dependabot-python 0.211.0 → 0.213.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 48410b5617f95831c3ed5aba2c8e6cd9d48d7d9fc812c65e44eb853a9c46b336
-  data.tar.gz: 24c798b98475ad41a3600f7b168921f04c63d02029c87b96410585d9ad88af66
+  metadata.gz: 6cb23890c79504e40e7e4962485003c76c07179574ac89b210b6529d15d2c216
+  data.tar.gz: b96523f9cf991cbffc38fc2831221c43450c74ef560e8e80ff2d2bbf73c889c4
 SHA512:
-  metadata.gz: 3adfdad038c43c09ec2ce7cb3c04fa4606b4e538ffc418100bbe3bf3a6a4344e243f141a8c13b7215bd5e669cfc52e31b99b888791cbdf8ce9d75bc2d52cd013
-  data.tar.gz: 2b4972ad44a0f39a9a3355630baf7f088b1d988224b66d782c65779ed3f9e4f98956190d1ddb3ec4889796edbebb983b281dad9f79e12a0574bc7da3a71bd17a
+  metadata.gz: 5beeac4ec63193ce095e6a5d7223c11e4e9c2ace55b3ef5c94f0011d8cb0c70fc7b364108b68cd68f656a5ed79d712b64eecbb75998714325a0f3b101169592c
+  data.tar.gz: 17ec5483c750fe4bc35490feebf418a8bd7eaf0eb2d14e2bcfc811e06f94c02f69eca71bafb589cb2d51b8a73155d3d358b97fcc6125a8fb7229b54f06a42fbe

data/helpers/build

@@ -18,9 +18,4 @@ cp -r \
   "$install_dir"
 
 cd "$install_dir"
-PYENV_VERSION=3.10.5 pyenv exec pip --disable-pip-version-check install -r "requirements.txt"
-
-# Workaround of https://github.com/python-poetry/poetry/issues/3010
-# By default poetry config file is stored under ~/.config/pypoetry
-# and is not bound to any specific Python version
-PYENV_VERSION=3.10.5 pyenv exec poetry config experimental.new-installer false
+PYENV_VERSION=3.10.7 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"

data/helpers/lib/parser.py

@@ -11,11 +11,63 @@ from pip._internal.req.constructors import (
     install_req_from_line,
     install_req_from_parsed_requirement,
 )
+
+from packaging.requirements import InvalidRequirement, Requirement
+import toml
+
 # Inspired by pips internal check:
 # https://github.com/pypa/pip/blob/0bb3ac87f5bb149bd75cceac000844128b574385/src/pip/_internal/req/req_file.py#L35
 COMMENT_RE = re.compile(r'(^|\s+)#.*$')
 
 
+def parse_pep621_dependencies(pyproject_path):
+    project_toml = toml.load(pyproject_path)['project']
+
+    def parse_toml_section_pep621_dependencies(pyproject_path, dependencies):
+        requirement_packages = []
+
+        def version_from_req(specifier_set):
+            if (len(specifier_set) == 1 and
+                    next(iter(specifier_set)).operator in {"==", "==="}):
+                return next(iter(specifier_set)).version
+
+        for dependency in dependencies:
+            try:
+                req = Requirement(dependency)
+            except InvalidRequirement as e:
+                print(json.dumps({"error": repr(e)}))
+                exit(1)
+            else:
+                requirement_packages.append({
+                    "name": req.name,
+                    "version": version_from_req(req.specifier),
+                    "markers": str(req.marker) or None,
+                    "file": pyproject_path,
+                    "requirement": str(req.specifier),
+                    "extras": sorted(list(req.extras))
+                })
+
+        return requirement_packages
+
+    dependencies = parse_toml_section_pep621_dependencies(
+        pyproject_path,
+        project_toml['dependencies']
+    )
+
+    if 'optional-dependencies' in project_toml:
+        optional_dependencies_toml = project_toml['optional-dependencies']
+
+        for group in optional_dependencies_toml:
+            group_dependencies = parse_toml_section_pep621_dependencies(
+                pyproject_path,
+                optional_dependencies_toml[group]
+            )
+
+            dependencies.extend(group_dependencies)
+
+    return json.dumps({"result": dependencies})
+
+
 def parse_requirements(directory):
     # Parse the requirements.txt
     requirement_packages = []

data/helpers/requirements.txt

@@ -1,10 +1,10 @@
-pip>=21.3.1,<22.2.3  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
-pip-tools>=6.4.0,<6.8.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip>=21.3.1,<22.4.0  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip-tools>=6.4.0,<6.9.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
 flake8==5.0.4
 hashin==0.17.0
 pipenv==2022.4.8
 pipfile==0.0.2
-poetry==1.1.15
+poetry>=1.1.15,<1.3.0
 wheel==0.37.1
 
 # Some dependencies will only install if Cython is present

data/helpers/run.py

@@ -10,6 +10,8 @@ if __name__ == "__main__":
         print(parser.parse_requirements(args["args"][0]))
     elif args["function"] == "parse_setup":
         print(parser.parse_setup(args["args"][0]))
+    elif args["function"] == "parse_pep621_dependencies":
+        print(parser.parse_pep621_dependencies(args["args"][0]))
     elif args["function"] == "get_dependency_hash":
         print(hasher.get_dependency_hash(*args["args"]))
     elif args["function"] == "get_pipfile_hash":

data/lib/dependabot/python/file_fetcher.rb

@@ -5,14 +5,15 @@ require "toml-rb"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/python/requirement_parser"
-require "dependabot/python/file_parser/poetry_files_parser"
+require "dependabot/python/file_parser/pyproject_files_parser"
 require "dependabot/errors"
 
 module Dependabot
   module Python
     class FileFetcher < Dependabot::FileFetchers::Base
-      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/.freeze
-      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/.freeze
+      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
+      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
+      DEPENDENCY_TYPES = %w(packages dev-packages)
 
       def self.required_files_in?(filenames)
         return true if filenames.any? { |name| name.end_with?(".txt", ".in") }
@@ -23,7 +24,7 @@ module Dependabot
         # If this repo is using a Pipfile return true
         return true if filenames.include?("Pipfile")
 
-        # If this repo is using Poetry return true
+        # If this repo is using pyproject.toml return true
         return true if filenames.include?("pyproject.toml")
 
         return true if filenames.include?("setup.py")
@@ -32,8 +33,8 @@ module Dependabot
       end
 
       def self.required_files_message
-        "Repo must contain a requirements.txt, setup.py, setup.cfg, pyproject.toml, "\
-        "or a Pipfile."
+        "Repo must contain a requirements.txt, setup.py, setup.cfg, pyproject.toml, " \
+          "or a Pipfile."
       end
 
       private
@@ -68,7 +69,7 @@ module Dependabot
       end
 
       def pyproject_files
-        [pyproject, pyproject_lock, poetry_lock].compact
+        [pyproject, pyproject_lock, poetry_lock, pdm_lock].compact
       end
 
       def requirement_files
@@ -80,7 +81,12 @@ module Dependabot
       end
 
       def check_required_files_present
-        return if requirements_txt_files.any? || setup_file || setup_cfg_file || pipfile || pyproject
+        return if requirements_txt_files.any? ||
+                  requirements_in_files.any? ||
+                  setup_file ||
+                  setup_cfg_file ||
+                  pipfile ||
+                  pyproject
 
         path = Pathname.new(File.join(directory, "requirements.txt")).
                cleanpath.to_path
@@ -135,6 +141,10 @@ module Dependabot
         @poetry_lock ||= fetch_file_if_present("poetry.lock")
       end
 
