lockfile-subset

v1.2.1

Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified packages and their transitive dependencies

Downloads

699

Readme

lockfile-subset

Extract a subset of package-lock.json, pnpm-lock.yaml, or yarn.lock for specified packages and their transitive dependencies.

Why?

When using bundlers like esbuild with --external, you need to ship those external packages separately (e.g., in a Docker multi-stage build or Lambda layer). Getting the exact right set of dependencies is surprisingly hard:

| Approach | Problem |
|---|---|
| Manually copy node_modules dirs | Breaks when transitive deps change (e.g., Prisma v6 added new deps) |
| npm install <pkg> in runner stage | Resolves versions independently — may differ from your lockfile |
| npm ci --omit=dev | Installs all prod dependencies, not just the ones you need |
| pnpm deploy | Only works with workspaces, not arbitrary packages |

lockfile-subset solves this by extracting a precise subset from your existing lockfile — only the packages you specify and their transitive dependencies, with versions exactly matching the original lockfile.

Install

npm install -g lockfile-subset
# or use directly with npx
npx lockfile-subset

Usage

# Extract @prisma/client and sharp with their transitive deps
lockfile-subset @prisma/client sharp

# Specify output directory
lockfile-subset @prisma/client sharp -o /standalone

# Use a different lockfile path
lockfile-subset @prisma/client sharp -l /build/package-lock.json

# Use a pnpm lockfile
lockfile-subset @prisma/client sharp -l pnpm-lock.yaml

# Use a yarn lockfile
lockfile-subset @prisma/client sharp -l yarn.lock

# Generate + install in one step
lockfile-subset @prisma/client sharp -o /standalone --install

# Preview without writing files
lockfile-subset chalk --dry-run

The lockfile type (npm, pnpm, or yarn) is auto-detected from the project directory.

Running the command generates a minimal package.json and lockfile in the output directory. Then run npm ci, pnpm install --frozen-lockfile, or yarn install --frozen-lockfile to install exactly those packages.

Dockerfile example

# === Builder ===
FROM node AS builder
WORKDIR /build
COPY package*.json ./
RUN npm ci

COPY . .
RUN npx esbuild src/index.ts --bundle --outdir=dist \
    --external:@prisma/client --external:sharp

# Generate subset lockfile + install
RUN npx lockfile-subset @prisma/client sharp \
    -o /standalone --install

# === Runner ===
FROM node AS runner
WORKDIR /app

# Only the packages you need, at exact lockfile versions
COPY --from=builder /standalone/node_modules ./node_modules
COPY --from=builder /build/dist ./dist

CMD ["node", "dist/index.js"]

Options

Run lockfile-subset --help for the full list of options.

How it works

  1. Loads your lockfile (package-lock.json via @npmcli/arborist, pnpm-lock.yaml, or yarn.lock directly)
  2. Starting from the specified packages, walks the dependency tree via BFS to collect all transitive dependencies
  3. Copies the matching entries from the original lockfile — no re-resolution, no version drift
  4. Outputs a minimal package.json + lockfile ready for npm ci, pnpm install --frozen-lockfile, or yarn install --frozen-lockfile

Dev dependencies of each package are excluded from traversal. Optional dependencies are included by default (use --no-optional to exclude).

Supported lockfile formats

| Package manager | Lockfile | Supported versions |
|---|---|---|
| npm | package-lock.json | v2 (npm 7-8), v3 (npm 9+) |
| pnpm | pnpm-lock.yaml | v9 (pnpm 9-10) |
| yarn | yarn.lock | v1 (Classic), v2+ (Berry) |

Limitations

  • Platform-specific optional deps — Packages like sharp have OS/arch-specific optional dependencies (e.g., @img/sharp-linux-x64). If your lockfile was generated on macOS but you run npm ci on Linux (e.g., in Docker), those Linux-specific packages may be missing from the lockfile. In that case, generate the lockfile on the target platform, or use npm install instead of npm ci. Unlike npm ci, npm install is allowed to rewrite the lockfile, so regenerating the lockfile on the target platform is the option that keeps the install tied to locked versions.
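
The walk described under "How it works", together with the missing optional dependency case from the limitation above, as an added example that is not lockfile-subset's own code (the tool loads package-lock.json through @npmcli/arborist). It assumes the package-lock.json v3 `packages` map and ignores peer dependencies and workspace links; `resolve`, `subsetLock` and the sample lockfile are hypothetical names and constructed data.

```javascript
// Constructed sample in package-lock.json v3 shape; names and versions are made up.
const lock = { lockfileVersion: 3, packages: {
  "": { name: "app", dependencies: { a: "^1.0.0", c: "^2.0.0", e: "^1.0.0" } },
  "node_modules/a": { version: "1.0.0", dependencies: { b: "^1.0.0", c: "^1.0.0" },
    devDependencies: { d: "^1.0.0" }, // present only to show that it is skipped
    optionalDependencies: { "a-linux-x64": "1.0.0", "a-darwin-arm64": "1.0.0" } },
  "node_modules/a/node_modules/c": { version: "1.5.0" },
  "node_modules/a-darwin-arm64": { version: "1.0.0", optional: true, os: ["darwin"] },
  "node_modules/b": { version: "1.0.0", dependencies: { c: "^2.0.0" } },
  "node_modules/c": { version: "2.0.0" },
  "node_modules/d": { version: "1.0.0", dev: true },
  "node_modules/e": { version: "1.0.0" },
} };

// Node-style lookup: the dependent's own node_modules first, then each ancestor's.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  while (true) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// BFS from the requested roots; entries are copied verbatim, never re-resolved.
function subsetLock(lock, roots, { optional = true } = {}) {
  const picked = {}, missingOptional = [], queue = [];
  for (const name of roots) {
    const found = resolve(lock.packages, "", name);
    if (!found) throw new Error(`${name} is not in the lockfile`);
    queue.push(found);
  }
  while (queue.length) {
    const path = queue.shift();
    if (picked[path]) continue;
    const entry = (picked[path] = lock.packages[path]);
    const opt = optional ? entry.optionalDependencies || {} : {};
    // entry.devDependencies is deliberately not traversed.
    for (const name of Object.keys({ ...entry.dependencies, ...opt })) {
      const dep = resolve(lock.packages, path, name);
      if (dep) queue.push(dep);
      else if (name in opt) missingOptional.push(`${path} -> ${name}`);
      else throw new Error(`${path} requires ${name}, which the lockfile lacks`);
    }
  }
  return { packages: picked, missingOptional };
}
```

A non-empty `missingOptional` on the build host is the signal that the lockfile names a platform-specific package it has no entry for, which is the situation the limitation above describes.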

License

MIT