dependabot-python 0.212.0 → 0.214.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4862b59513a97a33d51ff8ad57b6d9815842769c87f612426ffbcd8e75a9655c
-  data.tar.gz: 9543935b3ab8027344757b41aa8ff265d823beac956a06d20d4917e75962698d
+  metadata.gz: 940ed0c4abf7f4d3a496321e4898ba9c123091d6539f86ef54d7ee74dadf3344
+  data.tar.gz: 802abe558f75bc2e98f1b88e93be85fc48f8b71774a1ff37b8ea16311381f587
 SHA512:
-  metadata.gz: fd9e547d19f01addfdc2fcc4eeb7095bf8e886eded086772f81b9bfbd6acfb2fc6076c354c970ae5fad0691a25679d99db8eb0884121e986c1bcf39b17c041ba
-  data.tar.gz: be587fe031f132dd20d4fc023668e31d81c37608d915a9f586ca159b675302993a208b6e93209cfaedad83d08eaae1ca06f6af7eec8933bcc2c44e8a61293ccf
+  metadata.gz: 523ff39717afd9636f3d2f3115d6953817ab01585e2e218233eb0439a7cc9e5ac620c4b28d429b35256530a32bff6e71a73ffdfd72587ba53c8b10b6a3070175
+  data.tar.gz: a3d05a60ad4d1b08dfe8fed7cdac12384aa49fbb3ad130008bf4748ab710df9b20a8297c99f66e33bd672717b52be32c17434b2ed253fe4bb6556cfc87941b05

data/helpers/build

@@ -18,9 +18,8 @@ cp -r \
   "$install_dir"
 
 cd "$install_dir"
-PYENV_VERSION=3.10.5 pyenv exec pip --disable-pip-version-check install -r "requirements.txt"
-
-# Workaround of https://github.com/python-poetry/poetry/issues/3010
-# By default poetry config file is stored under ~/.config/pypoetry
-# and is not bound to any specific Python version
-PYENV_VERSION=3.10.5 pyenv exec poetry config experimental.new-installer false
+PYENV_VERSION=3.11.0 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.10.8 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.9.15 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.8.15 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.7.15 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"

data/helpers/lib/parser.py

@@ -11,11 +11,70 @@ from pip._internal.req.constructors import (
     install_req_from_line,
     install_req_from_parsed_requirement,
 )
+
+from packaging.requirements import InvalidRequirement, Requirement
+import toml
+
 # Inspired by pips internal check:
 # https://github.com/pypa/pip/blob/0bb3ac87f5bb149bd75cceac000844128b574385/src/pip/_internal/req/req_file.py#L35
 COMMENT_RE = re.compile(r'(^|\s+)#.*$')
 
 
+def parse_pep621_dependencies(pyproject_path):
+    project_toml = toml.load(pyproject_path)['project']
+
+    def parse_toml_section_pep621_dependencies(pyproject_path, dependencies):
+        requirement_packages = []
+
+        def version_from_req(specifier_set):
+            if (len(specifier_set) == 1 and
+                    next(iter(specifier_set)).operator in {"==", "==="}):
+                return next(iter(specifier_set)).version
+
+        for dependency in dependencies:
+            try:
+                req = Requirement(dependency)
+            except InvalidRequirement as e:
+                print(json.dumps({"error": repr(e)}))
+                exit(1)
+            else:
+                requirement_packages.append({
+                    "name": req.name,
+                    "version": version_from_req(req.specifier),
+                    "markers": str(req.marker) or None,
+                    "file": pyproject_path,
+                    "requirement": str(req.specifier),
+                    "extras": sorted(list(req.extras))
+                })
+
+        return requirement_packages
+
+    dependencies = []
+
+    if 'dependencies' in project_toml:
+        dependencies_toml = project_toml['dependencies']
+
+        runtime_dependencies = parse_toml_section_pep621_dependencies(
+            pyproject_path,
+            dependencies_toml
+        )
+
+        dependencies.extend(runtime_dependencies)
+
+    if 'optional-dependencies' in project_toml:
+        optional_dependencies_toml = project_toml['optional-dependencies']
+
+        for group in optional_dependencies_toml:
+            group_dependencies = parse_toml_section_pep621_dependencies(
+                pyproject_path,
+                optional_dependencies_toml[group]
+            )
+
+            dependencies.extend(group_dependencies)
+
+    return json.dumps({"result": dependencies})
+
+
 def parse_requirements(directory):
     # Parse the requirements.txt
     requirement_packages = []

