diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0d745db06a..a02b023245 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -10,6 +10,8 @@ Next release https://github.com/aboutcode-org/scancode-toolkit/pull/4474 https://github.com/aboutcode-org/scancode-toolkit/issues/4101 +- Replace unmaintained ``toml`` library with ``tomllib`` / ``tomli``. + https://github.com/aboutcode-org/scancode-toolkit/issues/4532 v32.4.1 - 2025-07-23 -------------------- diff --git a/setup.cfg b/setup.cfg index aaad1349a9..7c3b6e1d9f 100644 --- a/setup.cfg +++ b/setup.cfg @@ -110,7 +110,7 @@ install_requires = saneyaml >= 0.6.0 spdx_tools == 0.8.2 text_unidecode >= 1.0 - toml >= 0.10.0 + tomli >= 2; python_version < "3.11" urlpy xmltodict >= 0.11.0 zipp >= 3.0.0; python_version < "3.9" diff --git a/src/packagedcode/cargo.py b/src/packagedcode/cargo.py index 3a0533d8f9..8cd087c2cc 100644 --- a/src/packagedcode/cargo.py +++ b/src/packagedcode/cargo.py @@ -12,11 +12,19 @@ import re import sys -import toml from packageurl import PackageURL from packagedcode import models +# tomli was added to the stdlib as tomllib in Python 3.11. +# It's the same code. +# Still, prefer tomli if it's installed, as on newer Python versions, it is +# compiled with mypyc and is more performant. +try: + import tomli as tomllib +except ImportError: + import tomllib + """ Handle Rust cargo crates """ @@ -170,7 +178,8 @@ class CargoTomlHandler(CargoBaseHandler): @classmethod def parse(cls, location, package_only=False): - package_data_toml = toml.load(location, _dict=dict) + with open(location, "rb") as fp: + package_data_toml = tomllib.load(fp) workspace = package_data_toml.get('workspace', {}) core_package_data = package_data_toml.get('package', {}) extra_data = {} @@ -283,7 +292,8 @@ class CargoLockHandler(CargoBaseHandler): @classmethod def parse(cls, location, package_only=False): - cargo_lock = toml.load(location, _dict=dict) + with open(location, "rb") as fp: + cargo_lock = tomllib.load(fp) dependencies = [] package = cargo_lock.get('package', []) for dep in package: diff --git a/src/packagedcode/pypi.py b/src/packagedcode/pypi.py index 2610f43a01..cff5a8335a 100644 --- a/src/packagedcode/pypi.py +++ b/src/packagedcode/pypi.py @@ -29,7 +29,6 @@ import packvers as packaging import pip_requirements_parser import pkginfo2 -import toml from commoncode import fileutils from commoncode.fileutils import as_posixpath from commoncode.resource import Resource @@ -46,6 +45,15 @@ from packagedcode.utils import yield_dependencies_from_package_resource from packagedcode.utils import get_base_purl +# tomli was added to the stdlib as tomllib in Python 3.11. +# It's the same code. +# Still, prefer tomli if it's installed, as on newer Python versions, it is +# compiled with mypyc and is more performant. +try: + import tomli as tomllib +except ImportError: + import tomllib + try: from zipfile import Path as ZipPath except ImportError: @@ -463,7 +471,8 @@ def is_datafile(cls, location, filetypes=tuple()): @classmethod def parse(cls, location, package_only=False): - package_data = toml.load(location, _dict=dict) + with open(location, "rb") as fp: + package_data = tomllib.load(fp) project_data = package_data.get("project") if not project_data: return @@ -647,7 +656,8 @@ def parse_non_group_dependencies( @classmethod def parse(cls, location, package_only=False): - toml_data = toml.load(location, _dict=dict) + with open(location, "rb") as fp: + toml_data = tomllib.load(fp) tool_data = toml_data.get('tool') if not tool_data: @@ -725,7 +735,8 @@ class PoetryLockHandler(BasePoetryPythonLayout): @classmethod def parse(cls, location, package_only=False): - toml_data = toml.load(location, _dict=dict) + with open(location, "rb") as fp: + toml_data = tomllib.load(fp) packages = toml_data.get('package') if not packages: