@antongolub/lockfile 0.0.0-snapshot.61 → 0.0.0-snapshot.63

package/README.md

@@ -24,6 +24,13 @@ Published as `0.0.0-snapshot.*` builds — the first stable release is pending.
 [SCHEMAS.md](./SCHEMAS.md) maps each format id to the package-manager versions
 that emit it.
 
+> **ℹ️ Active R&D — snapshot channel.** While the project is under active research &
+> development, every release ships to the **snapshot channel** (`0.0.0-snapshot.N`,
+> published under the `snapshot` npm dist-tag) rather than `latest`. Install the newest
+> snapshot with `npm i @antongolub/lockfile@snapshot`, or pin an exact build
+> (e.g. `npm i @antongolub/lockfile@0.0.0-snapshot.61`). The first stable `latest`
+> release is pending.
+
 | Format | `detect` | `parse` | `stringify` |
 |--------|:-:|:-:|:-:|
 | `npm-1` · `npm-2` · `npm-3`        | ✓ | ✓ | ✓ |

package/dist/{_npm-flat-types-C6TSaidU.d.ts → _npm-flat-types-CR16JZFS.d.ts}

@@ -1,4 +1,4 @@
-import { D as Diagnostic, O as OverrideConstraint } from './graph-B_G4OKqF.js';
+import { D as Diagnostic, O as OverrideConstraint } from './graph-CPo-SvS2.js';
 
 interface NpmFamilyParseOptions {
 }

package/dist/{_pnpm-flat-core-NEg8x-yf.d.ts → _pnpm-flat-core-DmGs4UQu.d.ts}

@@ -1,4 +1,4 @@
-import { D as Diagnostic, O as OverrideConstraint } from './graph-B_G4OKqF.js';
+import { D as Diagnostic, O as OverrideConstraint } from './graph-CPo-SvS2.js';
 
 interface PnpmFamilyParseOptions {
     /**

package/dist/{_yarn-berry-core-CLT-3m_j.d.ts → _yarn-berry-core-BhE-AhmX.d.ts}

@@ -1,4 +1,4 @@
-import { O as OverrideConstraint, D as Diagnostic } from './graph-B_G4OKqF.js';
+import { O as OverrideConstraint, D as Diagnostic } from './graph-CPo-SvS2.js';
 
 interface YarnBerryFamilyParseOptions {
     workspaceRoot?: string;

package/dist/complete.d.ts

@@ -1,5 +1,5 @@
-import { N as NodeId, D as Diagnostic, G as Graph, E as EdgeTriple, a as Node, b as EdgeKind } from './graph-B_G4OKqF.js';
-import { R as RegistryAdapter } from './types-CGeGAM7Z.js';
+import { N as NodeId, D as Diagnostic, G as Graph, E as EdgeTriple, a as Node, b as EdgeKind } from './graph-CPo-SvS2.js';
+import { R as RegistryAdapter } from './types-BPMSHpCF.js';
 
 interface CompletionSeed {
     /** NodeIds the modifier added in the just-completed mutate phase. */

package/dist/formats/bun-text.d.ts

@@ -1,9 +1,18 @@
-import { D as Diagnostic, G as Graph } from '../graph-B_G4OKqF.js';
+import { O as OverrideConstraint, D as Diagnostic, G as Graph } from '../graph-CPo-SvS2.js';
 
 interface BunTextParseOptions {
 }
 interface BunTextStringifyOptions {
     lineEnding?: 'lf' | 'crlf';
+    /**
+     * Caller-supplied canonical override constraints (ADR-0025). bun's `overrides`
+     * block is npm-shaped, so these project through the npm grammar
+     * (`projectOverrides(_, 'npm')`). An explicit `[]` suppresses the verbatim
+     * carrier captured at parse; `undefined` falls back to it. This is the
+     * audit-fix write path — `pinOverride` results land here as a forced
+     * resolution into bun's top-level `overrides`.
+     */
+    overrides?: OverrideConstraint[];
     onDiagnostic?: (diagnostic: Diagnostic) => void;
 }
 interface BunTextManifest {
@@ -19,6 +28,14 @@ interface BunTextEnrichOptions {
 }
 interface BunTextOptimizeOptions {
 }
+/**
+ * Canonical override constraints captured from a bun-text graph's top-level
+ * `overrides` block (ADR-0025 §6, A2). Mirrors `getPnpmOverridesCanonical` /
+ * npm's `rootMeta.overrides` so `index.ts` `overridesOf` can fold a bun source's
+ * overrides into a cross-PM conversion. Returns undefined when the graph carries
+ * no overrides block (or the sidecar was lost to a bare `mutate`).
+ */
+declare function getBunOverridesCanonical(graph: Graph): OverrideConstraint[] | undefined;
 declare function check(input: string): boolean;
 declare function parse(input: string, _options?: BunTextParseOptions): Graph;
 declare function stringify(graph: Graph, options?: BunTextStringifyOptions): string;
@@ -31,4 +48,4 @@ declare function optimize(graph: Graph, _options?: BunTextOptimizeOptions): {
     diagnostics: Diagnostic[];
 };
 
