dependabot-python 0.263.0 → 0.265.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1799b305706f2d88b8fccdc347184c8a4f26b48695225404726c70282f8bc239
4
- data.tar.gz: 03bbe3af68c64485cb54c881b701677683dccb097b99aa7a01a12ed9a0596431
3
+ metadata.gz: 428bb1e1c9c44c9ef4b889e90d8f76386e0a178d1f8fe294043118964cb26c48
4
+ data.tar.gz: 8f2462ce25b115f32eb8d25290aa55704ec7b945c117e21f51577801688a76ee
5
5
  SHA512:
6
- metadata.gz: 9f2b3eb22d5beb8dcd799e96399a96dbdbdc07f8bf3b4f930adcb0fd856185ed2f06466a63a2403ae00a39ee98fad5c1121c9f2297eaff43d51409e99f2cac5f
7
- data.tar.gz: db2e6f7123ef9fefe4e8d36a5cebf46ec4c7ee3bd3a2708e2013fb8bfe3942651a44b18dfc997cc845e0d3e73a89f1bb6375c5c3cc8a797517eb6e7711d5d777
6
+ metadata.gz: f0b68334df8cc79d5f4875e73398ac9e593480d1865df9ab63781dc20ddd88eead8bbcb5ef0e74c2a24a7859389f5f19d863b20c090aef2a3aa4f49f20c55309
7
+ data.tar.gz: a40dfb15cc8c8fa70aba4cf8a8ba340b12b698ba24e195a2ef359e09992d17918eccf2d7165e606da15a652d351f81b1f2bbb7f6cc5cfdf92963aa346ce90e6e
@@ -4,7 +4,7 @@ flake8==7.1.0
4
4
  hashin==1.0.1
5
5
  pipenv==2023.12.1
6
6
  plette==2.1.0
7
- poetry==1.8.2
7
+ poetry==1.8.3
8
8
  # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
9
9
  toml==0.10.2
10
10
 
@@ -7,6 +7,7 @@ module Dependabot
7
7
  def self.authed_url(credential:)
8
8
  token = credential.fetch("token", nil)
9
9
  url = credential.fetch("index-url", nil)
10
+ return "" unless url
10
11
  return url unless token
11
12
 
12
13
  basic_auth_details =
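Review bot: The new `return "" unless url` turns a credential that carries a token but no index-url into an empty string instead of an error, so a misconfigured private-registry credential is silently dropped and its token is never applied; pip_compile_index_urls in this same release maps every replaces_base? credential through authed_url, so that "" would then be handed on as an index URL. If the empty string is a deliberate sentinel, say so at the guard, e.g. `# No index-url means there is nothing to authenticate against; return "" so callers can discard it`, and make sure callers actually filter it. Otherwise rejecting the credential up front with `raise ArgumentError, "credential is missing index-url"` surfaces the misconfiguration where it can be fixed. authed_url's body continues outside the hunk.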
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "toml-rb"
@@ -139,7 +139,7 @@ module Dependabot
139
139
 
140
140
  # Check the top-level for a .python-version file, too
141
141
  reverse_path = Pathname.new(directory[0]).relative_path_from(directory)
142
- @python_version_file ||=
142
+ @python_version_file =
143
143
  fetch_support_file(File.join(reverse_path, ".python-version"))
144
144
  &.tap { |f| f.name = ".python-version" }
145
145
  end
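Review bot: Replacing `||=` with `=` makes the top-level lookup unconditionally overwrite @python_version_file, so if the enclosing method already found a directory-local .python-version earlier (the "too" in the comment suggests it does), a nil from fetch_support_file here now discards that result. If the intent is that a top-level file wins only when one exists, keep the earlier value as the fallback: `@python_version_file = fetch_support_file(File.join(reverse_path, ".python-version"))&.tap { |f| f.name = ".python-version" } || @python_version_file`. If instead the top-level file is meant to always win, a one-line comment stating that would stop the next reader from reverting to `||=`. The enclosing method starts outside the hunk.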
@@ -1,19 +1,23 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "toml-rb"
5
5
  require "dependabot/file_updaters"
6
6
  require "dependabot/file_updaters/base"
7
7
  require "dependabot/shared_helpers"
8
+ require "sorbet-runtime"
8
9
 
9
10
  module Dependabot
10
11
  module Python
11
12
  class FileUpdater < Dependabot::FileUpdaters::Base
13
+ extend T::Sig
14
+
12
15
  require_relative "file_updater/pipfile_file_updater"
13
16
  require_relative "file_updater/pip_compile_file_updater"
14
17
  require_relative "file_updater/poetry_file_updater"
15
18
  require_relative "file_updater/requirement_file_updater"
16
19
 
20
+ sig { override.returns(T::Array[Regexp]) }
17
21
  def self.updated_files_regex
18
22
  [
19
23
  /^Pipfile$/,
@@ -27,6 +31,7 @@ module Dependabot
27
31
  ]
28
32
  end
29
33
 
34
+ sig { override.returns(T::Array[DependencyFile]) }
30
35
  def updated_dependency_files
31
36
  updated_files =
32
37
  case resolver_type
@@ -48,6 +53,8 @@ module Dependabot
48
53
  private
49
54
 
50
55
  # rubocop:disable Metrics/PerceivedComplexity
56
+
57
+ sig { returns(Symbol) }
51
58
  def resolver_type
52
59
  reqs = dependencies.flat_map(&:requirements)
53
60
  changed_reqs = reqs.zip(dependencies.flat_map(&:previous_requirements))
@@ -76,6 +83,7 @@ module Dependabot
76
83
  end
77
84
  # rubocop:enable Metrics/PerceivedComplexity
78
85
 
86
+ sig { returns(Symbol) }
79
87
  def subdependency_resolver
80
88
  return :pipfile if pipfile_lock
81
89
  return :poetry if poetry_lock
@@ -84,6 +92,7 @@ module Dependabot
84
92
  raise "Claimed to be a sub-dependency, but no lockfile exists!"
85
93
  end
86
94
 
95
+ sig { returns(T::Array[DependencyFile]) }
87
96
  def updated_pipfile_based_files
88
97
  PipfileFileUpdater.new(
89
98
  dependencies: dependencies,
@@ -93,6 +102,7 @@ module Dependabot
93
102
  ).updated_dependency_files
94
103
  end
95
104
 
105
+ sig { returns(T::Array[DependencyFile]) }
96
106
  def updated_poetry_based_files
97
107
  PoetryFileUpdater.new(
98
108
  dependencies: dependencies,
@@ -101,6 +111,7 @@ module Dependabot
101
111
  ).updated_dependency_files
102
112
  end
103
113
 
114
+ sig { returns(T::Array[DependencyFile]) }
104
115
  def updated_pip_compile_based_files
105
116
  PipCompileFileUpdater.new(
106
117
  dependencies: dependencies,
@@ -110,6 +121,7 @@ module Dependabot
110
121
  ).updated_dependency_files
111
122
  end
112
123
 
124
+ sig { returns(T::Array[DependencyFile]) }
113
125
  def updated_requirement_based_files
114
126
  RequirementFileUpdater.new(
115
127
  dependencies: dependencies,
@@ -119,6 +131,7 @@ module Dependabot
119
131
  ).updated_dependency_files
120
132
  end
121
133
 
134
+ sig { returns(T::Array[String]) }
122
135
  def pip_compile_index_urls
123
136
  if credentials.any?(&:replaces_base?)
124
137
  credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
@@ -130,6 +143,7 @@ module Dependabot
130
143
  end
131
144
  end
132
145
 
146
+ sig { override.void }
133
147
  def check_required_files
134
148
  filenames = dependency_files.map(&:name)
135
149
  return if filenames.any? { |name| name.end_with?(".txt", ".in") }
@@ -141,31 +155,39 @@ module Dependabot
141
155
  raise "Missing required files!"
142
156
  end
143
157
 
158
+ sig { returns(T::Boolean) }
144
159
  def poetry_based?
145
160
  return false unless pyproject
146
161
 
147
- !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
162
+ !TomlRB.parse(pyproject&.content).dig("tool", "poetry").nil?
148
163
  end
149
164
 
165
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
150
166
  def pipfile
151
- @pipfile ||= get_original_file("Pipfile")
167
+ @pipfile ||= T.let(get_original_file("Pipfile"), T.nilable(Dependabot::DependencyFile))
152
168
  end
153
169
 
170
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
154
171
  def pipfile_lock
155
- @pipfile_lock ||= get_original_file("Pipfile.lock")
172
+ @pipfile_lock ||= T.let(get_original_file("Pipfile.lock"), T.nilable(Dependabot::DependencyFile))
156
173
  end
157
174
 
175
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
158
176
  def pyproject
159
- @pyproject ||= get_original_file("pyproject.toml")
177
+ @pyproject ||= T.let(get_original_file("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
160
178
  end
161
179
 
180
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
162
181
  def poetry_lock
163
- @poetry_lock ||= get_original_file("poetry.lock")
182
+ @poetry_lock ||= T.let(get_original_file("poetry.lock"), T.nilable(Dependabot::DependencyFile))
164
183
  end
165
184
 
185
+ sig { returns(T::Array[DependencyFile]) }
166
186
  def pip_compile_files
167
- @pip_compile_files ||=
168
- dependency_files.select { |f| f.name.end_with?(".in") }
187
+ @pip_compile_files ||= T.let(
188
+ dependency_files.select { |f| f.name.end_with?(".in") },
189
+ T.nilable(T::Array[DependencyFile])
190
+ )
169
191
  end
170
192
  end
171
193
  end
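Review bot: In poetry_based? the `&.` added to `pyproject&.content` is redundant after `return false unless pyproject` and only quiets the checker, while the nil case that can actually occur — a pyproject file whose `content` is nil — is not handled and would reach TomlRB.parse (the PipCompileFileMatcher hunk in this same release treats DependencyFile#content as nilable with `file.content&.match?`). Binding the content to a local once gives the flow typing a single meaningful nil check and removes the misleading safe-navigation on an already-guarded value. The remaining hunks in this section only add sigs and T.let wrappers around existing memoization and look fine. The enclosing class starts at the top of the section and ends at its last hunk.

```ruby
sig { returns(T::Boolean) }
def poetry_based?
  content = pyproject&.content
  return false unless content

  !TomlRB.parse(content).dig("tool", "poetry").nil?
end
```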
@@ -1,29 +1,35 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Dependabot
5
5
  module Python
6
6
  class PipCompileFileMatcher
7
+ extend T::Sig
8
+
9
+ sig { params(requirements_in_files: T::Array[Dependabot::Python::Requirement]).void }
7
10
  def initialize(requirements_in_files)
8
11
  @requirements_in_files = requirements_in_files
9
12
  end
10
13
 
14
+ sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
11
15
  def lockfile_for_pip_compile_file?(file)
12
16
  return false unless requirements_in_files.any?
13
17
 
14
18
  name = file.name
15
19
  return false unless name.end_with?(".txt")
16
20
 
17
- return true if file.content.match?(output_file_regex(name))
21
+ return true if file.content&.match?(output_file_regex(name))
18
22
 
19
23
  basename = name.gsub(/\.txt$/, "")
20
- requirements_in_files.any? { |f| f.name == basename + ".in" }
24
+ requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
21
25
  end
22
26
 
23
27
  private
24
28
 
29
+ sig { returns(T::Array[Dependabot::Python::Requirement]) }
25
30
  attr_reader :requirements_in_files
26
31
 
32
+ sig { params(filename: T.any(String, Symbol)).returns(String) }
27
33
  def output_file_regex(filename)
28
34
  "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
29
35
  end
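Review bot: The `f.instance_variable_get(:@name)` on the new side of lockfile_for_pip_compile_file? reaches into private state to avoid calling `name` on what the new sig declares to be a Dependabot::Python::Requirement, yet the variable name and the old code (`f.name == basename + ".in"`) indicate requirements_in_files holds DependencyFile objects; the sig looks wrong and the code was bent to fit it, and if these really were Requirement instances `@name` would most likely be unset and the comparison would silently never match. Declaring `sig { params(requirements_in_files: T::Array[Dependabot::DependencyFile]).void }` (and the matching attr_reader sig) and restoring `requirements_in_files.any? { |f| f.name == basename + ".in" }` keeps the public interface in use and lets the checker catch a real type mismatch. Separately, output_file_regex builds its pattern in a double-quoted string, where `\s` is a Ruby escape for a plain space, so `[=\s]+` and `(?:\s|$)` match only a literal space and not a tab or newline; writing the pattern in single quotes or as `\\s` restores the intended whitespace class. That is pre-existing, but it now carries a sig describing it as the pattern contract, so it is worth fixing alongside. The enclosing class continues outside the hunk.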
@@ -20,6 +20,11 @@ module Dependabot
20
20
  "===" => ->(v, r) { v.to_s == r.to_s }
21
21
  )
22
22
 
23
+ # Override the lower bound logic for bump versions strategy.
24
+ BUMP_VERSIONS_OPS = OPS.merge(
25
+ ">=" => ->(v, r) { v.to_s == r.to_s }
26
+ )
27
+
23
28
  quoted = OPS.keys.sort_by(&:length).reverse
24
29
  .map { |k| Regexp.quote(k) }.join("|")
25
30
  version_pattern = Python::Version::VERSION_PATTERN
@@ -78,10 +83,10 @@ module Dependabot
78
83
  super(requirements)
79
84
  end
80
85
 
81
- def satisfied_by?(version)
86
+ def satisfied_by?(version, ops = OPS)
82
87
  version = Python::Version.new(version.to_s)
83
88
 
84
- requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
89
+ requirements.all? { |op, rv| (ops[op] || ops["="]).call(version, rv) }
85
90
  end
86
91
 
87
92
  def exact?
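Review bot: `BUMP_VERSIONS_OPS = OPS.merge(...)` produces a fresh, unfrozen Hash even when OPS is frozen, so the new constant is mutable at runtime; append `.freeze`, i.e. `BUMP_VERSIONS_OPS = OPS.merge(">=" => ->(v, r) { v.to_s == r.to_s }).freeze`. The comment above it says what is overridden but not why; a line such as `# Under the bump-versions strategy a ">=" lower bound counts as satisfied only when it already equals the version, so the updater raises the bound instead of leaving it` would record the intent (inferred from the updater hunk in this release, so confirm the wording). In satisfied_by? the new optional positional `ops = OPS` would read better as a keyword argument `ops: OPS`, though a caller in this release already uses the positional form, so changing it means touching both files. The enclosing class runs past both hunks.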
@@ -278,14 +278,14 @@ module Dependabot
278
278
  requirement_strings.map { |r| requirement_class.new(r) }
279
279
 
280
280
  updated_requirement_strings = ruby_requirements.flat_map do |r|
281
- next r.to_s if r.satisfied_by?(latest_resolvable_version)
281
+ next r.to_s if r.satisfied_by?(latest_resolvable_version, Requirement::BUMP_VERSIONS_OPS)
282
282
 
283
283
  case op = r.requirements.first.first
284
284
  when "<"
285
- "<" + update_greatest_version(r.requirements.first.last, latest_resolvable_version)
286
- when "<="
287
- "<=" + latest_resolvable_version.to_s
288
- when "!=", ">", ">="
285
+ "#{op}#{update_greatest_version(r.requirements.first.last, latest_resolvable_version)}"
286
+ when "<=", ">="
287
+ "#{op}#{latest_resolvable_version}"
288
+ when "!=", ">"
289
289
  raise UnfixableRequirement
290
290
  else
291
291
  raise "Unexpected op for unsatisfied requirement: #{op}"
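Review bot: The unconditional `r.satisfied_by?(latest_resolvable_version, Requirement::BUMP_VERSIONS_OPS)` together with the new `when "<=", ">="` branch means every `>=X` requirement whose X is not exactly the latest version is rewritten to `>=latest`, a change in what this updater emits that is not obvious from the code; a comment above the `next` line such as `# BUMP_VERSIONS_OPS treats ">=" as satisfied only when the bound already equals latest, so any other lower bound falls through and is raised below` would make it explicit. If this updater also serves strategies other than bump-versions, the choice of ops should come from the strategy rather than be hard-coded here — the enclosing method's signature is outside the hunk, so I cannot confirm which applies. The enclosing method starts and ends outside the hunk.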
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-python
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.263.0
4
+ version: 0.265.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-27 00:00:00.000000000 Z
11
+ date: 2024-07-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.263.0
19
+ version: 0.265.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.263.0
26
+ version: 0.265.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -288,7 +288,7 @@ licenses:
288
288
  - MIT
289
289
  metadata:
290
290
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
291
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.263.0
291
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.265.0
292
292
  post_install_message:
293
293
  rdoc_options: []
294
294
  require_paths: