flatlock 1.0.1

package/src/detect.js

@@ -0,0 +1,153 @@
+import yaml from 'js-yaml';
+import { parseSyml } from '@yarnpkg/parsers';
+import yarnLockfile from '@yarnpkg/lockfile';
+
+/**
+ * @typedef {'npm' | 'pnpm' | 'yarn-classic' | 'yarn-berry'} LockfileType
+ */
+
+/**
+ * Lockfile type constants
+ */
+export const Type = Object.freeze({
+  NPM: 'npm',
+  PNPM: 'pnpm',
+  YARN_CLASSIC: 'yarn-classic',
+  YARN_BERRY: 'yarn-berry'
+});
+
+/**
+ * Try to parse content as npm package-lock.json
+ * @param {string} content
+ * @returns {boolean}
+ */
+function tryParseNpm(content) {
+  try {
+    const parsed = JSON.parse(content);
+    // Must have lockfileVersion as a number at root level
+    return typeof parsed.lockfileVersion === 'number';
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Try to parse content as yarn berry (v2+) lockfile
+ * @param {string} content
+ * @returns {boolean}
+ */
+function tryParseYarnBerry(content) {
+  try {
+    const parsed = parseSyml(content);
+    // Must have __metadata object at root with version property
+    return parsed
+      && typeof parsed.__metadata === 'object'
+      && parsed.__metadata !== null
+      && 'version' in parsed.__metadata;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Try to parse content as yarn classic (v1) lockfile
+ * @param {string} content
+ * @returns {boolean}
+ */
+function tryParseYarnClassic(content) {
+  try {
+    const parse = yarnLockfile.default?.parse || yarnLockfile.parse;
+    if (!parse) return false;
+
+    const result = parse(content);
+    // Must parse successfully and NOT have __metadata (that's berry)
+    // Must have at least one package entry (not empty object)
+    const isValidResult = result.type === 'success' || result.type === 'merge';
+    const hasEntries = result.object && Object.keys(result.object).length > 0;
+    const notBerry = !('__metadata' in result.object);
+
+    return isValidResult && hasEntries && notBerry;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Try to parse content as pnpm lockfile
+ * @param {string} content
+ * @returns {boolean}
+ */
+function tryParsePnpm(content) {
+  try {
+    const parsed = yaml.load(content);
+    // Must have lockfileVersion at root and NOT have __metadata
+    return parsed
+      && typeof parsed === 'object'
+      && 'lockfileVersion' in parsed
+      && !('__metadata' in parsed);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Detect lockfile type from content and/or path
+ *
+ * Content is the primary signal - we actually parse the content to verify
+ * it's a valid lockfile of the detected type. This prevents spoofing attacks
+ * where malicious content contains detection markers in strings/comments.
+ *
+ * Path is only used as a fallback hint when content is not provided.
+ *
+ * @param {Object} options - Detection options
+ * @param {string} [options.path] - Path to the lockfile (optional hint)
+ * @param {string} [options.content] - Lockfile content (primary signal)
+ * @returns {LockfileType}
+ * @throws {Error} If unable to detect lockfile type
+ */
+export function detectType({ path, content } = {}) {
+  // Content-based detection (primary) - actually parse to verify type
+  if (content) {
+    // npm: valid JSON with lockfileVersion number at root
+    if (tryParseNpm(content)) {
+      return Type.NPM;
+    }
+
+    // yarn berry: valid YAML with __metadata.version at root
+    if (tryParseYarnBerry(content)) {
+      return Type.YARN_BERRY;
+    }
+
+    // yarn classic: parses with @yarnpkg/lockfile, no __metadata
+    if (tryParseYarnClassic(content)) {
+      return Type.YARN_CLASSIC;
+    }
+
+    // pnpm: valid YAML with lockfileVersion at root, no __metadata
+    if (tryParsePnpm(content)) {
+      return Type.PNPM;
+    }
+  }
+
+  // If content was provided but didn't match any format, that's an error
+  // Don't fall back to path-based detection with invalid content (security risk)
+  if (content) {
+    throw new Error('Unable to detect lockfile type: content does not match any known format');
+  }
+
+  // Path-based detection (only when no content provided)
+  if (path) {
+    if (path.endsWith('package-lock.json') || path.endsWith('npm-shrinkwrap.json')) {
+      return Type.NPM;
+    }
+    if (path.endsWith('pnpm-lock.yaml')) {
+      return Type.PNPM;
+    }
+    if (path.endsWith('yarn.lock')) {
+      // Without content, default to classic (more common historically)
+      return Type.YARN_CLASSIC;
+    }
+  }
+
+  throw new Error('Unable to detect lockfile type');
+}

