ecosystems-bibliothecary 15.0.1 → 15.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 508531974284b48df7e084f6d0c7c3a4762f7cf5f1af7ed624c86f469a413bfb
-  data.tar.gz: 2442b323ba7169decede7da3c68284402440613dd1091fec7ff1dee8c5bdbe56
+  metadata.gz: 78f959cefcb80f16e6e56d087449ec23576dc7177b5f4a2f0448654f9d7dd022
+  data.tar.gz: fe94e344c4d43098281d613bfaf6168ec4464766fddedc61a97a9028f16f7174
 SHA512:
-  metadata.gz: bf3b5d65d9d02cbafa1e86f04652cdb7f00ffcefd04f55410850bd904e4e1f1e09bf95cd4893270cd93b5219af6fe14c1cc4e7954fe21bd1deb0979b450a37b4
-  data.tar.gz: 24d881e490fcd2dc28647a3936015d552ded40a0567a11f28fea160e277a3b70f736d9a640b3f3773d7aec5a6c8622d8a10349b2d0c820a0338d31cce9d0ba07
+  metadata.gz: 51e844390f10db2667ef885ad5a0ce300d33b8845808b4f2511869c03512176ce196f8de51c04d11fcfc429ec106849aa5e090800a3ae3aa151f989e8cfe0270
+  data.tar.gz: 0f3a788b617189160bb45f9d73afc4e78ded47a010112a7369c28853a1dd842c3922e1dd7e22c2a62cf494ebaa6a550cf8e009c387e1c58fa27fe6f9bfedc724

data/CHANGELOG.md

@@ -13,6 +13,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.1.0]
+
+### Added
+
+- pdm.lock parser for Python PDM package manager
+- renv.lock parser for R package management
+- stack.yaml.lock parser for Haskell Stack
+- gradle.lockfile parser for Gradle dependency locking
+- .deps.json parser for .NET runtime dependencies
+- verification-metadata.xml parser for Gradle dependency verification
+- Nimble parser for Nim package manager (.nimble files)
+- LuaRocks parser for Lua package manager (.rockspec files)
+
 ## [15.0.1]
 
 ### Changed

data/README.md

@@ -62,6 +62,8 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - sbt-update-full.txt
   - maven-dependency-tree.txt
   - maven-dependency-tree.dot
+  - gradle.lockfile
+  - verification-metadata.xml
 - RubyGems
   - Gemfile
   - Gemfile.lock
@@ -84,6 +86,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - poetry.lock
   - uv.lock
   - pylock.toml
+  - pdm.lock
   - pip-resolved-dependencies.txt
   - pip-dependency-graph.json
 - Nuget
@@ -95,6 +98,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - paket.lock
   - *.csproj
   - project.assets.json
+  - \*.deps.json
 - Bower
   - bower.json
 - BentoML
@@ -124,6 +128,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - MLmodel
 - CRAN
   - DESCRIPTION
+  - renv.lock
 - Cargo
   - Cargo.toml
   - Cargo.lock
@@ -169,6 +174,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
 - Hackage
   - \*.cabal
   - cabal.config
+  - stack.yaml.lock
 - Actions
   - action.yml
   - action.yaml
@@ -188,6 +194,10 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - Brewfile.lock.json
 - Ollama
   - Modelfile
+- Nimble
+  - \*.nimble
+- LuaRocks
+  - \*.rockspec
 
 ## Development
 

data/lib/bibliothecary/parsers/cran.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "json"
+
 module Bibliothecary
   module Parsers
     class CRAN
@@ -13,6 +15,10 @@ module Bibliothecary
             kind: "manifest",
             parser: :parse_description,
           },
+          match_filename("renv.lock") => {
+            kind: "lockfile",
+            parser: :parse_renv_lock,
+          },
         }
       end
 
@@ -67,6 +73,29 @@ module Bibliothecary
           )
         end.compact
       end
+
+      def self.parse_renv_lock(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        manifest = JSON.parse(file_contents)
+        packages = manifest.fetch("Packages", {})
+
+        dependencies = packages.map do |_key, pkg|
+          # Only include packages from CRAN repository
+          # Skip local packages and packages from other sources like Bioconductor
+          repository = pkg["Repository"]
+          next unless repository == "CRAN"
+
+          Dependency.new(
+            name: pkg["Package"],
+            requirement: pkg["Version"],
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end.compact
+
+        ParserResult.new(dependencies: dependencies)
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/hackage.rb

@@ -12,6 +12,9 @@ module Bibliothecary
       # Matches build-tool-depends format: package:tool == version
       BUILD_TOOL_REGEXP = /^\s*([a-zA-Z][a-zA-Z0-9-]*):[a-zA-Z][a-zA-Z0-9-]*\s*((?:[<>=!]+\s*[\d.*]+(?:\s*&&\s*[<>=!]+\s*[\d.*]+)*)?)/
 
