fix: prevent package name cross-contamination with word boundaries

- Fix critical regex bug where 'zip' would match 'unzip' causing wrong version updates
- Add word boundaries (\b) to package regex in dependency file parser
- Prevent 'unzip: ^6.0' from being overwritten with 'zip' version (3.0.0)
- Add comprehensive tests for package name disambiguation
- Covers edge cases like vue/vue-router and other similar package names
- Resolves issue where constraint preservation failed due to substring matching

Fixes: unzip: ^6.0 → ^3.0.0 (wrong) now correctly becomes unzip: ^6.0 → ^6.0.0

Author: chrisbbreuer

src/buddy.ts

@@ -328,7 +328,7 @@ export class Buddy {
         // Use ts-pkgx to resolve latest versions
         const resolved = await resolveDependencyFile(file.path)
 
-        for (const dep of resolved.allDependencies || []) {
+                for (const dep of resolved.allDependencies || []) {
           // Compare constraint version with resolved version
           if (dep.constraint !== dep.version && dep.version) {
             // Extract version prefix (^, ~, >=, etc.) from constraint

src/utils/dependency-file-parser.ts

@@ -141,8 +141,9 @@ export async function updateDependencyFile(filePath: string, content: string, up
 
       // Create regex to find the package line and update its version
       // Handle various YAML formats: "package: version", "package:version", "  package: ^version"
+      // Use word boundaries to prevent partial matches (e.g., "zip" matching "unzip")
       const packageRegex = new RegExp(
-        `(\\s*${cleanPackageName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\s*:\\s*)([^\\n\\r]*)`,
+        `(\\s*\\b${cleanPackageName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\b\\s*:\\s*)([^\\n\\r]*)`,
         'g',
       )
 

test/dependency-file-parser.test.ts

@@ -494,4 +494,73 @@ devDependencies:
       expect(result[0].type).toBe('update')
     })
   })
+
+  describe('updateDependencyFile - package name disambiguation', () => {
+    it('should correctly update similar package names without cross-contamination', async () => {
+      const content = `dependencies:
+  zip: ^3.0
+  unzip: ^6.0
+  node: ^22.12.0`
+
+      const updates: PackageUpdate[] = [
+        {
+          name: 'zip',
+          currentVersion: '^3.0',
+          newVersion: '3.0.0',
+          updateType: 'patch',
+          dependencyType: 'dependencies',
+          file: 'deps.yaml',
+          metadata: undefined,
+        },
+        {
+          name: 'unzip',
+          currentVersion: '^6.0',
+          newVersion: '6.0.0',
+          updateType: 'patch',
+          dependencyType: 'dependencies',
+          file: 'deps.yaml',
+          metadata: undefined,
+        },
+      ]
+
+      const result = await updateDependencyFile('deps.yaml', content, updates)
+
+      // Should preserve constraints and update to correct versions
+      expect(result).toContain('zip: ^3.0.0')
+      expect(result).toContain('unzip: ^6.0.0')
+      
+      // Should NOT have cross-contamination (wrong packages having wrong versions)
+      expect(result).not.toContain('unzip: ^3.0.0')
+      expect(result).not.toMatch(/^\s*zip: \^6\.0\.0/m)
+      
+      // Should preserve other packages unchanged
+      expect(result).toContain('node: ^22.12.0')
+    })
+
+    it('should handle packages with shared substrings correctly', async () => {
+      const content = `dependencies:
+  vue: ^3.0.0
+  vue-router: ^4.0.0
+  @vue/compiler-sfc: ^3.0.0`
+
+      const updates: PackageUpdate[] = [
+        {
+          name: 'vue',
+          currentVersion: '^3.0.0',
+          newVersion: '3.5.0',
+          updateType: 'minor',
+          dependencyType: 'dependencies',
+          file: 'deps.yaml',
+          metadata: undefined,
+        },
+      ]
+
+      const result = await updateDependencyFile('deps.yaml', content, updates)
+
+      // Should only update 'vue', not 'vue-router' or '@vue/compiler-sfc'
+      expect(result).toContain('vue: ^3.5.0')
+      expect(result).toContain('vue-router: ^4.0.0')
+      expect(result).toContain('@vue/compiler-sfc: ^3.0.0')
+    })
+  })
 })