dependabot-python 0.253.0 → 0.255.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1e05506cf84267bd43a63e0db63d939c458872d75519148d1b7186bc1297949
-  data.tar.gz: a8df3880bd956cd02fc30cc458ebe967ab764e4a37583d654a79bbafbce31513
+  metadata.gz: 631b990e99ca7a3be0911a8bf0e8355e2ffa8076a760a2677a99d4359503798a
+  data.tar.gz: 10e7a86fcf9a94f1af3d45f9cbc97afae3f91f0c8fe0442b0c1aa38a4fc92347
 SHA512:
-  metadata.gz: a47450613132feac9d741e58d3ffbdc9f0cbb28903772f23cd460c6f8b1b16f5467ad160ef5ff55d0bdb4051ef4abca56c20e7dee6a832bd388394a7d201d427
-  data.tar.gz: f1792da350a5ca7d8495ff525a7b8833bab4b3eead8262d061b26ad5535806b53899c06f71ddc0e00b4ba83cb0c2902c721bc955839ffe807b4dab73b9e42a1d
+  metadata.gz: 3ceb72b14d9a1b4f787e00574259b0f75fb840173e16ba535233b49696661ff60e36b4d9fe25f6b130831e56ad36be19c7f1ca8752dd39fe1b3dd5641097a96f
+  data.tar.gz: 5e8b5844b682e2714e87e433412ed0699d61f114bb1f78d98bc7ad41cbafac12b915caeff12ee3d0facdf88e31862758b96d99e73606bb17c3ae817eada8dd18

data/helpers/lib/hasher.py

@@ -1,17 +1,26 @@
 import hashin
 import json
 import plette
+import traceback
 from poetry.factory import Factory
 
 
-def get_dependency_hash(dependency_name, dependency_version, algorithm):
-    hashes = hashin.get_package_hashes(
-        dependency_name,
-        version=dependency_version,
-        algorithm=algorithm
-    )
-
-    return json.dumps({"result": hashes["hashes"]})
+def get_dependency_hash(dependency_name, dependency_version, algorithm,
+                        index_url=hashin.DEFAULT_INDEX_URL):
+    try:
+        hashes = hashin.get_package_hashes(
+            dependency_name,
+            version=dependency_version,
+            algorithm=algorithm,
+            index_url=index_url
+        )
+        return json.dumps({"result": hashes["hashes"]})
+    except hashin.PackageNotFoundError as e:
+        return json.dumps({
+            "error": repr(e),
+            "error_class:": e.__class__.__name__,
+            "trace:": ''.join(traceback.format_stack())
+        })
 
 
 def get_pipfile_hash(directory):

data/helpers/requirements.txt

@@ -2,8 +2,8 @@ pip==24.0
 pip-tools==7.4.1
 flake8==7.0.0
 hashin==1.0.1
-pipenv==2023.11.17
-plette==0.4.4
+pipenv==2023.12.1
+plette==2.0.2
 poetry==1.8.2
 # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 toml==0.10.2

data/lib/dependabot/python/file_parser/python_requirement_parser.rb

@@ -83,7 +83,12 @@ module Dependabot
         def python_version_file_version
           return unless python_version_file
 
-          file_version = python_version_file.content.strip
+          # read the content, split into lines and remove any lines with '#'
+          content_lines = python_version_file.content.each_line.map do |line|
+            line.sub(/#.*$/, " ").strip
+          end.reject(&:empty?)
+
+          file_version = content_lines.first
           return if file_version&.empty?
           return unless pyenv_versions.include?("#{file_version}\n")
 

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -34,10 +34,11 @@ module Dependabot
         attr_reader :dependency_files
         attr_reader :credentials
 
-        def initialize(dependencies:, dependency_files:, credentials:)
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
+          @index_urls = index_urls
           @build_isolation = true
         end
 
@@ -265,7 +266,8 @@ module Dependabot
             content: file.content,
             dependency_name: dependency.name,
             old_requirement: old_req[:requirement],
-            new_requirement: "==#{dependency.version}"
+            new_requirement: "==#{dependency.version}",
+            index_urls: @index_urls
           ).updated_content
         end
 
@@ -283,7 +285,8 @@ module Dependabot
             content: file.content,
             dependency_name: dependency.name,
             old_requirement: old_req[:requirement],
-            new_requirement: new_req[:requirement]
+            new_requirement: new_req[:requirement],
+            index_urls: @index_urls
           ).updated_content
         end
 
@@ -389,11 +392,29 @@ module Dependabot
         end
 
         def package_hashes_for(name:, version:, algorithm:)
-          SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
-            function: "get_dependency_hash",
-            args: [name, version, algorithm]
-          ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+          index_urls = @index_urls || [nil]
+          hashes = []
+
+          index_urls.each do |index_url|
+            args = [name, version, algorithm]
+            args << index_url if index_url
+
+            begin
+              native_helper_hashes = SharedHelpers.run_helper_subprocess(
+                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
+                function: "get_dependency_hash",
+                args: args
+              ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+
+              hashes.concat(native_helper_hashes)
+            rescue SharedHelpers::HelperSubprocessFailed => e
+              raise unless e.error_class.include?("PackageNotFoundError")
+
+              next
+            end
+          end
+
+          hashes
         end
 
         def hash_separator(requirement_string)

data/lib/dependabot/python/file_updater/requirement_file_updater.rb

@@ -16,10 +16,11 @@ module Dependabot
         attr_reader :dependency_files
         attr_reader :credentials
 
