npm - ohrisk - Versions diffs - 0.127.0 → 0.128.0 - Mend

ohrisk 0.127.0 → 0.128.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,37 @@
 # Changelog
+## 0.128.0 - 2026-06-20
+### Added
+- Yarn Berry `yarn.lock` files are now parsed alongside Yarn classic lockfiles,
+  including `npm:` protocol descriptors, patched npm packages, and workspace
+  package roots.
+### Fixed
+- Real-world Yarn workspace scans now ignore local `workspace:` packages as npm
+  package evidence while still scanning each workspace package manifest as a
+  dependency root.
+## 0.127.1 - 2026-06-20
+### Fixed
+- The default Node artifact fetcher now returns DNS lookup results in the shape
+  requested by Node's HTTP client, fixing `Invalid IP address: undefined`
+  failures when scanning real remote package tarballs.
+- Package tarball evidence now accepts npm tarballs that use a custom
+  top-level directory, such as `bun/package.json`, instead of only
+  `package/package.json`.
+- Registry metadata fallback now requests the exact package version endpoint
+  instead of the full package metadata document, avoiding oversized metadata
+  failures for packages with long histories such as `@types/node`.
+- Remote package tarballs that exceed Ohrisk's size limits now produce
+  unavailable package evidence instead of aborting the whole repository scan.
+- Package metadata now uses npm's normalized `bin` path form, avoiding publish
+  auto-correction warnings for the CLI entry.
 ## 0.127.0 - 2026-06-20
 ### Fixed

package/README.md CHANGED Viewed

@@ -62,18 +62,18 @@ Ohrisk is distributed as an npm package, and the packaged CLI runs on Node.js
 `>=20.0.0`. Bun is used for Ohrisk development, tests, and packaging, but users
 do not need Bun installed to run the published CLI.
-Ohrisk scans Bun, npm package-lock/shrinkwrap, pnpm, Deno npm, and Yarn v1
+Ohrisk scans Bun, npm package-lock/shrinkwrap, pnpm, Deno npm, and Yarn
 lockfiles regardless of which package manager you use to install the CLI.
 ## Current Scope
 The current implementation is the first npm-style vertical slice:
-- Bun `bun.lock`, npm `package-lock.json`, npm `npm-shrinkwrap.json`, pnpm `pnpm-lock.yaml`, Deno `deno.lock`, and Yarn v1 `yarn.lock` project discovery
+- Bun `bun.lock`, npm `package-lock.json`, npm `npm-shrinkwrap.json`, pnpm `pnpm-lock.yaml`, Deno `deno.lock`, and Yarn classic/Berry `yarn.lock` project discovery
 - Node-compatible packaged CLI entrypoint for npm, pnpm, Yarn, npx, pnpm dlx, and yarn dlx users
 - explicit lockfile selection with `--lockfile <path>` for projects that contain more than one supported lockfile
 - direct and transitive dependency graph extraction
-- Bun, npm, pnpm, and Yarn v1 workspace projects are scanned from every workspace/importer package root
+- Bun, npm, pnpm, and Yarn classic/Berry workspace projects are scanned from every workspace/importer package root
 - Deno `deno.lock` projects are scanned for npm package dependencies recorded in `npm:` specifiers; remote URL imports and JSR packages are not scanned yet
 - npm alias dependency resolution, including pnpm alias package keys, with alias context preserved in dependency paths
 - production, development, optional, and peer dependency classification
@@ -159,7 +159,7 @@ Supported lockfiles:
 - `npm-shrinkwrap.json` with the same package-lock parser support
 - `pnpm-lock.yaml` with `importers`, `packages`, and `snapshots` sections
 - `deno.lock` npm package entries from Deno v3/v4-style lockfiles
-- Yarn v1 `yarn.lock` with root and workspace dependency sets from `package.json` manifests
+- Yarn classic/Berry `yarn.lock` with root and workspace dependency sets from `package.json` manifests
 Select a specific lockfile when a project contains more than one supported lockfile:

package/dist/cli.js CHANGED Viewed

@@ -15175,7 +15175,7 @@ function parseDiffArgs(argv) {
 }
 // src/cli/version.ts
-var OHRISK_VERSION = "0.127.0";
+var OHRISK_VERSION = "0.128.0";
 // src/diff/compare.ts
 function diffRiskFindings(input) {
@@ -15480,7 +15480,8 @@ function collectTarballEvidence(input) {
       tarball: unpacked.value,
       maxEntries: input.maxEntries ?? PACKAGE_TARBALL_MAX_ENTRIES
     });
-    const packageJsonEntry = entries.find((entry) => normalizePackagePath(entry.path) === "package.json");
+    const packageRoot = findPackageRoot(entries);
+    const packageJsonEntry = packageRoot === undefined ? undefined : entries.find((entry) => normalizePackagePath(entry.path, packageRoot) === "package.json");
     if (!packageJsonEntry) {
       return err(createError({
         code: "PACKAGE_JSON_PARSE_FAILED",
@@ -15498,7 +15499,7 @@ function collectTarballEvidence(input) {
     if (!packageJson.ok) {
       return err(packageJson.error);
     }
-    const files = collectTarEvidenceFiles(entries);
+    const files = collectTarEvidenceFiles(entries, packageRoot);
     const warnings = files.length === 0 ? ["No LICENSE, LICENCE, UNLICENSE, COPYING, or NOTICE file found."] : [];
     return ok({
       packageId: input.packageId,
@@ -15589,9 +15590,22 @@ function parseTarEntries(input) {
   }
   return entries;
 }
-function collectTarEvidenceFiles(entries) {
+function findPackageRoot(entries) {
+  if (entries.some((entry) => entry.path === "package.json")) {
+    return "";
+  }
+  const roots = entries.map((entry) => {
+    const match = /^([^/]+)\/package\.json$/.exec(entry.path);
+    return match?.[1];
+  }).filter((root) => root !== undefined).sort();
+  if (roots.includes("package")) {
+    return "package";
+  }
+  return roots[0];
+}
+function collectTarEvidenceFiles(entries, packageRoot) {
   return entries.map((entry) => {
-    const normalized = normalizePackagePath(entry.path);
+    const normalized = normalizePackagePath(entry.path, packageRoot);
     if (!isRootPackageFile(normalized)) {
       return;
     }
@@ -15622,8 +15636,11 @@ function readLicenseFields2(packageJson) {
 function isObjectRecord2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
-function normalizePackagePath(path2) {
-  return path2.replace(/^package\//, "");
+function normalizePackagePath(path2, packageRoot) {
+  if (packageRoot === "") {
+    return path2;
+  }
+  return path2.startsWith(`${packageRoot}/`) ? path2.slice(packageRoot.length + 1) : path2;
 }
 function readNullTerminated(buffer, start, length) {
   const slice = buffer.subarray(start, start + length);
@@ -15911,7 +15928,7 @@ function localArtifactTooLargeError(input) {
   });
 }
 async function collectRegistryTarballEvidence(input) {
-  const metadataUrl = npmRegistryPackageUrl(input.node.name);
+  const metadataUrl = npmRegistryPackageVersionUrl(input.node.name, input.node.version);
   const metadataUrlPreflight = await preflightRemoteArtifactFetchTarget({
     code: "REGISTRY_METADATA_FETCH_FAILED",
     packageId: input.node.id,
@@ -16250,6 +16267,9 @@ async function collectRemoteTarballEvidence(input) {
       }
     });
     if (!tarball.ok) {
+      if (isPackageTarballTooLargeError(tarball.error)) {
+        return ok(unavailableOversizedTarballEvidence(input.packageId));
+      }
       return err(tarball.error);
     }
     const verified = verifyPackageIntegrity({
@@ -16266,6 +16286,9 @@ async function collectRemoteTarballEvidence(input) {
       tarball: tarball.value
     });
     if (!evidence.ok) {
+      if (isPackageTarballTooLargeError(evidence.error)) {
+        return ok(unavailableOversizedTarballEvidence(input.packageId));
+      }
       return err(evidence.error);
     }
     return ok(addIntegrityWarningWhenUnverified({
@@ -16285,6 +16308,19 @@ async function collectRemoteTarballEvidence(input) {
     }));
   }
 }
+function isPackageTarballTooLargeError(error) {
+  return error.code === "TARBALL_FETCH_FAILED" && error.message === "Package tarball response exceeded the maximum supported size." || error.code === "TARBALL_PARSE_FAILED" && error.message === "Failed to decompress package tarball evidence." && typeof error.details.maxUnpackedBytes === "number";
+}
+function unavailableOversizedTarballEvidence(packageId) {
+  return {
+    packageId,
+    files: [],
+    source: "unavailable",
+    warnings: [
+      "Package tarball evidence exceeded Ohrisk's size limit and was not scanned."
+    ]
+  };
+}
 function resolveExistingLocalArtifactPath(input) {
   const allowedRoot = realpathSync(resolveLocalArtifactRoot(input.projectRoot));
   const artifactPath = realpathSync(input.artifactPath);
@@ -16967,6 +17003,9 @@ function decodeIntegrityDigest(input) {
   const normalizedDecoded = decoded.toString("base64").replace(/=+$/, "");
   return normalizedDecoded === normalizedInput ? decoded : undefined;
 }
+function npmRegistryPackageVersionUrl(name, version) {
+  return `${npmRegistryPackageUrl(name)}/${encodeURIComponent(version)}`;
+}
 function npmRegistryPackageUrl(name) {
   return `https://registry.npmjs.org/${encodeURIComponent(name).replace(/^%40/, "@")}`;
 }
@@ -16974,6 +17013,10 @@ function readRegistryTarballUrl(metadata, version) {
   if (!isRecord(metadata)) {
     return;
   }
+  const dist = metadata.dist;
+  if (isRecord(dist) && typeof dist.tarball === "string") {
+    return dist.tarball;
+  }
   const versions = metadata.versions;
   if (!isRecord(versions)) {
     return;
@@ -16982,11 +17025,11 @@ function readRegistryTarballUrl(metadata, version) {
   if (!isRecord(versionMetadata)) {
     return;
   }
-  const dist = versionMetadata.dist;
-  if (!isRecord(dist) || typeof dist.tarball !== "string") {
+  const versionDist = versionMetadata.dist;
+  if (!isRecord(versionDist) || typeof versionDist.tarball !== "string") {
     return;
   }
-  return dist.tarball;
+  return versionDist.tarball;
 }
 function isRecord(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
@@ -17028,29 +17071,63 @@ async function defaultArtifactHostResolver(hostname) {
 }
 function secureArtifactLookup(hostname, options, callback) {
   defaultArtifactHostResolver(hostname).then((resolutions) => {
-    if (resolutions.length === 0) {
-      callback(new Error(`Artifact host ${normalizeUrlHostname(hostname)} returned no DNS addresses.`), "", 0);
+    const selection = selectSecureArtifactLookupResponse(hostname, options, resolutions);
+    if (!selection.ok) {
+      respondToSecureArtifactLookupError(callback, options, selection.error);
       return;
     }
-    const requestedFamily = options.family === 4 || options.family === 6 ? options.family : undefined;
-    const familyResolutions = requestedFamily === undefined ? resolutions : resolutions.filter((resolution) => resolution.family === requestedFamily);
-    if (familyResolutions.length === 0) {
-      callback(new Error(`Artifact host ${normalizeUrlHostname(hostname)} returned no matching DNS addresses.`), "", 0);
+    if (selection.value.all) {
+      callback(null, selection.value.resolutions);
       return;
     }
-    for (const resolution of familyResolutions) {
-      const blockedReason = blockedRemoteArtifactHostReason(resolution.address);
-      if (blockedReason) {
-        callback(new Error(`Blocked artifact host resolution for ${normalizeUrlHostname(hostname)}: ${normalizeUrlHostname(resolution.address)} (${blockedReason}).`), "", 0);
-        return;
-      }
-    }
-    const selected = familyResolutions[0];
-    callback(null, selected.address, selected.family);
+    callback(null, selection.value.address, selection.value.family);
   }).catch((cause) => {
-    callback(cause instanceof Error ? cause : new Error(String(cause)), "", 0);
+    respondToSecureArtifactLookupError(callback, options, cause instanceof Error ? cause : new Error(String(cause)));
+  });
+}
+function selectSecureArtifactLookupResponse(hostname, options, resolutions) {
+  const normalizedOptions = normalizeArtifactLookupOptions(options);
+  const normalizedHostname = normalizeUrlHostname(hostname);
+  if (resolutions.length === 0) {
+    return err(new Error(`Artifact host ${normalizedHostname} returned no DNS addresses.`));
+  }
+  const familyResolutions = normalizedOptions.family === undefined ? resolutions : resolutions.filter((resolution) => resolution.family === normalizedOptions.family);
+  if (familyResolutions.length === 0) {
+    return err(new Error(`Artifact host ${normalizedHostname} returned no matching DNS addresses.`));
+  }
+  for (const resolution of familyResolutions) {
+    const blockedReason = blockedRemoteArtifactHostReason(resolution.address);
+    if (blockedReason) {
+      return err(new Error(`Blocked artifact host resolution for ${normalizedHostname}: ${normalizeUrlHostname(resolution.address)} (${blockedReason}).`));
+    }
+  }
+  if (normalizedOptions.all) {
+    return ok({
+      all: true,
+      resolutions: familyResolutions
+    });
+  }
+  const selected = familyResolutions[0];
+  return ok({
+    all: false,
+    address: selected.address,
+    family: selected.family
   });
 }
+function normalizeArtifactLookupOptions(options) {
+  const family = typeof options === "number" ? options : options?.family;
+  return {
+    all: typeof options === "object" && options?.all === true,
+    family: family === 4 || family === 6 ? family : undefined
+  };
+}
+function respondToSecureArtifactLookupError(callback, options, error) {
+  if (normalizeArtifactLookupOptions(options).all) {
+    callback(error, []);
+    return;
+  }
+  callback(error, "", 0);
+}
 function headersForIncomingMessage(headers) {
   return {
     get: (name) => {
@@ -17189,6 +17266,17 @@ function resolveNpmDependencyReference(requestedName, range) {
       aliased: alias.name !== requestedName
     };
   }
+  if (range.startsWith("npm:")) {
+    const bareRange = range.slice("npm:".length);
+    if (bareRange !== "") {
+      return {
+        requestedName,
+        lookupName: requestedName,
+        lookupRange: bareRange,
+        aliased: false
+      };
+    }
+  }
   return {
     requestedName,
     lookupName: requestedName,
@@ -19064,17 +19152,20 @@ function readPackageName2(packageJson) {
   return typeof packageJson.name === "string" && packageJson.name !== "" ? packageJson.name : undefined;
 }
 function parseLockfile(input, lockfilePath) {
+  if (hasMergeConflictMarkers(input)) {
+    return err(createError({
+      code: "YARN_LOCK_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse yarn.lock because it contains unresolved merge conflicts.",
+      details: {
+        lockfilePath
+      }
+    }));
+  }
+  if (isYarnBerryLockfile(input)) {
+    return parseBerryLockfile(input, lockfilePath);
+  }
   try {
-    if (hasMergeConflictMarkers(input)) {
-      return err(createError({
-        code: "YARN_LOCK_PARSE_FAILED",
-        category: "unsupported_input",
-        message: "Failed to parse yarn.lock because it contains unresolved merge conflicts.",
-        details: {
-          lockfilePath
-        }
-      }));
-    }
     const parsed = yarnLockfile.parse(input);
     if (parsed.type === "conflict") {
       return err(createError({
@@ -19086,12 +19177,47 @@ function parseLockfile(input, lockfilePath) {
         }
       }));
     }
-    return ok(parsed.object);
+    return ok({
+      format: "classic",
+      entries: parsed.object
+    });
   } catch (cause) {
     return err(createError({
       code: "YARN_LOCK_PARSE_FAILED",
       category: "unsupported_input",
-      message: "Failed to parse yarn.lock. Ohrisk currently supports Yarn v1 lockfiles.",
+      message: "Failed to parse yarn.lock. Ohrisk expects a Yarn classic or Berry lockfile.",
+      details: {
+        lockfilePath,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function isYarnBerryLockfile(input) {
+  return /^__metadata:\s*$/m.test(input);
+}
+function parseBerryLockfile(input, lockfilePath) {
+  try {
+    const parsed = $parse(input);
+    if (!isObjectRecord8(parsed)) {
+      throw new Error("Expected a YAML mapping at the document root.");
+    }
+    const entries = {};
+    for (const [key, value] of Object.entries(parsed)) {
+      if (key === "__metadata" || !isObjectRecord8(value)) {
+        continue;
+      }
+      entries[key] = value;
+    }
+    return ok({
+      format: "berry",
+      entries
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "YARN_LOCK_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse Yarn Berry lockfile.",
       details: {
         lockfilePath,
         cause: cause instanceof Error ? cause.message : String(cause)
@@ -19104,12 +19230,12 @@ function hasMergeConflictMarkers(input) {
 }
 function parsePackageRecords4(lockfile) {
   const records = [];
-  for (const [key, entry] of Object.entries(lockfile)) {
+  for (const [key, entry] of Object.entries(lockfile.entries)) {
     if (typeof entry.version !== "string" || entry.version === "") {
       continue;
     }
     const descriptors = splitDescriptorKey(key);
-    const identity2 = descriptors.map(parseDescriptor).find(Boolean);
+    const identity2 = lockfile.format === "berry" ? readBerryPackageIdentity({ key, entry }) : descriptors.map(parseDescriptor).find(Boolean);
     if (!identity2) {
       continue;
     }
@@ -19117,7 +19243,10 @@ function parsePackageRecords4(lockfile) {
     const integrity = typeof entry.integrity === "string" && entry.integrity !== "" ? entry.integrity : undefined;
     records.push({
       key,
-      descriptors,
+      descriptors: descriptorIndexKeys({
+        descriptors,
+        format: lockfile.format
+      }),
       name: identity2.name,
       version: entry.version,
       id: `${identity2.name}@${entry.version}`,
@@ -19131,8 +19260,26 @@ function parsePackageRecords4(lockfile) {
 function splitDescriptorKey(key) {
   return key.split(/,\s*/).map((descriptor) => descriptor.trim()).filter(Boolean);
 }
+function descriptorIndexKeys(input) {
+  const keys = new Set;
+  for (const descriptor of input.descriptors) {
+    const unquoted = unquoteDescriptor(descriptor);
+    keys.add(unquoted);
+    const parsed = input.format === "berry" ? parseBerryDescriptor(unquoted) : parseDescriptor(unquoted);
+    if (!parsed) {
+      continue;
+    }
+    keys.add(`${parsed.name}@${parsed.range}`);
+    keys.add(`${parsed.name}@npm:${parsed.range}`);
+  }
+  return [...keys];
+}
 function parseDescriptor(descriptor) {
-  const unquoted = descriptor.replace(/^"|"$/g, "");
+  const unquoted = unquoteDescriptor(descriptor);
+  const berryDescriptor = parseBerryDescriptor(unquoted);
+  if (berryDescriptor) {
+    return berryDescriptor;
+  }
   const aliasMarker = "@npm:";
   const aliasIndex = unquoted.indexOf(aliasMarker);
   if (aliasIndex > 0) {
@@ -19148,6 +19295,89 @@ function parseDescriptor(descriptor) {
   }
   return { name: parsed.name, range: parsed.reference };
 }
+function parseBerryDescriptor(descriptor) {
+  const npmLocator = parseBerryNpmLocator(descriptor);
+  if (npmLocator) {
+    const alias = parseNpmPackageReference(`npm:${npmLocator.reference}`);
+    return alias ? { name: alias.name, range: alias.reference } : { name: npmLocator.name, range: npmLocator.reference };
+  }
+  const patchLocator = parseBerryPatchLocator(descriptor);
+  if (patchLocator) {
+    return patchLocator;
+  }
+  return;
+}
+function readBerryPackageIdentity(input) {
+  const resolution = typeof input.entry.resolution === "string" ? input.entry.resolution : undefined;
+  const parsedResolution = resolution ? parseBerryResolution(resolution) : undefined;
+  if (parsedResolution) {
+    return parsedResolution;
+  }
+  const descriptorIdentity = splitDescriptorKey(input.key).map((descriptor) => parseBerryDescriptor(unquoteDescriptor(descriptor))).find(Boolean);
+  return descriptorIdentity ? { name: descriptorIdentity.name, version: descriptorIdentity.range } : undefined;
+}
+function parseBerryResolution(value) {
+  const unquoted = unquoteDescriptor(value);
+  const npmLocator = parseBerryNpmLocator(unquoted);
+  if (npmLocator) {
+    return {
+      name: npmLocator.name,
+      version: npmLocator.reference
+    };
+  }
+  const patchLocator = parseBerryPatchLocator(unquoted);
+  if (patchLocator) {
+    return {
+      name: patchLocator.name,
+      version: patchLocator.range
+    };
+  }
+  return;
+}
+function parseBerryNpmLocator(value) {
+  const marker = "@npm:";
+  const index = value.indexOf(marker);
+  if (index <= 0) {
+    return;
+  }
+  const name = value.slice(0, index);
+  const reference = value.slice(index + marker.length);
+  if (!isValidNpmPackageName(name) || reference === "") {
+    return;
+  }
+  return { name, reference };
+}
+function parseBerryPatchLocator(value) {
+  const marker = "@patch:";
+  const index = value.indexOf(marker);
+  if (index <= 0) {
+    return;
+  }
+  const patchedLocator = value.slice(index + marker.length).split("#")[0]?.split("::")[0];
+  if (!patchedLocator) {
+    return;
+  }
+  const decodedLocator = safeDecodeURIComponent(patchedLocator);
+  const npmLocator = parseBerryNpmLocator(decodedLocator);
+  if (!npmLocator) {
+    return;
+  }
+  const alias = parseNpmPackageReference(`npm:${npmLocator.reference}`);
+  return alias ? { name: alias.name, range: alias.reference } : { name: npmLocator.name, range: npmLocator.reference };
+}
+function safeDecodeURIComponent(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function unquoteDescriptor(value) {
+  return value.replace(/^"|"$/g, "");
+}
+function isValidNpmPackageName(value) {
+  return /^(?:@[^/]+\/)?[^/@][^@]*$/.test(value);
+}
 function collectRootDependencies5(packageJson) {
   return [
     ...dependencyEntries4(packageJson.dependencies, "production"),
@@ -19200,10 +19430,28 @@ function indexPackagesByName3(records) {
   return index;
 }
 function resolvePackageRecord4(input) {
-  const descriptor = `${input.name}@${input.range}`;
   const reference = resolveNpmDependencyReference(input.name, input.range);
   const candidates = input.nameIndex.get(reference.lookupName) ?? [];
-  return input.descriptorIndex.get(descriptor) ?? (candidates.length === 1 ? candidates[0] : undefined) ?? candidates.find((candidate) => candidate.version === reference.lookupRange) ?? undefined;
+  return dependencyDescriptorCandidates({
+    name: input.name,
+    range: input.range,
+    reference
+  }).map((descriptor) => input.descriptorIndex.get(descriptor)).find((record) => record !== undefined) ?? (candidates.length === 1 ? candidates[0] : undefined) ?? candidates.find((candidate) => candidate.version === reference.lookupRange) ?? undefined;
+}
+function dependencyDescriptorCandidates(input) {
+  const candidates = new Set;
+  candidates.add(`${input.name}@${input.range}`);
+  candidates.add(`${input.reference.lookupName}@${input.reference.lookupRange}`);
+  candidates.add(`${input.name}@npm:${input.range}`);
+  candidates.add(`${input.reference.lookupName}@npm:${input.reference.lookupRange}`);
+  if (input.range.startsWith("npm:")) {
+    const bareRange = input.range.slice("npm:".length);
+    candidates.add(`${input.name}@${bareRange}`);
+    candidates.add(`${input.name}@npm:${bareRange}`);
+    candidates.add(`${input.reference.lookupName}@${bareRange}`);
+    candidates.add(`${input.reference.lookupName}@npm:${bareRange}`);
+  }
+  return [...candidates].filter((candidate) => !candidate.endsWith("@"));
 }
 function walkDependency5(input) {
   if (input.seen.has(input.record.key)) {
@@ -21123,7 +21371,7 @@ var KNOWN_PROJECT_MANIFESTS = [
   "deno.json",
   "deno.jsonc"
 ];
-var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn v1 yarn.lock.";
+var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn classic/Berry yarn.lock.";
 function discoverProject(options = {}) {
   const startDir = path12.resolve(options.cwd ?? process.cwd());
   try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ohrisk",
-  "version": "0.127.0",
+  "version": "0.128.0",
   "description": "Catch open-source license risk before your PR ships.",
   "license": "MIT",
   "type": "module",
@@ -9,7 +9,7 @@
     "node": ">=20.0.0"
   },
   "bin": {
-    "ohrisk": "./dist/cli.js"
+    "ohrisk": "dist/cli.js"
   },
   "repository": {
     "type": "git",