From d84024fb179e3ebb55573971a329cb6ff72d7fa0 Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Sun, 3 May 2026 16:23:40 +0900
Subject: fix(resolver): seed locked packages into pool and honour root-require
 barrier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirror Composer's PoolBuilder/Request semantics for partial updates: each
non-allow-listed locked package becomes a non-fixed pool entry restricted to
its locked version, so `replace`-providing peers cannot silently displace
it. Path-repo packages are exempt — Composer always reloads them from disk.

Threading `--with-dependencies` through `expand_with_direct_dependencies`
now performs transitive expansion with a root-require barrier matching
UPDATE_LISTED_WITH_TRANSITIVE_DEPS_NO_ROOT_REQUIRE, so root requires stay
locked when reached via a transitive dep.

Newly green: remove_does_nothing_if_removal_requires_update_of_dep,
update_allow_list_removes_unused, github_issues_4795,
partial_update_with_deps_warns_root.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 crates/mozart/src/commands/remove.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'crates/mozart/src/commands/remove.rs')

diff --git a/crates/mozart/src/commands/remove.rs b/crates/mozart/src/commands/remove.rs
index 15b3586..9c5f7fa 100644
--- a/crates/mozart/src/commands/remove.rs
+++ b/crates/mozart/src/commands/remove.rs
@@ -1,5 +1,5 @@
 use clap::Args;
-use indexmap::IndexMap;
+use indexmap::{IndexMap, IndexSet};
 use mozart_core::console::Verbosity;
 use mozart_core::console_format;
 use mozart_core::package;
@@ -275,6 +275,7 @@ pub async fn execute(
             .map(|(k, v)| (k.clone(), v.clone()))
             .collect(),
         locked_package_names: indexmap::IndexSet::new(),
+        locked_packages: Vec::new(),
     };
 
     // Print header messages
@@ -340,7 +341,7 @@ pub async fn execute(
             super::update::expand_with_all_dependencies(removed_names, lock)
         } else {
             // Default: freed packages + their direct dependencies
-            super::update::expand_with_direct_dependencies(removed_names, lock)
+            super::update::expand_with_direct_dependencies(removed_names, lock, &IndexSet::new())
         };
 
         // For --minimal-changes, additionally pin packages beyond the allow list
@@ -552,6 +553,7 @@ async fn remove_unused(
             .map(|(k, v)| (k.clone(), v.clone()))
             .collect(),
         locked_package_names: indexmap::IndexSet::new(),
+        locked_packages: Vec::new(),
     };
 
     console.info("Resolving dependencies to detect unused packages...");
@@ -905,6 +907,7 @@ mod tests {
             root_replace: IndexMap::new(),
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
+            locked_packages: Vec::new(),
         };
         let resolved = resolve(&request)
             .await
@@ -961,6 +964,7 @@ mod tests {
             root_replace: IndexMap::new(),
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
+            locked_packages: Vec::new(),
         };
         let resolved2 = resolve(&request2)
             .await
-- 
cgit v1.3.1