@trustify-da/trustify-da-javascript-client 0.3.0-ea.0e9ba23 → 0.3.0-ea.1b02307

package/dist/src/providers/processors/yarn_berry_processor.js

@@ -15,7 +15,10 @@ export default class Yarn_berry_processor extends Yarn_processor {
      * @returns {string[]} Command arguments for listing dependencies
      */
     listCmdArgs(includeTransitive) {
-        return ['info', includeTransitive ? '--recursive' : '--all', '--json'];
+        // --all is needed to include workspace members in the output
+        return includeTransitive
+            ? ['info', '--recursive', '--all', '--json']
+            : ['info', '--all', '--json'];
     }
     /**
      * Returns the command arguments for updating the lock file
@@ -48,13 +51,15 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!depTree) {
             return new Map();
         }
-        return new Map(depTree.filter(dep => !this.#isRoot(dep.value)).map(dep => {
+        return new Map(depTree.filter(dep => !this.#isRoot(dep.value))
+            .map(dep => {
             const depName = dep.value;
             const idx = depName.lastIndexOf('@');
             const name = depName.substring(0, idx);
             const version = dep.children.Version;
             return [name, toPurl(purlType, name, version)];
-        }));
+        })
+            .filter(([name]) => this._manifest.dependencies.includes(name)));
     }
     /**
    * Checks if a dependency is the root package
@@ -66,7 +71,8 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!name) {
             return false;
         }
-        return name.endsWith("@workspace:.");
+        // Workspace members use paths like "member-a@workspace:packages/member-a", not just "@workspace:."
+        return name.startsWith(`${this._manifest.name}@workspace:`);
     }
     /**
    * Adds dependencies to the SBOM
@@ -77,14 +83,58 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!depTree) {
             return;
         }
+        // Build index of nodes by their value for quick lookup
+        const nodeIndex = new Map();
+        depTree.forEach(n => nodeIndex.set(n.value, n));
+        // Determine the set of node values reachable from root via production deps
+        const prodDeps = new Set(this._manifest.dependencies);
+        const reachable = new Set();
+        const queue = [];
+        // Seed with root's production dependencies
+        const rootNode = depTree.find(n => this.#isRoot(n.value));
+        if (rootNode?.children?.Dependencies) {
+            for (const d of rootNode.children.Dependencies) {
+                const to = this.#purlFromLocator(d.locator);
+                if (to) {
+                    const fullName = to.namespace ? `${to.namespace}/${to.name}` : to.name;
+                    if (prodDeps.has(fullName)) {
+                        queue.push(d.locator);
+                    }
+                }
+            }
+        }
+        // BFS to find all transitively reachable packages
+        while (queue.length > 0) {
+            const locator = queue.shift();
+            if (reachable.has(locator)) {
+                continue;
+            }
+            reachable.add(locator);
+            const node = nodeIndex.get(this.#nodeValueFromLocator(locator));
+            if (node?.children?.Dependencies) {
+                for (const d of node.children.Dependencies) {
+                    if (!reachable.has(d.locator)) {
+                        queue.push(d.locator);
+                    }
+                }
+            }
+        }
+        // Only emit edges for root and reachable nodes
         depTree.forEach(n => {
             const depName = n.value;
-            const from = this.#isRoot(depName) ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
+            const isRoot = this.#isRoot(depName);
+            if (!isRoot && !this.#isReachableNode(depName, reachable)) {
+                return;
+            }
+            const from = isRoot ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
             const deps = n.children?.Dependencies;
             if (!deps) {
                 return;
             }
             deps.forEach(d => {
+                if (!reachable.has(d.locator)) {
+                    return;
+                }
                 const to = this.#purlFromLocator(d.locator);
                 if (to) {
                     sbom.addDependency(from, to);
@@ -92,6 +142,39 @@ export default class Yarn_berry_processor extends Yarn_processor {
             });
         });
     }
+    /**
+     * Converts a locator to the node value format used in yarn info output
+     * @param {string} locator - e.g. "express@npm:4.17.1"
+     * @returns {string} The node value, same as locator for non-virtual
+     * @private
+     */
+    #nodeValueFromLocator(locator) {
+        // Virtual locators: "@scope/name@virtual:hash#npm:version" → "@scope/name@npm:version"
+        const virtualMatch = Yarn_berry_processor.VIRTUAL_LOCATOR_PATTERN.exec(locator);
+        if (virtualMatch) {
+            return `${virtualMatch[1]}@npm:${virtualMatch[2]}`;
+        }
+        return locator;
+    }
+    /**
+     * Checks if a node is in the reachable set by matching its value against reachable locators
+     * @param {string} depName - The node value (e.g. "express@npm:4.17.1")
+     * @param {Set<string>} reachable - Set of reachable locators
+     * @returns {boolean}
+     * @private
+     */
+    #isReachableNode(depName, reachable) {
+        if (reachable.has(depName)) {
+            return true;
+        }
+        // Check if any reachable locator resolves to this node value
+        for (const locator of reachable) {
+            if (this.#nodeValueFromLocator(locator) === depName) {
+                return true;
+            }
+        }
+        return false;
+    }
     /**
    * Creates a PackageURL from a dependency locator
    * @param {string} locator - The dependency locator

package/dist/src/providers/python_controller.d.ts

@@ -1,4 +1,4 @@
-/** @typedef {{name: string, version: string, dependencies: DependencyEntry[]}} DependencyEntry */
+/** @typedef {{name: string, version: string, dependencies: DependencyEntry[], hashes?: Array<{alg: string, content: string}>}} DependencyEntry */
 export default class Python_controller {
     /**
      * Constructor to create new python controller instance to interact with pip package manager
@@ -31,4 +31,8 @@ export type DependencyEntry = {
     name: string;
     version: string;
     dependencies: DependencyEntry[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };

package/dist/src/providers/python_controller.js

@@ -19,7 +19,54 @@ function getPipShowOutput(depNames) {
         throw new Error('fail invoking \'pip show\' to fetch metadata for all installed packages in environment', { cause: error });
     }
 }
-/** @typedef {{name: string, version: string, dependencies: DependencyEntry[]}} DependencyEntry */
+/**
+ * Get pip inspect output from env var override or by invoking pip inspect.
+ * Returns null if pip inspect is unavailable (pip < 22.2) or if freeze/show
+ * env vars are set without an inspect override (to avoid inconsistent data).
+ * @return {string|null} pip inspect JSON output, or null on failure
+ */
+function getPipInspectOutput() {
+    if (environmentVariableIsPopulated("TRUSTIFY_DA_PIP_INSPECT")) {
+        return new Buffer.from(process.env["TRUSTIFY_DA_PIP_INSPECT"], 'base64').toString('ascii');
+    }
+    if (environmentVariableIsPopulated("TRUSTIFY_DA_PIP_FREEZE") || environmentVariableIsPopulated("TRUSTIFY_DA_PIP_SHOW")) {
+        return null;
+    }
+    try {
+        return invokeCommand(this.pathToPipBin, ['inspect']).toString();
+    }
+    catch (error) {
+        console.warn('pip inspect is not available (requires pip 22.2+), SBOM will be generated without hashes');
+        return null;
+    }
+}
+/**
+ * Parse pip inspect JSON output and build a hash lookup map.
+ * @param {string|null} inspectOutput - raw pip inspect JSON string
+ * @return {Map<string, Array<{alg: string, content: string}>>} map of lowercase package name to hashes
+ */
+function parsePipInspectHashes(inspectOutput) {
+    if (!inspectOutput) {
+        return new Map();
+    }
+    try {
+        let inspectData = JSON.parse(inspectOutput);
+        let hashMap = new Map();
+        for (let pkg of (inspectData.installed || [])) {
+            let name = pkg.metadata?.name;
+            let sha256 = pkg.download_info?.archive_info?.hashes?.sha256;
+            if (name && sha256) {
+                hashMap.set(name.toLowerCase(), [{ alg: "SHA-256", content: sha256 }]);
+            }
+        }
+        return hashMap;
+    }
+    catch (error) {
+        console.warn('Failed to parse pip inspect output, SBOM will be generated without hashes');
+        return new Map();
+    }
+}
+/** @typedef {{name: string, version: string, dependencies: DependencyEntry[], hashes?: Array<{alg: string, content: string}>}} DependencyEntry */
 export default class Python_controller {
     pythonEnvDir;
     pathToPipBin;
@@ -95,7 +142,7 @@ export default class Python_controller {
     }
     /**
      * Parse the requirements.txt file using tree-sitter and return structured requirement data.
-     * @return {Promise<{name: string, version: string|null}[]>}
+     * @return {Promise<{name: string, version: string|null, hasMarker: boolean}[]>}
      */
     async #parseRequirements() {
         const content = fs.readFileSync(this.pathToRequirements).toString();
@@ -107,7 +154,8 @@ export default class Python_controller {
             const version = versionMatches.length > 0
                 ? versionMatches[0].captures.find(c => c.name === 'version').node.text
                 : null;
-            return { name, version };
+            const hasMarker = reqNode.children.some(c => c.type === 'marker_spec');
+            return { name, version, hasMarker };
         }));
     }
     #decideIfWindowsOrLinuxPath(fileName) {
@@ -224,7 +272,12 @@ export default class Python_controller {
                 CachedEnvironmentDeps[packageName.replace("_", "-")] = pipDepTreeEntryForCache;
             });
         }
-        parsedRequirements.forEach(({ name: depName, version: manifestVersion }) => {
+        const inspectOutput = getPipInspectOutput.call(this);
+        const hashMap = parsePipInspectHashes(inspectOutput);
+        parsedRequirements.forEach(({ name: depName, version: manifestVersion, hasMarker }) => {
+            if (hasMarker && CachedEnvironmentDeps[depName.toLowerCase()] === undefined) {
+                return;
+            }
             if (matchManifestVersions === "true" && manifestVersion != null) {
                 let installedVersion;
                 if (CachedEnvironmentDeps[depName.toLowerCase()] !== undefined) {
@@ -243,7 +296,7 @@ export default class Python_controller {
             }
             let path = [];
             path.push(depName.toLowerCase());
-            bringAllDependencies(dependencies, depName, CachedEnvironmentDeps, includeTransitive, path, usePipDepTree);
+            bringAllDependencies(dependencies, depName, CachedEnvironmentDeps, includeTransitive, path, usePipDepTree, hashMap);
         });
         dependencies.sort((dep1, dep2) => {
             const DEP1 = dep1.name.toLowerCase();
@@ -323,8 +376,9 @@ function getDepsList(record) {
  * @param includeTransitive
  * @param usePipDepTree
  * @param {[string]}path array representing the path of the current branch in dependency tree, starting with a root dependency - that is - a given dependency in requirements.txt
+ * @param {Map<string, Array<{alg: string, content: string}>>} hashMap - map of lowercase package name to hashes
  */
-function bringAllDependencies(dependencies, dependencyName, cachedEnvironmentDeps, includeTransitive, path, usePipDepTree) {
+function bringAllDependencies(dependencies, dependencyName, cachedEnvironmentDeps, includeTransitive, path, usePipDepTree, hashMap) {
     if (dependencyName?.trim() === "") {
         return;
     }
@@ -346,7 +400,11 @@ function bringAllDependencies(dependencies, dependencyName, cachedEnvironmentDep
         directDeps = record.dependencies;
     }
     let targetDeps = [];
+    let hashes = hashMap?.get(depName.toLowerCase());
     let entry = { "name": depName, "version": version, "dependencies": [] };
+    if (hashes) {
+        entry.hashes = hashes;
+    }
     dependencies.push(entry);
     directDeps.forEach((dep) => {
         let depArray = [];
@@ -356,7 +414,7 @@ function bringAllDependencies(dependencies, dependencyName, cachedEnvironmentDep
             depArray.push(dep.toLowerCase());
             if (includeTransitive) {
                 // send to recurrsion the array of all deps in path + the current dependency name which is not on the path.
-                bringAllDependencies(targetDeps, dep, cachedEnvironmentDeps, includeTransitive, path.concat(depArray), usePipDepTree);
+                bringAllDependencies(targetDeps, dep, cachedEnvironmentDeps, includeTransitive, path.concat(depArray), usePipDepTree, hashMap);
             }
         }
         // sort ra

package/dist/src/providers/python_pip.d.ts

@@ -4,12 +4,17 @@ declare namespace _default {
     export { provideComponent };
     export { provideStack };
     export { readLicenseFromManifest };
+    export function packageManagerName(): string;
 }
 export default _default;
 export type DependencyEntry = {
     name: string;
     version: string;
     dependencies: DependencyEntry[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };
 /**
  * @param {string} manifestName - the subject manifest name-type

package/dist/src/providers/python_pip.js

@@ -1,16 +1,18 @@
 import fs from 'node:fs';
 import { PackageURL } from 'packageurl-js';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand } from "../tools.js";
 import Python_controller from './python_controller.js';
 import { getParser, getIgnoreQuery, getPinnedVersionQuery } from './requirements_parser.js';
-export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
-/** @typedef {{name: string, version: string, dependencies: DependencyEntry[]}} DependencyEntry */
+export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest, packageManagerName() { return 'pip'; } };
+/** @typedef {{name: string, version: string, dependencies: DependencyEntry[], hashes?: Array<{alg: string, content: string}>}} DependencyEntry */
 /**
  * @type {string} ecosystem for python-pip is 'pip'
  * @private
  */
 const ecosystem = 'pip';
+const NO_SCOPE = undefined;
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `requirements.txt` is the manifest name-type
@@ -24,7 +26,7 @@ function isSupported(manifestName) {
  * @returns {string|null}
  */
 // eslint-disable-next-line no-unused-vars
-function readLicenseFromManifest(manifestPath) { return null; }
+function readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
 /**
  * @param {string} manifestDir - the directory where the manifest lies
  */
@@ -55,7 +57,6 @@ async function provideComponent(manifest, opts = {}) {
         contentType: 'application/vnd.cyclonedx+json'
     };
 }
-/** @typedef {{name: string, , version: string, dependencies: DependencyEntry[]}} DependencyEntry */
 /**
  *
  * @param {PackageURL}source
@@ -65,7 +66,7 @@ async function provideComponent(manifest, opts = {}) {
  */
 function addAllDependencies(source, dep, sbom) {
     let targetPurl = toPurl(dep["name"], dep["version"]);
-    sbom.addDependency(source, targetPurl);
+    sbom.addDependency(source, targetPurl, NO_SCOPE, dep["hashes"]);
     let directDeps = dep["dependencies"];
     if (directDeps !== undefined && directDeps.length > 0) {
         directDeps.forEach((dependency) => { addAllDependencies(toPurl(dep["name"], dep["version"]), dependency, sbom); });
@@ -74,7 +75,7 @@ function addAllDependencies(source, dep, sbom) {
 /**
  *
  * @param {string} manifest - path to requirements.txt
- * @return {PackageURL []}
+ * @return {Promise<PackageURL[]>}
  */
 async function getIgnoredDependencies(manifest) {
     const [parser, ignoreQuery, pinnedVersionQuery] = await Promise.all([
@@ -201,7 +202,7 @@ async function getSbomForComponentAnalysis(manifest, opts = {}) {
     const license = readLicenseFromManifest(manifest);
     sbom.addRoot(rootPurl, license);
     dependencies.forEach(dep => {
-        sbom.addDependency(rootPurl, toPurl(dep.name, dep.version));
+        sbom.addDependency(rootPurl, toPurl(dep.name, dep.version), NO_SCOPE, dep.hashes);
     });
     await handleIgnoredDependencies(manifest, sbom, opts);
     // In python there is no root component, then we must remove the dummy root we added, so the sbom json will be accepted by the DA backend

package/dist/src/providers/python_pip_pyproject.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: {}): boolean;
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir: string, opts?: {}): string;
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson: string): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req: string): boolean;
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req: string): string | null;
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts?: {}): Promise<{
+        directDeps: string[];
+        graph: Map<any, any>;
+    }>;
+    _findEggInfoDirs(dir: any): string[];
+    _cleanupEggInfo(dir: any, existing: any): void;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_pip_pyproject.js

@@ -0,0 +1,146 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return '.pip-lock-nonexistent';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'pip';
+    }
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    // eslint-disable-next-line no-unused-vars
+    validateLockFile(manifestDir, opts = {}) {
+        return true;
+    }
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii');
+        }
+        let pipBin = getCustomPath('pip3', opts);
+        try {
+            invokeCommand(pipBin, ['--version']);
+        }
+        catch {
+            pipBin = getCustomPath('pip', opts);
+        }
+        let eggInfoDirs = this._findEggInfoDirs(manifestDir);
+        let result = invokeCommand(pipBin, [
+            'install', '--dry-run', '--ignore-installed', '--quiet', '--report', '-', '.'
+        ], { cwd: manifestDir }).toString();
+        this._cleanupEggInfo(manifestDir, eggInfoDirs);
+        return result;
+    }
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson) {
+        let report = JSON.parse(reportJson);
+        let packages = report.install || [];
+        let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined);
+        let rootRequires = rootEntry?.metadata?.requires_dist || [];
+        let directDepNames = new Set();
+        for (let req of rootRequires) {
+            if (this._hasExtraMarker(req)) {
+                continue;
+            }
+            let name = this._extractDepName(req);
+            if (name) {
+                directDepNames.add(this._canonicalize(name));
+            }
+        }
+        let graph = new Map();
+        let nonRootPackages = packages.filter(p => p !== rootEntry);
+        for (let pkg of nonRootPackages) {
+            let name = pkg.metadata.name;
+            let version = pkg.metadata.version;
+            let key = this._canonicalize(name);
+            let sha256 = pkg.download_info?.archive_info?.hashes?.sha256;
+            let hashes = sha256 ? [{ alg: "SHA-256", content: sha256 }] : undefined;
+            graph.set(key, { name, version, children: [], hashes });
+        }
+        for (let pkg of nonRootPackages) {
+            let key = this._canonicalize(pkg.metadata.name);
+            let entry = graph.get(key);
+            let requires = pkg.metadata.requires_dist || [];
+            for (let req of requires) {
+                let depName = this._extractDepName(req);
+                if (!depName) {
+                    continue;
+                }
+                let depKey = this._canonicalize(depName);
+                if (graph.has(depKey)) {
+                    entry.children.push(depKey);
+                }
+            }
+        }
+        let directDeps = [...directDepNames].filter(key => graph.has(key));
+        return { directDeps, graph };
+    }
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req) {
+        return /;\s*.*extra\s*==/.test(req);
+    }
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req) {
+        let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+        return match ? match[1] : null;
+    }
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let reportOutput = this._getPipReportOutput(manifestDir, opts);
+        return this._parsePipReport(reportOutput);
+    }
+    _findEggInfoDirs(dir) {
+        try {
+            return fs.readdirSync(dir).filter(f => f.endsWith('.egg-info'));
+        }
+        catch {
+            return [];
+        }
+    }
+    _cleanupEggInfo(dir, existing) {
+        for (let entry of this._findEggInfoDirs(dir)) {
+            if (!existing.includes(entry)) {
+                fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
+            }
+        }
+    }
+}

package/dist/src/providers/python_poetry.d.ts

@@ -0,0 +1,75 @@
+export default class Python_poetry extends Base_pyproject {
+    /**
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (poetry has no workspace support)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts: any): Promise<{
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    }>;
+    /**
+     * Get poetry show --tree output.
+     * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowTreeOutput(manifestDir: string, hasDevGroup: boolean, opts: any): string;
+    /**
+     * Get poetry show --all output (flat list with resolved versions).
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowAllOutput(manifestDir: string, opts: any): string;
+    /**
+     * Parse poetry show --all output into a version map.
+     * Lines look like: "name         (!) 1.2.3  Description text..."
+     * or:              "name             1.2.3  Description text..."
+     * @param {string} output
+     * @returns {Map<string, string>} canonical name -> version
+     */
+    _parsePoetryShowAll(output: string): Map<string, string>;
+    /**
+     * Collects PEP 508 marker expressions for direct and transitive deps.
+     * Direct markers come from pyproject.toml dependency strings, e.g.:
+     *   "pywin32>=311 ; sys_platform == 'win32'"  → directMarkers['pywin32'] = "sys_platform == 'win32'"
+     * Transitive markers come from poetry.lock [package.dependencies] entries, e.g.:
+     *   colorama = {version = "*", markers = "sys_platform == 'win32'"}
+     *   → transitiveMarkers['click']['colorama'] = "sys_platform == 'win32'"
+     * @param {string|null} lockDir
+     * @param {object} parsed - parsed pyproject.toml
+     * @returns {{directMarkers: Map<string, string>, transitiveMarkers: Map<string, Map<string, string>>}}
+     */
+    _extractMarkerData(lockDir: string | null, parsed: object): {
+        directMarkers: Map<string, string>;
+        transitiveMarkers: Map<string, Map<string, string>>;
+    };
+    /**
+     * Parse poetry show --tree output into a dependency graph structure.
+     *
+     * @param {string} treeOutput
+     * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @param {{directMarkers: Map<string, string>, transitiveMarkers: Map<string, Map<string, string>>}} markerData
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePoetryTree(treeOutput: string, versionMap: Map<string, string>, markerData: {
+        directMarkers: Map<string, string>;
+        transitiveMarkers: Map<string, Map<string, string>>;
+    }): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+}
+import Base_pyproject from './base_pyproject.js';