feat: add support for package-lock.json files

BREAKING CHANGE

Author: sdn4z

README.md

@@ -113,6 +113,7 @@ The following dependency file formats are supported:
 - `requirements.txt`
 - `poetry.lock`
 - `uv.lock`
+- `package-lock.json` (v1, v2, v3)
 
 ### Check dependencies introduced through the CLI
 
@@ -166,7 +167,7 @@ dependency_file="/my/path/requirements.txt"
 selector_method="first_letter"
 logging_level="debug"
 allowlist=["my_package"]
-pypi_reference="https://mirror-with-trusted-dependencies.com/file.json"
+source="https://mirror-with-trusted-dependencies.com/file.json"
 ```
 
 > [!WARNING]

src/twyn/base/constants.py

@@ -2,11 +2,13 @@
 
 from typing import TYPE_CHECKING, Literal
 
+from typing_extensions import TypeAlias
+
 from twyn import dependency_parser
 from twyn.trusted_packages import selectors
 
 if TYPE_CHECKING:
-    from twyn.dependency_parser.abstract_parser import AbstractParser
+    from twyn.dependency_parser.parsers.abstract_parser import AbstractParser
 
 
 SELECTOR_METHOD_MAPPING: dict[str, type[selectors.AbstractSelector]] = {
@@ -19,13 +21,17 @@
 SelectorMethod = Literal["first-letter", "nearby-letter", "all"]
 
 DEPENDENCY_FILE_MAPPING: dict[str, type[AbstractParser]] = {
-    "requirements.txt": dependency_parser.requirements_txt_parser.RequirementsTxtParser,
-    "poetry.lock": dependency_parser.lock_parser.PoetryLockParser,
-    "uv.lock": dependency_parser.lock_parser.UvLockParser,
+    "requirements.txt": dependency_parser.RequirementsTxtParser,
+    "poetry.lock": dependency_parser.PoetryLockParser,
+    "uv.lock": dependency_parser.UvLockParser,
+    "package-lock.json": dependency_parser.PackageLockJsonParser,
 }
 
+
 DEFAULT_SELECTOR_METHOD = "all"
 DEFAULT_PROJECT_TOML_FILE = "pyproject.toml"
 DEFAULT_TWYN_TOML_FILE = "twyn.toml"
-DEFAULT_TOP_PYPI_PACKAGES = "https://hugovk.github.io/top-pypi-packages/top-pypi-packages.min.json"
 DEFAULT_USE_CACHE = True
+
+
+PackageManagers: TypeAlias = Literal["pypi", "npm"]

src/twyn/cli.py

@@ -60,6 +60,12 @@ def entry_point() -> None:
         "against all of those in the reference."
     ),
 )
+@click.option(
+    "--language",
+    type=click.Choice(["pypi", "npm"]),
+    default=None,
+    help="Programming language for dependency analysis (pypi or npm). Overrides auto-detection.",
+)
 @click.option(
     "-v",
     default=False,
@@ -98,6 +104,7 @@ def run(
     no_cache: Optional[bool],
     no_track: bool,
     json: bool,
+    language: Optional[str],
 ) -> int:
     if vv:
         logger.setLevel(logging.DEBUG)
@@ -121,6 +128,7 @@ def run(
             use_cache=not no_cache if no_cache is not None else no_cache,
             show_progress_bar=False if json else not no_track,
             load_config_from_file=True,
+            package_manager=language,
         )
     except TwynError as e:
         raise CliError(str(e)) from e

src/twyn/config/config_handler.py

@@ -9,10 +9,10 @@
 from twyn.base.constants import (
     DEFAULT_PROJECT_TOML_FILE,
     DEFAULT_SELECTOR_METHOD,
-    DEFAULT_TOP_PYPI_PACKAGES,
     DEFAULT_TWYN_TOML_FILE,
     DEFAULT_USE_CACHE,
     SELECTOR_METHOD_KEYS,
+    PackageManagers,
 )
 from twyn.config.exceptions import (
     AllowlistPackageAlreadyExistsError,
@@ -34,8 +34,9 @@ class TwynConfiguration:
     dependency_file: Optional[str]
     selector_method: str
     allowlist: set[str]
-    pypi_reference: str
+    source: Optional[str]
     use_cache: bool
+    package_manager: Optional[PackageManagers]
 
 
 @dataclass
@@ -45,8 +46,9 @@ class ReadTwynConfiguration:
     dependency_file: Optional[str] = None
     selector_method: Optional[str] = None
     allowlist: set[str] = field(default_factory=set)
-    pypi_reference: Optional[str] = None
+    source: Optional[str] = None
     use_cache: Optional[bool] = None
+    package_manager: Optional[PackageManagers] = None
 
 
 class ConfigHandler:
@@ -60,6 +62,7 @@ def resolve_config(
         selector_method: Optional[str] = None,
         dependency_file: Optional[str] = None,
         use_cache: Optional[bool] = None,
+        package_manager: Optional[PackageManagers] = None,
     ) -> TwynConfiguration:
         """Resolve the configuration for Twyn.
 
@@ -96,8 +99,9 @@ def resolve_config(
             dependency_file=dependency_file or read_config.dependency_file,
             selector_method=final_selector_method,
             allowlist=read_config.allowlist,
-            pypi_reference=read_config.pypi_reference or DEFAULT_TOP_PYPI_PACKAGES,
+            source=read_config.source,
             use_cache=final_use_cache,
+            package_manager=package_manager or read_config.package_manager,
         )
 
     def add_package_to_allowlist(self, package_name: str) -> None:
@@ -129,7 +133,7 @@ def _get_read_config(self, toml: TOMLDocument) -> ReadTwynConfiguration:
             dependency_file=twyn_config_data.get("dependency_file"),
