mirror of
https://github.com/unslothai/unsloth.git
synced 2026-07-09 15:58:41 +00:00
Studio: auto-sync allowScripts pins after dependency bumps (#6136)
* Studio: npm v12 readiness for install-script gating npm 12 (July 2026) stops running dependency install scripts unless they are approved via allowScripts, and npm 11.16 already warns. Studio has no git or remote URL deps anywhere, so script gating is the only exposure: - commit the allowScripts policy that npm approve-scripts writes for @biomejs/biome and msw, plus a manual fsevents entry: the tooling cannot match a darwin-only optional dep from Linux, but the strict check walks the platform independent ideal tree and flags it anyway - drop the minimum-release-age npmrc alias; npm >=11.16 flags it as an unknown project config that stops working in npm 12 - approve bun's postinstall in the setup.sh / setup.ps1 bun bootstrap; under npm 12 defaults npm install -g bun otherwise leaves a broken stub and setup falls back to the slower npm install path - fix the stale esbuild comment in studio-frontend-ci.yml: the vite 8 chain ships napi binaries with no install scripts * Studio: auto-sync allowScripts pins after dependency bumps The allowScripts entries from #6128 are version pinned, so a biome or msw bump strands the pin and the approval silently stops matching. Dependabot cannot maintain the field, so: - scripts/sync_allow_scripts_pins.py re-pins existing entries from the versions package-lock.json actually resolves. It never adds or removes entries, so approving a new script-bearing package stays a human decision. Bare names and non-exact specs are left alone. - a pre-commit hook runs it with --fix; pre-commit.ci pushes the fix commit to PR branches, Dependabot's included, so stale pins heal without a human in the loop - a Frontend CI step runs --check plus the offline unit tests as the backstop when pre-commit.ci is skipped No dependabot.yml change needed: the /studio/frontend entry already suppresses version PRs (security only) behind a 7 day cooldown. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Make the sync hook robust to lost executable bits The pre-commit.ci autofix commit dropped the script's exec bit, which breaks a shebang-style entry. Invoke via python instead and restore the bit. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
This commit is contained in:
parent
87deee7fbd
commit
f41617ad9f
4 changed files with 306 additions and 0 deletions
10
.github/workflows/studio-frontend-ci.yml
vendored
10
.github/workflows/studio-frontend-ci.yml
vendored
|
|
@ -17,6 +17,8 @@ on:
|
|||
- 'studio/frontend/**'
|
||||
- 'scripts/check_frontend_dep_removal.py'
|
||||
- 'tests/studio/test_frontend_dep_removal.py'
|
||||
- 'scripts/sync_allow_scripts_pins.py'
|
||||
- 'tests/studio/test_sync_allow_scripts_pins.py'
|
||||
- '.github/workflows/studio-frontend-ci.yml'
|
||||
push:
|
||||
branches: [main, pip]
|
||||
|
|
@ -68,6 +70,14 @@ jobs:
|
|||
working-directory: ${{ github.workspace }}
|
||||
run: python3 scripts/lockfile_supply_chain_audit.py
|
||||
|
||||
# Dependency bumps strand the version-pinned allowScripts entries.
|
||||
# The paired pre-commit hook auto-fixes PRs; this is the backstop.
|
||||
- name: allowScripts pins must match the lockfile
|
||||
working-directory: ${{ github.workspace }}
|
||||
run: |
|
||||
python3 tests/studio/test_sync_allow_scripts_pins.py
|
||||
python3 scripts/sync_allow_scripts_pins.py --check
|
||||
|
||||
- name: Lockfile must agree with package.json (npm ci is strict)
|
||||
# The vite 8 chain (rolldown, lightningcss, tailwind oxide) ships napi
|
||||
# binaries with no install scripts. The only script-bearing deps are
|
||||
|
|
|
|||
|
|
@ -19,3 +19,15 @@ repos:
|
|||
exclude: '(chat_templates|ollama_template_mappers|_auto_install|mapper)\.py$'
|
||||
additional_dependencies:
|
||||
- ruff==0.6.9
|
||||
# Re-pins allowScripts entries after dependency bumps. pre-commit.ci
|
||||
# pushes the fix to PR branches, Dependabot's included, so stale pins
|
||||
# heal without a human in the loop.
|
||||
- id: sync-allow-scripts-pins
|
||||
name: Sync allowScripts pins with the frontend lockfile
|
||||
# `python <script>` not a direct exec: autofix commits can drop the
|
||||
# executable bit, which kills shebang-style entries.
|
||||
entry: python scripts/sync_allow_scripts_pins.py
|
||||
args: [--fix]
|
||||
language: python
|
||||
files: ^studio/frontend/(package\.json|package-lock\.json)$
|
||||
pass_filenames: false
|
||||
|
|
|
|||
143
scripts/sync_allow_scripts_pins.py
Normal file
143
scripts/sync_allow_scripts_pins.py
Normal file
|
|
@ -0,0 +1,143 @@
|
|||
#!/usr/bin/env python3
|
||||
"""Keep `allowScripts` pins in studio/frontend/package.json in sync with
|
||||
package-lock.json.
|
||||
|
||||
`npm approve-scripts` writes version-pinned entries ("pkg@1.2.3": true).
|
||||
A dependency bump strands the pin, so the approval (or denial) silently
|
||||
stops matching and the package's install scripts fall back to
|
||||
"unreviewed". This tool re-pins existing entries to the versions the
|
||||
lockfile actually resolves; it never adds or removes entries, so
|
||||
approving a brand-new script-bearing package stays a human decision.
|
||||
|
||||
Usage:
|
||||
python scripts/sync_allow_scripts_pins.py --check # CI: exit 1 on drift
|
||||
python scripts/sync_allow_scripts_pins.py --fix # rewrite package.json
|
||||
|
||||
Pinned keys follow npm's allowScripts grammar: "name@1.2.3" or
|
||||
"name@1.2.3 || 1.2.4". Bare names (no version) match every version and
|
||||
are left alone. Entries whose range is not an exact-version disjunction
|
||||
(wildcards, tags) are left alone too.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import re
|
||||
import sys
|
||||
from pathlib import Path
|
||||
|
||||
REPO_ROOT = Path(__file__).resolve().parents[1]
|
||||
DEFAULT_DIR = REPO_ROOT / "studio" / "frontend"
|
||||
|
||||
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$")
|
||||
|
||||
|
||||
def split_spec(key: str) -> tuple[str, str | None]:
|
||||
"""'@scope/name@1.2.3' -> ('@scope/name', '1.2.3'); bare names -> (key, None)."""
|
||||
if key.startswith("@"):
|
||||
rest = key[1:]
|
||||
if "@" not in rest:
|
||||
return key, None
|
||||
name, rng = rest.split("@", 1)
|
||||
return "@" + name, rng
|
||||
if "@" not in key:
|
||||
return key, None
|
||||
name, rng = key.split("@", 1)
|
||||
return name, rng
|
||||
|
||||
|
||||
def is_exact_disjunction(rng: str) -> bool:
|
||||
parts = [p.strip() for p in rng.split("||")]
|
||||
return all(EXACT_VERSION_RE.match(p) for p in parts) and bool(parts)
|
||||
|
||||
|
||||
def version_sort_key(version: str) -> tuple:
|
||||
release = version.split("-", 1)[0].split("+", 1)[0]
|
||||
return tuple(int(x) for x in release.split(".")), version
|
||||
|
||||
|
||||
def script_versions_from_lock(lock: dict) -> dict[str, list[str]]:
|
||||
"""Map package name -> sorted versions that carry install scripts."""
|
||||
out: dict[str, set[str]] = {}
|
||||
for path, meta in (lock.get("packages") or {}).items():
|
||||
if not path or not meta.get("hasInstallScript"):
|
||||
continue
|
||||
name = path.rsplit("node_modules/", 1)[-1]
|
||||
version = meta.get("version")
|
||||
if name and version:
|
||||
out.setdefault(name, set()).add(version)
|
||||
return {n: sorted(vs, key = version_sort_key) for n, vs in out.items()}
|
||||
|
||||
|
||||
def desired_key(name: str, versions: list[str]) -> str:
|
||||
return f"{name}@{' || '.join(versions)}"
|
||||
|
||||
|
||||
def compute_renames(policy: dict, lock_versions: dict[str, list[str]]) -> dict[str, str]:
|
||||
renames: dict[str, str] = {}
|
||||
for key in policy:
|
||||
name, rng = split_spec(key)
|
||||
if rng is None or not is_exact_disjunction(rng):
|
||||
continue # bare name or non-exact spec: matches by name, never stale
|
||||
versions = lock_versions.get(name)
|
||||
if not versions:
|
||||
continue # package gone or script-free now: stale pin is inert
|
||||
want = desired_key(name, versions)
|
||||
if key != want:
|
||||
renames[key] = want
|
||||
return renames
|
||||
|
||||
|
||||
def main(argv: list[str] | None = None) -> int:
|
||||
ap = argparse.ArgumentParser(description = __doc__)
|
||||
mode = ap.add_mutually_exclusive_group(required = True)
|
||||
mode.add_argument("--check", action = "store_true", help = "exit 1 if pins are stale")
|
||||
mode.add_argument("--fix", action = "store_true", help = "rewrite package.json in place")
|
||||
ap.add_argument(
|
||||
"--dir",
|
||||
type = Path,
|
||||
default = DEFAULT_DIR,
|
||||
help = "directory holding package.json + package-lock.json",
|
||||
)
|
||||
args = ap.parse_args(argv)
|
||||
|
||||
pkg_path = args.dir / "package.json"
|
||||
lock_path = args.dir / "package-lock.json"
|
||||
if not pkg_path.exists() or not lock_path.exists():
|
||||
print(f"sync-allow-scripts: nothing to do ({args.dir} has no package.json + lockfile)")
|
||||
return 0
|
||||
|
||||
pkg = json.loads(pkg_path.read_text(encoding = "utf-8"))
|
||||
policy = pkg.get("allowScripts")
|
||||
if not isinstance(policy, dict) or not policy:
|
||||
print("sync-allow-scripts: no allowScripts policy in package.json, nothing to do")
|
||||
return 0
|
||||
|
||||
lock = json.loads(lock_path.read_text(encoding = "utf-8"))
|
||||
renames = compute_renames(policy, script_versions_from_lock(lock))
|
||||
|
||||
if not renames:
|
||||
print(f"sync-allow-scripts: {len(policy)} allowScripts entries in sync with the lockfile")
|
||||
return 0
|
||||
|
||||
for old, new in renames.items():
|
||||
print(f' stale pin: "{old}" -> "{new}"')
|
||||
|
||||
if args.check:
|
||||
print(
|
||||
"sync-allow-scripts: pins are stale; run "
|
||||
"`python scripts/sync_allow_scripts_pins.py --fix` and commit the result"
|
||||
)
|
||||
return 1
|
||||
|
||||
pkg["allowScripts"] = {renames.get(k, k): v for k, v in policy.items()}
|
||||
pkg_path.write_text(json.dumps(pkg, indent = 2, ensure_ascii = False) + "\n", encoding = "utf-8")
|
||||
print(
|
||||
f"sync-allow-scripts: re-pinned {len(renames)} entr{'y' if len(renames) == 1 else 'ies'} in {pkg_path}"
|
||||
)
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
||||
141
tests/studio/test_sync_allow_scripts_pins.py
Normal file
141
tests/studio/test_sync_allow_scripts_pins.py
Normal file
|
|
@ -0,0 +1,141 @@
|
|||
#!/usr/bin/env python3
|
||||
"""Offline tests for scripts/sync_allow_scripts_pins.py."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import sys
|
||||
import tempfile
|
||||
from pathlib import Path
|
||||
|
||||
REPO_ROOT = Path(__file__).resolve().parents[2]
|
||||
sys.path.insert(0, str(REPO_ROOT / "scripts"))
|
||||
|
||||
import sync_allow_scripts_pins as sync # noqa: E402
|
||||
|
||||
|
||||
def write_fixture(tmp: Path, policy: dict, lock_packages: dict) -> None:
|
||||
(tmp / "package.json").write_text(
|
||||
json.dumps(
|
||||
{
|
||||
"name": "fixture",
|
||||
"dependencies": {"a": "^1.0.0"},
|
||||
"allowScripts": policy,
|
||||
},
|
||||
indent = 2,
|
||||
)
|
||||
+ "\n"
|
||||
)
|
||||
(tmp / "package-lock.json").write_text(
|
||||
json.dumps(
|
||||
{
|
||||
"lockfileVersion": 3,
|
||||
"packages": lock_packages,
|
||||
}
|
||||
)
|
||||
+ "\n"
|
||||
)
|
||||
|
||||
|
||||
LOCK = {
|
||||
"": {"name": "fixture"},
|
||||
"node_modules/@biomejs/biome": {"version": "1.9.9", "hasInstallScript": True},
|
||||
"node_modules/msw": {"version": "2.15.0", "hasInstallScript": True},
|
||||
"node_modules/vite/node_modules/fsevents": {"version": "2.3.3", "hasInstallScript": True},
|
||||
"node_modules/clean": {"version": "3.0.0"},
|
||||
}
|
||||
|
||||
|
||||
def test_split_spec():
|
||||
assert sync.split_spec("fsevents") == ("fsevents", None)
|
||||
assert sync.split_spec("@biomejs/biome") == ("@biomejs/biome", None)
|
||||
assert sync.split_spec("@biomejs/biome@1.9.4") == ("@biomejs/biome", "1.9.4")
|
||||
assert sync.split_spec("msw@2.14.3 || 2.15.0") == ("msw", "2.14.3 || 2.15.0")
|
||||
|
||||
|
||||
def test_in_sync_is_clean():
|
||||
with tempfile.TemporaryDirectory() as d:
|
||||
tmp = Path(d)
|
||||
write_fixture(
|
||||
tmp,
|
||||
{
|
||||
"@biomejs/biome@1.9.9": True,
|
||||
"msw@2.15.0": True,
|
||||
"fsevents": True,
|
||||
},
|
||||
LOCK,
|
||||
)
|
||||
assert sync.main(["--check", "--dir", str(tmp)]) == 0
|
||||
|
||||
|
||||
def test_stale_pin_fails_check_and_fix_repairs():
|
||||
with tempfile.TemporaryDirectory() as d:
|
||||
tmp = Path(d)
|
||||
write_fixture(
|
||||
tmp,
|
||||
{
|
||||
"@biomejs/biome@1.9.4": True, # stale, bumped to 1.9.9
|
||||
"msw@2.14.3": False, # stale denial, bumped to 2.15.0
|
||||
"fsevents": True, # bare: never stale
|
||||
"ghost@9.9.9": True, # not in lockfile: left alone
|
||||
"weird@*": True, # non-exact spec: left alone
|
||||
},
|
||||
LOCK,
|
||||
)
|
||||
assert sync.main(["--check", "--dir", str(tmp)]) == 1
|
||||
assert sync.main(["--fix", "--dir", str(tmp)]) == 0
|
||||
got = json.loads((tmp / "package.json").read_text())["allowScripts"]
|
||||
assert got == {
|
||||
"@biomejs/biome@1.9.9": True,
|
||||
"msw@2.15.0": False, # value and key order preserved
|
||||
"fsevents": True,
|
||||
"ghost@9.9.9": True,
|
||||
"weird@*": True,
|
||||
}
|
||||
assert list(got) == [
|
||||
"@biomejs/biome@1.9.9",
|
||||
"msw@2.15.0",
|
||||
"fsevents",
|
||||
"ghost@9.9.9",
|
||||
"weird@*",
|
||||
]
|
||||
assert sync.main(["--check", "--dir", str(tmp)]) == 0
|
||||
|
||||
|
||||
def test_multi_version_disjunction():
|
||||
lock = dict(LOCK)
|
||||
lock["node_modules/x/node_modules/msw"] = {"version": "2.14.3", "hasInstallScript": True}
|
||||
with tempfile.TemporaryDirectory() as d:
|
||||
tmp = Path(d)
|
||||
write_fixture(tmp, {"msw@2.14.3": True}, lock)
|
||||
assert sync.main(["--fix", "--dir", str(tmp)]) == 0
|
||||
got = json.loads((tmp / "package.json").read_text())["allowScripts"]
|
||||
assert got == {"msw@2.14.3 || 2.15.0": True}
|
||||
|
||||
|
||||
def test_no_policy_is_noop():
|
||||
with tempfile.TemporaryDirectory() as d:
|
||||
tmp = Path(d)
|
||||
(tmp / "package.json").write_text(json.dumps({"name": "fixture"}) + "\n")
|
||||
(tmp / "package-lock.json").write_text(json.dumps({"packages": {}}) + "\n")
|
||||
before = (tmp / "package.json").read_text()
|
||||
assert sync.main(["--fix", "--dir", str(tmp)]) == 0
|
||||
assert (tmp / "package.json").read_text() == before
|
||||
|
||||
|
||||
def test_missing_files_is_noop():
|
||||
with tempfile.TemporaryDirectory() as d:
|
||||
assert sync.main(["--check", "--dir", d]) == 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
failures = 0
|
||||
for name, fn in sorted(globals().items()):
|
||||
if name.startswith("test_") and callable(fn):
|
||||
try:
|
||||
fn()
|
||||
print(f"PASS {name}")
|
||||
except AssertionError as e:
|
||||
failures += 1
|
||||
print(f"FAIL {name}: {e}")
|
||||
sys.exit(1 if failures else 0)
|
||||
Loading…
Add table
Add a link
Reference in a new issue