@visulima/package 5.0.0-alpha.7 → 5.0.0-alpha.8

package/CHANGELOG.md

@@ -1,3 +1,29 @@
+## @visulima/package [5.0.0-alpha.8](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.7...@visulima/package@5.0.0-alpha.8) (2026-04-21)
+
+### Features
+
+* Add CycloneDX 1.6 SBOM generation with `vis sbom` command ([#611](https://github.com/visulima/visulima/issues/611)) ([1e95276](https://github.com/visulima/visulima/commit/1e9527630958722a0f0f7e79d18bb23b5a57e0df))
+* **package:** add lockfile utilities ([12f9076](https://github.com/visulima/visulima/commit/12f9076ba1570bec2f2d43b58fcd31701634434e))
+
+### Bug Fixes
+
+* **package:** hoist regexes, rewrite lockfile parser, resolve eslint issues ([585ed7f](https://github.com/visulima/visulima/commit/585ed7f16b3f42996bb030a8bae5f1f37a50c316))
+
+### Miscellaneous Chores
+
+* **api-platform:** apply pending lint and source updates ([3fb0043](https://github.com/visulima/visulima/commit/3fb0043a4cf35f752ca89a09a077100ae0142da8))
+* bump engines.node to ^22.14.0 || >=24.10.0 ([c3d0931](https://github.com/visulima/visulima/commit/c3d0931d1504e4f21ebf50ea680cfa7ce4ba15ce))
+* fixed jsr.json ([5d85e51](https://github.com/visulima/visulima/commit/5d85e5179de38e284ec433b14d77c71a1619c8d6))
+* **package:** apply formatter and lint fixes ([a0f4acf](https://github.com/visulima/visulima/commit/a0f4acfb15beb256edd3b62958b4e3db039757a9))
+* **package:** apply pending changes ([919b214](https://github.com/visulima/visulima/commit/919b214f9659a5b4ff95ec8b35a70c10af3c4853))
+* **package:** apply pending lint and source updates ([2fd1c04](https://github.com/visulima/visulima/commit/2fd1c044d9528500943368c01f9b24fd2280058c))
+* **package:** enforce curly braces and apply lint fixes ([0df50ba](https://github.com/visulima/visulima/commit/0df50ba4f45bac67dabeb78ebfc3d555ba5aec56))
+
+
+### Dependencies
+
+* **@visulima/fs:** upgraded to 5.0.0-alpha.9
+
 ## @visulima/package [5.0.0-alpha.7](https://github.com/visulima/visulima/compare/@visulima/package@5.0.0-alpha.6...@visulima/package@5.0.0-alpha.7) (2026-04-08)
 
 ### Bug Fixes

package/dist/index.d.ts

@@ -1,4 +1,6 @@
 export { default as PackageNotFoundError } from "./error/package-not-found-error.d.ts";
+export type { LockFileEntry, LockFileIntegrity, LockFileIntegrityAlgorithm, LockFileParseResult, LockFileType } from "./lockfile.d.ts";
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile, } from "./lockfile.d.ts";
 export type { RootMonorepo, Strategy } from "./monorepo.d.ts";
 export { findMonorepoRoot, findMonorepoRootSync } from "./monorepo.d.ts";
 export { findPackageRoot, findPackageRootSync } from "./package.d.ts";

package/dist/index.js

@@ -1,4 +1,5 @@
 export { default as PackageNotFoundError } from './packem_shared/PackageNotFoundError-C0ltLzw7.js';
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile } from './lockfile.js';
 export { findMonorepoRoot, findMonorepoRootSync } from './monorepo.js';
 export { findPackageRoot, findPackageRootSync } from './package.js';
 export { ensurePackages, findPackageJson, findPackageJsonSync, getPackageJsonProperty, hasPackageJsonAnyDependency, hasPackageJsonProperty, parsePackageJson, parsePackageJsonSync, writePackageJson, writePackageJsonSync } from './package-json.js';

