Latest Results
docs: sync CLI, env vars and dev scripts with current code (#337)
* docs: sync references with current code
- Add Environment Variables section to docs/configuration.md
documenting RUST_LOG, OSV_ENDPOINT, CARGO_HOME, and GITHUB_TOKEN.
OSV_ENDPOINT was previously only discoverable from src/main.rs.
- Add Developer Scripts table to CONTRIBUTING.md covering
build-and-deploy.sh, run-benchmarks.sh, scripts/coverage.sh,
scripts/fuzz.sh, scripts/profile-*.sh, and
scripts/check_mermaid_syntax.sh.
- Fix docs/cli.md drift against dependi-lsp/src/main.rs and
src/file_types.rs: document the html output format, the
--no-use-lockfile scan flag, and the missing Ruby (Gemfile),
Java (pom.xml), and Python (constraints.txt, hatch.toml) entries
in the Supported Files table.
* docs(readme): sync language coverage, CLI table and structure with code
- Add Java/Maven Central to the Supported Languages table, the FAQ
registries table, and the CI/CD Supported Files list.
- Add Ruby (Gemfile) to the CI/CD Supported Files list; it was already
in the main Supported Languages table but missing from the CLI
reference further down.
- Document the html output format and the --no-use-lockfile flag in
the CI/CD Options table to match src/main.rs.
- Refresh the Project Structure tree with the parsers and registries
that have been added since the last README pass: parsers/maven.rs,
pnpm_workspace.rs, json_spans.rs, lockfile_graph.rs,
lockfile_resolver.rs, plus registries/maven_central.rs and
url_sanitizer.rs.
- Update the Architecture ASCII diagram so the Parsers column lists
pom.xml and pnpm-workspace, and the Registries column lists Maven
Central.
* docs: address PR #337 bot review comments
- CONTRIBUTING.md: fix profile-registry.sh signature in the Developer
Scripts table — it takes [REGISTRY] [PACKAGES] [ITERATIONS], not
[FILE] [ITERATIONS], per the script's own usage header.
- CONTRIBUTING.md: widen the inline code fence around the literal
triple-backtick mermaid marker so Markdown renderers don't terminate
the code span on the contained backticks.
- docs/configuration.md: scope the OSV_ENDPOINT row to the scan
subcommand (the profile-* paths use OsvClient::default()), and
rewrite the npm token row to describe the actual runtime mechanism
(EnvTokenProvider reading the variable named in LSP settings) and
note that src/auth/npmrc.rs is test-only.
* docs(cli): trim Python scan list to files run_scan routes
Codex on PR #337 flagged that constraints.txt and hatch.toml fail the
scan subcommand with "Unsupported file type" because run_scan in
dependi-lsp/src/main.rs only routes requirements.txt and pyproject.toml
for Python. Trim the docs/cli.md and README.md CLI Supported Files
lists to match, and add a callout pointing readers at the broader
LSP-mode coverage in src/file_types.rs.
* docs(cli): scope --no-use-lockfile to wired ecosystems; drop gitignored script
Two Codex findings on PR #337 (commit 4c9a772):
- P1: docs/cli.md and README.md claimed that --no-use-lockfile turns
off a full transitive scan for every lockfile, including go.sum,
pubspec.lock, and packages.lock.json. In run_scan
(dependi-lsp/src/main.rs:357), Go/Pub/NuGet/Maven fall through
`_ => {}` with no graph parser, and bun.lock / pdm.lock build empty
graphs. Narrow the docs to the lockfiles actually wired today and
call out the empty/missing cases so users don't infer false
transitive coverage in CI.
- P2: CONTRIBUTING.md Developer Scripts table linked
`./build-and-deploy.sh`, but that file is .gitignored (root
.gitignore:54) and not tracked, so contributors hit a missing-file
error. Remove the row; add a CHANGELOG note explaining the script
is intentionally a personal helper.
---------
Co-authored-by: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
docs: sync references with current code
docs/sync-cli-env-scripts [US]
perf-reduce-tokio-feature-set-decrease: trim Tokio feature set (#336)
* [Scenario #321] Dependi LSP uses the trimmed Tokio feature set (#334)
* red(R-01): failing test for Dependi LSP uses trimmed Tokio feature set
* green(R-01): minimal impl for Dependi LSP uses trimmed Tokio feature set
---------
Co-authored-by: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
* [Scenarios #322-#333] Guard remaining Tokio feature acceptance cases (#335)
* green(R-01,R-02,R-03): guard remaining Tokio feature scenarios
* fix: apply PR review feedback
* fix: compile probe Tokio capability guards
* fix: pin Tokio compile probe version
---------
Co-authored-by: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
* fix(tokio): declare sync+time features directly per PR review
Codex flagged on #336 that the trimmed Tokio feature set drops `sync`
and `time` while `dependi-lsp/src/` uses `tokio::sync::{RwLock, Mutex,
Semaphore}` and `tokio::time::{sleep, timeout, interval}` directly
(backend, auth, cache, registries, vulnerabilities). The crate was
compiling only because transitive deps unify those features, which
would break on any upstream feature change.
Add `sync` and `time` to the explicit feature list and align the
acceptance tests to the seven-feature set. The negative scenario now
exercises `signal`/`process` as truly unrelated features.
* style: rustfmt tokio_feature_set_test
* fix(test): declare tokio dev-dep with `net` for OSV test server
Codex flagged on #336 that the test server `spawn_counting_osv_server`
in `dependi-lsp/src/vulnerabilities/osv.rs:511` uses
`tokio::net::TcpListener` directly while the spec asserts `net` must
not appear in the runtime feature set. The test was compiling only
because `wiremock` pulls `tokio/net` transitively, which would break
if `wiremock` ever stopped doing so.
Declare `tokio = { version = "1.52.3", features = ["net"] }` under
`[dev-dependencies]` so the test-only requirement is explicit. The
binary feature set stays at seven, and the R-02 invariant
(`network_capability_comes_from_reqwest_instead_of_a_direct_tokio_feature`)
remains intact because the assertion only inspects `[dependencies]`.
---------
Co-authored-by: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
Latest Branches
+11%
dependabot/cargo/dependi-lsp/serde_json-1.0.150 -60%
docs/sync-cli-env-scripts +1%
atdd/perf-reduce-tokio-feature-set-decrease/integration