dependabot-python 0.211.0 → 0.212.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/requirements.txt +1 -1
- data/lib/dependabot/python/file_fetcher.rb +4 -3
- data/lib/dependabot/python/file_parser/poetry_files_parser.rb +4 -3
- data/lib/dependabot/python/file_parser/python_requirement_parser.rb +1 -2
- data/lib/dependabot/python/file_parser/setup_file_parser.rb +1 -1
- data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb +11 -11
- data/lib/dependabot/python/file_updater/pipfile_file_updater.rb +6 -4
- data/lib/dependabot/python/file_updater/poetry_file_updater.rb +1 -1
- data/lib/dependabot/python/file_updater/pyproject_preparer.rb +2 -1
- data/lib/dependabot/python/file_updater/requirement_file_updater.rb +2 -2
- data/lib/dependabot/python/file_updater/requirement_replacer.rb +2 -2
- data/lib/dependabot/python/file_updater/setup_file_sanitizer.rb +8 -8
- data/lib/dependabot/python/file_updater.rb +2 -2
- data/lib/dependabot/python/native_helpers.rb +1 -1
- data/lib/dependabot/python/update_checker/index_finder.rb +1 -1
- data/lib/dependabot/python/update_checker/latest_version_finder.rb +10 -7
- data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb +1 -1
- data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb +23 -19
- data/lib/dependabot/python/update_checker/poetry_version_resolver.rb +35 -18
- data/lib/dependabot/python/update_checker/requirements_updater.rb +1 -1
- data/lib/dependabot/python/update_checker.rb +3 -5
- metadata +22 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4862b59513a97a33d51ff8ad57b6d9815842769c87f612426ffbcd8e75a9655c
|
|
4
|
+
data.tar.gz: 9543935b3ab8027344757b41aa8ff265d823beac956a06d20d4917e75962698d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fd9e547d19f01addfdc2fcc4eeb7095bf8e886eded086772f81b9bfbd6acfb2fc6076c354c970ae5fad0691a25679d99db8eb0884121e986c1bcf39b17c041ba
|
|
7
|
+
data.tar.gz: be587fe031f132dd20d4fc023668e31d81c37608d915a9f586ca159b675302993a208b6e93209cfaedad83d08eaae1ca06f6af7eec8933bcc2c44e8a61293ccf
|
data/helpers/requirements.txt
CHANGED
|
@@ -13,6 +13,7 @@ module Dependabot
|
|
|
13
13
|
class FileFetcher < Dependabot::FileFetchers::Base
|
|
14
14
|
CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/.freeze
|
|
15
15
|
CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/.freeze
|
|
16
|
+
DEPENDENCY_TYPES = %w(packages dev-packages).freeze
|
|
16
17
|
|
|
17
18
|
def self.required_files_in?(filenames)
|
|
18
19
|
return true if filenames.any? { |name| name.end_with?(".txt", ".in") }
|
|
@@ -32,8 +33,8 @@ module Dependabot
|
|
|
32
33
|
end
|
|
33
34
|
|
|
34
35
|
def self.required_files_message
|
|
35
|
-
"Repo must contain a requirements.txt, setup.py, setup.cfg, pyproject.toml, "\
|
|
36
|
-
|
|
36
|
+
"Repo must contain a requirements.txt, setup.py, setup.cfg, pyproject.toml, " \
|
|
37
|
+
"or a Pipfile."
|
|
37
38
|
end
|
|
38
39
|
|
|
39
40
|
private
|
|
@@ -372,7 +373,7 @@ module Dependabot
|
|
|
372
373
|
return [] unless pipfile
|
|
373
374
|
|
|
374
375
|
paths = []
|
|
375
|
-
|
|
376
|
+
DEPENDENCY_TYPES.each do |dep_type|
|
|
376
377
|
next unless parsed_pipfile[dep_type]
|
|
377
378
|
|
|
378
379
|
parsed_pipfile[dep_type].each do |_, req|
|
|
@@ -61,7 +61,7 @@ module Dependabot
|
|
|
61
61
|
|
|
62
62
|
# @param req can be an Array, Hash or String that represents the constraints for a dependency
|
|
63
63
|
def parse_requirements_from(req, type)
|
|
64
|
-
[req].flatten.compact.
|
|
64
|
+
[req].flatten.compact.filter_map do |requirement|
|
|
65
65
|
next if requirement.is_a?(Hash) && (UNSUPPORTED_DEPENDENCY_TYPES & requirement.keys).any?
|
|
66
66
|
|
|
67
67
|
check_requirements(requirement)
|
|
@@ -72,7 +72,7 @@ module Dependabot
|
|
|
72
72
|
source: nil,
|
|
73
73
|
groups: [type]
|
|
74
74
|
}
|
|
75
|
-
end
|
|
75
|
+
end
|
|
76
76
|
end
|
|
77
77
|
|
|
78
78
|
# Create a DependencySet where each element has no requirement. Any
|
|
@@ -81,8 +81,9 @@ module Dependabot
|
|
|
81
81
|
def lockfile_dependencies
|
|
82
82
|
dependencies = Dependabot::FileParsers::Base::DependencySet.new
|
|
83
83
|
|
|
84
|
+
source_types = %w(directory git url)
|
|
84
85
|
parsed_lockfile.fetch("package", []).each do |details|
|
|
85
|
-
next if
|
|
86
|
+
next if source_types.include?(details.dig("source", "type"))
|
|
86
87
|
|
|
87
88
|
dependencies <<
|
|
88
89
|
Dependency.new(
|
|
@@ -33,8 +33,7 @@ module Dependabot
|
|
|
33
33
|
requirement_files.flat_map do |file|
|
|
34
34
|
file.content.lines.
|
|
35
35
|
select { |l| l.include?(";") && l.include?("python") }.
|
|
36
|
-
|
|
37
|
-
compact.
|
|
36
|
+
filter_map { |l| l.match(/python_version(?<req>.*?["'].*?['"])/) }.
|
|
38
37
|
map { |re| re.named_captures.fetch("req").gsub(/['"]/, "") }.
|
|
39
38
|
select { |r| valid_requirement?(r) }
|
|
40
39
|
end
|
|
@@ -128,7 +128,7 @@ module Dependabot
|
|
|
128
128
|
tests_require = get_regexed_req_array(TESTS_REQUIRE_REGEX)
|
|
129
129
|
extras_require = get_regexed_req_dict(EXTRAS_REQUIRE_REGEX)
|
|
130
130
|
|
|
131
|
-
tmp = "from setuptools import setup\n\n"\
|
|
131
|
+
tmp = "from setuptools import setup\n\n" \
|
|
132
132
|
"setup(name=\"sanitized-package\",version=\"0.0.1\","
|
|
133
133
|
|
|
134
134
|
tmp += "install_requires=#{install_requires}," if install_requires
|
|
@@ -71,20 +71,20 @@ module Dependabot
|
|
|
71
71
|
filenames_to_compile.each do |filename|
|
|
72
72
|
# Shell out to pip-compile, generate a new set of requirements.
|
|
73
73
|
# This is slow, as pip-compile needs to do installs.
|
|
74
|
-
name_part = "pyenv exec pip-compile "\
|
|
75
|
-
"#{pip_compile_options(filename)} -P "\
|
|
74
|
+
name_part = "pyenv exec pip-compile " \
|
|
75
|
+
"#{pip_compile_options(filename)} -P " \
|
|
76
76
|
"#{dependency.name}"
|
|
77
77
|
version_part = "#{dependency.version} #{filename}"
|
|
78
78
|
# Don't escape pyenv `dep-name==version` syntax
|
|
79
79
|
run_pip_compile_command(
|
|
80
|
-
"#{SharedHelpers.escape_command(name_part)}=="\
|
|
80
|
+
"#{SharedHelpers.escape_command(name_part)}==" \
|
|
81
81
|
"#{SharedHelpers.escape_command(version_part)}",
|
|
82
82
|
allow_unsafe_shell_command: true
|
|
83
83
|
)
|
|
84
84
|
# Run pip-compile a second time, without an update argument, to
|
|
85
85
|
# ensure it resets the right comments.
|
|
86
86
|
run_pip_compile_command(
|
|
87
|
-
"pyenv exec pip-compile #{pip_compile_options(filename)} "\
|
|
87
|
+
"pyenv exec pip-compile #{pip_compile_options(filename)} " \
|
|
88
88
|
"#{filename}"
|
|
89
89
|
)
|
|
90
90
|
end
|
|
@@ -92,7 +92,7 @@ module Dependabot
|
|
|
92
92
|
# Remove any .python-version file before parsing the reqs
|
|
93
93
|
FileUtils.remove_entry(".python-version", true)
|
|
94
94
|
|
|
95
|
-
dependency_files.
|
|
95
|
+
dependency_files.filter_map do |file|
|
|
96
96
|
next unless file.name.end_with?(".txt")
|
|
97
97
|
|
|
98
98
|
updated_content = File.read(file.name)
|
|
@@ -102,12 +102,12 @@ module Dependabot
|
|
|
102
102
|
next if updated_content == file.content
|
|
103
103
|
|
|
104
104
|
file.dup.tap { |f| f.content = updated_content }
|
|
105
|
-
end
|
|
105
|
+
end
|
|
106
106
|
end
|
|
107
107
|
end
|
|
108
108
|
|
|
109
109
|
def update_manifest_files
|
|
110
|
-
dependency_files.
|
|
110
|
+
dependency_files.filter_map do |file|
|
|
111
111
|
next unless file.name.end_with?(".in")
|
|
112
112
|
|
|
113
113
|
file = file.dup
|
|
@@ -116,7 +116,7 @@ module Dependabot
|
|
|
116
116
|
|
|
117
117
|
file.content = updated_content
|
|
118
118
|
file
|
|
119
|
-
end
|
|
119
|
+
end
|
|
120
120
|
end
|
|
121
121
|
|
|
122
122
|
def update_uncompiled_files(updated_files)
|
|
@@ -132,7 +132,7 @@ module Dependabot
|
|
|
132
132
|
reject { |file| updated_filenames.include?(file.name) }
|
|
133
133
|
|
|
134
134
|
args = dependency.to_h
|
|
135
|
-
args = args.keys.
|
|
135
|
+
args = args.keys.to_h { |k| [k.to_sym, args[k]] }
|
|
136
136
|
args[:requirements] = new_reqs
|
|
137
137
|
args[:previous_requirements] = old_reqs
|
|
138
138
|
|
|
@@ -224,7 +224,7 @@ module Dependabot
|
|
|
224
224
|
|
|
225
225
|
run_command("pyenv install -s #{python_version}")
|
|
226
226
|
run_command("pyenv exec pip install --upgrade pip")
|
|
227
|
-
run_command("pyenv exec pip install -r "\
|
|
227
|
+
run_command("pyenv exec pip install -r " \
|
|
228
228
|
"#{NativeHelpers.python_requirements_path}")
|
|
229
229
|
end
|
|
230
230
|
|
|
@@ -352,7 +352,7 @@ module Dependabot
|
|
|
352
352
|
end
|
|
353
353
|
|
|
354
354
|
def deps_to_augment_hashes_for(updated_content, original_content)
|
|
355
|
-
regex = /^#{RequirementParser::INSTALL_REQ_WITH_REQUIREMENT}/
|
|
355
|
+
regex = /^#{RequirementParser::INSTALL_REQ_WITH_REQUIREMENT}/o
|
|
356
356
|
|
|
357
357
|
new_matches = []
|
|
358
358
|
updated_content.scan(regex) { new_matches << Regexp.last_match }
|
|
@@ -18,6 +18,8 @@ module Dependabot
|
|
|
18
18
|
require_relative "pipfile_manifest_updater"
|
|
19
19
|
require_relative "setup_file_sanitizer"
|
|
20
20
|
|
|
21
|
+
DEPENDENCY_TYPES = %w(packages dev-packages).freeze
|
|
22
|
+
|
|
21
23
|
attr_reader :dependencies, :dependency_files, :credentials
|
|
22
24
|
|
|
23
25
|
def initialize(dependencies:, dependency_files:, credentials:)
|
|
@@ -145,7 +147,7 @@ module Dependabot
|
|
|
145
147
|
pipfile_object = TomlRB.parse(pipfile_content)
|
|
146
148
|
|
|
147
149
|
dependencies.each do |dep|
|
|
148
|
-
|
|
150
|
+
DEPENDENCY_TYPES.each do |type|
|
|
149
151
|
names = pipfile_object[type]&.keys || []
|
|
150
152
|
pkg_name = names.find { |nm| normalise(nm) == dep.name }
|
|
151
153
|
next unless pkg_name || subdep_type?(type)
|
|
@@ -350,9 +352,9 @@ module Dependabot
|
|
|
350
352
|
|
|
351
353
|
# Otherwise we have to raise, giving details of the Python versions
|
|
352
354
|
# that Dependabot supports
|
|
353
|
-
msg = "Dependabot detected the following Python requirement "\
|
|
354
|
-
"for your project: '#{requirement_string}'.\n\nCurrently, the "\
|
|
355
|
-
"following Python versions are supported in Dependabot: "\
|
|
355
|
+
msg = "Dependabot detected the following Python requirement " \
|
|
356
|
+
"for your project: '#{requirement_string}'.\n\nCurrently, the " \
|
|
357
|
+
"following Python versions are supported in Dependabot: " \
|
|
356
358
|
"#{PythonVersions::SUPPORTED_VERSIONS.join(', ')}."
|
|
357
359
|
raise DependencyFileNotResolvable, msg
|
|
358
360
|
end
|
|
@@ -173,7 +173,7 @@ module Dependabot
|
|
|
173
173
|
if python_version && !pre_installed_python?(python_version)
|
|
174
174
|
run_poetry_command("pyenv install -s #{python_version}")
|
|
175
175
|
run_poetry_command("pyenv exec pip install --upgrade pip")
|
|
176
|
-
run_poetry_command("pyenv exec pip install -r"\
|
|
176
|
+
run_poetry_command("pyenv exec pip install -r" \
|
|
177
177
|
"#{NativeHelpers.python_requirements_path}")
|
|
178
178
|
end
|
|
179
179
|
|
|
@@ -55,6 +55,7 @@ module Dependabot
|
|
|
55
55
|
Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
|
|
56
56
|
next unless poetry_object[key]
|
|
57
57
|
|
|
58
|
+
source_types = %w(directory file url)
|
|
58
59
|
poetry_object.fetch(key).each do |dep_name, _|
|
|
59
60
|
next if excluded_names.include?(normalise(dep_name))
|
|
60
61
|
|
|
@@ -62,7 +63,7 @@ module Dependabot
|
|
|
62
63
|
|
|
63
64
|
next unless (locked_version = locked_details&.fetch("version"))
|
|
64
65
|
|
|
65
|
-
next if
|
|
66
|
+
next if source_types.include?(locked_details&.dig("source", "type"))
|
|
66
67
|
|
|
67
68
|
if locked_details&.dig("source", "type") == "git"
|
|
68
69
|
poetry_object[key][dep_name] = {
|
|
@@ -36,7 +36,7 @@ module Dependabot
|
|
|
36
36
|
def fetch_updated_dependency_files
|
|
37
37
|
reqs = dependency.requirements.zip(dependency.previous_requirements)
|
|
38
38
|
|
|
39
|
-
reqs.
|
|
39
|
+
reqs.filter_map do |(new_req, old_req)|
|
|
40
40
|
next if new_req == old_req
|
|
41
41
|
|
|
42
42
|
file = get_original_file(new_req.fetch(:file)).dup
|
|
@@ -46,7 +46,7 @@ module Dependabot
|
|
|
46
46
|
|
|
47
47
|
file.content = updated_content
|
|
48
48
|
file
|
|
49
|
-
end
|
|
49
|
+
end
|
|
50
50
|
end
|
|
51
51
|
|
|
52
52
|
def updated_requirement_or_setup_file_content(new_req, old_req)
|
|
@@ -52,7 +52,7 @@ module Dependabot
|
|
|
52
52
|
if add_space_after_operators?
|
|
53
53
|
new_req_string =
|
|
54
54
|
new_req_string.
|
|
55
|
-
gsub(/(#{RequirementParser::COMPARISON})\s*(?=\d)
|
|
55
|
+
gsub(/(#{RequirementParser::COMPARISON})\s*(?=\d)/o, '\1 ')
|
|
56
56
|
end
|
|
57
57
|
|
|
58
58
|
new_req_string
|
|
@@ -92,7 +92,7 @@ module Dependabot
|
|
|
92
92
|
def add_space_after_operators?
|
|
93
93
|
original_dependency_declaration_string(old_requirement).
|
|
94
94
|
match(RequirementParser::REQUIREMENTS).
|
|
95
|
-
to_s.match?(/#{RequirementParser::COMPARISON}\s+\d/)
|
|
95
|
+
to_s.match?(/#{RequirementParser::COMPARISON}\s+\d/o)
|
|
96
96
|
end
|
|
97
97
|
|
|
98
98
|
def original_declaration_replacement_regex
|
|
@@ -19,9 +19,9 @@ module Dependabot
|
|
|
19
19
|
# install_requires. A name and version are required by don't end up
|
|
20
20
|
# in the lockfile.
|
|
21
21
|
content =
|
|
22
|
-
"from setuptools import setup\n\n"\
|
|
23
|
-
"setup(name=\"sanitized-package\",version=\"0.0.1\","\
|
|
24
|
-
"install_requires=#{install_requires_array.to_json},"\
|
|
22
|
+
"from setuptools import setup\n\n" \
|
|
23
|
+
"setup(name=\"sanitized-package\",version=\"0.0.1\"," \
|
|
24
|
+
"install_requires=#{install_requires_array.to_json}," \
|
|
25
25
|
"extras_require=#{extras_require_hash.to_json}"
|
|
26
26
|
|
|
27
27
|
content += ',setup_requires=["pbr"],pbr=True' if include_pbr?
|
|
@@ -38,22 +38,22 @@ module Dependabot
|
|
|
38
38
|
|
|
39
39
|
def install_requires_array
|
|
40
40
|
@install_requires_array ||=
|
|
41
|
-
parsed_setup_file.dependencies.
|
|
41
|
+
parsed_setup_file.dependencies.filter_map do |dep|
|
|
42
42
|
next unless dep.requirements.first[:groups].
|
|
43
43
|
include?("install_requires")
|
|
44
44
|
|
|
45
45
|
dep.name + dep.requirements.first[:requirement].to_s
|
|
46
|
-
end
|
|
46
|
+
end
|
|
47
47
|
end
|
|
48
48
|
|
|
49
49
|
def setup_requires_array
|
|
50
50
|
@setup_requires_array ||=
|
|
51
|
-
parsed_setup_file.dependencies.
|
|
51
|
+
parsed_setup_file.dependencies.filter_map do |dep|
|
|
52
52
|
next unless dep.requirements.first[:groups].
|
|
53
53
|
include?("setup_requires")
|
|
54
54
|
|
|
55
55
|
dep.name + dep.requirements.first[:requirement].to_s
|
|
56
|
-
end
|
|
56
|
+
end
|
|
57
57
|
end
|
|
58
58
|
|
|
59
59
|
def extras_require_hash
|
|
@@ -66,7 +66,7 @@ module Dependabot
|
|
|
66
66
|
|
|
67
67
|
hash[group.split(":").last] ||= []
|
|
68
68
|
hash[group.split(":").last] <<
|
|
69
|
-
dep.name + dep.requirements.first[:requirement].to_s
|
|
69
|
+
(dep.name + dep.requirements.first[:requirement].to_s)
|
|
70
70
|
end
|
|
71
71
|
end
|
|
72
72
|
|
|
@@ -60,8 +60,8 @@ module Dependabot
|
|
|
60
60
|
|
|
61
61
|
# Otherwise, this is a top-level dependency, and we can figure out
|
|
62
62
|
# which resolver to use based on the filename of its requirements
|
|
63
|
-
return :pipfile if changed_req_files.any?
|
|
64
|
-
return :poetry if changed_req_files.any?
|
|
63
|
+
return :pipfile if changed_req_files.any?("Pipfile")
|
|
64
|
+
return :poetry if changed_req_files.any?("pyproject.toml")
|
|
65
65
|
return :pip_compile if changed_req_files.any? { |f| f.end_with?(".in") }
|
|
66
66
|
|
|
67
67
|
:requirements
|
|
@@ -171,7 +171,7 @@ module Dependabot
|
|
|
171
171
|
authed_url = config_variable_urls.find { |u| u.match?(regexp) }
|
|
172
172
|
return authed_url if authed_url
|
|
173
173
|
|
|
174
|
-
cleaned_url = url.gsub(%r{#{ENVIRONMENT_VARIABLE_REGEX}/?}, "")
|
|
174
|
+
cleaned_url = url.gsub(%r{#{ENVIRONMENT_VARIABLE_REGEX}/?}o, "")
|
|
175
175
|
authed_url = authed_base_url(cleaned_url)
|
|
176
176
|
return authed_url if credential_for(cleaned_url)
|
|
177
177
|
|
|
@@ -85,14 +85,14 @@ module Dependabot
|
|
|
85
85
|
end
|
|
86
86
|
|
|
87
87
|
def filter_unsupported_versions(versions_array, python_version)
|
|
88
|
-
versions_array.
|
|
88
|
+
versions_array.filter_map do |details|
|
|
89
89
|
python_requirement = details.fetch(:python_requirement)
|
|
90
90
|
next details.fetch(:version) unless python_version
|
|
91
91
|
next details.fetch(:version) unless python_requirement
|
|
92
92
|
next unless python_requirement.satisfied_by?(python_version)
|
|
93
93
|
|
|
94
94
|
details.fetch(:version)
|
|
95
|
-
end
|
|
95
|
+
end
|
|
96
96
|
end
|
|
97
97
|
|
|
98
98
|
def filter_prerelease_versions(versions_array)
|
|
@@ -118,9 +118,9 @@ module Dependabot
|
|
|
118
118
|
end
|
|
119
119
|
|
|
120
120
|
def filter_out_of_range_versions(versions_array)
|
|
121
|
-
reqs = dependency.requirements.
|
|
121
|
+
reqs = dependency.requirements.filter_map do |r|
|
|
122
122
|
requirement_class.requirements_array(r.fetch(:requirement))
|
|
123
|
-
end
|
|
123
|
+
end
|
|
124
124
|
|
|
125
125
|
versions_array.
|
|
126
126
|
select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
|
|
@@ -144,11 +144,14 @@ module Dependabot
|
|
|
144
144
|
@available_versions ||=
|
|
145
145
|
index_urls.flat_map do |index_url|
|
|
146
146
|
sanitized_url = index_url.gsub(%r{(?<=//).*(?=@)}, "redacted")
|
|
147
|
+
|
|
147
148
|
index_response = registry_response_for_dependency(index_url)
|
|
149
|
+
if index_response.status == 401 || index_response.status == 403
|
|
150
|
+
registry_index_response = registry_index_response(index_url)
|
|
148
151
|
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
+
if registry_index_response.status == 401 || registry_index_response.status == 403
|
|
153
|
+
raise PrivateSourceAuthenticationFailure, sanitized_url
|
|
154
|
+
end
|
|
152
155
|
end
|
|
153
156
|
|
|
154
157
|
version_links = []
|
|
@@ -318,7 +318,7 @@ module Dependabot
|
|
|
318
318
|
|
|
319
319
|
run_command("pyenv install -s #{python_version}")
|
|
320
320
|
run_command("pyenv exec pip install --upgrade pip")
|
|
321
|
-
run_command("pyenv exec pip install -r"\
|
|
321
|
+
run_command("pyenv exec pip install -r" \
|
|
322
322
|
"#{NativeHelpers.python_requirements_path}")
|
|
323
323
|
end
|
|
324
324
|
|
|
@@ -29,12 +29,13 @@ module Dependabot
|
|
|
29
29
|
# just raise if the latest version can't be resolved. Knowing that is
|
|
30
30
|
# still better than nothing, though.
|
|
31
31
|
class PipenvVersionResolver
|
|
32
|
+
# rubocop:disable Layout/LineLength
|
|
32
33
|
GIT_DEPENDENCY_UNREACHABLE_REGEX =
|
|
33
34
|
/git clone -q (?<url>[^\s]+).* /.freeze
|
|
34
35
|
GIT_REFERENCE_NOT_FOUND_REGEX =
|
|
35
36
|
%r{git checkout -q (?<tag>[^\n"]+)\n?[^\n]*/(?<name>.*?)(\\n'\]|$)}m.
|
|
36
37
|
freeze
|
|
37
|
-
PIPENV_INSTALLATION_ERROR = "pipenv.patched.notpip._internal.exceptions.InstallationError: Command errored out"\
|
|
38
|
+
PIPENV_INSTALLATION_ERROR = "pipenv.patched.notpip._internal.exceptions.InstallationError: Command errored out" \
|
|
38
39
|
" with exit status 1: python setup.py egg_info"
|
|
39
40
|
TRACEBACK = "Traceback (most recent call last):"
|
|
40
41
|
PIPENV_INSTALLATION_ERROR_REGEX =
|
|
@@ -44,6 +45,9 @@ module Dependabot
|
|
|
44
45
|
UNSUPPORTED_DEP_REGEX =
|
|
45
46
|
/Could not find a version that satisfies the requirement.*(?:#{UNSUPPORTED_DEPS.join("|")})/.freeze
|
|
46
47
|
PIPENV_RANGE_WARNING = /Warning:\sPython\s[<>].* was not found/.freeze
|
|
48
|
+
# rubocop:enable Layout/LineLength
|
|
49
|
+
|
|
50
|
+
DEPENDENCY_TYPES = %w(packages dev-packages).freeze
|
|
47
51
|
|
|
48
52
|
attr_reader :dependency, :dependency_files, :credentials
|
|
49
53
|
|
|
@@ -136,20 +140,20 @@ module Dependabot
|
|
|
136
140
|
end
|
|
137
141
|
|
|
138
142
|
if error.message.match?(UNSUPPORTED_DEP_REGEX)
|
|
139
|
-
msg = "Dependabot detected a dependency that can't be built on "\
|
|
140
|
-
"linux. Currently, all Dependabot builds happen on linux "\
|
|
141
|
-
"boxes, so there is no way for Dependabot to resolve your "\
|
|
142
|
-
"dependency files.\n\n"\
|
|
143
|
-
"Unless you think Dependabot has made a mistake (please "\
|
|
144
|
-
"tag us if so) you may wish to disable Dependabot on this "\
|
|
143
|
+
msg = "Dependabot detected a dependency that can't be built on " \
|
|
144
|
+
"linux. Currently, all Dependabot builds happen on linux " \
|
|
145
|
+
"boxes, so there is no way for Dependabot to resolve your " \
|
|
146
|
+
"dependency files.\n\n" \
|
|
147
|
+
"Unless you think Dependabot has made a mistake (please " \
|
|
148
|
+
"tag us if so) you may wish to disable Dependabot on this " \
|
|
145
149
|
"repo."
|
|
146
150
|
raise DependencyFileNotResolvable, msg
|
|
147
151
|
end
|
|
148
152
|
|
|
149
153
|
if error.message.match?(PIPENV_RANGE_WARNING)
|
|
150
|
-
msg = "Pipenv does not support specifying Python ranges "\
|
|
151
|
-
|
|
152
|
-
|
|
154
|
+
msg = "Pipenv does not support specifying Python ranges " \
|
|
155
|
+
"(see https://github.com/pypa/pipenv/issues/1050 for more " \
|
|
156
|
+
"details)."
|
|
153
157
|
raise DependencyFileNotResolvable, msg
|
|
154
158
|
end
|
|
155
159
|
|
|
@@ -159,7 +163,7 @@ module Dependabot
|
|
|
159
163
|
|
|
160
164
|
if error.message.include?("SyntaxError: invalid syntax")
|
|
161
165
|
raise DependencyFileNotResolvable,
|
|
162
|
-
"SyntaxError while installing dependencies. Is one of the dependencies not Python 3 compatible? "\
|
|
166
|
+
"SyntaxError while installing dependencies. Is one of the dependencies not Python 3 compatible? " \
|
|
163
167
|
"Pip v21 no longer supports Python 2."
|
|
164
168
|
end
|
|
165
169
|
|
|
@@ -272,9 +276,9 @@ module Dependabot
|
|
|
272
276
|
dependency_name = error_message.match(PIPENV_INSTALLATION_ERROR_REGEX).named_captures["name"]
|
|
273
277
|
raise unless dependency_name
|
|
274
278
|
|
|
275
|
-
msg = "Pipenv failed to install \"#{dependency_name}\". This could be caused by missing system "\
|
|
276
|
-
"dependencies that can't be installed by Dependabot or required installation flags.\n\n"\
|
|
277
|
-
"Error output from running \"pipenv lock\":\n"\
|
|
279
|
+
msg = "Pipenv failed to install \"#{dependency_name}\". This could be caused by missing system " \
|
|
280
|
+
"dependencies that can't be installed by Dependabot or required installation flags.\n\n" \
|
|
281
|
+
"Error output from running \"pipenv lock\":\n" \
|
|
278
282
|
"#{clean_error_message(error_message)}"
|
|
279
283
|
|
|
280
284
|
raise DependencyFileNotResolvable, msg
|
|
@@ -324,7 +328,7 @@ module Dependabot
|
|
|
324
328
|
requirements_path = NativeHelpers.python_requirements_path
|
|
325
329
|
run_command("pyenv install -s #{python_version}")
|
|
326
330
|
run_command("pyenv exec pip install --upgrade pip")
|
|
327
|
-
run_command("pyenv exec pip install -r "\
|
|
331
|
+
run_command("pyenv exec pip install -r " \
|
|
328
332
|
"#{requirements_path}")
|
|
329
333
|
end
|
|
330
334
|
|
|
@@ -361,7 +365,7 @@ module Dependabot
|
|
|
361
365
|
|
|
362
366
|
pipfile_object = TomlRB.parse(pipfile_content)
|
|
363
367
|
|
|
364
|
-
|
|
368
|
+
DEPENDENCY_TYPES.each do |type|
|
|
365
369
|
names = pipfile_object[type]&.keys || []
|
|
366
370
|
pkg_name = names.find { |nm| normalise(nm) == dependency.name }
|
|
367
371
|
next unless pkg_name || subdep_type?(type)
|
|
@@ -429,9 +433,9 @@ module Dependabot
|
|
|
429
433
|
|
|
430
434
|
# Otherwise we have to raise, giving details of the Python versions
|
|
431
435
|
# that Dependabot supports
|
|
432
|
-
msg = "Dependabot detected the following Python requirement "\
|
|
433
|
-
"for your project: '#{requirement_string}'.\n\nCurrently, the "\
|
|
434
|
-
"following Python versions are supported in Dependabot: "\
|
|
436
|
+
msg = "Dependabot detected the following Python requirement " \
|
|
437
|
+
"for your project: '#{requirement_string}'.\n\nCurrently, the " \
|
|
438
|
+
"following Python versions are supported in Dependabot: " \
|
|
435
439
|
"#{PythonVersions::SUPPORTED_VERSIONS.join(', ')}."
|
|
436
440
|
raise DependencyFileNotResolvable, msg
|
|
437
441
|
end
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
require "excon"
|
|
4
4
|
require "toml-rb"
|
|
5
5
|
require "open3"
|
|
6
|
+
require "uri"
|
|
6
7
|
require "dependabot/dependency"
|
|
7
8
|
require "dependabot/errors"
|
|
8
9
|
require "dependabot/shared_helpers"
|
|
@@ -23,18 +24,26 @@ module Dependabot
|
|
|
23
24
|
# This class does version resolution for pyproject.toml files.
|
|
24
25
|
class PoetryVersionResolver
|
|
25
26
|
GIT_REFERENCE_NOT_FOUND_REGEX = /
|
|
26
|
-
'git'.*pypoetry-git-(?<name>.+?).{8}',
|
|
27
|
+
(?:'git'.*pypoetry-git-(?<name>.+?).{8}',
|
|
27
28
|
'checkout',
|
|
28
29
|
'(?<tag>.+?)'
|
|
29
|
-
|
|
30
|
+
|
|
|
31
|
+
...Failedtoclone
|
|
32
|
+
(?<url>.+?).gitat'(?<tag>.+?)',
|
|
33
|
+
verifyrefexistsonremote)
|
|
34
|
+
/x.freeze # TODO: remove the first clause and | when py3.6 support is EoL
|
|
30
35
|
GIT_DEPENDENCY_UNREACHABLE_REGEX = /
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
36
|
+
(?:'\['git',
|
|
37
|
+
\s+'clone',
|
|
38
|
+
\s+'--recurse-submodules',
|
|
39
|
+
\s+'(--)?',
|
|
40
|
+
\s+'(?<url>.+?)'.*
|
|
41
|
+
\s+exit\s+status\s+128
|
|
42
|
+
|
|
|
43
|
+
\s+Failed\sto\sclone
|
|
44
|
+
\s+(?<url>.+?),
|
|
45
|
+
\s+check\syour\sgit\sconfiguration)
|
|
46
|
+
/mx.freeze # TODO: remove the first clause and | when py3.6 support is EoL
|
|
38
47
|
|
|
39
48
|
attr_reader :dependency, :dependency_files, :credentials
|
|
40
49
|
|
|
@@ -61,7 +70,8 @@ module Dependabot
|
|
|
61
70
|
false
|
|
62
71
|
end
|
|
63
72
|
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
64
|
-
raise unless e.message.include?("SolverProblemError")
|
|
73
|
+
raise unless e.message.include?("SolverProblemError") || # TODO: Remove once py3.6 is EoL
|
|
74
|
+
e.message.include?("version solving failed.")
|
|
65
75
|
|
|
66
76
|
@resolvable[version] = false
|
|
67
77
|
end
|
|
@@ -82,7 +92,7 @@ module Dependabot
|
|
|
82
92
|
run_poetry_command("pyenv install -s #{python_version}")
|
|
83
93
|
run_poetry_command("pyenv exec pip install --upgrade pip")
|
|
84
94
|
run_poetry_command(
|
|
85
|
-
"pyenv exec pip install -r "\
|
|
95
|
+
"pyenv exec pip install -r " \
|
|
86
96
|
"#{NativeHelpers.python_requirements_path}"
|
|
87
97
|
)
|
|
88
98
|
end
|
|
@@ -118,8 +128,13 @@ module Dependabot
|
|
|
118
128
|
def handle_poetry_errors(error)
|
|
119
129
|
if error.message.gsub(/\s/, "").match?(GIT_REFERENCE_NOT_FOUND_REGEX)
|
|
120
130
|
message = error.message.gsub(/\s/, "")
|
|
121
|
-
|
|
122
|
-
|
|
131
|
+
match = message.match(GIT_REFERENCE_NOT_FOUND_REGEX)
|
|
132
|
+
name = if (url = match.named_captures.fetch("url"))
|
|
133
|
+
File.basename(URI.parse(url).path)
|
|
134
|
+
else
|
|
135
|
+
message.match(GIT_REFERENCE_NOT_FOUND_REGEX).
|
|
136
|
+
named_captures.fetch("name")
|
|
137
|
+
end
|
|
123
138
|
raise GitDependencyReferenceNotFound, name
|
|
124
139
|
end
|
|
125
140
|
|
|
@@ -130,7 +145,8 @@ module Dependabot
|
|
|
130
145
|
end
|
|
131
146
|
|
|
132
147
|
raise unless error.message.include?("SolverProblemError") ||
|
|
133
|
-
error.message.include?("PackageNotFound")
|
|
148
|
+
error.message.include?("PackageNotFound") ||
|
|
149
|
+
error.message.include?("version solving failed.")
|
|
134
150
|
|
|
135
151
|
check_original_requirements_resolvable
|
|
136
152
|
|
|
@@ -161,7 +177,8 @@ module Dependabot
|
|
|
161
177
|
@original_reqs_resolvable = true
|
|
162
178
|
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
163
179
|
raise unless e.message.include?("SolverProblemError") ||
|
|
164
|
-
e.message.include?("PackageNotFound")
|
|
180
|
+
e.message.include?("PackageNotFound") ||
|
|
181
|
+
e.message.include?("version solving failed.")
