lockfile-subset 1.0.2 → 1.1.0

package/README.md

@@ -1,6 +1,6 @@
 # lockfile-subset
 
-Extract a subset of `package-lock.json` for specified packages and their transitive dependencies.
+Extract a subset of `package-lock.json` or `pnpm-lock.yaml` for specified packages and their transitive dependencies.
 
 ## Why?
 
@@ -11,8 +11,9 @@ When using bundlers like esbuild with `--external`, you need to ship those exter
 | Manually copy `node_modules` dirs | Breaks when transitive deps change (e.g., Prisma v6 added new deps) |
 | `npm install <pkg>` in runner stage | Resolves versions independently — may differ from your lockfile |
 | `npm ci --omit=dev` | Installs *all* prod dependencies, not just the ones you need |
+| `pnpm deploy` | Only works with workspaces, not arbitrary packages |
 
-**lockfile-subset** solves this by extracting a precise subset from your existing `package-lock.json` — only the packages you specify and their transitive dependencies, with versions exactly matching the original lockfile.
+**lockfile-subset** solves this by extracting a precise subset from your existing lockfile — only the packages you specify and their transitive dependencies, with versions exactly matching the original lockfile.
 
 ## Install
 
@@ -32,16 +33,19 @@ lockfile-subset @prisma/client sharp
 lockfile-subset @prisma/client sharp -o /standalone
 
 # Use a different lockfile path
-lockfile-subset @prisma/client sharp --lockfile /build/package-lock.json
+lockfile-subset @prisma/client sharp -l /build/package-lock.json
+
+# Use a pnpm lockfile
+lockfile-subset @prisma/client sharp -l pnpm-lock.yaml
 
 # Generate + install in one step
 lockfile-subset @prisma/client sharp -o /standalone --install
 
 # Preview without writing files
-lockfile-subset prisma --dry-run
+lockfile-subset chalk --dry-run
 ```
 
-This generates a minimal `package.json` and `package-lock.json` in the output directory. Then run `npm ci` to install exactly those packages at the exact versions from your original lockfile.
+The lockfile type (npm or pnpm) is auto-detected from the project directory. This generates a minimal `package.json` and lockfile in the output directory. Then run `npm ci` or `pnpm install --frozen-lockfile` to install exactly those packages.
 
 ### Dockerfile example
 
@@ -73,35 +77,27 @@ CMD ["node", "dist/index.js"]
 
 ### Options
 
-```
-lockfile-subset <packages...> [options]
-
-Arguments:
-  packages                  Package names to extract (space-separated)
-
-Options:
-  --lockfile, -l <path>     Path to project directory (default: .)
-  --output, -o <dir>        Output directory (default: ./lockfile-subset-output)
-  --no-optional             Exclude optional dependencies
-  --install                 Run npm ci after generating the subset
-  --dry-run                 Print the result without writing files
-  --version, -v             Show version
-  --help, -h                Show help
-```
+Run `lockfile-subset --help` for the full list of options.
 
 ## How it works
 
-1. Loads your `package-lock.json` using [`@npmcli/arborist`](https://github.com/npm/cli/tree/latest/workspaces/arborist) (npm's own dependency resolver)
+1. Loads your lockfile (`package-lock.json` via [@npmcli/arborist](https://github.com/npm/cli/tree/latest/workspaces/arborist), or `pnpm-lock.yaml` directly)
 2. Starting from the specified packages, walks the dependency tree via BFS to collect all transitive dependencies
 3. Copies the matching entries from the original lockfile — no re-resolution, no version drift
-4. Outputs a minimal `package.json` + `package-lock.json` ready for `npm ci`
+4. Outputs a minimal `package.json` + lockfile ready for `npm ci` or `pnpm install --frozen-lockfile`
 
 Dev dependencies of each package are excluded from traversal. Optional dependencies are included by default (use `--no-optional` to exclude).
 
+## Supported lockfile formats
+
+| Package manager | Lockfile | Supported versions |
+|---|---|---|
+| npm | `package-lock.json` | v2 (npm 7-8), v3 (npm 9+) |
+| pnpm | `pnpm-lock.yaml` | v9 (pnpm 9-10) |
+
 ## Limitations
 
-- **Lockfile v2/v3 only** — Requires npm 7+ (lockfile v2 or v3). The legacy v1 format (npm 5-6) is not supported.
-- **npm only** — pnpm and yarn have different lockfile formats. pnpm users can use `pnpm deploy`; yarn users can use `yarn workspaces focus`.
+- **yarn is not supported** — yarn users can use `yarn workspaces focus`.
 - **Platform-specific optional deps** — Packages like `sharp` have OS/arch-specific optional dependencies (e.g., `@img/sharp-linux-x64`). If your lockfile was generated on macOS but you run `npm ci` on Linux (e.g., in Docker), those Linux-specific packages may be missing from the lockfile. In that case, generate the lockfile on the target platform, or use `npm install` instead of `npm ci`.
 
 ## License

package/dist/index.mjs

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
 import { join, resolve } from "path";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import { createRequire } from "module";
 import Arborist from "@npmcli/arborist";
-import { mkdirSync, writeFileSync } from "fs";
+import yaml from "js-yaml";
 //#region src/extract.ts
 async function extractSubset({ projectPath, packageNames, includeOptional = true }) {
 	const tree = await new Arborist({ path: projectPath }).loadVirtual();
@@ -44,6 +45,7 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 		location: node.location
 	}));
 	return {
+		type: "npm",
 		packageJson: {
 			name: "lockfile-subset-output",
 			version: "1.0.0",
@@ -60,11 +62,101 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 	};
 }
 //#endregion
+//#region src/extract-pnpm.ts
+/** Parse "name@version" or "@scope/name@version" into [name, version] */
+function parseSnapshotKey(key) {
+	const withoutPeers = key.replace(/\(.*\)$/, "");
+	const lastAt = withoutPeers.lastIndexOf("@");
+	if (lastAt <= 0) throw new Error(`Invalid snapshot key: ${key}`);
+	return {
+		name: withoutPeers.slice(0, lastAt),
+		version: withoutPeers.slice(lastAt + 1)
+	};
+}
+/** Build snapshot key from name and version */
+function snapshotKey(name, version) {
+	return `${name}@${version}`;
+}
+async function extractPnpmSubset({ projectPath, packageNames, includeOptional = true }) {
+	const content = readFileSync(join(projectPath, "pnpm-lock.yaml"), "utf8");
+	const lockfile = yaml.load(content);
+	if (!lockfile.lockfileVersion || !String(lockfile.lockfileVersion).startsWith("9")) throw new Error(`pnpm lockfile version ${lockfile.lockfileVersion} is not supported. Please upgrade to pnpm 9+ (lockfile v9).`);
+	const rootImporter = lockfile.importers["."];
+	if (!rootImporter) throw new Error("No root importer found in pnpm-lock.yaml");
+	const rootDeps = {};
+	if (rootImporter.dependencies) for (const [name, info] of Object.entries(rootImporter.dependencies)) rootDeps[name] = info.version;
+	if (rootImporter.optionalDependencies) for (const [name, info] of Object.entries(rootImporter.optionalDependencies)) rootDeps[name] = info.version;
+	const keepSnapshots = /* @__PURE__ */ new Set();
+	const keepPackages = /* @__PURE__ */ new Set();
+	for (const name of packageNames) {
+		const version = rootDeps[name];
+		if (!version) throw new Error(`Package "${name}" not found in pnpm-lock.yaml`);
+		const queue = [snapshotKey(name, version)];
+		while (queue.length > 0) {
+			const current = queue.shift();
+			if (keepSnapshots.has(current)) continue;
+			keepSnapshots.add(current);
+			const parsed = parseSnapshotKey(current);
+			keepPackages.add(snapshotKey(parsed.name, parsed.version));
+			const snapshot = lockfile.snapshots[current];
+			if (!snapshot) continue;
+			if (snapshot.dependencies) for (const [depName, depVersion] of Object.entries(snapshot.dependencies)) {
+				const depKey = snapshotKey(depName, depVersion);
+				if (!keepSnapshots.has(depKey)) queue.push(depKey);
+			}
+			if (includeOptional && snapshot.optionalDependencies) for (const [depName, depVersion] of Object.entries(snapshot.optionalDependencies)) {
+				const depKey = snapshotKey(depName, depVersion);
+				if (!keepSnapshots.has(depKey)) queue.push(depKey);
+			}
+		}
+	}
+	const dependencies = {};
+	for (const name of packageNames) dependencies[name] = parseSnapshotKey(snapshotKey(name, rootDeps[name])).version;
+	const subsetPackages = {};
+	for (const key of keepPackages) if (lockfile.packages[key]) subsetPackages[key] = lockfile.packages[key];
+	const subsetSnapshots = {};
+	for (const key of keepSnapshots) if (lockfile.snapshots[key]) subsetSnapshots[key] = lockfile.snapshots[key];
+	const subsetImporter = { dependencies: {} };
+	for (const name of packageNames) subsetImporter.dependencies[name] = {
+		specifier: dependencies[name],
+		version: rootDeps[name]
+	};
+	const collected = [...keepPackages].map((key) => {
+		const parsed = parseSnapshotKey(key);
+		return {
+			name: parsed.name,
+			version: parsed.version
+		};
+	});
+	return {
+		type: "pnpm",
+		packageJson: {
+			name: "lockfile-subset-output",
+			version: "1.0.0",
+			dependencies
+		},
+		lockfileYaml: {
+			lockfileVersion: lockfile.lockfileVersion,
+			settings: lockfile.settings,
+			importers: { ".": subsetImporter },
+			packages: subsetPackages,
+			snapshots: subsetSnapshots
+		},
+		collected
+	};
+}
+//#endregion
 //#region src/write.ts
 function writeOutput(outputDir, result) {
 	mkdirSync(outputDir, { recursive: true });
 	writeFileSync(join(outputDir, "package.json"), JSON.stringify(result.packageJson, null, 2) + "\n");
-	writeFileSync(join(outputDir, "package-lock.json"), JSON.stringify(result.lockfileJson, null, 2) + "\n");
+	if (result.type === "npm") writeFileSync(join(outputDir, "package-lock.json"), JSON.stringify(result.lockfileJson, null, 2) + "\n");
+	else writeFileSync(join(outputDir, "pnpm-lock.yaml"), yaml.dump(result.lockfileYaml, {
+		lineWidth: -1,
+		noCompatMode: true,
+		quotingType: "'",
+		forceQuotes: false
+	}));
 }
 //#endregion
 //#region src/index.ts
@@ -72,7 +164,7 @@ const { version: VERSION } = createRequire(import.meta.url)("../package.json");
 function parseArgs(argv) {
 	const args = {
 		packages: [],
-		lockfile: ".",
+		lockfile: "",
 		output: "./lockfile-subset-output",
 		includeOptional: true,
 		install: false,
@@ -120,29 +212,54 @@ function parseArgs(argv) {
 	}
 	return args;
 }
+function resolveLockfile(lockfilePath) {
+	if (!lockfilePath) {
+		if (existsSync(resolve("pnpm-lock.yaml"))) return {
+			projectPath: resolve("."),
+			type: "pnpm"
+		};
+		if (existsSync(resolve("package-lock.json"))) return {
+			projectPath: resolve("."),
+			type: "npm"
+		};
+		throw new Error("No lockfile found in current directory. Expected package-lock.json or pnpm-lock.yaml.");
+	}
