JSON parse failure with enough info for miette’s fancy handler to
render a pointer at the offending byte. Boxed into Error::Parse so
the enum’s Err size stays small (clippy’s result_large_err).
Raw value shape for a single allowBuilds entry, preserved as-is
from the source JSON/YAML. Interpretation (allow / deny / warn
about unsupported shape) lives in aube-scripts::policy, keeping
this crate purely about parsing.
bundledDependencies shape from package.json. npm/pnpm accept
either an array of dep names or a boolean (true meaning “bundle
everything in dependencies”). We preserve both so the resolver
can compute the exact name set.
Tolerant dep-map deserializer. Same shape as scripts_tolerant
but used for dependencies / devDependencies / peerDependencies /
optionalDependencies. Real world manifests written by tools
sometimes emit "peerDependencies": null when a package has
none, and strict Record<string, string> deserialization rejects
that. npm and pnpm both tolerate null. Drop non-string values
(numbers, arrays, objects) silently since nothing sensible maps
those to a version range.
Union of package.json’s {pnpm,aube}.ignoredOptionalDependencies
and pnpm-workspace.yaml’s ignoredOptionalDependencies. Same
layering rule as effective_supported_architectures: workspace
yaml is pnpm v10’s canonical location for shared settings, so the
two sources union rather than override.
Union of package.json’s {pnpm,aube}.supportedArchitectures.* and
pnpm-workspace.yaml’s supportedArchitectures.*. pnpm v10 treats
the workspace yaml as the canonical home for shared platform
widening — a team generating a cross-platform lockfile on Linux CI
sets it there once rather than in every importer’s manifest.
Insertion order: manifest first, workspace appended, duplicates
dropped (same dedupe rule pnpm_supported_architectures already
uses between the pnpm.* and aube.* namespaces).
Deserialize engines tolerant to legacy non-map forms, e.g.
extsprintf@1.4.1 ships "engines": ["node >=0.6.0"] and some
old packument entries (such as qs) ship a bare string.
Modern npm ignores that shape (engine-strict only consults the map
form), so normalize to an empty map rather than failing the whole
manifest — a hard error there takes down every install that touches
one of these ancient packages, even when the user’s target engine
wouldn’t have matched any constraint anyway.
Parse a JSON document from content, returning an Error::Parse on
failure with the source content + span attached so miette’s fancy
handler can render a pointer into the offending file.
Parse a YAML document from content, returning an Error::Parse on
failure with the source content + span attached. yaml_serde reports
errors with a Location { index, line, column } we can feed straight
into a miette span; type-mismatch errors raised after from_str
succeeds (e.g. via from_value) have no location and render without
a pointer but still carry the file name.
Deserialize scripts tolerant to non-string values. firefox-profile
(and a handful of other legacy packages) ships junk like
"scripts": { "blanket": { "pattern": [...] } } — tool-specific
config that npm’s CLI treats as “not a runnable script” and ignores.
A strict Record<string, string> deserialization trips on the object
entry and fails the whole install. Drop non-string entries so the
real scripts still round-trip.