Skip to content

fix(import): run the peer pass in aube's own import; cover the bun parser#458

Open
afonsojramos wants to merge 1 commit into
nubjs:mainfrom
afonsojramos:fix/import-peer-pass
Open

fix(import): run the peer pass in aube's own import; cover the bun parser#458
afonsojramos wants to merge 1 commit into
nubjs:mainfrom
afonsojramos:fix/import-peer-pass

Conversation

@afonsojramos

@afonsojramos afonsojramos commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Rebased after #471 landed the nub-cli half of this independently — this PR is now the complementary delta it left open:

  1. aube import (→ aube-lock.yaml) still wrote suffix-less lockfiles from npm/bun sources. Same nub import writes pnpm-lock.yaml without peer suffixes, breaking store-resident peers under GVS #453 failure class: install treats aube-lock.yaml as an already peer-resolved incumbent and skips its peer pass, so store-resident packages get no sibling peer links at runtime. This mirrors fix(import): run peer-context pass when importing bun/npm to pnpm-lock #471's exact pass, gating (Npm | NpmShrinkwrap | Bun), and rationale (no filter_graph, yarn excluded) at that call site.
  2. bun-parser regression test: fix(import): run peer-context pass when importing bun/npm to pnpm-lock #471's test exercises the npm lockfile parser only; bun's peer-dependency plumbing is a separate parse path. Added import_writes_peer_suffixes_for_bun_lock_source with a real published peer pair (ajv-keywords → ajv, pinned integrities, offline), asserting both the suffixed snapshot key and the mirrored peer edge.

All three import tests green (import_converts_package_lock_to_pnpm_lock, #471's import_writes_peer_suffixes_for_suffixless_source, and the new bun one).

Fixes #453

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nub Ready Ready Preview, Comment Jul 14, 2026 8:00pm

Request Review

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ No new issues found.

Reviewed changesnub import / aube import now run the peer-context pass on suffix-less foreign lockfiles (npm / npm-shrinkwrap / bun) before writing the suffix-carrying target, so imported lockfiles no longer violate install's "pnpm-lock incumbents are already peer-resolved" assumption (nub#453).

  • Add peer_pass_for_import — new aube_resolver fn running the same hoist → apply_peer_contexts → strip pipeline install uses, gated to Npm | NpmShrinkwrap | Bun (other kinds pass through unchanged), exported from aube-resolver/src/lib.rs.
  • Wire both import paths — called from import_to_pnpm_lock in install_family.rs (with backup-restore on failure) and from aube::commands::import::run.
  • Add aube-resolver path dep to crates/nub-cli/Cargo.toml (+ Cargo.lock).
  • Offline regression test import_runs_peer_pass_on_bun_lock — real ajv-keywords/ajv bun.lock fixture asserting the ajv-keywords@3.5.2(ajv@6.12.6) snapshot key and the mirrored ajv: 6.12.6 peer edge.

The pipeline faithfully mirrors the install path in install/resolve.rs — identical Npm | NpmShrinkwrap | Bun gating, same yarn-v1 exclusion rationale, same three-step sequence. Two intentional divergences are both correct: platform::filter_graph is deliberately skipped to keep imports portable (safe here — without the GC pass there is no peer-only-package pruning, so install's hoist-before-filter ordering constraint doesn't apply), and PeerContextOptions::default() is used because no ResolveCtx is threaded through import; the defaults match pnpm's stock behavior and produce the canonical (name@version) suffix form. The test is offline by construction and captures both the suffix and the mirrored edge — the two properties that actually make the store-resident peer resolvable at runtime.

Pullfrog  | View workflow run | Using Claude Opus𝕏

…rser

Complements nubjs#471, which fixed nub import (pnpm-lock target) but left aube's own import command writing suffix-less aube-lock.yaml from npm/bun sources - the same nubjs#453 class, since install treats aube-lock as an already peer-resolved incumbent. Mirrors nubjs#471's pass, gating, and rationale at that call site.

