feat(js): add JavaScript language support (#72)

omnibump doesn't support JS right now. There's no pipeline in `melange`
for bumping JS dependencies either. This means that JS users have to
manually update their package.json with error-prone scripts or direct
calls to the package managers.

Here we add `js` as a first-class language. JS is detected by looking
for package.json. In contrast to the other supported languages, JS has
multiple package managers. We support pnpm, yarn, npm and bun. The
manager can be auto-detected by looking for a lock file (e.g.
`pnpm-lock.yaml`), or it can be manually specified via --manager. When
manually specifying, a list may be given, for cases when there is more
than one manager involved (e.g. in a migration).

The updater tries to make minimal edits: to preserve existing keys and
formatting.

Author: iainlane

README.md

@@ -8,7 +8,7 @@
 
 ## Features
 
-- **Multi-Language Support**: Go, Rust, and Java (Maven, Gradle)
+- **Multi-Language Support**: Go, Rust, Java (Maven, Gradle), and JavaScript (pnpm, yarn, npm, bun)
 - **Automatic Detection**: Identifies project language automatically
 - **Unified Configuration**: Single configuration format across all languages
 - **Property-Based Updates**: Smart property management for Maven
@@ -27,6 +27,11 @@
 | Rust | Cargo | `Cargo.lock`, `Cargo.toml` |
 | Java | Maven | `pom.xml` |
 | Java | Gradle | `build.gradle`, `build.gradle.kts` |
+| JavaScript | pnpm | `package.json`, `pnpm-lock.yaml` |
+| JavaScript | yarn | `package.json`, `yarn.lock` |
+| JavaScript | npm | `package.json`, `package-lock.json` |
+| JavaScript | bun | `package.json`, `bun.lock`, `bun.lockb` |
+
 
 ## Installation
 

cmd/omnibump/analyze.go

@@ -19,6 +19,7 @@ import (
 	"github.com/chainguard-dev/omnibump/pkg/languages"
 	"github.com/chainguard-dev/omnibump/pkg/languages/golang"
 	"github.com/chainguard-dev/omnibump/pkg/languages/java"
+	"github.com/chainguard-dev/omnibump/pkg/languages/js"
 	"github.com/chainguard-dev/omnibump/pkg/languages/php"
 	"github.com/chainguard-dev/omnibump/pkg/languages/rust"
 	"github.com/ghodss/yaml"
@@ -61,7 +62,7 @@ func analyzeCmd() *cobra.Command {
 		Long: `Analyze a project to understand how dependencies are defined.
 This helps determine whether to use direct dependency patches or property updates.
 
-Supports Java (Maven), Go, and Rust projects with automatic language detection.
+Supports Java (Maven), Go, Rust, and JavaScript projects with automatic language detection.
 
 Examples:
   # Analyze current directory
@@ -77,7 +78,7 @@ Examples:
 	}
 
 	f := cmd.Flags()
-	f.StringVarP(&analyzeF.language, "language", "l", "auto", "language to analyze (auto, java, go, rust, or deprecated: maven)")
+	f.StringVarP(&analyzeF.language, "language", "l", "auto", "language to analyze (auto, java, go, rust, js, or deprecated: maven)")
 	f.StringVar(&analyzeF.outputFormat, "output", "text", "output format (text, json, yaml)")
 	f.StringVar(&analyzeF.depsFile, "deps", "", "dependencies file to analyze strategy for")
 	f.StringVar(&analyzeF.packages, "packages", "", "inline package list to analyze")
@@ -138,6 +139,8 @@ func runAnalyze(cmd *cobra.Command, args []string) error {
 		projectAnalyzer = &golang.GolangAnalyzer{}
 	case "rust":
 		projectAnalyzer = &rust.RustAnalyzer{}
+	case "js":
+		projectAnalyzer = &js.JSAnalyzer{}
 	case "php":
 		// Get the PHP language and detect build tool
 		phpLang := &php.PHP{}

cmd/omnibump/root.go

@@ -21,6 +21,7 @@ import (
 	_ "github.com/chainguard-dev/omnibump/pkg/languages/golang" // Register Go
 	_ "github.com/chainguard-dev/omnibump/pkg/languages/java"   // Register Java (Maven, Gradle, etc.)
 	"github.com/chainguard-dev/omnibump/pkg/languages/java/maven"
+	"github.com/chainguard-dev/omnibump/pkg/languages/js"
 	_ "github.com/chainguard-dev/omnibump/pkg/languages/php"  // Register PHP (Composer, etc.)
 	_ "github.com/chainguard-dev/omnibump/pkg/languages/rust" // Register Rust
 	charmlog "github.com/charmbracelet/log"
@@ -30,6 +31,7 @@ import (
 
 type rootFlags struct {
 	language       string
+	managers       []string
 	depsFile       string
 	propertiesFile string
 	packages       string
@@ -77,7 +79,8 @@ func New() *cobra.Command {
 
 	// Add root command flags
 	f := cmd.Flags()
-	f.StringVarP(&flags.language, "language", "l", "auto", "language to use (auto, java, go, rust, or deprecated: maven)")
+	f.StringVarP(&flags.language, "language", "l", "auto", "language to use (auto, java, go, rust, js, or deprecated: maven)")
+	f.StringSliceVar(&flags.managers, "manager", nil, "build tool(s) within a language (currently only used for js: pnpm, yarn, npm, bun). May be repeated or comma-separated to write the same overrides under more than one manager's field.")
 	f.StringVar(&flags.depsFile, "deps", "", "dependencies file (deps.yaml, or legacy names)")
 	f.StringVar(&flags.propertiesFile, "properties", "", "properties file (properties.yaml)")
 	f.StringVar(&flags.packages, "packages", "", "inline package list (space-separated)")
@@ -259,67 +262,33 @@ func runUpdate(cmd *cobra.Command, _ []string) error { // args unused but requir
 	ctx := cmd.Context()
 	log := clog.FromContext(ctx)
 
-	// Validate input - require at least one input source
-	hasFileInput := flags.depsFile != "" || flags.propertiesFile != ""
-	hasInlineInput := flags.packages != "" || flags.replaces != "" || flags.properties != ""
-
-	if !hasFileInput && !hasInlineInput {
-		return fmt.Errorf("%w: at least one of --deps, --properties, --packages, --replaces, or --props must be specified", ErrMissingInput)
-	}
-
-	if flags.depsFile != "" && flags.packages != "" {
-		return fmt.Errorf("%w: cannot use both --deps and --packages", ErrConflictingInput)
-	}
-
-	if flags.propertiesFile != "" && flags.properties != "" {
-		return fmt.Errorf("%w: cannot use both --properties (file) and --props (inline)", ErrConflictingInput)
+	if err := validateUpdateFlags(); err != nil {
+		return err
 	}
 
-	// Load configuration
-	var cfg *config.Config
-
-	if hasFileInput {
-		var err error
-		cfg, err = loadFileInputConfig(ctx)
-		if err != nil {
-			return err
-		}
-	} else {
-		var err error
-		cfg, err = loadInlineInputConfig()
-		if err != nil {
-			return err
-		}
+	cfg, err := loadUpdateConfig(ctx)
+	if err != nil {
+		return err
 	}
 
-	// Detect language
-	detectedLang, err := resolveLanguage(ctx, log, cfg)
+	detectedLang, err := resolveLanguage(ctx, cfg)
 	if err != nil {
 		return err
 	}
 
-	// Get language implementation
 	lang, err := languages.Get(detectedLang)
 	if err != nil {
 		return fmt.Errorf("failed to get language implementation: %w", err)
 	}
 
 	log.Infof("Using language: %s", lang.Name())
 
-	// Convert config to UpdateConfig
-	updateCfg := convertToUpdateConfig(cfg)
-	updateCfg.RootDir = flags.rootDir
-	updateCfg.Tidy = flags.tidy
-	updateCfg.ShowDiff = flags.showDiff
-	updateCfg.DryRun = flags.dryRun
-	updateCfg.ManifestFile = flags.manifestFile
+	updateCfg := buildUpdateConfig(cfg)
 
-	// Perform update
 	if err := lang.Update(ctx, updateCfg); err != nil {
 		return fmt.Errorf("update failed: %w", err)
 	}
 
-	// Validate
 	if !flags.dryRun {
 		if err := lang.Validate(ctx, updateCfg); err != nil {
 			log.Warnf("Validation completed with warnings: %v", err)
@@ -330,100 +299,99 @@ func runUpdate(cmd *cobra.Command, _ []string) error { // args unused but requir
 	return nil
 }
 
-// resolveLanguage determines the target language from flags, manifest detection,
-// config overrides, and auto-detection — in that priority order.
-func resolveLanguage(ctx context.Context, log *clog.Logger, cfg *config.Config) (string, error) {
-	lang := flags.language
+// validateUpdateFlags checks the CLI flags for mutually exclusive or missing inputs.
+func validateUpdateFlags() error {
+	hasFileInput := flags.depsFile != "" || flags.propertiesFile != ""
+	hasInlineInput := flags.packages != "" || flags.replaces != "" || flags.properties != ""
 
-	// Handle backward compatibility: "maven" -> "java"
-	if lang == languageMaven {
-		log.Warnf("Language 'maven' is deprecated, use 'java' instead")
-		lang = languageJava
+	if !hasFileInput && !hasInlineInput {
+		return fmt.Errorf("%w: at least one of --deps, --properties, --packages, --replaces, or --props must be specified", ErrMissingInput)
 	}
 
-	// When --manifest is set, detect language from the file content directly.
-	if flags.manifestFile != "" && (lang == languageAuto || lang == "") {
+	if flags.depsFile != "" && flags.packages != "" {
+		return fmt.Errorf("%w: cannot use both --deps and --packages", ErrConflictingInput)
+	}
+
+	if flags.propertiesFile != "" && flags.properties != "" {
+		return fmt.Errorf("%w: cannot use both --properties (file) and --props (inline)", ErrConflictingInput)
+	}
+
+	return nil
+}
+
+// loadUpdateConfig loads configuration from file or inline sources based on the flags.
+func loadUpdateConfig(ctx context.Context) (*config.Config, error) {
+	if flags.depsFile != "" || flags.propertiesFile != "" {
+		return loadFileInputConfig(ctx)
+	}
+	return loadInlineInputConfig()
+}
+
+// resolveLanguage determines which language implementation to use, honouring
+// --language, --manifest, config overrides and auto-detection.
+func resolveLanguage(ctx context.Context, cfg *config.Config) (string, error) {
+	log := clog.FromContext(ctx)
+
+	detectedLang := normaliseLanguage(flags.language, "Language 'maven' is deprecated, use 'java' instead", log)
+
+	if flags.manifestFile != "" && (detectedLang == languageAuto || detectedLang == "") {
 		ok, err := maven.IsMavenPom(flags.manifestFile)
 		if err != nil {
 			return "", fmt.Errorf("failed to read manifest file: %w", err)
 		}
 		if !ok {
 			return "", fmt.Errorf("--manifest %q: %w", flags.manifestFile, maven.ErrNotMavenPOM)
 		}
-		lang = languageJava
-		log.Infof("Detected language: %s", lang)
+		detectedLang = languageJava
+		log.Infof("Detected language: %s", detectedLang)
 	}
 
-	if lang == languageAuto || lang == "" {
-		detected, err := languages.DetectLanguage(ctx, flags.rootDir)
-		if err != nil && detected == "" {
+	if detectedLang == languageAuto || detectedLang == "" {
+		auto, err := languages.DetectLanguage(ctx, flags.rootDir)
+		if err != nil && auto == "" {
 			return "", fmt.Errorf("failed to detect language: %w (try specifying --language explicitly)", err)
 		}
 		if err != nil {
 			// Multiple languages detected — warn but proceed with the chosen one.
 			log.Warnf("%v", err)
 		}
-		lang = detected
-		log.Infof("Detected language: %s", lang)
+		detectedLang = auto
+		log.Infof("Detected language: %s", detectedLang)
 	}
 
-	// Override language from config if specified
-	if cfg.Language != "" && cfg.Language != "auto" {
-		lang = cfg.Language
-		// Handle backward compatibility in config too
-		if lang == "maven" {
-			log.Warnf("Language 'maven' in config is deprecated, use 'java' instead")
-			lang = "java"
-		}
+	if cfg.Language != "" && cfg.Language != languageAuto {
+		detectedLang = normaliseLanguage(cfg.Language, "Language 'maven' in config is deprecated, use 'java' instead", log)
 	}
 
-	return lang, nil
+	return detectedLang, nil
 }
 
-func convertToUpdateConfig(cfg *config.Config) *languages.UpdateConfig {
-	updateCfg := &languages.UpdateConfig{
-		Dependencies: make([]languages.Dependency, 0, len(cfg.Packages)),
-		Properties:   make(map[string]string),
-		Options:      make(map[string]any),
-	}
-
-	// Convert packages
-	for _, pkg := range cfg.Packages {
-		dep := languages.Dependency{
-			Name:     pkg.Name,
-			Version:  pkg.Version,
-			Scope:    pkg.Scope,
-			Type:     pkg.Type,
-			Metadata: make(map[string]any),
-		}
-
-		// Store Maven-specific fields in metadata
-		if pkg.GroupID != "" {
-			dep.Metadata["groupId"] = pkg.GroupID
-		}
-		if pkg.ArtifactID != "" {
-			dep.Metadata["artifactId"] = pkg.ArtifactID
-		}
-
-		updateCfg.Dependencies = append(updateCfg.Dependencies, dep)
+// normaliseLanguage applies backward-compatibility aliasing (e.g. "maven" -> "java").
+func normaliseLanguage(name, deprecationMsg string, log *clog.Logger) string {
+	if name == languageMaven {
+		log.Warnf("%s", deprecationMsg)
+		return languageJava
 	}
+	return name
+}
 
-	// Convert properties
-	for _, prop := range cfg.Properties {
-		updateCfg.Properties[prop.Property] = prop.Value
-	}
+// buildUpdateConfig converts the loaded config plus CLI flags into an UpdateConfig.
+func buildUpdateConfig(cfg *config.Config) *languages.UpdateConfig {
+	updateCfg := cfg.ToUpdateConfig()
+	updateCfg.RootDir = flags.rootDir
+	updateCfg.Tidy = flags.tidy
+	updateCfg.ShowDiff = flags.showDiff
+	updateCfg.DryRun = flags.dryRun
+	updateCfg.ManifestFile = flags.manifestFile
 
-	// Convert replaces (Go-specific)
-	if len(cfg.Replaces) > 0 {
-		for _, repl := range cfg.Replaces {
-			dep := languages.Dependency{
-				OldName: repl.OldName,
-				Name:    repl.Name,
-				Version: repl.Version,
-				Replace: true,
-			}
-			updateCfg.Dependencies = append(updateCfg.Dependencies, dep)
+	// The CLI's --manager flag always wins over a value in the deps file
+	// (which ToUpdateConfig already stamped into Options).
+	if len(flags.managers) > 0 {
+		managers := make([]js.Manager, len(flags.managers))
+		for i, s := range flags.managers {
+			managers[i] = js.Manager(s)
 		}
+		updateCfg.Options["manager"] = managers
 	}
 
 	return updateCfg

cmd/omnibump/root_test.go

@@ -212,7 +212,7 @@ func TestConvertToUpdateConfig_WithManifestFile(t *testing.T) {
 	flags.manifestFile = "/some/path/custom-pom.xml"
 
 	cfg := &config.Config{}
-	updateCfg := convertToUpdateConfig(cfg)
+	updateCfg := cfg.ToUpdateConfig()
 	updateCfg.ManifestFile = flags.manifestFile
 
 	if updateCfg.ManifestFile != "/some/path/custom-pom.xml" {
@@ -228,7 +228,7 @@ func TestConvertToUpdateConfig_WithoutManifestFile(t *testing.T) {
 	flags.manifestFile = ""
 
 	cfg := &config.Config{}
-	updateCfg := convertToUpdateConfig(cfg)
+	updateCfg := cfg.ToUpdateConfig()
 	updateCfg.ManifestFile = flags.manifestFile
 
 	if updateCfg.ManifestFile != "" {
@@ -248,7 +248,7 @@ func TestConvertToUpdateConfig_WithProperties(t *testing.T) {
 		},
 	}
 
-	updateCfg := convertToUpdateConfig(cfg)
+	updateCfg := cfg.ToUpdateConfig()
 
 	if len(updateCfg.Dependencies) != 1 {
 		t.Errorf("expected 1 dependency, got %d", len(updateCfg.Dependencies))

cmd/omnibump/supported.go

@@ -60,6 +60,13 @@ func runSupported(_ *cobra.Command, _ []string) error { // Both unused but requi
 			fmt.Println("  Build Tools:")
 			fmt.Println("    - Composer (composer.json, composer.lock)")
 		}
+		if langName == "js" {
+			fmt.Println("  Package Managers (selected via lock file or --manager):")
+			fmt.Println("    - pnpm  (pnpm-lock.yaml,    writes pnpm.overrides)")
+			fmt.Println("    - yarn  (yarn.lock,         writes resolutions)")
+			fmt.Println("    - npm   (package-lock.json, writes overrides)")
+			fmt.Println("    - bun   (bun.lock(b),       writes overrides)")
+		}
 
 		fmt.Println()
 	}

go.mod

@@ -13,6 +13,8 @@ require (
 	github.com/samber/lo v1.53.0
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
+	github.com/tidwall/gjson v1.19.0
+	github.com/tidwall/sjson v1.2.5
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/mod v0.35.0
 	golang.org/x/tools v0.44.0
@@ -41,6 +43,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect

go.sum

@@ -66,6 +66,15 @@ github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.19.0 h1:xwxm7n691Uf3u5OFjzngavjGTh55KX5q/9w9xHW88JU=
+github.com/tidwall/gjson v1.19.0/go.mod h1:V37/opeE/JbLUOfH0QTXiNez2l0RUjYUhpT4szFQAfc=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=