fix: handle version ranges correctly

[9romise]

• Use maxSatisfying to handle version range
• add external link for upgrade diagnostics
• add tests for all diagnostics

[coderabbitai]

Warning

Rate limit exceeded

@9romise has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 51 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 4083b5f and 88bd4cd.

📒 Files selected for processing (5)

• src/providers/diagnostics/rules/upgrade.ts
• src/providers/hover/npmx.ts
• tests/__setup__/msw.ts
• tests/diagnostics/deprecation.test.ts
• tests/diagnostics/upgrade.test.ts

📝 Walkthrough

Walkthrough

ParsedVersion now exposes version (removed prefix/semver). Added formatUpgradeVersion(current, target) and resolveExactVersion(pkg, version) to resolve ranges and dist-tags to exact versions. Consumers (completion, hover, diagnostics) use parsed.version and version-keyed lookups into pkg.versionsMeta. Diagnostic rules now accept a single DiagnosticContext ({ dep, pkg, parsed, exactVersion }) and most rules early-exit when parsed or exactVersion is absent. Per-rule evaluation is wrapped in try/catch to log and continue on errors.

Possibly related PRs

• feat(completion): support 'npm:'-prefixed versions #29: Alters version-parsing/formatting flow and updates callers to use the new format function and parsed shape.
• feat: version upgrade diagnostics and quick fix #36: Modifies version-handling utilities and the upgrade diagnostic implementation, overlapping the same utils/version and diagnostics/rules/upgrade code paths.
• refactor: enhance version parsing with protocol support and validation #30: Changes parseVersion/isSupportedProtocol and updates consumers across providers to the new ParsedVersion shape and exact-version resolution.

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description directly aligns with the changeset, addressing three key objectives: using maxSatisfying for version range handling, adding external links for upgrade diagnostics, and adding comprehensive test coverage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor/semver

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3778859 and d891519.

📒 Files selected for processing (6)

• src/providers/completion-item/version.ts
• src/providers/diagnostics/rules/deprecation.ts
• src/providers/diagnostics/rules/upgrade.ts
• src/providers/diagnostics/rules/vulnerability.ts
• src/utils/version.ts
• tests/utils/version.test.ts

[coderabbitai]

🧹 Nitpick comments (1)

tests/diagnostics/replacement.test.ts (1)

14-20: Consider asserting additional diagnostic properties for more robust coverage.

The test verifies that a result is returned and has a message, but the checkReplacement rule also returns severity, code, and node properties. Asserting these would catch regressions more comprehensively.

💡 Optional: More comprehensive assertions

   it('should flag when replacement found', async () => {
     const result = await checkReplacement(createReplacementContext('left-pad'))
 
     expect(result).toBeDefined()
     expect(result!.message).toBeDefined()
+    expect(result!.severity).toBeDefined()
+    expect(result!.code).toBeDefined()
   })

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 44055fa and 99ea373.

📒 Files selected for processing (4)

• src/providers/diagnostics/rules/upgrade.ts
• tests/diagnostics/deprecation.test.ts
• tests/diagnostics/replacement.test.ts
• tests/diagnostics/upgrade.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/providers/diagnostics/rules/upgrade.ts

[coderabbitai]

🧹 Nitpick comments (2)

tests/__setup__/msw.ts (2)

19-71: Hoist static vulnerability fixtures out of the handler.

results is reconstructed on every request (from Line 21). Move it to module scope to avoid repeated allocation and keep the handler focused on request routing.

Proposed refactor

+const vulnerabilityResults: Record<string, Record<string, unknown>> = {
+  'pkg-crit@1.0.0': {
+    package: 'pkg-crit',
+    version: '1.0.0',
+    vulnerablePackages: [],
+    deprecatedPackages: [],
+    totalPackages: 1,
+    failedQueries: 0,
+    totalCounts: { total: 1, critical: 1, high: 0, moderate: 0, low: 0 },
+  },
+  'pkg-multi@1.0.0': {
+    package: 'pkg-multi',
+    version: '1.0.0',
+    vulnerablePackages: [],
+    deprecatedPackages: [],
+    totalPackages: 1,
+    failedQueries: 0,
+    totalCounts: { total: 3, critical: 1, high: 2, moderate: 0, low: 0 },
+  },
+  'pkg-fix@1.0.0': {
+    package: 'pkg-fix',
+    version: '1.0.0',
+    vulnerablePackages: [{
+      name: 'pkg-fix',
+      version: '1.0.0',
+      depth: 'root',
+      path: [],
+      vulnerabilities: [{ id: 'GHSA-1', summary: '', severity: 'high', aliases: [], url: '', fixedIn: '1.2.0' }],
+      counts: { total: 1, critical: 0, high: 1, moderate: 0, low: 0 },
+    }],
+    deprecatedPackages: [],
+    totalPackages: 1,
+    failedQueries: 0,
+    totalCounts: { total: 1, critical: 0, high: 1, moderate: 0, low: 0 },
+  },
+  'pkg-safe@1.0.0': {
+    package: 'pkg-safe',
+    version: '1.0.0',
+    vulnerablePackages: [],
+    deprecatedPackages: [],
+    totalPackages: 1,
+    failedQueries: 0,
+    totalCounts: { total: 0, critical: 0, high: 0, moderate: 0, low: 0 },
+  },
+}
+
 const server = setupServer(
   http.get(`${NPMX_DEV_API}/replacements/:name`, ({ params }) => {
@@
   http.get(`${NPMX_DEV_API}/registry/vulnerabilities/:name/v/:version`, ({ params }) => {
     const key = `${params.name}@${params.version}`
-    const results: Record<string, Record<string, unknown>> = {
-      ...
-    }
-
-    const data = results[key]
+    const data = vulnerabilityResults[key]
     return data
       ? HttpResponse.json(data)
       : new HttpResponse(null, { status: 404 })
   }),
 )

---

22-39: Make fixture payloads internally consistent.

At Line 22 and Line 31, totalCounts.total is non-zero while vulnerablePackages is empty. Consider adding representative vulnerability entries so tests don’t pass against an unrealistic response shape.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4083b5f and 357ef3c.

📒 Files selected for processing (4)

• src/providers/diagnostics/rules/upgrade.ts
• src/providers/hover/npmx.ts
• tests/__setup__/msw.ts
• tests/diagnostics/upgrade.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/providers/hover/npmx.ts