package/dist/lockfile.d.ts

@@ -0,0 +1,113 @@
+/** Lockfiles the parser recognises. Legacy binary `bun.lockb` is unsupported. */
+export type LockFileType = "bun" | "npm" | "pnpm" | "yarn";
+/** SRI algorithms the parser can decode into hex. */
+export type LockFileIntegrityAlgorithm = "sha256" | "sha384" | "sha512";
+/** Decoded integrity digest: algorithm + lowercase hex string. */
+export interface LockFileIntegrity {
+    algorithm: LockFileIntegrityAlgorithm;
+    hex: string;
+}
+/** A single resolved package extracted from a lockfile. */
+export interface LockFileEntry {
+    /**
+     * Declared runtime dependencies — `name → specifier[]` map. Values
+     * are arrays so pnpm v9+ peer-context variants (the same dep name
+     * resolved to different versions under different peer contexts)
+     * can all be preserved. npm, yarn v1, bun, and pnpm v6-v8 always
+     * produce single-element arrays; pnpm v9+ may produce multi-element
+     * arrays for peer-context-sensitive deps.
+     *
+     * Specifiers are whatever the lockfile recorded — a range
+     * (`^1.0.0`) for npm / yarn / bun, or an already-resolved exact
+     * version for pnpm. Callers resolve each specifier against
+     * {@link LockFileEntry.version} values elsewhere in the lockfile
+     * when they need a concrete edge.
+     */
+    dependencies?: Record<string, string[]>;
+    /** Decoded SRI digest, if the lockfile recorded one. */
+    integrity?: LockFileIntegrity;
+    /** Package name — `lodash` or `@scope/name`. */
+    name: string;
+    /** Declared optional dependencies, same shape as `dependencies`. */
+    optionalDependencies?: Record<string, string[]>;
+    /** Declared peer dependencies, same shape as `dependencies`. */
+    peerDependencies?: Record<string, string[]>;
+    /** Resolved exact version — e.g. `4.17.21`. */
+    version: string;
+}
+/** Result of locating + parsing a lockfile on disk. */
+export interface LockFileParseResult {
+    entries: LockFileEntry[];
+    /** Absolute path of the lockfile that was parsed. */
+    path: string;
+    type: LockFileType;
+}
+/**
+ * Decodes a Subresource Integrity string (`sha512-&lt;base64>`) into a
+ * `{ algorithm, hex }` pair. Returns `undefined` if the string is
+ * malformed, oversized, or uses an unsupported algorithm.
+ * @param sri Full SRI string, e.g. `sha512-&lt;base64>`.
+ * @returns Decoded algorithm + hex digest, or `undefined` when the
+ * input can't be parsed.
+ */
+export declare const decodeSriIntegrity: (sri: string) => LockFileIntegrity | undefined;
+/**
+ * Parses `package-lock.json` (npm v2 / v3 format).
+ * @param content Raw JSON text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseNpmLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `pnpm-lock.yaml`. Regex-based; works for lockfile v6 through
+ * v9. v9 moves concrete resolved dependency versions out of `packages:`
+ * and into `snapshots:`; this parser reads both sections and unions
+ * their dep-maps onto the final entry.
+ * @param content Raw YAML text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parsePnpmLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `yarn.lock` for Yarn Classic (v1) and Berry (v2+). Berry's
+ * XXH64 `checksum:` is not a cryptographic hash and is intentionally
+ * dropped; only v1's SRI `integrity:` flows through to
+ * {@link LockFileEntry.integrity}.
+ * @param content Raw text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseYarnLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses `bun.lock` (Bun v1.1+, JSON-ish with trailing commas). The
+ * binary `bun.lockb` format is not supported.
+ *
+ * Attribution: format + tuple layout verified against lockparse
+ * (https://github.com/43081j/lockparse, MIT).
+ * @param content Raw text of the lockfile.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseBunLockFile: (content: string) => LockFileEntry[];
+/**
+ * Parses raw lockfile content of the given type. Returns an empty
+ * array if the content is malformed or doesn't contain any package
+ * entries.
+ * @param content Raw text of the lockfile.
+ * @param type Which parser to dispatch to.
+ * @returns One {@link LockFileEntry} per distinct `name@version`.
+ */
+export declare const parseLockFileContent: (content: string, type: LockFileType) => LockFileEntry[];
+/**
+ * Walks up from `cwd`, locates the nearest supported lockfile, reads
+ * it, and returns the parsed entries alongside the lockfile type and
+ * absolute path.
+ * @param cwd Directory to start the search from. Defaults to
+ * `process.cwd()` (delegated to `findUp`).
+ * @returns The parsed result, keyed by the discovered lockfile path.
+ * @throws If no supported lockfile can be found above `cwd`.
+ */
+export declare const parseLockFile: (cwd?: URL | string) => Promise<LockFileParseResult>;
+/**
+ * Synchronous counterpart to {@link parseLockFile}.
+ * @param cwd Directory to start the search from.
+ * @returns The parsed result, keyed by the discovered lockfile path.
+ * @throws If no supported lockfile can be found above `cwd`.
+ */
+export declare const parseLockFileSync: (cwd?: URL | string) => LockFileParseResult;

package/dist/lockfile.js

@@ -0,0 +1,425 @@
+import { createRequire as __cjs_createRequire } from "node:module";
+
+const __cjs_require = __cjs_createRequire(import.meta.url);
+
+const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
+
+const __cjs_getBuiltinModule = (module) => {
+    // Check if we're in Node.js and version supports getBuiltinModule
+    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
+        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
+        // Node.js 20.16.0+ and 22.3.0+
+        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
+            return __cjs_getProcess.getBuiltinModule(module);
+        }
+    }
+    // Fallback to createRequire
+    return __cjs_require(module);
+};
+
+const {
+  readFileSync
+} = __cjs_getBuiltinModule("node:fs");
+const {
+  readFile
+} = __cjs_getBuiltinModule("node:fs/promises");
+import { findUp, findUpSync } from '@visulima/fs';
+
+const INTEGRITY_ALGORITHMS = {
+  sha256: "sha256",
+  sha384: "sha384",
+  sha512: "sha512"
+};
+const MAX_SRI_LENGTH = 1024;
+const BASE64_PAYLOAD = /^[A-Z0-9+/]+={0,2}$/i;
+const NPM_NODE_MODULES_PATH = /.*node_modules\/((?:@[^/]+\/)?[^/]+)$/;
+const QUOTE_PREFIX = /^['"]/;
+const QUOTE_SUFFIX = /['"]$/;
+const PNPM_SECTION_HEADER = /^[a-z][a-zA-Z0-9]*:\s*$/m;
+const PNPM_INTEGRITY = /resolution:\s*\{[^}]*integrity:\s*([^,}\s]+)/;
+const YARN_BLOCK = (
+  // eslint-disable-next-line sonarjs/slow-regex, sonarjs/regex-complexity, regexp/no-super-linear-backtracking
+  /^["']?((?:@[^/@"']+\/)?[^@"'\n]+)@[^"'\n]+["']?:?[\t\v\f\r \u00A0\u1680\u2000-\u200A\u2028\u2029\u202F\u205F\u3000\uFEFF]*\n((?:[\t ][^\n]*\n?)+)/gm
+);
+const YARN_VERSION = /^\s+version:?\s+"?([^"\n]+)"?/m;
+const YARN_INTEGRITY = /^\s+integrity[\s:]+"?([^"\s]+)"?/m;
+const decodeSriIntegrity = (sri) => {
+  if (sri.length > MAX_SRI_LENGTH) {
+    return void 0;
+  }
+  const dashIndex = sri.indexOf("-");
+  if (dashIndex <= 0) {
+    return void 0;
+  }
+  const algorithm = INTEGRITY_ALGORITHMS[sri.slice(0, dashIndex).toLowerCase()];
+  if (!algorithm) {
+    return void 0;
+  }
+  const payload = sri.slice(dashIndex + 1);
+  if (!BASE64_PAYLOAD.test(payload)) {
+    return void 0;
+  }
+  try {
+    const buffer = Buffer.from(payload, "base64");
+    if (buffer.length === 0) {
+      return void 0;
+    }
+    return { algorithm, hex: buffer.toString("hex") };
+  } catch {
+    return void 0;
+  }
+};
+const pushUniqueEntry = (result, seen, entry) => {
+  const key = `${entry.name}@${entry.version}`;
+  if (seen.has(key)) {
+    return;
+  }
+  seen.add(key);
+  result.push(entry);
+};
+const copyDepMap = (target, field, source) => {
+  if (source && Object.keys(source).length > 0) {
+    target[field] = { ...source };
+  }
+};
+const liftDepMap = (source) => {
+  if (!source) {
+    return void 0;
+  }
+  const result = {};
+  for (const [name, value] of Object.entries(source)) {
+    result[name] = [value];
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+};
+const parseNpmLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return result;
+  }
+  if (!parsed.packages) {
+    return result;
+  }
+  for (const [path, entry] of Object.entries(parsed.packages)) {
+    if (!path || !entry.version) {
+      continue;
+    }
+    const match = NPM_NODE_MODULES_PATH.exec(path);
+    if (!match?.[1]) {
+      continue;
+    }
+    const name = entry.name ?? match[1];
+    if (name.startsWith(".")) {
+      continue;
+    }
+    const lockEntry = { name, version: entry.version };
+    if (entry.integrity) {
+      const integrity = decodeSriIntegrity(entry.integrity);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    copyDepMap(lockEntry, "dependencies", liftDepMap(entry.dependencies));
+    copyDepMap(lockEntry, "peerDependencies", liftDepMap(entry.peerDependencies));
+    copyDepMap(lockEntry, "optionalDependencies", liftDepMap(entry.optionalDependencies));
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const splitPnpmPackageKey = (raw) => {
+  let key = raw.trim();
+  if (key.startsWith("/")) {
+    key = key.slice(1);
+  }
+  key = key.replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+  const parenIndex = key.indexOf("(");
+  if (parenIndex > 0) {
+    key = key.slice(0, parenIndex);
+  }
+  const atIndex = key.lastIndexOf("@");
+  if (atIndex <= 0) {
+    return void 0;
+  }
+  const name = key.slice(0, atIndex);
+  const version = key.slice(atIndex + 1);
+  if (!name || !version || version.startsWith("link:") || version.startsWith("workspace:") || version.startsWith("file:")) {
+    return void 0;
+  }
+  return { name, version };
+};
+const sliceTopLevelSection = (content, section) => {
+  const header = new RegExp(String.raw`^${section}:\s*$`, "m");
+  const start = header.exec(content);
+  if (!start) {
+    return void 0;
+  }
+  const after = start.index + start[0].length;
+  const next = PNPM_SECTION_HEADER.exec(content.slice(after));
+  return content.slice(after, next ? after + next.index : content.length);
+};
+const parsePnpmSnapshotEdges = (content) => {
+  const result = /* @__PURE__ */ new Map();
+  const body = sliceTopLevelSection(content, "snapshots");
+  if (!body) {
+    return result;
+  }
+  const entryRegex = /^ {2}(['"]?[^\s:][^:\n]*?['"]?):\s*\n((?: {4}[^\n]*\n?)+)/gm;
+  let match;
+  while ((match = entryRegex.exec(body) ?? void 0) !== void 0) {
+    const keyValue = splitPnpmPackageKey(match[1]);
+    if (!keyValue) {
+      continue;
+    }
+    const baseKey = `${keyValue.name}@${keyValue.version}`;
+    const entryBody = match[2];
+    const existing = result.get(baseKey) ?? {};
+    for (const field of ["dependencies", "peerDependencies", "optionalDependencies"]) {
+      const scraped = extractPnpmDependencyMap(entryBody, field);
+      if (!scraped) {
+        continue;
+      }
+      const merged = existing[field] ?? {};
+      for (const [depName, depVersions] of Object.entries(scraped)) {
+        const bucket = merged[depName] ?? [];
+        for (const depVersion of depVersions) {
+          if (!bucket.includes(depVersion)) {
+            bucket.push(depVersion);
+          }
+        }
+        merged[depName] = bucket;
+      }
+      existing[field] = merged;
+    }
+    result.set(baseKey, existing);
+  }
+  return result;
+};
+const parsePnpmLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  const packagesBody = sliceTopLevelSection(content, "packages");
+  if (!packagesBody) {
+    return result;
+  }
+  const snapshotEdges = parsePnpmSnapshotEdges(content);
+  const entryRegex = /^ {2}(['"]?[^\s:][^:\n]*?['"]?):\s*\n((?: {4}[^\n]*\n?)+)/gm;
+  let match;
+  while ((match = entryRegex.exec(packagesBody) ?? void 0) !== void 0) {
+    const keyValue = splitPnpmPackageKey(match[1]);
+    if (!keyValue) {
+      continue;
+    }
+    const body = match[2];
+    const integrityMatch = PNPM_INTEGRITY.exec(body);
+    const lockEntry = { name: keyValue.name, version: keyValue.version };
+    if (integrityMatch?.[1]) {
+      const integrity = decodeSriIntegrity(integrityMatch[1]);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    const snapshot = snapshotEdges.get(`${keyValue.name}@${keyValue.version}`);
+    copyDepMap(lockEntry, "dependencies", snapshot?.dependencies ?? extractPnpmDependencyMap(body, "dependencies"));
+    copyDepMap(lockEntry, "peerDependencies", snapshot?.peerDependencies ?? extractPnpmDependencyMap(body, "peerDependencies"));
+    copyDepMap(lockEntry, "optionalDependencies", snapshot?.optionalDependencies ?? extractPnpmDependencyMap(body, "optionalDependencies"));
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const extractPnpmDependencyMap = (body, section) => {
+  const sectionRegex = new RegExp(String.raw`^ {4}${section}:\s*\n((?: {6,}[^\n]*\n?)+)`, "m");
+  const sectionMatch = sectionRegex.exec(body);
+  if (!sectionMatch?.[1]) {
+    return void 0;
+  }
+  const map = {};
+  const entryRegex = /^ {6}([^\s:]+):\s*([^\n]+)/gm;
+  let match;
+  while ((match = entryRegex.exec(sectionMatch[1]) ?? void 0) !== void 0) {
+    const name = match[1].replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    let version = match[2].trim();
+    version = version.replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    const parenIndex = version.indexOf("(");
+    if (parenIndex > 0) {
+      version = version.slice(0, parenIndex).trim();
+    }
+    if (!name || !version) {
+      continue;
+    }
+    const bucket = map[name] ?? [];
+    if (!bucket.includes(version)) {
+      bucket.push(version);
+    }
+    map[name] = bucket;
+  }
+  return Object.keys(map).length > 0 ? map : void 0;
+};
+const parseYarnLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  const entryRegex = YARN_BLOCK;
+  entryRegex.lastIndex = 0;
+  let match;
+  while ((match = entryRegex.exec(content) ?? void 0) !== void 0) {
+    const name = match[1].replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    if (!name) {
+      continue;
+    }
+    const body = match[2];
+    const versionMatch = YARN_VERSION.exec(body);
+    if (!versionMatch?.[1]) {
+      continue;
+    }
+    const lockEntry = { name, version: versionMatch[1].trim() };
+    const integrityMatch = YARN_INTEGRITY.exec(body);
+    if (integrityMatch?.[1]) {
+      const integrity = decodeSriIntegrity(integrityMatch[1]);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    copyDepMap(lockEntry, "dependencies", extractYarnDependencyMap(body, "dependencies"));
+    copyDepMap(lockEntry, "peerDependencies", extractYarnDependencyMap(body, "peerDependencies"));
+    copyDepMap(lockEntry, "optionalDependencies", extractYarnDependencyMap(body, "optionalDependencies"));
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const extractYarnDependencyMap = (body, section) => {
+  const sectionRegex = new RegExp(String.raw`^ {2}${section}:\s*\n((?: {4,}[^\n]*\n?)+)`, "m");
+  const sectionMatch = sectionRegex.exec(body);
+  if (!sectionMatch?.[1]) {
+    return void 0;
+  }
+  const map = {};
+  const entryRegex = /^ {4}(['"]?[^\s:'"]+['"]?)\s*(?::\s*)?['"]([^'"\n]+)['"]/gm;
+  let match;
+  while ((match = entryRegex.exec(sectionMatch[1]) ?? void 0) !== void 0) {
+    const name = match[1].replace(QUOTE_PREFIX, "").replace(QUOTE_SUFFIX, "");
+    const version = match[2];
+    if (name && version) {
+      const bucket = map[name] ?? [];
+      if (!bucket.includes(version)) {
+        bucket.push(version);
+      }
+      map[name] = bucket;
+    }
+  }
+  return Object.keys(map).length > 0 ? map : void 0;
+};
+const TRAILING_COMMA_REGEX = /,(?=\s*[}\]])/g;
+const parseBunLockFile = (content) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  let parsed;
+  try {
+    parsed = JSON.parse(content.replaceAll(TRAILING_COMMA_REGEX, ""));
+  } catch {
+    return result;
+  }
+  if (!parsed.packages) {
+    return result;
+  }
+  for (const tuple of Object.values(parsed.packages)) {
+    const versionKey = tuple[0];
+    if (typeof versionKey !== "string") {
+      continue;
+    }
+    const atIndex = versionKey.indexOf("@", 1);
+    if (atIndex <= 0) {
+      continue;
+    }
+    const name = versionKey.slice(0, atIndex);
+    const version = versionKey.slice(atIndex + 1);
+    if (!name || !version || version.startsWith("workspace:") || version.startsWith("link:") || version.startsWith("file:")) {
+      continue;
+    }
+    const lockEntry = { name, version };
+    const rawIntegrity = tuple[3];
+    if (typeof rawIntegrity === "string" && rawIntegrity.length > 0) {
+      const integrity = decodeSriIntegrity(rawIntegrity);
+      if (integrity) {
+        lockEntry.integrity = integrity;
+      }
+    }
+    const metadata = tuple[2];
+    if (metadata && typeof metadata === "object" && !Array.isArray(metadata)) {
+      const meta = metadata;
+      copyDepMap(lockEntry, "dependencies", liftDepMap(meta.dependencies));
+      copyDepMap(lockEntry, "peerDependencies", liftDepMap(meta.peerDependencies));
+      copyDepMap(lockEntry, "optionalDependencies", liftDepMap(meta.optionalDependencies));
+    }
+    pushUniqueEntry(result, seen, lockEntry);
+  }
+  return result;
+};
+const inferLockFileType = (path) => {
+  if (path.endsWith("pnpm-lock.yaml")) {
+    return "pnpm";
+  }
+  if (path.endsWith("package-lock.json")) {
+    return "npm";
+  }
+  if (path.endsWith("yarn.lock")) {
+    return "yarn";
+  }
+  if (path.endsWith("bun.lock")) {
+    return "bun";
+  }
+  return void 0;
+};
+const parseLockFileContent = (content, type) => {
+  switch (type) {
+    case "bun": {
+      return parseBunLockFile(content);
+    }
+    case "npm": {
+      return parseNpmLockFile(content);
+    }
+    case "pnpm": {
+      return parsePnpmLockFile(content);
+    }
+    case "yarn": {
+      return parseYarnLockFile(content);
+    }
+    default: {
+      return [];
+    }
+  }
+};
+const LOCKFILE_CANDIDATES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lock"];
+const parseLockFile = async (cwd) => {
+  const path = await findUp(LOCKFILE_CANDIDATES, {
+    type: "file",
+    ...cwd && { cwd }
+  });
+  if (!path) {
+    throw new Error("Could not find a supported lock file (pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock)");
+  }
+  const type = inferLockFileType(path);
+  if (!type) {
+    throw new Error(`Unsupported lock file: ${path}`);
+  }
+  const content = await readFile(path, "utf8");
+  return { entries: parseLockFileContent(content, type), path, type };
+};
+const parseLockFileSync = (cwd) => {
+  const path = findUpSync(LOCKFILE_CANDIDATES, {
+    type: "file",
+    ...cwd && { cwd }
+  });
+  if (!path) {
+    throw new Error("Could not find a supported lock file (pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock)");
+  }
+  const type = inferLockFileType(path);
+  if (!type) {
+    throw new Error(`Unsupported lock file: ${path}`);
+  }
+  return { entries: parseLockFileContent(readFileSync(path, "utf8"), type), path, type };
+};
+
+export { decodeSriIntegrity, parseBunLockFile, parseLockFile, parseLockFileContent, parseLockFileSync, parseNpmLockFile, parsePnpmLockFile, parseYarnLockFile };

package/dist/monorepo.js

@@ -33,11 +33,14 @@ const findMonorepoRoot = async (cwd) => {
   });
   if (workspaceFilePath?.endsWith("lerna.json")) {
     const lerna = await readJson(workspaceFilePath);
-    if (lerna.useWorkspaces || lerna.packages) {
-      return {
-        path: dirname(workspaceFilePath),
-        strategy: "lerna"
-      };
+    if (lerna && typeof lerna === "object" && !Array.isArray(lerna)) {
+      const l = lerna;
+      if (l.useWorkspaces || l.packages) {
+        return {
+          path: dirname(workspaceFilePath),
+          strategy: "lerna"
+        };
+      }
     }
   }
   const isTurbo = workspaceFilePath?.endsWith("turbo.json");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@visulima/package",
-  "version": "5.0.0-alpha.7",
+  "version": "5.0.0-alpha.8",
   "description": "A comprehensive package management utility that helps you find root directories, monorepos, package managers, and parse package.json, package.yaml, and package.json5 files with advanced features like catalog resolution.",
   "keywords": [
     "anolilab",
@@ -79,6 +79,10 @@
       "types": "./dist/package-manager.d.ts",
       "default": "./dist/package-manager.js"
     },
+    "./lockfile": {
+      "types": "./dist/lockfile.d.ts",
+      "default": "./dist/lockfile.js"
+    },
     "./pnpm": {
       "types": "./dist/pnpm.d.ts",
       "default": "./dist/pnpm.js"
@@ -97,15 +101,15 @@
   ],
   "dependencies": {
     "@antfu/install-pkg": "^1.1.0",
-    "@visulima/fs": "5.0.0-alpha.7",
-    "@visulima/path": "3.0.0-alpha.8",
+    "@visulima/fs": "5.0.0-alpha.9",
+    "@visulima/path": "3.0.0-alpha.9",
     "json5": "^2.2.3",
     "normalize-package-data": "^8.0.0",
-    "type-fest": "5.5.0",
+    "type-fest": "5.6.0",
     "yaml": "2.8.3"
   },
   "engines": {
-    "node": ">=22.13 <=25.x"
+    "node": "^22.14.0 || >=24.10.0"
   },
   "os": [
     "darwin",