data/helpers/requirements.txt

@@ -1,10 +1,10 @@
-pip>=21.3.1,<22.2.3  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
-pip-tools>=6.4.0,<6.8.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip>=21.3.1,<22.4.0  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip-tools>=6.4.0,<6.10.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
 flake8==5.0.4
 hashin==0.17.0
 pipenv==2022.4.8
 pipfile==0.0.2
-poetry>=1.1.15,<=1.2.0
+poetry>=1.1.15,<1.3.0
 wheel==0.37.1
 
 # Some dependencies will only install if Cython is present

data/helpers/run.py

@@ -10,6 +10,8 @@ if __name__ == "__main__":
         print(parser.parse_requirements(args["args"][0]))
     elif args["function"] == "parse_setup":
         print(parser.parse_setup(args["args"][0]))
+    elif args["function"] == "parse_pep621_dependencies":
+        print(parser.parse_pep621_dependencies(args["args"][0]))
     elif args["function"] == "get_dependency_hash":
         print(hasher.get_dependency_hash(*args["args"]))
     elif args["function"] == "get_pipfile_hash":

data/lib/dependabot/python/file_fetcher.rb

@@ -5,15 +5,15 @@ require "toml-rb"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/python/requirement_parser"
-require "dependabot/python/file_parser/poetry_files_parser"
+require "dependabot/python/file_parser/pyproject_files_parser"
 require "dependabot/errors"
 
 module Dependabot
   module Python
     class FileFetcher < Dependabot::FileFetchers::Base
-      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/.freeze
-      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/.freeze
-      DEPENDENCY_TYPES = %w(packages dev-packages).freeze
+      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
+      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
+      DEPENDENCY_TYPES = %w(packages dev-packages)
 
       def self.required_files_in?(filenames)
         return true if filenames.any? { |name| name.end_with?(".txt", ".in") }
@@ -24,7 +24,7 @@ module Dependabot
         # If this repo is using a Pipfile return true
         return true if filenames.include?("Pipfile")
 
-        # If this repo is using Poetry return true
+        # If this repo is using pyproject.toml return true
         return true if filenames.include?("pyproject.toml")
 
         return true if filenames.include?("setup.py")
@@ -69,7 +69,7 @@ module Dependabot
       end
 
       def pyproject_files
-        [pyproject, pyproject_lock, poetry_lock].compact
+        [pyproject, pyproject_lock, poetry_lock, pdm_lock].compact
       end
 
       def requirement_files
@@ -81,7 +81,12 @@ module Dependabot
       end
 
       def check_required_files_present
-        return if requirements_txt_files.any? || setup_file || setup_cfg_file || pipfile || pyproject
+        return if requirements_txt_files.any? ||
+                  requirements_in_files.any? ||
+                  setup_file ||
+                  setup_cfg_file ||
+                  pipfile ||
+                  pyproject
 
         path = Pathname.new(File.join(directory, "requirements.txt")).
                cleanpath.to_path
@@ -136,6 +141,10 @@ module Dependabot
         @poetry_lock ||= fetch_file_if_present("poetry.lock")
       end
 
+      def pdm_lock
+        @pdm_lock ||= fetch_file_if_present("pdm.lock")
+      end
+
       def requirements_txt_files
         req_txt_and_in_files.select { |f| f.name.end_with?(".txt") }
       end
@@ -169,7 +178,7 @@ module Dependabot
         repo_contents.
           select { |f| f.type == "file" }.
           select { |f| f.name.end_with?(".txt", ".in") }.
-          reject { |f| f.size > 200_000 }.
+          reject { |f| f.size > 500_000 }.
           map { |f| fetch_file_from_host(f.name) }.
           select { |f| requirements_file?(f) }.
           each { |f| @req_txt_and_in_files << f }
@@ -189,7 +198,7 @@ module Dependabot
         repo_contents(dir: relative_reqs_dir).
           select { |f| f.type == "file" }.
           select { |f| f.name.end_with?(".txt", ".in") }.
-          reject { |f| f.size > 200_000 }.
+          reject { |f| f.size > 500_000 }.
           map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }.
           select { |f| requirements_file?(f) }
       end
@@ -291,8 +300,8 @@ module Dependabot
               fetch_submodules: true
             ).tap { |f| f.support_file = true }
           rescue Dependabot::DependencyFileNotFound
-            # For Poetry projects attempt to fetch a pyproject.toml at the
-            # given path instead of a setup.py. We do not require a
+            # For projects with pyproject.toml attempt to fetch a pyproject.toml
+            # at the given path instead of a setup.py. We do not require a
             # setup.py to be present, so if none can be found, simply return
             return [] unless allow_pyproject
 
@@ -390,7 +399,7 @@ module Dependabot
         return [] unless pyproject
 
         paths = []
-        Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |dep_type|
+        Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |dep_type|
           next unless parsed_pyproject.dig("tool", "poetry", dep_type)
 
           parsed_pyproject.dig("tool", "poetry", dep_type).each do |_, req|

data/lib/dependabot/python/file_parser/{poetry_files_parser.rb → pyproject_files_parser.rb}

@@ -12,7 +12,7 @@ require "dependabot/python/name_normaliser"
 module Dependabot
   module Python
     class FileParser
-      class PoetryFilesParser
+      class PyprojectFilesParser
         POETRY_DEPENDENCY_TYPES = %w(dependencies dev-dependencies).freeze
 
         # https://python-poetry.org/docs/dependency-specification/
@@ -25,7 +25,7 @@ module Dependabot
         def dependency_set
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-          dependency_set += pyproject_dependencies
+          dependency_set += pyproject_dependencies if using_poetry? || using_pep621?
           dependency_set += lockfile_dependencies if lockfile
 
           dependency_set
@@ -36,6 +36,14 @@ module Dependabot
         attr_reader :dependency_files
 
         def pyproject_dependencies
+          if using_poetry?
+            poetry_dependencies
+          else
+            pep621_dependencies
+          end
+        end
+
+        def poetry_dependencies
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           POETRY_DEPENDENCY_TYPES.each do |type|
@@ -59,6 +67,44 @@ module Dependabot
           dependencies
         end
 
+        def pep621_dependencies
+          dependencies = Dependabot::FileParsers::Base::DependencySet.new
+
+          # PDM is not yet supported, so we want to ignore it for now because in
+          # the current state of things, going on would result in updating
+          # pyproject.toml but leaving pdm.lock out of sync, which is
+          # undesirable. Leave PDM alone until properly supported
+          return dependencies if using_pdm?
+
+          parsed_pep621_dependencies.each do |dep|
+            # If a requirement has a `<` or `<=` marker then updating it is
+            # probably blocked. Ignore it.
+            next if dep["markers"].include?("<")
+
+            # If no requirement, don't add it
+            next if dep["requirement"].empty?
+
+            dependencies <<
+              Dependency.new(
+                name: normalised_name(dep["name"], dep["extras"]),
+                version: dep["version"]&.include?("*") ? nil : dep["version"],
+                requirements: [{
+                  requirement: dep["requirement"],
+                  file: Pathname.new(dep["file"]).cleanpath.to_path,
+                  source: nil,
+                  groups: [dep["requirement_type"]]
+                }],
+                package_manager: "pip"
+              )
+          end
+
+          dependencies
+        end
+
+        def normalised_name(name, extras)
+          NameNormaliser.normalise_including_extras(name, extras)
+        end
+
         # @param req can be an Array, Hash or String that represents the constraints for a dependency
         def parse_requirements_from(req, type)
           [req].flatten.compact.filter_map do |requirement|
@@ -75,6 +121,19 @@ module Dependabot
           end
         end
 
