bibliothecary 14.0.1 → 14.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 473d02467e27047374ca2a13db7d60fa63bdb749e043eadbbc455a64b42366d3
-  data.tar.gz: 31e31e7cb80446f4a8e0e8a9ce59c4a7af8eb9d76086168a442e3eac47732495
+  metadata.gz: 8220f939e62ba68f9f9edebda8c1d5901d88f028c9caea6b173c2f9da14cb5b4
+  data.tar.gz: 2920b4cf85f4497bf1a2749e8c6c6b2cdfa5c0c0a9f3cb244bc86c7991041974
 SHA512:
-  metadata.gz: f0de19e738a8b76dd4afdbdacfb7f008bbafe61860cea67367613e3f1eee964a08e0f672b7e7fd3b7e6afd4c05cb1342926ba935ad8928fc12b9eb9ed3006000
-  data.tar.gz: dd653fed08d2c0ca27ab9c9276f547eca550060ecbd85dddfb5bd65fa8757216f7289909a4fa0b3405cb6cf20c05b448cac539fe1668813847e54894fc26525f
+  metadata.gz: 768d17a2954b4ccb4cad09da85074ef4958193fc10aea00cf33cbc8f7a309dc4d2b287a9d71e6b509b1861ddad06b0ad0508818fcd093147214cd836edd5cdf2
+  data.tar.gz: 4d345a0068501420508694bd5491de0584517e60021ff16e216486bc8329a1c5c7655c40df33a631e280c9977f8721d4b9a572f84f60fd6cf9e449134762b768

data/.circleci/config.yml

@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-  ruby: circleci/ruby@2.1.3
+  ruby: circleci/ruby@2.5.4
 
 executors:
   bibliothecary:

data/CHANGELOG.md

@@ -13,6 +13,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [14.1.0] - 2025-10-01
+
+### Added
+
+### Changed
+
+- Dependencies from pom.xml without a scope will not return a "type" of nil instead of guessing "runtime".
+
+### Removed
+
+## [14.0.2] - 2025-07-29
+
+### Added
+
+- Add support in Pypi parser for PEP-751's newly official "pylock.toml" lockfile
+
+### Changed
+
+- Added a regression test to ensure "file" entries in Pipfile/Pipfile.lock are considered local.
+
+### Removed
+
 ## [14.0.1] - 2025-07-24
 
 ### Changed

data/lib/bibliothecary/dependency.rb

@@ -9,7 +9,8 @@ module Bibliothecary
   #   it's implicit in most parser results, and the analyzer returns the platform name itself. One
   #   exception are multi-parsers like DependenciesCSV, because they may return deps from multiple platforms.
   #   Bibliothecary could start returning this field for *all* deps in future, and make it required. (default: nil)
-  # @attr_reader [String] type The type of dependency, e.g. "runtime" or "test"
+  # @attr_reader [String] type The type or scope of dependency, e.g. "runtime" or "test". In some ecosystems a
+  #   default may be set and in other ecosystems it may make sense to return nil when not found.
   # @attr_reader [Boolean] direct Is this dependency a direct dependency (vs transitive dependency)? (default: nil)
   # @attr_reader [Boolean] deprecated Is this dependency deprecated? (default: nil)
   # @attr_reader [Boolean] local Is this dependency local? (default: nil)

data/lib/bibliothecary/parsers/cran.rb

@@ -7,7 +7,7 @@ module Bibliothecary
     class CRAN
       include Bibliothecary::Analyser
 
-      REQUIRE_REGEXP = /([a-zA-Z0-9\-_\.]+)\s?\(?([><=\s\d\.,]+)?\)?/
+      REQUIRE_REGEXP = /([a-zA-Z0-9\-_.]+)\s?\(?([><=\s\d.,]+)?\)?/
 
       def self.mapping
         {

data/lib/bibliothecary/parsers/maven.rb

@@ -12,8 +12,8 @@ module Bibliothecary
       include Bibliothecary::Analyser
 
       # Matches digraph contents from the Maven dependency tree .dot file format.
-      MAVEN_DOT_PROJECT_REGEXP = /digraph\s+"([^\"]+)"\s+{/
-      MAVEN_DOT_RELATIONSHIP_REGEXP = /"([^\"]+)"\s+->\s+"([^\"]+)"/
+      MAVEN_DOT_PROJECT_REGEXP = /digraph\s+"([^"]+)"\s+{/
+      MAVEN_DOT_RELATIONSHIP_REGEXP = /"([^"]+)"\s+->\s+"([^"]+)"/
 
       # e.g. "annotationProcessor - Annotation processors and their dependencies for source set 'main'."
       GRADLE_TYPE_REGEXP = /^(\w+)/
@@ -286,7 +286,7 @@ module Bibliothecary
           .encode(universal_newline: true)
           # capture two groups; one is the ASCII art telling us the tree depth,
           # and two is the actual dependency
-          .scan(/^\[INFO\]\s((?:[-+|\\]|\s)*)((?:[\w\.-]+:)+[\w\.\-${}]+)/)
+          .scan(/^\[INFO\]\s((?:[-+|\\]|\s)*)((?:[\w.-]+:)+[\w.\-${}]+)/)
           # lines that start with "-" aren't part of the tree, example: "[INFO] --- dependency:3.8.1:tree"
           .reject { |(tree_ascii_art, _dep_info)| tree_ascii_art.start_with?("-") }
           .map do |(tree_ascii_art, dep_info)|
@@ -491,7 +491,6 @@ module Bibliothecary
             dep_hash[:type] ||= dependency_management[:scope]
           end
 
-          dep_hash[:type] ||= "runtime"
           dep_hash[:source] = source
         end
 

data/lib/bibliothecary/parsers/nuget.rb

@@ -189,7 +189,7 @@ module Bibliothecary
 
       def self.parse_paket_lock(file_contents, options: {})
         lines = file_contents.split("\n")
-        package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+\.\d+[\.\d+[\.\d+]*]*)\)/
+        package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+\.\d+[.\d+[.\d+]*]*)\)/
         packages = lines.select { |line| package_version_re.match(line) }.map { |line| package_version_re.match(line) }.map do |match|
           Dependency.new(
             name: match[:name].strip,

data/lib/bibliothecary/parsers/pypi.rb

@@ -10,7 +10,7 @@ module Bibliothecary
       # Capture Group 1 is package.
       # Optional Group 2 is [extras].
       # Capture Group 3 is Version
-      REQUIRE_REGEXP = /([a-zA-Z0-9]+[a-zA-Z0-9\-_\.]+)(?:\[.*?\])*([><=\w\.,]+)?/
+      REQUIRE_REGEXP = /([a-zA-Z0-9]+[a-zA-Z0-9\-_.]+)(?:\[.*?\])*([><=\w.,]+)?/
       REQUIREMENTS_REGEXP = /^#{REQUIRE_REGEXP}/
 
       MANIFEST_REGEXP = /.*require[^\/]*\.(txt|pip|in)$/
@@ -20,6 +20,10 @@ module Bibliothecary
       # Adapted from https://peps.python.org/pep-0508/#names
       PEP_508_NAME_REGEXP = /^([A-Z0-9][A-Z0-9._-]*[A-Z0-9]|[A-Z0-9])/i
 
+      # A modified version of the regexp from the docs, to catch all cases:
+      # https://packaging.python.org/en/latest/specifications/pylock-toml/
+      PEP_751_LOCKFILE_REGEXP = /^pylock(\.[^.]+)?\.toml$/
+
       def self.mapping
         {
           match_filenames("requirements-dev.txt", "requirements/dev.txt",
@@ -72,6 +76,11 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_poetry_lock,
           },
+          # PEP-751: official python lockfile format (https://peps.python.org/pep-0751/)
+          ->(p) { PEP_751_LOCKFILE_REGEXP.match(p) } => {
+            kind: "lockfile",
+            parser: :parser_pylock,
+          },
         }
       end
 
@@ -79,6 +88,22 @@ module Bibliothecary
       add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
       add_multi_parser(Bibliothecary::MultiParsers::Spdx)
 
+      def self.parser_pylock(file_contents, options: {})
+        lockfile = Tomlrb.parse(file_contents)
+        dependencies = lockfile["packages"].map do |d|
+          is_local = true if d.key?("archive") || d.key?("directory")
+          Dependency.new(
+            platform: platform_name,
+            name: d["name"],
+            type: "runtime",
+            source: options.fetch(:filename, nil),
+            requirement: d["version"] || "*",
+            local: is_local
+          )
+        end
+        ParserResult.new(dependencies: dependencies)
+      end
+
       def self.parse_pipfile(file_contents, options: {})
         manifest = Tomlrb.parse(file_contents)
         dependencies = map_dependencies(manifest["packages"], "runtime", options.fetch(:filename, nil)) +
@@ -307,7 +332,7 @@ module Bibliothecary
         uri = URI.parse(url)
         raise NoEggSpecified, "No egg specified in #{url}" unless uri.fragment
 
-        name = uri.fragment[/^egg=([^&]+)([&]|$)/, 1]
+        name = uri.fragment[/^egg=([^&]+)(&|$)/, 1]
         raise NoEggSpecified, "No egg specified in #{url}" unless name
 
         requirement = uri.path[/@(.+)$/, 1]

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "14.0.1"
+  VERSION = "14.1.0"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bibliothecary
 version: !ruby/object:Gem::Version
-  version: 14.0.1
+  version: 14.1.0
 platform: ruby
 authors:
 - Andrew Nesbitt
 bindir: bin
 cert_chain: []
-date: 2025-07-24 00:00:00.000000000 Z
+date: 2025-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: commander