npm - @codyswann/lisa - Versions diffs - 2.171.0 → 2.171.3 - Mend

@codyswann/lisa 2.171.0 → 2.171.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (72) hide show

package/plugins/src/base/hooks/install-pkgs.sh CHANGED Viewed

@@ -8,18 +8,40 @@ if [ -d "node_modules" ]; then
   exit 0
 fi
-# Detect package manager based on lock file presence
-if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
-  bun install
-elif [ -f "pnpm-lock.yaml" ]; then
-  pnpm install
-elif [ -f "yarn.lock" ]; then
-  yarn install
-elif [ -f "package-lock.json" ]; then
-  npm install
-else
-  npm install
-fi
+# Detect the package manager this project wants, honoring explicit opt-outs.
+# Precedence: packageManager field > engines "please-use-<pm>" sentinel >
+# lockfile presence (minus any PM the engines forbid) > npm default.
+#
+# This must NOT key on lockfile presence alone. An npm-only project
+# (engines.bun = "please-use-npm", CI runs `npm ci`) that picks up a stray
+# bun.lock would otherwise get `bun install`, re-create the bun.lock, and break
+# — the SE-5221 regression. The engines/packageManager signals are
+# authoritative; lockfiles are only a fallback and never override an opt-out.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  if { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun; then printf 'bun\n'; return 0; fi
+  if [ -f pnpm-lock.yaml ] && _pm_allowed pnpm; then printf 'pnpm\n'; return 0; fi
+  if [ -f yarn.lock ] && _pm_allowed yarn; then printf 'yarn\n'; return 0; fi
+  if [ -f package-lock.json ] && _pm_allowed npm; then printf 'npm\n'; return 0; fi
+  printf 'npm\n'
+}
+PACKAGE_MANAGER="$(detect_package_manager)"
+echo "Detected package manager: ${PACKAGE_MANAGER}"
+case "$PACKAGE_MANAGER" in
+  bun) bun install ;;
+  pnpm) pnpm install ;;
+  yarn) yarn install ;;
+  *) npm install ;;
+esac
 # The tools below use Linux-specific binaries and paths — skip on other platforms.
 if [ "$(uname -s)" != "Linux" ]; then

package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md CHANGED Viewed

@@ -101,12 +101,34 @@ need() { command -v "$1" >/dev/null 2>&1; }
 require() { need "$1" || { echo "FATAL: required tool '$1' missing and install failed" >&2; exit 1; }; }
 # --- package manager (REQUIRED) ---
-if ! need bun; then
+# Resolve the PM from packageManager/engines/lockfiles — emit the manager the
+# `packageManager` inventory field reported, NEVER a hardcoded bun. An npm-only
+# project (engines.bun = "please-use-npm") must install with npm; emitting
+# `bun install` would create a stray bun.lock and break it (the SE-5221
+# regression). Only install/PATH-export the manager actually selected below.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun && { printf 'bun\n'; return 0; }
+  [ -f pnpm-lock.yaml ] && _pm_allowed pnpm && { printf 'pnpm\n'; return 0; }
+  [ -f yarn.lock ] && _pm_allowed yarn && { printf 'yarn\n'; return 0; }
+  [ -f package-lock.json ] && _pm_allowed npm && { printf 'npm\n'; return 0; }
+  printf 'npm\n'
+}
+PM="$(detect_package_manager)"
+if [ "$PM" = "bun" ] && ! need bun; then
   curl -fsSL https://bun.sh/install | bash
+  export PATH="$HOME/.bun/bin:$PATH"
 fi
-export PATH="$HOME/.bun/bin:$PATH"
 # NOTE: bun has known proxy package-fetch issues in cloud sessions; retry to survive transient proxy errors.
-for i in 1 2 3; do bun install && break || sleep 5; done
+for i in 1 2 3; do "$PM" install && break || sleep 5; done
 # --- required CLIs ---
 need gh || (sudo apt-get update -y && sudo apt-get install -y gh)

