@merna/unhoist

A merna cli to undo hoisting on a given package-lock.json, reconstructing it using only the root package-lock.json and local packages' package-lock.jsons.

A tree roughly inspired by npm/arborist (the package used to construct and act on package-lock.json files) is used to update and prune dependencies.

A high level view of the algorithm used:

• Check for dependencies in the package.json that are not at the top level of the package-lock.json
• Add all missing remote, top level dependencies to the package-lock.json
• Add all missing local (to the repo) dependencies using their package-lock.json files recursively unhoisted using the above logic
• Parse the current temp lockfile into a tree and evaluate every entry in the requires map, adding each to the highest possible level in the tree and checking semver requirements. Each entry is copied from the root package-lock.json. This is naive and results in a ton of duplication.
• Parse the tree to prune all duplicate dependencies. Every identical dependency in lower levels of the tree that's provided in higher levels is removed
• Dehydrate the tree into the final lockfile