dependabot-python 0.212.0 → 0.214.0

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -36,6 +36,17 @@ module Dependabot
           end
         end
 
+        def update_python_requirement(requirement)
+          pyproject_object = TomlRB.parse(@pyproject_content)
+          if (python_specification = pyproject_object.dig("tool", "poetry", "dependencies", "python"))
+            python_req = Python::Requirement.new(python_specification)
+            unless python_req.satisfied_by?(requirement)
+              pyproject_object["tool"]["poetry"]["dependencies"]["python"] = "~#{requirement}"
+            end
+          end
+          TomlRB.dump(pyproject_object)
+        end
+
         def sanitize
           # {{ name }} syntax not allowed
           pyproject_content.
@@ -52,7 +63,7 @@ module Dependabot
           poetry_object = pyproject_object["tool"]["poetry"]
           excluded_names = dependencies.map(&:name) + ["python"]
 
-          Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
+          Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
             next unless poetry_object[key]
 
             source_types = %w(directory file url)
@@ -72,6 +83,10 @@ module Dependabot
                 }
               elsif poetry_object[key][dep_name].is_a?(Hash)
                 poetry_object[key][dep_name]["version"] = locked_version
+              elsif poetry_object[key][dep_name].is_a?(Array)
+                # if it has multiple-constraints, locking to a single version is
+                # going to result in a bad lockfile, ignore
+                next
               else
                 poetry_object[key][dep_name] = locked_version
               end

data/lib/dependabot/python/file_updater.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "toml-rb"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/shared_helpers"
@@ -61,7 +62,13 @@ module Dependabot
         # Otherwise, this is a top-level dependency, and we can figure out
         # which resolver to use based on the filename of its requirements
         return :pipfile if changed_req_files.any?("Pipfile")
-        return :poetry if changed_req_files.any?("pyproject.toml")
+
+        if changed_req_files.any?("pyproject.toml")
+          return :poetry if poetry_based?
+
+          return :requirements
+        end
+
         return :pip_compile if changed_req_files.any? { |f| f.end_with?(".in") }
 
         :requirements
@@ -119,6 +126,12 @@ module Dependabot
         raise "Missing required files!"
       end
 
+      def poetry_based?
+        return false unless pyproject
+
+        !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
+      end
+
       def pipfile
         @pipfile ||= get_original_file("Pipfile")
       end

data/lib/dependabot/python/helpers.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "dependabot/logger"
+require "dependabot/python/version"
+
+module Dependabot
+  module Python
+    module Helpers
+      def self.install_required_python(python_version)
+        # The leading space is important in the version check
+        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_major_minor(python_version)}.")
+
+        if File.exist?("/usr/local/.pyenv/#{python_major_minor(python_version)}.tar.gz")
+          SharedHelpers.run_shell_command(
+            "tar xzf /usr/local/.pyenv/#{python_major_minor(python_version)}.tar.gz -C /usr/local/.pyenv/"
+          )
+          return if SharedHelpers.run_shell_command("pyenv versions").
+                    include?(" #{python_major_minor(python_version)}.")
+        end
+
+        Dependabot.logger.info("Installing required Python #{python_version}.")
+        start = Time.now
+        SharedHelpers.run_shell_command("pyenv install -s #{python_version}")
+        SharedHelpers.run_shell_command("pyenv exec pip install --upgrade pip")
+        SharedHelpers.run_shell_command("pyenv exec pip install -r" \
+                                        "#{NativeHelpers.python_requirements_path}")
+        time_taken = Time.now - start
+        Dependabot.logger.info("Installing Python #{python_version} took #{time_taken}s.")
+      end
+
+      def self.python_major_minor(python_version)
+        python = Python::Version.new(python_version)
+        "#{python.segments[0]}.#{python.segments[1]}"
+      end
+    end
+  end
+end

data/lib/dependabot/python/metadata_finder.rb

@@ -131,6 +131,8 @@ module Dependabot
           return @pypi_listing
         rescue JSON::ParserError
           next
+        rescue Excon::Error::Timeout
+          next
         end
 
         @pypi_listing = {} # No listing found

data/lib/dependabot/python/python_versions.rb

@@ -4,18 +4,22 @@ module Dependabot
   module Python
     module PythonVersions
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.10.5
+        3.11.0
       ).freeze
 
       # Due to an OpenSSL issue we can only install the following versions in
       # the Dependabot container.
+      # NOTE: When adding one version, always doublecheck for additional releases: https://www.python.org/downloads/
+      #
+      # WARNING: 3.9.3 is purposefully omitted as it was recalled: https://www.python.org/downloads/release/python-393/
       SUPPORTED_VERSIONS = %w(
-        3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0
-        3.9.13 3.9.12 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.2 3.9.1 3.9.0
-        3.8.13 3.8.12 3.8.11 3.8.10 3.8.9 3.8.8 3.8.7 3.8.6 3.8.5 3.8.4 3.8.3 3.8.2 3.8.1 3.8.0
-        3.7.13 3.7.12 3.7.11 3.7.10 3.7.9 3.7.8 3.7.7 3.7.6 3.7.5 3.7.4 3.7.3 3.7.2 3.7.1 3.7.0
-        3.6.15 3.6.14 3.6.13 3.6.12 3.6.11 3.6.10 3.6.9 3.6.8 3.6.7 3.6.6 3.6.5 3.6.4 3.6.3
-        3.6.2 3.6.1 3.6.0 3.5.10 3.5.8 3.5.7 3.5.6 3.5.5 3.5.4 3.5.3
+        3.11.0
+        3.10.8 3.10.7 3.10.6 3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0
+        3.9.15 3.9.14 3.9.13 3.9.12 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.2 3.9.1 3.9.0
+        3.8.15 3.8.14 3.8.13 3.8.12 3.8.11 3.8.10 3.8.9 3.8.8 3.8.7 3.8.6 3.8.5 3.8.4 3.8.3 3.8.2 3.8.1 3.8.0
+        3.7.15 3.7.14 3.7.13 3.7.12 3.7.11 3.7.10 3.7.9 3.7.8 3.7.7 3.7.6 3.7.5 3.7.4 3.7.3 3.7.2 3.7.1 3.7.0
+        3.6.15 3.6.14 3.6.13 3.6.12 3.6.11 3.6.10 3.6.9 3.6.8 3.6.7 3.6.6 3.6.5 3.6.4 3.6.3 3.6.2 3.6.1 3.6.0
+        3.5.10 3.5.8 3.5.7 3.5.6 3.5.5 3.5.4 3.5.3
       ).freeze
 
       # This list gets iterated through to find a valid version, so we have

data/lib/dependabot/python/requirement.rb

@@ -6,7 +6,7 @@ require "dependabot/python/version"
 module Dependabot
   module Python
     class Requirement < Gem::Requirement
-      OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/.freeze
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/
 
       # Add equality and arbitrary-equality matchers
       OPS = OPS.merge(
@@ -19,8 +19,8 @@ module Dependabot
       version_pattern = Python::Version::VERSION_PATTERN
 
       PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
-      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
-      PARENS_PATTERN = /\A\(([^)]+)\)\z/.freeze
+      PATTERN = /\A#{PATTERN_RAW}\z/
+      PARENS_PATTERN = /\A\(([^)]+)\)\z/
 
       def self.parse(obj)
         return ["=", Python::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
@@ -60,6 +60,9 @@ module Dependabot
         requirements = requirements.flatten.flat_map do |req_string|
           next if req_string.nil?
 
+          # Standard python doesn't support whitespace in requirements, but Poetry does.
+          req_string = req_string.gsub(/(\d +)([<=>])/, '\1,\2')
+
           req_string.split(",").map(&:strip).map do |r|
             convert_python_constraint_to_ruby_constraint(r)
           end
@@ -87,7 +90,7 @@ module Dependabot
         return nil if req_string == "*"
 
         req_string = req_string.gsub("~=", "~>")
-        req_string = req_string.gsub(/(?<=\d)[<=>].*/, "")
+        req_string = req_string.gsub(/(?<=\d)[<=>].*\Z/, "")
 
         if req_string.match?(/~[^>]/) then convert_tilde_req(req_string)
         elsif req_string.start_with?("^") then convert_caret_req(req_string)

data/lib/dependabot/python/requirement_parser.rb

@@ -3,29 +3,26 @@
 module Dependabot
   module Python
     class RequirementParser
-      NAME = /[a-zA-Z0-9](?:[a-zA-Z0-9\-_\.]*[a-zA-Z0-9])?/.freeze
-      EXTRA = /[a-zA-Z0-9\-_\.]+/.freeze
-      COMPARISON = /===|==|>=|<=|<|>|~=|!=/.freeze
-      VERSION = /([1-9][0-9]*!)?[0-9]+[a-zA-Z0-9\-_.*]*(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?/.
-                freeze
-      REQUIREMENT =
-        /(?<comparison>#{COMPARISON})\s*\\?\s*(?<version>#{VERSION})/.freeze
-      HASH = /--hash=(?<algorithm>.*?):(?<hash>.*?)(?=\s|$)/.freeze
-      REQUIREMENTS = /#{REQUIREMENT}(\s*,\s*\\?\s*#{REQUIREMENT})*/.freeze
-      HASHES = /#{HASH}(\s*\\?\s*#{HASH})*/.freeze
-      MARKER_OP = /\s*(#{COMPARISON}|(\s*in)|(\s*not\s*in))/.freeze
-      PYTHON_STR_C =
-        %r{[a-zA-Z0-9\s\(\)\.\{\}\-_\*#:;/\?\[\]!~`@\$%\^&=\+\|<>]}.freeze
-      PYTHON_STR = /('(#{PYTHON_STR_C}|")*'|"(#{PYTHON_STR_C}|')*")/.freeze
+      NAME = /[a-zA-Z0-9](?:[a-zA-Z0-9\-_\.]*[a-zA-Z0-9])?/
+      EXTRA = /[a-zA-Z0-9\-_\.]+/
+      COMPARISON = /===|==|>=|<=|<|>|~=|!=/
+      VERSION = /([1-9][0-9]*!)?[0-9]+[a-zA-Z0-9\-_.*]*(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?/
+
+      REQUIREMENT = /(?<comparison>#{COMPARISON})\s*\\?\s*(?<version>#{VERSION})/
+      HASH = /--hash=(?<algorithm>.*?):(?<hash>.*?)(?=\s|$)/
+      REQUIREMENTS = /#{REQUIREMENT}(\s*,\s*\\?\s*#{REQUIREMENT})*/
+      HASHES = /#{HASH}(\s*\\?\s*#{HASH})*/
+      MARKER_OP = /\s*(#{COMPARISON}|(\s*in)|(\s*not\s*in))/
+      PYTHON_STR_C = %r{[a-zA-Z0-9\s\(\)\.\{\}\-_\*#:;/\?\[\]!~`@\$%\^&=\+\|<>]}
+      PYTHON_STR = /('(#{PYTHON_STR_C}|")*'|"(#{PYTHON_STR_C}|')*")/
       ENV_VAR =
         /python_version|python_full_version|os_name|sys_platform|
          platform_release|platform_system|platform_version|platform_machine|
          platform_python_implementation|implementation_name|
-         implementation_version/.freeze
-      MARKER_VAR = /\s*(#{ENV_VAR}|#{PYTHON_STR})/.freeze
-      MARKER_EXPR_ONE = /#{MARKER_VAR}#{MARKER_OP}#{MARKER_VAR}/.freeze
-      MARKER_EXPR =
-        /(#{MARKER_EXPR_ONE}|\(\s*|\s*\)|\s+and\s+|\s+or\s+)+/.freeze
+         implementation_version/
+      MARKER_VAR = /\s*(#{ENV_VAR}|#{PYTHON_STR})/
+      MARKER_EXPR_ONE = /#{MARKER_VAR}#{MARKER_OP}#{MARKER_VAR}/
+      MARKER_EXPR = /(#{MARKER_EXPR_ONE}|\(\s*|\s*\)|\s+and\s+|\s+or\s+)+/
 
       INSTALL_REQ_WITH_REQUIREMENT =
         /\s*\\?\s*(?<name>#{NAME})
@@ -34,7 +31,7 @@ module Dependabot
           \s*\\?\s*(;\s*(?<markers>#{MARKER_EXPR}))?
           \s*\\?\s*(?<hashes>#{HASHES})?
           \s*#*\s*(?<comment>.+)?
-        /x.freeze
+        /x
 
       INSTALL_REQ_WITHOUT_REQUIREMENT =
         /^\s*\\?\s*(?<name>#{NAME})
@@ -42,7 +39,7 @@ module Dependabot
           \s*\\?\s*(;\s*(?<markers>#{MARKER_EXPR}))?
           \s*\\?\s*(?<hashes>#{HASHES})?
           \s*#*\s*(?<comment>.+)?$
-        /x.freeze
+        /x
 
       VALID_REQ_TXT_REQUIREMENT =
         /^\s*\\?\s*(?<name>#{NAME})
@@ -51,12 +48,12 @@ module Dependabot
           \s*\\?\s*(;\s*(?<markers>#{MARKER_EXPR}))?
           \s*\\?\s*(?<hashes>#{HASHES})?
           \s*(\#+\s*(?<comment>.*))?$
-        /x.freeze
+        /x
 
       NAME_WITH_EXTRAS =
         /\s*\\?\s*(?<name>#{NAME})
           (\s*\\?\s*\[\s*(?<extras>#{EXTRA}(\s*,\s*#{EXTRA})*)\s*\])?
-        /x.freeze
+        /x
     end
   end
 end

data/lib/dependabot/python/update_checker/index_finder.rb

@@ -9,7 +9,7 @@ module Dependabot
     class UpdateChecker
       class IndexFinder
         PYPI_BASE_URL = "https://pypi.org/simple/"
-        ENVIRONMENT_VARIABLE_REGEX = /\$\{.+\}/.freeze
+        ENVIRONMENT_VARIABLE_REGEX = /\$\{.+\}/
 
         def initialize(dependency_files:, credentials:)
           @dependency_files = dependency_files

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -112,9 +112,9 @@ module Dependabot
         end
 
         def filter_lower_versions(versions_array)
-          return versions_array unless dependency.version && version_class.correct?(dependency.version)
+          return versions_array unless dependency.numeric_version
 
-          versions_array.select { |version| version > version_class.new(dependency.version) }
+          versions_array.select { |version| version > dependency.numeric_version }
         end
 
         def filter_out_of_range_versions(versions_array)

data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb

@@ -11,6 +11,7 @@ require "dependabot/python/file_updater/requirement_replacer"
 require "dependabot/python/file_updater/setup_file_sanitizer"
 require "dependabot/python/version"
 require "dependabot/shared_helpers"
+require "dependabot/python/helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/python_versions"
 require "dependabot/python/name_normaliser"
@@ -24,16 +25,14 @@ module Dependabot
       # - Run `pip-compile` and see what the result is
       # rubocop:disable Metrics/ClassLength
       class PipCompileVersionResolver
-        GIT_DEPENDENCY_UNREACHABLE_REGEX =
-          /git clone --filter=blob:none --quiet (?<url>[^\s]+).* /.freeze
-        GIT_REFERENCE_NOT_FOUND_REGEX =
-          /Did not find branch or tag '(?<tag>[^\n"]+)'/m.freeze
+        GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none --quiet (?<url>[^\s]+).* /
+        GIT_REFERENCE_NOT_FOUND_REGEX = /Did not find branch or tag '(?<tag>[^\n"]+)'/m
         NATIVE_COMPILATION_ERROR =
           "pip._internal.exceptions.InstallationSubprocessError: Command errored out with exit status 1:"
         # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#configuring-metadata
-        PYTHON_PACKAGE_NAME_REGEX = /[A-Za-z0-9_\-]+/.freeze
+        PYTHON_PACKAGE_NAME_REGEX = /[A-Za-z0-9_\-]+/
         RESOLUTION_IMPOSSIBLE_ERROR = "ResolutionImpossible"
-        ERROR_REGEX = /(?<=ERROR\:\W).*$/.freeze
+        ERROR_REGEX = /(?<=ERROR\:\W).*$/
 
         attr_reader :dependency, :dependency_files, :credentials
 
@@ -72,7 +71,7 @@ module Dependabot
             SharedHelpers.in_a_temporary_directory do
               SharedHelpers.with_git_configured(credentials: credentials) do
                 write_temporary_dependency_files(updated_req: requirement)
-                install_required_python
+                Helpers.install_required_python(python_version)
 
                 filenames_to_compile.each do |filename|
                   # Shell out to pip-compile.
@@ -80,9 +79,17 @@ module Dependabot
                   run_pip_compile_command(
                     "pyenv exec pip-compile -v #{pip_compile_options(filename)} -P #{dependency.name} #{filename}"
                   )
-                  # Run pip-compile a second time, without an update argument,
-                  # to ensure it handles markers correctly
-                  write_original_manifest_files unless dependency.top_level?
+
+                  next if dependency.top_level?
+
+                  # Run pip-compile a second time for transient dependencies
+                  # to make sure we do not update dependencies that are
+                  # superfluous. pip-compile does not detect these when
+                  # updating a specific dependency with the -P option.
+                  # Running pip-compile a second time will automatically remove
+                  # superfluous dependencies. Dependabot then marks those with
+                  # update_not_possible.
+                  write_original_manifest_files
                   run_pip_compile_command(
                     "pyenv exec pip-compile #{pip_compile_options(filename)} #{filename}"
                   )
@@ -247,7 +254,7 @@ module Dependabot
         end
 
         def run_pip_compile_command(command)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(command)
         end
 
