@lockfile-affected/core 0.1.3 → 0.2.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 split
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,9 +1,6 @@
 # @lockfile-affected/core
 
-Pure diff engine and affected-package resolver for `lockfile-affected`.
-
-This package contains all domain logic with no I/O. It is format-agnostic —
-lockfile parsers live in separate adapter packages.
+Diff engine, affected-package resolver, and programmatic API for `lockfile-affected`.
 
 ## Installation
 
@@ -11,48 +8,79 @@ lockfile parsers live in separate adapter packages.
 npm install @lockfile-affected/core
 ```
 
-## API
+## Programmatic API
 
-### `diffLockfileSnapshots(before, after)`
+### `findAffectedPackages(options)` - high-level entry point
 
-Compares two lockfile snapshots and returns what changed.
+Parses two lockfile snapshots, diffs them, loads workspace manifests from disk,
+and returns the names of affected packages. This is the primary API for
+programmatic use.
 
 ```ts
-import { diffLockfileSnapshots } from '@lockfile-affected/core';
+import { findAffectedPackages } from '@lockfile-affected/core';
+import { pnpmLockfileParser } from '@lockfile-affected/lockfile-pnpm';
+
+const affected = await findAffectedPackages({
+  beforeContent: fs.readFileSync('pnpm-lock.yaml.old', 'utf-8'),
+  afterContent: fs.readFileSync('pnpm-lock.yaml', 'utf-8'),
+  parser: pnpmLockfileParser,
+  workspaceRoot: process.cwd(),
+  // filter: { dependencies: true, devDependencies: true } - optional
+});
+// ReadonlySet<string> of affected package names
+```
 
-const diff = diffLockfileSnapshots(snapshotBefore, snapshotAfter);
-// diff.added   — Map<name, newVersion>
-// diff.removed — Map<name, oldVersion>
-// diff.changed — Map<name, { from, to }>
+### `detectLockfile(dir, parsers)`
+
+Finds the first known lockfile in `dir` by checking each parser's `lockfileNames`.
+
+```ts
+import { detectLockfile } from '@lockfile-affected/core';
+import { pnpmLockfileParser, npmLockfileParser, yarnLockfileParser } from '...';
+
+const { format, path } = await detectLockfile(process.cwd(), [
+  pnpmLockfileParser,
+  npmLockfileParser,
+  yarnLockfileParser,
+]);
 ```
 
-### `resolveAffectedPackages(diff, workspaceGraph, filter?)`
+### `loadWorkspaceManifests(dir)`
 
-Returns the names of workspace packages that depend on any package in the diff.
+Recursively walks `dir` and returns all valid `package.json` manifests,
+skipping `node_modules` and malformed files.
 
 ```ts
-import { resolveAffectedPackages, ALL_DEPENDENCY_TYPES } from '@lockfile-affected/core';
+import { loadWorkspaceManifests } from '@lockfile-affected/core';
 
-const affected = resolveAffectedPackages(diff, workspaceGraph, ALL_DEPENDENCY_TYPES);
-// Set<string> of affected package names
+const manifests = await loadWorkspaceManifests(process.cwd());
 ```
 
-The optional `filter` is a `DependencyFilter` controlling which dependency types
-are considered. Omitting a field (or setting it to `false`) excludes that type.
-When omitted entirely, all types are included.
+## Low-level API
+
+These primitives are useful for building custom pipelines.
+
+### `diffLockfileSnapshots(before, after)`
 
 ```ts
-type DependencyFilter = {
-  dependencies?: boolean;
-  devDependencies?: boolean;
-  peerDependencies?: boolean;
-  optionalDependencies?: boolean;
-};
+import { diffLockfileSnapshots } from '@lockfile-affected/core';
+
+const diff = diffLockfileSnapshots(snapshotBefore, snapshotAfter);
+// diff.added   - Map<name, newVersion>
+// diff.removed - Map<name, oldVersion>
+// diff.changed - Map<name, { from, to }>
 ```
 
-### `buildWorkspaceGraph(manifests)`
+### `resolveAffectedPackages(diff, workspaceGraph, filter?)`
+
+```ts
+import { resolveAffectedPackages, ALL_DEPENDENCY_TYPES } from '@lockfile-affected/core';
 
-Builds a workspace graph from an array of parsed `package.json` objects.
+const affected = resolveAffectedPackages(diff, workspaceGraph, ALL_DEPENDENCY_TYPES);
+// ReadonlySet<string> of affected package names
+```
+
+### `buildWorkspaceGraph(manifests)`
 
 ```ts
 import { buildWorkspaceGraph } from '@lockfile-affected/core';
@@ -64,12 +92,11 @@ const graph = buildWorkspaceGraph(manifests);
 ## Types
 
 ```ts
-type LockfileSnapshot = ReadonlyMap<string, string>;
-
-type LockfileDiff = {
-  added: ReadonlyMap<string, string>;
-  removed: ReadonlyMap<string, string>;
-  changed: ReadonlyMap<string, { from: string; to: string }>;
+type DependencyFilter = {
+  dependencies?: boolean;
+  devDependencies?: boolean;
+  peerDependencies?: boolean;
+  optionalDependencies?: boolean;
 };
 
 type LockfileParser = {
@@ -77,11 +104,15 @@ type LockfileParser = {
   lockfileNames: readonly string[];
   parse: (content: string) => Promise<LockfileSnapshot>;
 };
-```
 
-## Related packages
+type LockfileSnapshot = ReadonlyMap<string, string>;
+
+type LockfileDiff = {
+  added: ReadonlyMap<string, string>;
+  removed: ReadonlyMap<string, string>;
+  changed: ReadonlyMap<string, { from: string; to: string }>;
+};
+```
 
-- [`lockfile-affected`](https://www.npmjs.com/package/lockfile-affected) — CLI
-- [`@lockfile-affected/lockfile-pnpm`](https://www.npmjs.com/package/@lockfile-affected/lockfile-pnpm) — pnpm adapter
-- [`@lockfile-affected/lockfile-npm`](https://www.npmjs.com/package/@lockfile-affected/lockfile-npm) — npm adapter
-- [`@lockfile-affected/lockfile-yarn`](https://www.npmjs.com/package/@lockfile-affected/lockfile-yarn) — yarn adapter
+For Git-based and CI usage patterns, see the CLI guide:
+`https://github.com/split/lockfile-affected/tree/main/packages/cli#readme`.

package/dist/affected/find-affected-packages.d.ts

@@ -0,0 +1,19 @@
+import { type DependencyFilter, type LockfileParser } from '../types/lockfile.js';
+export type FindAffectedOptions = {
+    /** Raw content of the "before" lockfile snapshot */
+    readonly beforeContent: string;
+    /** Raw content of the "after" lockfile snapshot */
+    readonly afterContent: string;
+    /** Parser for the lockfile format */
+    readonly parser: LockfileParser;
+    /** Root directory to search for workspace package.json files */
+    readonly workspaceRoot: string;
+    /** Which dependency types to consider. When omitted, all types are included. */
+    readonly filter?: DependencyFilter;
+};
+/**
+ * High-level entry point: parses two lockfile snapshots, diffs them,
+ * and returns the names of workspace packages affected by the changes.
+ */
+export declare function findAffectedPackages(options: FindAffectedOptions): Promise<ReadonlySet<string>>;
+//# sourceMappingURL=find-affected-packages.d.ts.map

package/dist/affected/find-affected-packages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-affected-packages.d.ts","sourceRoot":"","sources":["../../src/affected/find-affected-packages.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACpB,MAAM,sBAAsB,CAAC;AAM9B,MAAM,MAAM,mBAAmB,GAAG;IAChC,oDAAoD;IACpD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,mDAAmD;IACnD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,qCAAqC;IACrC,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,gFAAgF;IAChF,QAAQ,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC;CACpC,CAAC;AAEF;;;GAGG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAU9B"}

package/dist/affected/find-affected-packages.js

@@ -0,0 +1,20 @@
+import { ALL_DEPENDENCY_TYPES, } from '../types/lockfile.js';
+import { diffLockfileSnapshots } from '../diff/diff-lockfile-snapshots.js';
+import { resolveAffectedPackages } from './resolve-affected-packages.js';
+import { buildWorkspaceGraph } from '../workspace/build-workspace-graph.js';
+import { loadWorkspaceManifests } from '../workspace/load-workspace-manifests.js';
+/**
+ * High-level entry point: parses two lockfile snapshots, diffs them,
+ * and returns the names of workspace packages affected by the changes.
+ */
+export async function findAffectedPackages(options) {
+    const [snapshotBefore, snapshotAfter, manifests] = await Promise.all([
+        options.parser.parse(options.beforeContent),
+        options.parser.parse(options.afterContent),
+        loadWorkspaceManifests(options.workspaceRoot),
+    ]);
+    const diff = diffLockfileSnapshots(snapshotBefore, snapshotAfter);
+    const workspaceGraph = buildWorkspaceGraph(manifests);
+    return resolveAffectedPackages(diff, workspaceGraph, options.filter ?? ALL_DEPENDENCY_TYPES);
+}
+//# sourceMappingURL=find-affected-packages.js.map

