flatlock 1.1.0 → 1.2.0

package/src/parsers/pnpm/v6plus.js

@@ -0,0 +1,290 @@
+/**
+ * @fileoverview Parser for pnpm-lock.yaml v6+ format (v6.0 and v9.0)
+ *
+ * pnpm-lock.yaml v6+ format (2023+) characteristics:
+ * - File: pnpm-lock.yaml
+ * - Version field: lockfileVersion (string like '6.0', '9.0')
+ * - Package key format:
+ *   - v6: /name@version or /@scope/name@version (with leading slash)
+ *   - v9: name@version or @scope/name@version (no leading slash)
+ * - Peer dependency suffix: (peer@ver) in parentheses
+ *   Example: /@babel/core@7.23.0(@types/node@20.0.0)
+ *
+ * Key differences from v5:
+ * - Uses @ separator between name and version instead of /
+ * - Peer suffix uses parentheses () instead of underscore _
+ * - Peer names are human-readable (no hashing)
+ * - v9 additionally removes leading slash from keys
+ *
+ * @module flatlock/parsers/pnpm/v6plus
+ */
+
+/**
+ * @typedef {Object} ParsedSpec
+ * @property {string|null} name - The package name (null if unparseable)
+ * @property {string|null} version - The package version (null if unparseable)
+ */
+
+/**
+ * Parse a pnpm-lock.yaml v6+ package spec.
+ *
+ * v6/v9 format uses:
+ * - @ separator between name and version: name@version
+ * - Leading slash in v6: /name@version, no slash in v9: name@version
+ * - Peer dependencies in parentheses: name@version(peer@ver)
+ * - Scoped packages: @scope/name@version
+ * - Multiple peers: name@version(peer1@ver)(peer2@ver)
+ *
+ * @param {string} spec - Package spec from pnpm-lock.yaml packages section
+ * @returns {ParsedSpec} Parsed name and version
+ *
+ * @example
+ * // Unscoped package (v6 format with leading slash)
+ * parseSpecV6Plus('/lodash@4.17.21')
+ * // => { name: 'lodash', version: '4.17.21' }
+ *
+ * @example
+ * // Unscoped package (v9 format without leading slash)
+ * parseSpecV6Plus('lodash@4.17.21')
+ * // => { name: 'lodash', version: '4.17.21' }
+ *
+ * @example
+ * // Scoped package (v6)
+ * parseSpecV6Plus('/@babel/core@7.23.0')
+ * // => { name: '@babel/core', version: '7.23.0' }
+ *
+ * @example
+ * // Scoped package (v9)
+ * parseSpecV6Plus('@babel/core@7.23.0')
+ * // => { name: '@babel/core', version: '7.23.0' }
+ *
+ * @example
+ * // With peer dependency suffix
+ * parseSpecV6Plus('/@babel/core@7.23.0(@types/node@20.0.0)')
+ * // => { name: '@babel/core', version: '7.23.0' }
+ *
+ * @example
+ * // With multiple peer dependencies
+ * parseSpecV6Plus('/@aleph-alpha/config-css@0.18.4(@unocss/core@66.5.2)(postcss@8.5.6)')
+ * // => { name: '@aleph-alpha/config-css', version: '0.18.4' }
+ *
+ * @example
+ * // Prerelease version
+ * parseSpecV6Plus('/unusual-pkg@1.0.0-beta.1')
+ * // => { name: 'unusual-pkg', version: '1.0.0-beta.1' }
+ *
+ * @example
+ * // Package with hyphenated name
+ * parseSpecV6Plus('/string-width@4.2.3')
+ * // => { name: 'string-width', version: '4.2.3' }
+ *
+ * @example
+ * // Scoped package with hyphenated name
+ * parseSpecV6Plus('@babel/helper-compilation-targets@7.23.6')
+ * // => { name: '@babel/helper-compilation-targets', version: '7.23.6' }
+ *
+ * @example
+ * // Complex nested peer dependencies (v9)
+ * parseSpecV6Plus('@testing-library/react@14.0.0(react-dom@18.2.0)(react@18.2.0)')
+ * // => { name: '@testing-library/react', version: '14.0.0' }
+ *
+ * @example
+ * // link: protocol - skipped
+ * parseSpecV6Plus('link:packages/my-pkg')
+ * // => { name: null, version: null }
+ *
+ * @example
+ * // file: protocol - skipped
+ * parseSpecV6Plus('file:../local-package')
+ * // => { name: null, version: null }
+ *
+ * @example
+ * // Null input
+ * parseSpecV6Plus(null)
+ * // => { name: null, version: null }
+ *
+ * @example
+ * // Build metadata version
+ * parseSpecV6Plus('esbuild@0.19.12+sha512.abc123')
+ * // => { name: 'esbuild', version: '0.19.12+sha512.abc123' }
+ */
+export function parseSpecV6Plus(spec) {
+  // Handle null/undefined input
+  if (spec == null || typeof spec !== 'string') {
+    return { name: null, version: null };
+  }
+
+  // Skip special protocols
+  if (spec.startsWith('link:') || spec.startsWith('file:')) {
+    return { name: null, version: null };
+  }
+
+  // Remove leading slash if present (v6 has it, v9 doesn't)
+  let cleaned = spec.startsWith('/') ? spec.slice(1) : spec;
+
+  // Handle empty string
+  if (!cleaned) {
+    return { name: null, version: null };
+  }
+
+  // Strip peer dependency suffixes FIRST (before looking for @ separator)
+  // v6+/v9 format uses parentheses: "@babel/core@7.23.0(@types/node@20.0.0)"
+  const parenIndex = cleaned.indexOf('(');
+  if (parenIndex !== -1) {
+    cleaned = cleaned.slice(0, parenIndex);
+  }
+
+  // Find the last @ which separates name from version
+  // For scoped packages like "@babel/core@7.23.0", we need the last @
+  const lastAtIndex = cleaned.lastIndexOf('@');
+
+  // If we found an @ that's not at position 0, use v6+ parsing
+  if (lastAtIndex > 0) {
+    const name = cleaned.slice(0, lastAtIndex);
+    const version = cleaned.slice(lastAtIndex + 1);
+
+    // Validate we have both name and version
+    if (!name || !version) {
+      return { name: null, version: null };
+    }
+
+    return { name, version };
+  }
+
+  // No valid @ separator found (or @ is at position 0 meaning just a scope)
+  return { name: null, version: null };
+}
+
+/**
+ * Check if a spec has peer dependency suffix (v6+ format).
+ *
+ * In v6+, peer dependencies are in parentheses: name@version(peer@ver)
+ *
+ * @param {string} spec - Package spec from pnpm-lock.yaml
+ * @returns {boolean} True if the spec has peer dependency suffix
+ *
+ * @example
+ * hasPeerSuffixV6Plus('/lodash@4.17.21') // => false
+ * hasPeerSuffixV6Plus('/@babel/core@7.23.0(@types/node@20.0.0)') // => true
+ * hasPeerSuffixV6Plus('lodash@4.17.21') // => false
+ * hasPeerSuffixV6Plus('@emotion/styled@10.0.27(react@17.0.2)') // => true
+ */
+export function hasPeerSuffixV6Plus(spec) {
+  if (spec == null || typeof spec !== 'string') {
+    return false;
+  }
+
+  return spec.includes('(') && spec.includes(')');
+}
+
+/**
+ * Extract the peer dependency suffix from a v6+ spec.
+ *
+ * @param {string} spec - Package spec from pnpm-lock.yaml v6+
+ * @returns {string|null} The peer suffix (including parentheses) or null if none
+ *
+ * @example
+ * extractPeerSuffixV6Plus('/lodash@4.17.21') // => null
+ * extractPeerSuffixV6Plus('/@babel/core@7.23.0(@types/node@20.0.0)') // => '(@types/node@20.0.0)'
+ * extractPeerSuffixV6Plus('/@pkg@1.0.0(peer1@2.0.0)(peer2@3.0.0)') // => '(peer1@2.0.0)(peer2@3.0.0)'
+ */
+export function extractPeerSuffixV6Plus(spec) {
+  if (spec == null || typeof spec !== 'string') {
+    return null;
+  }
+
+  const parenIndex = spec.indexOf('(');
+  if (parenIndex === -1) {
+    return null;
+  }
+
+  return spec.slice(parenIndex);
+}
+
+/**
+ * Parse peer dependencies from a v6+ peer suffix.
+ *
+ * @param {string} peerSuffix - The peer suffix like '(peer1@1.0.0)(peer2@2.0.0)'
+ * @returns {Array<{name: string, version: string}>} Array of parsed peer dependencies
+ *
+ * @example
+ * // Single scoped peer
+ * parsePeerDependencies('(@types/node@20.0.0)')
+ * // => [{ name: '@types/node', version: '20.0.0' }]
+ *
+ * @example
+ * // Multiple unscoped peers
+ * parsePeerDependencies('(react@18.2.0)(typescript@5.3.3)')
+ * // => [{ name: 'react', version: '18.2.0' }, { name: 'typescript', version: '5.3.3' }]
+ *
+ * @example
+ * // Single unscoped peer
+ * parsePeerDependencies('(lodash@4.17.21)')
+ * // => [{ name: 'lodash', version: '4.17.21' }]
+ *
+ * @example
+ * // Multiple scoped peers
+ * parsePeerDependencies('(@babel/core@7.23.0)(@types/react@18.2.0)')
+ * // => [{ name: '@babel/core', version: '7.23.0' }, { name: '@types/react', version: '18.2.0' }]
+ *
+ * @example
+ * // Mixed scoped and unscoped peers
+ * parsePeerDependencies('(react@18.2.0)(@types/react@18.2.0)')
+ * // => [{ name: 'react', version: '18.2.0' }, { name: '@types/react', version: '18.2.0' }]
+ *
+ * @example
+ * // React ecosystem peers (common pattern)
+ * parsePeerDependencies('(react-dom@18.2.0)(react@18.2.0)')
+ * // => [{ name: 'react-dom', version: '18.2.0' }, { name: 'react', version: '18.2.0' }]
+ *
+ * @example
+ * // Many peers (complex component library)
+ * parsePeerDependencies('(@unocss/core@66.5.2)(postcss@8.5.6)(typescript@5.3.3)')
+ * // => [{ name: '@unocss/core', version: '66.5.2' }, { name: 'postcss', version: '8.5.6' }, { name: 'typescript', version: '5.3.3' }]
+ *
+ * @example
+ * // Prerelease peer version
+ * parsePeerDependencies('(next@14.0.0-canary.0)')
+ * // => [{ name: 'next', version: '14.0.0-canary.0' }]
+ *
+ * @example
+ * // Empty/null input
+ * parsePeerDependencies(null)
+ * // => []
+ *
+ * @example
+ * // No parentheses (invalid)
+ * parsePeerDependencies('react@18.2.0')
+ * // => []
+ *
+ * @example
+ * // Deeply scoped peer
+ * parsePeerDependencies('(@babel/helper-compilation-targets@7.23.6)')
+ * // => [{ name: '@babel/helper-compilation-targets', version: '7.23.6' }]
+ */
+export function parsePeerDependencies(peerSuffix) {
+  if (peerSuffix == null || typeof peerSuffix !== 'string') {
+    return [];
+  }
+
+  const peers = [];
+
+  // Match each (name@version) group
+  const regex = /\(([^)]+)\)/g;
+
+  for (const match of peerSuffix.matchAll(regex)) {
+    const peerSpec = match[1];
+    const lastAtIndex = peerSpec.lastIndexOf('@');
+
+    if (lastAtIndex > 0) {
+      const name = peerSpec.slice(0, lastAtIndex);
+      const version = peerSpec.slice(lastAtIndex + 1);
+
+      if (name && version) {
+        peers.push({ name, version });
+      }
+    }
+  }
+
+  return peers;
+}

package/src/parsers/pnpm.js

@@ -1,94 +1,16 @@
-import yaml from 'js-yaml';
-
-/**
- * @typedef {Object} Dependency
- * @property {string} name - Package name
- * @property {string} version - Resolved version
- * @property {string} [integrity] - Integrity hash
- * @property {string} [resolved] - Resolution URL
- * @property {boolean} [link] - True if this is a symlink
- */
-
 /**
- * Parse pnpm package spec to extract name and version
- * Examples:
- *   "/@babel/core@7.23.0" → { name: "@babel/core", version: "7.23.0" }
- *   "/lodash@4.17.21" → { name: "lodash", version: "4.17.21" }
- *   "link:packages/foo" → { name: null, version: null } (skip these)
+ * @fileoverview pnpm lockfile parser - re-exports from modular implementation
  *
- * @param {string} spec - Package spec from pnpm lockfile
- * @returns {{ name: string | null, version: string | null }}
- */
-// Internal function - also exported for compare.js (not part of public API)
-export function parseSpec(spec) {
-  // Skip special protocols
-  if (spec.startsWith('link:') || spec.startsWith('file:')) {
-    return { name: null, version: null };
-  }
-
-  // Remove leading slash if present
-  const cleaned = spec.startsWith('/') ? spec.slice(1) : spec;
-
-  // Find the last @ which separates name from version
-  // For scoped packages like "@babel/core@7.23.0", we need the last @
-  const lastAtIndex = cleaned.lastIndexOf('@');
-
-  if (lastAtIndex === -1) {
-    return { name: null, version: null };
-  }
-
-  const name = cleaned.slice(0, lastAtIndex);
-  const versionPart = cleaned.slice(lastAtIndex + 1);
-
-  // Extract version (may have additional info like "_@babel+core@7.23.0")
-  // For peer dependencies, format can be: "lodash@4.17.21(@types/node@20.0.0)"
-  const version = versionPart.split('(')[0];
-
-  return { name, version };
-}
-
-/**
- * Extract package name from pnpm lockfile key.
- * Wraps parseSpec to return just the name (consistent with other parsers).
+ * This file maintains backward compatibility by re-exporting the pnpm parser
+ * from its new modular location at ./pnpm/index.js
  *
- * @param {string} key - pnpm lockfile key
- * @returns {string | null} Package name
- */
-export function parseLockfileKey(key) {
-  return parseSpec(key).name;
-}
-
-/**
- * Parse pnpm-lock.yaml (v5.4, v6, v9)
- * @param {string} content - Lockfile content
- * @param {Object} [_options] - Parser options (unused, reserved for future use)
- * @returns {Generator<Dependency>}
+ * Supported formats:
+ * - shrinkwrap.yaml v3/v4 (2016-2019)
+ * - pnpm-lock.yaml v5.x (2019-2022)
+ * - pnpm-lock.yaml v6.0 (2023)
+ * - pnpm-lock.yaml v9.0 (2024+)
+ *
+ * @module flatlock/parsers/pnpm
  */
-export function* fromPnpmLock(content, _options = {}) {
-  const lockfile = /** @type {{ packages?: Record<string, any> }} */ (yaml.load(content));
-  const packages = lockfile.packages || {};
-
-  for (const [spec, pkg] of Object.entries(packages)) {
-    const { name, version } = parseSpec(spec);
-
-    // Skip if we couldn't parse name/version
-    if (!name || !version) continue;
-
-    const resolution = pkg.resolution || {};
-    const integrity = resolution.integrity;
-    const resolved = resolution.tarball;
-    const link = spec.startsWith('link:') || resolution.type === 'directory';
-
-    // Skip workspace/link entries - flatlock only cares about external dependencies
-    if (link) continue;
-
-    /** @type {Dependency} */
-    const dep = { name, version };
-    if (integrity) dep.integrity = integrity;
-    if (resolved) dep.resolved = resolved;
-    yield dep;
-  }
 
-  // Note: importers (workspace packages) are intentionally NOT yielded
-  // flatlock only cares about external dependencies
-}
+export * from './pnpm/index.js';

package/src/parsers/types.js

@@ -0,0 +1,10 @@
+/**
+ * @typedef {Object} Dependency
+ * @property {string} name - Package name
+ * @property {string} version - Resolved version
+ * @property {string} [integrity] - Integrity hash
+ * @property {string} [resolved] - Resolution URL
+ * @property {boolean} [link] - True if this is a symlink
+ */
+
+export {};

package/src/parsers/yarn-berry.js

@@ -1,39 +1,178 @@
 import { parseSyml } from '@yarnpkg/parsers';
 
+/** @typedef {import('./types.js').Dependency} Dependency */
+
 /**
- * @typedef {Object} Dependency
- * @property {string} name - Package name
- * @property {string} version - Resolved version
- * @property {string} [integrity] - Integrity hash
- * @property {string} [resolved] - Resolution URL
- * @property {boolean} [link] - True if this is a symlink
+ * Extract package name from yarn berry resolution field.
+ *
+ * The resolution field is the CANONICAL identifier and should be used instead of the key.
+ * Keys can contain npm aliases (e.g., "string-width-cjs@npm:string-width@^4.2.0") while
+ * the resolution always contains the actual package name (e.g., "string-width@npm:4.2.3").
+ *
+ * @param {string} resolution - Resolution field from lockfile entry
+ * @returns {string | null} Package name or null if parsing fails
+ *
+ * @example
+ * // Unscoped npm package
+ * parseResolution('lodash@npm:4.17.21')
+ * // => 'lodash'
+ *
+ * @example
+ * // Scoped npm package
+ * parseResolution('@babel/core@npm:7.24.0')
+ * // => '@babel/core'
+ *
+ * @example
+ * // Aliased package - resolution shows the REAL package name
+ * // (key was "string-width-cjs@npm:string-width@^4.2.0")
+ * parseResolution('string-width@npm:4.2.3')
+ * // => 'string-width'
+ *
+ * @example
+ * // Scoped aliased package - resolution shows the REAL package name
+ * // (key was "@babel-baseline/core@npm:@babel/core@7.24.4")
+ * parseResolution('@babel/core@npm:7.24.4')
+ * // => '@babel/core'
+ *
+ * @example
+ * // Patch protocol (nested protocols)
+ * parseResolution('pkg@patch:pkg@npm:1.0.0#./patch')
+ * // => 'pkg'
+ *
+ * @example
+ * // Scoped package with patch protocol
+ * parseResolution('@scope/pkg@patch:@scope/pkg@npm:1.0.0#./fix.patch')
+ * // => '@scope/pkg'
+ *
+ * @example
+ * // Workspace protocol
+ * parseResolution('my-pkg@workspace:packages/my-pkg')
+ * // => 'my-pkg'
+ *
+ * @example
+ * // Scoped workspace package
+ * parseResolution('@myorg/utils@workspace:packages/utils')
+ * // => '@myorg/utils'
+ *
+ * @example
+ * // Git protocol
+ * parseResolution('my-lib@git:github.com/user/repo#commit-hash')
+ * // => 'my-lib'
+ *
+ * @example
+ * // Null/empty input
+ * parseResolution(null)
+ * // => null
+ *
+ * @example
+ * // Empty string
+ * parseResolution('')
+ * // => null
+ *
+ * @example
+ * // Portal protocol (symlink to external package)
+ * parseResolution('@scope/external@portal:../external-pkg')
+ * // => '@scope/external'
  */
+export function parseResolution(resolution) {
+  if (!resolution) return null;
+
+  // Resolution format: name@protocol:version or @scope/name@protocol:version
+  // Examples:
+  //   "lodash@npm:4.17.21"
+  //   "@babel/core@npm:7.24.0"
+  //   "pkg@patch:pkg@npm:1.0.0#./patch"
+
+  // Handle scoped packages: @scope/name@protocol:version
+  if (resolution.startsWith('@')) {
+    const slashIndex = resolution.indexOf('/');
+    if (slashIndex !== -1) {
+      // Find the @ after the scope/name
+      const afterSlash = resolution.indexOf('@', slashIndex);
+      if (afterSlash !== -1) {
+        return resolution.slice(0, afterSlash);
+      }
+    }
+  }
+
+  // Handle unscoped packages: name@protocol:version
+  const atIndex = resolution.indexOf('@');
+  if (atIndex !== -1) {
+    return resolution.slice(0, atIndex);
+  }
+
+  return null;
+}
 
