Fix lockfile path resolution and add comprehensive edge case tests

justin808 · claude · justin808 · commit 75d0552b2aff · 2025-11-02T15:33:41.000-10:00
Path Resolution Fixes: - Fix lockfile path construction to look in same directory as package.json - Use base_dir from node_modules_location instead of File.dirname - Prevent resolving to filesystem root when node_modules_location is empty - Ensure lockfiles are found next to package.json as expected Package-lock.json v1 Fix: - Fix dependency_data type checking (can be Hash or String in v1) - Use is_a?(Hash) check before calling key? method New Test Coverage: - Similar package names (react-on-rails vs react-on-rails-pro) - Package-lock.json v1 format parsing - Malformed yarn.lock handling (graceful fallback) - Malformed package-lock.json handling (graceful fallback) The regex pattern ^"?package-name@ already ensures exact matching because @ is the delimiter, preventing "react-on-rails" from matching "react-on-rails-pro". Added test to verify this behavior. All 65 tests passing. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/react_on_rails/version_checker.rb b/lib/react_on_rails/version_checker.rb
@@ -225,13 +225,17 @@ def self.package_json_path
       end
 
       def self.yarn_lock_path
-        lockfile_dir = File.dirname(Rails.root.join(ReactOnRails.configuration.node_modules_location).to_s)
-        File.join(lockfile_dir, "yarn.lock")
+        # Lockfiles are in the same directory as package.json
+        # If node_modules_location is empty, use Rails.root
+        base_dir = ReactOnRails.configuration.node_modules_location.presence || ""
+        Rails.root.join(base_dir, "yarn.lock").to_s
       end
 
       def self.package_lock_path
-        lockfile_dir = File.dirname(Rails.root.join(ReactOnRails.configuration.node_modules_location).to_s)
-        File.join(lockfile_dir, "package-lock.json")
+        # Lockfiles are in the same directory as package.json
+        # If node_modules_location is empty, use Rails.root
+        base_dir = ReactOnRails.configuration.node_modules_location.presence || ""
+        Rails.root.join(base_dir, "package-lock.json").to_s
       end
 
       def initialize(package_json, yarn_lock = nil, package_lock = nil)
@@ -355,13 +359,17 @@ def resolve_version(package_json_version, package_name)
       # Looks for entries like:
       #   react-on-rails@^16.1.1:
       #     version "16.1.1"
+      # The pattern ensures exact package name match to avoid matching similar names
+      # (e.g., "react-on-rails" won't match "react-on-rails-pro")
       # rubocop:disable Metrics/CyclomaticComplexity
       def version_from_yarn_lock(package_name)
         return nil unless yarn_lock && File.exist?(yarn_lock)
 
