1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
use crate::{DepType, DirectDep, Error, LocalSource, LockedPackage, LockfileGraph};
use std::collections::{BTreeMap, BTreeSet};
use std::path::{Path, PathBuf};
use super::raw::{InstallPathInfo, RawNpmLockfile};
/// Parse a package-lock.json or npm-shrinkwrap.json file into a LockfileGraph.
pub fn parse(path: &Path) -> Result<LockfileGraph, Error> {
let content = crate::read_lockfile(path)?;
let raw: RawNpmLockfile = crate::parse_json(path, content)?;
if raw.lockfile_version < 2 {
return Err(Error::parse(
path,
format!(
"package-lock.json lockfileVersion {} is not supported (need v2 or v3)",
raw.lockfile_version
),
));
}
let mut graph = LockfileGraph {
importers: BTreeMap::new(),
packages: BTreeMap::new(),
..Default::default()
};
// npm workspace links come in pairs:
// - `node_modules/@scope/pkg: { resolved: "packages/pkg", link: true }`
// - `packages/pkg: { name, version, dependencies, ... }`
//
// The `node_modules/` entry is the actual edge consumers resolve through;
// the target path entry carries the package metadata. Skip the target-path
// record during the main loop and let the link entry synthesize a local
// package from it.
let link_targets: BTreeSet<String> = raw
.packages
.values()
.filter_map(|entry| entry.link.then(|| entry.resolved.clone()).flatten())
.collect();
// Map each install_path to the locked dep_path it resolves to. We need
// this for the nested-resolution walk, including local/workspace links
// whose dep_path isn't just `name@version`.
let mut install_path_info: BTreeMap<String, InstallPathInfo> = BTreeMap::new();
for (install_path, entry) in &raw.packages {
if install_path.is_empty() {
continue; // root project, handled separately
}
if link_targets.contains(install_path) {
continue;
}
// The install-path segment is what every other package in the
// tree refers to. For non-aliased deps that's the real package
// name; for `"h3-v2": "npm:h3@..."` it's the alias `h3-v2`.
// Keep it as the LockedPackage.name so the linker drops the
// dep into `node_modules/<alias>/` and transitive symlinks
// resolve by the string that appears in consumers'
// `dependencies` maps.
let install_name = crate::npm::layout::package_name_from_install_path(install_path)
.or_else(|| entry.name.clone())
.ok_or_else(|| {
Error::parse(
path,
format!("could not determine package name for '{install_path}'"),
)
})?;
// npm writes `name:` only for aliases. If present and different
// from the install-path segment, this is `"<alias>": "npm:<real>@..."`
// and the real name is what we hit the registry with. If absent
// or equal, it's a regular dep.
let alias_of = entry
.name
.as_ref()
.filter(|real| real.as_str() != install_name.as_str())
.cloned();
let (package_entry, version, dep_path, local_source) = if entry.link {
let target = entry.resolved.as_ref().ok_or_else(|| {
Error::parse(
path,
format!("linked package '{install_name}' has no resolved target"),
)
})?;
let target_entry = raw.packages.get(target).ok_or_else(|| {
Error::parse(
path,
format!("linked package '{install_name}' points to missing target '{target}'"),
)
})?;
let version = target_entry.version.clone().ok_or_else(|| {
Error::parse(
path,
format!("linked package '{install_name}' target '{target}' has no version"),
)
})?;
let local = LocalSource::Link(PathBuf::from(target));
(
target_entry,
version,
local.dep_path(&install_name),
Some(local),
)
} else {
let version = entry.version.clone().ok_or_else(|| {
Error::parse(path, format!("package '{install_name}' has no version"))
})?;
let local_source = entry.resolved.as_deref().and_then(|r| {
crate::npm::source::local_git_source_from_resolved(r)
.or_else(|| crate::npm::source::local_file_source_from_resolved(r))
});
let dep_path = local_source.as_ref().map_or_else(
|| format!("{install_name}@{version}"),
|l| l.dep_path(&install_name),
);
(entry, version.clone(), dep_path, local_source)
};
install_path_info.insert(
install_path.clone(),
InstallPathInfo {
name: install_name.clone(),
dep_path: dep_path.clone(),
},
);
// Same (name, version) may appear at multiple nest levels; keep the first occurrence.
if graph.packages.contains_key(&dep_path) {
continue;
}
let mut deps: BTreeMap<String, String> = BTreeMap::new();
for dep_name in package_entry
.dependencies
.keys()
.chain(package_entry.optional_dependencies.keys())
{
// Forward references — we'll resolve them in a second pass using
// the node nested-resolution walk.
deps.insert(dep_name.clone(), String::new());
}
// Preserve the declared ranges npm writes on each nested package
// entry. Round-tripping these is what keeps
// `aube install --no-frozen-lockfile` from rewriting every
// `"^4.1.0"` to `"4.3.0"` on re-emit.
let mut declared: BTreeMap<String, String> = BTreeMap::new();
for (k, v) in package_entry
.dependencies
.iter()
.chain(package_entry.optional_dependencies.iter())
{
declared.insert(k.clone(), v.clone());
}
// Keep the `resolved` URL on every registry package so the
// npm writer can emit `resolved:` on every entry verbatim
// (what npm itself writes), not just the aliased /
// JSR-specific cases where the URL is strictly unrecoverable
// from name+version. Dropping it was the single largest
// source of churn against npm's own output.
let tarball_url = package_entry
.resolved
.as_ref()
.filter(|_| local_source.is_none())
.filter(|u| u.starts_with("http://") || u.starts_with("https://"))
.cloned();
// Peer fields are copied verbatim from the lockfile entry.
// Downstream (`aube-resolver::apply_peer_contexts`) reads
// these two maps to decide which packages need a peer-context
// suffix and which sibling symlinks to create in the isolated
// virtual store. An npm lockfile without these fields
// populated here would silently produce a tree where
// peer-dependent packages can't find their peers at runtime.
let peer_dependencies = package_entry.peer_dependencies.clone();
let peer_dependencies_meta: BTreeMap<String, crate::PeerDepMeta> = package_entry
.peer_dependencies_meta
.iter()
.map(|(k, v)| {
(
k.clone(),
crate::PeerDepMeta {
optional: v.optional,
},
)
})
.collect();
graph.packages.insert(
dep_path.clone(),
LockedPackage {
name: install_name,
version,
integrity: package_entry.integrity.clone(),
dependencies: deps,
peer_dependencies,
peer_dependencies_meta,
dep_path,
local_source,
os: package_entry.os.iter().cloned().collect(),
cpu: package_entry.cpu.iter().cloned().collect(),
libc: package_entry.libc.iter().cloned().collect(),
alias_of,
tarball_url,
declared_dependencies: declared,
engines: package_entry.engines.clone(),
bin: package_entry.bin.clone(),
license: package_entry.license.as_ref().and_then(|l| l.value.clone()),
funding_url: package_entry.funding.as_ref().and_then(|f| f.url.clone()),
..Default::default()
},
);
}
// Second pass: for each raw entry, resolve its transitive deps by walking
// the npm nesting hierarchy. For an entry at `node_modules/foo`, a dep
// `bar` resolves to whichever of `node_modules/foo/node_modules/bar` or
// `node_modules/bar` exists — npm hoists shared versions to the root but
// keeps conflicting versions nested.
//
// We then write the resolved (name → dep_path tail) back onto the
// LockedPackage keyed by the *first* dep_path (name@version) we
// stored. The map value is the substring that follows `<name>@` in
// the target dep_path (just the version for simple packages), per
// `LockedPackage.dependencies` doc — the linker recombines the
// name and tail with an `@` separator when walking siblings.
// Emitting the full dep_path here doubled the name and produced
// broken sibling symlinks like `rolldown@rolldown@1.0.0` for every
// transitive dep. This may lose fidelity if two entries share
// (name, version) but have different resolved transitives —
// npm.rs's data model doesn't express that, and in practice npm
// dedupes only when the transitives match anyway.
type ResolvedDepMap = BTreeMap<String, String>;
let mut resolved_by_dep_path: BTreeMap<String, (ResolvedDepMap, ResolvedDepMap)> =
BTreeMap::new();
for (install_path, entry) in &raw.packages {
if install_path.is_empty() {
continue;
}
if link_targets.contains(install_path) {
continue;
}
let Some(info) = install_path_info.get(install_path) else {
continue;
};
let package_entry = if entry.link {
let Some(target) = entry.resolved.as_ref() else {
continue;
};
let Some(target_entry) = raw.packages.get(target) else {
unreachable!("first pass validates that linked package target '{target}' exists");
};
target_entry
} else {
entry
};
let dep_path = info.dep_path.clone();
let lookup_path = if entry.link {
entry.resolved.as_deref().unwrap_or(install_path.as_str())
} else {
install_path.as_str()
};
// Skip if another occurrence already produced a resolution for this
// dep_path (first wins, matching how we built `graph.packages`).
if resolved_by_dep_path.contains_key(&dep_path) {
continue;
}
let mut resolved: BTreeMap<String, String> = BTreeMap::new();
let mut resolved_optional: BTreeMap<String, String> = BTreeMap::new();
for (dep_name, is_optional) in package_entry
.dependencies
.keys()
.map(|name| (name, false))
.chain(
package_entry
.optional_dependencies
.keys()
.map(|name| (name, true)),
)
{
if let Some(target_install_path) =
crate::npm::layout::resolve_nested(lookup_path, dep_name, &install_path_info)
&& let Some(target_info) = install_path_info.get(&target_install_path)
{
let tail =
crate::npm::dep_path_tail(&target_info.name, &target_info.dep_path).to_string();
resolved.insert(dep_name.clone(), tail.clone());
if is_optional {
resolved_optional.insert(dep_name.clone(), tail);
}
}
}
resolved_by_dep_path.insert(dep_path, (resolved, resolved_optional));
}
for (dep_path, (deps, optional_deps)) in resolved_by_dep_path {
if let Some(pkg) = graph.packages.get_mut(&dep_path) {
pkg.dependencies = deps;
pkg.optional_dependencies = optional_deps;
}
}
// Root importer: resolve direct deps from the "" entry. For root, the
// only possible install path for `bar` is `node_modules/bar`.
let root = raw.packages.get("").cloned().unwrap_or_default();
let mut direct: Vec<DirectDep> = Vec::new();
let push_direct = |dep_name: &str, dep_type: DepType, direct: &mut Vec<DirectDep>| {
let root_path = format!("node_modules/{dep_name}");
if let Some(info) = install_path_info.get(&root_path) {
direct.push(DirectDep {
name: info.name.clone(),
dep_path: info.dep_path.clone(),
dep_type,
specifier: None,
});
}
};
for dep_name in root.dependencies.keys() {
push_direct(dep_name, DepType::Production, &mut direct);
}
for dep_name in root.dev_dependencies.keys() {
push_direct(dep_name, DepType::Dev, &mut direct);
}
for dep_name in root.optional_dependencies.keys() {
push_direct(dep_name, DepType::Optional, &mut direct);
}
// npm symlinks every workspace member (and any other top-level
// `npm install ../local-pkg` link) into the root `node_modules/`
// regardless of what the root manifest declares. Each one shows
// up in the lockfile as `node_modules/<name>: { link: true,
// resolved: "<rel>" }`. Surface those as direct deps of the
// root importer so the linker recreates the same symlinks on
// `aube install`. Without this, builds that resolve workspace
// packages from the repo root (Angular CLI / Nx / many monorepo
// build tools) silently break when migrating npm-managed
// workspaces over to aube — the root `node_modules/<ws-pkg>`
// entry simply isn't created. Sorted by name for deterministic
// ordering.
let already_added: BTreeSet<&str> = direct.iter().map(|d| d.name.as_str()).collect();
let mut workspace_links: Vec<DirectDep> = Vec::new();
for (install_path, raw_entry) in &raw.packages {
if !raw_entry.link {
continue;
}
let Some(rest) = install_path.strip_prefix("node_modules/") else {
continue;
};
// Only consider top-level entries: `node_modules/<name>` or
// `node_modules/@scope/<name>`. A nested `node_modules/`
// segment means this is a non-hoisted nested link, not a
// root symlink.
if rest.contains("/node_modules/") {
continue;
}
let segments = rest.split('/').count();
let expected = if rest.starts_with('@') { 2 } else { 1 };
if segments != expected {
continue;
}
let Some(info) = install_path_info.get(install_path) else {
continue;
};
if already_added.contains(info.name.as_str()) {
continue;
}
workspace_links.push(DirectDep {
name: info.name.clone(),
dep_path: info.dep_path.clone(),
dep_type: DepType::Production,
specifier: None,
});
}
workspace_links.sort_by(|a, b| a.name.cmp(&b.name));
direct.extend(workspace_links);
graph.importers.insert(".".to_string(), direct);
// Workspace importers: npm records each workspace package twice:
// `node_modules/<name>` is a link, while the target path (`web`,
// `packages/app`, ...) carries that package's own dependency sections.
// Preserve those target paths as graph importers so install/link and a
// later package-lock rewrite keep each workspace's node_modules tree.
for target in &link_targets {
if target.is_empty() {
continue;
}
let Some(package_entry) = raw.packages.get(target) else {
continue;
};
let mut direct = Vec::new();
for (dep_name, specifier, dep_type) in package_entry
.dependencies
.iter()
.map(|(name, spec)| (name, spec, DepType::Production))
.chain(
package_entry
.dev_dependencies
.iter()
.map(|(name, spec)| (name, spec, DepType::Dev)),
)
.chain(
package_entry
.optional_dependencies
.iter()
.map(|(name, spec)| (name, spec, DepType::Optional)),
)
{
if let Some(target_install_path) =
crate::npm::layout::resolve_nested(target, dep_name, &install_path_info)
&& let Some(info) = install_path_info.get(&target_install_path)
{
direct.push(DirectDep {
name: info.name.clone(),
dep_path: info.dep_path.clone(),
dep_type,
specifier: Some(specifier.clone()),
});
}
}
graph.importers.insert(target.clone(), direct);
}
Ok(graph)
}