package/scripts/claude-remote-setup.sh CHANGED Viewed

@@ -80,12 +80,40 @@ fi
 require gitleaks
 # --- project dependencies ---
+# Resolve the package manager from packageManager/engines/lockfiles rather than
+# hardcoding bun: an npm-only project (engines.bun = "please-use-npm", CI runs
+# `npm ci`) must install with npm, never `bun install` — which would create a
+# stray bun.lock and break the project (the SE-5221 regression). jq is required
+# above, so the package.json signals are always available here.
 # bun has known proxy package-fetch issues in cloud sessions; retry transient failures.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ]; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  if { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun; then printf 'bun\n'; return 0; fi
+  if [ -f pnpm-lock.yaml ] && _pm_allowed pnpm; then printf 'pnpm\n'; return 0; fi
+  if [ -f yarn.lock ] && _pm_allowed yarn; then printf 'yarn\n'; return 0; fi
+  if [ -f package-lock.json ] && _pm_allowed npm; then printf 'npm\n'; return 0; fi
+  printf 'npm\n'
+}
+PM="$(detect_package_manager)"
+case "$PM" in
+  bun) PM_INSTALL="bun install" ;;
+  pnpm) PM_INSTALL="pnpm install" ;;
+  yarn) PM_INSTALL="yarn install" ;;
+  *) PM_INSTALL="npm install" ;;
+esac
 if [ ! -d node_modules ]; then
-  echo "Installing project dependencies (bun install)..."
-  for i in 1 2 3; do bun install && break || { echo "bun install attempt $i failed; retrying..."; sleep 5; }; done
+  echo "Installing project dependencies (${PM_INSTALL})..."
+  for i in 1 2 3; do $PM_INSTALL && break || { echo "${PM_INSTALL} attempt $i failed; retrying..."; sleep 5; }; done
 fi
-[ -d node_modules ] || { echo "FATAL: bun install failed after retries" >&2; exit 1; }
+[ -d node_modules ] || { echo "FATAL: ${PM_INSTALL} failed after retries" >&2; exit 1; }
 # --- OPTIONAL (only with --include-optional; dormant stacks/integrations) ---
 if [ "$INCLUDE_OPTIONAL" = "1" ]; then

package/typescript/copy-contents/.husky/pre-push CHANGED Viewed

@@ -150,7 +150,14 @@ else
     # `bun audit --audit-level=high --ignore ...`, parse `bun audit --json` and
     # apply the exclusion list ourselves with jq — same approach as the npm/yarn
     # paths above.
-    AUDIT_JSON=$(bun audit --json 2>/dev/null || true)
+    #
+    # `--production` scopes the audit to production dependencies, matching the
+    # npm branch (`npm audit --production`) and the yarn branch
+    # (`yarn audit --groups dependencies`). Without it, bun audits
+    # devDependencies too and the gate fails on dev-only CVEs that never ship —
+    # the SE-5221 false positive. bun honours `--production` even though
+    # `bun audit --help` omits it from the flag list.
+    AUDIT_JSON=$(bun audit --production --json 2>/dev/null || true)
     UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq -r --arg ids "$AUDIT_EXCLUSIONS" '
       ($ids | split(" ") | map(select(length > 0))) as $ex
       | [ .[]? | .[]?

package/typescript/package-lisa/package.lisa.json CHANGED Viewed

@@ -28,12 +28,20 @@
     "resolutions": {
       "@isaacs/brace-expansion": "^5.0.1",
       "axios": ">=1.15.2",
-      "handlebars": ">=4.7.9"
+      "esbuild": ">=0.28.1",
+      "handlebars": ">=4.7.9",
+      "lodash": ">=4.18.1",
+      "vite": ">=8.0.16",
+      "ws": ">=8.20.1"
     },
     "overrides": {
       "@isaacs/brace-expansion": "^5.0.1",
       "axios": ">=1.15.2",
-      "handlebars": ">=4.7.9"
+      "esbuild": ">=0.28.1",
+      "handlebars": ">=4.7.9",
+      "lodash": ">=4.18.1",
+      "vite": "^8.0.16",
+      "ws": ">=8.20.1"
     }
   },
   "defaults": {