Add lockfile version resolution for exact version checking

Similar to shakacode/shakapacker#170, this adds support for resolving
exact package versions from lockfiles (yarn.lock and package-lock.json)
when checking version compatibility between the gem and npm package.

Key improvements:
- Adds lockfile parsing to NodePackageVersion class
- Resolves exact versions from yarn.lock (v1 format)
- Resolves exact versions from package-lock.json (v1, v2, v3 formats)
- Falls back to package.json version if lockfiles are unavailable
- Prefers yarn.lock over package-lock.json when both exist
- Supports both react-on-rails and react-on-rails-pro packages

This enhancement improves version constraint checking by using the
exact resolved version from lockfiles instead of semver ranges in
package.json, making version mismatch detection more accurate.

Test coverage includes:
- Yarn.lock v1 parsing
- Package-lock.json v1 and v2 format parsing
- Pro package version resolution
- Lockfile preference order
- Fallback to package.json when no lockfile exists

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: justin808

lib/react_on_rails/version_checker.rb

@@ -213,18 +213,28 @@ def package_json_location
     end
 
     class NodePackageVersion
-      attr_reader :package_json
+      attr_reader :package_json, :yarn_lock, :package_lock
 
       def self.build
-        new(package_json_path)
+        new(package_json_path, yarn_lock_path, package_lock_path)
       end
 
       def self.package_json_path
         Rails.root.join(ReactOnRails.configuration.node_modules_location, "package.json")
       end
 
-      def initialize(package_json)
+      def self.yarn_lock_path
+        Rails.root.join(ReactOnRails.configuration.node_modules_location, "..", "yarn.lock")
+      end
+
+      def self.package_lock_path
+        Rails.root.join(ReactOnRails.configuration.node_modules_location, "..", "package-lock.json")
+      end
+
+      def initialize(package_json, yarn_lock = nil, package_lock = nil)
         @package_json = package_json
+        @yarn_lock = yarn_lock
+        @package_lock = package_lock
       end
 
       def raw
@@ -238,10 +248,16 @@ def raw
         deps = parsed["dependencies"]
 
         # Check for react-on-rails-pro first (Pro takes precedence)
-        return @raw = deps["react-on-rails-pro"] if deps.key?("react-on-rails-pro")
+        if deps.key?("react-on-rails-pro")
+          @raw = resolve_version(deps["react-on-rails-pro"], "react-on-rails-pro")
+          return @raw
+        end
 
         # Fall back to react-on-rails
-        return @raw = deps["react-on-rails"] if deps.key?("react-on-rails")
+        if deps.key?("react-on-rails")
+          @raw = resolve_version(deps["react-on-rails"], "react-on-rails")
+          return @raw
+        end
 
         # Neither package found
         msg = "No 'react-on-rails' or 'react-on-rails-pro' entry in the dependencies of " \
@@ -314,6 +330,85 @@ def parts
 
       private
 
+      # Resolve version from lockfiles if available, otherwise use package.json version
+      def resolve_version(package_json_version, package_name)
+        # Try yarn.lock first
+        if yarn_lock && File.exist?(yarn_lock)
+          lockfile_version = version_from_yarn_lock(package_name)
+          return lockfile_version if lockfile_version
+        end
+
+        # Try package-lock.json
+        if package_lock && File.exist?(package_lock)
+          lockfile_version = version_from_package_lock(package_name)
+          return lockfile_version if lockfile_version
+        end
+
+        # Fall back to package.json version
+        package_json_version
+      end
+
+      # Parse version from yarn.lock
+      # Looks for entries like:
+      #   react-on-rails@^16.1.1:
+      #     version "16.1.1"
+      # rubocop:disable Metrics/CyclomaticComplexity
+      def version_from_yarn_lock(package_name)
+        return nil unless yarn_lock && File.exist?(yarn_lock)
+
+        in_package_block = false
+        File.foreach(yarn_lock) do |line|
+          # Check if we're starting the block for our package
+          if line.match?(/^"?#{Regexp.escape(package_name)}@/)
+            in_package_block = true
+            next
+          end
+
+          # If we're in the package block, look for the version line
+          if in_package_block
+            # Version line looks like:  version "16.1.1"
+            if (match = line.match(/^\s+version\s+"([^"]+)"/))
+              return match[1]
+            end
+
+            # If we hit a blank line or new package, we've left the block
+            break if line.strip.empty? || (line[0] != " " && line[0] != "\t")
+          end
+        end
+
+        nil
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      # Parse version from package-lock.json
+      # Supports both v1 (dependencies) and v2/v3 (packages) formats
+      # rubocop:disable Metrics/CyclomaticComplexity
+      def version_from_package_lock(package_name)
+        return nil unless package_lock && File.exist?(package_lock)
+
+        begin
+          parsed = JSON.parse(File.read(package_lock))
+
+          # Try v2/v3 format first (packages)
+          if parsed["packages"]
+            # Look for node_modules/package-name entry
+            node_modules_key = "node_modules/#{package_name}"
+            return parsed["packages"][node_modules_key]["version"] if parsed["packages"][node_modules_key]
+          end
+
+          # Fall back to v1 format (dependencies)
+          if parsed["dependencies"] && parsed["dependencies"][package_name]
+            return parsed["dependencies"][package_name]["version"]
+          end
+        rescue JSON::ParserError
+          # If we can't parse the lockfile, fall back to package.json version
+          nil
+        end
+
+        nil
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity
+
       def package_installed?(package_name)
         return false unless File.exist?(package_json)
 