             selector_method=twyn_config_data.get("selector_method"),
             allowlist=set(twyn_config_data.get("allowlist", set())),
-            pypi_reference=twyn_config_data.get("pypi_reference"),
+            source=twyn_config_data.get("source"),
             use_cache=twyn_config_data.get("use_cache"),
         )
 

src/twyn/dependency_managers/__init__.py

@@ -0,0 +1,60 @@
+from dataclasses import dataclass
+from pathlib import Path
+
+from dparse import filetypes
+
+from twyn.dependency_managers.exceptions import NoMatchingDependencyManagerError
+from twyn.dependency_parser.parsers.constants import PACKAGE_LOCK_JSON, UV_LOCK
+from twyn.trusted_packages.references import AbstractPackageReference, TopNpmReference, TopPyPiReference
+
+
+@dataclass
+class BaseDependencyManager:
+    """Base class for all `DependencyManagers`.
+
+    It acts as a repository, linking programming languages with trusted packages sources and dependency file names.
+    """
+
+    name: str
+    trusted_packages_source: type[AbstractPackageReference]
+    dependency_files: set[str]
+
+    @classmethod
+    def matches_dependency_file(cls, dependency_file: str) -> bool:
+        return Path(dependency_file).name in cls.dependency_files
+
+    @classmethod
+    def matches_language_name(cls, name: str) -> bool:
+        return cls.name == Path(name).name.lower()
+
+
+@dataclass
+class PypiDependencyManager(BaseDependencyManager):
+    name = "pypi"
+    trusted_packages_source = TopPyPiReference
+    dependency_files = {UV_LOCK, filetypes.poetry_lock, filetypes.requirements_txt}
+
+
+@dataclass
+class NpmDependencyManager(BaseDependencyManager):
+    name = "npm"
+    trusted_packages_source = TopNpmReference
+    dependency_files = {PACKAGE_LOCK_JSON}
+
+
+DEPENDENCY_MANAGERS: list[type[BaseDependencyManager]] = [PypiDependencyManager, NpmDependencyManager]
+PACKAGE_MANAGERS = {x.name for x in DEPENDENCY_MANAGERS}
+
+
+def get_dependency_manager_from_file(dependency_file: str) -> type[BaseDependencyManager]:
+    for manager in DEPENDENCY_MANAGERS:
+        if manager.matches_dependency_file(dependency_file):
+            return manager
+    raise NoMatchingDependencyManagerError
+
+
+def get_dependency_manager_from_name(name: str) -> type[BaseDependencyManager]:
+    for manager in DEPENDENCY_MANAGERS:
+        if manager.matches_language_name(name):
+            return manager
+    raise NoMatchingDependencyManagerError

src/twyn/dependency_managers/dependency_manager.py

@@ -0,0 +1,5 @@
+from twyn.base.exceptions import TwynError
+
+
+class NoMatchingDependencyManagerError(TwynError):
+    """Error for when a DependencyManger cannot be retrieved based on the provided arguments."""

src/twyn/dependency_managers/exceptions.py

@@ -1,6 +1,7 @@
 """Dependency parsers."""
 
-from twyn.dependency_parser.lock_parser import PoetryLockParser, UvLockParser
-from twyn.dependency_parser.requirements_txt_parser import RequirementsTxtParser
+from twyn.dependency_parser.parsers.lock_parser import PoetryLockParser, UvLockParser
+from twyn.dependency_parser.parsers.package_lock_json import PackageLockJsonParser
+from twyn.dependency_parser.parsers.requirements_txt_parser import RequirementsTxtParser
 
-__all__ = ["RequirementsTxtParser", "PoetryLockParser", "UvLockParser"]
+__all__ = ["RequirementsTxtParser", "PoetryLockParser", "UvLockParser", "PackageLockJsonParser"]

src/twyn/dependency_parser/__init__.py

@@ -2,11 +2,11 @@
 from typing import Optional
 
 from twyn.base.constants import DEPENDENCY_FILE_MAPPING
-from twyn.dependency_parser.abstract_parser import AbstractParser
 from twyn.dependency_parser.exceptions import (
     MultipleParsersError,
     NoMatchingParserError,
 )
+from twyn.dependency_parser.parsers.abstract_parser import AbstractParser
 
 logger = logging.getLogger("twyn")
 
@@ -24,12 +24,13 @@ def _raise_for_selected_parsers(parsers: list[type[AbstractParser]]) -> None:
             raise NoMatchingParserError
 
     def auto_detect_dependency_file_parser(self) -> type[AbstractParser]:
-        parsers = [
+        parsers: list[AbstractParser] = [
             dependency_parser
             for dependency_parser in DEPENDENCY_FILE_MAPPING.values()
             if dependency_parser().file_exists()
         ]
         self._raise_for_selected_parsers(parsers)
+        self.dependency_file = parsers[0]().file_path
         logger.debug("Dependencies file found")
         return parsers[0]
 
@@ -45,8 +46,6 @@ def get_dependency_file_parser_from_file_name(
         return parsers[0]
 
     def get_dependency_parser(self) -> AbstractParser:
-        logger.debug("Dependency file: %s", self.dependency_file)
-
         if self.dependency_file:
             logger.debug("Dependency file provided. Assigning a parser.")
             dependency_file_parser = self.get_dependency_file_parser_from_file_name()