fix: harden dependency manifest parsers (Cargo, Poetry, pip, go.mod, npm)#70
Merged
An audit of the deterministic `deps.ts` engine (behind `bootcamp deps` and
DEPENDENCIES.md) found systematic mis-parsing of real-world manifests:
- Cargo: never reset section state, so keys under `[features]`,
`[profile.*]`, `[[bin]]` etc. that follow a deps section were counted as
dependencies. Inline tables (`dep = { version = "1.0", ... }`) recorded
the version as `"{"`, and `[dependencies.<crate>]` detailed tables
invented a `version` dep while dropping the real crate. Rewritten as a
line-oriented walk that resets on every header, parses inline-table and
detailed-table versions, and dedupes.
- Poetry: section capture terminated at the first `[` in a value (e.g.
`extras = ["d"]`), dropping every dependency after such a line. Now
terminates at the next table header and parses inline-table versions.
- requirements.txt: pip option/include lines (`-r`, `-e`, `-c`, `--hash`,
`--index-url`) were recorded as bogus packages. Now skipped; extras and
environment markers are stripped.
- go.mod: only the first `require ( … )` block was read, dropping the
entire `// indirect` block that gofmt emits. Now reads every block and
dedupes.
- npm: `optionalDependencies` were ignored entirely. Now included.
- npm/Cargo extractors no longer write a `console.debug` line to stdout on
the "not this manifest" path, so `bootcamp deps --json` output on non-npm
repos is no longer corrupted.
Covered by new fixture-based parser tests plus an e2e guard that a Cargo
repo's `--json` output is clean and parseable.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
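The Cargo item above describes three distinct failure classes (no section reset, inline tables read as `"{"`, detailed tables inventing a `version` crate). The following is an added example of a line-oriented walk that avoids all three; it is not the project's `deps.ts`, and `parseCargoDeps`, `summarize` and the `SAMPLE_CARGO` fixture are hypothetical names constructed for this illustration.

```typescript
// Added example (not the project's deps.ts): a line-oriented Cargo.toml
// dependency walk that resets section state on every table header, reads
// versions out of inline tables and `[dependencies.<crate>]` detailed
// tables, and dedupes. Helper names are hypothetical.

export interface CargoDep {
  name: string;
  version: string;
  section: string; // "dependencies" | "dev-dependencies" | "build-dependencies"
}

const DEP_SECTIONS = new Set(["dependencies", "dev-dependencies", "build-dependencies"]);

function unquote(v: string): string {
  return v.replace(/^["']|["']$/g, "");
}

export function parseCargoDeps(toml: string): CargoDep[] {
  const seen = new Map<string, CargoDep>();
  // Deps section we are inside, or null for any other table
  // ([package], [features], [profile.*], [[bin]], ...).
  let section: string | null = null;
  // Crate named by a `[dependencies.<crate>]` header, while inside one.
  let detailedCrate: string | null = null;

  const record = (name: string, version: string, sec: string): CargoDep => {
    const key = `${sec}:${name}`;
    let dep = seen.get(key);
    if (!dep) {
      dep = { name, version, section: sec };
      seen.set(key, dep); // first occurrence wins: this is the dedupe
    }
    return dep;
  };

  for (const raw of toml.split(/\r?\n/)) {
    // Naive comment strip; fine for fixtures, would break on '#' inside strings.
    const line = raw.replace(/#.*$/, "").trim();
    if (line === "") continue;

    // Every `[table]` / `[[array]]` header resets state; only a deps table re-enters.
    const header = line.match(/^\[\[?([^\]]+)\]\]?$/);
    if (header) {
      section = null;
      detailedCrate = null;
      const parts = header[1].trim().split(".");
      const idx = parts.findIndex((p) => DEP_SECTIONS.has(p));
      if (idx !== -1) {
        section = parts[idx];
        if (parts.length > idx + 1) {
          // `[dependencies.<crate>]`: the crate is the header, not a `version` key.
          detailedCrate = unquote(parts.slice(idx + 1).join("."));
          record(detailedCrate, "*", section); // keep path/git deps that carry no version
        }
      }
      continue;
    }
    if (section === null) continue; // e.g. `default = ["std"]` under [features]

    const kv = line.match(/^([A-Za-z0-9_.\-"']+)\s*=\s*(.*)$/);
    if (!kv) continue;
    const key = unquote(kv[1]);
    const value = kv[2].trim();

    if (detailedCrate !== null) {
      // Only the `version = "..."` line matters; features/optional/etc. are not deps.
      if (key === "version") record(detailedCrate, "*", section).version = unquote(value);
      continue;
    }
    if (value.startsWith("{")) {
      // Inline table: `serde = { version = "1.0", features = ["derive"] }`
      const m = value.match(/\bversion\s*=\s*"([^"]*)"/);
      record(key, m ? m[1] : "*", section);
    } else {
      record(key, unquote(value), section); // plain `rand = "0.8"`
    }
  }
  return Array.from(seen.values());
}

// Constructed fixture that exercises every bug class named in the commit message.
export const SAMPLE_CARGO = `
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = { version = "1.0", features = ["derive"] }
rand = "0.8" # plain string version

[dependencies.tokio]
version = "1.35"
features = ["full"]

[features]
default = ["std"]
std = []

[dev-dependencies]
tempfile = "3"

[build-dependencies]
cc = "1.0"

[profile.release]
opt-level = 3

[[bin]]
name = "demo"
path = "src/main.rs"
`;

export function summarize(deps: CargoDep[]): string[] {
  return deps.map((d) => `${d.section}/${d.name}@${d.version}`).sort();
}
```

Running `summarize(parseCargoDeps(SAMPLE_CARGO))` yields five entries and nothing from `[features]`, `[profile.release]` or `[[bin]]`; `tokio` appears once with `1.35` rather than as a phantom crate named `version`. Note that inline tables are single-line in TOML 1.0, which is what lets a line-oriented walk handle them.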
Summary

A multi-agent correctness audit of the deterministic `deps.ts` engine (behind `bootcamp deps` and `DEPENDENCIES.md`) found that several real-world manifest forms were mis-parsed. This fixes all of them. Each was confirmed by two independent adversarial verifiers with a code-traced repro.

- `currentSection` never reset → keys under `[features]`/`[profile.*]`/`[[bin]]` after a deps section counted as dependencies
- `dep = { version = "1.0", … }` recorded version as `"{"` (fix: `version` field)
- `[dependencies.<crate>]` detailed tables invented a `version` dep and dropped the crate (fix: `version =` line)
- `[` in a value (`extras = ["d"]`), dropping later deps
- `-r`, `-e`, `-c`, `--hash`, `--index-url` recorded as packages (fix: `--`-prefixed lines; strip extras/markers)
- `require ( … )` block read, dropping the `// indirect` block
- `optionalDependencies` ignored (fix: `optional`)
- `console.debug` on the "not this manifest" path wrote to stdout, corrupting `deps --json` on non-npm repos

Testing

- `test/deps-parsers.test.ts`: fixture-based tests for each manifest (Cargo section-reset + inline/detailed tables, Poetry section terminator, pip option-line skipping, go.mod multi-block, npm optional).
- `bootcamp deps --json` is clean, parseable JSON.

🤖 Generated with Claude Code
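The pip and go.mod items in the summary are each a one-line rule (skip option lines and strip extras/markers; read every `require` block, not just the first). As an added example, not the project's code, the two readers below apply those rules to constructed fixtures; `parseRequirements`, `parseGoMod`, `SAMPLE_REQUIREMENTS` and `SAMPLE_GOMOD` are hypothetical names, and the `--hash` value and `github.com/example/*` module paths are made up for the fixture.

```typescript
// Added example (not the project's deps.ts): requirements.txt and go.mod
// readers that avoid the two bugs named in the PR. Helper names hypothetical.

export interface PipReq { name: string; spec: string }
export interface GoRequire { module: string; version: string; indirect: boolean }

// PEP 503 normalisation so "Django_REST-framework" and "django-rest-framework" compare equal.
function normalizePipName(name: string): string {
  return name.toLowerCase().replace(/[-_.]+/g, "-");
}

export function parseRequirements(text: string): PipReq[] {
  const out: PipReq[] = [];
  for (const raw of text.split(/\r?\n/)) {
    // Drop comments and a trailing line-continuation backslash.
    let line = raw.replace(/(^|\s)#.*$/, "").replace(/\\\s*$/, "").trim();
    if (line === "") continue;
    // pip option / include lines (-r, -e, -c, --hash, --index-url, ...) are not packages.
    if (line.startsWith("-")) continue;
    // Drop the environment marker (`; python_version >= "3.8"`).
    line = line.split(";")[0].trim();
    // name, optional [extras], then whatever version specifier follows.
    const m = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$/);
    if (!m) continue; // URLs and local paths are not named packages
    out.push({ name: normalizePipName(m[1]), spec: m[3].trim() });
  }
  return out;
}

export function parseGoMod(text: string): GoRequire[] {
  const seen = new Map<string, GoRequire>(); // dedupe across blocks
  const addRequire = (entry: string): void => {
    const indirect = /\/\/\s*indirect\b/.test(entry);
    const [mod, ver] = entry.replace(/\/\/.*$/, "").trim().split(/\s+/);
    if (mod && ver && !seen.has(mod)) seen.set(mod, { module: mod, version: ver, indirect });
  };
  let inBlock = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("//")) continue;
    if (inBlock) {
      if (line === ")") inBlock = false; // block ended; keep scanning for the next one
      else addRequire(line);
    } else if (/^require\s*\(/.test(line)) {
      inBlock = true; // gofmt emits one block for direct deps and a second for // indirect
    } else if (line.startsWith("require ")) {
      addRequire(line.slice("require ".length)); // single-line form
    }
  }
  return Array.from(seen.values());
}

// Constructed fixtures.
export const SAMPLE_REQUIREMENTS = `
# base requirements
-r base.txt
-e .
-c constraints.txt
--index-url https://pypi.example.invalid/simple
requests[security]==2.31.0 ; python_version >= "3.8"
pyyaml>=6.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Django_REST-framework==3.14.0   # inline comment
`;

export const SAMPLE_GOMOD = `
module example.invalid/demo

go 1.22

require (
    github.com/example/alpha v1.2.3
    golang.org/x/text v0.14.0
)

require (
    github.com/example/beta v0.9.1 // indirect
    golang.org/x/sys v0.15.0 // indirect
)

replace github.com/example/alpha => ../alpha
`;
```

On these fixtures `parseRequirements` returns three packages (none of the option lines, with the `--hash` continuation skipped and extras/markers removed), and `parseGoMod` returns all four modules with the two from the second block flagged `indirect`.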