|
1 | 1 | /** |
2 | | - * Parse `requirements_lock.txt`, `bazel query` output, and spoke-repo |
3 | | - * `--output=build` tags into a uniform shape for PyPI requirements.txt |
4 | | - * generation. |
| 2 | + * Parse Bazel PyPI extraction inputs into the pinned `name==version` lines |
| 3 | + * needed for generated `requirements.txt` output. |
| 4 | + * |
| 5 | + * This is deliberately not a general-purpose requirements.txt parser. It only |
| 6 | + * accepts pinned lockfile-style entries needed to map reached Bazel labels to |
| 7 | + * exact package versions; depscan remains the owner of full PEP 508 |
| 8 | + * requirements ingestion during scan processing. |
5 | 9 | * |
6 | 10 | * Security gate: every regex uses bounded character classes to prevent |
7 | 11 | * catastrophic backtracking on hostile input. |
@@ -113,7 +117,7 @@ export function resolveRequirementsLockPath( |
113 | 117 | return resolved |
114 | 118 | } |
115 | 119 |
|
116 | | -// Parses a single `name==version` line. |
| 120 | +// Parses a single pinned `name==version` lockfile line. |
117 | 121 | // Group 1 = package name, Group 2 = version string (includes ==). |
118 | 122 | const REQUIREMENT_LINE_RE = /^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9._+!]+)/ |
119 | 123 |
|
@@ -149,8 +153,9 @@ function shouldSkipLine(line: string): boolean { |
149 | 153 | return false |
150 | 154 | } |
151 | 155 |
|
152 | | -// Parse a `requirements_lock.txt`-style file into a map keyed by |
153 | | -// normalized PyPI name. |
| 156 | +// Parse a `requirements_lock.txt`-style file into a map keyed by normalized |
| 157 | +// PyPI name. This intentionally ignores unpinned PEP 508 requirement forms |
| 158 | +// because the Bazel extractor must emit exact package versions. |
154 | 159 | export function parseRequirementsLock( |
155 | 160 | text: string, |
156 | 161 | ): Map<string, ExtractedPypiPackage> { |
|