Problem
When a marketplace author lists packages that have dependencies.apm entries using direct repo paths (e.g. owner/repo/path/to/pkg), those dependencies are resolved at consumer install time via direct git clone -- completely bypassing the marketplace catalogue.
This creates a supply-chain consistency gap:
- The package itself is pinned via the marketplace (specific SHA or version)
- But its transitive dependencies track HEAD of the source repo (mutable, unpinned)
Example
# marketplace.yml - author pins code-quality at a specific SHA
packages:
  - name: code-quality
    source: acme-org/agent-forge
    ref: abc123...
    subdir: agents/code-quality

# code-quality/apm.yml - but its deps use direct paths (not marketplace refs)
dependencies:
  apm:
    - acme-org/agent-forge/general/conventions  # resolves via git, tracks HEAD
    - acme-org/agent-forge/backend/standards    # same issue
The consumer gets code-quality at the pinned SHA, but conventions and standards at whatever HEAD happens to be -- defeating the purpose of marketplace version control.
Proposed solution
- apm marketplace doctor should add a check: for each package in marketplace.yml, fetch its apm.yml and inspect dependencies.apm. Warn when dependencies use direct repo paths instead of name@marketplace format.
- Documentation should guide marketplace authors to use marketplace refs in their package dependencies:

  # Before (insecure, tracks HEAD):
  dependencies:
    apm:
      - acme-org/agent-forge/general/conventions

  # After (marketplace-resolved, version-pinned):
  dependencies:
    apm:
      - conventions@my-marketplace
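The doctor check proposed above, written out as an added example (this is not apm's own code and does not use its internal DependencyReference or parse_marketplace_ref helpers). It assumes marketplace.yml and each package's apm.yml have already been loaded into Python dicts, as PyYAML's safe_load would produce; the fetch callback, the sample marketplace, the sample apm.yml contents and the two reference-format patterns are all constructed for this example.

```python
"""Doctor-style check: flag transitive dependencies that bypass the marketplace.

Added example, not the apm project's code. Inputs are dicts as loaded from
marketplace.yml / apm.yml; fetching is modelled by a callback so the check
runs offline against constructed sample documents.
"""
import re
from typing import Callable, Dict, List, Tuple

# name@marketplace: resolved through the catalogue, inherits its version pinning.
# (Assumed format; the issue text gives the shape, not the exact grammar.)
MARKETPLACE_REF = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+$")
# owner/repo or owner/repo/path/to/pkg: resolved by a direct git clone of HEAD.
DIRECT_REPO_PATH = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*$")


def classify_dependency(ref: str) -> str:
    """Return 'marketplace', 'direct' or 'unknown' for one dependencies.apm entry."""
    if MARKETPLACE_REF.match(ref):
        return "marketplace"
    if DIRECT_REPO_PATH.match(ref):
        return "direct"
    return "unknown"


def check_transitive_pinning(
    marketplace: dict, fetch_apm_yml: Callable[[dict], dict]
) -> List[str]:
    """For every package in marketplace.yml, fetch its apm.yml and warn on
    dependencies that would be resolved by direct clone instead of the catalogue."""
    warnings: List[str] = []
    for pkg in marketplace.get("packages", []):
        apm = fetch_apm_yml(pkg) or {}
        deps = (apm.get("dependencies") or {}).get("apm") or []
        for dep in deps:
            kind = classify_dependency(dep)
            if kind == "direct":
                warnings.append(
                    f"{pkg['name']}: dependency '{dep}' is a direct repo path and "
                    f"will track HEAD at install time; use name@marketplace so it "
                    f"resolves through the catalogue"
                )
            elif kind == "unknown":
                warnings.append(f"{pkg['name']}: dependency '{dep}' has an unrecognised format")
    return warnings


# --- constructed sample data (mirrors the scenario in the issue) -------------
SAMPLE_MARKETPLACE = {
    "packages": [
        {
            "name": "code-quality",
            "source": "acme-org/agent-forge",
            "ref": "0123456789abcdef0123456789abcdef01234567",  # constructed placeholder SHA
            "subdir": "agents/code-quality",
        },
        {
            "name": "conventions",
            "source": "acme-org/agent-forge",
            "ref": "89abcdef0123456789abcdef0123456789abcdef",  # constructed placeholder SHA
            "subdir": "general/conventions",
        },
    ]
}

# apm.yml contents keyed by (source, subdir); what a real fetch would return.
SAMPLE_APM_FILES: Dict[Tuple[str, str], dict] = {
    ("acme-org/agent-forge", "agents/code-quality"): {
        "dependencies": {
            "apm": [
                "acme-org/agent-forge/general/conventions",  # direct path, tracks HEAD
                "acme-org/agent-forge/backend/standards",    # same issue
            ]
        }
    },
    ("acme-org/agent-forge", "general/conventions"): {
        "dependencies": {"apm": ["standards@my-marketplace"]}  # catalogue-resolved
    },
}


def fetch_sample_apm_yml(pkg: dict) -> dict:
    """Stand-in for fetching <source>/<subdir>/apm.yml at the pinned ref."""
    return SAMPLE_APM_FILES.get((pkg["source"], pkg["subdir"]), {})


def run_sample_check() -> List[str]:
    return check_transitive_pinning(SAMPLE_MARKETPLACE, fetch_sample_apm_yml)


if __name__ == "__main__":
    for line in run_sample_check():
        print("WARN", line)
```

Only the code-quality package produces warnings, one per direct-path dependency; the conventions package, whose single dependency uses the name@marketplace form, passes. A real implementation would fetch apm.yml at the package's pinned ref rather than from an in-memory table, and could treat the "unknown" bucket as a hard error once the accepted grammar is settled.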
Context
Discovered during manual testing of the marketplace maintainer UX (PR #790). The DependencyReference.parse() path for direct repo paths creates a virtual subdirectory package that resolves via git clone, while the parse_marketplace_ref() path for name@marketplace format resolves through the catalogue with proper version pinning.
Related to #722.