dependabot-python 0.254.0 → 0.255.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2869e6ef71c246b74839b4aca81a8da7b73fc2c084ba23ff5e821b5ecf034623
-  data.tar.gz: 65d05bbd1070533eff3f282ac77ecce0434dd413353daebd3b8b0843108a558a
+  metadata.gz: 631b990e99ca7a3be0911a8bf0e8355e2ffa8076a760a2677a99d4359503798a
+  data.tar.gz: 10e7a86fcf9a94f1af3d45f9cbc97afae3f91f0c8fe0442b0c1aa38a4fc92347
 SHA512:
-  metadata.gz: ddf90e47a35110fb17b01eb709fedb6b312eee1cb783c6446968afb1ddd31e1f012950f78e431bc2e14597ef18bd6b872d3fc64a4a7febc84f39b771cda7de79
-  data.tar.gz: a4aecd81b8d93dec6348db58f8af080d9d5fed2c3ec633e46888ef5f15e9fe8fee4786d16983cae9f5aa6002eea61fb5fad7b1c5462f606f8eab8d9d5f8c01b9
+  metadata.gz: 3ceb72b14d9a1b4f787e00574259b0f75fb840173e16ba535233b49696661ff60e36b4d9fe25f6b130831e56ad36be19c7f1ca8752dd39fe1b3dd5641097a96f
+  data.tar.gz: 5e8b5844b682e2714e87e433412ed0699d61f114bb1f78d98bc7ad41cbafac12b915caeff12ee3d0facdf88e31862758b96d99e73606bb17c3ae817eada8dd18

data/helpers/lib/hasher.py

@@ -1,17 +1,26 @@
 import hashin
 import json
 import plette
+import traceback
 from poetry.factory import Factory
 
 
-def get_dependency_hash(dependency_name, dependency_version, algorithm):
-    hashes = hashin.get_package_hashes(
-        dependency_name,
-        version=dependency_version,
-        algorithm=algorithm
-    )
-
-    return json.dumps({"result": hashes["hashes"]})
+def get_dependency_hash(dependency_name, dependency_version, algorithm,
+                        index_url=hashin.DEFAULT_INDEX_URL):
+    try:
+        hashes = hashin.get_package_hashes(
+            dependency_name,
+            version=dependency_version,
+            algorithm=algorithm,
+            index_url=index_url
+        )
+        return json.dumps({"result": hashes["hashes"]})
+    except hashin.PackageNotFoundError as e:
+        return json.dumps({
+            "error": repr(e),
+            "error_class:": e.__class__.__name__,
+            "trace:": ''.join(traceback.format_stack())
+        })
 
 
 def get_pipfile_hash(directory):

data/helpers/requirements.txt

@@ -3,7 +3,7 @@ pip-tools==7.4.1
 flake8==7.0.0
 hashin==1.0.1
 pipenv==2023.12.1
-plette==0.4.4
+plette==2.0.2
 poetry==1.8.2
 # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 toml==0.10.2

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -34,10 +34,11 @@ module Dependabot
         attr_reader :dependency_files
         attr_reader :credentials
 
-        def initialize(dependencies:, dependency_files:, credentials:)
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
+          @index_urls = index_urls
           @build_isolation = true
         end
 
@@ -265,7 +266,8 @@ module Dependabot
             content: file.content,
             dependency_name: dependency.name,
             old_requirement: old_req[:requirement],
-            new_requirement: "==#{dependency.version}"
+            new_requirement: "==#{dependency.version}",
+            index_urls: @index_urls
           ).updated_content
         end
 
@@ -283,7 +285,8 @@ module Dependabot
             content: file.content,
             dependency_name: dependency.name,
             old_requirement: old_req[:requirement],
-            new_requirement: new_req[:requirement]
+            new_requirement: new_req[:requirement],
+            index_urls: @index_urls
           ).updated_content
         end
 
@@ -389,11 +392,29 @@ module Dependabot
         end
 
         def package_hashes_for(name:, version:, algorithm:)
-          SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
-            function: "get_dependency_hash",
-            args: [name, version, algorithm]
-          ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+          index_urls = @index_urls || [nil]
+          hashes = []
+
+          index_urls.each do |index_url|
+            args = [name, version, algorithm]
+            args << index_url if index_url
+
+            begin
+              native_helper_hashes = SharedHelpers.run_helper_subprocess(
+                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
+                function: "get_dependency_hash",
+                args: args
+              ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+
+              hashes.concat(native_helper_hashes)
+            rescue SharedHelpers::HelperSubprocessFailed => e
+              raise unless e.error_class.include?("PackageNotFoundError")
+
+              next
+            end
+          end
+
+          hashes
         end
 
         def hash_separator(requirement_string)

data/lib/dependabot/python/file_updater/requirement_file_updater.rb

@@ -16,10 +16,11 @@ module Dependabot
         attr_reader :dependency_files
         attr_reader :credentials
 
-        def initialize(dependencies:, dependency_files:, credentials:)
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
+          @index_urls = index_urls
         end
 
         def updated_dependency_files
@@ -58,7 +59,8 @@ module Dependabot
             dependency_name: dependency.name,
             old_requirement: old_req.fetch(:requirement),
             new_requirement: new_req.fetch(:requirement),
-            new_hash_version: dependency.version
+            new_hash_version: dependency.version,
+            index_urls: @index_urls
           ).updated_content
         end
 

data/lib/dependabot/python/file_updater/requirement_replacer.rb

@@ -12,13 +12,16 @@ module Dependabot
   module Python
     class FileUpdater
       class RequirementReplacer
+        PACKAGE_NOT_FOUND_ERROR = "PackageNotFoundError"
+
         def initialize(content:, dependency_name:, old_requirement:,
-                       new_requirement:, new_hash_version: nil)
+                       new_requirement:, new_hash_version: nil, index_urls: nil)
           @content          = content
           @dependency_name  = normalise(dependency_name)
           @old_requirement  = old_requirement
           @new_requirement  = new_requirement
           @new_hash_version = new_hash_version
+          @index_urls = index_urls
         end
 
         def updated_content
@@ -137,11 +140,28 @@ module Dependabot
         end
 
         def package_hashes_for(name:, version:, algorithm:)
-          SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
-            function: "get_dependency_hash",
-            args: [name, version, algorithm]
-          ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+          index_urls = @index_urls || [nil]
+
+          index_urls.map do |index_url|
+            args = [name, version, algorithm]
+            args << index_url unless index_url.nil?
+
+            begin
+              result = SharedHelpers.run_helper_subprocess(
+                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
+                function: "get_dependency_hash",
+                args: args
+              )
+            rescue SharedHelpers::HelperSubprocessFailed => e
+              raise unless e.message.include?("PackageNotFoundError")
+
+              next
+            end
+
+            return result.map { |h| "--hash=#{algorithm}:#{h['hash']}" } if result.is_a?(Array)
+          end
+
+          raise Dependabot::DependencyFileNotResolvable, "Unable to find hashes for package #{name}"
         end
 
         def original_dependency_declaration_string(old_req)

data/lib/dependabot/python/file_updater.rb

@@ -105,7 +105,8 @@ module Dependabot
         PipCompileFileUpdater.new(
           dependencies: dependencies,
           dependency_files: dependency_files,
-          credentials: credentials
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
         ).updated_dependency_files
       end
 
@@ -113,10 +114,22 @@ module Dependabot
         RequirementFileUpdater.new(
           dependencies: dependencies,
           dependency_files: dependency_files,
-          credentials: credentials
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
         ).updated_dependency_files
       end
 
+      def pip_compile_index_urls
+        if credentials.any?(&:replaces_base?)
+          credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
+        else
+          urls = credentials.map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
+          # If there are no credentials that replace the base, we need to
+          # ensure that the base URL is included in the list of extra-index-urls.
+          [nil, *urls]
+        end
+      end
+
       def check_required_files
         filenames = dependency_files.map(&:name)
         return if filenames.any? { |name| name.end_with?(".txt", ".in") }

data/lib/dependabot/python/language_version_manager.rb

@@ -9,8 +9,8 @@ module Dependabot
     class LanguageVersionManager
       # This list must match the versions specified at the top of `python/Dockerfile`
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.12.2
-        3.11.8
+        3.12.3
+        3.11.9
         3.10.13
         3.9.18
         3.8.18

data/lib/dependabot/python/update_checker.rb

@@ -262,6 +262,8 @@ module Dependabot
       def library?
         return false unless updating_pyproject?
 
+        return false if library_details["name"].nil?
+
         # Hit PyPi and check whether there are details for a library with a
         # matching name and description
         index_response = Dependabot::RegistryClient.get(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.254.0
+  version: 0.255.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-04-24 00:00:00.000000000 Z
+date: 2024-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.254.0
+        version: 0.255.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.254.0
+        version: 0.255.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -164,6 +164,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.8.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: turbo_tests
   requirement: !ruby/object:Gem::Requirement
@@ -274,7 +288,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.254.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.255.0
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -290,7 +304,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.5.9
 signing_key: 
 specification_version: 4
 summary: Provides Dependabot support for Python