dependabot-python 0.237.0 → 0.238.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/requirements.txt +3 -3
- data/lib/dependabot/python/file_updater/poetry_file_updater.rb +2 -1
- data/lib/dependabot/python/pipenv_runner.rb +9 -7
- data/lib/dependabot/python/update_checker/index_finder.rb +4 -4
- data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb +16 -20
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: b05bd36f835c00c6533153183b23d848d6b06759d20dc4e643cc2fd5e9a8c5e6
|
4
|
+
data.tar.gz: 0c08d7fdb367c16636cd558dca7ad36e16bba8851b4f906ac076d8a28b45bbdb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1a7faaff71e67be34ad8d152bb5f869313f69a7a031cf4ffe4f1b2e5cc565e40ca0d9e9e5e2c470ff5477b5ab8c166ac29fc2323ac2c7548ec7e684348fac98b
|
7
|
+
data.tar.gz: 78adf7610fff0b22a46ac7d105a6463e1040505de29ecb15e9b087930bdfe5ba54cf6755bdefbff610a9009ae6a6bac6ae59997cae050c9dae06cd31ec1eda0d
|
data/helpers/requirements.txt
CHANGED
@@ -2,9 +2,9 @@ pip==23.3.1
|
|
2
2
|
pip-tools==7.3.0
|
3
3
|
flake8==6.1.0
|
4
4
|
hashin==0.17.0
|
5
|
-
pipenv
|
5
|
+
pipenv@git+https://github.com/pypa/pipenv@main
|
6
6
|
pipfile==0.0.2
|
7
|
-
poetry==1.
|
7
|
+
poetry==1.7.1
|
8
8
|
|
9
9
|
# Some dependencies will only install if Cython is present
|
10
|
-
Cython==3.0.
|
10
|
+
Cython==3.0.5
|
@@ -247,7 +247,8 @@ module Dependabot
|
|
247
247
|
def declaration_regex(dep, old_req)
|
248
248
|
group = old_req[:groups].first
|
249
249
|
|
250
|
-
|
250
|
+
header_regex = "#{group}(?:\\.dependencies)?\\]\s*(?:\s*#.*?)*?"
|
251
|
+
/#{header_regex}\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
|
251
252
|
end
|
252
253
|
|
253
254
|
def table_declaration_regex(dep, old_req)
|
@@ -15,10 +15,11 @@ module Dependabot
|
|
15
15
|
end
|
16
16
|
|
17
17
|
def run_upgrade(constraint)
|
18
|
-
|
18
|
+
constraint = "" if constraint == "*"
|
19
|
+
command = "pyenv exec pipenv upgrade --verbose #{dependency_name}#{constraint}"
|
19
20
|
command << " --dev" if lockfile_section == "develop"
|
20
21
|
|
21
|
-
run(command, fingerprint: "pyenv exec pipenv upgrade <dependency_name><constraint>")
|
22
|
+
run(command, fingerprint: "pyenv exec pipenv upgrade --verbose <dependency_name><constraint>")
|
22
23
|
end
|
23
24
|
|
24
25
|
def run_upgrade_and_fetch_version(constraint)
|
@@ -70,11 +71,12 @@ module Dependabot
|
|
70
71
|
|
71
72
|
def pipenv_env_variables
|
72
73
|
{
|
73
|
-
"PIPENV_YES" => "true",
|
74
|
-
"PIPENV_MAX_RETRIES" => "3",
|
75
|
-
"PIPENV_NOSPIN" => "1",
|
76
|
-
"PIPENV_TIMEOUT" => "600",
|
77
|
-
"PIP_DEFAULT_TIMEOUT" => "60" # Set pip timeout to 1 minute
|
74
|
+
"PIPENV_YES" => "true", # Install new Python ver if needed
|
75
|
+
"PIPENV_MAX_RETRIES" => "3", # Retry timeouts
|
76
|
+
"PIPENV_NOSPIN" => "1", # Don't pollute logs with spinner
|
77
|
+
"PIPENV_TIMEOUT" => "600", # Set install timeout to 10 minutes
|
78
|
+
"PIP_DEFAULT_TIMEOUT" => "60", # Set pip timeout to 1 minute
|
79
|
+
"COLUMNS" => "250" # Avoid line wrapping
|
78
80
|
}
|
79
81
|
end
|
80
82
|
end
|
@@ -123,14 +123,14 @@ module Dependabot
|
|
123
123
|
# If source is PyPI, skip it, and let it pick the default URI
|
124
124
|
next if source["name"].casecmp?("PyPI")
|
125
125
|
|
126
|
-
if source["
|
126
|
+
if @dependency.all_sources.include?(source["name"])
|
127
|
+
# If dependency has specified this source, use it
|
128
|
+
return { main: source["url"], extra: [] }
|
129
|
+
elsif source["default"]
|
127
130
|
urls[:main] = source["url"]
|
128
131
|
elsif source["priority"] != "explicit"
|
129
132
|
# if source is not explicit, add it to extra
|
130
133
|
urls[:extra] << source["url"]
|
131
|
-
elsif @dependency.all_sources.include?(source["name"])
|
132
|
-
# if source is explicit, and dependency has specified it as a source, add it to extra
|
133
|
-
urls[:extra] << source["url"]