|
|
165
182
|
|
|
166
183
|
msg = clean_error_message(e.message)
|
|
167
184
|
raise DependencyFileNotResolvable, msg
|
|
@@ -214,9 +231,9 @@ module Dependabot
|
|
|
214
231
|
end
|
|
215
232
|
return version if version
|
|
216
233
|
|
|
217
|
-
msg = "Dependabot detected the following Python requirements "\
|
|
218
|
-
"for your project: '#{requirements}'.\n\nCurrently, the "\
|
|
219
|
-
"following Python versions are supported in Dependabot: "\
|
|
234
|
+
msg = "Dependabot detected the following Python requirements " \
|
|
235
|
+
"for your project: '#{requirements}'.\n\nCurrently, the " \
|
|
236
|
+
"following Python versions are supported in Dependabot: " \
|
|
220
237
|
"#{PythonVersions::SUPPORTED_VERSIONS.join(', ')}."
|
|
221
238
|
raise DependencyFileNotResolvable, msg
|
|
222
239
|
end
|
|
@@ -260,7 +260,7 @@ module Dependabot
|
|
|
260
260
|
# Updates the version in a constraint to be the given version
|
|
261
261
|
def bump_version(req_string, version_to_be_permitted)
|
|
262
262
|
old_version = req_string.
|
|
263
|
-
match(/(#{RequirementParser::VERSION})/).
|
|
263
|
+
match(/(#{RequirementParser::VERSION})/o).
|
|
264
264
|
captures.first
|
|
265
265
|
|
|
266
266
|
req_string.sub(
|
|
@@ -132,7 +132,6 @@ module Dependabot
|
|
|
132
132
|
resolver.resolvable?(version: fix_version) ? fix_version : nil
|
|
133
133
|
end
|
|
134
134
|
|
|
135
|
-
# rubocop:disable Metrics/PerceivedComplexity
|
|
136
135
|
def resolver_type
|
|
137
136
|
reqs = dependency.requirements
|
|
138
137
|
req_files = reqs.map { |r| r.fetch(:file) }
|
|
@@ -144,8 +143,8 @@ module Dependabot
|
|
|
144
143
|
|
|
145
144
|
# Otherwise, this is a top-level dependency, and we can figure out
|
|
146
145
|
# which resolver to use based on the filename of its requirements
|
|
147
|
-
return :pipenv if req_files.any?
|
|
148
|
-
return :poetry if req_files.any?
|
|
146
|
+
return :pipenv if req_files.any?("Pipfile")
|
|
147
|
+
return :poetry if req_files.any?("pyproject.toml")
|
|
149
148
|
return :pip_compile if req_files.any? { |f| f.end_with?(".in") }
|
|
150
149
|
|
|
151
150
|
if dependency.version && !exact_requirement?(reqs)
|
|
@@ -154,7 +153,6 @@ module Dependabot
|
|
|
154
153
|
:requirements
|
|
155
154
|
end
|
|
156
155
|
end
|
|
157
|
-
# rubocop:enable Metrics/PerceivedComplexity
|
|
158
156
|
|
|
159
157
|
def subdependency_resolver
|
|
160
158
|
return :pipenv if pipfile_lock
|
|
@@ -238,7 +236,7 @@ module Dependabot
|
|
|
238
236
|
return ">= #{dependency.version}" if dependency.version
|
|
239
237
|
|
|
240
238
|
version_for_requirement =
|
|
241
|
-
dependency.requirements.
|
|
239
|
+
dependency.requirements.filter_map { |r| r[:requirement] }.
|
|
242
240
|
reject { |req_string| req_string.start_with?("<") }.
|
|
243
241
|
select { |req_string| req_string.match?(VERSION_REGEX) }.
|
|
244
242
|
map { |req_string| req_string.match(VERSION_REGEX) }.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-python
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.212.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-09-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.212.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.212.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debase
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -86,14 +86,14 @@ dependencies:
|
|
|
86
86
|
requirements:
|
|
87
87
|
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: 3.
|
|
89
|
+
version: 3.12.0
|
|
90
90
|
type: :development
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: 3.
|
|
96
|
+
version: 3.12.0
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: rake
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -142,14 +142,28 @@ dependencies:
|
|
|
142
142
|
requirements:
|
|
143
143
|
- - "~>"
|
|
144
144
|
- !ruby/object:Gem::Version
|
|
145
|
-
version: 1.
|
|
145
|
+
version: 1.36.0
|
|
146
146
|
type: :development
|
|
147
147
|
prerelease: false
|
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
|
149
149
|
requirements:
|
|
150
150
|
- - "~>"
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
|
-
version: 1.
|
|
152
|
+
version: 1.36.0
|
|
153
|
+
- !ruby/object:Gem::Dependency
|
|
154
|
+
name: rubocop-performance
|
|
155
|
+
requirement: !ruby/object:Gem::Requirement
|
|
156
|
+
requirements:
|
|
157
|
+
- - "~>"
|
|
158
|
+
- !ruby/object:Gem::Version
|
|
159
|
+
version: 1.14.2
|
|
160
|
+
type: :development
|
|
161
|
+
prerelease: false
|
|
162
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
163
|
+
requirements:
|
|
164
|
+
- - "~>"
|
|
165
|
+
- !ruby/object:Gem::Version
|
|
166
|
+
version: 1.14.2
|
|
153
167
|
- !ruby/object:Gem::Dependency
|
|
154
168
|
name: ruby-debug-ide
|
|
155
169
|
requirement: !ruby/object:Gem::Requirement
|