dependabot-python 0.180.2 → 0.180.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b46cebe499916e73c9a4ec381c0de671bf2640ce94c57a175ea56ee95fb40dc9
-  data.tar.gz: 7af905744b8f3788aff72d3853609fc8915b725e1b08cfdfbc9872fc3cdbe0ab
+  metadata.gz: 640e6703b3bb9e7aead40b2c323d23ffaf6c52f3adfa09a551ca1d941f561d36
+  data.tar.gz: fa0c3160e37d6a53e074eb661b4137810e644a64498fc1f1b96e1728c3960b94
 SHA512:
-  metadata.gz: b3bb0b85bd4f4b768139cf048beafba203feb488cec3b794356bdff5facb42c82173dc434d088c11a31db331d45fabef263bbd9f67df227faad830cce5d21cc9
-  data.tar.gz: 7a0ddb89c91c6135eaba188f57c85447abb9965874d9c50121bfbd6106c842e3bb58b891d1548635f6442952ba0c3e5ce02860ebb1c3f9c05d66b9499aba24d8
+  metadata.gz: 10b638a550024566bdd242b5bbbb50c8d4db557c8ad74af19bf27268ec565303749a742365568727d00b77956dee71ec189d637984913044ad63270ec404c044
+  data.tar.gz: d23ae84a495f107d027ca8a774b6c32d3bbc95d382f84f4fb795c839ac6c7388985e22ced647c81d1df5aa2e0a64ee807a70786be28827f9bac8ab904b15d06f

data/helpers/requirements.txt

@@ -1,8 +1,8 @@
-pip==21.3.1
+pip==22.0.4
 pip-tools==6.5.1
 flake8==4.0.1
 hashin==0.17.0
-pipenv==2022.3.24
+pipenv==2022.3.28
 pipfile==0.0.2
 poetry==1.1.13
 wheel==0.37.1

data/lib/dependabot/python/requirement_parser.rb

@@ -6,7 +6,7 @@ module Dependabot
       NAME = /[a-zA-Z0-9](?:[a-zA-Z0-9\-_\.]*[a-zA-Z0-9])?/.freeze
       EXTRA = /[a-zA-Z0-9\-_\.]+/.freeze
       COMPARISON = /===|==|>=|<=|<|>|~=|!=/.freeze
-      VERSION = /[0-9]+[a-zA-Z0-9\-_\.*]*(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?/.
+      VERSION = /([1-9][0-9]*!)?[0-9]+[a-zA-Z0-9\-_.*]*(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?/.
                 freeze
       REQUIREMENT =
         /(?<comparison>#{COMPARISON})\s*\\?\s*(?<version>#{VERSION})/.freeze

data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb

@@ -25,11 +25,13 @@ module Dependabot
       # rubocop:disable Metrics/ClassLength
       class PipCompileVersionResolver
         GIT_DEPENDENCY_UNREACHABLE_REGEX =
-          /git clone --filter=blob:none -q (?<url>[^\s]+).* /.freeze
+          /git clone --filter=blob:none --quiet (?<url>[^\s]+).* /.freeze
         GIT_REFERENCE_NOT_FOUND_REGEX =
-          /egg=(?<name>\S+).*.*WARNING: Did not find branch or tag \'(?<tag>[^\n"]+)\'/m.freeze
+          /Did not find branch or tag '(?<tag>[^\n"]+)'/m.freeze
         NATIVE_COMPILATION_ERROR =
           "pip._internal.exceptions.InstallationSubprocessError: Command errored out with exit status 1:"
+        # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#configuring-metadata
+        PYTHON_PACKAGE_NAME_REGEX = /[A-Za-z0-9_\-]+/.freeze
 
         attr_reader :dependency, :dependency_files, :credentials
 
@@ -110,6 +112,7 @@ module Dependabot
         end
 
         # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/PerceivedComplexity
         def handle_pip_compile_errors(error)
           if error.message.include?("Could not find a version")
             check_original_requirements_resolvable
@@ -143,9 +146,15 @@ module Dependabot
           end
 
           if error.message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
-            name = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).
-                   named_captures.fetch("name")
-            raise GitDependencyReferenceNotFound, name
+            tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
+            constraints_section = error.message.split("Finding the best candidates:").first
+            egg_regex = /#{Regexp.escape(tag)}#egg=(#{PYTHON_PACKAGE_NAME_REGEX})/
+            name_match = constraints_section.scan(egg_regex)
+
+            # We can determine the name of the package from another part of the logger output if it has a unique tag
+            raise GitDependencyReferenceNotFound, name_match.first.first if name_match.length == 1
+
+            raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
           end
 
           if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
@@ -156,8 +165,8 @@ module Dependabot
 
           raise
         end
-
         # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/PerceivedComplexity
 
