npm - ohrisk - Versions diffs - 0.128.0 → 0.129.0 - Mend

ohrisk 0.128.0 → 0.129.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -7824,11 +7824,11 @@ var require_lockfile = __commonJS((exports, module) => {
         };
       })();
       let getEolFromFile = (() => {
-        var _ref30 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path6) {
-          if (!(yield exists(path6))) {
+        var _ref30 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path7) {
+          if (!(yield exists(path7))) {
             return;
           }
-          const buffer = yield readFileBuffer(path6);
+          const buffer = yield readFileBuffer(path7);
           for (let i = 0;i < buffer.length; ++i) {
             if (buffer[i] === cr) {
               return `\r
@@ -7846,13 +7846,13 @@ var require_lockfile = __commonJS((exports, module) => {
         };
       })();
       let writeFilePreservingEol = exports2.writeFilePreservingEol = (() => {
-        var _ref31 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path6, data) {
-          const eol = (yield getEolFromFile(path6)) || (_os || _load_os()).default.EOL;
+        var _ref31 = (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* (path7, data) {
+          const eol = (yield getEolFromFile(path7)) || (_os || _load_os()).default.EOL;
           if (eol !== `
 `) {
             data = data.replace(/\n/g, eol);
           }
-          yield writeFile(path6, data);
+          yield writeFile(path7, data);
         });
         return function writeFilePreservingEol2(_x30, _x31) {
           return _ref31.apply(this, arguments);
@@ -7903,10 +7903,10 @@ var require_lockfile = __commonJS((exports, module) => {
                 break;
               _ref35 = _i15.value;
             }
-            const path6 = _ref35;
+            const path7 = _ref35;
             try {
-              const fd = yield open(path6, "r");
-              return (_fs || _load_fs()).default.createReadStream(path6, { fd });
+              const fd = yield open(path7, "r");
+              return (_fs || _load_fs()).default.createReadStream(path7, { fd });
             } catch (err2) {}
           }
           return null;
@@ -8070,7 +8070,7 @@ var require_lockfile = __commonJS((exports, module) => {
       });
       exports2.getPathKey = getPathKey;
       const os = __webpack_require__(36);
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const userHome = __webpack_require__(45).default;
       var _require = __webpack_require__(171);
       const { getCacheDir, getConfigDir, getDataDir } = _require;
@@ -8093,29 +8093,29 @@ var require_lockfile = __commonJS((exports, module) => {
       function getPreferredCacheDirectories() {
         const preferredCacheDirectories = [getCacheDir()];
         if (process.getuid) {
-          preferredCacheDirectories.push(path6.join(os.tmpdir(), `.yarn-cache-${process.getuid()}`));
+          preferredCacheDirectories.push(path7.join(os.tmpdir(), `.yarn-cache-${process.getuid()}`));
         }
-        preferredCacheDirectories.push(path6.join(os.tmpdir(), `.yarn-cache`));
+        preferredCacheDirectories.push(path7.join(os.tmpdir(), `.yarn-cache`));
         return preferredCacheDirectories;
       }
       const PREFERRED_MODULE_CACHE_DIRECTORIES = exports2.PREFERRED_MODULE_CACHE_DIRECTORIES = getPreferredCacheDirectories();
       const CONFIG_DIRECTORY = exports2.CONFIG_DIRECTORY = getConfigDir();
       const DATA_DIRECTORY = exports2.DATA_DIRECTORY = getDataDir();
-      const LINK_REGISTRY_DIRECTORY = exports2.LINK_REGISTRY_DIRECTORY = path6.join(DATA_DIRECTORY, "link");
-      const GLOBAL_MODULE_DIRECTORY = exports2.GLOBAL_MODULE_DIRECTORY = path6.join(DATA_DIRECTORY, "global");
+      const LINK_REGISTRY_DIRECTORY = exports2.LINK_REGISTRY_DIRECTORY = path7.join(DATA_DIRECTORY, "link");
+      const GLOBAL_MODULE_DIRECTORY = exports2.GLOBAL_MODULE_DIRECTORY = path7.join(DATA_DIRECTORY, "global");
       const NODE_BIN_PATH = exports2.NODE_BIN_PATH = process.execPath;
       const YARN_BIN_PATH = exports2.YARN_BIN_PATH = getYarnBinPath();
       function getYarnBinPath() {
         if (isWebpackBundle) {
           return __filename;
         } else {
-          return path6.join(__dirname, "..", "bin", "yarn.js");
+          return path7.join(__dirname, "..", "bin", "yarn.js");
         }
       }
       const NODE_MODULES_FOLDER = exports2.NODE_MODULES_FOLDER = "node_modules";
       const NODE_PACKAGE_JSON = exports2.NODE_PACKAGE_JSON = "package.json";
       const POSIX_GLOBAL_PREFIX = exports2.POSIX_GLOBAL_PREFIX = `${process.env.DESTDIR || ""}/usr/local`;
-      const FALLBACK_GLOBAL_PREFIX = exports2.FALLBACK_GLOBAL_PREFIX = path6.join(userHome, ".yarn");
+      const FALLBACK_GLOBAL_PREFIX = exports2.FALLBACK_GLOBAL_PREFIX = path7.join(userHome, ".yarn");
       const META_FOLDER = exports2.META_FOLDER = ".yarn-meta";
       const INTEGRITY_FILENAME = exports2.INTEGRITY_FILENAME = ".yarn-integrity";
       const LOCKFILE_FILENAME = exports2.LOCKFILE_FILENAME = "yarn.lock";
@@ -8349,7 +8349,7 @@ var require_lockfile = __commonJS((exports, module) => {
         return obj && obj.__esModule ? obj : { default: obj };
       }
       const invariant = __webpack_require__(7);
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const ssri = __webpack_require__(55);
       function getName(pattern) {
         return (0, (_normalizePattern || _load_normalizePattern()).normalizePattern)(pattern).name;
@@ -8415,7 +8415,7 @@ var require_lockfile = __commonJS((exports, module) => {
         }
         static fromDirectory(dir, reporter) {
           return (0, (_asyncToGenerator2 || _load_asyncToGenerator()).default)(function* () {
-            const lockfileLoc = path6.join(dir, (_constants || _load_constants()).LOCKFILE_FILENAME);
+            const lockfileLoc = path7.join(dir, (_constants || _load_constants()).LOCKFILE_FILENAME);
             let lockfile;
             let rawLockfile = "";
             let parseResult;
@@ -8834,9 +8834,9 @@ var require_lockfile = __commonJS((exports, module) => {
       function _interopRequireDefault(obj) {
         return obj && obj.__esModule ? obj : { default: obj };
       }
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const home = exports2.home = __webpack_require__(36).homedir();
-      const userHomeDir = (_rootUser || _load_rootUser()).default ? path6.resolve("/usr/local/share") : home;
+      const userHomeDir = (_rootUser || _load_rootUser()).default ? path7.resolve("/usr/local/share") : home;
       exports2.default = userHomeDir;
     },
     function(module2, exports2) {
@@ -9236,9 +9236,9 @@ var require_lockfile = __commonJS((exports, module) => {
     function(module2, exports2, __webpack_require__) {
       module2.exports = minimatch;
       minimatch.Minimatch = Minimatch;
-      var path6 = { sep: "/" };
+      var path7 = { sep: "/" };
       try {
-        path6 = __webpack_require__(0);
+        path7 = __webpack_require__(0);
       } catch (er) {}
       var GLOBSTAR = minimatch.GLOBSTAR = Minimatch.GLOBSTAR = {};
       var expand = __webpack_require__(175);
@@ -9320,8 +9320,8 @@ var require_lockfile = __commonJS((exports, module) => {
         if (!options)
           options = {};
         pattern = pattern.trim();
-        if (path6.sep !== "/") {
-          pattern = pattern.split(path6.sep).join("/");
+        if (path7.sep !== "/") {
+          pattern = pattern.split(path7.sep).join("/");
         }
         this.options = options;
         this.set = [];
@@ -9688,8 +9688,8 @@ var require_lockfile = __commonJS((exports, module) => {
         if (f === "/" && partial)
           return true;
         var options = this.options;
-        if (path6.sep !== "/") {
-          f = f.split(path6.sep).join("/");
+        if (path7.sep !== "/") {
+          f = f.split(path7.sep).join("/");
         }
         f = f.split(slashSplit);
         this.debug(this.pattern, "split", f);
@@ -9919,7 +9919,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
       var Minimatch = minimatch.Minimatch;
       var inherits = __webpack_require__(42);
       var EE = __webpack_require__(54).EventEmitter;
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var assert = __webpack_require__(22);
       var isAbsolute = __webpack_require__(76);
       var globSync = __webpack_require__(218);
@@ -10202,7 +10202,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
                 e = prefix + e;
             }
             if (e.charAt(0) === "/" && !this.nomount) {
-              e = path6.join(this.root, e);
+              e = path7.join(this.root, e);
             }
             this._emitMatch(index, e);
           }
@@ -10389,9 +10389,9 @@ globstar while`, file, fr, pattern, pr, swallowee);
         if (prefix && isAbsolute(prefix) && !this.nomount) {
           var trail = /[\/\\]$/.test(prefix);
           if (prefix.charAt(0) === "/") {
-            prefix = path6.join(this.root, prefix);
+            prefix = path7.join(this.root, prefix);
           } else {
-            prefix = path6.resolve(this.root, prefix);
+            prefix = path7.resolve(this.root, prefix);
             if (trail)
               prefix += "/";
           }
@@ -10464,12 +10464,12 @@ globstar while`, file, fr, pattern, pr, swallowee);
       };
     },
     function(module2, exports2, __webpack_require__) {
-      function posix(path6) {
-        return path6.charAt(0) === "/";
+      function posix(path7) {
+        return path7.charAt(0) === "/";
       }
-      function win32(path6) {
+      function win32(path7) {
         var splitDeviceRe = /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
-        var result = splitDeviceRe.exec(path6);
+        var result = splitDeviceRe.exec(path7);
         var device = result[1] || "";
         var isUnc = Boolean(device && device.charAt(1) !== ":");
         return Boolean(result[2] || isUnc);
@@ -11430,7 +11430,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
       function ownProp(obj, field) {
         return Object.prototype.hasOwnProperty.call(obj, field);
       }
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var minimatch = __webpack_require__(60);
       var isAbsolute = __webpack_require__(76);
       var Minimatch = minimatch.Minimatch;
@@ -11497,11 +11497,11 @@ globstar while`, file, fr, pattern, pr, swallowee);
         if (!ownProp(options, "cwd"))
           self2.cwd = cwd;
         else {
-          self2.cwd = path6.resolve(options.cwd);
+          self2.cwd = path7.resolve(options.cwd);
           self2.changedCwd = self2.cwd !== cwd;
         }
-        self2.root = options.root || path6.resolve(self2.cwd, "/");
-        self2.root = path6.resolve(self2.root);
+        self2.root = options.root || path7.resolve(self2.cwd, "/");
+        self2.root = path7.resolve(self2.root);
         if (process.platform === "win32")
           self2.root = self2.root.replace(/\\/g, "/");
         self2.cwdAbs = isAbsolute(self2.cwd) ? self2.cwd : makeAbs(self2, self2.cwd);
@@ -11582,35 +11582,35 @@ globstar while`, file, fr, pattern, pr, swallowee);
       function makeAbs(self2, f) {
         var abs = f;
         if (f.charAt(0) === "/") {
-          abs = path6.join(self2.root, f);
+          abs = path7.join(self2.root, f);
         } else if (isAbsolute(f) || f === "") {
           abs = f;
         } else if (self2.changedCwd) {
-          abs = path6.resolve(self2.cwd, f);
+          abs = path7.resolve(self2.cwd, f);
         } else {
-          abs = path6.resolve(f);
+          abs = path7.resolve(f);
         }
         if (process.platform === "win32")
           abs = abs.replace(/\\/g, "/");
         return abs;
       }
-      function isIgnored(self2, path7) {
+      function isIgnored(self2, path8) {
         if (!self2.ignore.length)
           return false;
         return self2.ignore.some(function(item) {
-          return item.matcher.match(path7) || !!(item.gmatcher && item.gmatcher.match(path7));
+          return item.matcher.match(path8) || !!(item.gmatcher && item.gmatcher.match(path8));
         });
       }
-      function childrenIgnored(self2, path7) {
+      function childrenIgnored(self2, path8) {
         if (!self2.ignore.length)
           return false;
         return self2.ignore.some(function(item) {
-          return !!(item.gmatcher && item.gmatcher.match(path7));
+          return !!(item.gmatcher && item.gmatcher.match(path8));
         });
       }
     },
     function(module2, exports2, __webpack_require__) {
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var fs = __webpack_require__(3);
       var _0777 = parseInt("0777", 8);
       module2.exports = mkdirP.mkdirp = mkdirP.mkdirP = mkdirP;
@@ -11629,7 +11629,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
         if (!made)
           made = null;
         var cb = f || function() {};
-        p = path6.resolve(p);
+        p = path7.resolve(p);
         xfs.mkdir(p, mode, function(er) {
           if (!er) {
             made = made || p;
@@ -11637,7 +11637,7 @@ globstar while`, file, fr, pattern, pr, swallowee);
           }
           switch (er.code) {
             case "ENOENT":
-              mkdirP(path6.dirname(p), opts, function(er2, made2) {
+              mkdirP(path7.dirname(p), opts, function(er2, made2) {
                 if (er2)
                   cb(er2, made2);
                 else
@@ -11666,14 +11666,14 @@ globstar while`, file, fr, pattern, pr, swallowee);
         }
         if (!made)
           made = null;
-        p = path6.resolve(p);
+        p = path7.resolve(p);
         try {
           xfs.mkdirSync(p, mode);
           made = made || p;
         } catch (err0) {
           switch (err0.code) {
             case "ENOENT":
-              made = sync(path6.dirname(p), opts, made);
+              made = sync(path7.dirname(p), opts, made);
               sync(p, opts, made);
               break;
             default:
@@ -12051,27 +12051,27 @@ ${indent}`);
       exports2.getDataDir = getDataDir;
       exports2.getCacheDir = getCacheDir;
       exports2.getConfigDir = getConfigDir;
-      const path6 = __webpack_require__(0);
+      const path7 = __webpack_require__(0);
       const userHome = __webpack_require__(45).default;
-      const FALLBACK_CONFIG_DIR = path6.join(userHome, ".config", "yarn");
-      const FALLBACK_CACHE_DIR = path6.join(userHome, ".cache", "yarn");
+      const FALLBACK_CONFIG_DIR = path7.join(userHome, ".config", "yarn");
+      const FALLBACK_CACHE_DIR = path7.join(userHome, ".cache", "yarn");
       function getDataDir() {
         if (process.platform === "win32") {
           const WIN32_APPDATA_DIR = getLocalAppDataDir();
-          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path6.join(WIN32_APPDATA_DIR, "Data");
+          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path7.join(WIN32_APPDATA_DIR, "Data");
         } else if (process.env.XDG_DATA_HOME) {
-          return path6.join(process.env.XDG_DATA_HOME, "yarn");
+          return path7.join(process.env.XDG_DATA_HOME, "yarn");
         } else {
           return FALLBACK_CONFIG_DIR;
         }
       }
       function getCacheDir() {
         if (process.platform === "win32") {
-          return path6.join(getLocalAppDataDir() || path6.join(userHome, "AppData", "Local", "Yarn"), "Cache");
+          return path7.join(getLocalAppDataDir() || path7.join(userHome, "AppData", "Local", "Yarn"), "Cache");
         } else if (process.env.XDG_CACHE_HOME) {
-          return path6.join(process.env.XDG_CACHE_HOME, "yarn");
+          return path7.join(process.env.XDG_CACHE_HOME, "yarn");
         } else if (process.platform === "darwin") {
-          return path6.join(userHome, "Library", "Caches", "Yarn");
+          return path7.join(userHome, "Library", "Caches", "Yarn");
         } else {
           return FALLBACK_CACHE_DIR;
         }
@@ -12079,15 +12079,15 @@ ${indent}`);
       function getConfigDir() {
         if (process.platform === "win32") {
           const WIN32_APPDATA_DIR = getLocalAppDataDir();
-          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path6.join(WIN32_APPDATA_DIR, "Config");
+          return WIN32_APPDATA_DIR == null ? FALLBACK_CONFIG_DIR : path7.join(WIN32_APPDATA_DIR, "Config");
         } else if (process.env.XDG_CONFIG_HOME) {
-          return path6.join(process.env.XDG_CONFIG_HOME, "yarn");
+          return path7.join(process.env.XDG_CONFIG_HOME, "yarn");
         } else {
           return FALLBACK_CONFIG_DIR;
         }
       }
       function getLocalAppDataDir() {
-        return process.env.LOCALAPPDATA ? path6.join(process.env.LOCALAPPDATA, "Yarn") : null;
+        return process.env.LOCALAPPDATA ? path7.join(process.env.LOCALAPPDATA, "Yarn") : null;
       }
     },
     ,
@@ -13683,7 +13683,7 @@ ${indent}`);
       var Minimatch = minimatch.Minimatch;
       var Glob = __webpack_require__(75).Glob;
       var util = __webpack_require__(2);
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var assert = __webpack_require__(22);
       var isAbsolute = __webpack_require__(76);
       var common = __webpack_require__(115);
@@ -13813,7 +13813,7 @@ ${indent}`);
                 e = prefix + e;
             }
             if (e.charAt(0) === "/" && !this.nomount) {
-              e = path6.join(this.root, e);
+              e = path7.join(this.root, e);
             }
             this._emitMatch(index, e);
           }
@@ -13962,9 +13962,9 @@ ${indent}`);
         if (prefix && isAbsolute(prefix) && !this.nomount) {
           var trail = /[\/\\]$/.test(prefix);
           if (prefix.charAt(0) === "/") {
-            prefix = path6.join(this.root, prefix);
+            prefix = path7.join(this.root, prefix);
           } else {
-            prefix = path6.resolve(this.root, prefix);
+            prefix = path7.resolve(this.root, prefix);
             if (trail)
               prefix += "/";
           }
@@ -14210,7 +14210,7 @@ ${indent}`);
       module2.exports = rimraf;
       rimraf.sync = rimrafSync;
       var assert = __webpack_require__(22);
-      var path6 = __webpack_require__(0);
+      var path7 = __webpack_require__(0);
       var fs = __webpack_require__(3);
       var glob = __webpack_require__(75);
       var _0666 = parseInt("666", 8);
@@ -14395,7 +14395,7 @@ ${indent}`);
             return options.rmdir(p, cb);
           var errState;
           files.forEach(function(f) {
-            rimraf(path6.join(p, f), options, function(er2) {
+            rimraf(path7.join(p, f), options, function(er2) {
               if (errState)
                 return;
               if (er2)
@@ -14472,7 +14472,7 @@ ${indent}`);
         assert(p);
         assert(options);
         options.readdirSync(p).forEach(function(f) {
-          rimrafSync(path6.join(p, f), options);
+          rimrafSync(path7.join(p, f), options);
         });
         var retries = isWindows ? 100 : 1;
         var i = 0;
@@ -14559,7 +14559,7 @@ ${indent}`);
 // src/cli/main.ts
 import { realpathSync as realpathSync2 } from "node:fs";
-import path13 from "node:path";
+import path14 from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 // src/shared/errors.ts
@@ -15175,7 +15175,7 @@ function parseDiffArgs(argv) {
 }
 // src/cli/version.ts
-var OHRISK_VERSION = "0.128.0";
+var OHRISK_VERSION = "0.129.0";
 // src/diff/compare.ts
 function diffRiskFindings(input) {
@@ -15202,6 +15202,7 @@ import {
   closeSync as closeSync2,
   existsSync as existsSync2,
   openSync as openSync2,
+  readdirSync as readdirSync2,
   readSync as readSync2,
   realpathSync,
   statSync as statSync3
@@ -15677,6 +15678,295 @@ function isZeroBlock(buffer) {
   return buffer.every((byte) => byte === 0);
 }
+// src/evidence/zip-package.ts
+import { inflateRawSync } from "node:zlib";
+var ZIP_EOCD_SIGNATURE = 101010256;
+var ZIP_CENTRAL_DIRECTORY_SIGNATURE = 33639248;
+var ZIP_LOCAL_FILE_SIGNATURE = 67324752;
+var ZIP64_SENTINEL = 4294967295;
+var ZIP_EOCD_MIN_BYTES = 22;
+var ZIP_MAX_COMMENT_BYTES = 65535;
+var PACKAGE_ZIP_MAX_ENTRIES = 50000;
+var PACKAGE_ZIP_ENTRY_MAX_BYTES = 2 * 1024 * 1024;
+function collectZipPackageEvidence(input) {
+  const zip = Buffer.isBuffer(input.zip) ? input.zip : Buffer.from(input.zip);
+  const entryMaxBytes = input.entryMaxBytes ?? PACKAGE_ZIP_ENTRY_MAX_BYTES;
+  try {
+    const entries = parseZipEntries({
+      packageId: input.packageId,
+      zip,
+      maxEntries: input.maxEntries ?? PACKAGE_ZIP_MAX_ENTRIES
+    });
+    for (const packageJsonEntry of packageJsonEntries(entries)) {
+      const packageJson = readPackageJsonEntry({
+        packageId: input.packageId,
+        zip,
+        entry: packageJsonEntry,
+        maxBytes: entryMaxBytes
+      });
+      if (!packageJson.ok) {
+        return err(packageJson.error);
+      }
+      if (packageJson.value.packageJson.name !== input.packageName || packageJson.value.packageJson.version !== input.packageVersion) {
+        continue;
+      }
+      const files = collectZipEvidenceFiles({
+        packageId: input.packageId,
+        zip,
+        entries,
+        packageRoot: packageJson.value.packageRoot,
+        maxBytes: entryMaxBytes
+      });
+      if (!files.ok) {
+        return err(files.error);
+      }
+      const warnings = files.value.length === 0 ? ["No LICENSE, LICENCE, UNLICENSE, COPYING, or NOTICE file found."] : [];
+      return ok({
+        packageId: input.packageId,
+        ...readLicenseFields3(packageJson.value.packageJson),
+        files: files.value,
+        source: "local",
+        warnings
+      });
+    }
+    return ok(undefined);
+  } catch (cause) {
+    return err(createError({
+      code: "PACKAGE_EVIDENCE_READ_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse package zip cache evidence.",
+      details: {
+        packageId: input.packageId,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function parseZipEntries(input) {
+  const endOfCentralDirectoryOffset = findEndOfCentralDirectory(input.zip);
+  if (endOfCentralDirectoryOffset === undefined) {
+    throw new Error("ZIP end of central directory record was not found.");
+  }
+  const diskNumber = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 4);
+  const centralDirectoryDisk = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 6);
+  const entriesOnDisk = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 8);
+  const totalEntries = input.zip.readUInt16LE(endOfCentralDirectoryOffset + 10);
+  const centralDirectorySize = input.zip.readUInt32LE(endOfCentralDirectoryOffset + 12);
+  const centralDirectoryOffset = input.zip.readUInt32LE(endOfCentralDirectoryOffset + 16);
+  if (diskNumber !== 0 || centralDirectoryDisk !== 0 || entriesOnDisk !== totalEntries) {
+    throw new Error("Multi-disk ZIP archives are not supported.");
+  }
+  if (totalEntries === ZIP64_SENTINEL || centralDirectorySize === ZIP64_SENTINEL || centralDirectoryOffset === ZIP64_SENTINEL) {
+    throw new Error("ZIP64 package cache archives are not supported.");
+  }
+  if (totalEntries > input.maxEntries) {
+    throw new Error(`Package ZIP exceeded the maximum entry count (${input.maxEntries}).`);
+  }
+  const centralDirectoryEnd = centralDirectoryOffset + centralDirectorySize;
+  if (centralDirectoryOffset < 0 || centralDirectorySize < 0 || centralDirectoryEnd > input.zip.length) {
+    throw new Error("ZIP central directory extends beyond archive data.");
+  }
+  const entries = [];
+  let offset = centralDirectoryOffset;
+  while (offset < centralDirectoryEnd) {
+    if (offset + 46 > input.zip.length) {
+      throw new Error("ZIP central directory entry is truncated.");
+    }
+    const signature = input.zip.readUInt32LE(offset);
+    if (signature !== ZIP_CENTRAL_DIRECTORY_SIGNATURE) {
+      throw new Error("ZIP central directory entry has an invalid signature.");
+    }
+    const flags = input.zip.readUInt16LE(offset + 8);
+    const compressionMethod = input.zip.readUInt16LE(offset + 10);
+    const compressedSize = input.zip.readUInt32LE(offset + 20);
+    const uncompressedSize = input.zip.readUInt32LE(offset + 24);
+    const fileNameLength = input.zip.readUInt16LE(offset + 28);
+    const extraLength = input.zip.readUInt16LE(offset + 30);
+    const commentLength = input.zip.readUInt16LE(offset + 32);
+    const localHeaderOffset = input.zip.readUInt32LE(offset + 42);
+    const entryEnd = offset + 46 + fileNameLength + extraLength + commentLength;
+    if (entryEnd > centralDirectoryEnd || entryEnd > input.zip.length) {
+      throw new Error("ZIP central directory entry metadata is truncated.");
+    }
+    if ((flags & 1) !== 0) {
+      throw new Error("Encrypted ZIP entries are not supported.");
+    }
+    if (compressedSize === ZIP64_SENTINEL || uncompressedSize === ZIP64_SENTINEL || localHeaderOffset === ZIP64_SENTINEL) {
+      throw new Error("ZIP64 package cache entries are not supported.");
+    }
+    const rawPath = input.zip.subarray(offset + 46, offset + 46 + fileNameLength).toString("utf8");
+    const normalizedPath = normalizeZipPath(rawPath);
+    if (normalizedPath && !normalizedPath.endsWith("/")) {
+      entries.push({
+        path: normalizedPath,
+        compressionMethod,
+        compressedSize,
+        uncompressedSize,
+        localHeaderOffset
+      });
+    }
+    offset = entryEnd;
+  }
+  return entries.sort((left, right) => left.path.localeCompare(right.path));
+}
+function findEndOfCentralDirectory(zip) {
+  if (zip.length < ZIP_EOCD_MIN_BYTES) {
+    return;
+  }
+  const minOffset = Math.max(0, zip.length - ZIP_EOCD_MIN_BYTES - ZIP_MAX_COMMENT_BYTES);
+  for (let offset = zip.length - ZIP_EOCD_MIN_BYTES;offset >= minOffset; offset -= 1) {
+    if (zip.readUInt32LE(offset) !== ZIP_EOCD_SIGNATURE) {
+      continue;
+    }
+    const commentLength = zip.readUInt16LE(offset + 20);
+    if (offset + ZIP_EOCD_MIN_BYTES + commentLength === zip.length) {
+      return offset;
+    }
+  }
+  return;
+}
+function packageJsonEntries(entries) {
+  return entries.filter((entry) => entry.path === "package.json" || entry.path.endsWith("/package.json"));
+}
+function readPackageJsonEntry(input) {
+  if (input.entry.uncompressedSize > input.maxBytes) {
+    return err(createError({
+      code: "PACKAGE_EVIDENCE_READ_FAILED",
+      category: "unsupported_input",
+      message: "Package zip cache package.json exceeded the maximum supported size.",
+      details: {
+        packageId: input.packageId,
+        packageJsonPath: input.entry.path,
+        maxBytes: input.maxBytes,
+        observedBytes: input.entry.uncompressedSize
+      }
+    }));
+  }
+  const packageJsonData = readZipEntryData({
+    zip: input.zip,
+    entry: input.entry,
+    maxBytes: input.maxBytes
+  });
+  try {
+    const packageJson = JSON.parse(packageJsonData.toString("utf8"));
+    if (!isObjectRecord3(packageJson)) {
+      throw new Error("Expected package.json to contain an object.");
+    }
+    return ok({
+      packageJson,
+      packageRoot: packageRootForPackageJsonPath(input.entry.path)
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "PACKAGE_JSON_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse package.json from package zip cache.",
+      details: {
+        packageId: input.packageId,
+        packageJsonPath: input.entry.path,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function collectZipEvidenceFiles(input) {
+  const files = [];
+  for (const entry of input.entries) {
+    const normalizedPath = normalizePackagePath2(entry.path, input.packageRoot);
+    if (!isRootPackageFile2(normalizedPath)) {
+      continue;
+    }
+    const kind = classifyEvidenceFile(normalizedPath);
+    if (!kind) {
+      continue;
+    }
+    if (entry.uncompressedSize > input.maxBytes) {
+      continue;
+    }
+    files.push({
+      path: normalizedPath,
+      kind,
+      text: readZipEntryData({
+        zip: input.zip,
+        entry,
+        maxBytes: input.maxBytes
+      }).toString("utf8")
+    });
+  }
+  return ok(files.sort((left, right) => left.path.localeCompare(right.path)));
+}
+function readZipEntryData(input) {
+  if (input.entry.uncompressedSize > input.maxBytes) {
+    throw new Error(`ZIP entry ${input.entry.path} exceeded the maximum supported size.`);
+  }
+  if (input.entry.localHeaderOffset + 30 > input.zip.length) {
+    throw new Error(`ZIP local file header for ${input.entry.path} is truncated.`);
+  }
+  const localSignature = input.zip.readUInt32LE(input.entry.localHeaderOffset);
+  if (localSignature !== ZIP_LOCAL_FILE_SIGNATURE) {
+    throw new Error(`ZIP local file header for ${input.entry.path} has an invalid signature.`);
+  }
+  const fileNameLength = input.zip.readUInt16LE(input.entry.localHeaderOffset + 26);
+  const extraLength = input.zip.readUInt16LE(input.entry.localHeaderOffset + 28);
+  const dataStart = input.entry.localHeaderOffset + 30 + fileNameLength + extraLength;
+  const dataEnd = dataStart + input.entry.compressedSize;
+  if (dataEnd > input.zip.length || dataEnd < dataStart) {
+    throw new Error(`ZIP entry ${input.entry.path} extends beyond archive data.`);
+  }
+  const compressedData = input.zip.subarray(dataStart, dataEnd);
+  if (input.entry.compressionMethod === 0) {
+    if (compressedData.length !== input.entry.uncompressedSize) {
+      throw new Error(`Stored ZIP entry ${input.entry.path} size did not match metadata.`);
+    }
+    return compressedData;
+  }
+  if (input.entry.compressionMethod === 8) {
+    const inflated = inflateRawSync(compressedData, {
+      maxOutputLength: input.entry.uncompressedSize
+    });
+    if (inflated.length !== input.entry.uncompressedSize) {
+      throw new Error(`Deflated ZIP entry ${input.entry.path} size did not match metadata.`);
+    }
+    return inflated;
+  }
+  throw new Error(`ZIP entry ${input.entry.path} uses unsupported compression method ${input.entry.compressionMethod}.`);
+}
+function packageRootForPackageJsonPath(packageJsonPath) {
+  return packageJsonPath === "package.json" ? "" : packageJsonPath.slice(0, -"/package.json".length);
+}
+function normalizePackagePath2(filePath, packageRoot) {
+  if (packageRoot === "") {
+    return filePath;
+  }
+  return filePath.startsWith(`${packageRoot}/`) ? filePath.slice(packageRoot.length + 1) : "";
+}
+function isRootPackageFile2(normalizedPath) {
+  return normalizedPath.length > 0 && !normalizedPath.includes("/");
+}
+function normalizeZipPath(filePath) {
+  if (filePath === "" || filePath.includes("\x00") || filePath.includes("\\") || filePath.startsWith("/") || /^[A-Za-z]:/.test(filePath)) {
+    return;
+  }
+  const segments = filePath.split("/");
+  if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
+    return;
+  }
+  return segments.join("/");
+}
+function readLicenseFields3(packageJson) {
+  const license = packageJson.license;
+  const licenses = packageJson.licenses;
+  const legacyLicenseObject = isObjectRecord3(license) ? license : undefined;
+  return {
+    ...typeof license === "string" ? { packageJsonLicense: license } : {},
+    ...legacyLicenseObject !== undefined ? { packageJsonLicenses: legacyLicenseObject } : {},
+    ...licenses !== undefined ? { packageJsonLicenses: licenses } : {}
+  };
+}
+function isObjectRecord3(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 // src/evidence/collect.ts
 var ARTIFACT_FETCH_TIMEOUT_MS = 30000;
 var REGISTRY_METADATA_MAX_BYTES = 10 * 1024 * 1024;
@@ -15745,6 +16035,17 @@ async function collectNodeEvidence(input) {
       packageDir: nodeModulesPath
     });
   }
+  const yarnCacheEvidence = collectYarnCachePackageEvidence({
+    node: input.node,
+    projectRoot: input.projectRoot,
+    zipMaxBytes: input.tarballMaxBytes
+  });
+  if (!yarnCacheEvidence.ok) {
+    return err(yarnCacheEvidence.error);
+  }
+  if (yarnCacheEvidence.value) {
+    return ok(yarnCacheEvidence.value);
+  }
   if (!input.node.resolved) {
     return collectRegistryTarballEvidence({
       node: input.node,
@@ -16183,6 +16484,81 @@ function installedPackageMatchesNode(input) {
     return false;
   }
 }
+function collectYarnCachePackageEvidence(input) {
+  const cacheDir = path2.join(input.projectRoot, ".yarn", "cache");
+  if (!existsSync2(cacheDir) || !isReadableDirectory(cacheDir)) {
+    return ok(undefined);
+  }
+  const filenamePrefix = yarnCacheFilenamePrefix(input.node);
+  if (!filenamePrefix) {
+    return ok(undefined);
+  }
+  let entries;
+  try {
+    entries = readdirSync2(cacheDir, { withFileTypes: true }).filter((entry) => entry.isFile() && entry.name.startsWith(filenamePrefix) && entry.name.endsWith(".zip")).sort((left, right) => left.name.localeCompare(right.name));
+  } catch (cause) {
+    return err(createError({
+      code: "PACKAGE_EVIDENCE_READ_FAILED",
+      category: "filesystem",
+      message: "Failed to read Yarn package cache directory.",
+      details: {
+        packageId: input.node.id,
+        cacheDir,
+        cause: safeUrlForErrorDetails(cause instanceof Error ? cause.message : String(cause))
+      }
+    }));
+  }
+  for (const entry of entries) {
+    const cachePath = path2.join(cacheDir, entry.name);
+    const stats = readLocalArtifactStats({
+      filePath: cachePath,
+      packageId: input.node.id,
+      resolved: undefined
+    });
+    if (!stats.ok) {
+      return err(stats.error);
+    }
+    if (stats.value.size > input.zipMaxBytes) {
+      return err(localArtifactTooLargeError({
+        packageId: input.node.id,
+        resolved: undefined,
+        artifactPath: cachePath,
+        maxBytes: input.zipMaxBytes,
+        observedBytes: stats.value.size
+      }));
+    }
+    const zip = readLocalArtifactFileWithLimit({
+      filePath: cachePath,
+      packageId: input.node.id,
+      resolved: undefined,
+      maxBytes: input.zipMaxBytes
+    });
+    if (!zip.ok) {
+      return err(zip.error);
+    }
+    const evidence = collectZipPackageEvidence({
+      packageId: input.node.id,
+      packageName: input.node.name,
+      packageVersion: input.node.version,
+      zip: zip.value
+    });
+    if (!evidence.ok) {
+      return err(evidence.error);
+    }
+    if (evidence.value) {
+      return ok(evidence.value);
+    }
+  }
+  return ok(undefined);
+}
+function yarnCacheFilenamePrefix(node) {
+  const slug = yarnCachePackageSlug(node.name);
+  return slug ? `${slug}-npm-${node.version}-` : undefined;
+}
+function yarnCachePackageSlug(packageName) {
+  const segments = nodeModulesPackageSegments(packageName);
+  return segments ? segments.join("-") : undefined;
+}
 async function collectRemoteTarballEvidence(input) {
   const urlError = input.urlError ?? {
     code: "TARBALL_FETCH_FAILED",
@@ -17219,7 +17595,7 @@ function readFailedError(input) {
   });
 }
 function readProcessErrorText(cause) {
-  if (isObjectRecord3(cause)) {
+  if (isObjectRecord4(cause)) {
     const stderr = cause.stderr;
     if (typeof stderr === "string" && stderr.trim() !== "") {
       return stderr.trim();
@@ -17248,7 +17624,7 @@ function toGitObjectPath(input) {
 function isOutsideRelativePath(relativePath) {
   return relativePath === ".." || relativePath.startsWith(`..${path3.sep}`) || path3.isAbsolute(relativePath);
 }
-function isObjectRecord3(value) {
+function isObjectRecord4(value) {
   return typeof value === "object" && value !== null;
 }
@@ -17394,7 +17770,7 @@ function parseDenoLockText(input, lockfilePath = "deno.lock") {
 function parseLockfileJson(input, lockfilePath) {
   try {
     const parsed = JSON.parse(input);
-    if (!isObjectRecord4(parsed)) {
+    if (!isObjectRecord5(parsed)) {
       return denoParseFailed(lockfilePath, "deno.lock root must be a JSON object.");
     }
     return ok(parsed);
@@ -17422,18 +17798,18 @@ function denoParseFailed(lockfilePath, cause) {
   }));
 }
 function readNpmPackageMap(lockfile) {
-  if (isObjectRecord4(lockfile.npm)) {
+  if (isObjectRecord5(lockfile.npm)) {
     return lockfile.npm;
   }
-  const packages = isObjectRecord4(lockfile.packages) ? lockfile.packages : undefined;
-  return isObjectRecord4(packages?.npm) ? packages.npm : {};
+  const packages = isObjectRecord5(lockfile.packages) ? lockfile.packages : undefined;
+  return isObjectRecord5(packages?.npm) ? packages.npm : {};
 }
 function readSpecifierMap(lockfile) {
-  if (isObjectRecord4(lockfile.specifiers)) {
+  if (isObjectRecord5(lockfile.specifiers)) {
     return readStringMap(lockfile.specifiers);
   }
-  const packages = isObjectRecord4(lockfile.packages) ? lockfile.packages : undefined;
-  return isObjectRecord4(packages?.specifiers) ? readStringMap(packages.specifiers) : {};
+  const packages = isObjectRecord5(lockfile.packages) ? lockfile.packages : undefined;
+  return isObjectRecord5(packages?.specifiers) ? readStringMap(packages.specifiers) : {};
 }
 function collectRootDependencies(lockfile, specifiers) {
   const workspaceDependencies = readWorkspaceDependencies(lockfile).filter((specifier) => specifier.startsWith("npm:"));
@@ -17453,7 +17829,7 @@ function collectRootDependencies(lockfile, specifiers) {
   return edges;
 }
 function readWorkspaceDependencies(lockfile) {
-  const workspace = isObjectRecord4(lockfile.workspace) ? lockfile.workspace : isObjectRecord4(lockfile.packages) && isObjectRecord4(lockfile.packages.workspace) ? lockfile.packages.workspace : undefined;
+  const workspace = isObjectRecord5(lockfile.workspace) ? lockfile.workspace : isObjectRecord5(lockfile.packages) && isObjectRecord5(lockfile.packages.workspace) ? lockfile.packages.workspace : undefined;
   if (!workspace || !Array.isArray(workspace.dependencies)) {
     return [];
   }
@@ -17463,7 +17839,7 @@ function parseNpmRecords(packages) {
   const records = [];
   for (const [key, rawPackage] of Object.entries(packages)) {
     const packageKey = parseDenoNpmPackageKey(key);
-    if (!packageKey || !isObjectRecord4(rawPackage)) {
+    if (!packageKey || !isObjectRecord5(rawPackage)) {
       continue;
     }
     const pkg = rawPackage;
@@ -17510,7 +17886,7 @@ function readDependencyEdges(value, type) {
       return parsed ? [{ name: parsed.name, range: parsed.version, type }] : [];
     });
   }
-  if (!isObjectRecord4(value)) {
+  if (!isObjectRecord5(value)) {
     return [];
   }
   const edges = [];
@@ -17763,7 +18139,7 @@ function rootNameForLockfile(lockfilePath) {
 function isGitRefSyntheticPath(lockfilePath) {
   return lockfilePath.includes(":") && !/^[A-Za-z]:[\\/]/.test(lockfilePath);
 }
-function isObjectRecord4(value) {
+function isObjectRecord5(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -17886,7 +18262,7 @@ function readPackageTupleFields(input) {
     const resolved2 = registryOrMetadata !== "" ? registryOrMetadata : undefined;
     const parsedIntegrity2 = typeof integrity === "string" && integrity !== "" ? integrity : undefined;
     return {
-      metadata: isObjectRecord5(metadataOrIntegrity) ? metadataOrIntegrity : {},
+      metadata: isObjectRecord6(metadataOrIntegrity) ? metadataOrIntegrity : {},
       ...resolved2 ? { resolved: resolved2 } : {},
       ...parsedIntegrity2 ? { integrity: parsedIntegrity2 } : {}
     };
@@ -17894,7 +18270,7 @@ function readPackageTupleFields(input) {
   const resolved = isLocalArtifactReference(input.identity.version) ? input.identity.version : undefined;
   const parsedIntegrity = typeof metadataOrIntegrity === "string" && metadataOrIntegrity !== "" ? metadataOrIntegrity : undefined;
   return {
-    metadata: isObjectRecord5(registryOrMetadata) ? registryOrMetadata : {},
+    metadata: isObjectRecord6(registryOrMetadata) ? registryOrMetadata : {},
     ...resolved ? { resolved } : {},
     ...parsedIntegrity ? { integrity: parsedIntegrity } : {}
   };
@@ -17923,10 +18299,10 @@ function readWorkspaceEntries(workspaces) {
   if (!workspaces) {
     return [];
   }
-  const rootWorkspace = isObjectRecord5(workspaces[""]) ? workspaces[""] : undefined;
+  const rootWorkspace = isObjectRecord6(workspaces[""]) ? workspaces[""] : undefined;
   const rootName = readWorkspaceName(rootWorkspace);
   return Object.entries(workspaces).flatMap(([key, workspace]) => {
-    if (!isObjectRecord5(workspace)) {
+    if (!isObjectRecord6(workspace)) {
       return [];
     }
     return [{
@@ -17982,7 +18358,7 @@ function dependencyEntries(value, type) {
   }));
 }
 function readDependencyMap(value) {
-  if (!isObjectRecord5(value)) {
+  if (!isObjectRecord6(value)) {
     return {};
   }
   const dependencies = {};
@@ -18080,7 +18456,7 @@ function dependencyTypeRank2(type) {
       return 0;
   }
 }
-function isObjectRecord5(value) {
+function isObjectRecord6(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -18111,14 +18487,14 @@ function parsePackageLockText(input, lockfilePath = "package-lock.json") {
     return parsed;
   }
   const lockfile = parsed.value;
-  if (!isObjectRecord6(lockfile.packages) && isObjectRecord6(lockfile.dependencies)) {
+  if (!isObjectRecord7(lockfile.packages) && isObjectRecord7(lockfile.dependencies)) {
     return parsePackageLockV1({
       lockfile,
       lockfilePath,
       dependencies: lockfile.dependencies
     });
   }
-  if (!isObjectRecord6(lockfile.packages)) {
+  if (!isObjectRecord7(lockfile.packages)) {
     return err(createError({
       code: "PACKAGE_LOCK_PARSE_FAILED",
       category: "unsupported_input",
@@ -18468,13 +18844,13 @@ function dependencyTypeRank3(type) {
   }
 }
 function readPackage(value) {
-  return isObjectRecord6(value) ? value : undefined;
+  return isObjectRecord7(value) ? value : undefined;
 }
 function readV1Dependency(value) {
-  return isObjectRecord6(value) ? value : undefined;
+  return isObjectRecord7(value) ? value : undefined;
 }
 function readV1DependencyMap(value) {
-  if (!isObjectRecord6(value)) {
+  if (!isObjectRecord7(value)) {
     return {};
   }
   const dependencies = {};
@@ -18496,7 +18872,7 @@ function dependencyTypeForV1Dependency(dependency) {
   return "production";
 }
 function readDependencyMap2(value) {
-  if (!isObjectRecord6(value)) {
+  if (!isObjectRecord7(value)) {
     return {};
   }
   const dependencies = {};
@@ -18507,10 +18883,14 @@ function readDependencyMap2(value) {
   }
   return dependencies;
 }
-function isObjectRecord6(value) {
+function isObjectRecord7(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
+// src/graph/npm-pnpm-lock.ts
+import { existsSync as existsSync3 } from "node:fs";
+import path6 from "node:path";
 // node_modules/.bun/yaml@2.9.0/node_modules/yaml/dist/index.js
 var composer = require_composer();
 var Document = require_Document();
@@ -18574,13 +18954,30 @@ function parsePnpmLockfile(lockfilePath, options = {}) {
       }
     }));
   }
-  return parsePnpmLockText(lockfileText.value, lockfilePath);
+  const workspaceCatalogs = readPnpmWorkspaceCatalogs({
+    lockfilePath,
+    maxBytes: options.workspaceMaxBytes ?? LOCKFILE_MAX_BYTES
+  });
+  if (!workspaceCatalogs.ok) {
+    return workspaceCatalogs;
+  }
+  return parsePnpmLockText(lockfileText.value, lockfilePath, {
+    catalogs: workspaceCatalogs.value
+  });
 }
-function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml") {
+function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml", options = {}) {
   const parsed = parseLockfileYaml(input, lockfilePath);
   if (!parsed.ok) {
     return parsed;
   }
+  const catalogs = resolvePnpmCatalogs({
+    workspaceText: options.workspaceText,
+    workspacePath: options.workspacePath,
+    catalogs: options.catalogs
+  });
+  if (!catalogs.ok) {
+    return catalogs;
+  }
   const lockfile = parsed.value;
   const importers = readRecord(lockfile.importers);
   if (!importers) {
@@ -18594,14 +18991,18 @@ function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml") {
       }
     }));
   }
-  const importerEntries = readImporterEntries(importers);
+  const importerEntries = readImporterEntries(importers, catalogs.value);
   const packages = readRecord(lockfile.packages) ?? {};
   const snapshots = readRecord(lockfile.snapshots) ?? {};
-  const records = parsePackageRecords3({ packages, snapshots });
+  const records = parsePackageRecords3({
+    packages,
+    snapshots,
+    catalogs: catalogs.value
+  });
   const packageIndex = indexPackagesByName2(records);
   const nodeMap = new Map;
   for (const importerEntry of importerEntries) {
-    for (const rootDependency of collectRootDependencies4(importerEntry.importer)) {
+    for (const rootDependency of collectRootDependencies4(importerEntry.importer, catalogs.value)) {
       const record = resolvePackageRecord3({
         packageIndex,
