You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(ingestion): parse npm/pnpm lockfiles natively, drop snyk-nodejs-lockfile-parser (#259)
## What
`npm install -g @opencodehub/cli` emitted **5 deprecation warnings**.
Three (`lodash.clone`, `lodash.isequal`, `uuid@8`) came from
`snyk-nodejs-lockfile-parser` — a ~126-package transitive tree the CLI
bundled *solely* to list resolved packages from a lockfile. This
replaces it with a native parser and removes the dependency from both
`@opencodehub/ingestion` and `@opencodehub/cli`.
Result: **warnings drop 5 → 2.** (The remaining `glob`/`inflight` come
from `@sourcegraph/scip-python` and need an upstream fix — tracked
separately.)
## Why native parsing is the right call
All the dependency-ingestion phase needs from a lockfile is the flat set
of resolved `name@version` pairs, and every lockfile shape already
carries that verbatim:
| Lockfile | Source of pairs |
|---|---|
| npm v2/v3 | `packages` map — keyed by `node_modules/<name>` path +
`version` |
| npm v1 | nested `dependencies` tree — `version` per node |
| pnpm 5/6/9 | `packages:`/`snapshots:` keys — `name@version` (or legacy
`/name/version`), peer suffixes stripped |
The license harvester in this same file **already string-scanned the raw
lockfile**, so the package list and its licenses now come from one pass
over one source of truth. No YAML dependency added — pnpm keys are
scanned exactly the way licenses already were.
This also sidesteps a real bundling failure: snyk's CJS graph does
dynamic `require()` of `fs` and `@snyk/error-catalog-nodejs-public`,
which broke when inlined via tsup (the alternative fix). Native parsing
has no such hazard.
## Verification (end-to-end, from the packed tarball)
Built → `pnpm pack` → installed the tarball into a clean prefix → ran
`codehub analyze`:
- **Warnings:** 5 → 2; `snyk-nodejs-lockfile-parser` absent from the
consumer tree; snyk symbols gone from `dist`.
- **npm v3 `package-lock.json`:** `analyze` exit 0 — indexed `left-pad`
+ `@scope/util` (scoped, with licenses).
- **pnpm v9 `pnpm-lock.yaml`:** `analyze` exit 0 — indexed `left-pad`,
`@scope/util`, `react-dom` (peer-suffix `(react@18.2.0)` correctly
stripped).
Gates: `typecheck` ✓ (CI-equivalent, excludes docs per ci.yml), **638
ingestion tests** ✓ (incl. +5 new dep-parser fixtures: npm v1/v2/v3,
pnpm v9/v6, missing-manifest), `biome` ✓ (686 files), docs build ✓ (64
pages).
## Also in this PR
- **Troubleshooting docs:** new section explaining the residual cosmetic
`glob`/`inflight` warnings are not security issues (CI runs
osv/grype/semgrep/npm-audit; overrides pin patched versions), and noting
the lockfile-parser warnings are now gone.
- **Stale-doc fix:** corrected `@duckdb/node-api` references in the
troubleshooting guide — DuckDB was removed in ADR 0019;
`onnxruntime-node` is the only remaining native binding.
## Blast radius
Internal lockfile-parsing implementation only; no public API change. The
dependency-ingestion phase output is unchanged (verified by the analyze
runs + existing tests).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
0 commit comments