dependabot-python 0.262.0 → 0.264.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5724f50145d1e3274eaa50d8301778e09de0488992b60488a1873c5fa4771eca
-  data.tar.gz: 1c40bd5961bb48cbf9cc7f7063744c3d0c696964a0e8db170da4b5877a2f1b20
+  metadata.gz: 1b32f97adeb9b92870d0508a7ad61f27cff4aa25720961201c4b3768c1d7f13d
+  data.tar.gz: 2eb54348ac4bae2685050f6f7aade5b1880d8cbeec0ab8426124573463895fb2
 SHA512:
-  metadata.gz: 5489f882375710bf5c7d2a1cd70f3b20e04fc0e89ad5f503c97daffb5060d947b9213bf3437f8bd496cea69a3b6b09af011f18ad381f0896e7a5654bc8ddfcda
-  data.tar.gz: 526160c480cb6a94cac4a5e9b01beea08356325412786714409152cfa067600f90569ead3106356ba55f3edc3704dcd80e2cd2e0d99f62932f6a695eff3913f2
+  metadata.gz: 2781b289d9dbc5cc631325448adbe2c620a8e8e6e529752babbc3314655886f05a3426c9e5ebfe14cfe12bf0fb89fd749b1dbd4d5b4ddfad242f9c4320d6226a
+  data.tar.gz: 4cafc74f705b401b5d5ea1f0045db4d90365530acd4b62dfe22279ea5b6881cf3178249d0697f8fad7bb294f89be70890c815ab4a34db88e310b57f3a951d4cf

data/helpers/requirements.txt

@@ -1,10 +1,10 @@
 pip==24.0
 pip-tools==7.4.1
-flake8==7.0.0
+flake8==7.1.0
 hashin==1.0.1
 pipenv==2023.12.1
 plette==2.1.0
-poetry==1.8.2
+poetry==1.8.3
 # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 toml==0.10.2
 

data/lib/dependabot/python/authed_url_builder.rb

@@ -7,6 +7,7 @@ module Dependabot
       def self.authed_url(credential:)
         token = credential.fetch("token", nil)
         url = credential.fetch("index-url", nil)
+        return "" unless url
         return url unless token
 
         basic_auth_details =

data/lib/dependabot/python/file_fetcher.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "toml-rb"
@@ -139,7 +139,7 @@ module Dependabot
 
         # Check the top-level for a .python-version file, too
         reverse_path = Pathname.new(directory[0]).relative_path_from(directory)
-        @python_version_file ||=
+        @python_version_file =
           fetch_support_file(File.join(reverse_path, ".python-version"))
           &.tap { |f| f.name = ".python-version" }
       end

data/lib/dependabot/python/file_updater.rb

@@ -1,19 +1,23 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "toml-rb"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/shared_helpers"
+require "sorbet-runtime"
 
 module Dependabot
   module Python
     class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
       require_relative "file_updater/pipfile_file_updater"
       require_relative "file_updater/pip_compile_file_updater"
       require_relative "file_updater/poetry_file_updater"
       require_relative "file_updater/requirement_file_updater"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           /^Pipfile$/,
@@ -27,6 +31,7 @@ module Dependabot
         ]
       end
 
+      sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
         updated_files =
           case resolver_type
@@ -48,6 +53,8 @@ module Dependabot
       private
 
       # rubocop:disable Metrics/PerceivedComplexity
+
+      sig { returns(Symbol) }
       def resolver_type
         reqs = dependencies.flat_map(&:requirements)
         changed_reqs = reqs.zip(dependencies.flat_map(&:previous_requirements))
@@ -76,6 +83,7 @@ module Dependabot
       end
       # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { returns(Symbol) }
       def subdependency_resolver
         return :pipfile if pipfile_lock
         return :poetry if poetry_lock
@@ -84,6 +92,7 @@ module Dependabot
         raise "Claimed to be a sub-dependency, but no lockfile exists!"
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def updated_pipfile_based_files
         PipfileFileUpdater.new(
           dependencies: dependencies,
@@ -93,6 +102,7 @@ module Dependabot
         ).updated_dependency_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def updated_poetry_based_files
         PoetryFileUpdater.new(
           dependencies: dependencies,
@@ -101,6 +111,7 @@ module Dependabot
         ).updated_dependency_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def updated_pip_compile_based_files
         PipCompileFileUpdater.new(
           dependencies: dependencies,
@@ -110,6 +121,7 @@ module Dependabot
         ).updated_dependency_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def updated_requirement_based_files
         RequirementFileUpdater.new(
           dependencies: dependencies,
@@ -119,6 +131,7 @@ module Dependabot
         ).updated_dependency_files
       end
 
+      sig { returns(T::Array[String]) }
       def pip_compile_index_urls
         if credentials.any?(&:replaces_base?)
           credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
@@ -130,6 +143,7 @@ module Dependabot
         end
       end
 
+      sig { override.void }
       def check_required_files
         filenames = dependency_files.map(&:name)
         return if filenames.any? { |name| name.end_with?(".txt", ".in") }
@@ -141,31 +155,39 @@ module Dependabot
         raise "Missing required files!"
       end
 
+      sig { returns(T::Boolean) }
       def poetry_based?
         return false unless pyproject
 
-        !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
+        !TomlRB.parse(pyproject&.content).dig("tool", "poetry").nil?
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pipfile
-        @pipfile ||= get_original_file("Pipfile")
+        @pipfile ||= T.let(get_original_file("Pipfile"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pipfile_lock
-        @pipfile_lock ||= get_original_file("Pipfile.lock")
+        @pipfile_lock ||= T.let(get_original_file("Pipfile.lock"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pyproject
-        @pyproject ||= get_original_file("pyproject.toml")
+        @pyproject ||= T.let(get_original_file("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def poetry_lock
-        @poetry_lock ||= get_original_file("poetry.lock")
+        @poetry_lock ||= T.let(get_original_file("poetry.lock"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def pip_compile_files
-        @pip_compile_files ||=
-          dependency_files.select { |f| f.name.end_with?(".in") }
+        @pip_compile_files ||= T.let(
+          dependency_files.select { |f| f.name.end_with?(".in") },
+          T.nilable(T::Array[DependencyFile])
+        )
       end
     end
   end

data/lib/dependabot/python/pip_compile_file_matcher.rb

@@ -1,29 +1,35 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 module Dependabot
   module Python
     class PipCompileFileMatcher
+      extend T::Sig
+
+      sig { params(requirements_in_files: T::Array[Dependabot::Python::Requirement]).void }
       def initialize(requirements_in_files)
         @requirements_in_files = requirements_in_files
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
       def lockfile_for_pip_compile_file?(file)
         return false unless requirements_in_files.any?
 
         name = file.name
         return false unless name.end_with?(".txt")
 
-        return true if file.content.match?(output_file_regex(name))
+        return true if file.content&.match?(output_file_regex(name))
 
         basename = name.gsub(/\.txt$/, "")
-        requirements_in_files.any? { |f| f.name == basename + ".in" }
+        requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
       end
 
       private
 
+      sig { returns(T::Array[Dependabot::Python::Requirement]) }
       attr_reader :requirements_in_files
 
+      sig { params(filename: T.any(String, Symbol)).returns(String) }
       def output_file_regex(filename)
         "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
       end

data/lib/dependabot/python/requirement.rb

@@ -20,6 +20,11 @@ module Dependabot
         "===" => ->(v, r) { v.to_s == r.to_s }
       )
 
+      # Override the lower bound logic for bump versions strategy.
+      BUMP_VERSIONS_OPS = OPS.merge(
+        ">=" => ->(v, r) { v.to_s == r.to_s }
+      )
+
       quoted = OPS.keys.sort_by(&:length).reverse
                   .map { |k| Regexp.quote(k) }.join("|")
       version_pattern = Python::Version::VERSION_PATTERN
@@ -78,10 +83,10 @@ module Dependabot
         super(requirements)
       end
 
-      def satisfied_by?(version)
+      def satisfied_by?(version, ops = OPS)
         version = Python::Version.new(version.to_s)
 
-        requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
+        requirements.all? { |op, rv| (ops[op] || ops["="]).call(version, rv) }
       end
 
       def exact?

data/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -34,7 +34,7 @@ module Dependabot
         end
 
         def updated_requirements
-          return requirements if update_strategy == RequirementsUpdateStrategy::LockfileOnly
+          return requirements if update_strategy.lockfile_only?
 
           requirements.map do |req|
             case req[:file]
@@ -278,14 +278,14 @@ module Dependabot
             requirement_strings.map { |r| requirement_class.new(r) }
 
           updated_requirement_strings = ruby_requirements.flat_map do |r|
-            next r.to_s if r.satisfied_by?(latest_resolvable_version)
+            next r.to_s if r.satisfied_by?(latest_resolvable_version, Requirement::BUMP_VERSIONS_OPS)
 
             case op = r.requirements.first.first
             when "<"
-              "<" + update_greatest_version(r.requirements.first.last, latest_resolvable_version)
-            when "<="
-              "<=" + latest_resolvable_version.to_s
-            when "!=", ">", ">="
+              "#{op}#{update_greatest_version(r.requirements.first.last, latest_resolvable_version)}"
+            when "<=", ">="
+              "#{op}#{latest_resolvable_version}"
+            when "!=", ">"
               raise UnfixableRequirement
             else
               raise "Unexpected op for unsatisfied requirement: #{op}"

data/lib/dependabot/python/update_checker.rb

@@ -81,7 +81,7 @@ module Dependabot
       end
 
       def requirements_unlocked_or_can_be?
-        requirements_update_strategy != RequirementsUpdateStrategy::LockfileOnly
+        !requirements_update_strategy.lockfile_only?
       end
 
       def requirements_update_strategy

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.262.0
+  version: 0.264.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-20 00:00:00.000000000 Z
+date: 2024-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.262.0
+        version: 0.264.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.262.0
+        version: 0.264.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -288,7 +288,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.262.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
 post_install_message: 
 rdoc_options: []
 require_paths: