Conversation

@rivka-ungar
Contributor

@rivka-ungar rivka-ungar commented Nov 10, 2025

User description

https://monday.monday.com/boards/3532714909/views/80492480/pulses/18371348991


PR Type

Enhancement


Description

  • Support @vibe/* imports in metadata generation

  • Load source files from separate component packages

  • Generate correct import paths for component packages

  • Ensure output directory exists before writing metadata


Diagram Walkthrough

flowchart LR
  A["Export declarations"] --> B{"Check if @vibe/* import?"}
  B -->|Yes| C["Resolve from components directory"]
  B -->|No| D["Resolve from relative path"]
  C --> E["Load component source files"]
  D --> E
  E --> F["Generate import paths"]
  F --> G["Write metadata.json"]

File Walkthrough

Relevant files
Enhancement
generate-metadata.ts
Add @vibe/* package import support to metadata generation

packages/core/src/scripts/generate-metadata.ts

  • Added support for @vibe/* imports by detecting and resolving them to
    separate component packages
  • Extended project source file loading to include files from
    ../../../components/*/src directory
  • Modified import path generation to use @vibe/{pkgName} for component
    packages instead of always using @vibe/core
  • Added directory creation before writing metadata.json to ensure output
    path exists
+23/-3

@rivka-ungar rivka-ungar requested a review from a team as a code owner November 10, 2025 10:18
@qodo-merge-for-open-source qodo-merge-for-open-source bot changed the title feat: Enhance metadata generation to support @vibe/* imports feat: Enhance metadata generation to support @vibe/* imports Nov 10, 2025
@qodo-merge-for-open-source
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Path Resolution Issue

The hardcoded path resolution using __dirname and relative paths like ../../../components/${pkgName}/src/index.ts may be fragile and break if the script is moved or the directory structure changes. Consider using a more robust path resolution strategy or configuration-based approach.

const pkgPath = path.resolve(__dirname, `../../../components/${pkgName}/src/index.ts`);
if (fs.existsSync(pkgPath)) matchedPaths = [pkgPath];
Missing Error Handling

When @vibe/* imports are detected but the package path doesn't exist, matchedPaths becomes an empty array with no warning or error. This could lead to silent failures where exports are not resolved. Consider logging a warning when a @vibe/* import cannot be resolved.

if (modSpec.startsWith("@vibe/")) {
  const pkgName = modSpec.replace("@vibe/", "");
  const pkgPath = path.resolve(__dirname, `../../../components/${pkgName}/src/index.ts`);
  if (fs.existsSync(pkgPath)) matchedPaths = [pkgPath];
Regex Vulnerability

The regex pattern /\/components\/([^/]+)\/src\// used to extract package names from file paths could fail or produce incorrect results if the directory structure varies slightly (e.g., nested components, different casing). Consider adding validation or using a more robust path parsing approach.

const pkgMatch = agg.filePath.match(/\/components\/([^/]+)\/src\//);
const importPath = pkgMatch ? `@vibe/${pkgMatch[1]}` : `@vibe/core${agg.aggregator === "next" ? "/next" : ""}`;

@github-actions
Contributor

A new prerelease version of this PR has been published! 🎉
To install this prerelease version, run the following command in your terminal with any one of the packages changed in this PR:

To update @vibe/core:

yarn add @vibe/[email protected]

Or with npm:

npm i @vibe/[email protected]

To update @vibe/docs:

yarn add @vibe/[email protected]

Or with npm:

npm i @vibe/[email protected]

@rivka-ungar rivka-ungar merged commit 70c5822 into master Nov 10, 2025
15 checks passed
@rivka-ungar rivka-ungar deleted the update-metadata-with-component-packages branch November 10, 2025 10:31
@qodo-merge-for-open-source
Contributor

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
Path traversal vulnerability

Description: Path traversal vulnerability: the pkgName derived from user-controlled modSpec is directly concatenated into a file path without validation, allowing potential directory traversal attacks via malicious import statements like @vibe/../../../etc/passwd.
generate-metadata.ts [172-175]

Referred Code
if (modSpec.startsWith("@vibe/")) {
  const pkgName = modSpec.replace("@vibe/", "");
  const pkgPath = path.resolve(__dirname, `../../../components/${pkgName}/src/index.ts`);
  if (fs.existsSync(pkgPath)) matchedPaths = [pkgPath];
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Exposed error details: Error message at line 498 exposes internal error details directly to console output
without sanitization

Referred Code
console.error("Failed to generate documentation:", error.message);
process.exit(1);


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Path traversal vulnerability: The pkgName extracted from modSpec at line 173 is used directly in path construction
without validation, allowing potential path traversal attacks

Referred Code
const pkgName = modSpec.replace("@vibe/", "");
const pkgPath = path.resolve(__dirname, `../../../components/${pkgName}/src/index.ts`);


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing error handling: File existence check at line 175 and 219 does not handle potential file system errors or
validate the resolved path structure

Referred Code
if (modSpec.startsWith("@vibe/")) {
  const pkgName = modSpec.replace("@vibe/", "");
  const pkgPath = path.resolve(__dirname, `../../../components/${pkgName}/src/index.ts`);
  if (fs.existsSync(pkgPath)) matchedPaths = [pkgPath];
} else {


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
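The "Missing Error Handling" and "Path Resolution Issue" points in the Reviewer Guide and the path traversal finding in the Compliance Guide all concern the same few lines, and one hardened resolver addresses them together. The following is an added example, not the project's code and not the bot's suggestion: it allow-lists the package name, checks that the resolved path still lies under the components directory, and warns instead of silently leaving matchedPaths empty. The componentsDir argument and the injectable exists callback are assumptions made so the logic can be exercised without the real repository layout; the real script resolves from __dirname.

```typescript
import * as fs from "fs";
import * as path from "path";

// Unscoped npm package names use lowercase letters, digits, '.', '_' and '-'
// and never start with '.' or '_'; "..", "/", "\" and uppercase are all rejected.
const SAFE_PKG_NAME = /^[a-z0-9][a-z0-9._-]*$/;

interface ResolveResult {
  pkgName: string | null; // validated package name, or null when rejected
  pkgPath: string | null; // absolute path to <components>/<pkg>/src/index.ts, or null
  reason?: string;        // why resolution was refused or failed
}

// Resolve "@vibe/<pkg>" to the component package entry point without letting
// the name escape componentsDir. `exists` is injectable (hypothetical parameter)
// so the logic can be tested without touching the real filesystem.
function resolveVibeImport(
  modSpec: string,
  componentsDir: string,
  exists: (p: string) => boolean = fs.existsSync,
): ResolveResult {
  if (!modSpec.startsWith("@vibe/")) {
    return { pkgName: null, pkgPath: null, reason: "not a @vibe/* import" };
  }
  const pkgName = modSpec.slice("@vibe/".length);

  // 1. Allow-list the name rather than trying to strip dangerous characters.
  if (!SAFE_PKG_NAME.test(pkgName)) {
    return { pkgName: null, pkgPath: null, reason: `invalid package name: ${pkgName}` };
  }

  // 2. Defense in depth: the resolved path must still be inside componentsDir.
  const root = path.resolve(componentsDir);
  const candidate = path.resolve(root, pkgName, "src", "index.ts");
  const rel = path.relative(root, candidate);
  if (rel.startsWith("..") || path.isAbsolute(rel)) {
    return { pkgName: null, pkgPath: null, reason: `escapes components dir: ${candidate}` };
  }

  // 3. Warn loudly instead of silently producing an empty matchedPaths.
  if (!exists(candidate)) {
    console.warn(`[generate-metadata] cannot resolve ${modSpec}: ${candidate} not found`);
    return { pkgName, pkgPath: null, reason: "entry point missing" };
  }
  return { pkgName, pkgPath: candidate };
}
```

In the script this would replace the modSpec.startsWith("@vibe/") branch quoted above, with matchedPaths set from pkgPath only when it is non-null.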
