
Handle impostor commits in auto-update#1919

Merged: j178 merged 2 commits into master from auto-update-impostor-checks, Apr 11, 2026

Conversation


@j178 j178 commented Apr 9, 2026

Detect pinned commits without lazy fetching during auto-update.

  • check commit presence with git --no-lazy-fetch cat-file -e
  • avoid treating branch-only or GitHub impostor commits as present

Closes #1864
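As an added illustration of the check the description refers to (example code written for this page, not prek's own implementation): a small Rust module that runs `git --no-lazy-fetch cat-file -e` against a pinned SHA and classifies the outcome. The `CommitPresence` enum and the helpers `is_unknown_option_error`, `classify_cat_file` and `commit_presence` are this example's own definitions (the enum name mirrors the one visible in the review snippet on this page, but the code is not prek's). It assumes `git` is on `PATH` and that a Git too old for `--no-lazy-fetch` rejects it with an `unknown option:` message on stderr, which is how git reports unrecognised global options.

```rust
// Added example, not prek's code: decide whether a pinned commit is already
// present in a local (possibly partial, blob-less) clone WITHOUT letting git
// lazily fetch it from the remote. A lazy fetch would make any SHA the remote
// can serve look "present", including branch-only or impostor commits.
use std::process::Command;

/// Outcome of the presence check (this example's own enum).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CommitPresence {
    /// The object exists among the already-fetched objects.
    Present,
    /// git could not find it locally (and was forbidden from fetching it).
    NotPresent,
    /// git rejected `--no-lazy-fetch`; we refuse to guess rather than risk a
    /// lazy fetch that would defeat the check.
    Unknown,
}

/// Detect the "unknown option: --no-lazy-fetch" message an older git prints
/// for a global option it does not know (assumption: `--no-lazy-fetch` is a
/// global git option, so the error comes from git itself, not from cat-file).
pub fn is_unknown_option_error(stderr: &[u8]) -> bool {
    let text = String::from_utf8_lossy(stderr);
    text.lines().any(|line| {
        let line = line.trim_start();
        line.starts_with("unknown option:") && line.contains("--no-lazy-fetch")
    })
}

/// Classify a finished `git --no-lazy-fetch cat-file -e <sha>^{commit}` run.
/// `cat-file -e` exits 0 when the object exists locally and non-zero otherwise,
/// so success means Present; a failure is NotPresent unless git rejected the
/// flag, in which case the answer is Unknown.
pub fn classify_cat_file(success: bool, stderr: &[u8]) -> CommitPresence {
    if success {
        CommitPresence::Present
    } else if is_unknown_option_error(stderr) {
        CommitPresence::Unknown
    } else {
        CommitPresence::NotPresent
    }
}

/// Run the check inside `repo_dir`. `^{commit}` additionally requires the SHA
/// to name a commit (this example's choice), so a blob or tree SHA smuggled
/// into a config is reported as NotPresent rather than Present.
pub fn commit_presence(repo_dir: &str, sha: &str) -> std::io::Result<CommitPresence> {
    let output = Command::new("git")
        .arg("--no-lazy-fetch") // global option: must precede the subcommand
        .arg("cat-file")
        .arg("-e")
        .arg(format!("{sha}^{{commit}}"))
        .current_dir(repo_dir)
        .output()?;
    Ok(classify_cat_file(output.status.success(), &output.stderr))
}

fn main() {
    let args: Vec<String> = std::env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: {} <repo-dir> <commit-sha>", args[0]);
        std::process::exit(2);
    }
    match commit_presence(&args[1], &args[2]) {
        Ok(presence) => println!("{}: {:?}", args[2], presence),
        Err(err) => {
            eprintln!("failed to run git: {err}");
            std::process::exit(1);
        }
    }
}
```

The reason the flag matters: in a partial clone a plain `git cat-file -e` on a missing object triggers a lazy fetch from the promisor remote, so any SHA the remote can serve is fetched on demand and then reported as present. With `--no-lazy-fetch` the query answers only from objects already on disk, so a SHA that is reachable only through a fork's objects on the same hosting backend, or only on a branch that was never fetched, comes back as not present and can be flagged. `Unknown` is kept distinct from `NotPresent` on purpose: a caller on an older Git should surface that the check could not run rather than report either a false mismatch or a false all-clear.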

Copilot AI review requested due to automatic review settings April 9, 2026 09:46

codecov bot commented Apr 9, 2026

Codecov Report

❌ Patch coverage is 93.75000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.07%. Comparing base (f2cc974) to head (e9ef05f).
⚠️ Report is 3 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crates/prek/src/cli/auto_update.rs | 93.75% | 4 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1919      +/-   ##
==========================================
- Coverage   92.09%   92.07%   -0.02%     
==========================================
  Files         112      112              
  Lines       22913    22936      +23     
==========================================
+ Hits        21101    21119      +18     
- Misses       1812     1817       +5     


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e57b84a550


Copilot AI left a comment


Pull request overview

Improves prek auto-update’s handling of pinned commit SHAs by detecting whether the commit is actually present in the locally fetched (partial) repository view, preventing “impostor”/branch-only commits from being treated as available during auto-update evaluation.

Changes:

  • Add a commit-presence check using git --no-lazy-fetch cat-file -e to avoid partial-clone lazy fetching during auto-update diagnostics.
  • Adjust frozen-comment mismatch diagnostics to reflect “present vs not present” semantics and remove dry-run-specific phrasing from warning notes.
  • Update and extend integration tests/snapshots, including a new branch-only pinned commit case.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| crates/prek/src/cli/auto_update.rs | Implements commit presence detection without lazy fetching and updates frozen-comment warning rendering. |
| crates/prek/tests/auto_update.rs | Updates snapshots for new warning text and adds coverage for branch-only pinned commits. |


prek-ci-bot bot commented Apr 9, 2026

📦 Cargo Bloat Comparison

Binary size change: +0.00% (25.7 MiB → 25.7 MiB)


Head Branch Results

 File  .text     Size             Crate Name
 1.3%   2.6% 332.0KiB        aws_lc_sys aws_lc_0_39_1_aes_gcm_encrypt_avx512
 1.3%   2.6% 332.0KiB        aws_lc_sys aws_lc_0_39_1_aes_gcm_decrypt_avx512
 0.3%   0.7%  88.1KiB              prek prek::languages::<impl prek::config::Language>::run::{{closure}}::{{closure}}
 0.3%   0.7%  84.1KiB             prek? <prek::cli::Command as clap_builder::derive::Subcommand>::augment_subcommands
 0.3%   0.6%  81.3KiB              prek prek::languages::<impl prek::config::Language>::run::{{closure}}::{{closure}}
 0.2%   0.4%  57.0KiB              prek prek::languages::<impl prek::config::Language>::install::{{closure}}
 0.2%   0.4%  52.5KiB annotate_snippets annotate_snippets::renderer::render::render
 0.2%   0.4%  45.3KiB              prek prek::run::{{closure}}
 0.2%   0.3%  41.9KiB              prek prek::cli::run::run::run::{{closure}}
 0.1%   0.3%  32.4KiB             prek? <prek::cli::RunArgs as clap_builder::derive::Args>::augment_args
 0.1%   0.2%  30.0KiB             prek? <prek::config::_::<impl serde_core::de::Deserialize for prek::config::Config>::deserialize::__Visitor as serde_core::de::Visitor>::visit_map
 0.1%   0.2%  28.0KiB      serde_saphyr saphyr_parser_bw::scanner::Scanner<T>::fetch_more_tokens
 0.1%   0.2%  28.0KiB        aws_lc_sys aws_lc_0_39_1_edwards25519_scalarmuldouble_alt
 0.1%   0.2%  27.5KiB        aws_lc_sys aws_lc_0_39_1_edwards25519_scalarmuldouble
 0.1%   0.2%  27.0KiB              prek prek::cli::try_repo::try_repo::{{closure}}
 0.1%   0.2%  26.8KiB               std core::ptr::drop_in_place<prek::languages::<impl prek::config::Language>::install::{{closure}}>
 0.1%   0.2%  22.8KiB              prek prek::hooks::meta_hooks::MetaHooks::run::{{closure}}
 0.1%   0.2%  22.6KiB      serde_saphyr saphyr_parser_bw::scanner::Scanner<T>::fetch_more_tokens
 0.1%   0.2%  22.3KiB         [Unknown] Lp384_montjscalarmul_alt_p384_montjadd
 0.1%   0.2%  21.5KiB      clap_builder clap_builder::parser::parser::Parser::get_matches_with
41.8%  86.2%  10.7MiB                   And 24053 smaller methods. Use -n N to show more.
48.5% 100.0%  12.5MiB                   .text section size, the file size is 25.7MiB

Base Branch Results

 File  .text     Size             Crate Name
 1.3%   2.6% 332.0KiB        aws_lc_sys aws_lc_0_39_1_aes_gcm_encrypt_avx512
 1.3%   2.6% 332.0KiB        aws_lc_sys aws_lc_0_39_1_aes_gcm_decrypt_avx512
 0.3%   0.7%  87.6KiB              prek prek::languages::<impl prek::config::Language>::run::{{closure}}::{{closure}}
 0.3%   0.6%  81.3KiB              prek prek::languages::<impl prek::config::Language>::run::{{closure}}::{{closure}}
 0.3%   0.6%  70.9KiB             prek? <prek::cli::Command as clap_builder::derive::Subcommand>::augment_subcommands
 0.2%   0.4%  57.0KiB              prek prek::languages::<impl prek::config::Language>::install::{{closure}}
 0.2%   0.4%  52.5KiB annotate_snippets annotate_snippets::renderer::render::render
 0.2%   0.4%  45.3KiB              prek prek::run::{{closure}}
 0.2%   0.3%  42.0KiB              prek prek::cli::run::run::run::{{closure}}
 0.1%   0.3%  32.6KiB             prek? <prek::cli::RunArgs as clap_builder::derive::Args>::augment_args
 0.1%   0.2%  30.0KiB             prek? <prek::config::_::<impl serde_core::de::Deserialize for prek::config::Config>::deserialize::__Visitor as serde_core::de::Visitor>::visit_map
 0.1%   0.2%  28.0KiB      serde_saphyr saphyr_parser_bw::scanner::Scanner<T>::fetch_more_tokens
 0.1%   0.2%  28.0KiB        aws_lc_sys aws_lc_0_39_1_edwards25519_scalarmuldouble_alt
 0.1%   0.2%  27.5KiB        aws_lc_sys aws_lc_0_39_1_edwards25519_scalarmuldouble
 0.1%   0.2%  27.1KiB              prek prek::cli::try_repo::try_repo::{{closure}}
 0.1%   0.2%  26.8KiB               std core::ptr::drop_in_place<prek::languages::<impl prek::config::Language>::install::{{closure}}>
 0.1%   0.2%  22.8KiB              prek prek::hooks::meta_hooks::MetaHooks::run::{{closure}}
 0.1%   0.2%  22.6KiB      serde_saphyr saphyr_parser_bw::scanner::Scanner<T>::fetch_more_tokens
 0.1%   0.2%  22.3KiB         [Unknown] Lp384_montjscalarmul_alt_p384_montjadd
 0.1%   0.2%  21.5KiB      clap_builder clap_builder::parser::parser::Parser::get_matches_with
41.9%  86.3%  10.8MiB                   And 24034 smaller methods. Use -n N to show more.
48.5% 100.0%  12.5MiB                   .text section size, the file size is 25.7MiB


prek-ci-bot bot commented Apr 9, 2026

⚡️ Hyperfine Benchmarks

Summary: 0 regressions, 0 improvements above the 10% threshold.

Environment
  • OS: Linux 6.17.0-1010-azure
  • CPU: 4 cores
  • prek version: prek 0.3.8+43 (db762f4 2026-04-10)
  • Rust version: rustc 1.94.1 (e408947bf 2026-03-25)
  • Hyperfine version: hyperfine 1.20.0
CLI Commands

Benchmarking basic commands in the main repo:

prek --version

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base --version | 2.2 ± 0.1 | 2.1 | 2.5 | 1.03 ± 0.05 |
| prek-head --version | 2.2 ± 0.1 | 2.0 | 2.4 | 1.00 |

prek list

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base list | 9.1 ± 0.3 | 8.6 | 10.0 | 1.02 ± 0.05 |
| prek-head list | 9.0 ± 0.4 | 8.5 | 10.7 | 1.00 |

prek validate-config .pre-commit-config.yaml

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base validate-config .pre-commit-config.yaml | 3.2 ± 0.1 | 3.0 | 3.4 | 1.07 ± 0.04 |
| prek-head validate-config .pre-commit-config.yaml | 3.0 ± 0.1 | 2.8 | 3.2 | 1.00 |

prek sample-config

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base sample-config | 2.5 ± 0.1 | 2.4 | 2.6 | 1.03 ± 0.03 |
| prek-head sample-config | 2.5 ± 0.1 | 2.4 | 2.7 | 1.00 |

Cold vs Warm Runs

Comparing first run (cold) vs subsequent runs (warm cache):

prek run --all-files (cold - no cache)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run --all-files | 142.4 ± 5.3 | 137.4 | 153.6 | 1.01 ± 0.05 |
| prek-head run --all-files | 141.3 ± 3.8 | 135.2 | 146.1 | 1.00 |

prek run --all-files (warm - with cache)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run --all-files | 141.2 ± 3.5 | 135.7 | 146.6 | 1.00 |
| prek-head run --all-files | 143.2 ± 2.8 | 138.8 | 150.2 | 1.01 ± 0.03 |

Full Hook Suite

Running the builtin hook suite on the benchmark workspace:

prek run --all-files (full builtin hook suite)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run --all-files | 141.4 ± 3.4 | 133.3 | 148.1 | 1.01 ± 0.03 |
| prek-head run --all-files | 140.3 ± 3.4 | 133.1 | 147.4 | 1.00 |

Individual Hook Performance

Benchmarking each hook individually on the test repo:

prek run trailing-whitespace --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run trailing-whitespace --all-files | 20.7 ± 0.8 | 19.7 | 22.9 | 1.00 |
| prek-head run trailing-whitespace --all-files | 21.0 ± 1.0 | 19.3 | 23.2 | 1.02 ± 0.06 |

prek run end-of-file-fixer --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run end-of-file-fixer --all-files | 33.9 ± 20.9 | 23.8 | 109.7 | 1.28 ± 0.80 |
| prek-head run end-of-file-fixer --all-files | 26.4 ± 2.1 | 23.4 | 30.4 | 1.00 |

prek run check-json --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run check-json --all-files | 11.6 ± 0.5 | 10.8 | 12.9 | 1.03 ± 0.05 |
| prek-head run check-json --all-files | 11.2 ± 0.3 | 10.7 | 11.9 | 1.00 |

prek run check-yaml --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run check-yaml --all-files | 11.2 ± 0.5 | 10.7 | 13.5 | 1.02 ± 0.05 |
| prek-head run check-yaml --all-files | 11.0 ± 0.2 | 10.7 | 11.7 | 1.00 |

prek run check-toml --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run check-toml --all-files | 11.3 ± 0.6 | 10.7 | 13.8 | 1.01 ± 0.06 |
| prek-head run check-toml --all-files | 11.1 ± 0.3 | 10.6 | 11.8 | 1.00 |

prek run check-xml --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run check-xml --all-files | 11.6 ± 0.8 | 10.9 | 15.3 | 1.05 ± 0.07 |
| prek-head run check-xml --all-files | 11.0 ± 0.3 | 10.6 | 11.7 | 1.00 |

prek run detect-private-key --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run detect-private-key --all-files | 17.4 ± 1.2 | 15.4 | 20.2 | 1.02 ± 0.10 |
| prek-head run detect-private-key --all-files | 17.2 ± 1.2 | 15.5 | 20.1 | 1.00 |

prek run fix-byte-order-marker --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run fix-byte-order-marker --all-files | 22.5 ± 1.5 | 19.4 | 24.7 | 1.03 ± 0.10 |
| prek-head run fix-byte-order-marker --all-files | 21.9 ± 1.6 | 19.2 | 24.7 | 1.00 |

Installation Performance

Benchmarking hook installation (fast path hooks skip Python setup):

prek install-hooks (cold - no cache)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base install-hooks | 4.5 ± 0.1 | 4.4 | 4.6 | 1.03 ± 0.02 |
| prek-head install-hooks | 4.4 ± 0.1 | 4.3 | 4.5 | 1.00 |

prek install-hooks (warm - with cache)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base install-hooks | 4.6 ± 0.1 | 4.5 | 4.7 | 1.05 ± 0.02 |
| prek-head install-hooks | 4.4 ± 0.0 | 4.3 | 4.4 | 1.00 |

File Filtering/Scoping Performance

Testing different file selection modes:

prek run (staged files only)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run | 49.0 ± 1.2 | 47.1 | 51.4 | 1.01 ± 0.04 |
| prek-head run | 48.7 ± 1.3 | 46.9 | 51.5 | 1.00 |

prek run --files '*.json' (specific file type)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run --files '*.json' | 8.3 ± 0.1 | 8.1 | 8.6 | 1.00 |
| prek-head run --files '*.json' | 8.3 ± 0.1 | 8.0 | 8.5 | 1.00 ± 0.02 |

Workspace Discovery & Initialization

Benchmarking hook discovery and initialization overhead:

prek run --dry-run --all-files (measures init overhead)

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run --dry-run --all-files | 13.1 ± 0.5 | 12.7 | 14.4 | 1.02 ± 0.04 |
| prek-head run --dry-run --all-files | 12.9 ± 0.2 | 12.5 | 13.4 | 1.00 |

Meta Hooks Performance

Benchmarking meta hooks separately:

prek run check-hooks-apply --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run check-hooks-apply --all-files | 13.1 ± 0.2 | 12.8 | 13.7 | 1.00 |
| prek-head run check-hooks-apply --all-files | 13.2 ± 0.2 | 12.8 | 13.4 | 1.00 ± 0.02 |

prek run check-useless-excludes --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run check-useless-excludes --all-files | 12.8 ± 0.7 | 11.7 | 13.8 | 1.09 ± 0.06 |
| prek-head run check-useless-excludes --all-files | 11.8 ± 0.1 | 11.6 | 12.1 | 1.00 |

prek run identity --all-files

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| prek-base run identity --all-files | 10.4 ± 0.1 | 10.2 | 10.5 | 1.00 |
| prek-head run identity --all-files | 10.5 ± 0.2 | 10.1 | 10.9 | 1.02 ± 0.02 |

@j178 j178 added the bug Something isn't working label Apr 9, 2026
@shaanmajid (Collaborator) commented

Unsure of the performance impact of this, but just an idea -- it would be ideal if this check could automatically happen during hook installation. Most folks probably won't manually execute this to check if they have a malicious config file, but if it's surfaced during normal workflows, everyone will reap the benefit.


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e9ef05f849


Comment on lines +793 to +796
if no_lazy_fetch_unsupported(&output.stderr) {
let _ = GIT_SUPPORTS_NO_LAZY_FETCH.set(false);
return Ok(CommitPresence::Unknown);
}
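Review bot: on the unsupported-flag path shown here (`GIT_SUPPORTS_NO_LAZY_FETCH.set(false)` followed by `return Ok(CommitPresence::Unknown)`) nothing tells the user that impostor detection was skipped, so a clean `--check` result on a Git without `--no-lazy-fetch` looks identical to a verified one; consider emitting a warning once when the flag is first recorded as unsupported, and make sure callers keep `Unknown` distinct from `NotPresent` instead of folding it into the mismatch path, since the comment below reports that `collect_frozen_mismatches` currently turns it into `FrozenMismatch::NoReplacement`.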

P1: Preserve frozen-comment checks when no-lazy-fetch is unsupported

On Git versions like 2.43, git --no-lazy-fetch ... returns unknown option, and this branch forces CommitPresence::Unknown; that flows into collect_frozen_mismatches as FrozenMismatch::NoReplacement, so stale frozen comments for valid, untagged pinned SHAs are no longer removed and --check can pass even when the frozen marker is stale. I verified the command behavior locally on Git 2.43 and traced it to this return path, so this is not just theoretical compatibility drift.


j178 commented Apr 10, 2026

@shaanmajid Good idea. I started with auto-update because the repo-fetching model there is quite different from installation.

During installation we currently use shallow clones (--depth=1), while auto-update uses a blob-less fetch. Detecting impostor commits reliably would likely require fetching a much larger commit graph, which would be a fairly invasive change to the installation path.

Adding the check in auto-update first is a more contained change, and it lets us validate the approach before expanding it further. If this works well, we can definitely explore bringing the same protection to installation later.

@j178 j178 merged commit 7899b90 into master Apr 11, 2026
55 of 56 checks passed
@j178 j178 deleted the auto-update-impostor-checks branch April 11, 2026 14:50

Development

Successfully merging this pull request may close these issues.

feat: add utility to check hashes and frozen: tags match