+      # Matches stack.yaml.lock hackage entries like: hackage: fuzzyset-0.2.4@sha256:...
+      STACK_LOCK_REGEXP = /hackage:\s*([a-zA-Z0-9-]+)-([0-9.]+)@/
+
       def self.mapping
         {
           match_extension(".cabal") => {
@@ -22,6 +25,10 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_cabal_config,
           },
+          match_filename("stack.yaml.lock") => {
+            kind: "lockfile",
+            parser: :parse_stack_yaml_lock,
+          },
         }
       end
 
@@ -169,6 +176,26 @@ module Bibliothecary
 
         ParserResult.new(dependencies: deps)
       end
+
+      def self.parse_stack_yaml_lock(file_contents, options: {})
+        source = options.fetch(:filename, "stack.yaml.lock")
+        deps = []
+
+        file_contents.each_line do |line|
+          match = line.match(STACK_LOCK_REGEXP)
+          next unless match
+
+          deps << Dependency.new(
+            platform: platform_name,
+            name: match[1],
+            requirement: match[2],
+            type: "runtime",
+            source: source
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/luarocks.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class LuaRocks
+      include Bibliothecary::Analyser
+
+      def self.mapping
+        {
+          match_extension(".rockspec") => {
+            kind: "manifest",
+            parser: :parse_rockspec,
+          },
+        }
+      end
+
+      def self.parse_rockspec(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        # Find dependencies table in Lua format
+        # dependencies = { "lua >= 5.1", "package ~> 1.0" }
+        if file_contents =~ /dependencies\s*=\s*\{([^}]*)\}/m
+          deps_block = Regexp.last_match(1)
+
+          # Extract quoted strings from the dependencies table
+          deps_block.scan(/"([^"]+)"/).flatten.each do |spec|
+            spec = spec.strip
+            next if spec.empty?
+
+            # Parse "packagename" or "packagename >= version" or "packagename ~> version"
+            # Format: name [operator version]
+            if spec =~ /^([a-zA-Z0-9_-]+)\s*(.*)$/
+              name = Regexp.last_match(1)
+              requirement = Regexp.last_match(2).strip
+              requirement = "*" if requirement.empty?
+
+              deps << Dependency.new(
+                name: name,
+                requirement: requirement,
+                type: "runtime",
+                source: source,
+                platform: platform_name
+              )
+            end
+          end
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/maven.rb

@@ -130,6 +130,18 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_maven_tree_dot,
           },
+          # gradle.lockfile is the output of Gradle dependency locking:
+          # https://docs.gradle.org/current/userguide/dependency_locking.html
+          match_filename("gradle.lockfile", case_insensitive: true) => {
+            kind: "lockfile",
+            parser: :parse_gradle_lockfile,
+          },
+          # gradle/verification-metadata.xml is used by Gradle for dependency verification
+          # https://docs.gradle.org/current/userguide/dependency_verification.html
+          match_filename("verification-metadata.xml", case_insensitive: true) => {
+            kind: "lockfile",
+            parser: :parse_gradle_verification_metadata,
+          },
         }
       end
 
@@ -413,6 +425,68 @@ module Bibliothecary
         )
       end
 
+      def self.parse_gradle_lockfile(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        file_contents.each_line do |line|
+          line = line.strip
+          # Skip comments and empty lines
+          next if line.empty? || line.start_with?("#")
+
+          # Format: group:artifact:version=configurations
+          # Split on = first to separate the GAV from configurations
+          gav_part = line.split("=").first
+          next unless gav_part
+
+          parts = gav_part.split(":")
+          # Must have exactly 3 parts: group, artifact, version
+          next unless parts.length == 3
+
+          group, artifact, version = parts
+          # Skip empty entries (like "empty=")
+          next if version.nil? || version.empty?
+
+          deps << Dependency.new(
+            name: "#{group}:#{artifact}",
+            requirement: version,
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+
+      def self.parse_gradle_verification_metadata(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        doc = Ox.parse(file_contents)
+        components = doc.locate("verification-metadata/components/component")
+
+        components.each do |component|
+          attrs = component.attributes
+          group = attrs[:group]
+          name = attrs[:name]
+          version = attrs[:version]
+
+          next if group.nil? || name.nil? || version.nil?
+          next if group.empty? || name.empty? || version.empty?
+
+          deps << Dependency.new(
+            name: "#{group}:#{name}",
+            requirement: version,
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+
       def self.parse_resolved_dep_line(line, options: {})
         # filter out anything that doesn't look like a
         # resolved dep line

data/lib/bibliothecary/parsers/nimble.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Nimble
+      include Bibliothecary::Analyser
+
+      # Matches requires statements like: requires "nim >= 1.0.0", "chronos >= 3.0.0"
+      # or: requires "packagename"
+      REQUIRES_REGEXP = /^\s*requires\s+"([^"]+)"/
+
+      def self.mapping
+        {
+          match_extension(".nimble") => {
+            kind: "manifest",
+            parser: :parse_nimble,
+          },
+        }
+      end
+
+      def self.parse_nimble(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        file_contents.each_line do |line|
+          next unless line.strip.start_with?("requires")
+
+          # Extract all quoted strings from requires lines
+          # handles: requires "pkg1", "pkg2 >= 1.0"
+          line.scan(/"([^"]+)"/).flatten.each do |spec|
+            spec = spec.strip
+            next if spec.empty?
+
+            # Parse "packagename" or "packagename >= version" or "packagename == version"
+            if spec =~ /^([a-zA-Z0-9_]+)\s*(.*)$/
+              name = Regexp.last_match(1)
+              requirement = Regexp.last_match(2).strip
+              requirement = "*" if requirement.empty?
+
+              deps << Dependency.new(
+                name: name,
+                requirement: requirement,
+                type: "runtime",
+                source: source,
+                platform: platform_name
+              )
+            end
+          end
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/nuget.rb

@@ -42,6 +42,11 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_project_assets_json,
           },
+          # .deps.json files end with .deps.json (e.g. myapp.deps.json)
+          match_extension(".deps.json") => {
+            kind: "lockfile",
+            parser: :parse_deps_json,
+          },
         }
       end
 
@@ -246,6 +251,33 @@ module Bibliothecary
         end
         ParserResult.new(dependencies: [])
       end
+
+      def self.parse_deps_json(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+        libraries = manifest.fetch("libraries", {})
+
+        dependencies = libraries.map do |name_version, details|
+          # Skip project-type entries (these are the root/main package)
+          next if details["type"] == "project"
+
+          # Split name/version format
+          parts = name_version.split("/")
+          next unless parts.length == 2
+
+          name, version = parts
+          next if name.nil? || name.empty? || version.nil? || version.empty?
+
+          Dependency.new(
+            name: name,
+            requirement: version,
+            type: "runtime",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end.compact
+
+        ParserResult.new(dependencies: dependencies)
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/pypi.rb

@@ -85,6 +85,10 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parser_pylock,
           },
+          match_filename("pdm.lock") => {
+            kind: "lockfile",
+            parser: :parse_pdm_lock,
+          },
         }
       end
 
@@ -129,6 +133,34 @@ module Bibliothecary
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_pdm_lock(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        dependencies = []
+        # Split into [[package]] blocks and extract fields from each
+        file_contents.split(/\[\[package\]\]/).drop(1).each do |block|
+          name = block[/^name\s*=\s*"([^"]+)"/m, 1]
+          version = block[/^version\s*=\s*"([^"]+)"/m, 1]
+          # PDM stores groups as an array, e.g. groups = ["default"] or groups = ["dev"]
+          groups_match = block[/^groups\s*=\s*\[([^\]]+)\]/m, 1]
+          groups = groups_match ? groups_match.scan(/"([^"]+)"/).flatten : ["default"]
+
+          type = if groups.include?("dev")
+                   "develop"
+                 else
+                   "runtime"
+                 end
+
+          dependencies << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: version,
+            type: type,
+            source: source
+          )
+        end
+        ParserResult.new(dependencies: dependencies)
+      end
+
       def self.parse_pipfile(file_contents, options: {})
         manifest = Tomlrb.parse(file_contents)
         dependencies = map_dependencies(manifest["packages"], "runtime", options.fetch(:filename, nil)) +

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "15.0.1"
+  VERSION = "15.1.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ecosystems-bibliothecary
 version: !ruby/object:Gem::Version
-  version: 15.0.1
+  version: 15.1.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -138,9 +138,11 @@ files:
 - lib/bibliothecary/parsers/hex.rb
 - lib/bibliothecary/parsers/homebrew.rb
 - lib/bibliothecary/parsers/julia.rb
+- lib/bibliothecary/parsers/luarocks.rb
 - lib/bibliothecary/parsers/maven.rb
 - lib/bibliothecary/parsers/meteor.rb
 - lib/bibliothecary/parsers/mlflow.rb
+- lib/bibliothecary/parsers/nimble.rb
 - lib/bibliothecary/parsers/npm.rb
 - lib/bibliothecary/parsers/nuget.rb
 - lib/bibliothecary/parsers/ollama.rb