Bibliothecary
Dependency manifest parsing library for https://github.com/ecosyste-ms
This is a maintained fork of the original Bibliothecary gem, with support for additional manifest formats and bug fixes.
Installation
Requires Ruby 3.4 or above.
Add this line to your application's Gemfile:
```ruby
gem "ecosystems-bibliothecary", git: "https://github.com/ecosyste-ms/bibliothecary.git", require: "bibliothecary"
```
And then execute:
```
bundle install
```
Usage
Identify package manager manifests from a list of files:
```ruby
Bibliothecary.identify_manifests(['package.json', 'README.md', 'index.js']) #=> 'package.json'
```
Parse a manifest file for its dependencies:
```ruby
Bibliothecary.analyse_file 'bower.json', File.open('bower.json').read
```
Search a directory for manifest files and parse the contents:
```ruby
Bibliothecary.analyse('./')
```
All available config options are in: https://github.com/ecosyste-ms/bibliothecary/blob/master/lib/bibliothecary/configuration.rb
Dependency fields
Each parsed dependency is a Bibliothecary::Dependency with:
| Field | Type | Description |
|---|---|---|
| name | String | Package name |
| requirement | String | Version requirement (defaults to "*") |
| platform | String | Package manager platform (e.g. "npm", "maven") |
| type | String | Dependency scope: "runtime", "development", "test", etc. |
| direct | Boolean | Direct dependency (vs transitive) |
| deprecated | Boolean | Deprecated dependency |
| local | Boolean | Local/file path dependency |
| optional | Boolean | Optional dependency |
| original_name | String | Original name before aliasing/normalization |
| original_requirement | String | Original requirement before resolution |
| source | String | Path to the manifest file |
| integrity | String | Lockfile integrity hash (see table below) |
Integrity hash support
The integrity field is populated for lockfiles that include per-dependency hashes:
| Lockfile | Platform | Hash format |
|---|---|---|
| package-lock.json | npm | sha512-... |
| pnpm-lock.yaml | npm | sha512-... |
| yarn.lock (v2+) | npm | sha512-... |
| bun.lock | npm | sha512-... |
| deno.lock | deno | sha512-... |
| go.sum | go | h1:... |
| Gemfile.lock | rubygems | sha256=... |
| poetry.lock | pypi | sha256:... |
| uv.lock | pypi | sha256:... |
| composer.lock | packagist | sha1=... |
| Cargo.lock | cargo | sha256=... |
| Podfile.lock | cocoapods | sha1=... |
| mix.lock | hex | sha256=... |
| rebar.lock | hex | sha256=... |
| manifest.toml (Gleam) | hex | sha256=... |
| stack.yaml.lock | hackage | sha256=... |
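The following is an added example (not code from the bibliothecary gem) showing how the Usage calls above and the Dependency fields and integrity table can be combined into a supply-chain audit: it flags lockfile entries whose integrity hash is missing or does not match the documented format for their platform, plus deprecated, local-path and unpinned dependencies. It assumes the real `Bibliothecary::Dependency` objects respond to the field names in the table, and uses a stand-in `Struct` with constructed sample data so it runs offline without the gem installed.

```ruby
# Added example, not part of the bibliothecary gem: audit parsed dependencies for
# supply-chain red flags using the Dependency fields and integrity formats documented above.
# Stand-in for Bibliothecary::Dependency so the example runs without the gem installed;
# the real objects respond to the same field names listed in the table.
Dep = Struct.new(:name, :requirement, :platform, :type, :direct, :deprecated,
                 :local, :optional, :source, :integrity, keyword_init: true)
# Integrity prefix expected per platform (from the "Integrity hash support" table).
INTEGRITY_FORMAT = {
  "npm" => /\Asha512-\S+\z/, "deno" => /\Asha512-\S+\z/, "go" => /\Ah1:\S+\z/,
  "rubygems" => /\Asha256=\S+\z/, "pypi" => /\Asha256:\S+\z/, "packagist" => /\Asha1=\S+\z/,
  "cargo" => /\Asha256=\S+\z/, "cocoapods" => /\Asha1=\S+\z/, "hex" => /\Asha256=\S+\z/,
  "hackage" => /\Asha256=\S+\z/,
}.freeze
# Lockfiles for which the parser populates `integrity` (same table).
LOCKFILES_WITH_INTEGRITY = %w[package-lock.json pnpm-lock.yaml yarn.lock bun.lock deno.lock
  go.sum Gemfile.lock poetry.lock uv.lock composer.lock Cargo.lock Podfile.lock mix.lock
  rebar.lock manifest.toml stack.yaml.lock].freeze

# Returns [[name, reason], ...]; a CI job can fail the build when it is non-empty.
def audit_dependencies(deps)
  deps.each_with_object([]) do |dep, findings|
    fmt = INTEGRITY_FORMAT[dep.platform]
    from_lockfile = LOCKFILES_WITH_INTEGRITY.include?(File.basename(dep.source.to_s))
    if from_lockfile && fmt
      if dep.integrity.to_s.empty?
        findings << [dep.name, "missing integrity hash in #{dep.source}"]
      elsif dep.integrity !~ fmt
        findings << [dep.name, "unexpected integrity format for #{dep.platform}"]
      end
    end
    findings << [dep.name, "deprecated"] if dep.deprecated
    findings << [dep.name, "local/path dependency"] if dep.local
    findings << [dep.name, "unpinned requirement"] if dep.requirement == "*"
  end
end

# Constructed sample shaped like Bibliothecary.analyse_file output (hash values are fake).
SAMPLE_DEPS = [
  Dep.new(name: "lodash", requirement: "4.17.21", platform: "npm", type: "runtime",
          direct: true, source: "package-lock.json", integrity: "sha512-FAKEdigestFAKEdigest=="),
  Dep.new(name: "left-pad", requirement: "1.3.0", platform: "npm", type: "runtime",
          direct: false, source: "package-lock.json", integrity: nil),
  Dep.new(name: "rails", requirement: "7.1.0", platform: "rubygems", type: "runtime",
          direct: true, source: "Gemfile.lock", integrity: "sha1=FAKEdigest"),
  Dep.new(name: "my-local-lib", requirement: "file:../lib", platform: "npm", type: "runtime",
          direct: true, local: true, source: "package.json"),
  Dep.new(name: "request", requirement: "*", platform: "npm", type: "development",
          direct: true, deprecated: true, source: "package.json"),
].freeze
puts audit_dependencies(SAMPLE_DEPS).map { |n, r| "#{n}: #{r}" }.join("\n")
```

With the real gem, replace `SAMPLE_DEPS` with the dependencies returned by `Bibliothecary.analyse('./')`; entries from plain manifests such as package.json are only checked for the deprecated, local and unpinned flags, since they never carry integrity hashes.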
Supported package manager file formats
- Actions
  - action.yml
  - action.yaml
  - .github/workflows/*.yml
  - .github/workflows/*.yaml
- Alpm
  - PKGBUILD
- Anaconda
  - environment.yml
  - environment.yaml
- Apk
  - APKBUILD
- Bazel
  - MODULE.bazel
- BentoML
  - bentofile.yaml
- Bower
  - bower.json
- Cargo
  - Cargo.toml
  - Cargo.lock
- Carthage
  - Cartfile
  - Cartfile.private
  - Cartfile.resolved
- Clojars
  - project.clj
- CocoaPods
  - Podfile
  - *.podspec
  - Podfile.lock
  - *.podspec.json
- Cog
  - cog.yaml
- Conan
  - conanfile.py
  - conanfile.txt
  - conan.lock
- CPAN
  - META.json
  - META.yml
  - cpanfile
  - cpanfile.snapshot
  - Makefile.PL
  - Build.PL
- CRAN
  - DESCRIPTION
  - renv.lock
- Deb
  - debian/control
  - control
- Deno
  - deno.json
  - deno.jsonc
  - deno.lock
- Docker
  - docker-compose*.yml
  - Dockerfile
- Dub
  - dub.json
  - dub.sdl
- DVC
  - dvc.yaml
- Elm
  - elm-package.json
  - elm_dependencies.json
  - elm-stuff/exact-dependencies.json
- Go
  - go.mod
  - go.sum
  - glide.yaml
  - glide.lock
  - Godeps/Godeps.json
  - Godeps
  - vendor/manifest
  - vendor/vendor.json
  - Gopkg.toml
  - Gopkg.lock
  - go-resolved-dependencies.json
- Hackage
  - *.cabal
  - *cabal.config
  - stack.yaml.lock
  - cabal.project.freeze
- Haxelib
  - haxelib.json
- Hex
  - mix.exs
  - mix.lock
  - gleam.toml
  - manifest.toml
  - rebar.lock
- Homebrew
  - Brewfile
  - Brewfile.lock.json
- Julia
  - REQUIRE
  - Project.toml
  - Manifest.toml
- LuaRocks
  - *.rockspec
- Maven
  - ivy.xml
  - pom.xml
  - build.gradle
  - build.gradle.kts
  - gradle-dependencies-q.txt
  - maven-resolved-dependencies.txt
  - sbt-update-full.txt
  - maven-dependency-tree.txt
  - maven-dependency-tree.dot
  - gradle.lockfile
  - verification-metadata.xml
- Meteor
  - versions.json
- MLflow
  - MLmodel
- Nimble
  - *.nimble
- Nix
  - flake.nix
  - flake.lock
  - nix/sources.json
  - npins/sources.json
- npm
  - package.json
  - package-lock.json
  - npm-shrinkwrap.json
  - yarn.lock
  - pnpm-lock.yaml
  - pnpm-workspace.yaml
  - bun.lock
  - npm-ls.json
- Nuget
  - Project.json
  - Project.lock.json
  - packages.lock.json
  - packages.config
  - *.nuspec
  - *.csproj
  - paket.lock
  - project.assets.json
  - *.deps.json
- Ollama
  - Modelfile
- Packagist
  - composer.json
  - composer.lock
- Pub
  - pubspec.yaml
  - pubspec.lock
- PyPi
  - setup.py
  - requirements*.txt
  - requirements*.pip
  - requirements*.in
  - requirements.frozen
  - Pipfile
  - Pipfile.lock
  - pyproject.toml
  - poetry.lock
  - uv.lock
  - pylock.toml
  - pdm.lock
  - pip-resolved-dependencies.txt
  - pip-dependency-graph.json
- Rpm
  - *.spec
- RubyGems
  - Gemfile
  - Gemfile.lock
  - gems.rb
  - gems.locked
  - *.gemspec
- Shards
  - shard.yml
  - shard.lock
- Swift
  - Package.swift
  - Package.resolved
- Vcpkg
  - vcpkg.json
  - _generated-vcpkg-list.json
Development
After checking out the repo, run bin/setup to install dependencies. Then, run bundle exec rspec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install.
To regenerate the supported file formats list in this README, run bundle exec rake readme:update.
To release a new version:
- in CHANGELOG.md, move the changes under "Unreleased" into a new section with your version number
- bump and commit the version number in version.rb in the main branch
- then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/ecosyste-ms/bibliothecary. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.