 /**
- * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- * !! WARNING: DO NOT MODIFY THIS FUNCTION                                   !!
- * !! AI AGENTS (Claude, Copilot, etc.): DO NOT TOUCH THIS CODE              !!
- * !!                                                                        !!
- * !! This is YARN BERRY LOCKFILE KEY parsing, NOT npm spec parsing.         !!
- * !! Yarn berry lockfile keys have their own format:                        !!
- * !!   - Protocol markers: @npm:, @workspace:, @patch:, @portal:, @link:    !!
- * !!   - Nested protocols: @patch:pkg@npm:version#hash                      !!
- * !!   - Multiple comma-separated entries                                   !!
- * !!                                                                        !!
- * !! npm-package-arg (npa) does NOT understand these formats.               !!
- * !! Do not "improve" this with npa.                                        !!
- * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- *
- * Extract package name from yarn berry key.
- *
- * Examples:
- *   "lodash@npm:^4.17.21" → "lodash"
- *   "@babel/core@npm:^7.0.0" → "@babel/core"
- *   "@babel/core@npm:^7.0.0, @babel/core@npm:^7.12.3" → "@babel/core"
- *   "@ngageoint/simple-features-js@patch:@ngageoint/simple-features-js@npm:1.1.0#..." → "@ngageoint/simple-features-js"
+ * Extract package name from yarn berry key (fallback for when resolution is unavailable).
+ *
+ * WARNING: Keys can contain npm aliases. Prefer parseResolution() when possible.
+ * The key may return an alias name instead of the real package name.
  *
  * @param {string} key - Lockfile entry key
- * @returns {string} Package name
+ * @returns {string} Package name (may be alias name, not canonical name)
+ *
+ * @example
+ * // Simple unscoped package
+ * parseLockfileKey('lodash@npm:^4.17.21')
+ * // => 'lodash'
+ *
+ * @example
+ * // Scoped package
+ * parseLockfileKey('@babel/core@npm:^7.24.0')
+ * // => '@babel/core'
+ *
+ * @example
+ * // Multiple version ranges (comma-separated) - takes first entry
+ * parseLockfileKey('@types/node@npm:^18.0.0, @types/node@npm:^20.0.0')
+ * // => '@types/node'
+ *
+ * @example
+ * // npm alias - returns the ALIAS name (not real package)
+ * // Use parseResolution() for the real package name
+ * parseLockfileKey('string-width-cjs@npm:string-width@^4.2.0')
+ * // => 'string-width-cjs'
+ *
+ * @example
+ * // Scoped npm alias
+ * parseLockfileKey('@babel-baseline/core@npm:@babel/core@7.24.4')
+ * // => '@babel-baseline/core'
+ *
+ * @example
+ * // Workspace protocol
+ * parseLockfileKey('my-pkg@workspace:packages/my-pkg')
+ * // => 'my-pkg'
+ *
+ * @example
+ * // Scoped workspace package
+ * parseLockfileKey('@myorg/utils@workspace:.')
+ * // => '@myorg/utils'
+ *
+ * @example
+ * // Portal protocol
+ * parseLockfileKey('external-pkg@portal:../some/path')
+ * // => 'external-pkg'
+ *
+ * @example
+ * // Link protocol
+ * parseLockfileKey('linked-pkg@link:./local')
+ * // => 'linked-pkg'
+ *
+ * @example
+ * // Patch protocol (complex nested format)
+ * parseLockfileKey('pkg@patch:pkg@npm:1.0.0#./patches/fix.patch')
+ * // => 'pkg'
+ *
+ * @example
+ * // Scoped patch
+ * parseLockfileKey('@scope/pkg@patch:@scope/pkg@npm:1.0.0#./fix.patch')
+ * // => '@scope/pkg'
+ *
+ * @example
+ * // File protocol
+ * parseLockfileKey('local-pkg@file:../local-package')
+ * // => 'local-pkg'
  */
 export function parseLockfileKey(key) {
   // Keys can have multiple comma-separated entries, take the first one
@@ -73,29 +212,37 @@ export function parseLockfileKey(key) {
 
 /**
  * Parse yarn.lock v2+ (berry)
- * @param {string} content - Lockfile content
+ * @param {string | object} input - Lockfile content string or pre-parsed object
  * @param {Object} [_options] - Parser options (unused, reserved for future use)
  * @returns {Generator<Dependency>}
  */
-export function* fromYarnBerryLock(content, _options = {}) {
-  const lockfile = parseSyml(content);
+export function* fromYarnBerryLock(input, _options = {}) {
+  const lockfile = typeof input === 'string' ? parseSyml(input) : input;
 
   for (const [key, pkg] of Object.entries(lockfile)) {
     // Skip metadata
     if (key === '__metadata') continue;
 
-    const name = parseLockfileKey(key);
     const { version, checksum, resolution } = pkg;
 
-    // Check if this is a link (workspace:, portal:, or link: protocol)
+    // Check if this is a local/workspace entry (workspace:, portal:, or link: protocol)
+    // The protocol appears after @ in both key and resolution: "pkg@workspace:..."
     const link =
-      resolution?.startsWith('workspace:') ||
-      resolution?.startsWith('portal:') ||
-      resolution?.startsWith('link:');
+      key.includes('@workspace:') ||
+      key.includes('@portal:') ||
+      key.includes('@link:') ||
+      resolution?.includes('@workspace:') ||
+      resolution?.includes('@portal:') ||
+      resolution?.includes('@link:');
 
     // Skip workspace/link entries - flatlock only cares about external dependencies
     if (link) continue;
 
+    // Use the resolution field for the package name - it's the canonical identifier
+    // Keys can contain npm aliases (e.g., "string-width-cjs@npm:string-width@^4.2.0")
+    // but resolution always has the actual package name (e.g., "string-width@npm:4.2.3")
+    const name = parseResolution(resolution) || parseLockfileKey(key);
+
     if (name && version) {
       /** @type {Dependency} */
       const dep = { name, version };