docs: sync CLI, env vars and dev scripts with current code #337

- Add Environment Variables section to docs/configuration.md documenting RUST_LOG, OSV_ENDPOINT, CARGO_HOME, and GITHUB_TOKEN. OSV_ENDPOINT was previously only discoverable from src/main.rs.
- Add Developer Scripts table to CONTRIBUTING.md covering build-and-deploy.sh, run-benchmarks.sh, scripts/coverage.sh, scripts/fuzz.sh, scripts/profile-*.sh, and scripts/check_mermaid_syntax.sh.
- Fix docs/cli.md drift against dependi-lsp/src/main.rs and src/file_types.rs: document the html output format, the --no-use-lockfile scan flag, and the missing Ruby (Gemfile), Java (pom.xml), and Python (constraints.txt, hatch.toml) entries in the Supported Files table.
Walkthrough: This PR adds documentation covering environment variables, developer helper scripts, additional CLI options and supported dependency file types, README re-syncs, and corresponding changelog entries.
Actionable comments posted: 1
Inline comments:
In `@CONTRIBUTING.md`:
- Line 417: The table cell containing the inline code span ` ```mermaid ` breaks
Markdown rendering because the inline backticks are the same length as the
contained triple-backtick sequence; update the cell that mentions
`scripts/check_mermaid_syntax.sh [DOC.md]` to wrap the triple-backtick marker in
a longer inline code fence (use four backticks to enclose the sequence) so the
contained "```mermaid" is treated literally (i.e., replace the single-backtick
code span around the triple-backtick marker with a code span using more
backticks).
Files selected for processing (4): CHANGELOG.md, CONTRIBUTING.md, docs/cli.md, docs/configuration.md
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4f08263c58
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Add Java/Maven Central to the Supported Languages table, the FAQ registries table, and the CI/CD Supported Files list.
- Add Ruby (Gemfile) to the CI/CD Supported Files list; it was already in the main Supported Languages table but missing from the CLI reference further down.
- Document the html output format and the --no-use-lockfile flag in the CI/CD Options table to match src/main.rs.
- Refresh the Project Structure tree with the parsers and registries that have been added since the last README pass: parsers/maven.rs, pnpm_workspace.rs, json_spans.rs, lockfile_graph.rs, lockfile_resolver.rs, plus registries/maven_central.rs and url_sanitizer.rs.
- Update the Architecture ASCII diagram so the Parsers column lists pom.xml and pnpm-workspace, and the Registries column lists Maven Central.

Merging this PR will degrade performance by 60.34%
Second commit (ebbce8f) extends the sync to
Same audit method as the first commit — grepped
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ebbce8f7ab
- CONTRIBUTING.md: fix profile-registry.sh signature in the Developer Scripts table — it takes [REGISTRY] [PACKAGES] [ITERATIONS], not [FILE] [ITERATIONS], per the script's own usage header.
- CONTRIBUTING.md: widen the inline code fence around the literal triple-backtick mermaid marker so Markdown renderers don't terminate the code span on the contained backticks.
- docs/configuration.md: scope the OSV_ENDPOINT row to the scan subcommand (the profile-* paths use OsvClient::default()), and rewrite the npm token row to describe the actual runtime mechanism (EnvTokenProvider reading the variable named in LSP settings) and note that src/auth/npmrc.rs is test-only.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 69a3c2a6a5
| | Rust | `Cargo.toml` | | ||
| | Node.js | `package.json` | | ||
| | Python | `requirements.txt`, `pyproject.toml` | | ||
| | Python | `requirements.txt`, `constraints.txt`, `pyproject.toml`, `hatch.toml` | |
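Review bot: `constraints.txt` and `hatch.toml` in the new Python row will fail under `dependi-lsp scan`, since this thread confirms `run_scan` routes only `requirements.txt` and `pyproject.toml` to the Python parser and everything else falls into the "Unsupported file type" branch; a CI job wired to `--file constraints.txt` gets an error rather than findings. Keep the scan-CLI row to the two files the subcommand accepts and add a separate sentence pointing at the broader detection in `src/file_types.rs` for LSP mode, so the table does not promise coverage the CLI path does not deliver.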
Remove unsupported Python files from scan supported list
The scan command does not currently accept constraints.txt or hatch.toml as Python manifests: run_scan only routes Python parsing when file_name == "requirements.txt" || file_name == "pyproject.toml" (dependi-lsp/src/main.rs, run_scan). Documenting those two extra files here will cause CI users to run dependi-lsp scan --file constraints.txt/hatch.toml and hit Unsupported file type instead of a scan result.
> `run_scan` only routes Python parsing when `file_name == "requirements.txt" || file_name == "pyproject.toml"` ... Documenting those two extra files here will cause CI users to ... hit `Unsupported file type` instead of a scan result.
Right. dependi-lsp/src/main.rs:268 routes only those two filenames; constraints.txt and hatch.toml fall through to the Unsupported file type branch at line 283 even though FileType::detect recognises them for the LSP path. Fixed in 4c9a772 — the Python row in docs/cli.md and the README CI/CD list now show only requirements.txt and pyproject.toml, with a note pointing at the broader LSP-mode coverage.
Codex on PR #337 flagged that constraints.txt and hatch.toml fail the scan subcommand with "Unsupported file type" because run_scan in dependi-lsp/src/main.rs only routes requirements.txt and pyproject.toml for Python. Trim the docs/cli.md and README.md CLI Supported Files lists to match, and add a callout pointing readers at the broader LSP-mode coverage in src/file_types.rs.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4c9a772f2e
| | `--output <format>` | `-o` | `summary` | Output format: `summary`, `json`, `markdown`, `html` | | ||
| | `--min-severity <level>` | `-m` | `low` | Minimum severity: `low`, `medium`, `high`, `critical` | | ||
| | `--fail-on-vulns` | | `true` | Exit with code 1 if vulnerabilities found | | ||
| | `--no-use-lockfile` | | (off) | Disable lockfile-based scanning. By default, when a sibling lockfile (e.g. `Cargo.lock`, `package-lock.json`, `pnpm-lock.yaml`, `go.sum`, `composer.lock`, `pubspec.lock`, `packages.lock.json`, `Gemfile.lock`) exists next to the manifest, the scanner resolves transitive dependencies from it. Pass this flag to scan only the manifest's direct dependencies. | |
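Review bot: the `--no-use-lockfile` row overstates transitive coverage. It lists `go.sum`, `pubspec.lock` and `packages.lock.json` among the sibling lockfiles from which "the scanner resolves transitive dependencies", but the reply in this thread confirms `run_scan` builds no lockfile graph for Go, Dart, .NET or Maven and that `bun.lock` and `pdm.lock` produce empty graphs. A CI user scanning `go.mod` or `*.csproj` would read this row as proof that transitive vulnerabilities are covered when only direct dependencies are checked. Suggest listing only the lockfiles that actually populate a graph and stating plainly that the remaining ecosystems see direct dependencies only, with or without the flag.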
Correct lockfile coverage in `--no-use-lockfile` docs
This row states that the scanner walks the full dependency graph whenever any listed sibling lockfile exists, but run_scan only builds a lockfile graph for Crates/NPM/Python/Packagist/Ruby and explicitly skips the other ecosystems (dependi-lsp/src/main.rs match arm with _ => {} for Go/Pub/NuGet/Maven). In CI, users scanning go.mod, pubspec.yaml, or *.csproj can be misled into thinking transitive vulns are covered when they are not, creating false security confidence; please narrow the claim to the lockfiles actually wired into scan (and mirror the same wording fix in README).
> `run_scan` only builds a lockfile graph for Crates/NPM/Python/Packagist/Ruby and explicitly skips the other ecosystems ... users scanning `go.mod`, `pubspec.yaml`, or `*.csproj` can be misled into thinking transitive vulns are covered
Confirmed at dependi-lsp/src/main.rs:357 — the catch-all arm is _ => {} for Go/Pub/NuGet/Maven, and within the wired ecosystems bun.lock (line 320) and pdm.lock (line 339) construct LockfileGraph::default() so detection happens but no edges land in the graph. Fixed in 3110c4b: both docs/cli.md and README.md now list only the lockfiles that actually walk transitives (Cargo.lock, package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, uv.lock, Pipfile.lock, composer.lock, Gemfile.lock), call out bun.lock/pdm.lock as detected-but-empty, and note that Go, Dart, .NET, and Maven scans see direct deps only regardless of the flag.
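To make concrete what the `--no-use-lockfile` discussion above turns on (direct dependencies from the manifest versus a graph walked from a sibling lockfile), here is an added example that is not dependi's code and does not reproduce `parsers/lockfile_graph.rs` or `parsers/lockfile_resolver.rs`. It parses a constructed Cargo.lock-style fragment (package names and versions are made up) and resolves either the root's direct dependencies or the full transitive closure; the `parse_lockfile` and `resolve` functions are assumptions for illustration only.

```rust
// Added example, not dependi's code. Shows the difference between a
// direct-only scan (what `--no-use-lockfile` selects, and what an ecosystem
// with no lockfile parser silently gets) and a transitive walk over a lockfile.
use std::collections::{BTreeSet, HashMap, VecDeque};

/// Constructed sample, not a real lockfile: `app` depends directly on `log`
/// and `serde`; `serde` pulls in `serde_derive`, which pulls in `syn`.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "log",
 "serde",
]

[[package]]
name = "log"
version = "0.4.21"

[[package]]
name = "serde"
version = "1.0.200"
dependencies = ["serde_derive"]

[[package]]
name = "serde_derive"
version = "1.0.200"
dependencies = ["syn"]

[[package]]
name = "syn"
version = "2.0.60"
"#;

/// package name -> (version, names of its direct dependencies)
#[derive(Default, Debug)]
pub struct LockfileGraph {
    pub packages: HashMap<String, (String, Vec<String>)>,
}

/// Cargo.lock dependency specs look like `"name"` or `"name 1.2.3 (source)"`;
/// only the name is needed to walk the graph.
fn dep_name(spec: &str) -> Option<String> {
    spec.trim().trim_end_matches(',').trim().trim_matches('"')
        .split_whitespace().next().map(str::to_string)
}

fn flush(g: &mut LockfileGraph, name: &mut Option<String>, ver: &mut String, deps: &mut Vec<String>) {
    if let Some(n) = name.take() {
        g.packages.insert(n, (std::mem::take(ver), std::mem::take(deps)));
    }
}

/// Parse only the subset used in SAMPLE_LOCK (`[[package]]`, `name`, `version`,
/// `dependencies`). A production parser should use a TOML crate instead.
pub fn parse_lockfile(text: &str) -> LockfileGraph {
    let mut graph = LockfileGraph::default();
    let (mut name, mut version, mut deps, mut in_deps) = (None, String::new(), Vec::new(), false);
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut graph, &mut name, &mut version, &mut deps);
            in_deps = false;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = v.trim_matches('"').to_string();
        } else if let Some(rest) = line.strip_prefix("dependencies = [") {
            match rest.strip_suffix(']') {
                Some(inline) => deps.extend(inline.split(',').filter_map(dep_name)),
                None => in_deps = true, // multi-line list follows
            }
        } else if in_deps {
            if line == "]" { in_deps = false; } else if let Some(n) = dep_name(line) { deps.push(n); }
        }
    }
    flush(&mut graph, &mut name, &mut version, &mut deps);
    graph
}

/// Names a scanner would report for `root`. `use_lockfile == false` mirrors
/// `--no-use-lockfile`: direct dependencies only. With it on, a breadth-first
/// walk over the lockfile graph yields the transitive closure.
pub fn resolve(graph: &LockfileGraph, root: &str, use_lockfile: bool) -> BTreeSet<String> {
    let mut seen = BTreeSet::new();
    let Some((_, direct)) = graph.packages.get(root) else { return seen };
    if !use_lockfile {
        return direct.iter().cloned().collect();
    }
    let mut queue: VecDeque<&str> = direct.iter().map(String::as_str).collect();
    while let Some(pkg) = queue.pop_front() {
        if seen.insert(pkg.to_string()) {
            if let Some((_, next)) = graph.packages.get(pkg) {
                queue.extend(next.iter().map(String::as_str));
            }
        }
    }
    seen
}

fn main() {
    let graph = parse_lockfile(SAMPLE_LOCK);
    println!("direct only  : {:?}", resolve(&graph, "app", false));
    println!("with lockfile: {:?}", resolve(&graph, "app", true));
}
```

The point for the documentation: an ecosystem whose lockfile the scanner cannot parse behaves exactly like the `use_lockfile = false` path here, so `serde_derive` and `syn` would never be checked against OSV. A row that lists such a lockfile as enabling transitive resolution is therefore not a harmless inaccuracy but a claim of coverage that does not exist.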
| | Script | Purpose | | ||
| |--------|---------| | ||
| | `./build-and-deploy.sh` | Build the LSP in release mode and copy the binary into the local `dependi-zed/dependi-lsp-1.0.0/` dev-extension dir plus every installed `~/.local/share/zed/extensions/work/dependi/dependi-lsp-v*` directory (macOS path under `~/Library/Application Support/Zed/...`). Restart Zed afterwards. | |
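Review bot: `./build-and-deploy.sh` is not a tracked file (this thread confirms `git ls-tree HEAD build-and-deploy.sh` is empty and `.gitignore` excludes it), so this row sends contributors to a command that fails with a missing-file error; drop the row or replace it with a script that is in the tree. If it is ever documented, the description should also make clear that it overwrites the binary in every installed `~/.local/share/zed/extensions/work/dependi/dependi-lsp-v*` directory, which is acceptable for a personal helper but not something a first-time contributor should run without knowing.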
Remove missing build-and-deploy script from docs
This table entry points contributors to ./build-and-deploy.sh, but there is no tracked file at that path in the current tree (fresh evidence: root scripts include run-benchmarks.sh, while helper scripts are under scripts/). Anyone following this command from the guide will fail immediately with a missing file error, so the row should be removed or replaced with an existing script.
> there is no tracked file at that path in the current tree (fresh evidence: root scripts include `run-benchmarks.sh`, while helper scripts are under `scripts/`)
You were right twice — I dismissed this on the first pass because the file exists on my disk, but git ls-tree HEAD build-and-deploy.sh is empty and .gitignore:54 excludes it. It's a personal dev helper, not a tracked script. Fixed in 3110c4b: the row is removed from the Developer Scripts table. Apologies for the earlier wrong rebuttal.
…ed script

Two Codex findings on PR #337 (commit 4c9a772):
- P1: docs/cli.md and README.md claimed that --no-use-lockfile turns off a full transitive scan for every lockfile, including go.sum, pubspec.lock, and packages.lock.json. In run_scan (dependi-lsp/src/main.rs:357), Go/Pub/NuGet/Maven fall through `_ => {}` with no graph parser, and bun.lock / pdm.lock build empty graphs. Narrow the docs to the lockfiles actually wired today and call out the empty/missing cases so users don't infer false transitive coverage in CI.
- P2: CONTRIBUTING.md Developer Scripts table linked `./build-and-deploy.sh`, but that file is .gitignored (root .gitignore:54) and not tracked, so contributors hit a missing-file error. Remove the row; add a CHANGELOG note explaining the script is intentionally a personal helper.
Summary

Three documentation pages had drifted from the source of truth. This PR re-syncs them and adds two missing references.

- `docs/configuration.md` — new Environment Variables section documenting `RUST_LOG`, `OSV_ENDPOINT`, `CARGO_HOME`, and `GITHUB_TOKEN`. `OSV_ENDPOINT` (used in `dependi-lsp/src/main.rs:434` to override the OSV.dev base URL) was previously undocumented.
- `CONTRIBUTING.md` — new Developer Scripts table covering the seven helper scripts (`build-and-deploy.sh`, `run-benchmarks.sh`, `scripts/coverage.sh`, `scripts/fuzz.sh`, `scripts/profile-{parse,registry,full}.sh`, `scripts/check_mermaid_syntax.sh`) that contributors previously had to discover by `ls`-ing the repo.
- `docs/cli.md` — three drifts against the current code:
  - `html` (added to `OutputFormat` enum in `src/main.rs:38`).
  - `--no-use-lockfile` flag row (added to the `Scan` subcommand in `src/main.rs:63-65`).
  - Ruby (`Gemfile`), Java (`pom.xml`), and the Python edge cases (`constraints.txt`, `hatch.toml`) that `src/file_types.rs::FileType::detect` already recognises.

Why

The three docs were last edited 2026-01-10 and predated multiple feature additions (lockfile scanning, html output, Ruby/Java parsers, Python edge-case routing). Symptom-based pages (`docs/troubleshooting.md`) and command-surface pages (`docs/profiling.md`) were re-verified during the audit and need no changes.

Changes

- `CHANGELOG.md` — new `### Documentation` subsection under `[Unreleased]`.
- `CONTRIBUTING.md` — Developer Scripts table appended to Build Commands Reference.
- `docs/configuration.md` — Environment Variables subsection appended to Debugging.
- `docs/cli.md` — Options table + Supported Files table updated.

Testing

`dependi-lsp/src/main.rs`, `src/file_types.rs`, `src/config.rs`, and `src/auth/npmrc.rs`.

Summary by cubic

Sync CLI, environment variable docs, developer scripts, and README with current code to remove drift. Adds `html` output, Ruby/Java support, and scopes `--no-use-lockfile` to supported lockfiles; clarifies `OSV_ENDPOINT` and documents the `EnvTokenProvider` pattern; trims Python CLI routing.

- docs/cli.md: add `html` output; add `--no-use-lockfile` with explicit coverage (full graphs: `Cargo.lock`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `poetry.lock`, `uv.lock`, `Pipfile.lock`, `composer.lock`, `Gemfile.lock`; empty graphs: `bun.lock`, `pdm.lock`; no parser yet: Go, Dart, .NET, Maven); extend Supported Files with Ruby (Gemfile) and Java (pom.xml); limit Python to `requirements.txt` and `pyproject.toml` with an LSP-only callout for `constraints.txt`/`hatch.toml`.
- docs/configuration.md: new Environment Variables section for `RUST_LOG`, `OSV_ENDPOINT` (scan-only), `CARGO_HOME`, and the `EnvTokenProvider` token-variable pattern (Cargo alt registries and npm scoped registries). Note `.npmrc` `${VAR}` expansion is test-only.
- CONTRIBUTING.md: add Developer Scripts table (excludes gitignored `build-and-deploy.sh`); fix `profile-registry.sh` signature; escape the mermaid fenced-code marker.
- README.md: add Java/Maven Central and Ruby to supported/CI lists; note npm + `pnpm` workspace catalogs; document `html` output and the scoped `--no-use-lockfile`; refresh project structure with `parsers/maven.rs`, `parsers/pnpm_workspace.rs`, `parsers/json_spans.rs`, `parsers/lockfile_graph.rs`, `parsers/lockfile_resolver.rs`, `registries/maven_central.rs`, `registries/url_sanitizer.rs`; update architecture diagram.
- CHANGELOG.md: record these documentation changes and the script exclusion.

Written for commit 3110c4b.