ecosystems-bibliothecary 15.1.1 → 15.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 49988f4a70c1d5dcf6b7c05bffba8d885b3e63f04545f0c524d32b46de0804f2
-  data.tar.gz: 121b4e75f934770b9967b0e3b2427ddc1dc6aaaa19f8ed0d72f1001e50d4d575
+  metadata.gz: c213dba45d6c84c67ecad66538e68fbd7ff843ec5fb6f6b1d80b757ae9ab5f15
+  data.tar.gz: a0b4a803b35d16820ed19b071ae8984efb9004ba712ca6457e6f9d9412d331e6
 SHA512:
-  metadata.gz: 227adbf47ce52d6a9bb70be154f0cc204f5f327b68adeb8c91fd2e668036359eebd07d3fb940f0d4eef00128af04fb2073304147b9285589917efef1b1d5d5cf
-  data.tar.gz: ca3b36ddfa71702dae9737500dcf09ad6a9e6c4daf5758738c793614bcdcbd730a50083d081ee45a899536b0f01c1bd7d4eef90117cc3c1aeee6063a780e0b3f
+  metadata.gz: ade8a88ba728b3d95e333000cdcde1ad8ed9ae885ab775678a1b45c3d3521705f553c293be26ce5d63002f5ec86666e29108b7b456b672c647a58d56af8dc568
+  data.tar.gz: e5fdf2c94bde72360926307a0df9cc6d796d476aa983a5236fa5d13691c4bcf74a5e20bd3c0090725ddd37bfad8a4d0733cc6a2d99b6cf25a64a92ac6a7d507b

data/CHANGELOG.md

@@ -13,6 +13,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.3.0]
+
+### Added
+
+- npm: pnpm-workspace.yaml support for catalog dependencies (pnpm 9+)
+- alpm: Arch Linux PKGBUILD parser for depends, makedepends, and checkdepends
+- apk: Alpine Linux APKBUILD parser for depends, makedepends, and checkdepends
+- deb: Debian control file parser for Build-Depends, Depends, Pre-Depends, Recommends, Suggests
+- rpm: RPM spec file parser for BuildRequires and Requires
+- integrity: Added `integrity` field to Dependency class for lockfile hashes (npm package-lock.json, pnpm-lock.yaml, yarn.lock v4, bun.lock, go.sum, Gemfile.lock, deno.lock, composer.lock, stack.yaml.lock, Cargo.lock, Podfile.lock, mix.lock, rebar.lock, manifest.toml, poetry.lock, uv.lock)
+
+## [15.2.0]
+
+### Added
+
+- Deno parser for deno.json, deno.jsonc, and deno.lock files (supports npm: and jsr: specifiers)
+- Nix parser for flake.nix, flake.lock, nix/sources.json (niv), and npins/sources.json (npins)
+- Gleam support in Hex parser for gleam.toml and manifest.toml
+- Rebar3 support in Hex parser for rebar.lock
+- Julia Project.toml and Manifest.toml support
+- Hackage cabal.project.freeze support
+
 ## [15.1.1]
 
 ### Added

data/README.md

@@ -42,166 +42,231 @@ Bibliothecary.analyse('./')
 
 All available config options are in: https://github.com/ecosyste-ms/bibliothecary/blob/master/lib/bibliothecary/configuration.rb
 
+## Dependency fields
+
+Each parsed dependency is a `Bibliothecary::Dependency` with:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | String | Package name |
+| `requirement` | String | Version requirement (defaults to `"*"`) |
+| `platform` | String | Package manager platform (e.g. `"npm"`, `"maven"`) |
+| `type` | String | Dependency scope: `"runtime"`, `"development"`, `"test"`, etc. |
+| `direct` | Boolean | Direct dependency (vs transitive) |
+| `deprecated` | Boolean | Deprecated dependency |
+| `local` | Boolean | Local/file path dependency |
+| `optional` | Boolean | Optional dependency |
+| `original_name` | String | Original name before aliasing/normalization |
+| `original_requirement` | String | Original requirement before resolution |
+| `source` | String | Path to the manifest file |
+| `integrity` | String | Lockfile integrity hash (see table below) |
+
+## Integrity hash support
+
+The `integrity` field is populated for lockfiles that include per-dependency hashes:
+
+| Lockfile | Platform | Hash format |
+|----------|----------|-------------|
+| package-lock.json | npm | `sha512-...` |
+| pnpm-lock.yaml | npm | `sha512-...` |
+| yarn.lock (v2+) | npm | `sha512-...` |
+| bun.lock | npm | `sha512-...` |
+| deno.lock | deno | `sha512-...` |
+| go.sum | go | `h1:...` |
+| Gemfile.lock | rubygems | `sha256=...` |
+| poetry.lock | pypi | `sha256:...` |
+| uv.lock | pypi | `sha256:...` |
+| composer.lock | packagist | `sha1=...` |
+| Cargo.lock | cargo | `sha256=...` |
+| Podfile.lock | cocoapods | `sha1=...` |
+| mix.lock | hex | `sha256=...` |
+| rebar.lock | hex | `sha256=...` |
+| manifest.toml (Gleam) | hex | `sha256=...` |
+| stack.yaml.lock | hackage | `sha256=...` |
+
 ## Supported package manager file formats
 
