dependabot-python 0.212.0 → 0.214.0

data/lib/dependabot/python/update_checker.rb

@@ -26,7 +26,7 @@ module Dependabot
         https://pypi.python.org/simple/
         https://pypi.org/simple/
       ).freeze
-      VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
+      VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
 
       def latest_version
         @latest_version ||= fetch_latest_version
@@ -89,7 +89,7 @@ module Dependabot
 
       def updated_requirements
         RequirementsUpdater.new(
-          requirements: dependency.requirements,
+          requirements: requirements,
           latest_resolvable_version: preferred_resolvable_version&.to_s,
           update_strategy: requirements_update_strategy,
           has_lockfile: !(pipfile_lock || poetry_lock || pyproject_lock).nil?
@@ -100,8 +100,8 @@ module Dependabot
         # If passed in as an option (in the base class) honour that option
         return @requirements_update_strategy.to_sym if @requirements_update_strategy
 
-        # Otherwise, check if this is a poetry library or not
-        poetry_library? ? :widen_ranges : :bump_versions
+        # Otherwise, check if this is a library or not
+        library? ? :widen_ranges : :bump_versions
       end
 
       private
@@ -115,6 +115,17 @@ module Dependabot
         raise NotImplementedError
       end
 
+      def preferred_version_resolvable_with_unlock?
+        # Our requirements file updater doesn't currently support widening
+        # ranges, so avoid updating this dependency if widening ranges has been
+        # required and the dependency is present on a requirements file.
+        # Otherwise, we will crash later on. TODO: Consider what the correct
+        # behavior is in these cases.
+        return false if requirements_update_strategy == :widen_ranges && updating_requirements_file?
+
+        super
+      end
+
       def fetch_lowest_resolvable_security_fix_version
         fix_version = lowest_security_fix_version
         return latest_resolvable_version if fix_version.nil?
@@ -133,8 +144,7 @@ module Dependabot
       end
 
       def resolver_type
-        reqs = dependency.requirements
-        req_files = reqs.map { |r| r.fetch(:file) }
+        reqs = requirements
 
         # If there are no requirements then this is a sub-dependency. It
         # must come from one of Pipenv, Poetry or pip-tools, and can't come
@@ -143,9 +153,9 @@ module Dependabot
 
         # Otherwise, this is a top-level dependency, and we can figure out
         # which resolver to use based on the filename of its requirements
-        return :pipenv if req_files.any?("Pipfile")
-        return :poetry if req_files.any?("pyproject.toml")
-        return :pip_compile if req_files.any? { |f| f.end_with?(".in") }
+        return :pipenv if updating_pipfile?
+        return pyproject_resolver if updating_pyproject?
+        return :pip_compile if updating_in_file?
 
         if dependency.version && !exact_requirement?(reqs)
           subdependency_resolver
@@ -162,6 +172,12 @@ module Dependabot
         raise "Claimed to be a sub-dependency, but no lockfile exists!"
       end
 
+      def pyproject_resolver
+        return :poetry if poetry_based?
+
+        :requirements
+      end
+
       def exact_requirement?(reqs)
         reqs = reqs.map { |r| r.fetch(:requirement) }
         reqs = reqs.compact
@@ -202,16 +218,14 @@ module Dependabot
       end
 
       def current_requirement_string
-        reqs = dependency.requirements
+        reqs = requirements
         return if reqs.none?
 
-        requirement =
-          case resolver_type
-          when :pipenv then reqs.find { |r| r[:file] == "Pipfile" }
-          when :poetry then reqs.find { |r| r[:file] == "pyproject.toml" }
-          when :pip_compile then reqs.find { |r| r[:file].end_with?(".in") }
-          when :requirements then reqs.find { |r| r[:file].end_with?(".txt") }
-          end
+        requirement = reqs.find do |r|
+          file = r[:file]
+
+          file == "Pipfile" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
+        end
 
         requirement&.fetch(:requirement)
       end
@@ -236,7 +250,7 @@ module Dependabot
         return ">= #{dependency.version}" if dependency.version
 
         version_for_requirement =
-          dependency.requirements.filter_map { |r| r[:requirement] }.
+          requirements.filter_map { |r| r[:requirement] }.
           reject { |req_string| req_string.start_with?("<") }.
           select { |req_string| req_string.match?(VERSION_REGEX) }.
           map { |req_string| req_string.match(VERSION_REGEX) }.
@@ -261,26 +275,53 @@ module Dependabot
         )
       end
 
-      def poetry_library?
-        return false unless pyproject
+      def poetry_based?
+        updating_pyproject? && !poetry_details.nil?
+      end
+
+      def library?
+        return unless updating_pyproject?
 
         # Hit PyPi and check whether there are details for a library with a
         # matching name and description
-        details = TomlRB.parse(pyproject.content).dig("tool", "poetry")
-        return false unless details
-
         index_response = Dependabot::RegistryClient.get(
-          url: "https://pypi.org/pypi/#{normalised_name(details['name'])}/json/"
+          url: "https://pypi.org/pypi/#{normalised_name(library_details['name'])}/json/"
         )
 
         return false unless index_response.status == 200
 
         pypi_info = JSON.parse(index_response.body)["info"] || {}
-        pypi_info["summary"] == details["description"]
+        pypi_info["summary"] == library_details["description"]
+      rescue Excon::Error::Timeout
+        false
       rescue URI::InvalidURIError
         false
       end
 
+      def updating_pipfile?
+        requirement_files.any?("Pipfile")
+      end
+
+      def updating_pyproject?
+        requirement_files.any?("pyproject.toml")
+      end
+
+      def updating_in_file?
+        requirement_files.any? { |f| f.end_with?(".in") }
+      end
+
+      def updating_requirements_file?
+        requirement_files.any? { |f| f =~ /\.txt$|\.in$/ }
+      end
+
+      def requirement_files
+        requirements.map { |r| r.fetch(:file) }
+      end
+
+      def requirements
+        dependency.requirements
+      end
+
       def normalised_name(name)
         NameNormaliser.normalise(name)
       end
@@ -305,6 +346,22 @@ module Dependabot
         dependency_files.find { |f| f.name == "poetry.lock" }
       end
 
+      def library_details
+        @library_details ||= poetry_details || standard_details
+      end
+
+      def poetry_details
+        @poetry_details ||= toml_content.dig("tool", "poetry")
+      end
+
+      def standard_details
+        @standard_details ||= toml_content["project"]
+      end
+
+      def toml_content
+        @toml_content ||= TomlRB.parse(pyproject.content)
+      end
+
       def pip_compile_files
         dependency_files.select { |f| f.name.end_with?(".in") }
       end

data/lib/dependabot/python/version.rb

@@ -16,9 +16,9 @@ module Dependabot
 
       # See https://peps.python.org/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions
       VERSION_PATTERN = 'v?([1-9][0-9]*!)?[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
-                        '(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
+                        '(-[0-9A-Za-z]+(\.[0-9a-zA-Z]+)*)?' \
                         '(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?'
-      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
       def self.correct?(version)
         return false if version.nil?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.212.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-06 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,42 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
-- !ruby/object:Gem::Dependency
-  name: debase
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-- !ruby/object:Gem::Dependency
-  name: debase-ruby_core_source
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -142,42 +114,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.14.2
-- !ruby/object:Gem::Dependency
-  name: ruby-debug-ide
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +224,7 @@ files:
 - lib/dependabot/python/file_fetcher.rb
 - lib/dependabot/python/file_parser.rb
 - lib/dependabot/python/file_parser/pipfile_files_parser.rb
-- lib/dependabot/python/file_parser/poetry_files_parser.rb
+- lib/dependabot/python/file_parser/pyproject_files_parser.rb
 - lib/dependabot/python/file_parser/python_requirement_parser.rb
 - lib/dependabot/python/file_parser/setup_file_parser.rb
 - lib/dependabot/python/file_updater.rb
@@ -279,6 +237,7 @@ files:
 - lib/dependabot/python/file_updater/requirement_file_updater.rb
 - lib/dependabot/python/file_updater/requirement_replacer.rb
 - lib/dependabot/python/file_updater/setup_file_sanitizer.rb
+- lib/dependabot/python/helpers.rb
 - lib/dependabot/python/metadata_finder.rb
 - lib/dependabot/python/name_normaliser.rb
 - lib/dependabot/python/native_helpers.rb
@@ -306,14 +265,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Python support for dependabot