feat: Add shrinkwrap-extractor to the root project's lib

Author: d3xter666

lib/shrinkwrap-extractor/.editorconfig

@@ -0,0 +1,20 @@
+# see http://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+indent_style = tab
+
+[*.{css,html,js,cjs,mjs,jsx,ts,tsx,less,txt,json,yml,md}]
+trim_trailing_whitespace = true
+end_of_line = lf
+indent_size = 4
+insert_final_newline = true
+
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false

lib/shrinkwrap-extractor/.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

lib/shrinkwrap-extractor/.npmrc

@@ -0,0 +1,4 @@
+# Enforce public npm registry
+registry=https://registry.npmjs.org/
+lockfile-version=3
+ignore-scripts=true

lib/shrinkwrap-extractor/cli.js

@@ -0,0 +1,66 @@
+#!/usr/bin/env node
+
+import {readFile, writeFile} from "node:fs/promises";
+import {join} from "node:path";
+import convertPackageLockToShrinkwrap from "./lib/convertPackageLockToShrinkwrap.js";
+
+async function main() {
+	const args = process.argv.slice(2);
+
+	// Validate arguments
+	if (args.length !== 1) {
+		console.error("Error: Expected exactly 1 argument");
+		console.error("Usage: shrinkwrap-extractor <path-to-workspace-root>");
+		process.exit(1);
+	}
+
+	const [workspaceRootPath] = args;
+
+	try {
+		console.log(`Generating shrinkwrap in: ${process.cwd()}`);
+		console.log(`Using workspace root: ${workspaceRootPath}`);
+
+		// Read and parse package.json
+		const packageJsonContent = await readFile(join(process.cwd(), "package.json"), "utf-8");
+		const packageJson = JSON.parse(packageJsonContent);
+		const packageName = packageJson.name;
+
+		// Validate package name
+		if (!packageName || packageName.trim() === "") {
+			console.error("Error: Package name cannot be empty");
+			process.exit(1);
+		}
+
+		console.log(`Converting dependencies for package: ${packageName}`);
+
+		// Extract into shrinkwrap
+		const shrinkwrap = await convertPackageLockToShrinkwrap(workspaceRootPath, packageName);
+
+		// Write npm-shrinkwrap.json to current working directory
+		const outputPath = join(process.cwd(), "npm-shrinkwrap.json");
+		const shrinkwrapContent = JSON.stringify(shrinkwrap, null, "\t");
+
+		await writeFile(outputPath, shrinkwrapContent, "utf-8");
+
+		console.log(`Successfully generated npm-shrinkwrap.json with ${Object.keys(shrinkwrap.packages).length - 1} dependencies (excluding root)`);
+		console.log(`Output written to: ${outputPath}`);
+	} catch (error) {
+		console.error(`Unexpected error: ${error.message}`);
+		console.error("Stack trace:", error.stack);
+
+		process.exit(1);
+	}
+}
+
+// Handle uncaught exceptions
+process.on("uncaughtException", (error) => {
+	console.error("Uncaught exception:", error.message);
+	process.exit(1);
+});
+
+process.on("unhandledRejection", (reason, promise) => {
+	console.error("Unhandled rejection at:", promise, "reason:", reason);
+	process.exit(1);
+});
+
+main();

lib/shrinkwrap-extractor/eslint.config.js

@@ -0,0 +1,54 @@
+import js from "@eslint/js";
+import globals from "globals";
+import google from "eslint-config-google";
+
+export default [{
+	ignores: [
+		"**/coverage/",
+		"test/tmp/",
+		"test/expected/",
+		"test/fixtures/",
+	],
+}, js.configs.recommended, google, {
+	languageOptions: {
+		globals: {
+			...globals.node,
+		},
+
+		ecmaVersion: 2023,
+		sourceType: "module",
+	},
+
+	rules: {
+		"indent": ["error", "tab"],
+		"linebreak-style": ["error", "unix"],
+
+		"quotes": ["error", "double", {
+			allowTemplateLiterals: true,
+		}],
+
+		"semi": ["error", "always"],
+		"no-negated-condition": "off",
+		"require-jsdoc": "off",
+		"no-mixed-requires": "off",
+
+		"max-len": ["error", {
+			code: 160,
+			ignoreUrls: true,
+			ignoreRegExpLiterals: true,
+		}],
+
+		"no-implicit-coercion": [2, {
+			allow: ["!!"],
+		}],
+
+		"comma-dangle": "off",
+		"no-tabs": "off",
+		"no-eval": 2,
+		// The following rule must be disabled as of ESLint 9.
+		// It's removed and causes issues when present
+		// https://eslint.org/docs/latest/rules/valid-jsdoc
+		"valid-jsdoc": 0,
+	},
+}
+];

lib/shrinkwrap-extractor/lib/convertPackageLockToShrinkwrap.js

@@ -0,0 +1,131 @@
+import {readFile} from "node:fs/promises";
+import path from "path";
+import {Arborist} from "@npmcli/arborist";
+import pacote from "pacote";
+
+async function readJson(filePath) {
+	const jsonString = await readFile(filePath, {encoding: "utf-8"});
+	return JSON.parse(jsonString);
+}
+
+export default async function convertPackageLockToShrinkwrap(workspaceRootDir, targetPackageName) {
+	const packageLockJson = await readJson(path.join(workspaceRootDir, "package-lock.json"));
+
+	// Input validation
+	if (!packageLockJson || typeof packageLockJson !== "object") {
+		throw new Error("Invalid package-lock.json: must be a valid JSON object");
+	}
+
+	if (!targetPackageName || typeof targetPackageName !== "string" || targetPackageName.trim() === "") {
+		throw new Error("Invalid target package name: must be a non-empty string");
+	}
+
+	if (!packageLockJson.packages) {
+		throw new Error("Invalid package-lock.json: missing packages field");
+	}
+
+	if (typeof packageLockJson.packages !== "object") {
+		throw new Error("Invalid package-lock.json: packages field must be an object");
+	}
+
+	// Validate lockfile version - only support version 3
+	if (packageLockJson.lockfileVersion && packageLockJson.lockfileVersion !== 3) {
+		throw new Error(`Unsupported lockfile version: ${packageLockJson.lockfileVersion}. Only lockfile version 3 is supported`);
+	}
+
+	// Default to version 3 if not specified
+	if (!packageLockJson.lockfileVersion) {
+		packageLockJson.lockfileVersion = 3;
+	}
+
+	// We use arborist to traverse the dependency graph correctly. It handles various edge cases such as
+	// dependencies installed via "npm:xyz", which required special parsing (see package "@isaacs/cliui").
+	const arb = new Arborist({
+		path: workspaceRootDir,
+	});
+	const tree = await arb.loadVirtual();
+	const cliNode = Array.from(tree.tops).find((node) => node.packageName === targetPackageName);
+	if (!cliNode) {
+		throw new Error(`Target package "${targetPackageName}" not found in workspace`);
+	}
+
+	const relevantPackageLocations = new Map();
+	// Collect all package keys using arborist
+	collectDependencies(cliNode, relevantPackageLocations);
+
+	// Using the keys, extract relevant package-entries from package-lock.json
+	const extractedPackages = Object.create(null);
+	for (let [packageLoc, node] of relevantPackageLocations) {
+		let pkg = packageLockJson.packages[packageLoc];
+		if (pkg.link) {
+			pkg = packageLockJson.packages[pkg.resolved];
+		}
+		if (pkg.name === targetPackageName) {
+			// Make the target package the root package
+			packageLoc = "";
+			if (extractedPackages[packageLoc]) {
+				throw new Error(`Duplicate root package entry for "${targetPackageName}"`);
+			}
+		} else if (!pkg.resolved) {
+			// For all but the root package, ensure that "resolved" and "integrity" fields are present
+			// These are always missing for locally linked packages, but sometimes also for others (e.g. if installed
+			// from local cache)
+			const {resolved, integrity} = await fetchPackageMetadata(node.packageName, node.version);
+			pkg.resolved = resolved;
+			pkg.integrity = integrity;
+		}
+		extractedPackages[packageLoc] = pkg;
+	}
+
+	// Sort packages by key to ensure consistent order (just like the npm cli does it)
+	const sortedExtractedPackages = Object.create(null);
+	const sortedKeys = Object.keys(extractedPackages).sort((a, b) => a.localeCompare(b));
+	for (const key of sortedKeys) {
+		sortedExtractedPackages[key] = extractedPackages[key];
+	}
+
+	// Generate npm-shrinkwrap.json
+	const shrinkwrap = {
+		name: targetPackageName,
+		version: cliNode.version,
+		lockfileVersion: 3,
+		requires: true,
+		packages: sortedExtractedPackages
+	};
+
+	return shrinkwrap;
+}
+
+function collectDependencies(node, relevantPackageLocations) {
+	if (relevantPackageLocations.has(node.location)) {
+		// Already processed
+		return;
+	}
+	relevantPackageLocations.set(node.location, node);
+	if (node.isLink) {
+		node = node.target;
+	}
+	for (const edge of node.edgesOut.values()) {
+		if (edge.dev) {
+			continue;
+		}
+		collectDependencies(edge.to, relevantPackageLocations);
+	}
+}
+
+/**
+ * Fetch package metadata from npm registry using pacote
+ */
+async function fetchPackageMetadata(packageName, version) {
+	try {
+		const spec = `${packageName}@${version}`;
+		const manifest = await pacote.manifest(spec);
+
+		return {
+			resolved: manifest.dist.tarball,
+			integrity: manifest.dist.integrity
+		};
+	} catch (error) {
+		throw new Error(`Could not fetch registry metadata for ${packageName}@${version}: ${error.message}`);
+	}
+}