Scope dependency tickets by ecosystem to prevent cross-registry merges #50
Open
stevelandeydescript wants to merge 1 commit into main from
Conversation
When an npm package and a PyPI package share the same name (e.g., "braintrust"), they were merged into a single ticket with a nonsensical mixed target version. The root cause was that both issue reconcilers keyed their internal dedup maps by package name alone, even though mergeProviderDependencies() already correctly keys by ecosystem::name.

The fix has three parts:

Ticket titles now include an ecosystem tag: "[Dependicus] [npm] Update braintrust from 0.1.0 to 3.9.0". extractDependencyNameFromTitle parses the tag and returns "npm::braintrust" as the dependency identity.

Internal maps in both the Linear and GitHub reconcilers now key by ecosystem::name, so same-name packages from different registries produce separate tickets.

A findExistingIssue helper provides backward compatibility: it tries the qualified key first, then falls back to the bare name. Old issues (without ecosystem tags) get updated in place rather than closed and recreated. The first ecosystem to claim an old issue wins; other ecosystems get new properly-scoped issues.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
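The identity scheme and the migration fallback described in the PR text, as an added TypeScript example. This is not Dependicus's own code: the function names mirror the description, but their signatures, the title regex, the issue shape and the claim order are assumptions, and the dependencies and legacy issue below are constructed sample input.

```typescript
// Added illustration of the ecosystem::name identity scheme; not Dependicus's own
// code. Names follow the PR description, signatures and details are assumptions.

export type Ecosystem = "npm" | "pypi" | "cargo" | "go";

export interface OutdatedDependency {
  ecosystem: Ecosystem;
  name: string;
  current: string;
  latest: string;
}

export interface Issue {
  id: string;
  title: string;
  open: boolean;
}

const TITLE_PREFIX = "[Dependicus]";
// Tagged: "[Dependicus] [npm] Update braintrust from 0.1.0 to 3.9.0"
// Legacy: "[Dependicus] Update braintrust from 0.1.0 to 3.9.0"
const TITLE_RE = /^\[Dependicus\](?: \[([a-z0-9_-]+)\])? Update (\S+) from \S+ to \S+$/;

/** Dependency identity: the registry is part of the key, so npm and PyPI never collide. */
export function dependencyKey(ecosystem: string, name: string): string {
  return `${ecosystem}::${name}`;
}

/** Builds the ticket title, prefixing the ecosystem tag unless told not to. */
export function buildTicketTitle(dep: OutdatedDependency, tagEcosystem = true): string {
  const tag = tagEcosystem ? ` [${dep.ecosystem}]` : "";
  return `${TITLE_PREFIX}${tag} Update ${dep.name} from ${dep.current} to ${dep.latest}`;
}

/** "npm::braintrust" for a tagged title, the bare name for a legacy one, null for anything else. */
export function extractDependencyNameFromTitle(title: string): string | null {
  const m = TITLE_RE.exec(title);
  if (!m) return null;
  const [, ecosystem, name] = m;
  return ecosystem ? dependencyKey(ecosystem, name) : name;
}

/** Qualified key first; fall back to the bare name so a pre-tag issue is updated, not recreated. */
export function findExistingIssue(existing: Map<string, Issue>, dep: OutdatedDependency): Issue | undefined {
  return existing.get(dependencyKey(dep.ecosystem, dep.name)) ?? existing.get(dep.name);
}

/** The pre-fix keying, kept for contrast: both registries land in one slot and the last writer wins. */
export function dedupByBareName(deps: OutdatedDependency[]): Map<string, OutdatedDependency> {
  const m = new Map<string, OutdatedDependency>();
  for (const dep of deps) m.set(dep.name, dep);
  return m;
}

export function reconcile(deps: OutdatedDependency[], issues: Issue[]): { created: Issue[]; updated: Issue[] } {
  // "Existing issue" map, keyed by the identity parsed from the title: qualified when tagged, bare when legacy.
  const existing = new Map<string, Issue>();
  for (const issue of issues) {
    const key = issue.open ? extractDependencyNameFromTitle(issue.title) : null;
    if (key) existing.set(key, issue);
  }
  // "Outdated dependency" map, keyed by ecosystem::name, so same-name packages stay distinct.
  const outdated = new Map<string, OutdatedDependency>();
  for (const dep of deps) outdated.set(dependencyKey(dep.ecosystem, dep.name), dep);

  const created: Issue[] = [];
  const updated: Issue[] = [];
  let nextId = issues.length + 1;
  // Insertion order decides which ecosystem reaches a legacy issue first (assumption: input order).
  for (const [key, dep] of outdated) {
    const title = buildTicketTitle(dep);
    const match = findExistingIssue(existing, dep);
    if (match) {
      updated.push({ ...match, title }); // retagged in place, not closed and recreated
      // Release every key pointing at the claimed issue so a second ecosystem cannot also match it.
      for (const [k, v] of existing) if (v === match) existing.delete(k);
    } else {
      const issue: Issue = { id: `new-${nextId++}`, title, open: true };
      created.push(issue);
      existing.set(key, issue);
    }
  }
  return { created, updated };
}

// Constructed sample: the same name on two registries, plus one untagged issue from before the change.
export const SAMPLE_DEPS: OutdatedDependency[] = [
  { ecosystem: "npm", name: "braintrust", current: "0.1.0", latest: "3.9.0" },
  { ecosystem: "pypi", name: "braintrust", current: "0.0.50", latest: "0.3.1" },
];
export const SAMPLE_ISSUES: Issue[] = [
  { id: "DEP-1", title: "[Dependicus] Update braintrust from 0.1.0 to 2.0.0", open: true },
];

export function demo(): { created: Issue[]; updated: Issue[] } {
  return reconcile(SAMPLE_DEPS, SAMPLE_ISSUES);
}
```

Running demo() shows the migration path: the npm entry reaches the legacy "braintrust" issue first and updates it in place with the tagged title, and the PyPI entry, finding no qualified match and no bare-name match left, gets its own new issue. dedupByBareName() on the same input collapses both registries into one map slot, which is the collision the PR fixes; a single ticket carrying the other registry's version is a bad input for whatever later acts on it.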
Note: Medium Risk
Changes issue deduplication and matching logic in both GitHub and Linear reconcilers, which could affect whether issues are updated vs created/closed if keying or title parsing is wrong. Backward-compat fallback matching and added tests reduce risk but behavior changes in production issue management.
Overview
Prevents same-name packages from different registries (e.g., npm vs PyPI) from being merged into a single Dependicus ticket by scoping dependency identity to ecosystem::name end-to-end. Ticket titles now include an ecosystem tag (e.g., [npm] ...), extractDependencyNameFromTitle can parse the new tagged format, and buildTicketTitle optionally prefixes titles with the ecosystem. Both the GitHub and Linear issue reconcilers now key their internal "outdated dependency" and "existing issue" maps by ecosystem::name, while a new findExistingIssue fallback lets previously-created untagged issues be updated in place instead of being recreated. Tests were added to assert cross-ecosystem separation and migration behavior.

Reviewed by Cursor Bugbot for commit d46128a.