From d84024fb179e3ebb55573971a329cb6ff72d7fa0 Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Sun, 3 May 2026 16:23:40 +0900
Subject: fix(resolver): seed locked packages into pool and honour root-require
 barrier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirror Composer's PoolBuilder/Request semantics for partial updates: each
non-allow-listed locked package becomes a non-fixed pool entry restricted to
its locked version, so `replace`-providing peers cannot silently displace
it. Path-repo packages are exempt — Composer always reloads them from disk.

Threading `--with-dependencies` through `expand_with_direct_dependencies`
now performs transitive expansion with a root-require barrier matching
UPDATE_LISTED_WITH_TRANSITIVE_DEPS_NO_ROOT_REQUIRE, so root requires stay
locked when reached via a transitive dep.

Newly green: remove_does_nothing_if_removal_requires_update_of_dep,
update_allow_list_removes_unused, github_issues_4795,
partial_update_with_deps_warns_root.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 crates/mozart/src/commands/require.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'crates/mozart/src/commands/require.rs')

diff --git a/crates/mozart/src/commands/require.rs b/crates/mozart/src/commands/require.rs
index 6a2917b..caf88c1 100644
--- a/crates/mozart/src/commands/require.rs
+++ b/crates/mozart/src/commands/require.rs
@@ -1,5 +1,5 @@
 use clap::Args;
-use indexmap::IndexMap;
+use indexmap::{IndexMap, IndexSet};
 use mozart_core::console::Verbosity;
 use mozart_core::console_format;
 use mozart_core::package::{self, Stability};
@@ -663,6 +663,7 @@ pub async fn execute(
             .map(|(k, v)| (k.clone(), v.clone()))
             .collect(),
         locked_package_names: indexmap::IndexSet::new(),
+        locked_packages: Vec::new(),
     };
 
     // Print header messages
@@ -731,7 +732,7 @@ pub async fn execute(
         let allow_list = if with_all_deps {
             super::update::expand_with_all_dependencies(newly_required, lock)
         } else if with_deps {
-            super::update::expand_with_direct_dependencies(newly_required, lock)
+            super::update::expand_with_direct_dependencies(newly_required, lock, &IndexSet::new())
         } else {
             // Default for `require`: only the newly added packages are allowed to change.
             additions.iter().map(|(name, _, _)| name.clone()).collect()
@@ -1064,6 +1065,7 @@ mod tests {
             root_replace: IndexMap::new(),
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
+            locked_packages: Vec::new(),
         };
 
         let resolved = resolver::resolve(&request)
@@ -1138,6 +1140,7 @@ mod tests {
             root_replace: IndexMap::new(),
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
+            locked_packages: Vec::new(),
         };
 
         let resolved = resolver::resolve(&request)
-- 
cgit v1.3.1