@opencodehub/ingestion 0.1.0

package/dist/pipeline/dep-parsers/npm.js

@@ -0,0 +1,309 @@
+/**
+ * npm ecosystem manifest parser.
+ *
+ * Entry manifest path kinds we recognise:
+ *   - `package-lock.json` — npm lockfile (v1, v2, v3)
+ *   - `pnpm-lock.yaml` — pnpm lockfile (5.x, 6.x, 9.x)
+ *   - `package.json` — fallback when no lockfile sits beside it
+ *
+ * For lockfiles we lean on `snyk-nodejs-lockfile-parser` (Apache-2.0).
+ * The top-level `buildDepTree` shim only supports the legacy v1
+ * lockfile format; we therefore call the ecosystem-specific dep-graph
+ * builders (`parseNpmLockV2Project`, `parsePnpmProject`) which handle
+ * lockfileVersion 2/3 and modern pnpm layouts.
+ *
+ * For bare `package.json` (no lockfile), we parse top-level
+ * `dependencies` + `devDependencies` directly — the version is the raw
+ * semver specifier from the manifest (e.g. `^1.2.3`), which is the best
+ * signal available without a resolver.
+ *
+ * Errors (malformed JSON/YAML, snyk parser throws) are captured and
+ * reported via `onWarn`; the parser returns `[]` in that case.
+ */
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { InvalidUserInputError, OutOfSyncError, parseNpmLockV2Project, parsePnpmProject, } from "snyk-nodejs-lockfile-parser";
+const NPM_ECO = "npm";
+/**
+ * Dispatcher keyed on the final path segment.
+ * `package.json` files are only parsed in "bare" mode when no lockfile
+ * sits beside them; the phase passes only manifests that earned this.
+ */
+export const parseNpmDeps = async (input) => {
+    const basename = path.basename(input.relPath);
+    try {
+        if (basename === "package-lock.json") {
+            return await parsePackageLock(input.absPath, input.relPath, input.onWarn);
+        }
+        if (basename === "pnpm-lock.yaml") {
+            return await parsePnpmLock(input.absPath, input.relPath, input.onWarn);
+        }
+        if (basename === "package.json") {
+            return await parseBarePackageJson(input.absPath, input.relPath, input.onWarn);
+        }
+    }
+    catch (err) {
+        input.onWarn(`npm: failed to parse ${input.relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    return [];
+};
+async function parsePackageLock(absPath, relPath, onWarn) {
+    const { manifestContents, lockContents } = await readManifestAndLock(absPath, relPath, onWarn, "package-lock.json");
+    if (manifestContents === undefined || lockContents === undefined)
+        return [];
+    let graph;
+    try {
+        graph = (await parseNpmLockV2Project(manifestContents, lockContents, {
+            includeDevDeps: true,
+            includeOptionalDeps: true,
+            strictOutOfSync: false,
+            pruneCycles: true,
+        }));
+    }
+    catch (err) {
+        if (err instanceof InvalidUserInputError || err instanceof OutOfSyncError) {
+            onWarn(`npm: ${relPath} parse error: ${err.message}`);
+            return [];
+        }
+        onWarn(`npm: ${relPath} parse error: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    const licenses = harvestLicensesFromLockJson(lockContents);
+    return collectFromGraph(graph, relPath, licenses);
+}
+async function parsePnpmLock(absPath, relPath, onWarn) {
+    const { manifestContents, lockContents } = await readManifestAndLock(absPath, relPath, onWarn, "pnpm-lock.yaml");
+    if (manifestContents === undefined || lockContents === undefined)
+        return [];
+    let graph;
+    try {
+        graph = (await parsePnpmProject(manifestContents, lockContents, {
+            includeDevDeps: true,
+            includeOptionalDeps: true,
+            strictOutOfSync: false,
+            pruneWithinTopLevelDeps: true,
+        }));
+    }
+    catch (err) {
+        if (err instanceof InvalidUserInputError || err instanceof OutOfSyncError) {
+            onWarn(`npm: ${relPath} parse error: ${err.message}`);
+            return [];
+        }
+        onWarn(`npm: ${relPath} parse error: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    // pnpm v9+ lockfiles inline `resolution.integrity` + optionally
+    // per-snapshot licenses — harvest what's present, best-effort.
+    const licenses = harvestLicensesFromPnpmLockYaml(lockContents);
+    return collectFromGraph(graph, relPath, licenses);
+}
+/**
+ * Parse `pnpm-lock.yaml` text for `name@version → license` pairs.
+ * Pure string scanning to avoid pulling in a YAML parser for a
+ * best-effort field.
+ */
+function harvestLicensesFromPnpmLockYaml(lockContents) {
+    const out = new Map();
+    let currentKey;
+    for (const rawLine of lockContents.split(/\r?\n/)) {
+        // pnpm snapshot keys: `  '/foo@1.2.3':` or `  '/@scope/foo@1.2.3':`.
+        const snapshot = /^\s+['"]?(\/?[^'"\s@]+(?:\/[^'"\s@]+)?@[^'"\s]+)['"]?:\s*$/.exec(rawLine);
+        if (snapshot !== null) {
+            currentKey = (snapshot[1] ?? "").replace(/^\//, "");
+            continue;
+        }
+        const lic = /^\s+license:\s*(.+?)\s*$/.exec(rawLine);
+        if (lic !== null && currentKey !== undefined) {
+            const val = (lic[1] ?? "").replace(/^['"]|['"]$/g, "");
+            if (val.length > 0)
+                out.set(currentKey, val);
+        }
+    }
+    return out;
+}
+/**
+ * Scan `package-lock.json` / `pnpm-lock.yaml` contents for a
+ * `name@version → license` map. Best-effort; returns an empty map on any
+ * parse issue (licenses are optional metadata, not a pipeline invariant).
+ */
+function harvestLicensesFromLockJson(lockContents) {
+    const out = new Map();
+    let json;
+    try {
+        json = JSON.parse(lockContents);
+    }
+    catch {
+        return out;
+    }
+    if (!isObject(json))
+        return out;
+    // v2/v3 lockfile: `packages: { "node_modules/foo": { version, license } }`.
+    const pkgs = json["packages"];
+    if (isObject(pkgs)) {
+        for (const [path, entry] of Object.entries(pkgs)) {
+            if (path === "")
+                continue;
+            if (!isObject(entry))
+                continue;
+            const version = typeof entry["version"] === "string" ? entry["version"] : "";
+            const license = readLicenseField(entry["license"]);
+            const name = pathToPackageName(path);
+            if (name === undefined || version === "" || license === undefined)
+                continue;
+            out.set(`${name}@${version}`, license);
+        }
+    }
+    // Legacy v1 lockfile: `dependencies: { foo: { version, license } }`.
+    const deps = json["dependencies"];
+    if (isObject(deps))
+        collectLegacyLockLicenses(deps, out);
+    return out;
+}
+function pathToPackageName(lockPath) {
+    // `node_modules/foo` or `node_modules/@scope/name` — return the
+    // rightmost `node_modules/<name>` segment. Nested forms follow the
+    // same suffix shape so the same scan works.
+    const idx = lockPath.lastIndexOf("node_modules/");
+    if (idx < 0)
+        return undefined;
+    const tail = lockPath.slice(idx + "node_modules/".length);
+    if (tail === "")
+        return undefined;
+    if (tail.startsWith("@")) {
+        const parts = tail.split("/");
+        if (parts.length < 2)
+            return undefined;
+        return `${parts[0]}/${parts[1]}`;
+    }
+    return tail.split("/")[0];
+}
+function collectLegacyLockLicenses(deps, out) {
+    for (const [name, entry] of Object.entries(deps)) {
+        if (!isObject(entry))
+            continue;
+        const version = typeof entry["version"] === "string" ? entry["version"] : "";
+        const license = readLicenseField(entry["license"]);
+        if (version !== "" && license !== undefined)
+            out.set(`${name}@${version}`, license);
+        const nested = entry["dependencies"];
+        if (isObject(nested))
+            collectLegacyLockLicenses(nested, out);
+    }
+}
+/** `license` may be a string, `{ type, url }`, or an array of those. */
+function readLicenseField(raw) {
+    if (typeof raw === "string" && raw.length > 0)
+        return raw;
+    if (isObject(raw)) {
+        const t = raw["type"];
+        if (typeof t === "string" && t.length > 0)
+            return t;
+    }
+    if (Array.isArray(raw)) {
+        const parts = [];
+        for (const item of raw) {
+            const got = readLicenseField(item);
+            if (got !== undefined)
+                parts.push(got);
+        }
+        if (parts.length > 0)
+            return parts.join(" OR ");
+    }
+    return undefined;
+}
+async function parseBarePackageJson(absPath, relPath, onWarn) {
+    let raw;
+    try {
+        raw = await fs.readFile(absPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`npm: cannot read ${relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    let json;
+    try {
+        json = JSON.parse(raw);
+    }
+    catch (err) {
+        onWarn(`npm: ${relPath} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(json)) {
+        onWarn(`npm: ${relPath} top-level is not an object`);
+        return [];
+    }
+    const out = [];
+    for (const field of ["dependencies", "devDependencies"]) {
+        const bag = json[field];
+        if (!isObject(bag))
+            continue;
+        for (const [name, version] of Object.entries(bag)) {
+            if (typeof version !== "string")
+                continue;
+            out.push({
+                ecosystem: NPM_ECO,
+                name,
+                version,
+                lockfileSource: relPath,
+            });
+        }
+    }
+    return out;
+}
+async function readManifestAndLock(absPath, relPath, onWarn, lockLabel) {
+    const lockDir = path.dirname(absPath);
+    const manifestPath = path.join(lockDir, "package.json");
+    let manifestContents;
+    try {
+        manifestContents = await fs.readFile(manifestPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`npm: ${lockLabel} at ${relPath} lacks sibling package.json (${err instanceof Error ? err.message : String(err)})`);
+        return {};
+    }
+    let lockContents;
+    try {
+        lockContents = await fs.readFile(absPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`npm: cannot read ${relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return {};
+    }
+    return { manifestContents, lockContents };
+}
+function collectFromGraph(graph, lockfileSource, licenses = new Map()) {
+    const out = [];
+    const seen = new Set();
+    const rootName = lockfileSource;
+    for (const pkg of graph.getPkgs()) {
+        const name = pkg.name;
+        const version = pkg.version ?? "";
+        if (!name || !version)
+            continue;
+        // `getPkgs` includes the root package keyed by the manifest's
+        // declared name — drop it so the manifest itself doesn't appear as
+        // its own dependency. We detect it by "no version" OR root-name
+        // string; the former already short-circuits above, the latter is a
+        // belt-and-suspenders extra check.
+        if (name === rootName)
+            continue;
+        const key = `${name}@${version}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        const license = licenses.get(key);
+        out.push({
+            ecosystem: NPM_ECO,
+            name,
+            version,
+            lockfileSource,
+            ...(license !== undefined ? { license } : {}),
+        });
+    }
+    return out;
+}
+function isObject(x) {
+    return typeof x === "object" && x !== null && !Array.isArray(x);
+}
+//# sourceMappingURL=npm.js.map

package/dist/pipeline/dep-parsers/npm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.js","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/npm.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,6BAA6B,CAAC;AAGrC,MAAM,OAAO,GAAG,KAAc,CAAC;AAO/B;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAgB,KAAK,EAAE,KAAK,EAAE,EAAE;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YACrC,OAAO,MAAM,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;YAClC,OAAO,MAAM,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;YAChC,OAAO,MAAM,oBAAoB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,MAAM,CACV,wBAAwB,KAAK,CAAC,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC;AAEF,KAAK,UAAU,gBAAgB,CAC7B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,mBAAmB,CAClE,OAAO,EACP,OAAO,EACP,MAAM,EACN,mBAAmB,CACpB,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAE5E,IAAI,KAAmB,CAAC;IACxB,IAAI,CAAC;QACH,KAAK,GAAG,CAAC,MAAM,qBAAqB,CAAC,gBAAgB,EAAE,YAAY,EAAE;YACnE,cAAc,EAAE,IAAI;YACpB,mBAAmB,EAAE,IAAI;YACzB,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,IAAI;SAClB,CAAC,CAA4B,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;YAC1E,MAAM,CAAC,QAAQ,OAAO,iBAAiB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,CAAC,QAAQ,OAAO,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,2BAA2B,CAAC,YAAY,CAAC,CAAC;IAC3D,OAAO,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,mBAAmB,CAClE,OAAO,EACP,OAAO,EACP,MAAM,EACN,gBAAgB,CACjB,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAE5E,IAAI,KAAmB,CAAC;IACxB,IAAI,CAAC;QACH,KAAK,GAAG,CAAC,MAAM,gBAAgB,CAAC,gBAAgB,EAAE,YAAY,EAAE;YAC9D,cAAc,EAAE,IAAI;YACpB,mBAAmB,EAAE,IAAI;YACzB,eAAe,EAAE,KAAK;YACtB,uBAAuB,EAAE,IAAI;SAC9B,CAAC,CAA4B,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;YAC1E,MAAM,CAAC,QAAQ,OAAO,iBAAiB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,CAAC,QAAQ,OAAO,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,gEAAgE;IAChE,+DAA+D;IAC/D,MAAM,QAAQ,GAAG,+BAA+B,CAAC,YAAY,CAAC,CAAC;IAC/D,OAAO,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,SAAS,+BAA+B,CAAC,YAAoB;IAC3D,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,IAAI,UAA8B,CAAC;IACnC,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,qEAAqE;QACrE,MAAM,QAAQ,GAAG,4DAA4D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5F,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,UAAU,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACpD,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,GAAG,KAAK,IAAI,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;YACvD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAS,2BAA2B,CAAC,YAAoB;IACvD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IAChC,4EAA4E;IAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9B,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,IAAI,IAAI,KAAK,EAAE;gBAAE,SAAS;YAC1B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC/B,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,SAAS,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;YACnD,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE,IAAI,OAAO,KAAK,SAAS;gBAAE,SAAS;YAC5E,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IACD,qEAAqE;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,IAAI,CAAC;QAAE,yBAAyB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,gEAAgE;IAChE,mEAAmE;IACnE,4CAA4C;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;IAClD,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC1D,IAAI,IAAI,KAAK,EAAE;QAAE,OAAO,SAAS,CAAC;IAClC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,SAAS,CAAC;QACvC,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACnC,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,yBAAyB,CAAC,IAA6B,EAAE,GAAwB;IACxF,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,SAAS;QAC/B,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,SAAS,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7E,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QACnD,IAAI,OAAO,KAAK,EAAE,IAAI,OAAO,KAAK,SAAS;YAAE,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;QACpF,MAAM,MAAM,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC;QACrC,IAAI,QAAQ,CAAC,MAAM,CAAC;YAAE,yBAAyB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED,wEAAwE;AACxE,SAAS,gBAAgB,CAAC,GAAY;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1D,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClB,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,GAAG,KAAK,SAAS;gBAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,oBAAoB,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,QAAQ,OAAO,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACzF,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,CAAC,QAAQ,OAAO,6BAA6B,CAAC,CAAC;QACrD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,KAAK,MAAM,KAAK,IAAI,CAAC,cAAc,EAAE,iBAAiB,CAAU,EAAE,CAAC;QACjE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAClD,IAAI,OAAO,OAAO,KAAK,QAAQ;gBAAE,SAAS;YAC1C,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,OAAO;gBAClB,IAAI;gBACJ,OAAO;gBACP,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,OAAe,EACf,OAAe,EACf,MAA2B,EAC3B,SAAiB;IAEjB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IACxD,IAAI,gBAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,QAAQ,SAAS,OAAO,OAAO,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CACnH,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,oBAAoB,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3F,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,gBAAgB,CACvB,KAAmB,EACnB,cAAsB,EACtB,WAAwC,IAAI,GAAG,EAAE;IAEjD,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,QAAQ,GAAG,cAAc,CAAC;IAChC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,SAAS;QAChC,8DAA8D;QAC9D,mEAAmE;QACnE,gEAAgE;QAChE,mEAAmE;QACnE,mCAAmC;QACnC,IAAI,IAAI,KAAK,QAAQ;YAAE,SAAS;QAChC,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,GAAG,CAAC,IAAI,CAAC;YACP,SAAS,EAAE,OAAO;YAClB,IAAI;YACJ,OAAO;YACP,cAAc;YACd,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC"}

package/dist/pipeline/dep-parsers/nuget.d.ts

@@ -0,0 +1,24 @@
+/**
+ * NuGet ecosystem manifest parser.
+ *
+ * Supported inputs:
+ *   - `*.csproj` / `*.fsproj` / `*.vbproj` — MSBuild XML containing
+ *     `<PackageReference Include="..." Version="..." />` entries inside
+ *     `<ItemGroup>` blocks.
+ *   - `packages.lock.json` — JSON emitted by
+ *     `dotnet restore --use-lock-file`; direct + transitive deps keyed by
+ *     framework.
+ *
+ * The direct-dependency version is captured verbatim from the manifest.
+ * For packages.lock.json we emit every package regardless of whether it
+ * was declared `Direct` or `Transitive` — the SBOM needs the full set.
+ *
+ * License detection: csproj / packages.lock.json rarely carry per-dep
+ * licenses (those live in each `.nupkg`'s nuspec). The parser still
+ * looks for a non-standard `<License>` child on `<PackageReference>` and
+ * for a `license` field on lockfile entries (used by a few custom
+ * tooling pipelines); it leaves the field undefined otherwise.
+ */
+import type { ParseDepsFn } from "./types.js";
+export declare const parseNugetDeps: ParseDepsFn;
+//# sourceMappingURL=nuget.d.ts.map

package/dist/pipeline/dep-parsers/nuget.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nuget.d.ts","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/nuget.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAoB,MAAM,YAAY,CAAC;AAKhE,eAAO,MAAM,cAAc,EAAE,WAiB5B,CAAC"}

package/dist/pipeline/dep-parsers/nuget.js

@@ -0,0 +1,178 @@
+/**
+ * NuGet ecosystem manifest parser.
+ *
+ * Supported inputs:
+ *   - `*.csproj` / `*.fsproj` / `*.vbproj` — MSBuild XML containing
+ *     `<PackageReference Include="..." Version="..." />` entries inside
+ *     `<ItemGroup>` blocks.
+ *   - `packages.lock.json` — JSON emitted by
+ *     `dotnet restore --use-lock-file`; direct + transitive deps keyed by
+ *     framework.
+ *
+ * The direct-dependency version is captured verbatim from the manifest.
+ * For packages.lock.json we emit every package regardless of whether it
+ * was declared `Direct` or `Transitive` — the SBOM needs the full set.
+ *
+ * License detection: csproj / packages.lock.json rarely carry per-dep
+ * licenses (those live in each `.nupkg`'s nuspec). The parser still
+ * looks for a non-standard `<License>` child on `<PackageReference>` and
+ * for a `license` field on lockfile entries (used by a few custom
+ * tooling pipelines); it leaves the field undefined otherwise.
