@antongolub/lockfile 0.0.0-snapshot.49 → 0.0.0-snapshot.50

package/README.md

@@ -5,10 +5,9 @@
 <p><img alt="@antongolub/lockfile — universal lockfile model and converter for npm, yarn, pnpm, bun" src="./pics/lockfile.svg" align="right" width="300">
 
 Each package manager brings its own philosophy of how to describe, store and
-control project dependencies. It looks acceptable to a developer staring at a
-single repo, but it becomes a real headache for IS, DevOps and release
-engineers — and impossible for any tool that needs to reason about
-dependency graphs across the ecosystem.
+control project dependencies. Inside a single repo it's invisible to the
+developer — but it becomes a recurring cost for InfoSec, DevOps and release
+engineers, and makes consistent policy unenforceable across the enterprise.
 
 This library models the dependency graph independent of any specific
 package manager, then projects it back into the format you need.
@@ -19,11 +18,23 @@ license filtering) is the headline.
 
 ## Status
 
-🔒 **Contract preview, implementation in progress.** The public API
-(`parse` / `stringify`) is locked. Adapter implementations are landing
-incrementally — see [SCHEMAS.md](./SCHEMAS.md) for what's recognised.
-Not yet published; `npm install` will appear once the first adapters
-ship end-to-end.
+**Snapshot preview.** Every format below parses and stringifies; conversion is
+*semantically equivalent*, not byte-identical (see [Concept](#concept)).
+Published as `0.0.0-snapshot.*` builds — the first stable release is pending.
+[SCHEMAS.md](./SCHEMAS.md) maps each format id to the package-manager versions
+that emit it.
+
+| Format | `detect` | `parse` | `stringify` |
+|--------|:-:|:-:|:-:|
+| `npm-1` · `npm-2` · `npm-3`        | ✓ | ✓ | ✓ |
+| `yarn-classic`                    | ✓ | ✓ | ✓ |
+| `yarn-berry-v4` … `yarn-berry-v10`| ✓ | ✓ | ✓ |
+| `pnpm-v5` · `pnpm-v6` · `pnpm-v9`  | ✓ | ✓ | ✓ |
+| `bun-text`                        | ✓ | ✓ | ✓ |
+
+Graph-level operations apply to **any** parsed graph, regardless of source
+format: `convert` (parse any → stringify any), `modify` (audit-fix,
+override-pin, license-filter), and `optimize` (orphan GC / dedup).
 
 ## Concept
 
@@ -49,66 +60,74 @@ signatures) are the exception — they are never silently lost.
 ## API
 
 ```ts
-import { parse, stringify } from '@antongolub/lockfile'
+import { parse, stringify, convert } from '@antongolub/lockfile'
+
+// explicit format (it's always the first argument):
+const graph = parse('pnpm-v9', raw)
+const out   = stringify('npm-3', graph)
 
-const lf  = parse(rawLockfileBytes)
-const str = stringify(lf, { format: 'npm-3' })
+// or one step, auto-detecting the source:
+const npm = convert(raw, { to: 'npm-3' })
 ```
 
-Two top-level operations, modelled on `JSON.parse` / `JSON.stringify`:
+The format is **explicit**, never implicit — `parse` and `stringify` both take
+it as the first argument; `detect` sniffs it from the bytes when you don't know
+it. Round-tripping is a choice the caller makes, not a default.
 
 ```ts
-parse(input: string | Uint8Array, options?: ParseOptions): Lockfile
-
-stringify(lockfile: Lockfile, options: StringifyOptions): string
+detect(input: string): FormatId | undefined
+check(format: FormatId, input: string): boolean
+parse(format: FormatId, input: string, opts?: ParseOptions): Graph
+stringify(format: FormatId, graph: Graph, opts?: StringifyOptions): string
+convert(input: string, opts: ConvertOptions): string   // parse(from) → stringify(to)
 ```
 
-- `parse` auto-detects the format by content sniffing. Pass
-  `{ format: '<id>' }` to skip detection. Pass `{ manifests }` for
-  formats that need extra workspace context (notably `yarn-classic`).
-- `stringify`'s `options.format` is **required** — there is no implicit
-  "same as parsed". Round-tripping is an explicit choice the caller makes.
+`Graph` is the canonical, package-manager-independent model; `FormatId` is a
+string-literal union (the [Status](#status) table lists every id, and
+[SCHEMAS.md](./SCHEMAS.md) maps each to the package-manager versions behind it).
+
+### Operating on the graph
+
+The graph is where the value lives — `modify` and `optimize` transform it,
+format-agnostically:
 