spec/react_on_rails/fixtures/pro_semver_caret_package-lock.json

@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+react-on-rails-pro@^16.1.1:
+  version "16.1.1"
+  resolved "https://registry.yarnpkg.com/react-on-rails-pro/-/react-on-rails-pro-16.1.1.tgz"
+  integrity sha512-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz=

spec/react_on_rails/fixtures/pro_semver_caret_yarn.lock

@@ -0,0 +1,18 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+babel@^6.3.26:
+  version "6.23.0"
+  resolved "https://registry.yarnpkg.com/babel/-/babel-6.23.0.tgz"
+  integrity sha1-0NHn2APpdHZb7qMjLU4VPA77kPQ=
+
+react-on-rails@^1.2.3:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/react-on-rails/-/react-on-rails-1.2.3.tgz"
+  integrity sha512-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz=
+
+webpack@^1.12.8:
+  version "1.15.0"
+  resolved "https://registry.yarnpkg.com/webpack/-/webpack-1.15.0.tgz"
+  integrity sha1-v4SbvGJWkYqkKVBKjNJlJQQNqZg=

spec/react_on_rails/fixtures/semver_caret_package-lock.json

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "react-on-rails": "16.1.1"
+  }
+}

spec/react_on_rails/fixtures/semver_caret_yarn.lock

@@ -0,0 +1,8 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+[email protected]:
+  version "16.1.1"
+  resolved "https://registry.yarnpkg.com/react-on-rails/-/react-on-rails-16.1.1.tgz"
+  integrity sha512-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz=

spec/react_on_rails/fixtures/semver_exact_package-lock.json

@@ -428,6 +428,92 @@ def check_version_and_raise(node_package_version)
         end
       end
 
+      describe "Lockfile version resolution" do
+        context "with semver caret in package.json and yarn.lock" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:yarn_lock) { File.expand_path("fixtures/semver_caret_yarn.lock", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, yarn_lock, nil) }
+
+          describe "#raw" do
+            it "returns exact version from yarn.lock instead of semver range" do
+              expect(node_package_version.raw).to eq("1.2.3")
+            end
+          end
+        end
+
+        context "with semver caret in package.json and package-lock.json" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:package_lock) { File.expand_path("fixtures/semver_caret_package-lock.json", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, nil, package_lock) }
+
+          describe "#raw" do
+            it "returns exact version from package-lock.json instead of semver range" do
+              expect(node_package_version.raw).to eq("1.2.3")
+            end
+          end
+        end
+
+        context "with pro package semver caret and yarn.lock" do
+          let(:package_json) { File.expand_path("fixtures/pro_semver_caret_package.json", __dir__) }
+          let(:yarn_lock) { File.expand_path("fixtures/pro_semver_caret_yarn.lock", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, yarn_lock, nil) }
+
+          describe "#raw" do
+            it "returns exact version from yarn.lock for pro package" do
+              expect(node_package_version.raw).to eq("16.1.1")
+            end
+          end
+        end
+
+        context "with pro package semver caret and package-lock.json" do
+          let(:package_json) { File.expand_path("fixtures/pro_semver_caret_package.json", __dir__) }
+          let(:package_lock) { File.expand_path("fixtures/pro_semver_caret_package-lock.json", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, nil, package_lock) }
+
+          describe "#raw" do
+            it "returns exact version from package-lock.json for pro package" do
+              expect(node_package_version.raw).to eq("16.1.1")
+            end
+          end
+        end
+
+        context "with exact version and yarn.lock" do
+          let(:package_json) { File.expand_path("fixtures/semver_exact_package.json", __dir__) }
+          let(:yarn_lock) { File.expand_path("fixtures/semver_exact_yarn.lock", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, yarn_lock, nil) }
+
+          describe "#raw" do
+            it "returns exact version from yarn.lock matching package.json" do
+              expect(node_package_version.raw).to eq("16.1.1")
+            end
+          end
+        end
+
+        context "with semver caret but no lockfile" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, nil, nil) }
+
+          describe "#raw" do
+            it "falls back to package.json version when no lockfile exists" do
+              expect(node_package_version.raw).to eq("^1.2.3")
+            end
+          end
+        end
+
+        context "when both yarn.lock and package-lock.json exist" do
+          let(:package_json) { File.expand_path("fixtures/semver_caret_package.json", __dir__) }
+          let(:yarn_lock) { File.expand_path("fixtures/semver_caret_yarn.lock", __dir__) }
+          let(:package_lock) { File.expand_path("fixtures/semver_caret_package-lock.json", __dir__) }
+          let(:node_package_version) { described_class.new(package_json, yarn_lock, package_lock) }
+
+          describe "#raw" do
+            it "prefers yarn.lock over package-lock.json" do
+              expect(node_package_version.raw).to eq("1.2.3")
+            end
+          end
+        end
+      end
+
       describe "Pro package detection" do
         context "with react-on-rails package" do
           let(:package_json) { File.expand_path("fixtures/normal_package.json", __dir__) }