Drop the [validation] extra from cyclonedx-python-lib runtime dependency

Author: kdeldycke

changelog.md

@@ -8,6 +8,7 @@
 - [mpm] Fix `pkg:cpan/…`, `pkg:guix/…`, and `pkg:nix/…` pURL specifiers raising `Unrecognized pURL type` even though those managers are implemented. The `cpan`, `guix`, and `nix` entries in `PURL_MAP` were set to `None`, which shadowed the manager-id fallback in `Specifier.parse_purl()`; they now map to their respective managers.
 - [mpm] Add a `scope` attribute (`ManagerScope.SYSTEM` or `ManagerScope.PROJECT`) to `PackageManager` to distinguish system-wide installers from project-local dependency managers, plus a `discover_projects()` extension point reserved for the latter. All maintained managers are system-scoped; project scope is not supported yet.
 - [zerobrew] Add `upgrade` and `upgrade_all` support by wrapping the `zb upgrade` command introduced in zerobrew `0.3.0`, and bump the minimum required `zb` version from `0.2.0` to `0.3.0`. `0.3.0` also fixes the Linux Python install failures reported in https://github.com/lucasgelfond/zerobrew/issues/336, so the `zerobrew` install tests now run as stable on both x86 and ARM Linux.
+- [mpm] Drop the `[validation]` extra from the `cyclonedx-python-lib` runtime dependency, removing `jsonschema`, `rfc3987-syntax`, `lark`, and `lxml` from `mpm`'s install footprint. CycloneDX SBOM schema validation now runs in the test suite instead of inside `CycloneDX.export()`.
 
 ## [`6.5.1` (2026-05-28)](https://github.com/kdeldycke/meta-package-manager/compare/v6.5.0...v6.5.1)
 

meta_package_manager/managers/pip.py

@@ -202,8 +202,8 @@ def _own_dependency_names() -> frozenset[str]:
         declared as an independent ``resource`` block in the formula and
         ``pip install``-ed individually into the formula's virtualenv. Because
         each resource is installed in isolation, pip never sees that (for
-        example) ``lxml`` is required by ``jsonschema[format-nongpl]`` which is
-        required by ``cyclonedx-python-lib[validation]`` which is required by
+        example) ``defusedxml`` is required by ``py-serializable`` which is
+        required by ``cyclonedx-python-lib`` which is required by
         ``meta-package-manager``. From pip's perspective every resource looks
         like a top-level package, so ``--not-required`` lets them through and
         they all appear as outdated.

meta_package_manager/sbom.py

@@ -39,8 +39,6 @@
 from cyclonedx.output import make_outputter
 from cyclonedx.output.json import JsonV1Dot5
 from cyclonedx.schema import OutputFormat, SchemaVersion
-from cyclonedx.validation import BaseSchemabasedValidator, make_schemabased_validator
-from cyclonedx.validation.json import JsonStrictValidator
 from extra_platforms import current_platform
 from packageurl import PackageURL
 from spdx_tools.spdx.model import (
@@ -390,25 +388,23 @@ def add_package(self, manager: PackageManager, package: Package) -> None:
         )
 
     def export(self) -> str:
-        validator: BaseSchemabasedValidator
-        if self.export_format == ExportFormat.JSON:
-            content = JsonV1Dot5(self.document).output_as_string(indent=2)
-            validator = JsonStrictValidator(SchemaVersion.V1_5)
+        """Serialize the document to its string representation.
 
-        elif self.export_format == ExportFormat.XML:
-            writer = make_outputter(self.document, OutputFormat.XML, SchemaVersion.V1_6)
-            content = writer.output_as_string(indent=2)
-            validator = make_schemabased_validator(
-                writer.output_format, writer.schema_version
-            )
+        .. note::
 
-        else:
-            raise ValueError(f"{self.export_format} not supported.")
+            Unlike :py:meth:`SPDX.export`, the generated document is not
+            validated against its schema here. CycloneDX schema validation
+            relies on ``cyclonedx-python-lib``'s ``[validation]`` extra, which
+            pulls in ``jsonschema`` and, transitively, ``rfc3987-syntax``,
+            ``lark``, and ``lxml``. To keep that stack out of ``mpm``'s runtime
+            dependencies, the validation runs in the test suite instead. See
+            ``tests/test_cli_sbom.py``.
+        """
+        if self.export_format == ExportFormat.JSON:
+            return JsonV1Dot5(self.document).output_as_string(indent=2)
 
-        logging.debug("Validate document...")
-        errors = validator.validate_str(content)
-        if errors:
-            logging.debug(content)
-            raise ValueError(f"Document is not valid. Errors: {errors}")
+        if self.export_format == ExportFormat.XML:
+            writer = make_outputter(self.document, OutputFormat.XML, SchemaVersion.V1_6)
+            return writer.output_as_string(indent=2)
 
-        return content
+        raise ValueError(f"{self.export_format} not supported.")

pyproject.toml

@@ -156,8 +156,11 @@ dependencies = [
   # by merge_default_map, which caused test isolation failures when a config
   # file was loaded in one test and affected subsequent tests.
   "click-extra>=7.16.1",
-  # cyclonedx-python-lib 11.2.0 is the first to support Python 3.14.
-  "cyclonedx-python-lib[validation]>=11.2",
+  # cyclonedx-python-lib 11.2.0 is the first to support Python 3.14. The [validation]
+  # extra is intentionally omitted: CycloneDX schema validation runs in the test suite
+  # (see tests/test_cli_sbom.py), which keeps jsonschema, rfc3987-syntax, lark, and lxml
+  # out of the runtime install.
+  "cyclonedx-python-lib>=11.2",
   # extra-platforms 10.0.0 drops the distro dependency.
   "extra-platforms>=10",
   # packageurl-python 0.16.0 is the first to support Python 3.13.
@@ -203,6 +206,10 @@ test = [
   "click-extra[pytest]",
   "click-extra[toml]",
   "coverage[toml]>=7.12",
+  # The [validation] extra provides the jsonschema-based validators used to assert
+  # generated CycloneDX SBOMs are schema-valid. Kept test-only (not a runtime dep) so
+  # the heavy validation stack stays out of the install. See tests/test_cli_sbom.py.
+  "cyclonedx-python-lib[validation]",
   "extra-platforms",
   "pytest>=9.0.1",
   "pytest-cov>=7",

tests/test_cli_sbom.py

@@ -22,6 +22,9 @@
 from xml.etree import ElementTree
 
 import pytest
+from cyclonedx.schema import OutputFormat, SchemaVersion
+from cyclonedx.validation import make_schemabased_validator
+from cyclonedx.validation.json import JsonStrictValidator
 from yaml import Loader, load
 
 from meta_package_manager.capabilities import Operations
@@ -30,6 +33,23 @@
 from .test_cli import CLISubCommandTests
 
 
+def assert_valid_cyclonedx(content: str, export_format: ExportFormat) -> None:
+    """Assert a CycloneDX export validates against its schema.
+
+    This guarantee used to live in
+    :py:meth:`meta_package_manager.sbom.CycloneDX.export` at runtime. It moved
+    here so the ``jsonschema``-based validation stack (``rfc3987-syntax``,
+    ``lark``, ``lxml``) stays out of ``mpm``'s runtime dependencies. See
+    :py:mod:`meta_package_manager.sbom`.
+    """
+    if export_format == ExportFormat.JSON:
+        validator = JsonStrictValidator(SchemaVersion.V1_5)
+    else:
+        validator = make_schemabased_validator(OutputFormat.XML, SchemaVersion.V1_6)
+    errors = validator.validate_str(content)
+    assert not errors, f"Invalid CycloneDX {export_format} export: {errors}"
+
+
 @pytest.fixture
 def subcmd():
     # The details of operations are only logged at INFO level.
@@ -182,6 +202,12 @@ def test_output_to_file(self, invoke, subcmd, export_format, standard_name):
             assert result.exit_code == 0
             self.check_manager_selection(result)
 
+            if standard_name == "CycloneDX" and export_format in (
+                ExportFormat.JSON,
+                ExportFormat.XML,
+            ):
+                assert_valid_cyclonedx(content, export_format)
+
             if export_format == ExportFormat.JSON:
                 json_content = json.loads(content)
                 assert json_content