dependabot-python 0.253.0 → 0.255.0
- checksums.yaml +4 -4
- data/helpers/lib/hasher.py +17 -8
- data/helpers/requirements.txt +2 -2
- data/lib/dependabot/python/file_parser/python_requirement_parser.rb +6 -1
- data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb +29 -8
- data/lib/dependabot/python/file_updater/requirement_file_updater.rb +4 -2
- data/lib/dependabot/python/file_updater/requirement_replacer.rb +26 -6
- data/lib/dependabot/python/file_updater/setup_file_sanitizer.rb +7 -1
- data/lib/dependabot/python/file_updater.rb +15 -2
- data/lib/dependabot/python/language_version_manager.rb +2 -2
- data/lib/dependabot/python/update_checker.rb +2 -0
- metadata +30 -16
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 631b990e99ca7a3be0911a8bf0e8355e2ffa8076a760a2677a99d4359503798a
|
4
|
+
data.tar.gz: 10e7a86fcf9a94f1af3d45f9cbc97afae3f91f0c8fe0442b0c1aa38a4fc92347
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3ceb72b14d9a1b4f787e00574259b0f75fb840173e16ba535233b49696661ff60e36b4d9fe25f6b130831e56ad36be19c7f1ca8752dd39fe1b3dd5641097a96f
|
7
|
+
data.tar.gz: 5e8b5844b682e2714e87e433412ed0699d61f114bb1f78d98bc7ad41cbafac12b915caeff12ee3d0facdf88e31862758b96d99e73606bb17c3ae817eada8dd18
|
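--- a/data/helpers/lib/hasher.py
+++ b/data/helpers/lib/hasher.py
@@ -1,17 +1,26 @@
 import hashin
 import json
 import plette
+import traceback
 from poetry.factory import Factory
 
 
-def get_dependency_hash(dependency_name, dependency_version, algorithm
-
-
-
-
-
-
-
+def get_dependency_hash(dependency_name, dependency_version, algorithm,
+index_url=hashin.DEFAULT_INDEX_URL):
+try:
+hashes = hashin.get_package_hashes(
+dependency_name,
+version=dependency_version,
+algorithm=algorithm,
+index_url=index_url
+)
+return json.dumps({"result": hashes["hashes"]})
+except hashin.PackageNotFoundError as e:
+return json.dumps({
+"error": repr(e),
+"error_class:": e.__class__.__name__,
+"trace:": ''.join(traceback.format_stack())
+})
 
 
 def get_pipfile_hash(directory):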
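Review bot: The error payload keys on new lines 21–22 carry stray trailing colons (`"error_class:"`, `"trace:"`), while the Ruby callers in this same release test `e.error_class` (PipCompileFileUpdater) and `e.message` (RequirementReplacer) for `PackageNotFoundError`; if SharedHelpers populates `error_class` from a key of that name in the helper's JSON, the misspelt key will never match and the rescue falls through to a re-raise. `traceback.format_stack()` also records the handler's own call stack rather than the caught exception's, so `traceback.format_exc()` is what a reader of the log expects. The `index_url` argument is built by AuthedUrlBuilder in file_updater.rb and may embed credentials; if hashin's exception message carries the URL, `repr(e)` forwards it into the reported error, so the userinfo part should be stripped before it is serialized. Suggested lines: `"error_class": e.__class__.__name__,` and `"trace": traceback.format_exc()`.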
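--- a/data/helpers/requirements.txt
+++ b/data/helpers/requirements.txt
@@ -2,8 +2,8 @@ pip==24.0
 pip-tools==7.4.1
 flake8==7.0.0
 hashin==1.0.1
-pipenv==2023.
-plette==0.
+pipenv==2023.12.1
+plette==2.0.2
 poetry==1.8.2
 # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 toml==0.10.2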
@@ -83,7 +83,12 @@ module Dependabot
|
|
83
83
|
def python_version_file_version
|
84
84
|
return unless python_version_file
|
85
85
|
|
86
|
-
|
86
|
+
# read the content, split into lines and remove any lines with '#'
|
87
|
+
content_lines = python_version_file.content.each_line.map do |line|
|
88
|
+
line.sub(/#.*$/, " ").strip
|
89
|
+
end.reject(&:empty?)
|
90
|
+
|
91
|
+
file_version = content_lines.first
|
87
92
|
return if file_version&.empty?
|
88
93
|
return unless pyenv_versions.include?("#{file_version}\n")
|
89
94
|
|
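Review bot: The comment on new line 86 says lines containing '#' are removed, but the code strips the trailing comment and drops only lines left empty, so `3.11 # pinned` survives as `3.11`; `# strip trailing comments, then drop blank lines` describes what happens. With empty lines already rejected, `file_version&.empty?` on line 92 can no longer be true, whereas a file holding only comments yields nil and falls through to `pyenv_versions.include?("\n")`; `return if file_version.nil?` is the guard this code now needs. `python_version_file_version` continues past the end of the hunk.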
@@ -34,10 +34,11 @@ module Dependabot
|
|
34
34
|
attr_reader :dependency_files
|
35
35
|
attr_reader :credentials
|
36
36
|
|
37
|
-
def initialize(dependencies:, dependency_files:, credentials:)
|
37
|
+
def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
|
38
38
|
@dependencies = dependencies
|
39
39
|
@dependency_files = dependency_files
|
40
40
|
@credentials = credentials
|
41
|
+
@index_urls = index_urls
|
41
42
|
@build_isolation = true
|
42
43
|
end
|
43
44
|
|
@@ -265,7 +266,8 @@ module Dependabot
|
|
265
266
|
content: file.content,
|
266
267
|
dependency_name: dependency.name,
|
267
268
|
old_requirement: old_req[:requirement],
|
268
|
-
new_requirement: "==#{dependency.version}"
|
269
|
+
new_requirement: "==#{dependency.version}",
|
270
|
+
index_urls: @index_urls
|
269
271
|
).updated_content
|
270
272
|
end
|
271
273
|
|
@@ -283,7 +285,8 @@ module Dependabot
|
|
283
285
|
content: file.content,
|
284
286
|
dependency_name: dependency.name,
|
285
287
|
old_requirement: old_req[:requirement],
|
286
|
-
new_requirement: new_req[:requirement]
|
288
|
+
new_requirement: new_req[:requirement],
|
289
|
+
index_urls: @index_urls
|
287
290
|
).updated_content
|
288
291
|
end
|
289
292
|
|
@@ -389,11 +392,29 @@ module Dependabot
|
|
389
392
|
end
|
390
393
|
|
391
394
|
def package_hashes_for(name:, version:, algorithm:)
|
392
|
-
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
395
|
+
index_urls = @index_urls || [nil]
|
396
|
+
hashes = []
|
397
|
+
|
398
|
+
index_urls.each do |index_url|
|
399
|
+
args = [name, version, algorithm]
|
400
|
+
args << index_url if index_url
|
401
|
+
|
402
|
+
begin
|
403
|
+
native_helper_hashes = SharedHelpers.run_helper_subprocess(
|
404
|
+
command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
|
405
|
+
function: "get_dependency_hash",
|
406
|
+
args: args
|
407
|
+
).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
|
408
|
+
|
409
|
+
hashes.concat(native_helper_hashes)
|
410
|
+
rescue SharedHelpers::HelperSubprocessFailed => e
|
411
|
+
raise unless e.error_class.include?("PackageNotFoundError")
|
412
|
+
|
413
|
+
next
|
414
|
+
end
|
415
|
+
end
|
416
|
+
|
417
|
+
hashes
|
397
418
|
end
|
398
419
|
|
399
420
|
def hash_separator(requirement_string)
|
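Review bot: `package_hashes_for` (new lines 395–418) concatenates the hashes returned by every configured index, so when a name resolves on both the default index (the `nil` entry from `pip_compile_index_urls`) and a private one, the emitted `--hash` list accepts either artifact and the pin no longer distinguishes them — the case hash pinning is meant to catch; the sibling `RequirementReplacer#package_hashes_for` in this release instead stops at the first index that answers, and the two should agree on one policy, stated in a comment such as `# Hashes are collected from every index; a name present on several indexes yields an acceptable hash for each`. When every index raises `PackageNotFoundError` this version returns `[]` rather than raising `DependencyFileNotResolvable` as RequirementReplacer does, which looks like it would silently drop the `--hash` options from the updated requirement; the caller is outside this hunk, so worth confirming. The rescue also tests `e.error_class.include?` here but `e.message.include?` in RequirementReplacer; one accessor, via the `PACKAGE_NOT_FOUND_ERROR` constant that file introduces, would keep them consistent.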
@@ -16,10 +16,11 @@ module Dependabot
|
|
16
16
|
attr_reader :dependency_files
|
17
17
|
attr_reader :credentials
|
18
18
|
|
19
|
-
def initialize(dependencies:, dependency_files:, credentials:)
|
19
|
+
def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
|
20
20
|
@dependencies = dependencies
|
21
21
|
@dependency_files = dependency_files
|
22
22
|
@credentials = credentials
|
23
|
+
@index_urls = index_urls
|
23
24
|
end
|
24
25
|
|
25
26
|
def updated_dependency_files
|
@@ -58,7 +59,8 @@ module Dependabot
|
|
58
59
|
dependency_name: dependency.name,
|
59
60
|
old_requirement: old_req.fetch(:requirement),
|
60
61
|
new_requirement: new_req.fetch(:requirement),
|
61
|
-
new_hash_version: dependency.version
|
62
|
+
new_hash_version: dependency.version,
|
63
|
+
index_urls: @index_urls
|
62
64
|
).updated_content
|
63
65
|
end
|
64
66
|
|
@@ -12,13 +12,16 @@ module Dependabot
|
|
12
12
|
module Python
|
13
13
|
class FileUpdater
|
14
14
|
class RequirementReplacer
|
15
|
+
PACKAGE_NOT_FOUND_ERROR = "PackageNotFoundError"
|
16
|
+
|
15
17
|
def initialize(content:, dependency_name:, old_requirement:,
|
16
|
-
new_requirement:, new_hash_version: nil)
|
18
|
+
new_requirement:, new_hash_version: nil, index_urls: nil)
|
17
19
|
@content = content
|
18
20
|
@dependency_name = normalise(dependency_name)
|
19
21
|
@old_requirement = old_requirement
|
20
22
|
@new_requirement = new_requirement
|
21
23
|
@new_hash_version = new_hash_version
|
24
|
+
@index_urls = index_urls
|
22
25
|
end
|
23
26
|
|
24
27
|
def updated_content
|
@@ -137,11 +140,28 @@ module Dependabot
|
|
137
140
|
end
|
138
141
|
|
139
142
|
def package_hashes_for(name:, version:, algorithm:)
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
args
|
144
|
-
|
143
|
+
index_urls = @index_urls || [nil]
|
144
|
+
|
145
|
+
index_urls.map do |index_url|
|
146
|
+
args = [name, version, algorithm]
|
147
|
+
args << index_url unless index_url.nil?
|
148
|
+
|
149
|
+
begin
|
150
|
+
result = SharedHelpers.run_helper_subprocess(
|
151
|
+
command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
|
152
|
+
function: "get_dependency_hash",
|
153
|
+
args: args
|
154
|
+
)
|
155
|
+
rescue SharedHelpers::HelperSubprocessFailed => e
|
156
|
+
raise unless e.message.include?("PackageNotFoundError")
|
157
|
+
|
158
|
+
next
|
159
|
+
end
|
160
|
+
|
161
|
+
return result.map { |h| "--hash=#{algorithm}:#{h['hash']}" } if result.is_a?(Array)
|
162
|
+
end
|
163
|
+
|
164
|
+
raise Dependabot::DependencyFileNotResolvable, "Unable to find hashes for package #{name}"
|
145
165
|
end
|
146
166
|
|
147
167
|
def original_dependency_declaration_string(old_req)
|
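Review bot: `PACKAGE_NOT_FOUND_ERROR` is introduced on new line 15 but new line 156 still compares against the literal `"PackageNotFoundError"`; use the constant, `raise unless e.message.include?(PACKAGE_NOT_FOUND_ERROR)`. `index_urls.map do ... end` on new lines 145–162 is used only for its early `return`, never for the mapped values, so `each` states the intent and avoids building a discarded array. Matching on `e.message` is also looser than the `e.error_class` check PipCompileFileUpdater uses in this release: any helper failure whose message merely mentions the string is swallowed and the next index tried, so the two call sites should settle on the same accessor.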
@@ -21,7 +21,7 @@ module Dependabot
|
|
21
21
|
# in the lockfile.
|
22
22
|
content =
|
23
23
|
"from setuptools import setup\n\n" \
|
24
|
-
"setup(name=\"
|
24
|
+
"setup(name=\"#{package_name}\",version=\"0.0.1\"," \
|
25
25
|
"install_requires=#{install_requires_array.to_json}," \
|
26
26
|
"extras_require=#{extras_require_hash.to_json}"
|
27
27
|
|
@@ -85,6 +85,12 @@ module Dependabot
|
|
85
85
|
].compact
|
86
86
|
).dependency_set
|
87
87
|
end
|
88
|
+
|
89
|
+
def package_name
|
90
|
+
content = setup_file.content
|
91
|
+
match = content.match(/name\s*=\s*['"](?<package_name>[^'"]+)['"]/)
|
92
|
+
match ? match[:package_name] : "default_package_name"
|
93
|
+
end
|
88
94
|
end
|
89
95
|
end
|
90
96
|
end
|
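Review bot: `package_name` (new lines 89–93) captures `[^'"]+`, which admits backslashes and newlines, and the value is interpolated unescaped into the generated `setup(name=\"…\")` source on line 24, so a captured name containing a backslash before the closing quote yields a sanitized setup.py that no longer parses; the regex also matches the first `name=` anywhere in the file, which need not belong to the `setup()` call. Since this sanitizer exists to stand in a known-safe file for the project's own setup.py, validate the capture against the package-name alphabet before using it, e.g. `match = content.match(/name\s*=\s*['"](?<package_name>[A-Za-z0-9][A-Za-z0-9._-]*)['"]/)`, keeping the `"default_package_name"` fallback for anything else.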
@@ -105,7 +105,8 @@ module Dependabot
|
|
105
105
|
PipCompileFileUpdater.new(
|
106
106
|
dependencies: dependencies,
|
107
107
|
dependency_files: dependency_files,
|
108
|
-
credentials: credentials
|
108
|
+
credentials: credentials,
|
109
|
+
index_urls: pip_compile_index_urls
|
109
110
|
).updated_dependency_files
|
110
111
|
end
|
111
112
|
|
@@ -113,10 +114,22 @@ module Dependabot
|
|
113
114
|
RequirementFileUpdater.new(
|
114
115
|
dependencies: dependencies,
|
115
116
|
dependency_files: dependency_files,
|
116
|
-
credentials: credentials
|
117
|
+
credentials: credentials,
|
118
|
+
index_urls: pip_compile_index_urls
|
117
119
|
).updated_dependency_files
|
118
120
|
end
|
119
121
|
|
122
|
+
def pip_compile_index_urls
|
123
|
+
if credentials.any?(&:replaces_base?)
|
124
|
+
credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
|
125
|
+
else
|
126
|
+
urls = credentials.map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
|
127
|
+
# If there are no credentials that replace the base, we need to
|
128
|
+
# ensure that the base URL is included in the list of extra-index-urls.
|
129
|
+
[nil, *urls]
|
130
|
+
end
|
131
|
+
end
|
132
|
+
|
120
133
|
def check_required_files
|
121
134
|
filenames = dependency_files.map(&:name)
|
122
135
|
return if filenames.any? { |name| name.end_with?(".txt", ".in") }
|
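Review bot: `pip_compile_index_urls` (new lines 122–131) builds an authed URL for every credential, so if `credentials` can still hold non-index entries at this point (git sources, for instance) they are turned into index URLs and handed to the hash helper; filtering to Python index credentials before the `map` is the safer shape, assuming the collection is not already narrowed upstream, which this hunk does not show. The URLs it returns embed credentials and travel to the helper subprocess as call arguments, so any logging of helper arguments or of helper error output would expose them. The comment on lines 127–128 speaks of extra-index-urls, but the list feeds hash lookups in both updaters, and the name hides that it is also passed to `RequirementFileUpdater`; `index_urls` with `# Index URLs (nil = the default index) used to look up package hashes` would read better.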
@@ -262,6 +262,8 @@ module Dependabot
|
|
262
262
|
def library?
|
263
263
|
return false unless updating_pyproject?
|
264
264
|
|
265
|
+
return false if library_details["name"].nil?
|
266
|
+
|
265
267
|
# Hit PyPi and check whether there are details for a library with a
|
266
268
|
# matching name and description
|
267
269
|
index_response = Dependabot::RegistryClient.get(
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-python
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.255.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-05-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.255.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.255.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 1.
|
33
|
+
version: 1.9.2
|
34
34
|
type: :development
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 1.
|
40
|
+
version: 1.9.2
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: gpgme
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -114,56 +114,70 @@ dependencies:
|
|
114
114
|
requirements:
|
115
115
|
- - "~>"
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version: 1.
|
117
|
+
version: 1.63.2
|
118
118
|
type: :development
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
122
|
- - "~>"
|
123
123
|
- !ruby/object:Gem::Version
|
124
|
-
version: 1.
|
124
|
+
version: 1.63.2
|
125
125
|
- !ruby/object:Gem::Dependency
|
126
126
|
name: rubocop-performance
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
128
128
|
requirements:
|
129
129
|
- - "~>"
|
130
130
|
- !ruby/object:Gem::Version
|
131
|
-
version: 1.
|
131
|
+
version: 1.21.0
|
132
132
|
type: :development
|
133
133
|
prerelease: false
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
135
135
|
requirements:
|
136
136
|
- - "~>"
|
137
137
|
- !ruby/object:Gem::Version
|
138
|
-
version: 1.
|
138
|
+
version: 1.21.0
|
139
139
|
- !ruby/object:Gem::Dependency
|
140
140
|
name: rubocop-rspec
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
142
142
|
requirements:
|
143
143
|
- - "~>"
|
144
144
|
- !ruby/object:Gem::Version
|
145
|
-
version: 2.
|
145
|
+
version: 2.29.1
|
146
146
|
type: :development
|
147
147
|
prerelease: false
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
150
|
- - "~>"
|
151
151
|
- !ruby/object:Gem::Version
|
152
|
-
version: 2.
|
152
|
+
version: 2.29.1
|
153
153
|
- !ruby/object:Gem::Dependency
|
154
154
|
name: rubocop-sorbet
|
155
155
|
requirement: !ruby/object:Gem::Requirement
|
156
156
|
requirements:
|
157
157
|
- - "~>"
|
158
158
|
- !ruby/object:Gem::Version
|
159
|
-
version: 0.
|
159
|
+
version: 0.8.1
|
160
|
+
type: :development
|
161
|
+
prerelease: false
|
162
|
+
version_requirements: !ruby/object:Gem::Requirement
|
163
|
+
requirements:
|
164
|
+
- - "~>"
|
165
|
+
- !ruby/object:Gem::Version
|
166
|
+
version: 0.8.1
|
167
|
+
- !ruby/object:Gem::Dependency
|
168
|
+
name: simplecov
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
170
|
+
requirements:
|
171
|
+
- - "~>"
|
172
|
+
- !ruby/object:Gem::Version
|
173
|
+
version: 0.22.0
|
160
174
|
type: :development
|
161
175
|
prerelease: false
|
162
176
|
version_requirements: !ruby/object:Gem::Requirement
|
163
177
|
requirements:
|
164
178
|
- - "~>"
|
165
179
|
- !ruby/object:Gem::Version
|
166
|
-
version: 0.
|
180
|
+
version: 0.22.0
|
167
181
|
- !ruby/object:Gem::Dependency
|
168
182
|
name: turbo_tests
|
169
183
|
requirement: !ruby/object:Gem::Requirement
|
@@ -274,7 +288,7 @@ licenses:
|
|
274
288
|
- Nonstandard
|
275
289
|
metadata:
|
276
290
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
277
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
291
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.255.0
|
278
292
|
post_install_message:
|
279
293
|
rdoc_options: []
|
280
294
|
require_paths:
|
@@ -290,7 +304,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
290
304
|
- !ruby/object:Gem::Version
|
291
305
|
version: 3.1.0
|
292
306
|
requirements: []
|
293
|
-
rubygems_version: 3.
|
307
|
+
rubygems_version: 3.5.9
|
294
308
|
signing_key:
|
295
309
|
specification_version: 4
|
296
310
|
summary: Provides Dependabot support for Python
|