build(deps): replace toml with tomli

Molkree · Molkree · commit 6e5fbc3301e8 · 2025-10-14T17:45:30.000+04:00
toml library is abandoned, last release was in 2020
tomli library is the community recognized replacement

change required because toml can't parse our pyproject.toml
diff --git a/cve_bin_tool/config.py b/cve_bin_tool/config.py
@@ -10,9 +10,9 @@
 from typing import Mapping
 
 if sys.version_info >= (3, 11):
-    import tomllib as toml
+    import tomllib
 else:
-    import toml
+    import tomli as tomllib
 
 import yaml
 
@@ -65,12 +65,8 @@ def parse_config(
             with ErrorHandler(mode=self.error_mode):
                 raise FileNotFoundError(self.filename)
         if self.filename.endswith(".toml"):
-            if sys.version_info >= (3, 11):
-                with open(self.filename, "rb") as f:
-                    raw_config_data = toml.load(f)
-            else:
-                with open(self.filename) as f:
-                    raw_config_data = toml.load(f)
+            with open(self.filename, "rb") as f:
+                raw_config_data = tomllib.load(f)
             self.config_data = ChainMap(*raw_config_data.values())
         elif self.filename.endswith(".yaml"):
             with open(self.filename) as f:
diff --git a/pyproject.toml b/pyproject.toml
@@ -48,7 +48,7 @@ dependencies = [
     "rich",
     "rpmfile>=1.0.6",
     "setuptools>=70.0.0",                               # pinned by Snyk to avoid a vulnerability
-    "toml; python_version < '3.11'",
+    "tomli; python_version < '3.11'",
     "urllib3>=2.2.2",                                   # dependency of requests added explicitly to avoid CVEs
     "xmlschema",
     "zipp>=3.19.1",                                     # not directly required, pinned by Snyk to avoid a vulnerability
@@ -84,7 +84,6 @@ dev = [
     "types-PyYAML",
     "types-requests",
     "types-setuptools",
-    "types-toml",
 ]
 
 [project.urls]
