lockfile-subset 1.2.1 → 1.3.1

package/dist/index.mjs

@@ -1,33 +1,72 @@
 #!/usr/bin/env node
-import { join, resolve } from "path";
+import { basename, dirname, join, relative, resolve, sep } from "path";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { execSync } from "child_process";
 import { createRequire } from "module";
 import Arborist from "@npmcli/arborist";
 import yaml from "js-yaml";
+//#region src/workspace-path.ts
+/**
+* Normalize a workspace/importer path to a forward-slash relative key.
+* Returns "." for the root (empty input, ".", "./").
+*/
+function normalizeWorkspacePath(p) {
+	if (!p || p === "." || p === "./") return ".";
+	return p.replace(/\\/g, "/").replace(/^\.\//, "").replace(/\/+$/, "");
+}
+//#endregion
 //#region src/extract.ts
-async function extractSubset({ projectPath, packageNames, includeOptional = true }) {
+/**
+* Rewrite a package-lock.json location key so the output is a standalone project.
+* Locations inside the chosen workspace get their workspace prefix stripped;
+* hoisted entries at the root stay where they are.
+*/
+function rewritePackageLocation(location, workspacePath) {
+	if (workspacePath === ".") return location;
+	if (location === workspacePath) return "";
+	const prefix = workspacePath + "/";
+	if (location.startsWith(prefix)) return location.slice(prefix.length);
+	return location;
+}
+async function extractSubset({ projectPath, packageNames, includeOptional = true, workspacePath = "." }) {
 	const tree = await new Arborist({ path: projectPath }).loadVirtual();
 	const originalLockfileVersion = tree.meta.originalLockfileVersion;
 	if (originalLockfileVersion < 2) throw new Error(`Lockfile version ${originalLockfileVersion} is not supported. Please upgrade to npm 7+ (lockfile v2/v3) by running: npm install --package-lock-only`);
+	const normalizedWorkspace = normalizeWorkspacePath(workspacePath);
+	let startNode = tree;
+	if (normalizedWorkspace !== ".") {
+		let found;
+		for (const child of tree.fsChildren) if (child.location === normalizedWorkspace) {
+			found = child;
+			break;
+		}
+		if (!found) {
+			const available = [...tree.fsChildren].map((c) => c.location).join(", ");
+			throw new Error(`Workspace "${normalizedWorkspace}" not found in package-lock.json. Available workspaces: ${available || "(none)"}`);
+		}
+		startNode = found;
+	}
 	const keep = /* @__PURE__ */ new Set();
 	for (const name of packageNames) {
-		const edge = tree.edgesOut.get(name);
+		const edge = startNode.edgesOut.get(name);
 		if (!edge?.to) throw new Error(`Package "${name}" not found in lockfile`);
+		if (edge.type === "workspace" || edge.to.isWorkspace) throw new Error(`Package "${name}" resolves to a workspace, not a published package`);
 		const queue = [edge.to];
 		while (queue.length > 0) {
 			const node = queue.shift();
 			if (keep.has(node)) continue;
+			if (node.isWorkspace) continue;
 			keep.add(node);
 			for (const e of node.edgesOut.values()) {
 				if (e.type === "dev") continue;
+				if (e.type === "workspace") continue;
 				if (e.type === "optional" && !includeOptional) continue;
-				if (e.to && !keep.has(e.to)) queue.push(e.to);
+				if (e.to && !e.to.isWorkspace && !keep.has(e.to)) queue.push(e.to);
 			}
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = tree.edgesOut.get(name).to.version;
+	for (const name of packageNames) dependencies[name] = startNode.edgesOut.get(name).to.version;
 	const subsetPackages = {};
 	subsetPackages[""] = {
 		name: "lockfile-subset-output",
@@ -36,8 +75,10 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 	};
 	const originalPackages = tree.meta.data.packages;
 	for (const node of keep) {
-		const location = node.location;
-		if (originalPackages[location]) subsetPackages[location] = originalPackages[location];
+		const original = originalPackages[node.location];
+		if (!original) continue;
+		const rewritten = rewritePackageLocation(node.location, normalizedWorkspace);