|
134
134
|
end
|
135
135
|
end
|
136
136
|
urls[:extra] = urls[:extra].uniq
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "excon"
|
@@ -19,7 +19,7 @@ module Dependabot
|
|
19
19
|
module Python
|
20
20
|
class UpdateChecker
|
21
21
|
class PipenvVersionResolver
|
22
|
-
GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none (?<url>[^\s]+).*/
|
22
|
+
GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none --quiet (?<url>[^\s]+).*/
|
23
23
|
GIT_REFERENCE_NOT_FOUND_REGEX = /git checkout -q (?<tag>[^\s]+).*/
|
24
24
|
PIPENV_INSTALLATION_ERROR = "python setup.py egg_info exited with 1"
|
25
25
|
PIPENV_INSTALLATION_ERROR_REGEX =
|
@@ -90,6 +90,19 @@ module Dependabot
|
|
90
90
|
raise DependencyFileNotResolvable, msg
|
91
91
|
end
|
92
92
|
|
93
|
+
if error.message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
|
94
|
+
tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
|
95
|
+
# Unfortunately the error message doesn't include the package name.
|
96
|
+
# TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
|
97
|
+
raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
|
98
|
+
end
|
99
|
+
|
100
|
+
if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
101
|
+
url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
102
|
+
.named_captures.fetch("url")
|
103
|
+
raise GitDependenciesNotReachable, url
|
104
|
+
end
|
105
|
+
|
93
106
|
if error.message.include?("Could not find a version") || error.message.include?("ResolutionFailure")
|
94
107
|
check_original_requirements_resolvable
|
95
108
|
end
|
@@ -119,20 +132,7 @@ module Dependabot
|
|
119
132
|
return if error.message.match?(/#{Regexp.quote(dependency.name)}/i)
|
120
133
|
end
|
121
134
|
|
122
|
-
|
123
|
-
tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
|
124
|
-
# Unfortunately the error message doesn't include the package name.
|
125
|
-
# TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
|
126
|
-
raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
|
127
|
-
end
|
128
|
-
|
129
|
-
if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
130
|
-
url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
131
|
-
.named_captures.fetch("url")
|
132
|
-
raise GitDependenciesNotReachable, url
|
133
|
-
end
|
134
|
-
|
135
|
-
raise unless error.message.include?("could not be resolved")
|
135
|
+
raise unless error.message.include?("ResolutionFailure")
|
136
136
|
end
|
137
137
|
# rubocop:enable Metrics/CyclomaticComplexity
|
138
138
|
# rubocop:enable Metrics/PerceivedComplexity
|
@@ -178,10 +178,6 @@ module Dependabot
|
|
178
178
|
raise DependencyFileNotResolvable, msg
|
179
179
|
end
|
180
180
|
|
181
|
-
# NOTE: Pipenv masks the actual error, see this issue for updates:
|
182
|
-
# https://github.com/pypa/pipenv/issues/2791
|
183
|
-
# TODO: This may no longer be reproducible on latest pipenv, see linked issue,
|
184
|
-
# so investigate when we next bump to newer pipenv...
|
185
181
|
handle_pipenv_installation_error(error.message) if error.message.match?(PIPENV_INSTALLATION_ERROR_REGEX)
|
186
182
|
|
187
183
|
# Raise an unhandled error, as this could be a problem with
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-python
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.238.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-12-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.238.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.238.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -260,7 +260,7 @@ licenses:
|
|
260
260
|
- Nonstandard
|
261
261
|
metadata:
|
262
262
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
263
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
263
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
|
264
264
|
post_install_message:
|
265
265
|
rdoc_options: []
|
266
266
|
require_paths:
|