lockfile-subset 1.0.2 → 1.2.0

package/README.md

@@ -1,6 +1,6 @@
 # lockfile-subset
 
-Extract a subset of `package-lock.json` for specified packages and their transitive dependencies.
+Extract a subset of `package-lock.json` or `pnpm-lock.yaml` for specified packages and their transitive dependencies.
 
 ## Why?
 
@@ -11,8 +11,9 @@ When using bundlers like esbuild with `--external`, you need to ship those exter
 | Manually copy `node_modules` dirs | Breaks when transitive deps change (e.g., Prisma v6 added new deps) |
 | `npm install <pkg>` in runner stage | Resolves versions independently — may differ from your lockfile |
 | `npm ci --omit=dev` | Installs *all* prod dependencies, not just the ones you need |
+| `pnpm deploy` | Only works with workspaces, not arbitrary packages |
 
-**lockfile-subset** solves this by extracting a precise subset from your existing `package-lock.json` — only the packages you specify and their transitive dependencies, with versions exactly matching the original lockfile.
+**lockfile-subset** solves this by extracting a precise subset from your existing lockfile — only the packages you specify and their transitive dependencies, with versions exactly matching the original lockfile.
 
 ## Install
 
@@ -32,16 +33,19 @@ lockfile-subset @prisma/client sharp
 lockfile-subset @prisma/client sharp -o /standalone
 
 # Use a different lockfile path
-lockfile-subset @prisma/client sharp --lockfile /build/package-lock.json
+lockfile-subset @prisma/client sharp -l /build/package-lock.json
+
+# Use a pnpm lockfile
+lockfile-subset @prisma/client sharp -l pnpm-lock.yaml
 
