feat(pacquet): port blockExoticSubdeps to reject exotic subdeps #11792
Sequence Diagram(s)
sequenceDiagram
participant Installer as InstallWithoutLockfile::run
participant Resolver as resolve_importer / resolver chain
participant DepWalker as resolve_node (dependency walker)
Installer->>Resolver: call with ResolveOptions { block_exotic_subdeps }
Resolver->>DepWalker: resolve dependency node (returns ResolveResult with resolved_via)
DepWalker->>DepWalker: if depth>0 and block_exotic_subdeps then check resolved_via against NON_EXOTIC_RESOLVED_VIA
alt resolved_via allowed
DepWalker-->>Resolver: return resolved package
else exotic resolved_via
DepWalker-->>Installer: return ExoticSubdep error (specifier, resolved_via)
end
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #11792 +/- ##
==========================================
- Coverage 87.41% 87.39% -0.03%
==========================================
Files 198 200 +2
Lines 23119 23514 +395
==========================================
+ Hits 20209 20549 +340
- Misses 2910 2965 +55
Integrated-Benchmark Report (Linux)
Scenario: Frozen Lockfile
Scenario: Frozen Lockfile (Hot Cache)
Rejects git/tarball/file resolutions reached transitively from the importer when `blockExoticSubdeps` is on. Direct deps remain allowed. Mirrors pnpm's gate at df990fd (`installing/deps-resolver/src/resolveDependencies.ts:1420-1434`) and the closed `NON_EXOTIC_RESOLVED_VIA` set (lines 1831-1841). Default is `true`, matching v11's `config/reader/src/index.ts:187`.
Summary

Ports pnpm's `blockExoticSubdeps` setting to pacquet. When on, transitive dependencies resolved via an exotic protocol (git, tarball, file, …) fail the install with `ERR_PNPM_EXOTIC_SUBDEP`. Direct dependencies remain allowed. Mirrors upstream's gate at `installing/deps-resolver/src/resolveDependencies.ts:1420-1434` and the closed `NON_EXOTIC_RESOLVED_VIA` set.

- `ResolveOptions.block_exotic_subdeps` and the per-node check inside `resolve_dependency_tree`'s walker.
- `Config.block_exotic_subdeps` (default `true`, matching v11's `config/reader/src/index.ts:187`), wired through `pnpm-workspace.yaml` and the `BLOCK_EXOTIC_SUBDEPS` env-overlay key.
- `install_without_lockfile`'s `ResolveOptions`.

Test plan

- `resolving-deps-resolver/src/tests.rs` covering the four upstream scenarios (rejects exotic transitive, allows exotic direct, allows registry transitive, gate-off lets exotic through).
- `cargo nextest run -p pacquet-resolving-deps-resolver -p pacquet-config -p pacquet-resolving-resolver-base -p pacquet-package-manager` — 516 / 516 pass.
- `cargo clippy --locked --workspace --all-targets -- --deny warnings` clean.
- `cargo fmt --check` clean.

Written by an agent (Claude Code, claude-opus-4-7).
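
The depth-gated allow-list check described in this PR, as an added example that is not code from the PR or from pacquet. The `Node` type, the `walk` function, the sample trees, and the resolver tag strings (`npm-registry`, `workspace`, `git-repository`) are assumptions made for illustration; the real closed set lives upstream and is not reproduced on this page.

```rust
// Added example: names follow the PR text; bodies and sample data are assumptions.
/// Assumed subset of the closed allow-list; the upstream set is not shown on this page.
const NON_EXOTIC_RESOLVED_VIA: &[&str] = &["npm-registry", "workspace"];

#[derive(Debug, PartialEq)]
pub struct ExoticSubdep {
    pub specifier: String,
    pub resolved_via: String,
}

/// Hypothetical dependency node: how it was requested and which resolver answered.
pub struct Node {
    pub specifier: &'static str,
    pub resolved_via: &'static str,
    pub children: Vec<Node>,
}

/// Depth 0 is a direct dependency of the importer. Returns the number of nodes accepted.
pub fn walk(node: &Node, depth: usize, block_exotic_subdeps: bool) -> Result<usize, ExoticSubdep> {
    // Allow-list check: a tag that is not known to be non-exotic is rejected below depth 0,
    // so a resolver kind added later fails closed instead of slipping through.
    if depth > 0 && block_exotic_subdeps && !NON_EXOTIC_RESOLVED_VIA.contains(&node.resolved_via) {
        return Err(ExoticSubdep {
            specifier: node.specifier.to_string(),
            resolved_via: node.resolved_via.to_string(),
        });
    }
    let mut accepted = 1;
    for child in &node.children {
        accepted += walk(child, depth + 1, block_exotic_subdeps)?;
    }
    Ok(accepted)
}

fn leaf(specifier: &'static str, resolved_via: &'static str) -> Node {
    Node { specifier, resolved_via, children: Vec::new() }
}

/// Constructed sample: a registry package that pulls in a git-hosted subdependency.
pub fn registry_with_git_child() -> Node {
    Node { specifier: "parent@1.0.0", resolved_via: "npm-registry",
           children: vec![leaf("child@github:example/child", "git-repository")] }
}

/// Constructed sample: a git-hosted direct dependency with a registry subdependency.
pub fn git_with_registry_child() -> Node {
    Node { specifier: "direct@github:example/direct", resolved_via: "git-repository",
           children: vec![leaf("leaf@2.0.0", "npm-registry")] }
}

fn main() {
    println!("{:?}", walk(&registry_with_git_child(), 0, true));
    println!("{:?}", walk(&git_with_registry_child(), 0, true));
}
```
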