-export { type BunTextEnrichOptions, type BunTextManifest, type BunTextOptimizeOptions, type BunTextParseOptions, type BunTextStringifyOptions, check, enrich, optimize, parse, stringify };
+export { type BunTextEnrichOptions, type BunTextManifest, type BunTextOptimizeOptions, type BunTextParseOptions, type BunTextStringifyOptions, check, enrich, getBunOverridesCanonical, optimize, parse, stringify };

package/dist/formats/bun-text.js

@@ -723,6 +723,13 @@ function emitWorkspaceCollapsed(edge, fromSpecifier, onDiagnostic) {
   if (onDiagnostic === void 0) return;
   onDiagnostic(workspaceCollapsedDiagnostic(edge, fromSpecifier));
 }
+function overrideParentRefDropped(pkg, to) {
+  return {
+    code: "OVERRIDE_PARENT_REF_DROPPED",
+    severity: "warning",
+    message: `override ${pkg}=${to}: npm $name self-ref has no yarn/pnpm equivalent; emitted verbatim`
+  };
+}
 
 // src/main/ts/recipe/workspace.ts
 function isWorkspaceSpecifier(s) {
@@ -771,11 +778,168 @@ function nodeVersionOf(id) {
   return paren < 0 ? rest : rest.slice(0, paren);
 }
 
