npm - @trustify-da/trustify-da-javascript-client - Versions diffs - 0.3.0-ea.d84439a → 0.3.0-ea.d9c1ae4 - Mend

@trustify-da/trustify-da-javascript-client 0.3.0-ea.d84439a → 0.3.0-ea.d9c1ae4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/src/provider.js +2 -0
package/dist/src/providers/base_pyproject.d.ts +4 -25
package/dist/src/providers/base_pyproject.js +48 -72
package/dist/src/providers/javascript_npm.d.ts +1 -0
package/dist/src/providers/javascript_npm.js +21 -0
package/dist/src/providers/javascript_pnpm.js +6 -2
package/dist/src/providers/processors/yarn_berry_processor.js +6 -2
package/dist/src/providers/python_controller.js +7 -3
package/dist/src/providers/python_pip_pyproject.d.ts +61 -0
package/dist/src/providers/python_pip_pyproject.js +144 -0
package/dist/src/providers/python_poetry.d.ts +2 -1
package/dist/src/providers/python_poetry.js +9 -3
package/dist/src/providers/python_uv.js +4 -1
package/package.json +1 -1

package/dist/src/provider.js CHANGED Viewed

@@ -7,6 +7,7 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_pip_pyproject from './providers/python_pip_pyproject.js';
 import Python_poetry from './providers/python_poetry.js';
 import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
@@ -27,6 +28,7 @@ export const availableProviders = [
     pythonPipProvider,
     new Python_poetry(),
     new Python_uv(),
+    new Python_pip_pyproject(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_pyproject.d.ts CHANGED Viewed

@@ -102,26 +102,14 @@ export default class Base_pyproject {
      */
     protected _getIgnoredDeps(manifestPath: string): Set<string>;
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
+    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
     /**
      * @param {string} name
      * @param {string} version
@@ -129,15 +117,6 @@ export default class Base_pyproject {
      * @protected
      */
     protected _toPurl(name: string, version: string): PackageURL;
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    private _addAllDependencies;
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml

package/dist/src/providers/base_pyproject.js CHANGED Viewed

@@ -220,64 +220,29 @@ export default class Base_pyproject {
         return ignored;
     }
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
-        let result = [];
-        for (let key of directDeps) {
-            if (ignoredDeps.has(key)) {
-                continue;
-            }
-            let entry = graph.get(key);
-            if (!entry) {
-                continue;
-            }
-            let depTree = [];
-            if (includeTransitive) {
-                let visited = new Set();
-                visited.add(key);
-                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
-            }
-            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
-        }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
-        return result;
-    }
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
-        for (let childKey of childKeys) {
-            let canonKey = this._canonicalize(childKey);
-            if (ignoredDeps.has(canonKey)) {
-                continue;
-            }
-            if (visited.has(canonKey)) {
+    _reachableNodes(graph, directDeps, ignoredDeps) {
+        let reachable = new Set();
+        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
+        while (queue.length > 0) {
+            let key = queue.shift();
+            if (reachable.has(key)) {
                 continue;
             }
-            visited.add(canonKey);
-            let entry = graph.get(canonKey);
-            if (!entry) {
-                continue;
+            reachable.add(key);
+            for (let child of graph.get(key).children) {
+                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
+                    queue.push(child);
+                }
             }
-            let childDeps = [];
-            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
-            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
         }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return reachable;
     }
     /**
      * @param {string} name
@@ -288,21 +253,6 @@ export default class Base_pyproject {
     _toPurl(name, version) {
         return new PackageURL('pypi', undefined, name, version, undefined, undefined);
     }
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    _addAllDependencies(source, dep, sbom) {
-        let targetPurl = this._toPurl(dep.name, dep.version);
-        sbom.addDependency(source, targetPurl);
-        if (dep.dependencies && dep.dependencies.length > 0) {
-            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
-        }
-    }
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml
@@ -318,21 +268,47 @@ export default class Base_pyproject {
         let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
         let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
         let ignoredDeps = this._getIgnoredDeps(manifest);
-        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
         let sbom = new Sbom();
         let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
         let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
         let rootPurl = this._toPurl(rootName, rootVersion);
         let license = this.readLicenseFromManifest(manifest);
         sbom.addRoot(rootPurl, license);
-        dependencies.forEach(dep => {
-            if (includeTransitive) {
-                this._addAllDependencies(rootPurl, dep, sbom);
+        if (includeTransitive) {
+            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
+            for (let key of directDeps) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
             }
-            else {
-                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
+            for (let [key, entry] of graph) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let parentPurl = this._toPurl(entry.name, entry.version);
+                for (let child of entry.children) {
+                    if (!reachable.has(child)) {
+                        continue;
+                    }
+                    let childEntry = graph.get(child);
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                }
             }
-        });
+        }
+        else {
+            for (let key of directDeps) {
+                if (ignoredDeps.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                if (!entry) {
+                    continue;
+                }
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+            }
+        }
         return sbom.getAsJsonString(opts);
     }
 }

package/dist/src/providers/javascript_npm.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 export default class Javascript_npm extends Base_javascript {
     _listCmdArgs(includeTransitive: any): string[];
+    _buildDependencyTree(includeTransitive: any, opts?: {}): any;
 }
 import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_npm.js CHANGED Viewed

@@ -12,4 +12,25 @@ export default class Javascript_npm extends Base_javascript {
     _updateLockFileCmdArgs() {
         return ['install', '--package-lock-only'];
     }
+    _buildDependencyTree(includeTransitive, opts = {}) {
+        // npm ls --json returns a single tree rooted at the workspace root.
+        // When analyzing a workspace member, its deps are nested under the
+        // root's dependencies keyed by the member name — extract that subtree
+        // so downstream analysis sees only the member's dependencies.
+        const tree = super._buildDependencyTree(includeTransitive, opts);
+        const memberName = this._getManifest().name;
+        if (tree.name === memberName) {
+            return tree;
+        }
+        const memberEntry = tree.dependencies?.[memberName];
+        if (memberEntry) {
+            return {
+                name: memberName,
+                version: memberEntry.version || this._getManifest().version,
+                dependencies: memberEntry.dependencies,
+                optionalDependencies: memberEntry.optionalDependencies,
+            };
+        }
+        return tree;
+    }
 }

package/dist/src/providers/javascript_pnpm.js CHANGED Viewed

@@ -7,15 +7,19 @@ export default class Javascript_pnpm extends Base_javascript {
         return "pnpm";
     }
     _listCmdArgs(includeTransitive) {
-        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json'];
+        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json', '-r'];
     }
     _updateLockFileCmdArgs() {
         return ['install', '--frozen-lockfile'];
     }
     _buildDependencyTree(includeTransitive, opts = {}) {
+        // pnpm ls --json returns an array with one entry per workspace package.
+        // When analyzing a workspace member, find its entry by name instead of
+        // blindly taking the first element (which is the workspace root).
         const tree = super._buildDependencyTree(includeTransitive, opts);
         if (Array.isArray(tree) && tree.length > 0) {
-            return tree[0];
+            const memberName = this._getManifest().name;
+            return tree.find(pkg => pkg.name === memberName) || tree[0];
         }
         return {};
     }

package/dist/src/providers/processors/yarn_berry_processor.js CHANGED Viewed

@@ -15,7 +15,10 @@ export default class Yarn_berry_processor extends Yarn_processor {
      * @returns {string[]} Command arguments for listing dependencies
      */
     listCmdArgs(includeTransitive) {
-        return ['info', includeTransitive ? '--recursive' : '--all', '--json'];
+        // --all is needed to include workspace members in the output
+        return includeTransitive
+            ? ['info', '--recursive', '--all', '--json']
+            : ['info', '--all', '--json'];
     }
     /**
      * Returns the command arguments for updating the lock file
@@ -68,7 +71,8 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!name) {
             return false;
         }
-        return name.endsWith("@workspace:.");
+        // Workspace members use paths like "member-a@workspace:packages/member-a", not just "@workspace:."
+        return name.startsWith(`${this._manifest.name}@workspace:`);
     }
     /**
    * Adds dependencies to the SBOM

package/dist/src/providers/python_controller.js CHANGED Viewed

@@ -95,7 +95,7 @@ export default class Python_controller {
     }
     /**
      * Parse the requirements.txt file using tree-sitter and return structured requirement data.
-     * @return {Promise<{name: string, version: string|null}[]>}
+     * @return {Promise<{name: string, version: string|null, hasMarker: boolean}[]>}
      */
     async #parseRequirements() {
         const content = fs.readFileSync(this.pathToRequirements).toString();
@@ -107,7 +107,8 @@ export default class Python_controller {
             const version = versionMatches.length > 0
                 ? versionMatches[0].captures.find(c => c.name === 'version').node.text
                 : null;
-            return { name, version };
+            const hasMarker = reqNode.children.some(c => c.type === 'marker_spec');
+            return { name, version, hasMarker };
         }));
     }
     #decideIfWindowsOrLinuxPath(fileName) {
@@ -224,7 +225,10 @@ export default class Python_controller {
                 CachedEnvironmentDeps[packageName.replace("_", "-")] = pipDepTreeEntryForCache;
             });
         }
-        parsedRequirements.forEach(({ name: depName, version: manifestVersion }) => {
+        parsedRequirements.forEach(({ name: depName, version: manifestVersion, hasMarker }) => {
+            if (hasMarker && CachedEnvironmentDeps[depName.toLowerCase()] === undefined) {
+                return;
+            }
             if (matchManifestVersions === "true" && manifestVersion != null) {
                 let installedVersion;
                 if (CachedEnvironmentDeps[depName.toLowerCase()] !== undefined) {

package/dist/src/providers/python_pip_pyproject.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: {}): boolean;
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir: string, opts?: {}): string;
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson: string): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req: string): boolean;
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req: string): string | null;
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts?: {}): Promise<{
+        directDeps: string[];
+        graph: Map<any, any>;
+    }>;
+    _findEggInfoDirs(dir: any): string[];
+    _cleanupEggInfo(dir: any, existing: any): void;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_pip_pyproject.js ADDED Viewed

@@ -0,0 +1,144 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return '.pip-lock-nonexistent';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'pip';
+    }
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    // eslint-disable-next-line no-unused-vars
+    validateLockFile(manifestDir, opts = {}) {
+        return true;
+    }
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii');
+        }
+        let pipBin = getCustomPath('pip3', opts);
+        try {
+            invokeCommand(pipBin, ['--version']);
+        }
+        catch {
+            pipBin = getCustomPath('pip', opts);
+        }
+        let eggInfoDirs = this._findEggInfoDirs(manifestDir);
+        let result = invokeCommand(pipBin, [
+            'install', '--dry-run', '--ignore-installed', '--quiet', '--report', '-', '.'
+        ], { cwd: manifestDir }).toString();
+        this._cleanupEggInfo(manifestDir, eggInfoDirs);
+        return result;
+    }
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson) {
+        let report = JSON.parse(reportJson);
+        let packages = report.install || [];
+        let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined);
+        let rootRequires = rootEntry?.metadata?.requires_dist || [];
+        let directDepNames = new Set();
+        for (let req of rootRequires) {
+            if (this._hasExtraMarker(req)) {
+                continue;
+            }
+            let name = this._extractDepName(req);
+            if (name) {
+                directDepNames.add(this._canonicalize(name));
+            }
+        }
+        let graph = new Map();
+        let nonRootPackages = packages.filter(p => p !== rootEntry);
+        for (let pkg of nonRootPackages) {
+            let name = pkg.metadata.name;
+            let version = pkg.metadata.version;
+            let key = this._canonicalize(name);
+            graph.set(key, { name, version, children: [] });
+        }
+        for (let pkg of nonRootPackages) {
+            let key = this._canonicalize(pkg.metadata.name);
+            let entry = graph.get(key);
+            let requires = pkg.metadata.requires_dist || [];
+            for (let req of requires) {
+                let depName = this._extractDepName(req);
+                if (!depName) {
+                    continue;
+                }
+                let depKey = this._canonicalize(depName);
+                if (graph.has(depKey)) {
+                    entry.children.push(depKey);
+                }
+            }
+        }
+        let directDeps = [...directDepNames].filter(key => graph.has(key));
+        return { directDeps, graph };
+    }
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req) {
+        return /;\s*.*extra\s*==/.test(req);
+    }
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req) {
+        let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+        return match ? match[1] : null;
+    }
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let reportOutput = this._getPipReportOutput(manifestDir, opts);
+        return this._parsePipReport(reportOutput);
+    }
+    _findEggInfoDirs(dir) {
+        try {
+            return fs.readdirSync(dir).filter(f => f.endsWith('.egg-info'));
+        }
+        catch {
+            return [];
+        }
+    }
+    _cleanupEggInfo(dir, existing) {
+        for (let entry of this._findEggInfoDirs(dir)) {
+            if (!existing.includes(entry)) {
+                fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
+            }
+        }
+    }
+}

package/dist/src/providers/python_poetry.d.ts CHANGED Viewed

@@ -2,10 +2,11 @@ export default class Python_poetry extends Base_pyproject {
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
      * @param {Object} opts
      * @returns {string}
      */
-    _getPoetryShowTreeOutput(manifestDir: string, opts: any): string;
+    _getPoetryShowTreeOutput(manifestDir: string, hasDevGroup: boolean, opts: any): string;
     /**
      * Get poetry show --all output (flat list with resolved versions).
      * @param {string} manifestDir

package/dist/src/providers/python_poetry.js CHANGED Viewed

@@ -39,7 +39,8 @@ export default class Python_poetry extends Base_pyproject {
      */
     // eslint-disable-next-line no-unused-vars
     async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
-        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, opts);
+        let hasDevGroup = !!(parsed.tool?.poetry?.group?.dev || parsed.tool?.poetry?.['dev-dependencies']);
+        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts);
         let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
         let versionMap = this._parsePoetryShowAll(showAllOutput);
         return this._parsePoetryTree(treeOutput, versionMap);
@@ -47,15 +48,20 @@ export default class Python_poetry extends Base_pyproject {
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
      * @param {Object} opts
      * @returns {string}
      */
-    _getPoetryShowTreeOutput(manifestDir, opts) {
+    _getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts) {
         if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_TREE')) {
             return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_TREE'], 'base64').toString('utf-8');
         }
         let poetryBin = getCustomPath('poetry', opts);
-        return invokeCommand(poetryBin, ['show', '--tree', '--no-ansi'], { cwd: manifestDir }).toString();
+        let args = ['show', '--tree', '--no-ansi'];
+        if (hasDevGroup) {
+            args.push('--without', 'dev');
+        }
+        return invokeCommand(poetryBin, args, { cwd: manifestDir }).toString();
     }
     /**
      * Get poetry show --all output (flat list with resolved versions).

package/dist/src/providers/python_uv.js CHANGED Viewed

@@ -36,7 +36,7 @@ export default class Python_uv extends Base_pyproject {
             return Buffer.from(process.env['TRUSTIFY_DA_UV_EXPORT'], 'base64').toString('ascii');
         }
         let uvBin = getCustomPath('uv', opts);
-        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes'], { cwd: manifestDir }).toString();
+        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes', '--no-dev', '--no-emit-project'], { cwd: manifestDir }).toString();
     }
     /**
      * Parse uv export output into a dependency graph using tree-sitter-requirements
@@ -70,6 +70,9 @@ export default class Python_uv extends Base_pyproject {
                         let version = memberParsed.project?.version || memberParsed.tool?.poetry?.version;
                         if (name && version) {
                             let key = this._canonicalize(name);
+                            if (key === canonProjectName) {
+                                continue;
+                            }
                             currentPkg = { name, version, parents: new Set() };
                             packages.set(key, currentPkg);
                             collectingVia = false;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.d84439a",
+	"version": "0.3.0-ea.d9c1ae4",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",