upd-cli 0.1.3__tar.gz → 0.1.5__tar.gz

{upd_cli-0.1.3 → upd_cli-0.1.5}/CHANGELOG.md

@@ -13,6 +13,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+
+## [0.1.5](https://github.com/rvben/upd/compare/v0.1.4...v0.1.5) - 2026-04-28
+
+### Added
+
+- **audit**: include package names and HTTP body in OSV error diagnostics ([87b9aa8](https://github.com/rvben/upd/commit/87b9aa8d27545abf449461c3c3d096a661fa377f))
+
+## [0.1.4](https://github.com/rvben/upd/compare/v0.1.3...v0.1.4) - 2026-04-28
+
+### Added
+
+- **discovery**: respect .gitignore for hidden ecosystem files and add --no-ignore ([bd44269](https://github.com/rvben/upd/commit/bd442692e4e7c5ab96e1163128ac8f274a771f30))
+
 ## [0.1.3](https://github.com/rvben/upd/compare/v0.1.2...v0.1.3) - 2026-04-25
 
 ### Added

{upd_cli-0.1.3 → upd_cli-0.1.5}/Cargo.lock

@@ -2024,7 +2024,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.3"
+version = "0.1.5"
 dependencies = [
  "anyhow",
  "async-trait",

{upd_cli-0.1.3 → upd_cli-0.1.5}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.3"
+version = "0.1.5"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"

{upd_cli-0.1.3 → upd_cli-0.1.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.3
+Version: 0.1.5
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -57,7 +57,11 @@ pipx run --spec upd-cli upd --apply
 - **Major warnings**: Highlights breaking changes with `(MAJOR)`
 - **Format-preserving**: Keeps formatting, comments, and structure
 - **Pre-release aware**: Updates pre-releases to newer pre-releases
-- **Gitignore-aware**: Respects `.gitignore` when discovering files
+- **Gitignore-aware**: Honors `.gitignore`, `.git/info/exclude`, and the global
+  gitignore — even outside a git repo. Hidden directories are pruned by default;
+  `upd` only opens the dotfiles it actually updates (`.github/workflows`,
+  `.pre-commit-config.yaml`, `.mise.toml`, `.tool-versions`). Use `--no-ignore`
+  to walk every file regardless.
 - **Version alignment**: Align package versions across multiple files
 - **Security auditing**: Check dependencies for known vulnerabilities via OSV
 - **Config file support**: Ignore or pin packages via `.updrc.toml`
@@ -761,6 +765,7 @@ Global flags (accepted on every subcommand):
 | `--full-precision` | | Output full versions |
 | `--no-cache` | | Disable version cache |
 | `--no-color` | | Disable colored output |
+| `--no-ignore` | | Disable `.gitignore` filtering during discovery |
 | `--lock` | | Regenerate lockfiles after updates |
 | `--config <FILE>` | `-c` | Use a specific config file |
 | `--show-config` | | Print effective configuration and exit |

{upd_cli-0.1.3 → upd_cli-0.1.5}/README.md

@@ -34,7 +34,11 @@ pipx run --spec upd-cli upd --apply
 - **Major warnings**: Highlights breaking changes with `(MAJOR)`
 - **Format-preserving**: Keeps formatting, comments, and structure
 - **Pre-release aware**: Updates pre-releases to newer pre-releases
-- **Gitignore-aware**: Respects `.gitignore` when discovering files
+- **Gitignore-aware**: Honors `.gitignore`, `.git/info/exclude`, and the global
+  gitignore — even outside a git repo. Hidden directories are pruned by default;
+  `upd` only opens the dotfiles it actually updates (`.github/workflows`,
+  `.pre-commit-config.yaml`, `.mise.toml`, `.tool-versions`). Use `--no-ignore`
+  to walk every file regardless.
 - **Version alignment**: Align package versions across multiple files
 - **Security auditing**: Check dependencies for known vulnerabilities via OSV
 - **Config file support**: Ignore or pin packages via `.updrc.toml`
@@ -738,6 +742,7 @@ Global flags (accepted on every subcommand):
 | `--full-precision` | | Output full versions |
 | `--no-cache` | | Disable version cache |
 | `--no-color` | | Disable colored output |
+| `--no-ignore` | | Disable `.gitignore` filtering during discovery |
 | `--lock` | | Regenerate lockfiles after updates |
 | `--config <FILE>` | `-c` | Use a specific config file |
 | `--show-config` | | Print effective configuration and exit |

{upd_cli-0.1.3 → upd_cli-0.1.5}/src/audit/mod.rs

@@ -20,6 +20,35 @@ const BATCH_SIZE: usize = 1000;
 /// Maximum concurrent requests for fetching vulnerability details
 const MAX_CONCURRENT_REQUESTS: usize = 20;
 
+/// Cap for how many bytes of a non-success OSV response body we surface in
+/// an error message. A proxy or CDN can return arbitrarily large HTML error
+/// pages on the failure path, so we bound the read at the network layer
+/// (via `Response::chunk`) rather than buffering the whole body and then
+/// truncating. 1 KiB comfortably fits typical OSV/proxy diagnostics.
+const ERROR_BODY_LIMIT: usize = 1024;
+
+/// Read up to `max` bytes from `response`'s body and return them as a
+/// lossy UTF-8 string. Stops early at the first chunk that fills the cap
+/// so an oversized or slow body cannot stall the call up to the client
+/// timeout or balloon memory beyond `max` bytes.
+async fn read_bounded_body(response: &mut reqwest::Response, max: usize) -> String {
+    let mut buf: Vec<u8> = Vec::with_capacity(max);
+    while buf.len() < max {
+        match response.chunk().await {
+            Ok(Some(chunk)) => {
+                let remaining = max - buf.len();
+                let take = chunk.len().min(remaining);
+                buf.extend_from_slice(&chunk[..take]);
+                if take < chunk.len() {
+                    break;
+                }
+            }
+            Ok(None) | Err(_) => break,
+        }
+    }
+    String::from_utf8_lossy(&buf).into_owned()
+}
+
 /// Ecosystem names for OSV API
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum Ecosystem {
@@ -273,7 +302,12 @@ impl OsvClient {
                     }
                 }
                 Err(e) => {
-                    result.errors.push(format!("Batch query failed: {}", e));
+                    let pkg_names: Vec<&str> = chunk.iter().map(|p| p.name.as_str()).collect();
+                    result.errors.push(format!(
+                        "Batch query failed for [{}]: {}",
+                        pkg_names.join(", "),
+                        e
+                    ));
                 }
             }
         }
@@ -299,7 +333,7 @@ impl OsvClient {
 
         let request = OsvBatchRequest { queries };
 
-        let response = self
+        let mut response = self
             .client
             .post(format!("{}/querybatch", self.base_url))
             .json(&request)
@@ -307,7 +341,13 @@ impl OsvClient {
             .await?;
 
         if !response.status().is_success() {
-            anyhow::bail!("OSV API error: HTTP {}", response.status());
+            let status = response.status();
+            let snippet = read_bounded_body(&mut response, ERROR_BODY_LIMIT).await;
+            if snippet.is_empty() {
+                anyhow::bail!("OSV API error: HTTP {}", status);
+            } else {
+                anyhow::bail!("OSV API error: HTTP {}: {}", status, snippet);
+            }
         }
 
