fix(integrity): dedupe packageIds when counting resolved packages

ggreif · claude · ggreif · commit 4be097c99aef · 2026-04-21T20:31:39.000+02:00
`getResolvedMopsPackageIds()` produces one entry per dependency-table row, including alias rows like `base`, `base@0`, `base@0.16` all resolving to the same `base@0.16.0`. The subsequent length comparison against `Object.keys(lockFileJson.hashes).length` then fails — the hashes object is naturally deduplicated by its packageId keys, so the two counts diverge by the number of alias duplicates. Compare unique packageId counts via `Set` to match the lock file's semantics. Fixes #506 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/cli/integrity.ts b/cli/integrity.ts
@@ -267,11 +267,16 @@ export async function checkLockFile(force = false) {
     }
   }
 
-  // check number of packages
-  if (Object.keys(lockFileJson.hashes).length !== packageIds.length) {
+  // check number of packages — packageIds can contain duplicates when
+  // multiple aliases (e.g. `base`, `base@0`, `base@0.16`) resolve to the
+  // same package@version, while lockFileJson.hashes is keyed by packageId
+  // and naturally deduplicated. Compare unique counts to avoid a spurious
+  // mismatch.
+  let uniquePackageIdCount = new Set(packageIds).size;
+  if (Object.keys(lockFileJson.hashes).length !== uniquePackageIdCount) {
     console.error("Integrity check failed");
     console.error(
-      `Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(packageIds.length)}`,
+      `Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(uniquePackageIdCount)}`,
     );
     process.exit(1);
   }

Original file line number	Diff line number	Diff line change
`@@ -267,11 +267,16 @@ export async function checkLockFile(force = false) {`
`267`	`267`	`}`
`268`	`268`	`}`
`269`	`269`
`270`		`- // check number of packages`
`271`		`- if (Object.keys(lockFileJson.hashes).length !== packageIds.length) {`
	`270`	`+ // check number of packages — packageIds can contain duplicates when`
	`271`	+ // multiple aliases (e.g. `base`, `base@0`, `base@0.16`) resolve to the
	`272`	`+ // same package@version, while lockFileJson.hashes is keyed by packageId`
	`273`	`+ // and naturally deduplicated. Compare unique counts to avoid a spurious`
	`274`	`+ // mismatch.`
	`275`	`+ let uniquePackageIdCount = new Set(packageIds).size;`
	`276`	`+ if (Object.keys(lockFileJson.hashes).length !== uniquePackageIdCount) {`
`272`	`277`	`console.error("Integrity check failed");`
`273`	`278`	`console.error(`
`274`		- `Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(packageIds.length)}`,
	`279`	+ `Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(uniquePackageIdCount)}`,
`275`	`280`	`);`
`276`	`281`	`process.exit(1);`
`277`	`282`	`}`