flatlock 1.2.0 → 1.4.0

package/bin/flatlock.js

@@ -0,0 +1,158 @@
+#!/usr/bin/env node
+/**
+ * flatlock - Get dependencies from a lockfile
+ *
+ * For monorepo workspaces, outputs the production dependencies of a workspace.
+ * For standalone packages, outputs all production dependencies.
+ *
+ * Usage:
+ *   flatlock <lockfile>                           # all deps (names only)
+ *   flatlock <lockfile> --specs                   # name@version
+ *   flatlock <lockfile> --json                    # JSON array
+ *   flatlock <lockfile> --specs --json            # JSON with versions
+ *   flatlock <lockfile> --specs --ndjson          # streaming NDJSON
+ *   flatlock <lockfile> --full --ndjson           # full metadata streaming
+ */
+
+import { parseArgs } from 'node:util';
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { FlatlockSet } from '../src/set.js';
+
+const { values, positionals } = parseArgs({
+  options: {
+    workspace: { type: 'string', short: 'w' },
+    dev: { type: 'boolean', default: false },
+    peer: { type: 'boolean', default: true },
+    specs: { type: 'boolean', short: 's', default: false },
+    json: { type: 'boolean', default: false },
+    ndjson: { type: 'boolean', default: false },
+    full: { type: 'boolean', default: false },
+    help: { type: 'boolean', short: 'h' }
+  },
+  allowPositionals: true
+});
+
+if (values.help || positionals.length === 0) {
+  console.log(`flatlock - Get dependencies from a lockfile
+
+Usage:
+  flatlock <lockfile>
+  flatlock <lockfile> --workspace <path>
+
+Options:
+  -w, --workspace <path>  Workspace path within monorepo
+  -s, --specs             Include version (name@version or {name,version})
+  --json                  Output as JSON array
+  --ndjson                Output as newline-delimited JSON (streaming)
+  --full                  Include all metadata (integrity, resolved)
+  --dev                   Include dev dependencies (default: false)
+  --peer                  Include peer dependencies (default: true)
+  -h, --help              Show this help
+
+Output formats:
+  (default)               package names, one per line
+  --specs                 package@version, one per line
+  --json                  ["package", ...]
+  --specs --json          [{"name":"...","version":"..."}, ...]
+  --full --json           [{"name":"...","version":"...","integrity":"...","resolved":"..."}, ...]
+  --ndjson                "package" per line
+  --specs --ndjson        {"name":"...","version":"..."} per line
+  --full --ndjson         {"name":"...","version":"...","integrity":"...","resolved":"..."} per line
+
+Examples:
+  flatlock package-lock.json
+  flatlock package-lock.json --specs
+  flatlock package-lock.json --specs --json
+  flatlock package-lock.json --full --ndjson | jq -c 'select(.name | startswith("@babel"))'
+  flatlock pnpm-lock.yaml -w packages/core -s --ndjson`);
+  process.exit(values.help ? 0 : 1);
+}
+
+if (values.json && values.ndjson) {
+  console.error('Error: --json and --ndjson are mutually exclusive');
+  process.exit(1);
+}
+
+// --full implies --specs
+if (values.full) {
+  values.specs = true;
+}
+
+const lockfilePath = positionals[0];
+
+/**
+ * Format a single dependency based on output options
+ * @param {{ name: string, version: string, integrity?: string, resolved?: string }} dep
+ * @param {{ specs: boolean, full: boolean }} options
+ * @returns {string | object}
+ */
+function formatDep(dep, { specs, full }) {
+  if (full) {
+    const obj = { name: dep.name, version: dep.version };
+    if (dep.integrity) obj.integrity = dep.integrity;
+    if (dep.resolved) obj.resolved = dep.resolved;
+    return obj;
+  }
+  if (specs) {
+    return { name: dep.name, version: dep.version };
+  }
+  return dep.name;
+}
+
+/**
+ * Output dependencies in the requested format
+ * @param {Iterable<{ name: string, version: string, integrity?: string, resolved?: string }>} deps
+ * @param {{ specs: boolean, json: boolean, ndjson: boolean, full: boolean }} options
+ */
+function outputDeps(deps, { specs, json, ndjson, full }) {
+  const sorted = [...deps].sort((a, b) => a.name.localeCompare(b.name));
+
+  if (json) {
+    const data = sorted.map(d => formatDep(d, { specs, full }));
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+
+  if (ndjson) {
+    for (const d of sorted) {
+      console.log(JSON.stringify(formatDep(d, { specs, full })));
+    }
+    return;
+  }
+
+  // Plain text
+  for (const d of sorted) {
+    console.log(specs ? `${d.name}@${d.version}` : d.name);
+  }
+}
+
+try {
+  const lockfile = await FlatlockSet.fromPath(lockfilePath);
+  let deps;
+
+  if (values.workspace) {
+    const repoDir = dirname(lockfilePath);
+    const workspacePkgPath = join(repoDir, values.workspace, 'package.json');
+    const workspacePkg = JSON.parse(readFileSync(workspacePkgPath, 'utf8'));
+
+    deps = await lockfile.dependenciesOf(workspacePkg, {
+      workspacePath: values.workspace,
+      repoDir,
+      dev: values.dev,
+      peer: values.peer
+    });
+  } else {
+    deps = lockfile;
+  }
+
+  outputDeps(deps, {
+    specs: values.specs,
+    json: values.json,
+    ndjson: values.ndjson,
+    full: values.full
+  });
+} catch (err) {
+  console.error(`Error: ${err.message}`);
+  process.exit(1);
+}

package/dist/compare.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compare.d.ts","sourceRoot":"","sources":["../src/compare.js"],"names":[],"mappings":"AAyhBA;;;;;GAKG;AACH,kCAJW,MAAM,YACN,cAAc,GACZ,OAAO,CAAC,gBAAgB,CAAC,CA8CrC;AAED;;;;;GAKG;AACH,sCAJW,MAAM,EAAE,YACR,cAAc,GACZ,cAAc,CAAC,gBAAgB,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAMnE;AAED;;;GAGG;AACH,uCAFa,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAgB1G;;;;;aAnhBa,MAAM;;;;gBACN,MAAM,EAAE;;;;;;UAKR,MAAM;;;;aACN,MAAM;;;;kBACN,OAAO,GAAG,IAAI;;;;mBACd,MAAM;;;;sBACN,MAAM;;;;qBACN,MAAM;;;;qBACN,MAAM,EAAE;;;;uBACR,MAAM,EAAE;;;;;;cAKR,GAAG,CAAC,MAAM,CAAC;;;;oBACX,MAAM;;;;YACN,MAAM"}
+{"version":3,"file":"compare.d.ts","sourceRoot":"","sources":["../src/compare.js"],"names":[],"mappings":"AAyhBA;;;;;GAKG;AACH,kCAJW,MAAM,YACN,cAAc,GACZ,OAAO,CAAC,gBAAgB,CAAC,CA4CrC;AAED;;;;;GAKG;AACH,sCAJW,MAAM,EAAE,YACR,cAAc,GACZ,cAAc,CAAC,gBAAgB,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAMnE;AAED;;;GAGG;AACH,uCAFa,OAAO,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,OAAO,CAAC;IAAC,cAAc,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAgB1G;;;;;aAjhBa,MAAM;;;;gBACN,MAAM,EAAE;;;;;;UAKR,MAAM;;;;aACN,MAAM;;;;kBACN,OAAO,GAAG,IAAI;;;;mBACd,MAAM;;;;sBACN,MAAM;;;;qBACN,MAAM;;;;qBACN,MAAM,EAAE;;;;uBACR,MAAM,EAAE;;;;;;cAKR,GAAG,CAAC,MAAM,CAAC;;;;oBACX,MAAM;;;;YACN,MAAM"}

package/dist/parsers/index.d.ts

@@ -1,5 +1,5 @@
-export { fromPackageLock, parseLockfileKey as parseNpmKey } from "./npm.js";
-export { fromPnpmLock, parseLockfileKey as parsePnpmKey } from "./pnpm.js";
-export { fromYarnBerryLock, parseLockfileKey as parseYarnBerryKey, parseResolution as parseYarnBerryResolution } from "./yarn-berry.js";
+export { buildWorkspacePackages as buildNpmWorkspacePackages, extractWorkspacePaths as extractNpmWorkspacePaths, fromPackageLock, parseLockfileKey as parseNpmKey } from "./npm.js";
+export { buildWorkspacePackages as buildPnpmWorkspacePackages, extractWorkspacePaths as extractPnpmWorkspacePaths, fromPnpmLock, parseLockfileKey as parsePnpmKey } from "./pnpm.js";
+export { buildWorkspacePackages as buildYarnBerryWorkspacePackages, extractWorkspacePaths as extractYarnBerryWorkspacePaths, fromYarnBerryLock, parseLockfileKey as parseYarnBerryKey, parseResolution as parseYarnBerryResolution } from "./yarn-berry.js";
 export { fromYarnClassicLock, parseLockfileKey as parseYarnClassicKey, parseYarnClassic } from "./yarn-classic.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/parsers/npm.d.ts

@@ -1,4 +1,13 @@
 /** @typedef {import('./types.js').Dependency} Dependency */
+/**
+ * @typedef {Object} WorkspacePackage
+ * @property {string} name
+ * @property {string} version
+ * @property {Record<string, string>} [dependencies]
+ * @property {Record<string, string>} [devDependencies]
+ * @property {Record<string, string>} [optionalDependencies]
+ * @property {Record<string, string>} [peerDependencies]
+ */
 /**
  * LIMITATION: Workspace symlinks are not yielded
  *
@@ -105,5 +114,41 @@ export function parseLockfileKey(path: string): string;
  * @returns {Generator<Dependency>}
  */
 export function fromPackageLock(input: string | object, _options?: Object): Generator<Dependency>;
+/**
+ * Extract workspace paths from npm lockfile.
+ *
+ * npm workspace packages are entries in `packages` that:
+ * - Are not the root ('')
+ * - Don't contain 'node_modules/' (those are installed deps)
+ * - Have a version field
+ *
+ * @param {string | object} input - Lockfile content string or pre-parsed object
+ * @returns {string[]} Array of workspace paths (e.g., ['workspaces/arborist', 'workspaces/libnpmfund'])
+ *
+ * @example
+ * extractWorkspacePaths(lockfile)
+ * // => ['workspaces/arborist', 'workspaces/libnpmfund', ...]
+ */
+export function extractWorkspacePaths(input: string | object): string[];
+/**
+ * Build workspace packages map by reading package.json files.
+ *
+ * @param {string | object} input - Lockfile content string or pre-parsed object
+ * @param {string} repoDir - Path to repository root
+ * @returns {Promise<Record<string, WorkspacePackage>>} Map of workspace path to package info
+ *
+ * @example
+ * const workspaces = await buildWorkspacePackages(lockfile, '/path/to/repo');
+ * // => { 'workspaces/arborist': { name: '@npmcli/arborist', version: '1.0.0', dependencies: {...} } }
+ */
+export function buildWorkspacePackages(input: string | object, repoDir: string): Promise<Record<string, WorkspacePackage>>;
 export type Dependency = import("./types.js").Dependency;
+export type WorkspacePackage = {
+    name: string;
+    version: string;
+    dependencies?: Record<string, string>;
+    devDependencies?: Record<string, string>;
+    optionalDependencies?: Record<string, string>;
+    peerDependencies?: Record<string, string>;
+};
 //# sourceMappingURL=npm.d.ts.map

package/dist/parsers/npm.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"npm.d.ts","sourceRoot":"","sources":["../../src/parsers/npm.js"],"names":[],"mappings":"AAAA,4DAA4D;AAE5D;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqFG;AACH,uCA/DW,MAAM,GACJ,MAAM,CAoElB;AAED;;;;;GAKG;AACH,uCAJW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CA6BjC;yBA9Ia,OAAO,YAAY,EAAE,UAAU"}
+{"version":3,"file":"npm.d.ts","sourceRoot":"","sources":["../../src/parsers/npm.js"],"names":[],"mappings":"AAGA,4DAA4D;AAE5D;;;;;;;;GAQG;AAEH;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqFG;AACH,uCA/DW,MAAM,GACJ,MAAM,CAoElB;AAED;;;;;GAKG;AACH,uCAJW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CA6BjC;AAED;;;;;;;;;;;;;;GAcG;AACH,6CAPW,MAAM,GAAG,MAAM,GACb,MAAM,EAAE,CAsBpB;AAED;;;;;;;;;;GAUG;AACH,8CARW,MAAM,GAAG,MAAM,WACf,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC,CA6BrD;yBA7Na,OAAO,YAAY,EAAE,UAAU;;UAI/B,MAAM;aACN,MAAM;mBACN,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;sBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;2BACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;uBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC"}

package/dist/parsers/pnpm/index.d.ts

@@ -115,6 +115,40 @@ export function parseLockfileKey(key: string): string | null;
  * const deps = [...fromPnpmLock(lockfile)];
  */
 export function fromPnpmLock(input: string | object, _options?: Object): Generator<Dependency>;
+/**
+ * Extract workspace paths from pnpm lockfile.
+ *
+ * pnpm stores workspace packages in the `importers` section.
+ * Each key is a workspace path relative to the repo root.
+ *
+ * @param {string | object} input - Lockfile content string or pre-parsed object
+ * @returns {string[]} Array of workspace paths (e.g., ['packages/foo', 'packages/bar'])
+ *
+ * @example
+ * extractWorkspacePaths(lockfile)
+ * // => ['packages/vue', 'packages/compiler-core', ...]
+ */
+export function extractWorkspacePaths(input: string | object): string[];
+/**
+ * Build workspace packages map by reading package.json files.
+ *
+ * @param {string | object} input - Lockfile content string or pre-parsed object
+ * @param {string} repoDir - Path to repository root
+ * @returns {Promise<Record<string, WorkspacePackage>>} Map of workspace path to package info
+ *
+ * @example
+ * const workspaces = await buildWorkspacePackages(lockfile, '/path/to/repo');
+ * // => { 'packages/foo': { name: '@scope/foo', version: '1.0.0', dependencies: {...} } }
+ */
+export function buildWorkspacePackages(input: string | object, repoDir: string): Promise<Record<string, WorkspacePackage>>;
 export { detectVersion } from "./detect.js";
 export type Dependency = import("../types.js").Dependency;
+export type WorkspacePackage = {
+    name: string;
+    version: string;
+    dependencies?: Record<string, string>;
+    devDependencies?: Record<string, string>;
+    optionalDependencies?: Record<string, string>;
+    peerDependencies?: Record<string, string>;
+};
 //# sourceMappingURL=index.d.ts.map

