From 0fb69a6aaa51fbd57a025532cd7ffde142125ecc Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Wed, 4 Feb 2026 13:55:53 -0600
Subject: [PATCH] feat: remove fetch depth limit for dependency resolution
Real package managers (pip, npm, Maven) don't have depth limits - they resolve the full dependency tree. We have other safeguards:
- Loop prevention via fetch_attempted set
- Timeout via auto_fetch_timeout setting
- Dependency trees are finite
---
 backend/app/dependencies.py | 15 ---------------
 backend/app/routes.py | 1 -
 2 files changed, 16 deletions(-)
diff --git a/backend/app/dependencies.py b/backend/app/dependencies.py
index 7a3a537..bcfd938 100644
--- a/backend/app/dependencies.py
+++ b/backend/app/dependencies.py
@@ -896,7 +896,6 @@ async def resolve_dependencies_with_fetch(
 base_url: str,
 storage: "S3Storage",
 registry_clients: Dict[str, "RegistryClient"],
- max_fetch_depth: int = 10,
 ) -> DependencyResolutionResponse:
 """
 Resolve all dependencies for an artifact recursively, fetching missing ones from upstream.
@@ -916,7 +915,6 @@ async def resolve_dependencies_with_fetch(
 base_url: Base URL for download URLs
 storage: S3 storage for caching fetched artifacts
 registry_clients: Map of system project to registry client {"_pypi": PyPIRegistryClient}
- max_fetch_depth: Maximum depth for auto-fetching (prevents runaway fetching)
 Returns:
 DependencyResolutionResponse with all resolved artifacts and fetch status
@@ -924,7 +922,6 @@ async def resolve_dependencies_with_fetch(
 Raises:
 DependencyNotFoundError: If the root artifact cannot be found (even after fetch attempt)
 CircularDependencyError: If circular dependencies are detected
- DependencyConflictError: If conflicting versions are required
 """
 # Track fetched artifacts for response
 fetched_artifacts: List[ResolvedArtifact] = []
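Review bot: The `DependencyConflictError` entry dropped from the `Raises:` section in the `@@ -924,7 +922,6 @@` hunk is not covered by the commit message, which only discusses the fetch depth limit. Nothing in this diff changes conflict handling, so if `resolve_dependencies_with_fetch` can still raise it the documented contract is now incomplete; either restore `DependencyConflictError: If conflicting versions are required` or state in the description why it no longer applies. The function body lies outside this hunk, so this cannot be confirmed from here.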
@@ -1024,7 +1021,6 @@ async def resolve_dependencies_with_fetch(
 dep_package: str,
 constraint: str,
 required_by: str,
- fetch_depth: int,
 ) -> Optional[Tuple[str, str, int]]:
 """
 Try to fetch a missing dependency from upstream registry.
@@ -1039,13 +1035,6 @@ async def resolve_dependencies_with_fetch(
 )
 return None
- # Check fetch depth
- if fetch_depth > max_fetch_depth:
- logger.info(
- f"Max fetch depth ({max_fetch_depth}) exceeded for {dep_project}/{dep_package}"
- )
- return None
-
 # Build fetch key for loop prevention
 fetch_key = f"{dep_project}/{dep_package}@{constraint}"
 if fetch_key in fetch_attempted:
@@ -1105,7 +1094,6 @@ async def resolve_dependencies_with_fetch(
 size: int,
 required_by: Optional[str],
 depth: int = 0,
- fetch_depth: int = 0,
 ):
 """Recursively resolve dependencies with fetch capability."""
 if depth > MAX_DEPENDENCY_DEPTH:
@@ -1178,7 +1166,6 @@ async def resolve_dependencies_with_fetch(
 dep.dependency_package,
 dep.version_constraint,
 pkg_key,
- fetch_depth + 1,
 )
 if fetched:
@@ -1193,7 +1180,6 @@ async def resolve_dependencies_with_fetch(
 constraint=dep.version_constraint,
 required_by=pkg_key,
 fetch_attempted=was_attempted,
- fetch_error="Max fetch depth exceeded" if was_attempted and fetch_depth >= max_fetch_depth else None,
 ))
 continue
@@ -1244,7 +1230,6 @@ async def resolve_dependencies_with_fetch(
 dep_size,
 pkg_key,
 depth + 1,
- fetch_depth + 1 if dep_artifact_id in [f.artifact_id for f in fetched_artifacts] else fetch_depth,
 )
 visiting.remove(artifact_id)
diff --git a/backend/app/routes.py b/backend/app/routes.py
index 0f1bd5a..d82507f 100644
--- a/backend/app/routes.py
+++ b/backend/app/routes.py
@@ -7093,7 +7093,6 @@ async def resolve_artifact_dependencies(
 base_url=base_url,
 storage=storage,
 registry_clients=registry_clients,
- max_fetch_depth=settings.auto_fetch_max_depth,
 )
 else:
 # Fast, synchronous resolution without network calls
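Review bot: After the depth check is removed in the `@@ -1039,13 +1035,6 @@` hunk, no count-based limit on upstream fetches per resolve request remains in the visible code; recursion depth is still tested against `MAX_DEPENDENCY_DEPTH` (context of the `@@ -1105,7 +1094,6 @@` hunk), but fan-out is not bounded. The dependency lists being followed come from upstream package metadata, and `fetch_key` embeds the constraint string, so one package named under several constraints counts as several distinct attempts. A per-request budget keeps a hard bound without reintroducing depth tracking, for example `if len(fetch_attempted) >= max_fetches: return None` with a log line, placed before the `fetch_key in fetch_attempted` test, where `max_fetches` would be a new setting. The helper containing this check starts and ends outside the hunk.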
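Review bot: `settings.auto_fetch_max_depth` stops being read in the `@@ -7093,7 +7093,6 @@` hunk of `backend/app/routes.py`, yet the diffstat lists only `dependencies.py` and `routes.py`, so the setting itself presumably still exists in the configuration module. A deployment that lowered it to restrict auto-fetching would keep the value configured while it silently has no effect. Remove the setting in the same change, or log a startup warning when it is set, and mention the behaviour change in the release notes. `resolve_artifact_dependencies` starts and ends outside the hunk.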