Use smart detection when multiple lockfiles found

[Copilot]

Fix: Don't explode when finding multiple lockfiles

This PR addresses the issue where varlock throws an error when it finds multiple package manager lockfiles in a project.

Plan:

• Explore and understand the current package manager detection logic
• Analyze where detectJsPackageManager is called and why
• Modify detection to be more lenient (allow multiple lockfiles)
• Keep strict detection only where necessary (like during varlock init)
• Add tests for the new behavior
• Test the changes manually
• Address feedback to use env var detection before fallback
• Run code review
• Run security checks
• Add changeset

Changes Made:

1. Modified detectJsPackageManager in js-package-manager-utils.ts:

   • When multiple lockfiles are found at the same level, the function now:
     1. First tries env var based detection (npm_config_user_agent)
     2. If that fails, returns the first detected package manager as a fallback
   • Logs debug messages for troubleshooting
   • Added documentation explaining the fallback selection logic
   • Both call sites (init.command.ts and pretty-format.ts) already handle the result gracefully

2. Added comprehensive tests in js-package-manager-utils.test.ts:

   • Tests for detecting each package manager (npm, pnpm, yarn, bun)
   • Tests for handling multiple lockfiles (which now return a valid package manager)
   • All tests passing ✅

3. Added changeset documenting this fix for the next release

Behavior:

• When multiple lockfiles are found (e.g., both package-lock.json and bun.lockb):
  • The env var detection runs first (respects the currently active package manager)
  • If no env var is set, it falls back to the first detected package manager
  • This should handle rare edge cases better while still providing useful detection
• The code continues to work gracefully:
  • In init.command.ts: Auto-installs varlock as a dependency with detected package manager
  • In pretty-format.ts: Shows commands with the detected package manager prefix
• This is useful in monorepos or when switching package managers

Testing:

• ✅ All existing tests pass (141 tests)
• ✅ New tests added and passing
• ✅ Linting passes
• ✅ Code review completed and feedback addressed
• ✅ Security checks pass with no vulnerabilities

Security Summary:
No security vulnerabilities were found in the changes.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Feature Request] dont always explode finding multiple lockfiles</issue_title>
<issue_description>### Description

currently varlock does some detection of the current js package manager, and when it finds multiple lockfiles (ie both package-lock.json and bun.lock - it will explode.

This may be necessary in some cases when we need to know the package manager for some reason, but I suspect most of the time we could ignore this, or infer the package manager from another method.

Motivation

No response

Proposed Solution

No response

Alternatives

No response

Additional Information

No response</issue_description>

<agent_instructions>explore why we are detecting this in the first place. It may be that we only care about which package manager is active during varlock init and that we can allow being unsure in some cases.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Feature Request] dont always explode finding multiple lockfiles #266

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[changeset-bot]

🦋 Changeset detected

Latest commit: 955597f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

Name	Type
varlock	Patch
@varlock/astro-integration	Patch
@varlock/nextjs-integration	Patch
@varlock/vite-integration	Patch
@varlock/1password-plugin	Patch
@varlock/google-secret-manager-plugin	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[theoephraim]

@copilot - instead of just bailing and leaving it undefined, lets let the env var based detection run as well, and then if that fails, return one of the detected ones. It may cause issues in rare cases but this should be very rare.

[Copilot]

@copilot - instead of just bailing and leaving it undefined, lets let the env var based detection run as well, and then if that fails, return one of the detected ones. It may cause issues in rare case...

Updated in c5adb84. When multiple lockfiles are detected, the function now:

1. First tries env var based detection (npm_config_user_agent)
2. If that fails, returns the first detected package manager as a fallback

This provides better handling of edge cases while maintaining deterministic behavior.

[theoephraim]

@copilot - add a changeset

[philmillman]

@copilot add a changeset

[Copilot]

@copilot - add a changeset

Added changeset in 955597f.

@copilot add a changeset

Added changeset in 955597f.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/dmno-dev/varlock@275

commit: 955597f