fix(cli): doctor resolves @opencodehub/sarif as installed pkg, not monorepo path #164
Merged
…norepo path The sarif-build doctor check probed <repoRoot>/packages/sarif/dist, where repoRoot is guessRepoRoot()'s 4-dirs-up monorepo guess. On a customer npm install there is no packages/sarif/ tree — @opencodehub/sarif is a normal prebuilt node_modules dep — so the check always WARNed 'not built yet' and told end users to run 'pnpm -r build', which is nonsensical for an installed copy. Resolve the installed package first via import.meta.resolve (sarif's exports map declares only the 'import' condition, so createRequire().resolve throws ERR_PACKAGE_PATH_NOT_EXPORTED — same precedent as resolveVendorWasmsDir). Keep the packages/sarif/dist probe as the monorepo source-checkout fallback, the only context where the 'pnpm -r build' hint is correct. Adds a regression test: with a bogus repoRoot (kills the source fallback) the check still reports ok against the real installed package.
theagenticguy pushed a commit that referenced this pull request May 29, 2026
🤖 Automated release via release-please

---

<details><summary>cli: 0.5.5</summary>

## [0.5.5](cli-v0.5.4...cli-v0.5.5) (2026-05-29)

### Bug Fixes

* **cli:** doctor resolves @opencodehub/sarif as installed pkg, not monorepo path ([#164](#164)) ([2b2b389](2b2b389))
* **scanners:** uv-first bandit[sarif] install + pip-audit pyproject.toml support ([#166](#166)) ([5ad02d8](5ad02d8))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/mcp bumped to 0.4.4
    * @opencodehub/scanners bumped to 0.2.2

</details>

<details><summary>mcp: 0.4.4</summary>

## [0.4.4](mcp-v0.4.3...mcp-v0.4.4) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/scanners bumped to 0.2.2

</details>

<details><summary>scanners: 0.2.2</summary>

## [0.2.2](scanners-v0.2.1...scanners-v0.2.2) (2026-05-29)

### Bug Fixes

* **scanners:** uv-first bandit[sarif] install + pip-audit pyproject.toml support ([#166](#166)) ([5ad02d8](5ad02d8))

</details>

<details><summary>root: 0.6.6</summary>

## [0.6.6](root-v0.6.5...root-v0.6.6) (2026-05-29)

### Bug Fixes

* **cli:** doctor resolves @opencodehub/sarif as installed pkg, not monorepo path ([#164](#164)) ([2b2b389](2b2b389))
* **scanners:** uv-first bandit[sarif] install + pip-audit pyproject.toml support ([#166](#166)) ([5ad02d8](5ad02d8))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary

`codehub doctor` reported a misleading WARN to end users:

```
│ @opencodehub/sarif build │ WARN │ @opencodehub/sarif not built yet │ run `pnpm -r build` │
```

`sarifSchemaCheck` probed `<repoRoot>/packages/sarif/dist`, where `repoRoot` is `guessRepoRoot()`'s 4-dirs-up monorepo guess. On a customer `npm i -g @opencodehub/cli` install there is no `packages/sarif/` tree — `@opencodehub/sarif` is a normal prebuilt `node_modules` dependency — so `stat` always threw and the check WARNed "not built yet", telling end users to run `pnpm -r build`. That command is nonsensical for an installed copy.

This was the last workspace-package doctor check still hard-coded to the monorepo layout. The native-binding checks (`duckdb`, `lbug`) already resolve the installed package via `resolveFromRoot`/`createRequire`; vendored wasms via `resolveVendorWasmsDir`/`import.meta.resolve`. This check was missed.

Fix

* `@opencodehub/sarif`'s ESM entry via `import.meta.resolve` and confirm it exists on disk. (sarif's `exports` map declares only the `import` condition, so `createRequire().resolve()` throws `ERR_PACKAGE_PATH_NOT_EXPORTED` — same reason `resolveVendorWasmsDir` uses `import.meta.resolve`.) A resolvable prebuilt entry → `ok`.
* `packages/sarif/dist` probe; this is the only context where the `pnpm -r build` hint is correct.

Test plan

* `repoRoot` (kills the source fallback), the check still reports `ok` against the real installed package — proving installed-package resolution.
* `node --test` doctor suite: 17/17 pass (dev + compiled `dist`)
* `@opencodehub/cli` suite: 263/263 pass
* `tsc --noEmit` workspace: clean
* `biome check` on changed files: clean
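
The resolution behaviour this description relies on, as an added example that is not part of the pull request or the project's code: it builds a throwaway package (constructed name `@example/import-only`) whose `exports` map declares only the `import` condition, then compares `createRequire().resolve()` with `import.meta.resolve`. It assumes a Node.js release where `import.meta.resolve` is synchronous and unflagged; `makeFixture` and `probeResolution` are hypothetical names.

```javascript
// Added illustration: package name, layout and helper names are constructed.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { createRequire } = require('node:module');
const { execFileSync } = require('node:child_process');
const { fileURLToPath } = require('node:url');

// Build <tmp>/node_modules/@example/import-only with an import-only exports map.
function makeFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'resolve-demo-'));
  const pkgDir = path.join(root, 'node_modules', '@example', 'import-only');
  fs.mkdirSync(path.join(pkgDir, 'dist'), { recursive: true });
  fs.writeFileSync(path.join(pkgDir, 'package.json'), JSON.stringify({
    name: '@example/import-only', version: '0.0.0', type: 'module',
    exports: { '.': { import: './dist/index.js' } },
  }));
  fs.writeFileSync(path.join(pkgDir, 'dist', 'index.js'), 'export default 1;\n');
  // ESM probe placed inside the tree so the bare specifier resolves from there.
  fs.writeFileSync(path.join(root, 'probe.mjs'),
    "process.stdout.write(import.meta.resolve('@example/import-only'));\n");
  return root;
}

function probeResolution() {
  const root = makeFixture();
  try {
    let cjsError = null;
    try {
      // CommonJS resolution asks for the "require" condition, which is absent.
      createRequire(path.join(root, 'probe.cjs')).resolve('@example/import-only');
    } catch (err) {
      cjsError = err.code;
    }
    // ESM resolution asks for the "import" condition and gets a file: URL back.
    const url = execFileSync(process.execPath, [path.join(root, 'probe.mjs')],
      { encoding: 'utf8' });
    const entry = fileURLToPath(url);
    return {
      cjsError,
      esmEntry: path.relative(fs.realpathSync(root), fs.realpathSync(entry)),
      entryExists: fs.existsSync(entry), // the on-disk confirmation step
    };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```
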