+      def pdm_lock
+        @pdm_lock ||= fetch_file_if_present("pdm.lock")
+      end
+
       def requirements_txt_files
         req_txt_and_in_files.select { |f| f.name.end_with?(".txt") }
       end
@@ -168,7 +178,7 @@ module Dependabot
         repo_contents.
           select { |f| f.type == "file" }.
           select { |f| f.name.end_with?(".txt", ".in") }.
-          reject { |f| f.size > 200_000 }.
+          reject { |f| f.size > 500_000 }.
           map { |f| fetch_file_from_host(f.name) }.
           select { |f| requirements_file?(f) }.
           each { |f| @req_txt_and_in_files << f }
@@ -188,7 +198,7 @@ module Dependabot
         repo_contents(dir: relative_reqs_dir).
           select { |f| f.type == "file" }.
           select { |f| f.name.end_with?(".txt", ".in") }.
-          reject { |f| f.size > 200_000 }.
+          reject { |f| f.size > 500_000 }.
           map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }.
           select { |f| requirements_file?(f) }
       end
@@ -290,8 +300,8 @@ module Dependabot
               fetch_submodules: true
             ).tap { |f| f.support_file = true }
           rescue Dependabot::DependencyFileNotFound
-            # For Poetry projects attempt to fetch a pyproject.toml at the
-            # given path instead of a setup.py. We do not require a
+            # For projects with pyproject.toml attempt to fetch a pyproject.toml
+            # at the given path instead of a setup.py. We do not require a
             # setup.py to be present, so if none can be found, simply return
             return [] unless allow_pyproject
 
@@ -372,7 +382,7 @@ module Dependabot
         return [] unless pipfile
 
         paths = []
-        %w(packages dev-packages).each do |dep_type|
+        DEPENDENCY_TYPES.each do |dep_type|
           next unless parsed_pipfile[dep_type]
 
           parsed_pipfile[dep_type].each do |_, req|
@@ -389,7 +399,7 @@ module Dependabot
         return [] unless pyproject
 
         paths = []
-        Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |dep_type|
+        Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |dep_type|
           next unless parsed_pyproject.dig("tool", "poetry", dep_type)
 
           parsed_pyproject.dig("tool", "poetry", dep_type).each do |_, req|

data/lib/dependabot/python/file_parser/{poetry_files_parser.rb → pyproject_files_parser.rb}

@@ -12,7 +12,7 @@ require "dependabot/python/name_normaliser"
 module Dependabot
   module Python
     class FileParser
-      class PoetryFilesParser
+      class PyprojectFilesParser
         POETRY_DEPENDENCY_TYPES = %w(dependencies dev-dependencies).freeze
 
         # https://python-poetry.org/docs/dependency-specification/
@@ -25,7 +25,7 @@ module Dependabot
         def dependency_set
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-          dependency_set += pyproject_dependencies
+          dependency_set += pyproject_dependencies if using_poetry? || using_pep621?
           dependency_set += lockfile_dependencies if lockfile
 
           dependency_set
@@ -36,6 +36,14 @@ module Dependabot
         attr_reader :dependency_files
 
         def pyproject_dependencies
+          if using_poetry?
+            poetry_dependencies
+          else
+            pep621_dependencies
+          end
+        end
+
+        def poetry_dependencies
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           POETRY_DEPENDENCY_TYPES.each do |type|
@@ -59,9 +67,47 @@ module Dependabot
           dependencies
         end
 
+        def pep621_dependencies
+          dependencies = Dependabot::FileParsers::Base::DependencySet.new
+
+          # PDM is not yet supported, so we want to ignore it for now because in
+          # the current state of things, going on would result in updating
+          # pyproject.toml but leaving pdm.lock out of sync, which is
+          # undesirable. Leave PDM alone until properly supported
+          return dependencies if using_pdm?
+
+          parsed_pep621_dependencies.each do |dep|
+            # If a requirement has a `<` or `<=` marker then updating it is
+            # probably blocked. Ignore it.
+            next if dep["markers"].include?("<")
+
+            # If no requirement, don't add it
+            next if dep["requirement"].empty?
+
+            dependencies <<
+              Dependency.new(
+                name: normalised_name(dep["name"], dep["extras"]),
+                version: dep["version"]&.include?("*") ? nil : dep["version"],
+                requirements: [{
+                  requirement: dep["requirement"],
+                  file: Pathname.new(dep["file"]).cleanpath.to_path,
+                  source: nil,
+                  groups: [dep["requirement_type"]]
+                }],
+                package_manager: "pip"
+              )
+          end
+
+          dependencies
+        end
+
+        def normalised_name(name, extras)
+          NameNormaliser.normalise_including_extras(name, extras)
+        end
+
         # @param req can be an Array, Hash or String that represents the constraints for a dependency
         def parse_requirements_from(req, type)
-          [req].flatten.compact.map do |requirement|
+          [req].flatten.compact.filter_map do |requirement|
             next if requirement.is_a?(Hash) && (UNSUPPORTED_DEPENDENCY_TYPES & requirement.keys).any?
 