-- npm
-  - package.json
-  - package-lock.json
-  - npm-shrinkwrap.json
-  - yarn.lock
-  - pnpm-lock.yaml
-  - bun.lock
-  - npm-ls.json
-- Maven
-  - pom.xml
-  - ivy.xml
-  - build.gradle
-  - build.gradle.kts
-  - gradle-dependencies-q.txt
-  - maven-resolved-dependencies.txt
-  - sbt-update-full.txt
-  - maven-dependency-tree.txt
-  - maven-dependency-tree.dot
-  - gradle.lockfile
-  - verification-metadata.xml
-- RubyGems
-  - Gemfile
-  - Gemfile.lock
-  - gems.rb
-  - gems.locked
-  - *.gemspec
-- Packagist
-  - composer.json
-  - composer.lock
-- PyPi
-  - setup.py
-  - req*.txt
-  - req*.pip
-  - requirements/*.txt
-  - requirements/*.pip
-  - requirements.frozen
-  - Pipfile
-  - Pipfile.lock
-  - pyproject.toml
-  - poetry.lock
-  - uv.lock
-  - pylock.toml
-  - pdm.lock
-  - pip-resolved-dependencies.txt
-  - pip-dependency-graph.json
-- Nuget
-  - packages.config
-  - packages.lock.json
-  - Project.json
-  - Project.lock.json
-  - *.nuspec
-  - paket.lock
-  - *.csproj
-  - project.assets.json
-  - \*.deps.json
-- Bower
-  - bower.json
-- BentoML
-  - bentofile.yaml
-- CPAN
-  - META.json
-  - META.yml
-  - cpanfile
-  - cpanfile.snapshot
-  - Makefile.PL
-  - Build.PL
-- CocoaPods
-  - Podfile
-  - Podfile.lock
-  - *.podspec
-  - *.podspec.json
+- Actions
+  - action.yml
+  - action.yaml
+  - .github/workflows/\*.yml
+  - .github/workflows/\*.yaml
+- Alpm
+  - PKGBUILD
 - Anaconda
   - environment.yml
   - environment.yaml
+- Apk
+  - APKBUILD
+- BentoML
+  - bentofile.yaml
+- Bower
+  - bower.json
+- Cargo
+  - Cargo.toml
+  - Cargo.lock
+- Carthage
+  - Cartfile
+  - Cartfile.private
+  - Cartfile.resolved
 - Clojars
   - project.clj
+- CocoaPods
+  - Podfile
+  - \*.podspec
+  - Podfile.lock
+  - \*.podspec.json
 - Cog
   - cog.yaml
 - Conan
   - conanfile.py
   - conanfile.txt
   - conan.lock
-- Meteor
-  - versions.json
-- MLflow
-  - MLmodel
+- CPAN
+  - META.json
+  - META.yml
+  - cpanfile
+  - cpanfile.snapshot
+  - Makefile.PL
+  - Build.PL
 - CRAN
   - DESCRIPTION
   - renv.lock
-- Cargo
-  - Cargo.toml
-  - Cargo.lock
-- Hex
-  - mix.exs
-  - mix.lock
-- Swift
-  - Package.swift
-  - Package.resolved
-- Pub
-  - pubspec.yaml
-  - pubspec.lock
-- Carthage
-  - Cartfile
-  - Cartfile.private
-  - Cartfile.resolved
+- Deb
+  - debian/control
+  - control
+- Deno
+  - deno.json
+  - deno.jsonc
+  - deno.lock
+- Docker
+  - docker-compose\*.yml
+  - Dockerfile
 - Dub
   - dub.json
   - dub.sdl
-- Julia
-  - REQUIRE
-- Shards
-  - shard.yml
-  - shard.lock
+- DVC
+  - dvc.yaml
+- Elm
+  - elm-package.json
+  - elm_dependencies.json
+  - elm-stuff/exact-dependencies.json
 - Go
+  - go.mod
+  - go.sum
   - glide.yaml
   - glide.lock
-  - Godeps
   - Godeps/Godeps.json
+  - Godeps
   - vendor/manifest
   - vendor/vendor.json
   - Gopkg.toml
   - Gopkg.lock
-  - go.mod
-  - go.sum
   - go-resolved-dependencies.json
-- Elm
-  - elm-package.json
-  - elm_dependencies.json
-  - elm-stuff/exact-dependencies.json
-- Haxelib
-  - haxelib.json
 - Hackage
   - \*.cabal
-  - cabal.config
+  - \*cabal.config
   - stack.yaml.lock
-- Actions
-  - action.yml
-  - action.yaml
-  - .github/workflows/*.yml
-  - .github/workflows/*.yaml
-- Docker
-  - Dockerfile
-  - docker-compose*.yml
-  - docker-compose*.yaml
-- DVC
-  - dvc.yaml
-- Vcpkg
-  - vcpkg.json
-  - _generated-vcpkg-list.json
+  - cabal.project.freeze
+- Haxelib
+  - haxelib.json
+- Hex
+  - mix.exs
+  - mix.lock
+  - gleam.toml
+  - manifest.toml
+  - rebar.lock
 - Homebrew
   - Brewfile
   - Brewfile.lock.json
-- Ollama
-  - Modelfile
-- Nimble
-  - \*.nimble
+- Julia
+  - REQUIRE
+  - Project.toml
+  - Manifest.toml
 - LuaRocks
   - \*.rockspec
+- Maven
+  - ivy.xml
+  - pom.xml
+  - build.gradle
+  - build.gradle.kts
+  - gradle-dependencies-q.txt
+  - maven-resolved-dependencies.txt
+  - sbt-update-full.txt
+  - maven-dependency-tree.txt
+  - maven-dependency-tree.dot
+  - gradle.lockfile
+  - verification-metadata.xml
+- Meteor
+  - versions.json
+- MLflow
+  - MLmodel
+- Nimble
+  - \*.nimble
+- Nix
+  - flake.nix
+  - flake.lock
+  - nix/sources.json
+  - npins/sources.json
+- npm
+  - package.json
+  - package-lock.json
+  - npm-shrinkwrap.json
+  - yarn.lock
+  - pnpm-lock.yaml
+  - pnpm-workspace.yaml
+  - bun.lock
+  - npm-ls.json
+- Nuget
+  - Project.json
+  - Project.lock.json
+  - packages.lock.json
+  - packages.config
+  - \*.nuspec
+  - \*.csproj
+  - paket.lock
+  - project.assets.json
+  - \*.deps.json
+- Ollama
+  - Modelfile
+- Packagist
+  - composer.json
+  - composer.lock
+- Pub
+  - pubspec.yaml
+  - pubspec.lock
+- PyPi
+  - setup.py
+  - requirements\*.txt
+  - requirements\*.pip
+  - requirements\*.in
+  - requirements.frozen
+  - Pipfile
+  - Pipfile.lock
+  - pyproject.toml
+  - poetry.lock
+  - uv.lock
+  - pylock.toml
+  - pdm.lock
+  - pip-resolved-dependencies.txt
+  - pip-dependency-graph.json
+- Rpm
+  - \*.spec
+- RubyGems
+  - Gemfile
+  - Gemfile.lock
+  - gems.rb
+  - gems.locked
+  - \*.gemspec
+- Shards
+  - shard.yml
+  - shard.lock
+- Swift
+  - Package.swift
+  - Package.resolved
+- Vcpkg
+  - vcpkg.json
+  - _generated-vcpkg-list.json
 
 ## Development
 

data/lib/bibliothecary/analyser.rb

@@ -43,6 +43,10 @@ module Bibliothecary
         @platform_name ||= name.to_s.split("::").last.downcase.freeze
       end
 
+      def file_patterns
+        []
+      end
+
       def map_dependencies(hash, key, type, source = nil)
         hash.fetch(key, []).map do |name, requirement|
           Dependency.new(

data/lib/bibliothecary/dependency.rb

@@ -18,6 +18,8 @@ module Bibliothecary
   #   for cases where it did not match the resolved name. This can be used for features like aliasing.
   # @source [String] source An optional string to store the location of the manifest that contained this
   #   dependency, e.g. "src/package.json".
+  # @attr_reader [String] integrity An optional integrity hash from the lockfile, stored as-is
+  #   (e.g. "sha512-abc123..." for npm, "h1:xyz..." for go.sum).
   class Dependency
     FIELDS = %i[
       name
@@ -31,6 +33,7 @@ module Bibliothecary
       optional
       original_name
       source
+      integrity
     ].freeze
 
     attr_reader(*FIELDS)
@@ -46,7 +49,8 @@ module Bibliothecary
       local: nil,
       optional: nil,
       original_name: nil,
-      source: nil
+      source: nil,
+      integrity: nil
     )
       @name = name
       @platform = platform
@@ -59,6 +63,7 @@ module Bibliothecary
       @optional = optional
       @original_name = original_name
       @source = source
+      @integrity = integrity
     end
 
     def eql?(other)

data/lib/bibliothecary/parsers/actions.rb

@@ -7,6 +7,10 @@ module Bibliothecary
 
       WORKFLOW_REGEX = /^\.github\/workflows\/.*.y(a)?ml/
 
+      def self.file_patterns
+        ["action.yml", "action.yaml", ".github/workflows/*.yml", ".github/workflows/*.yaml"]
+      end
+
       def self.mapping
         {
           match_filenames("action.yml","action.yaml") => {

data/lib/bibliothecary/parsers/alpm.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Alpm
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["PKGBUILD"]
+      end
+
+      def self.mapping
+        {
+          match_filename("PKGBUILD") => {
+            kind: "manifest",
+            parser: :parse_pkgbuild,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_pkgbuild(file_contents, options: {})
+        source = options.fetch(:filename, "PKGBUILD")
+        dependencies = []
+
+        # Parse depends (runtime)
+        extract_variable(file_contents, "depends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse makedepends (build)
+        extract_variable(file_contents, "makedepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "build",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse checkdepends (test)
+        extract_variable(file_contents, "checkdepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "test",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.extract_variable(contents, var_name)
+        # PKGBUILD uses bash array syntax: depends=('pkg1' 'pkg2') or depends=(pkg1 pkg2)
+        # Can also span multiple lines
+        pattern = /^#{var_name}=\(([^)]*)\)/m
+        match = contents.match(pattern)
+        return [] unless match
+
+        # Extract items, handling both quoted and unquoted formats
+        # 'pkg1' 'pkg2' or "pkg1" "pkg2" or pkg1 pkg2
+        items = match[1].scan(/['"]([^'"]+)['"]|(\S+)/).flatten.compact
+        items.reject { |d| d.empty? || d.start_with?("$") }
+      end
+
+      def self.parse_dependency(dep_string)
+        # Parse version constraints like "glibc>=2.17" or "openssl>1.1"
+        # Operators: >=, <=, >, <, =
+        if dep_string =~ /^(.+?)([><=]+)(.+)$/
+          [$1, "#{$2}#{$3}"]
+        else
+          [dep_string, nil]
+        end
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/apk.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Apk
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["APKBUILD"]
+      end
+
+      def self.mapping
+        {
+          match_filename("APKBUILD") => {
+            kind: "manifest",
+            parser: :parse_apkbuild,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_apkbuild(file_contents, options: {})
+        source = options.fetch(:filename, "APKBUILD")
+        dependencies = []
+
+        # Parse depends (runtime)
+        extract_variable(file_contents, "depends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse makedepends (build)
+        extract_variable(file_contents, "makedepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "build",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse checkdepends (test)
+        extract_variable(file_contents, "checkdepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "test",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.extract_variable(contents, var_name)
+        # Match variable assignment with double or single quotes, handling multi-line with backslash
+        # Examples:
+        #   depends="foo bar"
+        #   makedepends="foo
+        #   bar"
+        #   checkdepends='foo bar'
+        pattern = /^#{var_name}=["']([^"']*?)["']/m
+        match = contents.match(pattern)
+        return [] unless match
+
+        # Split on whitespace and filter out empty strings, negated packages (!), and variable references ($)
+        match[1].split(/\s+/).reject { |d| d.empty? || d.start_with?("!") || d.start_with?("$") }
+      end
+
+      def self.parse_dependency(dep_string)
+        # Parse version constraints like "openssl-dev>3" or "zlib-dev>=1.2.3"
+        # Operators: >=, <=, >, <, =, ~
+        if dep_string =~ /^(.+?)([><=~]+)(.+)$/
+          [$1, "#{$2}#{$3}"]
+        else
+          [dep_string, nil]
+        end
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/bentoml.rb

@@ -5,12 +5,16 @@ module Bibliothecary
     class BentoML
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["bentofile.yaml"]
+      end
+
       def self.mapping
         {
           match_filename("bentofile.yaml") => {
             kind: 'manifest',
             parser: :parse_bentofile,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/bower.rb

@@ -7,11 +7,16 @@ module Bibliothecary
     class Bower
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["bower.json"]
+      end
+
       def self.mapping
         {
           match_filename("bower.json") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cargo.rb

@@ -5,6 +5,10 @@ module Bibliothecary
     class Cargo
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["Cargo.toml", "Cargo.lock"]
+      end
+
       def self.mapping
         {
           match_filename("Cargo.toml") => {
@@ -51,6 +55,7 @@ module Bibliothecary
           name = block[/name\s*=\s*"([^"]+)"/, 1]
           version = block[/version\s*=\s*"([^"]+)"/, 1]
           source = block[/source\s*=\s*"([^"]+)"/, 1]
+          checksum = block[/checksum\s*=\s*"([^"]+)"/, 1]
 
           # Skip packages without a registry source (local/workspace packages)
           next unless source&.start_with?("registry+")
@@ -60,7 +65,8 @@ module Bibliothecary
             requirement: version,
             type: "runtime",
             source: options.fetch(:filename, nil),
-            platform: platform_name
+            platform: platform_name,
+            integrity: checksum ? "sha256=#{checksum}" : nil
           )
         end
         ParserResult.new(dependencies: dependencies)