package/dist/parsers/pnpm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/parsers/pnpm/index.js"],"names":[],"mappings":"AA2BA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmFG;AACH,gCAzEW,MAAM,GACJ;IAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CA+H3D;AAED;;;;;;;;;;GAUG;AACH,sCAPW,MAAM,GACJ,MAAM,GAAG,IAAI,CAQzB;AAED;;;;;;;;;;;;;;;GAeG;AACH,oCAbW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CAoGjC;;yBA5Qa,OAAO,aAAa,EAAE,UAAU"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/parsers/pnpm/index.js"],"names":[],"mappings":"AAuCA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmFG;AACH,gCAzEW,MAAM,GACJ;IAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CA+H3D;AAED;;;;;;;;;;GAUG;AACH,sCAPW,MAAM,GACJ,MAAM,GAAG,IAAI,CAQzB;AAED;;;;;;;;;;;;;;;GAeG;AACH,oCAbW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CAoGjC;AAED;;;;;;;;;;;;GAYG;AACH,6CAPW,MAAM,GAAG,MAAM,GACb,MAAM,EAAE,CAapB;AAED;;;;;;;;;;GAUG;AACH,8CARW,MAAM,GAAG,MAAM,WACf,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC,CA6BrD;;yBAhVa,OAAO,aAAa,EAAE,UAAU;;UAIhC,MAAM;aACN,MAAM;mBACN,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;sBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;2BACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;uBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC"}

package/dist/parsers/yarn-berry.d.ts

@@ -1,4 +1,13 @@
 /** @typedef {import('./types.js').Dependency} Dependency */
+/**
+ * @typedef {Object} WorkspacePackage
+ * @property {string} name
+ * @property {string} version
+ * @property {Record<string, string>} [dependencies]
+ * @property {Record<string, string>} [devDependencies]
+ * @property {Record<string, string>} [optionalDependencies]
+ * @property {Record<string, string>} [peerDependencies]
+ */
 /**
  * Extract package name from yarn berry resolution field.
  *
@@ -150,5 +159,39 @@ export function parseLockfileKey(key: string): string;
  * @returns {Generator<Dependency>}
  */
 export function fromYarnBerryLock(input: string | object, _options?: Object): Generator<Dependency>;
+/**
+ * Extract workspace paths from yarn berry lockfile.
+ *
+ * Yarn berry workspace entries use `@workspace:` protocol in keys.
+ * Keys can have multiple comma-separated descriptors.
+ *
+ * @param {string | object} input - Lockfile content string or pre-parsed object
+ * @returns {string[]} Array of workspace paths (e.g., ['packages/foo', 'packages/bar'])
+ *
+ * @example
+ * extractWorkspacePaths(lockfile)
+ * // => ['packages/babel-core', 'packages/babel-parser', ...]
+ */
+export function extractWorkspacePaths(input: string | object): string[];
+/**
+ * Build workspace packages map by reading package.json files.
+ *
+ * @param {string | object} input - Lockfile content string or pre-parsed object
+ * @param {string} repoDir - Path to repository root
+ * @returns {Promise<Record<string, WorkspacePackage>>} Map of workspace path to package info
+ *
+ * @example
+ * const workspaces = await buildWorkspacePackages(lockfile, '/path/to/repo');
+ * // => { 'packages/foo': { name: '@scope/foo', version: '1.0.0', dependencies: {...} } }
+ */
+export function buildWorkspacePackages(input: string | object, repoDir: string): Promise<Record<string, WorkspacePackage>>;
 export type Dependency = import("./types.js").Dependency;
+export type WorkspacePackage = {
+    name: string;
+    version: string;
+    dependencies?: Record<string, string>;
+    devDependencies?: Record<string, string>;
+    optionalDependencies?: Record<string, string>;
+    peerDependencies?: Record<string, string>;
+};
 //# sourceMappingURL=yarn-berry.d.ts.map

package/dist/parsers/yarn-berry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"yarn-berry.d.ts","sourceRoot":"","sources":["../../src/parsers/yarn-berry.js"],"names":[],"mappings":"AAEA,4DAA4D;AAE5D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuEG;AACH,4CAjEW,MAAM,GACJ,MAAM,GAAG,IAAI,CA4FzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqEG;AACH,sCAhEW,MAAM,GACJ,MAAM,CAiGlB;AAED;;;;;GAKG;AACH,yCAJW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CAqCjC;yBA3Pa,OAAO,YAAY,EAAE,UAAU"}
+{"version":3,"file":"yarn-berry.d.ts","sourceRoot":"","sources":["../../src/parsers/yarn-berry.js"],"names":[],"mappings":"AAIA,4DAA4D;AAE5D;;;;;;;;GAQG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuEG;AACH,4CAjEW,MAAM,GACJ,MAAM,GAAG,IAAI,CA4FzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqEG;AACH,sCAhEW,MAAM,GACJ,MAAM,CAiGlB;AAED;;;;;GAKG;AACH,yCAJW,MAAM,GAAG,MAAM,aACf,MAAM,GACJ,SAAS,CAAC,UAAU,CAAC,CAqCjC;AAED;;;;;;;;;;;;GAYG;AACH,6CAPW,MAAM,GAAG,MAAM,GACb,MAAM,EAAE,CA+BpB;AAED;;;;;;;;;;GAUG;AACH,8CARW,MAAM,GAAG,MAAM,WACf,MAAM,GACJ,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC,CA6BrD;yBAjVa,OAAO,YAAY,EAAE,UAAU;;UAI/B,MAAM;aACN,MAAM;mBACN,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;sBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;2BACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;uBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC"}

package/dist/set.d.ts

@@ -16,7 +16,7 @@
  *
  * // Get dependencies for a specific workspace
  * const pkg = JSON.parse(await readFile('./packages/foo/package.json'));
- * const subset = set.dependenciesOf(pkg, { workspacePath: 'packages/foo' });
+ * const subset = await set.dependenciesOf(pkg, { workspacePath: 'packages/foo', repoDir: '.' });
  *
  * // Set operations
  * const other = await FlatlockSet.fromPath('./other-lock.json');
@@ -42,27 +42,35 @@ export class FlatlockSet {
      * @param {string} content
      * @param {LockfileType} type
      * @param {FromStringOptions} options
-     * @returns {{ deps: Map<string, Dependency>, packages: LockfilePackages, importers: LockfileImporters | null }}
+     * @returns {{ deps: Map<string, Dependency>, packages: LockfilePackages, importers: LockfileImporters | null, snapshots: Record<string, any> | null }}
      */
     static "__#private@#parseAll"(content: string, type: LockfileType, options: FromStringOptions): {
         deps: Map<string, Dependency>;
         packages: LockfilePackages;
         importers: LockfileImporters | null;
+        snapshots: Record<string, any> | null;
     };
     /**
      * @param {symbol} internal - Must be INTERNAL symbol
      * @param {Map<string, Dependency>} deps
      * @param {LockfilePackages | null} packages
      * @param {LockfileImporters | null} importers
+     * @param {Record<string, any> | null} snapshots
      * @param {LockfileType | null} type
      */
-    constructor(internal: symbol, deps: Map<string, Dependency>, packages: LockfilePackages | null, importers: LockfileImporters | null, type: LockfileType | null);
+    constructor(internal: symbol, deps: Map<string, Dependency>, packages: LockfilePackages | null, importers: LockfileImporters | null, snapshots: Record<string, any> | null, type: LockfileType | null);
     /** @returns {number} */
     get size(): number;
     /** @returns {LockfileType | null} */
     get type(): LockfileType | null;
     /** @returns {boolean} */
     get canTraverse(): boolean;
+    /**
+     * Get workspace paths from lockfile.
+     * Supports npm, pnpm, and yarn berry lockfiles.
+     * @returns {string[]} Array of workspace paths (e.g., ['packages/foo', 'packages/bar'])
+     */
+    getWorkspacePaths(): string[];
     /**
      * Check if a dependency exists
      * @param {string} nameAtVersion - e.g., "lodash@4.17.21"
@@ -126,7 +134,7 @@ export class FlatlockSet {
     /**
      * Get transitive dependencies of a package.json
      *
-     * For monorepos, provide workspacePath to get correct resolution.
+     * For monorepos, provide workspacePath and repoDir to get correct resolution.
      * Without workspacePath, assumes root package (hoisted deps only).
      *
      * NOTE: This method is only available on sets created directly from
@@ -135,10 +143,17 @@ export class FlatlockSet {
      *
      * @param {PackageJson} packageJson - Parsed package.json
      * @param {DependenciesOfOptions} [options]
-     * @returns {FlatlockSet}
+     * @returns {Promise<FlatlockSet>}
      * @throws {Error} If called on a set that cannot traverse
+     *
+     * @example
+     * // Simple usage with repoDir (recommended)
+     * const deps = await lockfile.dependenciesOf(pkg, {
+     *   workspacePath: 'packages/foo',
+     *   repoDir: '/path/to/repo'
+     * });
      */
-    dependenciesOf(packageJson: PackageJson, options?: DependenciesOfOptions): FlatlockSet;
+    dependenciesOf(packageJson: PackageJson, options?: DependenciesOfOptions): Promise<FlatlockSet>;
     /**
      * Convert to array
      * @returns {Dependency[]}
@@ -150,11 +165,41 @@ export class FlatlockSet {
 }
 export type Dependency = import("./parsers/npm.js").Dependency;
 export type LockfileType = import("./detect.js").LockfileType;
+export type WorkspacePackage = {
+    /**
+     * - Package name (e.g., '@vue/shared')
+     */
+    name: string;
+    /**
+     * - Package version (e.g., '3.5.26')
+     */
+    version: string;
+    /**
+     * - Production dependencies (for yarn berry workspace traversal)
+     */
+    dependencies?: Record<string, string>;
+    /**
+     * - Dev dependencies
+     */
+    devDependencies?: Record<string, string>;
+    /**
+     * - Optional dependencies
+     */
+    optionalDependencies?: Record<string, string>;
+    /**
+     * - Peer dependencies
+     */
+    peerDependencies?: Record<string, string>;
+};
 export type DependenciesOfOptions = {
     /**
      * - Path to workspace (e.g., 'packages/foo')
      */
     workspacePath?: string;
+    /**
+     * - Path to repository root for reading workspace package.json files
+     */
+    repoDir?: string;
     /**
      * - Include devDependencies
      */
@@ -167,6 +212,10 @@ export type DependenciesOfOptions = {
      * - Include peerDependencies (default false: peers are provided by consumer)
      */
     peer?: boolean;
+    /**
+     * - Map of workspace path to package info for resolving workspace links (auto-built if repoDir provided)
+     */
+    workspacePackages?: Record<string, WorkspacePackage>;
 };
 export type FromStringOptions = {
     /**

package/dist/set.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../src/set.js"],"names":[],"mappings":"AAoDA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;IAoCE;;;;;OAKG;IACH,sBAJW,MAAM,YACN,iBAAiB,GACf,OAAO,CAAC,WAAW,CAAC,CAKhC;IAED;;;;;OAKG;IACH,2BAJW,MAAM,YACN,iBAAiB,GACf,WAAW,CAgBvB;IAED;;;;;;OAMG;IACH,uCALW,MAAM,QACN,YAAY,WACZ,iBAAiB,GACf;QAAE,IAAI,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAAC,QAAQ,EAAE,gBAAgB,CAAC;QAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,CAAA;KAAE,CAmD9G;IA7GD;;;;;;OAMG;IACH,sBANW,MAAM,QACN,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,YACvB,gBAAgB,GAAG,IAAI,aACvB,iBAAiB,GAAG,IAAI,QACxB,YAAY,GAAG,IAAI,EAa7B;IA6FD,wBAAwB;IACxB,YADc,MAAM,CAGnB;IAED,qCAAqC;IACrC,YADc,YAAY,GAAG,IAAI,CAGhC;IAED,yBAAyB;IACzB,mBADc,OAAO,CAGpB;IAED;;;;OAIG;IACH,mBAHW,MAAM,GACJ,OAAO,CAInB;IAED;;;;OAIG;IACH,mBAHW,MAAM,GACJ,UAAU,GAAG,SAAS,CAIlC;IAOD,8CAA8C;IAC9C,UADc,gBAAgB,CAAC,UAAU,CAAC,CAGzC;IAED,0CAA0C;IAC1C,QADc,gBAAgB,CAAC,MAAM,CAAC,CAGrC;IAED,wDAAwD;IACxD,WADc,gBAAgB,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAGnD;IAED;;;;OAIG;IACH,kBAHW,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,WAAW,KAAK,IAAI,YACxD,GAAG,QAMb;IAED;;;;OAIG;IACH,aAHW,WAAW,GACT,WAAW,CAUvB;IAED;;;;OAIG;IACH,oBAHW,WAAW,GACT,WAAW,CAUvB;IAED;;;;OAIG;IACH,kBAHW,WAAW,GACT,WAAW,CAUvB;IAED;;;;OAIG;IACH,kBAHW,WAAW,GACT,OAAO,CAOnB;IAED;;;;OAIG;IACH,oBAHW,WAAW,GACT,OAAO,CAInB;IAED;;;;OAIG;IACH,sBAHW,WAAW,GACT,OAAO,CAOnB;IAED;;;;;;;;;;;;;;OAcG;IACH,4BALW,WAAW,YACX,qBAAqB,GACnB,WAAW,CA4BvB;IAiOD;;;OAGG;IACH,WAFa,UAAU,EAAE,CAIxB;IA5XD,8CAA8C;IAC9C,qBADc,gBAAgB,CAAC,UAAU,CAAC,CAGzC;;CA0XF;yBA1lBY,OAAO,kBAAkB,EAAE,UAAU;2BACrC,OAAO,aAAa,EAAE,YAAY;;;;;oBAKjC,MAAM;;;;UACN,OAAO;;;;eACP,OAAO;;;;WACP,OAAO;;;;;;WAKP,MAAM;;;;WACN,YAAY;;;mBAKZ,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;sBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;2BACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;uBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;;+BAIvB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;gCAInB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC"}
+{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../src/set.js"],"names":[],"mappings":"AAsEA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;IAyCE;;;;;OAKG;IACH,sBAJW,MAAM,YACN,iBAAiB,GACf,OAAO,CAAC,WAAW,CAAC,CAKhC;IAED;;;;;OAKG;IACH,2BAJW,MAAM,YACN,iBAAiB,GACf,WAAW,CAgBvB;IAED;;;;;;OAMG;IACH,uCALW,MAAM,QACN,YAAY,WACZ,iBAAiB,GACf;QAAE,IAAI,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAAC,QAAQ,EAAE,gBAAgB,CAAC;QAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAAA;KAAE,CAsDrJ;IAlHD;;;;;;;OAOG;IACH,sBAPW,MAAM,QACN,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,YACvB,gBAAgB,GAAG,IAAI,aACvB,iBAAiB,GAAG,IAAI,aACxB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,QAC1B,YAAY,GAAG,IAAI,EAc7B;IAgGD,wBAAwB;IACxB,YADc,MAAM,CAGnB;IAED,qCAAqC;IACrC,YADc,YAAY,GAAG,IAAI,CAGhC;IAED,yBAAyB;IACzB,mBADc,OAAO,CAGpB;IAED;;;;OAIG;IACH,qBAFa,MAAM,EAAE,CAapB;IAoBD;;;;OAIG;IACH,mBAHW,MAAM,GACJ,OAAO,CAInB;IAED;;;;OAIG;IACH,mBAHW,MAAM,GACJ,UAAU,GAAG,SAAS,CAIlC;IAOD,8CAA8C;IAC9C,UADc,gBAAgB,CAAC,UAAU,CAAC,CAGzC;IAED,0CAA0C;IAC1C,QADc,gBAAgB,CAAC,MAAM,CAAC,CAGrC;IAED,wDAAwD;IACxD,WADc,gBAAgB,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAGnD;IAED;;;;OAIG;IACH,kBAHW,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,WAAW,KAAK,IAAI,YACxD,GAAG,QAMb;IAED;;;;OAIG;IACH,aAHW,WAAW,GACT,WAAW,CAUvB;IAED;;;;OAIG;IACH,oBAHW,WAAW,GACT,WAAW,CAUvB;IAED;;;;OAIG;IACH,kBAHW,WAAW,GACT,WAAW,CAUvB;IAED;;;;OAIG;IACH,kBAHW,WAAW,GACT,OAAO,CAOnB;IAED;;;;OAIG;IACH,oBAHW,WAAW,GACT,OAAO,CAInB;IAED;;;;OAIG;IACH,sBAHW,WAAW,GACT,OAAO,CAOnB;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,4BAZW,WAAW,YACX,qBAAqB,GACnB,OAAO,CAAC,WAAW,CAAC,CA8EhC;IAkyBD;;;OAGG;IACH,WAFa,UAAU,EAAE,CAIxB;IA/+BD,8CAA8C;IAC9C,qBADc,gBAAgB,CAAC,UAAU,CAAC,CAGzC;;CA6+BF;yBArwCY,OAAO,kBAAkB,EAAE,UAAU;2BACrC,OAAO,aAAa,EAAE,YAAY;;;;;UAKjC,MAAM;;;;aACN,MAAM;;;;mBACN,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;;;;sBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;;;;2BACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;;;;uBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;;;;;;oBAKtB,MAAM;;;;cACN,MAAM;;;;UACN,OAAO;;;;eACP,OAAO;;;;WACP,OAAO;;;;wBACP,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;;;;;;WAKhC,MAAM;;;;WACN,YAAY;;;mBAKZ,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;sBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;2BACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;uBACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;;+BAIvB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;gCAInB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "flatlock",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "The Matlock of lockfile parsers - extracts packages without building dependency graphs",
   "keywords": [
     "lockfile",
@@ -35,12 +35,16 @@
   },
   "main": "src/index.js",
   "bin": {
-    "flatlock-cmp": "./bin/flatlock-cmp.js"
+    "flatlock": "bin/flatlock.js",
+    "flatlock-cmp": "bin/flatlock-cmp.js",
+    "flatcover": "bin/flatcover.js"
   },
   "files": [
     "src",
     "dist",
-    "bin"
+    "bin/flatlock.js",
+    "bin/flatlock-cmp.js",
+    "bin/flatcover.js"
   ],
   "scripts": {
     "test": "node --test ./test/*.test.js ./test/**/*.test.js",
@@ -53,29 +57,41 @@
     "format:check": "biome format src test",
     "check": "biome check src test && pnpm run build:types",
     "check:fix": "biome check --write src test",
+    "build:ncc": "./bin/ncc.sh",
     "prepublishOnly": "pnpm run build:types"
   },
   "dependencies": {
     "@yarnpkg/lockfile": "^1.1.0",
     "@yarnpkg/parsers": "^3.0.3",
-    "js-yaml": "^4.1.1"
+    "js-yaml": "^4.1.1",
+    "undici": "^7.0.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.3.8",
+    "@vercel/ncc": "^0.38.4",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^22.10.2",
     "c8": "^10.1.3",
+    "chalk": "^5.6.2",
+    "fast-glob": "^3.3.3",
+    "jackspeak": "^4.1.1",
     "markdownlint-cli2": "^0.17.2",
     "snyk-nodejs-lockfile-parser": "^1.55.0",
+    "tinyexec": "^1.0.2",
     "typescript": "^5.7.2"
   },
   "optionalDependencies": {
-    "@cyclonedx/cyclonedx-npm": "^4.1.2",
+    "@cyclonedx/cdxgen": "^11.3.3",
     "@npmcli/arborist": "^9.1.9",
     "@pnpm/lockfile.fs": "^1001.0.0",
     "@yarnpkg/core": "^4.5.0"
   },
   "packageManager": "pnpm@10.25.0",
+  "pnpm": {
+    "overrides": {
+      "tar": ">=7.5.3"
+    }
+  },
   "engines": {
     "node": ">=22"
   },

package/src/compare.js

@@ -6,7 +6,7 @@ import { tmpdir } from 'node:os';
 import { dirname, join } from 'node:path';
 import { parseSyml } from '@yarnpkg/parsers';
 import yaml from 'js-yaml';
-import { detectType, fromPath, Type } from './index.js';
+import { collect, detectType, Type } from './index.js';
 import { parseYarnBerryKey, parseYarnClassic, parseYarnClassicKey } from './parsers/index.js';
 import { parseSpec as parsePnpmSpec } from './parsers/pnpm.js';
 
@@ -545,12 +545,10 @@ export async function compare(filepath, options = {}) {
   const content = await readFile(filepath, 'utf8');
   const type = detectType({ path: filepath, content });
 
-  const flatlockSet = new Set();
-  for await (const dep of fromPath(filepath)) {
-    if (dep.name && dep.version) {
-      flatlockSet.add(`${dep.name}@${dep.version}`);
-    }
-  }
+  console.time(`⏱  collect [...]${filepath.slice(-40)}`);
+  const deps = await collect(filepath);
+  console.timeEnd(`⏱  collect [...]${filepath.slice(-40)}`);
+  const flatlockSet = new Set(deps.map(({ name, version }) => `${name}@${version}`));
 
   let comparisonResult;
   switch (type) {

package/src/parsers/index.js

@@ -2,9 +2,21 @@
  * Re-export all lockfile parsers
  */
 
-export { fromPackageLock, parseLockfileKey as parseNpmKey } from './npm.js';
-export { fromPnpmLock, parseLockfileKey as parsePnpmKey } from './pnpm.js';
 export {
+  buildWorkspacePackages as buildNpmWorkspacePackages,
+  extractWorkspacePaths as extractNpmWorkspacePaths,
+  fromPackageLock,
+  parseLockfileKey as parseNpmKey
+} from './npm.js';
+export {
+  buildWorkspacePackages as buildPnpmWorkspacePackages,
+  extractWorkspacePaths as extractPnpmWorkspacePaths,
+  fromPnpmLock,
+  parseLockfileKey as parsePnpmKey
+} from './pnpm.js';
+export {
+  buildWorkspacePackages as buildYarnBerryWorkspacePackages,
+  extractWorkspacePaths as extractYarnBerryWorkspacePaths,
   fromYarnBerryLock,
   parseLockfileKey as parseYarnBerryKey,
   parseResolution as parseYarnBerryResolution