         name: rootDependency.name,
@@ -18630,7 +19031,7 @@ function parsePnpmLockText(input, lockfilePath = "pnpm-lock.yaml") {
 function parseLockfileYaml(input, lockfilePath) {
   try {
     const parsed = $parse(input);
-    if (!isObjectRecord7(parsed)) {
+    if (!isObjectRecord8(parsed)) {
       throw new Error("Expected a YAML mapping at the document root.");
     }
     return ok(parsed);
@@ -18646,14 +19047,100 @@ function parseLockfileYaml(input, lockfilePath) {
     }));
   }
 }
-function readImporterEntries(importers) {
+function readPnpmWorkspaceCatalogs(input) {
+  const workspacePath = path6.join(path6.dirname(input.lockfilePath), "pnpm-workspace.yaml");
+  if (!existsSync3(workspacePath)) {
+    return ok(emptyPnpmCatalogs());
+  }
+  const workspaceText = readInputTextFile({
+    filePath: workspacePath,
+    maxBytes: input.maxBytes
+  });
+  if (!workspaceText.ok) {
+    return err(createError({
+      code: "PNPM_WORKSPACE_READ_FAILED",
+      category: inputFileReadErrorCategory(workspaceText.error),
+      message: workspaceText.error.kind === "too_large" ? "pnpm-workspace.yaml exceeded the maximum supported size." : "Failed to read pnpm-workspace.yaml.",
+      details: {
+        workspacePath,
+        ...inputFileReadErrorDetails(workspaceText.error)
+      }
+    }));
+  }
+  return parsePnpmWorkspaceCatalogsText(workspaceText.value, workspacePath);
+}
+function resolvePnpmCatalogs(input) {
+  if (input.catalogs) {
+    return ok(input.catalogs);
+  }
+  if (input.workspaceText !== undefined) {
+    return parsePnpmWorkspaceCatalogsText(input.workspaceText, input.workspacePath ?? "pnpm-workspace.yaml");
+  }
+  return ok(emptyPnpmCatalogs());
+}
+function parsePnpmWorkspaceCatalogsText(input, workspacePath) {
+  try {
+    const parsed = $parse(input);
+    if (parsed === null || parsed === undefined) {
+      return ok(emptyPnpmCatalogs());
+    }
+    if (!isObjectRecord8(parsed)) {
+      throw new Error("Expected a YAML mapping at the document root.");
+    }
+    const workspace = parsed;
+    const namedCatalogs = new Map;
+    const catalogs = readRecord(workspace.catalogs);
+    if (catalogs) {
+      for (const [name, value] of Object.entries(catalogs)) {
+        const catalog = readCatalogMap(value);
+        if (catalog) {
+          namedCatalogs.set(name, catalog);
+        }
+      }
+    }
+    return ok({
+      defaultCatalog: readCatalogMap(workspace.catalog) ?? {},
+      namedCatalogs
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "PNPM_WORKSPACE_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse pnpm-workspace.yaml catalog definitions.",
+      details: {
+        workspacePath,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function emptyPnpmCatalogs() {
+  return {
+    defaultCatalog: {},
+    namedCatalogs: new Map
+  };
+}
+function readCatalogMap(value) {
+  const record = readRecord(value);
+  if (!record) {
+    return;
+  }
+  const catalog = {};
+  for (const [name, range] of Object.entries(record)) {
+    if (typeof range === "string" && range !== "") {
+      catalog[name] = range;
+    }
+  }
+  return catalog;
+}
+function readImporterEntries(importers, catalogs) {
   return Object.entries(importers).flatMap(([key, value]) => {
     const importer = readRecord(value);
     if (!importer) {
       return [];
     }
     return [{
-      importer,
+      importer: resolveImporterCatalogReferences(importer, catalogs),
       pathSegment: importerPathSegment(key)
     }];
   });
@@ -18681,7 +19168,7 @@ function parsePackageRecords3(input) {
       id: `${identity2.name}@${identity2.version}`,
       ...resolved ? { resolved } : {},
       ...integrity ? { integrity } : {},
-      dependencies: collectDependencyEdges3(packageEntry, snapshotEntry)
+      dependencies: collectDependencyEdges3(input.catalogs, packageEntry, snapshotEntry)
     });
   }
   return records;
@@ -18725,24 +19212,92 @@ function readResolvedArtifact(resolution) {
   }
   return;
 }
-function collectRootDependencies4(importer) {
+function resolveImporterCatalogReferences(importer, catalogs) {
+  return {
+    ...importer,
+    dependencies: resolveDependencyCatalogReferences(importer.dependencies, catalogs),
+    devDependencies: resolveDependencyCatalogReferences(importer.devDependencies, catalogs),
+    optionalDependencies: resolveDependencyCatalogReferences(importer.optionalDependencies, catalogs),
+    peerDependencies: resolveDependencyCatalogReferences(importer.peerDependencies, catalogs)
+  };
+}
+function resolveDependencyCatalogReferences(value, catalogs) {
+  const dependencies = readRecord(value);
+  if (!dependencies) {
+    return value;
+  }
+  const resolved = {};
+  for (const [name, rawDependency] of Object.entries(dependencies)) {
+    if (typeof rawDependency === "string") {
+      resolved[name] = resolveCatalogRange({
+        name,
+        range: rawDependency,
+        catalogs
+      });
+      continue;
+    }
+    const dependency = readRecord(rawDependency);
+    if (!dependency) {
+      resolved[name] = rawDependency;
+      continue;
+    }
+    const version = typeof dependency.version === "string" ? resolveCatalogRange({
+      name,
+      range: dependency.version,
+      catalogs
+    }) : dependency.version;
+    const specifier = typeof dependency.specifier === "string" ? resolveCatalogRange({
+      name,
+      range: dependency.specifier,
+      catalogs
+    }) : dependency.specifier;
+    resolved[name] = {
+      ...dependency,
+      ...version !== undefined ? { version } : {},
+      ...specifier !== undefined ? { specifier } : {}
+    };
+  }
+  return resolved;
+}
+function resolveCatalogRange(input) {
+  const catalogName = parseCatalogReference(input.range);
+  if (catalogName === undefined) {
+    return input.range;
+  }
+  const catalog = catalogName === "" ? input.catalogs.defaultCatalog : input.catalogs.namedCatalogs.get(catalogName);
+  return catalog?.[input.name] ?? input.range;
+}
+function parseCatalogReference(value) {
+  if (value === "catalog:") {
+    return "";
+  }
+  if (!value.startsWith("catalog:")) {
+    return;
+  }
+  return value.slice("catalog:".length);
+}
+function collectRootDependencies4(importer, catalogs) {
   if (!importer) {
     return [];
   }
-  return collectDependencyEdges3(importer);
+  return collectDependencyEdges3(catalogs, importer);
 }
-function collectDependencyEdges3(...sources) {
+function collectDependencyEdges3(catalogs, ...sources) {
   return sources.flatMap((source) => [
-    ...dependencyEntries3(source.dependencies, "production"),
-    ...dependencyEntries3(source.devDependencies, "development"),
-    ...dependencyEntries3(source.optionalDependencies, "optional"),
-    ...dependencyEntries3(source.peerDependencies, "peer")
+    ...dependencyEntries3(source.dependencies, "production", catalogs),
+    ...dependencyEntries3(source.devDependencies, "development", catalogs),
+    ...dependencyEntries3(source.optionalDependencies, "optional", catalogs),
+    ...dependencyEntries3(source.peerDependencies, "peer", catalogs)
   ]);
 }
-function dependencyEntries3(value, type) {
+function dependencyEntries3(value, type, catalogs) {
   return Object.entries(readImporterDependencyMap(value)).map(([name, range]) => ({
     name,
-    range,
+    range: resolveCatalogRange({
+      name,
+      range,
+      catalogs
+    }),
     type
   }));
 }
@@ -18873,18 +19428,18 @@ function dependencyTypeRank4(type) {
   }
 }
 function readRecord(value) {
-  return isObjectRecord7(value) ? value : undefined;
+  return isObjectRecord8(value) ? value : undefined;
 }
-function isObjectRecord7(value) {
+function isObjectRecord8(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 // src/graph/npm-yarn-lock.ts
 var yarnLockfileModule = __toESM(require_lockfile(), 1);
-import { existsSync as existsSync3, readdirSync as readdirSync2, statSync as statSync4 } from "node:fs";
-import path6 from "node:path";
+import { existsSync as existsSync4, readdirSync as readdirSync3, statSync as statSync4 } from "node:fs";
+import path7 from "node:path";
 var yarnLockfile = yarnLockfileModule;
-function parseYarnLockfile(lockfilePath, packageJsonPath = path6.join(path6.dirname(lockfilePath), "package.json"), options = {}) {
+function parseYarnLockfile(lockfilePath, packageJsonPath = path7.join(path7.dirname(lockfilePath), "package.json"), options = {}) {
   const lockfileText = readInputTextFile({
     filePath: lockfilePath,
     maxBytes: options.lockfileMaxBytes ?? LOCKFILE_MAX_BYTES
@@ -18921,7 +19476,7 @@ function parseYarnLockfile(lockfilePath, packageJsonPath = path6.join(path6.dirn
     return parsedRootPackageJson;
   }
   const workspacePackageJsonTexts = readWorkspacePackageJsonTexts({
-    projectRoot: path6.dirname(packageJsonPath),
+    projectRoot: path7.dirname(packageJsonPath),
     rootPackageJson: parsedRootPackageJson.value,
     lockfilePath,
     packageJsonMaxBytes: options.packageJsonMaxBytes ?? PACKAGE_JSON_MAX_BYTES
@@ -18997,7 +19552,7 @@ function parseYarnLockText(input) {
 function parsePackageJson(input, packageJsonPath) {
   try {
     const parsed = JSON.parse(input);
-    if (!isObjectRecord8(parsed)) {
+    if (!isObjectRecord9(parsed)) {
       throw new Error("Expected package.json to contain an object.");
     }
     return ok(parsed);
@@ -19063,9 +19618,9 @@ function readWorkspacePackageJsonTexts(input) {
 function findYarnWorkspacePackageJsonPaths(input) {
   const locations = [];
   const seen = new Set;
-  const projectRoot = path6.resolve(input.projectRoot);
+  const projectRoot = path7.resolve(input.projectRoot);
   const patterns = readWorkspacePatterns(input.workspaces);
-  const excludedWorkspacePaths = new Set(patterns.filter((pattern) => pattern.startsWith("!")).flatMap((pattern) => expandWorkspacePattern(projectRoot, pattern.slice(1))).filter((workspacePath) => isInsideDirectory(projectRoot, workspacePath)).map((workspacePath) => path6.resolve(workspacePath)));
+  const excludedWorkspacePaths = new Set(patterns.filter((pattern) => pattern.startsWith("!")).flatMap((pattern) => expandWorkspacePattern(projectRoot, pattern.slice(1))).filter((workspacePath) => isInsideDirectory(projectRoot, workspacePath)).map((workspacePath) => path7.resolve(workspacePath)));
   for (const pattern of patterns) {
     if (pattern.startsWith("!")) {
       continue;
@@ -19074,15 +19629,15 @@ function findYarnWorkspacePackageJsonPaths(input) {
       if (!isInsideDirectory(projectRoot, workspacePath)) {
         continue;
       }
-      const packageJsonPath = path6.join(workspacePath, "package.json");
-      const relativePackageJsonPath = path6.relative(projectRoot, packageJsonPath).replace(/\\/g, "/");
-      if (seen.has(relativePackageJsonPath) || excludedWorkspacePaths.has(path6.resolve(workspacePath)) || !existsSync3(packageJsonPath)) {
+      const packageJsonPath = path7.join(workspacePath, "package.json");
+      const relativePackageJsonPath = path7.relative(projectRoot, packageJsonPath).replace(/\\/g, "/");
+      if (seen.has(relativePackageJsonPath) || excludedWorkspacePaths.has(path7.resolve(workspacePath)) || !existsSync4(packageJsonPath)) {
         continue;
       }
       locations.push({
         packageJsonPath,
         relativePackageJsonPath,
-        workspacePath: path6.relative(projectRoot, workspacePath).replace(/\\/g, "/")
+        workspacePath: path7.relative(projectRoot, workspacePath).replace(/\\/g, "/")
       });
       seen.add(relativePackageJsonPath);
     }
@@ -19093,7 +19648,7 @@ function readWorkspacePatterns(value) {
   if (Array.isArray(value)) {
     return value.filter((item) => typeof item === "string");
   }
-  if (isObjectRecord8(value) && Array.isArray(value.packages)) {
+  if (isObjectRecord9(value) && Array.isArray(value.packages)) {
     return value.packages.filter((item) => typeof item === "string");
   }
   return [];
@@ -19122,17 +19677,17 @@ function expandWorkspaceSegments(currentPath, segments) {
   }
   if (segment.includes("*")) {
     const matcher = wildcardSegmentMatcher(segment);
-    return listChildDirectories(currentPath).filter((childPath) => matcher.test(path6.basename(childPath))).flatMap((childPath) => expandWorkspaceSegments(childPath, rest));
+    return listChildDirectories(currentPath).filter((childPath) => matcher.test(path7.basename(childPath))).flatMap((childPath) => expandWorkspaceSegments(childPath, rest));
   }
-  return expandWorkspaceSegments(path6.join(currentPath, segment), rest);
+  return expandWorkspaceSegments(path7.join(currentPath, segment), rest);
 }
 function isInsideDirectory(rootPath, candidatePath) {
-  const relativePath = path6.relative(rootPath, path6.resolve(candidatePath));
-  return relativePath === "" || relativePath !== ".." && !relativePath.startsWith(`..${path6.sep}`) && !path6.isAbsolute(relativePath);
+  const relativePath = path7.relative(rootPath, path7.resolve(candidatePath));
+  return relativePath === "" || relativePath !== ".." && !relativePath.startsWith(`..${path7.sep}`) && !path7.isAbsolute(relativePath);
 }
 function listChildDirectories(parentPath) {
   try {
-    return readdirSync2(parentPath, { withFileTypes: true }).filter((entry) => entry.isDirectory() && entry.name !== "node_modules").map((entry) => path6.join(parentPath, entry.name));
+    return readdirSync3(parentPath, { withFileTypes: true }).filter((entry) => entry.isDirectory() && entry.name !== "node_modules").map((entry) => path7.join(parentPath, entry.name));
   } catch {
     return [];
   }
@@ -19199,12 +19754,12 @@ function isYarnBerryLockfile(input) {
 function parseBerryLockfile(input, lockfilePath) {
   try {
     const parsed = $parse(input);
-    if (!isObjectRecord8(parsed)) {
+    if (!isObjectRecord9(parsed)) {
       throw new Error("Expected a YAML mapping at the document root.");
     }
     const entries = {};
     for (const [key, value] of Object.entries(parsed)) {
-      if (key === "__metadata" || !isObjectRecord8(value)) {
+      if (key === "__metadata" || !isObjectRecord9(value)) {
         continue;
       }
       entries[key] = value;
@@ -19400,7 +19955,7 @@ function dependencyEntries4(value, type) {
   }));
 }
 function readDependencyMap3(value) {
-  if (!isObjectRecord8(value)) {
+  if (!isObjectRecord9(value)) {
     return {};
   }
   const dependencies = {};
@@ -19538,7 +20093,7 @@ function dependencyTypeRank5(type) {
       return 0;
   }
 }
-function isObjectRecord8(value) {
+function isObjectRecord9(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -20222,13 +20777,13 @@ function severityRank2(severity) {
 }
 // src/policy/waivers.ts
-import { existsSync as existsSync4 } from "node:fs";
-import path7 from "node:path";
+import { existsSync as existsSync5 } from "node:fs";
+import path8 from "node:path";
 var DEFAULT_WAIVER_FILE_NAME = ".ohrisk-waivers.json";
 var WAIVER_FILE_MAX_BYTES = 1024 * 1024;
 function readRiskWaivers(projectRoot, options) {
-  const waiverPath = path7.join(projectRoot, DEFAULT_WAIVER_FILE_NAME);
-  if (!existsSync4(waiverPath)) {
+  const waiverPath = path8.join(projectRoot, DEFAULT_WAIVER_FILE_NAME);
+  if (!existsSync5(waiverPath)) {
     return ok([]);
   }
   const text = readTextFileWithLimit({
@@ -20373,7 +20928,7 @@ function isRecord2(value) {
 }
 // src/report/cyclonedx-report.ts
-import path8 from "node:path";
+import path9 from "node:path";
 function renderCycloneDxReport(input) {
   const licensesByPackageId = new Map(input.normalizedLicenses.map((license) => [license.packageId, license]));
   const findingsByPackageId = new Map(input.riskFindings.map((finding) => [finding.packageId, finding]));
@@ -20426,11 +20981,11 @@ function renderCycloneDxReport(input) {
   }, null, 2);
 }
 function projectRelativePath(projectRoot, targetPath) {
-  const relativePath = path8.relative(projectRoot, targetPath);
-  if (relativePath && !relativePath.startsWith("..") && !path8.isAbsolute(relativePath)) {
+  const relativePath = path9.relative(projectRoot, targetPath);
+  if (relativePath && !relativePath.startsWith("..") && !path9.isAbsolute(relativePath)) {
     return relativePath.replace(/\\/g, "/");
   }
-  return path8.basename(targetPath);
+  return path9.basename(targetPath);
 }
 function renderComponent(input) {
   const licenses = input.license ? renderLicenses(input.license) : [];
@@ -20539,8 +21094,8 @@ function directChildRefsByNodeId(nodes) {
   const nodeById = new Map(nodes.map((node) => [node.id, node]));
   const childIdsByNodeId = new Map;
   for (const candidate of nodes) {
-    for (const path9 of candidate.paths) {
-      const packagePath = path9.map(packageIdFromPathSegment);
+    for (const path10 of candidate.paths) {
+      const packagePath = path10.map(packageIdFromPathSegment);
       for (let index = 0;index < packagePath.length - 1; index += 1) {
         const parentId = packagePath[index];
         const childId = packagePath[index + 1];
@@ -20796,7 +21351,7 @@ function formatNormalizedExpression(license) {
 }
 // src/report/sarif-report.ts
-import path9 from "node:path";
+import path10 from "node:path";
 var SARIF_SCHEMA_URL = "https://json.schemastore.org/sarif-2.1.0.json";
 var RULES = [
   ruleFor("high", "High license risk", "A dependency has license evidence that is high risk for the selected profile."),
@@ -20806,7 +21361,7 @@ var RULES = [
 ];
 var RULE_INDEX_BY_ID = new Map(RULES.map((rule, index) => [rule.id, index]));
 function renderSarifReport(input) {
-  const lockfileUri = path9.relative(input.project.rootDir, input.project.lockfile.path).replace(/\\/g, "/") || path9.basename(input.project.lockfile.path);
+  const lockfileUri = path10.relative(input.project.rootDir, input.project.lockfile.path).replace(/\\/g, "/") || path10.basename(input.project.lockfile.path);
   return JSON.stringify({
     $schema: SARIF_SCHEMA_URL,
     version: "2.1.0",
@@ -20985,7 +21540,7 @@ function securitySeverityFor(severity) {
 }
 // src/report/scan-report.ts
-import path10 from "node:path";
+import path11 from "node:path";
 function renderScanReport(input) {
   const summary = buildScanSummary(input);
   const nextAction = nextActionFor2(input.riskFindings);
@@ -21022,7 +21577,7 @@ function renderScanReport(input) {
   return [
     "Ohrisk scan",
     `Project: ${input.project.rootDir}`,
-    `Lockfile: ${path10.basename(input.project.lockfile.path)} (${input.project.lockfile.kind})`,
+    `Lockfile: ${path11.basename(input.project.lockfile.path)} (${input.project.lockfile.kind})`,
     `Profile: ${input.profile}`,
     `Production only: ${input.prodOnly ? "yes" : "no"}`,
     `Dependencies: ${summary.dependencyGraph.total} total, ${summary.dependencyGraph.direct} direct, ${summary.dependencyGraph.transitive} transitive`,
@@ -21056,7 +21611,7 @@ function renderMarkdownReport2(input, summary) {
     "# Ohrisk scan",
     "",
     `- Project: ${formatMarkdownInlineCode(markdownProjectLabel(input))}`,
-    `- Lockfile: ${formatMarkdownInlineCode(path10.basename(input.project.lockfile.path))} (${formatMarkdownInlineCode(input.project.lockfile.kind)})`,
+    `- Lockfile: ${formatMarkdownInlineCode(path11.basename(input.project.lockfile.path))} (${formatMarkdownInlineCode(input.project.lockfile.kind)})`,
     `- Profile: ${formatMarkdownInlineCode(input.profile)}`,
     `- Production only: ${formatMarkdownInlineCode(input.prodOnly ? "yes" : "no")}`,
     `- Dependencies: ${formatMarkdownInlineCode(`${summary.dependencyGraph.total} total`)}, ${formatMarkdownInlineCode(`${summary.dependencyGraph.direct} direct`)}, ${formatMarkdownInlineCode(`${summary.dependencyGraph.transitive} transitive`)}`,
@@ -21325,11 +21880,11 @@ function nextActionFor2(findings) {
 // src/report/write-output.ts
 import { mkdirSync, writeFileSync } from "node:fs";
-import path11 from "node:path";
+import path12 from "node:path";
 var writeReportFile = (input) => {
-  const resolvedPath = path11.resolve(input.cwd, input.outputPath);
+  const resolvedPath = path12.resolve(input.cwd, input.outputPath);
   try {
-    mkdirSync(path11.dirname(resolvedPath), { recursive: true });
+    mkdirSync(path12.dirname(resolvedPath), { recursive: true });
     writeFileSync(resolvedPath, `${input.contents}
 `, "utf8");
     return ok(resolvedPath);
@@ -21348,8 +21903,8 @@ var writeReportFile = (input) => {
 };
 // src/project/discover.ts
-import { existsSync as existsSync5, statSync as statSync5 } from "node:fs";
-import path12 from "node:path";
+import { existsSync as existsSync6, statSync as statSync5 } from "node:fs";
+import path13 from "node:path";
 var SUPPORTED_LOCKFILES = {
   "bun.lock": "bun",
   "package-lock.json": "package-lock",
@@ -21373,7 +21928,7 @@ var KNOWN_PROJECT_MANIFESTS = [
 ];
 var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn classic/Berry yarn.lock.";
 function discoverProject(options = {}) {
-  const startDir = path12.resolve(options.cwd ?? process.cwd());
+  const startDir = path13.resolve(options.cwd ?? process.cwd());
   try {
     if (options.lockfilePath) {
       return discoverExplicitLockfile({
@@ -21383,7 +21938,7 @@ function discoverProject(options = {}) {
     }
     for (const dir of ancestorsFrom(startDir)) {
       const lockfiles = findKnownLockfiles(dir);
-      const hasProjectManifest = KNOWN_PROJECT_MANIFESTS.some((manifest) => existsSync5(path12.join(dir, manifest)));
+      const hasProjectManifest = KNOWN_PROJECT_MANIFESTS.some((manifest) => existsSync6(path13.join(dir, manifest)));
       if (lockfiles.length === 0) {
         if (hasProjectManifest) {
           return err(createError({
@@ -21430,7 +21985,7 @@ function discoverProject(options = {}) {
         rootDir: dir,
         lockfile: {
           kind,
-          path: path12.join(dir, lockfileName)
+          path: path13.join(dir, lockfileName)
         }
       });
     }
@@ -21456,8 +22011,8 @@ function discoverProject(options = {}) {
   }));
 }
 function discoverExplicitLockfile(input) {
-  const lockfilePath = path12.resolve(input.cwd, input.lockfilePath);
-  const lockfileName = path12.basename(lockfilePath);
+  const lockfilePath = path13.resolve(input.cwd, input.lockfilePath);
+  const lockfileName = path13.basename(lockfilePath);
   const kind = SUPPORTED_LOCKFILES[lockfileName];
   if (!kind) {
     return err(createError({
@@ -21470,7 +22025,7 @@ function discoverExplicitLockfile(input) {
       }
     }));
   }
-  if (!existsSync5(lockfilePath)) {
+  if (!existsSync6(lockfilePath)) {
     return err(createError({
       code: "LOCKFILE_NOT_FOUND",
       category: "invalid_input",
@@ -21491,7 +22046,7 @@ function discoverExplicitLockfile(input) {
     }));
   }
   return ok({
-    rootDir: path12.dirname(lockfilePath),
+    rootDir: path13.dirname(lockfilePath),
     lockfile: {
       kind,
       path: lockfilePath
@@ -21499,7 +22054,7 @@ function discoverExplicitLockfile(input) {
   });
 }
 function findKnownLockfiles(dir) {
-  return KNOWN_LOCKFILES.filter((lockfile) => isFile(path12.join(dir, lockfile)));
+  return KNOWN_LOCKFILES.filter((lockfile) => isFile(path13.join(dir, lockfile)));
 }
 function isFile(pathname) {
   try {
@@ -21513,7 +22068,7 @@ function ancestorsFrom(startDir) {
   let current = startDir;
   while (true) {
     dirs.push(current);
-    const parent = path12.dirname(current);
+    const parent = path13.dirname(current);
     if (parent === current) {
       return dirs;
     }
@@ -21556,7 +22111,7 @@ async function runDiff(command, io) {
     io.stderr(formatError(currentProject.error));
     return exitCodeForError(currentProject.error);
   }
-  const relativeLockfilePath = path13.relative(currentProject.value.project.rootDir, currentProject.value.project.lockfile.path);
+  const relativeLockfilePath = path14.relative(currentProject.value.project.rootDir, currentProject.value.project.lockfile.path);
   const readRefFile = io.readRefFile ?? readGitRefFile;
   const baselineLockfile = readRefFile({
     projectRoot: currentProject.value.project.rootDir,
@@ -21586,13 +22141,25 @@ async function runDiff(command, io) {
     io.stderr(formatError(baselineWorkspacePackageJsons.error));
     return exitCodeForError(baselineWorkspacePackageJsons.error);
   }
+  const baselinePnpmWorkspace = currentProject.value.project.lockfile.kind === "pnpm-lock" ? readOptionalBaselineFile({
+    projectRoot: currentProject.value.project.rootDir,
+    baselineRef: command.baselineRef,
+    relativePath: "pnpm-workspace.yaml",
+    readRefFile
+  }) : ok(undefined);
+  if (isErr(baselinePnpmWorkspace)) {
+    io.stderr(formatError(baselinePnpmWorkspace.error));
+    return exitCodeForError(baselinePnpmWorkspace.error);
+  }
   const baselineGraph = parseLockfileTextForKind({
     kind: currentProject.value.project.lockfile.kind,
     text: baselineLockfile.value,
     lockfilePath: `${command.baselineRef}:${relativeLockfilePath}`,
     packageJsonText: baselinePackageJson?.value,
     packageJsonPath: `${command.baselineRef}:package.json`,
-    workspacePackageJsonTexts: baselineWorkspacePackageJsons.value
+    workspacePackageJsonTexts: baselineWorkspacePackageJsons.value,
+    pnpmWorkspaceText: baselinePnpmWorkspace.value,
+    pnpmWorkspacePath: `${command.baselineRef}:pnpm-workspace.yaml`
   });
   if (isErr(baselineGraph)) {
     io.stderr(formatError(baselineGraph.error));
@@ -21859,7 +22426,10 @@ function parseLockfileTextForKind(input) {
     case "npm-shrinkwrap":
       return parsePackageLockText(input.text, input.lockfilePath);
     case "pnpm-lock":
-      return parsePnpmLockText(input.text, input.lockfilePath);
+      return parsePnpmLockText(input.text, input.lockfilePath, {
+        workspaceText: input.pnpmWorkspaceText,
+        workspacePath: input.pnpmWorkspacePath
+      });
     case "deno-lock":
       return parseDenoLockText(input.text, input.lockfilePath);
     case "yarn-lock":
@@ -21901,6 +22471,20 @@ function readBaselineYarnWorkspacePackageJsons(input) {
   }
   return ok(packageJsons);
 }
+function readOptionalBaselineFile(input) {
+  const result = input.readRefFile({
+    projectRoot: input.projectRoot,
+    ref: input.baselineRef,
+    relativePath: input.relativePath
+  });
+  if (!isErr(result)) {
+    return ok(result.value);
+  }
+  if (result.error.code === "GIT_REF_FILE_NOT_FOUND") {
+    return ok(undefined);
+  }
+  return err(result.error);
+}
 function tryParseObject(input) {
   try {
     const parsed = JSON.parse(input);
@@ -22102,7 +22686,7 @@ function isCliEntrypoint(metaUrl, argvPath) {
   try {
     return realpathSync2(fileURLToPath2(metaUrl)) === realpathSync2(argvPath);
   } catch {
-    return path13.resolve(fileURLToPath2(metaUrl)) === path13.resolve(argvPath);
+    return path14.resolve(fileURLToPath2(metaUrl)) === path14.resolve(argvPath);
   }
 }
 function defaultIO() {