ecosystems-bibliothecary 15.2.0 → 15.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1399499146bc9abb6b2053d1e842cff2a33e05166f4fca7fed6fba222146f5e
-  data.tar.gz: 2b1460ba23303796a1b73bfa445fee11771857f5270effce6da04e6ed4ff920f
+  metadata.gz: c9b737a0f2ae5bf0446ef878a8f50074dff5b40eaaff1fbf487e35a4dc61dab7
+  data.tar.gz: bd98a9d57a7fab6169b011b9782bdc403dafda174505184564745963dda8c5a0
 SHA512:
-  metadata.gz: 2ab9631fd2e5472d6a60784685252961f75fcae716561d1e7bd6c1bc7f87bba18f346988b26f787cc13bd666fc06a99db133926726880ee983e01fbe4f64a5d9
-  data.tar.gz: 1dc6d4efca6e8b643ca7c76e495a6b40364169fc8b51d238f2708e5da1ec8d04515adafec8d2042951088729258b3552a547473c93a59ae3f12c7a89ff681065
+  metadata.gz: c4a8176935149d241d23abe6be2ed8566ff33ef16fb8ca4b08a2a053e4965fee3714f941b4da9adbf287e0ee87cc068c181e4b15f8197263c8988489e1acf39b
+  data.tar.gz: 63fd2a8f0c168af999f2ff785e3e34189b6afe09d8c66dc4974f365461b233ca52d396667647362b23cb17aea9c3bad7c48b0778dc731b4ce4162e290fd028c8

data/CHANGELOG.md

@@ -13,6 +13,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.4.0]
+
+### Added
+
+- Parser for MODULE.bazel manifests
+
+## [15.3.0]
+
+### Added
+
+- npm: pnpm-workspace.yaml support for catalog dependencies (pnpm 9+)
+- alpm: Arch Linux PKGBUILD parser for depends, makedepends, and checkdepends
+- apk: Alpine Linux APKBUILD parser for depends, makedepends, and checkdepends
+- deb: Debian control file parser for Build-Depends, Depends, Pre-Depends, Recommends, Suggests
+- rpm: RPM spec file parser for BuildRequires and Requires
+- integrity: Added `integrity` field to Dependency class for lockfile hashes (npm package-lock.json, pnpm-lock.yaml, yarn.lock v4, bun.lock, go.sum, Gemfile.lock, deno.lock, composer.lock, stack.yaml.lock, Cargo.lock, Podfile.lock, mix.lock, rebar.lock, manifest.toml, poetry.lock, uv.lock)
+
 ## [15.2.0]
 
 ### Added
@@ -147,7 +164,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- Added Bibliothecary::ParserResult class, which wraps the parsed dependencies along with the project name, if it was found in the manifest. 
+- Added Bibliothecary::ParserResult class, which wraps the parsed dependencies along with the project name, if it was found in the manifest.
 
 ### Changed
 

data/README.md

@@ -1,6 +1,6 @@
 # Bibliothecary
 
-Dependency manifest parsing library for https://github.com/ecosyste-ms 
+Dependency manifest parsing library for https://github.com/ecosyste-ms
 
 This is a maintained fork of the original [Bibliothecary](https://github.com/librariesio/bibliothecary) gem, with support for additional manifest formats and bug fixes.
 
@@ -42,6 +42,48 @@ Bibliothecary.analyse('./')
 
 All available config options are in: https://github.com/ecosyste-ms/bibliothecary/blob/master/lib/bibliothecary/configuration.rb
 
+## Dependency fields
+
+Each parsed dependency is a `Bibliothecary::Dependency` with:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | String | Package name |
+| `requirement` | String | Version requirement (defaults to `"*"`) |
+| `platform` | String | Package manager platform (e.g. `"npm"`, `"maven"`) |
+| `type` | String | Dependency scope: `"runtime"`, `"development"`, `"test"`, etc. |
+| `direct` | Boolean | Direct dependency (vs transitive) |
+| `deprecated` | Boolean | Deprecated dependency |
+| `local` | Boolean | Local/file path dependency |
+| `optional` | Boolean | Optional dependency |
+| `original_name` | String | Original name before aliasing/normalization |
+| `original_requirement` | String | Original requirement before resolution |
+| `source` | String | Path to the manifest file |
+| `integrity` | String | Lockfile integrity hash (see table below) |
+
+## Integrity hash support
+
+The `integrity` field is populated for lockfiles that include per-dependency hashes:
+
+| Lockfile | Platform | Hash format |
+|----------|----------|-------------|
+| package-lock.json | npm | `sha512-...` |
+| pnpm-lock.yaml | npm | `sha512-...` |
+| yarn.lock (v2+) | npm | `sha512-...` |
+| bun.lock | npm | `sha512-...` |
+| deno.lock | deno | `sha512-...` |
+| go.sum | go | `h1:...` |
+| Gemfile.lock | rubygems | `sha256=...` |
+| poetry.lock | pypi | `sha256:...` |
+| uv.lock | pypi | `sha256:...` |
+| composer.lock | packagist | `sha1=...` |
+| Cargo.lock | cargo | `sha256=...` |
+| Podfile.lock | cocoapods | `sha1=...` |
+| mix.lock | hex | `sha256=...` |
+| rebar.lock | hex | `sha256=...` |
+| manifest.toml (Gleam) | hex | `sha256=...` |
+| stack.yaml.lock | hackage | `sha256=...` |
+
 ## Supported package manager file formats
 
 - Actions
@@ -49,9 +91,15 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - action.yaml
   - .github/workflows/\*.yml
   - .github/workflows/\*.yaml
+- Alpm
+  - PKGBUILD
 - Anaconda
   - environment.yml
   - environment.yaml
+- Apk
+  - APKBUILD
+- Bazel
+  - MODULE.bazel
 - BentoML
   - bentofile.yaml
 - Bower
@@ -86,6 +134,9 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
 - CRAN
   - DESCRIPTION
   - renv.lock
+- Deb
+  - debian/control
+  - control
 - Deno
   - deno.json
   - deno.jsonc
@@ -165,6 +216,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - npm-shrinkwrap.json
   - yarn.lock
   - pnpm-lock.yaml
+  - pnpm-workspace.yaml
   - bun.lock
   - npm-ls.json
 - Nuget
@@ -200,6 +252,8 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - pdm.lock
   - pip-resolved-dependencies.txt
   - pip-dependency-graph.json
+- Rpm
+  - \*.spec
 - RubyGems
   - Gemfile
   - Gemfile.lock
@@ -222,6 +276,8 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`.
 
+To regenerate the supported file formats list in this README, run `bundle exec rake readme:update`.
+
 To release a new version:
 * in `CHANGELOG.md`, move the changes under `"Unreleased"` into a new section with your version number
 * bump and commit the version number in `version.rb` in the `main` branch

data/lib/bibliothecary/dependency.rb

@@ -18,6 +18,8 @@ module Bibliothecary
   #   for cases where it did not match the resolved name. This can be used for features like aliasing.
   # @source [String] source An optional string to store the location of the manifest that contained this
   #   dependency, e.g. "src/package.json".
+  # @attr_reader [String] integrity An optional integrity hash from the lockfile, stored as-is
+  #   (e.g. "sha512-abc123..." for npm, "h1:xyz..." for go.sum).
   class Dependency
     FIELDS = %i[
       name
@@ -31,6 +33,7 @@ module Bibliothecary
       optional
       original_name
       source
+      integrity
     ].freeze
 
     attr_reader(*FIELDS)
@@ -46,7 +49,8 @@ module Bibliothecary
       local: nil,
       optional: nil,
       original_name: nil,
-      source: nil
+      source: nil,
+      integrity: nil
     )
       @name = name
       @platform = platform
@@ -59,6 +63,7 @@ module Bibliothecary
       @optional = optional
       @original_name = original_name
       @source = source
+      @integrity = integrity
     end
 
     def eql?(other)

data/lib/bibliothecary/parsers/alpm.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Alpm
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["PKGBUILD"]
+      end
+
+      def self.mapping
+        {
+          match_filename("PKGBUILD") => {
+            kind: "manifest",
+            parser: :parse_pkgbuild,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_pkgbuild(file_contents, options: {})
+        source = options.fetch(:filename, "PKGBUILD")
+        dependencies = []
+
+        # Parse depends (runtime)
+        extract_variable(file_contents, "depends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse makedepends (build)
+        extract_variable(file_contents, "makedepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "build",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse checkdepends (test)
+        extract_variable(file_contents, "checkdepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "test",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.extract_variable(contents, var_name)
+        # PKGBUILD uses bash array syntax: depends=('pkg1' 'pkg2') or depends=(pkg1 pkg2)
+        # Can also span multiple lines
+        pattern = /^#{var_name}=\(([^)]*)\)/m
+        match = contents.match(pattern)
+        return [] unless match
+
+        # Extract items, handling both quoted and unquoted formats
+        # 'pkg1' 'pkg2' or "pkg1" "pkg2" or pkg1 pkg2
+        items = match[1].scan(/['"]([^'"]+)['"]|(\S+)/).flatten.compact
+        items.reject { |d| d.empty? || d.start_with?("$") }
+      end
+
+      def self.parse_dependency(dep_string)
+        # Parse version constraints like "glibc>=2.17" or "openssl>1.1"
+        # Operators: >=, <=, >, <, =
+        if dep_string =~ /^(.+?)([><=]+)(.+)$/
+          [$1, "#{$2}#{$3}"]
+        else
+          [dep_string, nil]
+        end
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/apk.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Apk
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["APKBUILD"]
+      end
+
+      def self.mapping
+        {
+          match_filename("APKBUILD") => {
+            kind: "manifest",
+            parser: :parse_apkbuild,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_apkbuild(file_contents, options: {})
+        source = options.fetch(:filename, "APKBUILD")
+        dependencies = []
+
+        # Parse depends (runtime)
+        extract_variable(file_contents, "depends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse makedepends (build)
+        extract_variable(file_contents, "makedepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "build",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse checkdepends (test)
+        extract_variable(file_contents, "checkdepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "test",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.extract_variable(contents, var_name)
+        # Match variable assignment with double or single quotes, handling multi-line with backslash
+        # Examples:
+        #   depends="foo bar"
+        #   makedepends="foo
+        #   bar"
+        #   checkdepends='foo bar'
+        pattern = /^#{var_name}=["']([^"']*?)["']/m
+        match = contents.match(pattern)
+        return [] unless match
+
+        # Split on whitespace and filter out empty strings, negated packages (!), and variable references ($)
+        match[1].split(/\s+/).reject { |d| d.empty? || d.start_with?("!") || d.start_with?("$") }
+      end
+
+      def self.parse_dependency(dep_string)
+        # Parse version constraints like "openssl-dev>3" or "zlib-dev>=1.2.3"
+        # Operators: >=, <=, >, <, =, ~
+        if dep_string =~ /^(.+?)([><=~]+)(.+)$/
+          [$1, "#{$2}#{$3}"]
+        else
+          [dep_string, nil]
+        end
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/bazel.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Bazel
+      include Bibliothecary::Analyser
+
+      BAZEL_DEP_STATEMENT = %r{
+        ^\s*bazel_dep\s*
+        (?<bal>
+          \(
+            (?:
+              [^()"'\\]+
+              | "(?:\\.|[^"\\])*"
+              | '(?:\\.|[^'\\])*'
+              | \\ .
+              | \g<bal>
+            )*
+          \)
+        )
+      }mx
+
+      # key/value extraction inside the call
+      DEPENDENCY_NAME    = /(?:^|[,(]\s*)name\s*=\s*(?<quote>["'])(?<value>(?:\\.|(?!\k<quote>).)*)\k<quote>/m
+      DEPENDENCY_VERSION = /(?:^|[,(]\s*)version\s*=\s*(?<quote>["'])(?<value>(?:\\.|(?!\k<quote>).)*)\k<quote>/m
+      DEPENDENCY_TYPE     = /(?:^|[,(]\s*)dev_dependency\s*=\s*(?<value>True|False)\b/m
+
+      def self.file_patterns
+        ["MODULE.bazel"]
+      end
+
+      def self.mapping
+        {
+          match_filename("MODULE.bazel") => {
+            kind: "manifest",
+            parser: :parse_module_bazel,
+          }
+        }
+      end
+
+      def self.parse_module_bazel(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+
+        dependencies = file_contents.scan(BAZEL_DEP_STATEMENT).filter_map do |(statement)|
+          name_match = statement.match(DEPENDENCY_NAME)
+          next unless name_match
+
+          parsed_version = statement.match(DEPENDENCY_VERSION)
+          parsed_type = statement.match(DEPENDENCY_TYPE)
+          version = parsed_version ? parsed_version[:value] : "*"
+          type = parsed_type && parsed_type[:value] == "True" ? "development" : "runtime"
+
+          Dependency.new(
+            platform: platform_name,
+            name: name_match[:value],
+            requirement: version,
+            type: type,
+            source: source
+          )
+        end
+        ParserResult.new(dependencies: dependencies)
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/bentoml.rb

@@ -14,7 +14,7 @@ module Bibliothecary
           match_filename("bentofile.yaml") => {
             kind: 'manifest',
             parser: :parse_bentofile,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/bower.rb

@@ -16,6 +16,7 @@ module Bibliothecary
           match_filename("bower.json") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cargo.rb

@@ -55,6 +55,7 @@ module Bibliothecary
           name = block[/name\s*=\s*"([^"]+)"/, 1]
           version = block[/version\s*=\s*"([^"]+)"/, 1]
           source = block[/source\s*=\s*"([^"]+)"/, 1]
+          checksum = block[/checksum\s*=\s*"([^"]+)"/, 1]
 
           # Skip packages without a registry source (local/workspace packages)
           next unless source&.start_with?("registry+")
@@ -64,7 +65,8 @@ module Bibliothecary
             requirement: version,
             type: "runtime",
             source: options.fetch(:filename, nil),
-            platform: platform_name
+            platform: platform_name,
+            integrity: checksum ? "sha256=#{checksum}" : nil
           )
         end
         ParserResult.new(dependencies: dependencies)

data/lib/bibliothecary/parsers/clojars.rb

@@ -16,6 +16,7 @@ module Bibliothecary
           match_filename("project.clj") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cocoapods.rb

@@ -49,6 +49,9 @@ module Bibliothecary
         source = options.fetch(:filename, nil)
         dependencies = []
 
+        # Parse SPEC CHECKSUMS section to build lookup table
+        checksums = parse_spec_checksums(file_contents)
+
         # Match pod entries: "  - Name (version)" or "  - Name/Subspec (version)"
         # Only process lines in PODS section (before DEPENDENCIES section)
         pods_section = file_contents.split(/^DEPENDENCIES:/)[0]
@@ -60,13 +63,38 @@ module Bibliothecary
             name: base_name,
             requirement: version,
             type: "runtime",
-            source: source
+            source: source,
+            integrity: checksums[base_name]
           )
         end
 
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_spec_checksums(file_contents)
+        checksums = {}
+        in_checksums = false
+
+        file_contents.each_line do |line|
+          if line.start_with?("SPEC CHECKSUMS:")
+            in_checksums = true
+            next
+          end
+
+          next unless in_checksums
+
+          # End of section (blank line or new section)
+          break if line.strip.empty? || (line !~ /^\s/ && line.strip != "")
+
+          # Match "  Name: sha1hash"
+          if (match = line.match(/^\s+([^:]+):\s*([a-f0-9]+)\s*$/))
+            checksums[match[1]] = "sha1=#{match[2]}"
+          end
+        end
+
+        checksums
+      end
+
       def self.parse_podspec(file_contents, options: {})
         source = options.fetch(:filename, nil)
         deps = []

data/lib/bibliothecary/parsers/cog.rb

@@ -14,7 +14,7 @@ module Bibliothecary
           match_filename("cog.yaml") => {
             kind: 'manifest',
             parser: :parse_cog_yaml,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/conda.rb

@@ -16,10 +16,12 @@ module Bibliothecary
           match_filename("environment.yml") => {
             parser: :parse_conda,
             kind: "manifest",
+            can_have_lockfile: false,
           },
           match_filename("environment.yaml") => {
             parser: :parse_conda,
             kind: "manifest",
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/deb.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Deb
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["debian/control", "control"]
+      end
+
+      def self.mapping
+        {
+          match_filename("debian/control") => {
+            kind: "manifest",
+            parser: :parse_control,
+            can_have_lockfile: false,
+          },
+          match_filename("control") => {
+            kind: "manifest",
+            parser: :parse_control,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      BUILD_DEP_FIELDS = %w[Build-Depends Build-Depends-Indep Build-Depends-Arch].freeze
+      RUNTIME_DEP_FIELDS = %w[Depends Pre-Depends Recommends Suggests].freeze
+
+      def self.parse_control(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Parse the control file - it's in RFC 822 format with continuation lines
+        # Fields can span multiple lines if continuation lines start with whitespace
+        fields = parse_fields(file_contents)
+
+        # Build dependencies
+        BUILD_DEP_FIELDS.each do |field_name|
+          next unless fields[field_name.downcase]
+
+          parse_dependency_list(fields[field_name.downcase]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "build",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        # Runtime dependencies
+        RUNTIME_DEP_FIELDS.each do |field_name|
+          next unless fields[field_name.downcase]
+
+          parse_dependency_list(fields[field_name.downcase]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "runtime",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_fields(contents)
+        fields = {}
+        current_field = nil
+        current_value = []
+
+        contents.each_line do |line|
+          if line =~ /^(\S+):\s*(.*)$/
+            # Save previous field
+            if current_field
+              fields[current_field] = current_value.join(" ").strip
+            end
+            current_field = $1.downcase
+            current_value = [$2]
+          elsif line =~ /^\s+(.*)$/ && current_field
+            # Continuation line
+            current_value << $1
+          elsif line.strip.empty?
+            # Empty line - save current field and reset
+            if current_field
+              fields[current_field] = current_value.join(" ").strip
+            end
+            current_field = nil
+            current_value = []
+          end
+        end
+
+        # Save last field
+        if current_field
+          fields[current_field] = current_value.join(" ").strip
+        end
+
+        fields
+      end
+
+      def self.parse_dependency_list(dep_string)
+        deps = []
+
+        # Dependencies are comma-separated
+        dep_string.split(/,/).each do |dep|
+          dep = dep.strip
+          next if dep.empty?
+          next if dep.start_with?("$") # Skip substitution variables like ${shlibs:Depends}
+
+          # Handle alternatives (pkg1 | pkg2) - just take the first one
+          dep = dep.split("|").first.strip
+
+          # Parse package name and optional version constraint
+          # Format: package (>= 1.0) or just package
+          if dep =~ /^(\S+)\s*\(([^)]+)\)$/
+            name = $1
+            constraint = $2.strip
+            deps << { name: name, requirement: constraint }
+          elsif dep =~ /^(\S+)$/
+            deps << { name: $1, requirement: nil }
+          end
+        end
+
+        deps
+      end
+    end
+  end
+end