Use uv to manage the optional python dependencies + goodies (#1870)

prabhu · web-flow · commit b4d93d012a46 · 2025-06-17T01:57:47.000+01:00
Use uv to manage the optional python dependencies



Upload atom and slices during release



Update container packages



Track pnpm alias packages

Signed-off-by: Prabhu Subramanian &lt;prabhu@appthreat.com&gt;
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -16,7 +16,9 @@ jobs:
     continue-on-error: true
     runs-on: ["self-hosted", "ubuntu", "arm64"]
     permissions:
-      contents: read
+      contents: write
+      packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -46,6 +48,19 @@ jobs:
           COLUMNS: 140
           CDXGEN_DEBUG_MODE: debug
           JAVA_TOOL_OPTIONS: "-XX:UseSVE=0 -Dfile.encoding=UTF-8"
+      - name: Generate atom and slices
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          node bin/cdxgen.js -t js -o $(pwd)/reports/sbom-build-js.cdx.json --no-recurse --profile research $(pwd)
+      - name: Upload atom and slices
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            reports/js-app.atom
+            reports/js-reachables.slices.json
+            reports/js-usages.slices.json
+            reports/sbom-build-js.cdx.json
   matrix-unit-test:
     permissions:
       contents: read
diff --git a/.pnpmfile.cjs b/.pnpmfile.cjs
@@ -6,6 +6,15 @@ function readPackage(pkg) {
     } else if (pkg.name?.includes("linux-") && !pkg.libc) {
       pkg.libc = "glibc";
     }
+  } else if (
+    pkg.name?.includes("resolver-binding") &&
+    pkg.name.includes("linux")
+  ) {
+    if (pkg.name?.includes("musl") && !pkg.libc) {
+      pkg.libc = "musl";
+    } else if (pkg.name?.includes("gnu") && !pkg.libc) {
+      pkg.libc = "glibc";
+    }
   }
   return pkg;
 }
diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -2,14 +2,14 @@ FROM ghcr.io/cyclonedx/cdxgen-ruby-builder:master AS base
 
 ARG SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
 ARG SWIFT_PLATFORM=ubi9
-ARG SWIFT_BRANCH=swift-6.1-release
-ARG SWIFT_VERSION=swift-6.1-RELEASE
+ARG SWIFT_BRANCH=swift-6.1.2-release
+ARG SWIFT_VERSION=swift-6.1.2-RELEASE
 ARG SWIFT_WEBROOT=https://download.swift.org
-ARG JAVA_VERSION=24-tem
-ARG SBT_VERSION=1.10.11
+ARG JAVA_VERSION=24.0.1-tem
+ARG SBT_VERSION=1.11.2
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
-ARG GO_VERSION=1.24.3
+ARG GRADLE_VERSION=8.14.2
+ARG GO_VERSION=1.24.4
 ARG NODE_VERSION=24.2.0
 ARG RUBY_VERSION=3.4.4
 ARG JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8"
diff --git a/ci/Dockerfile-bun b/ci/Dockerfile-bun
@@ -13,14 +13,14 @@ LABEL maintainer="cyclonedx" \
 
 ARG SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
 ARG SWIFT_PLATFORM=ubi9
-ARG SWIFT_BRANCH=swift-6.1-release
-ARG SWIFT_VERSION=swift-6.1-RELEASE
+ARG SWIFT_BRANCH=swift-6.1.2-release
+ARG SWIFT_VERSION=swift-6.1.2-RELEASE
 ARG SWIFT_WEBROOT=https://download.swift.org
-ARG JAVA_VERSION=24-tem
-ARG SBT_VERSION=1.10.11
+ARG JAVA_VERSION=24.0.1-tem
+ARG SBT_VERSION=1.11.2
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
-ARG GO_VERSION=1.24.3
+ARG GRADLE_VERSION=8.14.2
+ARG GO_VERSION=1.24.4
 ARG PYTHON_VERSION=3.12
 
 ENV GOPATH=/opt/app-root/go \
diff --git a/ci/Dockerfile-deno b/ci/Dockerfile-deno
@@ -13,14 +13,14 @@ LABEL maintainer="cyclonedx" \
 
 ARG SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
 ARG SWIFT_PLATFORM=ubi9
-ARG SWIFT_BRANCH=swift-6.1-release
-ARG SWIFT_VERSION=swift-6.1-RELEASE
+ARG SWIFT_BRANCH=swift-6.1.2-release
+ARG SWIFT_VERSION=swift-6.1.2-RELEASE
 ARG SWIFT_WEBROOT=https://download.swift.org
-ARG JAVA_VERSION=24-tem
-ARG SBT_VERSION=1.10.11
+ARG JAVA_VERSION=24.0.1-tem
+ARG SBT_VERSION=1.11.2
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
-ARG GO_VERSION=1.24.3
+ARG GRADLE_VERSION=8.14.2
+ARG GO_VERSION=1.24.4
 ARG PYTHON_VERSION=3.12
 ARG RUBY_VERSION=3.4.4
 ARG SCALA_VERSION=3.7.1
diff --git a/ci/Dockerfile-ppc64 b/ci/Dockerfile-ppc64
@@ -11,10 +11,10 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ppc64 -r /app --server"
 
-ARG SBT_VERSION=1.10.11
+ARG SBT_VERSION=1.11.2
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
-ARG GO_VERSION=1.24.3
+ARG GRADLE_VERSION=8.14.2
+ARG GO_VERSION=1.24.4
 ARG PYTHON_VERSION=3.12
 
 ENV GOPATH=/opt/app-root/go \
diff --git a/ci/images/Dockerfile.java17 b/ci/images/Dockerfile.java17
@@ -1,9 +1,9 @@
 # Base-image
 FROM registry.suse.com/bci/openjdk-devel:17 AS base
 
-ARG SBT_VERSION=1.10.11
+ARG SBT_VERSION=1.11.2
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
+ARG GRADLE_VERSION=8.14.2
 ARG SCALA_VERSION=3.6.4
 
 ENV SBT_VERSION=$SBT_VERSION \
diff --git a/ci/images/Dockerfile.java17-slim b/ci/images/Dockerfile.java17-slim
@@ -1,9 +1,9 @@
 # Base-image
 FROM registry.suse.com/bci/openjdk-devel:17 AS base
 
-ARG SBT_VERSION=1.10.11
+ARG SBT_VERSION=1.11.2
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
+ARG GRADLE_VERSION=8.14.2
 
 ENV SBT_VERSION=$SBT_VERSION \
     MAVEN_VERSION=$MAVEN_VERSION \
diff --git a/ci/images/Dockerfile.python311 b/ci/images/Dockerfile.python311
@@ -1,11 +1,11 @@
 # Base-image
 FROM registry.suse.com/bci/python:3.11 AS base
 
-ARG JAVA_VERSION=24-tem
+ARG JAVA_VERSION=24.0.1-tem
 ARG MAVEN_VERSION=3.9.10
 ARG GCC_VERSION=13
 ARG NODE_VERSION=20.19.2
-ARG GO_VERSION=1.24.3
+ARG GO_VERSION=1.24.4
 
 ENV JAVA_VERSION=$JAVA_VERSION \
     MAVEN_VERSION=$MAVEN_VERSION \
diff --git a/ci/images/Dockerfile.python312 b/ci/images/Dockerfile.python312
@@ -1,7 +1,7 @@
 # Base-image
 FROM registry.suse.com/bci/python:3.12 AS base
 
-ARG JAVA_VERSION=24-tem
+ARG JAVA_VERSION=24.0.1-tem
 ARG MAVEN_VERSION=3.9.10
 ARG GCC_VERSION=13
 ARG NODE_VERSION=24.2.0
diff --git a/ci/images/Dockerfile.python313 b/ci/images/Dockerfile.python313
@@ -1,7 +1,7 @@
 # Base-image
 FROM registry.suse.com/bci/python:3.13 AS base
 
-ARG JAVA_VERSION=24-tem
+ARG JAVA_VERSION=24.0.1-tem
 ARG MAVEN_VERSION=3.9.10
 ARG GCC_VERSION=14 
 ARG NODE_VERSION=24.2.0
diff --git a/ci/images/alpine/Dockerfile.node20 b/ci/images/alpine/Dockerfile.node20
@@ -12,8 +12,10 @@ RUN apk update && apk add --no-cache \
     gcc \
     g++ \
     musl-dev \
-    npm yarn openjdk21 \
+    npm openjdk21 \
     && npm install -g npm corepack \
+    && /usr/bin/python --version \
+    && /usr/bin/python -m pip install --no-cache-dir --upgrade atom-tools --target /opt/pypi \
     && node -v \
     && npm -v \
     && rm -rf /var/cache/apk/*
@@ -39,7 +41,7 @@ ENV CDXGEN_IN_CONTAINER=true \
 
 COPY . /opt/cdxgen
 
-RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --no-optional --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
+RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
 	&& npm uninstall -g corepack \
 	&& apk del npm python3-dev py3-pip py3-virtualenv gcc g++ musl-dev make \
     && mkdir -p ${NODE_COMPILE_CACHE} \
diff --git a/ci/images/alpine/Dockerfile.node24 b/ci/images/alpine/Dockerfile.node24
@@ -12,7 +12,7 @@ RUN apk update && apk add --no-cache \
     gcc \
     g++ \
     musl-dev \
-    npm yarn openjdk21 \
+    npm openjdk21 \
     && npm install -g npm corepack \
     && /usr/bin/python --version \
     && /usr/bin/python -m pip install --no-cache-dir --upgrade atom-tools --target /opt/pypi \
@@ -41,12 +41,12 @@ ENV CDXGEN_IN_CONTAINER=true \
 
 COPY . /opt/cdxgen
 
-RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --no-optional --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
+RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
 	&& npm uninstall -g corepack \
 	&& apk del npm python3-dev py3-pip py3-virtualenv gcc g++ musl-dev make \
     && mkdir -p ${NODE_COMPILE_CACHE} \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && rm -rf /root/.cache/node \
     && chmod a-w -R /opt
 WORKDIR /app
-ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
+ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/images/debian/Dockerfile.swift6 b/ci/images/debian/Dockerfile.swift6
@@ -3,8 +3,8 @@ FROM debian:12 AS base
 
 ARG SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
 ARG SWIFT_PLATFORM=debian12
-ARG SWIFT_BRANCH=swift-6.1-release
-ARG SWIFT_VERSION=swift-6.1-RELEASE
+ARG SWIFT_BRANCH=swift-6.1.2-release
+ARG SWIFT_VERSION=swift-6.1.2-RELEASE
 ARG SWIFT_WEBROOT=https://download.swift.org
 ARG NODE_VERSION=22.16.0
 
diff --git a/ci/images/opensuse/Dockerfile.python310 b/ci/images/opensuse/Dockerfile.python310
@@ -1,7 +1,7 @@
 # Base-image
 FROM registry.opensuse.org/opensuse/bci/python:3.10 AS base
 
-ARG GO_VERSION=1.24.3
+ARG GO_VERSION=1.24.4
 
 ENV CC=gcc \
     LC_ALL=en_US.UTF-8 \
diff --git a/ci/images/opensuse/Dockerfile.rolling b/ci/images/opensuse/Dockerfile.rolling
@@ -2,8 +2,8 @@
 FROM opensuse/tumbleweed:latest AS base
 
 ARG MAVEN_VERSION=4.0.0-rc-3
-ARG SBT_VERSION=1.10.11
-ARG GRADLE_VERSION=8.14.1
+ARG SBT_VERSION=1.11.2
+ARG GRADLE_VERSION=8.14.2
 ARG DOTNET_SDK_VERSION=9.0.100
 ARG SCALA_VERSION=3.7.1
 
diff --git a/ci/images/temurin/Dockerfile.java21 b/ci/images/temurin/Dockerfile.java21
@@ -3,7 +3,7 @@ FROM eclipse-temurin:21-ubi9-minimal AS base
 
 ARG SBT_VERSION=1.10.10
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
+ARG GRADLE_VERSION=8.14.2
 ARG NODE_VERSION=24.2.0
 ARG SCALA_VERSION=3.7.1
 
diff --git a/ci/images/temurin/Dockerfile.java24 b/ci/images/temurin/Dockerfile.java24
@@ -3,7 +3,7 @@ FROM eclipse-temurin:24-ubi9-minimal AS base
 
 ARG SBT_VERSION=1.10.10
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
+ARG GRADLE_VERSION=8.14.2
 ARG NODE_VERSION=24.2.0
 ARG SCALA_VERSION=3.7.1
 
diff --git a/ci/images/temurin/Dockerfile.java8 b/ci/images/temurin/Dockerfile.java8
@@ -3,7 +3,7 @@ FROM eclipse-temurin:8-jdk-ubi9-minimal AS base
 
