dependabot-python 0.107.29 → 0.107.30

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df353b2040be543f084934407f04c1782139b91186d10caed3e974076098c269
-  data.tar.gz: 25f591e50432ee5d8a58ff3310897092f11e18b666cdfb0c5e84e32e2504fb15
+  metadata.gz: ad7594255569680eeb99d23ae923518ae03626c9175fbfd74a8c2de6b2e30516
+  data.tar.gz: 01b0f734d5c59c70818e9e095ce71e05960989471a7549444e71744a5a98e35c
 SHA512:
-  metadata.gz: dc4d34fa5269805adf5d7d91dc20dd0297e938bf79c8e43c017804dddc65795bd5e1c7b0ac1a3ff21514040503c83831b7fd70a57393849d2bc18f013b0effb7
-  data.tar.gz: f819ca462c000d01739c43b480e1fa88d26a031aabbb939677368f4e13baefe9ca96c51d884877370ee2f25fd28459f8e20317b3739541f36be18c9de5143007
+  metadata.gz: 215dfcb94fabeec7f58e7bdab73326b71236fe62ab1f1d4e89b748c201aafdc563158da8e1d0c1cda33ffe636d41a98a900fc886bad5e301cc7e387b2ca213ee
+  data.tar.gz: 2d7912b3e13a1ff0eb22fe6b0b326ebaa753de1dee63db3e37829d62158f9a66dd7e00961c6656ede146bb29cd4a5f23acd89d10a2c217b4d3ee8d18ce422b9d

data/lib/dependabot/python/update_checker/index_finder.rb

@@ -21,7 +21,8 @@ module Dependabot
             config_variable_index_urls[:extra] +
             pipfile_index_urls[:extra] +
             requirement_file_index_urls[:extra] +
-            pip_conf_index_urls[:extra]
+            pip_conf_index_urls[:extra] +
+            pyproject_index_urls[:extra]
 
           extra_index_urls = extra_index_urls.map do |url|
             clean_check_and_remove_environment_variables(url)
@@ -45,6 +46,7 @@ module Dependabot
             pipfile_index_urls[:main] ||
             requirement_file_index_urls[:main] ||
             pip_conf_index_urls[:main] ||
+            pyproject_index_urls[:main] ||
             PYPI_BASE_URL
 
           return unless url
@@ -102,6 +104,29 @@ module Dependabot
           urls
         end
 
+        def pyproject_index_urls
+          urls = { main: nil, extra: [] }
+
+          return urls unless pyproject
+
+          sources =
+            TomlRB.parse(pyproject.content).dig("tool", "poetry", "source") ||
+            []
+
+          sources.each do |source|
+            if source["default"]
+              urls[:main] = source["url"]
+            else
+              urls[:extra] << source["url"]
+            end
+          end
+          urls[:extra] = urls[:extra].uniq
+
+          urls
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          urls
+        end
+
         def config_variable_index_urls
           urls = { main: nil, extra: [] }
 

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -134,7 +134,7 @@ module Dependabot
             rescue Excon::Error::Timeout, Excon::Error::Socket
               raise if MAIN_PYPI_INDEXES.include?(index_url)
 
-              raise PrivateSourceAuthenticationFailure, sanitized_url
+              raise PrivateSourceTimedOut, sanitized_url
             end
         end
 

data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb

@@ -44,8 +44,6 @@ module Dependabot
           @dependency               = dependency
           @dependency_files         = dependency_files
           @credentials              = credentials
-
-          check_private_sources_are_reachable
         end
 
         def latest_resolvable_version(requirement: nil)
@@ -442,31 +440,6 @@ module Dependabot
             parsed_pipfile.dig("requires", "python_version")
         end
 
-        def check_private_sources_are_reachable
-          sources_to_check =
-            pipfile_sources.reject { |h| h["url"].include?("${") } +
-            config_variable_sources
-
-          sources_to_check.
-            map { |details| details["url"] }.
-            reject { |url| MAIN_PYPI_INDEXES.include?(url) }.
-            each do |url|
-              sanitized_url = url.gsub(%r{(?<=//).*(?=@)}, "redacted")
-
-              response = Excon.get(
-                url,
-                idempotent: true,
-                **SharedHelpers.excon_defaults
-              )
-
-              if response.status == 401 || response.status == 403
-                raise PrivateSourceAuthenticationFailure, sanitized_url
-              end
-            rescue Excon::Error::Timeout, Excon::Error::Socket
-              raise PrivateSourceTimedOut, sanitized_url
-            end
-        end
-
         def run_command(command, env: {})
           start = Time.now
           command = SharedHelpers.escape_command(command)
@@ -528,12 +501,6 @@ module Dependabot
             end
         end
 
-        def pipfile_sources
-          @pipfile_sources ||=
-            TomlRB.parse(pipfile.content).fetch("source", []).
-            map { |h| h.dup.merge("url" => h["url"].gsub(%r{/*$}, "") + "/") }
-        end
-
         def pipenv_env_variables
           {
             "PIPENV_YES" => "true",       # Install new Python ver if needed

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -14,7 +14,6 @@ require "dependabot/python/native_helpers"
 require "dependabot/python/python_versions"
 require "dependabot/python/authed_url_builder"
 
-# rubocop:disable Metrics/ClassLength
 module Dependabot
   module Python
     class UpdateChecker
@@ -33,8 +32,6 @@ module Dependabot
           @dependency               = dependency
           @dependency_files         = dependency_files
           @credentials              = credentials
-
-          check_private_sources_are_reachable
         end
 
         def latest_resolvable_version(requirement: nil)
@@ -302,31 +299,6 @@ module Dependabot
           category == "dev" ? "dev-dependencies" : "dependencies"
         end
 
-        def check_private_sources_are_reachable
-          sources_to_check =
-            pyproject_sources +
-            config_variable_sources
-
-          sources_to_check.
-            map { |details| details["url"] }.
-            reject { |url| MAIN_PYPI_INDEXES.include?(url) }.
-            each do |url|
-              sanitized_url = url.gsub(%r{(?<=//).*(?=@)}, "redacted")
-
-              response = Excon.get(
-                url,
-                idempotent: true,
-                **SharedHelpers.excon_defaults
-              )
-
-              if response.status == 401 || response.status == 403
-                raise PrivateSourceAuthenticationFailure, sanitized_url
-              end
-            rescue Excon::Error::Timeout, Excon::Error::Socket
-              raise PrivateSourceTimedOut, sanitized_url
-            end
-        end
-
         def pyproject
           dependency_files.find { |f| f.name == "pyproject.toml" }
         end
@@ -375,28 +347,7 @@ module Dependabot
         def normalise(name)
           name.downcase.gsub(/[-_.]+/, "-")
         end
-
-        def config_variable_sources
-          @config_variable_sources ||=
-            credentials.
-            select { |cred| cred["type"] == "python_index" }.
-            map do |h|
-              url = AuthedUrlBuilder.authed_url(credential: h)
-              { "url" => url.gsub(%r{/*$}, "") + "/" }
-            end
-        end
-
-        def pyproject_sources
-          sources =
-            TomlRB.parse(pyproject.content).dig("tool", "poetry", "source") ||
-            []
-
-          @pyproject_sources ||=
-            sources.
-            map { |h| h.dup.merge("url" => h["url"].gsub(%r{/*$}, "") + "/") }
-        end
       end
     end
   end
 end
-# rubocop:enable Metrics/ClassLength

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.107.29
+  version: 0.107.30
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.107.29
+        version: 0.107.30
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.107.29
+        version: 0.107.30
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement