fix(intelligence): discover nested workspace dependencies#129
Conversation
SHAURYAKSHARMA24
left a comment
There was a problem hiding this comment.
Requesting changes before approval. I found three issues that the current tests do not cover:
Manifest size limits are applied after unbounded reads. Every candidate manifest is fully loaded and retained before ExtractionPipeline applies its 512 KiB limit. Large or numerous manifests could exhaust worker memory. Please use bounded reads or pre-check sizes, emit RI-LIMIT-SKIP, and preferably process manifests individually.
Requirements URL fragments are discarded. Splitting each line at the first # truncates valid direct references such as pkg @ https://host/archive.whl#sha256=.... This loses part of the declared specifier and can cause distinct references to aggregate as identical. Please preserve URL fragments and add regression coverage.
Conflicting versions render as None in AI prompts. A nullable aggregate version is appropriate for the dependency API, but RepositoryContextBuilder passes it into DependencyContext.version: str, and PromptBuilder renders it directly—for example, requests None. Please model and render the conflict explicitly, with a regression test.
CI is green, but these cases should be addressed before merging.
ab6a190 to
a595dc6
Compare
|
Addressed the three requested changes in
Added regression coverage for all three cases. Validation:
|
Summary
Fixes dependency inventories for monorepos whose supported manifests live below the repository root. The dependency graph now discovers parser-approved nested manifests, retains every direct-declaration provenance record, bounds each manifest read to the source-size budget, and reports malformed or oversized manifests as explicit diagnostics instead of a false successful zero.
Linked issue
Closes #124
What changed
DependencyManifestExtractor(producerdependency-manifest@1.2.0) to retain each declaration’s ecosystem, declared version/specifier, dependency section/type, normalized manifest/workspace path, and exact line span.RepositoryIntelligenceEngineto derive supported manifest candidates fromRepositoryParser’s accepted file inventory, in deterministic path order, then size-check and process each candidate independently with a bounded read and the canonical extractor.RI-LIMIT-SKIPwith the configured and reported byte counts; candidate source bytes are never accumulated across the inventory.requirements.txtdirect-reference specifiers while continuing to recognize whitespace-delimited comments.DependencyGraphBuilderas a Repository Intelligence consumer. Dependency graph relations target the aggregated nodes and retain every declaring manifest as evidence.None.Acceptance criteria completed
package.json,pyproject.toml, andrequirements.txtfiles are discovered from accepted workspace paths; ignored/vendor directories remain excluded.RI-LIMIT-SKIP.nullrather than arbitrary.RI-SRC-MALFORMEDdiagnostics without erasing valid declarations; empty valid manifests remain distinct.Noneversion value.not_computed.Testing performed
Screenshots
Not applicable — no visible UI change.
Security and data considerations
AnalysisService; no migrations or secret-bearing data are introduced.Dependencies and blocked work
Scope changes or remaining work
None. Lockfiles, transitive resolution, vulnerability scanning, and outdated-version scanning remain intentionally unsupported.
Contributor checklist
devupstream/devupstream/devCloses) is used only because the issue is fully resolved