dependabot-python 0.237.0 → 0.239.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/build +1 -2
- data/helpers/requirements.txt +3 -3
- data/lib/dependabot/python/file_fetcher.rb +1 -0
- data/lib/dependabot/python/file_updater/poetry_file_updater.rb +2 -1
- data/lib/dependabot/python/language_version_manager.rb +1 -1
- data/lib/dependabot/python/pipenv_runner.rb +9 -7
- data/lib/dependabot/python/requirement.rb +8 -2
- data/lib/dependabot/python/update_checker/index_finder.rb +4 -4
- data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb +16 -20
- metadata +7 -7
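--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bf1b0e7ca12b4aba6ded391d6d075669510d4c0159d0d59fc00f2eb92af5690c
+data.tar.gz: 61ecd20ccae579ed44f8faa0e0f06f7a0a9b291d3147d7bb2b5a0d8995c41a18
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fe6af7078145dfdaba758734bd0c5a687827a6f899c0498e1968b00144c4350f9717fa829b30b078656c16d9c534dea952c5e02cc7b3e59192ee4ec080dd8df3
+data.tar.gz: '0268b8a34839f4609c1537ed34cbc965b7d60118fa4f810412c0339d63d997fa11e88ccf9f20e7d7542cb44669f2dd50f526c648f5dfeda31ae67296aa0dd540'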
data/helpers/build
CHANGED
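--- a/data/helpers/requirements.txt
+++ b/data/helpers/requirements.txt
@@ -2,9 +2,9 @@ pip==23.3.1
 pip-tools==7.3.0
 flake8==6.1.0
 hashin==0.17.0
-pipenv
+pipenv@git+https://github.com/pypa/pipenv@main
 pipfile==0.0.2
-poetry==1.
+poetry==1.7.1
 
 # Some dependencies will only install if Cython is present
-Cython==3.0.
+Cython==3.0.5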
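Review bot: `pipenv@git+https://github.com/pypa/pipenv@main` replaces a registry pin with a moving branch reference, so every helper build fetches whatever `main` holds at that moment; the build stops being reproducible, and any change on that branch (intended or not) flows straight into the resolver that runs against user manifests. Every other entry in this file is an exact pin (`poetry==1.7.1`, `Cython==3.0.5`), so this one stands out. If no release carries the needed fix yet, pin the commit instead, `pipenv @ git+https://github.com/pypa/pipenv@<commit-sha>` (placeholder), and revisit once a tagged version exists; the `--quiet` edit to `GIT_DEPENDENCY_UNREACHABLE_REGEX` in pipenv_version_resolver.rb shows how closely the error parsing depends on the exact pipenv build.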
@@ -53,6 +53,7 @@ module Dependabot
|
|
53
53
|
# the user-specified range of versions, not the version Dependabot chose to run.
|
54
54
|
python_requirement_parser = FileParser::PythonRequirementParser.new(dependency_files: files)
|
55
55
|
language_version_manager = LanguageVersionManager.new(python_requirement_parser: python_requirement_parser)
|
56
|
+
Dependabot.logger.info("Dependabot is using Python version '#{language_version_manager.python_major_minor}'.")
|
56
57
|
{
|
57
58
|
languages: {
|
58
59
|
python: {
|
@@ -247,7 +247,8 @@ module Dependabot
|
|
247
247
|
def declaration_regex(dep, old_req)
|
248
248
|
group = old_req[:groups].first
|
249
249
|
|
250
|
-
|
250
|
+
header_regex = "#{group}(?:\\.dependencies)?\\]\s*(?:\s*#.*?)*?"
|
251
|
+
/#{header_regex}\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
|
251
252
|
end
|
252
253
|
|
253
254
|
def table_declaration_regex(dep, old_req)
|
@@ -57,7 +57,7 @@ module Dependabot
|
|
57
57
|
requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if requirement_string.start_with?(/\d/)
|
58
58
|
|
59
59
|
# Try to match one of our pre-installed Python versions
|
60
|
-
requirement = Python::Requirement.requirements_array(requirement_string).first
|
60
|
+
requirement = T.must(Python::Requirement.requirements_array(requirement_string).first)
|
61
61
|
version = PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(Python::Version.new(v)) }
|
62
62
|
return version if version
|
63
63
|
|
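Review bot: `T.must(...)` on line 60 turns a nil from `.first` into a Sorbet `TypeError` rather than a domain error; `requirements_array` returns `[new(nil)]` for a nil string, but as far as the visible code shows an empty or whitespace-only `requirement_string` (it comes from the project's own Python requirement) would split to an empty array and reach this line as nil. If that input is not filtered earlier in the method (its start is outside the hunk), a guard such as `raise DependencyFileNotResolvable, "Unparseable python requirement" if requirement.nil?` before the `find` on line 61 reports it through the normal error path instead of a type-check failure.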
@@ -15,10 +15,11 @@ module Dependabot
|
|
15
15
|
end
|
16
16
|
|
17
17
|
def run_upgrade(constraint)
|
18
|
-
|
18
|
+
constraint = "" if constraint == "*"
|
19
|
+
command = "pyenv exec pipenv upgrade --verbose #{dependency_name}#{constraint}"
|
19
20
|
command << " --dev" if lockfile_section == "develop"
|
20
21
|
|
21
|
-
run(command, fingerprint: "pyenv exec pipenv upgrade <dependency_name><constraint>")
|
22
|
+
run(command, fingerprint: "pyenv exec pipenv upgrade --verbose <dependency_name><constraint>")
|
22
23
|
end
|
23
24
|
|
24
25
|
def run_upgrade_and_fetch_version(constraint)
|
@@ -70,11 +71,12 @@ module Dependabot
|
|
70
71
|
|
71
72
|
def pipenv_env_variables
|
72
73
|
{
|
73
|
-
"PIPENV_YES" => "true",
|
74
|
-
"PIPENV_MAX_RETRIES" => "3",
|
75
|
-
"PIPENV_NOSPIN" => "1",
|
76
|
-
"PIPENV_TIMEOUT" => "600",
|
77
|
-
"PIP_DEFAULT_TIMEOUT" => "60" # Set pip timeout to 1 minute
|
74
|
+
"PIPENV_YES" => "true", # Install new Python ver if needed
|
75
|
+
"PIPENV_MAX_RETRIES" => "3", # Retry timeouts
|
76
|
+
"PIPENV_NOSPIN" => "1", # Don't pollute logs with spinner
|
77
|
+
"PIPENV_TIMEOUT" => "600", # Set install timeout to 10 minutes
|
78
|
+
"PIP_DEFAULT_TIMEOUT" => "60", # Set pip timeout to 1 minute
|
79
|
+
"COLUMNS" => "250" # Avoid line wrapping
|
78
80
|
}
|
79
81
|
end
|
80
82
|
end
|
@@ -1,12 +1,17 @@
|
|
1
1
|
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require "sorbet-runtime"
|
5
|
+
|
6
|
+
require "dependabot/requirement"
|
4
7
|
require "dependabot/utils"
|
5
8
|
require "dependabot/python/version"
|
6
9
|
|
7
10
|
module Dependabot
|
8
11
|
module Python
|
9
|
-
class Requirement <
|
12
|
+
class Requirement < Dependabot::Requirement
|
13
|
+
extend T::Sig
|
14
|
+
|
10
15
|
OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/
|
11
16
|
|
12
17
|
# Add equality and arbitrary-equality matchers
|
@@ -45,6 +50,7 @@ module Dependabot
|
|
45
50
|
# returned array must be satisfied for a version to be valid.
|
46
51
|
#
|
47
52
|
# NOTE: Or requirements are only valid for Poetry.
|
53
|
+
sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
|
48
54
|
def self.requirements_array(requirement_string)
|
49
55
|
return [new(nil)] if requirement_string.nil?
|
50
56
|
|
@@ -52,7 +58,7 @@ module Dependabot
|
|
52
58
|
requirement_string = matches[1]
|
53
59
|
end
|
54
60
|
|
55
|
-
requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
|
61
|
+
T.must(requirement_string).strip.split(OR_SEPARATOR).map do |req_string|
|
56
62
|
new(req_string.strip)
|
57
63
|
end
|
58
64
|
end
|
@@ -123,14 +123,14 @@ module Dependabot
|
|
123
123
|
# If source is PyPI, skip it, and let it pick the default URI
|
124
124
|
next if source["name"].casecmp?("PyPI")
|
125
125
|
|
126
|
-
if source["
|
126
|
+
if @dependency.all_sources.include?(source["name"])
|
127
|
+
# If dependency has specified this source, use it
|
128
|
+
return { main: source["url"], extra: [] }
|
129
|
+
elsif source["default"]
|
127
130
|
urls[:main] = source["url"]
|
128
131
|
elsif source["priority"] != "explicit"
|
129
132
|
# if source is not explicit, add it to extra
|
130
133
|
urls[:extra] << source["url"]
|
131
|
-
elsif @dependency.all_sources.include?(source["name"])
|
132
|
-
# if source is explicit, and dependency has specified it as a source, add it to extra
|
133
|
-
urls[:extra] << source["url"]
|
134
134
|
end
|
135
135
|
end
|
136
136
|
urls[:extra] = urls[:extra].uniq
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "excon"
|
@@ -19,7 +19,7 @@ module Dependabot
|
|
19
19
|
module Python
|
20
20
|
class UpdateChecker
|
21
21
|
class PipenvVersionResolver
|
22
|
-
GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none (?<url>[^\s]+).*/
|
22
|
+
GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none --quiet (?<url>[^\s]+).*/
|
23
23
|
GIT_REFERENCE_NOT_FOUND_REGEX = /git checkout -q (?<tag>[^\s]+).*/
|
24
24
|
PIPENV_INSTALLATION_ERROR = "python setup.py egg_info exited with 1"
|
25
25
|
PIPENV_INSTALLATION_ERROR_REGEX =
|
@@ -90,6 +90,19 @@ module Dependabot
|
|
90
90
|
raise DependencyFileNotResolvable, msg
|
91
91
|
end
|
92
92
|
|
93
|
+
if error.message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
|
94
|
+
tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
|
95
|
+
# Unfortunately the error message doesn't include the package name.
|
96
|
+
# TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
|
97
|
+
raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
|
98
|
+
end
|
99
|
+
|
100
|
+
if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
101
|
+
url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
102
|
+
.named_captures.fetch("url")
|
103
|
+
raise GitDependenciesNotReachable, url
|
104
|
+
end
|
105
|
+
|
93
106
|
if error.message.include?("Could not find a version") || error.message.include?("ResolutionFailure")
|
94
107
|
check_original_requirements_resolvable
|
95
108
|
end
|
@@ -119,20 +132,7 @@ module Dependabot
|
|
119
132
|
return if error.message.match?(/#{Regexp.quote(dependency.name)}/i)
|
120
133
|
end
|
121
134
|
|
122
|
-
|
123
|
-
tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
|
124
|
-
# Unfortunately the error message doesn't include the package name.
|
125
|
-
# TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
|
126
|
-
raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
|
127
|
-
end
|
128
|
-
|
129
|
-
if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
130
|
-
url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
|
131
|
-
.named_captures.fetch("url")
|
132
|
-
raise GitDependenciesNotReachable, url
|
133
|
-
end
|
134
|
-
|
135
|
-
raise unless error.message.include?("could not be resolved")
|
135
|
+
raise unless error.message.include?("ResolutionFailure")
|
136
136
|
end
|
137
137
|
# rubocop:enable Metrics/CyclomaticComplexity
|
138
138
|
# rubocop:enable Metrics/PerceivedComplexity
|
@@ -178,10 +178,6 @@ module Dependabot
|
|
178
178
|
raise DependencyFileNotResolvable, msg
|
179
179
|
end
|
180
180
|
|
181
|
-
# NOTE: Pipenv masks the actual error, see this issue for updates:
|
182
|
-
# https://github.com/pypa/pipenv/issues/2791
|
183
|
-
# TODO: This may no longer be reproducible on latest pipenv, see linked issue,
|
184
|
-
# so investigate when we next bump to newer pipenv...
|
185
181
|
handle_pipenv_installation_error(error.message) if error.message.match?(PIPENV_INSTALLATION_ERROR_REGEX)
|
186
182
|
|
187
183
|
# Raise an unhandled error, as this could be a problem with
|
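--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.239.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-
+date: 2023-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.239.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.239.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.58.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.58.0
 - !ruby/object:Gem::Dependency
 name: rubocop-performance
 requirement: !ruby/object:Gem::Requirement
@@ -260,7 +260,7 @@ licenses:
 - Nonstandard
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
 post_install_message:
 rdoc_options: []
 require_paths: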