@visulima/package 5.0.0-alpha.6 → 5.0.0-alpha.8

package/CHANGELOG.md

@@ -1,3 +1,51 @@
+## @visulima/package [5.0.0-alpha.8](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.7...@visulima/package@5.0.0-alpha.8) (2026-04-21)
+
+### Features
+
+* Add CycloneDX 1.6 SBOM generation with `vis sbom` command ([#611](https://github.com/visulima/visulima/issues/611)) ([1e95276](https://github.com/visulima/visulima/commit/1e9527630958722a0f0f7e79d18bb23b5a57e0df))
+* **package:** add lockfile utilities ([12f9076](https://github.com/visulima/visulima/commit/12f9076ba1570bec2f2d43b58fcd31701634434e))
+
+### Bug Fixes
+
+* **package:** hoist regexes, rewrite lockfile parser, resolve eslint issues ([585ed7f](https://github.com/visulima/visulima/commit/585ed7f16b3f42996bb030a8bae5f1f37a50c316))
+
+### Miscellaneous Chores
+
+* **api-platform:** apply pending lint and source updates ([3fb0043](https://github.com/visulima/visulima/commit/3fb0043a4cf35f752ca89a09a077100ae0142da8))
+* bump engines.node to ^22.14.0 || >=24.10.0 ([c3d0931](https://github.com/visulima/visulima/commit/c3d0931d1504e4f21ebf50ea680cfa7ce4ba15ce))
+* fixed jsr.json ([5d85e51](https://github.com/visulima/visulima/commit/5d85e5179de38e284ec433b14d77c71a1619c8d6))
+* **package:** apply formatter and lint fixes ([a0f4acf](https://github.com/visulima/visulima/commit/a0f4acfb15beb256edd3b62958b4e3db039757a9))
+* **package:** apply pending changes ([919b214](https://github.com/visulima/visulima/commit/919b214f9659a5b4ff95ec8b35a70c10af3c4853))
+* **package:** apply pending lint and source updates ([2fd1c04](https://github.com/visulima/visulima/commit/2fd1c044d9528500943368c01f9b24fd2280058c))
+* **package:** enforce curly braces and apply lint fixes ([0df50ba](https://github.com/visulima/visulima/commit/0df50ba4f45bac67dabeb78ebfc3d555ba5aec56))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.9
+
+## @visulima/package [5.0.0-alpha.7](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.6...@visulima/package@5.0.0-alpha.7) (2026-04-08)
+
+### Bug Fixes
+
+* **package:** properly fix eslint errors in code ([56b1547](https://github.com/visulima/visulima/commit/56b15474d6edd8f33fb46cca81fa34d600df2023))
+* **package:** remove remaining eslint suppressions with proper code fixes ([69efa7a](https://github.com/visulima/visulima/commit/69efa7a9c67977c491a1ec8eaded733478ed29a1))
+* **package:** resolve eslint errors ([1ec4728](https://github.com/visulima/visulima/commit/1ec47286cfcec55ea50c51d51f198b119dd22e71))
+* resolve failing tests across multiple packages ([2b4b6f0](https://github.com/visulima/visulima/commit/2b4b6f04169b60fdc4cf77b293015436a272c0fb))
+
+### Miscellaneous Chores
+
+* **package:** add tsconfig.eslint.json for type-aware linting ([0355fea](https://github.com/visulima/visulima/commit/0355fea301fb7a8571da25bebd108830bc23ed04))
+* **package:** apply prettier formatting ([ebb5bd1](https://github.com/visulima/visulima/commit/ebb5bd12c6b7d49811c68ea96bf62ce7e2a7d42d))
+* **package:** migrate .prettierrc.cjs to prettier.config.js ([2b84ef0](https://github.com/visulima/visulima/commit/2b84ef0db67467e1360b2f1e6f9b6e96bf3dbbb0))
+* **tooling:** remove empty dependency objects from package.json ([dc52a23](https://github.com/visulima/visulima/commit/dc52a23bc1e2d36f4ec71ca67506bf6861a02929))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.7
+* **@visulima/path:** upgraded to 3.0.0-alpha.8
+
 ## @visulima/package [5.0.0-alpha.6](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.5...@visulima/package@5.0.0-alpha.6) (2026-03-26)
 
 ### Features

package/dist/error.js

@@ -1 +1 @@
-export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-CJmAqa_k.js';
+export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-C0ltLzw7.js';

package/dist/index.d.ts

@@ -1,4 +1,6 @@
 export { default as PackageNotFoundError } from "./error/package-not-found-error.d.ts";
+export type { LockFileEntry, LockFileIntegrity, LockFileIntegrityAlgorithm, LockFileParseResult, LockFileType } from "./lockfile.d.ts";
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile, } from "./lockfile.d.ts";
 export type { RootMonorepo, Strategy } from "./monorepo.d.ts";
 export { findMonorepoRoot, findMonorepoRootSync } from "./monorepo.d.ts";
 export { findPackageRoot, findPackageRootSync } from "./package.d.ts";

package/dist/index.js

@@ -1,4 +1,5 @@
-export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-CJmAqa_k.js';
+export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-C0ltLzw7.js';
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile } from './lockfile.js';
 export { findMonorepoRoot, findMonorepoRootSync } from './monorepo.js';
 export { findPackageRoot, findPackageRootSync } from './package.js';
 export { ensurePackages, findPackageJson, findPackageJsonSync, getPackageJsonProperty, hasPackageJsonAnyDependency, hasPackageJsonProperty, parsePackageJson, parsePackageJsonSync, writePackageJson, writePackageJsonSync } from './package-json.js';

package/dist/lockfile.d.ts

@@ -0,0 +1,113 @@
+/** Lockfiles the parser recognises. Legacy binary `bun.lockb` is unsupported. */
+export type LockFileType = "bun" | "npm" | "pnpm" | "yarn";
+/** SRI algorithms the parser can decode into hex. */
+export type LockFileIntegrityAlgorithm = "sha256" | "sha384" | "sha512";
+/** Decoded integrity digest: algorithm + lowercase hex string. */
+export interface LockFileIntegrity {
+    algorithm: LockFileIntegrityAlgorithm;
+    hex: string;
+}
+/** A single resolved package extracted from a lockfile. */
+export interface LockFileEntry {
+    /**
+     * Declared runtime dependencies — `name → specifier[]` map. Values
+     * are arrays so pnpm v9+ peer-context variants (the same dep name
+     * resolved to different versions under different peer contexts)
+     * can all be preserved. npm, yarn v1, bun, and pnpm v6-v8 always
+     * produce single-element arrays; pnpm v9+ may produce multi-element
+     * arrays for peer-context-sensitive deps.
+     *
+     * Specifiers are whatever the lockfile recorded — a range
+     * (`^1.0.0`) for npm / yarn / bun, or an already-resolved exact
+     * version for pnpm. Callers resolve each specifier against
+     * {@link LockFileEntry.version} values elsewhere in the lockfile
+     * when they need a concrete edge.
+     */
+    dependencies?: Record<string, string[]>;
+    /** Decoded SRI digest, if the lockfile recorded one. */
+    integrity?: LockFileIntegrity;
+    /** Package name — `lodash` or `@scope/name`. */
+    name: string;
+    /** Declared optional dependencies, same shape as `dependencies`. */
+    optionalDependencies?: Record<string, string[]>;
+    /** Declared peer dependencies, same shape as `dependencies`. */
+    peerDependencies?: Record<string, string[]>;
+    /** Resolved exact version — e.g. `4.17.21`. */
+    version: string;
+}
+/** Result of locating + parsing a lockfile on disk. */
+export interface LockFileParseResult {
+    entries: LockFileEntry[];
+    /** Absolute path of the lockfile that was parsed. */
+    path: string;
+    type: LockFileType;
+}
+/**
+ * Decodes a Subresource Integrity string (`sha512-&lt;base64>`) into a
+ * `{ algorithm, hex }` pair. Returns `undefined` if the string is
+ * malformed, oversized, or uses an unsupported algorithm.
+ * @param sri Full SRI string, e.g. `sha512-&lt;base64>`.
+ * @returns Decoded algorithm + hex digest, or `undefined` when the
+ * input can't be parsed.
+ */
+export declare const decodeSriIntegrity: (sri: string) => LockFileIntegrity | undefined;
+/**
+ * Parses `package-lock.json` (npm v2 / v3 format).
+ * @param content Raw JSON text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseNpmLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `pnpm-lock.yaml`. Regex-based; works for lockfile v6 through
+ * v9. v9 moves concrete resolved dependency versions out of `packages:`
+ * and into `snapshots:`; this parser reads both sections and unions
+ * their dep-maps onto the final entry.
+ * @param content Raw YAML text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parsePnpmLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `yarn.lock` for Yarn Classic (v1) and Berry (v2+). Berry's
+ * XXH64 `checksum:` is not a cryptographic hash and is intentionally
+ * dropped; only v1's SRI `integrity:` flows through to
+ * {@link LockFileEntry.integrity}.
+ * @param content Raw text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseYarnLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `bun.lock` (Bun v1.1+, JSON-ish with trailing commas). The
+ * binary `bun.lockb` format is not supported.
+ *
+ * Attribution: format + tuple layout verified against lockparse
+ * (https://github.com/43081j/lockparse, MIT).
+ * @param content Raw text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseBunLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses raw lockfile content of the given type. Returns an empty
+ * array if the content is malformed or doesn't contain any package
+ * entries.
+ * @param content Raw text of the lockfile.
+ * @param type Which parser to dispatch to.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseLockFileContent: (content: string, type: LockFileType) => LockFileEntry[];
+/**
+ * Walks up from `cwd`, locates the nearest supported lockfile, reads
+ * it, and returns the parsed entries alongside the lockfile type and
+ * absolute path.
+ * @param cwd Directory to start the search from. Defaults to
+ * `process.cwd()` (delegated to `findUp`).
+ * @returns The parsed result, keyed by the discovered lockfile path.
+ * @throws If no supported lockfile can be found above `cwd`.
+ */
+export declare const parseLockFile: (cwd?: URL | string) => Promise<LockFileParseResult>;
+/**
+ * Synchronous counterpart to {@link parseLockFile}.
+ * @param cwd Directory to start the search from.
+ * @returns The parsed result, keyed by the discovered lockfile path.
+ * @throws If no supported lockfile can be found above `cwd`.
+ */
+export declare const parseLockFileSync: (cwd?: URL | string) => LockFileParseResult;

package/dist/lockfile.js

@@ -0,0 +1,425 @@
+import { createRequire as __cjs_createRequire } from "node:module";
+
+const __cjs_require = __cjs_createRequire(import.meta.url);
+
+const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
+
+const __cjs_getBuiltinModule = (module) => {
+    // Check if we're in Node.js and version supports getBuiltinModule
+    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
+        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
+        // Node.js 20.16.0+ and 22.3.0+
+        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
+            return __cjs_getProcess.getBuiltinModule(module);
+        }
+    }
+    // Fallback to createRequire
+    return __cjs_require(module);
+};
+
+const {
+  readFileSync
+} = __cjs_getBuiltinModule("node:fs");
+const {
+  readFile
+} = __cjs_getBuiltinModule("node:fs/promises");
+import { findUp, findUpSync } from '@visulima/fs';
+
+const INTEGRITY_ALGORITHMS = {
+  sha256: "sha256",
+  sha384: "sha384",
+  sha512: "sha512"
+};
+const MAX_SRI_LENGTH = 1024;
+const BASE64_PAYLOAD = /^[A-Z0-9+/]+={0,2}$/i;
+const NPM_NODE_MODULES_PATH = /.*node_modules\/((?:@[^/]+\/)?[^/]+)$/;
+const QUOTE_PREFIX = /^['"]/;
+const QUOTE_SUFFIX = /['"]$/;
+const PNPM_SECTION_HEADER = /^[a-z][a-zA-Z0-9]*:\s*$/m;
+const PNPM_INTEGRITY = /resolution:\s*\{[^}]*integrity:\s*([^,}\s]+)/;
+const YARN_BLOCK = (
+  // eslint-disable-next-line sonarjs/slow-regex, sonarjs/regex-complexity, regexp/no-super-linear-backtracking
+  /^["']?((?:@[^/@"']+\/)?[^@"'\n]+)@[^"'\n]+["']?:?[\t\v\f\r \u00A0\u1680\u2000-\u200A\u2028\u2029\u202F\u205F\u3000\uFEFF]*\n((?:[\t ][^\n]*\n?)+)/gm
+);
+const YARN_VERSION = /^\s+version:?\s+"?([^"\n]+)"?/m;
+const YARN_INTEGRITY = /^\s+integrity[\s:]+"?([^"\s]+)"?/m;
+const decodeSriIntegrity = (sri) => {
+  if (sri.length > MAX_SRI_LENGTH) {
+    return void 0;
+  }
+  const dashIndex = sri.indexOf("-");
+  if (dashIndex <= 0) {
+    return void 0;
+  }
+  const algorithm = INTEGRITY_ALGORITHMS[sri.slice(0, dashIndex).toLowerCase()];
+  if (!algorithm) {
+    return void 0;
+  }
+  const payload = sri.slice(dashIndex + 1);
+  if (!BASE64_PAYLOAD.test(payload)) {
+    return void 0;
+  }
+  try {
+    const buffer = Buffer.from(payload, "base64");
+    if (buffer.length === 0) {
+      return void 0;
+    }
+    return { algorithm, hex: buffer.toString("hex") };
+  } catch {
+    return void 0;
+  }
+};
+const pushUniqueEntry = (result, seen, entry) => {
+  const key = `${entry.name}@${entry.version}`;
+  if (seen.has(key)) {
+    return;
+  }
+  seen.add(key);
+  result.push(entry);
+};
+const copyDepMap = (target, field, source) => {
+  if (source && Object.keys(source).length > 0) {
+    target[field] = { ...source };
+  }
+};
+const liftDepMap = (source) => {
+  if (!source) {
+    return void 0;
+  }
+  const result = {};
+  for (const [name, value] of Object.entries(source)) {
+    result[name] = [value];
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+};
+const parseNpmLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return result;
+  }
+  if (!parsed.packages) {
+    return result;
+  }
+  for (const [path, entry] of Object.entries(parsed.packages)) {
+    if (!path || !entry.version) {
+      continue;
+    }
+    const match = NPM_NODE_MODULES_PATH.exec(path);
+    if (!match?.[1]) {
+      continue;
+    }
+    const name = entry.name ?? match[1];
+    if (name.startsWith(".")) {
+      continue;
+    }
+    const lockEntry = { name, version: entry.version };
+    if (entry.integrity) {
+      const integrity = decodeSriIntegrity(entry.integrity);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    copyDepMap(lockEntry, "dependencies", liftDepMap(entry.dependencies));
+    copyDepMap(lockEntry, "peerDependencies", liftDepMap(entry.peerDependencies));
+    copyDepMap(lockEntry, "optionalDependencies", liftDepMap(entry.optionalDependencies));
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const splitPnpmPackageKey = (raw) => {
+  let key = raw.trim();
+  if (key.startsWith("/")) {
+    key = key.slice(1);
+  }
+  key = key.replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+  const parenIndex = key.indexOf("(");
+  if (parenIndex > 0) {
+    key = key.slice(0, parenIndex);
+  }
+  const atIndex = key.lastIndexOf("@");
+  if (atIndex <= 0) {
+    return void 0;
+  }
+  const name = key.slice(0, atIndex);
+  const version = key.slice(atIndex + 1);
+  if (!name || !version || version.startsWith("link:") || version.startsWith("workspace:") || version.startsWith("file:")) {
+    return void 0;
+  }
+  return { name, version };
+};
+const sliceTopLevelSection = (content, section) => {
+  const header = new RegExp(String.raw`^${section}:\s*$`, "m");
+  const start = header.exec(content);
+  if (!start) {
+    return void 0;
+  }
+  const after = start.index + start[0].length;
+  const next = PNPM_SECTION_HEADER.exec(content.slice(after));
+  return content.slice(after, next ? after + next.index : content.length);
+};
+const parsePnpmSnapshotEdges = (content) => {
+  const result = /* @__PURE__ */ new Map();
+  const body = sliceTopLevelSection(content, "snapshots");
+  if (!body) {
+    return result;
+  }
+  const entryRegex = /^ {2}(['"]?[^\s:][^:\n]*?['"]?):\s*\n((?: {4}[^\n]*\n?)+)/gm;
+  let match;
+  while ((match = entryRegex.exec(body) ?? void 0) !== void 0) {
+    const keyValue = splitPnpmPackageKey(match[1]);
+    if (!keyValue) {
+      continue;
+    }
+    const baseKey = `${keyValue.name}@${keyValue.version}`;
+    const entryBody = match[2];
+    const existing = result.get(baseKey) ?? {};
+    for (const field of ["dependencies", "peerDependencies", "optionalDependencies"]) {
+      const scraped = extractPnpmDependencyMap(entryBody, field);
+      if (!scraped) {
+        continue;
+      }
+      const merged = existing[field] ?? {};
+      for (const [depName, depVersions] of Object.entries(scraped)) {
+        const bucket = merged[depName] ?? [];
+        for (const depVersion of depVersions) {
+          if (!bucket.includes(depVersion)) {
+            bucket.push(depVersion);
+          }
+        }
+        merged[depName] = bucket;
+      }
+      existing[field] = merged;
+    }
+    result.set(baseKey, existing);
+  }
+  return result;
+};
+const parsePnpmLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  const packagesBody = sliceTopLevelSection(content, "packages");
+  if (!packagesBody) {
+    return result;
+  }
+  const snapshotEdges = parsePnpmSnapshotEdges(content);
+  const entryRegex = /^ {2}(['"]?[^\s:][^:\n]*?['"]?):\s*\n((?: {4}[^\n]*\n?)+)/gm;
+  let match;
+  while ((match = entryRegex.exec(packagesBody) ?? void 0) !== void 0) {
+    const keyValue = splitPnpmPackageKey(match[1]);
+    if (!keyValue) {
+      continue;
+    }
+    const body = match[2];
+    const integrityMatch = PNPM_INTEGRITY.exec(body);
+    const lockEntry = { name: keyValue.name, version: keyValue.version };
+    if (integrityMatch?.[1]) {
+      const integrity = decodeSriIntegrity(integrityMatch[1]);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    const snapshot = snapshotEdges.get(`${keyValue.name}@${keyValue.version}`);
+    copyDepMap(lockEntry, "dependencies", snapshot?.dependencies ?? extractPnpmDependencyMap(body, "dependencies"));
+    copyDepMap(lockEntry, "peerDependencies", snapshot?.peerDependencies ?? extractPnpmDependencyMap(body, "peerDependencies"));
+    copyDepMap(lockEntry, "optionalDependencies", snapshot?.optionalDependencies ?? extractPnpmDependencyMap(body, "optionalDependencies"));
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const extractPnpmDependencyMap = (body, section) => {
+  const sectionRegex = new RegExp(String.raw`^ {4}${section}:\s*\n((?: {6,}[^\n]*\n?)+)`, "m");
+  const sectionMatch = sectionRegex.exec(body);
+  if (!sectionMatch?.[1]) {
+    return void 0;
+  }
+  const map = {};
+  const entryRegex = /^ {6}([^\s:]+):\s*([^\n]+)/gm;
+  let match;
+  while ((match = entryRegex.exec(sectionMatch[1]) ?? void 0) !== void 0) {
+    const name = match[1].replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    let version = match[2].trim();
+    version = version.replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    const parenIndex = version.indexOf("(");
+    if (parenIndex > 0) {
+      version = version.slice(0, parenIndex).trim();
+    }
+    if (!name || !version) {
+      continue;
+    }
+    const bucket = map[name] ?? [];
+    if (!bucket.includes(version)) {
+      bucket.push(version);
+    }
+    map[name] = bucket;
+  }
+  return Object.keys(map).length > 0 ? map : void 0;
+};
+const parseYarnLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  const entryRegex = YARN_BLOCK;
+  entryRegex.lastIndex = 0;
+  let match;
+  while ((match = entryRegex.exec(content) ?? void 0) !== void 0) {
+    const name = match[1].replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    if (!name) {
+      continue;
+    }
+    const body = match[2];
+    const versionMatch = YARN_VERSION.exec(body);
+    if (!versionMatch?.[1]) {
+      continue;
+    }
+    const lockEntry = { name, version: versionMatch[1].trim() };
+    const integrityMatch = YARN_INTEGRITY.exec(body);
+    if (integrityMatch?.[1]) {
+      const integrity = decodeSriIntegrity(integrityMatch[1]);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    copyDepMap(lockEntry, "dependencies", extractYarnDependencyMap(body, "dependencies"));
+    copyDepMap(lockEntry, "peerDependencies", extractYarnDependencyMap(body, "peerDependencies"));
+    copyDepMap(lockEntry, "optionalDependencies", extractYarnDependencyMap(body, "optionalDependencies"));
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const extractYarnDependencyMap = (body, section) => {
+  const sectionRegex = new RegExp(String.raw`^ {2}${section}:\s*\n((?: {4,}[^\n]*\n?)+)`, "m");
+  const sectionMatch = sectionRegex.exec(body);
+  if (!sectionMatch?.[1]) {
+    return void 0;
+  }
+  const map = {};
+  const entryRegex = /^ {4}(['"]?[^\s:'"]+['"]?)\s*(?::\s*)?['"]([^'"\n]+)['"]/gm;
+  let match;
+  while ((match = entryRegex.exec(sectionMatch[1]) ?? void 0) !== void 0) {
+    const name = match[1].replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    const version = match[2];
+    if (name && version) {
+      const bucket = map[name] ?? [];
+      if (!bucket.includes(version)) {
+        bucket.push(version);
+      }
+      map[name] = bucket;
+    }
+  }
+  return Object.keys(map).length > 0 ? map : void 0;
+};
+const TRAILING_COMMA_REGEX = /,(?=\s*[}\]])/g;
+const parseBunLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  let parsed;
+  try {
+    parsed = JSON.parse(content.replaceAll(TRAILING_COMMA_REGEX, ""));
+  } catch {
+    return result;
+  }
+  if (!parsed.packages) {
+    return result;
+  }
+  for (const tuple of Object.values(parsed.packages)) {
+    const versionKey = tuple[0];
+    if (typeof versionKey !== "string") {
+      continue;
+    }
+    const atIndex = versionKey.indexOf("@", 1);
+    if (atIndex <= 0) {
+      continue;
+    }
+    const name = versionKey.slice(0, atIndex);
+    const version = versionKey.slice(atIndex + 1);
+    if (!name || !version || version.startsWith("workspace:") || version.startsWith("link:") || version.startsWith("file:")) {
+      continue;
+    }
+    const lockEntry = { name, version };
+    const rawIntegrity = tuple[3];
+    if (typeof rawIntegrity === "string" && rawIntegrity.length > 0) {
+      const integrity = decodeSriIntegrity(rawIntegrity);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    const metadata = tuple[2];
+    if (metadata && typeof metadata === "object" && !Array.isArray(metadata)) {
+      const meta = metadata;
+      copyDepMap(lockEntry, "dependencies", liftDepMap(meta.dependencies));
+      copyDepMap(lockEntry, "peerDependencies", liftDepMap(meta.peerDependencies));
+      copyDepMap(lockEntry, "optionalDependencies", liftDepMap(meta.optionalDependencies));
+    }
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const inferLockFileType = (path) => {
+  if (path.endsWith("pnpm-lock.yaml")) {
+    return "pnpm";
+  }
+  if (path.endsWith("package-lock.json")) {
+    return "npm";
+  }
+  if (path.endsWith("yarn.lock")) {
+    return "yarn";
+  }
+  if (path.endsWith("bun.lock")) {
+    return "bun";
+  }
+  return void 0;
+};
+const parseLockFileContent = (content, type) => {
+  switch (type) {
+    case "bun": {
+      return parseBunLockFile(content);
+    }
+    case "npm": {
+      return parseNpmLockFile(content);
+    }
+    case "pnpm": {
+      return parsePnpmLockFile(content);
+    }
+    case "yarn": {
+      return parseYarnLockFile(content);
+    }
+    default: {
+      return [];
+    }
+  }
+};
+const LOCKFILE_CANDIDATES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lock"];
+const parseLockFile = async (cwd) => {
+  const path = await findUp(LOCKFILE_CANDIDATES, {
+    type: "file",
+    ...cwd && { cwd }
+  });
+  if (!path) {
+    throw new Error("Could not find a supported lock file (pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock)");
+  }
+  const type = inferLockFileType(path);
+  if (!type) {
+    throw new Error(`Unsupported lock file: ${path}`);
+  }
+  const content = await readFile(path, "utf8");
+  return { entries: parseLockFileContent(content, type), path, type };
+};
+const parseLockFileSync = (cwd) => {
+  const path = findUpSync(LOCKFILE_CANDIDATES, {
+    type: "file",
+    ...cwd && { cwd }
+  });
+  if (!path) {
+    throw new Error("Could not find a supported lock file (pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock)");
+  }
+  const type = inferLockFileType(path);
+  if (!type) {
+    throw new Error(`Unsupported lock file: ${path}`);
+  }
+  return { entries: parseLockFileContent(readFileSync(path, "utf8"), type), path, type };
+};
+
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile };

package/dist/monorepo.js

@@ -33,11 +33,14 @@ const findMonorepoRoot = async (cwd) => {
   });
   if (workspaceFilePath?.endsWith("lerna.json")) {
     const lerna = await readJson(workspaceFilePath);
-    if (lerna.useWorkspaces || lerna.packages) {
-      return {
-        path: dirname(workspaceFilePath),
-        strategy: "lerna"
-      };
+    if (lerna && typeof lerna === "object" && !Array.isArray(lerna)) {
+      const l = lerna;
+      if (l.useWorkspaces || l.packages) {
+        return {
+          path: dirname(workspaceFilePath),
+          strategy: "lerna"
+        };
+      }
     }
   }
   const isTurbo = workspaceFilePath?.endsWith("turbo.json");

package/dist/package-json.d.ts

@@ -39,10 +39,10 @@ export declare const findPackageJsonSync: (cwd?: URL | string, options?: ReadOpt
  * `cwd` represents the current working directory. If not specified, the default working directory will be used.
  * @returns A `Promise` that resolves once the package.json file has been written. The type of the returned promise is `Promise<void>`.
  */
-export declare const writePackageJson: <T = PackageJson>(data: T, options?: WriteJsonOptions & {
+export declare const writePackageJson: (data: PackageJson, options?: WriteJsonOptions & {
     cwd?: URL | string;
 }) => Promise<void>;
-export declare const writePackageJsonSync: <T = PackageJson>(data: T, options?: WriteJsonOptions & {
+export declare const writePackageJsonSync: (data: PackageJson, options?: WriteJsonOptions & {
     cwd?: URL | string;
 }) => void;
 /**

package/dist/package-json.js

@@ -301,6 +301,7 @@ ${styleText(["gray"], "→")} ${formatAnswer(defaultValue)}`);
 
 const isNode = typeof process.stdout < "u" && !process.versions.deno && !globalThis.window;
 
+const LAST_SEPARATOR_REGEX = /, ([^,]*)$/;
 const PackageJsonParseCache = /* @__PURE__ */ new Map();
 const PackageJsonFileCache = /* @__PURE__ */ new Map();
 class PackageJsonValidationError extends Error {
@@ -383,14 +384,14 @@ const findPackageJson = async (cwd, options = {}) => {
     searchPatterns.push("package.json5");
   }
   let filePath;
-  for await (const pattern of searchPatterns) {
+  for (const pattern of searchPatterns) {
     filePath = await findUp(pattern, findUpConfig);
     if (filePath) {
       break;
     }
   }
   if (!filePath) {
-    throw new NotFoundError(`No such file or directory, for ${searchPatterns.join(", ").replace(/, ([^,]*)$/, " or $1")} found.`);
+    throw new NotFoundError(`No such file or directory, for ${searchPatterns.join(", ").replace(LAST_SEPARATOR_REGEX, " or $1")} found.`);
   }
   const cache = options.cache && typeof options.cache !== "boolean" ? options.cache : PackageJsonFileCache;
   if (options.cache && cache.has(filePath)) {
@@ -435,7 +436,7 @@ const findPackageJsonSync = (cwd, options = {}) => {
     }
   }
   if (!filePath) {
-    throw new NotFoundError(`No such file or directory, for ${searchPatterns.join(", ").replace(/, ([^,]*)$/, " or $1")} found.`);
+    throw new NotFoundError(`No such file or directory, for ${searchPatterns.join(", ").replace(LAST_SEPARATOR_REGEX, " or $1")} found.`);
   }
   const cache = options.cache && typeof options.cache !== "boolean" ? options.cache : PackageJsonFileCache;
   if (options.cache && cache.has(filePath)) {
@@ -469,7 +470,7 @@ const writePackageJsonSync = (data, options = {}) => {
   writeJsonSync(join(directory, "package.json"), data, writeOptions);
 };
 const parsePackageJsonSync = (packageFile, options) => {
-  const isObject = packageFile !== null && typeof packageFile === "object" && !Array.isArray(packageFile);
+  const isObject = typeof packageFile === "object" && !Array.isArray(packageFile);
   const isString = typeof packageFile === "string";
   if (!isObject && !isString) {
     throw new TypeError("`packageFile` should be either an `object` or a `string`.");
@@ -502,14 +503,14 @@ const parsePackageJsonSync = (packageFile, options) => {
   }
   normalizeInput(json, options?.strict ?? false, options?.ignoreWarnings);
   const result = json;
-  if (isFile && filePath && options?.cache) {
-    const cache = options.cache && typeof options.cache !== "boolean" ? options.cache : PackageJsonParseCache;
+  if (isFile && options?.cache) {
+    const cache = typeof options.cache === "boolean" ? PackageJsonParseCache : options.cache;
     cache.set(filePath, result);
   }
   return result;
 };
 const parsePackageJson = async (packageFile, options) => {
-  const isObject = packageFile !== null && typeof packageFile === "object" && !Array.isArray(packageFile);
+  const isObject = typeof packageFile === "object" && !Array.isArray(packageFile);
   const isString = typeof packageFile === "string";
   if (!isObject && !isString) {
     throw new TypeError("`packageFile` should be either an `object` or a `string`.");
@@ -542,8 +543,8 @@ const parsePackageJson = async (packageFile, options) => {
   }
   normalizeInput(json, options?.strict ?? false, options?.ignoreWarnings);
   const result = json;
-  if (isFile && filePath && options?.cache) {
-    const cache = options.cache && typeof options.cache !== "boolean" ? options.cache : PackageJsonParseCache;
+  if (isFile && options?.cache) {
+    const cache = typeof options.cache === "boolean" ? PackageJsonParseCache : options.cache;
     cache.set(filePath, result);
   }
   return result;
@@ -582,7 +583,7 @@ const ensurePackages = async (packageJson, packages, installKey = "dependencies"
   if (nonExistingPackages.length === 0) {
     return;
   }
-  if (process.env.CI || isNode && !process.stdout?.isTTY) {
+  if (process.env.CI || isNode && !process.stdout.isTTY) {
     const message = `Skipping package installation for [${packages.join(", ")}] because the process is not interactive.`;
     if (options.throwOnWarn) {
       throw new Error(message);

package/dist/package-manager.d.ts

@@ -45,14 +45,13 @@ export declare const getPackageManagerVersion: (name: string) => string;
  * An asynchronous function that detects what package manager executes the process.
  *
  * Supports npm, pnpm, Yarn, cnpm, and bun. And also any other package manager that sets the npm_config_user_agent env variable.
- * @returns A `Promise` that resolves to an object containing the name and version of the package manager,
- * or undefined if the package manager information cannot be determined. The return type of the function
- * is `Promise<{ name: PackageManager | "cnpm"; version: string } | undefined>`.
+ * @returns An object containing the name and version of the package manager,
+ * or undefined if the package manager information cannot be determined.
  */
-export declare const identifyInitiatingPackageManager: () => Promise<{
+export declare const identifyInitiatingPackageManager: () => {
     name: PackageManager | "cnpm";
     version: string;
-} | undefined>;
+} | undefined;
 /**
  * Function that generates a message to install missing packages.
  * @param packageName The name of the package that requires the missing packages.

package/dist/package-manager.js

@@ -27,7 +27,7 @@ const {
 import { findUp, findUpSync } from '@visulima/fs';
 import { NotFoundError } from '@visulima/fs/error';
 import { join, dirname } from '@visulima/path';
-import { parsePackageJsonSync, parsePackageJson } from './package-json.js';
+import { parsePackageJsonSync } from './package-json.js';
 
 const lockFileNames = ["yarn.lock", "package-lock.json", "pnpm-lock.yaml", "npm-shrinkwrap.json", "bun.lockb"];
 const packageMangerFindUpMatcher = (directory) => {
@@ -49,50 +49,7 @@ const packageMangerFindUpMatcher = (directory) => {
   }
   return void 0;
 };
-const findPackageManagerOnFile = async (foundFile) => {
-  if (!foundFile) {
-    throw new NotFoundError("Could not find a package manager");
-  }
-  if (foundFile.endsWith("package.json")) {
-    const packageJson = await parsePackageJson(foundFile);
-    if (packageJson.packageManager) {
-      const packageManagerNames = ["npm", "yarn", "pnpm", "bun"];
-      const foundPackageManager = packageManagerNames.find((prefix) => packageJson.packageManager.startsWith(prefix));
-      if (foundPackageManager) {
-        return {
-          packageManager: foundPackageManager,
-          path: dirname(foundFile)
-        };
-      }
-    }
-  }
-  if (foundFile.endsWith("yarn.lock")) {
-    return {
-      packageManager: "yarn",
-      path: dirname(foundFile)
-    };
-  }
-  if (foundFile.endsWith("package-lock.json") || foundFile.endsWith("npm-shrinkwrap.json")) {
-    return {
-      packageManager: "npm",
-      path: dirname(foundFile)
-    };
-  }
-  if (foundFile.endsWith("pnpm-lock.yaml")) {
-    return {
-      packageManager: "pnpm",
-      path: dirname(foundFile)
-    };
-  }
-  if (foundFile.endsWith("bun.lockb")) {
-    return {
-      packageManager: "bun",
-      path: dirname(foundFile)
-    };
-  }
-  throw new NotFoundError("Could not find a package manager");
-};
-const findPackageManagerOnFileSync = (foundFile) => {
+const resolvePackageManagerFromFile = (foundFile) => {
   if (!foundFile) {
     throw new NotFoundError("Could not find a package manager");
   }
@@ -159,16 +116,16 @@ const findPackageManager = async (cwd) => {
   const foundFile = await findUp(packageMangerFindUpMatcher, {
     ...cwd && { cwd }
   });
-  return findPackageManagerOnFile(foundFile);
+  return resolvePackageManagerFromFile(foundFile);
 };
 const findPackageManagerSync = (cwd) => {
   const foundFile = findUpSync(packageMangerFindUpMatcher, {
     ...cwd && { cwd }
   });
-  return findPackageManagerOnFileSync(foundFile);
+  return resolvePackageManagerFromFile(foundFile);
 };
 const getPackageManagerVersion = (name) => execSync(`${name} --version`).toString("utf8").trim();
-const identifyInitiatingPackageManager = async () => {
+const identifyInitiatingPackageManager = () => {
   if (!process.env.npm_config_user_agent) {
     return void 0;
   }
@@ -182,9 +139,7 @@ const identifyInitiatingPackageManager = async () => {
 };
 const generateMissingPackagesInstallMessage = (packageName, missingPackages, options) => {
   const s = missingPackages.length === 1 ? "" : "s";
-  if (options.packageManagers === void 0) {
-    options.packageManagers = ["npm", "pnpm", "yarn"];
-  }
+  options.packageManagers ??= ["npm", "pnpm", "yarn"];
   if (options.packageManagers.length === 0) {
     throw new Error("No package managers provided, please provide at least one package manager");
   }

package/dist/packem_shared/{PackageNotFoundError-CJmAqa_k.js → PackageNotFoundError-C0ltLzw7.js}

@@ -20,9 +20,7 @@ class PackageNotFoundError extends Error {
       } catch {
       }
     }
-    if (packageManager === void 0) {
-      packageManager = "npm";
-    }
+    packageManager ??= "npm";
     super(`Package '${packageName.join(" ")}' was not found. Please install it using '${packageManager} install ${packageName.join(" ")}'`);
   }
   // eslint-disable-next-line class-methods-use-this

package/dist/types.d.ts

@@ -5,7 +5,7 @@ import type { Package as normalizePackage } from "normalize-package-data";
 import type { PackageJson as typeFestPackageJson } from "type-fest";
 export type NormalizedPackageJson = normalizePackage & PackageJson;
 export type PackageJson = typeFestPackageJson;
-export type Cache<T = any> = Map<string, T>;
+export type Cache<T = unknown> = Map<string, T>;
 export type EnsurePackagesOptions = {
     /** Configuration for user confirmation prompts when installing packages */
     confirm?: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@visulima/package",
-  "version": "5.0.0-alpha.6",
+  "version": "5.0.0-alpha.8",
   "description": "A comprehensive package management utility that helps you find root directories, monorepos, package managers, and parse package.json, package.yaml, and package.json5 files with advanced features like catalog resolution.",
   "keywords": [
     "anolilab",
@@ -79,6 +79,10 @@
       "types": "./dist/package-manager.d.ts",
       "default": "./dist/package-manager.js"
     },
+    "./lockfile": {
+      "types": "./dist/lockfile.d.ts",
+      "default": "./dist/lockfile.js"
+    },
     "./pnpm": {
       "types": "./dist/pnpm.d.ts",
       "default": "./dist/pnpm.js"
@@ -97,17 +101,15 @@
   ],
   "dependencies": {
     "@antfu/install-pkg": "^1.1.0",
-    "@visulima/fs": "5.0.0-alpha.6",
-    "@visulima/path": "3.0.0-alpha.7",
+    "@visulima/fs": "5.0.0-alpha.9",
+    "@visulima/path": "3.0.0-alpha.9",
     "json5": "^2.2.3",
     "normalize-package-data": "^8.0.0",
-    "type-fest": "5.5.0",
+    "type-fest": "5.6.0",
     "yaml": "2.8.3"
   },
-  "peerDependencies": {},
-  "optionalDependencies": {},
   "engines": {
-    "node": ">=22.13 <=25.x"
+    "node": "^22.14.0 || >=24.10.0"
   },
   "os": [
     "darwin",