dependabot-python 0.237.0 → 0.239.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cd7a4517e826fb42d55e5f504f0162c5e0850b9d1dd01ff259451a40103cf8f
-  data.tar.gz: 9c064acaf52f7856f60881873d7d3127623d12935936c2b324d1beb2e1b6abc4
+  metadata.gz: bf1b0e7ca12b4aba6ded391d6d075669510d4c0159d0d59fc00f2eb92af5690c
+  data.tar.gz: 61ecd20ccae579ed44f8faa0e0f06f7a0a9b291d3147d7bb2b5a0d8995c41a18
 SHA512:
-  metadata.gz: 175a621875538a2b4c7aab6b02a61cf89d8fa0847d4568466526d2403cfb67a2944322a39ecfef17834d08892e29099d3d54e00db124d6d3a8fb26d505616706
-  data.tar.gz: 0f6dc93dd2598d9f1ab8daf3e5c654c05ec3488c305ccec9a651de34680fefad8892d9d508c4752b74fa69767f4fc9514b9ca931b3f5a2ca87a2d773afedc5ec
+  metadata.gz: fe6af7078145dfdaba758734bd0c5a687827a6f899c0498e1968b00144c4350f9717fa829b30b078656c16d9c534dea952c5e02cc7b3e59192ee4ec080dd8df3
+  data.tar.gz: '0268b8a34839f4609c1537ed34cbc965b7d60118fa4f810412c0339d63d997fa11e88ccf9f20e7d7542cb44669f2dd50f526c648f5dfeda31ae67296aa0dd540'

data/helpers/build

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -e
 
@@ -32,4 +32,3 @@ find "${PYENV_ROOT:-/usr/local/.pyenv}/versions" -depth \
 find -L "${PYENV_ROOT:-/usr/local/.pyenv}/versions" -type f  \
     -name '*.so' \
     -exec strip --preserve-dates {} +
-

data/helpers/requirements.txt

@@ -2,9 +2,9 @@ pip==23.3.1
 pip-tools==7.3.0
 flake8==6.1.0
 hashin==0.17.0
-pipenv==2023.8.28
+pipenv@git+https://github.com/pypa/pipenv@main
 pipfile==0.0.2
-poetry==1.6.1
+poetry==1.7.1
 
 # Some dependencies will only install if Cython is present
-Cython==3.0.4
+Cython==3.0.5

data/lib/dependabot/python/file_fetcher.rb

@@ -53,6 +53,7 @@ module Dependabot
         # the user-specified range of versions, not the version Dependabot chose to run.
         python_requirement_parser = FileParser::PythonRequirementParser.new(dependency_files: files)
         language_version_manager = LanguageVersionManager.new(python_requirement_parser: python_requirement_parser)
+        Dependabot.logger.info("Dependabot is using Python version '#{language_version_manager.python_major_minor}'.")
         {
           languages: {
             python: {

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -247,7 +247,8 @@ module Dependabot
         def declaration_regex(dep, old_req)
           group = old_req[:groups].first
 
-          /#{group}(?:\.dependencies)?\]\s*\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
+          header_regex = "#{group}(?:\\.dependencies)?\\]\s*(?:\s*#.*?)*?"
+          /#{header_regex}\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
         end
 
         def table_declaration_regex(dep, old_req)

data/lib/dependabot/python/language_version_manager.rb

@@ -57,7 +57,7 @@ module Dependabot
         requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if requirement_string.start_with?(/\d/)
 
         # Try to match one of our pre-installed Python versions
-        requirement = Python::Requirement.requirements_array(requirement_string).first
+        requirement = T.must(Python::Requirement.requirements_array(requirement_string).first)
         version = PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(Python::Version.new(v)) }
         return version if version
 

data/lib/dependabot/python/pipenv_runner.rb

@@ -15,10 +15,11 @@ module Dependabot
       end
 
       def run_upgrade(constraint)
-        command = "pyenv exec pipenv upgrade #{dependency_name}#{constraint}"
+        constraint = "" if constraint == "*"
+        command = "pyenv exec pipenv upgrade --verbose #{dependency_name}#{constraint}"
         command << " --dev" if lockfile_section == "develop"
 
-        run(command, fingerprint: "pyenv exec pipenv upgrade <dependency_name><constraint>")
+        run(command, fingerprint: "pyenv exec pipenv upgrade --verbose <dependency_name><constraint>")
       end
 
       def run_upgrade_and_fetch_version(constraint)
@@ -70,11 +71,12 @@ module Dependabot
 
