feat: replace rank_packages() with cumulative-coverage impact scoring [CM-1228]#4204
feat: replace rank_packages() with cumulative-coverage impact scoring [CM-1228]#4204mbani01 wants to merge 5 commits into
Conversation
Signed-off-by: Mouad BANI <mouad-mb@outlook.com>
|
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| ALTER TABLE package_criticality_spotlight | ||
| ADD COLUMN package_id bigint NOT NULL REFERENCES packages(id), | ||
| DROP COLUMN name, | ||
| DROP COLUMN namespace; |
There was a problem hiding this comment.
Spotlight migration missing backfill
High Severity
The migration adds package_id as NOT NULL and drops namespace and name in one step, with no UPDATE to populate package_id from existing (ecosystem, namespace, name) rows first. On any database that already has package_criticality_spotlight rows, the migration fails and spotlight overrides cannot be migrated.
Reviewed by Cursor Bugbot for commit fdd2765. Configure here.
| last_rank_pass_at = NOW(), | ||
| last_synced_at = NOW() | ||
| FROM final | ||
| WHERE p.id = final.id; |
There was a problem hiding this comment.
Spotlight overrides scope reduced
Medium Severity
Spotlight forcing of is_critical now happens only inside the final join for packages that were ranked in the same pass. The previous rank_packages() ran a separate spotlight UPDATE for all matching packages, so partial --ecosystems runs (or packages skipped when signal totals are zero) can leave spotlight entries without is_critical = TRUE.
Reviewed by Cursor Bugbot for commit fdd2765. Configure here.
There was a problem hiding this comment.
Pull request overview
Updates the packages criticality ranking pipeline to switch from weighted percentile ranking + top-N caps to a cumulative-coverage based scoring model, and adjusts both storage (spotlight overrides) and the packages_worker CLI accordingly.
Changes:
- Replaces
rank_packages()SQL logic with a cumulative-coverage approach and changes its signature to(coverage_cutoff, ecosystems), returningprocessed_rows. - Refactors
package_criticality_spotlightto use apackage_idFK instead of(ecosystem, namespace, name)matching. - Updates
run-impact.tsCLI to accept--cutoffand--ecosystemsand call the new SQL signature.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
services/apps/packages_worker/src/criticality/run-impact.ts |
Updates the worker CLI parsing/logging and SQL invocation to match the new rank_packages() signature. |
backend/src/osspckgs/migrations/V1781262276__rank_packages_cumulative_coverage.sql |
Alters spotlight schema and replaces rank_packages() with cumulative-coverage scoring + bulk update of packages criticality fields. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| function parseListArg(flag: string): string[] | null { | ||
| const idx = process.argv.indexOf(flag) | ||
| return idx !== -1 ? process.argv[idx + 1] : fallback | ||
| if (idx === -1) return null | ||
| return process.argv[idx + 1].split(',').map((s) => s.trim()) | ||
| } |
…available signals Signed-off-by: Mouad BANI <mouad-mb@outlook.com>
Signed-off-by: Mouad BANI <mouad-mb@outlook.com>
Signed-off-by: Mouad BANI <mouad-mb@outlook.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 4 total unresolved issues (including 3 from previous reviews).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 8348b06. Configure here.
mbani01
changed the title
This pull request updates the package criticality ranking system to use a new cumulative coverage-based approach and simplifies both the database schema and the worker script. The changes remove the previous weighted ranking and arbitrary top-N caps in favor of a more robust and interpretable method, and update the code to match the new logic and schema.
Database schema and ranking logic changes:
package_criticality_spotlighttable now uses apackage_idforeign key instead of text-based identifiers, improving join performance and data integrity.rank_packages()function is rewritten to use cumulative coverage scoring: critical packages are those that together account for a specified percentage of each signal (e.g., downloads, dependents), and impact is calculated as the average of (1 − cumulative coverage) across signals. The function signature and logic are updated to support this.Worker script updates:
run-impact.ts) now accepts--cutoffand--ecosystemsarguments instead of weights and top-N caps, aligning with the new ranking method. [1] [2]Note
High Risk
Rewrites criticality scoring and spotlight schema, which will change which packages are flagged critical and their impact/rank across the product.
Overview
Replaces package criticality ranking with cumulative-coverage scoring and aligns spotlight overrides and the on-demand worker with the new model.
rank_packages()drops weightedPERCENT_RANKand per-ecosystem top-N JSON caps. It now takescoverage_cutoff(default 90%) and optionalecosystems, scores downloads / direct / transitive dependents per ecosystem, marksis_criticalwhen a package sits in the smallest prefix that reaches the cutoff for any signal, setsimpactto the average of(1 − cumulative_share)across signals with non-zero ecosystem totals, and ranks by impact. It updatespackagesdirectly and returnsprocessed_rows(replacing separate scored/ranked counts). Spotlight rows still forceis_criticalvia join.package_criticality_spotlightswitches from(ecosystem, namespace, name)to apackage_idFK with a unique index onpackage_idfor indexed joins.run-impact.tsCLI drops--w-*and--top-nin favor of--cutoffand--ecosystems, and logsprocessed_rowsfrom the new function signature.Reviewed by Cursor Bugbot for commit 8348b06. Bugbot is set up for automated code reviews on this repo. Configure here.