Skip to content

feat!: use hierarchical lockfile snapshots for per-context detection#4

Merged
split merged 7 commits into
mainfrom
feat/hierarchical-lockfile-snapshots
Mar 31, 2026
Merged

feat!: use hierarchical lockfile snapshots for per-context detection#4
split merged 7 commits into
mainfrom
feat/hierarchical-lockfile-snapshots

Conversation

@split

@split split commented Mar 30, 2026

Copy link
Copy Markdown
Owner

Summary

This PR changes the LockfileSnapshot type from a flat Map<name, version> to a hierarchical Map<context, Map<name, version>> to preserve per-importer/package resolution.

Breaking Change

The LockfileSnapshot and LockfileDiff types have been updated:

  • Before: Map<string, string> (name → version)
  • After: Map<string, Map<string, string>> (context → name → version)

This enables detecting changes in specific workspace packages even when the same package exists elsewhere with a different version.

Changes

  • Core types: New hierarchical snapshot format with ContextDiff
  • Diff logic: Compares per-context instead of globally
  • Parsers:
    • pnpm: Uses YAML parsing directly, extracts importers as contexts
    • bun: Uses JSONC parsing, extracts workspaces as contexts
    • npm: Groups packages under root context (package-lock.json format limitation)
    • yarn: Uses YAML parsing directly, extracts workspace packages as contexts (Yarn Berry v2+ only)
  • Tests: Added E2E tests for all 4 package managers

Backwards Compatibility Note

  • Yarn v1 (classic) support has been dropped. Yarn Berry (v2+) uses a YAML-based format that enables per-workspace detection.
  • The ALL_DEPENDENCY_TYPES export has been renamed to allDependencyTypes for consistency.

Why this matters

Previously, if @foo/bar changed from 3.984.0 → 3.1010.0 in package-b, but version 3.989.0 already existed elsewhere in the lockfile, the parser would store 3.989.0 (first encountered) for both before and after, making the diff see no change. Now each importer's dependencies are tracked separately.

@split split force-pushed the feat/hierarchical-lockfile-snapshots branch 3 times, most recently from 3234367 to 4a7bd88 Compare March 30, 2026 22:35
BREAKING CHANGE: LockfileSnapshot type changed from Map<name, version>
to Map<context, Map<name, version>> to preserve per-importer/package
resolution. This enables detecting changes in specific workspace
packages even when the same package exists elsewhere with a different
version.

- Core types updated with new LockfileSnapshot and LockfileDiff formats
- Diff logic updated to compare per-context
- Affected resolution updated for new diff format
- Parsers updated: pnpm (YAML), bun (JSONC), npm (direct JSON)
- npm parser now extracts per-workspace dependencies
- Added E2E tests for all 4 package managers
- Added per-importer detection test
- pnpm parser now properly handles multiple importers
@split split force-pushed the feat/hierarchical-lockfile-snapshots branch from 4a7bd88 to b92ce3f Compare March 30, 2026 22:43
split added 6 commits March 31, 2026 08:39
- Add missing parser adapter tests (format, lockfileNames, delegation)
- Add empty lockfile handling tests for all parsers
- Add multi-context extraction tests for npm, bun, pnpm
- Add scoped package test for npm parser
- Fix npm fixtures to include nested node_modules entries
- Fix bun fixtures to include workspace declarations
- Add deep transitive chain (4+ levels) E2E fixture and test
- Add diamond dependency test
- Add cycle handling tests (mutual, long, self-reference)
- Update README with warning and development note
ESLint complains about async functions without await. These parsers
use synchronous JSON/YAML parsing, so returning Promise.resolve() is cleaner.
- Rewrite Yarn parser to use YAML directly instead of lockparse
- Convert yarn-transitive fixtures to Yarn Berry format
- Drop support for Yarn v1 lockfiles (incompatible with YAML parsing)
- Remove lockparse dependency, use yaml package instead
- Add yarn-berry-research fixtures for format exploration
- Create deep-chain fixtures (4-level transitive dependency) for npm, yarn, bun
- Create diamond dependency fixtures for all 4 package managers (pnpm, npm, yarn, bun)
- Parameterize E2E tests to run for all formats
- Keep per-importer detection test pnpm-only (pnpm-specific feature)
@split split merged commit c803ac7 into main Mar 31, 2026
3 checks passed
@split split deleted the feat/hierarchical-lockfile-snapshots branch March 31, 2026 06:30
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant