Skip to content

formula_auditor: reject claude-agent-sdk#21804

Merged
cho-m merged 1 commit intomainfrom
formula_auditor-claude-agent-sdk
Mar 23, 2026
Merged

formula_auditor: reject claude-agent-sdk#21804
cho-m merged 1 commit intomainfrom
formula_auditor-claude-agent-sdk

Conversation

@cho-m
Copy link
Copy Markdown
Member

@cho-m cho-m commented Mar 22, 2026
edited
Loading

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?
  • AI was used to generate or assist with generating this PR. Please specify below how you used AI to help you, and what steps you have taken to manually verify the changes.

Audit to detect

Example output after brew install promptfoo with timing (run in Linux container):

$ time (brew audit --only node_modules promptfoo)
promptfoo
  * Formula promptfoo uses @anthropic-ai/claude-agent-sdk which has an incompatible license.
    All installed npm dependencies must satisfy https://docs.brew.sh/License-Guidelines
Error: 1 problem in 1 formula detected.

real	0m2.998s
user	0m2.186s
sys	0m0.876s

Using an array to extend this with other npm packages.

Future ideas

In future, may consider moving this to a JSON file we store in Homebrew/core so it can be implemented as a tap-specific blacklist. Then can also be used in 3rd-party taps to detect unwanted dependencies.

And in further future, may want to analyze SPDX licenses of all installed npm packages to automatically detect disallowed licenses. May need a whitelist in this case when an npm package doesn't use SPDX.

Copilot AI review requested due to automatic review settings March 22, 2026 17:51
Copilot AI reviewed Mar 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new FormulaAuditor audit to detect disallowed npm dependencies (starting with @anthropic-ai/claude-agent-sdk) in installed node_modules trees for core formulae, with accompanying RSpec coverage.

Changes:

  • Introduce FormulaAuditor#audit_node_modules to scan libexec/lib/node_modules for incompatible npm packages in homebrew/core.
  • Emit an audit problem directing maintainers to Homebrew’s license guidelines when a rejected package is found.
  • Add unit tests covering direct, nested, and dot-directory (.pnpm-style) locations, plus core/non-core behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
Library/Homebrew/formula_auditor.rb Adds a new audit_node_modules audit that searches installed node_modules for a rejected package and reports a license-guidelines error.
Library/Homebrew/test/formula_auditor_spec.rb Adds specs validating detection/skip behavior for the new audit_node_modules audit across common directory layouts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

MikeMcQuaid
MikeMcQuaid approved these changes Mar 22, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, thanks!

@cho-m cho-m added this pull request to the merge queue Mar 23, 2026
Merged via the queue into main with commit 894a3d2 Mar 23, 2026
46 checks passed
@cho-m cho-m deleted the formula_auditor-claude-agent-sdk branch March 23, 2026 03:26
some67086-del

This comment was marked as spam.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

@krehel krehel krehel approved these changes

@bevanjkay bevanjkay bevanjkay approved these changes

+1 more reviewer

@some67086-del some67086-del some67086-del left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@cho-m @MikeMcQuaid @krehel @bevanjkay @some67086-del