package/src/index.js

@@ -0,0 +1,144 @@
+import { readFile } from 'node:fs/promises';
+import { Type, detectType } from './detect.js';
+import { Ok, Err } from './result.js';
+import {
+  fromPackageLock,
+  fromPnpmLock,
+  fromYarnClassicLock,
+  fromYarnBerryLock
+} from './parsers/index.js';
+
+/**
+ * @typedef {import('./detect.js').LockfileType} LockfileType
+ * @typedef {import('./result.js').Result} Result
+ * @typedef {import('./parsers/npm.js').Dependency} Dependency
+ */
+
+// Re-export Type and detection
+export { Type, detectType };
+
+// Re-export Result helpers
+export { Ok, Err };
+
+// Re-export individual parsers
+export { fromPackageLock, fromPnpmLock, fromYarnClassicLock, fromYarnBerryLock };
+
+/**
+ * Parse lockfile from path (auto-detect type)
+ * @param {string} path - Path to lockfile
+ * @param {Object} [options] - Parser options
+ * @returns {AsyncGenerator<Dependency>}
+ */
+export async function* fromPath(path, options = {}) {
+  const content = await readFile(path, 'utf8');
+  const type = detectType({ path, content });
+
+  yield* fromString(content, { ...options, path, type });
+}
+
+/**
+ * Parse lockfile from string (auto-detect or use options.type)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @param {string} [options.path] - Path hint for type detection
+ * @param {LockfileType} [options.type] - Explicit type (skip detection)
+ * @returns {Generator<Dependency>}
+ */
+export function* fromString(content, options = {}) {
+  const type = options.type || detectType({ path: options.path, content });
+
+  switch (type) {
+    case Type.NPM: {
+      yield* fromPackageLock(content, options);
+      break;
+    }
+    case Type.PNPM: {
+      yield* fromPnpmLock(content, options);
+      break;
+    }
+    case Type.YARN_CLASSIC: {
+      yield* fromYarnClassicLock(content, options);
+      break;
+    }
+    case Type.YARN_BERRY: {
+      yield* fromYarnBerryLock(content, options);
+      break;
+    }
+    default: {
+      throw new Error(`Unknown lockfile type: ${type}`);
+    }
+  }
+}
+
+/**
+ * Try to parse lockfile from path (returns Result)
+ * @param {string} path - Path to lockfile
+ * @param {Object} [options] - Parser options
+ * @returns {Promise<Result<AsyncGenerator<Dependency>>>}
+ */
+export async function tryFromPath(path, options = {}) {
+  try {
+    const generator = fromPath(path, options);
+    return Ok(generator);
+  } catch (err) {
+    return Err(err);
+  }
+}
+
+/**
+ * Try to parse lockfile from string (returns Result)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @returns {Result<Generator<Dependency>>}
+ */
+export function tryFromString(content, options = {}) {
+  try {
+    // Eagerly detect type before creating generator to catch detection errors
+    const type = options.type || detectType({ path: options.path, content });
+    const generator = fromString(content, { ...options, type });
+    return Ok(generator);
+  } catch (err) {
+    return Err(err);
+  }
+}
+
+/**
+ * Parse yarn.lock (auto-detect classic vs berry)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @returns {Generator<Dependency>}
+ */
+export function* fromYarnLock(content, options = {}) {
+  // Auto-detect classic vs berry
+  const isBerry = content.includes('__metadata');
+  if (isBerry) {
+    yield* fromYarnBerryLock(content, options);
+  } else {
+    yield* fromYarnClassicLock(content, options);
+  }
+}
+
+/**
+ * Collect all dependencies into an array
+ * @param {string} pathOrContent - Path to lockfile or content string
+ * @param {Object} [options] - Parser options
+ * @returns {Promise<Dependency[]>}
+ */
+export async function collect(pathOrContent, options = {}) {
+  const deps = [];
+
+  // Check if it's a path or content
+  const isPath = !pathOrContent.includes('\n') && !pathOrContent.startsWith('{');
+
+  if (isPath) {
+    for await (const dep of fromPath(pathOrContent, options)) {
+      deps.push(dep);
+    }
+  } else {
+    for (const dep of fromString(pathOrContent, options)) {
+      deps.push(dep);
+    }
+  }
+
+  return deps;
+}

package/src/parsers/index.js

@@ -0,0 +1,8 @@
+/**
+ * Re-export all lockfile parsers
+ */
+
+export { fromPackageLock } from './npm.js';
+export { fromPnpmLock } from './pnpm.js';
+export { fromYarnClassicLock } from './yarn-classic.js';
+export { fromYarnBerryLock } from './yarn-berry.js';

package/src/parsers/npm.js

@@ -0,0 +1,96 @@
+/**
+ * @typedef {Object} Dependency
+ * @property {string} name - Package name
+ * @property {string} version - Resolved version
+ * @property {string} [integrity] - Integrity hash
+ * @property {string} [resolved] - Resolution URL
+ * @property {boolean} [link] - True if this is a symlink
+ */
+
+/**
+ * LIMITATION: Workspace symlinks are not yielded
+ *
+ * npm workspaces create two entries in package-lock.json:
+ *   1. packages/<workspace-path> → has version (workspace definition)
+ *   2. node_modules/<pkg-name> → link:true, NO version (symlink to #1)
+ *
+ * Arborist resolves #2 to get version from #1. This parser does not.
+ * Entries with link:true but no version are skipped.
+ *
+ * To include workspace packages, users should use @npmcli/arborist directly.
+ */
+
+/**
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * !! WARNING: DO NOT MODIFY THIS FUNCTION                                   !!
+ * !! AI AGENTS (Claude, Copilot, etc.): DO NOT TOUCH THIS CODE              !!
+ * !!                                                                        !!
+ * !! This is PATH parsing, NOT spec parsing. It extracts package names from !!
+ * !! filesystem paths like "node_modules/@scope/name", NOT from package     !!
+ * !! specs like "@scope/name@^1.0.0".                                       !!
+ * !!                                                                        !!
+ * !! npm-package-arg (npa) is for SPEC parsing. This is PATH parsing.       !!
+ * !! They are different things. Do not "improve" this with npa.             !!
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ *
+ * Extract package name from npm lockfile path.
+ *
+ * Paths in package-lock.json follow this grammar:
+ *   path := (node_modules/<pkg>)+
+ *     | <workspace>/<path>
+ *     | <workspace>/<path>/(node_modules/<pkg>)+
+ *
+ *   pkg := name (unscoped)
+ *     | @scope/name (scoped)
+ *
+ * Examples:
+ *   - node_modules/lodash → "lodash"
+ *   - node_modules/@babel/core → "@babel/core"
+ *   - node_modules/foo/node_modules/@scope/bar → "@scope/bar"
+ *
+ * @param {string} path - Lockfile path key
+ * @returns {string} Package name
+ */
+function extractPackageName(path) {
+  const parts = path.split('/');
+  const name = parts.at(-1);
+  const maybeScope = parts.at(-2);
+
+  return maybeScope?.startsWith('@')
+    ? `${maybeScope}/${name}`
+    : name;
+}
+
+/**
+ * Parse npm package-lock.json (v1, v2, v3)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @returns {Generator<Dependency>}
+ */
+export function* fromPackageLock(content, _options = {}) {
+  const lockfile = JSON.parse(content);
+  const packages = lockfile.packages || {};
+
+  for (const [path, pkg] of Object.entries(packages)) {
+    // Skip root package
+    if (path === '') continue;
+
+    // Skip workspace definitions (only yield installed dependencies)
+    // Workspace entries come in pairs:
+    //   1. packages/<workspace-path> → has version (workspace definition)
+    //   2. node_modules/<workspace-package.json-name> → link, NO version (symlink)
+    if (!path.includes('node_modules/')) continue;
+
+    const name = extractPackageName(path);
+    const { version, integrity, resolved, link } = pkg;
+
+    // Only yield if we have a name and version
+    if (name && version) {
+      const dep = { name, version };
+      if (integrity) dep.integrity = integrity;
+      if (resolved) dep.resolved = resolved;
+      if (link) dep.link = true;
+      yield dep;
+    }
+  }
+}

