Skip to content

Add pnpm-aliased-chain regression fixture (#528)#559

Merged
sonukapoor merged 1 commit into
OWASP:mainfrom
Ayush7614:ayush20
Jun 8, 2026
Merged

Add pnpm-aliased-chain regression fixture (#528)#559
sonukapoor merged 1 commit into
OWASP:mainfrom
Ayush7614:ayush20

Conversation

@Ayush7614

@Ayush7614 Ayush7614 commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Adds examples/pnpm-aliased-chain/ for Discussion Help wanted: edge case lockfile fixtures for regression testing #528 fixture 6
  • Minimal crafted pnpm v9 lockfile reproducing the formisch/vm2 alias bug fixed in v1.18.2
  • Chain: vercel@vercel/remix-builder@remix-run/dev (alias → @vercel/remix-run-dev) → vm2@3.9.19
  • Lockfile entry '@remix-run/dev': '@vercel/remix-run-dev@1.16.1' — dep name differs from real package name
  • Documents fixture in examples/readme.md

Verified scan output

node dist/index.js examples/pnpm-aliased-chain --verbose
  • 4 packages parsed from pnpm-lock.yaml
  • 1 critical finding: vm2@3.9.19 (transitive)
  • Dependency path: project → vercel → @vercel/remix-builder → @vercel/remix-run-dev → vm2 (real name, not alias)
  • Fix command: pnpm add vercel@32.0.2 (parent upgrade — not a broken direct-install on the alias name)

Test plan

Closes Discussion #528 fixture 6 (regression fixture).

@Ayush7614

Ayush7614 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

cc: @sonukapoor

sonukapoor
sonukapoor approved these changes Jun 7, 2026
View reviewed changes

@sonukapoor sonukapoor left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested - correctly resolves the aliased pnpm v9 chain and emits pnpm add vercel@32.0.2 with the full dependency path through the alias. Good regression fixture for the v1.18.2 pnpm alias fix.

@sonukapoor

sonukapoor commented Jun 7, 2026

Copy link
Copy Markdown
Collaborator

The fixture and scan output look correct - pnpm add vercel@32.0.2 is exactly right for the aliased chain. However there are now merge conflicts in examples/readme.md from recent merges. Could you rebase against main and push? Once that's resolved this is ready to merge.

@Ayush7614
Add pnpm-aliased-chain regression fixture for Discussion OWASP#528
0e0ebd8 
Minimal pnpm v9 lockfile reproducing the formisch/vm2 alias bug: deep
transitive vm2@3.9.19 through @remix-run/dev → @vercel/remix-run-dev.
Path resolution must keep the real package name and suggest pnpm add vercel.
@Ayush7614

Ayush7614 commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

Rebased against main and resolved the merge conflict in examples/readme.md — kept both pnpm-within-range (#557) and pnpm-aliased-chain entries in the fixtures table and usage section. Force-pushed to ayush20 (0e0ebd8). Should be ready to merge once CI passes.

sonukapoor
sonukapoor approved these changes Jun 8, 2026
View reviewed changes

@sonukapoor sonukapoor left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI passing, fixture verified earlier - correctly emits pnpm add vercel@32.0.2 for the aliased vm2 chain. Good regression fixture for the v1.18.2 pnpm alias fix.

@sonukapoor sonukapoor merged commit 394721d into OWASP:main Jun 8, 2026
6 checks passed
@sonukapoor

sonukapoor commented Jun 8, 2026

Copy link
Copy Markdown
Collaborator

Merged — thank you @Ayush7614!

@sonukapoor sonukapoor mentioned this pull request Jun 9, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sonukapoor sonukapoor sonukapoor approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Ayush7614 @sonukapoor