lockfile-subset 1.0.0 → 1.0.2

package/README.md

@@ -100,6 +100,7 @@ Dev dependencies of each package are excluded from traversal. Optional dependenc
 
 ## Limitations
 
+- **Lockfile v2/v3 only** — Requires npm 7+ (lockfile v2 or v3). The legacy v1 format (npm 5-6) is not supported.
 - **npm only** — pnpm and yarn have different lockfile formats. pnpm users can use `pnpm deploy`; yarn users can use `yarn workspaces focus`.
 - **Platform-specific optional deps** — Packages like `sharp` have OS/arch-specific optional dependencies (e.g., `@img/sharp-linux-x64`). If your lockfile was generated on macOS but you run `npm ci` on Linux (e.g., in Docker), those Linux-specific packages may be missing from the lockfile. In that case, generate the lockfile on the target platform, or use `npm install` instead of `npm ci`.
 

package/dist/index.mjs

@@ -7,6 +7,8 @@ import { mkdirSync, writeFileSync } from "fs";
 //#region src/extract.ts
 async function extractSubset({ projectPath, packageNames, includeOptional = true }) {
 	const tree = await new Arborist({ path: projectPath }).loadVirtual();
+	const originalLockfileVersion = tree.meta.originalLockfileVersion;
+	if (originalLockfileVersion < 2) throw new Error(`Lockfile version ${originalLockfileVersion} is not supported. Please upgrade to npm 7+ (lockfile v2/v3) by running: npm install --package-lock-only`);
 	const keep = /* @__PURE__ */ new Set();
 	for (const name of packageNames) {
 		const edge = tree.edgesOut.get(name);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lockfile-subset",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Extract a subset of package-lock.json for specified packages and their transitive dependencies",
   "type": "module",
   "bin": {
@@ -26,6 +26,9 @@
     "type": "git",
     "url": "git+https://github.com/tmokmss/lockfile-subset.git"
   },
+  "publishConfig": {
+    "provenance": true
+  },
   "license": "MIT",
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",