bibliothecary 12.1.3 → 12.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +45 -0
- data/lib/bibliothecary/parsers/npm.rb +67 -4
- data/lib/bibliothecary/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bbe2270af80c93aaa2613434faa3c801337ec316a68bdd25d4b6d92d9979398a
|
|
4
|
+
data.tar.gz: ee84bbf8cb2bd2beae91c080e480fe5fc3f0c2773a305743388cf3f225355eb2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0ac214d1af05ecf0f156a81dc751421cbbe1d94c6306420d0aeb87c7dabf96eca819a0b199705d40d408b3a22b73227a523bb06e121c1e60c7dfbbb2f74dff10
|
|
7
|
+
data.tar.gz: 52d620bcd946c7197f129ebd59f2ba68676e67152dbeac297a4cdd5d72f74e9f3dc32c6c11b11f513443040721ccaa18b2c322e7b77162fb775fa7827fe3edd6
|
data/CHANGELOG.md
CHANGED
|
@@ -13,6 +13,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
13
13
|
|
|
14
14
|
### Removed
|
|
15
15
|
|
|
16
|
+
## [12.1.4] - 2025-03-14
|
|
17
|
+
|
|
18
|
+
### Added
|
|
19
|
+
|
|
20
|
+
- Add support for PNPM lockfiles (lockfile versions 5, 6, and 9).
|
|
21
|
+
- Add 'parser_options' arg to Bilbiothecary::Runner constructor.
|
|
22
|
+
|
|
23
|
+
### Changed
|
|
24
|
+
|
|
25
|
+
### Removed
|
|
26
|
+
|
|
27
|
+
## [12.1.3] - 2025-02-26
|
|
28
|
+
|
|
29
|
+
### Added
|
|
30
|
+
|
|
31
|
+
- Add 'local' property to dependencies from Pipfile and Pipfile.lock
|
|
32
|
+
|
|
33
|
+
### Changed
|
|
34
|
+
|
|
35
|
+
- Handle aliases and NPM and Yarn, and ignore patched dependencies.
|
|
36
|
+
- Fix a PyPI parser's regex to exclude false positive "require" names.
|
|
37
|
+
- Drop all sub-projects from list of deps in a Maven maven-dependency-tree.txt.
|
|
38
|
+
|
|
39
|
+
### Removed
|
|
40
|
+
|
|
41
|
+
## [12.1.2] - 2025-02-26
|
|
42
|
+
|
|
43
|
+
### Added
|
|
44
|
+
|
|
45
|
+
- Add 'local' property to dependencies from Pipfile and Pipfile.lock
|
|
46
|
+
|
|
47
|
+
### Changed
|
|
48
|
+
|
|
49
|
+
### Removed
|
|
50
|
+
|
|
51
|
+
## [12.1.1] - 2025-02-21
|
|
52
|
+
|
|
53
|
+
### Added
|
|
54
|
+
|
|
55
|
+
- Add test coverage for Go 1.24's new "tool" directive.
|
|
56
|
+
|
|
57
|
+
### Changed
|
|
58
|
+
|
|
59
|
+
### Removed
|
|
60
|
+
|
|
16
61
|
## [12.1.0] - 2025-01-30
|
|
17
62
|
|
|
18
63
|
### Added
|
|
@@ -16,10 +16,6 @@ module Bibliothecary
|
|
|
16
16
|
kind: "manifest",
|
|
17
17
|
parser: :parse_manifest,
|
|
18
18
|
},
|
|
19
|
-
match_filename("npm-shrinkwrap.json") => {
|
|
20
|
-
kind: "lockfile",
|
|
21
|
-
parser: :parse_shrinkwrap,
|
|
22
|
-
},
|
|
23
19
|
match_filename("yarn.lock") => {
|
|
24
20
|
kind: "lockfile",
|
|
25
21
|
parser: :parse_yarn_lock,
|
|
@@ -28,10 +24,18 @@ module Bibliothecary
|
|
|
28
24
|
kind: "lockfile",
|
|
29
25
|
parser: :parse_package_lock,
|
|
30
26
|
},
|
|
27
|
+
match_filename("pnpm-lock.yaml") => {
|
|
28
|
+
kind: "lockfile",
|
|
29
|
+
parser: :parse_pnpm_lock,
|
|
30
|
+
},
|
|
31
31
|
match_filename("npm-ls.json") => {
|
|
32
32
|
kind: "lockfile",
|
|
33
33
|
parser: :parse_ls,
|
|
34
34
|
},
|
|
35
|
+
match_filename("npm-shrinkwrap.json") => {
|
|
36
|
+
kind: "lockfile",
|
|
37
|
+
parser: :parse_shrinkwrap,
|
|
38
|
+
},
|
|
35
39
|
}
|
|
36
40
|
end
|
|
37
41
|
|
|
@@ -248,6 +252,65 @@ module Bibliothecary
|
|
|
248
252
|
end
|
|
249
253
|
end
|
|
250
254
|
|
|
255
|
+
# This method currently has been tested to support:
|
|
256
|
+
# lockfileVersion: '9.0'
|
|
257
|
+
# lockfileVersion: '6.0'
|
|
258
|
+
# lockfileVersion: '5.4'
|
|
259
|
+
def self.parse_pnpm_lock(contents, _source = nil)
|
|
260
|
+
parsed = YAML.load(contents)
|
|
261
|
+
lockfile_version = parsed["lockfileVersion"].to_i
|
|
262
|
+
|
|
263
|
+
dev_dependencies = parsed.dig("importers", ".", "devDependencies") # <= v9
|
|
264
|
+
dev_dependencies ||= parsed["devDependencies"] # <v9
|
|
265
|
+
|
|
266
|
+
# "dependencies" is in "packages" for < v9 and in "snapshots" for >= v9
|
|
267
|
+
# as of https://github.com/pnpm/pnpm/pull/7700.
|
|
268
|
+
(parsed["snapshots"] || parsed["packages"])
|
|
269
|
+
.map do |name_version, details|
|
|
270
|
+
name, version = case lockfile_version
|
|
271
|
+
when 5
|
|
272
|
+
# e.g. '/debug/2.6.9:'
|
|
273
|
+
n, v = name_version.sub(/^\//, "").split("/", 2)
|
|
274
|
+
# e.g. '/debug/2.2.0_supports-color@1.2.0:'
|
|
275
|
+
v = v.split("_", 2)[0]
|
|
276
|
+
[n, v] # rubocop:disable Style/IdenticalConditionalBranches
|
|
277
|
+
when 6
|
|
278
|
+
# e.g. '/debug@2.6.9:'
|
|
279
|
+
n, v = name_version.sub(/^\//, "").split("@", 2)
|
|
280
|
+
# e.g. "debug@2.2.0(supports-color@1.2.0)"
|
|
281
|
+
v = v.split("(", 2).first
|
|
282
|
+
[n, v] # rubocop:disable Style/IdenticalConditionalBranches
|
|
283
|
+
else
|
|
284
|
+
# e.g. 'debug@2.6.9:'
|
|
285
|
+
n, v = name_version.split("@", 2)
|
|
286
|
+
# e.g. "debug@2.2.0(supports-color@1.2.0)"
|
|
287
|
+
v = v.split("(", 2).first
|
|
288
|
+
[n, v] # rubocop:disable Style/IdenticalConditionalBranches
|
|
289
|
+
end
|
|
290
|
+
|
|
291
|
+
# TODO: the "dev" field was removed in v9 lockfiles (https://github.com/pnpm/pnpm/pull/7808)
|
|
292
|
+
# so this will only exist in v6 and below and might be unreliable.
|
|
293
|
+
# The proper way to set this for v9+ is to build a lookup of deps to
|
|
294
|
+
# their "dependencies", and then recurse through each package's
|
|
295
|
+
# parents. If the direct dep(s) that required them are all
|
|
296
|
+
# "devDependencies" then we can consider them "dev == true". This
|
|
297
|
+
# should be done using a DAG data structure, though, to be efficient
|
|
298
|
+
# and avoid cycles.
|
|
299
|
+
is_dev = details["dev"] == true
|
|
300
|
+
|
|
301
|
+
# Fallback for v9+: this only detects dev deps that are direct.
|
|
302
|
+
is_dev ||= dev_dependencies.any? do |dev_name, dev_details|
|
|
303
|
+
dev_name == name && dev_details["version"] == version
|
|
304
|
+
end
|
|
305
|
+
|
|
306
|
+
Dependency.new(
|
|
307
|
+
name: name,
|
|
308
|
+
requirement: version,
|
|
309
|
+
type: is_dev ? "development" : "runtime"
|
|
310
|
+
)
|
|
311
|
+
end
|
|
312
|
+
end
|
|
313
|
+
|
|
251
314
|
def self.parse_ls(file_contents, options: {})
|
|
252
315
|
manifest = JSON.parse(file_contents)
|
|
253
316
|
|