fix: modernize dependency scripts for current tool versions#189
Merged
Conversation
Chocolatey.ps1 (fixes #187): - Use 'choco search' for remote version queries; 'choco list' stopped querying remote sources in Chocolatey 2.0 and rejects URL sources - Version-gate --local-only via new Get-ChocoVersion helper (flag was removed in Chocolatey 2.0) - Default Source and install script to community.chocolatey.org - Fix undefined $scriptUrl in bootstrap catch block - Use Test-VersionEquality for explicit-version checks and TryParse for latest checks (raw [System.Version] casts throw on prerelease) GitHub.ps1: - Replace COM shell.application zip extraction with Expand-Archive (module floor is PS 5.1) - Suppress New-Item pipeline leak into the script output stream PSGalleryNuget.ps1: - Replace lexical string version comparison with typed SemanticVersion/Version TryParse ("10.0.0" -le "9.0.0" is true as strings, causing needless reinstalls) FileSystem.ps1: - Fix operator precedence in missing-source check (-not $array -like evaluated to always-false, error never surfaced) - Add documented Force/Mirror parameters missing from the param block (Parameters splat was a binding error) - Normalize action checks from -like to -contains Task.ps1: - Honor documented Target field (code only read Source, so documented usage silently ran zero tasks) Git.ps1: return after "git not found" error instead of invoking git anyway Command.ps1: fix loop variable in verbose output; document FailOnError Npm.ps1: remove dead $PackageListArguments; use Join-Path for target Tests updated for the new choco list/search contract with regression coverage for 1.x vs 2.x flag detection, and the new default source URL. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…t items The reviewer checklist verified invocation mechanics but not whether the wrapped tool's CLI contract is still valid - the class of breakage in issue #187 (choco list changed semantics in Chocolatey 2.0) passed every existing item. Add: - External tool and endpoint currency: version-gate CLI flags across supported tool majors, prefer canonical endpoint URLs, honor Credential for rate-limited APIs, flag deprecated upstream providers - Docs-vs-code drift: documented Dependency fields must be read by the code and documented parameters must exist in the param block - Output-stream hygiene: object-emitting cmdlets must not pollute the stream that carries Test booleans - Secrets on process command lines, not just in Write-Verbose output Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Test Results 3 files 66 suites 1m 34s ⏱️ Results for commit be83442. ♻️ This comment has been updated with latest results. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR modernizes multiple PSDepend/PSDependScripts/ dependency handlers to align with current external-tool CLI behavior (notably Chocolatey 2.x), fixes several latent script bugs, and updates tests + reviewer guidance to prevent similar regressions.
Changes:
- Update Chocolatey handler for v2.x compatibility (remote queries via
search, version-gated--local-only, updated default endpoints). - Fix/modernize several other handlers (Task
TargetvsSource, GitHub extraction, version comparisons, path handling, output hygiene). - Update Pester coverage and extend the reviewer checklist to include external tool currency and output-stream hygiene checks.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| Tests/PSModuleGallery.Type.Tests.ps1 | Updates Chocolatey-related integration assertions (list vs search) and adds CLI version-gating regression coverage. |
| Tests/Chocolatey.Type.Tests.ps1 | Updates default Chocolatey feed expectation to community.chocolatey.org. |
| PSDepend/PSDependScripts/Task.ps1 | Honors Target (with Source treated as an alias) when enumerating tasks to run. |
| PSDepend/PSDependScripts/PSGalleryNuget.ps1 | Replaces string version comparisons with typed SemanticVersion/Version comparisons. |
| PSDepend/PSDependScripts/Npm.ps1 | Uses Join-Path for cross-platform-safe target building and removes dead variable. |
| PSDepend/PSDependScripts/GitHub.ps1 | Replaces COM zip extraction with Expand-Archive and suppresses New-Item pipeline output. |
| PSDepend/PSDependScripts/Git.ps1 | Stops processing immediately after reporting missing git. |
| PSDepend/PSDependScripts/FileSystem.ps1 | Adds missing parameters and corrects action checks (-contains/-notcontains). |
| PSDepend/PSDependScripts/Command.ps1 | Fixes verbose logging to reference the correct loop variable; documents FailOnError. |
| PSDepend/PSDependScripts/Chocolatey.ps1 | Implements Chocolatey 2.x compatibility changes and improves version handling (with remaining semver gap noted in comments). |
| docs/PSDependScripts-ReviewerChecklist.md | Adds reviewer checklist items around external CLI currency, output-stream hygiene, and docs-vs-code drift. |
Comments suppressed due to low confidence (2)
PSDepend/PSDependScripts/Chocolatey.ps1:20
ChocoInstallScriptUrlis a public parameter in the param block but it isn't documented in the comment-based help (.PARAMETER ...). This creates docs-vs-code drift and makesGet-Helpincomplete.
