RubyGems - ecosystems-bibliothecary - Versions diffs - 14.2.0 → 15.0.0 - Mend

ecosystems-bibliothecary 14.2.0 → 15.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (72) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +48 -0
data/README.md +9 -24
data/bibliothecary.gemspec +5 -9
data/lib/bibliothecary/analyser/analysis.rb +10 -5
data/lib/bibliothecary/analyser/matchers.rb +7 -5
data/lib/bibliothecary/analyser.rb +0 -30
data/lib/bibliothecary/cli.rb +35 -26
data/lib/bibliothecary/configuration.rb +1 -6
data/lib/bibliothecary/dependency.rb +1 -4
data/lib/bibliothecary/file_info.rb +7 -0
data/lib/bibliothecary/parsers/bentoml.rb +0 -2
data/lib/bibliothecary/parsers/bower.rb +0 -1
data/lib/bibliothecary/parsers/cargo.rb +12 -10
data/lib/bibliothecary/parsers/carthage.rb +51 -15
data/lib/bibliothecary/parsers/clojars.rb +14 -18
data/lib/bibliothecary/parsers/cocoapods.rb +100 -19
data/lib/bibliothecary/parsers/cog.rb +0 -2
data/lib/bibliothecary/parsers/conan.rb +156 -0
data/lib/bibliothecary/parsers/conda.rb +0 -3
data/lib/bibliothecary/parsers/cpan.rb +0 -2
data/lib/bibliothecary/parsers/cran.rb +40 -19
data/lib/bibliothecary/parsers/docker.rb +0 -2
data/lib/bibliothecary/parsers/dub.rb +33 -8
data/lib/bibliothecary/parsers/dvc.rb +0 -2
data/lib/bibliothecary/parsers/elm.rb +13 -3
data/lib/bibliothecary/parsers/go.rb +14 -5
data/lib/bibliothecary/parsers/hackage.rb +132 -24
data/lib/bibliothecary/parsers/haxelib.rb +14 -4
data/lib/bibliothecary/parsers/hex.rb +37 -20
data/lib/bibliothecary/parsers/homebrew.rb +0 -2
data/lib/bibliothecary/parsers/julia.rb +0 -2
data/lib/bibliothecary/parsers/maven.rb +35 -25
data/lib/bibliothecary/parsers/meteor.rb +14 -4
data/lib/bibliothecary/parsers/mlflow.rb +0 -2
data/lib/bibliothecary/parsers/npm.rb +47 -59
data/lib/bibliothecary/parsers/nuget.rb +23 -22
data/lib/bibliothecary/parsers/ollama.rb +0 -2
data/lib/bibliothecary/parsers/packagist.rb +0 -3
data/lib/bibliothecary/parsers/pub.rb +0 -2
data/lib/bibliothecary/parsers/pypi.rb +54 -35
data/lib/bibliothecary/parsers/rubygems.rb +92 -27
data/lib/bibliothecary/parsers/shard.rb +0 -1
data/lib/bibliothecary/parsers/swift_pm.rb +77 -29
data/lib/bibliothecary/parsers/vcpkg.rb +68 -17
data/lib/bibliothecary/runner.rb +169 -22
data/lib/bibliothecary/version.rb +1 -1
data/lib/bibliothecary.rb +3 -10
data/lib/dockerfile_parser.rb +1 -1
data/lib/modelfile_parser.rb +8 -8
metadata +2 -108
data/.codeclimate.yml +0 -25
data/.github/CONTRIBUTING.md +0 -195
data/.github/workflows/ci.yml +0 -25
data/.gitignore +0 -10
data/.rspec +0 -2
data/.rubocop.yml +0 -69
data/.ruby-version +0 -1
data/.tidelift +0 -1
data/CODE_OF_CONDUCT.md +0 -74
data/Gemfile +0 -34
data/Rakefile +0 -18
data/bin/console +0 -15
data/bin/setup +0 -8
data/lib/bibliothecary/multi_parsers/bundler_like_manifest.rb +0 -26
data/lib/bibliothecary/multi_parsers/cyclonedx.rb +0 -170
data/lib/bibliothecary/multi_parsers/dependencies_csv.rb +0 -155
data/lib/bibliothecary/multi_parsers/json_runtime.rb +0 -22
data/lib/bibliothecary/multi_parsers/spdx.rb +0 -149
data/lib/bibliothecary/purl_util.rb +0 -37
data/lib/bibliothecary/runner/multi_manifest_filter.rb +0 -92
data/lib/sdl_parser.rb +0 -30

data/lib/bibliothecary/parsers/nuget.rb CHANGED Viewed

@@ -7,13 +7,12 @@ module Bibliothecary
   module Parsers
     class Nuget
       include Bibliothecary::Analyser
-      extend Bibliothecary::MultiParsers::JSONRuntime
       def self.mapping
         {
           match_filename("Project.json") => {
             kind: "manifest",
-            parser: :parse_json_runtime_manifest,
+            parser: :parse_project_json,
           },
           match_filename("Project.lock.json") => {
             kind: "lockfile",
@@ -46,9 +45,19 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
-      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
+      def self.parse_project_json(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+        dependencies = manifest.fetch("dependencies", {}).map do |name, requirement|
+          Dependency.new(
+            name: name,
+            requirement: requirement,
+            type: "runtime",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end
+        ParserResult.new(dependencies: dependencies)
+      end
       def self.parse_project_lock_json(file_contents, options: {})
         manifest = JSON.parse file_contents
@@ -68,32 +77,24 @@ module Bibliothecary
       def self.parse_packages_lock_json(file_contents, options: {})
         manifest = JSON.parse file_contents
-        frameworks = {}
-        manifest.fetch("dependencies", []).each do |framework, deps|
-          frameworks[framework] = deps
-            .reject { |_name, details| details["type"] == "Project" } # Projects do not have versions
+        # Merge dependencies from all target frameworks, deduping by name.
+        # Different frameworks may have different versions of the same package,
+        # but we can only report one version per package.
+        dependencies = manifest.fetch("dependencies", {}).flat_map do |_framework, deps|
+          deps
+            .reject { |_name, details| details["type"] == "Project" }
             .map do |name, details|
               Dependency.new(
                 name: name,
-                # 'resolved' has been set in all examples so far
-                # so fallback to requested is pure paranoia
                 requirement: details.fetch("resolved", details.fetch("requested", "*")),
                 type: "runtime",
                 source: options.fetch(:filename, nil),
                 platform: platform_name
               )
             end
-        end
+        end.uniq(&:name)
-        unless frameworks.empty?
-          # we should really return multiple manifests, but bibliothecary doesn't
-          # do that yet so at least pick deterministically.
-          # Note, frameworks can be empty, so remove empty ones and then return the last sorted item if any
-          frameworks.delete_if { |_k, v| v.empty? }
-          return ParserResult.new(dependencies: frameworks[frameworks.keys.max]) unless frameworks.empty?
-        end
-        ParserResult.new(dependencies: [])
+        ParserResult.new(dependencies: dependencies)
       end
       def self.parse_packages_config(file_contents, options: {})
@@ -201,7 +202,7 @@ module Bibliothecary
       def self.parse_paket_lock(file_contents, options: {})
         lines = file_contents.split("\n")
-        package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+\.\d+[.\d+[.\d+]*]*)\)/
+        package_version_re = /\s+(?<name>\S+)\s\((?<version>\d+(?:\.\d+)+)\)/
         packages = lines.select { |line| package_version_re.match(line) }.map { |line| package_version_re.match(line) }.map do |match|
           Dependency.new(
             name: match[:name].strip,

data/lib/bibliothecary/parsers/ollama.rb CHANGED Viewed

@@ -15,8 +15,6 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
       def self.parse_modelfile(file_contents, options: {})
         source = options.fetch(:filename, 'Modelfile')

data/lib/bibliothecary/parsers/packagist.rb CHANGED Viewed

@@ -20,9 +20,6 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
-      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
       def self.parse_lockfile(file_contents, options: {})
         manifest = JSON.parse file_contents

data/lib/bibliothecary/parsers/pub.rb CHANGED Viewed

@@ -20,8 +20,6 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
       def self.parse_yaml_manifest(file_contents, options: {})
         manifest = YAML.load file_contents

data/lib/bibliothecary/parsers/pypi.rb CHANGED Viewed

@@ -88,34 +88,40 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
-      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
       def self.parser_pylock(file_contents, options: {})
-        lockfile = Tomlrb.parse(file_contents)
-        dependencies = lockfile["packages"].map do |d|
-          is_local = true if d.key?("archive") || d.key?("directory")
-          Dependency.new(
+        dependencies = []
+        # Split into [[packages]] blocks and extract fields from each
+        file_contents.split(/\[\[packages\]\]/).drop(1).each do |block|
+          name = block[/^name\s*=\s*"([^"]+)"/m, 1]
+          version = block[/^version\s*=\s*"([^"]+)"/m, 1]
+          # Local packages have [packages.archive] or [packages.directory] sections
+          is_local = block.include?("[packages.archive]") || block.include?("[packages.directory]")
+          dependencies << Dependency.new(
             platform: platform_name,
-            name: d["name"],
+            name: name,
             type: "runtime",
             source: options.fetch(:filename, nil),
-            requirement: d["version"] || "*",
-            local: is_local
+            requirement: version || "*",
+            local: is_local || nil
           )
         end
         ParserResult.new(dependencies: dependencies)
       end
       def self.parse_uv_lock(file_contents, options: {})
-        manifest = Tomlrb.parse(file_contents)
         source = options.fetch(:filename, nil)
-        dependencies = manifest.fetch("package", []).map do |package|
-          Dependency.new(
+        dependencies = []
+        # Split into [[package]] blocks and extract fields from each
+        file_contents.split(/\[\[package\]\]/).drop(1).each do |block|
+          name = block[/name\s*=\s*"([^"]+)"/, 1]
+          version = block[/version\s*=\s*"([^"]+)"/, 1]
+          dependencies << Dependency.new(
             platform: platform_name,
-            name: package["name"],
-            requirement: map_requirements(package),
+            name: name,
+            requirement: version,
             type: "runtime", # All dependencies are considered runtime
             source: source
           )
@@ -230,32 +236,43 @@ module Bibliothecary
       end
       def self.parse_poetry_lock(file_contents, options: {})
-        manifest = Tomlrb.parse(file_contents)
         deps = []
-        manifest["package"].each do |package|
-          # next if group == "_meta"
+        # Split into [[package]] blocks and extract fields from each
+        file_contents.split(/\[\[package\]\]/).drop(1).each do |block|
+          name = block[/^name\s*=\s*"([^"]+)"/m, 1]
+          version = block[/^version\s*=\s*"([^"]+)"/m, 1]
           # Poetry <1.2.0 used singular "category" for kind
           # Poetry >=1.2.0 uses plural "groups" field for kind(s)
-          groups = package.values_at("category", "groups").flatten.compact
-            .map do |g|
-              if g == "dev"
-                "develop"
-              else
-                (g == "main" ? "runtime" : g)
-              end
+          # Use ^ anchor to avoid matching commented lines
+          category = block[/^category\s*=\s*"([^"]+)"/m, 1]
+          groups_match = block[/^groups\s*=\s*\[([^\]]+)\]/m, 1]
+          groups = if groups_match
+                     groups_match.scan(/"([^"]+)"/).flatten
+                   elsif category
+                     [category]
+                   else
+                     []
+                   end
+          groups = groups.map do |g|
+            if g == "dev"
+              "develop"
+            else
+              (g == "main" ? "runtime" : g)
             end
+          end
           groups = ["runtime"] if groups.empty?
           groups.each do |group|
-            # Poetry lockfiles should already contain normalizated names, but we'll
+            # Poetry lockfiles should already contain normalized names, but we'll
             # apply it here as well just to be consistent with pyproject.toml parsing.
-            normalized_name = normalize_name(package["name"])
+            normalized_name = normalize_name(name)
             deps << Dependency.new(
               name: normalized_name,
-              original_name: normalized_name == package["name"] ? nil : package["name"],
-              requirement: map_requirements(package),
+              original_name: normalized_name == name ? nil : name,
+              requirement: version,
               type: group,
               source: options.fetch(:filename, nil),
               platform: platform_name
@@ -314,7 +331,8 @@ module Bibliothecary
       # Invalid lines in requirements.txt are skipped.
       def self.parse_requirements_txt(file_contents, options: {})
         deps = []
-        type = case options[:filename]
+        source = options.fetch(:filename, nil)
+        type = case source
                when /dev/ || /docs/ || /tools/
                  "development"
                when /test/
@@ -323,21 +341,22 @@ module Bibliothecary
                  "runtime"
                end
-        file_contents.split("\n").each do |line|
-          if line["://"]
+        file_contents.each_line do |line|
+          line = line.chomp
+          if line.include?("://")
             begin
-              result = parse_requirements_txt_url(line, type, options.fetch(:filename, nil))
+              result = parse_requirements_txt_url(line, type, source)
             rescue URI::Error, NoEggSpecified
               next
             end
             deps << result
-          elsif (match = line.delete(" ").match(REQUIREMENTS_REGEXP))
+          elsif (match = line.tr(" ", "").match(REQUIREMENTS_REGEXP))
             deps << Dependency.new(
               name: match[1],
               requirement: match[-1],
               type: type,
-              source: options.fetch(:filename, nil),
+              source: source,
               platform: platform_name
             )
           end

data/lib/bibliothecary/parsers/rubygems.rb CHANGED Viewed

@@ -1,18 +1,24 @@
 # frozen_string_literal: true
 require "bundler"
-require "gemnasium/parser"
 module Bibliothecary
   module Parsers
     class Rubygems
       include Bibliothecary::Analyser
-      extend Bibliothecary::MultiParsers::BundlerLikeManifest
       NAME_VERSION = '(?! )(.*?)(?: \(([^-]*)(?:-(.*))?\))?'
       NAME_VERSION_4 = /^ {4}#{NAME_VERSION}$/
       BUNDLED_WITH = /BUNDLED WITH/
+      # Gemfile patterns
+      GEM_REGEXP = /^\s*gem\s+['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?/
+      GROUP_START = /^\s*group\s+(.+?)\s+do/
+      BLOCK_END = /^\s*end\s*$/
+      # Gemspec pattern - captures type in first group
+      GEMSPEC_DEPENDENCY = /\.add_(development_|runtime_)?dependency\s*\(?\s*['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?(?:\s*,\s*['"]([^'"]+)['"])?\s*\)?/
       def self.mapping
         {
           match_filenames("Gemfile", "gems.rb") => {
@@ -33,55 +39,114 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
-      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
       def self.parse_gemfile_lock(file_contents, options: {})
-        lockfile = Bundler::LockfileParser.new(file_contents)
         source = options.fetch(:filename, nil)
+        dependencies = []
-        dependencies = lockfile.specs.map do |spec|
-          Dependency.new(
-            platform: platform_name,
-            name: spec.name,
-            requirement: spec.version.to_s,
-            type: "runtime",
-            source: source
-          )
-        end
+        file_contents.each_line do |line|
+          line = line.chomp.gsub(/\r$/, "")
+          next unless (match = line.match(NAME_VERSION_4))
+          name, version, _platform = match.captures
+          next if name.nil? || name.empty?
-        bundler_version = lockfile.bundler_version
-        if bundler_version
           dependencies << Dependency.new(
             platform: platform_name,
-            name: "bundler",
-            requirement: bundler_version.to_s,
+            name: name,
+            requirement: version,
             type: "runtime",
             source: source
           )
         end
+        if (bundler_dep = parse_bundler(file_contents, source))
+          dependencies << bundler_dep
+        end
         ParserResult.new(dependencies: dependencies)
       end
       def self.parse_gemfile(file_contents, options: {})
-        manifest = Gemnasium::Parser.send(:gemfile, file_contents)
-        dependencies = parse_ruby_manifest(manifest, platform_name, options.fetch(:filename, nil))
-        ParserResult.new(dependencies: dependencies)
+        source = options.fetch(:filename, nil)
+        deps = []
+        current_type = "runtime"
+        block_depth = 0
+        file_contents.each_line do |line|
+          # Track group blocks
+          if (group_match = line.match(GROUP_START))
+            block_depth += 1
+            groups = group_match[1]
+            current_type = groups.include?(":development") ? "development" : "runtime"
+            next
+          end
+          if line.match?(BLOCK_END) && block_depth > 0
+            block_depth -= 1
+            current_type = "runtime" if block_depth == 0
+            next
+          end
+          # Match gem declarations
+          if (match = line.match(GEM_REGEXP))
+            name = match[1]
+            version = match[2]
+            requirement = version ? "= #{version}" : ">= 0"
+            deps << Dependency.new(
+              platform: platform_name,
+              name: name,
+              requirement: requirement,
+              type: current_type,
+              source: source
+            )
+          end
+        end
+        ParserResult.new(dependencies: deps)
       end
       def self.parse_gemspec(file_contents, options: {})
-        manifest = Gemnasium::Parser.send(:gemspec, file_contents)
-        dependencies = parse_ruby_manifest(manifest, platform_name, options.fetch(:filename, nil))
-        ParserResult.new(dependencies: dependencies)
+        source = options.fetch(:filename, nil)
+        deps = []
+        file_contents.each_line do |line|
+          match = line.match(GEMSPEC_DEPENDENCY)
+          next unless match
+          type_prefix, name, ver1, ver2 = match.captures
+          type = type_prefix == "development_" ? "development" : "runtime"
+          requirement = build_requirement(ver1, ver2)
+          deps << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: requirement,
+            type: type,
+            source: source
+          )
+        end
+        ParserResult.new(dependencies: deps)
+      end
+      def self.build_requirement(ver1, ver2)
+        if ver1 && ver2
+          "#{ver1}, #{ver2}"
+        elsif ver1
+          ver1
+        else
+          ">= 0"
+        end
       end
       def self.parse_bundler(file_contents, source = nil)
         bundled_with_index = file_contents.lines(chomp: true).find_index { |line| line.match(BUNDLED_WITH) }
-        version = file_contents.lines(chomp: true).fetch(bundled_with_index + 1)&.strip
+        return nil unless bundled_with_index
-        return nil unless version
+        version = file_contents.lines(chomp: true).fetch(bundled_with_index + 1, nil)&.strip
+        return nil unless version && !version.empty?
         Dependency.new(
           name: "bundler",

data/lib/bibliothecary/parsers/shard.rb CHANGED Viewed

@@ -20,7 +20,6 @@ module Bibliothecary
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
       def self.parse_yaml_lockfile(file_contents, options: {})
         manifest = YAML.load file_contents

data/lib/bibliothecary/parsers/swift_pm.rb CHANGED Viewed

@@ -1,75 +1,123 @@
+require "json"
 module Bibliothecary
   module Parsers
     class SwiftPM
       include Bibliothecary::Analyser
+      # Matches .Package(url: "...", majorVersion: X, minor: Y)
+      # Also matches .package(url: "...", from: "X.Y.Z") (Swift 4+)
+      PACKAGE_REGEXP_LEGACY = /\.Package\s*\(\s*url:\s*"([^"]+)"[^)]*majorVersion:\s*(\d+)[^)]*minor:\s*(\d+)/
+      PACKAGE_REGEXP_FROM = /\.package\s*\(\s*(?:name:\s*"[^"]+",\s*)?url:\s*"([^"]+)"[^)]*from:\s*"([^"]+)"/i
+      PACKAGE_REGEXP_EXACT = /\.package\s*\(\s*(?:name:\s*"[^"]+",\s*)?url:\s*"([^"]+)"[^)]*(?:\.exact|exact)\s*\(\s*"([^"]+)"\s*\)/i
+      PACKAGE_REGEXP_RANGE = /\.package\s*\(\s*(?:name:\s*"[^"]+",\s*)?url:\s*"([^"]+)"[^)]*"([^"]+)"\s*(?:\.\.|\.\.\.)\s*"([^"]+)"/i
       def self.mapping
         {
           match_filename("Package.swift", case_insensitive: true) => {
-            kind: 'manifest',
+            kind: "manifest",
             parser: :parse_package_swift,
-            related_to: ['lockfile']
+            related_to: ["lockfile"],
           },
           match_filename("Package.resolved", case_insensitive: true) => {
-            kind: 'lockfile',
+            kind: "lockfile",
             parser: :parse_package_resolved,
-            related_to: ['manifest']
-          }
+            related_to: ["manifest"],
+          },
         }
       end
-      add_multi_parser(Bibliothecary::MultiParsers::CycloneDX)
-      add_multi_parser(Bibliothecary::MultiParsers::DependenciesCSV)
-      add_multi_parser(Bibliothecary::MultiParsers::Spdx)
       def self.parse_package_swift(file_contents, options: {})
-        source = options.fetch(:filename, 'Package.swift')
-        response = Typhoeus.post("#{Bibliothecary.configuration.swift_parser_host}/to-json", body: file_contents, timeout: 60)
-        raise Bibliothecary::RemoteParsingError.new("Http Error #{response.response_code} when contacting: #{Bibliothecary.configuration.swift_parser_host}/to-json", response.response_code) unless response.success?
-        json = JSON.parse(response.body)
-        deps = json["dependencies"].map do |dependency|
-          name = dependency["url"].gsub(/^https?:\/\//, "").gsub(/\.git$/,"")
-          version = "#{dependency['version']['lowerBound']} - #{dependency['version']['upperBound']}"
-          Bibliothecary::Dependency.new(
+        source = options.fetch(:filename, "Package.swift")
+        deps = []
+        # Remove comments (but not :// in URLs)
+        content = file_contents.gsub(%r{(?<!:)//.*$}, "")
+        # Legacy format: .Package(url: "...", majorVersion: X, minor: Y)
+        content.scan(PACKAGE_REGEXP_LEGACY) do |url, major, minor|
+          name = url.gsub(%r{^https?://}, "").gsub(/\.git$/, "")
+          # Match the remote parser format: lowerBound - upperBound
+          lower = "#{major}.#{minor}.0"
+          upper = "#{major}.#{minor}.9223372036854775807"
+          deps << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: "#{lower} - #{upper}",
+            type: "runtime",
+            source: source
+          )
+        end
+        # Swift 4+ format: .package(url: "...", from: "X.Y.Z")
+        content.scan(PACKAGE_REGEXP_FROM) do |url, version|
+          name = url.gsub(%r{^https?://}, "").gsub(/\.git$/, "")
+          deps << Dependency.new(
             platform: platform_name,
             name: name,
-            requirement: version,
+            requirement: ">= #{version}",
             type: "runtime",
             source: source
           )
         end
-        Bibliothecary::ParserResult.new(dependencies: deps)
+        # Swift 4+ exact version: .package(url: "...", .exact("X.Y.Z"))
+        content.scan(PACKAGE_REGEXP_EXACT) do |url, version|
+          name = url.gsub(%r{^https?://}, "").gsub(/\.git$/, "")
+          deps << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: "= #{version}",
+            type: "runtime",
+            source: source
+          )
+        end
+        # Swift 4+ range: .package(url: "...", "1.0.0"..<"2.0.0")
+        content.scan(PACKAGE_REGEXP_RANGE) do |url, lower, upper|
+          name = url.gsub(%r{^https?://}, "").gsub(/\.git$/, "")
+          deps << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: "#{lower} - #{upper}",
+            type: "runtime",
+            source: source
+          )
+        end
+        ParserResult.new(dependencies: deps)
       end
       def self.parse_package_resolved(file_contents, options: {})
-        source = options.fetch(:filename, 'Package.resolved')
+        source = options.fetch(:filename, "Package.resolved")
         json = JSON.parse(file_contents)
         deps = if json["version"] == 1
           json["object"]["pins"].map do |dependency|
-            name = dependency['repositoryURL'].gsub(/^https?:\/\//, '').gsub(/\.git$/,'')
-            version = dependency['state']['version']
-            Bibliothecary::Dependency.new(
+            name = dependency["repositoryURL"].gsub(%r{^https?://}, "").gsub(/\.git$/, "")
+            version = dependency["state"]["version"]
+            Dependency.new(
               platform: platform_name,
               name: name,
               requirement: version,
-              type: 'runtime',
+              type: "runtime",
               source: source
             )
           end
-        else # version 2
+        else # version 2+
           json["pins"].map do |dependency|
-            name = dependency['location'].gsub(/^https?:\/\//, '').gsub(/\.git$/,'')
-            version = dependency['state']['version']
-            Bibliothecary::Dependency.new(
+            name = dependency["location"].gsub(%r{^https?://}, "").gsub(/\.git$/, "")
+            version = dependency["state"]["version"]
+            Dependency.new(
               platform: platform_name,
               name: name,
               requirement: version,
-              type: 'runtime',
+              type: "runtime",
               source: source
             )
           end
         end
-        Bibliothecary::ParserResult.new(dependencies: deps)
+        ParserResult.new(dependencies: deps)
       end
     end
   end