ecosystems-bibliothecary 15.0.1 → 15.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 508531974284b48df7e084f6d0c7c3a4762f7cf5f1af7ed624c86f469a413bfb
-  data.tar.gz: 2442b323ba7169decede7da3c68284402440613dd1091fec7ff1dee8c5bdbe56
+  metadata.gz: 49988f4a70c1d5dcf6b7c05bffba8d885b3e63f04545f0c524d32b46de0804f2
+  data.tar.gz: 121b4e75f934770b9967b0e3b2427ddc1dc6aaaa19f8ed0d72f1001e50d4d575
 SHA512:
-  metadata.gz: bf3b5d65d9d02cbafa1e86f04652cdb7f00ffcefd04f55410850bd904e4e1f1e09bf95cd4893270cd93b5219af6fe14c1cc4e7954fe21bd1deb0979b450a37b4
-  data.tar.gz: 24d881e490fcd2dc28647a3936015d552ded40a0567a11f28fea160e277a3b70f736d9a640b3f3773d7aec5a6c8622d8a10349b2d0c820a0338d31cce9d0ba07
+  metadata.gz: 227adbf47ce52d6a9bb70be154f0cc204f5f327b68adeb8c91fd2e668036359eebd07d3fb940f0d4eef00128af04fb2073304147b9285589917efef1b1d5d5cf
+  data.tar.gz: ca3b36ddfa71702dae9737500dcf09ad6a9e6c4daf5758738c793614bcdcbd730a50083d081ee45a899536b0f01c1bd7d4eef90117cc3c1aeee6063a780e0b3f

data/CHANGELOG.md

@@ -13,6 +13,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.1.1]
+
+### Added
+
+- CPAN: cpanfile parser for Perl dependency declarations
+- CPAN: cpanfile.snapshot parser for Carton lockfiles
+- CPAN: Makefile.PL parser for ExtUtils::MakeMaker build scripts
+- CPAN: Build.PL parser for Module::Build scripts
+
+### Changed
+
+- CPAN: META.json and META.yml are now classified as lockfiles (they are generated, not hand-written)
+
+## [15.1.0]
+
+### Added
+
+- pdm.lock parser for Python PDM package manager
+- renv.lock parser for R package management
+- stack.yaml.lock parser for Haskell Stack
+- gradle.lockfile parser for Gradle dependency locking
+- .deps.json parser for .NET runtime dependencies
+- verification-metadata.xml parser for Gradle dependency verification
+- Nimble parser for Nim package manager (.nimble files)
+- LuaRocks parser for Lua package manager (.rockspec files)
+
 ## [15.0.1]
 
 ### Changed

data/README.md

@@ -62,6 +62,8 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - sbt-update-full.txt
   - maven-dependency-tree.txt
   - maven-dependency-tree.dot
+  - gradle.lockfile
+  - verification-metadata.xml
 - RubyGems
   - Gemfile
   - Gemfile.lock
@@ -84,6 +86,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - poetry.lock
   - uv.lock
   - pylock.toml
+  - pdm.lock
   - pip-resolved-dependencies.txt
   - pip-dependency-graph.json
 - Nuget
@@ -95,6 +98,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - paket.lock
   - *.csproj
   - project.assets.json
+  - \*.deps.json
 - Bower
   - bower.json
 - BentoML
@@ -102,6 +106,10 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
 - CPAN
   - META.json
   - META.yml
+  - cpanfile
+  - cpanfile.snapshot
+  - Makefile.PL
+  - Build.PL
 - CocoaPods
   - Podfile
   - Podfile.lock
@@ -124,6 +132,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - MLmodel
 - CRAN
   - DESCRIPTION
+  - renv.lock
 - Cargo
   - Cargo.toml
   - Cargo.lock
@@ -169,6 +178,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
 - Hackage
   - \*.cabal
   - cabal.config
+  - stack.yaml.lock
 - Actions
   - action.yml
   - action.yaml
@@ -188,6 +198,10 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - Brewfile.lock.json
 - Ollama
   - Modelfile
+- Nimble
+  - \*.nimble
+- LuaRocks
+  - \*.rockspec
 
 ## Development
 

data/lib/bibliothecary/parsers/cpan.rb

@@ -11,13 +11,29 @@ module Bibliothecary
       def self.mapping
         {
           match_filename("META.json", case_insensitive: true) => {
-            kind: "manifest",
+            kind: "lockfile",
             parser: :parse_json_manifest,
           },
           match_filename("META.yml", case_insensitive: true) => {
-            kind: "manifest",
+            kind: "lockfile",
             parser: :parse_yaml_manifest,
           },
+          match_filename("cpanfile", case_insensitive: true) => {
+            kind: "manifest",
+            parser: :parse_cpanfile,
+          },
+          match_filename("cpanfile.snapshot", case_insensitive: true) => {
+            kind: "lockfile",
+            parser: :parse_cpanfile_snapshot,
+          },
+          match_filename("Makefile.PL", case_insensitive: true) => {
+            kind: "manifest",
+            parser: :parse_makefile_pl,
+          },
+          match_filename("Build.PL", case_insensitive: true) => {
+            kind: "manifest",
+            parser: :parse_build_pl,
+          },
         }
       end
 
@@ -35,6 +51,174 @@ module Bibliothecary
         dependencies = map_dependencies(manifest, "requires", "runtime", options.fetch(:filename, nil))
         ParserResult.new(dependencies: dependencies)
       end
+
+      def self.parse_cpanfile(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+        current_phase = "runtime"
+        current_feature = nil
+
+        file_contents.each_line do |line|
+          line = line.strip
+
+          # Track phase changes: on 'test' => sub {
+          if line =~ /\bon\s+['"](\w+)['"]\s*=>/
+            current_phase = $1
+            next
+          end
+
+          # Track feature blocks: feature 'name', 'desc' => sub {
+          if line =~ /\bfeature\s+['"]([\w-]+)['"]/
+            current_feature = $1
+            next
+          end
+
+          # End of block - reset to defaults
+          if line =~ /^\s*\};\s*$/
+            current_phase = "runtime"
+            current_feature = nil
+            next
+          end
+
+          # Parse dependency declarations
+          # requires 'Module::Name', 'version';
+          # requires 'Module::Name';
+          # recommends 'Module::Name', 'version';
+          if line =~ /\b(requires|recommends|suggests|conflicts)\s+['"]([^'"]+)['"](?:\s*,\s*['"]?([^'";]+)['"]?)?/
+            dep_type = $1
+            name = $2
+            version = $3&.strip || "*"
+
+            # Map cpanfile phases to our types
+            type = case current_phase
+                   when "test" then "test"
+                   when "develop" then "develop"
+                   when "build" then "build"
+                   when "configure" then "build"
+                   else dep_type == "requires" ? "runtime" : dep_type
+                   end
+
+            dependencies << Dependency.new(
+              name: name,
+              requirement: version,
+              type: type,
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_cpanfile_snapshot(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+
+        file_contents.each_line do |line|
+          # Match distribution header: Module-Name-1.23
+          if (match = line.match(/^  (\S+)-v?([\d._]+)$/))
+            dist_name = match[1].gsub("-", "::")
+            version = match[2]
+            dependencies << Dependency.new(
+              name: dist_name,
+              requirement: version,
+              type: "runtime",
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Parse Makefile.PL (ExtUtils::MakeMaker format)
+      # Looks for PREREQ_PM, BUILD_REQUIRES, TEST_REQUIRES, CONFIGURE_REQUIRES
+      def self.parse_makefile_pl(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Map of hash key names to dependency types
+        type_mapping = {
+          "PREREQ_PM" => "runtime",
+          "BUILD_REQUIRES" => "build",
+          "TEST_REQUIRES" => "test",
+          "CONFIGURE_REQUIRES" => "build",
+        }
+
+        type_mapping.each do |key, type|
+          deps = extract_perl_hash(file_contents, key)
+          deps.each do |name, version|
+            dependencies << Dependency.new(
+              name: name,
+              requirement: version,
+              type: type,
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Parse Build.PL (Module::Build format)
+      # Looks for requires, build_requires, test_requires, configure_requires
+      def self.parse_build_pl(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Map of hash key names to dependency types
+        type_mapping = {
+          "requires" => "runtime",
+          "build_requires" => "build",
+          "test_requires" => "test",
+          "configure_requires" => "build",
+          "recommends" => "runtime",
+        }
+
+        type_mapping.each do |key, type|
+          deps = extract_perl_hash(file_contents, key)
+          deps.each do |name, version|
+            dependencies << Dependency.new(
+              name: name,
+              requirement: version,
+              type: type,
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Extract a Perl hash from source code
+      # Handles patterns like: KEY => { 'Module' => '1.0', ... }
+      def self.extract_perl_hash(content, key)
+        deps = {}
+
+        # Match the hash assignment: KEY => { ... }
+        # Use word boundary to avoid matching configure_requires when looking for requires
+        pattern = /(?:^|[^\w])#{Regexp.escape(key)}\s*=>\s*\{([^{}]*(?:\{[^{}]*\}[^{}]*)*)\}/m
+
+        if (match = content.match(pattern))
+          hash_content = match[1]
+
+          # Extract 'Module::Name' => 'version' or 'Module::Name' => version patterns
+          hash_content.scan(/['"]([^'"]+)['"]\s*=>\s*['"]?([^'",}\s]+)['"]?/) do |name, version|
+            # Skip perl version requirements and non-module entries
+            next if name == "perl"
+
+            # Normalize version: 0 means any version
+            version = "*" if version == "0"
+            deps[name] = version
+          end
+        end
+
+        deps
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/cran.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "json"
+
 module Bibliothecary
   module Parsers
     class CRAN
@@ -13,6 +15,10 @@ module Bibliothecary
             kind: "manifest",
             parser: :parse_description,
           },
+          match_filename("renv.lock") => {
+            kind: "lockfile",
+            parser: :parse_renv_lock,
+          },
         }
       end
 
@@ -67,6 +73,29 @@ module Bibliothecary
           )
         end.compact
       end
+
+      def self.parse_renv_lock(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        manifest = JSON.parse(file_contents)
+        packages = manifest.fetch("Packages", {})
+
+        dependencies = packages.map do |_key, pkg|
+          # Only include packages from CRAN repository
+          # Skip local packages and packages from other sources like Bioconductor
+          repository = pkg["Repository"]
+          next unless repository == "CRAN"
+
+          Dependency.new(
+            name: pkg["Package"],
+            requirement: pkg["Version"],
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end.compact
+
+        ParserResult.new(dependencies: dependencies)
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/hackage.rb

@@ -12,6 +12,9 @@ module Bibliothecary
       # Matches build-tool-depends format: package:tool == version
       BUILD_TOOL_REGEXP = /^\s*([a-zA-Z][a-zA-Z0-9-]*):[a-zA-Z][a-zA-Z0-9-]*\s*((?:[<>=!]+\s*[\d.*]+(?:\s*&&\s*[<>=!]+\s*[\d.*]+)*)?)/
 
+      # Matches stack.yaml.lock hackage entries like: hackage: fuzzyset-0.2.4@sha256:...
+      STACK_LOCK_REGEXP = /hackage:\s*([a-zA-Z0-9-]+)-([0-9.]+)@/
+
       def self.mapping
         {
           match_extension(".cabal") => {
@@ -22,6 +25,10 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_cabal_config,
           },
+          match_filename("stack.yaml.lock") => {
+            kind: "lockfile",
+            parser: :parse_stack_yaml_lock,
+          },
         }
       end
 
@@ -169,6 +176,26 @@ module Bibliothecary
 
         ParserResult.new(dependencies: deps)
       end
+
+      def self.parse_stack_yaml_lock(file_contents, options: {})
+        source = options.fetch(:filename, "stack.yaml.lock")
+        deps = []
+
+        file_contents.each_line do |line|
+          match = line.match(STACK_LOCK_REGEXP)
+          next unless match
+
+          deps << Dependency.new(
+            platform: platform_name,
+            name: match[1],
+            requirement: match[2],
+            type: "runtime",
+            source: source
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/luarocks.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class LuaRocks
+      include Bibliothecary::Analyser
+
+      def self.mapping
+        {
+          match_extension(".rockspec") => {
+            kind: "manifest",
+            parser: :parse_rockspec,
+          },
+        }
+      end
+
+      def self.parse_rockspec(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        # Find dependencies table in Lua format
+        # dependencies = { "lua >= 5.1", "package ~> 1.0" }
+        if file_contents =~ /dependencies\s*=\s*\{([^}]*)\}/m
+          deps_block = Regexp.last_match(1)
+
+          # Extract quoted strings from the dependencies table
+          deps_block.scan(/"([^"]+)"/).flatten.each do |spec|
+            spec = spec.strip
+            next if spec.empty?
+
+            # Parse "packagename" or "packagename >= version" or "packagename ~> version"
+            # Format: name [operator version]
+            if spec =~ /^([a-zA-Z0-9_-]+)\s*(.*)$/
+              name = Regexp.last_match(1)
+              requirement = Regexp.last_match(2).strip
+              requirement = "*" if requirement.empty?
+
+              deps << Dependency.new(
+                name: name,
+                requirement: requirement,
+                type: "runtime",
+                source: source,
+                platform: platform_name
+              )
+            end
+          end
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/maven.rb

@@ -130,6 +130,18 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_maven_tree_dot,
           },
+          # gradle.lockfile is the output of Gradle dependency locking:
+          # https://docs.gradle.org/current/userguide/dependency_locking.html
+          match_filename("gradle.lockfile", case_insensitive: true) => {
+            kind: "lockfile",
+            parser: :parse_gradle_lockfile,
+          },
+          # gradle/verification-metadata.xml is used by Gradle for dependency verification
+          # https://docs.gradle.org/current/userguide/dependency_verification.html
+          match_filename("verification-metadata.xml", case_insensitive: true) => {
+            kind: "lockfile",
+            parser: :parse_gradle_verification_metadata,
+          },
         }
       end
 
@@ -413,6 +425,68 @@ module Bibliothecary
         )
       end
 
+      def self.parse_gradle_lockfile(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        file_contents.each_line do |line|
+          line = line.strip
+          # Skip comments and empty lines
+          next if line.empty? || line.start_with?("#")
+
+          # Format: group:artifact:version=configurations
+          # Split on = first to separate the GAV from configurations
+          gav_part = line.split("=").first
+          next unless gav_part
+
+          parts = gav_part.split(":")
+          # Must have exactly 3 parts: group, artifact, version
+          next unless parts.length == 3
+
+          group, artifact, version = parts
+          # Skip empty entries (like "empty=")
+          next if version.nil? || version.empty?
+
+          deps << Dependency.new(
+            name: "#{group}:#{artifact}",
+            requirement: version,
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+
+      def self.parse_gradle_verification_metadata(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        doc = Ox.parse(file_contents)
+        components = doc.locate("verification-metadata/components/component")
+
+        components.each do |component|
+          attrs = component.attributes
+          group = attrs[:group]
+          name = attrs[:name]
+          version = attrs[:version]
+
+          next if group.nil? || name.nil? || version.nil?
+          next if group.empty? || name.empty? || version.empty?
+
+          deps << Dependency.new(
+            name: "#{group}:#{name}",
+            requirement: version,
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+
       def self.parse_resolved_dep_line(line, options: {})
         # filter out anything that doesn't look like a
         # resolved dep line

data/lib/bibliothecary/parsers/nimble.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Nimble
+      include Bibliothecary::Analyser
+
+      # Matches requires statements like: requires "nim >= 1.0.0", "chronos >= 3.0.0"
+      # or: requires "packagename"
+      REQUIRES_REGEXP = /^\s*requires\s+"([^"]+)"/
+
+      def self.mapping
+        {
+          match_extension(".nimble") => {
+            kind: "manifest",
+            parser: :parse_nimble,
+          },
+        }
+      end
+
+      def self.parse_nimble(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        deps = []
+
+        file_contents.each_line do |line|
+          next unless line.strip.start_with?("requires")
+
+          # Extract all quoted strings from requires lines
+          # handles: requires "pkg1", "pkg2 >= 1.0"
+          line.scan(/"([^"]+)"/).flatten.each do |spec|
+            spec = spec.strip
+            next if spec.empty?
+
+            # Parse "packagename" or "packagename >= version" or "packagename == version"
+            if spec =~ /^([a-zA-Z0-9_]+)\s*(.*)$/
+              name = Regexp.last_match(1)
+              requirement = Regexp.last_match(2).strip
+              requirement = "*" if requirement.empty?
+
+              deps << Dependency.new(
+                name: name,
+                requirement: requirement,
+                type: "runtime",
+                source: source,
+                platform: platform_name
+              )
+            end
+          end
+        end
+
+        ParserResult.new(dependencies: deps)
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/nuget.rb

@@ -42,6 +42,11 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_project_assets_json,
           },
+          # .deps.json files end with .deps.json (e.g. myapp.deps.json)
+          match_extension(".deps.json") => {
+            kind: "lockfile",
+            parser: :parse_deps_json,
+          },
         }
       end
 
@@ -246,6 +251,33 @@ module Bibliothecary
         end
         ParserResult.new(dependencies: [])
       end
+
+      def self.parse_deps_json(file_contents, options: {})
+        manifest = JSON.parse(file_contents)
+        libraries = manifest.fetch("libraries", {})
+
+        dependencies = libraries.map do |name_version, details|
+          # Skip project-type entries (these are the root/main package)
+          next if details["type"] == "project"
+
+          # Split name/version format
+          parts = name_version.split("/")
+          next unless parts.length == 2
+
+          name, version = parts
+          next if name.nil? || name.empty? || version.nil? || version.empty?
+
+          Dependency.new(
+            name: name,
+            requirement: version,
+            type: "runtime",
+            source: options.fetch(:filename, nil),
+            platform: platform_name
+          )
+        end.compact
+
+        ParserResult.new(dependencies: dependencies)
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/pypi.rb

@@ -85,6 +85,10 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parser_pylock,
           },
+          match_filename("pdm.lock") => {
+            kind: "lockfile",
+            parser: :parse_pdm_lock,
+          },
         }
       end
 
@@ -129,6 +133,34 @@ module Bibliothecary
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_pdm_lock(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        dependencies = []
+        # Split into [[package]] blocks and extract fields from each
+        file_contents.split(/\[\[package\]\]/).drop(1).each do |block|
+          name = block[/^name\s*=\s*"([^"]+)"/m, 1]
+          version = block[/^version\s*=\s*"([^"]+)"/m, 1]
+          # PDM stores groups as an array, e.g. groups = ["default"] or groups = ["dev"]
+          groups_match = block[/^groups\s*=\s*\[([^\]]+)\]/m, 1]
+          groups = groups_match ? groups_match.scan(/"([^"]+)"/).flatten : ["default"]
+
+          type = if groups.include?("dev")
+                   "develop"
+                 else
+                   "runtime"
+                 end
+
+          dependencies << Dependency.new(
+            platform: platform_name,
+            name: name,
+            requirement: version,
+            type: type,
+            source: source
+          )
+        end
+        ParserResult.new(dependencies: dependencies)
+      end
+
       def self.parse_pipfile(file_contents, options: {})
         manifest = Tomlrb.parse(file_contents)
         dependencies = map_dependencies(manifest["packages"], "runtime", options.fetch(:filename, nil)) +

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "15.0.1"
+  VERSION = "15.1.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ecosystems-bibliothecary
 version: !ruby/object:Gem::Version
-  version: 15.0.1
+  version: 15.1.1
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -138,9 +138,11 @@ files:
 - lib/bibliothecary/parsers/hex.rb
 - lib/bibliothecary/parsers/homebrew.rb
 - lib/bibliothecary/parsers/julia.rb
+- lib/bibliothecary/parsers/luarocks.rb
 - lib/bibliothecary/parsers/maven.rb
 - lib/bibliothecary/parsers/meteor.rb
 - lib/bibliothecary/parsers/mlflow.rb
+- lib/bibliothecary/parsers/nimble.rb
 - lib/bibliothecary/parsers/npm.rb
 - lib/bibliothecary/parsers/nuget.rb
 - lib/bibliothecary/parsers/ollama.rb