dependabot-python 0.214.0 → 0.216.0

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -92,15 +92,15 @@ module Dependabot
                 write_temporary_dependency_files(updated_req: requirement)
                 add_auth_env_vars
 
-                Helpers.install_required_python(python_version)
+                language_version_manager.install_required_python
 
                 # use system git instead of the pure Python dulwich
-                unless python_version&.start_with?("3.6")
+                unless language_version_manager.python_version&.start_with?("3.6")
                   run_poetry_command("pyenv exec poetry config experimental.system-git-client true")
                 end
 
                 # Shell out to Poetry, which handles everything for us.
-                run_poetry_command(poetry_update_command)
+                run_poetry_update_command
 
                 updated_lockfile =
                   if File.exist?("poetry.lock") then File.read("poetry.lock")
@@ -163,8 +163,11 @@ module Dependabot
 
         # Using `--lock` avoids doing an install.
         # Using `--no-interaction` avoids asking for passwords.
-        def poetry_update_command
-          "pyenv exec poetry update #{dependency.name} --lock --no-interaction"
+        def run_poetry_update_command
+          run_poetry_command(
+            "pyenv exec poetry update #{dependency.name} --lock --no-interaction",
+            fingerprint: "pyenv exec poetry update <dependency_name> --lock --no-interaction"
+          )
         end
 
         def check_original_requirements_resolvable
@@ -174,7 +177,7 @@ module Dependabot
             SharedHelpers.with_git_configured(credentials: credentials) do
               write_temporary_dependency_files(update_pyproject: false)
 
-              run_poetry_command(poetry_update_command)
+              run_poetry_update_command
 
               @original_reqs_resolvable = true
             rescue SharedHelpers::HelperSubprocessFailed => e
@@ -202,7 +205,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", Helpers.python_major_minor(python_version)) if python_version
+          File.write(".python-version", language_version_manager.python_major_minor)
 
           # Overwrite the pyproject with updated content
           if update_pyproject
@@ -221,39 +224,10 @@ module Dependabot
             add_auth_env_vars(credentials)
         end
 
-        def python_version
-          requirements = python_requirement_parser.user_specified_requirements
-          requirements = requirements.
-                         map { |r| Python::Requirement.requirements_array(r) }
-
-          version = PythonVersions::SUPPORTED_VERSIONS_TO_ITERATE.find do |v|
-            requirements.all? do |reqs|
-              reqs.any? { |r| r.satisfied_by?(Python::Version.new(v)) }
-            end
-          end
-          return version if version
-
-          msg = "Dependabot detected the following Python requirements " \
-                "for your project: '#{requirements}'.\n\nCurrently, the " \
-                "following Python versions are supported in Dependabot: " \
-                "#{PythonVersions::SUPPORTED_VERSIONS.join(', ')}."
-          raise DependencyFileNotResolvable, msg
-        end
-
-        def python_requirement_parser
-          @python_requirement_parser ||=
-            FileParser::PythonRequirementParser.new(
-              dependency_files: dependency_files
-            )
-        end
-
-        def pre_installed_python?(version)
-          PythonVersions::PRE_INSTALLED_PYTHON_VERSIONS.include?(version)
-        end
-
         def updated_pyproject_content(updated_requirement:)
           content = pyproject.content
           content = sanitize_pyproject_content(content)
+          content = update_python_requirement(content)
           content = freeze_other_dependencies(content)
           content = set_target_dependency_req(content, updated_requirement)
           content
@@ -262,6 +236,7 @@ module Dependabot
         def sanitized_pyproject_content
           content = pyproject.content
           content = sanitize_pyproject_content(content)
+          content = update_python_requirement(content)
           content
         end
 
@@ -271,13 +246,18 @@ module Dependabot
             sanitize
         end
 
+        def update_python_requirement(pyproject_content)
+          Python::FileUpdater::PyprojectPreparer.
+            new(pyproject_content: pyproject_content).
+            update_python_requirement(language_version_manager.python_major_minor)
+        end
+
         def freeze_other_dependencies(pyproject_content)
           Python::FileUpdater::PyprojectPreparer.
             new(pyproject_content: pyproject_content, lockfile: lockfile).
             freeze_top_level_dependencies_except([dependency])
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
         def set_target_dependency_req(pyproject_content, updated_requirement)
           return pyproject_content unless updated_requirement
 
@@ -285,15 +265,15 @@ module Dependabot
           poetry_object = pyproject_object.dig("tool", "poetry")
 
           Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
-            names = poetry_object[type]&.keys || []
-            pkg_name = names.find { |nm| normalise(nm) == dependency.name }
-            next unless pkg_name
-
-            if poetry_object.dig(type, pkg_name).is_a?(Hash)
-              poetry_object[type][pkg_name]["version"] = updated_requirement
-            else
-              poetry_object[type][pkg_name] = updated_requirement
-            end
+            dependencies = poetry_object[type]
+            next unless dependencies
+
+            update_dependency_requirement(dependencies, updated_requirement)
+          end
+
+          groups = poetry_object["group"]&.values || []
+          groups.each do |group_spec|
+            update_dependency_requirement(group_spec["dependencies"], updated_requirement)
           end
 
           # If this is a sub-dependency, add the new requirement
@@ -304,7 +284,18 @@ module Dependabot
 
           TomlRB.dump(pyproject_object)
         end
-        # rubocop:enable Metrics/PerceivedComplexity
+
+        def update_dependency_requirement(toml_node, requirement)
+          names = toml_node.keys
+          pkg_name = names.find { |nm| normalise(nm) == dependency.name }
+          return unless pkg_name
+
+          if toml_node[pkg_name].is_a?(Hash)
+            toml_node[pkg_name]["version"] = requirement
+          else
+            toml_node[pkg_name] = requirement
+          end
+        end
 
         def subdep_type
           category =
@@ -315,6 +306,20 @@ module Dependabot
           category == "dev" ? "dev-dependencies" : "dependencies"
         end
 
+        def python_requirement_parser
+          @python_requirement_parser ||=
+            FileParser::PythonRequirementParser.new(
+              dependency_files: dependency_files
+            )
+        end
+
+        def language_version_manager
+          @language_version_manager ||=
+            LanguageVersionManager.new(
+              python_requirement_parser: python_requirement_parser
+            )
+        end
+
         def pyproject
           dependency_files.find { |f| f.name == "pyproject.toml" }
         end
@@ -331,7 +336,7 @@ module Dependabot
           poetry_lock || pyproject_lock
         end
 
-        def run_poetry_command(command)
+        def run_poetry_command(command, fingerprint: nil)
           start = Time.now
           command = SharedHelpers.escape_command(command)
           stdout, process = Open3.capture2e(command)
@@ -345,6 +350,7 @@ module Dependabot
             message: stdout,
             error_context: {
               command: command,
+              fingerprint: fingerprint,
               time_taken: time_taken,
               process_exit_value: process.to_s
             }

data/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -88,12 +88,19 @@ module Dependabot
           case update_strategy
           when :widen_ranges then widen_pyproject_requirement(req)
           when :bump_versions then update_pyproject_version(req)
+          when :bump_versions_if_necessary then update_pyproject_version_if_needed(req)
           else raise "Unexpected update strategy: #{update_strategy}"
           end
         rescue UnfixableRequirement
           req.merge(requirement: :unfixable)
         end
 
+        def update_pyproject_version_if_needed(req)
+          return req if new_version_satisfies?(req)
+
+          update_pyproject_version(req)
+        end
+
         def update_pyproject_version(req)
           requirement_strings = req[:requirement].split(",").map(&:strip)
 
@@ -180,10 +187,14 @@ module Dependabot
           return req unless req.fetch(:requirement)
 
           case update_strategy
+          when :widen_ranges
+            widen_requirement(req)
           when :bump_versions
             update_requirement(req)
           when :bump_versions_if_necessary
             update_requirement_if_needed(req)
+          else
+            raise "Unexpected update strategy: #{update_strategy}"
           end
         end
 
@@ -212,6 +223,14 @@ module Dependabot
           req.merge(requirement: :unfixable)
         end
 
