fix: address code review comments for peer dependency warnings

- Add buffer overflow protection with "..." truncation marker - Replace two loose substring assertions with single regex match Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 19:08:50 +00:00 · 2026-01-14 21:55:44 +00:00
parent 40c12d9ae6
commit 7978a79339
2 changed files with 25 additions and 10 deletions
--- a/src/install/PackageManager/PackageManagerEnqueue.zig
+++ b/src/install/PackageManager/PackageManagerEnqueue.zig
@@ -1946,16 +1946,32 @@ fn getDependencyPath(this: *PackageManager, package_id: PackageID, buf: *[1024]u
        const pkg_id = path_ids[i];
        const name = names[pkg_id].slice(string_buf);

-        if (written > 0 and written + 3 < buf.len) {
+        // Check if we have enough space for separator + full name
+        const separator_len: usize = if (written > 0) 3 else 0; // " > "
+        const needed = separator_len + name.len;
+        const remaining = buf.len - written;
+
+        if (needed > remaining) {
+            // Not enough space - add truncation marker and stop
+            const truncation_marker = "...";
+            if (remaining >= separator_len + truncation_marker.len) {
+                if (separator_len > 0) {
+                    @memcpy(buf[written..][0..3], " > ");
+                    written += 3;
+                }
+                @memcpy(buf[written..][0..truncation_marker.len], truncation_marker);
+                written += truncation_marker.len;
+            }
+            break;
+        }
+
+        if (separator_len > 0) {
            @memcpy(buf[written..][0..3], " > ");
            written += 3;
        }

-        const copy_len = @min(name.len, buf.len - written);
-        if (copy_len > 0) {
-            @memcpy(buf[written..][0..copy_len], name[0..copy_len]);
-            written += copy_len;
-        }
+        @memcpy(buf[written..][0..name.len], name);
+        written += name.len;
    }

    return buf[0..written];
--- a/test/cli/install/bun-install-registry.test.ts
+++ b/test/cli/install/bun-install-registry.test.ts
@@ -3912,8 +3912,8 @@ describe("hoisting", async () => {
    expect(err).not.toContain("not found");
    expect(err).not.toContain("error:");
    // New improved peer dependency warning format shows the requiring package, expected version, and actual version
-    expect(err).toContain("peer-deps-fixed");
-    expect(err).toContain("has unmet peer dependency no-deps@^1.0.0 (found 2.0.0)");
+    // Match: "warn: ...peer-deps-fixed has unmet peer dependency no-deps@^1.0.0 (found 2.0.0)"
+    expect(err).toMatch(/warn:.*peer-deps-fixed has unmet peer dependency no-deps@\^1\.0\.0 \(found 2\.0\.0\)/);

    expect(out.replace(/\s*\[[0-9\.]+m?s\]\s*$/, "").split(/\r?\n/)).toEqual([
      expect.stringContaining("bun install v1."),
@@ -7676,8 +7676,7 @@ describe("yarn tests", () => {
    expect(err).not.toContain("error:");
    expect(err).not.toContain("not found");
    // New improved peer dependency warning format shows the requiring package, expected version, and actual version
-    expect(err).toContain("peer-deps-fixed");
-    expect(err).toContain("has unmet peer dependency no-deps@^1.0.0 (found 2.0.0)");
+    expect(err).toMatch(/warn:.*peer-deps-fixed has unmet peer dependency no-deps@\^1\.0\.0 \(found 2\.0\.0\)/);
    expect(out.replace(/\s*\[[0-9\.]+m?s\]\s*$/, "").split(/\r?\n/)).toEqual([
      expect.stringContaining("bun install v1."),
      "",