ohrisk 0.127.1 → 0.129.0

package/dist/cli.js

@@ -7824,11 +7824,11 @@ var require_lockfile = __commonJS((exports, module) => {
         };
       })();
       let getEolFromFile = (() => {
-        var _ref30 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path6) {
-          if (!(yield exists(path6))) {
+        var _ref30 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path7) {
+          if (!(yield exists(path7))) {
             return;
           }
-          const buffer = yield readFileBuffer(path6);
+          const buffer = yield readFileBuffer(path7);
           for (let i = 0;i < buffer.length; ++i) {
             if (buffer[i] === cr) {
               return `\r
@@ -7846,13 +7846,13 @@ var require_lockfile = __commonJS((exports, module) => {
         };
       })();
       let writeFilePreservingEol = exports2.writeFilePreservingEol = (() => {
-        var _ref31 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path6, data) {
-          const eol = (yield getEolFromFile(path6)) || (_os || _load_os()).default.EOL;
+        var _ref31 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path7, data) {
+          const eol = (yield getEolFromFile(path7)) || (_os || _load_os()).default.EOL;
           if (eol !== `
 `) {
             data = data.replace(/\n/g, eol);
           }
-          yield writeFile(path6, data);
+          yield writeFile(path7, data);
         });
         return function writeFilePreservingEol2(_x30, _x31) {
           return _ref31.apply(this, arguments);
@@ -7903,10 +7903,10 @@ var require_lockfile = __commonJS((exports, module) => {
                 break;
               _ref35 = _i15.value;
             }
-            const path6 = _ref35;
+            const path7 = _ref35;
             try {
-              const fd = yield open(path6, "r");
-              return (_fs || _load_fs()).default.createReadStream(path6, { fd });
+              const fd = yield open(path7, "r");
+              return (_fs || _load_fs()).default.createReadStream(path7, { fd });
             } catch (err2) {}
           }
           return null;
@@ -8070,7 +8070,7 @@ var require_lockfile = __commonJS((exports, module) => {
       });
       exports2.getPathKey = getPathKey;
       const os = __webpack_require__(36);
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const userHome = __webpack_require__(45).default;
       var _require = __webpack_require__(171);
       const { getCacheDir, getConfigDir, getDataDir } = _require;
@@ -8093,29 +8093,29 @@ var require_lockfile = __commonJS((exports, module) => {
       function getPreferredCacheDirectories() {
         const preferredCacheDirectories = [getCacheDir()];
         if (process.getuid) {
-          preferredCacheDirectories.push(path6.join(os.tmpdir(), `.yarn-cache-${process.getuid()}`));
+          preferredCacheDirectories.push(path7.join(os.tmpdir(), `.yarn-cache-${process.getuid()}`));
         }
-        preferredCacheDirectories.push(path6.join(os.tmpdir(), `.yarn-cache`));
+        preferredCacheDirectories.push(path7.join(os.tmpdir(), `.yarn-cache`));
         return preferredCacheDirectories;
       }
       const PREFERRED_MODULE_CACHE_DIRECTORIES = exports2.PREFERRED_MODULE_CACHE_DIRECTORIES = getPreferredCacheDirectories();
       const CONFIG_DIRECTORY = exports2.CONFIG_DIRECTORY = getConfigDir();
       const DATA_DIRECTORY = exports2.DATA_DIRECTORY = getDataDir();
-      const LINK_REGISTRY_DIRECTORY = exports2.LINK_REGISTRY_DIRECTORY = path6.join(DATA_DIRECTORY, "link");
-      const GLOBAL_MODULE_DIRECTORY = exports2.GLOBAL_MODULE_DIRECTORY = path6.join(DATA_DIRECTORY, "global");
+      const LINK_REGISTRY_DIRECTORY = exports2.LINK_REGISTRY_DIRECTORY = path7.join(DATA_DIRECTORY, "link");
+      const GLOBAL_MODULE_DIRECTORY = exports2.GLOBAL_MODULE_DIRECTORY = path7.join(DATA_DIRECTORY, "global");
       const NODE_BIN_PATH = exports2.NODE_BIN_PATH = process.execPath;
       const YARN_BIN_PATH = exports2.YARN_BIN_PATH = getYarnBinPath();
       function getYarnBinPath() {
         if (isWebpackBundle) {
           return __filename;
         } else {
-          return path6.join(__dirname, "..", "bin", "yarn.js");
+          return path7.join(__dirname, "..", "bin", "yarn.js");
         }
       }
       const NODE_MODULES_FOLDER = exports2.NODE_MODULES_FOLDER = "node_modules";
       const NODE_PACKAGE_JSON = exports2.NODE_PACKAGE_JSON = "package.json";
       const POSIX_GLOBAL_PREFIX = exports2.POSIX_GLOBAL_PREFIX = `${process.env.DESTDIR || ""}/usr/local`;
-      const FALLBACK_GLOBAL_PREFIX = exports2.FALLBACK_GLOBAL_PREFIX = path6.join(userHome, ".yarn");
+      const FALLBACK_GLOBAL_PREFIX = exports2.FALLBACK_GLOBAL_PREFIX = path7.join(userHome, ".yarn");
       const META_FOLDER = exports2.META_FOLDER = ".yarn-meta";
       const INTEGRITY_FILENAME = exports2.INTEGRITY_FILENAME = ".yarn-integrity";
       const LOCKFILE_FILENAME = exports2.LOCKFILE_FILENAME = "yarn.lock";
@@ -8349,7 +8349,7 @@ var require_lockfile = __commonJS((exports, module) => {
         return obj && obj.__esModule ? obj : { default: obj };
       }
       const invariant = __webpack_require__(7);
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const ssri = __webpack_require__(55);
       function getName(pattern) {
         return (0, (_normalizePattern || _load_normalizePattern()).normalizePattern)(pattern).name;
@@ -8415,7 +8415,7 @@ var require_lockfile = __commonJS((exports, module) => {
         }
         static fromDirectory(dir, reporter) {
           return (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* () {
-            const lockfileLoc = path6.join(dir, (_constants || _load_constants()).LOCKFILE_FILENAME);
+            const lockfileLoc = path7.join(dir, (_constants || _load_constants()).LOCKFILE_FILENAME);
             let lockfile;
             let rawLockfile = "";
             let parseResult;
@@ -8834,9 +8834,9 @@ var require_lockfile = __commonJS((exports, module) => {
       function _interopRequireDefault(obj) {
         return obj && obj.__esModule ? obj : { default: obj };
       }
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const home = exports2.home = __webpack_require__(36).homedir();
-      const userHomeDir = (_rootUser || _load_rootUser()).default ? path6.resolve("/usr/local/share") : home;
+      const userHomeDir = (_rootUser || _load_rootUser()).default ? path7.resolve("/usr/local/share") : home;
       exports2.default = userHomeDir;
     },
     function(module2, exports2) {
@@ -9236,9 +9236,9 @@ var require_lockfile = __commonJS((exports, module) => {
     function(module2, exports2, __webpack_require__) {
       module2.exports = minimatch;
       minimatch.Minimatch = Minimatch;
-      var path6 = { sep: "/" };
+      var path7 = { sep: "/" };
       try {
-        path6 = __webpack_require__(0);
+        path7 = __webpack_require__(0);
       } catch (er) {}
       var GLOBSTAR = minimatch.GLOBSTAR = Minimatch.GLOBSTAR = {};
       var expand = __webpack_require__(175);
@@ -9320,8 +9320,8 @@ var require_lockfile = __commonJS((exports, module) => {
         if (!options)
           options = {};
         pattern = pattern.trim();
-        if (path6.sep !== "/") {
-          pattern = pattern.split(path6.sep).join("/");
+        if (path7.sep !== "/") {
+          pattern = pattern.split(path7.sep).join("/");
         }
         this.options = options;
         this.set = [];
@@ -9688,8 +9688,8 @@ var require_lockfile = __commonJS((exports, module) => {
         if (f === "/" && partial)
           return true;
         var options = this.options;
-        if (path6.sep !== "/") {
-          f = f.split(path6.sep).join("/");
+        if (path7.sep !== "/") {
+          f = f.split(path7.sep).join("/");
         }
         f = f.split(slashSplit);
         this.debug(this.pattern, "split", f);
@@ -9919,7 +9919,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
       var Minimatch = minimatch.Minimatch;
       var inherits = __webpack_require__(42);
       var EE = __webpack_require__(54).EventEmitter;
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var assert = __webpack_require__(22);
       var isAbsolute = __webpack_require__(76);
       var globSync = __webpack_require__(218);
@@ -10202,7 +10202,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
                 e = prefix + e;
             }
             if (e.charAt(0) === "/" && !this.nomount) {
-              e = path6.join(this.root, e);
+              e = path7.join(this.root, e);
             }
             this._emitMatch(index, e);
           }
@@ -10389,9 +10389,9 @@ globstar while`, file, fr, pattern, pr, swallowee);
         if (prefix && isAbsolute(prefix) && !this.nomount) {
           var trail = /[\/\\]$/.test(prefix);
           if (prefix.charAt(0) === "/") {
-            prefix = path6.join(this.root, prefix);
+            prefix = path7.join(this.root, prefix);
           } else {
-            prefix = path6.resolve(this.root, prefix);
+            prefix = path7.resolve(this.root, prefix);
             if (trail)
               prefix += "/";
           }
@@ -10464,12 +10464,12 @@ globstar while`, file, fr, pattern, pr, swallowee);
       };
     },
     function(module2, exports2, __webpack_require__) {
-      function posix(path6) {
-        return path6.charAt(0) === "/";
+      function posix(path7) {
+        return path7.charAt(0) === "/";
       }
-      function win32(path6) {
+      function win32(path7) {
         var splitDeviceRe = /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
-        var result = splitDeviceRe.exec(path6);
+        var result = splitDeviceRe.exec(path7);
         var device = result[1] || "";
         var isUnc = Boolean(device && device.charAt(1) !== ":");
         return Boolean(result[2] || isUnc);
@@ -11430,7 +11430,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
       function ownProp(obj, field) {
         return Object.prototype.hasOwnProperty.call(obj, field);
       }
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var minimatch = __webpack_require__(60);
       var isAbsolute = __webpack_require__(76);
       var Minimatch = minimatch.Minimatch;
@@ -11497,11 +11497,11 @@ globstar while`, file, fr, pattern, pr, swallowee);
         if (!ownProp(options, "cwd"))
           self2.cwd = cwd;
         else {
-          self2.cwd = path6.resolve(options.cwd);
+          self2.cwd = path7.resolve(options.cwd);
           self2.changedCwd = self2.cwd !== cwd;
         }
-        self2.root = options.root || path6.resolve(self2.cwd, "/");
-        self2.root = path6.resolve(self2.root);
+        self2.root = options.root || path7.resolve(self2.cwd, "/");
+        self2.root = path7.resolve(self2.root);
         if (process.platform === "win32")
           self2.root = self2.root.replace(/\\/g, "/");
         self2.cwdAbs = isAbsolute(self2.cwd) ? self2.cwd : makeAbs(self2, self2.cwd);
@@ -11582,35 +11582,35 @@ globstar while`, file, fr, pattern, pr, swallowee);
       function makeAbs(self2, f) {
         var abs = f;
         if (f.charAt(0) === "/") {
-          abs = path6.join(self2.root, f);
+          abs = path7.join(self2.root, f);
         } else if (isAbsolute(f) || f === "") {
           abs = f;
         } else if (self2.changedCwd) {
-          abs = path6.resolve(self2.cwd, f);
+          abs = path7.resolve(self2.cwd, f);
         } else {
-          abs = path6.resolve(f);
+          abs = path7.resolve(f);
         }
         if (process.platform === "win32")
           abs = abs.replace(/\\/g, "/");
         return abs;
       }
-      function isIgnored(self2, path7) {
+      function isIgnored(self2, path8) {
         if (!self2.ignore.length)
           return false;
         return self2.ignore.some(function(item) {
-          return item.matcher.match(path7) || !!(item.gmatcher && item.gmatcher.match(path7));
+          return item.matcher.match(path8) || !!(item.gmatcher && item.gmatcher.match(path8));
         });
       }
-      function childrenIgnored(self2, path7) {
+      function childrenIgnored(self2, path8) {
         if (!self2.ignore.length)
           return false;
         return self2.ignore.some(function(item) {
-          return !!(item.gmatcher && item.gmatcher.match(path7));
+          return !!(item.gmatcher && item.gmatcher.match(path8));
         });
       }
     },
     function(module2, exports2, __webpack_require__) {
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var fs = __webpack_require__(3);
       var _0777 = parseInt("0777", 8);
       module2.exports = mkdirP.mkdirp = mkdirP.mkdirP = mkdirP;
@@ -11629,7 +11629,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
         if (!made)
           made = null;
         var cb = f || function() {};
-        p = path6.resolve(p);
+        p = path7.resolve(p);
         xfs.mkdir(p, mode, function(er) {
           if (!er) {
             made = made || p;
@@ -11637,7 +11637,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
           }
           switch (er.code) {
             case "ENOENT":
-              mkdirP(path6.dirname(p), opts, function(er2, made2) {
+              mkdirP(path7.dirname(p), opts, function(er2, made2) {
                 if (er2)
                   cb(er2, made2);
                 else
@@ -11666,14 +11666,14 @@ globstar while`, file, fr, pattern, pr, swallowee);
         }
         if (!made)
           made = null;
-        p = path6.resolve(p);
+        p = path7.resolve(p);
         try {
           xfs.mkdirSync(p, mode);
           made = made || p;
         } catch (err0) {
           switch (err0.code) {
             case "ENOENT":
-              made = sync(path6.dirname(p), opts, made);
+              made = sync(path7.dirname(p), opts, made);
               sync(p, opts, made);
               break;
             default:
@@ -12051,27 +12051,27 @@ ${indent}`);
       exports2.getDataDir = getDataDir;
       exports2.getCacheDir = getCacheDir;
       exports2.getConfigDir = getConfigDir;
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const userHome = __webpack_require__(45).default;
-      const FALLBACK_CONFIG_DIR = path6.join(userHome, ".config", "yarn");
-      const FALLBACK_CACHE_DIR = path6.join(userHome, ".cache", "yarn");
+      const FALLBACK_CONFIG_DIR = path7.join(userHome, ".config", "yarn");
+      const FALLBACK_CACHE_DIR = path7.join(userHome, ".cache", "yarn");
       function getDataDir() {
         if (process.platform === "win32") {
           const WIN32_APPDATA_DIR = getLocalAppDataDir();
-          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path6.join(WIN32_APPDATA_DIR, "Data");
+          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path7.join(WIN32_APPDATA_DIR, "Data");
         } else if (process.env.XDG_DATA_HOME) {
-          return path6.join(process.env.XDG_DATA_HOME, "yarn");
+          return path7.join(process.env.XDG_DATA_HOME, "yarn");
         } else {
           return FALLBACK_CONFIG_DIR;
         }
       }
       function getCacheDir() {
         if (process.platform === "win32") {
-          return path6.join(getLocalAppDataDir() || path6.join(userHome, "AppData", "Local", "Yarn"), "Cache");
+          return path7.join(getLocalAppDataDir() || path7.join(userHome, "AppData", "Local", "Yarn"), "Cache");
         } else if (process.env.XDG_CACHE_HOME) {
-          return path6.join(process.env.XDG_CACHE_HOME, "yarn");
+          return path7.join(process.env.XDG_CACHE_HOME, "yarn");
         } else if (process.platform === "darwin") {
-          return path6.join(userHome, "Library", "Caches", "Yarn");
+          return path7.join(userHome, "Library", "Caches", "Yarn");
         } else {
           return FALLBACK_CACHE_DIR;
         }
@@ -12079,15 +12079,15 @@ ${indent}`);
       function getConfigDir() {
         if (process.platform === "win32") {
           const WIN32_APPDATA_DIR = getLocalAppDataDir();
-          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path6.join(WIN32_APPDATA_DIR, "Config");
+          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path7.join(WIN32_APPDATA_DIR, "Config");
         } else if (process.env.XDG_CONFIG_HOME) {
-          return path6.join(process.env.XDG_CONFIG_HOME, "yarn");
+          return path7.join(process.env.XDG_CONFIG_HOME, "yarn");
         } else {
           return FALLBACK_CONFIG_DIR;
         }
       }
       function getLocalAppDataDir() {
-        return process.env.LOCALAPPDATA ? path6.join(process.env.LOCALAPPDATA, "Yarn") : null;
+        return process.env.LOCALAPPDATA ? path7.join(process.env.LOCALAPPDATA, "Yarn") : null;
       }
     },
     ,
@@ -13683,7 +13683,7 @@ ${indent}`);
       var Minimatch = minimatch.Minimatch;
       var Glob = __webpack_require__(75).Glob;
       var util = __webpack_require__(2);
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var assert = __webpack_require__(22);
       var isAbsolute = __webpack_require__(76);
       var common = __webpack_require__(115);
@@ -13813,7 +13813,7 @@ ${indent}`);
                 e = prefix + e;
             }
             if (e.charAt(0) === "/" && !this.nomount) {
-              e = path6.join(this.root, e);
+              e = path7.join(this.root, e);
             }
             this._emitMatch(index, e);
           }
@@ -13962,9 +13962,9 @@ ${indent}`);
         if (prefix && isAbsolute(prefix) && !this.nomount) {
           var trail = /[\/\\]$/.test(prefix);
           if (prefix.charAt(0) === "/") {
-            prefix = path6.join(this.root, prefix);
+            prefix = path7.join(this.root, prefix);
           } else {
-            prefix = path6.resolve(this.root, prefix);
+            prefix = path7.resolve(this.root, prefix);
             if (trail)
               prefix += "/";
           }
@@ -14210,7 +14210,7 @@ ${indent}`);
       module2.exports = rimraf;
       rimraf.sync = rimrafSync;
       var assert = __webpack_require__(22);
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var fs = __webpack_require__(3);
       var glob = __webpack_require__(75);
       var _0666 = parseInt("666", 8);
@@ -14395,7 +14395,7 @@ ${indent}`);
             return options.rmdir(p, cb);
           var errState;
           files.forEach(function(f) {
-            rimraf(path6.join(p, f), options, function(er2) {
+            rimraf(path7.join(p, f), options, function(er2) {
               if (errState)
                 return;
               if (er2)
@@ -14472,7 +14472,7 @@ ${indent}`);
         assert(p);
         assert(options);
         options.readdirSync(p).forEach(function(f) {
-          rimrafSync(path6.join(p, f), options);
+          rimrafSync(path7.join(p, f), options);
         });
         var retries = isWindows ? 100 : 1;
         var i = 0;
@@ -14559,7 +14559,7 @@ ${indent}`);
 
 // src/cli/main.ts
 import { realpathSync as realpathSync2 } from "node:fs";
-import path13 from "node:path";
+import path14 from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 
 // src/shared/errors.ts
@@ -15175,7 +15175,7 @@ function parseDiffArgs(argv) {
 }
 
 // src/cli/version.ts
-var OHRISK_VERSION = "0.127.1";
+var OHRISK_VERSION = "0.129.0";
 
 // src/diff/compare.ts
 function diffRiskFindings(input) {
@@ -15202,6 +15202,7 @@ import {
   closeSync as closeSync2,
   existsSync as existsSync2,
   openSync as openSync2,
+  readdirSync as readdirSync2,
   readSync as readSync2,
   realpathSync,
   statSync as statSync3
@@ -15677,6 +15678,295 @@ function isZeroBlock(buffer) {
   return buffer.every((byte) => byte === 0);
 }
 
+// src/evidence/zip-package.ts
+import { inflateRawSync } from "node:zlib";
+var ZIP_EOCD_SIGNATURE = 101010256;
+var ZIP_CENTRAL_DIRECTORY_SIGNATURE = 33639248;
+var ZIP_LOCAL_FILE_SIGNATURE = 67324752;
+var ZIP64_SENTINEL = 4294967295;
+var ZIP_EOCD_MIN_BYTES = 22;
+var ZIP_MAX_COMMENT_BYTES = 65535;
+var PACKAGE_ZIP_MAX_ENTRIES = 50000;
+var PACKAGE_ZIP_ENTRY_MAX_BYTES = 2 * 1024 * 1024;
+function collectZipPackageEvidence(input) {
+  const zip = Buffer.isBuffer(input.zip) ? input.zip : Buffer.from(input.zip);
+  const entryMaxBytes = input.entryMaxBytes ?? PACKAGE_ZIP_ENTRY_MAX_BYTES;
+  try {
+    const entries = parseZipEntries({
+      packageId: input.packageId,
+      zip,
+      maxEntries: input.maxEntries ?? PACKAGE_ZIP_MAX_ENTRIES
+    });
+    for (const packageJsonEntry of packageJsonEntries(entries)) {
+      const packageJson = readPackageJsonEntry({
+        packageId: input.packageId,
+        zip,
+        entry: packageJsonEntry,
+        maxBytes: entryMaxBytes
+      });
+      if (!packageJson.ok) {
+        return err(packageJson.error);
+      }
+      if (packageJson.value.packageJson.name !== input.packageName || packageJson.value.packageJson.version !== input.packageVersion) {
+        continue;
+      }
+      const files = collectZipEvidenceFiles({
+        packageId: input.packageId,
+        zip,
+        entries,
+        packageRoot: packageJson.value.packageRoot,
+        maxBytes: entryMaxBytes
+      });
+      if (!files.ok) {
+        return err(files.error);
+      }
+      const warnings = files.value.length === 0 ? ["No LICENSE, LICENCE, UNLICENSE, COPYING, or NOTICE file found."] : [];
+      return ok({
+        packageId: input.packageId,
+        ...readLicenseFields3(packageJson.value.packageJson),
+        files: files.value,
+        source: "local",
+        warnings
+      });
+    }
+    return ok(undefined);
+  } catch (cause) {
+    return err(createError({
+      code: "PACKAGE_EVIDENCE_READ_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse package zip cache evidence.",
+      details: {
+        packageId: input.packageId,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function parseZipEntries(input) {
+  const endOfCentralDirectoryOffset = findEndOfCentralDirectory(input.zip);
+  if (endOfCentralDirectoryOffset === undefined) {
+    throw new Error("ZIP end of central directory record was not found.");
+  }
+  const diskNumber = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 4);
+  const centralDirectoryDisk = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 6);
+  const entriesOnDisk = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 8);
+  const totalEntries = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 10);
+  const centralDirectorySize = input.zip.readUInt32LE(endOfCentralDirectoryOffset + 12);
+  const centralDirectoryOffset = input.zip.readUInt32LE(endOfCentralDirectoryOffset + 16);
+  if (diskNumber !== 0 || centralDirectoryDisk !== 0 || entriesOnDisk !== totalEntries) {
+    throw new Error("Multi-disk ZIP archives are not supported.");
+  }
+  if (totalEntries === ZIP64_SENTINEL || centralDirectorySize === ZIP64_SENTINEL || centralDirectoryOffset === ZIP64_SENTINEL) {
+    throw new Error("ZIP64 package cache archives are not supported.");
+  }
+  if (totalEntries > input.maxEntries) {
+    throw new Error(`Package ZIP exceeded the maximum entry count (${input.maxEntries}).`);
+  }
+  const centralDirectoryEnd = centralDirectoryOffset + centralDirectorySize;
+  if (centralDirectoryOffset < 0 || centralDirectorySize < 0 || centralDirectoryEnd > input.zip.length) {
+    throw new Error("ZIP central directory extends beyond archive data.");
+  }
+  const entries = [];
+  let offset = centralDirectoryOffset;
+  while (offset < centralDirectoryEnd) {
+    if (offset + 46 > input.zip.length) {
+      throw new Error("ZIP central directory entry is truncated.");
+    }
+    const signature = input.zip.readUInt32LE(offset);
+    if (signature !== ZIP_CENTRAL_DIRECTORY_SIGNATURE) {
+      throw new Error("ZIP central directory entry has an invalid signature.");
+    }
+    const flags = input.zip.readUInt16LE(offset + 8);
+    const compressionMethod = input.zip.readUInt16LE(offset + 10);
+    const compressedSize = input.zip.readUInt32LE(offset + 20);
+    const uncompressedSize = input.zip.readUInt32LE(offset + 24);
+    const fileNameLength = input.zip.readUInt16LE(offset + 28);
+    const extraLength = input.zip.readUInt16LE(offset + 30);
+    const commentLength = input.zip.readUInt16LE(offset + 32);
+    const localHeaderOffset = input.zip.readUInt32LE(offset + 42);
+    const entryEnd = offset + 46 + fileNameLength + extraLength + commentLength;
+    if (entryEnd > centralDirectoryEnd || entryEnd > input.zip.length) {
+      throw new Error("ZIP central directory entry metadata is truncated.");
+    }
+    if ((flags & 1) !== 0) {
+      throw new Error("Encrypted ZIP entries are not supported.");
+    }
+    if (compressedSize === ZIP64_SENTINEL || uncompressedSize === ZIP64_SENTINEL || localHeaderOffset === ZIP64_SENTINEL) {
+      throw new Error("ZIP64 package cache entries are not supported.");
+    }
+    const rawPath = input.zip.subarray(offset + 46, offset + 46 + fileNameLength).toString("utf8");
+    const normalizedPath = normalizeZipPath(rawPath);
+    if (normalizedPath && !normalizedPath.endsWith("/")) {
+      entries.push({
+        path: normalizedPath,
+        compressionMethod,
+        compressedSize,
+        uncompressedSize,
+        localHeaderOffset
+      });
+    }
+    offset = entryEnd;
+  }
+  return entries.sort((left, right) => left.path.localeCompare(right.path));
+}
+function findEndOfCentralDirectory(zip) {
+  if (zip.length < ZIP_EOCD_MIN_BYTES) {
+    return;
+  }
+  const minOffset = Math.max(0, zip.length - ZIP_EOCD_MIN_BYTES - ZIP_MAX_COMMENT_BYTES);
+  for (let offset = zip.length - ZIP_EOCD_MIN_BYTES;offset >= minOffset; offset -= 1) {
+    if (zip.readUInt32LE(offset) !== ZIP_EOCD_SIGNATURE) {
+      continue;
+    }
+    const commentLength = zip.readUInt16LE(offset + 20);
+    if (offset + ZIP_EOCD_MIN_BYTES + commentLength === zip.length) {
+      return offset;
+    }
+  }
+  return;
+}
+function packageJsonEntries(entries) {
+  return entries.filter((entry) => entry.path === "package.json" || entry.path.endsWith("/package.json"));
+}
+function readPackageJsonEntry(input) {
+  if (input.entry.uncompressedSize > input.maxBytes) {
+    return err(createError({
+      code: "PACKAGE_EVIDENCE_READ_FAILED",
+      category: "unsupported_input",
+      message: "Package zip cache package.json exceeded the maximum supported size.",
+      details: {
+        packageId: input.packageId,
+        packageJsonPath: input.entry.path,
+        maxBytes: input.maxBytes,
+        observedBytes: input.entry.uncompressedSize
+      }
+    }));
+  }
+  const packageJsonData = readZipEntryData({
+    zip: input.zip,
+    entry: input.entry,
+    maxBytes: input.maxBytes
+  });
+  try {
+    const packageJson = JSON.parse(packageJsonData.toString("utf8"));
+    if (!isObjectRecord3(packageJson)) {
+      throw new Error("Expected package.json to contain an object.");
+    }
+    return ok({
+      packageJson,
+      packageRoot: packageRootForPackageJsonPath(input.entry.path)
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "PACKAGE_JSON_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse package.json from package zip cache.",
+      details: {
+        packageId: input.packageId,
+        packageJsonPath: input.entry.path,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function collectZipEvidenceFiles(input) {
+  const files = [];
+  for (const entry of input.entries) {
+    const normalizedPath = normalizePackagePath2(entry.path, input.packageRoot);
+    if (!isRootPackageFile2(normalizedPath)) {
+      continue;
+    }
+    const kind = classifyEvidenceFile(normalizedPath);
+    if (!kind) {
+      continue;
+    }
+    if (entry.uncompressedSize > input.maxBytes) {
+      continue;
+    }
+    files.push({
+      path: normalizedPath,
+      kind,
+      text: readZipEntryData({
+        zip: input.zip,
+        entry,
+        maxBytes: input.maxBytes
+      }).toString("utf8")
+    });
+  }
+  return ok(files.sort((left, right) => left.path.localeCompare(right.path)));
+}
+function readZipEntryData(input) {
+  if (input.entry.uncompressedSize > input.maxBytes) {
+    throw new Error(`ZIP entry ${input.entry.path} exceeded the maximum supported size.`);
+  }
+  if (input.entry.localHeaderOffset + 30 > input.zip.length) {
+    throw new Error(`ZIP local file header for ${input.entry.path} is truncated.`);
+  }
+  const localSignature = input.zip.readUInt32LE(input.entry.localHeaderOffset);
+  if (localSignature !== ZIP_LOCAL_FILE_SIGNATURE) {
+    throw new Error(`ZIP local file header for ${input.entry.path} has an invalid signature.`);
+  }
+  const fileNameLength = input.zip.readUInt16LE(input.entry.localHeaderOffset + 26);
+  const extraLength = input.zip.readUInt16LE(input.entry.localHeaderOffset + 28);
+  const dataStart = input.entry.localHeaderOffset + 30 + fileNameLength + extraLength;
+  const dataEnd = dataStart + input.entry.compressedSize;
+  if (dataEnd > input.zip.length || dataEnd < dataStart) {
+    throw new Error(`ZIP entry ${input.entry.path} extends beyond archive data.`);
+  }
+  const compressedData = input.zip.subarray(dataStart, dataEnd);
+  if (input.entry.compressionMethod === 0) {
+    if (compressedData.length !== input.entry.uncompressedSize) {
+      throw new Error(`Stored ZIP entry ${input.entry.path} size did not match metadata.`);
+    }
+    return compressedData;
+  }
+  if (input.entry.compressionMethod === 8) {
+    const inflated = inflateRawSync(compressedData, {
+      maxOutputLength: input.entry.uncompressedSize
+    });
+    if (inflated.length !== input.entry.uncompressedSize) {
+      throw new Error(`Deflated ZIP entry ${input.entry.path} size did not match metadata.`);
+    }
+    return inflated;
+  }
+  throw new Error(`ZIP entry ${input.entry.path} uses unsupported compression method ${input.entry.compressionMethod}.`);
+}
+function packageRootForPackageJsonPath(packageJsonPath) {
+  return packageJsonPath === "package.json" ? "" : packageJsonPath.slice(0, -"/package.json".length);
+}
+function normalizePackagePath2(filePath, packageRoot) {
+  if (packageRoot === "") {
+    return filePath;
+  }
+  return filePath.startsWith(`${packageRoot}/`) ? filePath.slice(packageRoot.length + 1) : "";
+}
+function isRootPackageFile2(normalizedPath) {
+  return normalizedPath.length > 0 && !normalizedPath.includes("/");
+}
+function normalizeZipPath(filePath) {
+  if (filePath === "" || filePath.includes("\x00") || filePath.includes("\\") || filePath.startsWith("/") || /^[A-Za-z]:/.test(filePath)) {
+    return;
+  }
+  const segments = filePath.split("/");
+  if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
+    return;
+  }
+  return segments.join("/");
+}
+function readLicenseFields3(packageJson) {
+  const license = packageJson.license;
+  const licenses = packageJson.licenses;
+  const legacyLicenseObject = isObjectRecord3(license) ? license : undefined;
+  return {
+    ...typeof license === "string" ? { packageJsonLicense: license } : {},
+    ...legacyLicenseObject !== undefined ? { packageJsonLicenses: legacyLicenseObject } : {},
+    ...licenses !== undefined ? { packageJsonLicenses: licenses } : {}
+  };
+}
+function isObjectRecord3(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
 // src/evidence/collect.ts
 var ARTIFACT_FETCH_TIMEOUT_MS = 30000;
 var REGISTRY_METADATA_MAX_BYTES = 10 * 1024 * 1024;
@@ -15745,6 +16035,17 @@ async function collectNodeEvidence(input) {
       packageDir: nodeModulesPath
     });
   }
+  const yarnCacheEvidence = collectYarnCachePackageEvidence({
+    node: input.node,
+    projectRoot: input.projectRoot,
+    zipMaxBytes: input.tarballMaxBytes
+  });
+  if (!yarnCacheEvidence.ok) {
+    return err(yarnCacheEvidence.error);
+  }
+  if (yarnCacheEvidence.value) {
+    return ok(yarnCacheEvidence.value);
+  }
   if (!input.node.resolved) {
     return collectRegistryTarballEvidence({
       node: input.node,
@@ -16183,6 +16484,81 @@ function installedPackageMatchesNode(input) {
     return false;
   }
 }
+function collectYarnCachePackageEvidence(input) {
+  const cacheDir = path2.join(input.projectRoot, ".yarn", "cache");
+  if (!existsSync2(cacheDir) || !isReadableDirectory(cacheDir)) {
+    return ok(undefined);
+  }
+  const filenamePrefix = yarnCacheFilenamePrefix(input.node);
+  if (!filenamePrefix) {
+    return ok(undefined);
+  }
+  let entries;
+  try {
+    entries = readdirSync2(cacheDir, { withFileTypes: true }).filter((entry) => entry.isFile() && entry.name.startsWith(filenamePrefix) && entry.name.endsWith(".zip")).sort((left, right) => left.name.localeCompare(right.name));
+  } catch (cause) {
+    return err(createError({
+      code: "PACKAGE_EVIDENCE_READ_FAILED",
+      category: "filesystem",
+      message: "Failed to read Yarn package cache directory.",
+      details: {
+        packageId: input.node.id,
+        cacheDir,
+        cause: safeUrlForErrorDetails(cause instanceof Error ? cause.message : String(cause))
+      }
+    }));
+  }
+  for (const entry of entries) {
+    const cachePath = path2.join(cacheDir, entry.name);
+    const stats = readLocalArtifactStats({
+      filePath: cachePath,
+      packageId: input.node.id,
+      resolved: undefined
+    });
+    if (!stats.ok) {
+      return err(stats.error);
+    }
+    if (stats.value.size > input.zipMaxBytes) {
+      return err(localArtifactTooLargeError({
+        packageId: input.node.id,
+        resolved: undefined,
+        artifactPath: cachePath,
+        maxBytes: input.zipMaxBytes,
+        observedBytes: stats.value.size
+      }));
+    }
+    const zip = readLocalArtifactFileWithLimit({
+      filePath: cachePath,
+      packageId: input.node.id,
+      resolved: undefined,
+      maxBytes: input.zipMaxBytes
+    });
+    if (!zip.ok) {
+      return err(zip.error);
+    }
+    const evidence = collectZipPackageEvidence({
+      packageId: input.node.id,
+      packageName: input.node.name,
+      packageVersion: input.node.version,
+      zip: zip.value
+    });
+    if (!evidence.ok) {
+      return err(evidence.error);
+    }
+    if (evidence.value) {
+      return ok(evidence.value);
+    }
+  }
+  return ok(undefined);
+}
+function yarnCacheFilenamePrefix(node) {
+  const slug = yarnCachePackageSlug(node.name);
+  return slug ? `${slug}-npm-${node.version}-` : undefined;
+}
+function yarnCachePackageSlug(packageName) {
+  const segments = nodeModulesPackageSegments(packageName);
+  return segments ? segments.join("-") : undefined;
+}
 async function collectRemoteTarballEvidence(input) {
   const urlError = input.urlError ?? {
     code: "TARBALL_FETCH_FAILED",
@@ -17219,7 +17595,7 @@ function readFailedError(input) {
   });
 }
 function readProcessErrorText(cause) {
-  if (isObjectRecord3(cause)) {
+  if (isObjectRecord4(cause)) {
     const stderr = cause.stderr;
     if (typeof stderr === "string" && stderr.trim() !== "") {
       return stderr.trim();
@@ -17248,7 +17624,7 @@ function toGitObjectPath(input) {
 function isOutsideRelativePath(relativePath) {
   return relativePath === ".." || relativePath.startsWith(`..${path3.sep}`) || path3.isAbsolute(relativePath);
 }
-function isObjectRecord3(value) {
+function isObjectRecord4(value) {
   return typeof value === "object" && value !== null;
 }
 
@@ -17266,6 +17642,17 @@ function resolveNpmDependencyReference(requestedName, range) {
       aliased: alias.name !== requestedName
     };
   }
+  if (range.startsWith("npm:")) {
+    const bareRange = range.slice("npm:".length);
+    if (bareRange !== "") {
+      return {
+        requestedName,
+        lookupName: requestedName,
+        lookupRange: bareRange,
+        aliased: false
+      };
+    }
+  }
   return {
     requestedName,
     lookupName: requestedName,
@@ -17383,7 +17770,7 @@ function parseDenoLockText(input, lockfilePath = "deno.lock") {
 function parseLockfileJson(input, lockfilePath) {
   try {
     const parsed = JSON.parse(input);
-    if (!isObjectRecord4(parsed)) {
+    if (!isObjectRecord5(parsed)) {
       return denoParseFailed(lockfilePath, "deno.lock root must be a JSON object.");
     }
     return ok(parsed);
@@ -17411,18 +17798,18 @@ function denoParseFailed(lockfilePath, cause) {
   }));
 }
 function readNpmPackageMap(lockfile) {
-  if (isObjectRecord4(lockfile.npm)) {
+  if (isObjectRecord5(lockfile.npm)) {
     return lockfile.npm;
   }
-  const packages = isObjectRecord4(lockfile.packages) ? lockfile.packages : undefined;
-  return isObjectRecord4(packages?.npm) ? packages.npm : {};
+  const packages = isObjectRecord5(lockfile.packages) ? lockfile.packages : undefined;
+  return isObjectRecord5(packages?.npm) ? packages.npm : {};
 }
 function readSpecifierMap(lockfile) {
-  if (isObjectRecord4(lockfile.specifiers)) {
+  if (isObjectRecord5(lockfile.specifiers)) {
     return readStringMap(lockfile.specifiers);
   }
-  const packages = isObjectRecord4(lockfile.packages) ? lockfile.packages : undefined;
-  return isObjectRecord4(packages?.specifiers) ? readStringMap(packages.specifiers) : {};
+  const packages = isObjectRecord5(lockfile.packages) ? lockfile.packages : undefined;
+  return isObjectRecord5(packages?.specifiers) ? readStringMap(packages.specifiers) : {};
 }
 function collectRootDependencies(lockfile, specifiers) {
   const workspaceDependencies = readWorkspaceDependencies(lockfile).filter((specifier) => specifier.startsWith("npm:"));
@@ -17442,7 +17829,7 @@ function collectRootDependencies(lockfile, specifiers) {
   return edges;
 }
 function readWorkspaceDependencies(lockfile) {
-  const workspace = isObjectRecord4(lockfile.workspace) ? lockfile.workspace : isObjectRecord4(lockfile.packages) && isObjectRecord4(lockfile.packages.workspace) ? lockfile.packages.workspace : undefined;
+  const workspace = isObjectRecord5(lockfile.workspace) ? lockfile.workspace : isObjectRecord5(lockfile.packages) && isObjectRecord5(lockfile.packages.workspace) ? lockfile.packages.workspace : undefined;
   if (!workspace || !Array.isArray(workspace.dependencies)) {
     return [];
   }
@@ -17452,7 +17839,7 @@ function parseNpmRecords(packages) {
   const records = [];
   for (const [key, rawPackage] of Object.entries(packages)) {
     const packageKey = parseDenoNpmPackageKey(key);
-    if (!packageKey || !isObjectRecord4(rawPackage)) {
+    if (!packageKey || !isObjectRecord5(rawPackage)) {
       continue;
     }
     const pkg = rawPackage;
@@ -17499,7 +17886,7 @@ function readDependencyEdges(value, type) {
       return parsed ? [{ name: parsed.name, range: parsed.version, type }] : [];
     });
   }
-  if (!isObjectRecord4(value)) {
+  if (!isObjectRecord5(value)) {
     return [];
   }
   const edges = [];
@@ -17752,7 +18139,7 @@ function rootNameForLockfile(lockfilePath) {
 function isGitRefSyntheticPath(lockfilePath) {
   return lockfilePath.includes(":") && !/^[A-Za-z]:[\\/]/.test(lockfilePath);
 }
-function isObjectRecord4(value) {
+function isObjectRecord5(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
@@ -17875,7 +18262,7 @@ function readPackageTupleFields(input) {
     const resolved2 = registryOrMetadata !== "" ? registryOrMetadata : undefined;
     const parsedIntegrity2 = typeof integrity === "string" && integrity !== "" ? integrity : undefined;
     return {
-      metadata: isObjectRecord5(metadataOrIntegrity) ? metadataOrIntegrity : {},
+      metadata: isObjectRecord6(metadataOrIntegrity) ? metadataOrIntegrity : {},
       ...resolved2 ? { resolved: resolved2 } : {},
       ...parsedIntegrity2 ? { integrity: parsedIntegrity2 } : {}
     };
@@ -17883,7 +18270,7 @@ function readPackageTupleFields(input) {
   const resolved = isLocalArtifactReference(input.identity.version) ? input.identity.version : undefined;
   const parsedIntegrity = typeof metadataOrIntegrity === "string" && metadataOrIntegrity !== "" ? metadataOrIntegrity : undefined;
   return {
-    metadata: isObjectRecord5(registryOrMetadata) ? registryOrMetadata : {},
+    metadata: isObjectRecord6(registryOrMetadata) ? registryOrMetadata : {},
     ...resolved ? { resolved } : {},
     ...parsedIntegrity ? { integrity: parsedIntegrity } : {}
   };
@@ -17912,10 +18299,10 @@ function readWorkspaceEntries(workspaces) {
   if (!workspaces) {
     return [];
   }
-  const rootWorkspace = isObjectRecord5(workspaces[""]) ? workspaces[""] : undefined;
+  const rootWorkspace = isObjectRecord6(workspaces[""]) ? workspaces[""] : undefined;
   const rootName = readWorkspaceName(rootWorkspace);
   return Object.entries(workspaces).flatMap(([key, workspace]) => {
-    if (!isObjectRecord5(workspace)) {
+    if (!isObjectRecord6(workspace)) {
       return [];
     }
     return [{
@@ -17971,7 +18358,7 @@ function dependencyEntries(value, type) {
   }));
 }
 function readDependencyMap(value) {
-  if (!isObjectRecord5(value)) {
+  if (!isObjectRecord6(value)) {
     return {};
   }
   const dependencies = {};
@@ -18069,7 +18456,7 @@ function dependencyTypeRank2(type) {
       return 0;
   }
 }
-function isObjectRecord5(value) {
+function isObjectRecord6(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
@@ -18100,14 +18487,14 @@ function parsePackageLockText(input, lockfilePath = "package-lock.json") {
     return parsed;
   }
   const lockfile = parsed.value;
-  if (!isObjectRecord6(lockfile.packages) && isObjectRecord6(lockfile.dependencies)) {
+  if (!isObjectRecord7(lockfile.packages) && isObjectRecord7(lockfile.dependencies)) {
     return parsePackageLockV1({
       lockfile,
       lockfilePath,
       dependencies: lockfile.dependencies
     });
   }
-  if (!isObjectRecord6(lockfile.packages)) {
+  if (!isObjectRecord7(lockfile.packages)) {
     return err(createError({
       code: "PACKAGE_LOCK_PARSE_FAILED",
       category: "unsupported_input",
@@ -18457,13 +18844,13 @@ function dependencyTypeRank3(type) {
   }
 }
 function readPackage(value) {
-  return isObjectRecord6(value) ? value : undefined;
+  return isObjectRecord7(value) ? value : undefined;
 }
 function readV1Dependency(value) {
-  return isObjectRecord6(value) ? value : undefined;
+  return isObjectRecord7(value) ? value : undefined;
 }
 function readV1DependencyMap(value) {
-  if (!isObjectRecord6(value)) {
+  if (!isObjectRecord7(value)) {
     return {};
   }
   const dependencies = {};
@@ -18485,7 +18872,7 @@ function dependencyTypeForV1Dependency(dependency) {
   return "production";
 }
 function readDependencyMap2(value) {
-  if (!isObjectRecord6(value)) {
+  if (!isObjectRecord7(value)) {
     return {};
   }
   const dependencies = {};
@@ -18496,10 +18883,14 @@ function readDependencyMap2(value) {
   }
   return dependencies;
 }
-function isObjectRecord6(value) {
+function isObjectRecord7(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
+// src/graph/npm-pnpm-lock.ts
+import { existsSync as existsSync3 } from "node:fs";
+import path6 from "node:path";
+
 // node_modules/.bun/yaml@2.9.0/node_modules/yaml/dist/index.js
 var composer = require_composer();
 var Document = require_Document();
@@ -18563,13 +18954,30 @@ function parsePnpmLockfile(lockfilePath, options = {}) {
       }
     }));
   }
-  return parsePnpmLockText(lockfileText.value, lockfilePath);
+  const workspaceCatalogs = readPnpmWorkspaceCatalogs({
+    lockfilePath,
+    maxBytes: options.workspaceMaxBytes ?? LOCKFILE_MAX_BYTES
+  });
+  if (!workspaceCatalogs.ok) {
+    return workspaceCatalogs;
+  }
+  return parsePnpmLockText(lockfileText.value, lockfilePath, {
+    catalogs: workspaceCatalogs.value
+  });
 }
-function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml") {
+function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml", options = {}) {
   const parsed = parseLockfileYaml(input, lockfilePath);
   if (!parsed.ok) {
     return parsed;
   }
+  const catalogs = resolvePnpmCatalogs({
+    workspaceText: options.workspaceText,
+    workspacePath: options.workspacePath,
+    catalogs: options.catalogs
+  });
+  if (!catalogs.ok) {
+    return catalogs;
+  }
   const lockfile = parsed.value;
   const importers = readRecord(lockfile.importers);
   if (!importers) {
@@ -18583,14 +18991,18 @@ function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml") {
       }
     }));
   }
-  const importerEntries = readImporterEntries(importers);
+  const importerEntries = readImporterEntries(importers, catalogs.value);
   const packages = readRecord(lockfile.packages) ?? {};
   const snapshots = readRecord(lockfile.snapshots) ?? {};
-  const records = parsePackageRecords3({ packages, snapshots });
+  const records = parsePackageRecords3({
+    packages,
+    snapshots,
+    catalogs: catalogs.value
+  });
   const packageIndex = indexPackagesByName2(records);
   const nodeMap = new Map;
   for (const importerEntry of importerEntries) {
-    for (const rootDependency of collectRootDependencies4(importerEntry.importer)) {
+    for (const rootDependency of collectRootDependencies4(importerEntry.importer, catalogs.value)) {
       const record = resolvePackageRecord3({
         packageIndex,
         name: rootDependency.name,
@@ -18619,7 +19031,7 @@ function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml") {
 function parseLockfileYaml(input, lockfilePath) {
   try {
     const parsed = $parse(input);
-    if (!isObjectRecord7(parsed)) {
+    if (!isObjectRecord8(parsed)) {
       throw new Error("Expected a YAML mapping at the document root.");
     }
     return ok(parsed);
@@ -18635,14 +19047,100 @@ function parseLockfileYaml(input, lockfilePath) {
     }));
   }
 }
-function readImporterEntries(importers) {
+function readPnpmWorkspaceCatalogs(input) {
+  const workspacePath = path6.join(path6.dirname(input.lockfilePath), "pnpm-workspace.yaml");
+  if (!existsSync3(workspacePath)) {
+    return ok(emptyPnpmCatalogs());
+  }
+  const workspaceText = readInputTextFile({
+    filePath: workspacePath,
+    maxBytes: input.maxBytes
+  });
+  if (!workspaceText.ok) {
+    return err(createError({
+      code: "PNPM_WORKSPACE_READ_FAILED",
+      category: inputFileReadErrorCategory(workspaceText.error),
+      message: workspaceText.error.kind === "too_large" ? "pnpm-workspace.yaml exceeded the maximum supported size." : "Failed to read pnpm-workspace.yaml.",
+      details: {
+        workspacePath,
+        ...inputFileReadErrorDetails(workspaceText.error)
+      }
+    }));
+  }
+  return parsePnpmWorkspaceCatalogsText(workspaceText.value, workspacePath);
+}
+function resolvePnpmCatalogs(input) {
+  if (input.catalogs) {
+    return ok(input.catalogs);
+  }
+  if (input.workspaceText !== undefined) {
+    return parsePnpmWorkspaceCatalogsText(input.workspaceText, input.workspacePath ?? "pnpm-workspace.yaml");
+  }
+  return ok(emptyPnpmCatalogs());
+}
+function parsePnpmWorkspaceCatalogsText(input, workspacePath) {
+  try {
+    const parsed = $parse(input);
+    if (parsed === null || parsed === undefined) {
+      return ok(emptyPnpmCatalogs());
+    }
+    if (!isObjectRecord8(parsed)) {
+      throw new Error("Expected a YAML mapping at the document root.");
+    }
+    const workspace = parsed;
+    const namedCatalogs = new Map;
+    const catalogs = readRecord(workspace.catalogs);
+    if (catalogs) {
+      for (const [name, value] of Object.entries(catalogs)) {
+        const catalog = readCatalogMap(value);
+        if (catalog) {
+          namedCatalogs.set(name, catalog);
+        }
+      }
+    }
+    return ok({
+      defaultCatalog: readCatalogMap(workspace.catalog) ?? {},
+      namedCatalogs
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "PNPM_WORKSPACE_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse pnpm-workspace.yaml catalog definitions.",
+      details: {
+        workspacePath,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function emptyPnpmCatalogs() {
+  return {
+    defaultCatalog: {},
+    namedCatalogs: new Map
+  };
+}
+function readCatalogMap(value) {
+  const record = readRecord(value);
+  if (!record) {
+    return;
+  }
+  const catalog = {};
+  for (const [name, range] of Object.entries(record)) {
+    if (typeof range === "string" && range !== "") {
+      catalog[name] = range;
+    }
+  }
+  return catalog;
+}
+function readImporterEntries(importers, catalogs) {
   return Object.entries(importers).flatMap(([key, value]) => {
     const importer = readRecord(value);
     if (!importer) {
       return [];
     }
     return [{
-      importer,
+      importer: resolveImporterCatalogReferences(importer, catalogs),
       pathSegment: importerPathSegment(key)
     }];
   });
@@ -18670,7 +19168,7 @@ function parsePackageRecords3(input) {
       id: `${identity2.name}@${identity2.version}`,
       ...resolved ? { resolved } : {},
       ...integrity ? { integrity } : {},
-      dependencies: collectDependencyEdges3(packageEntry, snapshotEntry)
+      dependencies: collectDependencyEdges3(input.catalogs, packageEntry, snapshotEntry)
     });
   }
   return records;
@@ -18714,24 +19212,92 @@ function readResolvedArtifact(resolution) {
   }
   return;
 }
-function collectRootDependencies4(importer) {
+function resolveImporterCatalogReferences(importer, catalogs) {
+  return {
+    ...importer,
+    dependencies: resolveDependencyCatalogReferences(importer.dependencies, catalogs),
+    devDependencies: resolveDependencyCatalogReferences(importer.devDependencies, catalogs),
+    optionalDependencies: resolveDependencyCatalogReferences(importer.optionalDependencies, catalogs),
+    peerDependencies: resolveDependencyCatalogReferences(importer.peerDependencies, catalogs)
+  };
+}
+function resolveDependencyCatalogReferences(value, catalogs) {
+  const dependencies = readRecord(value);
+  if (!dependencies) {
+    return value;
+  }
+  const resolved = {};
+  for (const [name, rawDependency] of Object.entries(dependencies)) {
+    if (typeof rawDependency === "string") {
+      resolved[name] = resolveCatalogRange({
+        name,
+        range: rawDependency,
+        catalogs
+      });
+      continue;
+    }
+    const dependency = readRecord(rawDependency);
+    if (!dependency) {
+      resolved[name] = rawDependency;
+      continue;
+    }
+    const version = typeof dependency.version === "string" ? resolveCatalogRange({
+      name,
+      range: dependency.version,
+      catalogs
+    }) : dependency.version;
+    const specifier = typeof dependency.specifier === "string" ? resolveCatalogRange({
+      name,
+      range: dependency.specifier,
+      catalogs
+    }) : dependency.specifier;
+    resolved[name] = {
+      ...dependency,
+      ...version !== undefined ? { version } : {},
+      ...specifier !== undefined ? { specifier } : {}
+    };
+  }
+  return resolved;
+}
+function resolveCatalogRange(input) {
+  const catalogName = parseCatalogReference(input.range);
+  if (catalogName === undefined) {
+    return input.range;
+  }
+  const catalog = catalogName === "" ? input.catalogs.defaultCatalog : input.catalogs.namedCatalogs.get(catalogName);
+  return catalog?.[input.name] ?? input.range;
+}
+function parseCatalogReference(value) {
+  if (value === "catalog:") {
+    return "";
+  }
+  if (!value.startsWith("catalog:")) {
+    return;
+  }
+  return value.slice("catalog:".length);
+}
+function collectRootDependencies4(importer, catalogs) {
   if (!importer) {
     return [];
   }
-  return collectDependencyEdges3(importer);
+  return collectDependencyEdges3(catalogs, importer);
 }
-function collectDependencyEdges3(...sources) {
+function collectDependencyEdges3(catalogs, ...sources) {
   return sources.flatMap((source) => [
-    ...dependencyEntries3(source.dependencies, "production"),
-    ...dependencyEntries3(source.devDependencies, "development"),
-    ...dependencyEntries3(source.optionalDependencies, "optional"),
-    ...dependencyEntries3(source.peerDependencies, "peer")
+    ...dependencyEntries3(source.dependencies, "production", catalogs),
+    ...dependencyEntries3(source.devDependencies, "development", catalogs),
+    ...dependencyEntries3(source.optionalDependencies, "optional", catalogs),
+    ...dependencyEntries3(source.peerDependencies, "peer", catalogs)
   ]);
 }
-function dependencyEntries3(value, type) {
+function dependencyEntries3(value, type, catalogs) {
   return Object.entries(readImporterDependencyMap(value)).map(([name, range]) => ({
     name,
-    range,
+    range: resolveCatalogRange({
+      name,
+      range,
+      catalogs
+    }),
     type
   }));
 }
@@ -18862,18 +19428,18 @@ function dependencyTypeRank4(type) {
   }
 }
 function readRecord(value) {
-  return isObjectRecord7(value) ? value : undefined;
+  return isObjectRecord8(value) ? value : undefined;
 }
-function isObjectRecord7(value) {
+function isObjectRecord8(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
 // src/graph/npm-yarn-lock.ts
 var yarnLockfileModule = __toESM(require_lockfile(), 1);
-import { existsSync as existsSync3, readdirSync as readdirSync2, statSync as statSync4 } from "node:fs";
-import path6 from "node:path";
+import { existsSync as existsSync4, readdirSync as readdirSync3, statSync as statSync4 } from "node:fs";
+import path7 from "node:path";
 var yarnLockfile = yarnLockfileModule;
-function parseYarnLockfile(lockfilePath, packageJsonPath = path6.join(path6.dirname(lockfilePath), "package.json"), options = {}) {
+function parseYarnLockfile(lockfilePath, packageJsonPath = path7.join(path7.dirname(lockfilePath), "package.json"), options = {}) {
   const lockfileText = readInputTextFile({
     filePath: lockfilePath,
     maxBytes: options.lockfileMaxBytes ?? LOCKFILE_MAX_BYTES
@@ -18910,7 +19476,7 @@ function parseYarnLockfile(lockfilePath, packageJsonPath = path6.join(path6.dirn
     return parsedRootPackageJson;
   }
   const workspacePackageJsonTexts = readWorkspacePackageJsonTexts({
-    projectRoot: path6.dirname(packageJsonPath),
+    projectRoot: path7.dirname(packageJsonPath),
     rootPackageJson: parsedRootPackageJson.value,
     lockfilePath,
     packageJsonMaxBytes: options.packageJsonMaxBytes ?? PACKAGE_JSON_MAX_BYTES
@@ -18986,7 +19552,7 @@ function parseYarnLockText(input) {
 function parsePackageJson(input, packageJsonPath) {
   try {
     const parsed = JSON.parse(input);
-    if (!isObjectRecord8(parsed)) {
+    if (!isObjectRecord9(parsed)) {
       throw new Error("Expected package.json to contain an object.");
     }
     return ok(parsed);
@@ -19052,9 +19618,9 @@ function readWorkspacePackageJsonTexts(input) {
 function findYarnWorkspacePackageJsonPaths(input) {
   const locations = [];
   const seen = new Set;
-  const projectRoot = path6.resolve(input.projectRoot);
+  const projectRoot = path7.resolve(input.projectRoot);
   const patterns = readWorkspacePatterns(input.workspaces);
-  const excludedWorkspacePaths = new Set(patterns.filter((pattern) => pattern.startsWith("!")).flatMap((pattern) => expandWorkspacePattern(projectRoot, pattern.slice(1))).filter((workspacePath) => isInsideDirectory(projectRoot, workspacePath)).map((workspacePath) => path6.resolve(workspacePath)));
+  const excludedWorkspacePaths = new Set(patterns.filter((pattern) => pattern.startsWith("!")).flatMap((pattern) => expandWorkspacePattern(projectRoot, pattern.slice(1))).filter((workspacePath) => isInsideDirectory(projectRoot, workspacePath)).map((workspacePath) => path7.resolve(workspacePath)));
   for (const pattern of patterns) {
     if (pattern.startsWith("!")) {
       continue;
@@ -19063,15 +19629,15 @@ function findYarnWorkspacePackageJsonPaths(input) {
       if (!isInsideDirectory(projectRoot, workspacePath)) {
         continue;
       }
-      const packageJsonPath = path6.join(workspacePath, "package.json");
-      const relativePackageJsonPath = path6.relative(projectRoot, packageJsonPath).replace(/\\/g, "/");
-      if (seen.has(relativePackageJsonPath) || excludedWorkspacePaths.has(path6.resolve(workspacePath)) || !existsSync3(packageJsonPath)) {
+      const packageJsonPath = path7.join(workspacePath, "package.json");
+      const relativePackageJsonPath = path7.relative(projectRoot, packageJsonPath).replace(/\\/g, "/");
+      if (seen.has(relativePackageJsonPath) || excludedWorkspacePaths.has(path7.resolve(workspacePath)) || !existsSync4(packageJsonPath)) {
         continue;
       }
       locations.push({
         packageJsonPath,
         relativePackageJsonPath,
-        workspacePath: path6.relative(projectRoot, workspacePath).replace(/\\/g, "/")
+        workspacePath: path7.relative(projectRoot, workspacePath).replace(/\\/g, "/")
       });
       seen.add(relativePackageJsonPath);
     }
@@ -19082,7 +19648,7 @@ function readWorkspacePatterns(value) {
   if (Array.isArray(value)) {
     return value.filter((item) => typeof item === "string");
   }
-  if (isObjectRecord8(value) && Array.isArray(value.packages)) {
+  if (isObjectRecord9(value) && Array.isArray(value.packages)) {
     return value.packages.filter((item) => typeof item === "string");
   }
   return [];
@@ -19111,17 +19677,17 @@ function expandWorkspaceSegments(currentPath, segments) {
   }
   if (segment.includes("*")) {
     const matcher = wildcardSegmentMatcher(segment);
-    return listChildDirectories(currentPath).filter((childPath) => matcher.test(path6.basename(childPath))).flatMap((childPath) => expandWorkspaceSegments(childPath, rest));
+    return listChildDirectories(currentPath).filter((childPath) => matcher.test(path7.basename(childPath))).flatMap((childPath) => expandWorkspaceSegments(childPath, rest));
   }
-  return expandWorkspaceSegments(path6.join(currentPath, segment), rest);
+  return expandWorkspaceSegments(path7.join(currentPath, segment), rest);
 }
 function isInsideDirectory(rootPath, candidatePath) {
-  const relativePath = path6.relative(rootPath, path6.resolve(candidatePath));
-  return relativePath === "" || relativePath !== ".." && !relativePath.startsWith(`..${path6.sep}`) && !path6.isAbsolute(relativePath);
+  const relativePath = path7.relative(rootPath, path7.resolve(candidatePath));
+  return relativePath === "" || relativePath !== ".." && !relativePath.startsWith(`..${path7.sep}`) && !path7.isAbsolute(relativePath);
 }
 function listChildDirectories(parentPath) {
   try {
-    return readdirSync2(parentPath, { withFileTypes: true }).filter((entry) => entry.isDirectory() && entry.name !== "node_modules").map((entry) => path6.join(parentPath, entry.name));
+    return readdirSync3(parentPath, { withFileTypes: true }).filter((entry) => entry.isDirectory() && entry.name !== "node_modules").map((entry) => path7.join(parentPath, entry.name));
   } catch {
     return [];
   }
@@ -19141,17 +19707,20 @@ function readPackageName2(packageJson) {
   return typeof packageJson.name === "string" && packageJson.name !== "" ? packageJson.name : undefined;
 }
 function parseLockfile(input, lockfilePath) {
+  if (hasMergeConflictMarkers(input)) {
+    return err(createError({
+      code: "YARN_LOCK_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse yarn.lock because it contains unresolved merge conflicts.",
+      details: {
+        lockfilePath
+      }
+    }));
+  }
+  if (isYarnBerryLockfile(input)) {
+    return parseBerryLockfile(input, lockfilePath);
+  }
   try {
-    if (hasMergeConflictMarkers(input)) {
-      return err(createError({
-        code: "YARN_LOCK_PARSE_FAILED",
-        category: "unsupported_input",
-        message: "Failed to parse yarn.lock because it contains unresolved merge conflicts.",
-        details: {
-          lockfilePath
-        }
-      }));
-    }
     const parsed = yarnLockfile.parse(input);
     if (parsed.type === "conflict") {
       return err(createError({
@@ -19163,12 +19732,47 @@ function parseLockfile(input, lockfilePath) {
         }
       }));
     }
-    return ok(parsed.object);
+    return ok({
+      format: "classic",
+      entries: parsed.object
+    });
   } catch (cause) {
     return err(createError({
       code: "YARN_LOCK_PARSE_FAILED",
       category: "unsupported_input",
-      message: "Failed to parse yarn.lock. Ohrisk currently supports Yarn v1 lockfiles.",
+      message: "Failed to parse yarn.lock. Ohrisk expects a Yarn classic or Berry lockfile.",
+      details: {
+        lockfilePath,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function isYarnBerryLockfile(input) {
+  return /^__metadata:\s*$/m.test(input);
+}
+function parseBerryLockfile(input, lockfilePath) {
+  try {
+    const parsed = $parse(input);
+    if (!isObjectRecord9(parsed)) {
+      throw new Error("Expected a YAML mapping at the document root.");
+    }
+    const entries = {};
+    for (const [key, value] of Object.entries(parsed)) {
+      if (key === "__metadata" || !isObjectRecord9(value)) {
+        continue;
+      }
+      entries[key] = value;
+    }
+    return ok({
+      format: "berry",
+      entries
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "YARN_LOCK_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse Yarn Berry lockfile.",
       details: {
         lockfilePath,
         cause: cause instanceof Error ? cause.message : String(cause)
@@ -19181,12 +19785,12 @@ function hasMergeConflictMarkers(input) {
 }
 function parsePackageRecords4(lockfile) {
   const records = [];
-  for (const [key, entry] of Object.entries(lockfile)) {
+  for (const [key, entry] of Object.entries(lockfile.entries)) {
     if (typeof entry.version !== "string" || entry.version === "") {
       continue;
     }
     const descriptors = splitDescriptorKey(key);
-    const identity2 = descriptors.map(parseDescriptor).find(Boolean);
+    const identity2 = lockfile.format === "berry" ? readBerryPackageIdentity({ key, entry }) : descriptors.map(parseDescriptor).find(Boolean);
     if (!identity2) {
       continue;
     }
@@ -19194,7 +19798,10 @@ function parsePackageRecords4(lockfile) {
     const integrity = typeof entry.integrity === "string" && entry.integrity !== "" ? entry.integrity : undefined;
     records.push({
       key,
-      descriptors,
+      descriptors: descriptorIndexKeys({
+        descriptors,
+        format: lockfile.format
+      }),
       name: identity2.name,
       version: entry.version,
       id: `${identity2.name}@${entry.version}`,
@@ -19208,8 +19815,26 @@ function parsePackageRecords4(lockfile) {
 function splitDescriptorKey(key) {
   return key.split(/,\s*/).map((descriptor) => descriptor.trim()).filter(Boolean);
 }
+function descriptorIndexKeys(input) {
+  const keys = new Set;
+  for (const descriptor of input.descriptors) {
+    const unquoted = unquoteDescriptor(descriptor);
+    keys.add(unquoted);
+    const parsed = input.format === "berry" ? parseBerryDescriptor(unquoted) : parseDescriptor(unquoted);
+    if (!parsed) {
+      continue;
+    }
+    keys.add(`${parsed.name}@${parsed.range}`);
+    keys.add(`${parsed.name}@npm:${parsed.range}`);
+  }
+  return [...keys];
+}
 function parseDescriptor(descriptor) {
-  const unquoted = descriptor.replace(/^"|"$/g, "");
+  const unquoted = unquoteDescriptor(descriptor);
+  const berryDescriptor = parseBerryDescriptor(unquoted);
+  if (berryDescriptor) {
+    return berryDescriptor;
+  }
   const aliasMarker = "@npm:";
   const aliasIndex = unquoted.indexOf(aliasMarker);
   if (aliasIndex > 0) {
@@ -19225,6 +19850,89 @@ function parseDescriptor(descriptor) {
   }
   return { name: parsed.name, range: parsed.reference };
 }
+function parseBerryDescriptor(descriptor) {
+  const npmLocator = parseBerryNpmLocator(descriptor);
+  if (npmLocator) {
+    const alias = parseNpmPackageReference(`npm:${npmLocator.reference}`);
+    return alias ? { name: alias.name, range: alias.reference } : { name: npmLocator.name, range: npmLocator.reference };
+  }
+  const patchLocator = parseBerryPatchLocator(descriptor);
+  if (patchLocator) {
+    return patchLocator;
+  }
+  return;
+}
+function readBerryPackageIdentity(input) {
+  const resolution = typeof input.entry.resolution === "string" ? input.entry.resolution : undefined;
+  const parsedResolution = resolution ? parseBerryResolution(resolution) : undefined;
+  if (parsedResolution) {
+    return parsedResolution;
+  }
+  const descriptorIdentity = splitDescriptorKey(input.key).map((descriptor) => parseBerryDescriptor(unquoteDescriptor(descriptor))).find(Boolean);
+  return descriptorIdentity ? { name: descriptorIdentity.name, version: descriptorIdentity.range } : undefined;
+}
+function parseBerryResolution(value) {
+  const unquoted = unquoteDescriptor(value);
+  const npmLocator = parseBerryNpmLocator(unquoted);
+  if (npmLocator) {
+    return {
+      name: npmLocator.name,
+      version: npmLocator.reference
+    };
+  }
+  const patchLocator = parseBerryPatchLocator(unquoted);
+  if (patchLocator) {
+    return {
+      name: patchLocator.name,
+      version: patchLocator.range
+    };
+  }
+  return;
+}
+function parseBerryNpmLocator(value) {
+  const marker = "@npm:";
+  const index = value.indexOf(marker);
+  if (index <= 0) {
+    return;
+  }
+  const name = value.slice(0, index);
+  const reference = value.slice(index + marker.length);
+  if (!isValidNpmPackageName(name) || reference === "") {
+    return;
+  }
+  return { name, reference };
+}
+function parseBerryPatchLocator(value) {
+  const marker = "@patch:";
+  const index = value.indexOf(marker);
+  if (index <= 0) {
+    return;
+  }
+  const patchedLocator = value.slice(index + marker.length).split("#")[0]?.split("::")[0];
+  if (!patchedLocator) {
+    return;
+  }
+  const decodedLocator = safeDecodeURIComponent(patchedLocator);
+  const npmLocator = parseBerryNpmLocator(decodedLocator);
+  if (!npmLocator) {
+    return;
+  }
+  const alias = parseNpmPackageReference(`npm:${npmLocator.reference}`);
+  return alias ? { name: alias.name, range: alias.reference } : { name: npmLocator.name, range: npmLocator.reference };
+}
+function safeDecodeURIComponent(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function unquoteDescriptor(value) {
+  return value.replace(/^"|"$/g, "");
+}
+function isValidNpmPackageName(value) {
+  return /^(?:@[^/]+\/)?[^/@][^@]*$/.test(value);
+}
 function collectRootDependencies5(packageJson) {
   return [
     ...dependencyEntries4(packageJson.dependencies, "production"),
@@ -19247,7 +19955,7 @@ function dependencyEntries4(value, type) {
   }));
 }
 function readDependencyMap3(value) {
-  if (!isObjectRecord8(value)) {
+  if (!isObjectRecord9(value)) {
     return {};
   }
   const dependencies = {};
@@ -19277,10 +19985,28 @@ function indexPackagesByName3(records) {
   return index;
 }
 function resolvePackageRecord4(input) {
-  const descriptor = `${input.name}@${input.range}`;
   const reference = resolveNpmDependencyReference(input.name, input.range);
   const candidates = input.nameIndex.get(reference.lookupName) ?? [];
-  return input.descriptorIndex.get(descriptor) ?? (candidates.length === 1 ? candidates[0] : undefined) ?? candidates.find((candidate) => candidate.version === reference.lookupRange) ?? undefined;
+  return dependencyDescriptorCandidates({
+    name: input.name,
+    range: input.range,
+    reference
+  }).map((descriptor) => input.descriptorIndex.get(descriptor)).find((record) => record !== undefined) ?? (candidates.length === 1 ? candidates[0] : undefined) ?? candidates.find((candidate) => candidate.version === reference.lookupRange) ?? undefined;
+}
+function dependencyDescriptorCandidates(input) {
+  const candidates = new Set;
+  candidates.add(`${input.name}@${input.range}`);
+  candidates.add(`${input.reference.lookupName}@${input.reference.lookupRange}`);
+  candidates.add(`${input.name}@npm:${input.range}`);
+  candidates.add(`${input.reference.lookupName}@npm:${input.reference.lookupRange}`);
+  if (input.range.startsWith("npm:")) {
+    const bareRange = input.range.slice("npm:".length);
+    candidates.add(`${input.name}@${bareRange}`);
+    candidates.add(`${input.name}@npm:${bareRange}`);
+    candidates.add(`${input.reference.lookupName}@${bareRange}`);
+    candidates.add(`${input.reference.lookupName}@npm:${bareRange}`);
+  }
+  return [...candidates].filter((candidate) => !candidate.endsWith("@"));
 }
 function walkDependency5(input) {
   if (input.seen.has(input.record.key)) {
@@ -19367,7 +20093,7 @@ function dependencyTypeRank5(type) {
       return 0;
   }
 }
-function isObjectRecord8(value) {
+function isObjectRecord9(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
@@ -20051,13 +20777,13 @@ function severityRank2(severity) {
 }
 
 // src/policy/waivers.ts
-import { existsSync as existsSync4 } from "node:fs";
-import path7 from "node:path";
+import { existsSync as existsSync5 } from "node:fs";
+import path8 from "node:path";
 var DEFAULT_WAIVER_FILE_NAME = ".ohrisk-waivers.json";
 var WAIVER_FILE_MAX_BYTES = 1024 * 1024;
 function readRiskWaivers(projectRoot, options) {
-  const waiverPath = path7.join(projectRoot, DEFAULT_WAIVER_FILE_NAME);
-  if (!existsSync4(waiverPath)) {
+  const waiverPath = path8.join(projectRoot, DEFAULT_WAIVER_FILE_NAME);
+  if (!existsSync5(waiverPath)) {
     return ok([]);
   }
   const text = readTextFileWithLimit({
@@ -20202,7 +20928,7 @@ function isRecord2(value) {
 }
 
 // src/report/cyclonedx-report.ts
-import path8 from "node:path";
+import path9 from "node:path";
 function renderCycloneDxReport(input) {
   const licensesByPackageId = new Map(input.normalizedLicenses.map((license) => [license.packageId, license]));
   const findingsByPackageId = new Map(input.riskFindings.map((finding) => [finding.packageId, finding]));
@@ -20255,11 +20981,11 @@ function renderCycloneDxReport(input) {
   }, null, 2);
 }
 function projectRelativePath(projectRoot, targetPath) {
-  const relativePath = path8.relative(projectRoot, targetPath);
-  if (relativePath && !relativePath.startsWith("..") && !path8.isAbsolute(relativePath)) {
+  const relativePath = path9.relative(projectRoot, targetPath);
+  if (relativePath && !relativePath.startsWith("..") && !path9.isAbsolute(relativePath)) {
     return relativePath.replace(/\\/g, "/");
   }
-  return path8.basename(targetPath);
+  return path9.basename(targetPath);
 }
 function renderComponent(input) {
   const licenses = input.license ? renderLicenses(input.license) : [];
@@ -20368,8 +21094,8 @@ function directChildRefsByNodeId(nodes) {
   const nodeById = new Map(nodes.map((node) => [node.id, node]));
   const childIdsByNodeId = new Map;
   for (const candidate of nodes) {
-    for (const path9 of candidate.paths) {
-      const packagePath = path9.map(packageIdFromPathSegment);
+    for (const path10 of candidate.paths) {
+      const packagePath = path10.map(packageIdFromPathSegment);
       for (let index = 0;index < packagePath.length - 1; index += 1) {
         const parentId = packagePath[index];
         const childId = packagePath[index + 1];
@@ -20625,7 +21351,7 @@ function formatNormalizedExpression(license) {
 }
 
 // src/report/sarif-report.ts
-import path9 from "node:path";
+import path10 from "node:path";
 var SARIF_SCHEMA_URL = "https://json.schemastore.org/sarif-2.1.0.json";
 var RULES = [
   ruleFor("high", "High license risk", "A dependency has license evidence that is high risk for the selected profile."),
@@ -20635,7 +21361,7 @@ var RULES = [
 ];
 var RULE_INDEX_BY_ID = new Map(RULES.map((rule, index) => [rule.id, index]));
 function renderSarifReport(input) {
-  const lockfileUri = path9.relative(input.project.rootDir, input.project.lockfile.path).replace(/\\/g, "/") || path9.basename(input.project.lockfile.path);
+  const lockfileUri = path10.relative(input.project.rootDir, input.project.lockfile.path).replace(/\\/g, "/") || path10.basename(input.project.lockfile.path);
   return JSON.stringify({
     $schema: SARIF_SCHEMA_URL,
     version: "2.1.0",
@@ -20814,7 +21540,7 @@ function securitySeverityFor(severity) {
 }
 
 // src/report/scan-report.ts
-import path10 from "node:path";
+import path11 from "node:path";
 function renderScanReport(input) {
   const summary = buildScanSummary(input);
   const nextAction = nextActionFor2(input.riskFindings);
@@ -20851,7 +21577,7 @@ function renderScanReport(input) {
   return [
     "Ohrisk scan",
     `Project: ${input.project.rootDir}`,
-    `Lockfile: ${path10.basename(input.project.lockfile.path)} (${input.project.lockfile.kind})`,
+    `Lockfile: ${path11.basename(input.project.lockfile.path)} (${input.project.lockfile.kind})`,
     `Profile: ${input.profile}`,
     `Production only: ${input.prodOnly ? "yes" : "no"}`,
     `Dependencies: ${summary.dependencyGraph.total} total, ${summary.dependencyGraph.direct} direct, ${summary.dependencyGraph.transitive} transitive`,
@@ -20885,7 +21611,7 @@ function renderMarkdownReport2(input, summary) {
     "# Ohrisk scan",
     "",
     `- Project: ${formatMarkdownInlineCode(markdownProjectLabel(input))}`,
-    `- Lockfile: ${formatMarkdownInlineCode(path10.basename(input.project.lockfile.path))} (${formatMarkdownInlineCode(input.project.lockfile.kind)})`,
+    `- Lockfile: ${formatMarkdownInlineCode(path11.basename(input.project.lockfile.path))} (${formatMarkdownInlineCode(input.project.lockfile.kind)})`,
     `- Profile: ${formatMarkdownInlineCode(input.profile)}`,
     `- Production only: ${formatMarkdownInlineCode(input.prodOnly ? "yes" : "no")}`,
     `- Dependencies: ${formatMarkdownInlineCode(`${summary.dependencyGraph.total} total`)}, ${formatMarkdownInlineCode(`${summary.dependencyGraph.direct} direct`)}, ${formatMarkdownInlineCode(`${summary.dependencyGraph.transitive} transitive`)}`,
@@ -21154,11 +21880,11 @@ function nextActionFor2(findings) {
 
 // src/report/write-output.ts
 import { mkdirSync, writeFileSync } from "node:fs";
-import path11 from "node:path";
+import path12 from "node:path";
 var writeReportFile = (input) => {
-  const resolvedPath = path11.resolve(input.cwd, input.outputPath);
+  const resolvedPath = path12.resolve(input.cwd, input.outputPath);
   try {
-    mkdirSync(path11.dirname(resolvedPath), { recursive: true });
+    mkdirSync(path12.dirname(resolvedPath), { recursive: true });
     writeFileSync(resolvedPath, `${input.contents}
 `, "utf8");
     return ok(resolvedPath);
@@ -21177,8 +21903,8 @@ var writeReportFile = (input) => {
 };
 
 // src/project/discover.ts
-import { existsSync as existsSync5, statSync as statSync5 } from "node:fs";
-import path12 from "node:path";
+import { existsSync as existsSync6, statSync as statSync5 } from "node:fs";
+import path13 from "node:path";
 var SUPPORTED_LOCKFILES = {
   "bun.lock": "bun",
   "package-lock.json": "package-lock",
@@ -21200,9 +21926,9 @@ var KNOWN_PROJECT_MANIFESTS = [
   "deno.json",
   "deno.jsonc"
 ];
-var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn v1 yarn.lock.";
+var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn classic/Berry yarn.lock.";
 function discoverProject(options = {}) {
-  const startDir = path12.resolve(options.cwd ?? process.cwd());
+  const startDir = path13.resolve(options.cwd ?? process.cwd());
   try {
     if (options.lockfilePath) {
       return discoverExplicitLockfile({
@@ -21212,7 +21938,7 @@ function discoverProject(options = {}) {
     }
     for (const dir of ancestorsFrom(startDir)) {
       const lockfiles = findKnownLockfiles(dir);
-      const hasProjectManifest = KNOWN_PROJECT_MANIFESTS.some((manifest) => existsSync5(path12.join(dir, manifest)));
+      const hasProjectManifest = KNOWN_PROJECT_MANIFESTS.some((manifest) => existsSync6(path13.join(dir, manifest)));
       if (lockfiles.length === 0) {
         if (hasProjectManifest) {
           return err(createError({
@@ -21259,7 +21985,7 @@ function discoverProject(options = {}) {
         rootDir: dir,
         lockfile: {
           kind,
-          path: path12.join(dir, lockfileName)
+          path: path13.join(dir, lockfileName)
         }
       });
     }
@@ -21285,8 +22011,8 @@ function discoverProject(options = {}) {
   }));
 }
 function discoverExplicitLockfile(input) {
-  const lockfilePath = path12.resolve(input.cwd, input.lockfilePath);
-  const lockfileName = path12.basename(lockfilePath);
+  const lockfilePath = path13.resolve(input.cwd, input.lockfilePath);
+  const lockfileName = path13.basename(lockfilePath);
   const kind = SUPPORTED_LOCKFILES[lockfileName];
   if (!kind) {
     return err(createError({
@@ -21299,7 +22025,7 @@ function discoverExplicitLockfile(input) {
       }
     }));
   }
-  if (!existsSync5(lockfilePath)) {
+  if (!existsSync6(lockfilePath)) {
     return err(createError({
       code: "LOCKFILE_NOT_FOUND",
       category: "invalid_input",
@@ -21320,7 +22046,7 @@ function discoverExplicitLockfile(input) {
     }));
   }
   return ok({
-    rootDir: path12.dirname(lockfilePath),
+    rootDir: path13.dirname(lockfilePath),
     lockfile: {
       kind,
       path: lockfilePath
@@ -21328,7 +22054,7 @@ function discoverExplicitLockfile(input) {
   });
 }
 function findKnownLockfiles(dir) {
-  return KNOWN_LOCKFILES.filter((lockfile) => isFile(path12.join(dir, lockfile)));
+  return KNOWN_LOCKFILES.filter((lockfile) => isFile(path13.join(dir, lockfile)));
 }
 function isFile(pathname) {
   try {
@@ -21342,7 +22068,7 @@ function ancestorsFrom(startDir) {
   let current = startDir;
   while (true) {
     dirs.push(current);
-    const parent = path12.dirname(current);
+    const parent = path13.dirname(current);
     if (parent === current) {
       return dirs;
     }
@@ -21385,7 +22111,7 @@ async function runDiff(command, io) {
     io.stderr(formatError(currentProject.error));
     return exitCodeForError(currentProject.error);
   }
-  const relativeLockfilePath = path13.relative(currentProject.value.project.rootDir, currentProject.value.project.lockfile.path);
+  const relativeLockfilePath = path14.relative(currentProject.value.project.rootDir, currentProject.value.project.lockfile.path);
   const readRefFile = io.readRefFile ?? readGitRefFile;
   const baselineLockfile = readRefFile({
     projectRoot: currentProject.value.project.rootDir,
@@ -21415,13 +22141,25 @@ async function runDiff(command, io) {
     io.stderr(formatError(baselineWorkspacePackageJsons.error));
     return exitCodeForError(baselineWorkspacePackageJsons.error);
   }
+  const baselinePnpmWorkspace = currentProject.value.project.lockfile.kind === "pnpm-lock" ? readOptionalBaselineFile({
+    projectRoot: currentProject.value.project.rootDir,
+    baselineRef: command.baselineRef,
+    relativePath: "pnpm-workspace.yaml",
+    readRefFile
+  }) : ok(undefined);
+  if (isErr(baselinePnpmWorkspace)) {
+    io.stderr(formatError(baselinePnpmWorkspace.error));
+    return exitCodeForError(baselinePnpmWorkspace.error);
+  }
   const baselineGraph = parseLockfileTextForKind({
     kind: currentProject.value.project.lockfile.kind,
     text: baselineLockfile.value,
     lockfilePath: `${command.baselineRef}:${relativeLockfilePath}`,
     packageJsonText: baselinePackageJson?.value,
     packageJsonPath: `${command.baselineRef}:package.json`,
-    workspacePackageJsonTexts: baselineWorkspacePackageJsons.value
+    workspacePackageJsonTexts: baselineWorkspacePackageJsons.value,
+    pnpmWorkspaceText: baselinePnpmWorkspace.value,
+    pnpmWorkspacePath: `${command.baselineRef}:pnpm-workspace.yaml`
   });
   if (isErr(baselineGraph)) {
     io.stderr(formatError(baselineGraph.error));
@@ -21688,7 +22426,10 @@ function parseLockfileTextForKind(input) {
     case "npm-shrinkwrap":
       return parsePackageLockText(input.text, input.lockfilePath);
     case "pnpm-lock":
-      return parsePnpmLockText(input.text, input.lockfilePath);
+      return parsePnpmLockText(input.text, input.lockfilePath, {
+        workspaceText: input.pnpmWorkspaceText,
+        workspacePath: input.pnpmWorkspacePath
+      });
     case "deno-lock":
       return parseDenoLockText(input.text, input.lockfilePath);
     case "yarn-lock":
@@ -21730,6 +22471,20 @@ function readBaselineYarnWorkspacePackageJsons(input) {
   }
   return ok(packageJsons);
 }
+function readOptionalBaselineFile(input) {
+  const result = input.readRefFile({
+    projectRoot: input.projectRoot,
+    ref: input.baselineRef,
+    relativePath: input.relativePath
+  });
+  if (!isErr(result)) {
+    return ok(result.value);
+  }
+  if (result.error.code === "GIT_REF_FILE_NOT_FOUND") {
+    return ok(undefined);
+  }
+  return err(result.error);
+}
 function tryParseObject(input) {
   try {
     const parsed = JSON.parse(input);
@@ -21931,7 +22686,7 @@ function isCliEntrypoint(metaUrl, argvPath) {
   try {
     return realpathSync2(fileURLToPath2(metaUrl)) === realpathSync2(argvPath);
   } catch {
-    return path13.resolve(fileURLToPath2(metaUrl)) === path13.resolve(argvPath);
+    return path14.resolve(fileURLToPath2(metaUrl)) === path14.resolve(argvPath);
   }
 }
 function defaultIO() {