ohrisk 0.128.0 → 0.129.0
- package/CHANGELOG.md +16 -0
- package/README.md +4 -2
- package/dist/cli.js +754 -170
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,21 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.129.0 - 2026-06-20
|
|
4
|
+
|
|
5
|
+
### Added
|
|
6
|
+
|
|
7
|
+
- pnpm `catalog:` and `catalog:<name>` dependency specifiers are now resolved
|
|
8
|
+
from `pnpm-workspace.yaml` for scan and git-ref diff graph extraction.
|
|
9
|
+
- Yarn Berry `.yarn/cache` package zip files are now used as local package
|
|
10
|
+
evidence before registry fallback, covering PnP installs without
|
|
11
|
+
`node_modules`.
|
|
12
|
+
|
|
13
|
+
### Fixed
|
|
14
|
+
|
|
15
|
+
- Malformed `pnpm-workspace.yaml` catalog files now fail with a typed
|
|
16
|
+
`PNPM_WORKSPACE_PARSE_FAILED` error instead of silently dropping catalog
|
|
17
|
+
dependencies.
|
|
18
|
+
|
|
3
19
|
## 0.128.0 - 2026-06-20
|
|
4
20
|
|
|
5
21
|
### Added
|
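Review bot: the Fixed entry (new lines 15-17) says a malformed `pnpm-workspace.yaml` now fails with a typed `PNPM_WORKSPACE_PARSE_FAILED` error, but it does not say which code paths raise it or how a missing file is treated; since the Added entry (new lines 7-8) says catalog resolution runs for both scan and git-ref diff graph extraction, state that both fail on a malformed file, and say whether a project that uses `catalog:` specifiers without any `pnpm-workspace.yaml` also errors or still drops those dependencies silently. Separately, the new `.yarn/cache` entry (new lines 9-11) says zip files are used as evidence before registry fallback but not whether that evidence is verified against the lockfile the way tarball evidence is; one clause ("verified against `yarn.lock` before use" or "not yet verified") would tell readers whether a tampered cache zip is caught.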
package/README.md
CHANGED
|
@@ -74,11 +74,13 @@ The current implementation is the first npm-style vertical slice:
|
|
|
74
74
|
- explicit lockfile selection with `--lockfile <path>` for projects that contain more than one supported lockfile
|
|
75
75
|
- direct and transitive dependency graph extraction
|
|
76
76
|
- Bun, npm, pnpm, and Yarn classic/Berry workspace projects are scanned from every workspace/importer package root
|
|
77
|
+
- pnpm `catalog:` and `catalog:<name>` dependency specifiers are resolved from `pnpm-workspace.yaml`
|
|
77
78
|
- Deno `deno.lock` projects are scanned for npm package dependencies recorded in `npm:` specifiers; remote URL imports and JSR packages are not scanned yet
|
|
78
79
|
- npm alias dependency resolution, including pnpm alias package keys, with alias context preserved in dependency paths
|
|
79
80
|
- production, development, optional, and peer dependency classification
|
|
80
81
|
- local `file:` package artifact evidence
|
|
81
82
|
- installed `node_modules` package evidence, including npm alias install names, before network fallback
|
|
83
|
+
- Yarn Berry `.yarn/cache` package zip evidence before registry fallback for PnP installs without `node_modules`
|
|
82
84
|
- remote HTTP(S) package tarball evidence when the lockfile points to a tarball, with credential-bearing URLs, obvious local, private, special-purpose, and DNS-resolved internal hosts blocked before fetch, DNS answers rechecked at the default connection boundary, and redirects followed only after each target is validated
|
|
83
85
|
- lockfile integrity verification for local and remote package tarballs
|
|
84
86
|
- npm registry metadata lookup when the lockfile does not include a direct tarball URL
|
|
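Review bot: the new `.yarn/cache` bullet (new line 83) is placed among the evidence sources, but the integrity bullet two lines later (new line 85) still reads "lockfile integrity verification for local and remote package tarballs"; either extend that bullet to say whether `.yarn/cache` zip evidence is also checked against the lockfile, or state in the new bullet that it is not, because a local cache zip accepted before registry fallback is exactly the input a reader would expect to be verified. The pnpm catalog bullet (new line 77) could also mention that a malformed `pnpm-workspace.yaml` is now a hard `PNPM_WORKSPACE_PARSE_FAILED` error, as the CHANGELOG in this same release states, so README readers learn the failure mode without opening the changelog.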
@@ -157,9 +159,9 @@ Supported lockfiles:
|
|
|
157
159
|
- `bun.lock`
|
|
158
160
|
- `package-lock.json` with either a modern `packages` section or an npm v1 dependency tree
|
|
159
161
|
- `npm-shrinkwrap.json` with the same package-lock parser support
|
|
160
|
-
- `pnpm-lock.yaml` with `importers`, `packages`, and `snapshots` sections
|
|
162
|
+
- `pnpm-lock.yaml` with `importers`, `packages`, and `snapshots` sections, including default and named catalogs from `pnpm-workspace.yaml`
|
|
161
163
|
- `deno.lock` npm package entries from Deno v3/v4-style lockfiles
|
|
162
|
-
- Yarn classic/Berry `yarn.lock` with root and workspace dependency sets from `package.json` manifests
|
|
164
|
+
- Yarn classic/Berry `yarn.lock` with root and workspace dependency sets from `package.json` manifests, plus local `.yarn/cache` zip evidence for Berry/PnP installs
|
|
163
165
|
|
|
164
166
|
Select a specific lockfile when a project contains more than one supported lockfile:
|
|
165
167
|
|
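Review bot: the "Supported lockfiles" list is about lockfile formats the parser understands, and the rewritten `yarn.lock` bullet (new line 164) now appends "plus local `.yarn/cache` zip evidence", which is an evidence source rather than a lockfile feature and already appears in the feature list earlier in this README (new line 83); keep this bullet to the `yarn.lock` parsing scope and drop the trailing clause, or rephrase it as a cross-reference ("see the `.yarn/cache` evidence item above") so the two lists do not drift apart on later edits. The rewritten `pnpm-lock.yaml` bullet (new line 162) is fine as written, though "default and named catalogs" would read more precisely as "the default `catalog:` and named `catalog:<name>` entries", matching the wording used at new line 77.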