         let batch_response: OsvBatchResponse = response.json().await?;
@@ -1003,4 +1043,169 @@ mod tests {
         assert_eq!(result.safe_count, 1);
         // wiremock will assert that no requests were received when the server drops.
     }
+
+    // ─── batch failure error message ─────────────────────────────────────────
+
+    #[tokio::test]
+    async fn batch_failure_error_includes_package_names_status_and_body() {
+        use wiremock::matchers::{method, path};
+        use wiremock::{Mock, MockServer, ResponseTemplate};
+
+        let server = MockServer::start().await;
+
+        // OSV returns a non-success response with a body. Both should surface
+        // in the AuditResult error so operators can diagnose the failure.
+        Mock::given(method("POST"))
+            .and(path("/querybatch"))
+            .respond_with(
+                ResponseTemplate::new(503).set_body_string("upstream temporarily unavailable"),
+            )
+            .mount(&server)
+            .await;
+
+        let client = OsvClient::with_base_url(server.uri());
+        let pkgs = vec![
+            Package {
+                name: "requests".into(),
+                version: "2.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+            Package {
+                name: "boto3".into(),
+                version: "1.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+        ];
+
+        let result = client.check_packages(&pkgs).await.unwrap();
+
+        assert!(result.vulnerable.is_empty());
+        assert_eq!(
+            result.errors.len(),
+            1,
+            "one error for the failing batch, got {:?}",
+            result.errors
+        );
+        let err = &result.errors[0];
+        assert!(
+            err.contains("requests") && err.contains("boto3"),
+            "error should list the failing batch's package names: {err}"
+        );
+        assert!(
+            err.contains("503"),
+            "error should include the HTTP status: {err}"
+        );
+        assert!(
+            err.contains("upstream temporarily unavailable"),
+            "error should include the response body: {err}"
+        );
+    }
+
+    #[tokio::test]
+    async fn batch_failure_stops_reading_at_cap_when_body_stalls() {
+        // Stand up a TCP server that lies about Content-Length: it claims
+        // 1 MB but only delivers 2 KiB, then stalls forever. The bounded
+        // read in query_batch must fill its 1 KiB cap from the head of
+        // the body and return immediately. An unbounded read (e.g.
+        // `response.text().await`) would block until either the rest of
+        // the body arrives or the 30 s client timeout fires.
+        use std::time::{Duration, Instant};
+        use tokio::io::{AsyncReadExt, AsyncWriteExt};
+        use tokio::net::TcpListener;
+
+        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+        let addr = listener.local_addr().unwrap();
+
+        let server = tokio::spawn(async move {
+            let (mut stream, _) = listener.accept().await.unwrap();
+
+            // Drain the request until we see the empty header line.
+            let mut buf = [0u8; 4096];
+            loop {
+                let n = match stream.read(&mut buf).await {
+                    Ok(n) if n > 0 => n,
+                    _ => return,
+                };
+                if buf[..n].windows(4).any(|w| w == b"\r\n\r\n") {
+                    break;
+                }
+            }
+
+            // Headers promise 1 MB; we send only 2 KiB then stall.
+            let head = b"HTTP/1.1 503 Service Unavailable\r\n\
+                         Content-Type: text/plain\r\n\
+                         Content-Length: 1000000\r\n\
+                         Connection: close\r\n\r\n";
+            let _ = stream.write_all(head).await;
+            let _ = stream.write_all(&vec![b'x'; 2048]).await;
+            let _ = stream.flush().await;
+
+            // Park the task so the connection stays open without further
+            // bytes. The test will abort the handle after the client
+            // returns.
+            std::future::pending::<()>().await;
+        });
+
+        let client = OsvClient::with_base_url(format!("http://{}", addr));
+        let started = Instant::now();
+        let outcome = tokio::time::timeout(
+            Duration::from_secs(10),
+            client.check_packages(&[Package {
+                name: "pkg".into(),
+                version: "1.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            }]),
+        )
+        .await;
+        let elapsed = started.elapsed();
+
+        server.abort();
+
+        let result = outcome
+            .expect(
+                "OSV call must return promptly when the body stalls; \
+                 if it didn't, the body is being read unbounded",
+            )
+            .unwrap();
+
+        assert_eq!(result.errors.len(), 1, "{:?}", result.errors);
+        let err = &result.errors[0];
+        assert!(err.contains("503"), "should include status: {err}");
+        // 5 s leaves a >100x margin over the expected ~1 RTT return
+        // time, while staying well under the 30 s client timeout that
+        // the buggy implementation would hit.
+        assert!(
+            elapsed < Duration::from_secs(5),
+            "bounded read should return promptly; took {:?}",
+            elapsed
+        );
+    }
+
+    #[tokio::test]
+    async fn batch_failure_error_includes_package_names_on_network_error() {
+        // Point at a closed port so reqwest fails to connect. Package names
+        // should still be embedded in the resulting error message.
+        let client = OsvClient::with_base_url("http://127.0.0.1:1/".to_string());
+        let pkgs = vec![
+            Package {
+                name: "lonely-pkg".into(),
+                version: "1.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+            Package {
+                name: "another-pkg".into(),
+                version: "2.0.0".into(),
+                ecosystem: Ecosystem::PyPI,
+            },
+        ];
+
+        let result = client.check_packages(&pkgs).await.unwrap();
+
+        assert_eq!(result.errors.len(), 1, "{:?}", result.errors);
+        let err = &result.errors[0];
+        assert!(
+            err.contains("lonely-pkg") && err.contains("another-pkg"),
+            "network-level errors should still name the failing packages: {err}"
+        );
+    }
 }

{upd_cli-0.1.3 → upd_cli-0.1.5}/src/cli.rs

@@ -183,6 +183,15 @@ pub struct Cli {
         value_delimiter = ','
     )]
     pub packages: Vec<String>,
+
+    /// Disable .gitignore filtering and walk every dependency file in the tree.
+    ///
+    /// By default, `upd` honors `.gitignore`, `.git/info/exclude`, and the
+    /// global gitignore when discovering dependency files. Pass `--no-ignore`
+    /// to scan files git would ignore. Equivalent to `rg --no-ignore`.
+    /// Explicit file paths are always processed regardless of this flag.
+    #[arg(long = "no-ignore", global = true)]
+    pub no_ignore: bool,
 }
 
