fix(import): run the peer pass in aube's own import; cover the bun parser#458
fix(import): run the peer pass in aube's own import; cover the bun parser#458afonsojramos wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
✅ No new issues found.
Reviewed changes — nub import / aube import now run the peer-context pass on suffix-less foreign lockfiles (npm / npm-shrinkwrap / bun) before writing the suffix-carrying target, so imported lockfiles no longer violate install's "pnpm-lock incumbents are already peer-resolved" assumption (nub#453).
- Add
peer_pass_for_import— newaube_resolverfn running the samehoist → apply_peer_contexts → strippipeline install uses, gated toNpm | NpmShrinkwrap | Bun(other kinds pass through unchanged), exported fromaube-resolver/src/lib.rs. - Wire both import paths — called from
import_to_pnpm_lockininstall_family.rs(with backup-restore on failure) and fromaube::commands::import::run. - Add
aube-resolverpath dep tocrates/nub-cli/Cargo.toml(+Cargo.lock). - Offline regression test
import_runs_peer_pass_on_bun_lock— real ajv-keywords/ajvbun.lockfixture asserting theajv-keywords@3.5.2(ajv@6.12.6)snapshot key and the mirroredajv: 6.12.6peer edge.
The pipeline faithfully mirrors the install path in install/resolve.rs — identical Npm | NpmShrinkwrap | Bun gating, same yarn-v1 exclusion rationale, same three-step sequence. Two intentional divergences are both correct: platform::filter_graph is deliberately skipped to keep imports portable (safe here — without the GC pass there is no peer-only-package pruning, so install's hoist-before-filter ordering constraint doesn't apply), and PeerContextOptions::default() is used because no ResolveCtx is threaded through import; the defaults match pnpm's stock behavior and produce the canonical (name@version) suffix form. The test is offline by construction and captures both the suffix and the mirrored edge — the two properties that actually make the store-resident peer resolvable at runtime.
Claude Opus | 𝕏
…rser Complements nubjs#471, which fixed nub import (pnpm-lock target) but left aube's own import command writing suffix-less aube-lock.yaml from npm/bun sources - the same nubjs#453 class, since install treats aube-lock as an already peer-resolved incumbent. Mirrors nubjs#471's pass, gating, and rationale at that call site. Also adds a bun.lock regression test (a real published peer pair, ajv-keywords -> ajv): nubjs#471's test covers the npm parser only, and bun's peer-dependency plumbing is a separate parse path. Asserts both the suffixed snapshot key and the mirrored peer edge.
c07bcef to
9a697db
Compare
There was a problem hiding this comment.
ℹ️ No critical issues — one informational note on test scope; the code change is correct.
Reviewed changes — this PR was rebased after #471 landed the nub-cli half independently, so the branch is now the complementary delta: aube import (writing aube-lock.yaml) runs the peer-context pass on suffix-less foreign lockfiles, plus a bun-parser regression test (nub#453).
- Run the peer pass in
aube::commands::import::run— gated toNpm | NpmShrinkwrap | Bun, the samehoist_auto_installed_peers → apply_peer_contexts(PeerContextOptions::default()) → remove_auto_installed_peerssequence used by the install path and by #471'simport_to_pnpm_lock.filter_graphintentionally omitted so the imported lockfile stays portable. - Add
import_writes_peer_suffixes_for_bun_lock_source— offline test with a realajv-keywords@3.5.2→ajv@6.12.6peer pair, asserting theajv-keywords@3.5.2(ajv@6.12.6)snapshot key and the mirroredajv: 6.12.6edge.
The import.rs block is byte-for-byte the same resolver sequence and gating as both the install path (vendor/aube/.../install/resolve.rs) and #471's nub-cli path — the filter_graph skip is safe here because, without the GC pass, there is no peer-only pruning, so install's hoist-before-filter ordering constraint doesn't apply. The aube-resolver dep was already present in the aube crate, so no Cargo.toml change was needed. The test's assertion is sound: pnpm writes the packages: key bare and the snapshots: key with the peer suffix, so the split-then-contains check targets the snapshot section correctly.
ℹ️ The new bun test exercises the nub-cli import path, not this PR's aube-import edit
The added test runs nub import, which routes through the nub-cli import_to_pnpm_lock path (writing pnpm-lock.yaml) — the path #471 already fixed — rather than aube::commands::import::run (writing aube-lock.yaml), which is the code this PR changes. The test adds genuinely useful bun-parse-path coverage, and because both paths call the identical shared aube_resolver sequence the coverage is transitively meaningful, but the aube-import path this PR modifies has no direct regression test.
Technical details
# New bun test does not directly cover the changed aube-import code path
## Affected sites
- `crates/nub-cli/tests/pm_verbs.rs:634` — `import_writes_peer_suffixes_for_bun_lock_source` calls `run_nub(&dir, &["import"])` and reads `pnpm-lock.yaml`.
- `crates/nub-cli/src/pm_engine/install_family.rs:768` — `nub import` routes to `import_to_pnpm_lock` (writes `pnpm-lock.yaml`), the #471-fixed path — NOT `aube::commands::import::run`.
- `vendor/aube/crates/aube/src/commands/import.rs:68-90` — the code this PR adds (writes `aube-lock.yaml`); no direct Rust test reaches it.
## Required outcome
- No functional change required — the code is correct and both paths share the exact same `aube_resolver` sequence, so the bun coverage is transitive.
- Optionally add a direct regression test for the aube-import path (or a follow-up), so a future divergence between the two call sites is caught. This would most naturally live in aube's own test surface (Rust e2e or bats), since the aube-lock.yaml write is aube-internal.
## Open questions for the human
- Is a direct aube-import test worth the fixture cost given the shared-pipeline transitivity, or is the nub-cli test plus code-review parity sufficient here?Claude Opus | 𝕏

Rebased after #471 landed the nub-cli half of this independently — this PR is now the complementary delta it left open:
aube import(→ aube-lock.yaml) still wrote suffix-less lockfiles from npm/bun sources. Same nub import writes pnpm-lock.yaml without peer suffixes, breaking store-resident peers under GVS #453 failure class: install treats aube-lock.yaml as an already peer-resolved incumbent and skips its peer pass, so store-resident packages get no sibling peer links at runtime. This mirrors fix(import): run peer-context pass when importing bun/npm to pnpm-lock #471's exact pass, gating (Npm | NpmShrinkwrap | Bun), and rationale (nofilter_graph, yarn excluded) at that call site.import_writes_peer_suffixes_for_bun_lock_sourcewith a real published peer pair (ajv-keywords → ajv, pinned integrities, offline), asserting both the suffixed snapshot key and the mirrored peer edge.All three import tests green (
import_converts_package_lock_to_pnpm_lock, #471'simport_writes_peer_suffixes_for_suffixless_source, and the new bun one).Fixes #453