             check_requirements(requirement)
@@ -72,7 +118,19 @@ module Dependabot
               source: nil,
               groups: [type]
             }
-          end.compact
+          end
+        end
+
+        def using_poetry?
+          !parsed_pyproject.dig("tool", "poetry").nil?
+        end
+
+        def using_pep621?
+          !parsed_pyproject.dig("project", "dependencies").nil?
+        end
+
+        def using_pdm?
+          using_pep621? && pdm_lock
         end
 
         # Create a DependencySet where each element has no requirement. Any
@@ -81,8 +139,9 @@ module Dependabot
         def lockfile_dependencies
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
+          source_types = %w(directory git url)
           parsed_lockfile.fetch("package", []).each do |details|
-            next if %w(directory git url).include?(details.dig("source", "type"))
+            next if source_types.include?(details.dig("source", "type"))
 
             dependencies <<
               Dependency.new(
@@ -145,6 +204,24 @@ module Dependabot
           poetry_lock || pyproject_lock
         end
 
+        def parsed_pep621_dependencies
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_pyproject
+
+            SharedHelpers.run_helper_subprocess(
+              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              function: "parse_pep621_dependencies",
+              args: [pyproject.name]
+            )
+          end
+        end
+
+        def write_temporary_pyproject
+          path = pyproject.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, pyproject.content)
+        end
+
         def parsed_lockfile
           return parsed_poetry_lock if poetry_lock
           return parsed_pyproject_lock if pyproject_lock
@@ -159,6 +236,11 @@ module Dependabot
           @poetry_lock ||=
             dependency_files.find { |f| f.name == "poetry.lock" }
         end
+
+        def pdm_lock
+          @pdm_lock ||=
+            dependency_files.find { |f| f.name == "pdm.lock" }
+        end
       end
     end
   end

data/lib/dependabot/python/file_parser/python_requirement_parser.rb

@@ -33,8 +33,7 @@ module Dependabot
           requirement_files.flat_map do |file|
             file.content.lines.
               select { |l| l.include?(";") && l.include?("python") }.
-              map { |l| l.match(/python_version(?<req>.*?["'].*?['"])/) }.
-              compact.
+              filter_map { |l| l.match(/python_version(?<req>.*?["'].*?['"])/) }.
               map { |re| re.named_captures.fetch("req").gsub(/['"]/, "") }.
               select { |r| valid_requirement?(r) }
           end

data/lib/dependabot/python/file_parser/setup_file_parser.rb

@@ -12,10 +12,10 @@ module Dependabot
   module Python
     class FileParser
       class SetupFileParser
-        INSTALL_REQUIRES_REGEX = /install_requires\s*=\s*\[/m.freeze
-        SETUP_REQUIRES_REGEX = /setup_requires\s*=\s*\[/m.freeze
-        TESTS_REQUIRE_REGEX = /tests_require\s*=\s*\[/m.freeze
-        EXTRAS_REQUIRE_REGEX = /extras_require\s*=\s*\{/m.freeze
+        INSTALL_REQUIRES_REGEX = /install_requires\s*=\s*\[/m
+        SETUP_REQUIRES_REGEX = /setup_requires\s*=\s*\[/m
+        TESTS_REQUIRE_REGEX = /tests_require\s*=\s*\[/m
+        EXTRAS_REQUIRE_REGEX = /extras_require\s*=\s*\{/m
 
         CLOSING_BRACKET = { "[" => "]", "{" => "}" }.freeze
 
@@ -128,7 +128,7 @@ module Dependabot
           tests_require = get_regexed_req_array(TESTS_REQUIRE_REGEX)
           extras_require = get_regexed_req_dict(EXTRAS_REQUIRE_REGEX)
 
-          tmp = "from setuptools import setup\n\n"\
+          tmp = "from setuptools import setup\n\n" \
                 "setup(name=\"sanitized-package\",version=\"0.0.1\","
 
           tmp += "install_requires=#{install_requires}," if install_requires

data/lib/dependabot/python/file_parser.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "toml-rb"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -15,11 +14,9 @@ module Dependabot
   module Python
     class FileParser < Dependabot::FileParsers::Base
       require_relative "file_parser/pipfile_files_parser"
-      require_relative "file_parser/poetry_files_parser"
+      require_relative "file_parser/pyproject_files_parser"
       require_relative "file_parser/setup_file_parser"
 
-      POETRY_DEPENDENCY_TYPES =
-        %w(tool.poetry.dependencies tool.poetry.dev-dependencies).freeze
       DEPENDENCY_GROUP_KEYS = [
         {
           pipfile: "packages",
@@ -42,7 +39,7 @@ module Dependabot
         dependency_set = DependencySet.new
 
         dependency_set += pipenv_dependencies if pipfile
-        dependency_set += poetry_dependencies if using_poetry?
+        dependency_set += pyproject_file_dependencies if pyproject
         dependency_set += requirement_dependencies if requirement_files.any?
         dependency_set += setup_file_dependencies if setup_file || setup_cfg_file
 
@@ -62,9 +59,9 @@ module Dependabot
           dependency_set
       end
 
-      def poetry_dependencies
-        @poetry_dependencies ||=
-          PoetryFilesParser.
+      def pyproject_file_dependencies
+        @pyproject_file_dependencies ||=
+          PyprojectFilesParser.
           new(dependency_files: dependency_files).
           dependency_set
       end
@@ -105,18 +102,6 @@ module Dependabot
         end
       end
 
-      def included_in_pipenv_deps?(dep_name)
-        return false unless pipfile
-
-        pipenv_dependencies.dependencies.map(&:name).include?(dep_name)
-      end
-
-      def included_in_poetry_deps?(dep_name)
-        return false unless using_poetry?
-
-        poetry_dependencies.dependencies.map(&:name).include?(dep_name)
-      end
-
       def blocking_marker?(dep)
         return false if dep["markers"] == "None"
         return true if dep["markers"].include?("<")
@@ -215,15 +200,6 @@ module Dependabot
         @pipfile_lock ||= get_original_file("Pipfile.lock")
       end
 
-      def using_poetry?
-        return false unless pyproject
-        return true if poetry_lock || pyproject_lock
-
-        !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
-      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-        raise Dependabot::DependencyFileNotParseable, pyproject.path
-      end
-
       def output_file_regex(filename)
         "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
       end

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -7,6 +7,7 @@ require "dependabot/python/file_fetcher"
 require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/shared_helpers"
+require "dependabot/python/helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/python_versions"
 require "dependabot/python/name_normaliser"
@@ -22,10 +23,9 @@ module Dependabot
         require_relative "setup_file_sanitizer"
 
         UNSAFE_PACKAGES = %w(setuptools distribute pip).freeze
-        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m.freeze
-        WARNINGS = /\s*# WARNING:.*\Z/m.freeze
-        UNSAFE_NOTE =
-          /\s*# The following packages are considered to be unsafe.*\Z/m.freeze
+        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m
+        WARNINGS = /\s*# WARNING:.*\Z/m
+        UNSAFE_NOTE = /\s*# The following packages are considered to be unsafe.*\Z/m
 
         attr_reader :dependencies, :dependency_files, :credentials
 
@@ -66,33 +66,27 @@ module Dependabot
         def compile_new_requirement_files
           SharedHelpers.in_a_temporary_directory do
             write_updated_dependency_files
-            install_required_python
+            Helpers.install_required_python(python_version)
 
             filenames_to_compile.each do |filename|
               # Shell out to pip-compile, generate a new set of requirements.
               # This is slow, as pip-compile needs to do installs.
-              name_part = "pyenv exec pip-compile "\
-                          "#{pip_compile_options(filename)} -P "\
+              name_part = "pyenv exec pip-compile " \
+                          "#{pip_compile_options(filename)} -P " \
                           "#{dependency.name}"
               version_part = "#{dependency.version} #{filename}"
               # Don't escape pyenv `dep-name==version` syntax
               run_pip_compile_command(
-                "#{SharedHelpers.escape_command(name_part)}=="\
+                "#{SharedHelpers.escape_command(name_part)}==" \
                 "#{SharedHelpers.escape_command(version_part)}",
                 allow_unsafe_shell_command: true
               )
-              # Run pip-compile a second time, without an update argument, to
-              # ensure it resets the right comments.
-              run_pip_compile_command(
-                "pyenv exec pip-compile #{pip_compile_options(filename)} "\
-                "#{filename}"
-              )
             end
 
             # Remove any .python-version file before parsing the reqs
             FileUtils.remove_entry(".python-version", true)
 
-            dependency_files.map do |file|
+            dependency_files.filter_map do |file|
               next unless file.name.end_with?(".txt")
 
               updated_content = File.read(file.name)
@@ -102,12 +96,12 @@ module Dependabot
               next if updated_content == file.content
 
               file.dup.tap { |f| f.content = updated_content }
-            end.compact
+            end
           end
         end
 
         def update_manifest_files
-          dependency_files.map do |file|
+          dependency_files.filter_map do |file|
             next unless file.name.end_with?(".in")
 
             file = file.dup
@@ -116,7 +110,7 @@ module Dependabot
 
             file.content = updated_content
             file
-          end.compact
+          end
         end
 
         def update_uncompiled_files(updated_files)
@@ -132,7 +126,7 @@ module Dependabot
                   reject { |file| updated_filenames.include?(file.name) }
 
           args = dependency.to_h
-          args = args.keys.map { |k| [k.to_sym, args[k]] }.to_h
+          args = args.keys.to_h { |k| [k.to_sym, args[k]] }
           args[:requirements] = new_reqs
           args[:previous_requirements] = old_reqs
 
@@ -219,15 +213,6 @@ module Dependabot
           end
         end
 
-        def install_required_python
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install --upgrade pip")
-          run_command("pyenv exec pip install -r "\
-                      "#{NativeHelpers.python_requirements_path}")
-        end
-
         def sanitized_setup_file_content(file)
           @sanitized_setup_file_content ||= {}
           return @sanitized_setup_file_content[file.name] if @sanitized_setup_file_content[file.name]
@@ -352,7 +337,7 @@ module Dependabot
         end
 
         def deps_to_augment_hashes_for(updated_content, original_content)
-          regex = /^#{RequirementParser::INSTALL_REQ_WITH_REQUIREMENT}/
+          regex = /^#{RequirementParser::INSTALL_REQ_WITH_REQUIREMENT}/o
 
           new_matches = []
           updated_content.scan(regex) { new_matches << Regexp.last_match }

data/lib/dependabot/python/file_updater/pipfile_file_updater.rb

@@ -18,6 +18,8 @@ module Dependabot
         require_relative "pipfile_manifest_updater"
         require_relative "setup_file_sanitizer"
 
+        DEPENDENCY_TYPES = %w(packages dev-packages).freeze
+
         attr_reader :dependencies, :dependency_files, :credentials
 
         def initialize(dependencies:, dependency_files:, credentials:)
@@ -145,7 +147,7 @@ module Dependabot
           pipfile_object = TomlRB.parse(pipfile_content)
 
           dependencies.each do |dep|
-            %w(packages dev-packages).each do |type|
+            DEPENDENCY_TYPES.each do |type|
               names = pipfile_object[type]&.keys || []
               pkg_name = names.find { |nm| normalise(nm) == dep.name }
               next unless pkg_name || subdep_type?(type)
@@ -300,11 +302,7 @@ module Dependabot
             nil
           end
 
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          requirements_path = NativeHelpers.python_requirements_path
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r #{requirements_path}")
+          Helpers.install_required_python(python_version)
         end
 
         def sanitized_setup_file_content(file)
@@ -350,9 +348,9 @@ module Dependabot
 
           # Otherwise we have to raise, giving details of the Python versions
           # that Dependabot supports
-          msg = "Dependabot detected the following Python requirement "\
-                "for your project: '#{requirement_string}'.\n\nCurrently, the "\
-                "following Python versions are supported in Dependabot: "\
+          msg = "Dependabot detected the following Python requirement " \
+                "for your project: '#{requirement_string}'.\n\nCurrently, the " \
+                "following Python versions are supported in Dependabot: " \
                 "#{PythonVersions::SUPPORTED_VERSIONS.join(', ')}."
           raise DependencyFileNotResolvable, msg
         end