Skip old dep stats deps that are replaced with higher versions

Author: jdalton

.config/rollup.dist.config.mjs

@@ -1,6 +1,7 @@
 import { existsSync, mkdirSync, rmSync, writeFileSync } from 'node:fs'
 import path from 'node:path'
 
+import semver from 'semver'
 import { globSync as tinyGlobSync } from 'tinyglobby'
 
 import { toSortedObject } from '@socketsecurity/registry/lib/objects'
@@ -22,6 +23,8 @@ import {
 
 const {
   BABEL_RUNTIME,
+  CYCLONEDX_CDXGEN,
+  SYNP,
   ROLLUP_EXTERNAL_SUFFIX,
   depStatsPath,
   rootDistPath,
@@ -52,13 +55,20 @@ function updateDepStatsSync(depStats) {
   const oldDepStats = existsSync(depStatsPath)
     ? readJsonSync(depStatsPath)
     : undefined
+  const oldDeps = oldDepStats?.dependencies
   Object.assign(depStats.dependencies, {
     // Manually add @cyclonedx/cdxgen and synp as they are not directly
     // referenced in the code but used through spawned processes.
-    '@cyclonedx/cdxgen': pkgJson.dependencies['@cyclonedx/cdxgen'],
-    synp: pkgJson.dependencies.synp,
-    // Assign old dep stats dependencies to preserve them.
-    ...oldDepStats?.dependencies
+    [CYCLONEDX_CDXGEN]: pkgJson.dependencies[CYCLONEDX_CDXGEN],
+    [SYNP]: pkgJson.dependencies[SYNP],
+    ...Object.fromEntries(
+      // Assign old dep stats dependencies to preserve them.
+      Object.entries(oldDeps ?? {}).filter(({ 0: key, 1: oldSpec }) => {
+        // Skip old deps that are replaced with higher versions.
+        const s = depStats.dependencies[key]
+        return !s || semver.gt(semver.coerce(oldSpec), semver.coerce(s))
+      })
+    )
   })
   // Remove transitives from dependencies.
   for (const key of Object.keys(oldDepStats?.transitives ?? {})) {