ohrisk 0.127.1 → 0.129.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +30 -0
- package/README.md +7 -5
- package/dist/cli.js +942 -187
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,35 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.129.0 - 2026-06-20
|
|
4
|
+
|
|
5
|
+
### Added
|
|
6
|
+
|
|
7
|
+
- pnpm `catalog:` and `catalog:<name>` dependency specifiers are now resolved
|
|
8
|
+
from `pnpm-workspace.yaml` for scan and git-ref diff graph extraction.
|
|
9
|
+
- Yarn Berry `.yarn/cache` package zip files are now used as local package
|
|
10
|
+
evidence before registry fallback, covering PnP installs without
|
|
11
|
+
`node_modules`.
|
|
12
|
+
|
|
13
|
+
### Fixed
|
|
14
|
+
|
|
15
|
+
- Malformed `pnpm-workspace.yaml` catalog files now fail with a typed
|
|
16
|
+
`PNPM_WORKSPACE_PARSE_FAILED` error instead of silently dropping catalog
|
|
17
|
+
dependencies.
|
|
18
|
+
|
|
19
|
+
## 0.128.0 - 2026-06-20
|
|
20
|
+
|
|
21
|
+
### Added
|
|
22
|
+
|
|
23
|
+
- Yarn Berry `yarn.lock` files are now parsed alongside Yarn classic lockfiles,
|
|
24
|
+
including `npm:` protocol descriptors, patched npm packages, and workspace
|
|
25
|
+
package roots.
|
|
26
|
+
|
|
27
|
+
### Fixed
|
|
28
|
+
|
|
29
|
+
- Real-world Yarn workspace scans now ignore local `workspace:` packages as npm
|
|
30
|
+
package evidence while still scanning each workspace package manifest as a
|
|
31
|
+
dependency root.
|
|
32
|
+
|
|
3
33
|
## 0.127.1 - 2026-06-20
|
|
4
34
|
|
|
5
35
|
### Fixed
|
package/README.md
CHANGED
|
@@ -62,23 +62,25 @@ Ohrisk is distributed as an npm package, and the packaged CLI runs on Node.js
|
|
|
62
62
|
`>=20.0.0`. Bun is used for Ohrisk development, tests, and packaging, but users
|
|
63
63
|
do not need Bun installed to run the published CLI.
|
|
64
64
|
|
|
65
|
-
Ohrisk scans Bun, npm package-lock/shrinkwrap, pnpm, Deno npm, and Yarn
|
|
65
|
+
Ohrisk scans Bun, npm package-lock/shrinkwrap, pnpm, Deno npm, and Yarn
|
|
66
66
|
lockfiles regardless of which package manager you use to install the CLI.
|
|
67
67
|
|
|
68
68
|
## Current Scope
|
|
69
69
|
|
|
70
70
|
The current implementation is the first npm-style vertical slice:
|
|
71
71
|
|
|
72
|
-
- Bun `bun.lock`, npm `package-lock.json`, npm `npm-shrinkwrap.json`, pnpm `pnpm-lock.yaml`, Deno `deno.lock`, and Yarn
|
|
72
|
+
- Bun `bun.lock`, npm `package-lock.json`, npm `npm-shrinkwrap.json`, pnpm `pnpm-lock.yaml`, Deno `deno.lock`, and Yarn classic/Berry `yarn.lock` project discovery
|
|
73
73
|
- Node-compatible packaged CLI entrypoint for npm, pnpm, Yarn, npx, pnpm dlx, and yarn dlx users
|
|
74
74
|
- explicit lockfile selection with `--lockfile <path>` for projects that contain more than one supported lockfile
|
|
75
75
|
- direct and transitive dependency graph extraction
|
|
76
|
-
- Bun, npm, pnpm, and Yarn
|
|
76
|
+
- Bun, npm, pnpm, and Yarn classic/Berry workspace projects are scanned from every workspace/importer package root
|
|
77
|
+
- pnpm `catalog:` and `catalog:<name>` dependency specifiers are resolved from `pnpm-workspace.yaml`
|
|
77
78
|
- Deno `deno.lock` projects are scanned for npm package dependencies recorded in `npm:` specifiers; remote URL imports and JSR packages are not scanned yet
|
|
78
79
|
- npm alias dependency resolution, including pnpm alias package keys, with alias context preserved in dependency paths
|
|
79
80
|
- production, development, optional, and peer dependency classification
|
|
80
81
|
- local `file:` package artifact evidence
|
|
81
82
|
- installed `node_modules` package evidence, including npm alias install names, before network fallback
|
|
83
|
+
- Yarn Berry `.yarn/cache` package zip evidence before registry fallback for PnP installs without `node_modules`
|
|
82
84
|
- remote HTTP(S) package tarball evidence when the lockfile points to a tarball, with credential-bearing URLs, obvious local, private, special-purpose, and DNS-resolved internal hosts blocked before fetch, DNS answers rechecked at the default connection boundary, and redirects followed only after each target is validated
|
|
83
85
|
- lockfile integrity verification for local and remote package tarballs
|
|
84
86
|
- npm registry metadata lookup when the lockfile does not include a direct tarball URL
|
|
@@ -157,9 +159,9 @@ Supported lockfiles:
|
|
|
157
159
|
- `bun.lock`
|
|
158
160
|
- `package-lock.json` with either a modern `packages` section or an npm v1 dependency tree
|
|
159
161
|
- `npm-shrinkwrap.json` with the same package-lock parser support
|
|
160
|
-
- `pnpm-lock.yaml` with `importers`, `packages`, and `snapshots` sections
|
|
162
|
+
- `pnpm-lock.yaml` with `importers`, `packages`, and `snapshots` sections, including default and named catalogs from `pnpm-workspace.yaml`
|
|
161
163
|
- `deno.lock` npm package entries from Deno v3/v4-style lockfiles
|
|
162
|
-
- Yarn
|
|
164
|
+
- Yarn classic/Berry `yarn.lock` with root and workspace dependency sets from `package.json` manifests, plus local `.yarn/cache` zip evidence for Berry/PnP installs
|
|
163
165
|
|
|
164
166
|
Select a specific lockfile when a project contains more than one supported lockfile:
|
|
165
167
|
|