feat: supports clicking on dependency names to jump

[RYGRIT]

• resolves Request: turn deps into clickable links #58
• add npmx.documentLinks config, default version
  • off - Disable clickable links
  • latest - Link to package page (latest version)
  • version - Link to specific version page

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new configuration option npmx.packageLinks (string; enum: off, latest, declared, resolved; default declared) in README and package.json. Introduces and exports NpmxDocumentLinkProvider<T extends Extractor> which parses documents and returns VS Code DocumentLink objects for package names, resolving declared or resolved versions and batch-fetching package metadata when required. Registers the document link provider in the extension activation flow (src/index.ts) for each extractor pattern, gated by the npmx.packageLinks setting, and disposes providers on cleanup. No other public API signatures changed.

Possibly related PRs

• feat: version upgrade diagnostics and quick fix #36: Moves/centralises version-parsing utilities (e.g., parseVersion, isSupportedProtocol) that the new NpmxDocumentLinkProvider uses.
• refactor(code-actions): unify quick fix providers with strategy pattern #46: Changes how extractorEntries are exported/consumed and affects provider registration locations referenced by src/index.ts.
• refactor: migrate to fast-npm-meta #18: Alters package info fetching and URL helper functions (getPackageInfo, npmxPackageUrl/NPMJS URL) that the link provider depends on.

Suggested reviewers

• 9romise

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description mentions resolving #58 and adding npmx.documentLinks configuration, but the actual implementation uses npmx.packageLinks instead.	Clarify whether npmx.documentLinks or npmx.packageLinks is the correct configuration name, as the description and implementation differ.
Linked Issues check	❓ Inconclusive	The PR implements clickable links for package dependencies matching issue #58 requirements, though with config naming discrepancy between PR description and implementation.	Verify that npmx.packageLinks (used in implementation) aligns with the intended feature described in #58 and the PR description.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing clickable links for package names as specified in issue #58; no unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

README.md (1)

53-53: Consider documenting the allowed values inline.

The table entry is correct, but adding off | latest | version in the description would reduce context switching for users.

Suggested README tweak

-| `npmx.documentLinks`                | Enable clickable links for package names                                                | `string`  | `"version"`         |
+| `npmx.documentLinks`                | Enable clickable links for package names (`off`, `latest`, `version`)                  | `string`  | `"version"`         |

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between edd7278 and f4c25ee.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• README.md
• package.json
• pnpm-workspace.yaml
• src/index.ts
• src/providers/document-link/npmx.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a defensive guard before range/link creation.

For transient malformed edits, skipping entries with missing/invalid nameNode would make this provider more robust.

Defensive tweak

-      const nameRange = this.extractor.getNodeRange(document, nameNode)
-      links.push(new VscodeDocumentLink(nameRange, Uri.parse(url)))
+      if (!nameNode)
+        continue
+      const nameRange = this.extractor.getNodeRange(document, nameNode)
+      links.push(new VscodeDocumentLink(nameRange, Uri.parse(url)))

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const nameRange = this.extractor.getNodeRange(document, nameNode)
	links.push(new VscodeDocumentLink(nameRange, Uri.parse(url)))
	if (!nameNode)
	continue
	const nameRange = this.extractor.getNodeRange(document, nameNode)
	links.push(new VscodeDocumentLink(nameRange, Uri.parse(url)))

[9romise]

I'd like to something like this:

{
	"npmx.clickableLinks.enabled": true,
	"npmx.clickableLinks.versionMode": "resolved", // "declared" | "resolved" | "latest"
	"npmx.clickableLinks.target": "package" // "docs", "code".
}

documentLinks is a bit technical and not very intuitive for users, maybe we could rename it to clickableLinks?

[RYGRIT]

Thanks for the detailed suggestions! I've carefully considered the proposed configuration structure, and here's my thinking:

Regarding versionMode (declared/resolved/latest):

I agree that having a resolved option would be valuable. My initial concern was the complexity of parsing lock files (package-lock.json, pnpm-lock.yaml, yarn.lock), which have different formats and can be quite large.

However, I've been thinking about an alternative approach: reading the installed version from node_modules//package.json. This would be much simpler to implement:

// Read node_modules/<package>/package.json
// Get the actual installed version from the version field

Pros:

• No need to parse complex lock file formats
• Works for most development scenarios (when node_modules is installed)

Cons:

• Requires node_modules to be installed

What do you think of this method? Does it meet your needs for a parsed versioned pattern? If you have any ideas or better solutions, please feel free to share them!

Regarding target (package/docs/code):

I don't think we need separate docs and code targets because:

1. The package page is already comprehensive - When users click through to npmx.dev, they can access all the information they need, including links to docs and source code
2. Local access is more convenient - For installed dependencies, developers can already view the code in node_modules or use IDE shortcuts to jump to definitions
3. Low usage frequency - In practice, most users want to see package metadata (versions, dependencies, download stats), not jump directly to docs or code
4. Configuration complexity - Adding more options makes the feature harder to understand and configure

I'm open to adding this if you think there's a strong use case I'm missing.

Looking forward to your feedback!

[9romise]

Thank you for the detailed explanation.
I agree that npmx.clickableLinks.target isn't necessary.
As for versionMode, what I meant by declared is the version written in the file (e.g., package.json), which could be a range, a dist‑tag, etc. And, resolved refers to the specific version obtained after resolving via resolveExactVersion. What do you think?

[RYGRIT]

Got it. So declared refers to the raw string defined in package.json (preserving ranges like ^1.0.0 or dist-tags like latest), while resolved call getPackageInfo() + resolveExactVersion() to get the actual latest matching version (e.g., ^18.0.0 -> 18.2.0).

I fully agree with this definition and the plan to drop target. Let's proceed with this!

[RYGRIT]

@9romise What do you think of calling it packageLinks? I think one enumeration value is enough: off | latest | declared | resolved, with declared as the default.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

README.md (1)

53-53: Document the accepted npmx.packageLinks values in the README.

Line 53 is accurate but too generic. Please include the enum values (off, latest, declared, resolved) in this table row so users do not need to cross-check package.json.

src/providers/document-link/npmx.ts (1)

11-14: extractor can be immutable.

extractor is only set in the constructor, so marking it readonly would tighten the class contract and reduce accidental mutation risk.

Small tidy-up

-export class NpmxDocumentLinkProvider<T extends Extractor> implements DocumentLinkProvider {
-  extractor: T
+export class NpmxDocumentLinkProvider<T extends Extractor> implements DocumentLinkProvider {
+  readonly extractor: T

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 037a5e47-e036-4a4c-8659-3557e254a8c5

📥 Commits

Reviewing files that changed from the base of the PR and between 247c5d7 and c41c8b2.

📒 Files selected for processing (4)

• README.md
• package.json
• src/index.ts
• src/providers/document-link/npmx.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• package.json
• src/index.ts

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a62f7eb1-f0d3-44b1-963f-7202a15ab7e2

📥 Commits

Reviewing files that changed from the base of the PR and between c41c8b2 and b6e42d3.

📒 Files selected for processing (1)

• src/providers/document-link/npmx.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether npm alias syntax appears in repository package manifests
rg -nP '"[^"]+"\s*:\s*"npm:[^"]+"' -g '**/package.json' -g '!**/node_modules/**'

Repository: npmx-dev/vscode-npmx

Length of output: 113

---

🏁 Script executed:

# Get context around the relevant lines in npmx.ts
head -100 src/providers/document-link/npmx.ts | tail -50

Repository: npmx-dev/vscode-npmx

Length of output: 1864

---

🏁 Script executed:

# Look for the parseVersion function to understand protocol extraction
rg -A 10 'function parseVersion|const parseVersion' src/providers/document-link/npmx.ts

Repository: npmx-dev/vscode-npmx

Length of output: 46

---

🏁 Script executed:

# Check how the URL is actually built - look for the complete logic after parsedDeps.push
head -150 src/providers/document-link/npmx.ts | tail -100

Repository: npmx-dev/vscode-npmx

Length of output: 3639

---

🏁 Script executed:

# Find and read the version utilities
fd 'version' src/utils --type f

Repository: npmx-dev/vscode-npmx

Length of output: 84

---

🏁 Script executed:

# Search for parseVersion implementation
rg -n 'parseVersion|isSupportedProtocol' src/utils/version.ts -A 15

Repository: npmx-dev/vscode-npmx

Length of output: 842

---

🏁 Script executed:

# Get complete context of the version utility file
wc -l src/utils/version.ts && cat -n src/utils/version.ts

Repository: npmx-dev/vscode-npmx

Length of output: 2685

---

npm alias dependencies generate incorrect link targets.

When a dependency uses npm alias syntax (e.g., "nuxt": "npm:4.3.0"), the current code generates links using the alias key as the package name. The parseVersion function extracts only the protocol and version, not the target package name. This causes links to point to the wrong package.

A safe mitigation is to skip npm protocol entries until full alias parsing is implemented.

Suggested mitigation

-      if (!isSupportedProtocol(parsed.protocol))
+      if (!isSupportedProtocol(parsed.protocol) || parsed.protocol === 'npm')
         continue

Also applies to: 75–86

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Encode package/version path segments before URL generation.

Raw values in path segments can break links for scoped packages (e.g. @scope/pkg) and special version strings.

Suggested fix

-      const url = targetVersion
-        ? npmxPackageUrl(name, targetVersion)
-        : npmxPackageUrl(name)
+      const encodedName = encodeURIComponent(name)
+      const encodedVersion = targetVersion ? encodeURIComponent(targetVersion) : undefined
+      const url = encodedVersion
+        ? npmxPackageUrl(encodedName, encodedVersion)
+        : npmxPackageUrl(encodedName)

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

src/providers/document-link/npmx.ts (3)

58-67: ⚠️ Potential issue | 🟠 Major

Handle npm: alias specs before link generation.

Line 59 parses protocol, but link construction later still uses the alias key (dep.name) as the package path. For alias specs, this points to the wrong package page.

Mitigation (safe until full alias parsing is added)

-      if (!isSupportedProtocol(parsed.protocol))
+      if (!isSupportedProtocol(parsed.protocol) || parsed.protocol === 'npm')
         continue

---

90-92: ⚠️ Potential issue | 🟠 Major

Encode URL path segments before calling npmxPackageUrl.

Lines 90-92 pass raw name / targetVersion into path segments. Scoped package names and special version strings can produce invalid routes.

Suggested fix

-      const url = targetVersion
-        ? npmxPackageUrl(name, targetVersion)
-        : npmxPackageUrl(name)
+      const encodedName = encodeURIComponent(name)
+      const encodedVersion = targetVersion ? encodeURIComponent(targetVersion) : undefined
+      const url = encodedVersion
+        ? npmxPackageUrl(encodedName, encodedVersion)
+        : npmxPackageUrl(encodedName)

---

94-95: ⚠️ Potential issue | 🟡 Minor

Add a defensive nameNode guard before getNodeRange.

Line 94 assumes nameNode is always present. During transient malformed edits, this can throw and abort link generation for the whole document.

Suggested fix

-      const nameRange = this.extractor.getNodeRange(document, nameNode)
+      if (!nameNode)
+        continue
+      const nameRange = this.extractor.getNodeRange(document, nameNode)

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c8192cf9-86db-480a-900f-8dd5265b93c6

📥 Commits

Reviewing files that changed from the base of the PR and between b6e42d3 and 7cfcf4b.

📒 Files selected for processing (1)

• src/providers/document-link/npmx.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Tooltip text is incorrect in latest mode.

At Line 96, targetVersion ?? parsed.version shows the declared spec even when linkMode === 'latest', so the tooltip can claim a version that is not the link target.

Suggested fix

-      link.tooltip = `Open ${name}@${targetVersion ?? parsed.version} on npmx`
+      const tooltipVersion = linkMode === 'latest'
+        ? 'latest'
+        : (targetVersion ?? parsed.version ?? 'latest')
+      link.tooltip = `Open ${name}@${tooltipVersion} on npmx`