[SYNC] branch 'fix-lowercase-files-208' with 'dev-v5.6'

* dev-v5.6:
  [STYLE] Cleanup fixes from GHI #208 for release
  [STYLE] Cleanup fixes from GHI #292 for release
  [DOCUMENTATION] Update documentation and configs to match
  [DOCUMENTATION] Create SECURITY.md
  [FIX] Resolve regression in tests due to abbriviations in updated packages (- WIP #292 -)
  [FIX] resolve flaky test_different_python with improved diognostics (- WIP GHI #292 -)
  [FIX] resolve regression for test_fail_on_partial_match (- WIP GHI #292 -)
  [FIX] resolve regression for test_allow_only_partial (- WIP GHI #292 -)
  [DEBUG] revert some unstable changes to makefile
  Bump cryptography from 46.0.2 to 46.0.5

Author: reactive-firewall

CONTRIBUTING.md

@@ -13,17 +13,26 @@ The design policy of `pip-licenses` is as follows.
 
 1. Fork this repository on your GitHub account.
 2. Create a branch to represent changes.
-    * Branch name does **NOT** need `feature/` prefix. Because git-flow is too complicated.
-3. Create a new venv environment.
-4. Install package for development via `make setup` .
+    * Branch name does **NOT** need `feature/` prefix. Because git-flow is configured differently for maintainers.
+3. Create a new venv environment and Install package for development via `make setup` .
     * Dependencies are managed by [pip-tools](https://pypi.org/project/pip-tools/).
-    * If you want to add dependency packages for development, edit [dev-requirements.in](https://github.com/raimon49/pip-licenses/blob/master/dev-requirements.in) file and run `make update-depends` .
-    * When you want to install the code under development, run `make local-install` .
+    * If you want to add dependency packages for development, edit [the dev entry in pyproject.toml](https://github.com/raimon49/pip-licenses/blob/master/pyproject.toml) file and run `make update-depends` .
+    * If you want to install the code under development, run `make local-install` .
 
 ## Implementation and testing
 
-* `pip-licenses` always measures code coverage for code quality. If you implement the new feature, please also write unit test in [test\_piplicenses.py](https://github.com/raimon49/pip-licenses/blob/master/test_piplicenses.py).
+* `pip-licenses` always measures code coverage for code quality. If you implement a new feature, please also write unit test in [test\_piplicenses.py](https://github.com/raimon49/pip-licenses/blob/master/test_piplicenses.py).
     * Tests can be run with `make test` .
 * Code conventions follow the [PEP 8](https://www.python.org/dev/peps/pep-0008/).
     * You can format the code by running `make lint` .
-* Send pull request to master branch.
+* Send pull request to master branch. Maintainer(s) may adjust PRs to the appropriate development branch as realevant.
+
+## Security policy
+
+If you find a significant vulnerability, or evidence of one, please report it privately.
+
+* We prefer that you use the
+[GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+Under the
+[main repository's security tab](https://github.com/raimon49/pip-licenses/security), click
+"Report a vulnerability" to open the advisory form.

Makefile

@@ -1,6 +1,6 @@
 #!/usr/bin/env make -f
 
-# Pip-Licenses
+# Pip-Licenses Makefile
 # ..................................
 # Copyright (c) 2018-2024, raimon
 # Copyright (c) 2024-2026, Mr. Walls
@@ -69,7 +69,7 @@ ifeq "$(PYTHON)" ""
 	PYTHON=$(PY_CMD) $(PY_ARGS)
 endif
 
-# SUPPORT PEP-517
+# SUPPORT PEP-517 with --use-pep517 when available
 
 ifndef PIP_COMMON_FLAGS
 	# Define probable pip install flags based on python command
@@ -81,24 +81,7 @@ ifndef PIP_COMMON_FLAGS
 		PIP_PREFIX_FLAGS := --no-input
 	endif
 	# Define common pip install flags
-	PIP_COMMON_FLAGS := --use-pep517 --exists-action s --upgrade --upgrade-strategy eager
-endif
-
-# Define environment-specific pip install flags
-ifeq ($(shell uname),Darwin)
-	# Check if pip supports --break-system-packages
-	PIP_VERSION := $(shell $(PYTHON) -m pip --version | awk '{print $2}')
-	PIP_MAJOR := $(word 2,$(subst ., ,$(PIP_VERSION)))
-	PIP_MINOR := $(word 3,$(subst ., ,$(PIP_VERSION)))
-	# --break-system-packages was added to pip in version 23.0.1 so check for 23.1+
-	ifeq ($(shell [ $(PIP_MAJOR) -ge 24 ] || { [ $(PIP_MAJOR) -eq 23 ] && [ $(PIP_MINOR) -ge 1 ]; } && printf "%d" 1 || printf "%d" 0), 1)
-		# workaround for specific xcode python + homebrew
-		PIP_ENV_FLAGS := --break-system-packages
-	else
-		PIP_ENV_FLAGS :=
-	endif
-else
-	PIP_ENV_FLAGS :=
+	PIP_COMMON_FLAGS := --exists-action s --upgrade --upgrade-strategy eager
 endif
 
 ifeq "$(LOG)" ""
@@ -162,14 +145,14 @@ $(VENV_NAME): venv
 	$(QUIET)test -d $(VENV_NAME) || exit 1 ;
 
 setup: $(VENV_NAME)
-	$(QUIET)$(VENV_NAME)/bin/python -m ensurepip || exit 2 ;
-	$(VENV_NAME)/bin/python -m pip $(PIP_PREFIX_FLAGS) install $(PIP_COMMON_FLAGS) $(PIP_ENV_FLAGS) -r $(DEV_DEPENDS).txt
+	$(QUIET)$(VENV_NAME)/bin/python -B -m ensurepip || exit 2 ;
+	$(VENV_NAME)/bin/python -B -m pip $(PIP_PREFIX_FLAGS) install $(PIP_COMMON_FLAGS) -r $(DEV_DEPENDS).txt
 
 local-install: $(VENV_NAME)
-	$(VENV_NAME)/bin/python -m pip $(PIP_PREFIX_FLAGS) install $(PIP_COMMON_FLAGS) $(PIP_ENV_FLAGS) -e .
+	$(VENV_NAME)/bin/python -m pip $(PIP_PREFIX_FLAGS) install $(PIP_COMMON_FLAGS) -e .
 
 local-uninstall:
-	$(VENV_NAME)/bin/python -m pip $(PIP_PREFIX_FLAGS) uninstall $(PIP_COMMON_FLAGS) $(PIP_ENV_FLAGS) -y pip-licenses
+	$(VENV_NAME)/bin/python -m pip $(PIP_PREFIX_FLAGS) uninstall -y pip-licenses
 
 local-ci-check: build lint test
 	$(QUIET)$(DO_FAIL)  # does nothing successfully (if reached)
@@ -183,8 +166,8 @@ build: clean
 	$(VENV_NAME)/bin/python -m build
 
 lint:
-	$(VENV_NAME)/bin/python -m ruff check .
-	$(VENV_NAME)/bin/python -m ruff format .
+	$(VENV_NAME)/bin/python -m ruff --config pyproject.toml check .
+	$(VENV_NAME)/bin/python -m ruff --config pyproject.toml format .
 	$(VENV_NAME)/bin/python -m mypy --install-types --non-interactive .
 
 test:

SECURITY.md

@@ -0,0 +1,9 @@
+# Security
+
+If you find a significant vulnerability, or evidence of one, please report it privately.
+
+* We prefer that you use the
+[GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+Under the
+[main repository's security tab](https://github.com/raimon49/pip-licenses/security), click
+"Report a vulnerability" to open the advisory form.

dev-requirements.txt

@@ -18,7 +18,7 @@ click==8.1.8
     # via pip-tools
 coverage[toml]==7.10.7
     # via pytest-cov
-cryptography==46.0.4
+cryptography==46.0.5
     # via secretstorage
 docutils==0.22.4
     # via

piplicenses.py

@@ -346,11 +346,13 @@ def get_pkg_included_file(
 
     def get_pkg_info(pkg: Distribution) -> dict[str, str | list[str]]:
         license_file, license_text = get_pkg_included_file(
-            pkg, "[Ll][Ii][Cc][Ee][Nn][CScs][Ee].*|[Cc][Oo][Pp][Yy][Ii][Nn][Gg].*",
+            pkg,
+            "[Ll][Ii][Cc][Ee][Nn][CScs][Ee].*|[Cc][Oo][Pp][Yy][Ii][Nn][Gg].*",
         )
         notice_file, notice_text = get_pkg_included_file(pkg, "NOTICE.*")
         other_file, other_text = get_pkg_included_file(
-            pkg, "[Aa][Uu][Tt][Hh][Oo][Rr][Ss].*",
+            pkg,
+            "[Aa][Uu][Tt][Hh][Oo][Rr][Ss].*",
         )
         pkg_info: dict[str, str | list[str]] = {
             "name": pkg.metadata["name"],

pyproject.toml

@@ -97,7 +97,7 @@ ignore = [
 isort.known-first-party = ["piplicenses"]
 
 [tool.mypy]
-exclude = ["venv"]
+exclude = ["venv"] # and thus venv[subprocess].CalledProcessError
 
 [tool.coverage.run]
 include = ["piplicenses.py"]

test_piplicenses.py

@@ -938,7 +938,10 @@ def test_allow_only(monkeypatch) -> None:
     assert (
         "license MIT License not in allow-only licenses was found for "
         "package" in mocked_stderr.printed
-    )
+    ) or (
+        "license MIT not in allow-only licenses was found for "
+        "package" in mocked_stderr.printed
+    )  # GHI #292 -- MIT License has become abreviated to just MIT for some
 
 
 def test_allow_only_partial(monkeypatch) -> None:
@@ -965,7 +968,9 @@ def test_allow_only_partial(monkeypatch) -> None:
 
     assert "" == mocked_stdout.printed
     assert (
-        "license MIT License not in allow-only licenses was found for "
+        "license MIT" in mocked_stderr.printed
+    ) and (  # GHI #292 -- partial match may ommit 'License'
+        " not in allow-only licenses was found for "
         "package" in mocked_stderr.printed
     )
 
@@ -995,7 +1000,10 @@ def test_allow_only_with_empty_tokens(monkeypatch) -> None:
     assert (
         "license MIT License not in allow-only licenses was found for "
         "package" in mocked_stderr.printed
-    )
+    ) or (
+        "license MIT not in allow-only licenses was found for "
+        "package" in mocked_stderr.printed
+    )  # GHI #292 -- MIT License has become abreviated to just MIT for some
 
 
 def test_fail_on_with_empty_tokens(monkeypatch) -> None:
@@ -1019,16 +1027,25 @@ def test_fail_on_with_empty_tokens(monkeypatch) -> None:
 
 def test_different_python() -> None:
     import tempfile
+    from venv import (  # type: ignore[attr-defined]
+        subprocess as venv_subprocess,
+    )
+
+    _warning_skip: str = "Testing via venv unsupported. Skipping."
 
     class TempEnvBuild(venv.EnvBuilder):
         def post_setup(self, context: SimpleNamespace) -> None:
             self.context = context
 
     with tempfile.TemporaryDirectory() as target_dir_path:
-        venv_builder = TempEnvBuild(with_pip=True)
-        venv_builder.create(str(target_dir_path))
-        python_exec = venv_builder.context.env_exe
-        python_arg = f"--python={python_exec}"
+        python_exec = None
+        try:
+            venv_builder = TempEnvBuild(with_pip=True)
+            venv_builder.create(str(target_dir_path))
+            python_exec = venv_builder.context.env_exe
+        except venv_subprocess.CalledProcessError as skip_cause:
+            raise unittest.SkipTest(_warning_skip) from skip_cause
+        python_arg = f"--python={python_exec}" if python_exec else ""
         args = create_parser().parse_args([python_arg, "-s", "-f=json"])
         pkgs = get_packages(args)
         package_names = sorted(set(p["name"] for p in pkgs))
@@ -1074,8 +1091,9 @@ def test_fail_on_partial_match(monkeypatch) -> None:
 
     assert "" == mocked_stdout.printed
     assert (
-        "fail-on license MIT License was found for "
-        "package" in mocked_stderr.printed
+        "fail-on license MIT" in mocked_stderr.printed
+    ) and (  # GHI 292 -- partial match may ommit 'License'
+        " was found for package" in mocked_stderr.printed
     )