         in_package_block = false
         File.foreach(yarn_lock) do |line|
           # Check if we're starting the block for our package
+          # Pattern: optionally quoted package name, followed by @, ensuring it's not followed by more word chars
+          # This prevents "react-on-rails" from matching "react-on-rails-pro"
           if line.match?(/^"?#{Regexp.escape(package_name)}@/)
             in_package_block = true
             next
@@ -403,7 +411,8 @@ def version_from_package_lock(package_name)
           # Fall back to v1 format (dependencies)
           if parsed["dependencies"]
             dependency_data = parsed["dependencies"][package_name]
-            return dependency_data["version"] if dependency_data&.key?("version")
+            # In v1, the dependency can be a hash with a "version" key
+            return dependency_data["version"] if dependency_data.is_a?(Hash) && dependency_data.key?("version")
           end
         rescue JSON::ParserError
           # If we can't parse the lockfile, fall back to package.json version
diff --git a/spec/react_on_rails/fixtures/malformed_package-lock.txt b/spec/react_on_rails/fixtures/malformed_package-lock.txt
@@ -0,0 +1,5 @@
+{
+  "name": "test-app",
+  "version": "1.0.0",
+  "this is not valid JSON because of the trailing comma",
+}
diff --git a/spec/react_on_rails/fixtures/malformed_yarn.lock b/spec/react_on_rails/fixtures/malformed_yarn.lock
@@ -0,0 +1,5 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+This is not a valid yarn.lock format
+Just some random text here
diff --git a/spec/react_on_rails/fixtures/semver_caret_package-lock_v1.json b/spec/react_on_rails/fixtures/semver_caret_package-lock_v1.json
@@ -0,0 +1,23 @@
+{
+  "name": "test-app",
+  "version": "1.0.0",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "babel": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/babel/-/babel-6.23.0.tgz",
+      "integrity": "sha1-0NHn2APpdHZb7qMjLU4VPA77kPQ="
+    },
+    "react-on-rails": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/react-on-rails/-/react-on-rails-1.2.3.tgz",
+      "integrity": "sha512-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz="
+    },
+    "webpack": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-1.15.0.tgz",
+      "integrity": "sha1-v4SbvGJWkYqkKVBKjNJlJQQNqZg="
+    }
+  }
+}
diff --git a/spec/react_on_rails/fixtures/similar_packages_package.json b/spec/react_on_rails/fixtures/similar_packages_package.json
@@ -0,0 +1,6 @@
+{
+  "dependencies": {
+    "react-on-rails": "^1.2.3",
+    "react-on-rails-pro": "^16.1.1"
+  }
+}
diff --git a/spec/react_on_rails/fixtures/similar_packages_yarn.lock b/spec/react_on_rails/fixtures/similar_packages_yarn.lock
@@ -0,0 +1,13 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+react-on-rails-pro@^16.1.1:
+  version "16.1.1"
+  resolved "https://registry.yarnpkg.com/react-on-rails-pro/-/react-on-rails-pro-16.1.1.tgz"
+  integrity sha512-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz=
+
+react-on-rails@^1.2.3:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/react-on-rails/-/react-on-rails-1.2.3.tgz"
+  integrity sha512-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz=
diff --git a/spec/react_on_rails/version_checker_spec.rb b/spec/react_on_rails/version_checker_spec.rb
@@ -441,13 +441,37 @@ def check_version_and_raise(node_package_version)
           end
         end
 
-        context "with semver caret in package.json and package-lock.json" do
+        context "with similar package names in yarn.lock" do
+          let(:package_json) { File.expand_path("fixtures/similar_packages_package.json", __dir__) }
+          let(:yarn_lock) { File.expand_path("fixtures/similar_packages_yarn.lock", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, yarn_lock, nil) }
+
+          describe "#raw" do
+            it "returns exact version for react-on-rails-pro, not react-on-rails" do
+              expect(node_package_version.raw).to eq("16.1.1")
+            end
+          end
+        end
+
+        context "with semver caret in package.json and package-lock.json v2" do
           let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
           let(:package_lock) { File.expand_path("fixtures/semver_caret_package-lock.json", __dir__) }
           let(:node_package_version) { described_class.new(package_json, nil, package_lock) }
 
           describe "#raw" do
-            it "returns exact version from package-lock.json instead of semver range" do
+            it "returns exact version from package-lock.json v2 instead of semver range" do
+              expect(node_package_version.raw).to eq("1.2.3")
+            end
+          end
+        end
+
+        context "with semver caret in package.json and package-lock.json v1" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:package_lock) { File.expand_path("fixtures/semver_caret_package-lock_v1.json", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, nil, package_lock) }
+
+          describe "#raw" do
+            it "returns exact version from package-lock.json v1 instead of semver range" do
               expect(node_package_version.raw).to eq("1.2.3")
             end
           end
@@ -512,6 +536,30 @@ def check_version_and_raise(node_package_version)
             end
           end
         end
+
+        context "with malformed yarn.lock" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:yarn_lock) { File.expand_path("fixtures/malformed_yarn.lock", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, yarn_lock, nil) }
+
+          describe "#raw" do
+            it "falls back to package.json version when yarn.lock is malformed" do
+              expect(node_package_version.raw).to eq("^1.2.3")
+            end
+          end
+        end
+
+        context "with malformed package-lock.json" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:package_lock) { File.expand_path("fixtures/malformed_package-lock.txt", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, nil, package_lock) }
+
+          describe "#raw" do
+            it "falls back to package.json version when package-lock.json is malformed" do
+              expect(node_package_version.raw).to eq("^1.2.3")
+            end
+          end
+        end
       end
 
       describe "Pro package detection" do
