package lock

v0.1.0

This package is not in the latest version of its module.
Published: May 13, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

Package lock reads and writes pin.lock as a CycloneDX 1.6 BOM.

The in-memory model (Lock, Asset) is flat — one Asset per vendored file. CycloneDX nesting (one library component per package, file components nested under each) is a serialisation detail handled by Read and Write.
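The flat model versus nested serialisation, as an added example that is not the lock package's own Read or Write code: Nest folds a list of per-file assets into one library component per package with file components nested underneath, and Flatten recovers the flat list. The asset and component types are reduced stand-ins for lock.Asset and a CycloneDX component (only the fields needed for nesting are modelled; hashes, sizes and the rest of the BOM are left out), and the sample package names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// asset carries only the subset of lock.Asset fields this example needs.
type asset struct {
	Name    string
	Version string
	PURL    string
	Path    string
}

// component is a deliberately minimal CycloneDX component: the JSON keys
// follow the CycloneDX schema, but only what nesting requires is modelled.
type component struct {
	Type       string      `json:"type"`
	BomRef     string      `json:"bom-ref,omitempty"`
	Name       string      `json:"name"`
	Version    string      `json:"version,omitempty"`
	PURL       string      `json:"purl,omitempty"`
	Components []component `json:"components,omitempty"`
}

// packageKey identifies the library component a file belongs to. The PURL is
// preferred; name@version is the fallback for assets that have none.
func packageKey(a asset) string {
	if a.PURL != "" {
		return a.PURL
	}
	return a.Name + "@" + a.Version
}

// Nest folds the flat per-file model into one library component per package
// with its files nested underneath. Output order is deterministic so that an
// unchanged lock re-serialises byte-for-byte identically.
func Nest(assets []asset) []component {
	groups := map[string]*component{}
	for _, a := range assets {
		key := packageKey(a)
		lib, ok := groups[key]
		if !ok {
			lib = &component{Type: "library", BomRef: key, Name: a.Name, Version: a.Version, PURL: a.PURL}
			groups[key] = lib
		}
		lib.Components = append(lib.Components, component{Type: "file", BomRef: key + "#" + a.Path, Name: a.Path})
	}
	keys := make([]string, 0, len(groups))
	for k := range groups {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]component, 0, len(keys))
	for _, k := range keys {
		lib := groups[k]
		sort.Slice(lib.Components, func(i, j int) bool { return lib.Components[i].Name < lib.Components[j].Name })
		out = append(out, *lib)
	}
	return out
}

// Flatten is the inverse: it walks the nested components and recovers the
// flat list that the rest of a program would work with after a Read.
func Flatten(libs []component) []asset {
	var out []asset
	for _, lib := range libs {
		for _, f := range lib.Components {
			if f.Type != "file" {
				continue // anything that is not a vendored file is ignored
			}
			out = append(out, asset{Name: lib.Name, Version: lib.Version, PURL: lib.PURL, Path: f.Name})
		}
	}
	return out
}

func main() {
	// Constructed sample: two files from one package, one from another.
	assets := []asset{
		{Name: "example-lib", Version: "1.2.3", PURL: "pkg:npm/example-lib@1.2.3", Path: "dist/lib.min.js"},
		{Name: "example-lib", Version: "1.2.3", PURL: "pkg:npm/example-lib@1.2.3", Path: "dist/lib.js"},
		{Name: "example-css", Version: "0.1.0", PURL: "pkg:npm/example-css@0.1.0", Path: "example.css"},
	}
	bom := map[string]any{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": Nest(assets)}
	b, _ := json.MarshalIndent(bom, "", "  ")
	fmt.Println(string(b))
}
```

Sorting by package key and then by file name is what makes the lockfile diff-friendly: two runs over the same vendored tree produce the same bytes, so any change in the serialised BOM is a real change in the inputs.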

Constants

const MaxLockfileBytes = 16 << 20

MaxLockfileBytes is a DoS-prevention cap. A 1000-file monorepo lockfile stays under 1 MiB; 16 MiB is the comfortable upper bound.
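How a cap like MaxLockfileBytes is enforced, as an added example that is not the package's own Read: ReadBounded reads at most limit+1 bytes through io.LimitReader, so an oversized or hostile input is rejected without ever being buffered in full. The local maxLockfileBytes constant mirrors the value on this page, and zeroReader is a constructed endless input standing in for a file of unbounded size.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxLockfileBytes mirrors lock.MaxLockfileBytes (16 MiB).
const maxLockfileBytes = 16 << 20

// ErrLockfileTooLarge is returned when the input exceeds the cap.
var ErrLockfileTooLarge = errors.New("lockfile exceeds size cap")

// ReadBounded reads at most limit bytes from r. It asks for limit+1 bytes so
// it can tell "exactly limit" (allowed) from "more than limit" (rejected)
// while never holding more than limit+1 bytes in memory.
func ReadBounded(r io.Reader, limit int64) ([]byte, error) {
	if limit < 0 {
		return nil, errors.New("negative limit")
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrLockfileTooLarge
	}
	return data, nil
}

// zeroReader is an endless stream of zero bytes: a constructed stand-in for
// an arbitrarily large input that is never allocated up front.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

func main() {
	// Constructed inputs: a small document, and an input with no end.
	small := bytes.NewReader([]byte(`{"bomFormat":"CycloneDX","specVersion":"1.6"}`))
	if data, err := ReadBounded(small, maxLockfileBytes); err == nil {
		fmt.Printf("accepted %d bytes\n", len(data))
	}
	if _, err := ReadBounded(zeroReader{}, maxLockfileBytes); errors.Is(err, ErrLockfileTooLarge) {
		fmt.Println("rejected:", err)
	}
}
```

The cap must be applied before any decoding starts; a JSON decoder handed an unbounded reader would happily allocate for as long as the input keeps coming, which is exactly the DoS the constant is there to prevent.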

const Version = 1

Variables

This section is empty.

Functions

func Write

func Write(w io.Writer, l *Lock, toolName, toolVersion string) error

Types

type Asset

type Asset struct {
	Name             string
	Version          string
	PURL             string
	Type             string
	Format           string
	Path             string
	Out              string
	URL              string
	Integrity        string
	Size             int64
	PackageIntegrity string
	License          string
	// Repository is the package's *declared* repository URL. NOT to
	// be conflated with Attestation.SourceRepository (the repo the
	// attestation says the build came from); the
	// publisher-matches-repository check compares the two.
	Repository  string
	Attestation *Attestation
}

type AssetType

type AssetType string
const (
	TypeScript AssetType = "script"
	TypeStyle  AssetType = "style"
	TypeFont   AssetType = "font"
	TypeImage  AssetType = "image"
	TypeWASM   AssetType = "wasm"
	TypeMap    AssetType = "map"
	TypeOther  AssetType = "other"
)

func ClassifyType

func ClassifyType(p string) AssetType

type Attestation

type Attestation struct {
	PredicateType    string
	BuilderID        string
	SourceRepository string
	SourceRevision   string
	SignerIdentity   string
	BundleURL        string
}

Attestation holds SLSA Provenance v1 identity fields. Cryptographic verification of the underlying bundle is gated separately on --verify-provenance.
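The publisher-matches-repository check that the Asset.Repository comment refers to, as an added example that is not the lock package's own implementation: it compares the package's declared repository with the Attestation.SourceRepository the provenance names. The asset and attestation types are reduced stand-ins for lock.Asset and lock.Attestation, and the canonicalisation rules (scheme, "git+" prefix, ".git" suffix, trailing slash, host case, scp-style "git@host:owner/name") are an assumption about what counts as a cosmetic difference; the sample repositories are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// attestation mirrors the one lock.Attestation field this check reads.
type attestation struct {
	SourceRepository string
}

// asset mirrors the lock.Asset fields involved in the check.
type asset struct {
	Name        string
	Repository  string // the package's *declared* repository URL
	Attestation *attestation
}

// ErrRepoMismatch is returned when the two repository references disagree.
var ErrRepoMismatch = errors.New("declared repository does not match attested source repository")

// canonicalRepo reduces a repository reference to "host/owner/name" so that
// cosmetic differences do not produce false mismatches. The path keeps its
// case: treating "Foo/bar" and "foo/bar" as equal is only safe on hosts known
// to be case-insensitive, so this deliberately errs toward a mismatch.
func canonicalRepo(raw string) (string, error) {
	s := strings.TrimPrefix(strings.TrimSpace(raw), "git+")
	if !strings.Contains(s, "://") {
		// scp-style "user@host:path" has no scheme; rewrite it as an ssh URL.
		if at := strings.Index(s, "@"); at >= 0 {
			rest := s[at+1:]
			if colon := strings.Index(rest, ":"); colon > 0 && !strings.Contains(rest[:colon], "/") {
				s = "ssh://" + rest[:colon] + "/" + rest[colon+1:]
			}
		}
		if !strings.Contains(s, "://") {
			s = "https://" + s
		}
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	path := strings.TrimSuffix(strings.Trim(u.Path, "/"), ".git")
	if host == "" || path == "" {
		return "", fmt.Errorf("not a repository reference: %q", raw)
	}
	return host + "/" + path, nil
}

// CheckPublisherMatchesRepository compares what the package declares about
// itself with what the attestation says the build came from. It does not
// verify the attestation bundle itself; that is a separate step.
func CheckPublisherMatchesRepository(a asset) error {
	if a.Attestation == nil {
		return fmt.Errorf("%s: no attestation to compare against", a.Name)
	}
	declared, err := canonicalRepo(a.Repository)
	if err != nil {
		return fmt.Errorf("%s: declared repository: %w", a.Name, err)
	}
	attested, err := canonicalRepo(a.Attestation.SourceRepository)
	if err != nil {
		return fmt.Errorf("%s: attested repository: %w", a.Name, err)
	}
	if declared != attested {
		return fmt.Errorf("%s: %w (declared %s, attested %s)", a.Name, ErrRepoMismatch, declared, attested)
	}
	return nil
}

func main() {
	// Constructed sample: one asset whose references agree, one whose do not.
	ok := asset{Name: "example-lib", Repository: "git+https://github.com/example-org/example-lib.git",
		Attestation: &attestation{SourceRepository: "https://github.com/example-org/example-lib"}}
	bad := asset{Name: "example-other", Repository: "https://github.com/example-org/example-other",
		Attestation: &attestation{SourceRepository: "https://github.com/someone-else/example-other"}}
	for _, a := range []asset{ok, bad} {
		if err := CheckPublisherMatchesRepository(a); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("ok:  ", a.Name)
		}
	}
}
```

This comparison is only as trustworthy as the attestation it reads from: without the cryptographic verification that the page says is gated on --verify-provenance, SourceRepository is just another string the artifact's producer chose, so the check catches declared-versus-attested drift but cannot on its own establish where the build came from.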

type Changes

type Changes struct {
	Added     []Asset
	Updated   []Asset
	Removed   []Asset
	Unchanged []Asset
}

func Diff

func Diff(prev, next *Lock) Changes

type Lock

type Lock struct {
	LockfileVersion int
	GeneratedBy     string
	OutDir          string
	Assets          []Asset
}

func Read

func Read(r io.Reader) (*Lock, error)
