dnx_core/

lockfile.rs

use crate::errors::{DnxError, Result};
use crate::resolver::{DependencyGraph, ResolvedPackage};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fs;
use std::path::Path;

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Lockfile {
    pub metadata: LockfileMetadata,
    pub packages: Vec<LockedPackage>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct LockfileMetadata {
    pub version: u32,
    pub generated_by: String,
    /// Workspace member names → relative paths from root.
    #[serde(default, skip_serializing_if = "HashMap::is_empty")]
    pub workspace_members: HashMap<String, String>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub integrity: String,
    pub resolved: String,
    #[serde(default)]
    pub dependencies: Vec<String>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub peer_dependencies: Vec<String>,
    #[serde(default, skip_serializing_if = "HashMap::is_empty")]
    pub bin: HashMap<String, String>,
    #[serde(default, skip_serializing_if = "std::ops::Not::not")]
    pub has_install_script: bool,
}

#[derive(Debug, Clone)]
pub struct ResolvedPackageInfo {
    pub name: String,
    pub version: String,
    pub integrity: String,
    pub resolved: String,
    pub dependencies: Vec<String>,
    pub peer_dependencies: Vec<String>,
    pub bin: HashMap<String, String>,
    pub has_install_script: bool,
}

#[derive(Debug, Default)]
pub struct LockfileDiff {
    pub added: Vec<LockedPackage>,
    pub removed: Vec<LockedPackage>,
    pub changed: Vec<(LockedPackage, LockedPackage)>,
}

impl Lockfile {
    /// Creates a new empty lockfile with default metadata
    pub fn new() -> Self {
        Self {
            metadata: LockfileMetadata {
                version: 1,
                generated_by: format!("dnx@{}", env!("CARGO_PKG_VERSION")),
                workspace_members: HashMap::new(),
            },
            packages: Vec::new(),
        }
    }

    /// Reads a lockfile from disk and parses it
    pub fn read(path: &Path) -> Result<Self> {
        let contents = fs::read_to_string(path).map_err(|e| {
            DnxError::Io(format!(
                "Failed to read lockfile at {}: {}",
                path.display(),
                e
            ))
        })?;

        let mut lockfile: Self = toml::from_str(&contents)
            .map_err(|e| DnxError::Toml(format!("Failed to parse lockfile: {}", e)))?;

        // Sort packages alphabetically by name
        lockfile.packages.sort_by(|a, b| a.name.cmp(&b.name));

        Ok(lockfile)
    }

    /// Writes the lockfile to disk
    pub fn write(&self, path: &Path) -> Result<()> {
        let mut sorted_lockfile = self.clone();

        // Sort packages alphabetically by name, then by version
        sorted_lockfile
            .packages
            .sort_by(|a, b| match a.name.cmp(&b.name) {
                std::cmp::Ordering::Equal => a.version.cmp(&b.version),
                other => other,
            });

        let contents = toml::to_string_pretty(&sorted_lockfile)
            .map_err(|e| DnxError::Toml(format!("Failed to serialize lockfile: {}", e)))?;

        // Create parent directory if it doesn't exist
        if let Some(parent) = path.parent() {
            fs::create_dir_all(parent).map_err(|e| {
                DnxError::Io(format!(
                    "Failed to create directory {}: {}",
                    parent.display(),
                    e
                ))
            })?;
        }

        fs::write(path, contents).map_err(|e| {
            DnxError::Io(format!(
                "Failed to write lockfile to {}: {}",
                path.display(),
                e
            ))
        })?;

        Ok(())
    }

    /// Creates a lockfile from a list of resolved packages
    pub fn from_dependency_graph(packages: &[ResolvedPackageInfo]) -> Self {
        let locked_packages: Vec<LockedPackage> = packages
            .iter()
            .map(|pkg| LockedPackage {
                name: pkg.name.clone(),
                version: pkg.version.clone(),
                integrity: pkg.integrity.clone(),
                resolved: pkg.resolved.clone(),
                dependencies: pkg.dependencies.clone(),
                peer_dependencies: pkg.peer_dependencies.clone(),
                bin: pkg.bin.clone(),
                has_install_script: pkg.has_install_script,
            })
            .collect();

        Self {
            metadata: LockfileMetadata {
                version: 1,
                generated_by: format!("dnx@{}", env!("CARGO_PKG_VERSION")),
                workspace_members: HashMap::new(),
            },
            packages: locked_packages,
        }
    }

    /// Converts the lockfile back into a DependencyGraph for the fast-path
    /// (skipping full network resolution when the lockfile is valid).
    pub fn to_dependency_graph(&self) -> DependencyGraph {
        let packages = self
            .packages
            .iter()
            .map(|locked| ResolvedPackage {
                name: locked.name.clone(),
                version: locked.version.clone(),
                tarball_url: locked.resolved.clone(),
                integrity: locked.integrity.clone(),
                dependencies: locked.dependencies.clone(),
                peer_dependencies: locked.peer_dependencies.clone(),
                bin: locked.bin.clone(),
                has_install_script: locked.has_install_script,
            })
            .collect();
        DependencyGraph { packages }
    }

    /// Compares this lockfile with another and returns the differences
    pub fn diff(&self, other: &Lockfile) -> LockfileDiff {
        let mut diff = LockfileDiff::default();

        // Create maps for efficient lookup
        let self_map: HashMap<(&str, &str), &LockedPackage> = self
            .packages
            .iter()
            .map(|pkg| ((pkg.name.as_str(), pkg.version.as_str()), pkg))
            .collect();

        let other_map: HashMap<(&str, &str), &LockedPackage> = other
            .packages
            .iter()
            .map(|pkg| ((pkg.name.as_str(), pkg.version.as_str()), pkg))
            .collect();

        // Find added and changed packages
        for pkg in &other.packages {
            let key = (pkg.name.as_str(), pkg.version.as_str());
            match self_map.get(&key) {
                None => {
                    // Package is in other but not in self - it's added
                    diff.added.push(pkg.clone());
                }
                Some(self_pkg) => {
                    // Package exists in both - check if it changed
                    if pkg != *self_pkg {
                        diff.changed.push(((*self_pkg).clone(), pkg.clone()));
                    }
                }
            }
        }

        // Find removed packages
        for pkg in &self.packages {
            let key = (pkg.name.as_str(), pkg.version.as_str());
            if !other_map.contains_key(&key) {
                diff.removed.push(pkg.clone());
            }
        }

        diff
    }
}

impl Default for Lockfile {
    fn default() -> Self {
        Self::new()
    }
}

/// Verifies that a lockfile contains all dependencies from package.json
/// and that locked versions satisfy the declared semver ranges
pub fn verify_against_package_json(lockfile: &Lockfile, deps: &HashMap<String, String>) -> bool {
    // Create a map of package name -> list of locked versions for efficient lookup
    let mut locked: HashMap<&str, Vec<&str>> = HashMap::new();
    for pkg in &lockfile.packages {
        locked
            .entry(pkg.name.as_str())
            .or_default()
            .push(pkg.version.as_str());
    }

    // Check that all dependencies from package.json are in the lockfile
    // and that at least one locked version satisfies the declared range
    for (dep_name, range_str) in deps {
        match locked.get(dep_name.as_str()) {
            None => return false,
            Some(locked_versions) => {
                // Verify at least one locked version satisfies the declared range
                let range_str = range_str.trim();
                let effective = match range_str {
                    "" | "*" | "latest" => ">=0.0.0",
                    s => s,
                };
                if let Ok(range) = node_semver::Range::parse(effective) {
                    let any_satisfies = locked_versions.iter().any(|ver| {
                        node_semver::Version::parse(ver)
                            .map(|v| range.satisfies(&v))
                            .unwrap_or(true) // accept if parsing fails
                    });
                    if !any_satisfies {
                        return false;
                    }
                }
                // If range parsing fails, we accept (backward compat)
            }
        }
    }

    true
}

/// Verify that a lockfile covers all external dependencies of a workspace.
/// Checks both that all external deps are satisfied and that the workspace
/// member list in the lockfile metadata matches the actual workspace.
pub fn verify_against_workspace(
    lockfile: &Lockfile,
    all_external_deps: &HashMap<String, String>,
) -> bool {
    // First check that all external deps are satisfied
    if !verify_against_package_json(lockfile, all_external_deps) {
        return false;
    }

    // If the lockfile has workspace_members metadata, we accept it as-is
    // (a mismatch in workspace structure will surface through external deps
    // changing, which the check above already catches). This avoids requiring
    // a full workspace structure comparison on every install.
    true
}

/// Verify that a lockfile's workspace member list matches the given member set.
/// This is a stricter check that ensures the workspace hasn't structurally changed.
pub fn verify_workspace_members(
    lockfile: &Lockfile,
    actual_members: &HashMap<String, String>,
) -> bool {
    if lockfile.metadata.workspace_members.is_empty() && !actual_members.is_empty() {
        return false;
    }
    if lockfile.metadata.workspace_members.len() != actual_members.len() {
        return false;
    }
    for (name, path) in actual_members {
        match lockfile.metadata.workspace_members.get(name) {
            Some(locked_path) => {
                // Normalise path separators for comparison
                let locked_norm = locked_path.replace('\\', "/");
                let actual_norm = path.replace('\\', "/");
                if locked_norm != actual_norm {
                    return false;
                }
            }
            None => return false,
        }
    }
    true
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::collections::HashMap;

    #[test]
    fn test_new_lockfile() {
        let lockfile = Lockfile::new();
        assert_eq!(lockfile.metadata.version, 1);
        assert_eq!(
            lockfile.metadata.generated_by,
            format!("dnx@{}", env!("CARGO_PKG_VERSION"))
        );
        assert!(lockfile.packages.is_empty());
    }

    #[test]
    fn test_from_dependency_graph() {
        let packages = vec![
            ResolvedPackageInfo {
                name: "lodash".to_string(),
                version: "4.17.21".to_string(),
                integrity: "sha512-abc123".to_string(),
                resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz".to_string(),
                dependencies: vec![],
                peer_dependencies: vec![],
                bin: HashMap::new(),
                has_install_script: false,
            },
            ResolvedPackageInfo {
                name: "express".to_string(),
                version: "4.18.2".to_string(),
                integrity: "sha512-def456".to_string(),
                resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz".to_string(),
                dependencies: vec!["accepts@1.3.8".to_string()],
                peer_dependencies: vec![],
                bin: HashMap::new(),
                has_install_script: false,
            },
        ];

        let lockfile = Lockfile::from_dependency_graph(&packages);
        assert_eq!(lockfile.packages.len(), 2);
        assert_eq!(lockfile.packages[0].name, "lodash");
        assert_eq!(lockfile.packages[1].name, "express");
        assert_eq!(lockfile.packages[1].dependencies.len(), 1);
    }

    #[test]
    fn test_diff_added() {
        let old = Lockfile::new();
        let mut new = Lockfile::new();
        new.packages.push(LockedPackage {
            name: "lodash".to_string(),
            version: "4.17.21".to_string(),
            integrity: "sha512-abc123".to_string(),
            resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz".to_string(),
            dependencies: vec![],
            peer_dependencies: vec![],
            bin: HashMap::new(),
            has_install_script: false,
        });

        let diff = old.diff(&new);
        assert_eq!(diff.added.len(), 1);
        assert_eq!(diff.removed.len(), 0);
        assert_eq!(diff.changed.len(), 0);
        assert_eq!(diff.added[0].name, "lodash");
    }

    #[test]
    fn test_diff_removed() {
        let mut old = Lockfile::new();
        old.packages.push(LockedPackage {
            name: "lodash".to_string(),
            version: "4.17.21".to_string(),
            integrity: "sha512-abc123".to_string(),
            resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz".to_string(),
            dependencies: vec![],
            peer_dependencies: vec![],
            bin: HashMap::new(),
            has_install_script: false,
        });
        let new = Lockfile::new();

        let diff = old.diff(&new);
        assert_eq!(diff.added.len(), 0);
        assert_eq!(diff.removed.len(), 1);
        assert_eq!(diff.changed.len(), 0);
        assert_eq!(diff.removed[0].name, "lodash");
    }

    #[test]
    fn test_diff_changed() {
        let mut old = Lockfile::new();
        old.packages.push(LockedPackage {
            name: "lodash".to_string(),
            version: "4.17.21".to_string(),
            integrity: "sha512-abc123".to_string(),
            resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz".to_string(),
            dependencies: vec![],
            peer_dependencies: vec![],
            bin: HashMap::new(),
            has_install_script: false,
        });

        let mut new = Lockfile::new();
        new.packages.push(LockedPackage {
            name: "lodash".to_string(),
            version: "4.17.21".to_string(),
            integrity: "sha512-xyz789".to_string(), // Changed integrity
            resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz".to_string(),
            dependencies: vec![],
            peer_dependencies: vec![],
            bin: HashMap::new(),
            has_install_script: false,
        });

        let diff = old.diff(&new);
        assert_eq!(diff.added.len(), 0);
        assert_eq!(diff.removed.len(), 0);
        assert_eq!(diff.changed.len(), 1);
        assert_eq!(diff.changed[0].0.integrity, "sha512-abc123");
        assert_eq!(diff.changed[0].1.integrity, "sha512-xyz789");
    }

    #[test]
    fn test_verify_against_package_json() {
        let mut lockfile = Lockfile::new();
        lockfile.packages.push(LockedPackage {
            name: "lodash".to_string(),
            version: "4.17.21".to_string(),
            integrity: "sha512-abc123".to_string(),
            resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz".to_string(),
            dependencies: vec![],
            peer_dependencies: vec![],
            bin: HashMap::new(),
            has_install_script: false,
        });
        lockfile.packages.push(LockedPackage {
            name: "express".to_string(),
            version: "4.18.2".to_string(),
            integrity: "sha512-def456".to_string(),
            resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz".to_string(),
            dependencies: vec![],
            peer_dependencies: vec![],
            bin: HashMap::new(),
            has_install_script: false,
        });

        let mut deps = HashMap::new();
        deps.insert("lodash".to_string(), "^4.17.21".to_string());
        deps.insert("express".to_string(), "^4.18.2".to_string());

        assert!(verify_against_package_json(&lockfile, &deps));

        // Add a dependency that's not in the lockfile
        deps.insert("react".to_string(), "^18.0.0".to_string());
        assert!(!verify_against_package_json(&lockfile, &deps));
    }

    #[test]
    fn test_verify_empty_deps() {
        let lockfile = Lockfile::new();
        let deps = HashMap::new();
        assert!(verify_against_package_json(&lockfile, &deps));
    }
}