Skip to content

feat(npm) add lockfileVersion 1 support via fromDependenciesTree#20

Merged
indexzero merged 5 commits intomainfrom
feat/link-resolve-v1
Apr 14, 2026
Merged

feat(npm) add lockfileVersion 1 support via fromDependenciesTree#20
indexzero merged 5 commits intomainfrom
feat/link-resolve-v1

Conversation

@indexzero
Copy link
Copy Markdown
Owner

@indexzero indexzero commented Apr 14, 2026
edited
Loading

What

fromPackageLock now parses npm lockfileVersion 1 files by falling back to a new fromDependenciesTree generator when the packages map is empty and dependencies exists. The new function walks the nested v1 tree iteratively and yields the same Dependency shape (name, version, integrity?, resolved?).

Why

v1 lockfiles use a nested dependencies tree instead of the v2/v3 packages map. fromPackageLock iterated packages || {}, so v1 files silently produced zero results. The v2/v3 path is unchanged — v2 lockfiles that have both packages and dependencies always use packages.

Risk Assessment

Low risk: v2/v3 codepath is unchanged. The fallback only activates when packages has zero non-root entries AND dependencies exists. 465 tests pass including 12 new fromDependenciesTree tests and the updated v1 fixture test.

@indexzero indexzero force-pushed the feat/link-resolve-v1 branch from 2efd18a to 10a7f13 Compare April 14, 2026 14:13
indexzero and others added 2 commits April 14, 2026 10:14
@indexzero @claude
feat(npm) add fromDependenciesTree for lockfileVersion 1 support
dc82d54 
fromPackageLock only iterates the v2/v3 packages map. v1 lockfiles
store deps in a nested dependencies tree and produced zero results.

fromDependenciesTree walks the v1 tree iteratively (depth-first)
and yields the same Dependency shape. fromPackageLock falls back to
it when packages is empty and dependencies exists.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@indexzero @claude
test(npm) add v1 lockfile and fromDependenciesTree coverage
e22cdf0 
Replace the assertion that v1 returns empty with tests proving
v1 now yields deps. Add 12 tests for fromDependenciesTree covering
flat deps, nested conflict resolution, scoped packages, string vs
object input, and fallback delegation from fromPackageLock.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@indexzero indexzero force-pushed the feat/link-resolve-v1 branch from 10a7f13 to e22cdf0 Compare April 14, 2026 14:14
indexzero and others added 3 commits April 14, 2026 10:18
@indexzero @claude
doc(changelog) add unreleased entry for v1 lockfile support
dbe8cb6 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@indexzero @claude
doc(readme) add link field to Output Format type definition
27bd4f0 
The Dependency type has included resolved and link since they were
added to types.js, but the README output example omitted link.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@indexzero @claude
nit(format) fix biome line-length violation in re-export
3cdb809 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@indexzero indexzero merged commit 8df0a6b into main Apr 14, 2026
5 checks passed
@indexzero indexzero deleted the feat/link-resolve-v1 branch April 14, 2026 18:31
@indexzero indexzero mentioned this pull request Apr 15, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@indexzero