fix: validate duplicate package names and paths #78
Pull request overview
Adds fixture definition validation to prevent ambiguous/unsafe package configurations where multiple packages share the same name or path (which can lead to overwriting generated version.toml files).
Changes:
- Add validation for duplicate `packages[*].name` values.
- Add validation for duplicate `packages[*].path` values.
- Add unit tests covering duplicate package names and paths.
| // Check for duplicate package paths | ||
| let mut pkg_paths: Vec<&str> = def.packages.iter().map(|p| p.path.as_str()).collect(); | ||
| pkg_paths.sort(); | ||
| for window in pkg_paths.windows(2) { | ||
| if window[0] == window[1] { | ||
| errors.push(format!("duplicate package path: '{}'", window[0])); | ||
| } | ||
| } |
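Review bot: the `window[0] == window[1]` test inside `for window in pkg_paths.windows(2)` pushes one error per adjacent pair, so a path that appears three times in `def.packages` produces two identical "duplicate package path" messages. Consider reporting each duplicated path once, for example by skipping a window whose value equals the path reported last, or by counting occurrences in a map and emitting one error per key whose count is above one.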
packages[*].path is used to create directories/files via output_dir.join(&pkg.path) in generate.rs, but validate_single doesn't validate package paths for absolute paths or .. traversal (unlike commits/hooks/config). This can write outside the output directory, and also allows semantically equivalent paths (e.g. "./", "", "a/.") to bypass the duplicate-path check and still overwrite the same version.toml. Consider (1) rejecting absolute/traversal components for package paths using the existing has_traversal helper, and (2) normalizing/cleaning paths before the duplicate-path comparison so logically identical paths are treated as duplicates.
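The normalisation suggested in the review comment above, as an added Rust example (not the project's code): `normalize_pkg_path` and `validate_pkg_paths` are hypothetical names, the check is purely lexical via `std::path::Component` rather than the project's `has_traversal` helper, and the sample paths are constructed.

```rust
use std::collections::BTreeMap;
use std::path::{Component, Path};

// Hypothetical helper: lexically normalise a package path relative to the
// output directory. Lexical only: it does not resolve symlinks on disk.
fn normalize_pkg_path(raw: &str) -> Result<String, String> {
    let mut parts: Vec<String> = Vec::new();
    for comp in Path::new(raw).components() {
        match comp {
            Component::CurDir => {} // "." adds nothing
            Component::Normal(s) => parts.push(s.to_string_lossy().into_owned()),
            Component::ParentDir => {
                return Err(format!("package path escapes output dir: '{}'", raw))
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("package path must be relative: '{}'", raw))
            }
        }
    }
    // "", "." and "./" all mean the output directory itself.
    Ok(if parts.is_empty() { ".".to_string() } else { parts.join("/") })
}

// Hypothetical validator: one error per rejected path, plus one error per
// group of raw paths that normalise to the same directory.
fn validate_pkg_paths(paths: &[&str]) -> Vec<String> {
    let mut errors = Vec::new();
    let mut seen: BTreeMap<String, Vec<&str>> = BTreeMap::new();
    for &raw in paths {
        match normalize_pkg_path(raw) {
            Ok(norm) => seen.entry(norm).or_default().push(raw),
            Err(e) => errors.push(e),
        }
    }
    for (norm, raws) in &seen {
        if raws.len() > 1 {
            errors.push(format!("duplicate package path '{}': {:?}", norm, raws));
        }
    }
    errors
}

fn main() {
    // Constructed sample input, not taken from the project's fixtures.
    let paths = ["", "./", "a/.", "a", "a//b", "../x", "/etc"];
    for e in validate_pkg_paths(&paths) {
        println!("{}", e);
    }
}
```

Grouping by normalised key also means a path repeated three or more times is reported once, with every raw spelling listed.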
Summary
- `packages[*].name` values
- `packages[*].path` values

Closes #71