Add GitHub shorthand syntax and auto-detection to swap-deps

[justin808]

Summary

• Support shorthand syntax for gem-specific flags (e.g., --shakapacker '#main')
• Auto-detect default branch when none specified
• Add zsh escaping documentation
• Map gem names to default GitHub repos

Changes

Shorthand Syntax

Gem-specific flags now accept GitHub specs in addition to local paths:

• --shakapacker '#main' → shakacode/shakapacker#main
• --shakapacker '@v9.0.0' → shakacode/[email protected]
• --shakapacker 'user/repo#branch' → custom repo/branch

Auto-Detection

When no branch/tag specified, automatically detects the default branch:

• --shakapacker shakacode/shakapacker → detects main/master
• Uses git ls-remote --symref for zero-cost detection
• Falls back to 'main' if detection fails

Shell Escaping

• Documents that # and @ require quotes in zsh
• Adds comprehensive examples to help text
• Note: Without quotes, zsh treats # as comment marker

Default Repo Mapping

• shakapacker → shakacode/shakapacker
• react_on_rails → shakacode/react_on_rails
• cypress-on-rails → shakacode/cypress-on-rails

Examples

# Shorthand (quotes required in zsh!)
bin/swap-deps --shakapacker '#main'
bin/swap-deps --react-on-rails '#feature-x'
bin/swap-deps --shakapacker '@v9.0.0'

# Auto-detect default branch (no quotes needed)
bin/swap-deps --shakapacker shakacode/shakapacker

# Full repo spec
bin/swap-deps --shakapacker 'otheruser/shakapacker#custom-branch'

# Mix local and GitHub
bin/swap-deps --shakapacker ~/dev/shakapacker \
              --react-on-rails '#main'

Test plan

• Tested shorthand syntax with quotes
• Tested auto-detection of default branch
• Tested full repo specs
• RuboCop passes
• Help text updated with examples

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Unified dependency status display.
  • Automatic detection of default branches for GitHub repos and current branch for local repos.
  • More flexible inputs: accept local paths, full GitHub specs, and shorthand (#branch, @tag), with smart default repo inference.
• Documentation
  • Expanded help with clearer syntax, examples, and notes on quoting and mixing local/GitHub sources.
• Refactor
  • Streamlined workflow and messaging for a more consistent, dependency-centric experience.

[coderabbitai]

Walkthrough

Consolidates dependency status display in DependencySwapper, adds GitHub default-branch detection and local git-branch detection, and removes separate gem/package presenters. Enhances SwapDepsCLI to parse flexible inputs (local paths, full/shorthand GitHub specs), introducing a default repo map and new parsing helpers. Updates option handling and help text accordingly.

Changes

Cohort / File(s)	Summary
DependencySwapper refactor and Git integration lib/demo_scripts/gem_swapper.rb	Simplified show_demo_status to depend on swapped_gems; unified display via display_swapped_dependencies; removed display_swapped_gems/display_swapped_packages; added display_dependency_info; added detect_git_branch; added detect_default_branch and updated GitHub validation to set/use branch/default branch; minor messaging changes.
CLI parsing enhancements and shorthand support lib/demo_scripts/swap_deps_cli.rb	Added GEM_REPOS constant; introduced process_gem_value, parse_github_spec_without_shorthand, parse_github_spec; refactored option handlers (--shakapacker, --react-on-rails, --cypress-on-rails, --github) to route through new helpers; expanded help text and examples; supports shorthand refs (#branch, @tag) and mixed local/GitHub sources.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant DS as DependencySwapper
  participant GH as Git Remote
  participant FS as Filesystem

  U->>DS: show_demo_status()
  DS->>DS: swapped_gems.empty? check
  alt No swapped gems
    DS-->>U: return (no dependencies)
  else Has swapped gems
    DS->>DS: display_swapped_dependencies()
    loop each gem
      DS->>DS: display_dependency_info(gem)
      alt Local path
        DS->>FS: detect_git_branch(path)
        FS-->>DS: branch name or nil
        DS-->>U: print local path + branch
      else GitHub spec
        DS->>DS: validate_github_repos()
        DS->>GH: detect_default_branch(repo)
        GH-->>DS: default branch (or fallback)
        DS-->>U: print repo + ref/branch
      end
    end
  end

Loading

sequenceDiagram
  autonumber
  actor U as User
  participant CLI as SwapDepsCLI
  participant H as Helpers

  U->>CLI: run with options
  loop for each option value
    CLI->>H: process_gem_value(gem, value)
    alt Local path
      H-->>CLI: add to @gem_paths
    else GitHub spec (full)
      H->>H: parse_github_spec_without_shorthand()
      H-->>CLI: normalized [repo, ref, type]
      CLI->>CLI: update @github_repos
    else Shorthand (#branch/@tag)
      H->>H: parse_github_spec(gem, shorthand) using GEM_REPOS
      H-->>CLI: resolved [repo, ref, type]
      CLI->>CLI: update @github_repos
    end
  end
  CLI-->>U: proceed with swaps using @gem_paths/@github_repos

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Add local gem development utility #31: Introduces/adjusts GemSwapper/CLI; overlaps with current DependencySwapper and CLI parsing setup.
• Fix swap-deps to use correct Bundler syntax for Git tags (#38) #43: Modifies Git ref handling in gem_swapper.rb; related to new branch detection and GitHub validation changes.
• Add --status flag to bin/swap-deps #52: Reworks dependency status display; aligns with unified display_swapped_dependencies and display_dependency_info.

Poem

I hop through deps with nimble paws,
Branches sniffed, no hidden flaws.
Tags like carrots, paths like clover,
Shorthand trails I bound right over.
With whiskers twitching, swaps align—
Git and gems in perfect line. 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly and concisely summarizes the main enhancements by stating the addition of GitHub shorthand syntax and auto-detection to the swap-deps tool, matching the core changes in the pull request without extraneous details.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch swap-deps-github-shorthand

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review - PR #56: Add GitHub shorthand syntax and auto-detection to swap-deps

Overview

This PR adds convenient shorthand syntax for specifying GitHub dependencies and auto-detection of default branches. The implementation is well-structured and follows good practices overall.

---

✅ Strengths

1. Good Feature Design: The shorthand syntax is intuitive and user-friendly
2. Code Organization: Clear separation of concerns between swap_deps_cli.rb and gem_swapper.rb
3. Documentation: Comprehensive help text with multiple examples
4. Error Handling: Proper validation for gem names and repository formats
5. RuboCop Compliance: Code passes linting checks

---

🔍 Code Quality Issues

1. Security: Command Injection Risk (lib/demo_scripts/gem_swapper.rb:651)

Severity: Medium

The detect_default_branch method uses backticks with string interpolation which is a risky pattern. The existing codebase uses array-form system() calls elsewhere (lines 712-713) for safety.

Recommendation: Use Open3.capture2 (already required at line 8) instead of backticks to follow the existing pattern in the codebase.

2. Potential Bug: Nil Reference Handling (lib/demo_scripts/swap_deps_cli.rb:90-91)

Severity: Low-Medium

In process_gem_value, the ref can be nil (for auto-detection), but it's directly assigned to :branch. While this is handled later in validate_github_repos (line 638), it creates temporary state with nil values.

Recommendation: Document this intentional behavior with a comment.

3. Code Duplication (lib/demo_scripts/swap_deps_cli.rb:99-137 & 188-204)

Severity: Low

The GitHub spec parsing logic appears twice: in parse_github_spec and in the --github option handler.

Recommendation: Refactor the --github option to use the shared parsing method.

4. Network Call During Initialization (lib/demo_scripts/gem_swapper.rb:638)

Severity: Low

Auto-detection happens during validate_github_repos, which is called from the initializer. This means network calls occur during object construction, making initialization slower and harder to test.

Recommendation: Consider lazy evaluation or moving detection to the clone_github_repos! phase where other network operations happen.

---

🧪 Test Coverage Concerns

The PR mentions test plan items are checked off, but I don't see unit tests for the new parsing logic, edge case tests for malformed input, tests for auto-detection with mocked network calls, or tests for error conditions.

Recommendation: Add test coverage in a follow-up PR or before merging, especially for parse_github_spec with various inputs and detect_default_branch with mocked git commands.

---

🔒 Security Assessment

Good: Input validation with regex, use of array-form system calls in most places

Concerns: Backtick usage in detect_default_branch (see issue #1 above)

Verdict: Generally secure with one recommended fix.

---

📋 Minor Issues

1. Inconsistent quoting in examples (lib/demo_scripts/swap_deps_cli.rb:296-321)
2. Magic strings (lib/demo_scripts/gem_swapper.rb:653) - regex could be a constant
3. Deleted file not related to feature (demos/basic-v16-rspack/babel.config.js) - deletion seems unrelated to the PR's stated purpose

---

✨ Recommendations Summary

Before merging:

1. Fix command injection risk in detect_default_branch (use Open3.capture2)
2. Explain or split out the unrelated babel.config.js deletion

Follow-up (nice to have):
3. Add unit tests for parsing logic
4. Eliminate code duplication in GitHub spec parsing
5. Consider lazy evaluation for auto-detection

---

🎉 Conclusion

This is a high-quality PR that adds valuable functionality. The shorthand syntax will significantly improve developer experience. With the security fix for command injection, this is ready to merge.

Recommendation: Approve with minor changes

Great work! The feature design is thoughtful and the implementation is clean. 🚀

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 45fbe3a and 6461003.

📒 Files selected for processing (5)

• demos/basic-v16-rspack/.gitignore (1 hunks)
• demos/basic-v16-rspack/babel.config.js (0 hunks)
• demos/basic-v16-rspack/bin/export-bundler-config (1 hunks)
• lib/demo_scripts/gem_swapper.rb (3 hunks)
• lib/demo_scripts/swap_deps_cli.rb (4 hunks)

💤 Files with no reviewable changes (1)

• demos/basic-v16-rspack/babel.config.js

🧰 Additional context used

🧬 Code graph analysis (1)

lib/demo_scripts/gem_swapper.rb (1)

lib/demo_scripts/github_spec_parser.rb (1)

• validate_github_branch (53-74)

🪛 Brakeman (7.1.0)

lib/demo_scripts/gem_swapper.rb

[medium] 634-634: Possible command injection
Type: Command Injection
Confidence: Medium
More info: https://brakemanscanner.org/docs/warning_types/command_injection/

(Command Injection)

[claude]

Pull Request Review - PR #56

Overview

This PR adds GitHub shorthand syntax and auto-detection to the swap-deps CLI, making it significantly more user-friendly. The implementation is well-structured with comprehensive test coverage.

✅ Strengths

Code Quality

• Excellent test coverage: The changes to gem_swapper.rb are well-tested in gem_swapper_spec.rb with edge cases covered
• Security conscious: Proper validation with regex for GitHub repos and branches, preventing path traversal and command injection
• Good separation of concerns: The parse_github_spec method cleanly handles different shorthand formats
• Consistent error handling: Appropriate error messages with helpful suggestions
• RuboCop compliant: Code follows repository style guidelines with proper rubocop directives

Features

• Smart auto-detection: Using git ls-remote --symref is a zero-cost approach to detect default branches
• Excellent UX: Shorthand syntax (#branch, @tag) significantly improves developer experience
• Good documentation: Help text includes comprehensive examples with shell-specific guidance (zsh quoting)

Best Practices

• Backward compatible: Changes extend existing functionality without breaking existing workflows
• Dry-run friendly: All new features respect the dry-run flag
• Proper file permissions: The new export-bundler-config script has correct executable permissions

🔍 Code Review Observations

Minor Issues & Suggestions

1. RuboCop Directive Duplication (swap_deps_cli.rb:86-102)

The Lint/DuplicateBranch disable directive suggests the conditional branches are identical. While this is intentional (both set @gem_paths), consider refactoring for clarity:

# Current implementation has duplicate branches
if File.exist?(expanded_path) || value.start_with?('./', '../')
  @gem_paths[gem_name] = value
elsif value.start_with?('#', '@') || value.include?('/')
  # GitHub processing
else
  @gem_paths[gem_name] = value  # Duplicate!
end

Suggestion: Could simplify by handling GitHub specs first, defaulting to local path:

if value.start_with?('#', '@') || (value.include?('/') && !File.exist?(File.expand_path(value)))
  repo, ref, ref_type = parse_github_spec(gem_name, value)
  @github_repos[gem_name] = { repo: repo, branch: ref, ref_type: ref_type }
else
  @gem_paths[gem_name] = value
end

2. Default Branch Detection Network Dependency (gem_swapper.rb:647-661)

The detect_default_branch method makes a network call to GitHub, which could:

• Fail in offline environments
• Add latency when processing multiple repos
• Fail silently and fall back to 'main' without clear indication

Suggestions:

• Consider caching detection results per session
• Add a timeout to the git command
• Make the fallback behavior configurable (main vs master)
• Add verbose logging when detection fails

output = `timeout 5 git ls-remote --symref https://github.com/#{repo}.git HEAD 2>/dev/null`

3. Inconsistent require Statement (gem_swapper.rb:3)

The file adds require 'English' at line 3, which is good practice for using $CHILD_STATUS instead of $?. However, verify this is the first use of this pattern in the file - I see it's used in detect_default_branch.

✅ This is actually correct - good practice!

4. Test Coverage Gap

While the spec file is comprehensive, I notice there's no explicit test for the new detect_default_branch method. Consider adding:

describe '#detect_default_branch' do
  it 'detects main branch from git ls-remote' do
    allow(swapper).to receive(:`).and_return("ref: refs/heads/main\tHEAD\n")
    result = swapper.send(:detect_default_branch, 'shakacode/shakapacker')
    expect(result).to eq('main')
  end

  it 'falls back to main when detection fails' do
    allow(swapper).to receive(:`).and_return('')
    result = swapper.send(:detect_default_branch, 'shakacode/shakapacker')
    expect(result).to eq('main')
  end
end

5. Shell Injection Safety (gem_swapper.rb:651)

The code uses backticks with interpolation:

output = `git ls-remote --symref https://github.com/#{repo}.git HEAD 2>/dev/null`

✅ This is actually safe because repo has already been validated by validate_github_repo which uses a strict regex pattern. The validation happens at lines 635-640 before this code executes. Good defensive programming!

Documentation

6. Missing .gitignore Entry

The PR adds .gitignore entry for /shakapacker-config-exports/ which is good, but ensure this is documented in the demo's README if users might need to know about this directory.

7. Deleted babel.config.js

The deletion of demos/basic-v16-rspack/babel.config.js is mentioned in the PR description as simplifying setup, but:

• Verify this doesn't break any existing demo functionality
• Ensure the Babel configuration is now fully handled by Shakapacker
• Consider adding a note in CHANGELOG if this is a breaking change for users following old guides

🔒 Security Review

✅ Security Strengths

1. Input validation: Proper regex validation on repo names and branches (prevents injection)
2. Path traversal prevention: The validate_github_repo check prevents ../../../etc/passwd style attacks
3. YAML safe loading: Uses YAML.safe_load_file with restricted classes in load_config
4. No shell interpolation risks: Uses array form for system() calls in git operations
5. Gem name validation: clean_cache validates gem names with strict regex before file operations

⚠️ Security Considerations

1. Network calls: The auto-detection feature makes unauthenticated network calls to GitHub. This is low risk but could be subject to rate limiting or MITM attacks in untrusted networks. Consider documenting this behavior.

2. Cache directory: The cache at ~/.cache/swap-deps could grow unbounded. The PR includes cache management commands (--clean-cache), which is good. Consider adding a note about disk usage in the help text.

🧪 Testing

✅ Test Coverage Assessment

The spec file shows excellent coverage:

• Shorthand parsing: ✅ Covered (multiple contexts)
• GitHub specs with branches/tags: ✅ Covered
• Edge cases (master branch, tag named 'main'): ✅ Covered
• Error cases: ✅ Covered
• Cache management: ✅ Covered

Missing Test Coverage

• Auto-detection of default branch (network call)
• Integration test for the full shorthand workflow
• Error handling when GitHub is unreachable

📊 Performance Considerations

✅ Good Practices

1. Minimal git operations: Using --depth 1 for clones
2. Efficient cache lookups: Good use of caching mechanisms
3. Single directory traversal: Cache size calculation is done once and reused

💡 Suggestions

1. Parallel detection: When processing multiple GitHub repos, consider detecting default branches in parallel
2. Connection pooling: If many repos are processed, consider reusing git connections

🎯 Overall Assessment

Category	Rating	Notes
Code Quality	⭐⭐⭐⭐⭐	Excellent structure, well-documented
Security	⭐⭐⭐⭐½	Very good with minor network considerations
Testing	⭐⭐⭐⭐	Comprehensive, missing one method test
Performance	⭐⭐⭐⭐	Good approach, room for parallel optimization
Documentation	⭐⭐⭐⭐½	Great help text and examples
User Experience	⭐⭐⭐⭐⭐	Significant improvement with shorthand syntax

🎬 Recommendations

Must Address

• None - the PR is in good shape!

Should Address

1. Consider adding test for detect_default_branch method
2. Add timeout to git ls-remote call to prevent hanging
3. Consider refactoring process_gem_value to eliminate RuboCop directive

Nice to Have

1. Add parallel branch detection for multiple repos
2. Cache branch detection results for session duration
3. Document the babel.config.js removal in demo README
4. Add integration test for full shorthand workflow

🏁 Conclusion

Recommendation: ✅ APPROVE with minor suggestions

This is a high-quality PR that significantly improves developer experience. The code is well-tested, secure, and follows best practices. The shorthand syntax and auto-detection features are thoughtfully implemented. The suggestions above are mostly minor optimizations and enhancements rather than critical issues.

The PR demonstrates:

• Strong understanding of Ruby best practices
• Security awareness
• Excellent testing discipline
• User-centric design

Great work! 🎉

---

Review generated by Claude Code - PR #56

[claude]

Pull Request Review - PR #56

Summary

This PR adds GitHub shorthand syntax and auto-detection features to the swap-deps CLI tool. The changes enhance developer experience by supporting shorthand notation for gem-specific flags and automatically detecting default branches.

Code Quality & Best Practices

Strengths:

1. Well-structured code: The separation of concerns between swap_deps_cli.rb and gem_swapper.rb is clean
2. Good documentation: Comprehensive help text with examples, including zsh-specific guidance
3. RuboCop compliance: The PR notes that RuboCop passes
4. Backward compatibility: The changes maintain existing functionality while adding new features

[claude]

Areas for Improvement:

1. Network Call During Object Construction (lib/demo_scripts/gem_swapper.rb:638)

The detect_default_branch method makes a network call (git ls-remote) during the validation phase. While there's a comment acknowledging this design choice, it has implications:

Concerns:

• This happens during object initialization/validation, which can cause unexpected delays
• Network failures during construction can be confusing for users
• Multiple repos without branches will trigger sequential network calls

Recommendations:

• Consider lazy evaluation: detect the branch only when cloning is about to happen
• Add timeout handling for the git ls-remote call
• Consider caching detected branches for the session
• Add a progress indicator for multiple repos

[claude]

2. Security: Command Injection Risk (lib/demo_scripts/gem_swapper.rb:641)

While the comment states "Use array form to avoid shell injection (repo is already validated)", there's still a potential issue with the git ls-remote call.

Analysis:

• The validation happens in validate_github_repo, but I don't see that method in the diff
• If validation only checks format (e.g., user/repo), malicious input like user/repo --upload-pack=malicious could be problematic
• String interpolation into URLs can be risky if validation is insufficient

Recommendations:

• Ensure validate_github_repo validates both the format AND that the repo string contains only safe characters
• Consider using a more restrictive pattern (e.g., only alphanumeric, dash, underscore)
• Add a test case to verify malicious inputs are rejected

[claude]

3. Error Handling in process_gem_value (lib/demo_scripts/swap_deps_cli.rb:87-102)

The RuboCop disable for Lint/DuplicateBranch suggests potential refactoring opportunities.

Issues:

• The branches at lines 92 and 100 are identical, which triggers the lint warning
• The logic of "if it's not a path and not a GitHub spec, assume it's a local path" is confusing
• File.expand_path always succeeds, so this could misidentify GitHub specs as paths

Recommendations:

• Refactor to eliminate duplicate branches
• Make the logic more explicit about what constitutes a valid local path vs GitHub spec
• Consider validating that local paths actually exist or raising a clear error

[claude]

4. Missing Test Coverage for New Features

Looking at the PR description, I see "Test plan" items checked off, but the diff doesn't show new test files.

Missing tests for:

• detect_default_branch method (including network failure scenarios)
• parse_github_spec with shorthand syntax (#branch, @tag)
• parse_github_spec_without_shorthand method
• process_gem_value logic and edge cases

Recommendations:

• Add unit tests for detect_default_branch (mock Open3.capture2)
• Add tests for shorthand parsing edge cases
• Test error conditions (invalid repos, network failures, malformed specs)

[claude]

Performance Considerations

1. Sequential Network Calls: If multiple gems are specified without branches, detect_default_branch will be called sequentially for each. Consider:

   • Running detections in parallel using threads
   • Batching requests if possible
   • Adding a spinner/progress indicator

2. No Timeout on git ls-remote: Network calls without timeouts can hang indefinitely. Add a timeout mechanism.

Security Concerns

1. Input Validation: Ensure validate_github_repo thoroughly validates repo strings to prevent command injection
2. GitHub Specs from User Input: The shorthand syntax accepts user input that gets interpolated into git commands. Verify validation is sufficient.
3. Path Traversal: While File.expand_path is used, ensure user-provided paths can't escape intended directories if that matters for your use case.

[claude]

Additional Observations

Positive:

• The removal of babel.config.js suggests cleanup of unused config
• The addition of .gitignore entry for /shakapacker-config-exports/ shows attention to keeping the repo clean
• The new bin/export-bundler-config script is minimal and delegates to the shakapacker module (good separation)

Questions:

1. Why was babel.config.js removed? Is Babel no longer needed with rspack? (Worth documenting in the PR if not already)
2. Should detect_default_branch cache results to avoid redundant network calls?
3. Have you tested with private GitHub repos that require authentication?

[claude]

Recommendations Summary

High Priority:

1. Add comprehensive test coverage for new methods
2. Review and strengthen input validation for security
3. Add timeout handling to git ls-remote calls

Medium Priority:

4. Consider lazy evaluation for branch detection
5. Refactor process_gem_value to eliminate duplicate branches
6. Add parallel processing for multiple branch detections

Nice to Have:

7. Cache detected branches within a session
8. Add progress indicators for network operations

Conclusion

This is a valuable feature enhancement that improves the developer experience. The code is generally well-structured and documented. The main concerns are around:

1. Test coverage for the new functionality
2. Security validation of repo strings
3. Performance optimization for network calls

With these improvements, this will be a solid addition to the codebase! Great work on the comprehensive help text and shell-specific documentation.

---

Review generated with assistance from Claude Code

[claude]

Pull Request Review

Great work on adding GitHub shorthand syntax and auto-detection! This significantly improves the developer experience.

Strengths

1. Excellent UX Improvement - shorthand syntax is intuitive
2. Smart Auto-Detection - using git ls-remote is efficient
3. Good Documentation - help text and zsh escaping notes are clear
4. Code Quality - RuboCop compliance maintained
5. Backward Compatibility - no breaking changes

Issues Found

1. Network Error Handling (gem_swapper.rb:684-699)

The detect_default_branch method makes network calls during init but lacks timeout handling. Could hang indefinitely on network issues.

Suggestion: Add timeout parameter to Open3.capture2

2. Edge Case: Ambiguous Paths (swap_deps_cli.rb:88-92)

File.exist? check could misidentify repo names as local paths if a matching directory exists.

Example: Directory named shakacode would conflict with shakacode/shakapacker

3. Duplicate Branch Logic (swap_deps_cli.rb:86-103)

The RuboCop disable for Lint/DuplicateBranch indicates if/else branches doing same thing. Could be refactored.

4. Security: Input Validation

Verify validate_github_repo properly sanitizes input before string interpolation in detect_default_branch

Test Coverage Recommendations

• Unit tests for parse_github_spec variants
• Integration tests for auto-detection with mocks
• Edge case tests for ambiguous inputs

Performance Notes

• Network calls during init could be lazy-loaded or cached
• File.exist? on every gem value - acceptable for current scale

Overall Assessment: 8.5/10

Solid PR with great UX improvements. Main concerns are network error handling and edge case resolution. Once hardened, this will be production-ready.

Must Address

1. Add timeout/error handling to detect_default_branch
2. Fix ambiguous path detection logic
3. Verify input validation security

Great work!

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

lib/demo_scripts/gem_swapper.rb (1)

630-652: Default-branch detection: add timeout; address Brakeman warning

• Add a short timeout to avoid hangs when git is slow/offline.
• Brakeman flags possible command injection (Line 642). Using array form and prior repo validation likely mitigates it; please confirm validate_github_repo enforces a strict safe pattern.

Apply this diff:

@@
-require 'open3'
+require 'open3'
+require 'timeout'
@@
-  output, status = Open3.capture2('git', 'ls-remote', '--symref', "https://github.com/#{repo}.git", 'HEAD')
+  output, status = nil, nil
+  begin
+    Timeout.timeout(5) do
+      output, status = Open3.capture2('git', 'ls-remote', '--symref', "https://github.com/#{repo}.git", 'HEAD')
+    end
+  rescue Timeout::Error
+    status = Struct.new(:success?).new(false)
+    output = ''
+  end

Please verify validate_github_repo looks like:

# expected: only [\w.\-]+/[\w.\-]+ allowed
def validate_github_repo(repo)
  # ... strict allowlist for owner/repo ...
end

If not, add such validation to fully silence the warning. (Based on static analysis hints)

lib/demo_scripts/swap_deps_cli.rb (2)

86-104: Local-path vs GitHub detection is solid; add guard for full URLs

Great fix prioritizing real paths. One edge case: users may pass full Git URLs (https://..., [email protected]:...). These will be treated as GitHub specs and misparsed. Recommend rejecting or normalizing these early for clearer UX.

 def process_gem_value(gem_name, value)
   # Check if it's a local filesystem path first (before checking for GitHub specs)
   expanded_path = File.expand_path(value)
-  if File.exist?(expanded_path) || value.start_with?('./', '../')
+  if File.exist?(expanded_path) || value.start_with?('./', '../')
     # It's a local path
     @gem_paths[gem_name] = value
-  elsif value.start_with?('#', '@') || value.include?('/')
+  elsif value.match?(%r{\Ahttps?://}) || value.start_with?('git@')
+    raise Error, "Unsupported Git URL format: #{value}. Use 'user/repo', 'user/repo#branch', or 'user/repo@tag'."
+  elsif value.start_with?('#', '@') || value.include?('/')
     # It's a GitHub spec
     repo, ref, ref_type = parse_github_spec(gem_name, value)
     # NOTE: ref can be nil for auto-detection; validate_github_repos will detect default branch later
     @github_repos[gem_name] = { repo: repo, branch: ref, ref_type: ref_type }
   else
     # Default to local path (for simple names without paths or GitHub markers)
     @gem_paths[gem_name] = value
   end
 end

---

105-125: Parsing helpers look good; minor robustness

Consider trimming whitespace and early-rejecting empty shorthand (just '#' or '@') for clearer CLI errors (validation later will catch but message here can be friendlier).

 def parse_github_spec_without_shorthand(spec)
-  if spec.include?('@')
+  spec = spec.strip
+  if spec.include?('@')
     # Full: user/repo@tag
     repo, ref = spec.split('@', 2)
     ref_type = :tag
   elsif spec.include?('#')
     # Full: user/repo#branch
     repo, ref = spec.split('#', 2)
     ref_type = :branch
   else
     # Just repo name: user/repo
     repo = spec
     ref = nil # Will auto-detect default branch
     ref_type = :branch
   end
-
+  raise Error, 'Invalid GitHub spec: empty ref' if ref&.empty?
   [repo, ref, ref_type]
 end

Also applies to: 126-155

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b978345 and 690f7f2.

📒 Files selected for processing (2)

• lib/demo_scripts/gem_swapper.rb (3 hunks)
• lib/demo_scripts/swap_deps_cli.rb (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

lib/demo_scripts/gem_swapper.rb (1)

lib/demo_scripts/github_spec_parser.rb (1)

• validate_github_branch (53-74)

🪛 Brakeman (7.1.0)

lib/demo_scripts/gem_swapper.rb

[medium] 642-642: Possible command injection
Type: Command Injection
Confidence: Medium
More info: https://brakemanscanner.org/docs/warning_types/command_injection/

(Command Injection)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: claude-review

🔇 Additional comments (1)

lib/demo_scripts/swap_deps_cli.rb (1)

77-82: LGTM: default repo mapping, CLI flags, and help examples

• GEM_REPOS mapping aligns with project defaults.
• Gem-specific flags now accept shorthand/full specs; help clarifies zsh quoting.
• --github flow infers gem correctly.

Also applies to: 187-199, 205-211, 302-328

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

lib/demo_scripts/gem_swapper.rb (1)

633-642: Tag support added but update/cache logic not yet adapted.

The code now parses and stores ref_type (:tag or :branch) in the validation phase (lines 634, 641). However, the concerns raised in the previous review about update_github_repo and github_cache_path not handling tags correctly remain unaddressed. Those methods (lines 738-748 and 722-728) still assume branch-style refs and will fail when ref_type: :tag is used.

The previous review's suggested fixes for update_github_repo (conditional fetch/checkout for tags) and github_cache_path (include ref_type in cache directory name) should still be applied to fully support tag refs.

🧹 Nitpick comments (2)

lib/demo_scripts/gem_swapper.rb (2)

305-331: LGTM with optional documentation suggestion.

The dependency display logic correctly handles both GitHub and local path specs, resolves cache paths, checks directory existence, and detects git branches. The implementation is sound.

Consider adding a brief comment on line 314 explaining that the /\.$ pattern removes the npm package self-reference (e.g., path/to/package/. → path/to/package):

-      # Clean up path (remove trailing /. from npm packages)
+      # Clean up path (remove trailing /. from npm packages - npm uses '.' to reference package root)
       path = gem[:path].sub(%r{/\.$}, '')

---

3-3: Remove unused require 'English'. No English aliases are referenced; delete this line.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 690f7f2 and 12798ea.

📒 Files selected for processing (1)

• lib/demo_scripts/gem_swapper.rb (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

lib/demo_scripts/gem_swapper.rb (1)

lib/demo_scripts/github_spec_parser.rb (1)

• validate_github_branch (53-74)

🪛 Brakeman (7.1.0)

lib/demo_scripts/gem_swapper.rb

[medium] 672-672: Possible command injection
Type: Command Injection
Confidence: Medium
More info: https://brakemanscanner.org/docs/warning_types/command_injection/

(Command Injection)

🔇 Additional comments (4)

lib/demo_scripts/gem_swapper.rb (4)

333-342: LGTM!

The detect_git_branch method safely detects the current branch for local git repositories using git rev-parse. The implementation properly handles non-git directories, command failures, and exceptions by returning nil.

Note: When HEAD is detached (e.g., checked out to a specific commit), this will return 'HEAD' rather than a branch name, which is acceptable for the status display use case.

---

660-682: No command injection risk in detect_default_branch
The array-form Open3.capture2 call, combined with validate_github_repo enforcing %r{\A[\w.-]+/[\w.-]+\z}, guarantees the repo string is safe.

---

234-244: Confirm package.json swap display

The detect_swapped_packages method is defined but never invoked; if package.json swaps should still be shown in --status, reintroduce its call and related display logic.

---

649-651: Empty or invalid refs already error before auto-detection.
• parse_github_spec_without_shorthand raises on empty ref after @ or #.
• Any empty-string branch (e.g. from shorthand "#") is caught by validate_github_branch before or after auto-detect.
Auto-detection only runs when result[:branch] is genuinely nil.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

lib/demo_scripts/gem_swapper.rb (1)

741-751: Critical: Tag handling still broken (duplicate of past review).

The past review comment correctly identified that update_github_repo breaks with tag refs because it uses origin/#{info[:branch]} (line 748), which doesn't work for tags. Additionally, github_cache_path (lines 725-731) still doesn't include ref_type, causing cache collisions when a branch and tag share the same name.

These issues remain unresolved and will cause failures when users specify tags (e.g., @v9.0.0).

The fixes suggested in the past review comment are still applicable and should be implemented.

🧹 Nitpick comments (1)

lib/demo_scripts/gem_swapper.rb (1)

3-3: Remove unused require 'English'. No special variables from the English module are used—delete line 3 in lib/demo_scripts/gem_swapper.rb.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 12798ea and c6ab7b9.

📒 Files selected for processing (1)

• lib/demo_scripts/gem_swapper.rb (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

lib/demo_scripts/gem_swapper.rb (1)

lib/demo_scripts/github_spec_parser.rb (1)

• validate_github_branch (53-74)

🪛 Brakeman (7.1.0)

lib/demo_scripts/gem_swapper.rb

[medium] 675-675: Possible command injection
Type: Command Injection
Confidence: Medium
More info: https://brakemanscanner.org/docs/warning_types/command_injection/

(Command Injection)

🔇 Additional comments (3)

lib/demo_scripts/gem_swapper.rb (3)

298-303: LGTM! Cleaner dependency display.

The refactored display logic provides a unified approach for presenting both GitHub and local dependencies, improving code maintainability.

---

305-345: LGTM! Well-structured dependency display logic.

The implementation correctly:

• Distinguishes between GitHub and local dependencies
• Normalizes npm package paths by removing trailing /.
• Validates directory existence
• Detects git branches for local repos using safe command execution
• Provides comprehensive status information with appropriate indicators

The error handling in detect_git_branch appropriately returns nil on failure, preventing crashes while still providing useful information when available.

---

636-636: Approve branch auto-detection and safe git invocation
validate_github_repo enforces a strict [\w.-]+/[\w.-]+ pattern (no shell metacharacters) and Open3.capture2’s array form passes the URL as a single argument, eliminating injection risk.

[claude]

Code Review - PR #56: Add GitHub shorthand syntax and auto-detection to swap-deps

Summary

This PR adds significant improvements to the swap-deps CLI tool, including shorthand syntax for GitHub specs, automatic default branch detection, and improved status display. Overall, the implementation is solid and well-thought-out.

Strengths

1. Clean Architecture: The separation between parse_github_spec and parse_github_spec_without_shorthand is well-designed
2. Good Error Handling: Proper validation of GitHub repos and branches with meaningful error messages
3. Security-Conscious: Uses Open3.capture2 with array form to prevent shell injection
4. Comprehensive Help Text: Excellent documentation with clear examples, including shell-specific notes (zsh quoting)
5. Backwards Compatibility: Maintains support for existing syntax while adding new features

Issues Found

Medium Priority Issues

1. Network Call During Object Construction (lib/demo_scripts/gem_swapper.rb:687) - detect_default_branch makes network calls during validation, which violates common Ruby patterns and makes testing difficult. Consider lazy evaluation.

2. Duplicate Branch Logic (lib/demo_scripts/swap_deps_cli.rb:86-103) - process_gem_value has RuboCop disable for Lint/DuplicateBranch. Consider refactoring to eliminate duplication.

Minor Issues

3. babel.config.js Deletion - This file is removed without explanation. Please document why this removal is part of this PR.

4. Missing Input Validation - parse_github_spec extracts refs with spec[1..] but doesn't validate empty strings when spec == '#' or spec == '@'.

5. Hardcoded Sleep Duration (lib/demo_scripts/gem_swapper.rb:621) - Consider polling with timeout instead of fixed sleep.

Security Assessment - All Good!

• Shell Injection Prevention: Consistently uses array form with Open3.capture2 and system calls
• Path Traversal Protection: Validates gem names with regex
• Input Validation: GitHub repo and branch names validated
• File Locking: Proper use of File::LOCK_EX
• YAML Loading: Uses safe_load_file correctly

Test Coverage Concern

No automated test additions found in this PR. Please consider adding:

• Unit tests for parse_github_spec with various inputs
• Integration tests for detect_default_branch (can mock network calls)
• Edge case tests (empty strings, special characters, invalid repos)
• Tests for the new shorthand syntax

Recommendations

High Priority:

1. Add automated tests for the new functionality
2. Validate that shorthand refs are not empty strings
3. Document the babel.config.js removal

Medium Priority:
4. Consider lazy evaluation for detect_default_branch
5. Refactor process_gem_value to eliminate duplicate branches

Overall Assessment

Rating: 4/5 stars

This is a well-implemented feature that significantly improves the developer experience. The code is secure, follows best practices, and includes excellent documentation. The main areas for improvement are adding automated tests and handling edge cases. The feature is production-ready but would benefit from the recommended improvements before merge.

Great work!

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

lib/demo_scripts/swap_deps_cli.rb (4)

86-103: Consider documenting the path-precedence behavior

The current logic prioritizes existing filesystem paths over GitHub spec parsing, meaning vendor/shakapacker would be treated as a local path if that directory exists, even though it looks like a GitHub repo format. While this appears intentional (based on the past review and help text), it could surprise users.

The help text mentions using ./ prefix to force local path if ambiguous but doesn't clearly explain that existing directories are auto-detected as local paths regardless of their format.

Consider adding a comment above Line 89 explaining this precedence:

 def process_gem_value(gem_name, value)
+  # Precedence: existing filesystem paths > explicit ./ or ../ > GitHub specs > simple names
   # Check if it's a local filesystem path first (before checking for GitHub specs)

Also consider adding a log message in verbose mode when an ambiguous path is treated as local:

   if File.exist?(expanded_path) || value.start_with?('./', '../')
     # It's a local path
     @gem_paths[gem_name] = value
+    puts "  Treating '#{value}' as local path (exists: #{File.exist?(expanded_path)})" if @verbose

---

105-124: Add validation for empty or malformed specs

The method doesn't validate that spec is non-empty or that the extracted repo is valid. Edge cases like empty strings or specs like @ or # alone would result in empty repo names, causing confusing errors downstream.

Add validation before returning:

       repo = spec
       ref = nil # Will auto-detect default branch
       ref_type = :branch
     end
+
+    raise Error, "Invalid GitHub spec: '#{spec}'" if repo.nil? || repo.empty?

     [repo, ref, ref_type]

---

126-154: Validate shorthand refs are non-empty

If spec is just '#' or '@' without a ref, spec[1..] returns an empty string. This would pass through to @github_repos with an empty branch/tag, potentially causing confusing errors in downstream validation or git operations.

Add validation after extracting the ref in both shorthand branches:

     if spec.start_with?('#')
       # Shorthand: #branch
       repo = GEM_REPOS[gem_name]
       raise Error, "No default repo for gem: #{gem_name}" unless repo

       ref = spec[1..]
+      raise Error, "Invalid shorthand spec: missing branch after '#'" if ref.empty?
       ref_type = :branch
     elsif spec.start_with?('@')
       # Shorthand: @tag
       repo = GEM_REPOS[gem_name]
       raise Error, "No default repo for gem: #{gem_name}" unless repo

       ref = spec[1..]
+      raise Error, "Invalid shorthand spec: missing tag after '@'" if ref.empty?
       ref_type = :tag

---

345-363: Remove duplicate example

Lines 348-349 and 360-362 contain the same example (mixing local paths and GitHub repos). The second occurrence appears to be redundant.

Remove the duplicate:

   bin/swap-deps --shakapacker shakacode/shakapacker
   
-  MIXING SOURCES:
-  ---------------
-  # Mix local paths and GitHub repos
-  bin/swap-deps --shakapacker ~/dev/shakapacker \
-                --react-on-rails '#feature-x'
-  
   # Apply to specific demo only

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c6ab7b9 and e1f3921.

📒 Files selected for processing (1)

• lib/demo_scripts/swap_deps_cli.rb (3 hunks)

🔇 Additional comments (5)

lib/demo_scripts/swap_deps_cli.rb (5)

77-82: LGTM: Clean constant definition

The default repository mapping is clear and properly frozen.

---

200-210: LGTM: Consistent option handling

The gem-specific options correctly delegate to process_gem_value for unified path/spec processing.

---

215-222: LGTM: Proper handling of --github option

Correctly uses parse_github_spec_without_shorthand since gem-name context isn't available for shorthand resolution. The zsh quoting warning is a helpful addition.

---

186-198: Excellent documentation improvements

The help text additions clearly explain the various input formats and provide practical examples. The zsh quoting warnings are particularly helpful for preventing common user errors.

Minor suggestion: Consider clarifying in Line 308 that the "/" check happens after filesystem path checks:

-  3. GitHub specs (contains #, @, or /)
+  3. GitHub specs (starts with #, @, or contains /)

This makes it clearer that all three are treated as GitHub specs if not already caught by earlier checks.

Also applies to: 305-313

---

139-139: No action needed: endless range syntax spec[1..] is compatible with the project’s Ruby ≥ 3.0 requirement.

[claude]

Pull Request Review - PR 56

Overall Assessment

This is a well-crafted enhancement that adds significant developer experience improvements to the swap-deps tool. APPROVED with minor recommendations.

Code Quality

Strengths:

• Excellent code organization and separation of concerns
• Consistent Ruby style guide compliance
• Clean refactoring with unified display_swapped_dependencies
• Comprehensive help text with extensive examples

Suggestions:

• Consider refactoring to eliminate Lint/DuplicateBranch disable at swap_deps_cli.rb:86-103
• Shell escaping documentation could be more explicit

Security

Strong posture: Excellent use of array-form commands preventing injection, thorough input validation, path traversal protection.

Minor concern: detect_default_branch makes network calls during initialization (line 687-702). Consider adding timeout handling.

Performance

• Lightweight git ls-remote calls
• Efficient caching to ~/.cache/swap-deps
• Sequential network calls could benefit from parallelization for multiple repos
• No explicit timeouts on git operations

Potential Bugs

1. babel.config.js deletion - verify this is obsolete for rspack
2. detect_git_branch silently swallows errors - consider verbose logging
3. Regex escaping order matters but is mitigated by later validation

Test Coverage

Substantial existing tests (gem_swapper_spec.rb 41KB, github_spec_parser_spec.rb 9KB)

Missing coverage for:

• detect_default_branch auto-detection
• parse_github_spec with shorthand syntax
• process_gem_value path detection
• Network failure error cases

Recommendations Priority

1. HIGH: Add timeout handling for git network operations
2. MEDIUM: Add tests for new auto-detection and shorthand parsing
3. MEDIUM: Verify babel.config.js deletion
4. LOW: Refactor duplicate branches
5. LOW: Add verbose logging for git failures

Overall: Strong work! Production-ready with high-priority recommendations addressed.

---

Review by Claude Code

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

lib/demo_scripts/gem_swapper.rb (1)

680-702: Command injection warning is a false positive; consider adding a comment for clarity.

The static analysis tool flags line 692 as a potential command injection risk. However, this is a false positive because:

1. The repo parameter is validated by validate_github_repo before this method is called (line 668)
2. The validation uses strict regex patterns (from GitHubSpecParser module) that only allow safe characters
3. Open3.capture2 uses array form for command arguments, preventing shell injection

The code is secure, but the comment on lines 691-692 could be enhanced to document why this is safe.

Consider enhancing the comment to clarify security:

-      # Use git ls-remote to find the default branch without cloning
-      # Use array form to avoid shell injection (repo is already validated by validate_github_repo)
+      # Use git ls-remote to find the default branch without cloning
+      # Security: repo is validated by validate_github_repo regex before calling this method,
+      # and Open3.capture2 uses array form to prevent shell injection
       output, status = Open3.capture2('git', 'ls-remote', '--symref', "https://github.com/#{repo}.git", 'HEAD')

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1f3921 and 0c2dda9.

📒 Files selected for processing (2)

• lib/demo_scripts/gem_swapper.rb (5 hunks)
• lib/demo_scripts/swap_deps_cli.rb (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

lib/demo_scripts/gem_swapper.rb (1)

lib/demo_scripts/github_spec_parser.rb (1)

• validate_github_branch (53-74)

🪛 Brakeman (7.1.0)

lib/demo_scripts/gem_swapper.rb

[medium] 692-692: Possible command injection
Type: Command Injection
Confidence: Medium
More info: https://brakemanscanner.org/docs/warning_types/command_injection/

(Command Injection)

🔇 Additional comments (13)

lib/demo_scripts/swap_deps_cli.rb (8)

77-82: LGTM! Clean default repository mapping.

The GEM_REPOS constant provides a sensible default mapping for shorthand syntax. The mapping is clear and covers the three supported gems.

---

105-124: LGTM! Parsing logic correctly handles full GitHub specs.

The method properly handles three cases:

• Full repo with tag (user/repo@tag)
• Full repo with branch (user/repo#branch)
• Just repo (user/repo, auto-detect branch)

The logic is clear and the nil ref with :branch type for auto-detection is appropriate.

---

126-154: LGTM! Shorthand expansion logic is correct.

The method correctly handles:

• Shorthand branch (#branch) → expands using GEM_REPOS
• Shorthand tag (@tag) → expands using GEM_REPOS
• Full specs → delegates to parse_github_spec_without_shorthand

Error handling for missing default repos is appropriate.

---

186-198: Help text clearly explains path detection order.

The documentation accurately describes the precedence:

1. Existing filesystem paths
2. Paths starting with ./ or ../
3. GitHub specs
4. Simple names default to local paths

The note about using ./ prefix to disambiguate is helpful.

---

200-210: LGTM! Option handlers correctly use process_gem_value.

All three gem-specific options now route through process_gem_value, which provides consistent handling of local paths and GitHub specs.

---

215-222: LGTM! --github flag properly handles full specs.

