(node)
| 70 | // entry. Same trust rules as versionedKeyFor — returns `null` rather than |
| 71 | // falling back to tarball-controlled fields. |
| 72 | const nameKeyFor = (node) => { |
| 73 | if (!node) { |
| 74 | return null |
| 75 | } |
| 76 | const resolved = primaryResolvedSource(node) |
| 77 | if (resolved.startsWith('git')) { |
| 78 | try { |
| 79 | const parsed = npa(resolved) |
| 80 | if (parsed.hosted) { |
| 81 | return parsed.hosted.shortcut({ noCommittish: true }) |
| 82 | } |
| 83 | } catch { |
| 84 | /* istanbul ignore next: npa already parsed this string in keyTargetsNode */ |
| 85 | return null |
| 86 | } |
| 87 | return null |
| 88 | } |
| 89 | if (resolved.startsWith('file:') || resolved.startsWith('/')) { |
| 90 | return resolved |
| 91 | } |
| 92 | // Registry deps: only the URL-derived (or edges-derived, in the |
| 93 | // omit-lockfile case) trusted name is acceptable. |
| 94 | const trusted = getTrustedRegistryIdentity(node) |
| 95 | return trusted ? trusted.name : null |
| 96 | } |
| 97 | |
| 98 | const isSingleVersionPin = (key) => { |
| 99 | try { |
no test coverage detected
searching dependent graphs…