+	const resolved = resolve(lockfilePath);
+	const basename = resolved.split("/").pop();
+	if (basename === "pnpm-lock.yaml") return {
+		projectPath: resolve(resolved, ".."),
+		type: "pnpm"
+	};
+	if (basename === "package-lock.json") return {
+		projectPath: resolve(resolved, ".."),
+		type: "npm"
+	};
+	throw new Error(`Invalid lockfile path: ${lockfilePath}. Expected a path to package-lock.json or pnpm-lock.yaml.`);
+}
 const HELP = `
 lockfile-subset <packages...> [options]
 
-Extract a subset of package-lock.json for specified packages and their transitive dependencies.
+Extract a subset of package-lock.json or pnpm-lock.yaml for specified packages
+and their transitive dependencies.
 
 Arguments:
   packages                  Package names to extract (one or more, space-separated)
 
 Options:
-  --lockfile, -l <path>     Path to project dir or package-lock.json (default: .)
+  --lockfile, -l <path>     Path to lockfile (auto-detected from cwd by default)
   --output, -o <dir>        Output directory (default: ./lockfile-subset-output)
   --no-optional             Exclude optional dependencies
-  --install                 Run npm ci after generating the subset
+  --install                 Run npm ci / pnpm install --frozen-lockfile after generating
   --dry-run                 Print the result without writing files
   --version, -v             Show version
   --help, -h                Show this help
 
 Examples:
-  lockfile-subset prisma sharp
-  lockfile-subset prisma sharp -o /lambda-standalone
-  lockfile-subset prisma sharp --lockfile /build/package-lock.json
-  lockfile-subset prisma sharp -o /lambda-standalone --install
-  lockfile-subset prisma --dry-run
+  lockfile-subset @prisma/client sharp
+  lockfile-subset @prisma/client sharp -o /standalone
+  lockfile-subset @prisma/client sharp -l /build/package-lock.json
+  lockfile-subset @prisma/client sharp -l pnpm-lock.yaml --install
+  lockfile-subset chalk --dry-run
 `.trim();
 async function main() {
 	const args = parseArgs(process.argv.slice(2));
@@ -159,9 +276,15 @@ async function main() {
 		console.log(HELP);
 		process.exit(1);
 	}
-	const projectPath = resolve(args.lockfile);
+	const { projectPath, type } = resolveLockfile(args.lockfile);
 	const outputDir = resolve(args.output);
-	const result = await extractSubset({
+	let result;
+	if (type === "pnpm") result = await extractPnpmSubset({
+		projectPath,
+		packageNames: args.packages,
+		includeOptional: args.includeOptional
+	});
+	else result = await extractSubset({
 		projectPath,
 		packageNames: args.packages,
 		includeOptional: args.includeOptional
@@ -170,18 +293,35 @@ async function main() {
 	if (args.dryRun) {
 		console.log("\n--- package.json ---");
 		console.log(JSON.stringify(result.packageJson, null, 2));
-		console.log("\n--- package-lock.json ---");
-		console.log(JSON.stringify(result.lockfileJson, null, 2));
+		if (result.type === "npm") {
+			console.log("\n--- package-lock.json ---");
+			console.log(JSON.stringify(result.lockfileJson, null, 2));
+		} else {
+			const yaml = (await import("js-yaml")).default;
+			console.log("\n--- pnpm-lock.yaml ---");
+			console.log(yaml.dump(result.lockfileYaml, {
+				lineWidth: -1,
+				noCompatMode: true
+			}));
+		}
 		return;
 	}
 	writeOutput(outputDir, result);
 	console.log(`Written to ${outputDir}`);
 	if (args.install) {
-		console.log("Running npm ci...");
-		execSync("npm ci", {
-			cwd: outputDir,
-			stdio: "inherit"
-		});
+		if (type === "pnpm") {
+			console.log("Running pnpm install --frozen-lockfile...");
+			execSync("pnpm install --frozen-lockfile", {
+				cwd: outputDir,
+				stdio: "inherit"
+			});
+		} else {
+			console.log("Running npm ci...");
+			execSync("npm ci", {
+				cwd: outputDir,
+				stdio: "inherit"
+			});
+		}
 		console.log("Done.");
 	}
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lockfile-subset",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Extract a subset of package-lock.json for specified packages and their transitive dependencies",
   "type": "module",
   "bin": {
@@ -16,6 +16,7 @@
   },
   "keywords": [
     "npm",
+    "pnpm",
     "lockfile",
     "package-lock",
     "subset",
@@ -33,6 +34,7 @@
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
+    "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.5.0",
     "@types/npmcli__arborist": "^6.3.3",
     "semantic-release": "^25.0.3",
@@ -41,6 +43,7 @@
     "vitest": "^4.1.0"
   },
   "dependencies": {
-    "@npmcli/arborist": "^9.4.2"
+    "@npmcli/arborist": "^9.4.2",
+    "js-yaml": "^4.1.1"
   }
 }