@visulima/package 5.0.0-alpha.1 → 5.0.0-alpha.10

package/CHANGELOG.md

@@ -1,3 +1,165 @@
+## @visulima/package [5.0.0-alpha.10](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.9...@visulima/package@5.0.0-alpha.10) (2026-04-21)
+
+### Miscellaneous Chores
+
+* jsr.json update and lock file ([73fce38](https://github.com/visulima/visulima/commit/73fce38c7cb4603f3fffb88609b1b18e2feb4937))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.11
+
+## @visulima/package [5.0.0-alpha.9](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.8...@visulima/package@5.0.0-alpha.9) (2026-04-21)
+
+### Miscellaneous Chores
+
+* update the jsr.json ([864ab7e](https://github.com/visulima/visulima/commit/864ab7e71c4b5ae82f64792d1ae8debfea2c539b))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.10
+
+## @visulima/package [5.0.0-alpha.8](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.7...@visulima/package@5.0.0-alpha.8) (2026-04-21)
+
+### Features
+
+* Add CycloneDX 1.6 SBOM generation with `vis sbom` command ([#611](https://github.com/visulima/visulima/issues/611)) ([1e95276](https://github.com/visulima/visulima/commit/1e9527630958722a0f0f7e79d18bb23b5a57e0df))
+* **package:** add lockfile utilities ([12f9076](https://github.com/visulima/visulima/commit/12f9076ba1570bec2f2d43b58fcd31701634434e))
+
+### Bug Fixes
+
+* **package:** hoist regexes, rewrite lockfile parser, resolve eslint issues ([585ed7f](https://github.com/visulima/visulima/commit/585ed7f16b3f42996bb030a8bae5f1f37a50c316))
+
+### Miscellaneous Chores
+
+* **api-platform:** apply pending lint and source updates ([3fb0043](https://github.com/visulima/visulima/commit/3fb0043a4cf35f752ca89a09a077100ae0142da8))
+* bump engines.node to ^22.14.0 || >=24.10.0 ([c3d0931](https://github.com/visulima/visulima/commit/c3d0931d1504e4f21ebf50ea680cfa7ce4ba15ce))
+* fixed jsr.json ([5d85e51](https://github.com/visulima/visulima/commit/5d85e5179de38e284ec433b14d77c71a1619c8d6))
+* **package:** apply formatter and lint fixes ([a0f4acf](https://github.com/visulima/visulima/commit/a0f4acfb15beb256edd3b62958b4e3db039757a9))
+* **package:** apply pending changes ([919b214](https://github.com/visulima/visulima/commit/919b214f9659a5b4ff95ec8b35a70c10af3c4853))
+* **package:** apply pending lint and source updates ([2fd1c04](https://github.com/visulima/visulima/commit/2fd1c044d9528500943368c01f9b24fd2280058c))
+* **package:** enforce curly braces and apply lint fixes ([0df50ba](https://github.com/visulima/visulima/commit/0df50ba4f45bac67dabeb78ebfc3d555ba5aec56))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.9
+
+## @visulima/package [5.0.0-alpha.7](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.6...@visulima/package@5.0.0-alpha.7) (2026-04-08)
+
+### Bug Fixes
+
+* **package:** properly fix eslint errors in code ([56b1547](https://github.com/visulima/visulima/commit/56b15474d6edd8f33fb46cca81fa34d600df2023))
+* **package:** remove remaining eslint suppressions with proper code fixes ([69efa7a](https://github.com/visulima/visulima/commit/69efa7a9c67977c491a1ec8eaded733478ed29a1))
+* **package:** resolve eslint errors ([1ec4728](https://github.com/visulima/visulima/commit/1ec47286cfcec55ea50c51d51f198b119dd22e71))
+* resolve failing tests across multiple packages ([2b4b6f0](https://github.com/visulima/visulima/commit/2b4b6f04169b60fdc4cf77b293015436a272c0fb))
+
+### Miscellaneous Chores
+
+* **package:** add tsconfig.eslint.json for type-aware linting ([0355fea](https://github.com/visulima/visulima/commit/0355fea301fb7a8571da25bebd108830bc23ed04))
+* **package:** apply prettier formatting ([ebb5bd1](https://github.com/visulima/visulima/commit/ebb5bd12c6b7d49811c68ea96bf62ce7e2a7d42d))
+* **package:** migrate .prettierrc.cjs to prettier.config.js ([2b84ef0](https://github.com/visulima/visulima/commit/2b84ef0db67467e1360b2f1e6f9b6e96bf3dbbb0))
+* **tooling:** remove empty dependency objects from package.json ([dc52a23](https://github.com/visulima/visulima/commit/dc52a23bc1e2d36f4ec71ca67506bf6861a02929))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.7
+* **@visulima/path:** upgraded to 3.0.0-alpha.8
+
+## @visulima/package [5.0.0-alpha.6](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.5...@visulima/package@5.0.0-alpha.6) (2026-03-26)
+
+### Features
+
+* **web:** auto-generate packages page from workspace metadata ([623e520](https://github.com/visulima/visulima/commit/623e5207693a7fe720f5f2f179593a3654c880e3))
+
+### Miscellaneous Chores
+
+* update homepage URLs to visulima.com/packages/ format ([be42968](https://github.com/visulima/visulima/commit/be42968129df85fb074224435e33135ff44cab91))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.6
+* **@visulima/path:** upgraded to 3.0.0-alpha.7
+
+## @visulima/package [5.0.0-alpha.5](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.4...@visulima/package@5.0.0-alpha.5) (2026-03-26)
+
+### Bug Fixes
+
+* **package:** use workspace:* for internal [@visulima](https://github.com/visulima) deps ([e409128](https://github.com/visulima/visulima/commit/e409128c02a6d801dd385ae845c1ab28ca5c09da))
+* **web:** improve build setup with incremental stats caching and prod install ([fe33e75](https://github.com/visulima/visulima/commit/fe33e75827586779b4b3a0c6d57b39f889ee6207))
+
+### Miscellaneous Chores
+
+* **package:** migrate deps to pnpm catalogs ([301fac4](https://github.com/visulima/visulima/commit/301fac41be88df7469155649467921a72ca740a6))
+* **package:** update dependencies ([fb1a43d](https://github.com/visulima/visulima/commit/fb1a43de0fd345806d76aec660d48c627d576083))
+* visulima website ([#591](https://github.com/visulima/visulima/issues/591)) ([59ab2e2](https://github.com/visulima/visulima/commit/59ab2e2befb03e51cd2088956f83d9b87de6d033))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.5
+* **@visulima/path:** upgraded to 3.0.0-alpha.6
+
+## @visulima/package [5.0.0-alpha.4](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.3...@visulima/package@5.0.0-alpha.4) (2026-03-06)
+
+### Bug Fixes
+
+* **package:** update packem to 2.0.0-alpha.54 ([e5b3249](https://github.com/visulima/visulima/commit/e5b3249026a425b7a42443f66a08f8f68c3d62e4))
+* **package:** use intentionally malformed JSON in bad workspace fixture ([a6680e7](https://github.com/visulima/visulima/commit/a6680e7a97aeae643c26b69bc5eb6c64c28de278))
+
+### Documentation
+
+* **humanizer,html,iso-locale,package,tsconfig:** add comprehensive Fumadocs documentation ([19781ce](https://github.com/visulima/visulima/commit/19781ce5d27605971a9f2fdf0a99863effd98091))
+
+### Miscellaneous Chores
+
+* **package:** update dependencies ([d89cde6](https://github.com/visulima/visulima/commit/d89cde6792e9036d0690cfaf9b771e26b24faac8))
+* **package:** update dependencies ([4b62cf8](https://github.com/visulima/visulima/commit/4b62cf85e6ef4deac4ef01c8a7e15bcf49ecbe80))
+* **tooling:** update dependencies ([7f6f9d3](https://github.com/visulima/visulima/commit/7f6f9d3c41b170c53659ab34b79ceb23e4e9660a))
+* update lock file maintenance ([d83e716](https://github.com/visulima/visulima/commit/d83e71697b75d24704185b66bb521a934d2db02d))
+* year update ([47f4105](https://github.com/visulima/visulima/commit/47f410596ce7190cfea36a073db32e0cec50bbcd))
+
+### Tests
+
+* **package:** fix broken JSON test fixture ([46141d6](https://github.com/visulima/visulima/commit/46141d6472d8de20512109200a12e79c48ddc33c))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.4
+* **@visulima/path:** upgraded to 3.0.0-alpha.5
+
+## @visulima/package [5.0.0-alpha.3](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.2...@visulima/package@5.0.0-alpha.3) (2025-12-27)
+
+### Bug Fixes
+
+* **package:** update package files ([586668e](https://github.com/visulima/visulima/commit/586668ee3a790163aca11ddc8f35b7bdfd740ac6))
+
+### Miscellaneous Chores
+
+* fixed project.json names and schema path ([964722f](https://github.com/visulima/visulima/commit/964722f691db205c7edb9aa6db29e849a647500b))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.3
+* **@visulima/path:** upgraded to 3.0.0-alpha.4
+
+## @visulima/package [5.0.0-alpha.2](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.1...@visulima/package@5.0.0-alpha.2) (2025-12-11)
+
+### Bug Fixes
+
+* update package OG images across multiple packages ([f08e4dd](https://github.com/visulima/visulima/commit/f08e4dd2b105ccb29c8412020a9c2be36d6c1e9e))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.2
+* **@visulima/path:** upgraded to 3.0.0-alpha.3
+
 ## @visulima/package [5.0.0-alpha.1](https://github.com/visulima/visulima/compare/@visulima/package@4.1.7...@visulima/package@5.0.0-alpha.1) (2025-12-07)
 
 ### ⚠ BREAKING CHANGES

package/LICENSE.md

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 visulima
+Copyright (c) 2026 visulima
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/dist/error.js

@@ -1 +1 @@
-import{default as a}from"./packem_shared/PackageNotFoundError-BictYTIA.js";export{a as PackageNotFoundError};
+export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-C0ltLzw7.js';

package/dist/index.d.ts

@@ -1,4 +1,6 @@
 export { default as PackageNotFoundError } from "./error/package-not-found-error.d.ts";
+export type { LockFileEntry, LockFileIntegrity, LockFileIntegrityAlgorithm, LockFileParseResult, LockFileType } from "./lockfile.d.ts";
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile, } from "./lockfile.d.ts";
 export type { RootMonorepo, Strategy } from "./monorepo.d.ts";
 export { findMonorepoRoot, findMonorepoRootSync } from "./monorepo.d.ts";
 export { findPackageRoot, findPackageRootSync } from "./package.d.ts";

package/dist/index.js

@@ -1 +1,7 @@
-import{default as n}from"./packem_shared/PackageNotFoundError-BictYTIA.js";import{findMonorepoRoot as r,findMonorepoRootSync as c}from"./monorepo.js";import{findPackageRoot as s,findPackageRootSync as t}from"./package.js";import{ensurePackages as P,findPackageJson as k,findPackageJsonSync as f,getPackageJsonProperty as d,hasPackageJsonAnyDependency as p,hasPackageJsonProperty as l,parsePackageJson as y,parsePackageJsonSync as J,writePackageJson as m,writePackageJsonSync as M}from"./package-json.js";import{findLockFile as R,findLockFileSync as x,findPackageManager as C,findPackageManagerSync as u,generateMissingPackagesInstallMessage as v,getPackageManagerVersion as F,identifyInitiatingPackageManager as I}from"./package-manager.js";import{isPackageInWorkspace as w,readPnpmCatalogs as D,readPnpmCatalogsSync as L,resolveCatalogReference as A,resolveCatalogReferences as E,resolveDependenciesCatalogReferences as N}from"./pnpm.js";export{n as PackageNotFoundError,P as ensurePackages,R as findLockFile,x as findLockFileSync,r as findMonorepoRoot,c as findMonorepoRootSync,k as findPackageJson,f as findPackageJsonSync,C as findPackageManager,u as findPackageManagerSync,s as findPackageRoot,t as findPackageRootSync,v as generateMissingPackagesInstallMessage,d as getPackageJsonProperty,F as getPackageManagerVersion,p as hasPackageJsonAnyDependency,l as hasPackageJsonProperty,I as identifyInitiatingPackageManager,w as isPackageInWorkspace,y as parsePackageJson,J as parsePackageJsonSync,D as readPnpmCatalogs,L as readPnpmCatalogsSync,A as resolveCatalogReference,E as resolveCatalogReferences,N as resolveDependenciesCatalogReferences,m as writePackageJson,M as writePackageJsonSync};
+export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-C0ltLzw7.js';
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile } from './lockfile.js';
+export { findMonorepoRoot, findMonorepoRootSync } from './monorepo.js';
+export { findPackageRoot, findPackageRootSync } from './package.js';
+export { ensurePackages, findPackageJson, findPackageJsonSync, getPackageJsonProperty, hasPackageJsonAnyDependency, hasPackageJsonProperty, parsePackageJson, parsePackageJsonSync, writePackageJson, writePackageJsonSync } from './package-json.js';
+export { findLockFile, findLockFileSync, findPackageManager, findPackageManagerSync, generateMissingPackagesInstallMessage, getPackageManagerVersion, identifyInitiatingPackageManager } from './package-manager.js';
+export { isPackageInWorkspace, readPnpmCatalogs, readPnpmCatalogsSync, resolveCatalogReference, resolveCatalogReferences, resolveDependenciesCatalogReferences } from './pnpm.js';

package/dist/lockfile.d.ts

@@ -0,0 +1,113 @@
+/** Lockfiles the parser recognises. Legacy binary `bun.lockb` is unsupported. */
+export type LockFileType = "bun" | "npm" | "pnpm" | "yarn";
+/** SRI algorithms the parser can decode into hex. */
+export type LockFileIntegrityAlgorithm = "sha256" | "sha384" | "sha512";
+/** Decoded integrity digest: algorithm + lowercase hex string. */
+export interface LockFileIntegrity {
+    algorithm: LockFileIntegrityAlgorithm;
+    hex: string;
+}
+/** A single resolved package extracted from a lockfile. */
+export interface LockFileEntry {
+    /**
+     * Declared runtime dependencies — `name → specifier[]` map. Values
+     * are arrays so pnpm v9+ peer-context variants (the same dep name
+     * resolved to different versions under different peer contexts)
+     * can all be preserved. npm, yarn v1, bun, and pnpm v6-v8 always
+     * produce single-element arrays; pnpm v9+ may produce multi-element
+     * arrays for peer-context-sensitive deps.
+     *
+     * Specifiers are whatever the lockfile recorded — a range
+     * (`^1.0.0`) for npm / yarn / bun, or an already-resolved exact
+     * version for pnpm. Callers resolve each specifier against
+     * {@link LockFileEntry.version} values elsewhere in the lockfile
+     * when they need a concrete edge.
+     */
+    dependencies?: Record<string, string[]>;
+    /** Decoded SRI digest, if the lockfile recorded one. */
+    integrity?: LockFileIntegrity;
+    /** Package name — `lodash` or `@scope/name`. */
+    name: string;
+    /** Declared optional dependencies, same shape as `dependencies`. */
+    optionalDependencies?: Record<string, string[]>;
+    /** Declared peer dependencies, same shape as `dependencies`. */
+    peerDependencies?: Record<string, string[]>;
+    /** Resolved exact version — e.g. `4.17.21`. */
+    version: string;
+}
+/** Result of locating + parsing a lockfile on disk. */
+export interface LockFileParseResult {
+    entries: LockFileEntry[];
+    /** Absolute path of the lockfile that was parsed. */
+    path: string;
+    type: LockFileType;
+}
+/**
+ * Decodes a Subresource Integrity string (`sha512-&lt;base64>`) into a
+ * `{ algorithm, hex }` pair. Returns `undefined` if the string is
+ * malformed, oversized, or uses an unsupported algorithm.
+ * @param sri Full SRI string, e.g. `sha512-&lt;base64>`.
+ * @returns Decoded algorithm + hex digest, or `undefined` when the
+ * input can't be parsed.
+ */
+export declare const decodeSriIntegrity: (sri: string) => LockFileIntegrity | undefined;
+/**
+ * Parses `package-lock.json` (npm v2 / v3 format).
+ * @param content Raw JSON text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseNpmLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `pnpm-lock.yaml`. Regex-based; works for lockfile v6 through
+ * v9. v9 moves concrete resolved dependency versions out of `packages:`
+ * and into `snapshots:`; this parser reads both sections and unions
+ * their dep-maps onto the final entry.
+ * @param content Raw YAML text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parsePnpmLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `yarn.lock` for Yarn Classic (v1) and Berry (v2+). Berry's
+ * XXH64 `checksum:` is not a cryptographic hash and is intentionally
+ * dropped; only v1's SRI `integrity:` flows through to
+ * {@link LockFileEntry.integrity}.
+ * @param content Raw text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseYarnLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `bun.lock` (Bun v1.1+, JSON-ish with trailing commas). The
+ * binary `bun.lockb` format is not supported.
+ *
+ * Attribution: format + tuple layout verified against lockparse
+ * (https://github.com/43081j/lockparse, MIT).
+ * @param content Raw text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseBunLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses raw lockfile content of the given type. Returns an empty
+ * array if the content is malformed or doesn't contain any package
+ * entries.
+ * @param content Raw text of the lockfile.
+ * @param type Which parser to dispatch to.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseLockFileContent: (content: string, type: LockFileType) => LockFileEntry[];
+/**
+ * Walks up from `cwd`, locates the nearest supported lockfile, reads
+ * it, and returns the parsed entries alongside the lockfile type and
+ * absolute path.
+ * @param cwd Directory to start the search from. Defaults to
+ * `process.cwd()` (delegated to `findUp`).
+ * @returns The parsed result, keyed by the discovered lockfile path.
+ * @throws If no supported lockfile can be found above `cwd`.
+ */
+export declare const parseLockFile: (cwd?: URL | string) => Promise<LockFileParseResult>;
+/**
+ * Synchronous counterpart to {@link parseLockFile}.
+ * @param cwd Directory to start the search from.
+ * @returns The parsed result, keyed by the discovered lockfile path.
+ * @throws If no supported lockfile can be found above `cwd`.
+ */
+export declare const parseLockFileSync: (cwd?: URL | string) => LockFileParseResult;