ecosystems-bibliothecary 15.2.0 → 15.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1399499146bc9abb6b2053d1e842cff2a33e05166f4fca7fed6fba222146f5e
-  data.tar.gz: 2b1460ba23303796a1b73bfa445fee11771857f5270effce6da04e6ed4ff920f
+  metadata.gz: c213dba45d6c84c67ecad66538e68fbd7ff843ec5fb6f6b1d80b757ae9ab5f15
+  data.tar.gz: a0b4a803b35d16820ed19b071ae8984efb9004ba712ca6457e6f9d9412d331e6
 SHA512:
-  metadata.gz: 2ab9631fd2e5472d6a60784685252961f75fcae716561d1e7bd6c1bc7f87bba18f346988b26f787cc13bd666fc06a99db133926726880ee983e01fbe4f64a5d9
-  data.tar.gz: 1dc6d4efca6e8b643ca7c76e495a6b40364169fc8b51d238f2708e5da1ec8d04515adafec8d2042951088729258b3552a547473c93a59ae3f12c7a89ff681065
+  metadata.gz: ade8a88ba728b3d95e333000cdcde1ad8ed9ae885ab775678a1b45c3d3521705f553c293be26ce5d63002f5ec86666e29108b7b456b672c647a58d56af8dc568
+  data.tar.gz: e5fdf2c94bde72360926307a0df9cc6d796d476aa983a5236fa5d13691c4bcf74a5e20bd3c0090725ddd37bfad8a4d0733cc6a2d99b6cf25a64a92ac6a7d507b

data/CHANGELOG.md

@@ -13,6 +13,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [15.3.0]
+
+### Added
+
+- npm: pnpm-workspace.yaml support for catalog dependencies (pnpm 9+)
+- alpm: Arch Linux PKGBUILD parser for depends, makedepends, and checkdepends
+- apk: Alpine Linux APKBUILD parser for depends, makedepends, and checkdepends
+- deb: Debian control file parser for Build-Depends, Depends, Pre-Depends, Recommends, Suggests
+- rpm: RPM spec file parser for BuildRequires and Requires
+- integrity: Added `integrity` field to Dependency class for lockfile hashes (npm package-lock.json, pnpm-lock.yaml, yarn.lock v4, bun.lock, go.sum, Gemfile.lock, deno.lock, composer.lock, stack.yaml.lock, Cargo.lock, Podfile.lock, mix.lock, rebar.lock, manifest.toml, poetry.lock, uv.lock)
+
 ## [15.2.0]
 
 ### Added

data/README.md

@@ -42,6 +42,48 @@ Bibliothecary.analyse('./')
 
 All available config options are in: https://github.com/ecosyste-ms/bibliothecary/blob/master/lib/bibliothecary/configuration.rb
 
+## Dependency fields
+
+Each parsed dependency is a `Bibliothecary::Dependency` with:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | String | Package name |
+| `requirement` | String | Version requirement (defaults to `"*"`) |
+| `platform` | String | Package manager platform (e.g. `"npm"`, `"maven"`) |
+| `type` | String | Dependency scope: `"runtime"`, `"development"`, `"test"`, etc. |
+| `direct` | Boolean | Direct dependency (vs transitive) |
+| `deprecated` | Boolean | Deprecated dependency |
+| `local` | Boolean | Local/file path dependency |
+| `optional` | Boolean | Optional dependency |
+| `original_name` | String | Original name before aliasing/normalization |
+| `original_requirement` | String | Original requirement before resolution |
+| `source` | String | Path to the manifest file |
+| `integrity` | String | Lockfile integrity hash (see table below) |
+
+## Integrity hash support
+
+The `integrity` field is populated for lockfiles that include per-dependency hashes:
+
+| Lockfile | Platform | Hash format |
+|----------|----------|-------------|
+| package-lock.json | npm | `sha512-...` |
+| pnpm-lock.yaml | npm | `sha512-...` |
+| yarn.lock (v2+) | npm | `sha512-...` |
+| bun.lock | npm | `sha512-...` |
+| deno.lock | deno | `sha512-...` |
+| go.sum | go | `h1:...` |
+| Gemfile.lock | rubygems | `sha256=...` |
+| poetry.lock | pypi | `sha256:...` |
+| uv.lock | pypi | `sha256:...` |
+| composer.lock | packagist | `sha1=...` |
+| Cargo.lock | cargo | `sha256=...` |
+| Podfile.lock | cocoapods | `sha1=...` |
+| mix.lock | hex | `sha256=...` |
+| rebar.lock | hex | `sha256=...` |
+| manifest.toml (Gleam) | hex | `sha256=...` |
+| stack.yaml.lock | hackage | `sha256=...` |
+
 ## Supported package manager file formats
 
 - Actions
@@ -49,9 +91,13 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - action.yaml
   - .github/workflows/\*.yml
   - .github/workflows/\*.yaml
+- Alpm
+  - PKGBUILD
 - Anaconda
   - environment.yml
   - environment.yaml
+- Apk
+  - APKBUILD
 - BentoML
   - bentofile.yaml
 - Bower
@@ -86,6 +132,9 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
 - CRAN
   - DESCRIPTION
   - renv.lock
+- Deb
+  - debian/control
+  - control
 - Deno
   - deno.json
   - deno.jsonc
@@ -165,6 +214,7 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - npm-shrinkwrap.json
   - yarn.lock
   - pnpm-lock.yaml
+  - pnpm-workspace.yaml
   - bun.lock
   - npm-ls.json
 - Nuget
@@ -200,6 +250,8 @@ All available config options are in: https://github.com/ecosyste-ms/bibliothecar
   - pdm.lock
   - pip-resolved-dependencies.txt
   - pip-dependency-graph.json
+- Rpm
+  - \*.spec
 - RubyGems
   - Gemfile
   - Gemfile.lock

data/lib/bibliothecary/dependency.rb

@@ -18,6 +18,8 @@ module Bibliothecary
   #   for cases where it did not match the resolved name. This can be used for features like aliasing.
   # @source [String] source An optional string to store the location of the manifest that contained this
   #   dependency, e.g. "src/package.json".
+  # @attr_reader [String] integrity An optional integrity hash from the lockfile, stored as-is
+  #   (e.g. "sha512-abc123..." for npm, "h1:xyz..." for go.sum).
   class Dependency
     FIELDS = %i[
       name
@@ -31,6 +33,7 @@ module Bibliothecary
       optional
       original_name
       source
+      integrity
     ].freeze
 
     attr_reader(*FIELDS)
@@ -46,7 +49,8 @@ module Bibliothecary
       local: nil,
       optional: nil,
       original_name: nil,
-      source: nil
+      source: nil,
+      integrity: nil
     )
       @name = name
       @platform = platform
@@ -59,6 +63,7 @@ module Bibliothecary
       @optional = optional
       @original_name = original_name
       @source = source
+      @integrity = integrity
     end
 
     def eql?(other)

data/lib/bibliothecary/parsers/alpm.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Alpm
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["PKGBUILD"]
+      end
+
+      def self.mapping
+        {
+          match_filename("PKGBUILD") => {
+            kind: "manifest",
+            parser: :parse_pkgbuild,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_pkgbuild(file_contents, options: {})
+        source = options.fetch(:filename, "PKGBUILD")
+        dependencies = []
+
+        # Parse depends (runtime)
+        extract_variable(file_contents, "depends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse makedepends (build)
+        extract_variable(file_contents, "makedepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "build",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse checkdepends (test)
+        extract_variable(file_contents, "checkdepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "test",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.extract_variable(contents, var_name)
+        # PKGBUILD uses bash array syntax: depends=('pkg1' 'pkg2') or depends=(pkg1 pkg2)
+        # Can also span multiple lines
+        pattern = /^#{var_name}=\(([^)]*)\)/m
+        match = contents.match(pattern)
+        return [] unless match
+
+        # Extract items, handling both quoted and unquoted formats
+        # 'pkg1' 'pkg2' or "pkg1" "pkg2" or pkg1 pkg2
+        items = match[1].scan(/['"]([^'"]+)['"]|(\S+)/).flatten.compact
+        items.reject { |d| d.empty? || d.start_with?("$") }
+      end
+
+      def self.parse_dependency(dep_string)
+        # Parse version constraints like "glibc>=2.17" or "openssl>1.1"
+        # Operators: >=, <=, >, <, =
+        if dep_string =~ /^(.+?)([><=]+)(.+)$/
+          [$1, "#{$2}#{$3}"]
+        else
+          [dep_string, nil]
+        end
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/apk.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Apk
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["APKBUILD"]
+      end
+
+      def self.mapping
+        {
+          match_filename("APKBUILD") => {
+            kind: "manifest",
+            parser: :parse_apkbuild,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      def self.parse_apkbuild(file_contents, options: {})
+        source = options.fetch(:filename, "APKBUILD")
+        dependencies = []
+
+        # Parse depends (runtime)
+        extract_variable(file_contents, "depends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "runtime",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse makedepends (build)
+        extract_variable(file_contents, "makedepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "build",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        # Parse checkdepends (test)
+        extract_variable(file_contents, "checkdepends").each do |dep|
+          name, requirement = parse_dependency(dep)
+          dependencies << Dependency.new(
+            name: name,
+            requirement: requirement || "*",
+            type: "test",
+            source: source,
+            platform: platform_name
+          )
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.extract_variable(contents, var_name)
+        # Match variable assignment with double or single quotes, handling multi-line with backslash
+        # Examples:
+        #   depends="foo bar"
+        #   makedepends="foo
+        #   bar"
+        #   checkdepends='foo bar'
+        pattern = /^#{var_name}=["']([^"']*?)["']/m
+        match = contents.match(pattern)
+        return [] unless match
+
+        # Split on whitespace and filter out empty strings, negated packages (!), and variable references ($)
+        match[1].split(/\s+/).reject { |d| d.empty? || d.start_with?("!") || d.start_with?("$") }
+      end
+
+      def self.parse_dependency(dep_string)
+        # Parse version constraints like "openssl-dev>3" or "zlib-dev>=1.2.3"
+        # Operators: >=, <=, >, <, =, ~
+        if dep_string =~ /^(.+?)([><=~]+)(.+)$/
+          [$1, "#{$2}#{$3}"]
+        else
+          [dep_string, nil]
+        end
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/bentoml.rb

@@ -14,7 +14,7 @@ module Bibliothecary
           match_filename("bentofile.yaml") => {
             kind: 'manifest',
             parser: :parse_bentofile,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/bower.rb

@@ -16,6 +16,7 @@ module Bibliothecary
           match_filename("bower.json") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cargo.rb

@@ -55,6 +55,7 @@ module Bibliothecary
           name = block[/name\s*=\s*"([^"]+)"/, 1]
           version = block[/version\s*=\s*"([^"]+)"/, 1]
           source = block[/source\s*=\s*"([^"]+)"/, 1]
+          checksum = block[/checksum\s*=\s*"([^"]+)"/, 1]
 
           # Skip packages without a registry source (local/workspace packages)
           next unless source&.start_with?("registry+")
@@ -64,7 +65,8 @@ module Bibliothecary
             requirement: version,
             type: "runtime",
             source: options.fetch(:filename, nil),
-            platform: platform_name
+            platform: platform_name,
+            integrity: checksum ? "sha256=#{checksum}" : nil
           )
         end
         ParserResult.new(dependencies: dependencies)

data/lib/bibliothecary/parsers/clojars.rb

@@ -16,6 +16,7 @@ module Bibliothecary
           match_filename("project.clj") => {
             kind: "manifest",
             parser: :parse_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/cocoapods.rb

@@ -49,6 +49,9 @@ module Bibliothecary
         source = options.fetch(:filename, nil)
         dependencies = []
 
+        # Parse SPEC CHECKSUMS section to build lookup table
+        checksums = parse_spec_checksums(file_contents)
+
         # Match pod entries: "  - Name (version)" or "  - Name/Subspec (version)"
         # Only process lines in PODS section (before DEPENDENCIES section)
         pods_section = file_contents.split(/^DEPENDENCIES:/)[0]
@@ -60,13 +63,38 @@ module Bibliothecary
             name: base_name,
             requirement: version,
             type: "runtime",
-            source: source
+            source: source,
+            integrity: checksums[base_name]
           )
         end
 
