Skip to content

docs(outdated): clarify monorepo tag pattern matching for virtual subdirectory deps#1895

Merged
danielmeppiel merged 5 commits into
microsoft:mainfrom
kevinbeier-enbw:docs/outdated-monorepo-virtual-subdir-tag
Jun 28, 2026
Merged

docs(outdated): clarify monorepo tag pattern matching for virtual subdirectory deps#1895
danielmeppiel merged 5 commits into
microsoft:mainfrom
kevinbeier-enbw:docs/outdated-monorepo-virtual-subdir-tag

Conversation

@kevinbeier-enbw

Copy link
Copy Markdown
Contributor

What

Follow-up documentation for PR #1504 (monorepo tag support) and PR #1893 (virtual subdirectory fix).

Changes

  • docs/src/content/docs/reference/cli/outdated.md:
    • Clarify that for virtual subdirectory packages (installed via path: in apm.yml), the {name} in patterned tags is derived from the final path segment of virtual_path — not the repo name.
    • Add an example row in sample output showing a monorepo virtual dep (org/monorepo/packages/my-pkg my-pkg_v1.0.0 my-pkg_v1.1.0 outdated).
    • Add a concrete apm.yml example with path: packages/my-pkg and ref: my-pkg_v1.0.0.

Why

Before this docs update, users installing monorepo subdirectories had no way of knowing that the tag pattern matching uses the path basename. This led to confusion when apm outdated reported unknown for valid monorepo tag layouts.

Refs: #1504 #1893

Copilot AI review requested due to automatic review settings June 25, 2026 09:34
@kevinbeier-enbw kevinbeier-enbw force-pushed the docs/outdated-monorepo-virtual-subdir-tag branch from 3597689 to a28768f Compare June 25, 2026 09:37

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates apm outdated documentation (and reinforces behavior with a regression test) for monorepo tag-pattern matching when dependencies are installed as virtual subdirectory packages via path:.

Changes:

  • Document that {name} in patterned git tags for virtual subdirectory deps is derived from the path/virtual_path basename (not the repo name), and add a concrete apm.yml example.
  • Add a sample-output row illustrating a monorepo virtual subdirectory dependency.
  • Add a unit test covering monorepo patterned-tag resolution for a virtual subdirectory dependency, and update _package_basename() to use the virtual path basename for tag-pattern matching.

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

File Description
src/apm_cli/commands/outdated.py Adjusts package-name derivation for patterned tag matching to use virtual_path basename for virtual subdirectory deps.
tests/unit/test_outdated_command.py Adds a regression test ensuring monorepo patterned tags are recognized for virtual subdirectory dependencies.
docs/src/content/docs/reference/cli/outdated.md Clarifies monorepo tag pattern behavior for path: deps and adds example/sample output.

Comment thread docs/src/content/docs/reference/cli/outdated.md Outdated
Comment thread docs/src/content/docs/reference/cli/outdated.md Outdated
…directory deps

- Document that {name} in patterned tags is derived from virtual_path
  basename for virtual subdirectory packages (e.g. packages/my-pkg).
- Add example row showing monorepo virtual dep in sample output.
- Add concrete apm.yml example with path: for monorepo deps.

Follow-up to microsoft#1504 and microsoft#1893.
@kevinbeier-enbw kevinbeier-enbw force-pushed the docs/outdated-monorepo-virtual-subdir-tag branch from a28768f to 448777a Compare June 25, 2026 09:41

@kevinbeier-enbw kevinbeier-enbw left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both Copilot nits addressed in amended commit:

  • Clarified that tag names use the final path segment only (, not ).
  • Fixed extra leading space in sample output table.

@kevinbeier-enbw kevinbeier-enbw left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both Copilot nits addressed in amended commit:

  • Clarified that tag names use the final path segment only (my-pkg_v1.2.3, not packages/my-pkg_v1.2.3).
  • Fixed extra leading space in sample output table.

@sergio-sisternes-epam sergio-sisternes-epam added the panel-review Trigger the apm-review-panel gh-aw workflow label Jun 26, 2026
@github-actions

Copy link
Copy Markdown

APM Review Panel: needs_rework

PR #1895 documents virtual-path-driven tag inference for monorepo subdirectory deps, but _package_basename() reads repo_url only -- the described behavior does not exist in the codebase.

cc @kevinbeier-enbw -- a fresh advisory pass is ready for your review.

Four active panelists (python-architect, cli-logging-expert, devx-ux-expert, doc-writer) and the oss-growth-hacker independently converged on the same root cause: _package_basename() at outdated.py:53-60 reads dep.repo_url.rstrip('/').split('/')[-1] exclusively and never touches dep.virtual_path. For a dep configured as git: github.com/org/monorepo.git + path: packages/my-pkg, the function returns "monorepo", not "my-pkg". Runtime verification by python-architect confirms: infer_tag_pattern('my-pkg_v1.0.0', 'monorepo') = None, while infer_tag_pattern('my-pkg_v1.0.0', 'my-pkg') = '{name}_v{version}'. The full tag-resolution pipeline documented in the PR silently fails, yielding status=unknown/git branch instead of the documented status=outdated/git tags. The three doc-writer blocking findings each target a distinct location encoding this false claim: the description prose at line 21, the sample output row at line 60, and the YAML example section at lines 83-92. This is not a documentation clarity gap -- it is documentation that actively misdirects enterprise users into configuring a tag scheme that silently fails with no actionable error.

The growth signal is real and must be honored. This is the second community doc contribution from kevinbeier-enbw (after #1893) targeting monorepo path: behavior in rapid succession -- a confirmed enterprise adoption pressure point. The companion code fix is trivial: one conditional in _package_basename (~3 lines). The right response is a warm, actionable rework request: open the code PR first, then resubmit the doc against the fixed codebase. This preserves contributor goodwill and lands a genuinely compelling enterprise story in the right order.

The supply-chain-security-expert's finding on resolved_commit SHA as the integrity anchor is orthogonal and valid -- a transparency note that should be folded into the resubmitted doc PR.

Dissent. doc-writer classified all three core findings as blocking; python-architect, cli-logging-expert, devx-ux-expert, and oss-growth-hacker classified the same root cause as recommended. I side with doc-writer's blocking severity: the behavior is runtime-verified to silently fail, users who follow this doc configure a tag scheme that yields wrong outdated status with no actionable error, and aspirational docs on an enterprise-targeting surface are the highest-risk trust-erosion pattern APM faces. Recommended severity understates the user harm.

Aligned with: Portable by Manifest, Pragmatic as npm, OSS Community Driven.

Growth signal. PR #1895 is the second community doc contribution (after #1893) from the same contributor targeting monorepo path: behavior in rapid succession -- confirmed enterprise adoption pressure. The _package_basename guard is trivial (~3 lines). When the code lands alongside a corrected doc, the release note "apm outdated now correctly resolves tag patterns for monorepo subdirectory packages via path: segment" is a compelling enterprise story. Merging aspirational docs now erodes exactly the trust that drives that story; getting the sequence right is the higher-leverage move.

Panel summary

Persona B R N Takeaway
Python Architect 0 1 0 Doc claims virtual_path drives {name} tag-pattern inference; _package_basename reads repo_url only -- described monorepo tag resolution is not implemented.
CLI Logging Expert 0 2 1 New sample row misaligns Current column; aspirational {name} claim contradicts _package_basename(); pre-existing count wrong.
DevX UX Expert 0 1 2 Doc/code mismatch: {name} in tag pattern comes from repo URL basename (monorepo), not path: segment (my-pkg), so the documented example silently fails.
Supply Chain Security Expert 0 1 1 Doc-only PR is safe; one recommended note on resolved_commit as integrity anchor; one nit on path validation mention.
OSS Growth Hacker 0 1 1 Strong monorepo adoption signal from community, but doc describes code behavior that does not exist -- aspirational docs erode trust faster than missing docs.
Doc Writer 3 1 1 PR documents virtual-path tag derivation that the code does not implement: _package_basename uses repo_url, not virtual_path; all added content is factually wrong.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Top 5 follow-ups

  1. [Doc Writer] (blocking-severity) Remove all three sections encoding the false claim: description prose at line 21, sample output row at line 60 (uses my-pkg_v* tags the code cannot produce), and YAML example section at lines 83-92 ('tag name derived from virtual path'). -- Runtime-verified: infer_tag_pattern('my-pkg_v1.0.0', 'monorepo') = None. The described pipeline does not execute. Users who configure a monorepo tag scheme based on this doc get silently wrong outdated status.
  2. [Python Architect] Open a companion code PR adding an is_virtual guard in _package_basename(): if dep.is_virtual and dep.virtual_path: return dep.virtual_path.rstrip('/').split('/')[-1]. -- This is the implementation that makes the documented behavior true. The fix is ~3 lines and unblocks the doc resubmit, turning a community contribution into a shipped enterprise feature.
  3. [OSS Growth Hacker] After the code companion merges, resubmit this doc PR against the updated codebase with a CHANGELOG entry: 'apm outdated now correctly resolves tag patterns for monorepo subdirectory packages via path: segment'. -- Provides a clear landing path for the contributor and completes the enterprise adoption story.
  4. [Supply Chain Security Expert] Add a sentence noting that apm.lock.yaml records the resolved commit SHA (not the tag name) as the actual integrity anchor. -- Makes the trust model explicit for enterprise users. Fold into the resubmitted doc PR.
  5. [CLI Logging Expert] During the resubmit pass, fix the pre-existing Current column overflow (9-char column, several rows exceed it) and update '[!] 2 outdated deps found' to match the actual count in the sample table. -- Monospace table alignment is the primary rendering contract for CLI reference docs.

Architecture

classDiagram
    direction LR
    class LockedDependency {
        <<Dataclass>>
        +repo_url str
        +virtual_path str
        +is_virtual bool
        +marketplace_plugin_name str
        +resolved_ref str
        +get_unique_key() str
    }
    class OutdatedRow {
        <<ValueObject>>
        +package str
        +current str
        +latest str
        +status str
        +source str
    }
    class PackageBasename {
        <<Pure>>
        +call(dep) str
    }
    note for PackageBasename "Reads dep.repo_url only. dep.virtual_path is never consulted. Returns 'monorepo' for a dep at org/monorepo with path: packages/my-pkg. Fix: guard on is_virtual."
    class ResolveTagPattern {
        <<Pure>>
        +call(ref str, name str) str
    }
    class CheckOneDep {
        <<IOBoundary>>
        +call(dep dl verbose) OutdatedRow
    }
    class InferTagPattern {
        <<Pure>>
        +call(tag str, pkg_name str) str
    }
    CheckOneDep ..> LockedDependency : reads
    CheckOneDep ..> PackageBasename : calls
    CheckOneDep ..> ResolveTagPattern : calls
    CheckOneDep ..> OutdatedRow : produces
    PackageBasename ..> LockedDependency : reads repo_url only
    ResolveTagPattern ..> InferTagPattern : delegates
    class PackageBasename:::touched
    class LockedDependency:::touched
    classDef touched fill:#fff3b0,stroke:#d47600
Loading
flowchart TD
    A["apm outdated"] --> B
    B["_check_one_dep(dep)"] --> C
    C["[I/O] list_remote_refs"] --> D
    D["_package_basename(dep)"] --> E
    E{marketplace_plugin_name?}
    E -- yes --> F["return marketplace_plugin_name"]
    E -- no --> G["repo_url.split('/')[-1]\nreturns 'monorepo' NOT 'my-pkg'"]
    G --> H["_resolve_tag_pattern('my-pkg_v1.0.0', 'monorepo')"]
    H --> I["infer_tag_pattern with name='monorepo'"]
    I --> J["DEFAULT_TAG_PATTERNS: monorepo_v.. / monorepo--v.. / monorepo-v..\nNO MATCH for 'my-pkg_v1.0.0'"]
    J --> K["infer_tag_pattern returns None"]
    K --> L["TAG_RE.match: FAIL on 'my-pkg_v1.0.0'"]
    L --> M["tag_pattern=None, is_tag=False"]
    M --> N["_find_remote_tip('my-pkg_v1.0.0')"]
    N --> O["no branch named 'my-pkg_v1.0.0'"]
    O --> P["status=unknown, source=git branch\nDOCS CLAIM: outdated, git tags -- FALSE"]
    style P fill:#ffcccc,stroke:#cc0000
Loading

Recommendation

Hold PR #1895 until the three aspirational sections are removed or replaced with accurate current-behavior prose. The fastest path to merge: open the companion code PR adding the _package_basename is_virtual guard, then amend this PR to reflect post-fix behavior. Give kevinbeier-enbw the exact rework checklist (lines 21, 60, 83-92) and a direct pointer to the code change needed -- their third contribution in this area is a high-value enterprise signal and deserves a warm, actionable response rather than a silent close.


Full per-persona findings

Python Architect

  • [recommended] _package_basename ignores virtual_path; documentation describes behavior that does not exist in current code at src/apm_cli/commands/outdated.py:53
    LockedDependency.virtual_path (lockfile.py:76) carries the path: segment for virtual subdirectory deps. _package_basename(dep) at outdated.py:53-60 reads dep.repo_url and returns its final URL segment; it never checks dep.is_virtual or dep.virtual_path. For a dep with repo_url='org/monorepo' and virtual_path='packages/my-pkg', _package_basename returns 'monorepo'. _resolve_tag_pattern then calls infer_tag_pattern('my-pkg_v1.0.0', 'monorepo'): all DEFAULT_TAG_PATTERNS fail (name prefix is wrong -- 'monorepo' vs 'my-pkg'), returning None. TAG_RE at line 76 also fails. tag_pattern=None, is_tag=False, and the dep falls to _find_remote_tip yielding OutdatedRow(status='unknown', source='git branch'). The documentation at outdated.md:21 states '{name} is derived from the final path segment' and the sample output at line 60 shows 'outdated, git tags' -- both unreachable with current code.
    Suggested: Add virtual_path branch before the repo_url fallback in _package_basename: if dep.is_virtual and dep.virtual_path: return dep.virtual_path.rstrip('/').split('/')[-1]

CLI Logging Expert

  • [recommended] Doc claims {name} derives from virtual path segment, but _package_basename() uses repo_url basename at docs/src/content/docs/reference/cli/outdated.md:21
    _package_basename() at outdated.py:53-60 returns repo_url.rstrip('/').split('/')[-1]. For dep with repo_url='org/monorepo', yields 'monorepo', not 'my-pkg'. infer_tag_pattern('my-pkg_v1.0.0', 'monorepo') fails silently -- the dep falls through without tag-pattern detection. The documented behavior is aspirational, not current.
    Suggested: Either gate the prose on the feature landing, or replace with accurate current behavior: 'For virtual subdirectory packages, {name} is currently derived from the repository basename. Use an explicit marketplace tag_pattern to override.'
  • [recommended] New sample output row overflows Current column: 'my-pkg_v1.0.0' (13 chars) exceeds the 9-char column defined by the separator at docs/src/content/docs/reference/cli/outdated.md:60
    The static code block uses a fixed-width table. The new row's Current value overflows by 4 chars, pushing subsequent columns right and breaking the monospace alignment.
    Suggested: Widen the Current column separator, shorten the example ref to 'v1.0.0'/'v1.1.0', or annotate the block as approximate Rich output.
  • [nit] Pre-existing: '[!] 2 outdated dependencies found' count does not match; sample table shows 7 outdated rows including the new one at docs/src/content/docs/reference/cli/outdated.md:66
    Suggested: Update to '[!] 7 outdated dependencies found' or reduce the sample table to fewer rows.

DevX UX Expert

  • [recommended] _package_basename() uses repo URL basename, not virtual_path segment -- the documented tag-inference example does not work at docs/src/content/docs/reference/cli/outdated.md:21
    For a dep with path: packages/my-pkg, the PR documents that {name} resolves to 'my-pkg' so tags like my-pkg_v1.2.3 are matched. But _package_basename returns 'monorepo' (repo URL last segment). infer_tag_pattern fails. The dep is NOT processed via tag comparison at all -- users following this doc get silent wrong behaviour with no actionable error.
    Suggested: Do not merge the description sentence until _package_basename() is updated to return dep.virtual_path.rstrip('/').split('/')[-1] when dep.virtual_path is set.
  • [nit] Sample output row overflows the Current column at docs/src/content/docs/reference/cli/outdated.md:60
    'my-pkg_v1.0.0' is 13 characters; Current column separator is 9 dashes.
  • [nit] Monorepo apm.yml example sits between two flag-invocation examples with no heading at docs/src/content/docs/reference/cli/outdated.md:83
    Suggested: Add a #### Monorepo subdirectory packages heading immediately before the YAML block.

Supply Chain Security Expert

  • [recommended] Example does not clarify that resolved_commit SHA -- not the tag name -- is the actual integrity anchor at docs/src/content/docs/reference/cli/outdated.md:84
    The YAML example pins via ref: my-pkg_v1.0.0, a mutable git tag. APM records the resolved_commit (40-char SHA) in apm.lock.yaml at lock time. Without this note, the example implies weaker guarantees than APM actually provides.
    Suggested: Add a comment: # apm.lock.yaml records the commit SHA resolved at lock time; the tag ref drives outdated detection only -- not the integrity pin.
  • [nit] 'derived from the final path segment' does not note that path values are validated (traversal sequences rejected) at docs/src/content/docs/reference/cli/outdated.md:21
    Suggested: Change to 'derived from the final path segment (path values are validated; traversal sequences are rejected)'.

OSS Growth Hacker

  • [recommended] Aspirational docs for this enterprise use-case are the highest-risk trust-erosion pattern -- ship the code first at docs/src/content/docs/reference/cli/outdated.md:21
    _package_basename() returns 'monorepo' (last URL segment), not 'my-pkg'. The result is tag_pattern=None, is_tag=False, apm outdated silently misclassifies the dep. Shipping this directs enterprise monorepo users to a path that appears broken, destroying the trust this PR is trying to build.
    Suggested: Hold until companion code fix lands, or reframe as a known limitation with workaround: 'Set an explicit tag_pattern in the marketplace entry to override.'
  • [nit] Sample output row columns misalign at docs/src/content/docs/reference/cli/outdated.md:60

Doc Writer

  • [blocking] Description bullet claims {name} comes from path: segment -- contradicts _package_basename() which reads repo_url at docs/src/content/docs/reference/cli/outdated.md:21
    _package_basename(dep) at outdated.py:53-60 returns repo.rstrip('/').split('/')[-1], where repo is dep.repo_url. It never reads dep.virtual_path. For dep with git: .../monorepo.git and path: packages/my-pkg, the function returns 'monorepo', not 'my-pkg'. The added sentence is false. Users who configure their monorepo tag scheme as my-pkg_v* based on this doc get incorrect outdated status.
    Suggested: Remove the appended sentence entirely until the code change to _package_basename() that reads virtual_path lands.
  • [blocking] Sample output row uses my-pkg_v* tags the current code cannot produce; also overflows the Current column by 4 chars at docs/src/content/docs/reference/cli/outdated.md:60
    Under current implementation, _package_basename returns 'monorepo', so the tag pattern would match monorepo_v*, not my-pkg_v*. Additionally 'my-pkg_v1.0.0' (13 chars) overflows the 9-char Current column.
    Suggested: Remove this row entirely. If re-added, use tag names matching the repo-URL-derived pattern and fit within column width.
  • [blocking] YAML example section and its prose describe unimplemented behavior -- the exact scenario shown silently fails at docs/src/content/docs/reference/cli/outdated.md:83
    Lines 83-92 add 'Monorepo dependency installed via path: (tag name derived from virtual path)' and claim 'With a newer tag my-pkg_v1.1.0 on the remote, apm outdated reports it as outdated.' This is false: the code would not match my-pkg_v1.1.0. Since the code change is absent, this section must be removed.
    Suggested: Remove lines 83-92. Re-add as a complete unit once the code change lands and is tested.
  • [recommended] Word count increased ~90 words with no compensating removal at docs/src/content/docs/reference/cli/outdated.md
    The PR adds 14 lines without removing anything. Even if correct, additions trend word count up without a compensating cut.
  • [nit] The YAML snippet structure itself is valid (git:, path:, ref: fields are correctly formed) and can be reused once the code lands.

Auth Expert -- inactive

PR #1895 modifies only docs/src/content/docs/reference/cli/outdated.md -- no auth, token management, credential resolution, host classification, or remote-host fallback code is touched.

Test Coverage Expert -- inactive

documentation-only PR -- no runtime code paths to defend

Performance Expert -- inactive

documentation-only PR -- no performance-relevant source files modified

This panel is advisory. It does not block merge. Re-apply the
panel-review label after addressing feedback to re-run.

Generated by PR Review Panel for issue #1895 · 548 AIC · ⌖ 9.23 AIC · ⊞ 5.5K ·

@github-actions github-actions Bot removed the panel-review Trigger the apm-review-panel gh-aw workflow label Jun 26, 2026
- Widen Current column in sample output so monorepo tag names fit.
- Fix outdated dependency count in sample output (7, not 2).
- Add #### Monorepo subdirectory packages heading before YAML example.
- Add note that apm.lock.yaml stores resolved_commit SHA, not the tag, as
  the integrity anchor.
- Mention path validation / traversal-rejection in the virtual_path prose.
auto-merge was automatically disabled June 27, 2026 06:52

Head branch was pushed to by a user without write access

…al, fix heading level

Remove security implementation detail from patterned-tag bullet:
the path-validation note belongs in internals docs, not a usage
reference bullet. All six active panelists flagged the same sentence.

Fix heading level inconsistency: the new Monorepo subdirectory
section used h4 (####) while the adjacent Status values section uses
h3 (###). Both are subsections of Examples; align to h3.

Also trim redundant parenthetical from the subsection intro sentence:
tag derivation is already explained in the Description section above.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel

Copy link
Copy Markdown
Collaborator

APM Review Panel: ship

Docs-only PR adds accurate monorepo tag guidance; two doc clarity items were fold-ready in the touched file and have been applied.

cc @kevinbeier-enbw -- a fresh advisory pass is ready for your review.

All six active panelists converged on the same signal: the inline parenthetical in the patterned-tag bullet ("(path values are validated; traversal sequences are rejected)") is an implementation detail that does not belong in a usage-focused reference bullet. Doc-writer additionally identified that the new "#### Monorepo subdirectory packages" section used h4 while the adjacent "### Status values" section uses h3 -- a heading-level inconsistency. Both items touched only the file this PR already modifies and were folded in this pass. The supply-chain expert raised a concern about {name} derivation accuracy; verification confirms that main (post #1893) correctly derives the name from virtual_path, so the documentation is accurate for the post-merge state.

Dissent. Supply-chain expert raised an accuracy concern about _package_basename(), but the fix is already on main (merged as PR #1893); the docs are correct for the merged state. Not blocking.

Growth signal. The patterned-tag bullet is the highest-traffic entry for monorepo consumers. A shorter, cleaner bullet removes unnecessary cognitive load for the common case.

Panel summary

Persona B R N Takeaway
Python Architect 0 0 1 Inline parenthetical too dense for reference doc readers.
CLI Logging Expert 0 0 1 Long inline sentence in patterned-tag bullet; split for clarity.
DevX UX Expert 0 0 1 Patterned-tag bullet conflates usage and implementation notes.
Supply Chain Security 0 1 1 Name-derivation claim verified accurate post-merge; parenthetical also flagged.
OSS Growth Hacker 0 1 1 Shorten inline sentence; cross-link to monorepo guide when one exists.
Doc Writer 0 1 2 Remove security parenthetical; fix h4->h3 heading level; trim intro prose.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Top 3 follow-ups

  1. [Doc Writer] (folded) Remove "(path values are validated; traversal sequences are rejected)" from patterned-tag bullet (line 21) -- implementation detail not appropriate for a usage-focused reference bullet; all six panelists flagged the same sentence.
  2. [Doc Writer] (folded) Fix heading level: "#### Monorepo subdirectory packages" should be "### Monorepo subdirectory packages" to match sibling "### Status values".
  3. [OSS Growth Hacker] (deferred) Create a dedicated Monorepo patterns guide page so the reference entry can cross-link to a fuller treatment -- deferred: this PR adds a section to one reference page; creating a new guide page is a new theme.

Recommendation

Items 1 and 2 were folded in this pass (both touched only the file this PR already modifies, within stated scope). Item 3 deferred as scope boundary crossed. CI is expected to remain green. The documentation is accurate and the PR is ready for maintainer review.


Full per-persona findings

Python Architect

  • [nit] Inline parenthetical too dense for reference doc readers at docs/src/content/docs/reference/cli/outdated.md:21
    The parenthetical "(path values are validated; traversal sequences are rejected)" is an implementation detail that adds noise to what should be a clean usage-focused bullet.
    Suggested: Remove the parenthetical; the security property can be documented in an internals note if needed.

CLI Logging Expert

  • [nit] Long inline sentence in patterned-tag bullet at docs/src/content/docs/reference/cli/outdated.md:21
    The patterned-tag bullet has grown too long; the virtual-path derivation detail reads as inline prose rather than a scannable reference entry.
    Suggested: Trim to remove the parenthetical.

DevX UX Expert

  • [nit] Patterned-tag bullet conflates usage guidance and implementation notes at docs/src/content/docs/reference/cli/outdated.md:21
    A reference doc consumer needs to know what the command does, not how it validates paths. The security parenthetical breaks the user mental model.
    Suggested: Remove the parenthetical from the bullet.

Supply Chain Security Expert

  • [recommended] Name-derivation claim: on the PR branch _package_basename() derived from repo_url not virtual_path at src/apm_cli/commands/outdated.py:53
    The docs claim {name} is derived from the final path segment, but the function on the PR branch reads dep.repo_url. Verified: the fix is on main (PR fix(outdated): use virtual-path basename for monorepo tag pattern matching #1893); the docs are accurate for the post-merge state. Not blocking.
  • [nit] The parenthetical "(path values are validated; traversal sequences are rejected)" is implementation detail not appropriate for a user-facing reference bullet.
    Suggested: Remove the parenthetical.

OSS Growth Hacker

  • [recommended] Shorten inline sentence in patterned-tag bullet for clarity at docs/src/content/docs/reference/cli/outdated.md:21
    The monorepo virtual-path derivation explanation is buried in a long run-on sentence. For monorepo users (a growing segment), this is the most important bullet; it deserves clarity.
    Suggested: Remove the parenthetical. Consider adding a dedicated example below the bullet.
  • [nit] Add a cross-link to a monorepo patterns guide from this bullet once that guide exists.

Doc Writer

  • [recommended] Remove security parenthetical from patterned-tag bullet at docs/src/content/docs/reference/cli/outdated.md:21
    "(path values are validated; traversal sequences are rejected)" is an implementation detail about path handling that belongs in an internals note, not a reference description of tag pattern matching behavior.
    Suggested: Remove the parenthetical entirely.
  • [nit] Heading level inconsistency: new section uses h4 where sibling uses h3 at docs/src/content/docs/reference/cli/outdated.md:83
    "#### Monorepo subdirectory packages" is h4 while "### Status values" is h3. Both are subsections of ## Examples. Use h3 for consistency.
    Suggested: Change "####" to "###".
  • [nit] Intro sentence in new subsection carries redundant information at docs/src/content/docs/reference/cli/outdated.md:85
    "Monorepo dependency installed via path: (tag name derived from virtual path):" restates what the Description section already says.
    Suggested: Trim to "Monorepo dependency installed via path::"

Auth Expert -- inactive

Documentation-only PR; no auth surface modified.

Test Coverage Expert -- inactive

Documentation-only PR -- no runtime code paths to defend.

Performance Expert -- inactive

Documentation-only PR; no performance-relevant source files modified.

This panel is advisory. It does not block merge. Re-apply the
panel-review label after addressing feedback to re-run.

@danielmeppiel danielmeppiel merged commit 095317d into microsoft:main Jun 28, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants