Parse resolve output into normalized JSON with PURLs

andrew · andrew · commit c3e7eab8b82f · 2026-02-16T10:46:46.000Z
Adds github.com/git-pkgs/resolve to parse raw package manager output
into a structured dependency graph. The resolve command now outputs
JSON with manager, ecosystem, and dependency tree including PURLs.
Use --raw for the previous behavior of printing unparsed output.
diff --git a/README.md b/README.md
@@ -272,7 +272,7 @@ git pkgs update lodash        # update specific package
 git pkgs resolve              # print dependency graph
 ```
 
-The `resolve` command prints raw dependency graph output from the package manager. Some managers produce JSON (npm, cargo, pip), others produce text trees (go, maven, poetry). Status lines go to stderr so stdout is clean for piping.
+The `resolve` command runs the package manager's dependency graph command, parses the output into a normalized JSON structure with [PURLs](https://github.com/package-url/purl-spec), and prints the result. Use `--raw` to get the unparsed manager output instead.
 
 Supports 35 package managers including npm, pnpm, yarn, bun, deno, bundler, gem, cargo, go, pip, uv, poetry, conda, composer, mix, rebar3, pub, cocoapods, swift, nuget, maven, gradle, sbt, cabal, stack, opam, luarocks, nimble, shards, cpanm, lein, vcpkg, conan, helm, and brew. The package manager is detected from lockfiles in the current directory.
 
diff --git a/cmd/resolve.go b/cmd/resolve.go
@@ -1,11 +1,15 @@
 package cmd
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"time"
 
 	"github.com/git-pkgs/managers"
+	"github.com/git-pkgs/resolve"
+	_ "github.com/git-pkgs/resolve/parsers"
 	"github.com/spf13/cobra"
 )
 
@@ -14,24 +18,26 @@ const defaultResolveTimeout = 5 * time.Minute
 func addResolveCmd(parent *cobra.Command) {
 	resolveCmd := &cobra.Command{
 		Use:   "resolve",
-		Short: "Print dependency graph from the local package manager",
-		Long: `Run the detected package manager's dependency graph command and print
-the raw output. The output format depends on the manager: some produce
-JSON (npm, cargo, pip), others produce text trees (go, maven, poetry).
+		Short: "Print parsed dependency graph from the local package manager",
+		Long: `Run the detected package manager's dependency graph command, parse
+the output into a normalized dependency list with PURLs, and print
+the result as JSON.
 
 Assumes dependencies are already installed. Run 'git-pkgs install' first
 if needed.
 
 Examples:
   git-pkgs resolve              # resolve dependencies
   git-pkgs resolve -e go        # only resolve Go ecosystem
-  git-pkgs resolve -m cargo     # force cargo`,
+  git-pkgs resolve -m cargo     # force cargo
+  git-pkgs resolve --raw        # print raw manager output`,
 		RunE: runResolve,
 	}
 
 	resolveCmd.Flags().StringP("manager", "m", "", "Override detected package manager (takes precedence over -e)")
 	resolveCmd.Flags().StringP("ecosystem", "e", "", "Filter to specific ecosystem")
 	resolveCmd.Flags().Bool("dry-run", false, "Show what would be run without executing")
+	resolveCmd.Flags().Bool("raw", false, "Print raw manager output instead of parsed JSON")
 	resolveCmd.Flags().StringArrayP("extra", "x", nil, "Extra arguments to pass to package manager")
 	resolveCmd.Flags().DurationP("timeout", "t", defaultResolveTimeout, "Timeout for resolve operation")
 	parent.AddCommand(resolveCmd)
@@ -41,6 +47,7 @@ func runResolve(cmd *cobra.Command, args []string) error {
 	managerOverride, _ := cmd.Flags().GetString("manager")
 	ecosystem, _ := cmd.Flags().GetString("ecosystem")
 	dryRun, _ := cmd.Flags().GetBool("dry-run")
+	raw, _ := cmd.Flags().GetBool("raw")
 	quiet, _ := cmd.Flags().GetBool("quiet")
 	extra, _ := cmd.Flags().GetStringArray("extra")
 	timeout, _ := cmd.Flags().GetDuration("timeout")
@@ -107,9 +114,28 @@ func runResolve(cmd *cobra.Command, args []string) error {
 			}
 		}
 
-		if err := RunManagerCommands(ctx, dir, mgr.Name, "resolve", input, cmd.OutOrStdout(), cmd.ErrOrStderr()); err != nil {
+		if raw {
+			if err := RunManagerCommands(ctx, dir, mgr.Name, "resolve", input, cmd.OutOrStdout(), cmd.ErrOrStderr()); err != nil {
+				return fmt.Errorf("%s resolve failed: %w", mgr.Name, err)
+			}
+			continue
+		}
+
+		var stdout bytes.Buffer
+		if err := RunManagerCommands(ctx, dir, mgr.Name, "resolve", input, &stdout, cmd.ErrOrStderr()); err != nil {
 			return fmt.Errorf("%s resolve failed: %w", mgr.Name, err)
 		}
+
+		result, err := resolve.Parse(mgr.Name, stdout.Bytes())
+		if err != nil {
+			return fmt.Errorf("%s: %w", mgr.Name, err)
+		}
+
+		enc := json.NewEncoder(cmd.OutOrStdout())
+		enc.SetIndent("", "  ")
+		if err := enc.Encode(result); err != nil {
+			return fmt.Errorf("encoding result: %w", err)
+		}
 	}
 
 	return nil
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/git-pkgs/git-pkgs
 
-go 1.25.6
+go 1.25.7
 
 require (
 	github.com/git-pkgs/enrichment v0.1.4
@@ -9,6 +9,7 @@ require (
 	github.com/git-pkgs/manifests v0.3.7
 	github.com/git-pkgs/purl v0.1.8
 	github.com/git-pkgs/registries v0.2.6
+	github.com/git-pkgs/resolve v0.1.0
 	github.com/git-pkgs/spdx v0.1.0
 	github.com/git-pkgs/vers v0.2.2
 	github.com/git-pkgs/vulns v0.1.3
diff --git a/go.sum b/go.sum
@@ -49,6 +49,8 @@ github.com/git-pkgs/purl v0.1.8 h1:iyjEHM2WIZUL9A3+q9ylrabqILsN4nOay9X6jfEjmzQ=
 github.com/git-pkgs/purl v0.1.8/go.mod h1:ihlHw3bnSLXat+9Nl9MsJZBYiG7s3NkwmvE3L/Es/sI=
 github.com/git-pkgs/registries v0.2.6 h1:hXPQ47mOzrgtZleOimydwpQjj/NJkU9P/4sTa0n6wTI=
 github.com/git-pkgs/registries v0.2.6/go.mod h1:54jwF9erSjyxE4qT7gmU9HebETrYiNPke7JCgzHbtDc=
+github.com/git-pkgs/resolve v0.1.0 h1:3L8YUj2ggpnCqAm2r8aEtt3MOlT40NUjQaQhcwd0ci4=
+github.com/git-pkgs/resolve v0.1.0/go.mod h1:So7rkvjSgz3qbFKcgQ8KQ2Tc8z3D8gmVlyvB5fG+UQM=
 github.com/git-pkgs/spdx v0.1.0 h1:kBcB2iIc3A8qSAU/MtqywKslEo+FRct2daFLX+pwZdU=
 github.com/git-pkgs/spdx v0.1.0/go.mod h1:Cmpseu5vIhDPnpFXhTVBCJhjZUW3ILck/zhycHHKcXA=
 github.com/git-pkgs/vers v0.2.2 h1:42QkiIURhGN2wM8AuYYU+FbzS1YV6jmdGd1RiFp7gXs=
