depopsy 1.0.0

package/src/parser/graph.js

@@ -0,0 +1,64 @@
+export function buildGraphTraversal(reverseGraph, topLevelSet) {
+  const cache = new Map();
+
+  function traverse(pkgId) {
+    if (cache.has(pkgId)) return cache.get(pkgId);
+    
+    const visited = new Set();
+    const stack = [pkgId];
+    const parents = [];
+    const roots = [];
+    const immediateParents = reverseGraph.get(pkgId) || [];
+
+    while (stack.length > 0) {
+      let current = stack.pop();
+      const currParents = reverseGraph.get(current) || [];
+      
+      for (const parent of currParents) {
+        if (!visited.has(parent)) {
+          visited.add(parent);
+          parents.push(parent);
+          stack.push(parent);
+          
+          const lastAtIdx = parent.lastIndexOf('@');
+          const nameOnly = lastAtIdx > 0 ? parent.substring(0, lastAtIdx) : parent;
+          
+          if (topLevelSet.has(nameOnly)) {
+             roots.push(parent);
+          }
+        }
+      }
+    }
+    
+    // Sort and unique the arrays to ensure stability
+    const result = {
+      parents: Array.from(new Set(immediateParents)),
+      allParents: Array.from(new Set(parents)),
+      roots: Array.from(new Set(roots))
+    };
+    
+    cache.set(pkgId, result);
+    return result;
+  }
+
+  return { traverse };
+}
+
+export async function getTopLevelSet(projectDir, fs, path) {
+  try {
+    const pkgJsonPath = path.join(projectDir, 'package.json');
+    const content = await fs.readFile(pkgJsonPath, 'utf-8');
+    const pkg = JSON.parse(content);
+    
+    const topLevelSet = new Set();
+    if (pkg.dependencies) {
+      Object.keys(pkg.dependencies).forEach(d => topLevelSet.add(d));
+    }
+    if (pkg.devDependencies) {
+      Object.keys(pkg.devDependencies).forEach(d => topLevelSet.add(d));
+    }
+    return topLevelSet;
+  } catch (e) {
+    return new Set();
+  }
+}

package/src/parser/index.js

@@ -0,0 +1,47 @@
+import fs from 'fs/promises';
+import path from 'path';
+import { parseNpmLockfile } from './npm-parser.js';
+import { parseYarnLockfile } from './yarn-parser.js';
+import { parsePnpmLockfile } from './pnpm-parser.js';
+
+export async function parseLockfile(projectDir) {
+  // Detect lockfile
+  const hasNpm = await fs.access(path.join(projectDir, 'package-lock.json')).then(() => true).catch(() => false);
+  const hasYarn = await fs.access(path.join(projectDir, 'yarn.lock')).then(() => true).catch(() => false);
+  const hasPnpm = await fs.access(path.join(projectDir, 'pnpm-lock.yaml')).then(() => true).catch(() => false);
+
+  if (hasPnpm) {
+    const { packagesMap, topLevelDeps } = await parsePnpmLockfile(projectDir);
+    return { type: 'pnpm', map: packagesMap, topLevelDeps };
+  } else if (hasYarn) {
+    return { type: 'yarn', map: await parseYarnLockfile(projectDir) };
+  } else if (hasNpm) {
+    return { type: 'npm', map: await parseNpmLockfile(projectDir) };
+  }
+
+  throw new Error('No supported lockfile found (package-lock.json, yarn.lock, pnpm-lock.yaml). Please run install first.');
+}
+
+/**
+ * Common graph insertion utility used by all parsers
+ */
+export function addToPackagesMap(packagesMap, name, version, instancePath, graphData = { parents: [], allParents: [], roots: [] }) {
+  if (!name || instancePath === '') return;
+
+  if (!packagesMap.has(name)) {
+    packagesMap.set(name, {
+      versions: new Set(),
+      instances: []
+    });
+  }
+
+  const entry = packagesMap.get(name);
+  entry.versions.add(version);
+  entry.instances.push({ 
+    path: instancePath, 
+    version, 
+    parents: graphData.parents,
+    allParents: graphData.allParents,
+    roots: graphData.roots
+  });
+}

package/src/parser/npm-parser.js

@@ -0,0 +1,143 @@
+import fs from 'fs/promises';
+import path from 'path';
+import { addToPackagesMap } from './index.js';
+import { buildGraphTraversal, getTopLevelSet } from './graph.js';
+
+export async function parseNpmLockfile(projectDir) {
+  const lockfilePath = path.join(projectDir, 'package-lock.json');
+  const lockfileContent = await fs.readFile(lockfilePath, 'utf-8');
+  const lockfile = JSON.parse(lockfileContent);
+  const packagesMap = new Map();
+
+  const reverseMap = new Map();
+
+  if (lockfile.packages) {
+    // Map paths securely to extract resolution models securely
+    const pathMap = new Map();
+    for (const [pkgPath, pkgData] of Object.entries(lockfile.packages)) {
+      if (pkgPath === '' || pkgData.link) continue;
+      const parts = pkgPath.split('node_modules/');
+      const name = parts[parts.length - 1];
+      pathMap.set(pkgPath, `${name}@${pkgData.version}`);
+    }
+
+    const resolveDependencyPath = (callerPath, depName) => {
+      let currentPath = callerPath;
+      while (currentPath !== '') {
+         const probe = `${currentPath}/node_modules/${depName}`;
+         if (pathMap.has(probe)) return pathMap.get(probe);
+         const lastIndex = currentPath.lastIndexOf('/node_modules/');
+         if (lastIndex === -1) {
+             currentPath = '';
+         } else {
+             currentPath = currentPath.substring(0, lastIndex);
+         }
+      }
+      const rootProbe = `node_modules/${depName}`;
+      if (pathMap.has(rootProbe)) return pathMap.get(rootProbe);
+      return null;
+    };
+
+    for (const [pkgPath, pkgData] of Object.entries(lockfile.packages)) {
+      if (pkgPath === '' || pkgData.link) continue;
+      const callerId = pathMap.get(pkgPath);
+      
+      const requires = pkgData.dependencies || {};
+      for (const [depName] of Object.entries(requires)) {
+         const resolvedDepId = resolveDependencyPath(pkgPath, depName);
+         if (resolvedDepId) {
+             if (!reverseMap.has(resolvedDepId)) reverseMap.set(resolvedDepId, new Set());
+             reverseMap.get(resolvedDepId).add(callerId);
+         }
+      }
+    }
+
+    const topLevelSet = await getTopLevelSet(projectDir, fs, path);
+    const graph = buildGraphTraversal(reverseMap, topLevelSet);
+
+    for (const [pkgPath, pkgData] of Object.entries(lockfile.packages)) {
+      if (pkgPath === '' || pkgData.link) continue;
+      
+      const parts = pkgPath.split('node_modules/');
+      const name = parts[parts.length - 1];
+      
+      const selfId = `${name}@${pkgData.version}`;
+      const graphData = graph.traverse(selfId);
+      
+      addToPackagesMap(packagesMap, name, pkgData.version, pkgPath, graphData);
+    }
+
+  } else if (lockfile.dependencies) {
+    // Fallback for extremely old v1 lockfiles without packages block
+    // V1 resolution mirrors V2 closely but operates through nested arrays natively.
+    const pathMap = new Map();
+    
+    const indexDependencies = (deps, basePath = '') => {
+      for (const [name, data] of Object.entries(deps)) {
+         const currentPath = basePath ? `${basePath}/node_modules/${name}` : `node_modules/${name}`;
+         pathMap.set(currentPath, `${name}@${data.version}`);
+         if (data.dependencies) {
+            indexDependencies(data.dependencies, currentPath);
+         }
+      }
+    };
+    indexDependencies(lockfile.dependencies);
+
+    const resolveDependencyPathV1 = (callerPath, depName) => {
+      let currentPath = callerPath;
+      while (currentPath !== '') {
+         const probe = `${currentPath}/node_modules/${depName}`;
+         if (pathMap.has(probe)) return pathMap.get(probe);
+         const lastIndex = currentPath.lastIndexOf('/node_modules/');
+         if (lastIndex === -1) {
+             currentPath = '';
+         } else {
+             currentPath = currentPath.substring(0, lastIndex);
+         }
+      }
+      const rootProbe = `node_modules/${depName}`;
+      if (pathMap.has(rootProbe)) return pathMap.get(rootProbe);
+      return null;
+    };
+
+    const linkDependencies = (deps, basePath = '') => {
+      for (const [name, data] of Object.entries(deps)) {
+         const currentPath = basePath ? `${basePath}/node_modules/${name}` : `node_modules/${name}`;
+         const callerId = pathMap.get(currentPath);
+         
+         const requires = data.requires || {};
+         for (const [depName] of Object.entries(requires)) {
+            const resolvedDepId = resolveDependencyPathV1(currentPath, depName);
+            if (resolvedDepId) {
+                if (!reverseMap.has(resolvedDepId)) reverseMap.set(resolvedDepId, new Set());
+                reverseMap.get(resolvedDepId).add(callerId);
+            }
+         }
+
+         if (data.dependencies) {
+            linkDependencies(data.dependencies, currentPath);
+         }
+      }
+    };
+    linkDependencies(lockfile.dependencies);
+
+    const topLevelSet = await getTopLevelSet(projectDir, fs, path);
+    const graph = buildGraphTraversal(reverseMap, topLevelSet);
+
+    const processDependencies = (deps, basePath = '') => {
+      for (const [name, data] of Object.entries(deps)) {
+         const currentPath = basePath ? `${basePath}/node_modules/${name}` : `node_modules/${name}`;
+         const selfId = `${name}@${data.version}`;
+         const graphData = graph.traverse(selfId);
+         
+         addToPackagesMap(packagesMap, name, data.version, currentPath, graphData);
+         if (data.dependencies) {
+            processDependencies(data.dependencies, currentPath);
+         }
+      }
+    };
+    processDependencies(lockfile.dependencies);
+  }
+
+  return packagesMap;
+}

package/src/parser/pnpm-parser.js

@@ -0,0 +1,257 @@
+import fs from 'fs/promises';
+import path from 'path';
+import yaml from 'js-yaml';
+import { addToPackagesMap } from './index.js';
+
+// ── Key normalization ────────────────────────────────────────────────────────
+
+/** Strip leading "/" from lockfile keys (pnpm v5/v6 format) */
+function normalizePkgKey(key) {
+  return key.replace(/^\//, '');
+}
+
+/** Strip parenthesised peer suffix: "1.2.3(react@18)" → "1.2.3" */
+function cleanVersion(version) {
+  return String(version).split('(')[0].trim();
+}
+
+/**
+ * Extract a bare package name from a "name@version" key.
+ * Handles scoped packages: "@babel/core@7.0.0" → "@babel/core"
+ */
+function pkgNameOf(key) {
+  if (!key) return '';
+  if (key.startsWith('@')) {
+    const second = key.indexOf('@', 1);
+    return second > 0 ? key.substring(0, second) : key;
+  }
+  const at = key.indexOf('@');
+  return at > 0 ? key.substring(0, at) : key;
+}
+
+// ── Importer extraction (handles v5 / v6 / v7 / v9 formats) ─────────────────
+
+/**
+ * Return the root importer object from parsed lockfile.
+ * pnpm v5: importers['.']  (or absent — everything is packages only)
+ * pnpm v6+: importers['.'] with { dependencies: { name: { specifier, version } } }
+ * pnpm v9: same but lockfileVersion is "9.0"
+ */
+function getRootImporter(parsed) {
+  if (!parsed.importers) return {};
+  // Try '.', then '' (empty string), then first key
+  return parsed.importers['.']
+    || parsed.importers['']
+    || Object.values(parsed.importers)[0]
+    || {};
+}
+
+/**
+ * Extract a bare version string from a dependency spec.
+ * Handles both string specs ("1.2.3") and object specs ({ specifier, version }).
+ */
+function extractVersion(spec) {
+  if (!spec) return null;
+  if (typeof spec === 'string') return cleanVersion(spec);
+  if (typeof spec === 'object') {
+    if (spec.version) return cleanVersion(spec.version);
+  }
+  return null;
+}
+
+/**
+ * Get all top-level dep names from the importer.
+ * Returns bare package names like ["next", "eslint", "@babel/core"].
+ */
+function getTopLevelDepNames(importer) {
+  const deps = {
+    ...(importer.dependencies || {}),
+    ...(importer.devDependencies || {}),
+    ...(importer.optionalDependencies || {}),
+  };
+  return new Set(Object.keys(deps));
+}
+
+// ── Package entry iteration ──────────────────────────────────────────────────
+
+/**
+ * Build the forward dependency graph and reverse graph from the packages block.
+ * Returns { forwardGraph, reverseGraph, allPkgKeys }
+ *
+ * Handles two package block formats:
+ *   pnpm v5/v6: { "/pkg@1.0.0": { dependencies: { dep: "version" } } }
+ *   pnpm v9:    { "pkg@1.0.0":  { dependencies: { dep: "version" } } }
+ */
+function buildGraphs(parsed) {
+  const forwardGraph = {};
+  const reverseGraph = {};
+  const packages = parsed.packages || {};
+
+  // pnpm v9 "snapshots" block takes precedence if present; otherwise use packages
+  const pkgBlock = parsed.snapshots || packages;
+
+  for (const rawKey of Object.keys(pkgBlock)) {
+    const pkgKey = normalizePkgKey(rawKey);
+    if (!forwardGraph[pkgKey]) forwardGraph[pkgKey] = [];
+    if (!reverseGraph[pkgKey]) reverseGraph[pkgKey] = [];
+
+    // Get deps from both snapshots and packages (pnpm v9 split them)
+    const pkgEntry = pkgBlock[rawKey] || {};
+    const pkgMeta  = packages[rawKey] || packages['/' + rawKey] || {};
+    const deps = { ...(pkgMeta.dependencies || {}), ...(pkgEntry.dependencies || {}) };
+
+    for (const [depName, depSpec] of Object.entries(deps)) {
+      const ver = extractVersion(depSpec);
+      if (!ver || String(depSpec).startsWith('link:')) continue;
+
+      const depKey = `${depName}@${ver}`;
+      forwardGraph[pkgKey].push(depKey);
+      if (!reverseGraph[depKey]) reverseGraph[depKey] = [];
+      reverseGraph[depKey].push(pkgKey);
+    }
+  }
+
+  return { forwardGraph, reverseGraph };
+}
+
+// ── Top-down ownership DFS ───────────────────────────────────────────────────
+
+/**
+ * For each top-level dep, DFS through forwardGraph to find every package
+ * it introduces. Returns Map<pkgKey, Set<topLevelDepName>>.
+ *
+ * Start keys are found by:
+ *   1. Matching pkgKey name against topLevelDeps set
+ *   2. Seeding from importer version specs (for exact key format)
+ */
+function buildOwnershipMap(parsed, forwardGraph, topLevelDeps, importer) {
+  // Step A — find versioned start keys for each top-level dep
+  const topLevelVersioned = new Map(); // depName → Set<pkgKey>
+
+  // Seed from package keys
+  const pkgBlock = parsed.snapshots || parsed.packages || {};
+  for (const rawKey of Object.keys(pkgBlock)) {
+    const pkgKey = normalizePkgKey(rawKey);
+    const name   = pkgNameOf(pkgKey);
+    if (topLevelDeps.has(name)) {
+      if (!topLevelVersioned.has(name)) topLevelVersioned.set(name, new Set());
+      topLevelVersioned.get(name).add(pkgKey);
+    }
+  }
+
+  // Seed from importer dep version specs (catches exact key variations)
+  const allImporterDeps = {
+    ...(importer.dependencies || {}),
+    ...(importer.devDependencies || {}),
+    ...(importer.optionalDependencies || {}),
+  };
+  for (const [depName, spec] of Object.entries(allImporterDeps)) {
+    const ver = extractVersion(spec);
+    if (ver) {
+      const key = `${depName}@${ver}`;
+      if (!topLevelVersioned.has(depName)) topLevelVersioned.set(depName, new Set());
+      topLevelVersioned.get(depName).add(key);
+      // Also try without peer suffix
+      const cleanKey = `${depName}@${cleanVersion(ver)}`;
+      topLevelVersioned.get(depName).add(cleanKey);
+    }
+  }
+
+  // Step B — DFS from each start key
+  const ownership = new Map(); // pkgKey → Set<topLevelDepName>
+
+  for (const [depName, startKeys] of topLevelVersioned) {
+    for (const startKey of startKeys) {
+      const stack   = [startKey];
+      const visited = new Set([startKey]);
+
+      while (stack.length) {
+        const node = stack.pop();
+        if (!ownership.has(node)) ownership.set(node, new Set());
+        ownership.get(node).add(depName);
+
+        for (const child of (forwardGraph[node] || [])) {
+          if (!visited.has(child)) {
+            visited.add(child);
+            stack.push(child);
+          }
+        }
+      }
+    }
+  }
+
+  return ownership;
+}
+
+// ── Main parser ──────────────────────────────────────────────────────────────
+
+export async function parsePnpmLockfile(projectDir) {
+  const lockfilePath = path.join(projectDir, 'pnpm-lock.yaml');
+  const lockfileContent = await fs.readFile(lockfilePath, 'utf-8');
+  const parsed = yaml.load(lockfileContent);
+  const packagesMap = new Map();
+
+  const packages = parsed.packages || {};
+  if (Object.keys(packages).length === 0 && !parsed.snapshots) {
+    return { packagesMap, topLevelDeps: new Set() };
+  }
+
+  // ── Importer & top-level dep extraction ──────────────────────────────────
+  const importer    = getRootImporter(parsed);
+  const topLevelDeps = getTopLevelDepNames(importer);
+
+  // ── Graph construction ────────────────────────────────────────────────────
+  const { forwardGraph, reverseGraph } = buildGraphs(parsed);
+
+  // ── Ownership map (top-down DFS) ──────────────────────────────────────────
+  const ownership = buildOwnershipMap(parsed, forwardGraph, topLevelDeps, importer);
+
+  // ── Emit packages ─────────────────────────────────────────────────────────
+  // Use packages block (not snapshots) as the canonical source of package identity
+  for (const rawKey of Object.keys(packages)) {
+    const pkgKey = normalizePkgKey(rawKey);
+    const lastAt = pkgKey.lastIndexOf('@');
+    if (lastAt <= 0) continue;
+
+    const name            = pkgKey.substring(0, lastAt);
+    const resolvedVersion = pkgKey.substring(lastAt + 1);
+    const selfId          = `${name}@${resolvedVersion}`;
+
+    // roots = bare top-level dep names that introduce this package
+    const roots   = Array.from(ownership.get(selfId) || []);
+    // parents = immediate dependents from reverse graph
+    const parents = Array.from(new Set(reverseGraph[selfId] || []));
+
+    addToPackagesMap(packagesMap, name, resolvedVersion, rawKey, {
+      roots,
+      parents,
+      allParents: ancestors(reverseGraph, selfId), // full chain for grouper fallback
+    });
+  }
+
+  return { packagesMap, topLevelDeps };
+}
+
+/**
+ * Walk reverse graph upward to collect all ancestors (BFS, depth-limited).
+ * Used as allParents so the grouper fallback layers have data if roots are empty.
+ */
+function ancestors(reverseGraph, startId, maxDepth = 8) {
+  const result  = new Set();
+  const queue   = [{ node: startId, depth: 0 }];
+  const visited = new Set([startId]);
+
+  while (queue.length) {
+    const { node, depth } = queue.shift();
+    if (depth >= maxDepth) continue;
+    for (const parent of (reverseGraph[node] || [])) {
+      if (!visited.has(parent)) {
+        visited.add(parent);
+        result.add(parent);
+        queue.push({ node: parent, depth: depth + 1 });
+      }
+    }
+  }
+
+  return Array.from(result);
+}

package/src/parser/yarn-parser.js

@@ -0,0 +1,93 @@
+import fs from 'fs/promises';
+import path from 'path';
+import yaml from 'js-yaml';
+import lockfileParser from '@yarnpkg/lockfile';
+import { addToPackagesMap } from './index.js';
+import { buildGraphTraversal, getTopLevelSet } from './graph.js';
+
+export async function parseYarnLockfile(projectDir) {
+  const lockfilePath = path.join(projectDir, 'yarn.lock');
+  const lockfileContent = await fs.readFile(lockfilePath, 'utf-8');
+
+  const packagesMap = new Map();
+
+  // Try to determine if it's Yarn v1 or v2+
+  // Yarn v2+ lockfiles usually have "__metadata" block and standard YAML structure
+  let parsed;
+  if (lockfileContent.includes('__metadata')) {
+    // It's likely Yarn v2+ (YAML)
+    parsed = yaml.load(lockfileContent);
+    // Remove metadata
+    delete parsed.__metadata;
+  } else {
+    // Yarn v1
+    const result = lockfileParser.parse(lockfileContent);
+    if (result.type !== 'success') {
+      throw new Error('Failed to parse yarn.lock');
+    }
+    parsed = result.object;
+  }
+
+  // Pass 1: Build exact version lookup map
+  const exactVersions = new Map();
+  for (const [key, pkgData] of Object.entries(parsed)) {
+    const resolutions = key.split(',').map(s => s.trim());
+    for (let res of resolutions) {
+      if (res.includes('@npm:')) res = res.replace('@npm:', '@');
+      if (res.includes('@workspace:')) res = res.replace('@workspace:', '@');
+      exactVersions.set(res, pkgData.version);
+    }
+  }
+
+  // Pass 2: Build specific name@version Reverse Graph Matrix
+  const reverseMap = new Map();
+  for (const [key, pkgData] of Object.entries(parsed)) {
+    const resolutions = key.split(',').map(s => s.trim());
+    let firstRes = resolutions[0];
+    if (firstRes.includes('@npm:')) firstRes = firstRes.replace('@npm:', '@');
+    if (firstRes.includes('@workspace:')) firstRes = firstRes.replace('@workspace:', '@');
+    const lastAtIdx = firstRes.lastIndexOf('@');
+    if (lastAtIdx <= 0) continue;
+    
+    const name = firstRes.substring(0, lastAtIdx);
+    const callerId = `${name}@${pkgData.version}`;
+
+    if (pkgData.dependencies) {
+      for (const [depName, depReq] of Object.entries(pkgData.dependencies)) {
+        const depKey = `${depName}@${depReq}`;
+        const resolvedVersion = exactVersions.get(depKey);
+        if (resolvedVersion) {
+           const depId = `${depName}@${resolvedVersion}`;
+           if (!reverseMap.has(depId)) reverseMap.set(depId, new Set());
+           reverseMap.get(depId).add(callerId);
+        }
+      }
+    }
+  }
+
+  // Pass 3: Evaluate unified recursive graph limits
+  const topLevelSet = await getTopLevelSet(projectDir, fs, path);
+  const graph = buildGraphTraversal(reverseMap, topLevelSet);
+
+  for (const [key, pkgData] of Object.entries(parsed)) {
+    // Extract the raw package name. 
+    const resolutions = key.split(',').map(s => s.trim());
+    let firstRes = resolutions[0];
+    
+    if (firstRes.includes('@npm:')) firstRes = firstRes.replace('@npm:', '@');
+    if (firstRes.includes('@workspace:')) firstRes = firstRes.replace('@workspace:', '@');
+
+    const lastAtIdx = firstRes.lastIndexOf('@');
+    if (lastAtIdx <= 0) continue; // safety check
+    
+    const name = firstRes.substring(0, lastAtIdx);
+    const selfId = `${name}@${pkgData.version}`;
+    
+    const graphData = graph.traverse(selfId);
+
+    // In Yarn, packages are flattened into the lockfile. The "instance path" is abstract.
+    addToPackagesMap(packagesMap, name, pkgData.version, key, graphData);
+  }
+
+  return packagesMap;
+}