RubyGems - dependabot-python - Versions diffs - 0.190.1 → 0.192.0 - Mend

dependabot-python 0.190.1 → 0.192.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/helpers/requirements.txt +1 -1
data/lib/dependabot/python/file_updater/poetry_file_updater.rb +7 -7
data/lib/dependabot/python/file_updater/pyproject_preparer.rb +15 -43
data/lib/dependabot/python/update_checker/poetry_version_resolver.rb +7 -8
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5917477c2b230f16b8adf2bbc978965b4d7a0f4227cb0d8ad112048e8b441631
-  data.tar.gz: 65258925be87880a73abda0d22973b2b261b7fbc715ad11a4c47282a35799a04
+  metadata.gz: 48761e51e86628775e21e4dac763aa47f4416775d10dab55383cb78104163a89
+  data.tar.gz: 7f6f6012d8a022771b150677450f8957cc0affec91e5b7d52b0c4001133dfd78
 SHA512:
-  metadata.gz: 2e1322d26a9b9f1d44c1265f8deab747a7bc0ac1a527f4d50e43e7988a1eb11a6c90ba9c441a2b2ed2ee9d8cfa87ddd1990ff26ed8751c067dab793340fc4a64
-  data.tar.gz: f3c936af5d6bec1e925161c4b58c8fe4e148b69ae33bdb0fcba13a432262c777a64038ebd1ebb817ae35569f56a4373645c3ffdd172f1b8512a55c60a3cec91c
+  metadata.gz: 94b04dd86a804367df1b59c7cfd36d2e899acf251568b973bd7551ec27497b6c1b6fe862511089a8267cffb2645692b94e1c68b91c206a0c99e6acf57f362c0b
+  data.tar.gz: 50192edfbbe5d40ff0d49cc80800a09ec15b7bb1015ce7529d8ad67809875529b7adbd0b94434af586ee7fbb50320dae56c1832630190bc7ce5b5e020faf9b85

data/helpers/requirements.txt CHANGED Viewed

@@ -1,4 +1,4 @@
-pip>=21.3.1,<=22.1.1  # Allow earlier versions to retain python 3.6 support
+pip>=21.3.1,<22.1.3  # Allow earlier versions to retain python 3.6 support
 pip-tools>=6.4.0,<=6.6.2  # Allow earlier versions to retain python 3.6 support
 flake8==4.0.1
 hashin==0.17.0

data/lib/dependabot/python/file_updater/poetry_file_updater.rb CHANGED Viewed

@@ -105,7 +105,6 @@ module Dependabot
               content = sanitize(content)
               content = freeze_other_dependencies(content)
               content = freeze_dependencies_being_updated(content)
-              content = add_private_sources(content)
               content
             end
         end
@@ -150,12 +149,6 @@ module Dependabot
           poetry_object[subdep_type][dependency.name] = dep.version
         end
-        def add_private_sources(pyproject_content)
-          PyprojectPreparer.
-            new(pyproject_content: pyproject_content).
-            replace_sources(credentials)
-        end
         def subdep_type
           category =
             TomlRB.parse(lockfile.content).fetch("package", []).
@@ -175,6 +168,7 @@ module Dependabot
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
               write_temporary_dependency_files(pyproject_content)
+              add_auth_env_vars
               if python_version && !pre_installed_python?(python_version)
                 run_poetry_command("pyenv install -s #{python_version}")
@@ -232,6 +226,12 @@ module Dependabot
           File.write("pyproject.toml", pyproject_content)
         end
+        def add_auth_env_vars
+          Python::FileUpdater::PyprojectPreparer.
+            new(pyproject_content: pyproject.content).
+            add_auth_env_vars(credentials)
+        end
         def python_version
           requirements = python_requirement_parser.user_specified_requirements
           requirements = requirements.

data/lib/dependabot/python/file_updater/pyproject_preparer.rb CHANGED Viewed

@@ -18,24 +18,22 @@ module Dependabot
           @lockfile = lockfile
         end
-        def replace_sources(credentials)
-          pyproject_object = TomlRB.parse(pyproject_content)
-          poetry_object = pyproject_object.fetch("tool").fetch("poetry")
-          sources_hash = pyproject_sources.map { |source| [source["url"], source] }.to_h
-          config_variable_sources(credentials).each do |source|
-            if sources_hash.key?(source["original_url"])
-              sources_hash[source["original_url"]]["url"] = source["url"]
-            else
-              source.delete("original_url")
-              sources_hash[source["url"]] = source
-            end
+        # For hosted Dependabot token will be nil since the credentials aren't present.
+        # This is for those running Dependabot themselves and for dry-run.
+        def add_auth_env_vars(credentials)
+          TomlRB.parse(@pyproject_content).dig("tool", "poetry", "source")&.each do |source|
+            cred = credentials&.find { |c| c["index-url"] == source["url"] }
+            next unless cred
+            token = cred.fetch("token", nil)
+            next unless token && token.count(":") == 1
+            arr = token.split(":")
+            # https://python-poetry.org/docs/configuration/#using-environment-variables
+            name = source["name"]&.upcase&.gsub(/\W/, "_")
+            ENV["POETRY_HTTP_BASIC_#{name}_USERNAME"] = arr[0]
+            ENV["POETRY_HTTP_BASIC_#{name}_PASSWORD"] = arr[1]
           end
-          poetry_object["source"] = sources_hash.values unless sources_hash.empty?
-          TomlRB.dump(pyproject_object)
         end
         def sanitize
@@ -97,32 +95,6 @@ module Dependabot
           NameNormaliser.normalise(name)
         end
-        def pyproject_sources
-          return @pyproject_sources if @pyproject_sources
-          pyproject_sources ||=
-            TomlRB.parse(pyproject_content).
-            dig("tool", "poetry", "source")
-          @pyproject_sources ||=
-            (pyproject_sources || []).
-            map { |h| h.dup.merge("url" => h["url"].gsub(%r{/*$}, "") + "/") }
-        end
-        def config_variable_sources(credentials)
-          @config_variable_sources ||=
-            credentials.
-            select { |cred| cred["type"] == "python_index" }.
-            map do |c|
-              {
-                "original_url" => c["index-url"],
-                "url" => AuthedUrlBuilder.authed_url(credential: c),
-                "name" => SecureRandom.hex[0..3],
-                "default" => c["replaces-base"]
-              }.compact
-            end
-        end
         def parsed_lockfile
           @parsed_lockfile ||= TomlRB.parse(lockfile.content)
         end

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb CHANGED Viewed

@@ -76,6 +76,7 @@ module Dependabot
             SharedHelpers.in_a_temporary_directory do
               SharedHelpers.with_git_configured(credentials: credentials) do
                 write_temporary_dependency_files(updated_req: requirement)
+                add_auth_env_vars
                 if python_version && !pre_installed_python?(python_version)
                   run_poetry_command("pyenv install -s #{python_version}")
@@ -195,6 +196,12 @@ module Dependabot
           end
         end
+        def add_auth_env_vars
+          Python::FileUpdater::PyprojectPreparer.
+            new(pyproject_content: pyproject.content).
+            add_auth_env_vars(credentials)
+        end
         def python_version
           requirements = python_requirement_parser.user_specified_requirements
           requirements = requirements.
@@ -228,7 +235,6 @@ module Dependabot
         def updated_pyproject_content(updated_requirement:)
           content = pyproject.content
           content = sanitize_pyproject_content(content)
-          content = add_private_sources(content)
           content = freeze_other_dependencies(content)
           content = set_target_dependency_req(content, updated_requirement)
           content
@@ -237,7 +243,6 @@ module Dependabot
         def sanitized_pyproject_content
           content = pyproject.content
           content = sanitize_pyproject_content(content)
-          content = add_private_sources(content)
           content
         end
@@ -247,12 +252,6 @@ module Dependabot
             sanitize
         end
-        def add_private_sources(pyproject_content)
-          Python::FileUpdater::PyprojectPreparer.
-            new(pyproject_content: pyproject_content).
-            replace_sources(credentials)
-        end
         def freeze_other_dependencies(pyproject_content)
           Python::FileUpdater::PyprojectPreparer.
             new(pyproject_content: pyproject_content, lockfile: lockfile).

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.190.1
+  version: 0.192.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-31 00:00:00.000000000 Z
+date: 2022-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.190.1
+        version: 0.192.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.190.1
+        version: 0.192.0
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement