@AshokThangavel AshokThangavel commented Nov 23, 2025

Feature: Package Pinning (pin/unpin) Implementation

This Pull Request introduces package pinning functionality. This feature allows users to lock an installed module's version, preventing accidental or automatic upgrades, downgrades, or removal until explicitly unpinned.

1. Overview

This feature enhances IPM's stability and dependency management by implementing a mechanism to lock installed modules. This ensures production or critical modules remain fixed at a specific version, protecting them from core IPM modification commands.

The implementation relies on a new persistent storage class to track pinned modules.

2. New Commands: pin and unpin

2.1. pin Command

Marks a specific, installed module as pinned to prevent future modification operations.

Usage Examples:

zpm:USER>pin web-fslog
Module web-fslog is now pinned

zpm:USER>pin web-fslog
ERROR! Module web-fslog already pinned

zpm:USER>pin test-package
ERROR! Module test-package not found

2.2. unpin Command

Removes the pinned status from an installed module, allowing future ZPM operations (install, reinstall, uninstall, update) to proceed normally.

Usage Examples:

zpm:USER>unpin web-fslog
Module web-fslog is now unpinned

zpm:USER>unpin web-fslog
ERROR! Module web-fsog not currently pinned.

3. Architectural and Visibility Changes

3.1. Storage Mechanism

A new independent storage class, %IPM.Storage.PinnedModule, was created to manage the list of all modules marked as pinned, their version, and their current status.

3.2. Visibility and Discovery

  • list command: The status -Pinned is appended to the version number for easy identification (e.g., web-fslog 1.0.0-Pinned).
  • list -p modifier: A new modifier, -p (or --pinned), was implemented. This allows users to quickly list and audit only the modules that are currently pinned.

4. Operational Blocking (Integrity Check)

The pinning status is checked at the codebase level within the execution logic for all modification commands. If a module is pinned, the command is blocked and a specific error is returned.

| Command | Status when Pinned | Example Output |
| --- | --- | --- |
| install | BLOCKED | ERROR! The module web-fslog is pinned unable to install |
| reinstall | BLOCKED | ERROR! The module web-fslog is pinned unable to reinstall |
| uninstall | BLOCKED | ERROR! The module web-fslog is pinned unable to uninstall |
| update | BLOCKED | ERROR! The module web-fslog is pinned unable to update |

Verification Trace for Blocking

The following sequence confirms the blocking mechanism when a module is pinned:

zpm:USER>pin web-fslog
Module web-fslog is now pinned

zpm:USER>install web-fslog
ERROR! The module web-fslog is pinned unable to install

zpm:USER>reinstall web-fslog
ERROR! The module web-fslog is pinned unable to reinstall

zpm:USER>uninstall web-fslog
ERROR! The module web-fslog is pinned unable to uninstall

Verification Trace for Unlocking

The following sequence confirms that the unpin command correctly restores the ability to modify the package:

zpm:USER>unpin web-fslog
Module web-fslog is now unpinned

zpm:USER>reinstall web-fslog
Reinstalling web-fslog 1.0.0 (Unpinning restored functionality)

5. Unit Testing Results

Integration and unit tests were created to validate the entire lifecycle of the pin feature and its interaction with core ZPM commands. All 20 assertions passed.

# Action Status Description
1-2 Passed Successfully installed the test module (web-fslog).
3-4 Passed Successfully pinned the installed module.
5-6 Passed Blocked pinning the already pinned module (AssertStatusNotOK).
7-8 Passed Blocked install command on the pinned module (AssertStatusNotOK).
9-10 Passed Blocked reinstall command on the pinned module (AssertStatusNotOK).
11-12 Passed Blocked uninstall command on the pinned module (AssertStatusNotOK).
13-14 Passed Blocked update command on the pinned module (AssertStatusNotOK).
15-16 Passed Successfully unpinned the module.
17-18 Passed Successfully uninstalled the module after being unpinned.
19-20 Passed Blocked unpin command on a module that was already unpinned (AssertStatusNotOK).

Resolves #968

This feature introduces package pinning functionality to enhance module stability and integrity within ZPM.
**Key Changes:**
* **New Commands:** Implemented `pin <module>` to lock a module's version and `unpin <module>` to unlock it.
* **Integrity Check:** Added codebase-level checks to block `install`, `update`, `reinstall`, and `uninstall` when a module is pinned.
* **Storage:** Created `%IPM.Storage.PinnedModule` for persistent storage of pinned module status.
* **Visibility:** Updated `list` command to display the `-Pinned` status next to the version, and added the `list -p` modifier to view only pinned modules.
**Impact:** Prevents accidental version changes for critical installed packages.
@AshokThangavel AshokThangavel changed the title feat: Add package pinning command (pin/unpin) to ZPM feat: Add package pinning command (pin/unpin) Nov 24, 2025
@AshokThangavel
Contributor Author

As per discussion #968

1. Dependency Protection Strategy

The pin command defaults to protecting dependencies, thereby preserving the integrity of the pinned module, and introduces a -shallow flag to override this behavior.

| Command | Action | Rationale / Use Case |
| --- | --- | --- |
| pin ModuleA (Default) | Pins Module A and Implicitly Protects all dependencies (Module B, C, etc.). | Maximum Stability. This is the safest default, ensuring that the critical dependencies required by Module A cannot be accidentally uninstalled or updated, preventing side effects in production environments. |
| pin ModuleA -shallow | Pins ONLY Module A. Dependencies remain unprotected. | Developer Control. This addresses the scenario where a developer needs to actively update or debug a dependency (like Module B) while still keeping the main package (Module A) pinned against accidental modification. |

2. Implementation Details

A. Implicit Protection Logic (Default)

When a module is implicitly protected (Module B is protected by Pinned Module A), the core IPM modification commands (install, update, uninstall) will be blocked on Module B, citing that it is a dependency of a pinned package.

B. Unpinning Logic

The protection on a dependency (Module B) will only be lifted when the last pinned module that relies on it (Module A) is unpinned.
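
The default and -shallow rules from the comment above, modelled as an added example (not part of the pull request and not IPM code): protection is derived from the current set of deep pins, so a shared dependency stays blocked until the last module pinning it is unpinned. `PinRegistry`, its methods, the wording of the dependency-block message and the sample graph are assumptions.

```python
# Model of the pin / implicit-protection rules described in the comment above.
# Not IPM code: class and method names are hypothetical, and the dependency
# graph at the bottom is constructed sample data.

class PinRegistry:
    def __init__(self, deps):
        self.deps = deps          # installed module -> direct dependencies
        self.pins = {}            # pinned module -> True if pinned -shallow

    def pin(self, module, shallow=False):
        if module not in self.deps:
            raise KeyError(f"Module {module} not found")
        if module in self.pins:
            raise ValueError(f"Module {module} already pinned")
        self.pins[module] = shallow

    def unpin(self, module):
        if module not in self.pins:
            raise ValueError(f"Module {module} not currently pinned")
        del self.pins[module]

    def protectors(self, module):
        """Deep-pinned modules whose dependency closure contains `module`."""
        found = set()
        for root, shallow in self.pins.items():
            if shallow:
                continue          # -shallow pins protect only the module itself
            seen, stack = set(), list(self.deps.get(root, ()))
            while stack:          # iterative walk; `seen` guards against cycles
                dep = stack.pop()
                if dep not in seen:
                    seen.add(dep)
                    stack.extend(self.deps.get(dep, ()))
            if module in seen:
                found.add(root)
        return found

    def check(self, command, module):
        """Return None if `command` may run on `module`, else the block reason."""
        if module in self.pins:
            return f"The module {module} is pinned unable to {command}"
        held_by = sorted(self.protectors(module))
        if held_by:               # wording of this message is an assumption
            return f"{module} is a dependency of pinned {', '.join(held_by)}"
        return None

# Constructed graph: A and D both depend on B; B depends on C.
SAMPLE_DEPS = {"A": ["B"], "D": ["B"], "B": ["C"], "C": []}
```

Because protection is recomputed from the pins rather than stored per dependency, there is no counter to drift out of sync if an unpin is interrupted.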

Successfully merging this pull request may close these issues.

Feature Request: Implement pin/unpin commands for IPM module stability.
