upd-cli 0.1.2__tar.gz → 0.1.3__tar.gz

{upd_cli-0.1.2 → upd_cli-0.1.3}/CHANGELOG.md

@@ -12,6 +12,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+## [0.1.3](https://github.com/rvben/upd/compare/v0.1.2...v0.1.3) - 2026-04-25
+
+### Added
+
+- **lock**: scope lockfile regeneration to the packages upd actually changed ([6b6cfa6](https://github.com/rvben/upd/commit/6b6cfa6fe3e8e8d787e78c7afea24883ebe67833))
+- **npm**: classify and rewrite comparator-range specs ([a60979a](https://github.com/rvben/upd/commit/a60979acd7edb7eb6adfac554a590412a6cf8271))
+
+### Fixed
+
+- **lock**: include config pins in targeted regenerate and update CLI help ([207fdf9](https://github.com/rvben/upd/commit/207fdf94af95c74865f828f258ec9cfa61d22085))
+- **npm**: preserve upper bound when pinning comparator-range specs ([fb7c863](https://github.com/rvben/upd/commit/fb7c863de9f07201af310ab13a59696d17fcb766))
+- **npm**: apply config policy and cooldown to comparator-range updates ([be095dd](https://github.com/rvben/upd/commit/be095dd30443dd547fb6913dae551cbd530cb019))
+- **npm**: update comparator-range specs via constraint-aware resolution ([4481b8b](https://github.com/rvben/upd/commit/4481b8bad6a02c6f761cf489a547b5546099e871))
+- **audit**: order fix versions numerically, not lexicographically ([069eb1d](https://github.com/rvben/upd/commit/069eb1dc8771640376957339e40ada7b60a82b0a))
+
 ## [0.1.2](https://github.com/rvben/upd/compare/v0.1.1...v0.1.2) - 2026-04-24
 
 ### Added

{upd_cli-0.1.2 → upd_cli-0.1.3}/Cargo.lock

@@ -2024,7 +2024,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.2"
+version = "0.1.3"
 dependencies = [
  "anyhow",
  "async-trait",

{upd_cli-0.1.2 → upd_cli-0.1.3}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.2"
+version = "0.1.3"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"

{upd_cli-0.1.2 → upd_cli-0.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.2
+Version: 0.1.3
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -46,7 +46,10 @@ pipx run --spec upd-cli upd --apply
 
 - **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
-- **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
+- **Constraint-aware**: Respects `>=2.0,<3` (Python), `~> 7.1` (Ruby), and `^2.0.0` / `~2.0.0` (npm, Cargo).
+  For npm, comparator ranges such as `">=1.0.0 <2.0.0"` are rewritten with a **bump strategy**: the lower
+  bound moves to the highest version satisfying the constraint, preserving the upper bound. Hyphen
+  (`"1 - 2"`) and OR (`"^1 || ^2"`) ranges are reported as warnings and left untouched.
 - **Smart caching**: 24-hour version cache for faster subsequent runs
 - **Update filters**: Filter by bump level with `--only-bump <major|minor|patch>` (repeatable) or cap with `--max-bump`
 - **Interactive mode**: Approve updates individually with `-i`
@@ -767,6 +770,33 @@ Global flags (accepted on every subcommand):
 
 Subcommands: `update` (default), `align`, `audit`, `clean-cache`, `self-update`.
 
+#### Commands run by `--lock`
+
+`upd --lock` runs the narrowest per-ecosystem refresh command that
+updates only the packages `upd` just rewrote. Targeted forms are used
+wherever the package manager supports them; targeting falls back to
+`--lockfile-only` flags where no per-package form exists; otherwise
+the manifest-wide refresh command is used.
+
+| Ecosystem | Lockfile                 | Command                                        |
+|-----------|--------------------------|------------------------------------------------|
+| Python    | `poetry.lock`            | `poetry lock --no-update`                      |
+| Python    | `uv.lock`                | `uv lock`                                      |
+| Node      | `package-lock.json`      | `npm install --package-lock-only`              |
+| Node      | `yarn.lock`              | `yarn install --mode update-lockfile` (Yarn 2+)|
+| Node      | `pnpm-lock.yaml`         | `pnpm install --lockfile-only`                 |
+| Node      | `bun.lockb`              | `bun install`                                  |
+| Rust      | `Cargo.lock`             | `cargo update -p <changed> -p <changed> …`     |
+| Go        | `go.sum`                 | `go mod tidy` (no targeted form)               |
+| Ruby      | `Gemfile.lock`           | `bundle lock --update <changed> …`             |
+| .NET      | `packages.lock.json`     | `dotnet restore` (no targeted form)            |
+| Terraform | `.terraform.lock.hcl`    | `terraform providers lock` (no targeted form)  |
+
+Manifests whose `upd` pass produced zero changes have their lockfile
+refresh skipped entirely. A directory where only config pins were
+applied is still refreshed, and the changed-package list includes
+those pinned packages so `cargo update -p <pkg>` / `bundle lock --update <pkg>` stay scoped.
+
 Stable `audit`-specific flags:
 
 | Flag | Purpose |

{upd_cli-0.1.2 → upd_cli-0.1.3}/README.md

@@ -23,7 +23,10 @@ pipx run --spec upd-cli upd --apply
 
 - **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
-- **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
+- **Constraint-aware**: Respects `>=2.0,<3` (Python), `~> 7.1` (Ruby), and `^2.0.0` / `~2.0.0` (npm, Cargo).
+  For npm, comparator ranges such as `">=1.0.0 <2.0.0"` are rewritten with a **bump strategy**: the lower
+  bound moves to the highest version satisfying the constraint, preserving the upper bound. Hyphen
+  (`"1 - 2"`) and OR (`"^1 || ^2"`) ranges are reported as warnings and left untouched.
 - **Smart caching**: 24-hour version cache for faster subsequent runs
 - **Update filters**: Filter by bump level with `--only-bump <major|minor|patch>` (repeatable) or cap with `--max-bump`
 - **Interactive mode**: Approve updates individually with `-i`
@@ -744,6 +747,33 @@ Global flags (accepted on every subcommand):
 
 Subcommands: `update` (default), `align`, `audit`, `clean-cache`, `self-update`.
 
+#### Commands run by `--lock`
+
+`upd --lock` runs the narrowest per-ecosystem refresh command that
+updates only the packages `upd` just rewrote. Targeted forms are used
+wherever the package manager supports them; targeting falls back to
+`--lockfile-only` flags where no per-package form exists; otherwise
+the manifest-wide refresh command is used.
+
+| Ecosystem | Lockfile                 | Command                                        |
+|-----------|--------------------------|------------------------------------------------|
+| Python    | `poetry.lock`            | `poetry lock --no-update`                      |
+| Python    | `uv.lock`                | `uv lock`                                      |
+| Node      | `package-lock.json`      | `npm install --package-lock-only`              |
+| Node      | `yarn.lock`              | `yarn install --mode update-lockfile` (Yarn 2+)|
+| Node      | `pnpm-lock.yaml`         | `pnpm install --lockfile-only`                 |
+| Node      | `bun.lockb`              | `bun install`                                  |
+| Rust      | `Cargo.lock`             | `cargo update -p <changed> -p <changed> …`     |
+| Go        | `go.sum`                 | `go mod tidy` (no targeted form)               |
+| Ruby      | `Gemfile.lock`           | `bundle lock --update <changed> …`             |
+| .NET      | `packages.lock.json`     | `dotnet restore` (no targeted form)            |
+| Terraform | `.terraform.lock.hcl`    | `terraform providers lock` (no targeted form)  |
+
+Manifests whose `upd` pass produced zero changes have their lockfile
+refresh skipped entirely. A directory where only config pins were
+applied is still refreshed, and the changed-package list includes
+those pinned packages so `cargo update -p <pkg>` / `bundle lock --update <pkg>` stay scoped.
+
 Stable `audit`-specific flags:
 
 | Flag | Purpose |

{upd_cli-0.1.2 → upd_cli-0.1.3}/src/audit/mod.rs

@@ -134,7 +134,7 @@ pub fn compute_fix_plan(audit: &AuditResult) -> (HashMap<String, String>, Vec<(S
             .vulnerabilities
             .iter()
             .filter_map(|v| v.fixed_version.as_deref())
-            .max_by(|a, b| compare_fix_versions(a, b));
+            .max_by(|a, b| crate::version::compare::compare_versions(a, b));
 
         if let Some(version) = max_fixed {
             fixable.insert(name.clone(), version.to_string());
@@ -144,44 +144,6 @@ pub fn compute_fix_plan(audit: &AuditResult) -> (HashMap<String, String>, Vec<(S
     (fixable, unfixable)
 }
 
-/// Compare two version strings for ordering, preferring semver but falling back
-/// to lexicographic comparison for non-semver ecosystems.
-fn compare_fix_versions(a: &str, b: &str) -> std::cmp::Ordering {
-    match (semver_parse(a), semver_parse(b)) {
-        (Some(va), Some(vb)) => va.cmp(&vb),
-        _ => a.cmp(b),
-    }
-}
-
-/// Parse a version string as semver, accepting an optional leading `v`.
-///
-/// Returns `(major, minor, patch, is_stable)` where `is_stable` is 1 for stable
-/// releases and 0 for pre-releases (e.g. `2.0.0-rc1`). This ensures stable
-/// versions beat pre-releases when all numeric components are equal.
-fn semver_parse(v: &str) -> Option<(u64, u64, u64, u8)> {
-    let v = v.trim_start_matches('v');
-    let parts: Vec<&str> = v.split('.').collect();
-    if parts.len() < 2 {
-        return None;
-    }
-    let major: u64 = parts[0].parse().ok()?;
-    let minor: u64 = parts[1].parse().ok()?;
-    // Patch may carry a pre-release or build suffix (e.g. "0-rc1", "3+build1").
-    // Take only the leading digit run so "0-rc1" → patch=0, rest="-rc1".
-    let patch_part = parts.get(2).copied().unwrap_or("0");
-    let (patch_digits, rest) = patch_part
-        .split_once(|c: char| !c.is_ascii_digit())
-        .unwrap_or((patch_part, ""));
-    let patch: u64 = if patch_digits.is_empty() {
-        0
-    } else {
-        patch_digits.parse().ok()?
-    };
-    // Stability flag: 1 = stable, 0 = pre-release. Stable wins ties.
-    let is_stable: u8 = if rest.is_empty() { 1 } else { 0 };
-    Some((major, minor, patch, is_stable))
-}
-
 /// Return a sort key for a severity string such that Critical sorts first.
 ///
 /// Lower numeric values sort earlier, so Critical = 0, Unknown = 5.
@@ -858,6 +820,43 @@ mod tests {
         assert_eq!(fixable.get("pkg").map(|s| s.as_str()), Some("2.10.0"));
     }
 
+    #[test]
+    fn test_compute_fix_plan_picks_numerically_highest_non_semver_fix() {
+        // Regression test for 4-segment versions (e.g. Ruby or multi-segment tags)
+        // where the legacy `semver_parse` dropped the 4th segment, making
+        // `1.0.0.10` and `1.0.0.9` compare equal. `max_by` then returned the
+        // *last* element, so the answer depended on fix_version ordering.
+        //
+        // The correct "minimum safe fix" must order by full numeric value.
+        let mut audit = AuditResult::default();
+        audit.vulnerable.push(PackageAuditResult {
+            package: Package {
+                name: "pkg".to_string(),
+                version: "1.0.0.1".to_string(),
+                ecosystem: Ecosystem::RubyGems,
+            },
+            vulnerabilities: vec![
+                Vulnerability {
+                    id: "CVE-A".to_string(),
+                    summary: None,
+                    severity: None,
+                    url: None,
+                    fixed_version: Some("1.0.0.10".to_string()),
+                },
+                Vulnerability {
+                    id: "CVE-B".to_string(),
+                    summary: None,
+                    severity: None,
+                    url: None,
+                    fixed_version: Some("1.0.0.9".to_string()),
+                },
+            ],
+        });
+
+        let (fixable, _) = compute_fix_plan(&audit);
+        assert_eq!(fixable.get("pkg").map(String::as_str), Some("1.0.0.10"));
+    }
+
     // ─── check_packages_cached unit tests ────────────────────────────────────
 
     fn sample_package(name: &str) -> Package {

{upd_cli-0.1.2 → upd_cli-0.1.3}/src/cli.rs

@@ -130,8 +130,9 @@ pub struct Cli {
 
     /// Regenerate lockfiles after updating.
     ///
-    /// Runs the appropriate lock command for each ecosystem (e.g. `poetry lock`,
-    /// `npm install`, `cargo update`).
+    /// Runs the narrowest per-ecosystem refresh command that updates only the
+    /// packages `upd` just rewrote (e.g. `cargo update -p <pkg>`,
+    /// `bundle lock --update <pkg>`, `npm install --package-lock-only`).
     #[arg(long, global = true)]
     pub lock: bool,
 

{upd_cli-0.1.2 → upd_cli-0.1.3}/src/cooldown.rs

@@ -6,6 +6,7 @@ use anyhow::{Result, anyhow};
 use chrono::{DateTime, Duration, Utc};
 
 use crate::registry::VersionMeta;
+use crate::version::compare::compare_versions;
 
 /// Parse a cooldown duration string.
 ///
@@ -238,46 +239,6 @@ pub fn select(
     }
 }
 
-/// Version comparison: try semver first, fall back to numeric-aware segment
-/// comparison.
-///
-/// The fallback splits on `.` and `-` and compares integer segments as numbers
-/// (so `1.10 > 1.9` and `v0.10.0.0 > v0.9.0.0`). Lexicographic string compare
-/// would get those wrong, which breaks selection across non-strict-semver
-/// ecosystems like PyPI and multi-segment GitHub tags.
-fn compare_versions(a: &str, b: &str) -> std::cmp::Ordering {
-    let stripped_a = a.strip_prefix('v').unwrap_or(a);
-    let stripped_b = b.strip_prefix('v').unwrap_or(b);
-    if let (Ok(va), Ok(vb)) = (
-        semver::Version::parse(stripped_a),
-        semver::Version::parse(stripped_b),
-    ) {
-        return va.cmp(&vb);
-    }
-    compare_loose(stripped_a, stripped_b)
-}
-
-fn compare_loose(a: &str, b: &str) -> std::cmp::Ordering {
-    let mut a_parts = a.split(['.', '-']);
-    let mut b_parts = b.split(['.', '-']);
-    loop {
-        match (a_parts.next(), b_parts.next()) {
-            (None, None) => return std::cmp::Ordering::Equal,
-            (None, Some(_)) => return std::cmp::Ordering::Less,
-            (Some(_), None) => return std::cmp::Ordering::Greater,
-            (Some(x), Some(y)) => {
-                let ord = match (x.parse::<u64>(), y.parse::<u64>()) {
-                    (Ok(nx), Ok(ny)) => nx.cmp(&ny),
-                    _ => x.cmp(y),
-                };
-                if ord != std::cmp::Ordering::Equal {
-                    return ord;
-                }
-            }
-        }
-    }
-}
-
 fn is_newer(candidate: &str, current: &str) -> bool {
     compare_versions(candidate, current) == std::cmp::Ordering::Greater
 }

{upd_cli-0.1.2 → upd_cli-0.1.3}/src/lockfile.rs

@@ -50,30 +50,20 @@ impl RegenOutcome {
     }
 }
 
-/// Lockfile types and their associated commands
+/// Lockfile variants supported by `upd --lock`. See `command()` for the
+/// concrete invocation used per variant.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum LockfileType {
-    /// poetry.lock - regenerated with `poetry lock --no-update`
     PoetryLock,
-    /// uv.lock - regenerated with `uv lock`
     UvLock,
-    /// package-lock.json - regenerated with `npm install`
     PackageLockJson,
-    /// yarn.lock - regenerated with `yarn install`
     YarnLock,
-    /// pnpm-lock.yaml - regenerated with `pnpm install`
     PnpmLock,
-    /// bun.lockb - regenerated with `bun install`
     BunLock,
-    /// Cargo.lock - regenerated with `cargo update`
     CargoLock,
-    /// go.sum - regenerated with `go mod tidy`
     GoSum,
-    /// Gemfile.lock - regenerated with `bundle install`
     GemfileLock,
-    /// packages.lock.json - regenerated with `dotnet restore`
     PackagesLockJson,
-    /// .terraform.lock.hcl - regenerated with `terraform providers lock`
     TerraformLock,
 }
 
@@ -95,20 +85,71 @@ impl LockfileType {
         }
     }
 
-    /// Get the command to regenerate this lockfile
-    pub fn command(&self) -> (&'static str, &'static [&'static str]) {
+    /// Returns the command + args to regenerate this lockfile.
+    ///
+    /// `changed` is the list of package names that `upd` just rewrote in the
+    /// corresponding manifest. Ecosystems whose CLI supports a targeted form use
+    /// it (`cargo update -p …`, `bundle lock --update …`). Ecosystems whose CLI
+    /// supports a lockfile-only flag prefer that over a full install. Everything
+    /// else falls back to the manifest-wide refresh command.
+    pub fn command(&self, changed: &[String]) -> (&'static str, Vec<String>) {
         match self {
-            LockfileType::PoetryLock => ("poetry", &["lock", "--no-update"]),
-            LockfileType::UvLock => ("uv", &["lock"]),
-            LockfileType::PackageLockJson => ("npm", &["install"]),
-            LockfileType::YarnLock => ("yarn", &["install"]),
-            LockfileType::PnpmLock => ("pnpm", &["install"]),
-            LockfileType::BunLock => ("bun", &["install"]),
-            LockfileType::CargoLock => ("cargo", &["update"]),
-            LockfileType::GoSum => ("go", &["mod", "tidy"]),
-            LockfileType::GemfileLock => ("bundle", &["install"]),
-            LockfileType::PackagesLockJson => ("dotnet", &["restore"]),
-            LockfileType::TerraformLock => ("terraform", &["providers", "lock"]),
+            LockfileType::PoetryLock => (
+                "poetry",
+                vec!["lock".to_string(), "--no-update".to_string()],
+            ),
+            LockfileType::UvLock => ("uv", vec!["lock".to_string()]),
+            LockfileType::PackageLockJson => (
+                "npm",
+                vec!["install".to_string(), "--package-lock-only".to_string()],
+            ),
+            // Yarn Berry (v2+) only: `--mode update-lockfile` is the only
+            // documented form that refreshes `yarn.lock` without running
+            // install scripts. Yarn 1 (Classic) does not accept `--mode` and
+            // will error; Yarn 1 reached EOL in 2023 and is unsupported here.
+            LockfileType::YarnLock => (
+                "yarn",
+                vec![
+                    "install".to_string(),
+                    "--mode".to_string(),
+                    "update-lockfile".to_string(),
+                ],
+            ),
+            LockfileType::PnpmLock => (
+                "pnpm",
+                vec!["install".to_string(), "--lockfile-only".to_string()],
+            ),
+            LockfileType::BunLock => ("bun", vec!["install".to_string()]),
+            LockfileType::CargoLock => {
+                if changed.is_empty() {
+                    (
+                        "cargo",
+                        vec!["update".to_string(), "--workspace".to_string()],
+                    )
+                } else {
+                    let mut args = vec!["update".to_string()];
+                    for pkg in changed {
+                        args.push("-p".to_string());
+                        args.push(pkg.clone());
+                    }
+                    ("cargo", args)
+                }
+            }
+            LockfileType::GoSum => ("go", vec!["mod".to_string(), "tidy".to_string()]),
+            LockfileType::GemfileLock => {
+                if changed.is_empty() {
+                    ("bundle", vec!["lock".to_string()])
+                } else {
+                    let mut args = vec!["lock".to_string(), "--update".to_string()];
+                    args.extend(changed.iter().cloned());
+                    ("bundle", args)
+                }
+            }
+            LockfileType::PackagesLockJson => ("dotnet", vec!["restore".to_string()]),
+            LockfileType::TerraformLock => (
+                "terraform",
+                vec!["providers".to_string(), "lock".to_string()],
+            ),
         }
     }
 
@@ -249,15 +290,21 @@ pub fn tool_available(tool: &str) -> bool {
 
 /// Regenerate a single lockfile by running the appropriate package manager.
 ///
+/// `changed` is the list of package names that `upd` just rewrote in the
+/// corresponding manifest. This is forwarded to [`LockfileType::command`] so
+/// ecosystems that support targeted commands (e.g. `cargo update -p …`) only
+/// touch the packages that actually changed.
+///
 /// Returns a [`RegenOutcome`] distinguishing success, missing tool, and
 /// command failure.
-pub fn regenerate_lockfile(
+pub(crate) fn regenerate_lockfile(
     manifest_path: &Path,
     lockfile_type: LockfileType,
+    changed: &[String],
     verbose: bool,
 ) -> RegenOutcome {
     let dir = manifest_path.parent().unwrap_or(Path::new("."));
-    let (cmd, args) = lockfile_type.command();
+    let (cmd, args) = lockfile_type.command(changed);
 
     if !tool_available(cmd) {
         return RegenOutcome::ToolMissing {
@@ -279,7 +326,7 @@ pub fn regenerate_lockfile(
         );
     }
 
-    let output = match Command::new(cmd).args(args).current_dir(dir).output() {
+    let output = match Command::new(cmd).args(&args).current_dir(dir).output() {
         Ok(o) => o,
         Err(e) => {
             return RegenOutcome::Failed {
@@ -330,10 +377,19 @@ impl LockfileRegenResult {
 
 /// Regenerate all lockfiles for a manifest, returning a structured result.
 ///
+/// `changed` is the list of package names that `upd` just rewrote in the
+/// corresponding manifest. It is forwarded to each [`regenerate_lockfile`]
+/// call so ecosystems that support targeted commands only touch the packages
+/// that actually changed.
+///
 /// If no lockfiles are detected the caller is responsible for emitting the
 /// `note:` skip message; this function sets `no_lockfiles = true` to signal
 /// that.
-pub fn regenerate_lockfiles(manifest_path: &Path, verbose: bool) -> LockfileRegenResult {
+pub fn regenerate_lockfiles(
+    manifest_path: &Path,
+    changed: &[String],
+    verbose: bool,
+) -> LockfileRegenResult {
     let lockfiles = detect_lockfiles(manifest_path);
 
     if lockfiles.is_empty() {
@@ -345,7 +401,7 @@ pub fn regenerate_lockfiles(manifest_path: &Path, verbose: bool) -> LockfileRege
 
     let outcomes = lockfiles
         .into_iter()
-        .map(|lf| regenerate_lockfile(manifest_path, lf, verbose))
+        .map(|lf| regenerate_lockfile(manifest_path, lf, changed, verbose))
         .collect();
 
     LockfileRegenResult {
@@ -377,29 +433,104 @@ mod tests {
 
     #[test]
     fn test_lockfile_type_command() {
-        let (cmd, args) = LockfileType::PoetryLock.command();
+        let (cmd, args) = LockfileType::PoetryLock.command(&[]);
         assert_eq!(cmd, "poetry");
         assert_eq!(args, &["lock", "--no-update"]);
 
-        let (cmd, args) = LockfileType::UvLock.command();
+        let (cmd, args) = LockfileType::UvLock.command(&[]);
         assert_eq!(cmd, "uv");
         assert_eq!(args, &["lock"]);
+    }
 
-        let (cmd, args) = LockfileType::PackageLockJson.command();
+    #[test]
+    fn test_package_lock_json_uses_package_lock_only_flag() {
+        let (cmd, args) = LockfileType::PackageLockJson.command(&["react".to_string()]);
         assert_eq!(cmd, "npm");
-        assert_eq!(args, &["install"]);
+        assert_eq!(args, vec!["install", "--package-lock-only"]);
+    }
 
-        let (cmd, args) = LockfileType::BunLock.command();
-        assert_eq!(cmd, "bun");
-        assert_eq!(args, &["install"]);
+    #[test]
+    fn test_pnpm_lock_uses_lockfile_only_flag() {
+        let (cmd, args) = LockfileType::PnpmLock.command(&["react".to_string()]);
+        assert_eq!(cmd, "pnpm");
+        assert_eq!(args, vec!["install", "--lockfile-only"]);
+    }
 
-        let (cmd, args) = LockfileType::CargoLock.command();
+    #[test]
+    fn test_yarn_lock_uses_mode_update_lockfile_flag() {
+        // Yarn Berry (2+) supports --mode update-lockfile; it is the only
+        // documented flag that refreshes the lockfile without running install
+        // scripts.
+        let (cmd, args) = LockfileType::YarnLock.command(&["react".to_string()]);
+        assert_eq!(cmd, "yarn");
+        assert_eq!(args, vec!["install", "--mode", "update-lockfile"]);
+    }
+
+    #[test]
+    fn test_cargo_lock_passes_each_changed_package_to_update_p() {
+        let changed = vec!["serde".to_string(), "tokio".to_string()];
+        let (cmd, args) = LockfileType::CargoLock.command(&changed);
+        assert_eq!(cmd, "cargo");
+        assert_eq!(args, vec!["update", "-p", "serde", "-p", "tokio"]);
+    }
+
+    #[test]
+    fn test_cargo_lock_with_empty_changed_list_stays_workspace_broad() {
+        // Defensive: an empty changed list should never reach command() from the
+        // update path, but if it does (e.g. the `upd lock` subcommand) we emit the
+        // broad workspace update so nothing silently regresses.
+        let (cmd, args) = LockfileType::CargoLock.command(&[]);
         assert_eq!(cmd, "cargo");
-        assert_eq!(args, &["update"]);
+        assert_eq!(args, vec!["update", "--workspace"]);
+    }
 
-        let (cmd, args) = LockfileType::GoSum.command();
+    #[test]
+    fn test_gemfile_lock_uses_bundle_lock_update_with_changed_packages() {
+        let changed = vec!["rails".to_string(), "pg".to_string()];
+        let (cmd, args) = LockfileType::GemfileLock.command(&changed);
+        assert_eq!(cmd, "bundle");
+        assert_eq!(args, vec!["lock", "--update", "rails", "pg"]);
+    }
+
+    #[test]
+    fn test_gemfile_lock_with_empty_changed_list_uses_plain_bundle_lock() {
+        // Without targeted packages, `bundle lock --update` would bump every gem;
+        // we emit plain `bundle lock` (refreshes against the current Gemfile
+        // without bumping anything).
+        let (cmd, args) = LockfileType::GemfileLock.command(&[]);
+        assert_eq!(cmd, "bundle");
+        assert_eq!(args, vec!["lock"]);
+    }
+
+    #[test]
+    fn test_go_sum_falls_back_to_mod_tidy_regardless_of_changed_list() {
+        let (cmd, args) = LockfileType::GoSum.command(&["golang.org/x/net".to_string()]);
         assert_eq!(cmd, "go");
-        assert_eq!(args, &["mod", "tidy"]);
+        assert_eq!(args, vec!["mod", "tidy"]);
+    }
+
+    #[test]
+    fn test_packages_lock_json_falls_back_to_dotnet_restore() {
+        let (cmd, args) = LockfileType::PackagesLockJson.command(&["Newtonsoft.Json".to_string()]);
+        assert_eq!(cmd, "dotnet");
+        assert_eq!(args, vec!["restore"]);
+    }
+
+    #[test]
+    fn test_terraform_lock_falls_back_to_providers_lock() {
+        let (cmd, args) = LockfileType::TerraformLock.command(&["hashicorp/aws".to_string()]);
+        assert_eq!(cmd, "terraform");
+        assert_eq!(args, vec!["providers", "lock"]);
+    }
+
+    #[test]
+    fn test_bun_lock_uses_bun_install() {
+        // Bun does not have a stable lockfile-only mode; plain `install` is the
+        // minimum reliable form. Keeping the test pins the decision so changes
+        // here are intentional.
+        let (cmd, args) = LockfileType::BunLock.command(&["react".to_string()]);
+        assert_eq!(cmd, "bun");
+        assert_eq!(args, vec!["install"]);
     }
 
     #[test]
@@ -570,13 +701,6 @@ mod tests {
         assert_eq!(LockfileType::GemfileLock.filename(), "Gemfile.lock");
     }
 
-    #[test]
-    fn test_lockfile_type_gemfile_command() {
-        let (cmd, args) = LockfileType::GemfileLock.command();
-        assert_eq!(cmd, "bundle");
-        assert_eq!(args, &["install"]);
-    }
-
     #[test]
     fn test_lockfile_type_gemfile_manifest() {
         assert_eq!(LockfileType::GemfileLock.manifest(), "Gemfile");
@@ -630,16 +754,6 @@ mod tests {
         );
     }
 
-    #[test]
-    fn test_lockfile_type_packages_lock_json_command() {
-        // .NET lockfiles are regenerated via `dotnet restore` (which
-        // rewrites `packages.lock.json` next to each .csproj when
-        // `RestorePackagesWithLockFile` is enabled).
-        let (cmd, args) = LockfileType::PackagesLockJson.command();
-        assert_eq!(cmd, "dotnet");
-        assert_eq!(args, &["restore"]);
-    }
-
     #[test]
     fn test_detect_lockfiles_packages_lock_json_for_csproj() {
         let dir = tempdir().unwrap();
@@ -681,17 +795,6 @@ mod tests {
         );
     }
 
-    #[test]
-    fn test_lockfile_type_terraform_lock_hcl_command() {
-        // Terraform's dependency-lock file is regenerated with
-        // `terraform providers lock -platform=...`. We use the bare form
-        // which updates the existing lock in-place for all platforms
-        // currently pinned.
-        let (cmd, args) = LockfileType::TerraformLock.command();
-        assert_eq!(cmd, "terraform");
-        assert_eq!(args, &["providers", "lock"]);
-    }
-
     #[test]
     fn test_detect_lockfiles_terraform_lock_hcl_for_tf_file() {
         let dir = tempdir().unwrap();
@@ -743,7 +846,7 @@ mod tests {
         fs::write(&manifest, "{}").unwrap();
         // Deliberately do NOT create package-lock.json
 
-        let result = regenerate_lockfiles(&manifest, false);
+        let result = regenerate_lockfiles(&manifest, &[], false);
         assert!(
             result.no_lockfiles,
             "no_lockfiles should be true when no lockfile exists beside the manifest"
@@ -762,7 +865,7 @@ mod tests {
         fs::write(&manifest, "[package]").unwrap();
         // Deliberately do NOT create Cargo.lock
 
-        let result = regenerate_lockfiles(&manifest, false);
+        let result = regenerate_lockfiles(&manifest, &[], false);
         assert!(
             result.no_lockfiles,
             "no_lockfiles should be true when Cargo.lock is absent"