marketplace doctor: warn when package dependencies bypass marketplace #847

@sergio-sisternes-epam

Description

Problem

When a marketplace author lists packages that have dependencies.apm entries using direct repo paths (e.g. owner/repo/path/to/pkg), those dependencies are resolved at consumer install time via direct git clone -- completely bypassing the marketplace catalogue.

This creates a supply-chain consistency gap:

  • The package itself is pinned via the marketplace (specific SHA or version)
  • But its transitive dependencies track HEAD of the source repo (mutable, unpinned)

Example

# marketplace.yml - author pins code-quality at a specific SHA
packages:
  - name: code-quality
    source: acme-org/agent-forge
    ref: abc123...
    subdir: agents/code-quality

# code-quality/apm.yml - but its deps use direct paths (not marketplace refs)
dependencies:
  apm:
    - acme-org/agent-forge/general/conventions   # resolves via git, tracks HEAD
    - acme-org/agent-forge/backend/standards      # same issue

The consumer gets code-quality at the pinned SHA, but conventions and standards at whatever HEAD happens to be -- defeating the purpose of marketplace version control.

Proposed solution

  1. apm marketplace doctor should add a check: for each package in marketplace.yml, fetch its apm.yml and inspect dependencies.apm. Warn when dependencies use direct repo paths instead of name@marketplace format.

  2. Documentation should guide marketplace authors to use marketplace refs in their package dependencies:

    # Before (insecure, tracks HEAD):
    dependencies:
      apm:
        - acme-org/agent-forge/general/conventions
    
    # After (marketplace-resolved, version-pinned):
    dependencies:
      apm:
        - conventions@my-marketplace

Context

Discovered during manual testing of the marketplace maintainer UX (PR #790). The DependencyReference.parse() path for direct repo paths creates a virtual subdirectory package that resolves via git clone, while the parse_marketplace_ref() path for name@marketplace format resolves through the catalogue with proper version pinning.

Related to #722.
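A prototype of the check the issue proposes for `apm marketplace doctor`, as an added example that is not the apm project's own code. It assumes the two reference formats named in the issue (`name@marketplace` versus `owner/repo/path/to/pkg`), assumes `marketplace.yml` and `apm.yml` have already been parsed into dicts with the keys shown in the issue's example, and stands in for the "fetch its apm.yml" step with a caller-supplied `fetch_manifest` callback (here backed by a constructed in-memory fixture, so it runs offline). The regexes, the `Finding` type and every function name are assumptions.

```python
"""Prototype of the 'dependencies bypass marketplace' doctor check.

Added example, not the apm project's code; reference formats, manifest
shapes and helper names are assumptions taken from the issue text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed formats: a marketplace ref is "name@marketplace" (no slashes);
# a direct repo path is "owner/repo[/path/to/pkg]" (no "@").  Anything
# else is reported as unrecognised rather than silently accepted.
MARKETPLACE_REF = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)@(?P<marketplace>[A-Za-z0-9_.-]+)$")
DIRECT_REPO_PATH = re.compile(r"^(?P<owner>[^/@\s]+)/(?P<repo>[^/@\s]+)(?:/(?P<path>[^@\s]+))?$")


@dataclass(frozen=True)
class Finding:
    package: str      # marketplace package whose apm.yml was inspected
    dependency: str   # the offending dependencies.apm entry ("" if apm.yml missing)
    kind: str         # "direct-path" | "unknown"
    message: str


def classify_dependency(ref: str) -> str:
    """Return "marketplace", "direct-path" or "unknown" for one dependencies.apm entry."""
    if MARKETPLACE_REF.match(ref):
        return "marketplace"
    if DIRECT_REPO_PATH.match(ref):
        return "direct-path"
    return "unknown"


def check_package(pkg_name: str, apm_manifest: dict) -> list[Finding]:
    """Inspect one package's parsed apm.yml and report deps that bypass the catalogue."""
    deps = (apm_manifest.get("dependencies") or {}).get("apm") or []
    findings: list[Finding] = []
    for dep in deps:
        dep = str(dep)
        kind = classify_dependency(dep)
        if kind == "marketplace":
            continue  # resolved through the catalogue, version-pinned: fine
        if kind == "direct-path":
            msg = (f"dependency '{dep}' is a direct repo path: it is resolved by git clone "
                   f"and tracks HEAD, bypassing the marketplace pin; use name@marketplace")
        else:
            msg = f"dependency '{dep}' is not a recognised reference format"
        findings.append(Finding(pkg_name, dep, kind, msg))
    return findings


def doctor_dependencies(marketplace: dict,
                        fetch_manifest: Callable[[dict], Optional[dict]]) -> list[Finding]:
    """For each package in marketplace.yml, fetch its apm.yml and check dependencies.apm.

    fetch_manifest(pkg) should return the parsed apm.yml of that package at the
    pinned ref (real implementation would read it from the pinned source), or None.
    """
    findings: list[Finding] = []
    for pkg in marketplace.get("packages", []):
        manifest = fetch_manifest(pkg)
        if manifest is None:
            findings.append(Finding(pkg["name"], "", "unknown", "could not fetch apm.yml"))
            continue
        findings.extend(check_package(pkg["name"], manifest))
    return findings


# Constructed fixture mirroring the issue's example: one package whose deps use
# direct paths (should warn) and one whose deps use marketplace refs (clean).
SAMPLE_MARKETPLACE = {
    "packages": [
        {"name": "code-quality", "source": "acme-org/agent-forge",
         "ref": "abc123...", "subdir": "agents/code-quality"},
        {"name": "docs-style", "source": "acme-org/agent-forge",
         "ref": "abc123...", "subdir": "agents/docs-style"},
    ]
}
SAMPLE_MANIFESTS = {
    ("acme-org/agent-forge", "abc123...", "agents/code-quality"): {
        "dependencies": {"apm": ["acme-org/agent-forge/general/conventions",
                                 "acme-org/agent-forge/backend/standards"]}},
    ("acme-org/agent-forge", "abc123...", "agents/docs-style"): {
        "dependencies": {"apm": ["conventions@my-marketplace"]}},
}


def fetch_manifest_from_fixture(pkg: dict) -> Optional[dict]:
    """Stand-in for fetching apm.yml at the pinned ref; looks it up in the fixture."""
    return SAMPLE_MANIFESTS.get((pkg["source"], pkg["ref"], pkg.get("subdir")))


def run_sample() -> list[Finding]:
    return doctor_dependencies(SAMPLE_MARKETPLACE, fetch_manifest_from_fixture)


if __name__ == "__main__":
    for f in run_sample():
        print(f"WARN [{f.package}] {f.message}")
```

Running it reports the two direct-path dependencies of `code-quality` and nothing for `docs-style`. A missing or unfetchable `apm.yml` is reported as its own finding rather than skipped, so the doctor never passes a package it could not actually inspect.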