+        def widen_requirement(req)
+          return req if new_version_satisfies?(req)
+
+          new_requirement = widen_requirement_range(req[:requirement])
+
+          req.merge(requirement: new_requirement)
+        end
+
         def new_version_satisfies?(req)
           requirement_class.
             requirements_array(req.fetch(:requirement)).
@@ -256,8 +275,10 @@ module Dependabot
             next r.to_s if r.satisfied_by?(latest_resolvable_version)
 
             case op = r.requirements.first.first
-            when "<", "<="
-              "<" + update_greatest_version(r.to_s, latest_resolvable_version)
+            when "<"
+              "<" + update_greatest_version(r.requirements.first.last, latest_resolvable_version)
+            when "<="
+              "<=" + latest_resolvable_version.to_s
             when "!=", ">", ">="
               raise UnfixableRequirement
             else
@@ -329,14 +350,12 @@ module Dependabot
           end
         end
 
-        # Updates the version in a "<" or "<=" constraint to allow the given
-        # version
-        def update_greatest_version(req_string, version_to_be_permitted)
+        # Updates the version in a "<" constraint to allow the given version
+        def update_greatest_version(version, version_to_be_permitted)
           if version_to_be_permitted.is_a?(String)
             version_to_be_permitted =
               Python::Version.new(version_to_be_permitted)
           end
-          version = Python::Version.new(req_string.gsub(/<=?/, ""))
           version = version.release if version.prerelease?
 
           index_to_update = [

data/lib/dependabot/python/update_checker.rb

@@ -34,43 +34,25 @@ module Dependabot
 
       def latest_resolvable_version
         @latest_resolvable_version ||=
-          case resolver_type
-          when :pipenv
-            pipenv_version_resolver.latest_resolvable_version(
+          if resolver_type == :requirements
+            resolver.latest_resolvable_version
+          elsif resolver_type == :pip_compile && resolver.resolvable?(version: latest_version)
+            latest_version
+          else
+            resolver.latest_resolvable_version(
               requirement: unlocked_requirement_string
             )
-          when :poetry
-            poetry_version_resolver.latest_resolvable_version(
-              requirement: unlocked_requirement_string
-            )
-          when :pip_compile
-            pip_compile_version_resolver.latest_resolvable_version(
-              requirement: unlocked_requirement_string
-            )
-          when :requirements
-            pip_version_resolver.latest_resolvable_version
-          else raise "Unexpected resolver type #{resolver_type}"
           end
       end
 
       def latest_resolvable_version_with_no_unlock
         @latest_resolvable_version_with_no_unlock ||=
-          case resolver_type
-          when :pipenv
-            pipenv_version_resolver.latest_resolvable_version(
-              requirement: current_requirement_string
-            )
-          when :poetry
-            poetry_version_resolver.latest_resolvable_version(
-              requirement: current_requirement_string
-            )
-          when :pip_compile
-            pip_compile_version_resolver.latest_resolvable_version(
+          if resolver_type == :requirements
+            resolver.latest_resolvable_version_with_no_unlock
+          else
+            resolver.latest_resolvable_version(
               requirement: current_requirement_string
             )
-          when :requirements
-            pip_version_resolver.latest_resolvable_version_with_no_unlock
-          else raise "Unexpected resolver type #{resolver_type}"
           end
       end
 
@@ -115,34 +97,25 @@ module Dependabot
         raise NotImplementedError
       end
 
-      def preferred_version_resolvable_with_unlock?
-        # Our requirements file updater doesn't currently support widening
-        # ranges, so avoid updating this dependency if widening ranges has been
-        # required and the dependency is present on a requirements file.
-        # Otherwise, we will crash later on. TODO: Consider what the correct
-        # behavior is in these cases.
-        return false if requirements_update_strategy == :widen_ranges && updating_requirements_file?
-
-        super
-      end
-
       def fetch_lowest_resolvable_security_fix_version
         fix_version = lowest_security_fix_version
         return latest_resolvable_version if fix_version.nil?
 
