fix(vendor): make scan --vendor / vendor / --prune just work#112
Closed
Mikola Lysenko (mikolalysenko) wants to merge 5 commits into
Closed
fix(vendor): make scan --vendor / vendor / --prune just work#112Mikola Lysenko (mikolalysenko) wants to merge 5 commits into
Mikola Lysenko (mikolalysenko) wants to merge 5 commits into
Conversation
The patches API serves scoped purls percent-encoded (pkg:npm/%40scope/name@1.0.0) and scan stores them verbatim as manifest keys, but neither the npm crawler nor the vendor coordinate parser decoded them — so apply/vendor reported scoped packages as 'package not installed', and detect_prunable saw every encoded entry as prunable. - utils/purl.rs: percent_decode_purl_component (strict, all-or-nothing, fail-safe passthrough), normalize_purl + purl_eq (compare/display only, never path construction) - npm_crawler parse_purl_components, vendor parse_npm_purl (NpmCoords now owns decoded name/version; base_purl stays verbatim for ledger/ manifest key parity), parse_jsr_purl: decode AFTER /-and-@ splits, BEFORE the is_safe_* guards — %2e%2e/%2f cannot smuggle traversal - detect_prunable + purl_matches_identifier compare normalized forms - human output shows the decoded purl; JSON keeps verbatim keys Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…y-applied events The vendor stage is a private copy and every apply write path is hash-gated to exactly afterHash, so a beforeHash mismatch (a patch built against different bytes than the installed artifact, or a package already patched in place by apply) no longer fails the vendor: the stage is overwritten with the verified patched content and the overwrite surfaces as a vendor_content_mismatch_overwritten warning event. Missing patch-target files still fail closed without --force (force's silent NotFound skip would pack an artifact without the fix). - shared force_apply_staged / missing_existing_patch_files / mismatch_overwrite_warnings policy helpers in vendor/mod.rs, used by all npm flavors (via stage_patch_pack) + cargo/composer/gem/pypi/ golang backends; dry runs predict the same outcome - vendor.rs: gate the already_vendored rewrite on entry.is_none() — the first vendor of an in-place-applied package now emits Applied (it packed + rewired this run) instead of a miscounted skip - scan --vendor: pre-prompt baseline check annotates mismatched packages before the confirm prompt (best-effort, read-only) - --force narrowed to missing-file tolerance + variant-probe bypass; CLI_CONTRACT.md documents the new warning code Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
A user-authored override/resolution that pins the package to exactly the version being vendored (Flowise: pnpm.overrides 'tar-fs': '3.1.0') no longer refuses with vendor_override_conflict. The pin's key is kept (its spelling and quoting preserved on both pnpm surfaces — pnpm hard-requires the package.json and lock override maps to agree), its VALUE is rewritten to the file:.socket/vendor/... spec, and the pinned value is recorded as the wiring original so every revert path (--revert, reconcile, remove) restores the user's pin verbatim. - pnpm: classify_pkg_override (Insert / Ours / Takeover) replaces the boolean conflict checks; effective key threads through EditCtx, apply_pkg_override and edit_overrides; revert restores originals in place instead of deleting. Ranges, different versions, parent>child selector chains, and duplicate same-name keys still refuse, now with a hint that exact pins are taken over. - yarn berry: bare-name resolutions pin equal to the version is taken over symmetrically (KIND_RESOLUTION records the original). - npm/yarn-classic/bun wire the lock only (no override surface), so no conflict exists there to take over. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
scan --prune previously blanket-exempted vendored purls, so nothing
ever cleaned unused vendored state: dropped patches kept their
artifacts and overrides forever, removed dependencies stayed redirected,
and orphan uuid dirs were only swept by vendor --revert.
The prune pass now runs a vendored-state GC first (under the apply
lock; contention degrades to a skip, never a scan failure):
(a) entries whose patch is gone from the manifest are reverted
(same stale test as the vendor flows' reconcile_dropped);
(b) entries whose dependency left the lockfile graph are reverted and
their manifest entries dropped, feeding the same pass's blob sweep.
Per-flavor in-use probes: pnpm scans packages:/snapshots: blocks
for the artifact (the mirrored overrides: declaration alone is not
usage); package-lock/yarn/bun probe the lock text for the uuid dir
(those flavors wire resolutions into the lock itself). None =
cannot determine = keep, fail-safe; detached entries are exempt
(lockfile-invisible by design);
(c) orphan .socket/vendor/<eco>/<uuid> dirs are swept (extracted from
run_revert into a shared sweep_orphan_vendor_dirs).
JSON gc gains revertedVendoredEntries/removedVendorOrphanDirs (wet)
and revertableVendoredEntries/vendorOrphanDirs (preview, which also
mirrors the wet pass's manifest drops so blob counts agree); human
output gains a GC summary line. CLI_CONTRACT.md updated.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ne lifecycle - scan_vendor_e2e: full pipeline with the API's percent-encoded scoped purl form (download -> vendor lookup against node_modules/@scope -> lock rewiring -> prune exemption); interactive pre-prompt baseline annotation + auto-force warning; scan --prune reverting an unused vendored entry (ledger + manifest + artifact + lock all reconciled) - clippy: too_many_arguments allow on stage_patch_pack, JsrPurlParts type alias Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Collaborator
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Running
socket-patch scan --vendoron Flowise (pnpm monorepo, clean install) vendored only 7/10 patches, and--prunenever cleaned vendored state. This PR fixes all four root causes, each verified live against Flowise (now 10/10 vendored,pnpm install --frozen-lockfilegreen, prune dry-run shows zero false positives).1. Percent-decode purl components (
fix(purl))The patches API serves scoped purls percent-encoded (
pkg:npm/%40modelcontextprotocol/sdk@1.12.0) andscanstores them verbatim as manifest keys — but neither the npm crawler nor the vendor coordinate parser decoded them, so lookups againstnode_modules/@scope/...never matched (package not installedfrom bothapplyandvendor), anddetect_prunablesaw every encoded entry as always-prunable.percent_decode_purl_component/normalize_purl/purl_eqinutils/purl.rs(strict, all-or-nothing, fail-safe passthrough; compare/display only — never path construction)/-and-@splits and BEFORE theis_safe_*path guards, so%2e%2e/%2fcannot smuggle a traversal past them (RED tests included)NpmCoordscarries decoded name/version;base_purland ledger keys stay verbatim-encoded for manifest parity2. Vendor auto-force on content mismatch (
feat(vendor))The vendor stage is a private copy and every apply write path is hash-gated to exactly
afterHash(archive + blob pre-write checks; the diff path self-disables on a base mismatch), so abeforeHashmismatch no longer fails the vendor: the stage is overwritten with the verified patched content and surfaced as avendor_content_mismatch_overwrittenwarning event. Missing patch-target files still fail closed without--force(force's silent NotFound skip would pack an artifact without the fix).force_apply_stagedpolicy used by all npm flavors + cargo/composer/gem/pypi/golang backends; dry runs predict the same outcomeapplynow emitsapplied(it packed + rewired this run) instead of a miscountedskipped/already_vendoredscan --vendorpre-verifies baselines and annotates mismatched packages before the confirm prompt3. Take over exact-version override pins (
feat(vendor))A user-authored override pinning the exact version being vendored (Flowise:
pnpm.overrides"tar-fs": "3.1.0") no longer refuses withvendor_override_conflict. The pin's key keeps its spelling on both pnpm surfaces (pnpm hard-requires the package.json and lock override maps to agree), its value moves to thefile:spec, and the pinned value is recorded as the wiringoriginal— every revert path restores the user's pin verbatim. Yarn berry bare-name resolutions get the symmetric treatment. Ranges,parent>childselector chains, different versions, and duplicate same-name keys still refuse (now with a hint). npm/yarn-classic/bun wire the lock only, so no conflict surface exists there.4. Prune lifecycle for vendored packages (
feat(scan))scan --prunepreviously blanket-exempted vendored purls, so nothing ever cleaned unused vendored state. The prune pass now runs a vendored-state GC first (under the apply lock; contention degrades to a skip):packages:/snapshots:blocks, excluding the lingeringoverrides:declaration; package-lock/yarn/bun probe the lock text for the uuid dir). Undeterminable → keep, fail-safe; detached entries exempt (lockfile-invisible by design).socket/vendor/<eco>/<uuid>dirs are sweptJSON
gcgainsrevertedVendoredEntries/removedVendorOrphanDirs(wet) andrevertableVendoredEntries/vendorOrphanDirs(preview, which mirrors the wet pass's manifest drops so blob counts agree).CLI_CONTRACT.mdupdated (prune section,--forcesemantics, new warning code).Test plan
run_vendor_gcunits (dropped/unused/dry-run/detached/orphans), in-process vendor envelope tests, and scan e2e (encoded scoped purl end-to-end incl.--pruneexemption, pre-prompt annotation, prune reverting an unused vendored entry)cargo test --workspace --all-features: 101/102 suites green; the one red is the pre-existingsetup_matrix_composeraspirational suite ("BASELINE GAP … non-blocking in CI"), untouched by this branchcargo clippy --workspace --all-featuresclean; corepack-gated npm/pnpm build capstones ran real package managersscan --vendor→ "Vendored 3 package(s); 13 skipped; 0 failed" (previously 0 vendored, 2 failed, 1 refused);pnpm install --frozen-lockfileaccepts the takeover surgery; installed flatted hashes to afterHash 6/6 files;scan --prune --dry-runreports nothing revertable on the fully in-use project🤖 Generated with Claude Code