feat: display dependency paths when showing duplicates

This shows the path to each version of a duplicate package.

Author: 43081j

package-lock.json

@@ -44,7 +44,7 @@
     "@types/node": "^24.9.0",
     "esbuild": "^0.25.11",
     "eslint": "^9.38.0",
-    "lockparse": "^0.3.0",
+    "lockparse": "^0.4.0",
     "module-replacements": "^2.9.0",
     "pkg-types": "^2.3.0",
     "prettier": "^3.6.2",

package.json

@@ -1,3 +1,5 @@
+import {type ParsedLockFile, traverse, type ParsedDependency} from 'lockparse';
+
 function getLsCommand(
   lockfilePath: string,
   packageName: string
@@ -17,20 +19,104 @@ function getLsCommand(
   return undefined;
 }
 
+function getParentPath(
+  node: ParsedDependency,
+  parentMap: WeakMap<ParsedDependency, ParsedDependency> | undefined
+): string[] {
+  const parentPath: string[] = [];
+  if (!parentMap) {
+    return parentPath;
+  }
+  let currentParent = parentMap.get(node);
+  while (currentParent) {
+    parentPath.push(`${currentParent.name}@${currentParent.version}`);
+    currentParent = parentMap.get(currentParent);
+  }
+  return parentPath;
+}
+
+function computeParentPaths(
+  lockfile: ParsedLockFile,
+  duplicateDependencyNames: Set<string>,
+  dependencyMap: Map<string, Set<string>>
+): Map<string, string> {
+  const parentPaths = new Map<string, string>();
+
+  const visitorFn = (
+    node: ParsedDependency,
+    _parent: ParsedDependency | null,
+    parentMap?: WeakMap<ParsedDependency, ParsedDependency>
+  ) => {
+    if (!duplicateDependencyNames.has(node.name)) {
+      return;
+    }
+    const versionSet = dependencyMap.get(node.name);
+    if (!versionSet) {
+      return;
+    }
+    const parentPath = getParentPath(node, parentMap);
+    parentPaths.set(`${node.name}@${node.version}`, parentPath.join(' -> '));
+  };
+  const visitor = {
+    dependency: visitorFn,
+    devDependency: visitorFn,
+    peerDependency: visitorFn,
+    optionalDependency: visitorFn
+  };
+  for (const pkg of lockfile.packages) {
+    visitorFn(pkg, null);
+    traverse(pkg, visitor);
+  }
+
+  return parentPaths;
+}
+
 export function scanForDuplicates(
   messages: string[],
   threshold: number,
   dependencyMap: Map<string, Set<string>>,
-  lockfilePath: string
+  lockfilePath: string,
+  lockfile: ParsedLockFile
 ): void {
   const duplicateRows: string[] = [];
+  const duplicateDependencyNames = new Set<string>();
+
   for (const [packageName, currentVersionSet] of dependencyMap) {
     if (currentVersionSet.size > threshold) {
-      const versions = Array.from(currentVersionSet).sort();
-      duplicateRows.push(
-        `| ${packageName} | ${currentVersionSet.size} versions | ${versions.join(', ')} |`
-      );
+      duplicateDependencyNames.add(packageName);
+    }
+  }
+
+  if (duplicateDependencyNames.size === 0) {
+    return;
+  }
+
+  const parentPaths = computeParentPaths(
+    lockfile,
+    duplicateDependencyNames,
+    dependencyMap
+  );
+
+  for (const name of duplicateDependencyNames) {
+    const versionSet = dependencyMap.get(name);
+    if (!versionSet) {
+      continue;
+    }
+    const versions = Array.from(versionSet).sort();
+
+    // Build collapsible details showing where each version comes from
+    const detailsLines: string[] = [];
+    for (const version of versions) {
+      const pathKey = `${name}@${version}`;
+      const path = parentPaths.get(pathKey);
+      const pathDisplay = path || '(root)';
+      detailsLines.push(`**${version}**: ${pathDisplay}`);
     }
+
+    const detailsContent = detailsLines.join('  \n');
+    const collapsibleSection = `<details><summary>${versionSet.size} version${versionSet.size > 1 ? 's' : ''}</summary>\n\n${detailsContent}\n\n</details>`;
+
+    duplicateRows.push(`| ${name} | ${collapsibleSection} |`);
   }
 
   if (duplicateRows.length > 0) {
@@ -41,8 +127,8 @@ export function scanForDuplicates(
     messages.push(
       `## ⚠️ Duplicate Dependencies (threshold: ${threshold})
 
-| 📦 Package | 🔢 Version Count | 📋 Versions |
-| --- | --- | --- |
+| 📦 Package | 📋 Versions |
+| --- | --- |
 ${duplicateRows.join('\n')}${helpMessage}`
     );
   }

src/checks/duplicates.ts

@@ -143,7 +143,13 @@ async function run(): Promise<void> {
       currentDeps,
       baseDeps
     );
-    scanForDuplicates(messages, duplicateThreshold, currentDeps, lockfilePath);
+    scanForDuplicates(
+      messages,
+      duplicateThreshold,
+      currentDeps,
+      lockfilePath,
+      parsedCurrentLock
+    );
 
     await scanForDependencySize(
       messages,