bibliothecary 9.1.0 → 10.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 663746258869345c2ab91235203d083b8c20862ceacc435726e0e903a5924a2c
-  data.tar.gz: d675d548e6c34bb985895087948753f43a132c09c28608a56d3cfce5cc14b0fa
+  metadata.gz: a5819573e0a53cf1f6d12f289f16a89318da9da6124cfbfcf2d5bf43f2a2c60a
+  data.tar.gz: 0521f708de33c56c3b9c271c68d61f630f88e4ba73923f781c71f6b117c71401
 SHA512:
-  metadata.gz: 65b0c2930fd92537908a604c94e2a12852e5cc5167838f3fb7c86325a16fc930479b746096a063506f01174c9eb40a792e7f88e1aacefce0f657059b630297a6
-  data.tar.gz: 1b29d13ee41d4a6aabe54854ebe316f1f17cea1be88ba9a73a290c645f3cad4853e2cc6497f419dff474809e1905c1ad851d1d214a58373eee013774830a23e6
+  metadata.gz: 9c1c1d84cfdf88a8b8d0b9b4692c4ce453c4c759a067e3ea99f5c0b0a4a3bf9136af9d600e0bb8a81cbb5d0ff2a3a24cdc7b9264b4455482dde0e12ef359e20c
+  data.tar.gz: 7628bb022b1daad35a3a826dfda54a46faa5437065ab36abf80de1fc9d64abf7e2b7636157eb00665b127a58792659a4b7dd3e74a35014bc731e973216c3df2d

data/CHANGELOG.md

@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+### Changed
+
+### Removed
+
+## [10.1.0] - 2024-07-23
+
+### Changed
+
+- Skip self referencing package entries in yarn v4+ lockfiles.
+
+## [10.0.0] - 2024-07-08
+
+### Added
+
+- Added `CHANGELOG.md`, based on https://keepachangelog.com/en/1.1.0/.
+- New `Bibliothecary::Dependency` class.
+
+### Changed
+
+- **Breaking**: `Bibliothecary::Parsers` classes now return lists of `Bibliothecary::Dependency`
+  instances instead of `Hash` instances.

data/README.md

@@ -162,9 +162,14 @@ All available config options are in: https://github.com/librariesio/bibliothecar
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rspec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, bump and commit the version number in `version.rb` in the `main` branch, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+To release a new version:
+* in `CHANGELOG.md`, move the changes under `"Unreleased"` into a new section with your version number
+* bump and commit the version number in `version.rb` in the `main` branch
+* and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing
 

data/lib/bibliothecary/analyser.rb

@@ -58,11 +58,11 @@ module Bibliothecary
 
       def map_dependencies(hash, key, type)
         hash.fetch(key,[]).map do |name, requirement|
-          {
+          Dependency.new(
             name: name,
             requirement: requirement,
             type: type,
-          }
+          )
         end
       end
 

data/lib/bibliothecary/dependency.rb

@@ -0,0 +1,83 @@
+module Bibliothecary
+  # Dependency represents a single unique dependency that was parsed out of a manifest.
+  #
+  # @attr_reader [String] name The name of the package, e.g. "ansi-string-colors"
+  # @attr_reader [String] requirement The version requirement of the release, e.g. "1.0.0" or "^1.0.0"
+  # @attr_reader [String] platform The platform of the package, e.g. "maven". This is optional because
+  #   it's implicit in most parser results, and the analyzer returns the platform name itself. One
+  #   exception are multi-parsers like DependenciesCSV, because they may return deps from multiple platforms.
+  #   Bibliothecary could start returning this field for *all* deps in future, and make it required. (default: nil)
+  # @attr_reader [String] type The type of dependency, e.g. "runtime" or "test"
+  # @attr_reader [Boolean] direct Is this dependency a direct dependency (vs transitive dependency)? (default: nil)
+  # @attr_reader [Boolean] deprecated Is this dependency deprecated? (default: nil)
+  # @attr_reader [Boolean] local Is this dependency local? (default: nil)
+  # @attr_reader [Boolean] optional Is this dependency optional? (default: nil)
+  # @attr_reader [String] original_name The original name used to require the dependency, for cases
+  #   where it did not match the resolved name. This can be used for features like aliasing.
+  # @attr_reader [String] original_requirement The original requirement used to require the dependency,
+  #   for cases where it did not match the resolved name. This can be used for features like aliasing.
+  # @attr_reader [String] lockfile_requirement The requirement found in the lockfile, e.g. "1.0.0" or "^1.0.0". This is
+  #   only returned from the yarn.lock parser and may not be used by downstream users. TODO: should this be deprecated?
+  # @source [String] source An optional string to store the location of the manifest that contained this
+  #   dependency, e.g. "src/package.json".
+  class Dependency
+    FIELDS = [
+      :name,
+      :requirement,
+      :original_requirement,
+      :lockfile_requirement,
+      :platform,
+      :type,
+      :direct,
+      :deprecated,
+      :local,
+      :optional,
+      :original_name,
+      :source,
+    ]
+
+    attr_reader *FIELDS
+
+    def initialize(
+      name:,
+      requirement:,
+      original_requirement: nil,
+      lockfile_requirement: nil,
+      platform: nil,
+      type: nil,
+      direct: nil,
+      deprecated: nil,
+      local: nil,
+      optional: nil,
+      original_name: nil,
+      source: nil
+    )
+      @name = name
+      @platform = platform
+      @requirement = requirement
+      @original_requirement = original_requirement
+      # TODO: maybe deprecate this field? Is it possible to replace it with original_requirement?
+      @lockfile_requirement = lockfile_requirement
+      @type = type
+      @direct = direct
+      @deprecated = deprecated
+      @local = local
+      @optional = optional
+      @original_name = original_name
+      @source = source
+    end
+
+    def eql?(other)
+      FIELDS.all? { |f| public_send(f) == other.public_send(f) }
+    end
+    alias :== :eql?
+
+    def to_h
+      FIELDS.to_h { |f| [f, public_send(f)] }
+    end
+
+    def hash
+      FIELDS.map { |f| public_send(f) }.hash
+    end
+  end
+end

data/lib/bibliothecary/multi_parsers/bundler_like_manifest.rb

@@ -5,7 +5,7 @@ module Bibliothecary
       # manifests and turns them into a list of dependencies.
       def parse_ruby_manifest(manifest)
         manifest.dependencies.inject([]) do |deps, dep|
-          deps.push({
+          deps.push(Dependency.new(
             name: dep.name,
             requirement: dep
               .requirement
@@ -13,8 +13,8 @@ module Bibliothecary
               .sort_by(&:last)
               .map { |op, version| "#{op} #{version}" }
               .join(", "),
-            type: dep.type,
-          })
+            type: dep.type.to_s,
+          ))
         end.uniq
       end
     end

data/lib/bibliothecary/multi_parsers/cyclonedx.rb

@@ -33,11 +33,11 @@ module Bibliothecary
           return unless mapping
 
           @manifests[mapping] ||= Set.new
-          @manifests[mapping] << {
+          @manifests[mapping] <<  Dependency.new(
             name: self.class.full_name_for_purl(purl),
             requirement: purl.version,
             type: "lockfile",
-          }
+          )
         end
 
         # Iterates over each manifest entry in the parse_queue, and accepts a block which will

data/lib/bibliothecary/multi_parsers/dependencies_csv.rb

@@ -143,9 +143,10 @@ module Bibliothecary
           raw_csv_file
         end
 
-        csv_file.result.find_all do |dependency|
-          dependency[:platform] == platform_name.to_s
-        end
+        csv_file
+          .result
+          .find_all { |dependency| dependency[:platform] == platform_name.to_s }
+          .map { |dep_kvs| Dependency.new(**dep_kvs) }
       end
     end
   end

data/lib/bibliothecary/multi_parsers/json_runtime.rb

@@ -4,11 +4,11 @@ module Bibliothecary
     module JSONRuntime
       def parse_json_runtime_manifest(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         JSON.parse(file_contents).fetch("dependencies",[]).map do |name, requirement|
-          {
+          Dependency.new(
             name: name,
             requirement: requirement,
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/multi_parsers/spdx.rb

@@ -76,11 +76,11 @@ module Bibliothecary
 
           unless package_name.nil? || package_version.nil? || platform.nil?
             entries[platform.to_sym] ||= []
-            entries[platform.to_sym] << {
+            entries[platform.to_sym] << Dependency.new(
               name: package_name,
               requirement: package_version,
               type: "lockfile",
-            }
+            )
 
             package_name = package_version = platform = nil
           end

data/lib/bibliothecary/parsers/cargo.rb

@@ -30,11 +30,11 @@ module Bibliothecary
             if requirement.respond_to?(:fetch)
               requirement = requirement["version"] or next
             end
-            {
+            Dependency.new(
               name: name,
               requirement: requirement,
               type: index.zero? ? "runtime" : "development",
-            }
+            )
           end
         end
 
@@ -45,11 +45,11 @@ module Bibliothecary
         manifest = Tomlrb.parse(file_contents)
         manifest.fetch("package",[]).map do |dependency|
           next if not dependency["source"] or not dependency["source"].start_with?("registry+")
-          {
+          Dependency.new(
             name: dependency["name"],
             requirement: dependency["version"],
             type: "runtime",
-          }
+          )
         end
           .compact
       end

data/lib/bibliothecary/parsers/carthage.rb

@@ -40,11 +40,11 @@ module Bibliothecary
         json = JSON.parse(response.body)
 
         json.map do |dependency|
-          {
+          Dependency.new(
             name: dependency["name"],
             requirement: dependency["version"],
             type: dependency["type"],
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/clojars.rb

