bug: codegraph embed installs @huggingface/transformers into wrong directory #1175

@carlos-alm

Description

Found during dogfooding v3.10.1-dev.80

Severity: Medium
Command: codegraph embed -m minilm

Reproduction

```sh
# 1. Install codegraph into a dedicated dir
mkdir /tmp/dogfood && cd /tmp/dogfood
npm init -y
npm install @optave/codegraph@<version>

# 2. Build a graph in some *other* directory (e.g. another git repo)
cd /path/to/some-other-repo
codegraph build .

# 3. From that other repo's cwd, run embed
/tmp/dogfood/node_modules/.bin/codegraph embed -m minilm
```

Actual behavior

embed triggers npm install @huggingface/transformers via execFileSync with no explicit cwd. The install runs against the current working directory's package.json/node_modules, not the codegraph package's location. Then await import('@huggingface/transformers') resolves from the codegraph package's own directory, where the dependency wasn't installed — and fails:

```
codegraph [ENGINE_UNAVAILABLE]: @huggingface/transformers was installed but failed to load. Please check your environment.
```

Expected behavior

The auto-install should resolve to the codegraph package's own node_modules (i.e., the location where await import('@huggingface/transformers') will look). Either:

  1. Recommended: Don't auto-install at all — print clear instructions ("Run: npm install @huggingface/transformers in your project") and exit cleanly. Auto-modifying the user's package.json/node_modules is surprising and breaks reproducible installs.
  2. Or, pass cwd to execFileSync pointing at the codegraph package directory (resolved via path.dirname(require.resolve('@optave/codegraph/package.json'))).

Root cause

src/domain/search/models.ts:131 calls execFileSync(NPM_BIN, ['install', packageName], { stdio: 'inherit', timeout: 300_000 }) with no cwd. Default cwd = process.cwd(). The subsequent await import(pkg) resolves from the codegraph package location — these two directories are different when codegraph is invoked from outside its own install root.

Side effects observed

  • Installing into the user's working directory pollutes their package.json/package-lock.json with @huggingface/transformers even though they didn't ask for it.
  • npm warn deprecated boolean@3.2.0 and 2 vulnerabilities (1 moderate, 1 critical) get dumped on the user's terminal mid-embed.
  • The user then has to manually remove the unwanted dep from their package.json.

Workaround

Run embed from the directory where codegraph is installed (e.g., cd /tmp/dogfood && codegraph embed --db /path/to/other/repo/.codegraph/graph.db ...).
