ecosystems-bibliothecary 15.1.0 → 15.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78f959cefcb80f16e6e56d087449ec23576dc7177b5f4a2f0448654f9d7dd022
-  data.tar.gz: fe94e344c4d43098281d613bfaf6168ec4464766fddedc61a97a9028f16f7174
+  metadata.gz: c1399499146bc9abb6b2053d1e842cff2a33e05166f4fca7fed6fba222146f5e
+  data.tar.gz: 2b1460ba23303796a1b73bfa445fee11771857f5270effce6da04e6ed4ff920f
 SHA512:
-  metadata.gz: 51e844390f10db2667ef885ad5a0ce300d33b8845808b4f2511869c03512176ce196f8de51c04d11fcfc429ec106849aa5e090800a3ae3aa151f989e8cfe0270
-  data.tar.gz: 0f3a788b617189160bb45f9d73afc4e78ded47a010112a7369c28853a1dd842c3922e1dd7e22c2a62cf494ebaa6a550cf8e009c387e1c58fa27fe6f9bfedc724
+  metadata.gz: 2ab9631fd2e5472d6a60784685252961f75fcae716561d1e7bd6c1bc7f87bba18f346988b26f787cc13bd666fc06a99db133926726880ee983e01fbe4f64a5d9
+  data.tar.gz: 1dc6d4efca6e8b643ca7c76e495a6b40364169fc8b51d238f2708e5da1ec8d04515adafec8d2042951088729258b3552a547473c93a59ae3f12c7a89ff681065

data/CHANGELOG.md

@@ -13,6 +13,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.2.0]
+
+### Added
+
+- Deno parser for deno.json, deno.jsonc, and deno.lock files (supports npm: and jsr: specifiers)
+- Nix parser for flake.nix, flake.lock, nix/sources.json (niv), and npins/sources.json (npins)
+- Gleam support in Hex parser for gleam.toml and manifest.toml
+- Rebar3 support in Hex parser for rebar.lock
+- Julia Project.toml and Manifest.toml support
+- Hackage cabal.project.freeze support
+
+## [15.1.1]
+
+### Added
+
+- CPAN: cpanfile parser for Perl dependency declarations
+- CPAN: cpanfile.snapshot parser for Carton lockfiles
+- CPAN: Makefile.PL parser for ExtUtils::MakeMaker build scripts
+- CPAN: Build.PL parser for Module::Build scripts
+
+### Changed
+
+- CPAN: META.json and META.yml are now classified as lockfiles (they are generated, not hand-written)
+
 ## [15.1.0]
 
 ### Added

data/README.md

@@ -44,160 +44,177 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
 
 ## Supported package manager file formats
 
-- npm
-  - package.json
-  - package-lock.json
-  - npm-shrinkwrap.json
-  - yarn.lock
-  - pnpm-lock.yaml
-  - bun.lock
-  - npm-ls.json
-- Maven
-  - pom.xml
-  - ivy.xml
-  - build.gradle
-  - build.gradle.kts
-  - gradle-dependencies-q.txt
-  - maven-resolved-dependencies.txt
-  - sbt-update-full.txt
-  - maven-dependency-tree.txt
-  - maven-dependency-tree.dot
-  - gradle.lockfile
-  - verification-metadata.xml
-- RubyGems
-  - Gemfile
-  - Gemfile.lock
-  - gems.rb
-  - gems.locked
-  - *.gemspec
-- Packagist
-  - composer.json
-  - composer.lock
-- PyPi
-  - setup.py
-  - req*.txt
-  - req*.pip
-  - requirements/*.txt
-  - requirements/*.pip
-  - requirements.frozen
-  - Pipfile
-  - Pipfile.lock
-  - pyproject.toml
-  - poetry.lock
-  - uv.lock
-  - pylock.toml
-  - pdm.lock
-  - pip-resolved-dependencies.txt
-  - pip-dependency-graph.json
-- Nuget
-  - packages.config
-  - packages.lock.json
-  - Project.json
-  - Project.lock.json
-  - *.nuspec
-  - paket.lock
-  - *.csproj
-  - project.assets.json
-  - \*.deps.json
-- Bower
-  - bower.json
-- BentoML
-  - bentofile.yaml
-- CPAN
-  - META.json
-  - META.yml
-- CocoaPods
-  - Podfile
-  - Podfile.lock
-  - *.podspec
-  - *.podspec.json
+- Actions
+  - action.yml
+  - action.yaml
+  - .github/workflows/\*.yml
+  - .github/workflows/\*.yaml
 - Anaconda
   - environment.yml
   - environment.yaml
+- BentoML
+  - bentofile.yaml
+- Bower
+  - bower.json
+- Cargo
+  - Cargo.toml
+  - Cargo.lock
+- Carthage
+  - Cartfile
+  - Cartfile.private
+  - Cartfile.resolved
 - Clojars
   - project.clj
+- CocoaPods
+  - Podfile
+  - \*.podspec
+  - Podfile.lock
+  - \*.podspec.json
 - Cog
   - cog.yaml
 - Conan
   - conanfile.py
   - conanfile.txt
   - conan.lock
-- Meteor
-  - versions.json
-- MLflow
-  - MLmodel
+- CPAN
+  - META.json
+  - META.yml
+  - cpanfile
+  - cpanfile.snapshot
+  - Makefile.PL
+  - Build.PL
 - CRAN
   - DESCRIPTION
   - renv.lock
-- Cargo
-  - Cargo.toml
-  - Cargo.lock
-- Hex
-  - mix.exs
-  - mix.lock
-- Swift
-  - Package.swift
-  - Package.resolved
-- Pub
-  - pubspec.yaml
-  - pubspec.lock
-- Carthage
-  - Cartfile
-  - Cartfile.private
-  - Cartfile.resolved
+- Deno
+  - deno.json
+  - deno.jsonc
+  - deno.lock
+- Docker
+  - docker-compose\*.yml
+  - Dockerfile
 - Dub
   - dub.json
   - dub.sdl
-- Julia
-  - REQUIRE
-- Shards
-  - shard.yml
-  - shard.lock
+- DVC
+  - dvc.yaml
+- Elm
+  - elm-package.json
+  - elm_dependencies.json
+  - elm-stuff/exact-dependencies.json
 - Go
+  - go.mod
+  - go.sum
   - glide.yaml
   - glide.lock
-  - Godeps
   - Godeps/Godeps.json
+  - Godeps
   - vendor/manifest
   - vendor/vendor.json
   - Gopkg.toml
   - Gopkg.lock
-  - go.mod
-  - go.sum
   - go-resolved-dependencies.json
-- Elm
-  - elm-package.json
-  - elm_dependencies.json
-  - elm-stuff/exact-dependencies.json
-- Haxelib
-  - haxelib.json
 - Hackage
   - \*.cabal
-  - cabal.config
+  - \*cabal.config
   - stack.yaml.lock
-- Actions
-  - action.yml
-  - action.yaml
-  - .github/workflows/*.yml
-  - .github/workflows/*.yaml
-- Docker
-  - Dockerfile
-  - docker-compose*.yml
-  - docker-compose*.yaml
-- DVC
-  - dvc.yaml
-- Vcpkg
-  - vcpkg.json
-  - _generated-vcpkg-list.json
+  - cabal.project.freeze
+- Haxelib
+  - haxelib.json
+- Hex
+  - mix.exs
+  - mix.lock
+  - gleam.toml
+  - manifest.toml
+  - rebar.lock
 - Homebrew
   - Brewfile
   - Brewfile.lock.json
-- Ollama
-  - Modelfile
-- Nimble
-  - \*.nimble
+- Julia
+  - REQUIRE
+  - Project.toml
+  - Manifest.toml
 - LuaRocks
   - \*.rockspec
+- Maven
+  - ivy.xml
+  - pom.xml
+  - build.gradle
+  - build.gradle.kts
+  - gradle-dependencies-q.txt
+  - maven-resolved-dependencies.txt
+  - sbt-update-full.txt
+  - maven-dependency-tree.txt
+  - maven-dependency-tree.dot
+  - gradle.lockfile
+  - verification-metadata.xml
+- Meteor
+  - versions.json
+- MLflow
+  - MLmodel
+- Nimble
+  - \*.nimble
+- Nix
+  - flake.nix
+  - flake.lock
+  - nix/sources.json
+  - npins/sources.json
+- npm
+  - package.json
+  - package-lock.json
+  - npm-shrinkwrap.json
+  - yarn.lock
+  - pnpm-lock.yaml
+  - bun.lock
+  - npm-ls.json
+- Nuget
+  - Project.json
+  - Project.lock.json
+  - packages.lock.json
+  - packages.config
+  - \*.nuspec
+  - \*.csproj
+  - paket.lock
+  - project.assets.json
+  - \*.deps.json
+- Ollama
+  - Modelfile
+- Packagist
+  - composer.json
+  - composer.lock
+- Pub
+  - pubspec.yaml
+  - pubspec.lock
+- PyPi
+  - setup.py
+  - requirements\*.txt
+  - requirements\*.pip
+  - requirements\*.in
+  - requirements.frozen
+  - Pipfile
+  - Pipfile.lock
+  - pyproject.toml
+  - poetry.lock
+  - uv.lock
+  - pylock.toml
+  - pdm.lock
+  - pip-resolved-dependencies.txt
+  - pip-dependency-graph.json
+- RubyGems
+  - Gemfile
+  - Gemfile.lock
+  - gems.rb
+  - gems.locked
+  - \*.gemspec
+- Shards
+  - shard.yml
+  - shard.lock
+- Swift
+  - Package.swift
+  - Package.resolved
+- Vcpkg
+  - vcpkg.json
+  - _generated-vcpkg-list.json
 
 ## Development
 

data/lib/bibliothecary/analyser.rb

@@ -43,6 +43,10 @@ module Bibliothecary
         @platform_name ||= name.to_s.split("::").last.downcase.freeze
       end
 
+      def file_patterns
+        []
+      end
+
       def map_dependencies(hash, key, type, source = nil)
         hash.fetch(key, []).map do |name, requirement|
           Dependency.new(

data/lib/bibliothecary/parsers/actions.rb

@@ -7,6 +7,10 @@ module Bibliothecary
 
       WORKFLOW_REGEX = /^\.github\/workflows\/.*.y(a)?ml/
 
+      def self.file_patterns
+        ["action.yml", "action.yaml", ".github/workflows/*.yml", ".github/workflows/*.yaml"]
+      end
+
       def self.mapping
         {
           match_filenames("action.yml","action.yaml") => {

data/lib/bibliothecary/parsers/bentoml.rb

@@ -5,6 +5,10 @@ module Bibliothecary
     class BentoML
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["bentofile.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("bentofile.yaml") => {

data/lib/bibliothecary/parsers/bower.rb

@@ -7,6 +7,10 @@ module Bibliothecary
     class Bower
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["bower.json"]
+      end
+
       def self.mapping
         {
           match_filename("bower.json") => {

data/lib/bibliothecary/parsers/cargo.rb

@@ -5,6 +5,10 @@ module Bibliothecary
     class Cargo
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["Cargo.toml", "Cargo.lock"]
+      end
+
       def self.mapping
         {
           match_filename("Cargo.toml") => {

data/lib/bibliothecary/parsers/carthage.rb

@@ -15,6 +15,10 @@ module Bibliothecary
       # Group 4: unquoted requirement (e.g., >= 1.0, ~> 2.0)
       CARTFILE_REGEXP = /^(github|git|binary)\s+"([^"]+)"(?:\s+(?:"([^"]+)"|((?:>=|<=|~>|==|>|<)\s*[\d.]+)))?/
 
+      def self.file_patterns
+        ["Cartfile", "Cartfile.private", "Cartfile.resolved"]
+      end
+
       def self.mapping
         {
           match_filename("Cartfile") => {

data/lib/bibliothecary/parsers/clojars.rb

@@ -7,6 +7,10 @@ module Bibliothecary
       # Name can be like: org.clojure/clojure, cheshire, ring/ring-defaults
       DEPENDENCY_REGEXP = %r{\[([a-zA-Z0-9_./\-]+)\s+"([^"]+)"\]}
 
+      def self.file_patterns
+        ["project.clj"]
+      end
+
       def self.mapping
         {
           match_filename("project.clj") => {

data/lib/bibliothecary/parsers/cocoapods.rb

@@ -17,6 +17,10 @@ module Bibliothecary
       # Podspec pattern: .dependency "Name", "version"
       PODSPEC_DEPENDENCY = /\.dependency\s+['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?/
 
+      def self.file_patterns
+        ["Podfile", "*.podspec", "Podfile.lock", "*.podspec.json"]
+      end
+
       def self.mapping
         {
           match_filename("Podfile") => {

data/lib/bibliothecary/parsers/cog.rb

@@ -5,6 +5,10 @@ module Bibliothecary
     class Cog
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["cog.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("cog.yaml") => {

data/lib/bibliothecary/parsers/conan.rb

@@ -5,6 +5,10 @@ module Bibliothecary
     class Conan
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["conanfile.py", "conanfile.txt", "conan.lock"]
+      end
+
       def self.mapping
         {
           match_filename("conanfile.py") => {

data/lib/bibliothecary/parsers/conda.rb

@@ -7,6 +7,10 @@ module Bibliothecary
     class Conda
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["environment.yml", "environment.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("environment.yml") => {

data/lib/bibliothecary/parsers/cpan.rb

@@ -8,16 +8,36 @@ module Bibliothecary
     class CPAN
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["META.json", "META.yml", "cpanfile", "cpanfile.snapshot", "Makefile.PL", "Build.PL"]
+      end
+
       def self.mapping
         {
           match_filename("META.json", case_insensitive: true) => {
-            kind: "manifest",
+            kind: "lockfile",
             parser: :parse_json_manifest,
           },
           match_filename("META.yml", case_insensitive: true) => {
-            kind: "manifest",
+            kind: "lockfile",
             parser: :parse_yaml_manifest,
           },
+          match_filename("cpanfile", case_insensitive: true) => {
+            kind: "manifest",
+            parser: :parse_cpanfile,
+          },
+          match_filename("cpanfile.snapshot", case_insensitive: true) => {
+            kind: "lockfile",
+            parser: :parse_cpanfile_snapshot,
+          },
+          match_filename("Makefile.PL", case_insensitive: true) => {
+            kind: "manifest",
+            parser: :parse_makefile_pl,
+          },
+          match_filename("Build.PL", case_insensitive: true) => {
+            kind: "manifest",
+            parser: :parse_build_pl,
+          },
         }
       end
 
@@ -35,6 +55,174 @@ module Bibliothecary
         dependencies = map_dependencies(manifest, "requires", "runtime", options.fetch(:filename, nil))
         ParserResult.new(dependencies: dependencies)
       end
+
+      def self.parse_cpanfile(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+        current_phase = "runtime"
+        current_feature = nil
+
+        file_contents.each_line do |line|
+          line = line.strip
+
+          # Track phase changes: on 'test' => sub {
+          if line =~ /\bon\s+['"](\w+)['"]\s*=>/
+            current_phase = $1
+            next
+          end
+
+          # Track feature blocks: feature 'name', 'desc' => sub {
+          if line =~ /\bfeature\s+['"]([\w-]+)['"]/
+            current_feature = $1
+            next
+          end
+
+          # End of block - reset to defaults
+          if line =~ /^\s*\};\s*$/
+            current_phase = "runtime"
+            current_feature = nil
+            next
+          end
+
+          # Parse dependency declarations
+          # requires 'Module::Name', 'version';
+          # requires 'Module::Name';
+          # recommends 'Module::Name', 'version';
+          if line =~ /\b(requires|recommends|suggests|conflicts)\s+['"]([^'"]+)['"](?:\s*,\s*['"]?([^'";]+)['"]?)?/
+            dep_type = $1
+            name = $2
+            version = $3&.strip || "*"
+
+            # Map cpanfile phases to our types
+            type = case current_phase
+                   when "test" then "test"
+                   when "develop" then "develop"
+                   when "build" then "build"
+                   when "configure" then "build"
+                   else dep_type == "requires" ? "runtime" : dep_type
+                   end
+
+            dependencies << Dependency.new(
+              name: name,
+              requirement: version,
+              type: type,
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_cpanfile_snapshot(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+
+        file_contents.each_line do |line|
+          # Match distribution header: Module-Name-1.23
+          if (match = line.match(/^  (\S+)-v?([\d._]+)$/))
+            dist_name = match[1].gsub("-", "::")
+            version = match[2]
+            dependencies << Dependency.new(
+              name: dist_name,
+              requirement: version,
+              type: "runtime",
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Parse Makefile.PL (ExtUtils::MakeMaker format)
+      # Looks for PREREQ_PM, BUILD_REQUIRES, TEST_REQUIRES, CONFIGURE_REQUIRES
+      def self.parse_makefile_pl(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Map of hash key names to dependency types
+        type_mapping = {
+          "PREREQ_PM" => "runtime",
+          "BUILD_REQUIRES" => "build",
+          "TEST_REQUIRES" => "test",
+          "CONFIGURE_REQUIRES" => "build",
+        }
+
+        type_mapping.each do |key, type|
+          deps = extract_perl_hash(file_contents, key)
+          deps.each do |name, version|
+            dependencies << Dependency.new(
+              name: name,
+              requirement: version,
+              type: type,
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Parse Build.PL (Module::Build format)
+      # Looks for requires, build_requires, test_requires, configure_requires
+      def self.parse_build_pl(file_contents, options: {})
+        filename = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Map of hash key names to dependency types
+        type_mapping = {
+          "requires" => "runtime",
+          "build_requires" => "build",
+          "test_requires" => "test",
+          "configure_requires" => "build",
+          "recommends" => "runtime",
+        }
+
+        type_mapping.each do |key, type|
+          deps = extract_perl_hash(file_contents, key)
+          deps.each do |name, version|
+            dependencies << Dependency.new(
+              name: name,
+              requirement: version,
+              type: type,
+              platform: "cpan",
+              source: filename
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      # Extract a Perl hash from source code
+      # Handles patterns like: KEY => { 'Module' => '1.0', ... }
+      def self.extract_perl_hash(content, key)
+        deps = {}
+
+        # Match the hash assignment: KEY => { ... }
+        # Use word boundary to avoid matching configure_requires when looking for requires
+        pattern = /(?:^|[^\w])#{Regexp.escape(key)}\s*=>\s*\{([^{}]*(?:\{[^{}]*\}[^{}]*)*)\}/m
+
+        if (match = content.match(pattern))
+          hash_content = match[1]
+
+          # Extract 'Module::Name' => 'version' or 'Module::Name' => version patterns
+          hash_content.scan(/['"]([^'"]+)['"]\s*=>\s*['"]?([^'",}\s]+)['"]?/) do |name, version|
+            # Skip perl version requirements and non-module entries
+            next if name == "perl"
+
+            # Normalize version: 0 means any version
+            version = "*" if version == "0"
+            deps[name] = version
+          end
+        end
+
+        deps
+      end
     end
   end
 end

data/lib/bibliothecary/parsers/cran.rb

@@ -9,6 +9,10 @@ module Bibliothecary
 
       REQUIRE_REGEXP = /([a-zA-Z0-9\-_.]+)\s?\(?([><=\s\d.,]+)?\)?/
 
+      def self.file_patterns
+        ["DESCRIPTION", "renv.lock"]
+      end
+
       def self.mapping
         {
           match_filename("DESCRIPTION", case_insensitive: true) => {