package/dist/affected/find-affected-packages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-affected-packages.js","sourceRoot":"","sources":["../../src/affected/find-affected-packages.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oBAAoB,GAGrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,uCAAuC,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0CAA0C,CAAC;AAelF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAA4B;IAE5B,MAAM,CAAC,cAAc,EAAE,aAAa,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACnE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;QAC1C,sBAAsB,CAAC,OAAO,CAAC,aAAa,CAAC;KAC9C,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,qBAAqB,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACtD,OAAO,uBAAuB,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,CAAC,MAAM,IAAI,oBAAoB,CAAC,CAAC;AAC/F,CAAC"}

package/dist/index.d.ts

@@ -2,6 +2,11 @@ export type { DependencyFilter, DependencyGroups, LockfileDiff, LockfileParser,
 export { ALL_DEPENDENCY_TYPES } from './types/lockfile.js';
 export { diffLockfileSnapshots } from './diff/diff-lockfile-snapshots.js';
 export { resolveAffectedPackages } from './affected/resolve-affected-packages.js';
+export { findAffectedPackages } from './affected/find-affected-packages.js';
+export type { FindAffectedOptions } from './affected/find-affected-packages.js';
 export { buildWorkspaceGraph } from './workspace/build-workspace-graph.js';
 export type { PackageManifest } from './workspace/build-workspace-graph.js';
+export { loadWorkspaceManifests } from './workspace/load-workspace-manifests.js';
+export { detectLockfile } from './lockfile/detect-lockfile.js';
+export type { DetectedLockfile } from './lockfile/detect-lockfile.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,cAAc,EACd,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,cAAc,EACd,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAClF,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,YAAY,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,YAAY,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,sBAAsB,EAAE,MAAM,yCAAyC,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,YAAY,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/index.js

@@ -1,5 +1,8 @@
 export { ALL_DEPENDENCY_TYPES } from './types/lockfile.js';
 export { diffLockfileSnapshots } from './diff/diff-lockfile-snapshots.js';
 export { resolveAffectedPackages } from './affected/resolve-affected-packages.js';
+export { findAffectedPackages } from './affected/find-affected-packages.js';
 export { buildWorkspaceGraph } from './workspace/build-workspace-graph.js';
+export { loadWorkspaceManifests } from './workspace/load-workspace-manifests.js';
+export { detectLockfile } from './lockfile/detect-lockfile.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAClF,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAClF,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAE5E,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAE3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,yCAAyC,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/lockfile/detect-lockfile.d.ts

@@ -0,0 +1,14 @@
+import type { LockfileParser } from '../types/lockfile.js';
+export type DetectedLockfile = {
+    readonly path: string;
+    readonly format: string;
+};
+/**
+ * Finds the first known lockfile in `dir` by checking each parser's `lockfileNames`.
+ * Returns the absolute path and the format name from the matching parser.
+ * Throws if no lockfile is found.
+ *
+ * Supports: pnpm, npm, yarn, and bun lockfile formats.
+ */
+export declare function detectLockfile(dir: string, parsers: readonly LockfileParser[]): Promise<DetectedLockfile>;
+//# sourceMappingURL=detect-lockfile.d.ts.map

package/dist/lockfile/detect-lockfile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect-lockfile.d.ts","sourceRoot":"","sources":["../../src/lockfile/detect-lockfile.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,SAAS,cAAc,EAAE,GACjC,OAAO,CAAC,gBAAgB,CAAC,CAe3B"}

package/dist/lockfile/detect-lockfile.js

@@ -0,0 +1,26 @@
+import { access } from 'node:fs/promises';
+import { join } from 'node:path';
+/**
+ * Finds the first known lockfile in `dir` by checking each parser's `lockfileNames`.
+ * Returns the absolute path and the format name from the matching parser.
+ * Throws if no lockfile is found.
+ *
+ * Supports: pnpm, npm, yarn, and bun lockfile formats.
+ */
+export async function detectLockfile(dir, parsers) {
+    for (const parser of parsers) {
+        for (const filename of parser.lockfileNames) {
+            const fullPath = join(dir, filename);
+            try {
+                await access(fullPath);
+                return { path: fullPath, format: parser.format };
+            }
+            catch {
+                // not found, try next
+            }
+        }
+    }
+    const allNames = parsers.flatMap((p) => p.lockfileNames);
+    throw new Error(`No lockfile found in ${dir}. Expected one of: ${allNames.join(', ')}`);
+}
+//# sourceMappingURL=detect-lockfile.js.map

package/dist/lockfile/detect-lockfile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect-lockfile.js","sourceRoot":"","sources":["../../src/lockfile/detect-lockfile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQjC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,OAAkC;IAElC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACvB,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;YACnD,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IACzD,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,sBAAsB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC1F,CAAC"}

package/dist/workspace/load-workspace-manifests.d.ts

@@ -0,0 +1,7 @@
+import type { PackageManifest } from './build-workspace-graph.js';
+/**
+ * Recursively walks `dir` and returns all valid package.json manifests found,
+ * skipping `node_modules` directories and malformed files.
+ */
+export declare function loadWorkspaceManifests(dir: string): Promise<PackageManifest[]>;
+//# sourceMappingURL=load-workspace-manifests.d.ts.map

package/dist/workspace/load-workspace-manifests.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load-workspace-manifests.d.ts","sourceRoot":"","sources":["../../src/workspace/load-workspace-manifests.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAElE;;;GAGG;AACH,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAIpF"}

package/dist/workspace/load-workspace-manifests.js

@@ -0,0 +1,49 @@
+import { readdir, readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+/**
+ * Recursively walks `dir` and returns all valid package.json manifests found,
+ * skipping `node_modules` directories and malformed files.
+ */
+export async function loadWorkspaceManifests(dir) {
+    const manifests = [];
+    await collectManifests(dir, manifests);
+    return manifests;
+}
+async function collectManifests(dir, manifests) {
+    let entries;
+    try {
+        entries = await readdir(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        if (entry.name === 'node_modules')
+            continue;
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            await collectManifests(fullPath, manifests);
+        }
+        else if (entry.isFile() && entry.name === 'package.json') {
+            try {
+                const content = await readFile(fullPath, 'utf-8');
+                const parsed = JSON.parse(content);
+                if (isPackageManifest(parsed)) {
+                    manifests.push(parsed);
+                }
+            }
+            catch {
+                // skip malformed package.json files
+            }
+        }
+    }
+}
+function isPackageManifest(value) {
+    if (typeof value !== 'object' || value === null)
+        return false;
+    const obj = value;
+    if ('name' in obj && typeof obj['name'] !== 'string')
+        return false;
+    return true;
+}
+//# sourceMappingURL=load-workspace-manifests.js.map

package/dist/workspace/load-workspace-manifests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"load-workspace-manifests.js","sourceRoot":"","sources":["../../src/workspace/load-workspace-manifests.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,GAAW;IACtD,MAAM,SAAS,GAAsB,EAAE,CAAC;IACxC,MAAM,gBAAgB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACvC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,GAAW,EAAE,SAA4B;IACvE,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc;YAAE,SAAS;QAE5C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YAC3D,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC5C,IAAI,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC9B,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC9D,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,IAAI,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,7 +1,12 @@
 {
   "name": "@lockfile-affected/core",
-  "version": "0.1.3",
+  "version": "0.2.2",
   "description": "Core diff engine and affected package resolver",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/split/lockfile-affected"
+  },
   "type": "module",
   "engines": {
     "node": ">=18"
@@ -11,7 +16,8 @@
     "README.md"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -24,6 +30,7 @@
   "devDependencies": {
     "vitest": "*",
     "@vitest/coverage-v8": "*",
+    "@types/node": "*",
     "typescript": "*"
   },
   "scripts": {