fix: show and link aliased deps correctly

[Flo0806]

🔗 Linked issue

Fixes: #2010

🧭 Context

Aliased dependencies got wrong name, link and version.

📚 Description

isNonSemverConstraint was ignoring npm: in given constraint. Now we check explicitly to npm: as a alias and show it correclty in the sidebar, including outdated and vulns tooltips e.g.

Before:

Now:

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Mar 22, 2026 10:01am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Mar 22, 2026 10:01am
npmx-lunaria	Ignored		Mar 22, 2026 10:01am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f49ef98f-c030-4293-aa2f-f89734b685b6

📥 Commits

Reviewing files that changed from the base of the PR and between 74cc718 and cfc3b62.

📒 Files selected for processing (2)

• app/composables/npm/useReplacementDependencies.ts
• app/utils/npm/outdated-dependencies.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• app/utils/npm/outdated-dependencies.ts

---

📝 Walkthrough

Walkthrough

This PR adds parsing and resolution for npm alias dependency syntax across dependency-related code. A new exported parseDepValue(value) function classifies dependency strings into aliased npm forms, non-semver references, or semver ranges and returns a resolved name and range. The Dependencies component, outdated-dependencies and replacement composables now use the resolved package name and range for routing, vulnerability/deprecation/replacement lookups and UI displays while preserving original dependency keys for result storage. Non-semver constraints are filtered out from semver-based lookups.

Possibly related PRs

• feat: show replaceable dependencies #1468: Touches the same replacement-feature code paths and per-dependency UI helpers, introducing replacement lookup flow and a replacements composable that this change adapts to handle resolved npm alias names.

Suggested reviewers

• ghostdevv

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description clearly relates to the changeset, explaining the bug with aliased dependencies and the fix applied.
Linked Issues check	✅ Passed	The pull request implementation correctly addresses all coding requirements from issue #2010: resolving npm alias syntax, displaying resolved package names/versions, and fixing routing to target the aliased package rather than the alias name.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing aliased dependency handling across components and utilities; no extraneous modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

app/components/Package/Dependencies.vue (1)

163-217: Consider computing resolved values once per dependency item.

Within each <li> iteration, depName(dep, version) is called up to 14 times and getVulnerableDepInfo(...) up to 6 times. Each invocation re-parses the value and re-searches the array respectively.

For most package lists this won't be noticeable, but if you'd like to tidy it up:

♻️ Optional: extract a computed list with pre-resolved values

const resolvedDependencies = computed(() =>
  sortedDependencies.value.map(([key, value]) => {
    const realName = depName(key, value)
    return {
      key,
      value,
      realName,
      range: depRange(value),
      vulnInfo: getVulnerableDepInfo(realName),
      deprecatedInfo: getDeprecatedDepInfo(realName),
    }
  })
)

Then iterate over resolvedDependencies in the template, accessing pre-computed properties.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f671524c-1347-4a26-b64d-495f5696082e

📥 Commits

Reviewing files that changed from the base of the PR and between 7f2fc1a and 74cc718.

📒 Files selected for processing (3)

• app/components/Package/Dependencies.vue
• app/composables/npm/useOutdatedDependencies.ts
• app/utils/npm/outdated-dependencies.ts

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 16 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
app/utils/npm/outdated-dependencies.ts	31.25%	8 Missing and 3 partials ⚠️
app/components/Package/Dependencies.vue	78.94%	4 Missing ⚠️
app/composables/npm/useOutdatedDependencies.ts	90.90%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!