lockfile-subset 1.3.0 → 1.4.0

package/README.md

@@ -46,6 +46,10 @@ lockfile-subset @prisma/client sharp -o /standalone --install
 
 # Preview without writing files
 lockfile-subset chalk --dry-run
+
+# esbuild-style wildcards (single "*") match against direct dependencies.
+# Quote them so the shell doesn't expand them.
+lockfile-subset '@aws-sdk/*' sharp
 ```
 
 The lockfile type (npm, pnpm, or yarn) is auto-detected from the project directory. This generates a minimal `package.json` and lockfile in the output directory. Then run `npm ci`, `pnpm install --frozen-lockfile`, or `yarn install --frozen-lockfile` to install exactly those packages.

package/dist/index.mjs

@@ -15,6 +15,47 @@ function normalizeWorkspacePath(p) {
 	return p.replace(/\\/g, "/").replace(/^\.\//, "").replace(/\/+$/, "");
 }
 //#endregion
+//#region src/wildcard.ts
+/**
+* esbuild-style wildcard matching for package names. A pattern may contain
+* at most one `*`, which matches any (possibly empty) substring. Patterns
+* without `*` are treated as exact names.
+*/
+function matchesPattern(pattern, name) {
+	const star = pattern.indexOf("*");
+	if (star === -1) return pattern === name;
+	if (pattern.indexOf("*", star + 1) !== -1) throw new Error(`Pattern "${pattern}" has more than one "*"; only one wildcard is supported.`);
+	const prefix = pattern.slice(0, star);
+	const suffix = pattern.slice(star + 1);
+	return name.length >= prefix.length + suffix.length && name.startsWith(prefix) && name.endsWith(suffix);
+}
+/**
+* Expand wildcard patterns against the set of available (root-level) package
+* names. Literal patterns pass through unchanged. Wildcard patterns that
+* match nothing throw, so typos surface as errors rather than silent no-ops.
+*/
+function expandWildcards(patterns, available) {
+	const availableArr = [...available];
+	const result = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const pattern of patterns) {
+		if (!pattern.includes("*")) {
+			if (!seen.has(pattern)) {
+				seen.add(pattern);
+				result.push(pattern);
+			}
+			continue;
+		}
+		const matched = availableArr.filter((name) => matchesPattern(pattern, name));
+		if (matched.length === 0) throw new Error(`Pattern "${pattern}" did not match any direct dependency.`);
+		for (const name of matched) if (!seen.has(name)) {
+			seen.add(name);
+			result.push(name);
+		}
+	}
+	return result;
+}
+//#endregion
 //#region src/extract.ts
 /**
 * Rewrite a package-lock.json location key so the output is a standalone project.
@@ -46,8 +87,11 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 		}
 		startNode = found;
 	}
+	const nonDevDirectDeps = [];
+	for (const [name, edge] of startNode.edgesOut) if (edge.type !== "dev") nonDevDirectDeps.push(name);
+	const resolvedNames = expandWildcards(packageNames, nonDevDirectDeps);
 	const keep = /* @__PURE__ */ new Set();
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const edge = startNode.edgesOut.get(name);
 		if (!edge?.to) throw new Error(`Package "${name}" not found in lockfile`);
 		if (edge.type === "workspace" || edge.to.isWorkspace) throw new Error(`Package "${name}" resolves to a workspace, not a published package`);
@@ -66,7 +110,7 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = startNode.edgesOut.get(name).to.version;
+	for (const name of resolvedNames) dependencies[name] = startNode.edgesOut.get(name).to.version;
 	const subsetPackages = {};
 	subsetPackages[""] = {
 		name: "lockfile-subset-output",
@@ -136,9 +180,10 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 			version: dep.version
 		};
 	}
+	const resolvedNames = expandWildcards(packageNames, Object.keys(rootDeps));
 	const keepSnapshots = /* @__PURE__ */ new Set();
 	const keepPackages = /* @__PURE__ */ new Set();
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const dep = rootDeps[name];
 		if (!dep) throw new Error(`Package "${name}" not found in pnpm-lock.yaml`);
 		if (dep.version.startsWith("link:")) throw new Error(`Package "${name}" resolves to a workspace (${dep.version}), not a published package`);
@@ -164,13 +209,13 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = rootDeps[name].specifier;
+	for (const name of resolvedNames) dependencies[name] = rootDeps[name].specifier;
 	const subsetPackages = {};
 	for (const key of keepPackages) if (lockfile.packages[key]) subsetPackages[key] = lockfile.packages[key];
 	const subsetSnapshots = {};
 	for (const key of keepSnapshots) if (lockfile.snapshots[key]) subsetSnapshots[key] = lockfile.snapshots[key];
 	const subsetImporter = { dependencies: {} };
-	for (const name of packageNames) subsetImporter.dependencies[name] = {
+	for (const name of resolvedNames) subsetImporter.dependencies[name] = {
 		specifier: rootDeps[name].specifier,
 		version: rootDeps[name].version
 	};
@@ -201,6 +246,7 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 //#endregion
 //#region src/extract-yarn.ts
 const { parse: parseYarnLockV1, stringify: stringifyYarnLockV1 } = createRequire(import.meta.url)("@yarnpkg/lockfile");
+const OUTPUT_PACKAGE_NAME = "lockfile-subset-output";
 function detectYarnVersion(content) {
 	return content.includes("# yarn lockfile v1") ? 1 : 2;
 }
@@ -214,9 +260,10 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 		...pkgJson.dependencies,
 		...pkgJson.optionalDependencies
 	};
+	const resolvedNames = expandWildcards(packageNames, Object.keys(allDeps));
 	const keepKeys = /* @__PURE__ */ new Set();
 	const collected = [];
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const range = allDeps[name];
 		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
 		if (!lockfile[`${name}@${range}`]) throw new Error(`Package "${name}@${range}" has no lockfile entry. It is likely a workspace dependency, not a published package.`);
@@ -244,7 +291,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 	const subset = {};
 	for (const key of keepKeys) subset[key] = lockfile[key];
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = allDeps[name];
+	for (const name of resolvedNames) dependencies[name] = allDeps[name];
 	const seen = /* @__PURE__ */ new Set();
 	const deduped = collected.filter((c) => {
 		const key = `${c.name}@${c.version}`;
@@ -256,7 +303,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 		type: "yarn",
 		yarnVersion: 1,
 		packageJson: {
-			name: "lockfile-subset-output",
+			name: OUTPUT_PACKAGE_NAME,
 			version: "1.0.0",
 			dependencies
 		},
@@ -281,10 +328,11 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		...pkgJson.dependencies,
 		...pkgJson.optionalDependencies
 	};
+	const resolvedNames = expandWildcards(packageNames, Object.keys(allDeps));
 	const keepOriginalKeys = /* @__PURE__ */ new Set();
 	const visited = /* @__PURE__ */ new Set();
 	const collected = [];
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const range = allDeps[name];
 		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
 		if (range.startsWith("workspace:")) throw new Error(`Package "${name}" resolves to a workspace, not a published package`);
@@ -313,7 +361,7 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = allDeps[name];
+	for (const name of resolvedNames) dependencies[name] = allDeps[name];
 	const lines = [];
 	lines.push("# This file is generated by running \"yarn install\" inside your project.");
 	lines.push("# Manual changes might be lost - proceed with caution!");
@@ -325,7 +373,22 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		if (metadata.cacheKey) lines.push(`  cacheKey: ${metadata.cacheKey}`);
 		lines.push("");
 	}
-	for (const originalKey of keepOriginalKeys) {
+	const rootWorkspaceKey = `${OUTPUT_PACKAGE_NAME}@workspace:.`;
+	const sortedKeys = [...keepOriginalKeys, rootWorkspaceKey].sort();
+	for (const originalKey of sortedKeys) {
+		if (originalKey === rootWorkspaceKey) {
+			lines.push(`"${originalKey}":`);
+			lines.push("  version: 0.0.0-use.local");
+			lines.push(`  resolution: "${originalKey}"`);
+			if (Object.keys(dependencies).length > 0) {
+				lines.push("  dependencies:");
+				for (const [k, v] of Object.entries(dependencies)) lines.push(`    ${k}: "npm:${v}"`);
+			}
+			lines.push("  languageName: unknown");
+			lines.push("  linkType: soft");
+			lines.push("");
+			continue;
+		}
 		const entry = lockfile[originalKey];
 		lines.push(`"${originalKey}":`);
 		lines.push(`  version: ${entry.version}`);
@@ -366,7 +429,7 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		type: "yarn",
 		yarnVersion: 2,
 		packageJson: {
-			name: "lockfile-subset-output",
+			name: OUTPUT_PACKAGE_NAME,
 			version: "1.0.0",
 			dependencies
 		},
@@ -519,7 +582,11 @@ Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specifie
 packages and their transitive dependencies.
 
 Arguments:
-  packages                  Package names to extract (one or more, space-separated)
+  packages                  Package names to extract (one or more, space-separated).
+                            esbuild-style wildcards (single "*") are expanded
+                            against the workspace's direct dependencies, e.g.
+                            "@aws-sdk/*" or "*-loader". Quote patterns to keep
+                            the shell from globbing them.
 
 Options:
   --lockfile, -l <path>     Path to lockfile (auto-detected by walking up from cwd)
@@ -536,6 +603,7 @@ Examples:
   lockfile-subset @prisma/client sharp -l /build/package-lock.json
   lockfile-subset @prisma/client sharp -l pnpm-lock.yaml --install
   lockfile-subset chalk --dry-run
+  lockfile-subset '@aws-sdk/*' sharp
 
 Monorepos: cd into the target workspace and run as usual.
 The lockfile is found by walking up from the current directory, and the
@@ -580,7 +648,8 @@ async function main() {
 		includeOptional: args.includeOptional,
 		workspacePath
 	});
-	console.log(`Collected ${result.collected.length} packages (${args.packages.length} direct, ${result.collected.length - args.packages.length} transitive)`);
+	const directCount = Object.keys(result.packageJson.dependencies).length;
+	console.log(`Collected ${result.collected.length} packages (${directCount} direct, ${result.collected.length - directCount} transitive)`);
 	if (args.dryRun) {
 		console.log("\n--- package.json ---");
 		console.log(JSON.stringify(result.packageJson, null, 2));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lockfile-subset",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified packages and their transitive dependencies",
   "type": "module",
   "bin": {