dependency-radar 0.5.0 → 0.6.0

package/dist/runners/lockfileParsers.js

@@ -0,0 +1,434 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseYamlLike = parseYamlLike;
+exports.parseYarnV1Lockfile = parseYarnV1Lockfile;
+exports.splitSelectorList = splitSelectorList;
+/**
+ * Parse a YAML-like string into a plain object supporting only the subset used by lockfiles.
+ *
+ * The function is tolerant of comments and indentation but intentionally limits supported YAML
+ * features; on malformed input or when the top-level result is not a mapping, it returns an empty object.
+ *
+ * @returns A plain object representing the parsed mapping, or an empty object if parsing fails or no top-level mapping is present.
+ */
+function parseYamlLike(raw) {
+    var _a, _b;
+    try {
+        const lines = [];
+        for (const rawLine of raw.split(/\r?\n/)) {
+            const noComment = stripYamlInlineComment(rawLine).replace(/\s+$/, '');
+            if (!noComment.trim())
+                continue;
+            const indent = (_b = (_a = noComment.match(/^(\s*)/)) === null || _a === void 0 ? void 0 : _a[1].length) !== null && _b !== void 0 ? _b : 0;
+            lines.push({
+                indent,
+                content: noComment.trim()
+            });
+        }
+        let index = 0;
+        /**
+         * Parse either a mapping or sequence node at the current cursor position.
+         */
+        const parseNode = (indentLevel) => {
+            if (index >= lines.length)
+                return undefined;
+            if (lines[index].indent < indentLevel)
+                return undefined;
+            if (lines[index].indent === indentLevel && lines[index].content.startsWith('- ')) {
+                return parseSequence(indentLevel);
+            }
+            return parseMapping(indentLevel);
+        };
+        /**
+         * Parse an indentation-scoped YAML mapping.
+         */
+        const parseMapping = (indentLevel) => {
+            const out = {};
+            while (index < lines.length) {
+                const line = lines[index];
+                if (line.indent < indentLevel)
+                    break;
+                if (line.indent > indentLevel) {
+                    index += 1;
+                    continue;
+                }
+                if (line.content.startsWith('- '))
+                    break;
+                const colonIndex = findYamlMapSeparator(line.content);
+                if (colonIndex <= 0) {
+                    index += 1;
+                    continue;
+                }
+                const key = unwrapOuterQuotes(line.content.slice(0, colonIndex));
+                const valueToken = line.content.slice(colonIndex + 1).trim();
+                index += 1;
+                if (valueToken) {
+                    out[key] = parseYamlScalar(valueToken);
+                    continue;
+                }
+                if (index < lines.length && lines[index].indent > indentLevel) {
+                    out[key] = parseNode(lines[index].indent);
+                }
+                else {
+                    out[key] = null;
+                }
+            }
+            return out;
+        };
+        /**
+         * Parse an indentation-scoped YAML sequence.
+         */
+        const parseSequence = (indentLevel) => {
+            const values = [];
+            while (index < lines.length) {
+                const line = lines[index];
+                if (line.indent < indentLevel)
+                    break;
+                if (line.indent !== indentLevel || !line.content.startsWith('- '))
+                    break;
+                const valueToken = line.content.slice(2).trim();
+                index += 1;
+                if (valueToken) {
+                    values.push(parseYamlScalar(valueToken));
+                    if (index < lines.length && lines[index].indent > indentLevel) {
+                        parseNode(lines[index].indent);
+                    }
+                    continue;
+                }
+                if (index < lines.length && lines[index].indent > indentLevel) {
+                    values.push(parseNode(lines[index].indent));
+                }
+                else {
+                    values.push(null);
+                }
+            }
+            return values;
+        };
+        const parsed = parseNode(0);
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            return {};
+        }
+        return parsed;
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Parses Yarn v1 lockfile content into selector-to-entry mappings.
+ *
+ * @param raw - The raw text content of a Yarn v1 lockfile
+ * @returns A Map from selector string to `YarnLockEntry`, or `undefined` if no entries could be parsed
+ */
+function parseYarnV1Lockfile(raw) {
+    var _a, _b;
+    try {
+        const map = new Map();
+        const lines = raw.split(/\r?\n/);
+        let currentSelectors = [];
+        let currentEntry;
+        let currentSection;
+        // Persist the currently parsed entry into every selector alias that points to it.
+        const flushEntry = () => {
+            if (!currentEntry || currentSelectors.length === 0)
+                return;
+            const entry = {};
+            if (currentEntry.version)
+                entry.version = currentEntry.version;
+            if (currentEntry.dependencies && Object.keys(currentEntry.dependencies).length > 0) {
+                entry.dependencies = { ...currentEntry.dependencies };
+            }
+            if (currentEntry.optionalDependencies && Object.keys(currentEntry.optionalDependencies).length > 0) {
+                entry.optionalDependencies = { ...currentEntry.optionalDependencies };
+            }
+            for (const selector of currentSelectors) {
+                if (!map.has(selector)) {
+                    map.set(selector, entry);
+                }
+            }
+        };
+        for (const rawLine of lines) {
+            const line = rawLine.replace(/\s+$/, '');
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                continue;
+            const indent = (_b = (_a = line.match(/^(\s*)/)) === null || _a === void 0 ? void 0 : _a[1].length) !== null && _b !== void 0 ? _b : 0;
+            if (indent === 0 && trimmed.endsWith(':')) {
+                flushEntry();
+                currentSelectors = splitSelectorList(trimmed.slice(0, -1));
+                currentEntry = {};
+                currentSection = undefined;
+                continue;
+            }
+            if (!currentEntry)
+                continue;
+            if (indent === 2) {
+                if (trimmed === 'dependencies:') {
+                    currentSection = 'dependencies';
+                    continue;
+                }
+                if (trimmed === 'optionalDependencies:') {
+                    currentSection = 'optionalDependencies';
+                    continue;
+                }
+                currentSection = undefined;
+                const pair = parseYarnTokenPair(trimmed);
+                if (!pair)
+                    continue;
+                if (pair[0] === 'version' && pair[1]) {
+                    currentEntry.version = pair[1];
+                }
+                continue;
+            }
+            if (indent >= 4 && currentSection) {
+                const pair = parseYarnTokenPair(trimmed);
+                if (!pair)
+                    continue;
+                const [name, spec] = pair;
+                if (!name || !spec)
+                    continue;
+                if (currentSection === 'dependencies') {
+                    if (!currentEntry.dependencies)
+                        currentEntry.dependencies = {};
+                    currentEntry.dependencies[name] = spec;
+                }
+                else {
+                    if (!currentEntry.optionalDependencies)
+                        currentEntry.optionalDependencies = {};
+                    currentEntry.optionalDependencies[name] = spec;
+                }
+            }
+        }
+        flushEntry();
+        return map.size > 0 ? map : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Split a comma-separated selector list into individual selector strings, respecting quotes and escapes.
+ *
+ * Handles quoted tokens (single and double quotes), preserves escaped characters inside double-quoted tokens,
+ * trims whitespace and unwraps optional outer quotes from each selector, and ignores empty tokens.
+ *
+ * @param selectorKey - The raw selector list (e.g. `"a@1", b@2`) to split and normalize
+ * @returns An array of normalized selector strings in order of appearance
+ */
+function splitSelectorList(selectorKey) {
+    const out = tokenizeSelectorParts(selectorKey.trim())
+        .map(normalizeSelectorToken)
+        .filter(Boolean);
+    // Yarn Berry often stores the *entire* selector list as one quoted scalar.
+    // If that happens, split the unwrapped scalar again to recover aliases.
+    if (out.length === 1 && out[0].includes(',')) {
+        return tokenizeSelectorParts(out[0])
+            .map(normalizeSelectorToken)
+            .filter(Boolean);
+    }
+    return out;
+}
+/**
+ * Tokenize a selector list by commas that are outside quote scopes.
+ *
+ * @param value - Raw selector list text.
+ * @returns Raw selector tokens in source order.
+ */
+function tokenizeSelectorParts(value) {
+    const out = [];
+    let current = '';
+    let inSingle = false;
+    let inDouble = false;
+    let escaped = false;
+    for (const ch of value) {
+        if (inDouble && ch === '\\' && !escaped) {
+            escaped = true;
+            current += ch;
+            continue;
+        }
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+            current += ch;
+            escaped = false;
+            continue;
+        }
+        if (ch === '"' && !inSingle && !escaped) {
+            inDouble = !inDouble;
+            current += ch;
+            continue;
+        }
+        if (ch === ',' && !inSingle && !inDouble) {
+            out.push(current);
+            current = '';
+            escaped = false;
+            continue;
+        }
+        current += ch;
+        escaped = false;
+    }
+    out.push(current);
+    return out;
+}
+/**
+ * Normalize a selector token by trimming surrounding whitespace and removing optional outer quotes.
+ *
+ * @param value - The selector token to normalize
+ * @returns The normalized selector string without outer quotes
+ */
+function normalizeSelectorToken(value) {
+    return unwrapOuterQuotes(value.trim());
+}
+/**
+ * Parse a single Yarn v1 lockfile token pair from a line containing a name and a spec.
+ *
+ * @param value - The line to parse, containing a name token followed by a spec token; tokens may be quoted.
+ * @returns A two-element tuple `[name, spec]` with outer quotes removed, or `undefined` if the line does not contain a valid pair.
+ */
+function parseYarnTokenPair(value) {
+    const first = readQuotedOrBareToken(value, 0);
+    if (!first)
+        return undefined;
+    const second = value.slice(first.next).trim();
+    if (!second)
+        return undefined;
+    return [unwrapOuterQuotes(first.token.trim()), unwrapOuterQuotes(second)];
+}
+/**
+ * Reads the next token from a string, supporting quoted (single or double) and bare tokens.
+ *
+ * @param value - The input string to read a token from.
+ * @param start - The index at which to begin scanning; leading whitespace is skipped.
+ * @returns An object `{ token, next }` where `token` is the raw token (quoted tokens include their surrounding quotes and any escape sequences) and `next` is the index immediately after the token, or `undefined` if no token is found or a quoted token is unterminated.
+ */
+function readQuotedOrBareToken(value, start) {
+    let index = start;
+    while (index < value.length && /\s/.test(value[index]))
+        index += 1;
+    if (index >= value.length)
+        return undefined;
+    const firstChar = value[index];
+    if (firstChar === '"' || firstChar === "'") {
+        const quote = firstChar;
+        let token = quote;
+        index += 1;
+        let escaped = false;
+        while (index < value.length) {
+            const ch = value[index];
+            token += ch;
+            if (quote === '"' && ch === '\\' && !escaped) {
+                escaped = true;
+                index += 1;
+                continue;
+            }
+            if (ch === quote && !escaped) {
+                return { token, next: index + 1 };
+            }
+            escaped = false;
+            index += 1;
+        }
+        return undefined;
+    }
+    let end = index;
+    while (end < value.length && !/\s/.test(value[end]))
+        end += 1;
+    return { token: value.slice(index, end), next: end };
+}
+/**
+ * Strip an inline YAML-style comment from a single line while preserving content inside quotes.
+ *
+ * @param rawLine - A single line of YAML-like text that may contain an inline `#` comment
+ * @returns The substring up to (but not including) the first `#` character that is not inside single or double quotes; returns the original line if no such comment is found
+ */
+function stripYamlInlineComment(rawLine) {
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < rawLine.length; i += 1) {
+        const ch = rawLine[i];
+        const prev = i > 0 ? rawLine[i - 1] : '';
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+            continue;
+        }
+        if (ch === '"' && !inSingle && prev !== '\\') {
+            inDouble = !inDouble;
+            continue;
+        }
+        if (ch === '#' && !inSingle && !inDouble) {
+            return rawLine.slice(0, i);
+        }
+    }
+    return rawLine;
+}
+/**
+ * Locate the colon that separates a YAML mapping key from its value, ignoring colons inside quoted strings.
+ *
+ * @returns The index of the separating colon in `content`, or `-1` if none is found. A colon is considered a separator only if it is not inside single-quoted or double-quoted strings (double quotes may use backslash to escape) and is followed by whitespace or the end of the line.
+ */
+function findYamlMapSeparator(content) {
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < content.length; i += 1) {
+        const ch = content[i];
+        const prev = i > 0 ? content[i - 1] : '';
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+            continue;
+        }
+        if (ch === '"' && !inSingle && prev !== '\\') {
+            inDouble = !inDouble;
+            continue;
+        }
+        if (ch !== ':' || inSingle || inDouble)
+            continue;
+        const next = content[i + 1];
+        if (next === undefined || next === ' ' || next === '\t') {
+            return i;
+        }
+    }
+    return -1;
+}
+/**
+ * Convert a YAML-like scalar token into its corresponding JavaScript value for the lockfile parser.
+ *
+ * @param value - The scalar token to parse (may be quoted or a special literal)
+ * @returns The parsed value: `''` for empty input, `{}` for `'{}'`, `[]` for `'[]'`, `null` for `'null'` or `'~'`, `true` for `'true'`, `false` for `'false'`, or the unquoted string otherwise.
+ */
+function parseYamlScalar(value) {
+    const normalized = value.trim();
+    if (!normalized)
+        return '';
+    if (normalized === '{}')
+        return {};
+    if (normalized === '[]')
+        return [];
+    if (normalized === 'null' || normalized === '~')
+        return null;
+    if (normalized === 'true')
+        return true;
+    if (normalized === 'false')
+        return false;
+    return unwrapOuterQuotes(normalized);
+}
+/**
+ * Remove matching outer single or double quotes from a string and unescape their common escape sequences.
+ *
+ * @param value - The input string that may be wrapped in matching quotes
+ * @returns The trimmed string with outer matching quotes removed; for double-quoted input, unescapes `\"` to `"` and `\\` to `\`; for single-quoted input, collapses doubled single quotes `''` to `'`. If the input is not wrapped in matching quotes, returns the trimmed input unchanged.
+ */
+function unwrapOuterQuotes(value) {
+    const trimmed = value.trim();
+    if (trimmed.length < 2)
+        return trimmed;
+    const first = trimmed[0];
+    const last = trimmed[trimmed.length - 1];
+    if (first !== last || (first !== '"' && first !== "'")) {
+        return trimmed;
+    }
+    const inner = trimmed.slice(1, -1);
+    if (first === '"') {
+        return inner
+            .replace(/\\"/g, '"')
+            .replace(/\\\\/g, '\\');
+    }
+    return inner.replace(/''/g, "'");
+}

package/dist/runners/npmAudit.js

@@ -61,7 +61,18 @@ function buildAuditCommand(tool, yarnVersion) {
         lockFiles: ["package-lock.json", "npm-shrinkwrap.json"],
     };
 }
-async function runPackageAudit(projectPath, tempDir, tool, yarnVersion) {
+/**
+ * Run a dependency audit using the specified package manager, normalize the audit output, and optionally write the result to disk.
+ *
+ * @param projectPath - Path to the project whose dependencies should be audited
+ * @param tempDir - Directory where the audit output file may be written
+ * @param tool - Package manager to use: `"npm"`, `"pnpm"`, or `"yarn"`
+ * @param yarnVersion - Optional Yarn version string used to select the correct Yarn audit command
+ * @param options - Optional persistence settings; when `options.persistToDisk` is omitted or `true`, write audit output/diagnostics to `${tempDir}/${tool}-audit.json` and include `file` in the result
+ * @returns An object with `ok: true` and `data` containing the normalized audit output (and `file` when persisted) on success; otherwise `ok: false` and `error` with an optional `file` when persisted
+ */
+async function runPackageAudit(projectPath, tempDir, tool, yarnVersion, options = {}) {
+    const persistToDisk = options.persistToDisk !== false;
     const targetFile = path_1.default.join(tempDir, `${tool}-audit.json`);
     try {
         const { cmd, args, lockFiles } = buildAuditCommand(tool, yarnVersion);
@@ -71,26 +82,32 @@ async function runPackageAudit(projectPath, tempDir, tool, yarnVersion) {
         const parsed = (0, utils_1.parseJsonOutput)(result.stdout);
         const normalized = normalizeAuditOutput(tool, parsed);
         if (normalized) {
-            await (0, utils_1.writeJsonFile)(targetFile, normalized);
-            return { ok: true, data: normalized, file: targetFile };
+            if (persistToDisk) {
+                await (0, utils_1.writeJsonFile)(targetFile, normalized);
+            }
+            return { ok: true, data: normalized, ...(persistToDisk ? { file: targetFile } : {}) };
+        }
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, {
+                stdout: result.stdout,
+                stderr: result.stderr,
+                code: result.code,
+            });
         }
-        await (0, utils_1.writeJsonFile)(targetFile, {
-            stdout: result.stdout,
-            stderr: result.stderr,
-            code: result.code,
-        });
         return {
             ok: false,
             error: `Failed to parse ${tool} audit output`,
-            file: targetFile,
+            ...(persistToDisk ? { file: targetFile } : {}),
         };
     }
     catch (err) {
-        await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
+        }
         return {
             ok: false,
             error: `${tool} audit failed: ${String(err)}`,
-            file: targetFile,
+            ...(persistToDisk ? { file: targetFile } : {}),
         };
     }
 }

package/dist/runners/npmLs.js

@@ -17,15 +17,18 @@ const PNPM_MAX_OLD_SPACE_SIZE_MB = '8192';
  * @param tempDir - Directory where the resulting JSON file and any diagnostics will be written
  * @param tool - Package manager to use (`npm`, `pnpm`, or `yarn`)
  * @param options - Optional progress callbacks and context; if `lockfileSearchRoot` is provided it will be used as the root when searching for a lockfile
- * @returns The tool result. On success, `data` is the normalized dependency tree and `file` is the path of the written JSON; on failure, `error` contains a message suitable for users and `file` points to the diagnostics JSON written to disk.
+ * @returns The tool result. On success, `data` is the normalized dependency tree and `file` is the path of the written JSON when `options.persistToDisk !== false` (omitted/undefined when `options.persistToDisk === false`); on failure, `error` contains a message suitable for users and `file` points to diagnostics only when persistence is enabled.
  */
 async function runNpmLs(projectPath, tempDir, tool = 'npm', options = {}) {
+    const persistToDisk = options.persistToDisk !== false;
     const targetFile = path_1.default.join(tempDir, `${tool}-ls.json`);
     try {
         const lockfileTree = await (0, lockfileGraph_1.tryBuildDependencyTreeFromLockfile)(projectPath, tool, options.lockfileSearchRoot);
         if (lockfileTree) {
-            await (0, utils_1.writeJsonFile)(targetFile, lockfileTree.data);
-            return { ok: true, data: lockfileTree.data, file: targetFile };
+            if (persistToDisk) {
+                await (0, utils_1.writeJsonFile)(targetFile, lockfileTree.data);
+            }
+            return { ok: true, data: lockfileTree.data, ...(persistToDisk ? { file: targetFile } : {}) };
         }
         if (tool === 'pnpm') {
             return await runPnpmLsWithFallback(projectPath, targetFile, options);
@@ -35,18 +38,34 @@ async function runNpmLs(projectPath, tempDir, tool = 'npm', options = {}) {
         const parsed = parseJsonOutput(result.stdout);
         const normalized = normalize(parsed);
         if (normalized) {
-            await (0, utils_1.writeJsonFile)(targetFile, normalized);
-            return { ok: true, data: normalized, file: targetFile };
+            if (persistToDisk) {
+                await (0, utils_1.writeJsonFile)(targetFile, normalized);
+            }
+            return { ok: true, data: normalized, ...(persistToDisk ? { file: targetFile } : {}) };
+        }
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, { stdout: result.stdout, stderr: result.stderr, code: result.code });
         }
-        await (0, utils_1.writeJsonFile)(targetFile, { stdout: result.stdout, stderr: result.stderr, code: result.code });
         const error = buildLsFailureMessage(tool, result.code, result.stderr);
-        return { ok: false, error, file: targetFile };
+        return { ok: false, error, ...(persistToDisk ? { file: targetFile } : {}) };
     }
     catch (err) {
-        await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
-        return { ok: false, error: `${tool} ls failed: ${String(err)}`, file: targetFile };
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
+        }
+        return {
+            ok: false,
+            error: `${tool} ls failed: ${String(err)}`,
+            ...(persistToDisk ? { file: targetFile } : {})
+        };
     }
 }
+/**
+ * Selects the package-manager-specific list command arguments and the corresponding normalizer.
+ *
+ * @param tool - The package manager identifier ('npm', 'pnpm', or 'yarn') used to choose arguments and normalizer.
+ * @returns An object with `args`, the CLI arguments to run the tool's list command, and `normalize`, a function that converts the tool's parsed output into a `ResolvedTree` or `undefined` when parsing/normalization fails.
+ */
 function buildLsCommand(tool) {
     if (tool === 'yarn') {
         return {
@@ -59,7 +78,18 @@ function buildLsCommand(tool) {
         normalize: normalizeNpmTree
     };
 }
+/**
+ * Attempt to build a normalized dependency tree for a pnpm workspace by running `pnpm list` with progressively lower depths until a parseable result is produced.
+ *
+ * Tries multiple depth levels, detects out-of-memory conditions, and optionally persists the normalized tree or diagnostic JSON to `targetFile` when `options.persistToDisk` is not explicitly `false`.
+ *
+ * @param projectPath - Filesystem path of the project/workspace to inspect
+ * @param targetFile - Path where the normalized tree or diagnostics will be written when persistence is enabled
+ * @param options - Progress and persistence options; when `options.persistToDisk` is omitted or `true`, successful results include `file: targetFile` and diagnostic output is written on failure
+ * @returns On success: an object with `ok: true` and `data` containing the normalized dependency tree (and `file` when persisted). On failure: an object with `ok: false` and an `error` message describing the failure (and `file` when diagnostics were persisted).
+ */
 async function runPnpmLsWithFallback(projectPath, targetFile, options) {
+    const persistToDisk = options.persistToDisk !== false;
     const installState = createPnpmInstallState(projectPath);
     const attempts = [];
     const env = {
@@ -85,8 +115,10 @@ async function runPnpmLsWithFallback(projectPath, targetFile, options) {
             if (index > 0) {
                 progress(options, `✔ PNPM ls recovered for workspace: ${formatContextLabel(options)} (depth=${depth})`);
             }
-            await (0, utils_1.writeJsonFile)(targetFile, normalized);
-            return { ok: true, data: normalized, file: targetFile };
+            if (persistToDisk) {
+                await (0, utils_1.writeJsonFile)(targetFile, normalized);
+            }
+            return { ok: true, data: normalized, ...(persistToDisk ? { file: targetFile } : {}) };
         }
         const reason = describeAttemptFailure(result.code, result.stderr);
         progress(options, `✖ Failed pnpm ls for workspace: ${formatContextLabel(options)} (depth=${depth}; ${reason})`);
@@ -95,18 +127,20 @@ async function runPnpmLsWithFallback(projectPath, targetFile, options) {
             progress(options, `✔ Retrying pnpm ls for workspace: ${formatContextLabel(options)} (depth=${nextDepth})`);
         }
     }
-    await (0, utils_1.writeJsonFile)(targetFile, {
-        error: 'pnpm ls retries exhausted',
-        nodeOptions: env.NODE_OPTIONS,
-        attempts
-    });
+    if (persistToDisk) {
+        await (0, utils_1.writeJsonFile)(targetFile, {
+            error: 'pnpm ls retries exhausted',
+            nodeOptions: env.NODE_OPTIONS,
+            attempts
+        });
+    }
     const sawOom = attempts.some((attempt) => attempt.outOfMemory);
     const lastAttempt = attempts[attempts.length - 1];
     if (sawOom) {
         return {
             ok: false,
             error: 'pnpm ls ran out of memory while building the dependency tree (retried with lower depths).',
-            file: targetFile
+            ...(persistToDisk ? { file: targetFile } : {})
         };
     }
     const suffix = lastAttempt && typeof lastAttempt.code === 'number'
@@ -115,7 +149,7 @@ async function runPnpmLsWithFallback(projectPath, targetFile, options) {
     return {
         ok: false,
         error: `Failed to parse pnpm ls output after retries.${suffix}`,
-        file: targetFile
+        ...(persistToDisk ? { file: targetFile } : {})
     };
 }
 function progress(options, line) {
@@ -446,6 +480,12 @@ function normalizeYarnNode(node) {
     }
     return { name: parsed.name, node: out };
 }
+/**
+ * Parse a Yarn node label into a package name and version.
+ *
+ * @param label - The Yarn label, typically in the form `name@version` (the version may be prefixed with `npm:`).
+ * @returns An object with `name` containing the package name and `version` containing the package version; if the label or either part is missing, that field is `"unknown"`.
+ */
 function splitYarnLabel(label) {
     if (!label)
         return { name: 'unknown', version: 'unknown' };