 #[derive(Subcommand)]
@@ -842,4 +851,27 @@ mod tests {
         assert_eq!(cli.min_age.as_deref(), Some("14d"));
         assert!(matches!(cli.command, Some(Command::Update { .. })));
     }
+
+    #[test]
+    fn test_cli_no_ignore_default_false() {
+        let cli = Cli::try_parse_from(["upd"]).unwrap();
+        assert!(!cli.no_ignore);
+    }
+
+    #[test]
+    fn test_cli_no_ignore_parses() {
+        let cli = Cli::try_parse_from(["upd", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+    }
+
+    #[test]
+    fn test_cli_no_ignore_is_global_across_subcommands() {
+        let cli = Cli::try_parse_from(["upd", "audit", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+        assert!(matches!(cli.command, Some(Command::Audit { .. })));
+
+        let cli = Cli::try_parse_from(["upd", "align", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+        assert!(matches!(cli.command, Some(Command::Align { .. })));
+    }
 }

{upd_cli-0.1.3 → upd_cli-0.1.5}/src/lib.rs

@@ -25,7 +25,9 @@ pub use registry::{
     GitHubReleasesRegistry, NpmRegistry, NuGetRegistry, PyPiRegistry, Registry, RubyGemsRegistry,
     TerraformRegistry, VersionMeta,
 };
-pub use updater::{FileType, Lang, UpdateResult, Updater, discover_files};
+pub use updater::{
+    DiscoverOptions, FileType, Lang, UpdateResult, Updater, discover_files, discover_files_with,
+};
 
 /// Determine the process exit code given the outcome of a run.
 ///

{upd_cli-0.1.3 → upd_cli-0.1.5}/src/main.rs

@@ -22,10 +22,10 @@ use upd::registry::{
     NuGetRegistry, PyPiRegistry, RubyGemsRegistry, TerraformRegistry,
 };
 use upd::updater::{
-    CargoTomlUpdater, CsprojUpdater, FileType, GemfileUpdater, GithubActionsUpdater, GoModUpdater,
-    Lang, MiseUpdater, PackageJsonUpdater, PreCommitUpdater, PyProjectUpdater, RequirementsUpdater,
-    TerraformUpdater, UpdateOptions, UpdateResult, Updater, discover_files, read_file_safe,
-    write_file_atomic,
+    CargoTomlUpdater, CsprojUpdater, DiscoverOptions, FileType, GemfileUpdater,
+    GithubActionsUpdater, GoModUpdater, Lang, MiseUpdater, PackageJsonUpdater, PreCommitUpdater,
+    PyProjectUpdater, RequirementsUpdater, TerraformUpdater, UpdateOptions, UpdateResult, Updater,
+    discover_files_with, read_file_safe, write_file_atomic,
 };
 use upd::version::match_version_precision;
 
@@ -546,7 +546,14 @@ async fn run_update(cli: &Cli) -> Result<()> {
     // or --dry-run), the run behaves as dry-run and tells the user how to apply.
     let effective_dry_run = cli.is_effective_dry_run();
 
-    let files = discover_files(&paths, &cli.langs);
+    let files = discover_files_with(
+        &paths,
+        &cli.langs,
+        DiscoverOptions {
+            no_ignore: cli.no_ignore,
+            verbose: cli.verbose,
+        },
+    );
     let file_count = files.len();
 
     let text_mode_early = cli.format == upd::cli::OutputFormat::Text;
@@ -1493,7 +1500,14 @@ async fn run_align(cli: &Cli) -> Result<()> {
         }
     };
 
-    let files = discover_files(&paths, &cli.langs);
+    let files = discover_files_with(
+        &paths,
+        &cli.langs,
+        DiscoverOptions {
+            no_ignore: cli.no_ignore,
+            verbose: cli.verbose,
+        },
+    );
     let file_count = files.len();
 
     if files.is_empty() {
@@ -1701,7 +1715,14 @@ async fn run_audit(cli: &Cli) -> Result<()> {
             explicit
         }
     };
-    let files = discover_files(&paths, &cli.langs);
+    let files = discover_files_with(
+        &paths,
+        &cli.langs,
+        DiscoverOptions {
+            no_ignore: cli.no_ignore,
+            verbose: cli.verbose,
+        },
+    );
     let file_count = files.len();
 
     if files.is_empty() {