dependabot-python 0.260.0 → 0.261.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 41b8b323a1393ba65b278a0cb9b333cc12f38ebf6ef744f7a68905f3cebc4055
-  data.tar.gz: 2102bb88ef040557b38c6e8dcce3e9a0e8a03e176346cf976835e48b352a63c5
+  metadata.gz: 6f7872db15ecad633ad312a58d9aad4445eaa6cc546400e22a7558c67d563b76
+  data.tar.gz: fdbe82aa20379236c896e27ed5eabcebbfc4b4c62742596fee5e3a99d00d811c
 SHA512:
-  metadata.gz: 7194f93fbc5e3b251a4d7adc949a25c306c9234d8857e19f511378e9b6bba4846dc80d32c664cb15cfec8b53a854124dd47718ee02e1bbc42e84f5a4502f3441
-  data.tar.gz: 9b16465b177f1a762db9c1716c5e91aab56101f0752aed82cb1dd4d8e4998b5fab9bd9f1951d160b1f01007af8da8cdab0b40618d37fb4544229a27fc68e54cb
+  metadata.gz: 14370129f0bbdfe6453b006405e5fd00087ed1b1ed79a0c3e601b8a51196f663924d36db746d4f35ce6fb936d4cda4dbad98d57492bd9a3492757c321a0747ce
+  data.tar.gz: 8c69ff20d0554d713c4b329b7b17e04cc69abe50f0fd2641b034b825e71ab5e1bb0c00c9bf904e30d9966764ac06b0ab5a4efb65b2271e0473b54ac994fb2e85

data/lib/dependabot/python/file_fetcher.rb

@@ -294,7 +294,7 @@ module Dependabot
       end
 
       def project_files
-        project_files = []
+        project_files = T.let([], T::Array[Dependabot::DependencyFile])
         unfetchable_deps = []
 
         path_dependencies.each do |dep|
@@ -302,7 +302,7 @@ module Dependabot
           project_files += fetch_project_file(path)
         rescue Dependabot::DependencyFileNotFound => e
           unfetchable_deps << if sdist_or_wheel?(path)
-                                e.file_path.gsub(%r{^/}, "")
+                                e.file_path&.gsub(%r{^/}, "")
                               else
                                 "\"#{dep[:name]}\" at #{cleanpath(File.join(directory, dep[:file]))}"
                               end
@@ -311,7 +311,7 @@ module Dependabot
         poetry_path_dependencies.each do |path|
           project_files += fetch_project_file(path)
         rescue Dependabot::DependencyFileNotFound => e
-          unfetchable_deps << e.file_path.gsub(%r{^/}, "")
+          unfetchable_deps << e.file_path&.gsub(%r{^/}, "")
         end
 
         raise Dependabot::PathDependenciesNotReachable, unfetchable_deps if unfetchable_deps.any?

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "open3"
@@ -400,10 +400,13 @@ module Dependabot
             args << index_url if index_url
 
             begin
-              native_helper_hashes = SharedHelpers.run_helper_subprocess(
-                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
-                function: "get_dependency_hash",
-                args: args
+              native_helper_hashes = T.cast(
+                SharedHelpers.run_helper_subprocess(
+                  command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
+                  function: "get_dependency_hash",
+                  args: args
+                ),
+                T::Array[T::Hash[String, String]]
               ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
 
               hashes.concat(native_helper_hashes)
@@ -548,7 +551,7 @@ module Dependabot
         # If the files we need to update require one another then we need to
         # update them in the right order
         def order_filenames_for_compilation(filenames)
-          ordered_filenames = []
+          ordered_filenames = T.let([], T::Array[String])
 
           while (remaining_filenames = filenames - ordered_filenames).any?
             ordered_filenames +=

data/lib/dependabot/python/file_updater/requirement_replacer.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "dependabot/dependency"
@@ -29,7 +29,7 @@ module Dependabot
             content.gsub(original_declaration_replacement_regex) do |mtch|
               # If the "declaration" is setting an option (e.g., no-binary)
               # ignore it, since it isn't actually a declaration
-              next mtch if Regexp.last_match.pre_match.match?(/--.*\z/)
+              next mtch if Regexp.last_match&.pre_match&.match?(/--.*\z/)
 
               updated_dependency_declaration_string
             end

data/lib/dependabot/python/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "excon"
@@ -42,6 +42,7 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def source_from_description
         potential_source_urls = []
         desc = pypi_listing.dig("info", "description")
@@ -54,8 +55,8 @@ module Dependabot
         # Looking for a source where the repo name exactly matches the
         # dependency name
         match_url = potential_source_urls.find do |url|
-          repo = Source.from_url(url).repo
-          repo.downcase.end_with?(normalised_dependency_name)
+          repo = Source.from_url(url)&.repo
+          repo&.downcase&.end_with?(normalised_dependency_name)
         end
 
         return match_url if match_url
@@ -64,14 +65,18 @@ module Dependabot
         # mentioned when the link is followed
         @source_from_description ||=
           potential_source_urls.find do |url|
-            full_url = Source.from_url(url).url
+            full_url = Source.from_url(url)&.url
+            next unless full_url
+
             response = Dependabot::RegistryClient.get(url: full_url)
             next unless response.status == 200
 
             response.body.include?(normalised_dependency_name)
           end
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def source_from_homepage
         return unless homepage_body
 
@@ -81,21 +86,24 @@ module Dependabot
         end
 
         match_url = potential_source_urls.find do |url|
-          repo = Source.from_url(url).repo
-          repo.downcase.end_with?(normalised_dependency_name)
+          repo = Source.from_url(url)&.repo
+          repo&.downcase&.end_with?(normalised_dependency_name)
         end
 
         return match_url if match_url
 
         @source_from_homepage ||=
           potential_source_urls.find do |url|
-            full_url = Source.from_url(url).url
+            full_url = Source.from_url(url)&.url
+            next unless full_url
+
             response = Dependabot::RegistryClient.get(url: full_url)
             next unless response.status == 200
 
             response.body.include?(normalised_dependency_name)
           end
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def homepage_body
         homepage_url = pypi_listing.dig("info", "home_page")
@@ -121,7 +129,7 @@ module Dependabot
 
       def pypi_listing
         return @pypi_listing unless @pypi_listing.nil?
-        return @pypi_listing = {} if dependency.version.include?("+")
+        return @pypi_listing = {} if dependency.version&.include?("+")
 
         possible_listing_urls.each do |url|
           response = fetch_authed_url(url)
@@ -140,8 +148,8 @@ module Dependabot
 
       def fetch_authed_url(url)
         if url.match(%r{(.*)://(.*?):(.*)@([^@]+)$}) &&
-           Regexp.last_match.captures[1].include?("@")
-          protocol, user, pass, url = Regexp.last_match.captures
+           Regexp.last_match&.captures&.[](1)&.include?("@")
+          protocol, user, pass, url = T.must(Regexp.last_match).captures
 
           Dependabot::RegistryClient.get(
             url: "#{protocol}://#{url}",

data/lib/dependabot/python/name_normaliser.rb

@@ -1,14 +1,20 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Python
     module NameNormaliser
+      extend T::Sig
+
+      sig { params(name: String).returns(String) }
       def self.normalise(name)
         extras_regex = /\[.+\]/
         name.downcase.gsub(/[-_.]+/, "-").gsub(extras_regex, "")
       end
 
+      sig { params(name: String, extras: T::Array[String]).returns(String) }
       def self.normalise_including_extras(name, extras)
         normalised_name = normalise(name)
         return normalised_name if extras.empty?

data/lib/dependabot/python/native_helpers.rb

@@ -1,26 +1,35 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Python
     module NativeHelpers
+      extend T::Sig
+
+      sig { returns(String) }
       def self.python_helper_path
         clean_path(File.join(python_helpers_dir, "run.py"))
       end
 
+      sig { returns(String) }
       def self.python_requirements_path
         clean_path(File.join(python_helpers_dir, "requirements.txt"))
       end
 
+      sig { returns(String) }
       def self.python_helpers_dir
         File.join(native_helpers_root, "python")
       end
 
+      sig { returns(String) }
       def self.native_helpers_root
         default_path = File.join(__dir__, "../../../..")
         ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
       end
 
+      sig { params(path: T.nilable(String)).returns(String) }
       def self.clean_path(path)
         Pathname.new(path).cleanpath.to_path
       end

data/lib/dependabot/python/update_checker/index_finder.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "dependabot/python/update_checker"
@@ -52,8 +52,6 @@ module Dependabot
             pyproject_index_urls[:main] ||
             PYPI_BASE_URL
 
-          return unless url
-
           clean_check_and_remove_environment_variables(url)
         end
 

data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "open3"
@@ -413,7 +413,7 @@ module Dependabot
         # If the files we need to update require one another then we need to
         # update them in the right order
         def order_filenames_for_compilation(filenames)
-          ordered_filenames = []
+          ordered_filenames = T.let([], T::Array[String])
 
           while (remaining_filenames = filenames - ordered_filenames).any?
             ordered_filenames +=

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "excon"
@@ -113,12 +113,13 @@ module Dependabot
           raise "No version in lockfile!"
         end
 
+        # rubocop:disable Metrics/AbcSize
         def handle_poetry_errors(error)
           if error.message.gsub(/\s/, "").match?(GIT_REFERENCE_NOT_FOUND_REGEX)
             message = error.message.gsub(/\s/, "")
             match = message.match(GIT_REFERENCE_NOT_FOUND_REGEX)
             name = if (url = match.named_captures.fetch("url"))
-                     File.basename(URI.parse(url).path)
+                     File.basename(T.must(URI.parse(url).path))
                    else
                      message.match(GIT_REFERENCE_NOT_FOUND_REGEX)
                             .named_captures.fetch("name")
@@ -146,6 +147,7 @@ module Dependabot
           # change then we want to hear about it
           raise
         end
+        # rubocop:enable Metrics/AbcSize
 
         # Using `--lock` avoids doing an install.
         # Using `--no-interaction` avoids asking for passwords.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.260.0
+  version: 0.261.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-06 00:00:00.000000000 Z
+date: 2024-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.260.0
+        version: 0.261.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.260.0
+        version: 0.261.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -288,7 +288,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.260.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.261.0
 post_install_message: 
 rdoc_options: []
 require_paths: