feat: add apm info, apm outdated, and list_remote_refs#613
Merged
sergio-sisternes-epam merged 10 commits intomicrosoft:mainfrom Apr 8, 2026
Merged
Conversation
Promote `apm deps info` to top-level `apm info <package> [field]`. Add `versions` field selector to list remote tags/refs via git ls-remote. Add `apm outdated` to compare locked deps against latest available tags. - list_remote_refs() on GitHubPackageDownloader enumerates refs without cloning - RemoteRef dataclass in models/dependency/types.py - apm deps info kept as backward-compatible alias - apm outdated supports --global and --verbose flags - 83 new tests (3608 total, 0 failures) - Updated CLI reference docs, dependency guide, commands skill, changelog Co-authored-by: Copilot <[email protected]>
Remove _list_refs_via_ado_api() and the ADO-specific branch in list_remote_refs(). All hosts (GitHub, ADO, GitLab, generic) now use the single git ls-remote code path. git ls-remote works against any git remote including Azure DevOps when given an authenticated URL. -69 lines removed, simpler to maintain. Co-authored-by: Copilot <[email protected]>
Instead of marking branch-pinned dependencies as 'unknown', compare the locked commit SHA against the remote branch tip SHA via git ls-remote. This turns every branch-pinned dep into a meaningful 'up-to-date' or 'outdated' status. - Add _find_remote_tip() helper to resolve branch/default-branch SHA - Branch-pinned deps: compare locked SHA vs named branch tip - No-ref deps: compare against main/master (default branch fallback) - Tag-pinned deps: unchanged (semver comparison still used) - Commit-pinned deps with unrecognized ref: still 'unknown' Co-authored-by: Copilot <[email protected]>
- Better description: 'Show information about a package' (not just installed) - Add --global/-g flag to inspect packages from user scope (~/.apm/) - Add examples showing both local metadata and remote versions usage - Document available fields (versions) in help text Co-authored-by: Copilot <[email protected]>
- Add --global flag to apm info documentation - Update outdated behavior: SHA comparison for branch-pinned deps - Update CHANGELOG with all new features under [Unreleased] - Update skills commands.md summary Co-authored-by: Copilot <[email protected]>
Show Ref and Commit fields in apm info output when lockfile data is available. Uses substring matching to find the lockfile entry for the queried package (handles virtual packages and org/repo keys). Co-authored-by: Copilot <[email protected]>
- Extract per-dep check logic into _check_one_dep() for thread safety - Add --parallel-checks / -j option (default: 4, 0 = sequential) - Rich progress bar with spinner during remote ref checks - ThreadPoolExecutor for concurrent git ls-remote calls - Plain text fallback when Rich is unavailable - 4 new tests covering parallel, sequential, custom workers, and error handling Co-authored-by: Copilot <[email protected]>
sergio-sisternes-epam
force-pushed
the
feature/info-versions-outdated
branch
from
9167e97 to
5f776df
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds new CLI capabilities for inspecting installed package metadata and checking whether locked dependencies are stale, backed by a unified git ls-remote implementation for enumerating remote tags/branches.
Changes:
- Introduces top-level
apm info PACKAGE [FIELD](includingFIELD=versionsfor remote refs) andapm outdated(remote staleness checks with optional parallelism). - Adds
GitHubPackageDownloader.list_remote_refs()usinggit ls-remote --tags --heads, plus aRemoteRefmodel for parsed refs. - Updates docs/changelog and adds unit tests for ref enumeration, info, and outdated behavior.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/test_outdated_command.py | New unit tests for apm outdated scenarios (tags/branches/errors/parallelism). |
| tests/unit/test_list_remote_refs.py | New unit tests for list_remote_refs() parsing/sorting/auth/error handling. |
| tests/unit/test_info_command.py | New unit tests for apm info local metadata + versions field behavior. |
| tests/unit/test_deps_list_tree_info.py | Adds back-compat assertion that apm deps info matches apm info. |
| src/apm_cli/models/dependency/types.py | Adds RemoteRef dataclass for remote tags/branches. |
| src/apm_cli/models/dependency/init.py | Re-exports RemoteRef. |
| src/apm_cli/models/apm_package.py | Re-exports RemoteRef for backward-compatible import paths. |
| src/apm_cli/deps/github_downloader.py | Implements list_remote_refs() + parsing/sorting helpers using git ls-remote. |
| src/apm_cli/commands/outdated.py | New apm outdated command with Rich progress + parallel checks. |
| src/apm_cli/commands/info.py | New top-level apm info command (local metadata + remote versions). |
| src/apm_cli/commands/deps/cli.py | Refactors apm deps info to delegate to shared apm info helpers. |
| src/apm_cli/cli.py | Registers new top-level commands (info, outdated). |
| packages/apm-guide/.apm/skills/apm-usage/commands.md | Updates command matrix for new commands/alias behavior. |
| docs/src/content/docs/reference/cli-commands.md | Documents apm info and apm outdated; updates deps info as alias. |
| docs/src/content/docs/guides/dependencies.md | Updates guide examples to prefer apm info over apm deps info. |
| CHANGELOG.md | Adds changelog entries for new commands/ref infrastructure. |
Comments suppressed due to low confidence (1)
CHANGELOG.md:46
- The new changelog bullets under
[Unreleased]don't follow the existing entry style in this file (most entries end with a PR reference like(#562)). Also, the same features are duplicated under the released[0.8.10]section, which risks misrepresenting what actually shipped in that release. Please format the new bullets with PR numbers and keep them only under[Unreleased]until they are released.
### Added
- Artifactory archive entry download for virtual file packages (#525)
### Added
- `apm info <package> [field]` command for inspecting package metadata and remote refs
- `apm info <package> versions` field selector lists remote tags and branches via `git ls-remote`
- `apm outdated` command compares locked dependencies against remote refs
- `--parallel-checks` (`-j`) option on `apm outdated` for concurrent remote checks (default: 4)
- Rich progress feedback during `apm outdated` dependency checking
- `--global` flag on `apm info` for inspecting user-scope packages
### Changed
- Scope resolution now happens once via `TargetProfile.for_scope()` and `resolve_targets()` -- integrators no longer need scope-aware parameters (#562)
- Unified integration dispatch table in `dispatch.py` -- both install and uninstall import from one source of truth (#562)
- Hook merge logic deduplicated: three copy-pasted JSON-merge methods replaced with `_integrate_merged_hooks()` + config dict (#562)
- `apm outdated` uses SHA comparison for branch-pinned deps instead of reporting them as `unknown`
### Fixed
- Reject symlinked primitive files in all discovery and resolution paths to prevent symlink-based traversal attacks (#596)
- `apm install -g` now deploys hooks to the scope-resolved target directory instead of hardcoding `.github/hooks/` (#565, #566)
- Hook sync/cleanup derives prefixes dynamically from `KNOWN_TARGETS` instead of hardcoded paths (#565)
- `auto_create=False` targets no longer get directories unconditionally created during install (#576)
- `apm deps update -g` now correctly passes scope, preventing user-scope updates from silently using project-scope paths (#562)
- Subprocess encoding failures on Windows non-UTF-8 consoles (CP950/CP936) -- all subprocess calls now use explicit UTF-8 encoding (#591)
- PowerShell 5.1 compatibility: replace multi-argument `Join-Path` calls with nested two-argument calls (#593)
- `apm marketplace add` now respects `GITHUB_HOST` environment variable for GitHub Enterprise users (#589)
- `compilation.exclude` patterns now filter primitive discovery, preventing excluded files from leaking into compiled output (#477)
- Runtime detection in script runner now uses anchored patterns to prevent false positives when runtime keywords appear in flag values (#563)
- `apm compile` now warns when instructions are missing `applyTo` across all compilation modes (#449)
- Detect remote default branch instead of hardcoding `main` (#574)
- Warn when two packages deploy a native skill with the same name (#545)
- Add path validation in resolve_package_path() using path_security guards - Fix ADO dependency handling in _check_one_dep() via DependencyReference.parse() - Escape Rich markup symbols in panel titles ([[i]] not [i]) - Use logger param in display_versions() instead of direct _rich calls - Remove dead HEAD check in _find_remote_tip() - Clean up CHANGELOG entries with (microsoft#613) references Co-authored-by: Copilot <[email protected]>
danielmeppiel
requested changes
Apr 8, 2026
Collaborator
danielmeppiel
left a comment
danielmeppiel
left a comment
There was a problem hiding this comment.
To make sure APM is familiar to devs, I'd name the "info" command "view", as in npm. See https://docs.npmjs.com/cli/v8/commands/npm-view
That's already the case for APM outdated (has equivalent in npm).
- Rename info.py -> view.py, command name "info" -> "view" - Keep "apm info" as hidden backward-compatible alias - Update deps/cli.py delegation imports - Rename test file, add alias backward-compat test - Update CLI reference, guides, skills docs, CHANGELOG Co-authored-by: Copilot <[email protected]>
Collaborator
Author
|
@danielmeppiel Great call -- renamed Changes:
Ready for re-review when you get a chance. |
danielmeppiel
approved these changes
Apr 8, 2026
sergio-sisternes-epam
pushed a commit
that referenced
this pull request
Apr 10, 2026
Document apm outdated and apm view <pkg> versions in the dependencies guide (guides/dependencies.md). These commands were shipped in #613 but were only referenced in the CLI reference (cli-commands.md); the guide had no mention of how to check for staleness before running an update. Co-authored-by: Copilot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds two new top-level commands and the underlying
git ls-remoteinfrastructure to support package version inspection and staleness detection.apm info PACKAGE [FIELD]— Show installed package metadata (name, version, description, ref, commit from lockfile). Passversionsas the field selector to list remote tags and branches without cloning.apm outdated— Compare locked dependencies against remote refs. Tag-pinned deps use semver comparison; branch-pinned deps compare the locked commit SHA against the remote branch tip. Includes Rich progress feedback and configurable parallel checks (-j N, default 4).list_remote_refs()— New function ingithub_downloader.pythat wrapsgit ls-remote --tags --headsfor all git hosts (GitHub, ADO, GHE) using a single unified code path with no host-specific APIs.Type of change
Testing
test_list_remote_refs.py— 29 tests (parsing, sorting, auth, error handling)test_info_command.py— 15 tests (metadata display, versions, --global, lockfile ref)test_outdated_command.py— 24 tests (tag/branch/SHA comparison, parallel, progress, edge cases)test_deps_list_tree_info.py— 1 backward-compat test forapm deps infoalias