.PARAMETER Force
If specified and the package is already installed, force the install again.
.PARAMETER PSDependAction
Test, or Install the package. Defaults to Install
Test: Return true or false on whether the dependency is in place
Install: Install the dependency
PSDepend/PSDependScripts/FileSystem.ps1:113
-Forceis now a top-level parameter (and documented in help) but it isn't used to change folder install behavior. As written,-Forcehas no effect for container sources, so users can't actually get the "overwrite the target" behavior described in the help.
if ($PSDependAction -contains 'Install') {
# TODO: Add non Windows equivalent...
[string[]]$Arguments = "/XO"
$Arguments += "/E"
if ($Dependency.Parameters.Mirror -eq $True -or $Mirror) {
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Chocolatey.ps1: - Fix synopsis grammar and replace stale Chocolatey.org references with the Chocolatey community repository - Document the Dependency and ChocoInstallScriptUrl parameters - Compare "have latest" versions SemanticVersion-first so prerelease versions (e.g. 2.2.2-beta) do not fall through to a reinstall FileSystem.ps1: - Report the specific missing $Source in the error, not the whole $Sources collection - Wire the documented Force switch: drop robocopy /XO so the target is overwritten even where its copy is newer Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Member
Author
|
Addressed all review feedback in be83442:
Full suite: 425 passed / 0 failed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Review of all 16
PSDepend/PSDependScripts/handlers against modern best practices, prompted by #187. Fixes the Chocolatey 2.0 breakage plus seven other latent bugs found during the review, and extends the reviewer checklist to cover the blind spots that let #187 ship.Chocolatey 2.0 compatibility (fixes #187)
choco search—choco liststopped querying remote sources in Chocolatey 2.0 and rejects URL sources with the exact error reported in the issue.--local-onlyis version-gated via a newGet-ChocoVersionhelper: passed on 1.x (wherelistqueries remote by default), omitted on 2.x (where the flag was removed).community.chocolatey.org; fixed an undefined$scriptUrlin the bootstrap error path.Test-VersionEquality/TryParseinstead of raw string equality and[System.Version]casts that throw on prerelease versions.Other script fixes
shell.applicationzip extraction replaced withExpand-Archive(module floor is PS 5.1);New-Itempipeline leak suppressed"10.0.0" -le "9.0.0"is true as strings) replaced with typed SemVer/Version comparisonForce/Mirrorparams were absent from the param block (binding error);-likeaction checks normalized to-containsTargetbut code only readSource, so documented usage silently ran zero tasks — both now honoredFailOnErrordocumented$PackageListArgumentsremoved;Join-Pathinstead of\concatReviewer checklist additions
The existing checklist verified invocation mechanics but not whether the wrapped tool''s CLI contract was still valid — #187 passed every item. New items cover: external tool/endpoint currency (version-gating flags across tool majors), docs-vs-code field drift, secrets in process argv, and output-stream hygiene.
Test plan
--local-onlydetection on Chocolatey 1.x vs 2.x🤖 Generated with Claude Code