@@ -291,7 +298,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name
@@ -313,15 +320,6 @@ module Dependabot
           end
         end
 
-        def install_required_python
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install --upgrade pip")
-          run_command("pyenv exec pip install -r" \
-                      "#{NativeHelpers.python_requirements_path}")
-        end
-
         def sanitized_setup_file_content(file)
           @sanitized_setup_file_content ||= {}
           return @sanitized_setup_file_content[file.name] if @sanitized_setup_file_content[file.name]

data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb

@@ -30,21 +30,18 @@ module Dependabot
       # still better than nothing, though.
       class PipenvVersionResolver
         # rubocop:disable Layout/LineLength
-        GIT_DEPENDENCY_UNREACHABLE_REGEX =
-          /git clone -q (?<url>[^\s]+).* /.freeze
-        GIT_REFERENCE_NOT_FOUND_REGEX =
-          %r{git checkout -q (?<tag>[^\n"]+)\n?[^\n]*/(?<name>.*?)(\\n'\]|$)}m.
-          freeze
+        GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone -q (?<url>[^\s]+).* /
+        GIT_REFERENCE_NOT_FOUND_REGEX = %r{git checkout -q (?<tag>[^\n"]+)\n?[^\n]*/(?<name>.*?)(\\n'\]|$)}m
         PIPENV_INSTALLATION_ERROR = "pipenv.patched.notpip._internal.exceptions.InstallationError: Command errored out" \
                                     " with exit status 1: python setup.py egg_info"
         TRACEBACK = "Traceback (most recent call last):"
         PIPENV_INSTALLATION_ERROR_REGEX =
-          /#{Regexp.quote(TRACEBACK)}[\s\S]*^\s+import\s(?<name>.+)[\s\S]*^#{Regexp.quote(PIPENV_INSTALLATION_ERROR)}/.
-          freeze
+          /#{Regexp.quote(TRACEBACK)}[\s\S]*^\s+import\s(?<name>.+)[\s\S]*^#{Regexp.quote(PIPENV_INSTALLATION_ERROR)}/
+
         UNSUPPORTED_DEPS = %w(pyobjc).freeze
         UNSUPPORTED_DEP_REGEX =
-          /Could not find a version that satisfies the requirement.*(?:#{UNSUPPORTED_DEPS.join("|")})/.freeze
-        PIPENV_RANGE_WARNING = /Warning:\sPython\s[<>].* was not found/.freeze
+          /Could not find a version that satisfies the requirement.*(?:#{UNSUPPORTED_DEPS.join("|")})/
+        PIPENV_RANGE_WARNING = /Warning:\sPython\s[<>].* was not found/
         # rubocop:enable Layout/LineLength
 
         DEPENDENCY_TYPES = %w(packages dev-packages).freeze
@@ -293,7 +290,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name
@@ -323,13 +320,7 @@ module Dependabot
             nil
           end
 
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          requirements_path = NativeHelpers.python_requirements_path
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install --upgrade pip")
-          run_command("pyenv exec pip install -r " \
-                      "#{requirements_path}")
+          Helpers.install_required_python(python_version)
         end
 
         def sanitized_setup_file_content(file)
@@ -350,6 +341,7 @@ module Dependabot
           content = freeze_other_dependencies(content)
           content = set_target_dependency_req(content, updated_requirement)
           content = add_private_sources(content)
+          content = update_python_requirement(content)
           content
         end
 
@@ -359,6 +351,12 @@ module Dependabot
             freeze_top_level_dependencies_except([dependency])
         end
 
+        def update_python_requirement(pipfile_content)
+          Python::FileUpdater::PipfilePreparer.
+            new(pipfile_content: pipfile_content).
+            update_python_requirement(Helpers.python_major_minor(python_version))
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def set_target_dependency_req(pipfile_content, updated_requirement)
           return pipfile_content unless updated_requirement
@@ -470,7 +468,7 @@ module Dependabot
         end
 
         def run_pipenv_command(command, env: pipenv_env_variables)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(command, env: env)
         end
 

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -28,10 +28,14 @@ module Dependabot
           'checkout',
           '(?<tag>.+?)'
           |
+          Failed to checkout
+          (?<tag>.+?)
+          (?<url>.+?).git at '(?<tag>.+?)'
+          |
           ...Failedtoclone
           (?<url>.+?).gitat'(?<tag>.+?)',
           verifyrefexistsonremote)
-        /x.freeze # TODO: remove the first clause and | when py3.6 support is EoL
+        /x # TODO: remove the first clause and | when py3.6 support is EoL
         GIT_DEPENDENCY_UNREACHABLE_REGEX = /
           (?:'\['git',
           \s+'clone',
@@ -43,7 +47,7 @@ module Dependabot
           \s+Failed\sto\sclone
           \s+(?<url>.+?),
           \s+check\syour\sgit\sconfiguration)
-        /mx.freeze # TODO: remove the first clause and | when py3.6 support is EoL
+        /mx # TODO: remove the first clause and | when py3.6 support is EoL
 
         attr_reader :dependency, :dependency_files, :credentials
 
@@ -88,13 +92,11 @@ module Dependabot
                 write_temporary_dependency_files(updated_req: requirement)
                 add_auth_env_vars
 
-                if python_version && !pre_installed_python?(python_version)
-                  run_poetry_command("pyenv install -s #{python_version}")
-                  run_poetry_command("pyenv exec pip install --upgrade pip")
-                  run_poetry_command(
-                    "pyenv exec pip install -r " \
-                    "#{NativeHelpers.python_requirements_path}"
-                  )
+                Helpers.install_required_python(python_version)
+
+                # use system git instead of the pure Python dulwich
+                unless python_version&.start_with?("3.6")
+                  run_poetry_command("pyenv exec poetry config experimental.system-git-client true")
                 end
 
                 # Shell out to Poetry, which handles everything for us.
@@ -200,7 +202,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version) if python_version
+          File.write(".python-version", Helpers.python_major_minor(python_version)) if python_version
 
           # Overwrite the pyproject with updated content
           if update_pyproject
@@ -282,7 +284,7 @@ module Dependabot
           pyproject_object = TomlRB.parse(pyproject_content)
           poetry_object = pyproject_object.dig("tool", "poetry")
 
-          Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
+          Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
             names = poetry_object[type]&.keys || []
             pkg_name = names.find { |nm| normalise(nm) == dependency.name }
             next unless pkg_name
@@ -335,7 +337,7 @@ module Dependabot
           stdout, process = Open3.capture2e(command)
           time_taken = Time.now - start
 
-          # Raise an error with the output from the shell session if Pipenv
+          # Raise an error with the output from the shell session if poetry
           # returns a non-zero status
           return if process.success?
 

data/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -9,8 +9,8 @@ module Dependabot
   module Python
     class UpdateChecker
       class RequirementsUpdater
-        PYPROJECT_OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/.freeze
-        PYPROJECT_SEPARATOR = /#{PYPROJECT_OR_SEPARATOR}|,/.freeze
+        PYPROJECT_OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/
+        PYPROJECT_SEPARATOR = /#{PYPROJECT_OR_SEPARATOR}|,/
 
         class UnfixableRequirement < StandardError; end
 
@@ -175,11 +175,25 @@ module Dependabot
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
-        # rubocop:disable Metrics/PerceivedComplexity
         def updated_requirement(req)
           return req unless latest_resolvable_version
           return req unless req.fetch(:requirement)
 
+          case update_strategy
+          when :bump_versions
+            update_requirement(req)
+          when :bump_versions_if_necessary
+            update_requirement_if_needed(req)
+          end
+        end
+
+        def update_requirement_if_needed(req)
+          return req if new_version_satisfies?(req)
+
+          update_requirement(req)
+        end
+
+        def update_requirement(req)
           requirement_strings = req[:requirement].split(",").map(&:strip)
 
           new_requirement =
@@ -197,7 +211,6 @@ module Dependabot
         rescue UnfixableRequirement
           req.merge(requirement: :unfixable)
         end
-        # rubocop:enable Metrics/PerceivedComplexity
 
         def new_version_satisfies?(req)
           requirement_class.