-        return pip_version_resolver.lowest_resolvable_security_fix_version if resolver_type == :requirements
-
-        resolver =
-          case resolver_type
-          when :pip_compile then pip_compile_version_resolver
-          when :pipenv then pipenv_version_resolver
-          when :poetry then poetry_version_resolver
-          else raise "Unexpected resolver type #{resolver_type}"
-          end
+        return resolver.lowest_resolvable_security_fix_version if resolver_type == :requirements
 
         resolver.resolvable?(version: fix_version) ? fix_version : nil
       end
 
+      def resolver
+        case resolver_type
+        when :pip_compile then pip_compile_version_resolver
+        when :pipenv then pipenv_version_resolver
+        when :poetry then poetry_version_resolver
+        when :requirements then pip_version_resolver
+        else raise "Unexpected resolver type #{resolver_type}"
+        end
+      end
+
       def resolver_type
         reqs = requirements
 
@@ -292,7 +265,7 @@ module Dependabot
 
         pypi_info = JSON.parse(index_response.body)["info"] || {}
         pypi_info["summary"] == library_details["description"]
-      rescue Excon::Error::Timeout
+      rescue Excon::Error::Timeout, Excon::Error::Socket
         false
       rescue URI::InvalidURIError
         false

data/lib/dependabot/python/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # Python versions can include a local version identifier, which Ruby can't
 # parse. This class augments Gem::Version with local version identifier info.
@@ -9,7 +9,7 @@ require "rubygems_version_patch"
 
 module Dependabot
   module Python
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       attr_reader :epoch
       attr_reader :local_version
       attr_reader :post_release_version

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.214.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-01 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.214.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.214.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,38 +182,40 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-Python provides support for bumping Python packages via Dependabot.
+  If you want support for multiple package managers, you probably want the meta-gem
+  dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - helpers/build
+- helpers/build_for_version
 - helpers/lib/__init__.py
 - helpers/lib/hasher.py
 - helpers/lib/parser.py
@@ -237,7 +239,7 @@ files:
 - lib/dependabot/python/file_updater/requirement_file_updater.rb
 - lib/dependabot/python/file_updater/requirement_replacer.rb
 - lib/dependabot/python/file_updater/setup_file_sanitizer.rb
-- lib/dependabot/python/helpers.rb
+- lib/dependabot/python/language_version_manager.rb
 - lib/dependabot/python/metadata_finder.rb
 - lib/dependabot/python/name_normaliser.rb
 - lib/dependabot/python/native_helpers.rb
@@ -256,7 +258,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -272,8 +276,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
-summary: Python support for dependabot
+summary: Provides Dependabot support for Python
 test_files: []

data/lib/dependabot/python/helpers.rb

@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/logger"
-require "dependabot/python/version"
-
-module Dependabot
-  module Python
-    module Helpers
-      def self.install_required_python(python_version)
-        # The leading space is important in the version check
-        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_major_minor(python_version)}.")
-
-        if File.exist?("/usr/local/.pyenv/#{python_major_minor(python_version)}.tar.gz")
-          SharedHelpers.run_shell_command(
-            "tar xzf /usr/local/.pyenv/#{python_major_minor(python_version)}.tar.gz -C /usr/local/.pyenv/"
-          )
-          return if SharedHelpers.run_shell_command("pyenv versions").
-                    include?(" #{python_major_minor(python_version)}.")
-        end
-
-        Dependabot.logger.info("Installing required Python #{python_version}.")
-        start = Time.now
-        SharedHelpers.run_shell_command("pyenv install -s #{python_version}")
-        SharedHelpers.run_shell_command("pyenv exec pip install --upgrade pip")
-        SharedHelpers.run_shell_command("pyenv exec pip install -r" \
-                                        "#{NativeHelpers.python_requirements_path}")
-        time_taken = Time.now - start
-        Dependabot.logger.info("Installing Python #{python_version} took #{time_taken}s.")
-      end
-
-      def self.python_major_minor(python_version)
-        python = Python::Version.new(python_version)
-        "#{python.segments[0]}.#{python.segments[1]}"
-      end
-    end
-  end
-end