       def pipenv_env_variables
         {
-          "PIPENV_YES" => "true",       # Install new Python ver if needed
-          "PIPENV_MAX_RETRIES" => "3",  # Retry timeouts
-          "PIPENV_NOSPIN" => "1",       # Don't pollute logs with spinner
-          "PIPENV_TIMEOUT" => "600",    # Set install timeout to 10 minutes
-          "PIP_DEFAULT_TIMEOUT" => "60" # Set pip timeout to 1 minute
+          "PIPENV_YES" => "true",        # Install new Python ver if needed
+          "PIPENV_MAX_RETRIES" => "3",   # Retry timeouts
+          "PIPENV_NOSPIN" => "1",        # Don't pollute logs with spinner
+          "PIPENV_TIMEOUT" => "600",     # Set install timeout to 10 minutes
+          "PIP_DEFAULT_TIMEOUT" => "60", # Set pip timeout to 1 minute
+          "COLUMNS" => "250"             # Avoid line wrapping
         }
       end
     end

data/lib/dependabot/python/requirement.rb

@@ -1,12 +1,17 @@
 # typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
+require "dependabot/requirement"
 require "dependabot/utils"
 require "dependabot/python/version"
 
 module Dependabot
   module Python
-    class Requirement < Gem::Requirement
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
+
       OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/
 
       # Add equality and arbitrary-equality matchers
@@ -45,6 +50,7 @@ module Dependabot
       # returned array must be satisfied for a version to be valid.
       #
       # NOTE: Or requirements are only valid for Poetry.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
       def self.requirements_array(requirement_string)
         return [new(nil)] if requirement_string.nil?
 
@@ -52,7 +58,7 @@ module Dependabot
           requirement_string = matches[1]
         end
 
-        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+        T.must(requirement_string).strip.split(OR_SEPARATOR).map do |req_string|
           new(req_string.strip)
         end
       end

data/lib/dependabot/python/update_checker/index_finder.rb

@@ -123,14 +123,14 @@ module Dependabot
             # If source is PyPI, skip it, and let it pick the default URI
             next if source["name"].casecmp?("PyPI")
 
-            if source["default"]
+            if @dependency.all_sources.include?(source["name"])
+              # If dependency has specified this source, use it
+              return { main: source["url"], extra: [] }
+            elsif source["default"]
               urls[:main] = source["url"]
             elsif source["priority"] != "explicit"
               # if source is not explicit, add it to extra
               urls[:extra] << source["url"]
-            elsif @dependency.all_sources.include?(source["name"])
-              # if source is explicit, and dependency has specified it as a source, add it to extra
-              urls[:extra] << source["url"]
             end
           end
           urls[:extra] = urls[:extra].uniq

data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "excon"
@@ -19,7 +19,7 @@ module Dependabot
   module Python
     class UpdateChecker
       class PipenvVersionResolver
-        GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none (?<url>[^\s]+).*/
+        GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none --quiet (?<url>[^\s]+).*/
         GIT_REFERENCE_NOT_FOUND_REGEX = /git checkout -q (?<tag>[^\s]+).*/
         PIPENV_INSTALLATION_ERROR = "python setup.py egg_info exited with 1"
         PIPENV_INSTALLATION_ERROR_REGEX =
@@ -90,6 +90,19 @@ module Dependabot
             raise DependencyFileNotResolvable, msg
           end
 
+          if error.message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
+            tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
+            # Unfortunately the error message doesn't include the package name.
+            # TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
+            raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
+          end
+
+          if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
+            url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
+                       .named_captures.fetch("url")
+            raise GitDependenciesNotReachable, url
+          end
+
           if error.message.include?("Could not find a version") || error.message.include?("ResolutionFailure")
             check_original_requirements_resolvable
           end
@@ -119,20 +132,7 @@ module Dependabot
             return if error.message.match?(/#{Regexp.quote(dependency.name)}/i)
           end
 
-          if error.message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
-            tag = error.message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
-            # Unfortunately the error message doesn't include the package name.
-            # TODO: Talk with pipenv maintainers about exposing the package name, it used to be part of the error output
-            raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
-          end
-
-          if error.message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
-            url = error.message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
-                       .named_captures.fetch("url")
-            raise GitDependenciesNotReachable, url
-          end
-
-          raise unless error.message.include?("could not be resolved")
+          raise unless error.message.include?("ResolutionFailure")
         end
         # rubocop:enable Metrics/CyclomaticComplexity
         # rubocop:enable Metrics/PerceivedComplexity
@@ -178,10 +178,6 @@ module Dependabot
             raise DependencyFileNotResolvable, msg
           end
 
-          # NOTE: Pipenv masks the actual error, see this issue for updates:
-          # https://github.com/pypa/pipenv/issues/2791
-          # TODO: This may no longer be reproducible on latest pipenv, see linked issue,
-          # so investigate when we next bump to newer pipenv...
           handle_pipenv_installation_error(error.message) if error.message.match?(PIPENV_INSTALLATION_ERROR_REGEX)
 
           # Raise an unhandled error, as this could be a problem with

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.237.0
+  version: 0.239.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-21 00:00:00.000000000 Z
+date: 2023-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.237.0
+        version: 0.239.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.237.0
+        version: 0.239.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -260,7 +260,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.237.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
 post_install_message: 
 rdoc_options: []
 require_paths: