parse-package-lock

parse lockfiles of npm, yarn, pnpm

• only 300 lines of code: readable, hackable
• using the original code to parse lockfiles

why

useful for

• implementing a custom npm install
  • example: pnpm-install-only
• analysis of the dependency tree

todo

• workspaces
  • npm (TODO verify)
  • yarn
  • pnpm (TODO verify)
• test cycles (cyclic dependency graphs)
  • fix infinite recursion: RangeError: Maximum call stack size exceeded
    • caused by ./bin/print-package-lock.js ./test/tmp/test/workspace-npm/npm/workspaces/arborist/ ./test/tmp/test/workspace-npm/npm/package-lock.json
    • fix: name → dep.name
• convert to ESM
• add typescript declaration file *.d.ts
• separate code: lib vs bin
• validate lockfile: must be in sync with package.json
  • this should be covered by ErrorCode.NotResolved (TODO verify)
• tolerate missing dependencies? peerDependencies, devDependencies. just install as much as possible from the lockfile
• alias names are needed in the result
• protocols for spec-versions
  • npm:
  • file:
    • https://docs.npmjs.com/cli/v7/configuring-npm/package-json#local-paths
  • workspace:
  • github:
    • https://docs.npmjs.com/cli/v7/configuring-npm/package-json#github-urls
  • git: git+ssh: git+http: git+https: git+file:
  • https: ftps:
    • https://docs.npmjs.com/cli/v7/configuring-npm/package-json#urls-as-dependencies
  • more?

similar projects

• snyk-nodejs-lockfile-parser
  • pnpm is not supported
  • integrity is missing
  • 1354 lines of code in lib/
• pnpm import - generate a pnpm-lock.yaml from another package manager's lockfile. Supported source files: package-lock.json npm-shrinkwrap.json yarn.lock. note: workspaces must be declared in pnpm-workspace.yaml
• antongolub/lockfile - many protocols for spec-versions ("dependency protocols"), no pnpm support