bibliothecary 14.0.2 → 14.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bded2f923188e40707913d6539d5e876d2ff0334233985528a1b4caa3e686037
4
- data.tar.gz: 49f76a339d1141d4b8f0940ad4dc66eb3533773e37d288825c71685f8f78ca3e
3
+ metadata.gz: 548767337e8898f61951f3e458310fd5299d88c81549a3332750c62427b93a28
4
+ data.tar.gz: 660e80fcdce7b4fc1ed9d498b4a8e39856498e709b16fbd0f3ffcdc5671a8942
5
5
  SHA512:
6
- metadata.gz: 3f9e93bbf8341d3a27b22a2661a79225ae64721f3ea63348364d215ca4b73e19bbce6b3a8409cb590851f332fc9c404b1dd18bd0c621418cd139f216e9ed509c
7
- data.tar.gz: 8483dc5f0ff491a9259f909e1cc8734a2c159c408733736e50d11c71b07810e0632e00d75bc8f05b5ab342389bfa0f271b430a6ea2ab74e80b3e3fdb9f05a26c
6
+ metadata.gz: 67d3cf0c77840be64458f50dac795a8a782e192db0138e316e21ef65fb9dd625a32fde8e5ef92fa4e47ce66bb666d5fd97d751930ad6eea4bd7a404836c03698
7
+ data.tar.gz: 4490815f18aac91bfa307349272699c16500f3452d88b0681ce2c927e4b7f6acc55e41afbb33299cfaa5d4330306c34b30598a42b092a732097b617de1f378a9
data/.circleci/config.yml CHANGED
@@ -1,6 +1,6 @@
1
1
  version: 2.1
2
2
  orbs:
3
- ruby: circleci/ruby@2.1.3
3
+ ruby: circleci/ruby@2.5.4
4
4
 
5
5
  executors:
6
6
  bibliothecary:
data/CHANGELOG.md CHANGED
@@ -13,6 +13,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
13
13
 
14
14
  ### Removed
15
15
 
16
+ ## [14.2.0]
17
+
18
+ ### Added
19
+
20
+ ### Changed
21
+
22
+ - Dependencies from yarn.lock will return a nil "type" instead of assuming "runtime".
23
+ - In Nuget .csproj files, ignored <Reference> tags that don't have a version.
24
+
25
+ ### Removed
26
+
27
+ ## [14.1.0] - 2025-10-01
28
+
29
+ ### Added
30
+
31
+ ### Changed
32
+
33
+ - Dependencies from pom.xml without a scope will now return a "type" of nil instead of guessing "runtime".
34
+
35
+ ### Removed
36
+
16
37
  ## [14.0.2] - 2025-07-29
17
38
 
18
39
  ### Added
@@ -9,7 +9,8 @@ module Bibliothecary
9
9
  # it's implicit in most parser results, and the analyzer returns the platform name itself. One
10
10
  # exception are multi-parsers like DependenciesCSV, because they may return deps from multiple platforms.
11
11
  # Bibliothecary could start returning this field for *all* deps in future, and make it required. (default: nil)
12
- # @attr_reader [String] type The type of dependency, e.g. "runtime" or "test"
12
+ # @attr_reader [String] type The type or scope of dependency, e.g. "runtime" or "test". In some ecosystems a
13
+ # default may be set and in other ecosystems it may make sense to return nil when not found.
13
14
  # @attr_reader [Boolean] direct Is this dependency a direct dependency (vs transitive dependency)? (default: nil)
14
15
  # @attr_reader [Boolean] deprecated Is this dependency deprecated? (default: nil)
15
16
  # @attr_reader [Boolean] local Is this dependency local? (default: nil)
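Review bot: The YARD type on the changed `@attr_reader` line still reads `[String]` although the new wording says `type` may now be nil, so the nullable contract should be documented the way the neighbouring `(default: nil)` attrs are, e.g. `# @attr_reader [String, nil] type The type or scope of dependency, e.g. "runtime" or "test". Some ecosystems set a` / `# default; others return nil when the manifest does not state one.` That keeps consumers from calling String methods on `type` unguarded.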
@@ -7,7 +7,7 @@ module Bibliothecary
7
7
  class CRAN
8
8
  include Bibliothecary::Analyser
9
9
 
10
- REQUIRE_REGEXP = /([a-zA-Z0-9\-_\.]+)\s?\(?([><=\s\d\.,]+)?\)?/
10
+ REQUIRE_REGEXP = /([a-zA-Z0-9\-_.]+)\s?\(?([><=\s\d.,]+)?\)?/
11
11
 
12
12
  def self.mapping
13
13
  {
@@ -12,8 +12,8 @@ module Bibliothecary
12
12
  include Bibliothecary::Analyser
13
13
 
14
14
  # Matches digraph contents from the Maven dependency tree .dot file format.
15
- MAVEN_DOT_PROJECT_REGEXP = /digraph\s+"([^\"]+)"\s+{/
16
- MAVEN_DOT_RELATIONSHIP_REGEXP = /"([^\"]+)"\s+->\s+"([^\"]+)"/
15
+ MAVEN_DOT_PROJECT_REGEXP = /digraph\s+"([^"]+)"\s+{/
16
+ MAVEN_DOT_RELATIONSHIP_REGEXP = /"([^"]+)"\s+->\s+"([^"]+)"/
17
17
 
18
18
  # e.g. "annotationProcessor - Annotation processors and their dependencies for source set 'main'."
19
19
  GRADLE_TYPE_REGEXP = /^(\w+)/
@@ -286,7 +286,7 @@ module Bibliothecary
286
286
  .encode(universal_newline: true)
287
287
  # capture two groups; one is the ASCII art telling us the tree depth,
288
288
  # and two is the actual dependency
289
- .scan(/^\[INFO\]\s((?:[-+|\\]|\s)*)((?:[\w\.-]+:)+[\w\.\-${}]+)/)
289
+ .scan(/^\[INFO\]\s((?:[-+|\\]|\s)*)((?:[\w.-]+:)+[\w.\-${}]+)/)
290
290
  # lines that start with "-" aren't part of the tree, example: "[INFO] --- dependency:3.8.1:tree"
291
291
  .reject { |(tree_ascii_art, _dep_info)| tree_ascii_art.start_with?("-") }
292
292
  .map do |(tree_ascii_art, dep_info)|
@@ -491,7 +491,6 @@ module Bibliothecary
491
491
  dep_hash[:type] ||= dependency_management[:scope]
492
492
  end
493
493
 
494
- dep_hash[:type] ||= "runtime"
495
494
  dep_hash[:source] = source
496
495
  end
497
496
 
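Review bot: Removing `dep_hash[:type] ||= "runtime"` leaves `:type` nil for pom.xml dependencies that declare no scope and get none from dependencyManagement, and the yarn.lock hunk (`type: nil`) makes the same contract change; downstream code that filters on `type == "runtime"` or calls string methods on `type` will presumably now see nil, so the removal site deserves a why-comment so the default is not reintroduced as a "fix": `# No default scope is guessed here (Maven's implicit default is "compile", not "runtime"); :type stays nil when neither the dependency nor dependencyManagement declares one.` The enclosing method continues outside the hunk.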
@@ -187,7 +187,7 @@ module Bibliothecary
187
187
  original_name: dep[:original_name],
188
188
  requirement: dep[:version],
189
189
  original_requirement: dep[:original_requirement],
190
- type: "runtime", # lockfile doesn't tell us more about the type of dep
190
+ type: nil, # yarn.lock doesn't report on the type of dependency
191
191
  local: dep[:requirements]&.first&.start_with?("file:"),
192
192
  source: options.fetch(:filename, nil),
193
193
  platform: platform_name
@@ -153,6 +153,17 @@ module Bibliothecary
153
153
  .select { |dep| dep.respond_to? "Include" }
154
154
  .map do |dependency|
155
155
  vals = *dependency.Include.split(",").map(&:strip)
156
+
157
+ # Skip <Reference> dependencies that only have the name value. Reasoning:
158
+ # Builtin assemblies like "System.Web" or "Microsoft.CSharp" can be required from the framework or by
159
+ # downloading via Nuget, and we only want to report on packages that are downloaded from Nuget. We are
160
+ # pretty sure that if they don't have a version in <Reference> then they're likely from the framework
161
+ # itself, which means they won't show up in the lockfile and we want to omit them.
162
+ # Note: if we omit a false positive here it should still show up in the lockfile, and it should be
163
+ # safer guess like this since <Reference> is an older standard.
164
+ # Note: this strategy could also skip on-disk 3rd-party packages with a <HintPath> but no version in <Reference>
165
+ next nil if vals.size == 1
166
+
156
167
  name = vals.shift
157
168
  vals = vals.to_h { |r| r.split("=", 2) }
158
169
 
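Review bot: `next nil if vals.size == 1` skips only the exactly-one-value case, so an empty `Include` attribute (`vals.size == 0`) still falls through to `name = vals.shift` with a nil name; `next nil if vals.size <= 1` covers both. The comment and CHANGELOG describe the intent as "no version", but the guard tests arity, so an Include such as `Foo, Culture=neutral` without a `Version=` pair is still reported — if the version is read from the `Version` key after the `to_h` (outside this hunk), `next nil unless vals.key?("Version")` placed after that line would match the stated intent more precisely. The enclosing `.map` block and method continue past the hunk, and the `.compact` added in the following hunk is what makes `next nil` safe there.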
@@ -164,6 +175,7 @@ module Bibliothecary
164
175
  platform: platform_name
165
176
  )
166
177
  end
178
+ .compact
167
179
 
168
180
  dependencies = packages.uniq(&:name)
169
181
  ParserResult.new(dependencies: dependencies)
@@ -189,7 +201,7 @@ module Bibliothecary
189
201
 
190
202
  def self.parse_paket_lock(file_contents, options: {})
191
203
  lines = file_contents.split("\n")
192
- package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+\.\d+[\.\d+[\.\d+]*]*)\)/
204
+ package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+\.\d+[.\d+[.\d+]*]*)\)/
193
205
  packages = lines.select { |line| package_version_re.match(line) }.map { |line| package_version_re.match(line) }.map do |match|
194
206
  Dependency.new(
195
207
  name: match[:name].strip,
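Review bot: The cleaned-up `package_version_re` keeps the nested bracket in `[.\d+[.\d+]*]*`; in Ruby a `[` inside a character class opens a nested class and `+`/`*` are literals there, so the tail is equivalent to `[.\d+*]*` and accepts strings like `1.2+*3` instead of enforcing dotted numeric groups. If paket.lock versions are always dotted numerics, `(?<version>\d+(?:\.\d+)+)` states that directly and avoids the character-class duplication warning Ruby may emit for the current form. The rest of `parse_paket_lock` is outside the hunk.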
@@ -10,7 +10,7 @@ module Bibliothecary
10
10
  # Capture Group 1 is package.
11
11
  # Optional Group 2 is [extras].
12
12
  # Capture Group 3 is Version
13
- REQUIRE_REGEXP = /([a-zA-Z0-9]+[a-zA-Z0-9\-_\.]+)(?:\[.*?\])*([><=\w\.,]+)?/
13
+ REQUIRE_REGEXP = /([a-zA-Z0-9]+[a-zA-Z0-9\-_.]+)(?:\[.*?\])*([><=\w.,]+)?/
14
14
  REQUIREMENTS_REGEXP = /^#{REQUIRE_REGEXP}/
15
15
 
16
16
  MANIFEST_REGEXP = /.*require[^\/]*\.(txt|pip|in)$/
@@ -332,7 +332,7 @@ module Bibliothecary
332
332
  uri = URI.parse(url)
333
333
  raise NoEggSpecified, "No egg specified in #{url}" unless uri.fragment
334
334
 
335
- name = uri.fragment[/^egg=([^&]+)([&]|$)/, 1]
335
+ name = uri.fragment[/^egg=([^&]+)(&|$)/, 1]
336
336
  raise NoEggSpecified, "No egg specified in #{url}" unless name
337
337
 
338
338
  requirement = uri.path[/@(.+)$/, 1]
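Review bot: The second group in `/^egg=([^&]+)(&|$)/` is never read (only index 1 is taken), so it can be non-capturing: `name = uri.fragment[/^egg=([^&]+)(?:&|$)/, 1]`. Since `uri.fragment` comes from `URI.parse` it cannot contain a newline, `^` is safe here, but `\A` would make the whole-string anchor explicit.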
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Bibliothecary
4
- VERSION = "14.0.2"
4
+ VERSION = "14.2.0"
5
5
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: bibliothecary
3
3
  version: !ruby/object:Gem::Version
4
- version: 14.0.2
4
+ version: 14.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Nesbitt
8
8
  bindir: bin
9
9
  cert_chain: []
10
- date: 2025-07-29 00:00:00.000000000 Z
10
+ date: 2025-10-02 00:00:00.000000000 Z
11
11
  dependencies:
12
12
  - !ruby/object:Gem::Dependency
13
13
  name: commander