RubyGems - bibliothecary - Versions diffs - 12.1.4 → 12.1.5 - Mend

bibliothecary 12.1.4 → 12.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/bibliothecary.gemspec +1 -0
data/lib/bibliothecary/parsers/npm.rb +135 -35
data/lib/bibliothecary/version.rb +1 -1
metadata +16 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bbe2270af80c93aaa2613434faa3c801337ec316a68bdd25d4b6d92d9979398a
-  data.tar.gz: ee84bbf8cb2bd2beae91c080e480fe5fc3f0c2773a305743388cf3f225355eb2
+  metadata.gz: e8b70e5a827feb678f61dc5d2f3760be0b627ad948556ccb22dc74521df046c9
+  data.tar.gz: de4f2d64c252570088d1c223002d6942247c45a18f3382e88448338e097273e9
 SHA512:
-  metadata.gz: 0ac214d1af05ecf0f156a81dc751421cbbe1d94c6306420d0aeb87c7dabf96eca819a0b199705d40d408b3a22b73227a523bb06e121c1e60c7dfbbb2f74dff10
-  data.tar.gz: 52d620bcd946c7197f129ebd59f2ba68676e67152dbeac297a4cdd5d72f74e9f3dc32c6c11b11f513443040721ccaa18b2c322e7b77162fb775fa7827fe3edd6
+  metadata.gz: cda3bfcd8d209364d5d8c6fe5b062f308437863f6e09ec05e05f473c486a425c6e0d68eaed3a8a8716119db7cb1ce65ee0921c781f9bacb1e927dd5a17bc7d58
+  data.tar.gz: efacaa12ee9cb7e88b876b4ea8fabf48bfa72ff2da49c4ee637d98bf4ad0f80219d3ad106c5cdc49560557dca078304729592fc89b79a9082ae501446a1d4236

data/CHANGELOG.md CHANGED Viewed

@@ -13,6 +13,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Removed
+## [12.1.5] - 2025-03-17
+### Added
+- Adds alias support for PNPM lockfiles.
+- Add support for bun.lock files
+### Changed
+### Removed
 ## [12.1.4] - 2025-03-14
 ### Added

data/bibliothecary.gemspec CHANGED Viewed

@@ -23,6 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "commander"
   spec.add_dependency "deb_control"
+  spec.add_dependency "json", "~> 2.8"
   spec.add_dependency "librariesio-gem-parser"
   spec.add_dependency "ox", ">= 2.8.1"
   spec.add_dependency "packageurl-ruby"

data/lib/bibliothecary/parsers/npm.rb CHANGED Viewed

@@ -36,6 +36,10 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_shrinkwrap,
           },
+          match_filename("bun.lock") => {
+            kind: "lockfile",
+            parser: :parse_bun_lock,
+          },
         }
       end
@@ -252,53 +256,106 @@ module Bibliothecary
           end
       end
-      # This method currently has been tested to support:
-      #   lockfileVersion: '9.0'
-      #   lockfileVersion: '6.0'
-      #   lockfileVersion: '5.4'
-      def self.parse_pnpm_lock(contents, _source = nil)
-        parsed = YAML.load(contents)
-        lockfile_version = parsed["lockfileVersion"].to_i
+      def self.parse_v5_pnpm_lock(parsed_contents, _source = nil)
+        dependency_mapping = parsed_contents.fetch("dependencies", {})
+          .merge(parsed_contents.fetch("devDependencies", {}))
+        parsed_contents["packages"]
+          .map do |name_version, details|
+            # e.g. "/debug/2.6.9:"
+            name, version = name_version.sub(/^\//, "").split("/", 2)
+            # e.g. "/debug/2.2.0_supports-color@1.2.0:"
+            version = version.split("_", 2)[0]
+            # e.g. "alias-package: /zod/3.24.2"
+            original_name = nil
+            original_requirement = nil
+            if (alias_dep = dependency_mapping.find { |_n, v| v.start_with?("/#{name}/") })
+              original_name = alias_dep[0]
+              original_requirement = alias_dep[1].split("/", 3)[2] # e.g. "/zod/3.24.2"
+            end
+            is_dev = details["dev"] == true
+            Dependency.new(
+              name: name,
+              requirement: version,
+              original_name: original_name,
+              original_requirement: original_requirement,
+              type: is_dev ? "development" : "runtime"
+            )
+          end
+      end
+      def self.parse_v6_pnpm_lock(parsed_contents, _source = nil)
+        dependency_mapping = parsed_contents.fetch("dependencies", {})
+          .merge(parsed_contents.fetch("devDependencies", {}))
+        parsed_contents["packages"]
+          .map do |name_version, details|
+            # e.g. "/debug@2.6.9:"
+            name, version = name_version.sub(/^\//, "").split("@", 2)
+            # e.g. "debug@2.2.0(supports-color@1.2.0)"
+            version = version.split("(", 2).first
+            # e.g.
+            #  alias-package:
+            #    specifier: npm:zod
+            #    version: /zod@3.24.2
+            original_name = nil
+            original_requirement = nil
+            if (alias_dep = dependency_mapping.find { |_n, info| info["specifier"] == "npm:#{name}" })
+              original_name = alias_dep[0]
+              original_requirement = alias_dep[1]["version"].sub(/^\//, "").split("@", 2)[1]
+            end
+            is_dev = details["dev"] == true
+            Dependency.new(
+              name: name,
+              requirement: version,
+              original_name: original_name,
+              original_requirement: original_requirement,
+              type: is_dev ? "development" : "runtime"
+            )
+          end
+      end
-        dev_dependencies = parsed.dig("importers", ".", "devDependencies") # <= v9
-        dev_dependencies ||= parsed["devDependencies"] # <v9
+      def self.parse_v9_pnpm_lock(parsed_contents, _source = nil)
+        dependencies = parsed_contents.fetch("importers", {}).fetch(".", {}).fetch("dependencies")
+        dev_dependencies = parsed_contents.fetch("importers", {}).fetch(".", {}).fetch("devDependencies")
+        dependency_mapping = dependencies.merge(dev_dependencies)
         # "dependencies" is in "packages" for < v9 and in "snapshots" for >= v9
         # as of https://github.com/pnpm/pnpm/pull/7700.
-        (parsed["snapshots"] || parsed["packages"])
-          .map do |name_version, details|
-            name, version = case lockfile_version
-                            when 5
-                              # e.g. '/debug/2.6.9:'
-                              n, v = name_version.sub(/^\//, "").split("/", 2)
-                              # e.g. '/debug/2.2.0_supports-color@1.2.0:'
-                              v = v.split("_", 2)[0]
-                              [n, v] # rubocop:disable Style/IdenticalConditionalBranches
-                            when 6
-                              # e.g. '/debug@2.6.9:'
-                              n, v = name_version.sub(/^\//, "").split("@", 2)
-                              # e.g. "debug@2.2.0(supports-color@1.2.0)"
-                              v = v.split("(", 2).first
-                              [n, v] # rubocop:disable Style/IdenticalConditionalBranches
-                            else
-                              # e.g. 'debug@2.6.9:'
-                              n, v = name_version.split("@", 2)
-                              # e.g. "debug@2.2.0(supports-color@1.2.0)"
-                              v = v.split("(", 2).first
-                              [n, v] # rubocop:disable Style/IdenticalConditionalBranches
-                            end
+        parsed_contents["snapshots"]
+          .map do |name_version, _details|
+            # e.g. "debug@2.6.9:"
+            name, version = name_version.split("@", 2)
+            # e.g. "debug@2.2.0(supports-color@1.2.0)"
+            version = version.split("(", 2).first
+            # e.g.
+            #  alias-package:
+            #    specifier: npm:zod
+            #    version: zod@3.24.2
+            original_name = nil
+            original_requirement = nil
+            if (alias_dep = dependency_mapping.find { |_n, info| info["specifier"] == "npm:#{name}" })
+              original_name = alias_dep[0]
+              original_requirement = alias_dep[1]["version"].split("@", 2)[1]
+            end
             # TODO: the "dev" field was removed in v9 lockfiles (https://github.com/pnpm/pnpm/pull/7808)
-            # so this will only exist in v6 and below and might be unreliable.
             # The proper way to set this for v9+ is to build a lookup of deps to
             # their "dependencies", and then recurse through each package's
             # parents. If the direct dep(s) that required them are all
             # "devDependencies" then we can consider them "dev == true". This
             # should be done using a DAG data structure, though, to be efficient
             # and avoid cycles.
-            is_dev = details["dev"] == true
-            # Fallback for v9+: this only detects dev deps that are direct.
             is_dev ||= dev_dependencies.any? do |dev_name, dev_details|
               dev_name == name && dev_details["version"] == version
             end
@@ -306,17 +363,60 @@ module Bibliothecary
             Dependency.new(
               name: name,
               requirement: version,
+              original_name: original_name,
+              original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime"
             )
           end
       end
+      # This method currently has been tested to support:
+      #   lockfileVersion: '9.0'
+      #   lockfileVersion: '6.0'
+      #   lockfileVersion: '5.4'
+      def self.parse_pnpm_lock(contents, _source = nil)
+        parsed = YAML.load(contents)
+        lockfile_version = parsed["lockfileVersion"].to_i
+        case lockfile_version
+        when 5
+          parse_v5_pnpm_lock(parsed)
+        when 6
+          parse_v6_pnpm_lock(parsed)
+        else # v9+
+          parse_v9_pnpm_lock(parsed)
+        end
+      end
       def self.parse_ls(file_contents, options: {})
         manifest = JSON.parse(file_contents)
         transform_tree_to_array(manifest.fetch("dependencies", {}), options.fetch(:filename, nil))
       end
+      def self.parse_bun_lock(file_contents, options: {})
+        manifest = JSON.parse(file_contents, allow_trailing_comma: true)
+        source = options.fetch(:filename, nil)
+        dev_deps = manifest.dig("workspaces", "", "devDependencies")&.keys&.to_set
+        manifest.fetch("packages", []).map do |name, info|
+          info_name, _, version = info.first.rpartition("@")
+          is_local = version&.start_with?("file:")
+          is_alias = info_name != name
+          Dependency.new(
+            name: info_name,
+            original_name: is_alias ? name : nil,
+            requirement: version,
+            original_requirement: is_alias ? version : nil,
+            type: dev_deps&.include?(name) ? "development" : "runtime",
+            local: is_local,
+            source: source
+          )
+        end
+      end
       def self.lockfile_preference_order(file_infos)
         files = file_infos.each_with_object({}) do |file_info, obj|
           obj[File.basename(file_info.full_path)] = file_info

data/lib/bibliothecary/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Bibliothecary
-  VERSION = "12.1.4"
+  VERSION = "12.1.5"
 end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bibliothecary
 version: !ruby/object:Gem::Version
-  version: 12.1.4
+  version: 12.1.5
 platform: ruby
 authors:
 - Andrew Nesbitt
 bindir: bin
 cert_chain: []
-date: 2025-03-14 00:00:00.000000000 Z
+date: 2025-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: commander
@@ -37,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: librariesio-gem-parser
   requirement: !ruby/object:Gem::Requirement