lockfiles
Multi-ecosystem lockfile parser that turns lockfile contents into normalized, resolved dependencies keyed by PURL.
[!WARNING] WIP: name reserved, implementation to come. This repository currently contains only the project scaffold (packaging, CI, and binding stubs). There is no parsing logic yet. The `0.0.1` placeholder releases on crates.io, PyPI, and npm exist solely to reserve the `lockfiles` name.
What it will be
A Rust core (library + CLI) that parses lockfiles from multiple ecosystems and emits normalized resolved dependencies. It is content-in: it consumes lockfile contents, not paths. Its boundary is facts, not verdicts: it reports what a lockfile resolves to, and leaves policy decisions to downstream tooling.
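To make the content-in, PURL-keyed, facts-only boundary concrete, here is an added illustration that is not the project's code or API (the repository has no parsing logic yet). The names `Resolved`, `parse_cargo_lock` and `SAMPLE` are hypothetical, the Cargo.lock text is constructed, and only flat `key = "value"` lines inside `[[package]]` tables are read.

```rust
use std::collections::BTreeMap;
/// One resolved dependency: facts read from the lockfile, no policy verdict.
#[derive(Debug, Default, PartialEq)]
pub struct Resolved {
    pub name: String,
    pub version: String,
    pub source: Option<String>,   // None for path/workspace packages
    pub checksum: Option<String>, // None when the lockfile records no hash
}

/// Hypothetical helper: parse Cargo.lock *contents* (not a path) into a PURL-keyed map.
/// Reads only the flat `key = "value"` lines inside `[[package]]` tables.
pub fn parse_cargo_lock(contents: &str) -> BTreeMap<String, Resolved> {
    let mut out = BTreeMap::new();
    let mut cur: Option<Resolved> = None;
    for line in contents.lines().map(str::trim) {
        if line.starts_with('[') {
            // Any table header closes the package being read.
            if let Some(p) = cur.take() { insert(&mut out, p); }
            if line == "[[package]]" { cur = Some(Resolved::default()); }
            continue;
        }
        let (Some(p), Some((k, v))) = (cur.as_mut(), line.split_once('=')) else { continue };
        let v = v.trim().trim_matches('"').to_string();
        match k.trim() {
            "name" => p.name = v,
            "version" => p.version = v,
            "source" => p.source = Some(v),
            "checksum" => p.checksum = Some(v),
            _ => {} // `dependencies = [` and other keys are skipped here
        }
    }
    if let Some(p) = cur { insert(&mut out, p); }
    out
}

fn insert(out: &mut BTreeMap<String, Resolved>, p: Resolved) {
    if !p.name.is_empty() && !p.version.is_empty() {
        out.insert(format!("pkg:cargo/{}@{}", p.name, p.version), p);
    }
}

// Constructed sample: one local package (no source/checksum) and one registry package.
pub const SAMPLE: &str = "version = 3\n\n[[package]]\nname = \"app\"\nversion = \"0.1.0\"\ndependencies = [\n \"libc\",\n]\n\n[[package]]\nname = \"libc\"\nversion = \"0.2.150\"\nsource = \"registry+https://github.com/rust-lang/crates.io-index\"\nchecksum = \"constructed-placeholder\"\n";

fn main() {
    for (purl, dep) in parse_cargo_lock(SAMPLE) {
        println!("{purl} source={:?} checksum={:?}", dep.source, dep.checksum);
    }
}
```

A missing `source` or `checksum` is reported as `None` rather than flagged; deciding whether an unpinned or unhashed entry is acceptable is the downstream policy step.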
Bindings expose the same core to other ecosystems:
Layout
.                 core crate `lockfiles` (library + CLI)
bindings/python   PyO3 + maturin binding -> PyPI: lockfiles
bindings/node     napi-rs binding -> npm: lockfiles
Development
Bindings are built out of band (they are excluded from the default workspace members):
# Python (uses uv)
&& &&
# Node
&& && &&
License
Dual-licensed under either of MIT or Apache-2.0, at your option.