         # Needed because pip-compile's resolver isn't perfect.
         # Note: We raise errors from this method, rather than returning a

data/lib/dependabot/python/version.rb

@@ -4,16 +4,18 @@ require "dependabot/utils"
 require "rubygems_version_patch"
 
 # Python versions can include a local version identifier, which Ruby can't
-# parser. This class augments Gem::Version with local version identifier info.
+# parse. This class augments Gem::Version with local version identifier info.
 # See https://www.python.org/dev/peps/pep-0440 for details.
 
 module Dependabot
   module Python
     class Version < Gem::Version
+      attr_reader :epoch
       attr_reader :local_version
       attr_reader :post_release_version
 
-      VERSION_PATTERN = 'v?[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
+      # See https://peps.python.org/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions
+      VERSION_PATTERN = 'v?([1-9][0-9]*!)?[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
                         '(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
                         '(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?'
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
@@ -29,6 +31,11 @@ module Dependabot
         version, @local_version = version.split("+")
         version ||= ""
         version = version.gsub(/^v/, "")
+        if version.include?("!")
+          @epoch, version = version.split("!")
+        else
+          @epoch = "0"
+        end
         version = normalise_prerelease(version)
         version, @post_release_version = version.split(/\.r(?=\d)/)
         version ||= ""
@@ -45,33 +52,37 @@ module Dependabot
       end
 
       def <=>(other)
-        version_comparison = old_comp(other)
+        other = Version.new(other.to_s) unless other.is_a?(Python::Version)
+
+        epoch_comparison = epoch_comparison(other)
+        return epoch_comparison unless epoch_comparison.zero?
+
+        version_comparison = super(other)
         return version_comparison unless version_comparison.zero?
 
-        return post_version_comparison(other) unless post_version_comparison(other).zero?
+        post_version_comparison = post_version_comparison(other)
+        return post_version_comparison unless post_version_comparison.zero?
 
         local_version_comparison(other)
       end
 
+      private
+
+      def epoch_comparison(other)
+        epoch.to_i <=> other.epoch.to_i
+      end
+
       def post_version_comparison(other)
-        unless other.is_a?(Python::Version) && other.post_release_version
+        unless other.post_release_version
           return post_release_version.nil? ? 0 : 1
         end
 
         return -1 if post_release_version.nil?
 
-        # Post release versions should only ever be a single number, so we can
-        # just string-comparison them.
-        return 0 if post_release_version.to_i == other.post_release_version.to_i
-
-        post_release_version.to_i > other.post_release_version.to_i ? 1 : -1
+        post_release_version.to_i <=> other.post_release_version.to_i
       end
 
       def local_version_comparison(other)
-        unless other.is_a?(Python::Version)
-          return local_version.nil? ? 0 : 1
-        end
-
         # Local version comparison works differently in Python: `1.0.beta`
         # compares as greater than `1.0`. To accommodate, we make the
         # strings the same length before comparing.
@@ -89,8 +100,6 @@ module Dependabot
         lhsegments.count <=> rhsegments.count
       end
 
-      private
-
       def normalise_prerelease(version)
         # Python has reserved words for release states, which are treated
         # as equal (e.g., preview, pre and rc).
@@ -108,44 +117,6 @@ module Dependabot
           tr("-", ".").
           gsub(/(\d)([a-z])/i, '\1.\2')
       end
-
-      # TODO: Delete this once we're using a version of Rubygems that includes
-      # https://github.com/rubygems/rubygems/pull/2651
-      #
-      # rubocop:disable Metrics/PerceivedComplexity
-      # rubocop:disable Style/CaseEquality
-      # rubocop:disable Style/ParallelAssignment
-      # rubocop:disable Style/RedundantReturn
-      def old_comp(other)
-        return unless Gem::Version === other
-        return 0 if @version == other._version || canonical_segments == other.canonical_segments
-
-        lhsegments = canonical_segments
-        rhsegments = other.canonical_segments
-
-        lhsize = lhsegments.size
-        rhsize = rhsegments.size
-        limit  = (lhsize > rhsize ? lhsize : rhsize) - 1
-
-        i = 0
-
-        while i <= limit
-          lhs, rhs = lhsegments[i] || 0, rhsegments[i] || 0
-          i += 1
-
-          next      if lhs == rhs
-          return -1 if String  === lhs && Numeric === rhs
-          return  1 if Numeric === lhs && String  === rhs
-
-          return lhs <=> rhs
-        end
-
-        return 0
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Style/CaseEquality
-      # rubocop:enable Style/ParallelAssignment
-      # rubocop:enable Style/RedundantReturn
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.180.2
+  version: 0.180.3
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-28 00:00:00.000000000 Z
+date: 2022-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.180.2
+        version: 0.180.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.180.2
+        version: 0.180.3
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement