ecosystems-bibliothecary 15.1.1 → 15.3.0

data/lib/bibliothecary/parsers/npm.rb

@@ -10,6 +10,10 @@ module Bibliothecary
       # Max depth to recurse into the "dependencies" property of package-lock.json
       PACKAGE_LOCK_JSON_MAX_DEPTH = 10
 
+      def self.file_patterns
+        ["package.json", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml", "pnpm-workspace.yaml", "bun.lock", "npm-ls.json"]
+      end
+
       def self.mapping
         {
           match_filename("package.json") => {
@@ -28,6 +32,11 @@ module Bibliothecary
             kind: "lockfile",
             parser: :parse_pnpm_lock,
           },
+          match_filename("pnpm-workspace.yaml") => {
+            kind: "manifest",
+            parser: :parse_pnpm_workspace,
+            related_to: ["lockfile"],
+          },
           match_filename("npm-ls.json") => {
             kind: "lockfile",
             parser: :parse_ls,
@@ -97,7 +106,8 @@ module Bibliothecary
               type: dep.fetch("dev", false) || dep.fetch("devOptional", false) ? "development" : "runtime",
               local: dep.fetch("link", false),
               source: source,
-              platform: platform_name
+              platform: platform_name,
+              integrity: dep["integrity"]
             )
           end
       end
@@ -118,7 +128,8 @@ module Bibliothecary
             requirement: version,
             type: type,
             source: source,
-            platform: platform_name
+            platform: platform_name,
+            integrity: requirement["integrity"]
           )] + child_dependencies
         end
       end
@@ -187,7 +198,8 @@ module Bibliothecary
             type: nil, # yarn.lock doesn't report on the type of dependency
             local: dep[:requirements]&.first&.start_with?("file:"),
             source: options.fetch(:filename, nil),
-            platform: platform_name
+            platform: platform_name,
+            integrity: dep[:integrity]
           )
         end
         ParserResult.new(dependencies: dependencies)
@@ -228,11 +240,23 @@ module Bibliothecary
 
       def self.parse_v2_yarn_lock(contents, source = nil)
         deps = []
-        # Match package blocks: "package@npm:req": followed by version: x.y.z
-        # Examples: "js-tokens@npm:^3.0.0 || ^4.0.0": or "pkg1@npm:req1, pkg2@npm:req2":
-        contents.scan(/^"([^"]+)":\s*\n\s+version:\s*([^\n]+)/m) do |packages_str, version|
+        # Split into blocks by double newlines or by unquoted key lines
+        # Each block starts with "package@npm:req": and continues until the next package
+        blocks = contents.split(/\n\n+/)
+
+        blocks.each do |block|
+          # Match the package header: "package@npm:...":\n  version: ...
+          match = block.match(/^"([^"]+)":\s*\n(.+)/m)
+          next unless match
+
+          packages_str = match[1]
+          body = match[2]
+
+          version = body[/version:\s*([^\n]+)/, 1]
+          checksum = body[/checksum:\s*([^\n]+)/, 1]
+
           # Skip workspace/local packages and patches
-          next if version.include?("use.local") && packages_str.include?("workspace")
+          next if version&.include?("use.local") && packages_str.include?("workspace")
           next if packages_str.include?("@patch:")
 
           packages = packages_str.split(", ")
@@ -247,6 +271,7 @@ module Bibliothecary
             original_requirement: alias_name.nil? ? nil : version.to_s,
             version: version.to_s,
             source: source,
+            integrity: checksum,
           }
         end
         deps
@@ -281,7 +306,8 @@ module Bibliothecary
               original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime",
               source: source,
-              platform: platform_name
+              platform: platform_name,
+              integrity: details.dig("resolution", "integrity")
             )
           end
       end
@@ -318,7 +344,8 @@ module Bibliothecary
               original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime",
               source: source,
-              platform: platform_name
+              platform: platform_name,
+              integrity: details.dig("resolution", "integrity")
             )
           end
       end
@@ -327,6 +354,7 @@ module Bibliothecary
         dependencies = parsed_contents.fetch("importers", {}).fetch(".", {}).fetch("dependencies", {})
         dev_dependencies = parsed_contents.fetch("importers", {}).fetch(".", {}).fetch("devDependencies", {})
         dependency_mapping = dependencies.merge(dev_dependencies)
+        packages = parsed_contents.fetch("packages", {})
 
         # "dependencies" is in "packages" for < v9 and in "snapshots" for >= v9
         # as of https://github.com/pnpm/pnpm/pull/7700.
@@ -360,6 +388,10 @@ module Bibliothecary
               dev_name == name && dev_details["version"] == version
             end
 
+            # In v9, integrity is stored in packages section, not snapshots
+            package_key = "#{name}@#{version}"
+            integrity = packages.dig(package_key, "resolution", "integrity")
+
             Dependency.new(
               name: name,
               requirement: version,
@@ -367,7 +399,8 @@ module Bibliothecary
               original_requirement: original_requirement,
               type: is_dev ? "development" : "runtime",
               source: source,
-              platform: platform_name
+              platform: platform_name,
+              integrity: integrity
             )
           end
       end
@@ -391,6 +424,45 @@ module Bibliothecary
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_pnpm_workspace(contents, options: {})
+        parsed = YAML.load(contents)
+        source = options.fetch(:filename, nil)
+
+        dependencies = []
+
+        # Parse the default catalog (pnpm 9+)
+        if parsed["catalog"].is_a?(Hash)
+          parsed["catalog"].each do |name, requirement|
+            dependencies << Dependency.new(
+              name: name,
+              requirement: requirement,
+              type: "runtime",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        # Parse named catalogs (pnpm 9+)
+        if parsed["catalogs"].is_a?(Hash)
+          parsed["catalogs"].each do |_catalog_name, catalog_deps|
+            next unless catalog_deps.is_a?(Hash)
+
+            catalog_deps.each do |name, requirement|
+              dependencies << Dependency.new(
+                name: name,
+                requirement: requirement,
+                type: "runtime",
+                source: source,
+                platform: platform_name
+              )
+            end
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
       def self.parse_ls(file_contents, options: {})
         manifest = JSON.parse(file_contents)
 
@@ -421,7 +493,8 @@ module Bibliothecary
             type: dev_deps&.include?(name) ? "development" : "runtime",
             local: is_local,
             source: source,
-            platform: platform_name
+            platform: platform_name,
+            integrity: info[3]
           )
         end
         ParserResult.new(dependencies: dependencies)

data/lib/bibliothecary/parsers/nuget.rb

@@ -8,6 +8,10 @@ module Bibliothecary
     class Nuget
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["Project.json", "Project.lock.json", "packages.lock.json", "packages.config", "*.nuspec", "*.csproj", "paket.lock", "project.assets.json", "*.deps.json"]
+      end
+
       def self.mapping
         {
           match_filename("Project.json") => {

data/lib/bibliothecary/parsers/ollama.rb

@@ -5,12 +5,16 @@ module Bibliothecary
     class Ollama
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["Modelfile"]
+      end
+
       def self.mapping
         {
           match_filename("Modelfile") => {
             kind: 'manifest',
             parser: :parse_modelfile,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/packagist.rb

@@ -7,6 +7,10 @@ module Bibliothecary
     class Packagist
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["composer.json", "composer.lock"]
+      end
+
       def self.mapping
         {
           match_filename("composer.json") => {
@@ -23,42 +27,39 @@ module Bibliothecary
 
       def self.parse_lockfile(file_contents, options: {})
         manifest = JSON.parse file_contents
-        dependencies = manifest.fetch("packages", []).map do |dependency|
-          requirement = dependency["version"]
+        source = options.fetch(:filename, nil)
 
-          # Store Drupal version if Drupal, but include the original manifest version for reference
-          if drupal_module?(dependency)
-            original_requirement = requirement
-            requirement = dependency.dig("source", "reference")
-          end
-
-          Dependency.new(
-            name: dependency["name"],
-            requirement: requirement,
-            type: "runtime",
-            original_requirement: original_requirement,
-            source: options.fetch(:filename, nil),
-            platform: platform_name
-          )
+        dependencies = manifest.fetch("packages", []).map do |dependency|
+          parse_composer_dependency(dependency, "runtime", source)
         end + manifest.fetch("packages-dev", []).map do |dependency|
-          requirement = dependency["version"]
+          parse_composer_dependency(dependency, "development", source)
+        end
+        ParserResult.new(dependencies: dependencies)
+      end
 
-          # Store Drupal version if Drupal, but include the original manifest version for reference
-          if drupal_module?(dependency)
-            original_requirement = requirement
-            requirement = dependency.dig("source", "reference")
-          end
+      def self.parse_composer_dependency(dependency, type, source)
+        requirement = dependency["version"]
+        original_requirement = nil
 
-          Dependency.new(
-            name: dependency["name"],
-            requirement: requirement,
-            type: "development",
-            original_requirement: original_requirement,
-            source: options.fetch(:filename, nil),
-            platform: platform_name
-          )
+        # Store Drupal version if Drupal, but include the original manifest version for reference
+        if drupal_module?(dependency)
+          original_requirement = requirement
+          requirement = dependency.dig("source", "reference")
         end
-        ParserResult.new(dependencies: dependencies)
+
+        # Extract shasum from dist if present and non-empty
+        shasum = dependency.dig("dist", "shasum")
+        integrity = shasum && !shasum.empty? ? "sha1=#{shasum}" : nil
+
+        Dependency.new(
+          name: dependency["name"],
+          requirement: requirement,
+          type: type,
+          original_requirement: original_requirement,
+          source: source,
+          platform: platform_name,
+          integrity: integrity
+        )
       end
 
       def self.parse_manifest(file_contents, options: {})

data/lib/bibliothecary/parsers/pub.rb

@@ -7,6 +7,10 @@ module Bibliothecary
     class Pub
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["pubspec.yaml", "pubspec.lock"]
+      end
+
       def self.mapping
         {
           match_filename("pubspec.yaml", case_insensitive: true) => {

data/lib/bibliothecary/parsers/pypi.rb

@@ -24,6 +24,15 @@ module Bibliothecary
       # https://packaging.python.org/en/latest/specifications/pylock-toml/
       PEP_751_LOCKFILE_REGEXP = /^pylock(\.[^.]+)?\.toml$/
 
+      def self.file_patterns
+        [
+          "setup.py", "requirements*.txt", "requirements*.pip", "requirements*.in",
+          "requirements.frozen", "Pipfile", "Pipfile.lock", "pyproject.toml",
+          "poetry.lock", "uv.lock", "pylock.toml", "pdm.lock",
+          "pip-resolved-dependencies.txt", "pip-dependency-graph.json"
+        ]
+      end
+
       def self.mapping
         {
           match_filenames("requirements-dev.txt", "requirements/dev.txt",
@@ -122,12 +131,16 @@ module Bibliothecary
           name = block[/name\s*=\s*"([^"]+)"/, 1]
           version = block[/version\s*=\s*"([^"]+)"/, 1]
 
+          # Extract sdist hash: sdist = { url = "...", hash = "sha256:...", size = ... }
+          integrity = block[/^sdist\s*=\s*\{[^}]*hash\s*=\s*"([^"]+)"/m, 1]
+
           dependencies << Dependency.new(
             platform: platform_name,
             name: name,
             requirement: version,
             type: "runtime", # All dependencies are considered runtime
-            source: source
+            source: source,
+            integrity: integrity
           )
         end
         ParserResult.new(dependencies: dependencies)
@@ -297,6 +310,15 @@ module Bibliothecary
 
           groups = ["runtime"] if groups.empty?
 
+          # Extract sdist hash from files array (look for .tar.gz entry)
+          integrity = nil
+          if (files_match = block[/^files\s*=\s*\[(.*?)\]/m, 1])
+            # Match .tar.gz file entry and extract hash
+            if (sdist_match = files_match.match(/\{file\s*=\s*"[^"]+\.tar\.gz",\s*hash\s*=\s*"([^"]+)"\}/))
+              integrity = sdist_match[1]
+            end
+          end
+
           groups.each do |group|
             # Poetry lockfiles should already contain normalized names, but we'll
             # apply it here as well just to be consistent with pyproject.toml parsing.
@@ -307,7 +329,8 @@ module Bibliothecary
               requirement: version,
               type: group,
               source: options.fetch(:filename, nil),
-              platform: platform_name
+              platform: platform_name,
+              integrity: integrity
             )
           end
         end

data/lib/bibliothecary/parsers/rpm.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Rpm
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["*.spec"]
+      end
+
+      def self.mapping
+        {
+          match_extension(".spec") => {
+            kind: "manifest",
+            parser: :parse_spec,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_spec(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Parse BuildRequires (build dependencies)
+        file_contents.scan(/^BuildRequires:\s*(.+)$/i) do |match|
+          parse_dependency_line(match[0]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "build",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        # Parse Requires (runtime dependencies), including Requires(pre), Requires(post), etc.
+        file_contents.scan(/^Requires(?:\([^)]+\))?:\s*(.+)$/i) do |match|
+          parse_dependency_line(match[0]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "runtime",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_dependency_line(line)
+        # Dependencies can be comma or whitespace separated
+        # Each dependency can have version constraints like: pkg >= 1.0
+        # Also filter out RPM macros like %{name}
+        deps = []
+
+        # Split on commas first, then handle each part
+        line.split(/,/).each do |part|
+          part = part.strip
+          next if part.empty?
+          next if part.start_with?("%") # Skip RPM macros
+          next if part.start_with?("/") # Skip file paths like /bin/sh
+
+          # Check for version constraint (pkg >= 1.0, pkg < 2.0, etc.)
+          if part =~ /^(\S+)\s+([<>=]+)\s*(\S+)$/
+            deps << { name: $1, requirement: "#{$2} #{$3}" }
+          elsif part =~ /^(\S+)$/
+            deps << { name: $1, requirement: nil }
+          end
+        end
+
+        deps
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/rubygems.rb

@@ -10,6 +10,8 @@ module Bibliothecary
       NAME_VERSION = '(?! )(.*?)(?: \(([^-]*)(?:-(.*))?\))?'
       NAME_VERSION_4 = /^ {4}#{NAME_VERSION}$/
       BUNDLED_WITH = /BUNDLED WITH/
+      CHECKSUMS_START = /^CHECKSUMS$/
+      CHECKSUM_LINE = /^  (.+) \(([^)]+)\) sha256=([a-f0-9]+)$/
 
       # Gemfile patterns
       GEM_REGEXP = /^\s*gem\s+['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?/
@@ -19,6 +21,10 @@ module Bibliothecary
       # Gemspec pattern - captures type in first group
       GEMSPEC_DEPENDENCY = /\.add_(development_|runtime_)?dependency\s*\(?\s*['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?(?:\s*,\s*['"]([^'"]+)['"])?\s*\)?/
 
+      def self.file_patterns
+        ["Gemfile", "Gemfile.lock", "gems.rb", "gems.locked", "*.gemspec"]
+      end
+
       def self.mapping
         {
           match_filenames("Gemfile", "gems.rb") => {
@@ -43,6 +49,7 @@ module Bibliothecary
       def self.parse_gemfile_lock(file_contents, options: {})
         source = options.fetch(:filename, nil)
         dependencies = []
+        checksums = parse_checksums(file_contents)
 
         file_contents.each_line do |line|
           line = line.chomp.gsub(/\r$/, "")
@@ -56,17 +63,43 @@ module Bibliothecary
             name: name,
             requirement: version,
             type: "runtime",
-            source: source
+            source: source,
+            integrity: checksums["#{name}-#{version}"]
           )
         end
 
-        if (bundler_dep = parse_bundler(file_contents, source))
+        if (bundler_dep = parse_bundler(file_contents, source, checksums))
           dependencies << bundler_dep
         end
 
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_checksums(file_contents)
+        checksums = {}
+        in_checksums = false
+
+        file_contents.each_line do |line|
+          line = line.chomp
+          if line.match?(CHECKSUMS_START)
+            in_checksums = true
+            next
+          end
+
+          next unless in_checksums
+
+          # End of CHECKSUMS section (blank line or new section)
+          break if line.empty? || line.match?(/^[A-Z]/)
+
+          if (match = line.match(CHECKSUM_LINE))
+            name, version, sha256 = match.captures
+            checksums["#{name}-#{version}"] = "sha256=#{sha256}"
+          end
+        end
+
+        checksums
+      end
+
       def self.parse_gemfile(file_contents, options: {})
         source = options.fetch(:filename, nil)
         deps = []
@@ -147,7 +180,7 @@ module Bibliothecary
         end
       end
 
-      def self.parse_bundler(file_contents, source = nil)
+      def self.parse_bundler(file_contents, source = nil, checksums = {})
         bundled_with_index = file_contents.lines(chomp: true).find_index { |line| line.match(BUNDLED_WITH) }
         return nil unless bundled_with_index
 
@@ -159,7 +192,8 @@ module Bibliothecary
           requirement: version,
           type: "runtime",
           source: source,
-          platform: platform_name
+          platform: platform_name,
+          integrity: checksums["bundler-#{version}"]
         )
       end
     end

data/lib/bibliothecary/parsers/shard.rb

@@ -7,6 +7,10 @@ module Bibliothecary
     class Shard
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["shard.yml", "shard.lock"]
+      end
+
       def self.mapping
         {
           match_filename("shard.yml", case_insensitive: true) => {

data/lib/bibliothecary/parsers/swift_pm.rb

@@ -12,6 +12,10 @@ module Bibliothecary
       PACKAGE_REGEXP_EXACT = /\.package\s*\(\s*(?:name:\s*"[^"]+",\s*)?url:\s*"([^"]+)"[^)]*(?:\.exact|exact)\s*\(\s*"([^"]+)"\s*\)/i
       PACKAGE_REGEXP_RANGE = /\.package\s*\(\s*(?:name:\s*"[^"]+",\s*)?url:\s*"([^"]+)"[^)]*"([^"]+)"\s*(?:\.\.|\.\.\.)\s*"([^"]+)"/i
 
+      def self.file_patterns
+        ["Package.swift", "Package.resolved"]
+      end
+
       def self.mapping
         {
           match_filename("Package.swift", case_insensitive: true) => {

data/lib/bibliothecary/parsers/vcpkg.rb

@@ -3,6 +3,10 @@ module Bibliothecary
     class Vcpkg
       include Bibliothecary::Analyser
 
+      def self.file_patterns
+        ["vcpkg.json", "_generated-vcpkg-list.json"]
+      end
+
       def self.mapping
         {
           match_filename("vcpkg.json", case_insensitive: true) => {

data/lib/bibliothecary/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bibliothecary
-  VERSION = "15.1.1"
+  VERSION = "15.3.0"
 end

data/lib/bibliothecary.rb

@@ -57,6 +57,13 @@ module Bibliothecary
     runner.package_managers
   end
 
+  def self.supported_files
+    package_managers.each_with_object({}) do |pm, hash|
+      patterns = pm.file_patterns
+      hash[pm.platform_name] = patterns unless patterns.empty?
+    end
+  end
+
   def self.find_manifests(path)
     runner.find_manifests(path)
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ecosystems-bibliothecary
 version: !ruby/object:Gem::Version
-  version: 15.1.1
+  version: 15.3.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -117,6 +117,8 @@ files:
 - lib/bibliothecary/file_info.rb
 - lib/bibliothecary/parser_result.rb
 - lib/bibliothecary/parsers/actions.rb
+- lib/bibliothecary/parsers/alpm.rb
+- lib/bibliothecary/parsers/apk.rb
 - lib/bibliothecary/parsers/bentoml.rb
 - lib/bibliothecary/parsers/bower.rb
 - lib/bibliothecary/parsers/cargo.rb
@@ -128,6 +130,8 @@ files:
 - lib/bibliothecary/parsers/conda.rb
 - lib/bibliothecary/parsers/cpan.rb
 - lib/bibliothecary/parsers/cran.rb
+- lib/bibliothecary/parsers/deb.rb
+- lib/bibliothecary/parsers/deno.rb
 - lib/bibliothecary/parsers/docker.rb
 - lib/bibliothecary/parsers/dub.rb
 - lib/bibliothecary/parsers/dvc.rb
@@ -143,12 +147,14 @@ files:
 - lib/bibliothecary/parsers/meteor.rb
 - lib/bibliothecary/parsers/mlflow.rb
 - lib/bibliothecary/parsers/nimble.rb
+- lib/bibliothecary/parsers/nix.rb
 - lib/bibliothecary/parsers/npm.rb
 - lib/bibliothecary/parsers/nuget.rb
 - lib/bibliothecary/parsers/ollama.rb
 - lib/bibliothecary/parsers/packagist.rb
 - lib/bibliothecary/parsers/pub.rb
 - lib/bibliothecary/parsers/pypi.rb
+- lib/bibliothecary/parsers/rpm.rb
 - lib/bibliothecary/parsers/rubygems.rb
 - lib/bibliothecary/parsers/shard.rb
 - lib/bibliothecary/parsers/swift_pm.rb