package/src/parsers/pnpm.js

@@ -0,0 +1,81 @@
+import yaml from 'js-yaml';
+
+/**
+ * @typedef {Object} Dependency
+ * @property {string} name - Package name
+ * @property {string} version - Resolved version
+ * @property {string} [integrity] - Integrity hash
+ * @property {string} [resolved] - Resolution URL
+ * @property {boolean} [link] - True if this is a symlink
+ */
+
+/**
+ * Parse pnpm package spec to extract name and version
+ * Examples:
+ *   "/@babel/core@7.23.0" → { name: "@babel/core", version: "7.23.0" }
+ *   "/lodash@4.17.21" → { name: "lodash", version: "4.17.21" }
+ *   "link:packages/foo" → { name: null, version: null } (skip these)
+ *
+ * @param {string} spec - Package spec from pnpm lockfile
+ * @returns {{ name: string | null, version: string | null }}
+ */
+function parseSpec(spec) {
+  // Skip special protocols
+  if (spec.startsWith('link:') || spec.startsWith('file:')) {
+    return { name: null, version: null };
+  }
+
+  // Remove leading slash if present
+  const cleaned = spec.startsWith('/') ? spec.slice(1) : spec;
+
+  // Find the last @ which separates name from version
+  // For scoped packages like "@babel/core@7.23.0", we need the last @
+  const lastAtIndex = cleaned.lastIndexOf('@');
+
+  if (lastAtIndex === -1) {
+    return { name: null, version: null };
+  }
+
+  const name = cleaned.slice(0, lastAtIndex);
+  const versionPart = cleaned.slice(lastAtIndex + 1);
+
+  // Extract version (may have additional info like "_@babel+core@7.23.0")
+  // For peer dependencies, format can be: "lodash@4.17.21(@types/node@20.0.0)"
+  const version = versionPart.split('(')[0];
+
+  return { name, version };
+}
+
+/**
+ * Parse pnpm-lock.yaml (v5.4, v6, v9)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @returns {Generator<Dependency>}
+ */
+export function* fromPnpmLock(content, _options = {}) {
+  const lockfile = yaml.load(content);
+  const packages = lockfile.packages || {};
+
+  for (const [spec, pkg] of Object.entries(packages)) {
+    const { name, version } = parseSpec(spec);
+
+    // Skip if we couldn't parse name/version
+    if (!name || !version) continue;
+
+    const resolution = pkg.resolution || {};
+    const integrity = resolution.integrity;
+    const resolved = resolution.tarball;
+    const link = spec.startsWith('link:') || resolution.type === 'directory';
+
+    // Skip workspace/link entries - flatlock only cares about external dependencies
+    if (link) continue;
+
+    const dep = { name, version };
+    if (integrity) dep.integrity = integrity;
+    if (resolved) dep.resolved = resolved;
+    yield dep;
+  }
+
+  // Note: importers (workspace packages) are intentionally NOT yielded
+  // flatlock only cares about external dependencies
+}