         ParserResult.new(dependencies: dependencies)
       end
 
+      def self.parse_spec_checksums(file_contents)
+        checksums = {}
+        in_checksums = false
+
+        file_contents.each_line do |line|
+          if line.start_with?("SPEC CHECKSUMS:")
+            in_checksums = true
+            next
+          end
+
+          next unless in_checksums
+
+          # End of section (blank line or new section)
+          break if line.strip.empty? || (line !~ /^\s/ && line.strip != "")
+
+          # Match "  Name: sha1hash"
+          if (match = line.match(/^\s+([^:]+):\s*([a-f0-9]+)\s*$/))
+            checksums[match[1]] = "sha1=#{match[2]}"
+          end
+        end
+
+        checksums
+      end
+
       def self.parse_podspec(file_contents, options: {})
         source = options.fetch(:filename, nil)
         deps = []

data/lib/bibliothecary/parsers/cog.rb

@@ -14,7 +14,7 @@ module Bibliothecary
           match_filename("cog.yaml") => {
             kind: 'manifest',
             parser: :parse_cog_yaml,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/conda.rb

@@ -16,10 +16,12 @@ module Bibliothecary
           match_filename("environment.yml") => {
             parser: :parse_conda,
             kind: "manifest",
+            can_have_lockfile: false,
           },
           match_filename("environment.yaml") => {
             parser: :parse_conda,
             kind: "manifest",
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/deb.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+module Bibliothecary
+  module Parsers
+    class Deb
+      include Bibliothecary::Analyser
+
+      def self.file_patterns
+        ["debian/control", "control"]
+      end
+
+      def self.mapping
+        {
+          match_filename("debian/control") => {
+            kind: "manifest",
+            parser: :parse_control,
+            can_have_lockfile: false,
+          },
+          match_filename("control") => {
+            kind: "manifest",
+            parser: :parse_control,
+            can_have_lockfile: false,
+          },
+        }
+      end
+
+      BUILD_DEP_FIELDS = %w[Build-Depends Build-Depends-Indep Build-Depends-Arch].freeze
+      RUNTIME_DEP_FIELDS = %w[Depends Pre-Depends Recommends Suggests].freeze
+
+      def self.parse_control(file_contents, options: {})
+        source = options.fetch(:filename, nil)
+        dependencies = []
+
+        # Parse the control file - it's in RFC 822 format with continuation lines
+        # Fields can span multiple lines if continuation lines start with whitespace
+        fields = parse_fields(file_contents)
+
+        # Build dependencies
+        BUILD_DEP_FIELDS.each do |field_name|
+          next unless fields[field_name.downcase]
+
+          parse_dependency_list(fields[field_name.downcase]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "build",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        # Runtime dependencies
+        RUNTIME_DEP_FIELDS.each do |field_name|
+          next unless fields[field_name.downcase]
+
+          parse_dependency_list(fields[field_name.downcase]).each do |dep|
+            dependencies << Dependency.new(
+              name: dep[:name],
+              requirement: dep[:requirement] || "*",
+              type: "runtime",
+              source: source,
+              platform: platform_name
+            )
+          end
+        end
+
+        ParserResult.new(dependencies: dependencies)
+      end
+
+      def self.parse_fields(contents)
+        fields = {}
+        current_field = nil
+        current_value = []
+
+        contents.each_line do |line|
+          if line =~ /^(\S+):\s*(.*)$/
+            # Save previous field
+            if current_field
+              fields[current_field] = current_value.join(" ").strip
+            end
+            current_field = $1.downcase
+            current_value = [$2]
+          elsif line =~ /^\s+(.*)$/ && current_field
+            # Continuation line
+            current_value << $1
+          elsif line.strip.empty?
+            # Empty line - save current field and reset
+            if current_field
+              fields[current_field] = current_value.join(" ").strip
+            end
+            current_field = nil
+            current_value = []
+          end
+        end
+
+        # Save last field
+        if current_field
+          fields[current_field] = current_value.join(" ").strip
+        end
+
+        fields
+      end
+
+      def self.parse_dependency_list(dep_string)
+        deps = []
+
+        # Dependencies are comma-separated
+        dep_string.split(/,/).each do |dep|
+          dep = dep.strip
+          next if dep.empty?
+          next if dep.start_with?("$") # Skip substitution variables like ${shlibs:Depends}
+
+          # Handle alternatives (pkg1 | pkg2) - just take the first one
+          dep = dep.split("|").first.strip
+
+          # Parse package name and optional version constraint
+          # Format: package (>= 1.0) or just package
+          if dep =~ /^(\S+)\s*\(([^)]+)\)$/
+            name = $1
+            constraint = $2.strip
+            deps << { name: name, requirement: constraint }
+          elsif dep =~ /^(\S+)$/
+            deps << { name: $1, requirement: nil }
+          end
+        end
+
+        deps
+      end
+    end
+  end
+end

data/lib/bibliothecary/parsers/deno.rb

@@ -52,16 +52,30 @@ module Bibliothecary
         manifest = JSON.parse(file_contents)
         source = options.fetch(:filename, nil)
 
+        # Build integrity lookup from jsr and npm sections
+        integrity_map = {}
+        manifest.fetch("jsr", {}).each do |key, value|
+          integrity_map["jsr:#{key}"] = value["integrity"] if value.is_a?(Hash) && value["integrity"]
+        end
+        manifest.fetch("npm", {}).each do |key, value|
+          integrity_map["npm:#{key}"] = value["integrity"] if value.is_a?(Hash) && value["integrity"]
+        end
+
         dependencies = manifest.fetch("specifiers", {}).map do |specifier, resolved_version|
           name, _requirement = parse_specifier(specifier)
           next unless name
 
+          # Determine protocol (npm: or jsr:) and build lookup key
+          protocol = specifier.start_with?("jsr:") ? "jsr" : "npm"
+          integrity_key = "#{protocol}:#{name}@#{resolved_version}"
+
           Dependency.new(
             name: name,
             requirement: resolved_version,
             type: "runtime",
             source: source,
-            platform: platform_name
+            platform: platform_name,
+            integrity: integrity_map[integrity_key]
           )
         end.compact
 

data/lib/bibliothecary/parsers/dub.rb

@@ -18,10 +18,12 @@ module Bibliothecary
           match_filename("dub.json") => {
             kind: "manifest",
             parser: :parse_json_manifest,
+            can_have_lockfile: false,
           },
           match_filename("dub.sdl") => {
             kind: "manifest",
             parser: :parse_sdl_manifest,
+            can_have_lockfile: false,
           },
         }
       end

data/lib/bibliothecary/parsers/dvc.rb

@@ -14,7 +14,7 @@ module Bibliothecary
           match_filename("dvc.yaml") => {
             kind: 'manifest',
             parser: :parse_dvc_yaml,
-            related_to: [ 'manifest' ]
+            can_have_lockfile: false,
           }
         }
       end

data/lib/bibliothecary/parsers/go.rb

@@ -209,10 +209,12 @@ module Bibliothecary
             requirement: match[2].strip.split("/").first,
             type: "runtime",
             source: options.fetch(:filename, nil),
-            platform: platform_name
+            platform: platform_name,
+            integrity: match[3].strip
           )
         end
-        dependencies = deps.uniq
+        # Dedupe by name+requirement, keeping the first occurrence (h1 hash, not go.mod hash)
+        dependencies = deps.uniq { |d| [d.name, d.requirement] }
         ParserResult.new(dependencies: dependencies)
       end
 

data/lib/bibliothecary/parsers/hackage.rb

@@ -12,8 +12,8 @@ module Bibliothecary
       # Matches build-tool-depends format: package:tool == version
       BUILD_TOOL_REGEXP = /^\s*([a-zA-Z][a-zA-Z0-9-]*):[a-zA-Z][a-zA-Z0-9-]*\s*((?:[<>=!]+\s*[\d.*]+(?:\s*&&\s*[<>=!]+\s*[\d.*]+)*)?)/
 
-      # Matches stack.yaml.lock hackage entries like: hackage: fuzzyset-0.2.4@sha256:...
-      STACK_LOCK_REGEXP = /hackage:\s*([a-zA-Z0-9-]+)-([0-9.]+)@/
+      # Matches stack.yaml.lock hackage entries like: hackage: fuzzyset-0.2.4@sha256:hash,size
+      STACK_LOCK_REGEXP = /hackage:\s*([a-zA-Z0-9-]+)-([0-9.]+)@sha256:([a-f0-9]+)/
 
       def self.file_patterns
         ["*.cabal", "*cabal.config", "stack.yaml.lock", "cabal.project.freeze"]
@@ -198,7 +198,8 @@ module Bibliothecary
             name: match[1],
             requirement: match[2],
             type: "runtime",
-            source: source
+            source: source,
+            integrity: "sha256=#{match[3]}"
           )
         end