+// src/main/ts/recipe/overrides.ts
+function splitNameVersion(selector) {
+  let depth = 0;
+  let lastAt = -1;
+  for (let i = 0; i < selector.length; i++) {
+    const c = selector[i];
+    if (c === "(") depth++;
+    else if (c === ")") depth--;
+    else if (c === "@" && depth === 0 && i >= 1) lastAt = i;
+  }
+  if (lastAt <= 0) return { package: selector };
+  const name = selector.slice(0, lastAt);
+  const version = selector.slice(lastAt + 1);
+  if (name.length === 0 || version.length === 0) return { package: selector };
+  return { package: name, versionCondition: version };
+}
+function captureOverrides(block, pm, onDiagnostic) {
+  if (block === null || typeof block !== "object") {
+    return { canonical: [], native: {} };
+  }
+  let canonical;
+  const native = {};
+  switch (pm) {
+    case "npm": {
+      native.npmOverrides = block;
+      canonical = captureNpm(block, []);
+      break;
+    }
+    case "yarn": {
+      const flat = asStringRecord(block);
+      native.yarnResolutions = flat;
+      canonical = captureFlat(flat, splitYarnKey);
+      break;
+    }
+    case "pnpm": {
+      const flat = asStringRecord(block);
+      native.pnpmOverrides = flat;
+      canonical = captureFlat(flat, splitPnpmKey);
+      break;
+    }
+  }
+  return { canonical, native };
+}
+function captureNpm(block, parentPath) {
+  const out = [];
+  for (const [key, value] of Object.entries(block)) {
+    if (key === ".") {
+      if (parentPath.length === 0) continue;
+      const pkg2 = parentPath[parentPath.length - 1];
+      const ancestors = parentPath.slice(0, -1);
+      if (typeof value === "string") out.push(constraint(pkg2, ancestors, value));
+      continue;
+    }
+    const { package: pkg } = splitNameVersion(key);
+    if (typeof value === "string") {
+      out.push(constraint(pkg, parentPath, value));
+    } else if (value !== null && typeof value === "object") {
+      out.push(...captureNpm(value, [...parentPath, pkg]));
+    }
+  }
+  return out;
+}
+function captureFlat(flat, splitKey) {
+  const out = [];
+  for (const [key, to] of Object.entries(flat)) {
+    const { package: pkg, parentPath, versionCondition } = splitKey(key);
+    out.push(constraint(pkg, parentPath, to, versionCondition));
+  }
+  return out;
+}
+function splitYarnKey(key) {
+  const segments = splitYarnPathSegments(key);
+  const leaf = segments[segments.length - 1];
+  const { package: pkg, versionCondition } = splitNameVersion(leaf);
+  const parentPath = segments.slice(0, -1).filter((s) => s !== "**");
+  return versionCondition !== void 0 ? { package: pkg, parentPath, versionCondition } : { package: pkg, parentPath };
+}
+function splitYarnPathSegments(key) {
+  const raw = key.split("/");
+  const segments = [];
+  for (let i = 0; i < raw.length; i++) {
+    const piece = raw[i];
+    if (piece.startsWith("@") && i + 1 < raw.length) {
+      segments.push(`${piece}/${raw[i + 1]}`);
+      i++;
+    } else {
+      segments.push(piece);
+    }
+  }
+  return segments;
+}
+function splitPnpmKey(key) {
+  const segments = key.split(">").filter((s) => s.length > 0);
+  const leaf = segments[segments.length - 1];
+  const { package: pkg, versionCondition } = splitNameVersion(leaf);
+  const parentPath = segments.slice(0, -1).map((s) => splitNameVersion(s).package);
+  return versionCondition !== void 0 ? { package: pkg, parentPath, versionCondition } : { package: pkg, parentPath };
+}
+function constraint(pkg, parentPath, to, versionCondition) {
+  const c = { package: pkg, to };
+  if (parentPath.length > 0) c.parentPath = parentPath;
+  if (versionCondition !== void 0 && versionCondition !== "") {
+    c.versionCondition = versionCondition;
+  }
+  if (to.startsWith("$")) c.selfRef = true;
+  return c;
+}
+function asStringRecord(block) {
+  const out = {};
+  for (const [k, v] of Object.entries(block)) {
+    if (typeof v === "string") out[k] = v;
+  }
+  return out;
+}
+function projectOverrides(canonical, pm, onDiagnostic) {
+  return pm === "npm" ? projectNpm(canonical) : projectPnpm(canonical, onDiagnostic);
+}
+function projectNpm(canonical) {
+  const root = {};
+  for (const c of canonical) {
+    const leafKey = c.versionCondition ? `${c.package}@${c.versionCondition}` : c.package;
+    let node = root;
+    for (const seg of c.parentPath ?? []) {
+      const existing = node[seg];
+      if (typeof existing === "object" && existing !== null) {
+        node = existing;
+      } else {
+        const nested = typeof existing === "string" ? { ".": existing } : {};
+        node[seg] = nested;
+        node = nested;
+      }
+    }
+    const existingLeaf = node[leafKey];
+    if (existingLeaf !== null && typeof existingLeaf === "object") {
+      existingLeaf["."] = c.to;
+    } else {
+      node[leafKey] = c.to;
+    }
+  }
+  return root;
+}
+function projectPnpm(canonical, onDiagnostic) {
+  const out = {};
+  for (const c of canonical) {
+    const leaf = c.versionCondition ? `${c.package}@${c.versionCondition}` : c.package;
+    const key = c.parentPath && c.parentPath.length > 0 ? `${c.parentPath.join(">")}>${leaf}` : leaf;
+    if (c.selfRef && onDiagnostic !== void 0) {
+      onDiagnostic(overrideParentRefDropped(c.package, c.to));
+    }
+    out[key] = c.to;
+  }
+  return out;
+}
+
 // src/main/ts/formats/bun-text.ts
 var sidecarByGraph = /* @__PURE__ */ new WeakMap();
 function rememberSidecar(graph, sidecar) {
   sidecarByGraph.set(graph, sidecar);
 }
+function getBunOverridesCanonical(graph) {
+  return sidecarByGraph.get(graph)?.canonicalOverrides;
+}
 function check(input) {
   if (!/"lockfileVersion"\s*:\s*1\b/.test(input)) return false;
   if (!/"workspaces"\s*:\s*\{/.test(input)) return false;
@@ -950,6 +1114,17 @@ function parse(input, _options = {}) {
     const consumerScope = buildConsumerScope(packagesKey, packages, packageByName);
     addBlockEdges(builder, diagnostics, entry.id, entry.inner, consumerScope, void 0, peerDeclarations);
   }
+  let nativeOverrides;
+  let canonicalOverrides;
+  if (lf.overrides !== void 0 && lf.overrides !== null && typeof lf.overrides === "object") {
+    nativeOverrides = lf.overrides;
+    const captured = captureOverrides(lf.overrides, "npm");
+    if (captured.canonical.length > 0) canonicalOverrides = captured.canonical;
+  }
+  const trustedDependencies = Array.isArray(lf.trustedDependencies) ? lf.trustedDependencies.filter((v) => typeof v === "string") : void 0;
+  const patchedDependencies = lf.patchedDependencies !== void 0 && lf.patchedDependencies !== null && typeof lf.patchedDependencies === "object" ? Object.fromEntries(
+    Object.entries(lf.patchedDependencies).filter((e) => typeof e[1] === "string")
+  ) : void 0;
   for (const diagnostic of diagnostics) {
     builder.diagnostic(diagnostic);
   }
@@ -961,7 +1136,11 @@ function parse(input, _options = {}) {
       workspaces: workspaceSidecar,
       workspaceByPath,
       nodes: nodeSidecar,
-      peerDeclarations
+      peerDeclarations,
+      nativeOverrides,
+      canonicalOverrides,
+      trustedDependencies,
+      patchedDependencies
     };
     rememberSidecar(graph, sidecar);
     return graph;
@@ -1013,13 +1192,34 @@ function stringify(graph, options = {}) {
     const key = chooseNodeEmitKey(node, sidecar, packagesBlock);
     packagesBlock[key] = [`${node.name}@${node.version}`, "", inner, integrity];
   }
-  const json = renderJsonc({
+  const overridesBlock = resolveOverridesBlock(options.overrides, sidecar, emitDiagnostic);
+  const out = {
     lockfileVersion: 1,
-    workspaces: workspacesBlock,
-    packages: packagesBlock
-  });
+    workspaces: workspacesBlock
+  };
+  if (overridesBlock !== void 0 && Object.keys(overridesBlock).length > 0) {
+    out.overrides = overridesBlock;
+  }
+  out.packages = packagesBlock;
+  if (sidecar?.patchedDependencies !== void 0 && Object.keys(sidecar.patchedDependencies).length > 0) {
+    out.patchedDependencies = sortRecord(sidecar.patchedDependencies);
+  }
+  if (sidecar?.trustedDependencies !== void 0 && sidecar.trustedDependencies.length > 0) {
+    out.trustedDependencies = [...sidecar.trustedDependencies].sort(cmpStr2);
+  }
+  const json = renderJsonc(out);
   return options.lineEnding === "crlf" ? json.replace(/\n/g, "\r\n") : json;
 }
+function resolveOverridesBlock(callerOverrides, sidecar, emitDiagnostic) {
+  if (callerOverrides !== void 0) {
+    return callerOverrides.length > 0 ? projectOverrides(callerOverrides, "npm", emitDiagnostic) : void 0;
+  }
+  if (sidecar?.nativeOverrides !== void 0) return sidecar.nativeOverrides;
+  if (sidecar?.canonicalOverrides !== void 0 && sidecar.canonicalOverrides.length > 0) {
+    return projectOverrides(sidecar.canonicalOverrides, "npm", emitDiagnostic);
+  }
+  return void 0;
+}
 function enrich(graph, options = {}) {
   const sidecar = sidecarByGraph.get(graph);
   const diagnostics = [];
@@ -1489,8 +1689,15 @@ function pruneSidecar(sidecar, graph) {
         const [srcId] = key.split("|");
         return srcId !== void 0 && reachableIds.has(srcId);
       })
-    )
+    ),
+    // Top-level fidelity blocks are project-global (not per-node), so they
+    // survive an orphan-prune verbatim — pruning unreachable nodes never
+    // invalidates a declared override / trusted / patched entry.
+    nativeOverrides: sidecar.nativeOverrides,
+    canonicalOverrides: sidecar.canonicalOverrides,
+    trustedDependencies: sidecar.trustedDependencies,
+    patchedDependencies: sidecar.patchedDependencies
   };
 }
 
-export { check, enrich, optimize, parse, stringify };
+export { check, enrich, getBunOverridesCanonical, optimize, parse, stringify };

package/dist/formats/npm-1.d.ts

@@ -1,4 +1,4 @@
-import { D as Diagnostic, G as Graph } from '../graph-B_G4OKqF.js';
+import { D as Diagnostic, G as Graph } from '../graph-CPo-SvS2.js';
 
 interface Npm1ParseOptions {
 }

package/dist/formats/npm-1.js

@@ -737,8 +737,19 @@ function parse(raw, options = {}) {
 }
 function parseInner(protocol, spec, raw, options) {
   switch (protocol) {
-    case "npm":
-      return { type: "tarball", url: deriveRegistryUrl(options.name, spec) };
+    case "npm": {
+      const bindIdx = spec.indexOf("::");
+      const version = bindIdx >= 0 ? spec.slice(0, bindIdx) : spec;
+      const bindSuffix = bindIdx >= 0 ? spec.slice(bindIdx + 2) : void 0;
+      if (bindSuffix !== void 0) {
+        const archiveUrl = archiveUrlOfBind(bindSuffix);
+        if (archiveUrl !== void 0) {
+          return { type: "tarball", url: archiveUrl };
+        }
+        return { type: "tarball", url: deriveRegistryUrl(options.name, version), bind: bindSuffix };
+      }
+      return { type: "tarball", url: deriveRegistryUrl(options.name, version) };
+    }
     case "portal":
       return { type: "directory", path: normaliseDirectoryPath(spec) };
     case "file":
@@ -767,6 +778,20 @@ function deriveRegistryUrl(name, spec) {
 function looksLikeNpmName(s) {
   return /^(?:@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/i.test(s);
 }
+function archiveUrlOfBind(bindSuffix) {
+  for (const pair of bindSuffix.split("&")) {
+    const eq = pair.indexOf("=");
+    if (eq < 0) continue;
+    if (pair.slice(0, eq) !== "__archiveUrl") continue;
+    const enc = pair.slice(eq + 1);
+    try {
+      return decodeURIComponent(enc);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
 function registryUrlOf(name, version) {
   const tail = name.startsWith("@") ? name.split("/").slice(1).join("/") : name;
   return `https://registry.npmjs.org/${name}/-/${tail}-${version}.tgz`;
@@ -923,6 +948,9 @@ function canonicalSourceStringOf(resolution) {
       return `git\0${resolution.url}\0${resolution.sha}`;
     case "tarball": {
       const host = hostOfTarballUrl(resolution.url);
+      if (resolution.bind !== void 0) {
+        return `tarball\0${host ?? resolution.url}\0bind=${resolution.bind}`;
+      }
       return host !== void 0 && REGISTRY_HOSTS.has(host) ? void 0 : `tarball\0${host ?? resolution.url}`;
     }
     case "directory":
@@ -1057,7 +1085,6 @@ function parse2(input, _options = {}) {
           version,
           peerContext: []
         };
-        if (resolved !== void 0) node.resolution = resolved;
         if (source !== void 0) node.source = source;
         builder.addNode(node);
         const payload = {};
@@ -1066,6 +1093,7 @@ function parse2(input, _options = {}) {
           if (!isEmptyIntegrity(integrity)) payload.integrity = integrity;
         }
         if (resolved !== void 0) {
+          payload.nativeResolution = resolved;
           const canonical = parse(resolved, { sourceKind: "npm-resolved" });
           if (canonical.type === "unknown") {
             diagnostics.push({
@@ -1521,7 +1549,7 @@ function buildEntry(node, installPath, graph, sidecar, treeByParent) {
   const entry = { version: node.version };
   const nodeSide = sidecar?.nodes.get(node.id);
   const tarball = graph.tarballOf(node.id);
-  const resolutionStr = node.resolution ?? deriveResolvedFromCanonical(tarball?.resolution);
+  const resolutionStr = tarball?.nativeResolution ?? deriveResolvedFromCanonical(tarball?.resolution);
   if (resolutionStr !== void 0) {
     if (/^(git[+:]|github:)/.test(resolutionStr)) {
       entry.version = resolutionStr;

package/dist/formats/npm-2.d.ts

@@ -1,5 +1,5 @@
-import { G as Graph, D as Diagnostic } from '../graph-B_G4OKqF.js';
-import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-C6TSaidU.js';
+import { G as Graph, D as Diagnostic } from '../graph-CPo-SvS2.js';
+import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-CR16JZFS.js';
 
 interface Npm2ParseOptions extends NpmFamilyParseOptions {
 }

package/dist/formats/npm-2.js

@@ -791,8 +791,19 @@ function parse(raw, options = {}) {
 }
 function parseInner(protocol, spec, raw, options) {
   switch (protocol) {
-    case "npm":
-      return { type: "tarball", url: deriveRegistryUrl(options.name, spec) };
+    case "npm": {
+      const bindIdx = spec.indexOf("::");
+      const version = bindIdx >= 0 ? spec.slice(0, bindIdx) : spec;
+      const bindSuffix = bindIdx >= 0 ? spec.slice(bindIdx + 2) : void 0;
+      if (bindSuffix !== void 0) {
+        const archiveUrl = archiveUrlOfBind(bindSuffix);
+        if (archiveUrl !== void 0) {
+          return { type: "tarball", url: archiveUrl };
+        }
+        return { type: "tarball", url: deriveRegistryUrl(options.name, version), bind: bindSuffix };
+      }
+      return { type: "tarball", url: deriveRegistryUrl(options.name, version) };
+    }
     case "portal":
       return { type: "directory", path: normaliseDirectoryPath(spec) };
     case "file":
@@ -821,6 +832,20 @@ function deriveRegistryUrl(name, spec) {
 function looksLikeNpmName(s) {
   return /^(?:@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/i.test(s);
 }
+function archiveUrlOfBind(bindSuffix) {
+  for (const pair of bindSuffix.split("&")) {
+    const eq = pair.indexOf("=");
+    if (eq < 0) continue;
+    if (pair.slice(0, eq) !== "__archiveUrl") continue;
+    const enc = pair.slice(eq + 1);
+    try {
+      return decodeURIComponent(enc);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
 function registryUrlOf(name, version) {
   const tail = name.startsWith("@") ? name.split("/").slice(1).join("/") : name;
   return `https://registry.npmjs.org/${name}/-/${tail}-${version}.tgz`;
@@ -977,6 +1002,9 @@ function canonicalSourceStringOf(resolution) {
       return `git\0${resolution.url}\0${resolution.sha}`;
     case "tarball": {
       const host = hostOfTarballUrl(resolution.url);
+      if (resolution.bind !== void 0) {
+        return `tarball\0${host ?? resolution.url}\0bind=${resolution.bind}`;
+      }
       return host !== void 0 && REGISTRY_HOSTS.has(host) ? void 0 : `tarball\0${host ?? resolution.url}`;
     }
     case "directory":
@@ -1941,7 +1969,7 @@ function buildNodeModulesEntry(graph, node, nodeSide, config, emitDiagnostic = (
   }
   body.version = node.version;
   const tarball = graph.tarballOf(node.id);
-  const resolved = node.resolution ?? config.hooks?.recoverResolvedForNode?.(graph, node) ?? deriveResolvedFromCanonical(tarball?.resolution);
+  const resolved = tarball?.nativeResolution ?? config.hooks?.recoverResolvedForNode?.(graph, node) ?? deriveResolvedFromCanonical(tarball?.resolution);
   if (resolved !== void 0) body.resolved = resolved;
   if (tarball?.integrity !== void 0) {
     const sri = emitSri(tarball.integrity);
@@ -2233,15 +2261,16 @@ function buildLegacyNodeEntry(ctx, node, parentInstallPrefix) {
   const entry = {};
   if (node.version !== void 0) entry.version = node.version;
   const tarball = ctx.graph.tarballOf(node.id);
+  const native = tarball?.nativeResolution;
   const sourceResolved = sidecarResolvedFor(ctx, node) ?? deriveLegacyResolvedFromCanonical(tarball?.resolution);
-  if (node.resolution !== void 0) {
-    const looksLikeGit = /^git[+@]/.test(node.resolution);
+  if (native !== void 0) {
+    const looksLikeGit = /^git[+@]/.test(native);
     if (looksLikeGit) {
-      entry.version = node.resolution;
+      entry.version = native;
       const fromSpec = synthesizeFromSpec(ctx, node);
       if (fromSpec !== void 0) entry.from = fromSpec;
     } else {
-      entry.resolved = node.resolution;
+      entry.resolved = native;
     }
   } else if (sourceResolved !== void 0) {
     const looksLikeGit = /^git[+@]/.test(sourceResolved);