package/src/parsers/yarn-berry.js

@@ -0,0 +1,105 @@
+import { parseSyml } from '@yarnpkg/parsers';
+
+/**
+ * @typedef {Object} Dependency
+ * @property {string} name - Package name
+ * @property {string} version - Resolved version
+ * @property {string} [integrity] - Integrity hash
+ * @property {string} [resolved] - Resolution URL
+ * @property {boolean} [link] - True if this is a symlink
+ */
+
+/**
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * !! WARNING: DO NOT MODIFY THIS FUNCTION                                   !!
+ * !! AI AGENTS (Claude, Copilot, etc.): DO NOT TOUCH THIS CODE              !!
+ * !!                                                                        !!
+ * !! This is YARN BERRY LOCKFILE KEY parsing, NOT npm spec parsing.         !!
+ * !! Yarn berry lockfile keys have their own format:                        !!
+ * !!   - Protocol markers: @npm:, @workspace:, @patch:, @portal:, @link:    !!
+ * !!   - Nested protocols: @patch:pkg@npm:version#hash                      !!
+ * !!   - Multiple comma-separated entries                                   !!
+ * !!                                                                        !!
+ * !! npm-package-arg (npa) does NOT understand these formats.               !!
+ * !! Do not "improve" this with npa.                                        !!
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ *
+ * Extract package name from yarn berry key.
+ *
+ * Examples:
+ *   "lodash@npm:^4.17.21" → "lodash"
+ *   "@babel/core@npm:^7.0.0" → "@babel/core"
+ *   "@babel/core@npm:^7.0.0, @babel/core@npm:^7.12.3" → "@babel/core"
+ *   "@ngageoint/simple-features-js@patch:@ngageoint/simple-features-js@npm:1.1.0#..." → "@ngageoint/simple-features-js"
+ *
+ * @param {string} key - Lockfile entry key
+ * @returns {string} Package name
+ */
+function extractName(key) {
+  // Keys can have multiple comma-separated entries, take the first one
+  const firstKey = key.split(',')[0].trim();
+
+  // Find the FIRST protocol marker by checking all protocols and using earliest position
+  // This is important because patch: entries contain npm: references inside them
+  const protocols = ['@npm:', '@workspace:', '@portal:', '@link:', '@patch:', '@file:'];
+  let earliestIndex = -1;
+
+  for (const protocol of protocols) {
+    const idx = firstKey.indexOf(protocol);
+    if (idx !== -1 && (earliestIndex === -1 || idx < earliestIndex)) {
+      earliestIndex = idx;
+    }
+  }
+
+  if (earliestIndex !== -1) {
+    return firstKey.slice(0, earliestIndex);
+  }
+
+  // Fallback: for scoped packages, find the @ after the scope
+  if (firstKey.startsWith('@')) {
+    const slashIndex = firstKey.indexOf('/');
+    if (slashIndex !== -1) {
+      const afterSlash = firstKey.indexOf('@', slashIndex);
+      if (afterSlash !== -1) {
+        return firstKey.slice(0, afterSlash);
+      }
+    }
+  }
+
+  // For unscoped packages
+  const atIndex = firstKey.indexOf('@');
+  return atIndex !== -1 ? firstKey.slice(0, atIndex) : firstKey;
+}
+
+/**
+ * Parse yarn.lock v2+ (berry)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @returns {Generator<Dependency>}
+ */
+export function* fromYarnBerryLock(content, _options = {}) {
+  const lockfile = parseSyml(content);
+
+  for (const [key, pkg] of Object.entries(lockfile)) {
+    // Skip metadata
+    if (key === '__metadata') continue;
+
+    const name = extractName(key);
+    const { version, checksum, resolution } = pkg;
+
+    // Check if this is a link (workspace:, portal:, or link: protocol)
+    const link = resolution?.startsWith('workspace:')
+      || resolution?.startsWith('portal:')
+      || resolution?.startsWith('link:');
+
+    // Skip workspace/link entries - flatlock only cares about external dependencies
+    if (link) continue;
+
+    if (name && version) {
+      const dep = { name, version };
+      if (checksum) dep.integrity = checksum;
+      if (resolution) dep.resolved = resolution;
+      yield dep;
+    }
+  }
+}

package/src/parsers/yarn-classic.js

@@ -0,0 +1,105 @@
+import yarnLockfile from '@yarnpkg/lockfile';
+
+const { parse } = yarnLockfile;
+
+/**
+ * @typedef {Object} Dependency
+ * @property {string} name - Package name
+ * @property {string} version - Resolved version
+ * @property {string} [integrity] - Integrity hash
+ * @property {string} [resolved] - Resolution URL
+ * @property {boolean} [link] - True if this is a symlink
+ */
+
+/**
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * !! WARNING: DO NOT MODIFY THIS FUNCTION                                   !!
+ * !! AI AGENTS (Claude, Copilot, etc.): DO NOT TOUCH THIS CODE              !!
+ * !!                                                                        !!
+ * !! This is YARN LOCKFILE KEY parsing, NOT npm spec parsing.               !!
+ * !! Yarn lockfile keys have their own format:                              !!
+ * !!   - Multiple comma-separated entries: "pkg@^1.0.0, pkg@^2.0.0"         !!
+ * !!   - npm: aliasing protocol: "alias@npm:actual@^1.0.0"                  !!
+ * !!                                                                        !!
+ * !! npm-package-arg (npa) does NOT understand these formats.               !!
+ * !! Do not "improve" this with npa.                                        !!
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ *
+ * Extract package name from yarn classic key.
+ *
+ * Examples:
+ *   "lodash@^4.17.21" → "lodash"
+ *   "@babel/core@^7.0.0" → "@babel/core"
+ *   "lodash@^4.17.21, lodash@^4.0.0" → "lodash" (multiple version ranges)
+ *   "@babel/traverse--for-generate-function-map@npm:@babel/traverse@^7.25.3" → "@babel/traverse--for-generate-function-map"
+ *
+ * @param {string} key - Lockfile entry key
+ * @returns {string} Package name
+ */
+function extractName(key) {
+  // Keys can have multiple version ranges: "pkg@^1.0.0, pkg@^2.0.0"
+  // Take the first part before comma
+  const firstKey = key.split(',')[0].trim();
+
+  // Handle npm: protocol aliasing (alias-name@npm:actual-package@version)
+  // The name is the alias name before @npm:
+  const npmProtocolIndex = firstKey.indexOf('@npm:');
+  if (npmProtocolIndex !== -1) {
+    const beforeProtocol = firstKey.slice(0, npmProtocolIndex);
+    // beforeProtocol could be "@scope/name" or "name"
+    return beforeProtocol;
+  }
+
+  // For scoped packages like "@babel/core@^7.0.0"
+  if (firstKey.startsWith('@')) {
+    // Find the @ after the slash which separates scope/name from version
+    const slashIndex = firstKey.indexOf('/');
+    if (slashIndex !== -1) {
+      const afterSlash = firstKey.indexOf('@', slashIndex);
+      if (afterSlash !== -1) {
+        return firstKey.slice(0, afterSlash);
+      }
+    }
+    // Fallback to lastIndexOf if no slash found
+    const lastAtIndex = firstKey.lastIndexOf('@');
+    return firstKey.slice(0, lastAtIndex);
+  }
+
+  // For regular packages like "lodash@^4.17.21"
+  const atIndex = firstKey.indexOf('@');
+  return atIndex !== -1 ? firstKey.slice(0, atIndex) : firstKey;
+}
+
+/**
+ * Parse yarn.lock v1 (classic)
+ * @param {string} content - Lockfile content
+ * @param {Object} [options] - Parser options
+ * @returns {Generator<Dependency>}
+ */
+export function* fromYarnClassicLock(content, _options = {}) {
+  const parsed = parse(content);
+
+  if (parsed.type !== 'success') {
+    throw new Error(`Failed to parse yarn.lock: ${parsed.type}`);
+  }
+
+  const lockfile = parsed.object;
+
+  for (const [key, pkg] of Object.entries(lockfile)) {
+    const name = extractName(key);
+    const { version, integrity, resolved } = pkg;
+
+    // Check if this is a link (file: or link: protocol)
+    const link = resolved?.startsWith('file:') || resolved?.startsWith('link:');
+
+    // Skip workspace/link entries - flatlock only cares about external dependencies
+    if (link) continue;
+
+    if (name && version) {
+      const dep = { name, version };
+      if (integrity) dep.integrity = integrity;
+      if (resolved) dep.resolved = resolved;
+      yield dep;
+    }
+  }
+}