npm - lockfile-subset - Versions diffs - 1.3.1 → 1.4.0 - Mend

lockfile-subset 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -46,6 +46,10 @@ lockfile-subset @prisma/client sharp -o /standalone --install
 # Preview without writing files
 lockfile-subset chalk --dry-run
+# esbuild-style wildcards (single "*") match against direct dependencies.
+# Quote them so the shell doesn't expand them.
+lockfile-subset '@aws-sdk/*' sharp
 ```
 The lockfile type (npm, pnpm, or yarn) is auto-detected from the project directory. This generates a minimal `package.json` and lockfile in the output directory. Then run `npm ci`, `pnpm install --frozen-lockfile`, or `yarn install --frozen-lockfile` to install exactly those packages.

package/dist/index.mjs CHANGED Viewed

@@ -15,6 +15,47 @@ function normalizeWorkspacePath(p) {
 	return p.replace(/\\/g, "/").replace(/^\.\//, "").replace(/\/+$/, "");
 }
 //#endregion
+//#region src/wildcard.ts
+/**
+* esbuild-style wildcard matching for package names. A pattern may contain
+* at most one `*`, which matches any (possibly empty) substring. Patterns
+* without `*` are treated as exact names.
+*/
+function matchesPattern(pattern, name) {
+	const star = pattern.indexOf("*");
+	if (star === -1) return pattern === name;
+	if (pattern.indexOf("*", star + 1) !== -1) throw new Error(`Pattern "${pattern}" has more than one "*"; only one wildcard is supported.`);
+	const prefix = pattern.slice(0, star);
+	const suffix = pattern.slice(star + 1);
+	return name.length >= prefix.length + suffix.length && name.startsWith(prefix) && name.endsWith(suffix);
+}
+/**
+* Expand wildcard patterns against the set of available (root-level) package
+* names. Literal patterns pass through unchanged. Wildcard patterns that
+* match nothing throw, so typos surface as errors rather than silent no-ops.
+*/
+function expandWildcards(patterns, available) {
+	const availableArr = [...available];
+	const result = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const pattern of patterns) {
+		if (!pattern.includes("*")) {
+			if (!seen.has(pattern)) {
+				seen.add(pattern);
+				result.push(pattern);
+			}
+			continue;
+		}
+		const matched = availableArr.filter((name) => matchesPattern(pattern, name));
+		if (matched.length === 0) throw new Error(`Pattern "${pattern}" did not match any direct dependency.`);
+		for (const name of matched) if (!seen.has(name)) {
+			seen.add(name);
+			result.push(name);
+		}
+	}
+	return result;
+}
+//#endregion
 //#region src/extract.ts
 /**
 * Rewrite a package-lock.json location key so the output is a standalone project.
@@ -46,8 +87,11 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 		}
 		startNode = found;
 	}
+	const nonDevDirectDeps = [];
+	for (const [name, edge] of startNode.edgesOut) if (edge.type !== "dev") nonDevDirectDeps.push(name);
+	const resolvedNames = expandWildcards(packageNames, nonDevDirectDeps);
 	const keep = /* @__PURE__ */ new Set();
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const edge = startNode.edgesOut.get(name);
 		if (!edge?.to) throw new Error(`Package "${name}" not found in lockfile`);
 		if (edge.type === "workspace" || edge.to.isWorkspace) throw new Error(`Package "${name}" resolves to a workspace, not a published package`);
@@ -66,7 +110,7 @@ async function extractSubset({ projectPath, packageNames, includeOptional = true
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = startNode.edgesOut.get(name).to.version;
+	for (const name of resolvedNames) dependencies[name] = startNode.edgesOut.get(name).to.version;
 	const subsetPackages = {};
 	subsetPackages[""] = {
 		name: "lockfile-subset-output",
@@ -136,9 +180,10 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 			version: dep.version
 		};
 	}
+	const resolvedNames = expandWildcards(packageNames, Object.keys(rootDeps));
 	const keepSnapshots = /* @__PURE__ */ new Set();
 	const keepPackages = /* @__PURE__ */ new Set();
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const dep = rootDeps[name];
 		if (!dep) throw new Error(`Package "${name}" not found in pnpm-lock.yaml`);
 		if (dep.version.startsWith("link:")) throw new Error(`Package "${name}" resolves to a workspace (${dep.version}), not a published package`);
@@ -164,13 +209,13 @@ async function extractPnpmSubset({ projectPath, packageNames, includeOptional =
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = rootDeps[name].specifier;
+	for (const name of resolvedNames) dependencies[name] = rootDeps[name].specifier;
 	const subsetPackages = {};
 	for (const key of keepPackages) if (lockfile.packages[key]) subsetPackages[key] = lockfile.packages[key];
 	const subsetSnapshots = {};
 	for (const key of keepSnapshots) if (lockfile.snapshots[key]) subsetSnapshots[key] = lockfile.snapshots[key];
 	const subsetImporter = { dependencies: {} };
-	for (const name of packageNames) subsetImporter.dependencies[name] = {
+	for (const name of resolvedNames) subsetImporter.dependencies[name] = {
 		specifier: rootDeps[name].specifier,
 		version: rootDeps[name].version
 	};
@@ -215,9 +260,10 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 		...pkgJson.dependencies,
 		...pkgJson.optionalDependencies
 	};
+	const resolvedNames = expandWildcards(packageNames, Object.keys(allDeps));
 	const keepKeys = /* @__PURE__ */ new Set();
 	const collected = [];
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const range = allDeps[name];
 		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
 		if (!lockfile[`${name}@${range}`]) throw new Error(`Package "${name}@${range}" has no lockfile entry. It is likely a workspace dependency, not a published package.`);
@@ -245,7 +291,7 @@ function extractV1({ projectPath, packageNames, includeOptional, lockfileContent
 	const subset = {};
 	for (const key of keepKeys) subset[key] = lockfile[key];
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = allDeps[name];
+	for (const name of resolvedNames) dependencies[name] = allDeps[name];
 	const seen = /* @__PURE__ */ new Set();
 	const deduped = collected.filter((c) => {
 		const key = `${c.name}@${c.version}`;
@@ -282,10 +328,11 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		...pkgJson.dependencies,
 		...pkgJson.optionalDependencies
 	};
+	const resolvedNames = expandWildcards(packageNames, Object.keys(allDeps));
 	const keepOriginalKeys = /* @__PURE__ */ new Set();
 	const visited = /* @__PURE__ */ new Set();
 	const collected = [];
-	for (const name of packageNames) {
+	for (const name of resolvedNames) {
 		const range = allDeps[name];
 		if (!range) throw new Error(`Package "${name}" not found in yarn.lock`);
 		if (range.startsWith("workspace:")) throw new Error(`Package "${name}" resolves to a workspace, not a published package`);
@@ -314,7 +361,7 @@ function extractBerry({ projectPath, packageNames, includeOptional, lockfileCont
 		}
 	}
 	const dependencies = {};
-	for (const name of packageNames) dependencies[name] = allDeps[name];
+	for (const name of resolvedNames) dependencies[name] = allDeps[name];
 	const lines = [];
 	lines.push("# This file is generated by running \"yarn install\" inside your project.");
 	lines.push("# Manual changes might be lost - proceed with caution!");
@@ -535,7 +582,11 @@ Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specifie
 packages and their transitive dependencies.
 Arguments:
-  packages                  Package names to extract (one or more, space-separated)
+  packages                  Package names to extract (one or more, space-separated).
+                            esbuild-style wildcards (single "*") are expanded
+                            against the workspace's direct dependencies, e.g.
+                            "@aws-sdk/*" or "*-loader". Quote patterns to keep
+                            the shell from globbing them.
 Options:
   --lockfile, -l <path>     Path to lockfile (auto-detected by walking up from cwd)
@@ -552,6 +603,7 @@ Examples:
   lockfile-subset @prisma/client sharp -l /build/package-lock.json
   lockfile-subset @prisma/client sharp -l pnpm-lock.yaml --install
   lockfile-subset chalk --dry-run
+  lockfile-subset '@aws-sdk/*' sharp
 Monorepos: cd into the target workspace and run as usual.
 The lockfile is found by walking up from the current directory, and the
@@ -596,7 +648,8 @@ async function main() {
 		includeOptional: args.includeOptional,
 		workspacePath
 	});
-	console.log(`Collected ${result.collected.length} packages (${args.packages.length} direct, ${result.collected.length - args.packages.length} transitive)`);
+	const directCount = Object.keys(result.packageJson.dependencies).length;
+	console.log(`Collected ${result.collected.length} packages (${directCount} direct, ${result.collected.length - directCount} transitive)`);
 	if (args.dryRun) {
 		console.log("\n--- package.json ---");
 		console.log(JSON.stringify(result.packageJson, null, 2));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "lockfile-subset",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified packages and their transitive dependencies",
   "type": "module",
   "bin": {