Also adds a bun.lock regression test (a real published peer pair, ajv-keywords -> ajv): nubjs#471's test covers the npm parser only, and bun's peer-dependency plumbing is a separate parse path. Asserts both the suffixed snapshot key and the mirrored peer edge.
@afonsojramos
afonsojramos force-pushed the fix/import-peer-pass branch from c07bcef to 9a697db Compare July 14, 2026 19:57
@afonsojramos afonsojramos changed the title fix(import): run the peer-context pass on suffix-less lockfile sources fix(import): run the peer pass in aube's own import; cover the bun parser Jul 14, 2026

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ️ No critical issues — one informational note on test scope; the code change is correct.

Reviewed changes — this PR was rebased after #471 landed the nub-cli half independently, so the branch is now the complementary delta: aube import (writing aube-lock.yaml) runs the peer-context pass on suffix-less foreign lockfiles, plus a bun-parser regression test (nub#453).

  • Run the peer pass in aube::commands::import::run — gated to Npm | NpmShrinkwrap | Bun, the same hoist_auto_installed_peers → apply_peer_contexts(PeerContextOptions::default()) → remove_auto_installed_peers sequence used by the install path and by #471's import_to_pnpm_lock. filter_graph intentionally omitted so the imported lockfile stays portable.
  • Add import_writes_peer_suffixes_for_bun_lock_source — offline test with a real ajv-keywords@3.5.2ajv@6.12.6 peer pair, asserting the ajv-keywords@3.5.2(ajv@6.12.6) snapshot key and the mirrored ajv: 6.12.6 edge.

The import.rs block is byte-for-byte the same resolver sequence and gating as both the install path (vendor/aube/.../install/resolve.rs) and #471's nub-cli path — the filter_graph skip is safe here because, without the GC pass, there is no peer-only pruning, so install's hoist-before-filter ordering constraint doesn't apply. The aube-resolver dep was already present in the aube crate, so no Cargo.toml change was needed. The test's assertion is sound: pnpm writes the packages: key bare and the snapshots: key with the peer suffix, so the split-then-contains check targets the snapshot section correctly.

ℹ️ The new bun test exercises the nub-cli import path, not this PR's aube-import edit

The added test runs nub import, which routes through the nub-cli import_to_pnpm_lock path (writing pnpm-lock.yaml) — the path #471 already fixed — rather than aube::commands::import::run (writing aube-lock.yaml), which is the code this PR changes. The test adds genuinely useful bun-parse-path coverage, and because both paths call the identical shared aube_resolver sequence the coverage is transitively meaningful, but the aube-import path this PR modifies has no direct regression test.

Technical details
# New bun test does not directly cover the changed aube-import code path

## Affected sites
- `crates/nub-cli/tests/pm_verbs.rs:634``import_writes_peer_suffixes_for_bun_lock_source` calls `run_nub(&dir, &["import"])` and reads `pnpm-lock.yaml`.
- `crates/nub-cli/src/pm_engine/install_family.rs:768``nub import` routes to `import_to_pnpm_lock` (writes `pnpm-lock.yaml`), the #471-fixed path — NOT `aube::commands::import::run`.
- `vendor/aube/crates/aube/src/commands/import.rs:68-90` — the code this PR adds (writes `aube-lock.yaml`); no direct Rust test reaches it.

## Required outcome
- No functional change required — the code is correct and both paths share the exact same `aube_resolver` sequence, so the bun coverage is transitive.
- Optionally add a direct regression test for the aube-import path (or a follow-up), so a future divergence between the two call sites is caught. This would most naturally live in aube's own test surface (Rust e2e or bats), since the aube-lock.yaml write is aube-internal.

## Open questions for the human
- Is a direct aube-import test worth the fixture cost given the shared-pipeline transitivity, or is the nub-cli test plus code-review parity sufficient here?

Pullfrog  | Fix it ➔View workflow run | Using Claude Opus𝕏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

nub import writes pnpm-lock.yaml without peer suffixes, breaking store-resident peers under GVS

1 participant