package/dist/formats/npm-3.d.ts

@@ -1,5 +1,5 @@
-import { G as Graph, D as Diagnostic } from '../graph-B_G4OKqF.js';
-import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-C6TSaidU.js';
+import { G as Graph, D as Diagnostic } from '../graph-CPo-SvS2.js';
+import { N as NpmFamilyEnrichOptions, a as NpmFamilyOptimizeOptions, b as NpmFamilyParseOptions, c as NpmFamilyStringifyOptions } from '../_npm-flat-types-CR16JZFS.js';
 
 interface Npm3ParseOptions extends NpmFamilyParseOptions {
 }

package/dist/formats/npm-3.js

@@ -791,8 +791,19 @@ function parse(raw, options = {}) {
 }
 function parseInner(protocol, spec, raw, options) {
   switch (protocol) {
-    case "npm":
-      return { type: "tarball", url: deriveRegistryUrl(options.name, spec) };
+    case "npm": {
+      const bindIdx = spec.indexOf("::");
+      const version = bindIdx >= 0 ? spec.slice(0, bindIdx) : spec;
+      const bindSuffix = bindIdx >= 0 ? spec.slice(bindIdx + 2) : void 0;
+      if (bindSuffix !== void 0) {
+        const archiveUrl = archiveUrlOfBind(bindSuffix);
+        if (archiveUrl !== void 0) {
+          return { type: "tarball", url: archiveUrl };
+        }
+        return { type: "tarball", url: deriveRegistryUrl(options.name, version), bind: bindSuffix };
+      }
+      return { type: "tarball", url: deriveRegistryUrl(options.name, version) };
+    }
     case "portal":
       return { type: "directory", path: normaliseDirectoryPath(spec) };
     case "file":
@@ -821,6 +832,20 @@ function deriveRegistryUrl(name, spec) {
 function looksLikeNpmName(s) {
   return /^(?:@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/i.test(s);
 }
+function archiveUrlOfBind(bindSuffix) {
+  for (const pair of bindSuffix.split("&")) {
+    const eq = pair.indexOf("=");
+    if (eq < 0) continue;
+    if (pair.slice(0, eq) !== "__archiveUrl") continue;
+    const enc = pair.slice(eq + 1);
+    try {
+      return decodeURIComponent(enc);
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
 function registryUrlOf(name, version) {
   const tail = name.startsWith("@") ? name.split("/").slice(1).join("/") : name;
   return `https://registry.npmjs.org/${name}/-/${tail}-${version}.tgz`;
@@ -977,6 +1002,9 @@ function canonicalSourceStringOf(resolution) {
       return `git\0${resolution.url}\0${resolution.sha}`;
     case "tarball": {
       const host = hostOfTarballUrl(resolution.url);
+      if (resolution.bind !== void 0) {
+        return `tarball\0${host ?? resolution.url}\0bind=${resolution.bind}`;
+      }
       return host !== void 0 && REGISTRY_HOSTS.has(host) ? void 0 : `tarball\0${host ?? resolution.url}`;
     }
     case "directory":
@@ -1941,7 +1969,7 @@ function buildNodeModulesEntry(graph, node, nodeSide, config, emitDiagnostic = (
   }
   body.version = node.version;
   const tarball = graph.tarballOf(node.id);
-  const resolved = node.resolution ?? config.hooks?.recoverResolvedForNode?.(graph, node) ?? deriveResolvedFromCanonical(tarball?.resolution);
+  const resolved = tarball?.nativeResolution ?? config.hooks?.recoverResolvedForNode?.(graph, node) ?? deriveResolvedFromCanonical(tarball?.resolution);
   if (resolved !== void 0) body.resolved = resolved;
   if (tarball?.integrity !== void 0) {
     const sri = emitSri(tarball.integrity);

package/dist/formats/pnpm-v5.d.ts

@@ -1,4 +1,4 @@
-import { D as Diagnostic, G as Graph } from '../graph-B_G4OKqF.js';
+import { D as Diagnostic, G as Graph } from '../graph-CPo-SvS2.js';
 
 interface PnpmV5ParseOptions {
 }