pnpm development dependencies#1587
Code Review
This pull request implements tracking of non-development dependencies for pnpm projects by traversing the dependency graph using a BFS algorithm on lockfile snapshots, enabling accurate setting of the npm_development property on SBOM components. The review feedback suggests optimizing the BFS traversal by marking nodes as visited when queued to prevent redundant processing, and adding defensive checks to avoid potential KeyError and TypeError exceptions when parsing malformed lockfiles.
eskultety
left a comment
Almost there, one more iteration and I'm good.
/gemini review
Code Review
This pull request updates the PNPM package manager implementation to trace transitive non-development dependencies and support JSR registry prefixes, adding development properties to the generated SBOM components. Feedback on these changes highlights several robustness issues, including potential AttributeError or TypeError when parsing empty YAML nodes in snapshots, and a potential KeyError if the lockfile is malformed or missing the root importer. Additionally, it is recommended to update and restore the deleted unit test for permissive mode rather than removing it, and to revert the temporary repository and branch configurations in the integration tests before merging.
taylormadore
left a comment
Just test nits remaining. Otherwise LGTM
The package.json part is already covered below in the `test_create_root_component` function. Otherwise, it's just mocking and length comparison. Coverage is not affected.

Signed-off-by: Michal Šoltis <msoltis@redhat.com>
1. Find all runtime dependencies and optional dependencies first
2. Those that are left are development dependencies

Set the official CycloneDX property. The overall logic requires parsing the snapshots section from the lockfile and matching them with constructed package IDs from the importers section in the lockfile.

-- https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/npm.md

Assisted-by: Cursor
Signed-off-by: Michal Šoltis <msoltis@redhat.com>
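The classification described in the commit message above, written out as an added example (this is not the project's own code): a breadth-first walk that starts from every importer's `dependencies` and `optionalDependencies`, follows the `snapshots` section, and marks everything it never reaches as development-only. It folds in the two review points from this thread, marking nodes as visited when they are queued and tolerating empty YAML nodes (`None`) or missing sections. The lockfile is a constructed dict shaped like a loaded pnpm-lock.yaml v9, and the property name `cdx:npm:package:development` is taken from the linked CycloneDX npm taxonomy.

```python
"""Classify pnpm lockfile packages as runtime or development dependencies.

Added example, not the project's own code. It assumes the pnpm lockfile v9
layout (``importers`` with ``dependencies``/``devDependencies``/
``optionalDependencies``, and ``snapshots`` keyed by ``name@version``) and the
CycloneDX npm taxonomy property ``cdx:npm:package:development``.
"""
from collections import deque
from typing import Any

DEVELOPMENT_PROPERTY = "cdx:npm:package:development"

# Constructed sample, shaped like a loaded pnpm-lock.yaml. ``None`` stands for an
# empty YAML node (e.g. "baz@3.0.0:" with nothing below it), which a naive
# ``snapshot["dependencies"]`` would turn into a TypeError.
SAMPLE_LOCKFILE: dict[str, Any] = {
    "lockfileVersion": "9.0",
    "importers": {
        ".": {
            "dependencies": {"foo": {"specifier": "^1.0.0", "version": "1.0.0"}},
            "optionalDependencies": {"opt": {"specifier": "^5.0.0", "version": "5.0.0"}},
            "devDependencies": {
                "bar": {"specifier": "^2.0.0", "version": "2.0.0"},
                # also reachable from a runtime dep -> must be classified runtime
                "qux": {"specifier": "^4.0.0", "version": "4.0.0"},
            },
        },
        # workspace importer pointing at another workspace package via link:
        "packages/app": {"dependencies": {"lib": {"specifier": "workspace:*", "version": "link:../lib"}}},
    },
    "snapshots": {
        "foo@1.0.0": {"dependencies": {"baz": "3.0.0", "qux": "4.0.0"}},
        "baz@3.0.0": None,
        "qux@4.0.0": {"dependencies": {"foo": "1.0.0"}},  # cycle back to foo
        "opt@5.0.0": {},
        "bar@2.0.0": {"dependencies": {"devonly": "1.2.3"}},
        "devonly@1.2.3": {},
    },
}


def _package_ids(section: Any) -> list[str]:
    """Turn an importer or snapshot dependency map into snapshot keys.

    Importer entries are ``{specifier, version}`` dicts; snapshot entries map
    name -> version string. A peer suffix such as ``3.0.0(react@18.0.0)`` is part
    of the snapshot key, so the version is kept verbatim. ``link:`` versions
    point at workspace importers, which have no snapshot, and are skipped.
    """
    ids: list[str] = []
    for name, spec in (section or {}).items():
        version = spec.get("version") if isinstance(spec, dict) else spec
        if not isinstance(version, str) or version.startswith("link:"):
            continue
        ids.append(f"{name}@{version}")
    return ids


def find_runtime_package_ids(lockfile: dict[str, Any]) -> set[str]:
    """BFS from every importer's runtime and optional deps over ``snapshots``.

    Nodes are marked visited when queued, so a package reachable along several
    paths (or through a cycle) is expanded only once.
    """
    importers = lockfile.get("importers") or {}
    snapshots = lockfile.get("snapshots") or {}
    visited: set[str] = set()
    queue: deque[str] = deque()

    def enqueue(pkg_id: str) -> None:
        if pkg_id not in visited:
            visited.add(pkg_id)
            queue.append(pkg_id)

    for importer in importers.values():
        importer = importer or {}
        for section in ("dependencies", "optionalDependencies"):
            for pkg_id in _package_ids(importer.get(section)):
                enqueue(pkg_id)

    while queue:
        snapshot = snapshots.get(queue.popleft()) or {}
        for section in ("dependencies", "optionalDependencies"):
            for pkg_id in _package_ids(snapshot.get(section)):
                enqueue(pkg_id)
    return visited


def classify_snapshots(lockfile: dict[str, Any]) -> dict[str, bool]:
    """Map every snapshot id to True when it is development-only."""
    runtime = find_runtime_package_ids(lockfile)
    snapshots = lockfile.get("snapshots") or {}
    return {pkg_id: pkg_id not in runtime for pkg_id in snapshots}


def development_property(is_dev: bool) -> dict[str, str]:
    """CycloneDX component property recording the classification."""
    return {"name": DEVELOPMENT_PROPERTY, "value": "true" if is_dev else "false"}


if __name__ == "__main__":
    for pkg_id, is_dev in sorted(classify_snapshots(SAMPLE_LOCKFILE).items()):
        print(pkg_id, development_property(is_dev))
```

Note that `qux` is listed under `devDependencies` in the importer but is still classified as runtime because `foo` depends on it; only the reachability from runtime roots decides, not the section a package was declared in.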
Signed-off-by: Michal Šoltis <msoltis@redhat.com>