packagedcode: replace unmaintained toml with tomllib/tomli

toml has been unmaintained for years and was superseded by tomli on PyPI
which was eventually added to the stdlib as tomllib in Python 3.11.

Signed-off-by: Maxwell G <[email protected]>

Author: gotmax23

CHANGELOG.rst

@@ -10,6 +10,8 @@ Next release
   https://github.com/aboutcode-org/scancode-toolkit/pull/4474
   https://github.com/aboutcode-org/scancode-toolkit/issues/4101
 
+- Replace unmaintained ``toml`` library with ``tomllib`` / ``tomli``.
+  https://github.com/aboutcode-org/scancode-toolkit/issues/4532
 
 v32.4.1 - 2025-07-23
 --------------------

setup.cfg

@@ -110,7 +110,7 @@ install_requires =
     saneyaml >= 0.6.0
     spdx_tools == 0.8.2
     text_unidecode >= 1.0
-    toml >= 0.10.0
+    tomli >= 2; python_version < "3.11"
     urlpy
     xmltodict >= 0.11.0
     zipp >= 3.0.0; python_version < "3.9"

src/packagedcode/cargo.py

@@ -12,11 +12,19 @@
 import re
 import sys
 
-import toml
 from packageurl import PackageURL
 
 from packagedcode import models
 
+# tomli was added to the stdlib as tomllib in Python 3.11.
+# It's the same code.
+# Still, prefer tomli if it's installed, as on newer Python versions, it is
+# compiled with mypyc and is more performant.
+try:
+    import tomli as tomllib
+except ImportError:
+    import tomllib
+
 """
 Handle Rust cargo crates
 """
@@ -170,7 +178,8 @@ class CargoTomlHandler(CargoBaseHandler):
 
     @classmethod
     def parse(cls, location, package_only=False):
-        package_data_toml = toml.load(location, _dict=dict)
+        with open(location, "rb") as fp:
+            package_data_toml = tomllib.load(fp)
         workspace = package_data_toml.get('workspace', {})
         core_package_data = package_data_toml.get('package', {})
         extra_data = {}
@@ -283,7 +292,8 @@ class CargoLockHandler(CargoBaseHandler):
 
     @classmethod
     def parse(cls, location, package_only=False):
-        cargo_lock = toml.load(location, _dict=dict)
+        with open(location, "rb") as fp:
+            cargo_lock = tomllib.load(fp)
         dependencies = []
         package = cargo_lock.get('package', [])
         for dep in package:

src/packagedcode/pypi.py

@@ -29,7 +29,6 @@
 import packvers as packaging
 import pip_requirements_parser
 import pkginfo2
-import toml
 from commoncode import fileutils
 from commoncode.fileutils import as_posixpath
 from commoncode.resource import Resource
@@ -46,6 +45,15 @@
 from packagedcode.utils import yield_dependencies_from_package_resource
 from packagedcode.utils import get_base_purl
 
+# tomli was added to the stdlib as tomllib in Python 3.11.
+# It's the same code.
+# Still, prefer tomli if it's installed, as on newer Python versions, it is
+# compiled with mypyc and is more performant.
+try:
+    import tomli as tomllib
+except ImportError:
+    import tomllib
+
 try:
     from zipfile import Path as ZipPath
 except ImportError:
@@ -463,7 +471,8 @@ def is_datafile(cls, location, filetypes=tuple()):
 
     @classmethod
     def parse(cls, location, package_only=False):
-        package_data = toml.load(location, _dict=dict)
+        with open(location, "rb") as fp:
+            package_data = tomllib.load(fp)
         project_data = package_data.get("project")
         if not project_data:
             return
@@ -647,7 +656,8 @@ def parse_non_group_dependencies(
 
     @classmethod
     def parse(cls, location, package_only=False):
-        toml_data = toml.load(location, _dict=dict)
+        with open(location, "rb") as fp:
+            toml_data = tomllib.load(fp)
 
         tool_data = toml_data.get('tool')
         if not tool_data:
@@ -725,7 +735,8 @@ class PoetryLockHandler(BasePoetryPythonLayout):
 
     @classmethod
     def parse(cls, location, package_only=False):
-        toml_data = toml.load(location, _dict=dict)
+        with open(location, "rb") as fp:
+            toml_data = tomllib.load(fp)
 
         packages = toml_data.get('package')
         if not packages: