flatlock 1.1.0 → 1.2.0

package/README.md

@@ -11,7 +11,7 @@ Most lockfile parsers (like `@npmcli/arborist` or `snyk-nodejs-lockfile-parser`)
 **flatlock** takes a different approach: it extracts a flat stream of packages from any lockfile format. No trees, no graphs, no edges - just packages.
 
 ```javascript
-import * as `flatlock`from 'flatlock';
+import * as flatlock from 'flatlock';
 
 // Stream packages from any lockfile
 for await (const pkg of flatlock.fromPath('./package-lock.json')) {
@@ -89,6 +89,59 @@ Each yielded package has:
 }
 ```
 
+## FlatlockSet
+
+For more advanced use cases, `FlatlockSet` provides Set-like operations on lockfile dependencies:
+
+```javascript
+import { FlatlockSet } from 'flatlock';
+
+// Create from lockfile
+const set = await FlatlockSet.fromPath('./package-lock.json');
+console.log(set.size); // 1234
+console.log(set.has('lodash@4.17.21')); // true
+
+// Set operations (immutable - return new sets)
+const other = await FlatlockSet.fromPath('./other-lock.json');
+const common = set.intersection(other);  // packages in both
+const added = other.difference(set);     // packages only in other
+const all = set.union(other);            // packages in either
+
+// Predicates
+set.isSubsetOf(other);    // true if all packages in set are in other
+set.isSupersetOf(other);  // true if set contains all packages in other
+set.isDisjointFrom(other); // true if no packages in common
+
+// Iterate like a Set
+for (const dep of set) {
+  console.log(dep.name, dep.version);
+}
+```
+
+### Workspace-Specific SBOMs
+
+For monorepos, use `dependenciesOf()` to get only the dependencies of a specific workspace:
+
+```javascript
+import { readFile } from 'node:fs/promises';
+import { FlatlockSet } from 'flatlock';
+
+const lockfile = await FlatlockSet.fromPath('./package-lock.json');
+const pkg = JSON.parse(await readFile('./packages/api/package.json', 'utf8'));
+
+// Get only dependencies reachable from this workspace
+const subset = lockfile.dependenciesOf(pkg, {
+  workspacePath: 'packages/api',  // for correct resolution in monorepos
+  dev: false,                      // exclude devDependencies
+  optional: true,                  // include optionalDependencies
+  peer: false                      // exclude peerDependencies
+});
+
+console.log(`${pkg.name} has ${subset.size} production dependencies`);
+```
+
+**Note:** Sets created via `union()`, `intersection()`, or `difference()` cannot use `dependenciesOf()` because they lack the raw lockfile data needed for traversal. Check `set.canTraverse` before calling.
+
 ## License
 
 Apache-2.0

package/bin/flatlock-cmp.js

@@ -5,18 +5,6 @@ import { join } from 'node:path';
 import { parseArgs } from 'node:util';
 import * as flatlock from '../src/index.js';
 
-/**
- * Get comparison parser name for type
- */
-function getComparisonName(type) {
-  switch (type) {
-    case 'npm': return '@npmcli/arborist';
-    case 'yarn-classic': return '@yarnpkg/lockfile';
-    case 'yarn-berry': return '@yarnpkg/parsers';
-    case 'pnpm': return 'js-yaml';
-    default: return 'unknown';
-  }
-}
 
 /**
  * Convert glob pattern to regex
@@ -59,18 +47,17 @@ async function processFile(filepath, baseDir) {
   try {
     const result = await flatlock.compare(filepath);
     const rel = baseDir ? filepath.replace(baseDir + '/', '') : filepath;
-    const comparisonName = getComparisonName(result.type);
 
-    if (result.identical === null) {
+    if (result.equinumerous === null) {
       // Unsupported type or no comparison available
       return {
         type: result.type,
         path: rel,
-        comparisonName,
+        source: result.source || 'unknown',
         flatlockCount: result.flatlockCount,
         comparisonCount: null,
         workspaceCount: 0,
-        identical: null,
+        equinumerous: null,
         onlyInFlatlock: null,
         onlyInComparison: null
       };
@@ -79,11 +66,11 @@ async function processFile(filepath, baseDir) {
     return {
       type: result.type,
       path: rel,
-      comparisonName,
+      source: result.source,
       flatlockCount: result.flatlockCount,
       comparisonCount: result.comparisonCount,
       workspaceCount: result.workspaceCount,
-      identical: result.identical,
+      equinumerous: result.equinumerous,
       onlyInFlatlock: result.onlyInFlatlock,
       onlyInComparison: result.onlyInComparison
     };
@@ -118,10 +105,21 @@ Options:
   -h, --help           Show this help
 
