feat: improve lockfile v4 to store normalized version constraints and be more terse (#25247)

Stores normalized version constraints in the lockfile, which will
improve reproducibility and will fix a bug with duplicate specifiers
ending up in the lockfile. Also, gets rid of some duplicate data in the
specifiers area of the lockfile.

Cargo.lock

@@ -750,6 +750,7 @@ dependencies = [
  "deno_core",
  "deno_fetch",
  "deno_lockfile",
+ "deno_semver",
  "deno_terminal 0.2.0",
  "deno_tls",
  "deno_tower_lsp",
@@ -1734,10 +1735,11 @@ dependencies = [
 
 [[package]]
 name = "deno_lockfile"
-version = "0.22.0"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92d4e132d2930cf5fbbec8323f4ac98952ca3d1c4ff74d770bbdd7c2588b1783"
+checksum = "fb68a4a666c69eabd8fe505d6fdc4ed4a2d962fe1680dbfa8b0c8a2975d58ed0"
 dependencies = [
+ "deno_semver",
  "serde",
  "serde_json",
  "thiserror",
@@ -1882,9 +1884,9 @@ dependencies = [
 
 [[package]]
 name = "deno_npm"
-version = "0.24.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cafaa830cea11b37ad838ed9508c9cc00ac0235fdd42b3b31aa74d5cd6fe3d92"
+checksum = "efb2dd7efaf478d780a6ca43e6127667d5329ed9a5ff89f42cec0dc21ee58342"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2008,9 +2010,9 @@ dependencies = [
 
 [[package]]
 name = "deno_semver"
-version = "0.5.10"
+version = "0.5.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56feaf035e29320d11adf89eafa14f5447d3089deb1ce7de61ba7969195f5ff1"
+checksum = "eef522937758930b9d6897631fa94bc69bcbbe78613c939ab2054ca96191afbd"
 dependencies = [
  "monch",
  "once_cell",
@@ -2817,9 +2819,9 @@ dependencies = [
 
 [[package]]
 name = "eszip"
-version = "0.76.0"
+version = "0.77.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b3a54eb4f58493897fc2627e76e6714c9b52c84213c923ab1601a5daf722b00"
+checksum = "d14989a45cef01c2dd79546bec3c392a7bbb3e9928bbf71acae5551bb4e71be9"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -3788,15 +3790,16 @@ dependencies = [
 
 [[package]]
 name = "import_map"
-version = "0.20.0"
+version = "0.20.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "373b8288ad259df0d1314e3e8b2fff0e5e63f22e01bc54ecd2c3c7ad77b9200c"
+checksum = "351a787decc56f38d65d16d32687265045d6d6a4531b4a0e1b649def3590354e"
 dependencies = [
  "indexmap",
  "log",
  "percent-encoding",
  "serde",
  "serde_json",
+ "thiserror",
  "url",
 ]
 

Cargo.toml

@@ -48,10 +48,11 @@ deno_ast = { version = "=0.41.2", features = ["transpiling"] }
 deno_core = { version = "0.306.0" }
 
 deno_bench_util = { version = "0.160.0", path = "./bench_util" }
-deno_lockfile = "=0.22.0"
+deno_lockfile = "=0.23.0"
 deno_media_type = { version = "0.1.4", features = ["module_specifier"] }
 deno_permissions = { version = "0.26.0", path = "./runtime/permissions" }
 deno_runtime = { version = "0.175.0", path = "./runtime" }
+deno_semver = "=0.5.12"
 deno_terminal = "0.2.0"
 napi_sym = { version = "0.96.0", path = "./cli/napi/sym" }
 test_util = { package = "test_server", path = "./tests/util/server" }

cli/Cargo.toml

@@ -72,13 +72,13 @@ deno_emit = "=0.44.0"
 deno_graph = { version = "=0.81.3" }
 deno_lint = { version = "=0.63.1", features = ["docs"] }
 deno_lockfile.workspace = true
-deno_npm = "=0.24.0"
+deno_npm = "=0.25.0"
 deno_package_json.workspace = true
 deno_runtime = { workspace = true, features = ["include_js_files_for_snapshotting"] }
-deno_semver = "=0.5.10"
+deno_semver.workspace = true
 deno_task_shell = "=0.17.0"
 deno_terminal.workspace = true
-eszip = "=0.76.0"
+eszip = "=0.77.0"
 libsui = "0.3.0"
 napi_sym.workspace = true
 node_resolver.workspace = true
@@ -115,7 +115,7 @@ http.workspace = true
 http-body.workspace = true
 http-body-util.workspace = true
 hyper-util.workspace = true
-import_map = { version = "=0.20.0", features = ["ext"] }
+import_map = { version = "=0.20.1", features = ["ext"] }
 indexmap.workspace = true
 jsonc-parser.workspace = true
 jupyter_runtime = { package = "runtimelib", version = "=0.14.0" }

cli/args/lockfile.rs

@@ -1,6 +1,6 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
-use std::collections::BTreeSet;
+use std::collections::HashSet;
 use std::path::PathBuf;
 
 use deno_config::deno_json::ConfigFile;
@@ -12,6 +12,7 @@ use deno_core::parking_lot::MutexGuard;
 use deno_lockfile::WorkspaceMemberConfig;
 use deno_package_json::PackageJsonDepValue;
 use deno_runtime::deno_node::PackageJson;
+use deno_semver::jsr::JsrDepPackageReq;
 
 use crate::cache;
 use crate::util::fs::atomic_write_file_with_retries;
@@ -98,7 +99,9 @@ impl CliLockfile {
     flags: &Flags,
     workspace: &Workspace,
   ) -> Result<Option<CliLockfile>, AnyError> {
-    fn pkg_json_deps(maybe_pkg_json: Option<&PackageJson>) -> BTreeSet<String> {
+    fn pkg_json_deps(
+      maybe_pkg_json: Option<&PackageJson>,
+    ) -> HashSet<JsrDepPackageReq> {
       let Some(pkg_json) = maybe_pkg_json else {
         return Default::default();
       };
@@ -107,21 +110,21 @@ impl CliLockfile {
         .values()
         .filter_map(|dep| dep.as_ref().ok())
         .filter_map(|dep| match dep {
-          PackageJsonDepValue::Req(req) => Some(req),
+          PackageJsonDepValue::Req(req) => {
+            Some(JsrDepPackageReq::npm(req.clone()))
+          }
           PackageJsonDepValue::Workspace(_) => None,
         })
-        .map(|r| format!("npm:{}", r))
         .collect()
     }
 
     fn deno_json_deps(
       maybe_deno_json: Option<&ConfigFile>,
-    ) -> BTreeSet<String> {
+    ) -> HashSet<JsrDepPackageReq> {
       maybe_deno_json
         .map(|c| {
           crate::args::deno_json::deno_json_deps(c)
             .into_iter()
-            .map(|req| req.to_string())
             .collect()
         })
         .unwrap_or_default()
@@ -207,6 +210,7 @@ impl CliLockfile {
 
     Ok(Some(lockfile))
   }
+
   pub fn read_from_path(
     file_path: PathBuf,
     frozen: bool,

cli/graph_util.rs

@@ -44,10 +44,13 @@ use deno_graph::SpecifierError;
 use deno_runtime::deno_fs::FileSystem;
 use deno_runtime::deno_node;
 use deno_runtime::deno_permissions::PermissionsContainer;
+use deno_semver::jsr::JsrDepPackageReq;
 use deno_semver::package::PackageNv;
-use deno_semver::package::PackageReq;
+use deno_semver::Version;
 use import_map::ImportMapError;
 use std::collections::HashSet;
+use std::error::Error;
+use std::ops::Deref;
 use std::path::PathBuf;
 use std::sync::Arc;
 
@@ -110,7 +113,7 @@ pub fn graph_valid(
         ModuleGraphError::ModuleError(error) => {
           enhanced_lockfile_error_message(error)
             .or_else(|| enhanced_sloppy_imports_error_message(fs, error))
-            .unwrap_or_else(|| format!("{}", error))
+            .unwrap_or_else(|| format_deno_graph_error(error))
         }
       };
 
@@ -164,7 +167,10 @@ pub fn graph_valid(
   } else {
     // finally surface the npm resolution result
     if let Err(err) = &graph.npm_dep_graph_result {
-      return Err(custom_error(get_error_class_name(err), format!("{}", err)));
+      return Err(custom_error(
+        get_error_class_name(err),
+        format_deno_graph_error(err.as_ref().deref()),
+      ));
     }
     Ok(())
   }
@@ -463,7 +469,7 @@ impl ModuleGraphBuilder {
           .content
           .packages
           .jsr
-          .get(&package_nv.to_string())
+          .get(package_nv)
           .map(|s| LoaderChecksum::new(s.integrity.clone()))
       }
 
@@ -477,7 +483,7 @@ impl ModuleGraphBuilder {
         self
           .0
           .lock()
-          .insert_package(package_nv.to_string(), checksum.into_string());
+          .insert_package(package_nv.clone(), checksum.into_string());
       }
     }
 
@@ -556,16 +562,21 @@ impl ModuleGraphBuilder {
             }
           }
         }
-        for (key, value) in &lockfile.content.packages.specifiers {
-          if let Some(key) = key
-            .strip_prefix("jsr:")
-            .and_then(|key| PackageReq::from_str(key).ok())
-          {
-            if let Some(value) = value
-              .strip_prefix("jsr:")
-              .and_then(|value| PackageNv::from_str(value).ok())
-            {
-              graph.packages.add_nv(key, value);
+        for (req_dep, value) in &lockfile.content.packages.specifiers {
+          match req_dep.kind {
+            deno_semver::package::PackageKind::Jsr => {
+              if let Ok(version) = Version::parse_standard(value) {
+                graph.packages.add_nv(
+                  req_dep.req.clone(),
+                  PackageNv {
+                    name: req_dep.req.name.clone(),
+                    version,
+                  },
+                );
+              }
+            }
+            deno_semver::package::PackageKind::Npm => {
+              // ignore
             }
           }
         }
@@ -603,16 +614,15 @@ impl ModuleGraphBuilder {
         if has_jsr_package_mappings_changed {
           for (from, to) in graph.packages.mappings() {
             lockfile.insert_package_specifier(
-              format!("jsr:{}", from),
-              format!("jsr:{}", to),
+              JsrDepPackageReq::jsr(from.clone()),
+              to.version.to_string(),
             );
           }
         }
         // jsr packages
         if has_jsr_package_deps_changed {
-          for (name, deps) in graph.packages.packages_with_deps() {
-            lockfile
-              .add_package_deps(&name.to_string(), deps.map(|s| s.to_string()));
+          for (nv, deps) in graph.packages.packages_with_deps() {
+            lockfile.add_package_deps(nv, deps.cloned());
           }
         }
       }
@@ -726,7 +736,7 @@ pub fn error_for_any_npm_specifier(
 
 /// Adds more explanatory information to a resolution error.
 pub fn enhanced_resolution_error_message(error: &ResolutionError) -> String {
-  let mut message = format!("{error}");
+  let mut message = format_deno_graph_error(error);
 
   if let Some(specifier) = get_resolution_error_bare_node_specifier(error) {
     if !*DENO_DISABLE_PEDANTIC_NODE_WARNINGS {
@@ -1022,6 +1032,49 @@ impl deno_graph::source::JsrUrlProvider for CliJsrUrlProvider {
   }
 }
 
+// todo(dsherret): We should change ModuleError to use thiserror so that
+// we don't need to do this.
+fn format_deno_graph_error(err: &dyn Error) -> String {
+  use std::fmt::Write;
+
+  let mut message = format!("{}", err);
+  let mut maybe_source = err.source();
+
+  if maybe_source.is_some() {
+    let mut past_message = message.clone();
+    let mut count = 0;
+    let mut display_count = 0;
+    while let Some(source) = maybe_source {
+      let current_message = format!("{}", source);
+      maybe_source = source.source();
+
+      // sometimes an error might be repeated due to
+      // being boxed multiple times in another AnyError
+      if current_message != past_message {
+        write!(message, "\n    {}: ", display_count,).unwrap();
+        for (i, line) in current_message.lines().enumerate() {
+          if i > 0 {
+            write!(message, "\n       {}", line).unwrap();
+          } else {
+            write!(message, "{}", line).unwrap();
+          }
+        }
+        display_count += 1;
+      }
+
+      if count > 8 {
+        write!(message, "\n    {}: ...", count).unwrap();
+        break;
+      }
+
+      past_message = current_message;
+      count += 1;
+    }
+  }
+
+  message
+}
+
 #[cfg(test)]
 mod test {
   use std::sync::Arc;

cli/lsp/documents.rs

@@ -1410,11 +1410,9 @@ impl Documents {
       if let Some(lockfile) = config_data.lockfile.as_ref() {
         let reqs = npm_reqs_by_scope.entry(Some(scope.clone())).or_default();
         let lockfile = lockfile.lock();
-        for key in lockfile.content.packages.specifiers.keys() {
-          if let Some(key) = key.strip_prefix("npm:") {
-            if let Ok(req) = PackageReq::from_str(key) {
-              reqs.insert(req);
-            }
+        for dep_req in lockfile.content.packages.specifiers.keys() {
+          if dep_req.kind == deno_semver::package::PackageKind::Npm {
+            reqs.insert(dep_req.req.clone());
           }
         }
       }

cli/lsp/jsr.rs

@@ -92,20 +92,23 @@ impl JsrCacheResolver {
       }
     }
     if let Some(lockfile) = config_data.and_then(|d| d.lockfile.as_ref()) {
-      for (req_url, nv_url) in &lockfile.lock().content.packages.specifiers {
-        let Some(req) = req_url.strip_prefix("jsr:") else {
+      for (dep_req, version) in &lockfile.lock().content.packages.specifiers {
+        let req = match dep_req.kind {
+          deno_semver::package::PackageKind::Jsr => &dep_req.req,
+          deno_semver::package::PackageKind::Npm => {
+            continue;
+          }
+        };
+        let Ok(version) = Version::parse_standard(version) else {
           continue;
         };
-        let Some(nv) = nv_url.strip_prefix("jsr:") else {
-          continue;
-        };
-        let Ok(req) = PackageReq::from_str(req) else {
-          continue;
-        };
-        let Ok(nv) = PackageNv::from_str(nv) else {
-          continue;
-        };
-        nv_by_req.insert(req, Some(nv));
+        nv_by_req.insert(
+          req.clone(),
+          Some(PackageNv {
+            name: req.name.clone(),
+            version,
+          }),
+        );
       }
     }
     Self {

cli/npm/managed/mod.rs

@@ -406,8 +406,7 @@ impl ManagedCliNpmResolver {
       }
     }
     if result.dependencies_result.is_ok() {
-      result.dependencies_result =
-        self.cache_packages().await.map_err(AnyError::from);
+      result.dependencies_result = self.cache_packages().await;
     }
 
     result

cli/npm/managed/resolution.rs

@@ -22,6 +22,7 @@ use deno_npm::NpmPackageCacheFolderId;
 use deno_npm::NpmPackageId;
 use deno_npm::NpmResolutionPackage;
 use deno_npm::NpmSystemInfo;
+use deno_semver::jsr::JsrDepPackageReq;
 use deno_semver::package::PackageNv;
 use deno_semver::package::PackageReq;
 use deno_semver::VersionReq;
@@ -329,16 +330,10 @@ fn populate_lockfile_from_snapshot(
 ) {
   let mut lockfile = lockfile.lock();
   for (package_req, nv) in snapshot.package_reqs() {
+    let id = &snapshot.resolve_package_from_deno_module(nv).unwrap().id;
     lockfile.insert_package_specifier(
-      format!("npm:{}", package_req),
-      format!(
-        "npm:{}",
-        snapshot
-          .resolve_package_from_deno_module(nv)
-          .unwrap()
-          .id
-          .as_serialized()
-      ),
+      JsrDepPackageReq::npm(package_req.clone()),
+      format!("{}{}", id.nv.version, id.peer_deps_serialized()),
     );
   }
   for package in snapshot.all_packages_for_every_system() {

tests/Cargo.toml

@@ -41,6 +41,7 @@ deno_cache_dir = { workspace = true }
 deno_core = { workspace = true, features = ["include_js_files_for_snapshotting", "unsafe_use_unprotected_platform"] }
 deno_fetch.workspace = true
 deno_lockfile.workspace = true
+deno_semver.workspace = true
 deno_terminal.workspace = true
 deno_tls.workspace = true
 fastwebsockets = { workspace = true, features = ["upgrade", "unstable-split"] }

tests/integration/check_tests.rs

@@ -1,6 +1,7 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
 use deno_lockfile::NewLockfileOptions;
+use deno_semver::jsr::JsrDepPackageReq;
 use test_util as util;
 use test_util::itest;
 use util::env_vars_for_npm_tests;
@@ -372,8 +373,11 @@ fn npm_module_check_then_error() {
 
   // make the specifier resolve to version 1
   lockfile.content.packages.specifiers.insert(
-    "npm:@denotest/breaking-change-between-versions".to_string(),
-    "npm:@denotest/breaking-change-between-versions@1.0.0".to_string(),
+    JsrDepPackageReq::from_str(
+      "npm:@denotest/breaking-change-between-versions",
+    )
+    .unwrap(),
+    "1.0.0".to_string(),
   );
   lockfile_path.write(lockfile.as_json_string());
   temp_dir.write(
@@ -387,8 +391,11 @@ fn npm_module_check_then_error() {
   // now update the lockfile to use version 2 instead, which should cause a
   // type checking error because the oldName no longer exists
   lockfile.content.packages.specifiers.insert(
-    "npm:@denotest/breaking-change-between-versions".to_string(),
-    "npm:@denotest/breaking-change-between-versions@2.0.0".to_string(),
+    JsrDepPackageReq::from_str(
+      "npm:@denotest/breaking-change-between-versions",
+    )
+    .unwrap(),
+    "2.0.0".to_string(),
   );
   lockfile_path.write(lockfile.as_json_string());
 

tests/integration/jsr_tests.rs

@@ -6,6 +6,8 @@ use deno_core::serde_json::json;
 use deno_core::serde_json::Value;
 use deno_lockfile::Lockfile;
 use deno_lockfile::NewLockfileOptions;
+use deno_semver::jsr::JsrDepPackageReq;
+use deno_semver::package::PackageNv;
 use test_util as util;
 use url::Url;
 use util::assert_contains;
@@ -154,8 +156,10 @@ console.log(version);"#,
     .content
     .packages
     .specifiers
-    .get_mut("jsr:@denotest/no-module-graph@0.1")
-    .unwrap() = "jsr:@denotest/no-module-graph@0.1.0".to_string();
+    .get_mut(
+      &JsrDepPackageReq::from_str("jsr:@denotest/no-module-graph@0.1").unwrap(),
+    )
+    .unwrap() = "0.1.0".to_string();
   lockfile_path.write(lockfile.as_json_string());
 
   test_context
@@ -276,9 +280,9 @@ console.log(version);"#,
     overwrite: false,
   })
   .unwrap();
-  let pkg_name = "@denotest/no-module-graph@0.1.1";
-  let original_integrity = get_lockfile_pkg_integrity(&lockfile, pkg_name);
-  set_lockfile_pkg_integrity(&mut lockfile, pkg_name, "bad_integrity");
+  let pkg_nv = "@denotest/no-module-graph@0.1.1";
+  let original_integrity = get_lockfile_pkg_integrity(&lockfile, pkg_nv);
+  set_lockfile_pkg_integrity(&mut lockfile, pkg_nv, "bad_integrity");
   lockfile_path.write(lockfile.as_json_string());
 
   let actual_integrity =
@@ -317,7 +321,7 @@ Investigate the lockfile; delete it to regenerate the lockfile or --reload to re
     .assert_exit_code(10);
 
   // now update to the correct integrity
-  set_lockfile_pkg_integrity(&mut lockfile, pkg_name, &original_integrity);
+  set_lockfile_pkg_integrity(&mut lockfile, pkg_nv, &original_integrity);
   lockfile_path.write(lockfile.as_json_string());
 
   // should pass now
@@ -329,7 +333,7 @@ Investigate the lockfile; delete it to regenerate the lockfile or --reload to re
     .assert_exit_code(0);
 
   // now update to a bad integrity again
-  set_lockfile_pkg_integrity(&mut lockfile, pkg_name, "bad_integrity");
+  set_lockfile_pkg_integrity(&mut lockfile, pkg_nv, "bad_integrity");
   lockfile_path.write(lockfile.as_json_string());
 
   // shouldn't matter because we have a vendor folder
@@ -400,12 +404,12 @@ If you modified your global cache, run again with the --reload flag to restore i
     .assert_exit_code(10);
 }
 
-fn get_lockfile_pkg_integrity(lockfile: &Lockfile, pkg_name: &str) -> String {
+fn get_lockfile_pkg_integrity(lockfile: &Lockfile, pkg_nv: &str) -> String {
   lockfile
     .content
     .packages
     .jsr
-    .get(pkg_name)
+    .get(&PackageNv::from_str(pkg_nv).unwrap())
     .unwrap()
     .integrity
     .clone()
@@ -413,14 +417,14 @@ fn get_lockfile_pkg_integrity(lockfile: &Lockfile, pkg_name: &str) -> String {
 
 fn set_lockfile_pkg_integrity(
   lockfile: &mut Lockfile,
-  pkg_name: &str,
+  pkg_nv: &str,
   integrity: &str,
 ) {
   lockfile
     .content
     .packages
     .jsr
-    .get_mut(pkg_name)
+    .get_mut(&PackageNv::from_str(pkg_nv).unwrap())
     .unwrap()
     .integrity = integrity.to_string();
 }

tests/integration/npm_tests.rs

@@ -272,13 +272,6 @@ itest!(nonexistent_file_node_modules_dir {
   exit_code: 1,
 });
 
-itest!(invalid_package_name {
-  args: "run -A --quiet npm/invalid_package_name/main.js",
-  output: "npm/invalid_package_name/main.out",
-  envs: env_vars_for_npm_tests(),
-  exit_code: 1,
-});
-
 itest!(require_json {
   args: "run -A --quiet npm/require_json/main.js",
   output: "npm/require_json/main.out",
@@ -1218,7 +1211,7 @@ fn lock_file_lock_write() {
   let lock_file_content = r#"{
   "version": "4",
   "specifiers": {
-    "npm:cowsay@1.5.0": "npm:cowsay@1.5.0"
+    "npm:cowsay@1.5.0": "1.5.0"
   },
   "npm": {
     "ansi-regex@3.0.1": {
@@ -1428,7 +1421,7 @@ fn auto_discover_lock_file() {
   let lock_file_content = r#"{
     "version": "4",
     "specifiers": {
-      "npm:@denotest/bin": "npm:@denotest/bin@1.0.0"
+      "npm:@denotest/bin": "1.0.0"
     },
     "npm": {
       "@denotest/bin@1.0.0": {

tests/integration/run_tests.rs

@@ -923,7 +923,7 @@ fn lock_redirects() {
     r#"{
   "version": "4",
   "specifiers": {
-    "npm:@denotest/esm-basic": "npm:@denotest/esm-basic@1.0.0"
+    "npm:@denotest/esm-basic@*": "1.0.0"
   },
   "npm": {
     "@denotest/esm-basic@1.0.0": {
@@ -974,8 +974,8 @@ fn lock_deno_json_package_json_deps() {
   lockfile.assert_matches_json(json!({
     "version": "4",
     "specifiers": {
-      "jsr:@denotest/module-graph@1.4": "jsr:@denotest/module-graph@1.4.0",
-      "npm:@denotest/esm-basic": "npm:@denotest/esm-basic@1.0.0"
+      "jsr:@denotest/module-graph@1.4": "1.4.0",
+      "npm:@denotest/esm-basic@*": "1.0.0"
     },
     "jsr": {
       "@denotest/module-graph@1.4.0": {
@@ -990,7 +990,7 @@ fn lock_deno_json_package_json_deps() {
     "workspace": {
       "dependencies": [
         "jsr:@denotest/module-graph@1.4",
-        "npm:@denotest/esm-basic"
+        "npm:@denotest/esm-basic@*"
       ]
     }
   }));
@@ -1022,8 +1022,8 @@ fn lock_deno_json_package_json_deps() {
   lockfile.assert_matches_json(json!({
     "version": "4",
     "specifiers": {
-      "jsr:@denotest/module-graph@1.4": "jsr:@denotest/module-graph@1.4.0",
-      "npm:@denotest/esm-basic": "npm:@denotest/esm-basic@1.0.0"
+      "jsr:@denotest/module-graph@1.4": "1.4.0",
+      "npm:@denotest/esm-basic@*": "1.0.0"
     },
     "jsr": {
       "@denotest/module-graph@1.4.0": {
@@ -1041,7 +1041,7 @@ fn lock_deno_json_package_json_deps() {
       ],
       "packageJson": {
         "dependencies": [
-          "npm:@denotest/esm-basic"
+          "npm:@denotest/esm-basic@*"
         ]
       }
     }
@@ -1059,7 +1059,7 @@ fn lock_deno_json_package_json_deps() {
   lockfile.assert_matches_json(json!({
     "version": "4",
     "specifiers": {
-      "jsr:@denotest/module-graph@1.4": "jsr:@denotest/module-graph@1.4.0",
+      "jsr:@denotest/module-graph@1.4": "1.4.0",
     },
     "jsr": {
       "@denotest/module-graph@1.4.0": {
@@ -1143,8 +1143,8 @@ fn lock_deno_json_package_json_deps_workspace() {
   lockfile.assert_matches_json(json!({
     "version": "4",
     "specifiers": {
-      "npm:@denotest/cjs-default-export@1": "npm:@denotest/cjs-default-export@1.0.0",
-      "npm:@denotest/esm-basic@1": "npm:@denotest/esm-basic@1.0.0"
+      "npm:@denotest/cjs-default-export@1": "1.0.0",
+      "npm:@denotest/esm-basic@1": "1.0.0"
     },
     "npm": {
       "@denotest/cjs-default-export@1.0.0": {
@@ -1186,8 +1186,8 @@ fn lock_deno_json_package_json_deps_workspace() {
   let expected_lockfile = json!({
     "version": "4",
     "specifiers": {
-      "npm:@denotest/cjs-default-export@1": "npm:@denotest/cjs-default-export@1.0.0",
-      "npm:@denotest/esm-basic@1": "npm:@denotest/esm-basic@1.0.0"
+      "npm:@denotest/cjs-default-export@1": "1.0.0",
+      "npm:@denotest/esm-basic@1": "1.0.0"
     },
     "npm": {
       "@denotest/cjs-default-export@1.0.0": {
@@ -3462,36 +3462,6 @@ fn package_json_with_deno_json() {
   assert_contains!(output, "Skipping top level install.");
 }
 
-#[test]
-fn package_json_error_dep_value_test() {
-  let context = TestContextBuilder::for_npm()
-    .use_copy_temp_dir("package_json/invalid_value")
-    .cwd("package_json/invalid_value")
-    .build();
-
-  // should run fine when not referencing a failing dep entry
-  context
-    .new_command()
-    .args("run ok.ts")
-    .run()
-    .assert_matches_file("package_json/invalid_value/ok.ts.out");
-
-  // should fail when referencing a failing dep entry
-  context
-    .new_command()
-    .args("run error.ts")
-    .run()
-    .assert_exit_code(1)
-    .assert_matches_file("package_json/invalid_value/error.ts.out");
-
-  // should output a warning about the failing dep entry
-  context
-    .new_command()
-    .args("task test")
-    .run()
-    .assert_matches_file("package_json/invalid_value/task.out");
-}
-
 #[test]
 fn package_json_no_node_modules_dir_created() {
   // it should not create a node_modules directory

tests/specs/install/future_install_local_deno/deno.lock.out

@@ -1,9 +1,9 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@denotest/add": "jsr:@denotest/add@1.0.0",
-    "jsr:@std/testing": "jsr:@std/testing@1.0.0",
-    "npm:@denotest/esm-basic@^1.0.0": "npm:@denotest/esm-basic@1.0.0"
+    "jsr:@denotest/add@*": "1.0.0",
+    "jsr:@std/testing@*": "1.0.0",
+    "npm:@denotest/esm-basic@1": "1.0.0"
   },
   "jsr": {
     "@denotest/add@1.0.0": {
@@ -26,9 +26,9 @@
   },
   "workspace": {
     "dependencies": [
-      "jsr:@denotest/add",
-      "jsr:@std/testing",
-      "npm:@denotest/esm-basic@^1.0.0"
+      "jsr:@denotest/add@*",
+      "jsr:@std/testing@*",
+      "npm:@denotest/esm-basic@1"
     ]
   }
 }

tests/specs/install/future_install_node_modules/deno.lock.out

@@ -1,7 +1,7 @@
 {
   "version": "4",
   "specifiers": {
-    "npm:@denotest/esm-basic": "npm:@denotest/esm-basic@1.0.0"
+    "npm:@denotest/esm-basic@*": "1.0.0"
   },
   "npm": {
     "@denotest/esm-basic@1.0.0": {
@@ -11,7 +11,7 @@
   "workspace": {
     "packageJson": {
       "dependencies": [
-        "npm:@denotest/esm-basic"
+        "npm:@denotest/esm-basic@*"
       ]
     }
   }

tests/specs/lockfile/adding_jsr_dep/lock01.out

@@ -1,7 +1,7 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0"
+    "jsr:@denotest/add@1": "1.0.0"
   },
   "jsr": {
     "@denotest/add@1.0.0": {

tests/specs/lockfile/adding_jsr_dep/lock02.out

@@ -1,8 +1,8 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0",
-    "jsr:@denotest/subtract@1": "jsr:@denotest/subtract@1.0.0"
+    "jsr:@denotest/add@1": "1.0.0",
+    "jsr:@denotest/subtract@1": "1.0.0"
   },
   "jsr": {
     "@denotest/add@1.0.0": {

tests/specs/lockfile/adding_jsr_export_new_dep/lock01.out

@@ -1,8 +1,8 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0",
-    "jsr:@denotest/different-deps-per-export@1": "jsr:@denotest/different-deps-per-export@1.0.0"
+    "jsr:@denotest/add@1": "1.0.0",
+    "jsr:@denotest/different-deps-per-export@1": "1.0.0"
   },
   "jsr": {
     "@denotest/add@1.0.0": {

tests/specs/lockfile/adding_jsr_export_new_dep/lock02.out

@@ -1,9 +1,9 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0",
-    "jsr:@denotest/different-deps-per-export@1": "jsr:@denotest/different-deps-per-export@1.0.0",
-    "jsr:@denotest/subtract@1": "jsr:@denotest/subtract@1.0.0"
+    "jsr:@denotest/add@1": "1.0.0",
+    "jsr:@denotest/different-deps-per-export@1": "1.0.0",
+    "jsr:@denotest/subtract@1": "1.0.0"
   },
   "jsr": {
     "@denotest/add@1.0.0": {

tests/specs/lockfile/adding_npm_dep/lock01.out

@@ -1,7 +1,7 @@
 {
   "version": "4",
   "specifiers": {
-    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
+    "npm:@denotest/add@1": "1.0.0"
   },
   "npm": {
     "@denotest/add@1.0.0": {

tests/specs/lockfile/adding_npm_dep/lock02.out

@@ -1,8 +1,8 @@
 {
   "version": "4",
   "specifiers": {
-    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0",
-    "npm:@denotest/subtract@1": "npm:@denotest/subtract@1.0.0"
+    "npm:@denotest/add@1": "1.0.0",
+    "npm:@denotest/subtract@1": "1.0.0"
   },
   "npm": {
     "@denotest/add@1.0.0": {

tests/specs/lockfile/frozen_lockfile/frozen_new_dep_cache.out

@@ -1,8 +1,8 @@
 error: The lockfile is out of date. Run `deno cache --frozen=false` or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
- 4 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0",
- 5 | +    "npm:@denotest/subtract@1": "npm:@denotest/subtract@1.0.0"
+ 4 | -    "npm:@denotest/add@1": "1.0.0"
+ 4 | +    "npm:@denotest/add@1": "1.0.0",
+ 5 | +    "npm:@denotest/subtract@1": "1.0.0"
  9 | -    }
 10 | +    },
 11 | +    "@denotest/subtract@1.0.0": {

tests/specs/lockfile/frozen_lockfile/frozen_new_dep_dynamic_jsr.out

@@ -3,9 +3,9 @@ Download http://127.0.0.1:4250/@denotest/add/1.0.0_meta.json
 Download http://127.0.0.1:4250/@denotest/add/1.0.0/mod.ts
 error: Uncaught (in promise) TypeError: The lockfile is out of date. Run `deno cache --frozen=false` or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
- 4 | +    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0",
- 5 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
+ 4 | -    "npm:@denotest/add@1": "1.0.0"
+ 4 | +    "jsr:@denotest/add@1": "1.0.0",
+ 5 | +    "npm:@denotest/add@1": "1.0.0"
  6 | +  },
  7 | +  "jsr": {
  8 | +    "@denotest/add@1.0.0": {

tests/specs/lockfile/frozen_lockfile/frozen_new_dep_dynamic_npm.out

@@ -1,9 +1,9 @@
 Download http://localhost:4260/@denotest/subtract
 error: Uncaught (in promise) TypeError: The lockfile is out of date. Run `deno cache --frozen=false` or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
- 4 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0",
- 5 | +    "npm:@denotest/subtract@1": "npm:@denotest/subtract@1.0.0"
+ 4 | -    "npm:@denotest/add@1": "1.0.0"
+ 4 | +    "npm:@denotest/add@1": "1.0.0",
+ 5 | +    "npm:@denotest/subtract@1": "1.0.0"
  9 | -    }
 10 | +    },
 11 | +    "@denotest/subtract@1.0.0": {

tests/specs/lockfile/frozen_lockfile/frozen_new_dep_jsr_cache.out

@@ -1,10 +1,10 @@
 error: The lockfile is out of date. Run `deno cache --frozen=false` or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0"
+ 4 | -    "jsr:@denotest/add@1": "1.0.0"
  5 | -  },
  6 | -  "jsr": {
- 4 | +    "jsr:@denotest/add@0.2.0": "jsr:@denotest/add@0.2.0",
- 5 | +    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0"
+ 4 | +    "jsr:@denotest/add@0.2.0": "0.2.0",
+ 5 | +    "jsr:@denotest/add@1": "1.0.0"
  6 | +  },
  7 | +  "jsr": {
  8 | +    "@denotest/add@0.2.0": {

tests/specs/lockfile/frozen_lockfile/frozen_new_dep_jsr_run.out

@@ -2,11 +2,11 @@ Download http://127.0.0.1:4250/@denotest/add/0.2.0_meta.json
 Download http://127.0.0.1:4250/@denotest/add/0.2.0/mod.ts
 error: The lockfile is out of date. Run `deno cache --frozen=false` or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0"
+ 4 | -    "jsr:@denotest/add@1": "1.0.0"
  5 | -  },
  6 | -  "jsr": {
- 4 | +    "jsr:@denotest/add@0.2.0": "jsr:@denotest/add@0.2.0",
- 5 | +    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0"
+ 4 | +    "jsr:@denotest/add@0.2.0": "0.2.0",
+ 5 | +    "jsr:@denotest/add@1": "1.0.0"
  6 | +  },
  7 | +  "jsr": {
  8 | +    "@denotest/add@0.2.0": {

tests/specs/lockfile/frozen_lockfile/frozen_new_dep_run.out

@@ -1,9 +1,9 @@
 Download http://localhost:4260/@denotest/subtract
 error: The lockfile is out of date. Run `deno cache --frozen=false` or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
- 4 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0",
- 5 | +    "npm:@denotest/subtract@1": "npm:@denotest/subtract@1.0.0"
+ 4 | -    "npm:@denotest/add@1": "1.0.0"
+ 4 | +    "npm:@denotest/add@1": "1.0.0",
+ 5 | +    "npm:@denotest/subtract@1": "1.0.0"
  9 | -    }
 10 | +    },
 11 | +    "@denotest/subtract@1.0.0": {

tests/specs/lockfile/frozen_lockfile/frozen_package_json_changed.out

@@ -1,9 +1,9 @@
 Download http://localhost:4260/@denotest/bin
 error: The lockfile is out of date. Run `deno cache --frozen=false`, `deno install --frozen=false`, or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
- 4 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0",
- 5 | +    "npm:@denotest/bin@0.7.0": "npm:@denotest/bin@0.7.0"
+ 4 | -    "npm:@denotest/add@1": "1.0.0"
+ 4 | +    "npm:@denotest/add@1": "1.0.0",
+ 5 | +    "npm:@denotest/bin@0.7.0": "0.7.0"
  9 | -    }
 10 | +    },
 11 | +    "@denotest/bin@0.7.0": {

tests/specs/lockfile/frozen_lockfile/frozen_package_json_changed_install.out

@@ -1,8 +1,8 @@
 error: The lockfile is out of date. Run `deno cache --frozen=false`, `deno install --frozen=false`, or rerun with `--frozen=false` to update it.
 changes:
- 4 | -    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
- 4 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0",
- 5 | +    "npm:@denotest/bin@0.7.0": "npm:@denotest/bin@0.7.0"
+ 4 | -    "npm:@denotest/add@1": "1.0.0"
+ 4 | +    "npm:@denotest/add@1": "1.0.0",
+ 5 | +    "npm:@denotest/bin@0.7.0": "0.7.0"
  9 | -    }
 10 | +    },
 11 | +    "@denotest/bin@0.7.0": {

tests/specs/lockfile/frozen_lockfile/no_lockfile_run.out

@@ -5,7 +5,7 @@ changes:
  1 | +{
  2 | +  "version": "4",
  3 | +  "specifiers": {
- 4 | +    "npm:@denotest/add@1": "npm:@denotest/add@1.0.0"
+ 4 | +    "npm:@denotest/add@1": "1.0.0"
  5 | +  },
  6 | +  "npm": {
  7 | +    "@denotest/add@1.0.0": {

tests/specs/lockfile/only_package_json/deno.lock.out

@@ -1,7 +1,7 @@
 {
   "version": "4",
   "specifiers": {
-    "npm:@denotest/esm-basic": "npm:@denotest/esm-basic@1.0.0"
+    "npm:@denotest/esm-basic@*": "1.0.0"
   },
   "npm": {
     "@denotest/esm-basic@1.0.0": [WILDCARD]
@@ -9,7 +9,7 @@
   "workspace": {
     "packageJson": {
       "dependencies": [
-        "npm:@denotest/esm-basic"
+        "npm:@denotest/esm-basic@*"
       ]
     }
   }

tests/specs/npm/adding_npm_dep_in_dynamic_import/lock.out

@@ -1,8 +1,8 @@
 {
   "version": "4",
   "specifiers": {
-    "npm:@denotest/add": "npm:@denotest/add@1.0.0",
-    "npm:@denotest/subtract": "npm:@denotest/subtract@1.0.0"
+    "npm:@denotest/add@*": "1.0.0",
+    "npm:@denotest/subtract@*": "1.0.0"
   },
   "npm": {
     "@denotest/add@1.0.0": {

tests/specs/npm/dynamic_npm_resolution_failure/main.out

@@ -5,8 +5,8 @@ Download http://localhost:4260/@denotest/dep-cannot-parse
 Download http://localhost:4260/chalk/chalk-5.0.1.tgz
 Hi
 TypeError: Error in @denotest/dep-cannot-parse@1.0.0 parsing version requirement for dependency: @denotest/esm-basic@unknown-scheme:unknown
-
-Invalid npm version requirement. Unexpected character.
+    0: Invalid version requirement
+    1: Unexpected character.
          unknown-scheme:unknown
          ~
     at async file:///[WILDLINE]main.ts:5:3 {

tests/specs/npm/invalid_package_name/__test__.jsonc

@@ -0,0 +1,5 @@
+{
+  "args": "run -A main.js",
+  "output": "main.out",
+  "exitCode": 1
+}

tests/specs/npm/invalid_package_name/main.out

@@ -0,0 +1,3 @@
+error: Invalid package specifier 'npm:@foo'
+    0: Did not contain a valid package name
+    at [WILDCARD]/invalid_package_name/main.js:1:22

tests/specs/remove/basic/add_lock.out

@@ -1,8 +1,8 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@std/assert@^1.0.0": "jsr:@std/assert@1.0.0",
-    "jsr:@std/http@^1.0.0": "jsr:@std/http@1.0.0"
+    "jsr:@std/assert@1": "1.0.0",
+    "jsr:@std/http@1": "1.0.0"
   },
   "jsr": {
     "@std/assert@1.0.0": {
@@ -14,8 +14,8 @@
   },
   "workspace": {
     "dependencies": [
-      "jsr:@std/assert@^1.0.0",
-      "jsr:@std/http@^1.0.0"
+      "jsr:@std/assert@1",
+      "jsr:@std/http@1"
     ]
   }
 }

tests/specs/run/package_json/invalid_value/__test__.jsonc

@@ -0,0 +1,21 @@
+{
+  "tempDir": true,
+  "tests": {
+    // should run fine when not referencing a failing dep entry
+    "run_ok": {
+      "args": "run ok.ts",
+      "output": "ok.ts.out"
+    },
+    // should fail when referencing a failing dep entry
+    "run_error": {
+      "args": "run error.ts",
+      "exitCode": 1,
+      "output": "error.ts.out"
+    },
+    // should output a warning about the failing dep entry
+    "task_test": {
+      "args": "task test",
+      "output": "task.out"
+    }
+  }
+}

tests/specs/run/package_json/invalid_value/error.ts.out

@@ -0,0 +1,5 @@
+error: Invalid version requirement
+    0: Unexpected character.
+         invalid stuff that won't parse
+         ~
+    at file:///[WILDCARD]/error.ts:2:23

tests/specs/run/package_json/invalid_value/task.out

@@ -0,0 +1,5 @@
+Download http://localhost:4260/@denotest/esm-basic
+Download http://localhost:4260/@denotest/esm-basic/1.0.0.tgz
+Initialize @denotest/esm-basic@1.0.0
+Task test echo 1
+1

tests/specs/workspaces/lockfile/expected-lock.out

@@ -1,7 +1,7 @@
 {
   "version": "4",
   "specifiers": {
-    "jsr:@denotest/add@1": "jsr:@denotest/add@1.0.0"
+    "jsr:@denotest/add@1": "1.0.0"
   },
   "jsr": {
     "@denotest/add@1.0.0": {

tests/testdata/npm/invalid_package_name/main.out

@@ -1,2 +0,0 @@
-error: Invalid package specifier 'npm:@foo'. Did not contain a valid package name.
-    at [WILDCARD]/invalid_package_name/main.js:1:22

tests/testdata/package_json/invalid_value/error.ts.out

@@ -1,4 +0,0 @@
-error: Invalid npm version requirement. Unexpected character.
-  invalid stuff that won't parse
-  ~
-    at file:///[WILDCARD]/error.ts:2:23

tests/testdata/package_json/invalid_value/task.out

@@ -1,2 +0,0 @@
-Task test echo 1
-1

tools/lint.js

@@ -213,7 +213,7 @@ async function ensureNoNewITests() {
     "lsp_tests.rs": 0,
     "node_compat_tests.rs": 4,
     "node_unit_tests.rs": 2,
-    "npm_tests.rs": 93,
+    "npm_tests.rs": 92,
     "pm_tests.rs": 0,
     "publish_tests.rs": 0,
     "repl_tests.rs": 0,