dependabot-python 0.237.0 → 0.238.0
- checksums.yaml +4 -4
- data/helpers/requirements.txt +3 -3
- data/lib/dependabot/python/file_updater/poetry_file_updater.rb +2 -1
- data/lib/dependabot/python/pipenv_runner.rb +9 -7
- data/lib/dependabot/python/update_checker/index_finder.rb +4 -4
- data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb +16 -20
- metadata +5 -5
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: b05bd36f835c00c6533153183b23d848d6b06759d20dc4e643cc2fd5e9a8c5e6
         | 
| 4 | 
            +
              data.tar.gz: 0c08d7fdb367c16636cd558dca7ad36e16bba8851b4f906ac076d8a28b45bbdb
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 1a7faaff71e67be34ad8d152bb5f869313f69a7a031cf4ffe4f1b2e5cc565e40ca0d9e9e5e2c470ff5477b5ab8c166ac29fc2323ac2c7548ec7e684348fac98b
         | 
| 7 | 
            +
              data.tar.gz: 78adf7610fff0b22a46ac7d105a6463e1040505de29ecb15e9b087930bdfe5ba54cf6755bdefbff610a9009ae6a6bac6ae59997cae050c9dae06cd31ec1eda0d
         | 
    
        data/helpers/requirements.txt
    CHANGED
    
    | @@ -2,9 +2,9 @@ pip==23.3.1 | |
| 2 2 | 
             
            pip-tools==7.3.0
         | 
| 3 3 | 
             
            flake8==6.1.0
         | 
| 4 4 | 
             
            hashin==0.17.0
         | 
| 5 | 
            -
            pipenv | 
| 5 | 
            +
            pipenv@git+https://github.com/pypa/pipenv@main
         | 
| 6 6 | 
             
            pipfile==0.0.2
         | 
| 7 | 
            -
            poetry==1. | 
| 7 | 
            +
            poetry==1.7.1
         | 
| 8 8 |  | 
| 9 9 | 
             
            # Some dependencies will only install if Cython is present
         | 
| 10 | 
            -
            Cython==3.0. | 
| 10 | 
            +
            Cython==3.0.5
         | 
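Review bot: `pipenv@git+https://github.com/pypa/pipenv@main` on line 5 points the helper's pipenv at a moving branch rather than a tag or commit, so two installs of this same gem version can end up with different pipenv code, and the exact `==` pins on every other line no longer make the helper reproducible. The Ruby side of this release matches pipenv's stderr wording verbatim (see pipenv_version_resolver.rb), so drift on `main` is more likely to show up as silently misclassified resolver errors than as a build failure. If an unreleased pipenv fix is needed, pin the commit instead, e.g. `pipenv@git+https://github.com/pypa/pipenv@<commit-sha>` (placeholder), with a comment naming the fix it carries so the pin can be moved back to a release later.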
| @@ -247,7 +247,8 @@ module Dependabot | |
| 247 247 | 
             
                    def declaration_regex(dep, old_req)
         | 
| 248 248 | 
             
                      group = old_req[:groups].first
         | 
| 249 249 |  | 
| 250 | 
            -
                       | 
| 250 | 
            +
                      header_regex = "#{group}(?:\\.dependencies)?\\]\s*(?:\s*#.*?)*?"
         | 
| 251 | 
            +
                      /#{header_regex}\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
         | 
| 251 252 | 
             
                    end
         | 
| 252 253 |  | 
| 253 254 | 
             
                    def table_declaration_regex(dep, old_req)
         | 
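Review bot: On line 250 `header_regex` is a double-quoted Ruby string, so its two `\s` sequences are the string escape for a single space (0x20), not the regex whitespace class; the pattern that reaches the literal on line 251 is `...\] *(?: *#.*?)*?`, which is narrower than it reads — a tab after the table header makes `declaration_regex` miss the declaration. Write them as `\\s`, consistent with the `\\]` on the same line, or build the header part inside the regex literal instead of a string. The interpolated `group` is also not escaped, unlike `#{escape(dep)}` on the next line; if `escape` is the `Regexp.escape` wrapper used for `dep`, `header_regex = "#{escape(group)}(?:\\.dependencies)?\\]\\s*(?:\\s*#.*?)*?"` covers both points. `declaration_regex` sits entirely within the hunk (lines 247-252).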
| @@ -15,10 +15,11 @@ module Dependabot | |
| 15 15 | 
             
                  end
         | 
| 16 16 |  | 
| 17 17 | 
             
                  def run_upgrade(constraint)
         | 
| 18 | 
            -
                     | 
| 18 | 
            +
                    constraint = "" if constraint == "*"
         | 
| 19 | 
            +
                    command = "pyenv exec pipenv upgrade --verbose #{dependency_name}#{constraint}"
         | 
| 19 20 | 
             
                    command << " --dev" if lockfile_section == "develop"
         | 
| 20 21 |  | 
| 21 | 
            -
                    run(command, fingerprint: "pyenv exec pipenv upgrade <dependency_name><constraint>")
         | 
| 22 | 
            +
                    run(command, fingerprint: "pyenv exec pipenv upgrade --verbose <dependency_name><constraint>")
         | 
| 22 23 | 
             
                  end
         | 
| 23 24 |  | 
| 24 25 | 
             
                  def run_upgrade_and_fetch_version(constraint)
         | 
| @@ -70,11 +71,12 @@ module Dependabot | |
| 70 71 |  | 
| 71 72 | 
             
                  def pipenv_env_variables
         | 
| 72 73 | 
             
                    {
         | 
| 73 | 
            -
                      "PIPENV_YES" => "true", | 
| 74 | 
            -
                      "PIPENV_MAX_RETRIES" => "3", | 
| 75 | 
            -
                      "PIPENV_NOSPIN" => "1", | 
| 76 | 
            -
                      "PIPENV_TIMEOUT" => "600", | 
| 77 | 
            -
                      "PIP_DEFAULT_TIMEOUT" => "60" # Set pip timeout to 1 minute
         | 
| 74 | 
            +
                      "PIPENV_YES" => "true",        # Install new Python ver if needed
         | 
| 75 | 
            +
                      "PIPENV_MAX_RETRIES" => "3",   # Retry timeouts
         | 
| 76 | 
            +
                      "PIPENV_NOSPIN" => "1",        # Don't pollute logs with spinner
         | 
| 77 | 
            +
                      "PIPENV_TIMEOUT" => "600",     # Set install timeout to 10 minutes
         | 
| 78 | 
            +
                      "PIP_DEFAULT_TIMEOUT" => "60", # Set pip timeout to 1 minute
         | 
| 79 | 
            +
                      "COLUMNS" => "250"             # Avoid line wrapping
         | 
| 78 80 | 
             
                    }
         | 
| 79 81 | 
             
                  end
         | 
| 80 82 | 
             
                end
         | 
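Review bot: In `run_upgrade` (first hunk of this file, line 19) `dependency_name` and `constraint` are interpolated into the command string unescaped, and the `fingerprint:` keyword suggests `run` hands that string to a shell; both values originate in the repository's Pipfile, so a crafted name or specifier could change what the command line means. `run` is defined outside the hunk, so whether it already quotes or uses the argv form cannot be seen here; if it does not, quote the user-derived part, e.g. `command = "pyenv exec pipenv upgrade --verbose #{Shellwords.escape("#{dependency_name}#{constraint}")}"` (with `require "shellwords"` at the top of the file). The `constraint = "" if constraint == "*"` normalisation on line 18 would also benefit from a one-line comment, since nothing on the page says why `*` is dropped rather than passed through.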
| @@ -123,14 +123,14 @@ module Dependabot | |
| 123 123 | 
             
                        # If source is PyPI, skip it, and let it pick the default URI
         | 
| 124 124 | 
             
                        next if source["name"].casecmp?("PyPI")
         | 
| 125 125 |  | 
| 126 | 
            -
                        if source[" | 
| 126 | 
            +
                        if @dependency.all_sources.include?(source["name"])
         | 
| 127 | 
            +
                          # If dependency has specified this source, use it
         | 
| 128 | 
            +
                          return { main: source["url"], extra: [] }
         | 
| 129 | 
            +
                        elsif source["default"]
         | 
| 127 130 | 
             
                          urls[:main] = source["url"]
         | 
| 128 131 | 
             
                        elsif source["priority"] != "explicit"
         | 
| 129 132 | 
             
                          # if source is not explicit, add it to extra
         | 
| 130 133 | 
             
                          urls[:extra] << source["url"]
         | 
| 131 | 
            -
                        elsif @dependency.all_sources.include?(source["name"])
         | 
| 132 | 
            -
                          # if source is explicit, and dependency has specified it as a source, add it to extra
         | 
| 133 | 
            -
                          urls[:extra] << source["url"]
         | 
| 134 134 | 
             
                        end
         | 
| 135 135 | 
             
                      end
         | 
| 136 136 | 
             
                      urls[:extra] = urls[:extra].uniq
         | 
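Review bot: The early `return { main: source["url"], extra: [] }` on line 128 makes the first source in file order that appears in `@dependency.all_sources` win outright: any `default`/extra URLs already collected in `urls` are discarded, later dependency-scoped sources are never examined, and the `urls[:extra].uniq` on line 136 plus whatever follows it (the method continues outside the hunk) is skipped on this path. Resolving a dependency only from its declared index is the right default here, since it keeps the name from being satisfied by some other index, but that exclusivity is only implied by the code; suggest replacing the comment on line 127 with `# A dependency-scoped source is exclusive: resolve from it only, ignoring default/extra indexes` so a later edit does not "fix" the return back into an append. If `all_sources` can legitimately hold more than one name, the first-wins behaviour should be stated in the same comment.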
| @@ -1,4 +1,4 @@ | |
| 1 | 
            -
            # typed:  | 
| 1 | 
            +
            # typed: true
         | 
| 2 2 | 
             
            # frozen_string_literal: true
         | 
| 3 3 |  | 
| 4 4 | 
             
            require "excon"
         | 
| @@ -19,7 +19,7 @@ module Dependabot | |
| 19 19 | 
             
              module Python
         | 
| 20 20 | 
             
                class UpdateChecker
         | 
| 21 21 | 
             
                  class PipenvVersionResolver
         | 
| 22 | 
            -
                    GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none (?<url>[^\s]+).*/
         | 
| 22 | 
            +
                    GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none --quiet (?<url>[^\s]+).*/
         | 
| 23 23 | 
             
                    GIT_REFERENCE_NOT_FOUND_REGEX = /git checkout -q (?<tag>[^\s]+).*/
         | 
| 24 24 | 
             
                    PIPENV_INSTALLATION_ERROR = "python setup.py egg_info exited with 1"
         | 
| 25 25 | 
             
                    PIPENV_INSTALLATION_ERROR_REGEX =
         | 
| @@ -90,6 +90,19 @@ module Dependabot | |
| 90 90 | 
             
                        raise DependencyFileNotResolvable, msg
         | 
| 91 91 | 
             
                      end
         | 
| 92 92 |  | 
| 93 | 
            +
                      if error.message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
         | 
| 94 | 
            +
                        tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
         | 
| 95 | 
            +
                        # Unfortunately the error message doesn't include the package name.
         | 
| 96 | 
            +
                        # TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
         | 
| 97 | 
            +
                        raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
         | 
| 98 | 
            +
                      end
         | 
| 99 | 
            +
             | 
| 100 | 
            +
                      if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
         | 
| 101 | 
            +
                        url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
         | 
| 102 | 
            +
                                   .named_captures.fetch("url")
         | 
| 103 | 
            +
                        raise GitDependenciesNotReachable, url
         | 
| 104 | 
            +
                      end
         | 
| 105 | 
            +
             | 
| 93 106 | 
             
                      if error.message.include?("Could not find a version") || error.message.include?("ResolutionFailure")
         | 
| 94 107 | 
             
                        check_original_requirements_resolvable
         | 
| 95 108 | 
             
                      end
         | 
| @@ -119,20 +132,7 @@ module Dependabot | |
| 119 132 | 
             
                        return if error.message.match?(/#{Regexp.quote(dependency.name)}/i)
         | 
| 120 133 | 
             
                      end
         | 
| 121 134 |  | 
| 122 | 
            -
                       | 
| 123 | 
            -
                        tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
         | 
| 124 | 
            -
                        # Unfortunately the error message doesn't include the package name.
         | 
| 125 | 
            -
                        # TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
         | 
| 126 | 
            -
                        raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
         | 
| 127 | 
            -
                      end
         | 
| 128 | 
            -
             | 
| 129 | 
            -
                      if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
         | 
| 130 | 
            -
                        url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
         | 
| 131 | 
            -
                                   .named_captures.fetch("url")
         | 
| 132 | 
            -
                        raise GitDependenciesNotReachable, url
         | 
| 133 | 
            -
                      end
         | 
| 134 | 
            -
             | 
| 135 | 
            -
                      raise unless error.message.include?("could not be resolved")
         | 
| 135 | 
            +
                      raise unless error.message.include?("ResolutionFailure")
         | 
| 136 136 | 
             
                    end
         | 
| 137 137 | 
             
                    # rubocop:enable Metrics/CyclomaticComplexity
         | 
| 138 138 | 
             
                    # rubocop:enable Metrics/PerceivedComplexity
         | 
| @@ -178,10 +178,6 @@ module Dependabot | |
| 178 178 | 
             
                        raise DependencyFileNotResolvable, msg
         | 
| 179 179 | 
             
                      end
         | 
| 180 180 |  | 
| 181 | 
            -
                      # NOTE: Pipenv masks the actual error, see this issue for updates:
         | 
| 182 | 
            -
                      # https://github.com/pypa/pipenv/issues/2791
         | 
| 183 | 
            -
                      # TODO: This may no longer be reproducible on latest pipenv, see linked issue,
         | 
| 184 | 
            -
                      # so investigate when we next bump to newer pipenv...
         | 
| 185 181 | 
             
                      handle_pipenv_installation_error(error.message) if error.message.match?(PIPENV_INSTALLATION_ERROR_REGEX)
         | 
| 186 182 |  | 
| 187 183 | 
             
                      # Raise an unhandled error, as this could be a problem with
         | 
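Review bot: `GIT_DEPENDENCY_UNREACHABLE_REGEX` on line 22 (now requiring `--quiet`) and the `include?("ResolutionFailure")` check on line 135 match pipenv's exact stderr wording, while this same release moves the helper's pipenv to `git+...@main` in data/helpers/requirements.txt; the next upstream wording change will not fail loudly — the git branches in the block starting at line 93 simply stop matching and the error is left to whatever the remaining checks decide. Suggest a comment above line 22 recording the pipenv revision these patterns were verified against, paired with pinning that revision in requirements.txt. In the moved block, `match?` followed by `match` on lines 93-94 and 100-102 runs each regex twice; `if (m = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX))` with `tag = m[:tag]` does it once. The captured `url` on lines 101-103 is lifted from the clone command echoed in the error output, so confirm that `GitDependenciesNotReachable` (defined outside this page) strips any userinfo from it before the message reaches logs or PR text.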
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: dependabot-python
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 0. | 
| 4 | 
            +
              version: 0.238.0
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Dependabot
         | 
| 8 8 | 
             
            autorequire: 
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2023- | 
| 11 | 
            +
            date: 2023-12-07 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: dependabot-common
         | 
| @@ -16,14 +16,14 @@ dependencies: | |
| 16 16 | 
             
                requirements:
         | 
| 17 17 | 
             
                - - '='
         | 
| 18 18 | 
             
                  - !ruby/object:Gem::Version
         | 
| 19 | 
            -
                    version: 0. | 
| 19 | 
            +
                    version: 0.238.0
         | 
| 20 20 | 
             
              type: :runtime
         | 
| 21 21 | 
             
              prerelease: false
         | 
| 22 22 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 23 23 | 
             
                requirements:
         | 
| 24 24 | 
             
                - - '='
         | 
| 25 25 | 
             
                  - !ruby/object:Gem::Version
         | 
| 26 | 
            -
                    version: 0. | 
| 26 | 
            +
                    version: 0.238.0
         | 
| 27 27 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 28 28 | 
             
              name: debug
         | 
| 29 29 | 
             
              requirement: !ruby/object:Gem::Requirement
         | 
| @@ -260,7 +260,7 @@ licenses: | |
| 260 260 | 
             
            - Nonstandard
         | 
| 261 261 | 
             
            metadata:
         | 
| 262 262 | 
             
              bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
         | 
| 263 | 
            -
              changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0. | 
| 263 | 
            +
              changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
         | 
| 264 264 | 
             
            post_install_message: 
         | 
| 265 265 | 
             
            rdoc_options: []
         | 
| 266 266 | 
             
            require_paths:
         |