 ARG SBT_VERSION=1.10.10
 ARG MAVEN_VERSION=3.9.10
-ARG GRADLE_VERSION=8.14.1
+ARG GRADLE_VERSION=8.14.2
 ARG NODE_VERSION=24.2.0
 
 ENV SBT_VERSION=$SBT_VERSION \
diff --git a/contrib/cloud-init.txt b/contrib/cloud-init.txt
@@ -144,8 +144,8 @@ runcmd:
   - sed -i '$a AllowUsers ubuntu' /etc/ssh/sshd_config
   - export SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
   - export SWIFT_PLATFORM=ubuntu24.04
-  - export SWIFT_BRANCH=swift-6.1-release
-  - export SWIFT_VERSION=swift-6.1-RELEASE
+  - export SWIFT_BRANCH=swift-6.1.2-release
+  - export SWIFT_VERSION=swift-6.1.2-RELEASE
   - export SWIFT_WEBROOT=https://download.swift.org
   - export OS_ARCH_SUFFIX='-aarch64'
   - export SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)$OS_ARCH_SUFFIX"
diff --git a/contrib/lima/cdxgen-opensuse.yaml b/contrib/lima/cdxgen-opensuse.yaml
@@ -50,7 +50,7 @@ provision:
     #!/bin/bash
     set -e -o pipefail
     export MAVEN_VERSION=3.9.10
-    export SBT_VERSION=1.10.11
+    export SBT_VERSION=1.11.2
     export GRADLE_VERSION=8.14
     export MAVEN_HOME="/.sdkman/candidates/maven/${MAVEN_VERSION}"
     export GRADLE_HOME="/.sdkman/candidates/gradle/${GRADLE_VERSION}"
diff --git a/contrib/lima/cdxgen-ubuntu.yaml b/contrib/lima/cdxgen-ubuntu.yaml
@@ -53,7 +53,7 @@ provision:
     #!/bin/bash
     set -e -o pipefail
     export MAVEN_VERSION=3.9.10
-    export SBT_VERSION=1.10.11
+    export SBT_VERSION=1.11.2
     export GRADLE_VERSION=8.14
     export MAVEN_HOME="/.sdkman/candidates/maven/${MAVEN_VERSION}"
     export GRADLE_HOME="/.sdkman/candidates/gradle/${GRADLE_VERSION}"
@@ -79,8 +79,8 @@ provision:
     cdxgen --version
     export SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
     export SWIFT_PLATFORM=ubuntu24.04
-    export SWIFT_BRANCH=swift-6.1-release
-    export SWIFT_VERSION=swift-6.1-RELEASE
+    export SWIFT_BRANCH=swift-6.1.2-release
+    export SWIFT_VERSION=swift-6.1.2-RELEASE
     export SWIFT_WEBROOT=https://download.swift.org
     export OS_ARCH_SUFFIX='-aarch64'
     export SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)$OS_ARCH_SUFFIX"
diff --git a/devenv.lock b/devenv.lock
@@ -3,10 +3,10 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1749934215,
+        "lastModified": 1750097069,
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "0ad2d684f722b41578b34670428161d996382e64",
+        "rev": "ab8a1563714393d366b2db7d93f021afb45e7a6f",
         "type": "github"
       },
       "original": {
diff --git a/devenv.nix b/devenv.nix
@@ -28,7 +28,9 @@ in
           venv.quiet = true;
           version = "3.13";
           poetry.enable = lib.mkIf (config.profile == "poetry") true;
-          uv.enable = lib.mkIf (config.profile == "uv") true;
+          uv.enable = lib.mkIf (lib.elem config.profile [ "python" "uv" ] == true) true;
+          uv.sync.enable = lib.mkIf (lib.elem config.profile [ "python" "uv" ] == true) true;
+          uv.sync.allExtras = true;
         };
         javascript = {
           enable = true;
diff --git a/docs/ENV.md b/docs/ENV.md
@@ -32,7 +32,7 @@ These variables are used either by cdxgen itself or by multiple scanners.
 | JAVA21_TOOL                                 | Specifies the Java 21 toolchain version to use. Defaults to `21.0.7-tem` if not explicitly set. Can be overridden to point to a custom Java 21 version.                                                                                     |
 | JAVA22_TOOL                                 | Specifies the Java 22 toolchain version to use. Defaults to `22.0.2-tem` if not explicitly set. Can be overridden to point to a custom Java 22 version.                                                                                     |
 | JAVA23_TOOL                                 | Specifies the Java 23 toolchain version to use. Defaults to `23.0.2-tem` if not explicitly set. Can be overridden to point to a custom Java 23 version.                                                                                     |
-| JAVA24_TOOL                                 | Specifies the Java 24 toolchain version to use. Defaults to `24-tem` if not explicitly set. Can be overridden to point to a custom Java 24 version.                                                                                         |
+| JAVA24_TOOL                                 | Specifies the Java 24 toolchain version to use. Defaults to `24.0.1-tem` if not explicitly set. Can be overridden to point to a custom Java 24 version.                                                                                         |
 | MAVEN_CENTRAL_URL                           | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used). This is used by all Java-based scanners (Gradle, Maven, etc).                                                                                          |
 | NODE_NO_READLINE                            | Set to `1` to disable canonical terminal settings and enable custom readline behavior for Node.js REPL or command-line tools.                                                                                                               |
 | SBOM_SIGN_ALGORITHM                         | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc                                                                                                                                              |
diff --git a/lib/cli/index.js b/lib/cli/index.js
@@ -3144,6 +3144,10 @@ export async function createNodejsBom(path, options) {
       const basePath = dirname(f);
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
+      const pnpmHooks = join(basePath, ".pnpmfile.cjs");
+      if (safeExistsSync(pnpmHooks)) {
+        thoughtLog("Wait, this pnpm project uses install hooks.");
+      }
       if (!Object.keys(parentComponent).length) {
         if (safeExistsSync(packageJsonF)) {
           const pcs = await parsePkgJson(packageJsonF, true);
diff --git a/lib/evinser/evinser.js b/lib/evinser/evinser.js
@@ -286,7 +286,11 @@ export async function createSlice(
   if (sliceType === "usages") {
     // Generate OpenAPI specification for endpoints. Needs atom-tools pypi package to be installed.
     args.push("--extract-endpoints");
-    if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
+    if (
+      process.env?.CDXGEN_IN_CONTAINER !== "true" &&
+      !process.env?.DEVENV_NIX &&
+      !process.env?.NIX_STORE
+    ) {
       console.log(
         "Use an official cdxgen container image to improve the precision of endpoints detection (for SaaSBOM).",
       );
diff --git a/lib/helpers/envcontext.js b/lib/helpers/envcontext.js
@@ -35,7 +35,7 @@ export const SDKMAN_JAVA_TOOL_ALIASES = {
   java21: process.env.JAVA21_TOOL || "21.0.7-tem",
   java22: process.env.JAVA22_TOOL || "22.0.2-tem",
   java23: process.env.JAVA23_TOOL || "23.0.2-tem",
-  java24: process.env.JAVA24_TOOL || "24-tem",
+  java24: process.env.JAVA24_TOOL || "24.0.1-tem",
 };
 
