dependabot-core 0.78.0 → 0.79.0

data/lib/dependabot/file_updaters/python/pip/requirement_replacer.rb

@@ -1,95 +0,0 @@
-# frozen_string_literal: true
-
-require "python_requirement_parser"
-require "dependabot/file_updaters/python/pip"
-require "dependabot/shared_helpers"
-
-module Dependabot
-  module FileUpdaters
-    module Python
-      class Pip
-        class RequirementReplacer
-          attr_reader :content, :dependency_name, :old_requirement,
-                      :new_requirement
-
-          def initialize(content:, dependency_name:, old_requirement:,
-                         new_requirement:)
-            @content         = content
-            @dependency_name = dependency_name
-            @old_requirement = old_requirement
-            @new_requirement = new_requirement
-          end
-
-          def updated_content
-            updated_content =
-              content.gsub(original_declaration_replacement_regex) do |mtch|
-                # If the "declaration" is setting an option (e.g., no-binary)
-                # ignore it, since it isn't actually a declaration
-                next mtch if Regexp.last_match.pre_match.match?(/--.*\z/)
-
-                updated_dependency_declaration_string(
-                  old_requirement,
-                  new_requirement
-                )
-              end
-
-            raise "Expected content to change!" if content == updated_content
-
-            updated_content
-          end
-
-          private
-
-          def original_dependency_declaration_string(old_req)
-            matches = []
-
-            dec =
-              if old_req.nil?
-                regex = PythonRequirementParser::INSTALL_REQ_WITHOUT_REQUIREMENT
-                content.scan(regex) { matches << Regexp.last_match }
-                matches.find { |m| normalise(m[:name]) == dependency_name }
-              else
-                regex = PythonRequirementParser::INSTALL_REQ_WITH_REQUIREMENT
-                content.scan(regex) { matches << Regexp.last_match }
-                matches.
-                  select { |m| normalise(m[:name]) == dependency_name }.
-                  find { |m| requirements_match(m[:requirements], old_req) }
-              end
-
-            raise "Declaration not found for #{dependency_name}!" unless dec
-
-            dec.to_s.strip
-          end
-
-          def updated_dependency_declaration_string(old_req, new_req)
-            if old_req
-              original_dependency_declaration_string(old_req).
-                sub(PythonRequirementParser::REQUIREMENTS, new_req)
-            else
-              original_dependency_declaration_string(old_req).
-                sub(PythonRequirementParser::NAME_WITH_EXTRAS) do |nm|
-                  nm + new_req
-                end
-            end
-          end
-
-          def original_declaration_replacement_regex
-            original_string =
-              original_dependency_declaration_string(old_requirement)
-            /(?<![\-\w\.])#{Regexp.escape(original_string)}(?![\-\w\.])/
-          end
-
-          # See https://www.python.org/dev/peps/pep-0503/#normalized-names
-          def normalise(name)
-            name.downcase.gsub(/[-_.]+/, "-")
-          end
-
-          def requirements_match(req1, req2)
-            req1&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort ==
-              req2&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/python/pip/setup_file_sanitizer.rb

@@ -1,91 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_updaters/python/pip"
-require "dependabot/file_parsers/python/pip/setup_file_parser"
-
-module Dependabot
-  module FileUpdaters
-    module Python
-      class Pip
-        # Take a setup.py, parses it (carefully!) and then create a new, clean
-        # setup.py using only the information which will appear in the lockfile.
-        class SetupFileSanitizer
-          def initialize(setup_file:, setup_cfg:)
-            @setup_file = setup_file
-            @setup_cfg = setup_cfg
-          end
-
-          def sanitized_content
-            # The part of the setup.py that Pipenv cares about appears to be the
-            # install_requires. A name and version are required by don't end up
-            # in the lockfile.
-            content =
-              "from setuptools import setup\n\n"\
-              "setup(name=\"sanitized-package\",version=\"0.0.1\","\
-              "install_requires=#{install_requires_array.to_json},"\
-              "extras_require=#{extras_require_hash.to_json}"
-
-            content += ',setup_requires=["pbr"],pbr=True' if include_pbr?
-            content + ")"
-          end
-
-          private
-
-          attr_reader :setup_file, :setup_cfg
-
-          def include_pbr?
-            setup_requires_array.any? { |d| d.start_with?("pbr") }
-          end
-
-          def install_requires_array
-            @install_requires_array ||=
-              parsed_setup_file.dependencies.map do |dep|
-                next unless dep.requirements.first[:groups].
-                            include?("install_requires")
-
-                dep.name + dep.requirements.first[:requirement].to_s
-              end.compact
-          end
-
-          def setup_requires_array
-            @setup_requires_array ||=
-              parsed_setup_file.dependencies.map do |dep|
-                next unless dep.requirements.first[:groups].
-                            include?("setup_requires")
-
-                dep.name + dep.requirements.first[:requirement].to_s
-              end.compact
-          end
-
-          def extras_require_hash
-            @extras_require_hash ||=
-              begin
-                hash = {}
-                parsed_setup_file.dependencies.each do |dep|
-                  dep.requirements.first[:groups].each do |group|
-                    next unless group.start_with?("extras_require:")
-
-                    hash[group.split(":").last] ||= []
-                    hash[group.split(":").last] <<
-                      dep.name + dep.requirements.first[:requirement].to_s
-                  end
-                end
-
-                hash
-              end
-          end
-
-          def parsed_setup_file
-            @parsed_setup_file ||=
-              FileParsers::Python::Pip::SetupFileParser.new(
-                dependency_files: [
-                  setup_file&.dup&.tap { |f| f.name = "setup.py" },
-                  setup_cfg&.dup&.tap { |f| f.name = "setup.cfg" }
-                ].compact
-              ).dependency_set
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/metadata_finders/python/pip.rb

@@ -1,120 +0,0 @@
-# frozen_string_literal: true
-
-require "excon"
-require "dependabot/metadata_finders/base"
-require "dependabot/shared_helpers"
-
-module Dependabot
-  module MetadataFinders
-    module Python
-      class Pip < Dependabot::MetadataFinders::Base
-        MAIN_PYPI_URL = "https://pypi.org/pypi"
-
-        def homepage_url
-          pypi_listing.dig("info", "home_page") || super
-        end
-
-        private
-
-        def look_up_source
-          potential_source_urls = [
-            pypi_listing.dig("info", "home_page"),
-            pypi_listing.dig("info", "bugtrack_url"),
-            pypi_listing.dig("info", "download_url"),
-            pypi_listing.dig("info", "docs_url")
-          ].compact
-
-          source_url = potential_source_urls.find { |url| Source.from_url(url) }
-          source_url ||= source_from_description
-          source_url ||= source_from_homepage
-
-          Source.from_url(source_url)
-        end
-
-        def source_from_description
-          github_urls = []
-          desc = pypi_listing.dig("info", "description")
-          return unless desc
-
-          desc.scan(Source::SOURCE_REGEX) do
-            github_urls << Regexp.last_match.to_s
-          end
-
-          github_urls.find do |url|
-            repo = Source.from_url(url).repo
-            repo.downcase.end_with?(dependency.name)
-          end
-        end
-
-        def source_from_homepage
-          return unless homepage_body
-
-          github_urls = []
-          homepage_body.scan(Source::SOURCE_REGEX) do
-            github_urls << Regexp.last_match.to_s
-          end
-
-          github_urls.find do |url|
-            repo = Source.from_url(url).repo
-            repo.downcase.end_with?(dependency.name)
-          end
-        end
-
-        def homepage_body
-          homepage_url = pypi_listing.dig("info", "home_page")
-
-          return unless homepage_url
-          return if homepage_url.include?("pypi.python.org")
-          return if homepage_url.include?("pypi.org")
-
-          @homepage_response ||=
-            begin
-              Excon.get(
-                homepage_url,
-                idempotent: true,
-                **SharedHelpers.excon_defaults
-              )
-            rescue Excon::Error::Timeout, Excon::Error::Socket, ArgumentError
-              nil
-            end
-
-          return unless @homepage_response&.status == 200
-
-          @homepage_response.body
-        end
-
-        def pypi_listing
-          return @pypi_listing unless @pypi_listing.nil?