 Comparison parsers (workspace/link entries excluded from all):
-  npm:          @npmcli/arborist (loadVirtual)
+  npm:          @npmcli/arborist (preferred) or @cyclonedx/cyclonedx-npm
   yarn-classic: @yarnpkg/lockfile
   yarn-berry:   @yarnpkg/parsers
-  pnpm:         js-yaml
+  pnpm:         @pnpm/lockfile.fs (preferred) or js-yaml
+
+Result types:
+  ✓ equinumerous  Same packages in both (exact match)
+  ⊃ SUPERSET      flatlock found MORE packages (expected for pnpm)
+  ❌ MISMATCH      Unexpected difference (comparison found packages flatlock missed)
+
+Note on pnpm supersets:
+  flatlock performs full reachability analysis on lockfiles, finding all
+  transitive dependencies. pnpm's official tools don't enumerate all reachable
+  packages - they omit some transitive deps from their API output. When flatlock
+  finds MORE packages than pnpm, this is expected and correct behavior.
 
 Examples:
   flatlock-cmp package-lock.json
@@ -153,6 +151,7 @@ Examples:
   let fileCount = 0;
   let errorCount = 0;
   let matchCount = 0;
+  let supersetCount = 0;  // flatlock found more (expected for pnpm reachability)
   let mismatchCount = 0;
 
   for (const file of files) {
@@ -175,44 +174,61 @@ Examples:
       if (!values.quiet) {
         console.log(`\n⚠️  ${result.path}`);
         console.log(`   flatlock: ${result.flatlockCount} packages`);
-        console.log(`   ${result.comparisonName}: unavailable`);
+        console.log(`   ${result.source}: unavailable`);
       }
       continue;
     }
 
     totalComparison += result.comparisonCount;
 
-    if (result.identical) {
+    if (result.equinumerous) {
       matchCount++;
       if (!values.quiet) {
         const wsNote = result.workspaceCount > 0 ? ` (${result.workspaceCount} workspaces excluded)` : '';
         console.log(`✓  ${result.path}${wsNote}`);
-        console.log(`   count: flatlock=${result.flatlockCount} ${result.comparisonName}=${result.comparisonCount}`);
-        console.log(`   sets:  identical`);
+        console.log(`   count: flatlock=${result.flatlockCount} ${result.source}=${result.comparisonCount}`);
+        console.log(`   sets:  equinumerous`);
       }
     } else {
-      mismatchCount++;
-      console.log(`\n❌ ${result.path}`);
-      console.log(`   count: flatlock=${result.flatlockCount} ${result.comparisonName}=${result.comparisonCount}`);
-      console.log(`   sets:  MISMATCH`);
-
-      if (result.onlyInFlatlock.length > 0) {
-        console.log(`   only in flatlock (${result.onlyInFlatlock.length}):`);
-        for (const pkg of result.onlyInFlatlock.slice(0, 10)) {
-          console.log(`     + ${pkg}`);
-        }
-        if (result.onlyInFlatlock.length > 10) {
-          console.log(`     ... and ${result.onlyInFlatlock.length - 10} more`);
+      // Determine if this is a "superset" (flatlock found more, expected for pnpm)
+      // or a true "mismatch" (comparison found packages flatlock missed)
+      const isPnpm = result.type === 'pnpm' || result.path.includes('pnpm-lock');
+      const isSuperset = result.onlyInFlatlock.length > 0 && result.onlyInComparison.length === 0;
+
+      if (isPnpm && isSuperset) {
+        // Expected behavior: flatlock's reachability analysis found more packages
+        supersetCount++;
+        if (!values.quiet) {
+          const wsNote = result.workspaceCount > 0 ? ` (${result.workspaceCount} workspaces excluded)` : '';
+          console.log(`⊃  ${result.path}${wsNote}`);
+          console.log(`   count: flatlock=${result.flatlockCount} ${result.source}=${result.comparisonCount}`);
+          console.log(`   sets:  SUPERSET (+${result.onlyInFlatlock.length} reachable deps)`);
+          console.log(`   note:  flatlock's reachability analysis found transitive deps pnpm omits`);
         }
-      }
+      } else {
+        mismatchCount++;
+        console.log(`\n❌ ${result.path}`);
+        console.log(`   count: flatlock=${result.flatlockCount} ${result.source}=${result.comparisonCount}`);
+        console.log(`   sets:  MISMATCH`);
 
-      if (result.onlyInComparison.length > 0) {
-        console.log(`   only in ${result.comparisonName} (${result.onlyInComparison.length}):`);
-        for (const pkg of result.onlyInComparison.slice(0, 10)) {
-          console.log(`     - ${pkg}`);
+        if (result.onlyInFlatlock.length > 0) {
+          console.log(`   only in flatlock (${result.onlyInFlatlock.length}):`);
+          for (const pkg of result.onlyInFlatlock.slice(0, 10)) {
+            console.log(`     + ${pkg}`);
+          }
+          if (result.onlyInFlatlock.length > 10) {
+            console.log(`     ... and ${result.onlyInFlatlock.length - 10} more`);
+          }
         }
-        if (result.onlyInComparison.length > 10) {
-          console.log(`     ... and ${result.onlyInComparison.length - 10} more`);
+
+        if (result.onlyInComparison.length > 0) {
+          console.log(`   only in ${result.source} (${result.onlyInComparison.length}):`);
+          for (const pkg of result.onlyInComparison.slice(0, 10)) {
+            console.log(`     - ${pkg}`);
+          }
+          if (result.onlyInComparison.length > 10) {
+            console.log(`     ... and ${result.onlyInComparison.length - 10} more`);
+          }
         }
       }
     }
@@ -220,7 +236,13 @@ Examples:
 
   // Summary
   console.log('\n' + '='.repeat(70));
-  console.log(`SUMMARY: ${fileCount} files, ${matchCount} identical, ${mismatchCount} mismatches, ${errorCount} errors`);
+  const summaryParts = [`${fileCount} files`, `${matchCount} equinumerous`];
+  if (supersetCount > 0) {
+    summaryParts.push(`${supersetCount} supersets`);
+  }
+  summaryParts.push(`${mismatchCount} mismatches`, `${errorCount} errors`);
+  console.log(`SUMMARY: ${summaryParts.join(', ')}`);
+
   console.log(`  flatlock total:    ${totalFlatlock.toString().padStart(8)} packages`);
   if (totalComparison > 0) {
     console.log(`  comparison total:  ${totalComparison.toString().padStart(8)} packages`);
@@ -228,8 +250,12 @@ Examples:
   if (totalWorkspaces > 0) {
     console.log(`  workspaces:        ${totalWorkspaces.toString().padStart(8)} excluded (local/workspace refs)`);
   }
+  if (supersetCount > 0) {
+    console.log(`  supersets:         ${supersetCount.toString().padStart(8)} (flatlock found more via reachability)`);
+  }
 
-  // Exit with error if any mismatches
+  // Exit with error only for true mismatches (not supersets)
+  // Supersets are expected: flatlock's reachability analysis is more thorough
   if (mismatchCount > 0) {
     process.exit(1);
   }

package/dist/compare.d.ts

@@ -14,11 +14,25 @@ export function compare(filepath: string, options?: CompareOptions): Promise<Com
 export function compareAll(filepaths: string[], options?: CompareOptions): AsyncGenerator<ComparisonResult & {
     filepath: string;
 }>;
+/**
+ * Check which optional comparison parsers are available
+ * @returns {Promise<{ arborist: boolean, cyclonedx: boolean, pnpmLockfileFs: boolean, yarnCore: boolean }>}
+ */
+export function getAvailableParsers(): Promise<{
+    arborist: boolean;
+    cyclonedx: boolean;
+    pnpmLockfileFs: boolean;
+    yarnCore: boolean;
+}>;
 export type CompareOptions = {
     /**
-     * - Temp directory for Arborist (npm only)
+     * - Temp directory for Arborist/CycloneDX (npm only)
      */
     tmpDir?: string;
+    /**
+     * - Workspace paths for CycloneDX (-w flag)
+     */
+    workspace?: string[];
 };
 export type ComparisonResult = {
     /**
@@ -26,9 +40,13 @@ export type ComparisonResult = {
      */
     type: string;
     /**
-     * - Whether flatlock matches comparison parser
+     * - Comparison source used (e.g., '@npmcli/arborist', '@cyclonedx/cyclonedx-npm')
      */
-    identical: boolean | null;
+    source?: string;
+    /**
+     * - Whether flatlock and comparison have same cardinality
+     */
+    equinumerous: boolean | null;
     /**
      * - Number of packages found by flatlock
      */
@@ -59,5 +77,9 @@ export type PackagesResult = {
      * - Number of workspace packages skipped
      */
     workspaceCount: number;
+    /**
+     * - Comparison source used
+     */
+    source: string;
 };
 //# sourceMappingURL=compare.d.ts.map

package/dist/compare.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compare.d.ts","sourceRoot":"","sources":["../src/compare.js"],"names":[],"mappings":"AAyMA;;;;;GAKG;AACH,kCAJW,MAAM,YACN,cAAc,GACZ,OAAO,CAAC,gBAAgB,CAAC,CA6CrC;AAED;;;;;GAKG;AACH,sCAJW,MAAM,EAAE,YACR,cAAc,GACZ,cAAc,CAAC,gBAAgB,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAMnE;;;;;aAzPa,MAAM;;;;;;UAKN,MAAM;;;;eACN,OAAO,GAAG,IAAI;;;;mBACd,MAAM;;;;sBACN,MAAM;;;;qBACN,MAAM;;;;qBACN,MAAM,EAAE;;;;uBACR,MAAM,EAAE;;;;;;cAKR,GAAG,CAAC,MAAM,CAAC;;;;oBACX,MAAM"}
+{"version":3,"file":"compare.d.ts","sourceRoot":"","sources":["../src/compare.js"],"names":[],"mappings":"AAyhBA;;;;;GAKG;AACH,kCAJW,MAAM,YACN,cAAc,GACZ,OAAO,CAAC,gBAAgB,CAAC,CA8CrC;AAED;;;;;GAKG;AACH,sCAJW,MAAM,EAAE,YACR,cAAc,GACZ,cAAc,CAAC,gBAAgB,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAMnE;AAED;;;GAGG;AACH,uCAFa,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAgB1G;;;;;aAnhBa,MAAM;;;;gBACN,MAAM,EAAE;;;;;;UAKR,MAAM;;;;aACN,MAAM;;;;kBACN,OAAO,GAAG,IAAI;;;;mBACd,MAAM;;;;sBACN,MAAM;;;;qBACN,MAAM;;;;qBACN,MAAM,EAAE;;;;uBACR,MAAM,EAAE;;;;;;cAKR,GAAG,CAAC,MAAM,CAAC;;;;oBACX,MAAM;;;;YACN,MAAM"}

package/dist/detect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../src/detect.js"],"names":[],"mappings":"AA8FA;;;;;;;;;;;;;;GAcG;AACH,+CALG;IAAyB,IAAI;IACJ,OAAO;CAChC,GAAU,YAAY,CAgDxB;AAtJD;;GAEG;AAEH;;GAEG;AACH;;;;;GAKG;2BAXU,KAAK,GAAG,MAAM,GAAG,cAAc,GAAG,YAAY"}
+{"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../src/detect.js"],"names":[],"mappings":"AA6FA;;;;;;;;;;;;;;GAcG;AACH,+CALG;IAAyB,IAAI;IACJ,OAAO;CAChC,GAAU,YAAY,CAgDxB;AArJD;;GAEG;AAEH;;GAEG;AACH;;;;;GAKG;2BAXU,KAAK,GAAG,MAAM,GAAG,cAAc,GAAG,YAAY"}

package/dist/index.d.ts

@@ -65,6 +65,8 @@ import { fromPackageLock } from './parsers/index.js';
 import { fromPnpmLock } from './parsers/index.js';
 import { fromYarnClassicLock } from './parsers/index.js';
 import { fromYarnBerryLock } from './parsers/index.js';
-export { Type, detectType, Ok, Err, fromPackageLock, fromPnpmLock, fromYarnClassicLock, fromYarnBerryLock };
+import { FlatlockSet } from './set.js';
+export { Type, detectType, Ok, Err, fromPackageLock, fromPnpmLock, fromYarnClassicLock, fromYarnBerryLock, FlatlockSet };
+export { compare, compareAll, getAvailableParsers } from "./compare.js";
 export { parseNpmKey, parsePnpmKey, parseYarnBerryKey, parseYarnClassicKey } from "./parsers/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.js"],"names":[],"mappings":"AA4BA;;;;;GAKG;AACH,+BAJW,MAAM,YACN,MAAM,GACJ,cAAc,CAAC,UAAU,CAAC,CAOtC;AAED;;;;;;;GAOG;AACH,oCANW,MAAM,YAEd;IAAyB,IAAI;IACE,IAAI;CACnC,GAAU,SAAS,CAAC,UAAU,CAAC,CA0BjC;AAED;;;;;GAKG;AACH,kCAJW,MAAM,YACN,YAAY,GACV,OAAO,CAAC,OAAO,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAS7E;AAED;;;;;GAKG;AACH,uCAJW,MAAM,YACN,YAAY,GACV,OAAO,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAW/D;AAED;;;;;GAKG;AACH,sCAJW,MAAM,YACN,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CAUjC;AAED;;;;;GAKG;AACH,uCAJW,MAAM,YACN,MAAM,GACJ,OAAO,CAAC,UAAU,EAAE,CAAC,CAmBjC;2BAxIa,OAAO,aAAa,EAAE,YAAY;yBAClC,OAAO,kBAAkB,EAAE,UAAU;;;;;WAIrC,MAAM;;;;WACN,YAAY;;qBAfO,aAAa;2BAAb,aAAa;mBAOtB,aAAa;oBAAb,aAAa;gCAD9B,oBAAoB;6BAApB,oBAAoB;oCAApB,oBAAoB;kCAApB,oBAAoB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.js"],"names":[],"mappings":"AAgCA;;;;;GAKG;AACH,+BAJW,MAAM,YACN,MAAM,GACJ,cAAc,CAAC,UAAU,CAAC,CAOtC;AAED;;;;;;;GAOG;AACH,oCANW,MAAM,YAEd;IAAyB,IAAI;IACE,IAAI;CACnC,GAAU,SAAS,CAAC,UAAU,CAAC,CA0BjC;AAED;;;;;GAKG;AACH,kCAJW,MAAM,YACN,YAAY,GACV,OAAO,CAAC,OAAO,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAS7E;AAED;;;;;GAKG;AACH,uCAJW,MAAM,YACN,YAAY,GACV,OAAO,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAW/D;AAED;;;;;GAKG;AACH,sCAJW,MAAM,YACN,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CAUjC;AAED;;;;;GAKG;AACH,uCAJW,MAAM,YACN,MAAM,GACJ,OAAO,CAAC,UAAU,EAAE,CAAC,CAmBjC;2BA3Ia,OAAO,aAAa,EAAE,YAAY;yBAClC,OAAO,kBAAkB,EAAE,UAAU;;;;;WAIrC,MAAM;;;;WACN,YAAY;;qBAhBO,aAAa;2BAAb,aAAa;mBAOtB,aAAa;oBAAb,aAAa;gCAD9B,oBAAoB;6BAApB,oBAAoB;oCAApB,oBAAoB;kCAApB,oBAAoB;4BAEC,UAAU"}

package/dist/parsers/index.d.ts

@@ -1,5 +1,5 @@
 export { fromPackageLock, parseLockfileKey as parseNpmKey } from "./npm.js";
 export { fromPnpmLock, parseLockfileKey as parsePnpmKey } from "./pnpm.js";
-export { fromYarnBerryLock, parseLockfileKey as parseYarnBerryKey } from "./yarn-berry.js";
-export { fromYarnClassicLock, parseLockfileKey as parseYarnClassicKey } from "./yarn-classic.js";
+export { fromYarnBerryLock, parseLockfileKey as parseYarnBerryKey, parseResolution as parseYarnBerryResolution } from "./yarn-berry.js";
+export { fromYarnClassicLock, parseLockfileKey as parseYarnClassicKey, parseYarnClassic } from "./yarn-classic.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/parsers/npm.d.ts

@@ -1,11 +1,4 @@
-/**
- * @typedef {Object} Dependency
- * @property {string} name - Package name
- * @property {string} version - Resolved version
- * @property {string} [integrity] - Integrity hash
- * @property {string} [resolved] - Resolution URL
- * @property {boolean} [link] - True if this is a symlink
- */
+/** @typedef {import('./types.js').Dependency} Dependency */
 /**
  * LIMITATION: Workspace symlinks are not yielded
  *
@@ -41,42 +34,76 @@
  *   pkg := name (unscoped)
  *     | @scope/name (scoped)
  *
- * Examples:
- *   - node_modules/lodash → "lodash"
- *   - node_modules/@babel/core → "@babel/core"
- *   - node_modules/foo/node_modules/@scope/bar → "@scope/bar"
- *
  * @param {string} path - Lockfile path key
  * @returns {string} Package name
+ *
+ * @example
+ * // Simple unscoped package
+ * parseLockfileKey('node_modules/lodash')
+ * // => 'lodash'
+ *
+ * @example
+ * // Scoped package
+ * parseLockfileKey('node_modules/@babel/core')
+ * // => '@babel/core'
+ *
+ * @example
+ * // Nested dependency (hoisted conflict resolution)
+ * parseLockfileKey('node_modules/foo/node_modules/bar')
+ * // => 'bar'
+ *
+ * @example
+ * // Nested scoped dependency
+ * parseLockfileKey('node_modules/foo/node_modules/@scope/bar')
+ * // => '@scope/bar'
+ *
+ * @example
+ * // Deeply nested dependency
+ * parseLockfileKey('node_modules/a/node_modules/b/node_modules/c')
+ * // => 'c'
+ *
+ * @example
+ * // Deeply nested scoped dependency
+ * parseLockfileKey('node_modules/a/node_modules/@types/node')
+ * // => '@types/node'
+ *
+ * @example
+ * // Workspace package path (definition)
+ * parseLockfileKey('packages/my-lib')
+ * // => 'my-lib'
+ *
+ * @example
+ * // Workspace nested dependency
+ * parseLockfileKey('packages/my-lib/node_modules/lodash')
+ * // => 'lodash'
+ *
+ * @example
+ * // Workspace nested scoped dependency
+ * parseLockfileKey('packages/my-lib/node_modules/@types/react')
+ * // => '@types/react'
+ *
+ * @example
+ * // Package with hyphenated name
+ * parseLockfileKey('node_modules/string-width')
+ * // => 'string-width'
+ *
+ * @example
+ * // Scoped package with hyphenated name
+ * parseLockfileKey('node_modules/@emotion/styled')
+ * // => '@emotion/styled'
+ *
+ * @example
+ * // Complex nested path
+ * parseLockfileKey('node_modules/@babel/core/node_modules/@babel/helper-compilation-targets')
+ * // => '@babel/helper-compilation-targets'
  */
 export function parseLockfileKey(path: string): string;
 /**
  * Parse npm package-lock.json (v1, v2, v3)
- * @param {string} content - Lockfile content
+ * @param {string | object} input - Lockfile content string or pre-parsed object
  * @param {Object} [_options] - Parser options (unused, reserved for future use)
  * @returns {Generator<Dependency>}
  */
-export function fromPackageLock(content: string, _options?: Object): Generator<Dependency>;
-export type Dependency = {
-    /**
-     * - Package name
-     */
-    name: string;
-    /**
-     * - Resolved version
-     */
-    version: string;
-    /**
-     * - Integrity hash
-     */
-    integrity?: string;
-    /**
-     * - Resolution URL
-     */
-    resolved?: string;
-    /**
-     * - True if this is a symlink
-     */
-    link?: boolean;
-};
+export function fromPackageLock(input: string | object, _options?: Object): Generator<Dependency>;
+export type Dependency = import("./types.js").Dependency;
 //# sourceMappingURL=npm.d.ts.map

package/dist/parsers/npm.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"npm.d.ts","sourceRoot":"","sources":["../../src/parsers/npm.js"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,uCAHW,MAAM,GACJ,MAAM,CAQlB;AAED;;;;;GAKG;AACH,yCAJW,MAAM,aACN,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CA6BjC;;;;;UA5Fa,MAAM;;;;aACN,MAAM;;;;gBACN,MAAM;;;;eACN,MAAM;;;;WACN,OAAO"}
+{"version":3,"file":"npm.d.ts","sourceRoot":"","sources":["../../src/parsers/npm.js"],"names":[],"mappings":"AAAA,4DAA4D;AAE5D;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqFG;AACH,uCA/DW,MAAM,GACJ,MAAM,CAoElB;AAED;;;;;GAKG;AACH,uCAJW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CA6BjC;yBA9Ia,OAAO,YAAY,EAAE,UAAU"}

package/dist/parsers/pnpm/detect.d.ts

@@ -0,0 +1,136 @@
+/**
+ * @fileoverview Version detection for pnpm lockfiles
+ *
+ * Detects the era and version of pnpm lockfiles including:
+ * - shrinkwrap.yaml (v3/v4) from 2016-2019
+ * - pnpm-lock.yaml v5.x (2019-2022)
+ * - pnpm-lock.yaml v6.0 (2023)
+ * - pnpm-lock.yaml v9.0 (2024+)
+ *
+ * @module flatlock/parsers/pnpm/detect
+ */
+/**
+ * @typedef {'shrinkwrap'|'v5'|'v5-inline'|'v6'|'v9'|'unknown'} LockfileEra
+ */
+/**
+ * @typedef {Object} DetectedVersion
+ * @property {LockfileEra} era - The lockfile era/format family
+ * @property {string|number} version - The raw version from the lockfile
+ * @property {boolean} isShrinkwrap - True if this is a shrinkwrap.yaml file
+ */
+/**
+ * Detect the version and era of a pnpm lockfile.
+ *
+ * Version detection rules:
+ * - If `shrinkwrapVersion` exists: shrinkwrap era (v3/v4)
+ * - If `lockfileVersion` is a number: v5 era
+ * - If `lockfileVersion` is '5.4-inlineSpecifiers': v5-inline era
+ * - If `lockfileVersion` starts with '6': v6 era
+ * - If `lockfileVersion` starts with '9': v9 era
+ *
+ * @param {Object} lockfile - Parsed pnpm lockfile object
+ * @param {string|number} [lockfile.lockfileVersion] - The lockfile version field
+ * @param {number} [lockfile.shrinkwrapVersion] - The shrinkwrap version field (v3/v4)
+ * @param {number} [lockfile.shrinkwrapMinorVersion] - Minor version for shrinkwrap
+ * @returns {DetectedVersion} The detected version information
+ *
+ * @example
+ * // shrinkwrap.yaml v3
+ * detectVersion({ shrinkwrapVersion: 3 })
+ * // => { era: 'shrinkwrap', version: 3, isShrinkwrap: true }
+ *
+ * @example
+ * // pnpm-lock.yaml v5.4
+ * detectVersion({ lockfileVersion: 5.4 })
+ * // => { era: 'v5', version: 5.4, isShrinkwrap: false }
+ *
+ * @example
+ * // pnpm-lock.yaml v6.0
+ * detectVersion({ lockfileVersion: '6.0' })
+ * // => { era: 'v6', version: '6.0', isShrinkwrap: false }
+ *
+ * @example
+ * // pnpm-lock.yaml v9.0
+ * detectVersion({ lockfileVersion: '9.0' })
+ * // => { era: 'v9', version: '9.0', isShrinkwrap: false }
+ */
+export function detectVersion(lockfile: {
+    lockfileVersion?: string | number | undefined;
+    shrinkwrapVersion?: number | undefined;
+    shrinkwrapMinorVersion?: number | undefined;
+}): DetectedVersion;
+/**
+ * Check if a lockfile uses the v6+ package key format (name@version).
+ *
+ * v5 and earlier use: /name/version or /@scope/name/version
+ * v6+ use: /name@version or /@scope/name@version
+ * v9+ use: name@version (no leading slash)
+ *
+ * @param {DetectedVersion} detected - The detected version info
+ * @returns {boolean} True if the lockfile uses @ separator for name@version
+ *
+ * @example
+ * usesAtSeparator({ era: 'v5', version: 5.4 }) // => false
+ * usesAtSeparator({ era: 'v6', version: '6.0' }) // => true
+ * usesAtSeparator({ era: 'v9', version: '9.0' }) // => true
+ */
+export function usesAtSeparator(detected: DetectedVersion): boolean;
+/**
+ * Check if a lockfile uses the packages/snapshots split (v9+).
+ *
+ * v9 separates package metadata (packages) from dependency relationships (snapshots).
+ *
+ * @param {DetectedVersion} detected - The detected version info
+ * @returns {boolean} True if the lockfile has packages/snapshots split
+ *
+ * @example
+ * usesSnapshotsSplit({ era: 'v6', version: '6.0' }) // => false
+ * usesSnapshotsSplit({ era: 'v9', version: '9.0' }) // => true
+ */
+export function usesSnapshotsSplit(detected: DetectedVersion): boolean;
+/**
+ * Check if a lockfile uses inline specifiers.
+ *
+ * v5.4-inlineSpecifiers and v6+ use inline specifiers in importers.
+ * Earlier versions have a separate `specifiers` block.
+ *
+ * @param {DetectedVersion} detected - The detected version info
+ * @returns {boolean} True if specifiers are inlined
+ *
+ * @example
+ * usesInlineSpecifiers({ era: 'v5', version: 5.4 }) // => false
+ * usesInlineSpecifiers({ era: 'v5-inline', version: '5.4-inlineSpecifiers' }) // => true
+ * usesInlineSpecifiers({ era: 'v6', version: '6.0' }) // => true
+ */
+export function usesInlineSpecifiers(detected: DetectedVersion): boolean;
+/**
+ * Check if package keys have a leading slash.
+ *
+ * v5 and v6 use leading slash: /name/version or /name@version
+ * v9 omits leading slash: name@version
+ *
+ * @param {DetectedVersion} detected - The detected version info
+ * @returns {boolean} True if package keys have leading slash
+ *
+ * @example
+ * hasLeadingSlash({ era: 'v5', version: 5.4 }) // => true
+ * hasLeadingSlash({ era: 'v6', version: '6.0' }) // => true
+ * hasLeadingSlash({ era: 'v9', version: '9.0' }) // => false
+ */
+export function hasLeadingSlash(detected: DetectedVersion): boolean;
+export type LockfileEra = "shrinkwrap" | "v5" | "v5-inline" | "v6" | "v9" | "unknown";
+export type DetectedVersion = {
+    /**
+     * - The lockfile era/format family
+     */
+    era: LockfileEra;
+    /**
+     * - The raw version from the lockfile
+     */
+    version: string | number;
+    /**
+     * - True if this is a shrinkwrap.yaml file
+     */
+    isShrinkwrap: boolean;
+};
+//# sourceMappingURL=detect.d.ts.map

package/dist/parsers/pnpm/detect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../../../src/parsers/pnpm/detect.js"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;GAEG;AAEH;;;;;GAKG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wCAzBG;IAAiC,eAAe;IACtB,iBAAiB;IACjB,sBAAsB;CAChD,GAAU,eAAe,CAyF3B;AAED;;;;;;;;;;;;;;GAcG;AACH,0CARW,eAAe,GACb,OAAO,CASnB;AAED;;;;;;;;;;;GAWG;AACH,6CAPW,eAAe,GACb,OAAO,CAQnB;AAED;;;;;;;;;;;;;GAaG;AACH,+CARW,eAAe,GACb,OAAO,CASnB;AAED;;;;;;;;;;;;;GAaG;AACH,0CARW,eAAe,GACb,OAAO,CASnB;0BAxLY,YAAY,GAAC,IAAI,GAAC,WAAW,GAAC,IAAI,GAAC,IAAI,GAAC,SAAS;;;;;SAKhD,WAAW;;;;aACX,MAAM,GAAC,MAAM;;;;kBACb,OAAO"}