fix: accept loose peer ranges in peers check #12150

Merged
zkochan merged 1 commit into pnpm:main from minbang930:fix/12149-peers-check-loose-range on Jun 16, 2026
@minbang930 minbang930 commented Jun 2, 2026

What

Fixes pnpm peers check so it accepts loose semver peer ranges such as >=3.16.0 || >=4.0.0- when the installed peer version satisfies the range.

The peer checker now keeps the existing includePrerelease: true behavior and also enables semver loose parsing for peer range satisfaction.

Why

@gorhom/bottom-sheet@5.2.14 declares react-native-reanimated as >=3.16.0 || >=4.0.0-. With strict semver parsing, react-native-reanimated@4.4.0 was reported as unmet even though loose parsing accepts the range.

Closes #12149.

Tests

  • PATH=/tmp/pnpm-12149-bin:$PATH pnpm --filter @pnpm/deps.inspection.peers-checker test test/checkPeerDependencies.test.ts -t "loose" — regression test passes
  • PATH=/tmp/pnpm-12149-bin:$PATH pnpm --filter @pnpm/deps.inspection.peers-checker test — 7 passed
  • ./node_modules/.bin/cspell .changeset/loose-peers-check.md deps/inspection/peers-checker/test/checkPeerDependencies.test.ts --no-progress — 0 issues
  • git diff --check — no whitespace errors

AI assistance

OpenAI Codex helped reproduce the bug, draft the regression test, and prepare the initial patch. I reviewed the diff, verified the semver behavior, reran the targeted tests above, and take responsibility for the change.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed pnpm peers check to properly validate loose peer dependency ranges. Installations with peer versions that satisfy the specified range now pass validation correctly.

Run peer dependency range checks with semver loose parsing while preserving
prerelease inclusion.

This prevents pnpm peers check from reporting react-native-reanimated@4.4.0 as
unmet for ranges like >=3.16.0 || >=4.0.0-.

Add a lockfile regression fixture for pnpm#12149 and a patch changeset for the peer
checker and pnpm CLI.

Closes pnpm#12149.

Co-authored-by: OpenAI Codex <codex@openai.com>
@minbang930 minbang930 requested a review from zkochan as a code owner June 2, 2026 20:34
Copilot AI review requested due to automatic review settings June 2, 2026 20:34
coderabbitai Bot commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 643e4733-5543-438b-adde-790b6303e532

📥 Commits

Reviewing files that changed from the base of the PR and between 1c73e83 and ba81fbd.

⛔ Files ignored due to path filters (1)
  • deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .changeset/loose-peers-check.md
  • deps/inspection/peers-checker/src/checkPeerDependencies.ts
  • deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json
  • deps/inspection/peers-checker/test/checkPeerDependencies.test.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Agent
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Compile & Lint
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Follow Standard Style with trailing commas, preferring functions over classes, and declaring functions after they are used (relying on hoisting)
Use a single options object instead of multiple parameters when a function needs more than two or three arguments
Follow Import Order: Standard libraries first, then external dependencies (alphabetically), then relative imports
Write self-documenting code where function names, parameters, and types explain what a function does without requiring prose comments
Do not write comments that restate what the code already says; refactor via renaming, splitting helpers, or restructuring instead
Do not repeat documentation at call sites that already exists in JSDoc on the callee; update JSDoc once for all call sites to benefit
Use JSDoc only for a function's contract (preconditions, postconditions, edge cases, why the function exists), not for re-narrating the body
Do not record past implementation shape, refactor history, or 'the previous code did X' framing in code; use git log and git blame instead
Write comments only when: the reason for code is non-obvious (hidden invariant, workaround for known bug, deliberate exception), or the right name doesn't fit (temporary technical constraint)

Files:

  • deps/inspection/peers-checker/test/checkPeerDependencies.test.ts
  • deps/inspection/peers-checker/src/checkPeerDependencies.ts
**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use util.types.isNativeError() instead of instanceof Error for error type checking in Jest tests

Files:

  • deps/inspection/peers-checker/test/checkPeerDependencies.test.ts
🧠 Learnings (3)
📚 Learning: 2026-05-05T23:03:04.286Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11479
File: __utils__/scripts/package.json:6-9
Timestamp: 2026-05-05T23:03:04.286Z
Learning: The pattern cross-env NODE_OPTIONS="$NODE_OPTIONS ..." in package.json scripts is an established convention in the pnpm/pnpm repository and is used across many packages (e.g., fs/hard-link-dir, worker, __utils__/scripts). Do not flag this as a cross-platform issue in individual files; if a change is needed, apply it as a repo-wide change in a separate PR. Scope this guidance to all package.json files in the repo; use the minimatch pattern '**/package.json' to identify relevant files and review changes at the repository level rather than per-file.

Applied to files:

  • deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json
📚 Learning: 2026-05-14T09:04:00.133Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.

Applied to files:

  • deps/inspection/peers-checker/test/checkPeerDependencies.test.ts
  • deps/inspection/peers-checker/src/checkPeerDependencies.ts
📚 Learning: 2026-05-26T21:01:06.666Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11966
File: .changeset/require-tarball-integrity.md:6-6
Timestamp: 2026-05-26T21:01:06.666Z
Learning: In pnpm lockfile-related release notes/docs (especially changeset markdown), preserve URL hostnames exactly as they appear in pnpm-lock.yaml tarball resolution entries—keep hosts like `codeload.github.com`, `bitbucket.org`, and `gitlab.com` in lowercase. Do not “correct” them to title-case/preserve brand capitalization (e.g., LanguageTool rules like `GITHUB` capitalization) because these are literal URL fragments, not platform brand names.

Applied to files:

  • .changeset/loose-peers-check.md
🔇 Additional comments (4)
deps/inspection/peers-checker/test/checkPeerDependencies.test.ts (1)

61-72: LGTM!

.changeset/loose-peers-check.md (1)

1-6: LGTM!

deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json (1)

1-8: ⚡ Quick win

Fixture lockfile requirement is satisfied.

deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/pnpm-lock.yaml exists and includes @gorhom/bottom-sheet@5.2.14 with peerDependencies.react-native-reanimated: '>=3.16.0 || >=4.0.0-', matching what checkWantedLockfileOnly: true expects.

deps/inspection/peers-checker/src/checkPeerDependencies.ts (1)

138-138: ⚡ Quick win

Recheck the collateral scope of loose: true for peer range evaluation

deps/inspection/peers-checker/src/checkPeerDependencies.ts applies loose: true only in the local satisfies() helper used for peer dependency range checks:

return semver.satisfies(version, range, { includePrerelease: true, loose: true })

This behavior is already exercised by the with-loose-peer-range fixture (react-native-reanimated: ">=3.16.0 || >=4.0.0-") and the corresponding test expecting no issues. However, loose in node-semver makes semver parsing/comparison more forgiving for “not-quite-valid” inputs, so this could also start treating other malformed/ambiguous range strings as satisfying.

Confirm the change doesn’t introduce unintended acceptances by (1) running the peer-checker suite in CI and (2) adding fixtures for other potentially “loose” range formatting (beyond dash-terminated ranges). Also confirm this wider parsing is intended only for peerDependency checks—allowedVersions filtering uses semver.satisfies(...) without loose.


📝 Walkthrough

Walkthrough

This PR fixes a bug where pnpm peers check fails on semver ranges with a trailing dash (e.g., >=4.0.0-), which are used by packages to cover pre-release versions. The fix enables loose semver matching and adds test coverage for the corrected behavior.

Changes

Loose peer dependency range support

| Layer / File(s) | Summary |
|---|---|
| Enable loose semver matching: deps/inspection/peers-checker/src/checkPeerDependencies.ts | The satisfies helper now passes loose: true to semver.satisfies to accept pre-release and dash-terminated ranges. |
| Test coverage and changeset documentation: deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json, deps/inspection/peers-checker/test/checkPeerDependencies.test.ts, .changeset/loose-peers-check.md | A test fixture reproduces the issue scenario with loose ranges, a test case verifies no issues are reported for satisfied loose ranges, and the changeset documents the fix. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • zkochan

Poem

A dash at the end caused peers to cry,
But loose semver rules let versions align,
Reanimated ranges now rest satisfied,
As bottom sheets settle—no errors to find! 📦✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: accepting loose peer ranges in the peers check functionality, directly addressing the bug fix. |
| Linked Issues check | ✅ Passed | The changes fully implement the requirements from issue #12149: loose semver parsing is enabled, the specific test case validates react-native-reanimated@4.4.0 acceptance, and the fix prevents false unmet-peer warnings. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the peers check loose range validation issue; no unrelated modifications to other functionality are present. |


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.



@qodo-free-for-open-source-projects

Review Summary by Qodo

Accept loose peer dependency ranges in pnpm peers check

🐞 Bug fix

Walkthroughs

Description
• Enable loose semver parsing in peer dependency range checks
• Accept non-standard ranges like >=3.16.0 || >=4.0.0- when satisfied
• Add regression test fixture for react-native-reanimated peer range
• Preserve existing prerelease inclusion behavior
Diagram
flowchart LR
  A["Peer Range Check"] -->|"Add loose: true"| B["Semver Satisfies"]
  B -->|"Parse >=3.16.0 || >=4.0.0-"| C["Accept v4.4.0"]
  D["Test Fixture"] -->|"Verify Fix"| C

File Changes

1. deps/inspection/peers-checker/src/checkPeerDependencies.ts 🐞 Bug fix +1/-1

Enable loose semver parsing in peer range checks

• Modified satisfies() function to enable loose semver parsing
• Added loose: true option to semver.satisfies() call
• Maintains existing includePrerelease: true behavior

deps/inspection/peers-checker/src/checkPeerDependencies.ts


2. deps/inspection/peers-checker/test/checkPeerDependencies.test.ts 🧪 Tests +13/-0

Add regression test for loose peer ranges

• Added new test case for loose peer dependency ranges
• Tests that react-native-reanimated@4.4.0 satisfies >=3.16.0 || >=4.0.0-
• Verifies no peer dependency issues are reported for valid loose ranges

deps/inspection/peers-checker/test/checkPeerDependencies.test.ts


3. .changeset/loose-peers-check.md 📝 Documentation +6/-0

Add changeset for loose peer range fix

• Created changeset documenting the bug fix
• Marks patches for @pnpm/deps.inspection.peers-checker and pnpm
• References issue #12149

.changeset/loose-peers-check.md


4. deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json 🧪 Tests +8/-0

Create test fixture for loose peer ranges

• Created test fixture package with loose peer range dependency
• Declares @gorhom/bottom-sheet@5.2.14 and react-native-reanimated@4.4.0
• Reproduces the original issue scenario

deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json


5. deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/pnpm-lock.yaml 🧪 Tests +34/-0

Add lockfile fixture for loose peer range test

• Created lockfile fixture for loose peer range test
• Includes @gorhom/bottom-sheet@5.2.14 with peer range >=3.16.0 || >=4.0.0-
• Specifies react-native-reanimated@4.4.0 as installed peer dependency

deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/pnpm-lock.yaml


Copilot AI left a comment

Pull request overview

This PR fixes pnpm peers check incorrectly reporting unmet peers when a package declares a loosely formatted semver peer range (e.g. >=4.0.0-) that is satisfied by the installed peer version. It does so by enabling semver “loose” parsing during peer-range satisfaction checks while preserving the existing includePrerelease: true behavior.

Changes:

  • Enable semver.satisfies(..., { includePrerelease: true, loose: true }) for peer dependency range checks.
  • Add a regression test fixture and test case covering a loose peer range (>=3.16.0 || >=4.0.0-) satisfied by an installed peer.
  • Add a changeset to publish patch releases for pnpm and @pnpm/deps.inspection.peers-checker.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| deps/inspection/peers-checker/src/checkPeerDependencies.ts | Enables loose semver parsing for peer range satisfaction. |
| deps/inspection/peers-checker/test/checkPeerDependencies.test.ts | Adds regression coverage for satisfied loose peer ranges. |
| deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/pnpm-lock.yaml | New lockfile fixture reproducing the reported loose peer range scenario. |
| deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/package.json | New fixture manifest matching the lockfile scenario. |
| .changeset/loose-peers-check.md | Records the patch release notes for the fix. |

Files not reviewed (1)
  • deps/inspection/peers-checker/test/__fixtures__/with-loose-peer-range/pnpm-lock.yaml: Language not supported

@zkochan zkochan merged commit 3188ae7 into pnpm:main Jun 16, 2026
13 of 14 checks passed
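
The CodeRabbit comment above asks which other loosely formatted ranges the check now accepts. As a complementary audit, this added example (not part of the PR or of pnpm's code) lists peer ranges that contain a dash-terminated comparator such as `>=4.0.0-`, so each one can be reviewed individually. The names `auditPeerRanges` and `danglingDashComparators`, the regular expression, and every sample entry except the `@gorhom/bottom-sheet` one are assumptions made for the example.

```typescript
interface Finding {
  dependent: string
  peer: string
  range: string
  comparator: string
}

type PeerMap = Record<string, string>

// Simplified pattern written for this example, not node-semver's grammar:
// optional operator, optional "v", one to three numeric parts, then a bare dash.
const DANGLING_DASH = /^(?:[<>]=?|=|\^|~)?v?\d+(?:\.\d+){0,2}-$/

function danglingDashComparators (range: string): string[] {
  const hits: string[] = []
  for (const alternative of range.split('||')) {
    // Whitespace splitting keeps hyphen ranges ("1.0.0 - 2.0.0") from matching:
    // their dash is a separate token with no version attached.
    for (const token of alternative.trim().split(/\s+/)) {
      if (DANGLING_DASH.test(token)) hits.push(token)
    }
  }
  return hits
}

function auditPeerRanges (packages: Record<string, PeerMap>): Finding[] {
  const findings: Finding[] = []
  for (const dependent of Object.keys(packages)) {
    const peers = packages[dependent]
    for (const peer of Object.keys(peers)) {
      const range = peers[peer]
      for (const comparator of danglingDashComparators(range)) {
        findings.push({ dependent, peer, range, comparator })
      }
    }
  }
  return findings
}

// Constructed sample: the first entry is the range quoted in this PR, the rest are made up.
const samplePeers: Record<string, PeerMap> = {
  '@gorhom/bottom-sheet@5.2.14': { 'react-native-reanimated': '>=3.16.0 || >=4.0.0-' },
  'example-hyphen-range@1.0.0': { react: '17.0.0 - 18.3.1' },
  'example-prerelease@1.0.0': { react: '>=19.0.0-0 <20' },
  'example-spaced@1.0.0': { vue: '>= 3.0.0- || ^2.7' },
}

for (const f of auditPeerRanges(samplePeers)) {
  console.log(`${f.dependent}: peer ${f.peer} range "${f.range}" contains "${f.comparator}"`)
}
```
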
Development

Successfully merging this pull request may close these issues.

pnpm peers check fails on semver range with dash at the end

3 participants