The handler correctly:

• Parses using parse_github_spec_without_shorthand (no shorthand expansion)
• Infers gem name from repo
• Documents the need for quotes in zsh

---

306-364: LGTM! Comprehensive examples covering all use cases.

The help text provides clear examples for:

• Local paths (absolute, home-relative, relative)
• GitHub shorthand (with zsh quoting notes)
• Full GitHub specs
• Auto-detection
• Mixing sources

The examples are practical and well-organized.

---

86-103: Nil branch values are auto-detected and validated in gem_swapper.rb, so downstream handling is correct.

lib/demo_scripts/gem_swapper.rb (5)

251-262: LGTM! Simplified status display logic.

The refactoring correctly consolidates the display logic:

• Single call to display_swapped_dependencies when gems are present
• Simplified early return condition (only checks swapped_gems.empty?)
• Clearer messaging

---

315-320: LGTM! Clean unified display method.

The new method provides a single entry point for displaying dependencies, delegating to display_dependency_info for each gem.

---

322-362: LGTM! Comprehensive dependency info display.

The method handles both GitHub and local dependencies well:

• Resolves GitHub specs to cache paths
• Cleans up npm package paths
• Detects git branch for local paths
• Shows clear status indicators

The logic is thorough and the output will be user-friendly.

---

353-362: LGTM! Safe git branch detection.

The method correctly:

• Checks for .git directory existence
• Uses git in read-only mode
• Returns nil on failure
• Handles exceptions gracefully

---

653-671: LGTM! Correctly handles nil branches and triggers auto-detection.

The changes allow branch to remain nil initially (lines 653, 660), then populate it via detect_default_branch (line 671). This enables the auto-detection feature mentioned in the PR objectives.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

❓ Verification inconclusive

Verify that English is actually used in the codebase.

The require 'English' statement was added, but I don't see obvious usage of English module features (like $CHILD_STATUS instead of $?) in the visible changes.

Run the following script to check if English module features are used:

---

🏁 Script executed:

#!/bin/bash
# Description: Search for English module usage in gem_swapper.rb

# Look for common English module variables
rg -nP '\$CHILD_STATUS|\$INPUT_RECORD_SEPARATOR|\$OUTPUT_RECORD_SEPARATOR|\$PROCESS_ID|\$PROGRAM_NAME' lib/demo_scripts/gem_swapper.rb

# If not found, this require might be unnecessary

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Search for common English module variables in lib/demo_scripts/gem_swapper.rb
rg -nP '\$(CHILD_STATUS|ERROR_INFO|ERROR_POSITION|LAST_MATCH_INFO|MATCH|PREMATCH|POSTMATCH|INPUT_RECORD_SEPARATOR|OUTPUT_RECORD_SEPARATOR|FIELD_SEPARATOR|FS|OFS|ORS|RS|PID|PROCESS_ID|PROGRAM_NAME)' lib/demo_scripts/gem_swapper.rb

Length of output: 0

---

Remove unused require 'English'
No English module variables are referenced in lib/demo_scripts/gem_swapper.rb (line 3), so delete that require.

🤖 Prompt for AI Agents

In lib/demo_scripts/gem_swapper.rb around line 3, the file includes require
'English' but no English module variables are used; remove the require 'English'
line from the top of the file and run the test/lint suite to ensure nothing else
depends on it.

[claude]

Code Review: PR #56 - Add GitHub shorthand syntax and auto-detection to swap-deps

Overview

This PR adds convenient shorthand syntax for GitHub specifications and automatic default branch detection to the swap-deps CLI tool. Overall, this is a well-implemented feature with good attention to security and usability.

Strengths

Code Quality

• Excellent security practices: The switch from backticks to Open3.capture2 in detect_default_branch eliminates command injection risks
• Clear separation of concerns: The new parsing logic is well-organized with process_gem_value, parse_github_spec, and parse_github_spec_without_shorthand methods
• Good path detection ordering: Filesystem paths are checked before GitHub specs, preventing misclassification

Documentation

• Comprehensive help text: The updated help includes clear examples with proper shell escaping guidance for zsh users
• Path detection order documentation: Explicitly documents the precedence rules
• Great commit messages: Each commit has detailed explanations of changes and rationale

User Experience

• Smart auto-detection: Automatically detects default branches using git ls-remote --symref, which is lightweight and fast
• Improved status output: The consolidated dependency display with branch info and GitHub repo indicators provides better visibility

[claude]

Issues Found

1. Missing Test Coverage for New Functionality (Priority: High)

The new shorthand syntax and auto-detection features lack test coverage:

• No tests for process_gem_value method
• No tests for parse_github_spec with shorthand syntax
• No tests for parse_github_spec_without_shorthand
• No tests for detect_default_branch auto-detection
• No tests for the new GEM_REPOS constant mapping

2. Disabled RuboCop Rule Without Justification (Priority: Medium)

Line 85 in lib/demo_scripts/swap_deps_cli.rb has a disabled Lint/DuplicateBranch rule. The three branches in process_gem_value have identical code. Either refactor to eliminate duplication or add a comment explaining why the duplication is necessary.

3. Potential Edge Case: Empty String Handling (Priority: Low)

In parse_github_spec, if a user provides --shakapacker '#' or --shakapacker '@', the code would set ref to an empty string. Add validation for empty refs.

4. Network Call During Initialization (Priority: Low)

The detect_default_branch method makes network calls during object construction. Consider adding a timeout or retry mechanism for robustness.

5. Inconsistent Nil Handling (Priority: Low)

In validate_github_repos, the branch is set to nil when not specified. Ensure all code paths handle nil branches correctly, especially in swap_gem_to_github and GitHub caching logic.

[claude]

Performance Considerations

• Git ls-remote calls: The auto-detection makes one network call per unique repository, which is acceptable. The call is lightweight and happens during validation (fail-fast).
• Status display: The new detect_git_branch method could be expensive for large numbers of swapped dependencies. Consider caching branch results if performance becomes an issue.

Security Assessment

No security concerns identified:

• Input validation is thorough (GitHub repo format, branch names with validate_github_branch)
• Use of Open3.capture2 with array arguments prevents shell injection
• Path traversal attempts are caught by existing validate_github_repo checks

Suggestions for Follow-up

1. Add comprehensive test coverage for the new features (highest priority)
2. Consider adding integration tests that verify the full workflow with shorthand syntax
3. Add validation for empty branch/tag names in shorthand syntax
4. Document the GEM_REPOS constant in a comment explaining how to add new gems

Summary

This is a solid feature addition that improves developer experience significantly. The code quality is good, security practices are excellent, and the documentation is thorough. The main gap is test coverage for the new functionality. Once tests are added, this PR will be ready to merge.

Recommendation: Approve with minor changes (add tests before merging)

Generated with Claude Code