trm-core 8.0.2 → 8.1.1

package/changelog.txt

@@ -8,6 +8,14 @@ Legend
 + : added
 - : removed
 
+2025-11-04 v8.1.1
+-------------------
++ moved lock file generation to core
++ lock file can be used to determine dependency version
++ package visibility to test publish endpoint
++ release tags
+! getPackageHierarchy ignore multiple roots in setDevclass method
+
 2025-10-30 v8.0.2
 -------------------
 * fix no dependency detection comparison with latest release

package/dist/actions/install/index.d.ts

@@ -7,6 +7,7 @@ import { DEVCLASS, E071, NAMESPACE, TADIR, TDEVC, TDEVCT } from "../../client";
 import { PackageHierarchy } from "../../commons";
 import { AbstractRegistry } from "../../registry";
 import { Package } from "trm-registry-types";
+import { Lockfile } from "../../lockfile/Lockfile";
 export type InstallPackageReplacements = {
     originalDevclass: string;
     installDevclass: string;
@@ -25,6 +26,7 @@ export type InstallActionInputInstallData = {
         replaceExistingTransports?: boolean;
     };
     checks?: {
+        lockfile?: Lockfile;
         noSapEntries?: boolean;
         noObjectTypes?: boolean;
         noDependencies?: boolean;

package/dist/actions/install/init.js

@@ -37,7 +37,6 @@ exports.init = {
             actualRegistry = oManifest.getPackage().registry;
             context.rawInput.packageData.name = manifest.name;
         }
-        context.rawInput.packageData.version = (0, semver_1.valid)(context.rawInput.packageData.version);
         if (registry.getRegistryType() !== registry_1.RegistryType.LOCAL) {
             trm_commons_1.Logger.loading(`Fetching package in registry ${registry.name}...`);
             packageData = yield registry.getPackage(context.rawInput.packageData.name, context.rawInput.packageData.version || 'latest');
@@ -49,14 +48,14 @@ exports.init = {
                     ping = yield registry.ping();
                 }
                 catch (_b) { }
-                trm_commons_1.Logger.error(`SECURITY ISSUE! Release checksum does NOT match!`);
+                trm_commons_1.Logger.error(`SECURITY ISSUE! Release integrity does NOT match!`);
                 trm_commons_1.Logger.error(`SECURITY ISSUE! Expected SHA is ${packageData.checksum}, current SHA is ${checksum}`);
                 trm_commons_1.Logger.error(`SECURITY ISSUE! Please, report the issue to ${ping && ping.alert_email ? ping.alert_email : 'registry moderation team'}`);
                 throw new Error(`Cannot continue due to security issues.`);
             }
             manifest = artifact.getManifest().get();
         }
-        trm_commons_1.Logger.info(`Ready to install ${manifest.name} v${manifest.version}.`);
+        trm_commons_1.Logger.info(`Ready to install ${manifest.name} v${manifest.version}${!(0, semver_1.valid)(context.rawInput.packageData.version) ? ' (' + context.rawInput.packageData.version + ')' : ''}.`);
         context.runtime = {
             registry: actualRegistry || registry,
             update: undefined,

package/dist/actions/installDependency/findInstallRelease.js

@@ -13,28 +13,24 @@ exports.findInstallRelease = void 0;
 const trm_commons_1 = require("trm-commons");
 const semver_sort_1 = require("semver-sort");
 const semver_1 = require("semver");
+const lockfile_1 = require("../../lockfile");
 exports.findInstallRelease = {
     name: 'find-install-release',
     run: (context) => __awaiter(void 0, void 0, void 0, function* () {
         trm_commons_1.Logger.log('Find install release step', true);
-        const packageData = yield context.rawInput.dependencyDataPackage.registry.getPackage(context.rawInput.dependencyDataPackage.name, 'latest');
-        const versions = packageData.versions.filter(v => (0, semver_1.satisfies)(v, context.rawInput.dependencyDataPackage.versionRange));
-        const yanked = packageData.yanked_versions.filter(v => (0, semver_1.satisfies)(v, context.rawInput.dependencyDataPackage.versionRange));
-        if (context.rawInput.dependencyDataPackage.integrity) {
-            const sortedVersions = (0, semver_sort_1.desc)(versions.concat(yanked));
-            for (const sortedVersion of sortedVersions) {
-                if (!context.runtime.installVersion) {
-                    try {
-                        const packageVersion = yield context.rawInput.dependencyDataPackage.registry.getPackage(context.rawInput.dependencyDataPackage.name, sortedVersion);
-                        if (context.rawInput.dependencyDataPackage.integrity === packageVersion.checksum) {
-                            context.runtime.installVersion = sortedVersion;
-                        }
-                    }
-                    catch (_a) { }
-                }
+        const lock = context.rawInput.installData.checks.lockfile ? context.rawInput.installData.checks.lockfile.getLock(context.runtime.trmPackage) : null;
+        if (lock) {
+            const testLock = yield lockfile_1.Lockfile.testReleaseByLock(lock);
+            if (!testLock) {
+                throw new Error(`Cannot continue due to security issues.`);
+            }
+            else {
+                context.runtime.installVersion = lock.version;
             }
         }
         else {
+            const packageData = yield context.rawInput.dependencyDataPackage.registry.getPackage(context.rawInput.dependencyDataPackage.name, 'latest');
+            const versions = packageData.versions.filter(v => (0, semver_1.satisfies)(v, context.rawInput.dependencyDataPackage.versionRange));
             if (versions.length === 0) {
                 throw new Error(`Dependency "${context.rawInput.dependencyDataPackage.name}": releases not found in range ${context.rawInput.dependencyDataPackage.versionRange}.`);
             }

package/dist/actions/installDependency/index.d.ts

@@ -1,16 +1,17 @@
 import { AbstractRegistry } from "../../registry";
 import { IActionContext, InstallActionInputContextData, InstallActionInputInstallData, InstallActionOutput } from "..";
+import { TrmPackage } from "../../trmPackage";
 export interface InstallDependencyActionInput {
     contextData?: InstallActionInputContextData;
     dependencyDataPackage: {
         name: string;
         versionRange: string;
         registry: AbstractRegistry;
-        integrity?: string;
     };
     installData?: InstallActionInputInstallData;
 }
 type WorkflowRuntime = {
+    trmPackage: TrmPackage;
     installVersion: string;
     installOutput: InstallActionOutput;
 };

package/dist/actions/installDependency/init.js

@@ -14,6 +14,7 @@ const trm_commons_1 = require("trm-commons");
 const commons_1 = require("../../commons");
 const semver_1 = require("semver");
 const registry_1 = require("../../registry");
+const trmPackage_1 = require("../../trmPackage");
 exports.init = {
     name: 'init',
     run: (context) => __awaiter(void 0, void 0, void 0, function* () {
@@ -22,13 +23,14 @@ exports.init = {
             fullName: context.rawInput.dependencyDataPackage.name
         }).fullName;
         if (context.rawInput.dependencyDataPackage.registry.getRegistryType() === registry_1.RegistryType.LOCAL) {
-            throw new Error(`Cannot install package "${context.rawInput.dependencyDataPackage.name}": TRM package has to be installed manually.`);
+            throw new Error(`Cannot install local package "${context.rawInput.dependencyDataPackage.name}": TRM package has to be installed manually.`);
         }
         context.rawInput.dependencyDataPackage.versionRange = (0, semver_1.validRange)(context.rawInput.dependencyDataPackage.versionRange);
         if (!context.rawInput.dependencyDataPackage.versionRange) {
             throw new Error(`Dependency "${context.rawInput.dependencyDataPackage.name}", invalid version range.`);
         }
         context.runtime = {
+            trmPackage: new trmPackage_1.TrmPackage(context.rawInput.dependencyDataPackage.name, context.rawInput.dependencyDataPackage.registry),
             installOutput: undefined,
             installVersion: undefined
         };

package/dist/actions/installDependency/installRelease.js

@@ -18,7 +18,7 @@ exports.installRelease = {
     run: (context) => __awaiter(void 0, void 0, void 0, function* () {
         trm_commons_1.Logger.log('Install release step', true);
         if (!context.runtime.installVersion) {
-            throw new Error(`Couldn't find dependency "${context.rawInput.dependencyDataPackage.name}" on registry. Try manual install.`);
+            throw new Error(`Couldn't find dependency "${context.rawInput.dependencyDataPackage.name}" on registry.`);
         }
         const inputData = {
             packageData: {

package/dist/actions/publish/finalizePublish.js

@@ -22,7 +22,7 @@ exports.finalizePublish = {
             trm_commons_1.Logger.loading(`Finalizing...`);
             yield systemConnector_1.SystemConnector.addSrcTrkorr(context.runtime.systemData.tadirTransport.trkorr);
             trm_commons_1.Logger.log(`Generating SHA512`, true);
-            const integrity = (0, crypto_1.createHash)("sha512").update(context.runtime.trmPackage.artifact.binary).digest("hex");
+            const integrity = (0, crypto_1.createHash)("sha512").update(context.runtime.trmPackage.artifact.binary).digest("base64");
             trm_commons_1.Logger.log(`SHA512: ${integrity}`, true);
             yield systemConnector_1.SystemConnector.setPackageIntegrity({
                 package_name: context.rawInput.packageData.name,

package/dist/actions/publish/index.d.ts

@@ -5,6 +5,7 @@ import { DEVCLASS, TADIR, TMSCSYS, TR_TARGET, TRNSPACET, TRNSPACETT } from "../.
 import { TrmManifest, TrmManifestBase } from "../../manifest";
 import { Transport } from "../../transport";
 import { DotAbapGit } from "../../abapgit";
+import { ReleaseType } from "semver";
 export interface PublishActionInput {
     contextData?: {
         systemPackages?: TrmPackage[];
@@ -14,6 +15,10 @@ export interface PublishActionInput {
     packageData: {
         name: string;
         version?: string;
+        inc?: ReleaseType;
+        preRelease?: boolean;
+        preReleaseIdentifier?: string;
+        tags?: string[];
         registry: AbstractRegistry;
         devclass?: DEVCLASS;
         manifest?: TrmManifestBase;

package/dist/actions/publish/init.js

@@ -8,6 +8,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.init = void 0;
 const trm_commons_1 = require("trm-commons");
@@ -17,6 +20,39 @@ const semver_1 = require("semver");
 const systemConnector_1 = require("../../systemConnector");
 const registry_1 = require("../../registry");
 const transport_1 = require("../../transport");
+const chalk_1 = __importDefault(require("chalk"));
+function nextPrerelease(version, identifier) {
+    const pre = (0, semver_1.prerelease)(version);
+    const currentId = pre && typeof pre[0] === "string" ? String(pre[0]) : undefined;
+    if (identifier) {
+        return pre && currentId === identifier
+            ? (0, semver_1.inc)(version, "prerelease", identifier)
+            : `${(0, semver_1.valid)(version)}-${identifier}.0`;
+    }
+    else {
+        return (0, semver_1.inc)(version, "prerelease", currentId);
+    }
+}
+function getHighestPrerelease(versions, baseVersion, identifier) {
+    const base = (0, semver_1.parse)(baseVersion);
+    const filtered = versions.filter((v) => {
+        const parsed = (0, semver_1.parse)((0, semver_1.clean)(v) || v, { loose: true });
+        if (!parsed)
+            return false;
+        const pre = (0, semver_1.prerelease)(parsed.version);
+        if (!pre)
+            return false;
+        const vBase = `${parsed.major}.${parsed.minor}.${parsed.patch}`;
+        if (vBase !== `${base.major}.${base.minor}.${base.patch}`)
+            return false;
+        return identifier
+            ? pre[0] === identifier
+            : typeof pre[0] === "number" || pre.length === 1;
+    });
+    if (filtered.length === 0)
+        return null;
+    return filtered.sort(semver_1.rcompare)[0];
+}
 exports.init = {
     name: 'init',
     run: (context) => __awaiter(void 0, void 0, void 0, function* () {
@@ -72,6 +108,9 @@ exports.init = {
                 }
             });
         }
+        if (!context.rawInput.packageData.tags) {
+            context.rawInput.packageData.tags = [];
+        }
         trm_commons_1.Logger.loading(`Validating version...`);
         var automaticVersion = false;
         var releasesInRegistry;
@@ -85,20 +124,31 @@ exports.init = {
         }
         catch (_a) { }
         if (!latestReleaseManifest) {
-            if (!context.rawInput.packageData.version) {
+            if (!context.rawInput.packageData.version || !(0, semver_1.valid)(context.rawInput.packageData.version)) {
                 context.rawInput.packageData.version = '1.0.0';
                 automaticVersion = true;
             }
+            if (context.rawInput.packageData.preRelease) {
+                context.rawInput.packageData.version = nextPrerelease(context.rawInput.packageData.version, context.rawInput.packageData.preReleaseIdentifier);
+            }
         }
         else {
-            if (!context.rawInput.packageData.version) {
-                context.rawInput.packageData.version = (0, semver_1.inc)(latestReleaseManifest.version, "patch");
+            if (!context.rawInput.packageData.version || !(0, semver_1.valid)(context.rawInput.packageData.version)) {
+                context.rawInput.packageData.version = (0, semver_1.inc)(latestReleaseManifest.version, context.rawInput.packageData.inc || "patch");
                 automaticVersion = true;
             }
             else {
                 if (releasesInRegistry.includes(context.rawInput.packageData.version)) {
                     throw new Error(`Version "${context.rawInput.packageData.version}" already published.`);
                 }
+                if (context.rawInput.packageData.preRelease) {
+                    const highestPreRelease = getHighestPrerelease(releasesInRegistry, context.rawInput.packageData.version, context.rawInput.packageData.preReleaseIdentifier);
+                    if (highestPreRelease) {
+                        context.rawInput.packageData.version = highestPreRelease;
+                        automaticVersion = true;
+                    }
+                    context.rawInput.packageData.version = nextPrerelease(context.rawInput.packageData.version, context.rawInput.packageData.preReleaseIdentifier);
+                }
             }
             if (registry.getRegistryType() === registry_1.RegistryType.PUBLIC) {
                 trm_commons_1.Logger.log(`Public registry, checking if visibility is the same as latest release`, true);
@@ -139,12 +189,35 @@ exports.init = {
                     }])).version || context.rawInput.packageData.version;
             }
         }
+        var isPrivate;
+        if (registry.getRegistryType() === registry_1.RegistryType.LOCAL) {
+            isPrivate = true;
+        }
+        else {
+            isPrivate = typeof (context.rawInput.publishData.private) === 'undefined' ? (latestReleaseManifest ? latestReleaseManifest.private : undefined) : context.rawInput.publishData.private;
+            if (typeof (isPrivate) === 'undefined') {
+                isPrivate = (yield trm_commons_1.Inquirer.prompt({
+                    type: "list",
+                    message: "Package visibility",
+                    name: "private",
+                    default: isPrivate,
+                    choices: [{
+                            name: `Public`,
+                            value: false
+                        }, {
+                            name: `Private`,
+                            value: true
+                        }]
+                })).private;
+            }
+        }
         trm_commons_1.Logger.loading(`Validating data...`);
-        yield registry.validatePublish(context.rawInput.packageData.name, context.rawInput.packageData.version);
+        yield registry.validatePublish(context.rawInput.packageData.name, context.rawInput.packageData.version, isPrivate);
         if (!latestReleaseManifest) {
             trm_commons_1.Logger.info(`First time publishing "${context.rawInput.packageData.name}". Congratulations!`, registry.getRegistryType() === registry_1.RegistryType.LOCAL);
         }
         trm_commons_1.Logger.info(`Ready to publish ${context.rawInput.packageData.name} v${context.rawInput.packageData.version}`);
+        trm_commons_1.Logger.info(`Package visibility: ${chalk_1.default.bold(isPrivate ? 'private' : 'public')}`);
         context.runtime = {
             trmPackage: {
                 package: new trmPackage_1.TrmPackage(context.rawInput.packageData.name, registry),
@@ -154,7 +227,7 @@ exports.init = {
                 manifest: Object.assign(Object.assign({}, context.rawInput.packageData.manifest), {
                     name: context.rawInput.packageData.name,
                     version: context.rawInput.packageData.version,
-                    private: typeof (context.rawInput.publishData.private) === 'undefined' ? (latestReleaseManifest ? latestReleaseManifest.private : undefined) : context.rawInput.publishData.private
+                    private: isPrivate
                 })
             },
             systemData: {

package/dist/actions/publish/publishToRegistry.js

@@ -23,10 +23,14 @@ exports.publishToRegistry = {
             manifest: new manifest_1.Manifest(context.runtime.trmPackage.manifest),
             sourceCode: context.runtime.abapGitData.sourceCode.zip
         });
+        if (context.rawInput.packageData.tags.length > 0) {
+            trm_commons_1.Logger.info(`Publishing with tag${context.rawInput.packageData.tags.length === 1 ? '' : 's'}: ${context.rawInput.packageData.tags.join(', ')}`);
+        }
         trm_commons_1.Logger.loading(`Publishing...`);
         yield context.runtime.trmPackage.package.publish({
             artifact: context.runtime.trmPackage.artifact,
-            readme: context.rawInput.publishData.readme
+            readme: context.rawInput.publishData.readme,
+            tags: context.rawInput.packageData.tags
         });
     })
 };

package/dist/actions/publish/setManifestValues.js

@@ -16,9 +16,7 @@ exports.setManifestValues = void 0;
 const trm_commons_1 = require("trm-commons");
 const registry_1 = require("../../registry");
 const manifest_1 = require("../../manifest");
-const chalk_1 = __importDefault(require("chalk"));
 const FileSystem_1 = require("../../registry/FileSystem");
-const validators_1 = require("../../validators");
 const lodash_1 = __importDefault(require("lodash"));
 exports.setManifestValues = {
     name: 'set-manifest-values',
@@ -160,26 +158,6 @@ exports.setManifestValues = {
                 defaultKeywords = context.runtime.trmPackage.manifest.keywords;
             }
             var inq = yield trm_commons_1.Inquirer.prompt([{
-                    type: "list",
-                    message: "Package visibility",
-                    name: "private",
-                    default: context.runtime.trmPackage.manifest.private,
-                    choices: [{
-                            name: `Public`,
-                            value: false
-                        }, {
-                            name: `Private`,
-                            value: true
-                        }],
-                    when: () => {
-                        const r = context.rawInput.packageData.registry.getRegistryType();
-                        const hasLatest = !!context.runtime.trmPackage.latestReleaseManifest;
-                        return r !== registry_1.RegistryType.LOCAL && (r !== registry_1.RegistryType.PUBLIC || !hasLatest);
-                    },
-                    validate: (input) => {
-                        return (0, validators_1.validatePackageVisibility)(context.rawInput.packageData.registry.getRegistryType(), input, context.runtime.trmPackage.latestReleaseManifest ? context.runtime.trmPackage.latestReleaseManifest.private : undefined);
-                    },
-                }, {
                     type: "input",
                     message: "Short description",
                     name: "description",
@@ -251,12 +229,6 @@ exports.setManifestValues = {
                 }]);
             context.runtime.trmPackage.manifest = Object.assign(Object.assign({}, context.runtime.trmPackage.manifest), inq);
         }
-        if (context.rawInput.packageData.registry.getRegistryType() === registry_1.RegistryType.LOCAL) {
-            context.runtime.trmPackage.manifest.private = true;
-        }
-        else {
-            trm_commons_1.Logger.info(`Package visibility: ${chalk_1.default.bold(context.runtime.trmPackage.manifest.private ? 'private' : 'public')}`);
-        }
         if (context.runtime.packageData.namespace) {
             context.runtime.trmPackage.manifest.namespace = {
                 ns: context.runtime.packageData.namespace.trnspacet.namespace,

package/dist/commons/getPackageHierarchy.d.ts

@@ -1,3 +1,3 @@
 import { TDEVC } from "../client";
 import { PackageHierarchy } from "./PackageHierarchy";
-export declare function getPackageHierarchy(input: TDEVC[]): PackageHierarchy;
+export declare function getPackageHierarchy(input: TDEVC[], ignoreMultiples?: boolean): PackageHierarchy;

package/dist/commons/getPackageHierarchy.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getPackageHierarchy = getPackageHierarchy;
-function getPackageHierarchy(input) {
+function getPackageHierarchy(input, ignoreMultiples) {
     const map = new Map();
     input.forEach(item => {
         map.set(item.devclass, {
@@ -24,7 +24,9 @@ function getPackageHierarchy(input) {
         throw new Error(`No root found in package hierarchy.`);
     }
     else if (roots.length > 1) {
-        throw new Error(`Multiple roots found in package hierarchy.`);
+        if (!ignoreMultiples) {
+            throw new Error(`Multiple roots found in package hierarchy.`);
+        }
     }
     return roots[0];
 }

package/dist/commons/index.d.ts

@@ -14,3 +14,4 @@ export * from "./getNodePackage";
 export * from "./getCoreTrmDependencies";
 export * from "./checkCoreTrmDependencies";
 export * from "./TrmServerUpgradeService";
+export * from "./jsonStringifyWithKeyOrder";

package/dist/commons/index.js

@@ -30,3 +30,4 @@ __exportStar(require("./getNodePackage"), exports);
 __exportStar(require("./getCoreTrmDependencies"), exports);
 __exportStar(require("./checkCoreTrmDependencies"), exports);
 __exportStar(require("./TrmServerUpgradeService"), exports);
+__exportStar(require("./jsonStringifyWithKeyOrder"), exports);

package/dist/commons/jsonStringifyWithKeyOrder.d.ts

@@ -0,0 +1 @@
+export declare function jsonStringifyWithKeyOrder<T extends object>(obj: T, order: readonly (keyof T & string)[], space?: number): string;

package/dist/commons/jsonStringifyWithKeyOrder.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jsonStringifyWithKeyOrder = jsonStringifyWithKeyOrder;
+function jsonStringifyWithKeyOrder(obj, order, space = 2) {
+    const out = {};
+    const seen = new Set(order);
+    for (const key of order) {
+        if (Object.prototype.hasOwnProperty.call(obj, key) && obj[key] !== undefined) {
+            out[key] = obj[key];
+        }
+    }
+    for (const key of Object.keys(obj)) {
+        if (!seen.has(key) && obj[key] !== undefined) {
+            out[key] = obj[key];
+        }
+    }
+    return JSON.stringify(out, null, space);
+}

package/dist/lockfile/Lockfile.d.ts

@@ -0,0 +1,22 @@
+import { TrmPackage } from "../trmPackage";
+export interface Lock {
+    name: string;
+    version: string;
+    registry: string;
+    integrity: string;
+}
+export interface LockfileContent {
+    lockfileVersion: number;
+    source: string;
+    name?: string;
+    version?: string;
+    packages?: Lock[];
+}
+export declare class Lockfile {
+    lockfile: LockfileContent;
+    constructor(lockfile: LockfileContent);
+    static generate(root: TrmPackage, packages?: TrmPackage[]): Promise<Lockfile>;
+    toJson(): string;
+    getLock(trmPackage: TrmPackage): Lock;
+    static testReleaseByLock(lock: Lock): Promise<boolean>;
+}

package/dist/lockfile/Lockfile.js

@@ -0,0 +1,103 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Lockfile = void 0;
+const trm_commons_1 = require("trm-commons");
+const registry_1 = require("../registry");
+const systemConnector_1 = require("../systemConnector");
+const commons_1 = require("../commons");
+const crypto_1 = require("crypto");
+class Lockfile {
+    constructor(lockfile) {
+        this.lockfile = lockfile;
+    }
+    static generate(root, packages) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var lock = {
+                lockfileVersion: 1,
+                source: systemConnector_1.SystemConnector.getDest(),
+                packages: []
+            };
+            if (!packages) {
+                packages = yield systemConnector_1.SystemConnector.getInstalledPackages(true, true, true);
+            }
+            const rootManifest = root.manifest.get();
+            var dependencies = rootManifest.dependencies || [];
+            lock.name = rootManifest.name;
+            lock.version = rootManifest.version;
+            for (const dep of dependencies) {
+                if (dep.registry === registry_1.LOCAL_RESERVED_KEYWORD) {
+                    throw new Error(`Cannot generate lockfile: dependency with local package "${dep.name}"`);
+                }
+                else {
+                    const depRegistry = registry_1.RegistryProvider.getRegistry(dep.registry);
+                    if (root.compareName(dep.name) && root.compareRegistry(depRegistry)) {
+                        throw new Error(`Package "${dep.name}" has declared invalid dependency with itself`);
+                    }
+                    if (!lock.packages.find(o => o.name === dep.name && o.registry === depRegistry.endpoint)) {
+                        const depPackage = packages.find(o => o.compareName(dep.name) && o.compareRegistry(depRegistry));
+                        if (depPackage) {
+                            const depManifest = depPackage.manifest.get();
+                            const depIntegrity = yield systemConnector_1.SystemConnector.getPackageIntegrity(depPackage);
+                            lock.packages.push({
+                                name: dep.name,
+                                version: depManifest.version,
+                                registry: depRegistry.endpoint,
+                                integrity: depIntegrity
+                            });
+                            dependencies = dependencies.concat(depManifest.dependencies || []);
+                        }
+                        else {
+                            trm_commons_1.Logger.warning(`Dependency "${dep.name}", registry "${depRegistry.endpoint}" not found in system ${systemConnector_1.SystemConnector.getDest()}`);
+                        }
+                    }
+                }
+            }
+            return new Lockfile(lock);
+        });
+    }
+    toJson() {
+        const KEYS_ORDER = [
+            "lockfileVersion",
+            "source",
+            "name",
+            "version"
+        ];
+        return (0, commons_1.jsonStringifyWithKeyOrder)(this.lockfile, KEYS_ORDER, 2);
+    }
+    getLock(trmPackage) {
+        var _a;
+        const lock = (_a = this.lockfile.packages) === null || _a === void 0 ? void 0 : _a.find(o => trmPackage.compareName(o.name) && trmPackage.compareRegistry(registry_1.RegistryProvider.getRegistry(o.registry)));
+        if (!lock) {
+            throw new Error(`Lock for package "${trmPackage.packageName}", registry "${trmPackage.registry.endpoint}" not found`);
+        }
+        return lock;
+    }
+    static testReleaseByLock(lock) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const registry = registry_1.RegistryProvider.getRegistry(lock.registry);
+            const ping = yield registry.ping();
+            const release = yield registry.getPackage(lock.name, lock.version);
+            const artifact = yield registry.downloadArtifact(lock.name, lock.version);
+            const checksum = (0, crypto_1.createHash)("sha512").update(artifact.binary).digest("base64");
+            if (release.checksum !== lock.integrity || checksum !== lock.integrity) {
+                trm_commons_1.Logger.error(`SECURITY ISSUE! Release "${lock.name}", registry "${lock.registry}", integrity in lockfile does NOT match!`);
+                trm_commons_1.Logger.error(`SECURITY ISSUE! Registry SHA is ${release.checksum}`);
+                trm_commons_1.Logger.error(`SECURITY ISSUE! Artifact SHA is ${checksum}`);
+                trm_commons_1.Logger.error(`SECURITY ISSUE! Lockfile SHA is ${lock.integrity}`);
+                trm_commons_1.Logger.error(`SECURITY ISSUE! Please, report the issue to ${ping && ping.alert_email ? ping.alert_email : 'registry moderation team'}`);
+                return false;
+            }
+            return true;
+        });
+    }
+}
+exports.Lockfile = Lockfile;

package/dist/lockfile/index.d.ts

@@ -0,0 +1 @@
+export * from "./Lockfile";

package/dist/lockfile/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./Lockfile"), exports);

package/dist/manifest/Manifest.d.ts

@@ -23,5 +23,4 @@ export declare class Manifest {
     static compare(o1: Manifest, o2: Manifest, checkVersion?: boolean): boolean;
     static stringAuthorsToArray(sAuthors: string): TrmManifestAuthor[];
     static stringKeywordsToArray(sKeywords: string): string[];
-    private jsonStringifyWithKeyOrder;
 }

package/dist/manifest/Manifest.js

@@ -109,13 +109,13 @@ class Manifest {
             "keywords",
             "dependencies",
             "sapEntries",
-            "postActivities",
+            "postActivities"
         ];
         var obj = this.get(false);
         ignoredKeys.forEach(k => {
             delete obj[k];
         });
-        return this.jsonStringifyWithKeyOrder(obj, KEYS_ORDER, 2);
+        return (0, commons_1.jsonStringifyWithKeyOrder)(obj, KEYS_ORDER, 2);
     }
     getAbapXml() {
         const manifest = this.get();
@@ -823,20 +823,5 @@ class Manifest {
             return [];
         }
     }
-    jsonStringifyWithKeyOrder(obj, order, space = 2) {
-        const out = {};
-        const seen = new Set(order);
-        for (const key of order) {
-            if (Object.prototype.hasOwnProperty.call(obj, key) && obj[key] !== undefined) {
-                out[key] = obj[key];
-            }
-        }
-        for (const key of Object.keys(obj)) {
-            if (!seen.has(key) && obj[key] !== undefined) {
-                out[key] = obj[key];
-            }
-        }
-        return JSON.stringify(out, null, space);
-    }
 }
 exports.Manifest = Manifest;

package/dist/registry/AbstractRegistry.d.ts

@@ -1,19 +1,21 @@
-import { Package, Ping, WhoAmI } from "trm-registry-types";
+import { Deprecate, DistTagAdd, DistTagRm, Package, Ping, WhoAmI } from "trm-registry-types";
 import { RegistryType } from "./RegistryType";
 import { TrmArtifact } from "../trmPackage";
 export declare abstract class AbstractRegistry {
     endpoint: string;
     name: string;
     abstract compare: (registry: AbstractRegistry) => boolean;
-    getRegistryType: () => RegistryType;
-    authenticate: (defaultData: any) => Promise<AbstractRegistry>;
-    getAuthData: () => any;
-    ping: () => Promise<Ping>;
-    whoAmI: () => Promise<WhoAmI>;
-    getPackage: (fullName: string, version: string) => Promise<Package>;
-    downloadArtifact: (fullName: string, version: string) => Promise<TrmArtifact>;
-    validatePublish: (fullName: string, version: string) => Promise<void>;
-    publish: (fullName: string, version: string, artifact: TrmArtifact, readme?: string) => Promise<Package>;
-    unpublish: (fullName: string, version: string) => Promise<void>;
-    deprecate: (fullName: string, version: string, reason: string) => Promise<void>;
+    abstract getRegistryType: () => RegistryType;
+    abstract authenticate: (defaultData: any) => Promise<AbstractRegistry>;
+    abstract getAuthData: () => any;
+    abstract ping: () => Promise<Ping>;
+    abstract whoAmI: () => Promise<WhoAmI>;
+    abstract getPackage: (fullName: string, version: string) => Promise<Package>;
+    abstract downloadArtifact: (fullName: string, version: string) => Promise<TrmArtifact>;
+    abstract validatePublish: (fullName: string, version: string, isPrivate: boolean) => Promise<void>;
+    abstract publish: (fullName: string, version: string, artifact: TrmArtifact, readme?: string, tags?: string) => Promise<Package>;
+    abstract unpublish: (fullName: string, version: string) => Promise<void>;
+    abstract deprecate: (fullName: string, version: string, deprecate: Deprecate) => Promise<void>;
+    abstract addDistTag: (fullName: string, distTag: DistTagAdd) => Promise<void>;
+    abstract rmDistTag: (fullName: string, distTag: DistTagRm) => Promise<void>;
 }

package/dist/registry/FileSystem.d.ts

@@ -1,4 +1,4 @@
-import { Package, Ping, WhoAmI } from "trm-registry-types";
+import { Deprecate, DistTagAdd, DistTagRm, Package, Ping, WhoAmI } from "trm-registry-types";
 import { AbstractRegistry } from "./AbstractRegistry";
 import { RegistryType } from "./RegistryType";
 import { TrmArtifact } from "../trmPackage";
@@ -21,5 +21,7 @@ export declare class FileSystem implements AbstractRegistry {
     validatePublish(fullName: string, version: string): Promise<void>;
     publish(fullName: string, version: string, artifact: TrmArtifact, readme?: string): Promise<Package>;
     unpublish(fullName: string, version: string): Promise<void>;
-    deprecate(fullName: string, version: string, reason: string): Promise<void>;
+    deprecate(fullName: string, version: string, deprecate: Deprecate): Promise<void>;
+    addDistTag(fullName: string, distTag: DistTagAdd): Promise<void>;
+    rmDistTag(fullName: string, distTag: DistTagRm): Promise<void>;
 }

package/dist/registry/FileSystem.js

@@ -103,7 +103,9 @@ class FileSystem {
             if (this._filePath) {
                 return {
                     name: fullName,
-                    latest: version,
+                    dist_tags: {
+                        latest: version
+                    },
                     versions: [],
                     yanked_versions: [],
                     deprecated: false,
@@ -157,10 +159,20 @@ class FileSystem {
             throw new Error(`File system can't delete packages!`);
         });
     }
-    deprecate(fullName, version, reason) {
+    deprecate(fullName, version, deprecate) {
         return __awaiter(this, void 0, void 0, function* () {
             throw new Error(`File system can't deprecate packages!`);
         });
     }
+    addDistTag(fullName, distTag) {
+        return __awaiter(this, void 0, void 0, function* () {
+            throw new Error(`File system can't add dist tags!`);
+        });
+    }
+    rmDistTag(fullName, distTag) {
+        return __awaiter(this, void 0, void 0, function* () {
+            throw new Error(`File system can't remove dist tags!`);
+        });
+    }
 }
 exports.FileSystem = FileSystem;

package/dist/registry/RegistryV2.d.ts

@@ -1,5 +1,5 @@
 import { RegistryType } from "./RegistryType";
-import { Package, Ping, WhoAmI } from "trm-registry-types";
+import { Deprecate, DistTagAdd, DistTagRm, Package, Ping, WhoAmI } from "trm-registry-types";
 import { TrmArtifact } from "../trmPackage/TrmArtifact";
 import { AbstractRegistry } from "./AbstractRegistry";
 export declare const PUBLIC_RESERVED_KEYWORD = "public";
@@ -24,8 +24,10 @@ export declare class RegistryV2 implements AbstractRegistry {
     whoAmI(): Promise<WhoAmI>;
     getPackage(fullName: string, version?: string): Promise<Package>;
     downloadArtifact(fullName: string, version?: string): Promise<TrmArtifact>;
-    validatePublish(fullName: string, version?: string): Promise<void>;
-    publish(fullName: string, version: string, artifact: TrmArtifact, readme?: string): Promise<Package>;
+    validatePublish(fullName: string, version: string, isPrivate: boolean): Promise<void>;
+    publish(fullName: string, version: string, artifact: TrmArtifact, readme?: string, tags?: string): Promise<Package>;
     unpublish(fullName: string, version: string): Promise<void>;
-    deprecate(fullName: string, version: string, reason: string): Promise<void>;
+    deprecate(fullName: string, version: string, deprecate: Deprecate): Promise<void>;
+    addDistTag(fullName: string, distTag: DistTagAdd): Promise<void>;
+    rmDistTag(fullName: string, distTag: DistTagRm): Promise<void>;
 }

package/dist/registry/RegistryV2.js

@@ -368,9 +368,9 @@ class RegistryV2 {
             if (!data) {
                 var ttl;
                 try {
-                    data = (yield this._axiosInstance.get(`/package/${fullName}`, {
+                    data = (yield this._axiosInstance.get(`/package/${encodeURIComponent(fullName)}`, {
                         params: {
-                            version
+                            version: encodeURIComponent(version)
                         }
                     })).data;
                     if (data.download_link_expiry) {
@@ -416,10 +416,11 @@ class RegistryV2 {
         });
     }
     validatePublish(fullName_1) {
-        return __awaiter(this, arguments, void 0, function* (fullName, version = 'latest') {
-            const status = (yield this._axiosInstance.get(`/publish/check/${fullName}`, {
+        return __awaiter(this, arguments, void 0, function* (fullName, version = 'latest', isPrivate) {
+            const status = (yield this._axiosInstance.get(`/publish/check/${encodeURIComponent(fullName)}`, {
                 params: {
-                    version
+                    version: encodeURIComponent(version),
+                    private: isPrivate ? 'X' : 'N'
                 }
             })).status;
             if (status !== 204) {
@@ -427,7 +428,7 @@ class RegistryV2 {
             }
         });
     }
-    publish(fullName, version, artifact, readme) {
+    publish(fullName, version, artifact, readme, tags) {
         return __awaiter(this, void 0, void 0, function* () {
             const fileName = `${fullName}_v${version}`.replace('.', '_') + '.trm';
             const formData = new FormData.default();
@@ -441,33 +442,53 @@ class RegistryV2 {
                     contentType: 'text/markdown'
                 });
             }
-            return (yield this._axiosInstance.post(`/publish/${fullName}`, formData, {
-                params: {
-                    version
-                },
+            var params = { version, tags };
+            if (!tags) {
+                delete params.tags;
+            }
+            return (yield this._axiosInstance.post(`/publish/${encodeURIComponent(fullName)}`, formData, {
+                params,
                 headers: formData.getHeaders()
             })).data;
         });
     }
     unpublish(fullName, version) {
         return __awaiter(this, void 0, void 0, function* () {
-            yield this._axiosInstance.post(`/unpublish/${fullName}`, null, {
+            yield this._axiosInstance.post(`/unpublish/${encodeURIComponent(fullName)}`, null, {
                 params: {
-                    version
+                    version: encodeURIComponent(version)
                 }
             });
         });
     }
-    deprecate(fullName, version, reason) {
+    deprecate(fullName, version, deprecate) {
         return __awaiter(this, void 0, void 0, function* () {
-            yield this._axiosInstance.post(`/deprecate/${fullName}`, {
-                deprecate_note: reason
+            yield this._axiosInstance.post(`/deprecate/${encodeURIComponent(fullName)}`, {
+                deprecate_note: deprecate.deprecate_note
             }, {
                 params: {
-                    version
+                    version: encodeURIComponent(version)
                 }
             });
         });
     }
+    addDistTag(fullName, distTag) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const status = (yield this._axiosInstance.put(`/package/tag/${encodeURIComponent(fullName)}`, distTag)).status;
+            if (status !== 204) {
+                throw new Error(`Cannot add tag "${distTag.tag.trim().toUpperCase()}"`);
+            }
+        });
+    }
+    rmDistTag(fullName, distTag) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const status = (yield this._axiosInstance.delete(`/package/tag/${encodeURIComponent(fullName)}`, {
+                data: distTag
+            })).status;
+            if (status !== 204) {
+                throw new Error(`Cannot remove tag "${distTag.tag.trim().toLowerCase()}"`);
+            }
+        });
+    }
 }
 exports.RegistryV2 = RegistryV2;

package/dist/transport/Transport.js

@@ -165,7 +165,7 @@ class Transport {
                     }
                 }
                 while (aTdevc.length > 0 && !this._rootDevclass) {
-                    const hierarchy = (0, commons_1.getPackageHierarchy)(aTdevc);
+                    const hierarchy = (0, commons_1.getPackageHierarchy)(aTdevc, true);
                     if (aTdevc.find(o => o.devclass === hierarchy.devclass)) {
                         this._rootDevclass = hierarchy.devclass;
                     }

package/dist/trmPackage/TrmPackage.d.ts

@@ -3,6 +3,7 @@ import { AbstractRegistry } from "../registry";
 import { TrmArtifact } from "./TrmArtifact";
 import { DEVCLASS } from "../client";
 import { Transport } from "../transport";
+import { Lockfile } from "../lockfile";
 export declare class TrmPackage {
     packageName: string;
     registry: AbstractRegistry;
@@ -17,9 +18,11 @@ export declare class TrmPackage {
     publish(data: {
         artifact: TrmArtifact;
         readme?: string;
+        tags?: string[];
     }): Promise<TrmPackage>;
     compareRegistry(registry: AbstractRegistry): boolean;
     compareName(name: string): boolean;
+    getLockfile(systemPackages?: TrmPackage[]): Promise<Lockfile>;
     static create(manifest: Manifest, registry: AbstractRegistry): Promise<TrmPackage>;
     static compare(o1: TrmPackage, o2: TrmPackage): boolean;
 }

package/dist/trmPackage/TrmPackage.js

@@ -13,6 +13,7 @@ exports.TrmPackage = void 0;
 const trm_commons_1 = require("trm-commons");
 const manifest_1 = require("../manifest");
 const systemConnector_1 = require("../systemConnector");
+const lockfile_1 = require("../lockfile");
 class TrmPackage {
     constructor(packageName, registry, manifest) {
         this.packageName = packageName;
@@ -52,12 +53,16 @@ class TrmPackage {
             const artifact = data.artifact;
             const trmManifest = artifact.getManifest().get();
             const packageName = trmManifest.name;
+            var tags;
             if (packageName !== this.packageName) {
                 throw new Error(`Cannot publish package ${packageName}: expected name is ${this.packageName}`);
             }
             const packageVersion = trmManifest.version;
+            if (data.tags) {
+                tags = data.tags.join(',');
+            }
             trm_commons_1.Logger.loading(`Publishing "${packageName}" ${packageVersion} to registry "${this.registry.name}"...`, false);
-            yield this.registry.publish(packageName, packageVersion, artifact, data.readme);
+            yield this.registry.publish(packageName, packageVersion, artifact, data.readme, tags);
             this.manifest = new manifest_1.Manifest(trmManifest);
             return this;
         });
@@ -68,6 +73,11 @@ class TrmPackage {
     compareName(name) {
         return this.packageName.trim().toUpperCase() === name.trim().toUpperCase();
     }
+    getLockfile(systemPackages) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return lockfile_1.Lockfile.generate(this, systemPackages);
+        });
+    }
     static create(manifest, registry) {
         return __awaiter(this, void 0, void 0, function* () {
             return new TrmPackage(manifest.get().name, registry, manifest);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trm-core",
-  "version": "8.0.2",
+  "version": "8.1.1",
   "description": "TRM (Transport Request Manager) Core",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -63,7 +63,7 @@
     "semver": "^7.5.4",
     "semver-sort": "^1.0.0",
     "spdx-license-ids": "^3.0.13",
-    "trm-registry-types": "^2.0.0",
+    "trm-registry-types": "^2.1.0",
     "uuid": "^9.0.1",
     "xml-beautify": "^1.2.3",
     "xml-js": "^1.6.11"