Rewrite lockfile parsers with transitive pnpm resolution #51
Merged
The previous regex-based parsers misidentified versions in several common real-world cases: yarn multi-specifier headers only matched the first specifier, pnpm peer-dep suffixes like `18.2.0(react@17.0.0)` leaked false matches for the inner package, and pnpm monorepos returned whichever version the regex engine encountered first.

Replace both with format-aware hand-rolled parsers:

- pnpm: indent-aware stack parser covering v5 through v9, including importers, devDependencies, optionalDependencies, and nested peer-dep suffixes.
- yarn: block-based parser handling both classic v1 and Berry v2+ in one code path.

For pnpm, add BFS-based transitive resolution: while parsing, build a dep graph from `snapshots:` (v9) or `packages:` (v6-v8), and when a direct lookup misses, walk the graph from root importers to pick the root-reachable version instead of a lexicographic first match.

Also applies defensive YAML inline-comment stripping in both parsers and adds realistic yarn v1, yarn Berry, and pnpm v9 monorepo fixtures plus 31 new unit tests. No new dependencies.
Summary
- importers, devDependencies/optionalDependencies, and nested peer-dep suffixes like `15.5.15(@opentelemetry/api@1.9.0)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)`. Drops the old regex that misidentified versions inside peer-dep parens and returned non-deterministic results in monorepos.
- `snapshots:` (v9) or `packages:` (v6–v8); on direct-lookup miss, BFS from root-importer deps and return the root-reachable version. Replaces the old lexicographic first-match, which often returned the lowest version among several transitive copies.
- `"foo@^1", "foo@~1.2":`) only matched the first specifier, and adds support for Berry's `npm:` protocol and comma-separated single-quoted specifiers.
- `#` follows whitespace, so git fragment URLs pass through), CRLF handling, empty/comment-only file handling, cycle-safe BFS.
- `Cargo.toml` untouched.
- `packages/opensrc/cli/tests/fixtures/` covering scoped packages, multi-specifier headers, multi-version resolution, workspace importers, and transitive graphs.
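
The root-reachable lookup described above, sketched as an added example (not code from this pull request). It assumes pnpm v9-style snapshot keys of the form `name@version(peers)`; the names `strip_peer_suffix`, `split_key`, `resolve_transitive` and `sample_graph` are hypothetical, and the graph is constructed sample data.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Drop a pnpm peer-dep suffix: "18.2.0(react@17.0.0)" -> "18.2.0".
fn strip_peer_suffix(version: &str) -> &str {
    version.split('(').next().unwrap_or(version)
}

/// Split a key such as "@scope/pkg@1.2.3(peer@1.0.0)" into (name, version).
/// The version separator is the last '@' before any '(' that is not the scope marker.
fn split_key(key: &str) -> Option<(&str, &str)> {
    let base = strip_peer_suffix(key);
    let at = base.rfind('@').filter(|&i| i > 0)?;
    Some((&base[..at], &base[at + 1..]))
}

type Graph = HashMap<String, Vec<String>>; // snapshot key -> dependency snapshot keys

/// BFS from the root importers' direct deps; the first node named `target`
/// is the copy closest to the root. `seen` keeps the walk cycle-safe.
fn resolve_transitive(graph: &Graph, roots: &[&str], target: &str) -> Option<String> {
    let mut queue: VecDeque<&str> = roots.iter().copied().collect();
    let mut seen: HashSet<&str> = HashSet::new();
    while let Some(key) = queue.pop_front() {
        if !seen.insert(key) { continue; }
        if let Some((name, version)) = split_key(key) {
            if name == target { return Some(version.to_string()); }
        }
        if let Some(deps) = graph.get(key) {
            queue.extend(deps.iter().map(String::as_str));
        }
    }
    None
}

/// Constructed sample graph (not taken from the project's fixtures).
fn sample_graph() -> Graph {
    let edges: [(&str, &[&str]); 4] = [
        ("app-ui@2.0.0(react@19.2.5)", &["scheduler@0.25.0", "@scope/util@1.1.0"]),
        ("@scope/util@1.1.0", &["app-ui@2.0.0(react@19.2.5)"]), // dependency cycle
        ("scheduler@0.25.0", &[]),
        ("scheduler@0.19.1", &[]), // unreachable copy that sorts first lexicographically
    ];
    edges.iter().map(|(k, v)| (k.to_string(), v.iter().map(|s| s.to_string()).collect())).collect()
}

fn main() {
    let g = sample_graph();
    println!("{:?}", resolve_transitive(&g, &["app-ui@2.0.0(react@19.2.5)"], "scheduler"));
}
```

For dependency auditing, the difference matters because a lexicographic first match would report `0.19.1` here, a copy that no root importer actually pulls in.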