Fixes comma support in the lockfile (#279)

arcanis · web-flow · commit 6e60f09b8742 · 2026-04-13T21:26:29.000+02:00
The lockfile format doesn't currently escape commas in ranges, which leads to lockfile corruption when they contain some (since we already split on commas entries with multiple descriptors). This diff addresses that by making sure we escape commas when serializing multikeys.  --- > [!NOTE] > **Medium Risk** > Changes lockfile key serialization/deserialization rules to introduce escaping for commas/backslashes, which could impact reading/writing lockfiles across versions if edge cases aren’t handled correctly. > > **Overview** > Prevents lockfile corruption when descriptor strings contain commas (e.g., comma-separated PyPI ranges) by **escaping `,` and `\\`** when serializing `MultiKey` values and updating deserialization to correctly unescape them while preserving unknown escapes for backward compatibility. > > Adds an acceptance test that runs `install` twice with a comma-separated `pypi:` range to ensure lockfile round-trips cleanly. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 33eb8f8. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
diff --git a/packages/zpm/src/lockfile.rs b/packages/zpm/src/lockfile.rs
@@ -205,7 +205,14 @@ impl<T> Serialize for MultiKey<T> where T: ToFileString {
                 string.push_str(", ");
             }
 
-            string.push_str(&item.to_file_string());
+            let serialized = item.to_file_string();
+            for ch in serialized.chars() {
+                if ch == ',' || ch == '\\' {
+                    string.push('\\');
+                }
+
+                string.push(ch);
+            }
         }
 
         serializer.serialize_str(&string)
@@ -226,10 +233,37 @@ impl<'de, T: FromFileString> Deserialize<'de> for MultiKey<T> where <T as FromFi
             }
 
             fn visit_str<E>(self, value: &str) -> Result<Vec<T>, E> where E: de::Error {
-                let result = value
-                    .split(',')
-                    .map(str::trim)
-                    .map(|s| T::from_file_string(s))
+                let mut chunks = Vec::new();
+                let mut current = String::new();
+                let mut chars = value.chars().peekable();
+
+                while let Some(ch) = chars.next() {
+                    if ch == ',' {
+                        chunks.push(current);
+                        current = String::new();
+                        continue;
+                    }
+
+                    if ch != '\\' {
+                        current.push(ch);
+                        continue;
+                    }
+
+                    match chars.peek() {
+                        Some(',') | Some('\\') => {
+                            current.push(chars.next().expect("peeked character should be present"));
+                        }
+                        _ => {
+                            // Keep unknown escapes as-is to stay backward-compatible with legacy lockfiles.
+                            current.push('\\');
+                        }
+                    }
+                }
+
+                chunks.push(current);
+
+                let result = chunks.into_iter()
+                    .map(|s| T::from_file_string(s.trim()))
                     .collect::<Result<Vec<_>, _>>()
                     .map_err(de::Error::custom)?;
 
diff --git a/tests/acceptance-tests/pkg-tests-specs/sources/basic/python.test.ts b/tests/acceptance-tests/pkg-tests-specs/sources/basic/python.test.ts
@@ -86,5 +86,27 @@ describe(`Protocols`, () => {
         },
       ),
     );
+
+    test(
+      `it should support running install twice with a comma-separated PyPI range`,
+      makeTemporaryEnv(
+        {
+          dependencies: {
+            [`pypi-no-deps`]: `pypi:>=1.0.0,<2.0.0`,
+          },
+        },
+        async ({run}) => {
+          const registryUrl = await tests.startPackageServer();
+
+          for (let i = 0; i < 2; i++) {
+            await run(`install`, {
+              env: {
+                ZPM_PYPI_REGISTRY: registryUrl,
+              },
+            });
+          }
+        },
+      ),
+    );
   });
 });
