parse lockfiles of npm, yarn, pnpm
- only 300 lines of code: readable, hackable
- using the original code to parse lockfiles
useful for

- implementing a custom `npm install`
  - example: pnpm-install-only
- analysis of the dependency tree
  - workspaces
  - test cycles (cyclic dependency graphs)
- fix infinite recursion: `RangeError: Maximum call stack size exceeded`
  - reproduced with `./bin/print-package-lock.js ./test/tmp/test/workspace-npm/npm/workspaces/arborist/ ./test/tmp/test/workspace-npm/npm/package-lock.json`
  - fix: `name` → `dep.name`
- convert to ESM
- add typescript declaration file `*.d.ts`
- separate code: lib vs bin
- validate lockfile: must be in sync with package.json
  - this should be covered by `ErrorCode.NotResolved` (TODO verify)
- tolerate missing dependencies? peerDependencies, devDependencies. just install as much as possible from the lockfile
- alias names are needed in the result
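The two notes above on cyclic dependency graphs (infinite recursion) and on keeping the lockfile in sync with package.json, shown as an added example that is not the project's own code. It assumes npm's `lockfileVersion` 2/3 layout (a `packages` map keyed by `node_modules/...` paths) and npm's upward `node_modules` lookup; the error code names `NotResolved` and `SpecMismatch` are hypothetical stand-ins for whatever the real parser raises, and all lockfile and package.json data is constructed:

```javascript
// Added example, not the project's code: walk the "packages" map of a
// package-lock.json (lockfileVersion 2/3) without infinite recursion on a
// cyclic dependency graph, and check that the lockfile is in sync with
// package.json. All data below is constructed for the example.

// Constructed package.json: asks for "c", which the lockfile does not resolve.
const packageJson = {
  name: "app",
  dependencies: { a: "^1.0.0", b: "^1.0.0", c: "^2.0.0" },
};

// Constructed lockfile: "a" and "b" depend on each other (a cycle).
const packageLock = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { a: "^1.0.0", b: "^1.0.0" } },
    "node_modules/a": { version: "1.0.0", dependencies: { b: "^1.0.0" } },
    "node_modules/b": { version: "1.0.0", dependencies: { a: "^1.0.0" } },
  },
};

// npm-style resolution: look for node_modules/<name> under the requesting
// package, then walk up one node_modules level at a time to the root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate =
      base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk. The "visited" set keeps each package to one visit and the
// "stack" array detects back edges; without them a -> b -> a recurses until
// "RangeError: Maximum call stack size exceeded".
function walkTree(packages) {
  const visited = new Set();
  const cycles = [];
  const missing = [];
  function visit(pkgPath, stack) {
    if (stack.includes(pkgPath)) {
      cycles.push([...stack, pkgPath]);
      return;
    }
    if (visited.has(pkgPath)) return;
    visited.add(pkgPath);
    const deps = packages[pkgPath].dependencies || {};
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, pkgPath, name);
      if (target === null) {
        // Unresolved edge: recorded, not fatal, so a caller can still
        // install as much as the lockfile does provide.
        missing.push({ from: pkgPath, name });
        continue;
      }
      visit(target, [...stack, pkgPath]);
    }
  }
  visit("", []);
  return { visited: [...visited], cycles, missing };
}

// Sync check: every dependency declared in package.json must resolve from the
// lockfile root with the same spec. The error codes are hypothetical names for
// this example, standing in for whatever the real parser raises.
function validateLockfile(pkgJson, lock) {
  const wanted = {
    ...(pkgJson.dependencies || {}),
    ...(pkgJson.devDependencies || {}),
  };
  const rootDeps = lock.packages[""].dependencies || {};
  const errors = [];
  for (const [name, spec] of Object.entries(wanted)) {
    if (resolveDep(lock.packages, "", name) === null) {
      errors.push({ code: "NotResolved", name, spec });
    } else if (rootDeps[name] !== spec) {
      errors.push({ code: "SpecMismatch", name, spec, declared: rootDeps[name] });
    }
  }
  return errors;
}

console.log(JSON.stringify(walkTree(packageLock.packages), null, 2));
console.log(JSON.stringify(validateLockfile(packageJson, packageLock), null, 2));
```

On the constructed data the walk visits three packages, reports one cycle (`"" -> node_modules/a -> node_modules/b -> node_modules/a`) and no missing edges, while the sync check reports `c` as not resolved. The `missing` list is what a "tolerate missing dependencies" mode would consume instead of aborting.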
- protocols for spec-versions
  - `npm:`
  - `file:`
  - `workspace:`
  - `github:`
  - `git:` `git+ssh:` `git+http:` `git+https:` `git+file:`
  - `https:` `ftps:`
  - more?
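A parser for the spec-version protocols listed above, which also carries the alias name (`npm:` specs) into the result as the earlier note asks for. This is an added example, not the project's code; the field names of the returned objects and the `"registry"` label for protocol-less semver ranges are this example's own choices, and the sample dependency map is constructed:

```javascript
// Added example, not the project's code: classify dependency specs by
// protocol and keep the alias name, so the result carries both the key used
// in package.json and the package actually installed.

const GIT_PROTOCOLS = new Set(["git", "git+ssh", "git+http", "git+https", "git+file"]);
const TARBALL_PROTOCOLS = new Set(["http", "https", "ftps"]);

function parseSpec(name, spec) {
  const m = /^([a-z][a-z0-9+]*):/i.exec(spec);
  if (!m) {
    // No protocol prefix: a semver range, tag or exact version from the
    // registry. "registry" is this example's label, not an npm protocol.
    return { alias: null, name, protocol: "registry", range: spec };
  }
  const protocol = m[1].toLowerCase();
  const rest = spec.slice(m[0].length);
  if (protocol === "npm") {
    // npm:<real-name>@<range>: the package.json key is an alias for <real-name>.
    // lastIndexOf keeps scoped names like @scope/pkg intact.
    const at = rest.lastIndexOf("@");
    const realName = at > 0 ? rest.slice(0, at) : rest;
    const range = at > 0 ? rest.slice(at + 1) : "*";
    return { alias: name, name: realName, protocol, range };
  }
  if (protocol === "workspace") return { alias: null, name, protocol, range: rest };
  if (protocol === "file") return { alias: null, name, protocol, path: rest };
  if (protocol === "github") {
    const [repo, ref = ""] = rest.split("#");
    return { alias: null, name, protocol, repo, ref };
  }
  if (GIT_PROTOCOLS.has(protocol)) {
    const [url, ref = ""] = spec.split("#");
    return { alias: null, name, protocol, url, ref };
  }
  if (TARBALL_PROTOCOLS.has(protocol)) return { alias: null, name, protocol, url: spec };
  // Anything else is kept verbatim and flagged so the caller can decide.
  return { alias: null, name, protocol, raw: spec, unsupported: true };
}

function parseAll(deps) {
  return Object.fromEntries(
    Object.entries(deps).map(([n, s]) => [n, parseSpec(n, s)])
  );
}

// Constructed sample dependencies, one per protocol family.
const sampleDeps = {
  "lodash-legacy": "npm:lodash@^3.10.1",
  "my-lib": "workspace:*",
  "local-tool": "file:../local-tool",
  "some-fork": "github:example/some-fork#v2.0.0",
  "from-git": "git+ssh://git@github.com/example/from-git.git#main",
  tarball: "https://example.com/tarball-1.0.0.tgz",
  express: "^4.18.2",
};

console.log(JSON.stringify(parseAll(sampleDeps), null, 2));
```

The `alias` field is `null` except for `npm:` specs, where it holds the package.json key and `name` holds the real package; an installer needs both, since the directory under `node_modules` is named after the alias while the tarball comes from the real package.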
- snyk-nodejs-lockfile-parser
  - pnpm is not supported
  - integrity is missing
  - 1354 lines of code in `lib/`
- `pnpm import`: generate a pnpm-lock.yaml from another package manager's lockfile. Supported source files: package-lock.json, npm-shrinkwrap.json, yarn.lock. note: workspaces must be declared in pnpm-workspace.yaml
- antongolub/lockfile: many protocols for spec-versions ("dependency protocols"), no pnpm support