 /**
diff --git a/lib/helpers/utils.js b/lib/helpers/utils.js
diff --git a/lib/helpers/utils.test.js b/lib/helpers/utils.test.js
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pyproject.toml b/pyproject.toml
diff --git a/types/lib/cli/index.d.ts.map b/types/lib/cli/index.d.ts.map
diff --git a/types/lib/helpers/utils.d.ts.map b/types/lib/helpers/utils.d.ts.map
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,15 @@ function readPackage(pkg) {`
`6`	`6`	`} else if (pkg.name?.includes("linux-") && !pkg.libc) {`
`7`	`7`	`pkg.libc = "glibc";`
`8`	`8`	`}`
	`9`	`+ } else if (`
	`10`	`+ pkg.name?.includes("resolver-binding") &&`
	`11`	`+ pkg.name.includes("linux")`
	`12`	`+ ) {`
	`13`	`+ if (pkg.name?.includes("musl") && !pkg.libc) {`
	`14`	`+ pkg.libc = "musl";`
	`15`	`+ } else if (pkg.name?.includes("gnu") && !pkg.libc) {`
	`16`	`+ pkg.libc = "glibc";`
	`17`	`+ }`
`9`	`18`	`}`
`10`	`19`	`return pkg;`
`11`	`20`	`}`