-        def initialize(dependencies:, dependency_files:, credentials:)
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
+          @index_urls = index_urls
         end
 
         def updated_dependency_files
@@ -58,7 +59,8 @@ module Dependabot
             dependency_name: dependency.name,
             old_requirement: old_req.fetch(:requirement),
             new_requirement: new_req.fetch(:requirement),
-            new_hash_version: dependency.version
+            new_hash_version: dependency.version,
+            index_urls: @index_urls
           ).updated_content
         end
 

data/lib/dependabot/python/file_updater/requirement_replacer.rb

@@ -12,13 +12,16 @@ module Dependabot
   module Python
     class FileUpdater
       class RequirementReplacer
+        PACKAGE_NOT_FOUND_ERROR = "PackageNotFoundError"
+
         def initialize(content:, dependency_name:, old_requirement:,
-                       new_requirement:, new_hash_version: nil)
+                       new_requirement:, new_hash_version: nil, index_urls: nil)
           @content          = content
           @dependency_name  = normalise(dependency_name)
           @old_requirement  = old_requirement
           @new_requirement  = new_requirement
           @new_hash_version = new_hash_version
+          @index_urls = index_urls
         end
 
         def updated_content
@@ -137,11 +140,28 @@ module Dependabot
         end
 
         def package_hashes_for(name:, version:, algorithm:)
-          SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
-            function: "get_dependency_hash",
-            args: [name, version, algorithm]
-          ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+          index_urls = @index_urls || [nil]
+
+          index_urls.map do |index_url|
+            args = [name, version, algorithm]
+            args << index_url unless index_url.nil?
+
+            begin
+              result = SharedHelpers.run_helper_subprocess(
+                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
+                function: "get_dependency_hash",
+                args: args
+              )
+            rescue SharedHelpers::HelperSubprocessFailed => e
+              raise unless e.message.include?("PackageNotFoundError")
+
+              next
+            end
+
+            return result.map { |h| "--hash=#{algorithm}:#{h['hash']}" } if result.is_a?(Array)
+          end
+
+          raise Dependabot::DependencyFileNotResolvable, "Unable to find hashes for package #{name}"
         end
 
         def original_dependency_declaration_string(old_req)

data/lib/dependabot/python/file_updater/setup_file_sanitizer.rb

@@ -21,7 +21,7 @@ module Dependabot
           # in the lockfile.
           content =
             "from setuptools import setup\n\n" \
-            "setup(name=\"sanitized-package\",version=\"0.0.1\"," \
+            "setup(name=\"#{package_name}\",version=\"0.0.1\"," \
             "install_requires=#{install_requires_array.to_json}," \
             "extras_require=#{extras_require_hash.to_json}"
 
@@ -85,6 +85,12 @@ module Dependabot
               ].compact
             ).dependency_set
         end
+
+        def package_name
+          content = setup_file.content
+          match = content.match(/name\s*=\s*['"](?<package_name>[^'"]+)['"]/)
+          match ? match[:package_name] : "default_package_name"
+        end
       end
     end
   end

data/lib/dependabot/python/file_updater.rb

@@ -105,7 +105,8 @@ module Dependabot
         PipCompileFileUpdater.new(
           dependencies: dependencies,
           dependency_files: dependency_files,
-          credentials: credentials
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
         ).updated_dependency_files
       end
 
@@ -113,10 +114,22 @@ module Dependabot
         RequirementFileUpdater.new(
           dependencies: dependencies,
           dependency_files: dependency_files,
-          credentials: credentials
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
         ).updated_dependency_files
       end
 
+      def pip_compile_index_urls
+        if credentials.any?(&:replaces_base?)
+          credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
+        else
+          urls = credentials.map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
+          # If there are no credentials that replace the base, we need to
+          # ensure that the base URL is included in the list of extra-index-urls.
+          [nil, *urls]
+        end
+      end
+
       def check_required_files
         filenames = dependency_files.map(&:name)
         return if filenames.any? { |name| name.end_with?(".txt", ".in") }

data/lib/dependabot/python/language_version_manager.rb

@@ -9,8 +9,8 @@ module Dependabot
     class LanguageVersionManager
       # This list must match the versions specified at the top of `python/Dockerfile`
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.12.2
-        3.11.8
+        3.12.3
+        3.11.9
         3.10.13
         3.9.18
         3.8.18

data/lib/dependabot/python/update_checker.rb

@@ -262,6 +262,8 @@ module Dependabot
       def library?
         return false unless updating_pyproject?
 
+        return false if library_details["name"].nil?
+
         # Hit PyPi and check whether there are details for a library with a
         # matching name and description
         index_response = Dependabot::RegistryClient.get(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.253.0
+  version: 0.255.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-04-18 00:00:00.000000000 Z
+date: 2024-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.253.0
+        version: 0.255.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.253.0
+        version: 0.255.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.2
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -114,56 +114,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.58.0
+        version: 1.63.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.58.0
+        version: 1.63.2
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.19.0
+        version: 1.21.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.19.0
+        version: 1.21.0
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.27.1
+        version: 2.29.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.27.1
+        version: 2.29.1
 - !ruby/object:Gem::Dependency
   name: rubocop-sorbet
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 0.8.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: turbo_tests
   requirement: !ruby/object:Gem::Requirement
@@ -274,7 +288,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.253.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.255.0
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -290,7 +304,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.5.9
 signing_key: 
 specification_version: 4
 summary: Provides Dependabot support for Python