run cargo dylint locally.

Written by an agent (Claude Code).

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions