From 4be097c99aefb46cdf7766b6b6c274a0bbb667fa Mon Sep 17 00:00:00 2001 From: Gabor Greif Date: Tue, 21 Apr 2026 20:17:17 +0200 Subject: [PATCH] fix(integrity): dedupe packageIds when counting resolved packages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `getResolvedMopsPackageIds()` produces one entry per dependency-table row, including alias rows like `base`, `base@0`, `base@0.16` all resolving to the same `base@0.16.0`. The subsequent length comparison against `Object.keys(lockFileJson.hashes).length` then fails — the hashes object is naturally deduplicated by its packageId keys, so the two counts diverge by the number of alias duplicates. Compare unique packageId counts via `Set` to match the lock file's semantics. Fixes #506 Co-Authored-By: Claude Opus 4.7 (1M context) --- cli/integrity.ts | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/cli/integrity.ts b/cli/integrity.ts index 181f223d..cad01c34 100644 --- a/cli/integrity.ts +++ b/cli/integrity.ts @@ -267,11 +267,16 @@ export async function checkLockFile(force = false) { } } - // check number of packages - if (Object.keys(lockFileJson.hashes).length !== packageIds.length) { + // check number of packages — packageIds can contain duplicates when + // multiple aliases (e.g. `base`, `base@0`, `base@0.16`) resolve to the + // same package@version, while lockFileJson.hashes is keyed by packageId + // and naturally deduplicated. Compare unique counts to avoid a spurious + // mismatch. + let uniquePackageIdCount = new Set(packageIds).size; + if (Object.keys(lockFileJson.hashes).length !== uniquePackageIdCount) { console.error("Integrity check failed"); console.error( - `Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(packageIds.length)}`, + `Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(uniquePackageIdCount)}`, ); process.exit(1); }