Conversation
Coverage Report for CI Build 26154129852Warning No base build found for commit Coverage: 94.081%Details
Uncovered Changes
Coverage RegressionsRequires a base build to compare against. How to fix this → Coverage Stats
💛 - Coveralls |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Allow list bypassed via nodePaths
- Added validateDependencies call in the else-if branch to ensure dependencies resolved via nodePaths are validated against allow.dependencies and invalid name checks.
Or push these changes by commenting:
@cursor push 1cd5d0e321
Preview (1cd5d0e321)
diff --git a/src/compile/index.js b/src/compile/index.js
--- a/src/compile/index.js
+++ b/src/compile/index.js
@@ -59,6 +59,8 @@
await enqueueInstall(tmpdir, dependencies, allow)
phases.install = elapsed()
} else if (allDependencies.length) {
+ const { validateDependencies } = require('./install-dependencies')
+ validateDependencies(allDependencies, allow.dependencies)
content = transformDependencies(content)
}
diff --git a/src/compile/install-dependencies.js b/src/compile/install-dependencies.js
--- a/src/compile/install-dependencies.js
+++ b/src/compile/install-dependencies.js
@@ -56,3 +56,5 @@
validateDependencies(dependencies, allow.dependencies)
return $(`${install} ${dependencies.join(' ')}`, { cwd, env: { ...process.env, CI: true } })
}
+
+module.exports.validateDependencies = validateDependenciesYou can send follow-ups to the cloud agent here.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Autofix Details
Bugbot Autofix prepared fixes for both issues found in the latest run.
- ✅ Fixed: nodePaths ignores dependency versions
- Modified the filtering logic to always install dependencies with explicit version specifiers, ensuring the exact requested version is used rather than whatever version exists on nodePaths.
- ✅ Fixed: Duplicates extractPackageName parsing logic
- Removed the duplicate packageName helper from compile/index.js and reused the exported extractPackageName from install-dependencies.js instead.
Or push these changes by commenting:
@cursor push d456bd359f
Preview (d456bd359f)
diff --git a/src/compile/index.js b/src/compile/index.js
--- a/src/compile/index.js
+++ b/src/compile/index.js
@@ -12,18 +12,6 @@
const DEFAULT_TMPDIR = path.join(require('os').tmpdir(), 'isolated-fn-deps')
-const packageName = dep => {
- if (dep.startsWith('@')) {
- const slashIndex = dep.indexOf('/')
- if (slashIndex !== -1) {
- const atIndex = dep.indexOf('@', slashIndex)
- return atIndex !== -1 ? dep.substring(0, atIndex) : dep
- }
- }
- const atIndex = dep.indexOf('@')
- return atIndex !== -1 ? dep.substring(0, atIndex) : dep
-}
-
const installQueues = new Map()
const enqueueInstall = (tmpdir, dependencies, allow) => {
@@ -44,8 +32,13 @@
installDependencies.validateDependencies(allDependencies, allow.dependencies)
const dependencies = nodePaths.length
? allDependencies.filter(dep => {
+ const packageName = installDependencies.extractPackageName(dep)
+ const hasVersionSpecifier = packageName !== dep
+ if (hasVersionSpecifier) {
+ return true
+ }
try {
- require.resolve(packageName(dep), { paths: nodePaths })
+ require.resolve(packageName, { paths: nodePaths })
return false
} catch {
return true
diff --git a/src/compile/install-dependencies.js b/src/compile/install-dependencies.js
--- a/src/compile/install-dependencies.js
+++ b/src/compile/install-dependencies.js
@@ -58,3 +58,4 @@
}
module.exports.validateDependencies = validateDependencies
+module.exports.extractPackageName = extractPackageNameYou can send follow-ups to the cloud agent here.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Cwd wins over nodePaths
- Changed resolveDir to use nodePaths[0] instead of process.cwd() when all dependencies are filtered via nodePaths, ensuring consistent resolution between require.resolve checks and esbuild bundling.
Or push these changes by commenting:
@cursor push 2f88c72d1e
Preview (2f88c72d1e)
diff --git a/src/compile/index.js b/src/compile/index.js
--- a/src/compile/index.js
+++ b/src/compile/index.js
@@ -52,7 +52,7 @@
content = transformDependencies(content)
}
- const cwd = dependencies.length ? tmpdir : process.cwd()
+ const cwd = dependencies.length ? tmpdir : (nodePaths.length && allDependencies.length ? nodePaths[0] : process.cwd())
const elapsed = timeSpan()
const result = await build({ content, cwd, nodePaths })
phases.build = elapsed()You can send follow-ups to the cloud agent here.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Versioned deps still install
- Removed the conditional check that skipped require.resolve for non-@latest dependencies, ensuring all dependencies are checked against nodePaths before installation.
Or push these changes by commenting:
@cursor push a41a87a6b5
Preview (a41a87a6b5)
diff --git a/src/compile/index.js b/src/compile/index.js
--- a/src/compile/index.js
+++ b/src/compile/index.js
@@ -32,7 +32,6 @@
installDependencies.validateDependencies(allDependencies, allow.dependencies)
const dependencies = nodePaths.length
? allDependencies.filter(dep => {
- if (!dep.endsWith('@latest')) return true
try {
require.resolve(installDependencies.extractPackageName(dep), { paths: nodePaths })
return falseYou can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 233f9de. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
Medium Risk
Changes dependency detection/installation flow and module resolution (via
nodePaths), which can alter what gets bundled or when installs occur; risk is moderate due to potential resolution/version edge cases.Overview
Adds a new
nodePathsoption to the public API and TypeScript types, threading it through compilation and bundling.During compilation, dependencies are now validated up-front and, when
nodePathsis provided,npm/pnpm installis skipped for packages already resolvable from those paths with a matching version; esbuild is also configured withnodePathsfor resolution.install-dependenciesnow exportsvalidateDependenciesandextractPackageNamefor reuse in this filtering logic.Reviewed by Cursor Bugbot for commit b047c42. Bugbot is set up for automated code reviews on this repo. Configure here.