+        def using_poetry?
+          !parsed_pyproject.dig("tool", "poetry").nil?
+        end
+
+        def using_pep621?
+          !parsed_pyproject.dig("project", "dependencies").nil? ||
+            !parsed_pyproject.dig("project", "optional-dependencies").nil?
+        end
+
+        def using_pdm?
+          using_pep621? && pdm_lock
+        end
+
         # Create a DependencySet where each element has no requirement. Any
         # requirements will be added when combining the DependencySet with
         # other DependencySets.
@@ -146,6 +205,24 @@ module Dependabot
           poetry_lock || pyproject_lock
         end
 
+        def parsed_pep621_dependencies
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_pyproject
+
+            SharedHelpers.run_helper_subprocess(
+              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              function: "parse_pep621_dependencies",
+              args: [pyproject.name]
+            )
+          end
+        end
+
+        def write_temporary_pyproject
+          path = pyproject.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, pyproject.content)
+        end
+
         def parsed_lockfile
           return parsed_poetry_lock if poetry_lock
           return parsed_pyproject_lock if pyproject_lock
@@ -160,6 +237,11 @@ module Dependabot
           @poetry_lock ||=
             dependency_files.find { |f| f.name == "poetry.lock" }
         end
+
+        def pdm_lock
+          @pdm_lock ||=
+            dependency_files.find { |f| f.name == "pdm.lock" }
+        end
       end
     end
   end

data/lib/dependabot/python/file_parser/setup_file_parser.rb

@@ -12,10 +12,10 @@ module Dependabot
   module Python
     class FileParser
       class SetupFileParser
-        INSTALL_REQUIRES_REGEX = /install_requires\s*=\s*\[/m.freeze
-        SETUP_REQUIRES_REGEX = /setup_requires\s*=\s*\[/m.freeze
-        TESTS_REQUIRE_REGEX = /tests_require\s*=\s*\[/m.freeze
-        EXTRAS_REQUIRE_REGEX = /extras_require\s*=\s*\{/m.freeze
+        INSTALL_REQUIRES_REGEX = /install_requires\s*=\s*\[/m
+        SETUP_REQUIRES_REGEX = /setup_requires\s*=\s*\[/m
+        TESTS_REQUIRE_REGEX = /tests_require\s*=\s*\[/m
+        EXTRAS_REQUIRE_REGEX = /extras_require\s*=\s*\{/m
 
         CLOSING_BRACKET = { "[" => "]", "{" => "}" }.freeze
 

data/lib/dependabot/python/file_parser.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "toml-rb"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -15,11 +14,9 @@ module Dependabot
   module Python
     class FileParser < Dependabot::FileParsers::Base
       require_relative "file_parser/pipfile_files_parser"
-      require_relative "file_parser/poetry_files_parser"
+      require_relative "file_parser/pyproject_files_parser"
       require_relative "file_parser/setup_file_parser"
 
-      POETRY_DEPENDENCY_TYPES =
-        %w(tool.poetry.dependencies tool.poetry.dev-dependencies).freeze
       DEPENDENCY_GROUP_KEYS = [
         {
           pipfile: "packages",
@@ -42,7 +39,7 @@ module Dependabot
         dependency_set = DependencySet.new
 
         dependency_set += pipenv_dependencies if pipfile
-        dependency_set += poetry_dependencies if using_poetry?
+        dependency_set += pyproject_file_dependencies if pyproject
         dependency_set += requirement_dependencies if requirement_files.any?
         dependency_set += setup_file_dependencies if setup_file || setup_cfg_file
 
@@ -62,9 +59,9 @@ module Dependabot
           dependency_set
       end
 
-      def poetry_dependencies
-        @poetry_dependencies ||=
-          PoetryFilesParser.
+      def pyproject_file_dependencies
+        @pyproject_file_dependencies ||=
+          PyprojectFilesParser.
           new(dependency_files: dependency_files).
           dependency_set
       end
@@ -105,18 +102,6 @@ module Dependabot
         end
       end
 
-      def included_in_pipenv_deps?(dep_name)
-        return false unless pipfile
-
-        pipenv_dependencies.dependencies.map(&:name).include?(dep_name)
-      end
-
-      def included_in_poetry_deps?(dep_name)
-        return false unless using_poetry?
-
-        poetry_dependencies.dependencies.map(&:name).include?(dep_name)
-      end
-
       def blocking_marker?(dep)
         return false if dep["markers"] == "None"
         return true if dep["markers"].include?("<")
@@ -215,15 +200,6 @@ module Dependabot
         @pipfile_lock ||= get_original_file("Pipfile.lock")
       end
 
-      def using_poetry?
-        return false unless pyproject
-        return true if poetry_lock || pyproject_lock
-
-        !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
-      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-        raise Dependabot::DependencyFileNotParseable, pyproject.path
-      end
-
       def output_file_regex(filename)
         "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
       end

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -7,6 +7,7 @@ require "dependabot/python/file_fetcher"
 require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/shared_helpers"
+require "dependabot/python/helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/python_versions"
 require "dependabot/python/name_normaliser"
@@ -22,10 +23,9 @@ module Dependabot
         require_relative "setup_file_sanitizer"
 
         UNSAFE_PACKAGES = %w(setuptools distribute pip).freeze
-        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m.freeze
-        WARNINGS = /\s*# WARNING:.*\Z/m.freeze
-        UNSAFE_NOTE =
-          /\s*# The following packages are considered to be unsafe.*\Z/m.freeze
+        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m
+        WARNINGS = /\s*# WARNING:.*\Z/m
+        UNSAFE_NOTE = /\s*# The following packages are considered to be unsafe.*\Z/m
 
         attr_reader :dependencies, :dependency_files, :credentials
 
@@ -66,7 +66,7 @@ module Dependabot
         def compile_new_requirement_files
           SharedHelpers.in_a_temporary_directory do
             write_updated_dependency_files
-            install_required_python
+            Helpers.install_required_python(python_version)
 
             filenames_to_compile.each do |filename|
               # Shell out to pip-compile, generate a new set of requirements.
@@ -81,12 +81,6 @@ module Dependabot
                 "#{SharedHelpers.escape_command(version_part)}",
                 allow_unsafe_shell_command: true
               )
-              # Run pip-compile a second time, without an update argument, to
-              # ensure it resets the right comments.
-              run_pip_compile_command(
-                "pyenv exec pip-compile #{pip_compile_options(filename)} " \
-                "#{filename}"
-              )
             end
 
             # Remove any .python-version file before parsing the reqs
@@ -174,7 +168,7 @@ module Dependabot
         end
 
         def run_pip_compile_command(command, allow_unsafe_shell_command: false)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(
             command,
             allow_unsafe_shell_command: allow_unsafe_shell_command
@@ -204,7 +198,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name
@@ -219,15 +213,6 @@ module Dependabot
           end
         end
 
-        def install_required_python
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install --upgrade pip")
-          run_command("pyenv exec pip install -r " \
-                      "#{NativeHelpers.python_requirements_path}")
-        end
-
         def sanitized_setup_file_content(file)
           @sanitized_setup_file_content ||= {}
           return @sanitized_setup_file_content[file.name] if @sanitized_setup_file_content[file.name]

data/lib/dependabot/python/file_updater/pipfile_file_updater.rb

@@ -133,6 +133,7 @@ module Dependabot
           content = freeze_other_dependencies(content)
           content = freeze_dependencies_being_updated(content)
           content = add_private_sources(content)
+          content = update_python_requirement(content)
           content
         end
 
@@ -142,6 +143,12 @@ module Dependabot
             freeze_top_level_dependencies_except(dependencies)
         end
 
+        def update_python_requirement(pipfile_content)
+          PipfilePreparer.
+            new(pipfile_content: pipfile_content).
+            update_python_requirement(Helpers.python_major_minor(python_version))
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def freeze_dependencies_being_updated(pipfile_content)
           pipfile_object = TomlRB.parse(pipfile_content)
@@ -246,7 +253,7 @@ module Dependabot
         def run_command(command, env: {})
           start = Time.now
           command = SharedHelpers.escape_command(command)
-          stdout, process = Open3.capture2e(env, command)
+          stdout, _, process = Open3.capture3(env, command)
           time_taken = Time.now - start
 
           # Raise an error with the output from the shell session if Pipenv
@@ -264,7 +271,7 @@ module Dependabot
         end
 
         def run_pipenv_command(command, env: pipenv_env_variables)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(command, env: env)
         end
 
@@ -276,7 +283,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name
@@ -302,11 +309,7 @@ module Dependabot
             nil
           end
 
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          requirements_path = NativeHelpers.python_requirements_path
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r #{requirements_path}")
+          Helpers.install_required_python(python_version)
         end
 
         def sanitized_setup_file_content(file)

data/lib/dependabot/python/file_updater/pipfile_preparer.rb

@@ -70,10 +70,12 @@ module Dependabot
           pipfile_object = TomlRB.parse(pipfile_content)
 
           pipfile_object["requires"] ||= {}
-          pipfile_object["requires"].delete("python_full_version")
-          pipfile_object["requires"].delete("python_version")
-          pipfile_object["requires"]["python_full_version"] = requirement
-
+          if pipfile_object.dig("requires", "python_full_version") && pipfile_object.dig("requires", "python_version")
+            pipfile_object["requires"].delete("python_full_version")
+          elsif pipfile_object.dig("requires", "python_full_version")
+            pipfile_object["requires"].delete("python_full_version")
+            pipfile_object["requires"]["python_version"] = requirement
+          end
           TomlRB.dump(pipfile_object)
         end
 

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -4,6 +4,7 @@ require "toml-rb"
 require "open3"
 require "dependabot/dependency"
 require "dependabot/shared_helpers"
+require "dependabot/python/helpers"
 require "dependabot/python/version"
 require "dependabot/python/requirement"
 require "dependabot/python/python_versions"
@@ -105,6 +106,7 @@ module Dependabot
               content = sanitize(content)
               content = freeze_other_dependencies(content)
               content = freeze_dependencies_being_updated(content)
+              content = update_python_requirement(content)
               content
             end
         end
@@ -130,8 +132,14 @@ module Dependabot
           TomlRB.dump(pyproject_object)
         end
 
+        def update_python_requirement(pyproject_content)
+          PyprojectPreparer.
+            new(pyproject_content: pyproject_content).
+            update_python_requirement(Helpers.python_major_minor(python_version))
+        end
+
         def lock_declaration_to_new_version!(poetry_object, dep)
-          Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
+          Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
             names = poetry_object[type]&.keys || []
             pkg_name = names.find { |nm| normalise(nm) == dep.name }
             next unless pkg_name
@@ -170,11 +178,11 @@ module Dependabot
               write_temporary_dependency_files(pyproject_content)
               add_auth_env_vars
 
-              if python_version && !pre_installed_python?(python_version)
-                run_poetry_command("pyenv install -s #{python_version}")
-                run_poetry_command("pyenv exec pip install --upgrade pip")
-                run_poetry_command("pyenv exec pip install -r" \
-                                   "#{NativeHelpers.python_requirements_path}")
+              Helpers.install_required_python(python_version)
+
+              # use system git instead of the pure Python dulwich
+              unless python_version&.start_with?("3.6")
+                run_poetry_command("pyenv exec poetry config experimental.system-git-client true")
               end
 
               run_poetry_command(poetry_update_command)
@@ -220,7 +228,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version) if python_version
+          File.write(".python-version", Helpers.python_major_minor(python_version)) if python_version
 
           # Overwrite the pyproject with updated content
           File.write("pyproject.toml", pyproject_content)