-          return @pypi_listing = {} if dependency.version.include?("+")
-
-          possible_listing_urls.each do |url|
-            response = Excon.get(
-              url,
-              idempotent: true,
-              **SharedHelpers.excon_defaults
-            )
-            next unless response.status == 200
-
-            @pypi_listing = JSON.parse(response.body)
-            return @pypi_listing
-          rescue JSON::ParserError
-            next
-          end
-
-          @pypi_listing = {} # No listing found
-        end
-
-        def possible_listing_urls
-          credential_urls =
-            credentials.
-            select { |cred| cred["type"] == "python_index" }.
-            map { |cred| cred["index-url"].gsub(%r{/$}, "") }
-
-          (credential_urls + [MAIN_PYPI_URL]).map do |base_url|
-            base_url + "/#{dependency.name}/json"
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/update_checkers/python/pip.rb

@@ -1,227 +0,0 @@
-# frozen_string_literal: true
-
-require "excon"
-require "toml-rb"
-
-require "python_requirement_parser"
-require "dependabot/update_checkers/base"
-require "dependabot/shared_helpers"
-require "dependabot/utils/python/requirement"
-
-module Dependabot
-  module UpdateCheckers
-    module Python
-      class Pip < Dependabot::UpdateCheckers::Base
-        require_relative "pip/poetry_version_resolver"
-        require_relative "pip/pipfile_version_resolver"
-        require_relative "pip/pip_compile_version_resolver"
-        require_relative "pip/requirements_updater"
-        require_relative "pip/latest_version_finder"
-
-        MAIN_PYPI_INDEXES = %w(
-          https://pypi.python.org/simple/
-          https://pypi.org/simple/
-        ).freeze
-
-        def latest_version
-          @latest_version ||= fetch_latest_version
-        end
-
-        def latest_resolvable_version
-          @latest_resolvable_version ||=
-            case resolver_type
-            when :pipfile
-              PipfileVersionResolver.new(
-                resolver_args.merge(unlock_requirement: true)
-              ).latest_resolvable_version
-            when :poetry
-              PoetryVersionResolver.new(
-                resolver_args.merge(unlock_requirement: true)
-              ).latest_resolvable_version
-            when :pip_compile
-              PipCompileVersionResolver.new(
-                resolver_args.merge(unlock_requirement: true)
-              ).latest_resolvable_version
-            when :requirements
-              # pip doesn't (yet) do any dependency resolution, so if we don't
-              # have a Pipfile or a pip-compile file, we just return the latest
-              # version.
-              latest_version
-            else raise "Unexpected resolver type #{resolver_type}"
-            end
-        end
-
-        def latest_resolvable_version_with_no_unlock
-          @latest_resolvable_version_with_no_unlock ||=
-            case resolver_type
-            when :pipfile
-              PipfileVersionResolver.new(
-                resolver_args.merge(unlock_requirement: false)
-              ).latest_resolvable_version
-            when :poetry
-              PoetryVersionResolver.new(
-                resolver_args.merge(unlock_requirement: false)
-              ).latest_resolvable_version
-            when :pip_compile
-              PipCompileVersionResolver.new(
-                resolver_args.merge(unlock_requirement: false)
-              ).latest_resolvable_version
-            when :requirements
-              latest_pip_version_with_no_unlock
-            else raise "Unexpected resolver type #{resolver_type}"
-            end
-        end
-
-        def updated_requirements
-          RequirementsUpdater.new(
-            requirements: dependency.requirements,
-            latest_version: latest_version&.to_s,
-            latest_resolvable_version: latest_resolvable_version&.to_s,
-            update_strategy: requirements_update_strategy,
-            has_lockfile: !(pipfile_lock || poetry_lock || pyproject_lock).nil?
-          ).updated_requirements
-        end
-
-        def requirements_update_strategy
-          # If passed in as an option (in the base class) honour that option
-          if @requirements_update_strategy
-            return @requirements_update_strategy.to_sym
-          end
-
-          # Otherwise, check if this is a poetry library or not
-          poetry_library? ? :widen_ranges : :bump_versions
-        end
-
-        private
-
-        def latest_version_resolvable_with_full_unlock?
-          # Full unlock checks aren't implemented for pip because they're not
-          # relevant (pip doesn't have a resolver). This method always returns
-          # false to ensure `updated_dependencies_after_full_unlock` is never
-          # called.
-          false
-        end
-
-        def updated_dependencies_after_full_unlock
-          raise NotImplementedError
-        end
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        def resolver_type
-          reqs = dependency.requirements
-          req_files = reqs.map { |r| r.fetch(:file) }
-
-          # If there are no requirements then this is a sub-dependency. It
-          # must come from one of Pipenv, Poetry or pip-tools, and can't come
-          # from the first two unless they have a lockfile.
-          return subdependency_resolver if reqs.none?
-
-          # Otherwise, this is a top-level dependency, and we can figure out
-          # which resolver to use based on the filename of its requirements
-          return :pipfile if req_files.any? { |f| f == "Pipfile" }
-          return :poetry if req_files.any? { |f| f == "pyproject.toml" }
-          return :pip_compile if req_files.any? { |f| f.end_with?(".in") }
-
-          if dependency.version && !exact_requirement?(reqs)
-            subdependency_resolver
-          else
-            :requirements
-          end
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def subdependency_resolver
-          return :pipfile if pipfile_lock
-          return :poetry if poetry_lock || pyproject_lock
-          return :pip_compile if pip_compile_files.any?
-
-          raise "Claimed to be a sub-dependency, but no lockfile exists!"
-        end
-
-        def exact_requirement?(reqs)
-          reqs = reqs.map { |r| r.fetch(:requirement) }
-          reqs = reqs.compact
-          reqs = reqs.flat_map { |r| r.split(",").map(&:strip) }
-          reqs.any? { |r| Utils::Python::Requirement.new(r).exact? }
-        end
-
-        def resolver_args
-          {
-            dependency: dependency,
-            dependency_files: dependency_files,
-            credentials: credentials,
-            latest_allowable_version: latest_version
-          }
-        end
-
-        def fetch_latest_version
-          latest_version_finder.latest_version
-        end
-
-        def latest_pip_version_with_no_unlock
-          latest_version_finder.latest_version_with_no_unlock
-        end
-
-        def latest_version_finder
-          @latest_version_finder ||= LatestVersionFinder.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            credentials: credentials,
-            ignored_versions: ignored_versions
-          )
-        end
-
-        def poetry_library?
-          return false unless pyproject
-
-          # Hit PyPi and check whether there are details for a library with a
-          # matching name and description
-          details = TomlRB.parse(pyproject.content).dig("tool", "poetry")
-          return false unless details
-
-          index_response = Excon.get(
-            "https://pypi.org/pypi/#{normalised_name(details['name'])}/json",
-            idempotent: true,
-            **SharedHelpers.excon_defaults
-          )
-
-          return false unless index_response.status == 200
-
-          pypi_info = JSON.parse(index_response.body)["info"] || {}
-          pypi_info["summary"] == details["description"]
-        rescue URI::InvalidURIError
-          false
-        end
-
-        # See https://www.python.org/dev/peps/pep-0503/#normalized-names
-        def normalised_name(name)
-          name.downcase.gsub(/[-_.]+/, "-")
-        end
-
-        def pipfile
-          dependency_files.find { |f| f.name == "Pipfile" }
-        end
-
-        def pipfile_lock
-          dependency_files.find { |f| f.name == "Pipfile.lock" }
-        end
-
-        def pyproject
-          dependency_files.find { |f| f.name == "pyproject.toml" }
-        end
-
-        def pyproject_lock
-          dependency_files.find { |f| f.name == "pyproject.lock" }
-        end
-
-        def poetry_lock
-          dependency_files.find { |f| f.name == "poetry.lock" }
-        end
-
-        def pip_compile_files
-          dependency_files.select { |f| f.name.end_with?(".in") }
-        end
-      end
-    end
-  end
-end