-`Lockfile` is the public alias for the internal canonical-graph type.
-`FormatId` is a string-literal union — see
-[SCHEMAS.md](./SCHEMAS.md) for the full list.
+- **`modify`** applies a `Primitive[]` — `replaceVersion`, `pinOverride`,
+  `addDependency`, `removeDependency`, `applyPatch`, `filterLicense` — the
+  building blocks of audit-fix, override-pinning and license filtering.
+- **`optimize`** runs orphan GC / dedup over the graph.
+- **`overridesOf(graph)`** reads the canonical overrides back out.
 
 ### Options
 
 ```ts
 type ParseOptions = {
-  format?:     FormatId          // skip auto-detect
-  manifests?:  Manifests         // package.jsons keyed by workspace path
-  pmConfig?:   PmConfig          // .npmrc / .yarnrc.yml / pnpm-workspace.yaml / bunfig.toml
-  installDir?: string            // path to node_modules / .pnp.cjs (refinement)
-  cache?:      CacheAdapter      // PM cache (refinement)
-  registry?:   RegistryAdapter   // network access (opt-in)
+  workspaceRoot?: string                     // FS root for out-of-lockfile reads (patch bytes, manifests)
+  manifests?:     Record<string, Manifest>   // package.jsons keyed by workspace path
+  onDiagnostic?:  (d: Diagnostic) => void
 }
 
 type StringifyOptions = {
-  format:        FormatId        // required
-  manifests?:    Manifests
-  pmConfig?:     PmConfig
-  installDir?:   string
-  cache?:        CacheAdapter
-  registry?:     RegistryAdapter
+  lineEnding?:   'lf' | 'crlf'
+  cacheKey?:     string                       // yarn-berry cache-key prefix
+  overrides?:    OverrideConstraint[]         // canonical overrides → native projection
   onDiagnostic?: (d: Diagnostic) => void
 }
 ```
 
-`pmConfig` / `installDir` / `cache` / `registry` are progressive
-**refinement opt-ins**: each unlocks more information at higher cost. The
-default succeeds offline, against the lockfile bytes (and `manifests`)
-alone.
+`manifests` supplies the workspace/override context the lockfile bytes cannot
+carry on their own (notably for `yarn-classic` monorepos); everything else
+succeeds offline against the bytes alone. Registry- and cache-backed refinement
+ships as opt-in adapters (see [Sub-imports](#sub-imports)).
 
 ### Sub-imports
 
 | Surface | Importable as | Contains |
 |---------|---------------|----------|
-| Root | `@antongolub/lockfile` | `parse`, `stringify`, plus types: `Lockfile`, `FormatId`, `ParseOptions`, `StringifyOptions`, `Manifest`, `Manifests` |
-| Modifiers | `@antongolub/lockfile/modify` | audit-fix, override-pin, license-filter |
-| Registry | `@antongolub/lockfile/registry` | adapters for live npm, file cache, frozen-from-lockfile |
-| Per-format | `@antongolub/lockfile/formats/<id>` | direct access to a single adapter (test surface; not a primary user API) |
+| Root | `@antongolub/lockfile` | `detect`, `check`, `parse`, `stringify`, `convert`, `modify`, `optimize`, `overridesOf`, plus types `Graph`, `FormatId`, `ParseOptions`, `StringifyOptions`, `ConvertOptions`, `Manifest` |
+| Modifiers | `@antongolub/lockfile/modify` | the individual `Primitive` functions behind `modify` (audit-fix, override-pin, license-filter) |
+| Optimize | `@antongolub/lockfile/optimize` | the individual GC passes behind `optimize` |
+| Registry | `@antongolub/lockfile/registry` | `frozenRegistry`, `liveRegistry`, `fsCache`, `npmCache`, `pnpmCache` |
+| Per-format | `@antongolub/lockfile/formats/<id>` | a single adapter directly (test surface; not a primary user API) |
 
 ### Errors
 
@@ -117,8 +136,9 @@ alone.
 
 ```ts
 'PARSE_FAILED' | 'FORMAT_DETECT_FAILED' | 'FORMAT_MISMATCH'
-| 'CAPABILITY_LACK' | 'MISSING_MANIFEST'
-| 'IRREDUCIBLE_LOSS' | 'INVARIANT_VIOLATION'
+| 'CAPABILITY_LACK' | 'MISSING_MANIFEST' | 'MISSING_REQUIRED_FIELD'
+| 'INVALID_INPUT' | 'ENRICH_REQUIRED' | 'IRREDUCIBLE_LOSS'
+| 'PIPELINE_DIVERGED' | 'REGISTRY_UNREACHABLE' | 'INVARIANT_VIOLATION'
 ```
 
 Reducible losses (e.g. dropped patches when emitting `npm-1` from a

package/dist/{_npm-flat-types-BtjAgSy6.d.ts → _npm-flat-types-6ABSGUI9.d.ts}

@@ -1,4 +1,4 @@
-import { D as Diagnostic, O as OverrideConstraint } from './graph-DlYNIpXt.js';
+import { D as Diagnostic, O as OverrideConstraint } from './graph-DL9MNz81.js';
 
 interface NpmFamilyParseOptions {
 }

package/dist/{_pnpm-flat-core-u9QE3m8R.d.ts → _pnpm-flat-core-CGSknThP.d.ts}

@@ -1,4 +1,4 @@
-import { D as Diagnostic, O as OverrideConstraint } from './graph-DlYNIpXt.js';
+import { D as Diagnostic, O as OverrideConstraint } from './graph-DL9MNz81.js';
 
 interface PnpmFamilyParseOptions {
     /**

package/dist/{_yarn-berry-core-tgctDDH2.d.ts → _yarn-berry-core-E1kzf3tA.d.ts}

@@ -1,4 +1,4 @@
-import { D as Diagnostic } from './graph-DlYNIpXt.js';
+import { D as Diagnostic } from './graph-DL9MNz81.js';
 
 interface YarnBerryFamilyParseOptions {
     workspaceRoot?: string;

package/dist/complete.d.ts

@@ -1,5 +1,5 @@
-import { N as NodeId, D as Diagnostic, G as Graph, E as EdgeTriple, a as Node, b as EdgeKind } from './graph-DlYNIpXt.js';
-import { R as RegistryAdapter } from './types-Ci06KZkZ.js';
+import { N as NodeId, D as Diagnostic, G as Graph, E as EdgeTriple, a as Node, b as EdgeKind } from './graph-DL9MNz81.js';
+import { R as RegistryAdapter } from './types-BJ6TTw2m.js';
 
 interface CompletionSeed {
     /** NodeIds the modifier added in the just-completed mutate phase. */

package/dist/formats/bun-text.d.ts

@@ -1,4 +1,4 @@
-import { D as Diagnostic, G as Graph } from '../graph-DlYNIpXt.js';
+import { D as Diagnostic, G as Graph } from '../graph-DL9MNz81.js';
 
 interface BunTextParseOptions {
 }

package/dist/formats/bun-text.js

@@ -214,6 +214,7 @@ function validate(s) {
       const inc = s.incoming.get(id) ?? [];
       for (const edge of inc) {
         if (s.nodes.get(edge.src)?.workspacePath !== void 0) continue;
+        if (s.tarballs.get(stripPeerContextFromNodeId(edge.src))?.resolution?.type === "directory") continue;
         if (isPublishedSelfLink(edge)) {
           s.diagnostics.push({
             code: "SEAL_PUBLISHED_SELF_LINK",
@@ -634,16 +635,41 @@ function newBuilder() {
 }
 
 // src/main/ts/recipe/integrity.ts
-var CANONICAL_RE = /^sha512-[A-Za-z0-9+/]{86}==$/;
-function isCanonical(s) {
-  if (!CANONICAL_RE.test(s)) return false;
-  const b64 = s.slice("sha512-".length);
-  const buf = Buffer.from(b64, "base64");
-  if (buf.length !== 64) return false;
-  return buf.toString("base64") === b64;
+var SRI_ALGO_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
+var SRI_MEMBER_RE = /^([a-z][a-z0-9]*)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/;
+function hexToBase64(hex) {
+  return Buffer.from(hex, "hex").toString("base64");
+}
+function isEmptyIntegrity(i) {
+  return i.hashes.length === 0;
+}
+function isTarballOrigin(origin) {
+  return origin !== "berry-zip";
+}
+function tarballHashes(i) {
+  return i.hashes.filter((h) => isTarballOrigin(h.origin));
+}
+function parseSri(raw, origin = "sri") {
+  const hashes = [];
+  for (const member of raw.trim().split(/\s+/)) {
+    if (member === "") continue;
+    const m = SRI_MEMBER_RE.exec(member);
+    if (!m) continue;
+    const algorithm = m[1];
+    const bytes = Buffer.from(m[2], "base64");
+    const expected = SRI_ALGO_BYTES[algorithm];
+    if (expected !== void 0) {
+      if (bytes.length !== expected) continue;
+    } else if (bytes.length < 16) {
+      continue;
+    }
+    hashes.push({ algorithm, digest: bytes.toString("hex"), origin });
+  }
+  return { hashes };
 }
-function validateCanonical(raw) {
-  return isCanonical(raw) ? raw : void 0;
+function emitSri(i) {
+  const members = tarballHashes(i).map((h) => `${h.algorithm}-${hexToBase64(h.digest)}`);
+  return members.length > 0 ? members.join(" ") : void 0;
 }
 
 // src/main/ts/recipe/diagnostics.ts
@@ -652,7 +678,7 @@ function invalidIntegrityDiagnostic(prefix, subject, rawIntegrity) {
     code: `${prefix}_INVALID_INTEGRITY`,
     severity: "warning",
     subject,
-    message: `integrity ${JSON.stringify(rawIntegrity)} is not a canonical sha512 SRI; dropping`
+    message: `integrity ${JSON.stringify(rawIntegrity)} has no parseable hash; dropping`
   };
 }
 function emitDropped(nodeId, feature, reason, onDiagnostic) {
@@ -857,11 +883,11 @@ function parse(input, _options = {}) {
         peerContext: []
       });
       if (integrity !== void 0) {
-        const canonical = validateCanonical(integrity);
-        if (canonical === void 0) {
+        const parsed2 = parseSri(integrity, "sri");
+        if (isEmptyIntegrity(parsed2)) {
           diagnostics.push(invalidIntegrityDiagnostic("BUN_TEXT", nodeId, integrity));
         } else {
-          builder.setTarball({ name, version }, { integrity: canonical });
+          builder.setTarball({ name, version }, { integrity: parsed2 });
         }
       }
     }
@@ -962,7 +988,7 @@ function stringify(graph, options = {}) {
     emittedNameVersion.add(nameVersion);
     const inner = buildInnerBlock(graph, node, sidecar);
     const integritySrc = graph.tarballOf(node.id)?.integrity;
-    const integrity = integritySrc ?? "";
+    const integrity = (integritySrc && emitSri(integritySrc)) ?? "";
     const key = chooseNodeEmitKey(node, sidecar, packagesBlock);
     packagesBlock[key] = [`${node.name}@${node.version}`, "", inner, integrity];
   }

package/dist/formats/npm-1.d.ts

@@ -1,4 +1,4 @@
-import { D as Diagnostic, G as Graph } from '../graph-DlYNIpXt.js';
+import { D as Diagnostic, G as Graph } from '../graph-DL9MNz81.js';
 
 interface Npm1ParseOptions {
 }

package/dist/formats/npm-1.js

@@ -215,6 +215,7 @@ function validate(s) {
       const inc = s.incoming.get(id) ?? [];
       for (const edge of inc) {
         if (s.nodes.get(edge.src)?.workspacePath !== void 0) continue;
+        if (s.tarballs.get(stripPeerContextFromNodeId(edge.src))?.resolution?.type === "directory") continue;
         if (isPublishedSelfLink(edge)) {
           s.diagnostics.push({
             code: "SEAL_PUBLISHED_SELF_LINK",
@@ -634,6 +635,44 @@ function newBuilder() {
   };
 }
 
+// src/main/ts/recipe/integrity.ts
+var SRI_ALGO_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
+var SRI_MEMBER_RE = /^([a-z][a-z0-9]*)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/;
+function hexToBase64(hex) {
+  return Buffer.from(hex, "hex").toString("base64");
+}
+function isEmptyIntegrity(i) {
+  return i.hashes.length === 0;
+}
+function isTarballOrigin(origin) {
+  return origin !== "berry-zip";
+}
+function tarballHashes(i) {
+  return i.hashes.filter((h) => isTarballOrigin(h.origin));
+}
+function parseSri(raw, origin = "sri") {
+  const hashes = [];
+  for (const member of raw.trim().split(/\s+/)) {
+    if (member === "") continue;
+    const m = SRI_MEMBER_RE.exec(member);
+    if (!m) continue;
+    const algorithm = m[1];
+    const bytes = Buffer.from(m[2], "base64");
+    const expected = SRI_ALGO_BYTES[algorithm];
+    if (expected !== void 0) {
+      if (bytes.length !== expected) continue;
+    } else if (bytes.length < 16) {
+      continue;
+    }
+    hashes.push({ algorithm, digest: bytes.toString("hex"), origin });
+  }
+  return { hashes };
+}
+function emitSri(i) {
+  const members = tarballHashes(i).map((h) => `${h.algorithm}-${hexToBase64(h.digest)}`);
+  return members.length > 0 ? members.join(" ") : void 0;
+}
+
 // src/main/ts/formats/_npm-flat-types.ts
 var cmpStr2 = (a, b) => a < b ? -1 : a > b ? 1 : 0;
 function sortRecord(record) {
@@ -971,7 +1010,10 @@ function parse2(input, _options = {}) {
         if (resolved !== void 0) node.resolution = resolved;
         builder.addNode(node);
         const payload = {};
-        if (entry.integrity !== void 0) payload.integrity = entry.integrity;
+        if (entry.integrity !== void 0) {
+          const integrity = parseSri(entry.integrity, "sri");
+          if (!isEmptyIntegrity(integrity)) payload.integrity = integrity;
+        }
         if (resolved !== void 0) {
           const canonical = parse(resolved, { sourceKind: "npm-resolved" });
           if (canonical.type === "unknown") {
@@ -1439,7 +1481,8 @@ function buildEntry(node, installPath, graph, sidecar, treeByParent) {
     }
   }
   if (tarball?.integrity !== void 0 && !/^(git[+:]|github:)/.test(entry.version ?? "")) {
-    entry.integrity = tarball.integrity;
+    const sri = emitSri(tarball.integrity);
+    if (sri !== void 0) entry.integrity = sri;
   }
   if (nodeSide?.dev === true) entry.dev = true;
   if (nodeSide?.optional === true) entry.optional = true;

package/dist/formats/npm-2.d.ts

@@ -1,5 +1,5 @@
-import { G as Graph, D as Diagnostic } from '../graph-DlYNIpXt.js';
-import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-BtjAgSy6.js';
+import { G as Graph, D as Diagnostic } from '../graph-DL9MNz81.js';
+import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-6ABSGUI9.js';
 
 interface Npm2ParseOptions extends NpmFamilyParseOptions {
 }

package/dist/formats/npm-2.js

@@ -228,6 +228,7 @@ function validate(s) {
       const inc = s.incoming.get(id) ?? [];
       for (const edge of inc) {
         if (s.nodes.get(edge.src)?.workspacePath !== void 0) continue;
+        if (s.tarballs.get(stripPeerContextFromNodeId(edge.src))?.resolution?.type === "directory") continue;
         if (isPublishedSelfLink(edge)) {
           s.diagnostics.push({
             code: "SEAL_PUBLISHED_SELF_LINK",
@@ -648,16 +649,41 @@ function newBuilder() {
 }
 
 // src/main/ts/recipe/integrity.ts
-var CANONICAL_RE = /^sha512-[A-Za-z0-9+/]{86}==$/;
-function isCanonical(s) {
-  if (!CANONICAL_RE.test(s)) return false;
-  const b64 = s.slice("sha512-".length);
-  const buf = Buffer.from(b64, "base64");
-  if (buf.length !== 64) return false;
-  return buf.toString("base64") === b64;
+var SRI_ALGO_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
+var SRI_MEMBER_RE = /^([a-z][a-z0-9]*)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/;
+function hexToBase64(hex) {
+  return Buffer.from(hex, "hex").toString("base64");
+}
+function isEmptyIntegrity(i) {
+  return i.hashes.length === 0;
+}
+function isTarballOrigin(origin) {
+  return origin !== "berry-zip";
+}
+function tarballHashes(i) {
+  return i.hashes.filter((h) => isTarballOrigin(h.origin));
+}
+function parseSri(raw, origin = "sri") {
+  const hashes = [];
+  for (const member of raw.trim().split(/\s+/)) {
+    if (member === "") continue;
+    const m = SRI_MEMBER_RE.exec(member);
+    if (!m) continue;
+    const algorithm = m[1];
+    const bytes = Buffer.from(m[2], "base64");
+    const expected = SRI_ALGO_BYTES[algorithm];
+    if (expected !== void 0) {
+      if (bytes.length !== expected) continue;
+    } else if (bytes.length < 16) {
+      continue;
+    }
+    hashes.push({ algorithm, digest: bytes.toString("hex"), origin });
+  }
+  return { hashes };
 }
-function validateCanonical(raw) {
-  return isCanonical(raw) ? raw : void 0;
+function emitSri(i) {
+  const members = tarballHashes(i).map((h) => `${h.algorithm}-${hexToBase64(h.digest)}`);
+  return members.length > 0 ? members.join(" ") : void 0;
 }
 
 // src/main/ts/recipe/diagnostics.ts
@@ -666,7 +692,7 @@ function invalidIntegrityDiagnostic(prefix, subject, rawIntegrity) {
     code: `${prefix}_INVALID_INTEGRITY`,
     severity: "warning",
     subject,
-    message: `integrity ${JSON.stringify(rawIntegrity)} is not a canonical sha512 SRI; dropping`
+    message: `integrity ${JSON.stringify(rawIntegrity)} has no parseable hash; dropping`
   };
 }
 function emitDropped(nodeId, feature, reason, onDiagnostic) {
@@ -1616,11 +1642,11 @@ function hasTarballPayload(entry) {
 function tarballPayloadOf(entry, subject, diagnostics) {
   const payload = {};
   if (entry.integrity !== void 0) {
-    const canonical = validateCanonical(entry.integrity);
-    if (canonical === void 0) {
+    const integrity = parseSri(entry.integrity, "sri");
+    if (isEmptyIntegrity(integrity)) {
       diagnostics.push(invalidIntegrityDiagnostic("NPM", subject, entry.integrity));
     } else {
-      payload.integrity = canonical;
+      payload.integrity = integrity;
     }
   }
   if (entry.engines !== void 0) payload.engines = { ...entry.engines };
@@ -1861,7 +1887,10 @@ function buildNodeModulesEntry(graph, node, nodeSide, config, emitDiagnostic = (
   const tarball = graph.tarballOf(node.id);
   const resolved = node.resolution ?? config.hooks?.recoverResolvedForNode?.(graph, node) ?? deriveResolvedFromCanonical(tarball?.resolution);
   if (resolved !== void 0) body.resolved = resolved;
-  if (tarball?.integrity !== void 0) body.integrity = tarball.integrity;
+  if (tarball?.integrity !== void 0) {
+    const sri = emitSri(tarball.integrity);
+    if (sri !== void 0) body.integrity = sri;
+  }
   if (nodeSide?.dev === true) body.dev = true;
   if (nodeSide?.optional === true) body.optional = true;
   if (nodeSide?.peer === true) body.peer = true;
@@ -2169,7 +2198,8 @@ function buildLegacyNodeEntry(ctx, node, parentInstallPrefix) {
     }
   }
   if (tarball?.integrity !== void 0 && entry.from === void 0) {
-    entry.integrity = tarball.integrity;
+    const sri = emitSri(tarball.integrity);
+    if (sri !== void 0) entry.integrity = sri;
   }
   const nodeSide = ctx.sidecar?.nodes.get(node.id);
   if (nodeSide?.dev === true) entry.dev = true;

package/dist/formats/npm-3.d.ts

@@ -1,5 +1,5 @@
-import { G as Graph, D as Diagnostic } from '../graph-DlYNIpXt.js';
-import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-BtjAgSy6.js';
+import { G as Graph, D as Diagnostic } from '../graph-DL9MNz81.js';
+import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-6ABSGUI9.js';
 
 interface Npm3ParseOptions extends NpmFamilyParseOptions {
 }

package/dist/formats/npm-3.js

@@ -228,6 +228,7 @@ function validate(s) {
       const inc = s.incoming.get(id) ?? [];
       for (const edge of inc) {
         if (s.nodes.get(edge.src)?.workspacePath !== void 0) continue;
+        if (s.tarballs.get(stripPeerContextFromNodeId(edge.src))?.resolution?.type === "directory") continue;
         if (isPublishedSelfLink(edge)) {
           s.diagnostics.push({
             code: "SEAL_PUBLISHED_SELF_LINK",
@@ -648,16 +649,41 @@ function newBuilder() {
 }
 
 // src/main/ts/recipe/integrity.ts
-var CANONICAL_RE = /^sha512-[A-Za-z0-9+/]{86}==$/;
-function isCanonical(s) {
-  if (!CANONICAL_RE.test(s)) return false;
-  const b64 = s.slice("sha512-".length);
-  const buf = Buffer.from(b64, "base64");
-  if (buf.length !== 64) return false;
-  return buf.toString("base64") === b64;
+var SRI_ALGO_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
+var SRI_MEMBER_RE = /^([a-z][a-z0-9]*)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/;
+function hexToBase64(hex) {
+  return Buffer.from(hex, "hex").toString("base64");
+}
+function isEmptyIntegrity(i) {
+  return i.hashes.length === 0;
+}
+function isTarballOrigin(origin) {
+  return origin !== "berry-zip";
+}
+function tarballHashes(i) {
+  return i.hashes.filter((h) => isTarballOrigin(h.origin));
+}
+function parseSri(raw, origin = "sri") {
+  const hashes = [];
+  for (const member of raw.trim().split(/\s+/)) {
+    if (member === "") continue;
+    const m = SRI_MEMBER_RE.exec(member);
+    if (!m) continue;
+    const algorithm = m[1];
+    const bytes = Buffer.from(m[2], "base64");
+    const expected = SRI_ALGO_BYTES[algorithm];
+    if (expected !== void 0) {
+      if (bytes.length !== expected) continue;
+    } else if (bytes.length < 16) {
+      continue;
+    }
+    hashes.push({ algorithm, digest: bytes.toString("hex"), origin });
+  }
+  return { hashes };
 }
-function validateCanonical(raw) {
-  return isCanonical(raw) ? raw : void 0;
+function emitSri(i) {
+  const members = tarballHashes(i).map((h) => `${h.algorithm}-${hexToBase64(h.digest)}`);
+  return members.length > 0 ? members.join(" ") : void 0;
 }
 
 // src/main/ts/recipe/diagnostics.ts
@@ -666,7 +692,7 @@ function invalidIntegrityDiagnostic(prefix, subject, rawIntegrity) {
     code: `${prefix}_INVALID_INTEGRITY`,
     severity: "warning",
     subject,
-    message: `integrity ${JSON.stringify(rawIntegrity)} is not a canonical sha512 SRI; dropping`
+    message: `integrity ${JSON.stringify(rawIntegrity)} has no parseable hash; dropping`
   };
 }
 function emitDropped(nodeId, feature, reason, onDiagnostic) {
@@ -1616,11 +1642,11 @@ function hasTarballPayload(entry) {
 function tarballPayloadOf(entry, subject, diagnostics) {
   const payload = {};
   if (entry.integrity !== void 0) {
-    const canonical = validateCanonical(entry.integrity);
-    if (canonical === void 0) {
+    const integrity = parseSri(entry.integrity, "sri");
+    if (isEmptyIntegrity(integrity)) {
       diagnostics.push(invalidIntegrityDiagnostic("NPM", subject, entry.integrity));
     } else {
-      payload.integrity = canonical;
+      payload.integrity = integrity;
     }
   }
   if (entry.engines !== void 0) payload.engines = { ...entry.engines };
@@ -1861,7 +1887,10 @@ function buildNodeModulesEntry(graph, node, nodeSide, config, emitDiagnostic = (
   const tarball = graph.tarballOf(node.id);
   const resolved = node.resolution ?? config.hooks?.recoverResolvedForNode?.(graph, node) ?? deriveResolvedFromCanonical(tarball?.resolution);
   if (resolved !== void 0) body.resolved = resolved;
-  if (tarball?.integrity !== void 0) body.integrity = tarball.integrity;
+  if (tarball?.integrity !== void 0) {
+    const sri = emitSri(tarball.integrity);
+    if (sri !== void 0) body.integrity = sri;
+  }
   if (nodeSide?.dev === true) body.dev = true;
   if (nodeSide?.optional === true) body.optional = true;
   if (nodeSide?.peer === true) body.peer = true;

package/dist/formats/pnpm-v5.d.ts

@@ -1,4 +1,4 @@
-import { D as Diagnostic, G as Graph } from '../graph-DlYNIpXt.js';
+import { D as Diagnostic, G as Graph } from '../graph-DL9MNz81.js';
 
 interface PnpmV5ParseOptions {
 }