@@ -26,11 +26,11 @@ module Bibliothecary
         return [] unless index;
         dependencies = json[index + 1]
         dependencies.map do |dependency|
-          {
+          Dependency.new(
             name: dependency[0],
             requirement: dependency[1],
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/cocoapods.rb

@@ -40,11 +40,11 @@ module Bibliothecary
         manifest["PODS"].map do |row|
           pod = row.is_a?(String) ? row : row.keys.first
           match = pod.match(/(.+?)\s\((.+?)\)/i)
-          {
+          Dependency.new(
             name: match[1].split("/").first,
             requirement: match[2],
             type: "runtime",
-          }
+          )
         end.compact
       end
 
@@ -61,11 +61,11 @@ module Bibliothecary
       def self.parse_json_manifest(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         manifest = JSON.parse(file_contents)
         manifest["dependencies"].inject([]) do |deps, dep|
-          deps.push({
+          deps.push(Dependency.new(
             name: dep[0],
             requirement: dep[1],
             type: "runtime",
-          })
+          ))
         end.uniq
       end
     end

data/lib/bibliothecary/parsers/conda.rb

@@ -40,7 +40,7 @@ module Bibliothecary
 
       def self.parse_conda_with_kind(info, kind)
         dependencies = call_conda_parser_web(info, kind)[kind.to_sym]
-        dependencies.map { |dep| dep.merge(type: "runtime") }
+        dependencies.map { |dep_kv| Dependency.new(**dep_kv.merge(type: "runtime")) }
       end
 
       private_class_method def self.call_conda_parser_web(file_contents, kind)

data/lib/bibliothecary/parsers/cran.rb

@@ -33,11 +33,11 @@ module Bibliothecary
         deps = manifest.first[name].delete("\n").split(",").map(&:strip)
         deps.map do |dependency|
           dep = dependency.match(REQUIRE_REGEXP)
-          {
+          Dependency.new(
             name: dep[1],
             requirement: dep[2] || "*",
             type: name.downcase,
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/elm.rb

@@ -24,11 +24,11 @@ module Bibliothecary
       def self.parse_json_lock(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         manifest = JSON.parse file_contents
         manifest.map do |name, requirement|
-          {
+          Dependency.new(
             name: name,
             requirement: requirement,
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/go.rb

@@ -84,11 +84,11 @@ module Bibliothecary
         file_contents.split("\n").each do |line|
           match = line.gsub(/(\#(.*))/, "").match(GPM_REGEXP)
           next unless match
-          deps << {
+          deps << Dependency.new(
             name: match[1].strip,
             requirement: match[2].strip || "*",
             type: "runtime",
-          }
+          )
         end
         deps
       end
@@ -136,9 +136,9 @@ module Bibliothecary
             # the *source code*. So by replacing the deps here, we're giving more honest results than you'd get when asking go
             # about the versions used.
             replaced_dep = categorized_deps["replace"]
-              .find do |replacement_dep| 
-                replacement_dep[:original_name] == dep[:name] && 
-                  (replacement_dep[:original_requirement] == "*" || replacement_dep[:original_requirement] == dep[:requirement])
+              .find do |replacement_dep|
+                replacement_dep.original_name == dep.name &&
+                  (replacement_dep.original_requirement == "*" || replacement_dep.original_requirement == dep.requirement)
               end
               
             replaced_dep || dep
@@ -178,11 +178,11 @@ module Bibliothecary
         deps = []
         file_contents.lines.map(&:strip).each do |line|
           if (match = line.match(GOSUM_REGEXP))
-            deps << {
+            deps << Dependency.new(
               name: match[1].strip,
               requirement: match[2].strip.split("/").first || "*",
               type: "runtime",
-            }
+            )
           end
         end
         deps.uniq
@@ -198,20 +198,24 @@ module Bibliothecary
               # about the versions used.
               name, requirement = dep["Replace"].split(" ", 2)
               requirement = "*" if requirement.to_s.strip == ""
-              { name: name, requirement: requirement, original_name: dep["Path"], original_requirement: dep["Version"], type: dep.fetch("Scope") { "runtime" } }
+              Dependency.new(
+                name: name, requirement: requirement, original_name: dep["Path"], original_requirement: dep["Version"], type: dep.fetch("Scope") { "runtime" }
+              )
             else
-              { name: dep["Path"], requirement: dep["Version"], type: dep.fetch("Scope") { "runtime" } }
+              Dependency.new(
+                name: dep["Path"], requirement: dep["Version"], type: dep.fetch("Scope") { "runtime" }
+              )
             end
           end
       end
 
       def self.map_dependencies(manifest, attr_name, dep_attr_name, version_attr_name, type)
         manifest.fetch(attr_name,[]).map do |dependency|
-          {
+          Dependency.new(
             name: dependency[dep_attr_name],
             requirement: dependency[version_attr_name]  || "*",
             type: type,
-          }
+          )
         end
       end
 
@@ -221,29 +225,29 @@ module Bibliothecary
         when "replace" 
           replacement_dep = line.split(GOMOD_REPLACEMENT_SEPARATOR_REGEXP, 2).last
           replacement_match = replacement_dep.match(GOMOD_DEP_REGEXP)
-          {
+          Dependency.new(
             original_name: match[:name],
             original_requirement: match[:requirement] || "*",
             name: replacement_match[:name],
             requirement: replacement_match[:requirement] || "*",
             type: "runtime",
             direct: !match[:indirect],
-          }
+          )
         when "retract"
-          {
+          Dependency.new(
             name: match[:name],
             requirement: match[:requirement] || "*",
             type: "runtime",
             deprecated: true,
             direct: !match[:indirect],
-          }
+          )
         else
-          {
+          Dependency.new(
             name: match[:name],
             requirement: match[:requirement] || "*",
             type: "runtime",
             direct: !match[:indirect],
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/hackage.rb

@@ -31,7 +31,9 @@ module Bibliothecary
         response = Typhoeus.post("#{Bibliothecary.configuration.cabal_parser_host}/parse", headers: headers, body: file_contents)
 
         raise Bibliothecary::RemoteParsingError.new("Http Error #{response.response_code} when contacting: #{Bibliothecary.configuration.cabal_parser_host}/parse", response.response_code) unless response.success?
-        JSON.parse(response.body, symbolize_names: true)
+        JSON
+          .parse(response.body, symbolize_names: true)
+          .map { |dep_kvs| Dependency.new(**dep_kvs) }
       end
 
       def self.parse_cabal_config(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
@@ -39,11 +41,11 @@ module Bibliothecary
         deps = manifest.first["constraints"].delete("\n").split(",").map(&:strip)
         deps.map do |dependency|
           dep = dependency.delete("==").split(" ")
-          {
+          Dependency.new(
             name: dep[0],
             requirement: dep[1] || "*",
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/hex.rb

@@ -28,11 +28,11 @@ module Bibliothecary
         json = JSON.parse response.body
 
         json.map do |name, version|
-          {
+          Dependency.new(
             name: name,
             requirement: version,
             type: "runtime",
-          }
+          )
         end
       end
 
@@ -42,11 +42,11 @@ module Bibliothecary
         json = JSON.parse response.body
 
         json.map do |name, info|
-          {
+          Dependency.new(
             name: name,
             requirement: info["version"],
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/julia.rb

@@ -29,11 +29,11 @@ module Bibliothecary
           reqs = "*" if reqs.empty?
           next if name.empty?
 
-          deps << {
+          deps << Dependency.new(
             name: name,
             requirement: reqs,
             type: "runtime",
-          }
+          )
         end
         deps
       end

data/lib/bibliothecary/parsers/maven.rb

@@ -107,11 +107,11 @@ module Bibliothecary
         manifest = Ox.parse file_contents
         manifest.dependencies.locate("dependency").map do |dependency|
           attrs = dependency.attributes
-          {
+          Dependency.new(
             name: "#{attrs[:org]}:#{attrs[:name]}",
             requirement: attrs[:rev],
             type: "runtime",
-          }
+          )
         end
       end
 
@@ -143,11 +143,11 @@ module Bibliothecary
 
           next nil if org.nil? or name.nil? or version.nil?
 
-          {
+          Dependency.new(
             name: "#{org}:#{name}",
             requirement: version,
             type: type,
-          }
+          )
         end.compact
       end
 
@@ -188,33 +188,33 @@ module Bibliothecary
 
           if dep.count == 6
             # get name from renamed package resolution "org:name:version -> renamed_org:name:version"
-            {
+            Dependency.new(
               original_name: dep[0,2].join(":"),
               original_requirement: dep[2],
               name: dep[-3..-2].join(":"),
               requirement: dep[-1],
               type: current_type,
-            }
+            )
           elsif dep.count == 5
             # get name from renamed package resolution "org:name -> renamed_org:name:version"
-            {
+            Dependency.new(
               original_name: dep[0,2].join(":"),
               original_requirement: "*",
               name: dep[-3..-2].join(":"),
               requirement: dep[-1],
               type: current_type,
-            }
+            )
           else
             # get name from version conflict resolution ("org:name:version -> version") and no-resolution ("org:name:version")
-            {
+            Dependency.new(
               name: dep[0..1].join(":"),
               requirement: dep[-1],
               type: current_type,
-            }
+            )
           end
         end
           .compact
-          .uniq { |item| item.values_at(:name, :requirement, :type, :original_name, :original_requirement) }
+          .uniq { |item| [item.name, item.requirement, item.type, item.original_name, item.original_requirement] }
       end
 
       def self.parse_maven_resolved(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
@@ -241,16 +241,16 @@ module Bibliothecary
           when 5..6
             version, type = parts[-2..]
           end
-          {
+          Dependency.new(
             name: parts[0..1].join(":"),
             requirement: version,
             type: type,
-          }
+          )
         end
 
         # First dep line will be the package itself (unless we're only analyzing a single line)
         package = deps[0]
-        deps.size < 2 ? deps : deps[1..-1].reject { |d| d[:name] == package[:name] && d[:requirement] == package[:requirement] }
+        deps.size < 2 ? deps : deps[1..-1].reject { |d| d.name == package.name && d.requirement == package.requirement }
       end
 
       def self.parse_resolved_dep_line(line)
@@ -261,11 +261,11 @@ module Bibliothecary
         dep_parts = line.strip.split(":")
         return unless dep_parts.length == 5
         # org.springframework.boot:spring-boot-starter-web:jar:2.0.3.RELEASE:compile -- module spring.boot.starter.web [auto]
-        {
+        Dependency.new(
           name: dep_parts[0, 2].join(":"),
           requirement: dep_parts[3],
           type: dep_parts[4].split("--").first.strip,
-        }
+        )
       end
 
       def self.parse_standalone_pom_manifest(file_contents, options: {})
@@ -311,7 +311,7 @@ module Bibliothecary
             # optional field is, itself, optional, and will be either "true" or "false"
             optional = extract_pom_dep_info(xml, dep, "optional", parent_properties)
             dep_hash[:optional] = optional == "true" unless optional.nil?
-            deps.push(dep_hash)
+            deps.push(Dependency.new(**dep_hash))
           end
         end
       end
@@ -321,11 +321,11 @@ module Bibliothecary
           .scan(GRADLE_GROOVY_SIMPLE_REGEXP)                                                # match 'implementation "group:artifactId:version"'
           .reject { |(_type, group, artifactId, _version)| group.nil? || artifactId.nil? } # remove any matches with missing group/artifactId
           .map { |(type, group, artifactId, version)|
-          {
-            name: [group, artifactId].join(":"),
-            requirement: version || "*",
-            type: type,
-          }
+            Dependency.new(
+              name: [group, artifactId].join(":"),
+              requirement: version || "*",
+              type: type,
+            )
           }
       end
 
@@ -334,11 +334,11 @@ module Bibliothecary
           .scan(GRADLE_KOTLIN_SIMPLE_REGEXP)                                                # match 'implementation("group:artifactId:version")'
           .reject { |(_type, group, artifactId, _version)| group.nil? || artifactId.nil? } # remove any matches with missing group/artifactId
           .map { |(type, group, artifactId, version)|
-            {
+            Dependency.new(
               name: [group, artifactId].join(":"),
               requirement: version || "*",
               type: type,
-            }
+            )
           }
       end
 
@@ -458,7 +458,7 @@ module Bibliothecary
           dep.delete(:fields)
         end
 
-        return squished
+        return squished.map { |dep_kvs| Dependency.new(**dep_kvs) }
       end
 
       def self.parse_sbt_deps(type, lines)

data/lib/bibliothecary/parsers/npm.rb

@@ -70,12 +70,12 @@ module Bibliothecary
           #      * The other occurrence's name is the path to the local dependency (which has less information, and is duplicative, so we discard)
           .select { |name, _dep| name.start_with?("node_modules") }
           .map do |name, dep|
-            {
+            Dependency.new(
               name: name.split("node_modules/").last,
               requirement: dep["version"] || "*",
               type: dep.fetch("dev", false) || dep.fetch("devOptional", false)  ? "development" : "runtime",
               local: dep.fetch("link", false),
-            }
+            )
           end
       end
 
@@ -90,11 +90,11 @@ module Bibliothecary
             parse_package_lock_deps_recursively(requirement.fetch("dependencies", []), depth + 1)
                                end
 
-          [{
+          [Dependency.new(
             name: name,
             requirement: version,
             type: type,
-          }] + child_dependencies
+          )] + child_dependencies
         end
       end
 
@@ -102,14 +102,29 @@ module Bibliothecary
         manifest = JSON.parse(file_contents)
         raise "appears to be a lockfile rather than manifest format" if manifest.key?("lockfileVersion")
 
-        (
-          map_dependencies(manifest, "dependencies", "runtime") +
-          map_dependencies(manifest, "devDependencies", "development")
-        )
-          .reject { |dep| dep[:name].start_with?("//") } # Omit comment keys. They are valid in package.json: https://groups.google.com/g/nodejs/c/NmL7jdeuw0M/m/yTqI05DRQrIJ
-          .each do |dep|
-            dep[:local] = dep[:requirement].start_with?("file:")
+        dependencies = manifest.fetch("dependencies", [])
+          .reject { |name, _requirement| name.start_with?("//") } # Omit comment keys. They are valid in package.json: https://groups.google.com/g/nodejs/c/NmL7jdeuw0M/m/yTqI05DRQrIJ
+          .map do |name, requirement|
+            Dependency.new(
+              name: name,
+              requirement: requirement,
+              type: "runtime",
+              local: requirement.start_with?("file:")
+            )
+          end
+
+        dependencies += manifest.fetch("devDependencies", [])
+          .reject { |name, _requirement| name.start_with?("//") } # Omit comment keys. They are valid in package.json: https://groups.google.com/g/nodejs/c/NmL7jdeuw0M/m/yTqI05DRQrIJ
+          .map do |name, requirement|
+            Dependency.new(
+              name: name,
+              requirement: requirement,
+              type: "development",
+              local: requirement.start_with?("file:")
+            )
           end
+
+        dependencies
       end
 
       def self.parse_yarn_lock(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
@@ -118,15 +133,20 @@ module Bibliothecary
         raise Bibliothecary::RemoteParsingError.new("Http Error #{response.response_code} when contacting: #{Bibliothecary.configuration.yarn_parser_host}/parse", response.response_code) unless response.success?
 
         json = JSON.parse(response.body, symbolize_names: true)
-        json.uniq.map do |dep|
-          {
-            name: dep[:name],
-            requirement: dep[:version],
-            lockfile_requirement: dep[:requirement],
-            type: dep[:type],
-            local: dep[:requirement]&.start_with?("file:"),
-          }
-        end
+        json
+          .uniq
+          .reject do |dep|
+            dep[:requirement]&.include?("workspace") && dep[:version].include?("use.local")
+          end
+          .map do |dep|
+            Dependency.new(
+              name: dep[:name],
+              requirement: dep[:version],
+              lockfile_requirement: dep[:requirement],
+              type: dep[:type],
+              local: dep[:requirement]&.start_with?("file:"),
+            )
+          end
       end
 
       def self.parse_ls(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
@@ -150,12 +170,12 @@ module Bibliothecary
       private_class_method def self.transform_tree_to_array(deps_by_name)
         deps_by_name.map do |name, metadata|
           [
-            {
+            Dependency.new(
               name: name,
               requirement: metadata["version"],
               lockfile_requirement: metadata.fetch("from", "").split("@").last,
               type: "runtime",
-            },
+            ),
           ] + transform_tree_to_array(metadata.fetch("dependencies", {}))
         end.flatten(1)
       end

data/lib/bibliothecary/parsers/nuget.rb

@@ -52,11 +52,11 @@ module Bibliothecary
         manifest = JSON.parse file_contents
         manifest.fetch("libraries",[]).map do |name, _requirement|
           dep = name.split("/")
-          {
+          Dependency.new(
             name: dep[0],
             requirement: dep[1],
             type: "runtime",
-          }
+          )
         end
       end
 
@@ -68,13 +68,13 @@ module Bibliothecary
           frameworks[framework] = deps
             .reject { |_name, details| details["type"] == "Project" } # Projects do not have versions
             .map do |name, details|
-              {
+              Dependency.new(
                 name: name,
                 # 'resolved' has been set in all examples so far
                 # so fallback to requested is pure paranoia
                 requirement: details.fetch("resolved", details.fetch("requested", "*")),
                 type: "runtime",
-              }
+              )
             end
         end
 
@@ -92,11 +92,11 @@ module Bibliothecary
       def self.parse_packages_config(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         manifest = Ox.parse file_contents
         manifest.packages.locate("package").map do |dependency|
-          {
+          Dependency.new(
             name: dependency.id,
             requirement: (dependency.version if dependency.respond_to? "version") || "*",
             type: dependency.respond_to?("developmentDependency") && dependency.developmentDependency == "true" ? "development" : "runtime",
-          }
+          )
         end
       rescue
         []
@@ -117,13 +117,13 @@ module Bibliothecary
                    "runtime"
                  end
 
-          {
+          Dependency.new(
             name: dependency.Include,
             requirement: requirement,
             type: type,
-          }
+          )
         end
-        packages.uniq {|package| package[:name] }
+        packages.uniq {|package| package.name }
       rescue
         []
       end
@@ -131,11 +131,11 @@ module Bibliothecary
       def self.parse_nuspec(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         manifest = Ox.parse file_contents
         manifest.package.metadata.dependencies.locate("dependency").map do |dependency|
-          {
+          Dependency.new(
             name: dependency.id,
             requirement: dependency.attributes[:version] || "*",
             type: dependency.respond_to?("developmentDependency") && dependency.developmentDependency == "true" ? "development" : "runtime",
-          }
+          )
         end
       rescue
         []
@@ -145,14 +145,14 @@ module Bibliothecary
         lines = file_contents.split("\n")
         package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+\.\d+[\.\d+[\.\d+]*]*)\)/
         packages = lines.select { |line| package_version_re.match(line) }.map { |line| package_version_re.match(line) }.map do |match|
-          {
+          Dependency.new(
             name: match[:name].strip,
             requirement: match[:version],
             type: "runtime",
-          }
+          )
         end
         # we only have to enforce uniqueness by name because paket ensures that there is only the single version globally in the project
-        packages.uniq {|package| package[:name] }
+        packages.uniq {|package| package.name }
       end
 
       def self.parse_project_assets_json(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
@@ -164,11 +164,11 @@ module Bibliothecary
             .select { |_name, details| details["type"] == "package" }
             .map do |name, _details|
             name_split = name.split("/")
-            {
+            Dependency.new(
               name: name_split[0],
               requirement: name_split[1],
               type: "runtime",
-            }
+            )
             end
         end
 

data/lib/bibliothecary/parsers/packagist.rb

@@ -25,23 +25,29 @@ module Bibliothecary
       def self.parse_lockfile(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         manifest = JSON.parse file_contents
         manifest.fetch("packages",[]).map do |dependency|
-          {
+          requirement = dependency["version"]
+
+          # Store Drupal version if Drupal, but include the original manifest version for reference
+          original_requirement, requirement = requirement, dependency.dig("source", "reference") if is_drupal_module(dependency)
+
+          Dependency.new(
             name: dependency["name"],
-            requirement: dependency["version"],
+            requirement: requirement,
             type: "runtime",
-          }.tap do |result|
-            # Store Drupal version if Drupal, but include the original manifest version for reference
-            result[:original_requirement], result[:requirement] = result[:requirement], dependency.dig("source", "reference") if is_drupal_module(dependency)
-          end
+            original_requirement: original_requirement
+          )
         end + manifest.fetch("packages-dev",[]).map do |dependency|
-          {
+          requirement = dependency["version"]
+
+          # Store Drupal version if Drupal, but include the original manifest version for reference
+          original_requirement, requirement = requirement, dependency.dig("source", "reference") if is_drupal_module(dependency)
+
+          Dependency.new(
             name: dependency["name"],
-            requirement: dependency["version"],
+            requirement: requirement,
             type: "development",
-          }.tap do |result|
-            # Store Drupal version if Drupal, but include the original manifest version for reference
-            result[:original_requirement], result[:requirement] = result[:requirement], dependency.dig("source", "reference") if is_drupal_module(dependency)
-          end
+            original_requirement: original_requirement
+          )
         end
       end
 

data/lib/bibliothecary/parsers/pub.rb

@@ -29,11 +29,11 @@ module Bibliothecary
       def self.parse_yaml_lockfile(file_contents, options: {}) # rubocop:disable Lint/UnusedMethodArgument
         manifest = YAML.load file_contents
         manifest.fetch("packages", []).map do |name, dep|
-          {
+          Dependency.new(
             name: name,
             requirement: dep["version"],
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/pypi.rb

@@ -147,11 +147,11 @@ module Bibliothecary
       def self.map_dependencies(packages, type)
         return [] unless packages
         packages.map do |name, info|
-          {
+          Dependency.new(
             name: name,
             requirement: map_requirements(info),
             type: type,
-          }
+          )
         end
       end
 
@@ -176,11 +176,11 @@ module Bibliothecary
           next if group == "_meta"
           group = "runtime" if group == "default"
           dependencies.each do |name, info|
-            deps << {
+            deps << Dependency.new(
               name: name,
               requirement: map_requirements(info),
               type: group,
-            }
+            )
           end
         end
         deps
@@ -198,11 +198,11 @@ module Bibliothecary
                     "runtime"
                   end
 
-          deps << {
+          deps << Dependency.new(
             name: package["name"],
             requirement: map_requirements(package),
             type: group,
-          }
+          )
         end
         deps
       end
@@ -215,11 +215,11 @@ module Bibliothecary
           next if line.match(/^#/)
           match = line.match(REQUIRE_REGEXP)
           next unless match
-          deps << {
+          deps << Dependency.new(
             name: match[1],
             requirement: match[-1] || "*",
             type: "runtime",
-          }
+          )
         end
         deps
       end
@@ -233,11 +233,11 @@ module Bibliothecary
       def self.parse_dependency_tree_json(file_contents, options: {})
         JSON.parse(file_contents)
           .map do |pkg|
-            {
+            Dependency.new(
                 name: pkg.dig("package", "package_name"),
                 requirement: pkg.dig("package", "installed_version"),
                 type: "runtime",
-              }
+            )
           end
           .uniq
       end
@@ -260,27 +260,25 @@ module Bibliothecary
         file_contents.split("\n").each do |line|
           if line["://"]
             begin
-              result = parse_requirements_txt_url(line)
+              result = parse_requirements_txt_url(line, type)
             rescue URI::Error, NoEggSpecified
               next
             end
 
-            deps << result.merge(
-              type: type
-            )
+            deps << result
           elsif (match = line.delete(" ").match(REQUIREMENTS_REGEXP))
-            deps << {
+            deps << Dependency.new(
               name: match[1],
               requirement: match[-1] || "*",
               type: type,
-            }
+            )
           end
         end
 
         deps.uniq
       end
 
-      def self.parse_requirements_txt_url(url)
+      def self.parse_requirements_txt_url(url, type=nil)
         uri = URI.parse(url)
         raise NoEggSpecified, "No egg specified in #{url}" unless uri.fragment
 
@@ -289,7 +287,7 @@ module Bibliothecary
 
         requirement = uri.path[/@(.+)$/, 1]
 
-        { name: name, requirement: requirement || "*" }
+        Dependency.new(name: name, requirement: requirement || "*", type: type)
       end
 
       def self.pip_compile?(file_contents)

data/lib/bibliothecary/parsers/rubygems.rb

@@ -43,11 +43,11 @@ module Bibliothecary
           if match
             name = match[1]
             version = match[2].gsub(/\(|\)/,"")
-            {
+            Dependency.new(
               name: name,
               requirement: version,
               type: "runtime",
-            }
+            )
           else
             parse_bundler(file_contents)
           end
@@ -70,11 +70,11 @@ module Bibliothecary
 
         return nil unless version
 
-        {
+        Dependency.new(
           name: "bundler",
           requirement: version,
           type: "runtime",
-        }
+        )
       end
     end
   end

data/lib/bibliothecary/parsers/shard.rb

@@ -33,11 +33,11 @@ module Bibliothecary
 
       def self.map_dependencies(hash, key, type)
         hash.fetch(key,[]).map do |name, requirement|
-          {
+          Dependency.new(
             name: name,
             requirement: requirement["version"] || "*",
             type: type,
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/parsers/swift_pm.rb

@@ -23,11 +23,11 @@ module Bibliothecary
         json["dependencies"].map do |dependency|
           name = dependency["url"].gsub(/^https?:\/\//, "").gsub(/\.git$/,"")
           version = "#{dependency['version']['lowerBound']} - #{dependency['version']['upperBound']}"
-          {
+          Dependency.new(
             name: name,
             requirement: version,
             type: "runtime",
-          }
+          )
         end
       end
     end

data/lib/bibliothecary/version.rb

@@ -1,3 +1,3 @@
 module Bibliothecary
-  VERSION = "9.1.0"
+  VERSION = "10.1.0"
 end

data/lib/bibliothecary.rb

@@ -1,4 +1,5 @@
 require "bibliothecary/version"
+require "bibliothecary/dependency"
 require "bibliothecary/analyser"
 require "bibliothecary/configuration"
 require "bibliothecary/runner"

data/lib/sdl_parser.rb

@@ -9,11 +9,11 @@ class SdlParser
 
   def dependencies
     parse.children("dependency").inject([]) do |deps, dep|
-      deps.push({
+      deps.push(Bibliothecary::Dependency.new(
         name: dep.value,
         requirement: dep.attribute("version") || ">= 0",
         type: type,
-      })
+      ))
     end.uniq
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bibliothecary
 version: !ruby/object:Gem::Version
-  version: 9.1.0
+  version: 10.1.0
 platform: ruby
 authors:
 - Andrew Nesbitt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-18 00:00:00.000000000 Z
+date: 2024-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tomlrb
@@ -267,6 +267,7 @@ files:
 - ".ruby-version"
 - ".tidelift.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -284,6 +285,7 @@ files:
 - lib/bibliothecary/analyser/matchers.rb
 - lib/bibliothecary/cli.rb
 - lib/bibliothecary/configuration.rb
+- lib/bibliothecary/dependency.rb
 - lib/bibliothecary/exceptions.rb
 - lib/bibliothecary/file_info.rb
 - lib/bibliothecary/multi_parsers/bundler_like_manifest.rb