+ */
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { XMLParser } from "fast-xml-parser";
+const NUGET_ECO = "nuget";
+const MSBUILD_EXTS = new Set([".csproj", ".fsproj", ".vbproj"]);
+export const parseNugetDeps = async (input) => {
+    const basename = path.basename(input.relPath);
+    const ext = path.extname(basename).toLowerCase();
+    try {
+        if (MSBUILD_EXTS.has(ext)) {
+            return await parseMsbuildProject(input.absPath, input.relPath, input.onWarn);
+        }
+        if (basename === "packages.lock.json") {
+            return await parsePackagesLock(input.absPath, input.relPath, input.onWarn);
+        }
+    }
+    catch (err) {
+        input.onWarn(`nuget: failed to parse ${input.relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    return [];
+};
+async function parseMsbuildProject(absPath, relPath, onWarn) {
+    let raw;
+    try {
+        raw = await fs.readFile(absPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`nuget: cannot read ${relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    const parser = new XMLParser({
+        ignoreAttributes: false,
+        attributeNamePrefix: "@_",
+        allowBooleanAttributes: true,
+        parseTagValue: true,
+        trimValues: true,
+    });
+    let parsed;
+    try {
+        parsed = parser.parse(raw);
+    }
+    catch (err) {
+        onWarn(`nuget: ${relPath} is not valid XML: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(parsed))
+        return [];
+    const project = parsed["Project"];
+    if (!isObject(project))
+        return [];
+    const out = [];
+    const itemGroupRaw = project["ItemGroup"];
+    const itemGroups = Array.isArray(itemGroupRaw)
+        ? itemGroupRaw
+        : itemGroupRaw === undefined
+            ? []
+            : [itemGroupRaw];
+    for (const group of itemGroups) {
+        if (!isObject(group))
+            continue;
+        const refRaw = group["PackageReference"];
+        const refs = Array.isArray(refRaw) ? refRaw : refRaw === undefined ? [] : [refRaw];
+        for (const ref of refs) {
+            const { name, version, license } = extractPackageRef(ref);
+            if (!name)
+                continue;
+            out.push({
+                ecosystem: NUGET_ECO,
+                name,
+                version: version ?? "UNKNOWN",
+                lockfileSource: relPath,
+                ...(license !== undefined ? { license } : {}),
+            });
+        }
+    }
+    return out;
+}
+async function parsePackagesLock(absPath, relPath, onWarn) {
+    let raw;
+    try {
+        raw = await fs.readFile(absPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`nuget: cannot read ${relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    let json;
+    try {
+        json = JSON.parse(raw);
+    }
+    catch (err) {
+        onWarn(`nuget: ${relPath} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(json))
+        return [];
+    const deps = json["dependencies"];
+    if (!isObject(deps))
+        return [];
+    const out = [];
+    for (const framework of Object.values(deps)) {
+        if (!isObject(framework))
+            continue;
+        for (const [name, entry] of Object.entries(framework)) {
+            if (!isObject(entry))
+                continue;
+            const resolved = entry["resolved"];
+            if (typeof resolved !== "string")
+                continue;
+            out.push({
+                ecosystem: NUGET_ECO,
+                name,
+                version: resolved,
+                lockfileSource: relPath,
+            });
+        }
+    }
+    return out;
+}
+function extractPackageRef(ref) {
+    if (!isObject(ref))
+        return {};
+    const includeAttr = ref["@_Include"];
+    const versionAttr = ref["@_Version"];
+    // Version may also be supplied as a child element <Version>.
+    const versionChild = ref["Version"];
+    const name = typeof includeAttr === "string" ? includeAttr.trim() : undefined;
+    let version;
+    if (typeof versionAttr === "string")
+        version = versionAttr.trim();
+    else if (typeof versionAttr === "number")
+        version = String(versionAttr);
+    else if (typeof versionChild === "string")
+        version = versionChild.trim();
+    else if (typeof versionChild === "number")
+        version = String(versionChild);
+    // Non-standard `<License>` attribute / element, emitted by a few
+    // custom tooling pipelines that predeclare license metadata next to
+    // the version pin.
+    const licenseAttr = ref["@_License"];
+    const licenseChild = ref["License"];
+    let license;
+    if (typeof licenseAttr === "string" && licenseAttr.length > 0)
+        license = licenseAttr.trim();
+    else if (typeof licenseChild === "string" && licenseChild.length > 0)
+        license = licenseChild.trim();
+    return {
+        ...(name !== undefined ? { name } : {}),
+        ...(version !== undefined ? { version } : {}),
+        ...(license !== undefined ? { license } : {}),
+    };
+}
+function isObject(x) {
+    return typeof x === "object" && x !== null && !Array.isArray(x);
+}
+//# sourceMappingURL=nuget.js.map

package/dist/pipeline/dep-parsers/nuget.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nuget.js","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/nuget.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAG5C,MAAM,SAAS,GAAG,OAAgB,CAAC;AACnC,MAAM,YAAY,GAAwB,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AAErF,MAAM,CAAC,MAAM,cAAc,GAAgB,KAAK,EAAE,KAAK,EAAE,EAAE;IACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,IAAI,CAAC;QACH,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,MAAM,mBAAmB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,QAAQ,KAAK,oBAAoB,EAAE,CAAC;YACtC,OAAO,MAAM,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,MAAM,CACV,0BAA0B,KAAK,CAAC,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC;AAEF,KAAK,UAAU,mBAAmB,CAChC,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,sBAAsB,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7F,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,gBAAgB,EAAE,KAAK;QACvB,mBAAmB,EAAE,IAAI;QACzB,sBAAsB,EAAE,IAAI;QAC5B,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,IAAI;KACjB,CAAC,CAAC;IACH,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,UAAU,OAAO,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC1F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAElC,MAAM,GAAG,GAAuB,EAAE,CAAC;IAEnC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAc,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;QACvD,CAAC,CAAC,YAAY;QACd,CAAC,CAAC,YAAY,KAAK,SAAS;YAC1B,CAAC,CAAC,EAAE;YACJ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IACrB,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,SAAS;QAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACzC,MAAM,IAAI,GAAc,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC9F,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI;gBAAE,SAAS;YACpB,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,SAAS;gBACpB,IAAI;gBACJ,OAAO,EAAE,OAAO,IAAI,SAAS;gBAC7B,cAAc,EAAE,OAAO;gBACvB,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,sBAAsB,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7F,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,UAAU,OAAO,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC3F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAE/B,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,SAAS;QACnC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;YACnC,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YAC3C,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,SAAS;gBACpB,IAAI;gBACJ,OAAO,EAAE,QAAQ;gBACjB,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAY;IAKrC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9B,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;IACrC,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;IACrC,6DAA6D;IAC7D,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,IAAI,OAA2B,CAAC;IAChC,IAAI,OAAO,WAAW,KAAK,QAAQ;QAAE,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;SAC7D,IAAI,OAAO,WAAW,KAAK,QAAQ;QAAE,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;SACnE,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;SACpE,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IAE1E,iEAAiE;IACjE,oEAAoE;IACpE,mBAAmB;IACnB,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;IACrC,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,IAAI,OAA2B,CAAC;IAChC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;SACvF,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC;QAClE,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IAEhC,OAAO;QACL,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7C,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC"}

package/dist/pipeline/dep-parsers/python.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Python ecosystem manifest parser.
+ *
+ * Supported inputs:
+ *   - `pyproject.toml` — PEP 621 `[project.dependencies]` + PEP 508
+ *     requirement specifiers, plus the legacy `[tool.poetry.dependencies]`
+ *     table for older Poetry projects.
+ *   - `requirements.txt` — one requirement per line; tolerates `-e`
+ *     (editable installs), `--hash=` lines, `#` comments, blank lines,
+ *     and the `-r` / `-c` include directives (which we skip).
+ *   - `uv.lock` — TOML with a top-level `package = [[...]]` array; each
+ *     entry has `name` and `version`.
+ *
+ * Versions are captured verbatim from the source; v1.0 makes no attempt
+ * to resolve `>=1.0` style ranges into concrete versions (that would
+ * require a PyPI lookup which this phase forbids). Callers consuming
+ * Dependency nodes for SBOM emission can treat "UNKNOWN" as unresolved.
+ */
+import type { ParseDepsFn } from "./types.js";
+export declare const parsePythonDeps: ParseDepsFn;
+//# sourceMappingURL=python.d.ts.map

package/dist/pipeline/dep-parsers/python.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.d.ts","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/python.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAoB,MAAM,YAAY,CAAC;AAIhE,eAAO,MAAM,eAAe,EAAE,WAmB7B,CAAC"}