A git URL that maps to one of the three “hosted” providers that npm
and pnpm both special-case (github / gitlab / bitbucket). For these
hosts a public read can be served as a flat HTTPS tarball over
codeload.github.com (or each host’s equivalent), bypassing git
entirely. The lockfile’s stored URL is canonical-identity only —
pnpm and npm both re-derive the fetch URL from (host, owner, repo)
on every install rather than dialing whatever scheme happens to be
in resolved:.

A pinned runtime (Node.js) recorded in the lockfile. Mirrors pnpm
10.14+’s devEngines.runtime encoding: the manifest’s requested
range plus the exact resolved version, and one downloadable
artifact per supported platform so any machine reading the
lockfile can fetch the same release without re-resolving.

One (os, cpu, libc) triple a runtime variant targets. Values use
Node’s process.platform / process.arch vocabulary (win32,
darwin, linux; x64, arm64), with libc: Some("musl") only
on musl builds.

Collapse peer-context variants from graph into a single map keyed
by "name@version", pointing at the first-seen package. Several
writers (npm, yarn, …) share this shape: one canonical entry per
(name, version) pair regardless of how many peer suffixes the
full graph emits.

Render a DepType as the matching package.json field name
(dependencies / devDependencies / optionalDependencies).
Single source of truth so drift diagnostics, install summaries,
the outdated / why / deprecations renderers, and the
outdated --json shape all agree on the spelling.

Return the LockfileKind of the lockfile already on disk in
project_dir, if any. Follows the same precedence as
parse_lockfile_with_kind (aube > pnpm > bun > yarn >
npm-shrinkwrap > npm). Used by install to preserve a project’s
existing lockfile format when rewriting after a re-resolve — a
user with only pnpm-lock.yaml, package-lock.json, or another
supported lockfile gets that file written back, not a surprise
aube-lock.yaml alongside it.

Parse a clone URL — in any form parse_git_spec accepts as input
or produces as output — into its (host, owner, repo) components,
when the host is one of the three providers npm / pnpm route
through HTTPS tarballs. Returns None for any other host (including
self-hosted GitLab / Gitea / Bitbucket Data Center): those still
need a real git clone because no codeload-style HTTP archive is
available.
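
An added example (not aube's, npm's or pnpm's code) of the exact-host check and identity-based fetch-URL derivation that this entry and the hosted git URL entry describe. All names are hypothetical; the accepted URL forms and the 40-hex commit rule are assumptions, and the GitLab and Bitbucket archive shapes follow npm's hosted-git-info templates.

```rust
// Added example: every name here is hypothetical, not aube's API.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Host { GitHub, GitLab, Bitbucket }

/// Split a clone URL into (host, owner, repo); None for any non-hosted URL.
pub fn hosted_parts(url: &str) -> Option<(Host, String, String)> {
    // Drop an npm-style "git+" prefix and any "#committish" fragment.
    let s = url.strip_prefix("git+").unwrap_or(url);
    let s = s.split('#').next().unwrap_or(s);
    // Drop the scheme; scp form "git@host:owner/repo" has none, so its ':' becomes '/'.
    let rest = match s.split_once("://") {
        Some((_, r)) => r.to_string(),
        None => s.replacen(':', "/", 1),
    };
    let (authority, path) = rest.split_once('/')?;
    // The host is what follows the LAST '@' (userinfo can look like a host), minus any port.
    let host = authority.rsplit('@').next()?.split(':').next()?.to_ascii_lowercase();
    let host = match host.as_str() {
        "github.com" => Host::GitHub,
        "gitlab.com" => Host::GitLab,
        "bitbucket.org" => Host::Bitbucket,
        _ => return None, // self-hosted or look-alike host: needs a real git clone
    };
    let (owner, repo) = path.trim_end_matches('/').split_once('/')?;
    let repo = repo.strip_suffix(".git").unwrap_or(repo);
    // Assumption: exactly owner/repo in a conservative charset, so nothing alters the derived path.
    let ok = |p: &str| !p.is_empty() && p != "." && p != ".."
        && p.chars().all(|c| c.is_ascii_alphanumeric() || "-_.".contains(c));
    if ok(owner) && ok(repo) { Some((host, owner.to_string(), repo.to_string())) } else { None }
}

/// Build the HTTPS archive URL from identity only; the stored URL's scheme is never dialed.
pub fn tarball_url(host: Host, owner: &str, repo: &str, commit: &str) -> Option<String> {
    // Assumption: only a full 40-hex commit id counts as pinned.
    if commit.len() != 40 || !commit.chars().all(|c| c.is_ascii_hexdigit()) { return None; }
    Some(match host {
        Host::GitHub => format!("https://codeload.github.com/{owner}/{repo}/tar.gz/{commit}"),
        Host::GitLab => format!("https://gitlab.com/{owner}/{repo}/repository/archive.tar.gz?ref={commit}"),
        Host::Bitbucket => format!("https://bitbucket.org/{owner}/{repo}/get/{commit}.tar.gz"),
    })
}

fn main() {
    // Constructed sample: a lockfile-style git+ssh URL with a placeholder commit id.
    let (h, o, r) = hosted_parts("git+ssh://git@github.com/acme/widget.git#main").unwrap();
    println!("{:?}", tarball_url(h, &o, &r, &"a".repeat(40)));
}
```

Matching the host exactly, after stripping userinfo and port, is what keeps a look-alike authority from being routed to the tarball path.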

Resolve a dependency edge (name, tail) to the graph key of the child
package node, honoring every reader’s storage convention. Returns the
first candidate that satisfies contains (the caller’s “is this a real
package key?” predicate), or None when the edge points outside the
graph (a pruned optional, an unresolved peer, a link: target, …).

Resolve a transitive dependency’s recorded spec value to the same
dep_path key the lockfile parser assigns the target package, for
the two content-pinned source kinds that get shared globally (git
and remote tarball).

Write a lockfile to the given project directory using aube’s default
filename (aube-lock.yaml, or aube-lock.<branch>.yaml when branch
lockfiles are enabled).

Most npm packages declare zero or one entry in os, cpu,
libc. Two inline SmallVec slots cover both the empty case on
construction (zero heap allocations) and a one-entry push (still
zero heap allocations) for ~99% of lockfile entries.