 # Generate + install in one step
 lockfile-subset @prisma/client sharp -o /standalone --install
 
 # Preview without writing files
-lockfile-subset prisma --dry-run
+lockfile-subset chalk --dry-run
 ```
 
-This generates a minimal `package.json` and `package-lock.json` in the output directory. Then run `npm ci` to install exactly those packages at the exact versions from your original lockfile.
+The lockfile type (npm or pnpm) is auto-detected from the project directory. This generates a minimal `package.json` and lockfile in the output directory. Then run `npm ci` or `pnpm install --frozen-lockfile` to install exactly those packages.
 
 ### Dockerfile example
 
@@ -73,35 +77,27 @@ CMD ["node", "dist/index.js"]
 
 ### Options
 
-```
-lockfile-subset <packages...> [options]
-
-Arguments:
-  packages                  Package names to extract (space-separated)
-
-Options:
-  --lockfile, -l <path>     Path to project directory (default: .)
-  --output, -o <dir>        Output directory (default: ./lockfile-subset-output)
-  --no-optional             Exclude optional dependencies
-  --install                 Run npm ci after generating the subset
-  --dry-run                 Print the result without writing files
-  --version, -v             Show version
-  --help, -h                Show help
-```
+Run `lockfile-subset --help` for the full list of options.
 
 ## How it works
 
-1. Loads your `package-lock.json` using [`@npmcli/arborist`](https://github.com/npm/cli/tree/latest/workspaces/arborist) (npm's own dependency resolver)
+1. Loads your lockfile (`package-lock.json` via [@npmcli/arborist](https://github.com/npm/cli/tree/latest/workspaces/arborist), or `pnpm-lock.yaml` directly)
 2. Starting from the specified packages, walks the dependency tree via BFS to collect all transitive dependencies
 3. Copies the matching entries from the original lockfile — no re-resolution, no version drift
-4. Outputs a minimal `package.json` + `package-lock.json` ready for `npm ci`
+4. Outputs a minimal `package.json` + lockfile ready for `npm ci` or `pnpm install --frozen-lockfile`
 
 Dev dependencies of each package are excluded from traversal. Optional dependencies are included by default (use `--no-optional` to exclude).
 
+## Supported lockfile formats
+
+| Package manager | Lockfile | Supported versions |
+|---|---|---|
+| npm | `package-lock.json` | v2 (npm 7-8), v3 (npm 9+) |
+| pnpm | `pnpm-lock.yaml` | v9 (pnpm 9-10) |
+
 ## Limitations
 
-- **Lockfile v2/v3 only** — Requires npm 7+ (lockfile v2 or v3). The legacy v1 format (npm 5-6) is not supported.
-- **npm only** — pnpm and yarn have different lockfile formats. pnpm users can use `pnpm deploy`; yarn users can use `yarn workspaces focus`.
+- **yarn is not supported** — yarn users can use `yarn workspaces focus`.
 - **Platform-specific optional deps** — Packages like `sharp` have OS/arch-specific optional dependencies (e.g., `@img/sharp-linux-x64`). If your lockfile was generated on macOS but you run `npm ci` on Linux (e.g., in Docker), those Linux-specific packages may be missing from the lockfile. In that case, generate the lockfile on the target platform, or use `npm install` instead of `npm ci`.
 
 ## License

package/dist/index.mjs

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
 import { join, resolve } from "path";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import { createRequire } from "module";
 import Arborist from "@npmcli/arborist";
-import { mkdirSync, writeFileSync } from "fs";
+import yaml from "js-yaml";
 //#region src/extract.ts
 async function extractSubset({ projectPath, packageNames, includeOptional = true }) {
 	const tree = await new Arborist({ path: projectPath }).loadVirtual();
@@ -44,6 +45,7 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 		location: node.location
 	}));
 	return {
+		type: "npm",
 		packageJson: {
 			name: "lockfile-subset-output",
 			version: "1.0.0",
@@ -60,11 +62,300 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 	};
 }
 //#endregion
+//#region src/extract-pnpm.ts
+/** Parse "name@version" or "@scope/name@version" into [name, version] */
+function parseSnapshotKey(key) {
+	const withoutPeers = key.replace(/\(.*\)$/, "");
+	const lastAt = withoutPeers.lastIndexOf("@");
+	if (lastAt <= 0) throw new Error(`Invalid snapshot key: ${key}`);
+	return {
+		name: withoutPeers.slice(0, lastAt),
+		version: withoutPeers.slice(lastAt + 1)
+	};
+}
+/** Build snapshot key from name and version */
+function snapshotKey(name, version) {
+	return `${name}@${version}`;
+}
+async function extractPnpmSubset({ projectPath, packageNames, includeOptional = true }) {
+	const content = readFileSync(join(projectPath, "pnpm-lock.yaml"), "utf8");
+	const lockfile = yaml.load(content);
+	if (!lockfile.lockfileVersion || !String(lockfile.lockfileVersion).startsWith("9")) throw new Error(`pnpm lockfile version ${lockfile.lockfileVersion} is not supported. Please upgrade to pnpm 9+ (lockfile v9).`);
+	const rootImporter = lockfile.importers["."];
+	if (!rootImporter) throw new Error("No root importer found in pnpm-lock.yaml");
+	const rootDeps = {};
+	if (rootImporter.dependencies) for (const [name, info] of Object.entries(rootImporter.dependencies)) rootDeps[name] = info.version;
+	if (rootImporter.optionalDependencies) for (const [name, info] of Object.entries(rootImporter.optionalDependencies)) rootDeps[name] = info.version;
+	const keepSnapshots = /* @__PURE__ */ new Set();
+	const keepPackages = /* @__PURE__ */ new Set();
+	for (const name of packageNames) {
+		const version = rootDeps[name];
+		if (!version) throw new Error(`Package "${name}" not found in pnpm-lock.yaml`);
+		const queue = [snapshotKey(name, version)];
+		while (queue.length > 0) {
+			const current = queue.shift();
+			if (keepSnapshots.has(current)) continue;
+			keepSnapshots.add(current);
+			const parsed = parseSnapshotKey(current);
+			keepPackages.add(snapshotKey(parsed.name, parsed.version));
+			const snapshot = lockfile.snapshots[current];
+			if (!snapshot) continue;
+			if (snapshot.dependencies) for (const [depName, depVersion] of Object.entries(snapshot.dependencies)) {
+				const depKey = snapshotKey(depName, depVersion);
+				if (!keepSnapshots.has(depKey)) queue.push(depKey);
+			}
+			if (includeOptional && snapshot.optionalDependencies) for (const [depName, depVersion] of Object.entries(snapshot.optionalDependencies)) {
+				const depKey = snapshotKey(depName, depVersion);
+				if (!keepSnapshots.has(depKey)) queue.push(depKey);
+			}
+		}
+	}
+	const dependencies = {};
+	for (const name of packageNames) dependencies[name] = parseSnapshotKey(snapshotKey(name, rootDeps[name])).version;
+	const subsetPackages = {};
+	for (const key of keepPackages) if (lockfile.packages[key]) subsetPackages[key] = lockfile.packages[key];
+	const subsetSnapshots = {};
+	for (const key of keepSnapshots) if (lockfile.snapshots[key]) subsetSnapshots[key] = lockfile.snapshots[key];
+	const subsetImporter = { dependencies: {} };
+	for (const name of packageNames) subsetImporter.dependencies[name] = {
+		specifier: dependencies[name],
+		version: rootDeps[name]
+	};
+	const collected = [...keepPackages].map((key) => {
+		const parsed = parseSnapshotKey(key);
+		return {
+			name: parsed.name,
+			version: parsed.version
+		};
+	});
+	return {
+		type: "pnpm",
+		packageJson: {
+			name: "lockfile-subset-output",
+			version: "1.0.0",
+			dependencies
+		},
+		lockfileYaml: {
+			lockfileVersion: lockfile.lockfileVersion,
+			settings: lockfile.settings,
+			importers: { ".": subsetImporter },
+			packages: subsetPackages,
+			snapshots: subsetSnapshots
+		},
+		collected
+	};
+}
+//#endregion
+//#region src/extract-yarn.ts
+const { parse: parseYarnLockV1, stringify: stringifyYarnLockV1 } = createRequire(import.meta.url)("@yarnpkg/lockfile");
+function detectYarnVersion(content) {
+	return content.includes("# yarn lockfile v1") ? 1 : 2;
+}
+function extractV1({ projectPath, packageNames, includeOptional, lockfileContent }) {
+	const parsed = parseYarnLockV1(lockfileContent);
+	if (parsed.type !== "success") throw new Error(`Failed to parse yarn.lock: ${parsed.type}`);
+	const lockfile = parsed.object;
+	const pkgJsonPath = join(projectPath, "package.json");
+	const pkgJson = JSON.parse(readFileSync(pkgJsonPath, "utf8"));
+	const allDeps = {
+		...pkgJson.dependencies,
+		...pkgJson.optionalDependencies
+	};
+	const keepKeys = /* @__PURE__ */ new Set();
+	const collected = [];
+	for (const name of packageNames) {
+		const range = allDeps[name];
+		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
+		const queue = [`${name}@${range}`];
+		while (queue.length > 0) {
+			const key = queue.shift();
+			if (keepKeys.has(key)) continue;
+			const entry = lockfile[key];
+			if (!entry) continue;
+			keepKeys.add(key);
+			collected.push({
+				name: key.slice(0, key.lastIndexOf("@")),
+				version: entry.version
+			});
+			if (entry.dependencies) for (const [depName, depRange] of Object.entries(entry.dependencies)) {
+				const depKey = `${depName}@${depRange}`;
+				if (!keepKeys.has(depKey)) queue.push(depKey);
+			}
+			if (includeOptional && entry.optionalDependencies) for (const [depName, depRange] of Object.entries(entry.optionalDependencies)) {
+				const depKey = `${depName}@${depRange}`;
+				if (!keepKeys.has(depKey)) queue.push(depKey);
+			}
+		}
+	}
+	const subset = {};
+	for (const key of keepKeys) subset[key] = lockfile[key];
+	const dependencies = {};
+	for (const name of packageNames) dependencies[name] = lockfile[`${name}@${allDeps[name]}`].version;
+	const seen = /* @__PURE__ */ new Set();
+	const deduped = collected.filter((c) => {
+		const key = `${c.name}@${c.version}`;
+		if (seen.has(key)) return false;
+		seen.add(key);
+		return true;
+	});
+	return {
+		type: "yarn",
+		yarnVersion: 1,
+		packageJson: {
+			name: "lockfile-subset-output",
+			version: "1.0.0",
+			dependencies
+		},
+		lockfileContent: stringifyYarnLockV1(subset),
+		collected: deduped
+	};
+}
+function extractBerry({ projectPath, packageNames, includeOptional, lockfileContent }) {
+	const lockfile = yaml.load(lockfileContent);
+	const descriptorMap = /* @__PURE__ */ new Map();
+	for (const [compoundKey, entry] of Object.entries(lockfile)) {
+		if (compoundKey === "__metadata") continue;
+		const descriptors = compoundKey.split(", ");
+		for (const descriptor of descriptors) descriptorMap.set(descriptor, {
+			entry,
+			originalKey: compoundKey
+		});
+	}
+	const pkgJsonPath = join(projectPath, "package.json");
+	const pkgJson = JSON.parse(readFileSync(pkgJsonPath, "utf8"));
+	const allDeps = {
+		...pkgJson.dependencies,
+		...pkgJson.optionalDependencies
+	};
+	const keepOriginalKeys = /* @__PURE__ */ new Set();
+	const visited = /* @__PURE__ */ new Set();
+	const collected = [];
+	for (const name of packageNames) {
+		const range = allDeps[name];
+		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
+		const queue = [`${name}@npm:${range}`];
+		while (queue.length > 0) {
+			const desc = queue.shift();
+			if (visited.has(desc)) continue;
+			visited.add(desc);
+			const match = descriptorMap.get(desc);
+			if (!match) continue;
+			keepOriginalKeys.add(match.originalKey);
+			collected.push({
+				name: parseDescriptorName(desc),
+				version: match.entry.version
+			});
+			if (match.entry.dependencies) for (const [depName, depRange] of Object.entries(match.entry.dependencies)) {
+				const depDesc = `${depName}@${depRange}`;
+				if (!visited.has(depDesc)) queue.push(depDesc);
+			}
+			if (includeOptional && match.entry.optionalDependencies) for (const [depName, depRange] of Object.entries(match.entry.optionalDependencies)) {
+				const depDesc = `${depName}@${depRange}`;
+				if (!visited.has(depDesc)) queue.push(depDesc);
+			}
+		}
+	}
+	const dependencies = {};
+	for (const name of packageNames) {
+		const descriptor = `${name}@npm:${allDeps[name]}`;
+		dependencies[name] = descriptorMap.get(descriptor).entry.version;
+	}
+	const lines = [];
+	lines.push("# This file is generated by running \"yarn install\" inside your project.");
+	lines.push("# Manual changes might be lost - proceed with caution!");
+	lines.push("");
+	const metadata = lockfile.__metadata;
+	if (metadata) {
+		lines.push("__metadata:");
+		lines.push(`  version: ${metadata.version}`);
+		if (metadata.cacheKey) lines.push(`  cacheKey: ${metadata.cacheKey}`);
+		lines.push("");
+	}
+	for (const originalKey of keepOriginalKeys) {
+		const entry = lockfile[originalKey];
+		lines.push(`"${originalKey}":`);
+		lines.push(`  version: ${entry.version}`);
+		lines.push(`  resolution: "${entry.resolution}"`);
+		if (entry.dependencies && Object.keys(entry.dependencies).length > 0) {
+			lines.push("  dependencies:");
+			for (const [k, v] of Object.entries(entry.dependencies)) lines.push(`    ${k}: "${v}"`);
+		}
+		if (entry.optionalDependencies && Object.keys(entry.optionalDependencies).length > 0) {
+			lines.push("  optionalDependencies:");
+			for (const [k, v] of Object.entries(entry.optionalDependencies)) lines.push(`    ${k}: "${v}"`);
+		}
+		if (entry.dependenciesMeta && Object.keys(entry.dependenciesMeta).length > 0) {
+			lines.push("  dependenciesMeta:");
+			for (const [k, v] of Object.entries(entry.dependenciesMeta)) {
+				lines.push(`    ${k}:`);
+				if (v.optional !== void 0) lines.push(`      optional: ${v.optional}`);
+			}
+		}
+		if (entry.bin && Object.keys(entry.bin).length > 0) {
+			lines.push("  bin:");
+			for (const [k, v] of Object.entries(entry.bin)) lines.push(`    ${k}: ${v}`);
+		}
+		if (entry.conditions) lines.push(`  conditions: ${entry.conditions}`);
+		if (entry.checksum) lines.push(`  checksum: ${entry.checksum}`);
+		lines.push(`  languageName: ${entry.languageName || "node"}`);
+		lines.push(`  linkType: ${entry.linkType || "hard"}`);
+		lines.push("");
+	}
+	const seen = /* @__PURE__ */ new Set();
+	const deduped = collected.filter((c) => {
+		const key = `${c.name}@${c.version}`;
+		if (seen.has(key)) return false;
+		seen.add(key);
+		return true;
+	});
+	return {
+		type: "yarn",
+		yarnVersion: 2,
+		packageJson: {
+			name: "lockfile-subset-output",
+			version: "1.0.0",
+			dependencies
+		},
+		lockfileContent: lines.join("\n"),
+		collected: deduped
+	};
+}
+/** Extract package name from a descriptor like "chalk@npm:4.1.2" or "@scope/pkg@npm:^1.0.0" */
+function parseDescriptorName(descriptor) {
+	const npmIdx = descriptor.indexOf("@npm:");
+	if (npmIdx > 0) return descriptor.slice(0, npmIdx);
+	const lastAt = descriptor.lastIndexOf("@");
+	if (lastAt > 0) return descriptor.slice(0, lastAt);
+	return descriptor;
+}
+async function extractYarnSubset({ projectPath, packageNames, includeOptional = true }) {
+	const lockfileContent = readFileSync(join(projectPath, "yarn.lock"), "utf8");
+	if (detectYarnVersion(lockfileContent) === 1) return extractV1({
+		projectPath,
+		packageNames,
+		includeOptional,
+		lockfileContent
+	});
+	else return extractBerry({
+		projectPath,
+		packageNames,
+		includeOptional,
+		lockfileContent
+	});
+}
+//#endregion
 //#region src/write.ts
 function writeOutput(outputDir, result) {
 	mkdirSync(outputDir, { recursive: true });
 	writeFileSync(join(outputDir, "package.json"), JSON.stringify(result.packageJson, null, 2) + "\n");
-	writeFileSync(join(outputDir, "package-lock.json"), JSON.stringify(result.lockfileJson, null, 2) + "\n");
+	if (result.type === "npm") writeFileSync(join(outputDir, "package-lock.json"), JSON.stringify(result.lockfileJson, null, 2) + "\n");
+	else if (result.type === "pnpm") writeFileSync(join(outputDir, "pnpm-lock.yaml"), yaml.dump(result.lockfileYaml, {
+		lineWidth: -1,
+		noCompatMode: true,
+		quotingType: "'",
+		forceQuotes: false
+	}));
+	else writeFileSync(join(outputDir, "yarn.lock"), result.lockfileContent);
 }
 //#endregion
 //#region src/index.ts
@@ -72,7 +363,7 @@ const { version: VERSION } = createRequire(import.meta.url)("../package.json");
 function parseArgs(argv) {
 	const args = {
 		packages: [],
-		lockfile: ".",
+		lockfile: "",
 		output: "./lockfile-subset-output",
 		includeOptional: true,
 		install: false,
@@ -120,29 +411,62 @@ function parseArgs(argv) {
 	}
 	return args;
 }
+function resolveLockfile(lockfilePath) {
+	if (!lockfilePath) {
+		if (existsSync(resolve("pnpm-lock.yaml"))) return {
+			projectPath: resolve("."),
+			type: "pnpm"
+		};
+		if (existsSync(resolve("yarn.lock"))) return {
+			projectPath: resolve("."),
+			type: "yarn"
+		};
+		if (existsSync(resolve("package-lock.json"))) return {
+			projectPath: resolve("."),
+			type: "npm"
+		};
+		throw new Error("No lockfile found in current directory. Expected package-lock.json, pnpm-lock.yaml, or yarn.lock.");
+	}
+	const resolved = resolve(lockfilePath);
+	const basename = resolved.split("/").pop();
+	if (basename === "pnpm-lock.yaml") return {
+		projectPath: resolve(resolved, ".."),
+		type: "pnpm"
+	};
+	if (basename === "yarn.lock") return {
+		projectPath: resolve(resolved, ".."),
+		type: "yarn"
+	};
+	if (basename === "package-lock.json") return {
+		projectPath: resolve(resolved, ".."),
+		type: "npm"
+	};
+	throw new Error(`Invalid lockfile path: ${lockfilePath}. Expected a path to package-lock.json, pnpm-lock.yaml, or yarn.lock.`);
+}
 const HELP = `
 lockfile-subset <packages...> [options]
 
-Extract a subset of package-lock.json for specified packages and their transitive dependencies.
+Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified
+packages and their transitive dependencies.
 
 Arguments:
   packages                  Package names to extract (one or more, space-separated)
 
 Options:
-  --lockfile, -l <path>     Path to project dir or package-lock.json (default: .)
+  --lockfile, -l <path>     Path to lockfile (auto-detected from cwd by default)
   --output, -o <dir>        Output directory (default: ./lockfile-subset-output)
   --no-optional             Exclude optional dependencies
-  --install                 Run npm ci after generating the subset
+  --install                 Run npm ci / pnpm install / yarn install after generating
   --dry-run                 Print the result without writing files
   --version, -v             Show version
   --help, -h                Show this help
 
 Examples:
-  lockfile-subset prisma sharp
-  lockfile-subset prisma sharp -o /lambda-standalone
-  lockfile-subset prisma sharp --lockfile /build/package-lock.json
-  lockfile-subset prisma sharp -o /lambda-standalone --install
-  lockfile-subset prisma --dry-run
+  lockfile-subset @prisma/client sharp
+  lockfile-subset @prisma/client sharp -o /standalone
+  lockfile-subset @prisma/client sharp -l /build/package-lock.json
+  lockfile-subset @prisma/client sharp -l pnpm-lock.yaml --install
+  lockfile-subset chalk --dry-run
 `.trim();
 async function main() {
 	const args = parseArgs(process.argv.slice(2));
@@ -159,9 +483,20 @@ async function main() {
 		console.log(HELP);
 		process.exit(1);
 	}
-	const projectPath = resolve(args.lockfile);
+	const { projectPath, type } = resolveLockfile(args.lockfile);
 	const outputDir = resolve(args.output);
-	const result = await extractSubset({
+	let result;
+	if (type === "pnpm") result = await extractPnpmSubset({
+		projectPath,
+		packageNames: args.packages,
+		includeOptional: args.includeOptional
+	});
+	else if (type === "yarn") result = await extractYarnSubset({
+		projectPath,
+		packageNames: args.packages,
+		includeOptional: args.includeOptional
+	});
+	else result = await extractSubset({
 		projectPath,
 		packageNames: args.packages,
 		includeOptional: args.includeOptional
@@ -170,18 +505,51 @@ async function main() {
 	if (args.dryRun) {
 		console.log("\n--- package.json ---");
 		console.log(JSON.stringify(result.packageJson, null, 2));
-		console.log("\n--- package-lock.json ---");
-		console.log(JSON.stringify(result.lockfileJson, null, 2));
+		if (result.type === "npm") {
+			console.log("\n--- package-lock.json ---");
+			console.log(JSON.stringify(result.lockfileJson, null, 2));
+		} else if (result.type === "pnpm") {
+			const yaml = (await import("js-yaml")).default;
+			console.log("\n--- pnpm-lock.yaml ---");
+			console.log(yaml.dump(result.lockfileYaml, {
+				lineWidth: -1,
+				noCompatMode: true
+			}));
+		} else {
+			console.log("\n--- yarn.lock ---");
+			console.log(result.lockfileContent);
+		}
 		return;
 	}
 	writeOutput(outputDir, result);
 	console.log(`Written to ${outputDir}`);
 	if (args.install) {
-		console.log("Running npm ci...");
-		execSync("npm ci", {
-			cwd: outputDir,
-			stdio: "inherit"
-		});
+		if (type === "pnpm") {
+			console.log("Running pnpm install --frozen-lockfile...");
+			execSync("pnpm install --frozen-lockfile", {
+				cwd: outputDir,
+				stdio: "inherit"
+			});
+		} else if (type === "yarn") if (result.type === "yarn" && result.yarnVersion === 1) {
+			console.log("Running yarn install --frozen-lockfile...");
+			execSync("yarn install --frozen-lockfile", {
+				cwd: outputDir,
+				stdio: "inherit"
+			});
+		} else {
+			console.log("Running yarn install --immutable...");
+			execSync("yarn install --immutable", {
+				cwd: outputDir,
+				stdio: "inherit"
+			});
+		}
+		else {
+			console.log("Running npm ci...");
+			execSync("npm ci", {
+				cwd: outputDir,
+				stdio: "inherit"
+			});
+		}
 		console.log("Done.");
 	}
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "lockfile-subset",
-  "version": "1.0.2",
-  "description": "Extract a subset of package-lock.json for specified packages and their transitive dependencies",
+  "version": "1.2.0",
+  "description": "Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified packages and their transitive dependencies",
   "type": "module",
   "bin": {
     "lockfile-subset": "./dist/index.mjs"
@@ -16,6 +16,8 @@
   },
   "keywords": [
     "npm",
+    "pnpm",
+    "yarn",
     "lockfile",
     "package-lock",
     "subset",
@@ -33,14 +35,18 @@
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
+    "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.5.0",
     "@types/npmcli__arborist": "^6.3.3",
+    "@types/yarnpkg__lockfile": "^1.1.9",
     "semantic-release": "^25.0.3",
     "tsdown": "^0.21.4",
     "typescript": "^5.9.3",
     "vitest": "^4.1.0"
   },
   "dependencies": {
-    "@npmcli/arborist": "^9.4.2"
+    "@npmcli/arborist": "^9.4.2",
+    "@yarnpkg/lockfile": "^1.1.0",
+    "js-yaml": "^4.1.1"
   }
 }