+		subsetPackages[rewritten] = original;
 	}
 	const collected = [...keep].map((node) => ({
 		name: node.name,
@@ -77,21 +118,31 @@ function parseSnapshotKey(key) {
 function snapshotKey(name, version) {
 	return `${name}@${version}`;
 }
-async function extractPnpmSubset({ projectPath, packageNames, includeOptional = true }) {
+async function extractPnpmSubset({ projectPath, packageNames, includeOptional = true, workspacePath = "." }) {
 	const content = readFileSync(join(projectPath, "pnpm-lock.yaml"), "utf8");
 	const lockfile = yaml.load(content);
 	if (!lockfile.lockfileVersion || !String(lockfile.lockfileVersion).startsWith("9")) throw new Error(`pnpm lockfile version ${lockfile.lockfileVersion} is not supported. Please upgrade to pnpm 9+ (lockfile v9).`);
-	const rootImporter = lockfile.importers["."];
-	if (!rootImporter) throw new Error("No root importer found in pnpm-lock.yaml");
+	const importerKey = normalizeWorkspacePath(workspacePath);
+	const importer = lockfile.importers[importerKey];
+	if (!importer) {
+		const available = Object.keys(lockfile.importers).join(", ");
+		throw new Error(`Importer "${importerKey}" not found in pnpm-lock.yaml. Available importers: ${available}`);
+	}
 	const rootDeps = {};
-	if (rootImporter.dependencies) for (const [name, info] of Object.entries(rootImporter.dependencies)) rootDeps[name] = info.version;
-	if (rootImporter.optionalDependencies) for (const [name, info] of Object.entries(rootImporter.optionalDependencies)) rootDeps[name] = info.version;
+	for (const info of [importer.dependencies, importer.optionalDependencies]) {
+		if (!info) continue;
+		for (const [name, dep] of Object.entries(info)) rootDeps[name] = {
+			specifier: dep.specifier,
+			version: dep.version
+		};
+	}
 	const keepSnapshots = /* @__PURE__ */ new Set();
 	const keepPackages = /* @__PURE__ */ new Set();
 	for (const name of packageNames) {
-		const version = rootDeps[name];
-		if (!version) throw new Error(`Package "${name}" not found in pnpm-lock.yaml`);
-		const queue = [snapshotKey(name, version)];
+		const dep = rootDeps[name];
+		if (!dep) throw new Error(`Package "${name}" not found in pnpm-lock.yaml`);
+		if (dep.version.startsWith("link:")) throw new Error(`Package "${name}" resolves to a workspace (${dep.version}), not a published package`);
+		const queue = [snapshotKey(name, dep.version)];
 		while (queue.length > 0) {
 			const current = queue.shift();
 			if (keepSnapshots.has(current)) continue;
@@ -101,25 +152,27 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 			const snapshot = lockfile.snapshots[current];
 			if (!snapshot) continue;
 			if (snapshot.dependencies) for (const [depName, depVersion] of Object.entries(snapshot.dependencies)) {
+				if (depVersion.startsWith("link:")) continue;
 				const depKey = snapshotKey(depName, depVersion);
 				if (!keepSnapshots.has(depKey)) queue.push(depKey);
 			}
 			if (includeOptional && snapshot.optionalDependencies) for (const [depName, depVersion] of Object.entries(snapshot.optionalDependencies)) {
+				if (depVersion.startsWith("link:")) continue;
 				const depKey = snapshotKey(depName, depVersion);
 				if (!keepSnapshots.has(depKey)) queue.push(depKey);
 			}
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = parseSnapshotKey(snapshotKey(name, rootDeps[name])).version;
+	for (const name of packageNames) dependencies[name] = rootDeps[name].specifier;
 	const subsetPackages = {};
 	for (const key of keepPackages) if (lockfile.packages[key]) subsetPackages[key] = lockfile.packages[key];
 	const subsetSnapshots = {};
 	for (const key of keepSnapshots) if (lockfile.snapshots[key]) subsetSnapshots[key] = lockfile.snapshots[key];
 	const subsetImporter = { dependencies: {} };
 	for (const name of packageNames) subsetImporter.dependencies[name] = {
-		specifier: dependencies[name],
-		version: rootDeps[name]
+		specifier: rootDeps[name].specifier,
+		version: rootDeps[name].version
 	};
