You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Closes#3
The parser-coverage doc previously documented general edge cases
(monorepos, nested node_modules, optional deps, private registries)
but did not spell out the format-specific behaviors each parser has
today. This section pulls those out per format, cross-referenced
against src/parsers/*.ts so bug reports can hit the right target.
- package-lock.json: v1/v2/v3 handling, node_modules path filter,
dev flag source.
- pnpm-lock.yaml: v5/v6/v9 branch, link: / workspace: stripping,
approximated path reconstruction.
- yarn.lock: --prod-only not honored (no dev/prod distinction in
Classic lockfiles), flattened paths.
- bun.lock: JSONC parsing, workspace-based dev inference.
- package.json fallback: 50-entry skipped-deps cap, no transitive
visibility.
Copy file name to clipboardExpand all lines: docs/parser-coverage.md
+36Lines changed: 36 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,6 +40,42 @@ For accurate transitive visibility and resolved version scanning, always use a l
40
40
41
41
---
42
42
43
+
## Format-specific limitations
44
+
45
+
Each parser handles some details differently. The behaviors below reflect the current implementation in `src/parsers/`.
46
+
47
+
### package-lock.json
48
+
49
+
-**v1, v2, and v3 supported.** v1 uses the legacy nested `dependencies` object; v2 and v3 use the flat `packages` map. Both paths are handled.
50
+
-**Entries without a `node_modules/` path are skipped.** Root-level `""` entries that describe the project itself are intentionally ignored.
51
+
-**Dev classification comes from the lockfile's `dev` flag.** Packages marked `devOptional` are classified as prod unless `dev: true` is also set.
52
+
53
+
### pnpm-lock.yaml
54
+
55
+
-**Lockfile versions v5, v6, and v9+ supported.** v9+ uses the newer `snapshots` model; earlier versions use the legacy `packages` map. The parser branches on `lockfileVersion`.
56
+
-**Non-registry resolutions are skipped.**`link:` and `workspace:` prefixes are stripped, and any resulting relative-path reference (`./`, `../`) is not scanned. Tarball URLs and `file:` references without a resolvable version are similarly skipped.
57
+
-**Dependency paths are approximated** from importer relationships and package snapshots, not a strict resolution tree.
58
+
59
+
### yarn.lock
60
+
61
+
-**Classic (v1) and Berry (v2/v3) formats supported** via `yarn-lockfile`.
62
+
-**`--prod-only` has no effect with yarn.lock.** Yarn Classic lockfiles don't record a dev/prod distinction, so every resolved entry is scanned regardless of the flag.
63
+
-**Dependency paths are flattened to `project > name`.** Transitive path reconstruction is limited for yarn.lock — this is the MVP behavior noted in the scan output.
64
+
65
+
### bun.lock
66
+
67
+
-**JSONC format** (Bun v1.1.38+). Trailing commas are stripped before JSON parsing.
68
+
-**Dev inference from workspace sections.** A package is treated as dev-only if its name appears in a workspace's `devDependencies` but not its `dependencies`. Transitive packages default to prod.
69
+
-**Dependency paths are flattened to `project > name`** (same as yarn.lock).
70
+
71
+
### package.json (fallback)
72
+
73
+
-**Only exact-pinned direct dependencies** are scanned (e.g. `"lodash": "4.17.20"`). Range specifiers (`^`, `~`, `>=`, `*`, `latest`, git/tarball URLs) are skipped and reported.
74
+
-**Skipped-dependency report is capped at 50 entries.** In projects with many non-pinned specs, only the first 50 are listed in the report; the scan itself still proceeds.
75
+
-**No transitive visibility.** Because no lockfile is present, resolved versions of sub-dependencies cannot be determined.
0 commit comments