 	const collected = [...keepPackages].map((key) => {
 		const parsed = parseSnapshotKey(key);
@@ -148,14 +201,15 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 //#endregion
 //#region src/extract-yarn.ts
 const { parse: parseYarnLockV1, stringify: stringifyYarnLockV1 } = createRequire(import.meta.url)("@yarnpkg/lockfile");
+const OUTPUT_PACKAGE_NAME = "lockfile-subset-output";
 function detectYarnVersion(content) {
 	return content.includes("# yarn lockfile v1") ? 1 : 2;
 }
-function extractV1({ projectPath, packageNames, includeOptional, lockfileContent }) {
+function extractV1({ projectPath, packageNames, includeOptional, lockfileContent, workspacePath }) {
 	const parsed = parseYarnLockV1(lockfileContent);
 	if (parsed.type !== "success") throw new Error(`Failed to parse yarn.lock: ${parsed.type}`);
 	const lockfile = parsed.object;
-	const pkgJsonPath = join(projectPath, "package.json");
+	const pkgJsonPath = join(projectPath, workspacePath, "package.json");
 	const pkgJson = JSON.parse(readFileSync(pkgJsonPath, "utf8"));
 	const allDeps = {
 		...pkgJson.dependencies,
@@ -166,6 +220,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 	for (const name of packageNames) {
 		const range = allDeps[name];
 		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
+		if (!lockfile[`${name}@${range}`]) throw new Error(`Package "${name}@${range}" has no lockfile entry. It is likely a workspace dependency, not a published package.`);
 		const queue = [`${name}@${range}`];
 		while (queue.length > 0) {
 			const key = queue.shift();
@@ -190,7 +245,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 	const subset = {};
 	for (const key of keepKeys) subset[key] = lockfile[key];
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = lockfile[`${name}@${allDeps[name]}`].version;
+	for (const name of packageNames) dependencies[name] = allDeps[name];
 	const seen = /* @__PURE__ */ new Set();
 	const deduped = collected.filter((c) => {
 		const key = `${c.name}@${c.version}`;
@@ -202,7 +257,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 		type: "yarn",
 		yarnVersion: 1,
 		packageJson: {
-			name: "lockfile-subset-output",
+			name: OUTPUT_PACKAGE_NAME,
 			version: "1.0.0",
 			dependencies
 		},
@@ -210,7 +265,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 		collected: deduped
 	};
 }
-function extractBerry({ projectPath, packageNames, includeOptional, lockfileContent }) {
+function extractBerry({ projectPath, packageNames, includeOptional, lockfileContent, workspacePath }) {
 	const lockfile = yaml.load(lockfileContent);
 	const descriptorMap = /* @__PURE__ */ new Map();
 	for (const [compoundKey, entry] of Object.entries(lockfile)) {
@@ -221,7 +276,7 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 			originalKey: compoundKey
 		});
 	}
-	const pkgJsonPath = join(projectPath, "package.json");
+	const pkgJsonPath = join(projectPath, workspacePath, "package.json");
 	const pkgJson = JSON.parse(readFileSync(pkgJsonPath, "utf8"));
 	const allDeps = {
 		...pkgJson.dependencies,
@@ -233,6 +288,7 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 	for (const name of packageNames) {
 		const range = allDeps[name];
 		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
+		if (range.startsWith("workspace:")) throw new Error(`Package "${name}" resolves to a workspace, not a published package`);
 		const queue = [`${name}@npm:${range}`];
 		while (queue.length > 0) {
 			const desc = queue.shift();
@@ -246,20 +302,19 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 				version: match.entry.version
 			});
 			if (match.entry.dependencies) for (const [depName, depRange] of Object.entries(match.entry.dependencies)) {
+				if (depRange.startsWith("workspace:")) continue;
 				const depDesc = `${depName}@${depRange}`;
 				if (!visited.has(depDesc)) queue.push(depDesc);
 			}
 			if (includeOptional && match.entry.optionalDependencies) for (const [depName, depRange] of Object.entries(match.entry.optionalDependencies)) {
+				if (depRange.startsWith("workspace:")) continue;
 				const depDesc = `${depName}@${depRange}`;
 				if (!visited.has(depDesc)) queue.push(depDesc);
 			}
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) {
-		const descriptor = `${name}@npm:${allDeps[name]}`;
-		dependencies[name] = descriptorMap.get(descriptor).entry.version;
-	}
+	for (const name of packageNames) dependencies[name] = allDeps[name];
 	const lines = [];
 	lines.push("# This file is generated by running \"yarn install\" inside your project.");
 	lines.push("# Manual changes might be lost - proceed with caution!");
@@ -271,7 +326,22 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		if (metadata.cacheKey) lines.push(`  cacheKey: ${metadata.cacheKey}`);
 		lines.push("");
 	}
-	for (const originalKey of keepOriginalKeys) {
+	const rootWorkspaceKey = `${OUTPUT_PACKAGE_NAME}@workspace:.`;
+	const sortedKeys = [...keepOriginalKeys, rootWorkspaceKey].sort();
+	for (const originalKey of sortedKeys) {
+		if (originalKey === rootWorkspaceKey) {
+			lines.push(`"${originalKey}":`);
+			lines.push("  version: 0.0.0-use.local");
+			lines.push(`  resolution: "${originalKey}"`);
+			if (Object.keys(dependencies).length > 0) {
+				lines.push("  dependencies:");
+				for (const [k, v] of Object.entries(dependencies)) lines.push(`    ${k}: "npm:${v}"`);
+			}
+			lines.push("  languageName: unknown");
+			lines.push("  linkType: soft");
+			lines.push("");
+			continue;
+		}
 		const entry = lockfile[originalKey];
 		lines.push(`"${originalKey}":`);
 		lines.push(`  version: ${entry.version}`);
@@ -312,7 +382,7 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		type: "yarn",
 		yarnVersion: 2,
 		packageJson: {
-			name: "lockfile-subset-output",
+			name: OUTPUT_PACKAGE_NAME,
 			version: "1.0.0",
 			dependencies
 		},
@@ -328,19 +398,23 @@ function parseDescriptorName(descriptor) {
 	if (lastAt > 0) return descriptor.slice(0, lastAt);
 	return descriptor;
 }
-async function extractYarnSubset({ projectPath, packageNames, includeOptional = true }) {
+async function extractYarnSubset({ projectPath, packageNames, includeOptional = true, workspacePath = "." }) {
 	const lockfileContent = readFileSync(join(projectPath, "yarn.lock"), "utf8");
-	if (detectYarnVersion(lockfileContent) === 1) return extractV1({
+	const version = detectYarnVersion(lockfileContent);
+	const normalizedWorkspace = normalizeWorkspacePath(workspacePath);
+	if (version === 1) return extractV1({
 		projectPath,
 		packageNames,
 		includeOptional,
-		lockfileContent
+		lockfileContent,
+		workspacePath: normalizedWorkspace
 	});
 	else return extractBerry({
 		projectPath,
 		packageNames,
 		includeOptional,
-		lockfileContent
+		lockfileContent,
+		workspacePath: normalizedWorkspace
 	});
 }
 //#endregion
@@ -411,37 +485,48 @@ function parseArgs(argv) {
 	}
 	return args;
 }
+const LOCKFILE_BASENAMES = {
+	"pnpm-lock.yaml": "pnpm",
+	"yarn.lock": "yarn",
+	"package-lock.json": "npm"
+};
+/** Walk up from `start` looking for any known lockfile. Returns null if none found. */
+function findLockfileUpwards(start) {
+	let dir = start;
+	while (true) {
+		for (const [name, type] of Object.entries(LOCKFILE_BASENAMES)) if (existsSync(resolve(dir, name))) return {
+			projectPath: dir,
+			type
+		};
+		const parent = dirname(dir);
+		if (parent === dir) return null;
+		dir = parent;
+	}
+}
 function resolveLockfile(lockfilePath) {
 	if (!lockfilePath) {
-		if (existsSync(resolve("pnpm-lock.yaml"))) return {
-			projectPath: resolve("."),
-			type: "pnpm"
-		};
-		if (existsSync(resolve("yarn.lock"))) return {
-			projectPath: resolve("."),
-			type: "yarn"
-		};
-		if (existsSync(resolve("package-lock.json"))) return {
-			projectPath: resolve("."),
-			type: "npm"
-		};
-		throw new Error("No lockfile found in current directory. Expected package-lock.json, pnpm-lock.yaml, or yarn.lock.");
+		const found = findLockfileUpwards(resolve("."));
+		if (found) return found;
+		throw new Error("No lockfile found in current directory or any parent. Expected package-lock.json, pnpm-lock.yaml, or yarn.lock.");
 	}
 	const resolved = resolve(lockfilePath);
-	const basename = resolved.split("/").pop();
-	if (basename === "pnpm-lock.yaml") return {
-		projectPath: resolve(resolved, ".."),
-		type: "pnpm"
-	};
-	if (basename === "yarn.lock") return {
-		projectPath: resolve(resolved, ".."),
-		type: "yarn"
-	};
-	if (basename === "package-lock.json") return {
-		projectPath: resolve(resolved, ".."),
-		type: "npm"
+	const type = LOCKFILE_BASENAMES[basename(resolved)];
+	if (!type) throw new Error(`Invalid lockfile path: ${lockfilePath}. Expected a path to package-lock.json, pnpm-lock.yaml, or yarn.lock.`);
+	return {
+		projectPath: dirname(resolved),
+		type
 	};
-	throw new Error(`Invalid lockfile path: ${lockfilePath}. Expected a path to package-lock.json, pnpm-lock.yaml, or yarn.lock.`);
+}
+/**
+* Resolve the workspace path (relative to projectPath, forward slashes).
+* Inferred from process.cwd() vs the lockfile's project directory: if cwd
+* sits inside a sub-workspace, that path is used; otherwise "." (root).
+*/
+function resolveWorkspacePath(projectPath) {
+	const rel = relative(projectPath, resolve("."));
+	if (rel === "" || rel === ".") return ".";
+	if (rel.startsWith("..")) return ".";
+	return rel.split(sep).join("/");
 }
 const HELP = `
 lockfile-subset <packages...> [options]
@@ -453,7 +538,7 @@ Arguments:
   packages                  Package names to extract (one or more, space-separated)
 
 Options:
-  --lockfile, -l <path>     Path to lockfile (auto-detected from cwd by default)
+  --lockfile, -l <path>     Path to lockfile (auto-detected by walking up from cwd)
   --output, -o <dir>        Output directory (default: ./lockfile-subset-output)
   --no-optional             Exclude optional dependencies
   --install                 Run npm ci / pnpm install / yarn install after generating
@@ -467,6 +552,11 @@ Examples:
   lockfile-subset @prisma/client sharp -l /build/package-lock.json
   lockfile-subset @prisma/client sharp -l pnpm-lock.yaml --install
   lockfile-subset chalk --dry-run
+
+Monorepos: cd into the target workspace and run as usual.
+The lockfile is found by walking up from the current directory, and the
+sub-workspace is inferred from cwd relative to the lockfile.
+  cd apps/web && lockfile-subset next
 `.trim();
 async function main() {
 	const args = parseArgs(process.argv.slice(2));
@@ -484,22 +574,27 @@ async function main() {
 		process.exit(1);
 	}
 	const { projectPath, type } = resolveLockfile(args.lockfile);
+	const workspacePath = resolveWorkspacePath(projectPath);
 	const outputDir = resolve(args.output);
+	if (workspacePath !== ".") console.log(`Using workspace: ${workspacePath} (lockfile root: ${projectPath})`);
 	let result;
 	if (type === "pnpm") result = await extractPnpmSubset({
 		projectPath,
 		packageNames: args.packages,
-		includeOptional: args.includeOptional
+		includeOptional: args.includeOptional,
+		workspacePath
 	});
 	else if (type === "yarn") result = await extractYarnSubset({
 		projectPath,
 		packageNames: args.packages,
-		includeOptional: args.includeOptional
+		includeOptional: args.includeOptional,
+		workspacePath
 	});
 	else result = await extractSubset({
 		projectPath,
 		packageNames: args.packages,
-		includeOptional: args.includeOptional
+		includeOptional: args.includeOptional,
+		workspacePath
 	});
 	console.log(`Collected ${result.collected.length} packages (${args.packages.length} direct, ${result.collected.length - args.packages.length} transitive)`);
 	if (args.dryRun) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lockfile-subset",
-  "version": "1.2.1",
+  "version": "1.3.1",
   "description": "Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified packages and their transitive dependencies",
   "type": "module",
   "bin": {