dependabot-python 0.263.0 → 0.265.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/requirements.txt +1 -1
- data/lib/dependabot/python/authed_url_builder.rb +1 -0
- data/lib/dependabot/python/file_fetcher.rb +2 -2
- data/lib/dependabot/python/file_updater.rb +30 -8
- data/lib/dependabot/python/pip_compile_file_matcher.rb +9 -3
- data/lib/dependabot/python/requirement.rb +7 -2
- data/lib/dependabot/python/update_checker/requirements_updater.rb +5 -5
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 428bb1e1c9c44c9ef4b889e90d8f76386e0a178d1f8fe294043118964cb26c48
|
4
|
+
data.tar.gz: 8f2462ce25b115f32eb8d25290aa55704ec7b945c117e21f51577801688a76ee
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f0b68334df8cc79d5f4875e73398ac9e593480d1865df9ab63781dc20ddd88eead8bbcb5ef0e74c2a24a7859389f5f19d863b20c090aef2a3aa4f49f20c55309
|
7
|
+
data.tar.gz: a40dfb15cc8c8fa70aba4cf8a8ba340b12b698ba24e195a2ef359e09992d17918eccf2d7165e606da15a652d351f81b1f2bbb7f6cc5cfdf92963aa346ce90e6e
|
data/helpers/requirements.txt
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "toml-rb"
|
@@ -139,7 +139,7 @@ module Dependabot
|
|
139
139
|
|
140
140
|
# Check the top-level for a .python-version file, too
|
141
141
|
reverse_path = Pathname.new(directory[0]).relative_path_from(directory)
|
142
|
-
@python_version_file
|
142
|
+
@python_version_file =
|
143
143
|
fetch_support_file(File.join(reverse_path, ".python-version"))
|
144
144
|
&.tap { |f| f.name = ".python-version" }
|
145
145
|
end
|
@@ -1,19 +1,23 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "toml-rb"
|
5
5
|
require "dependabot/file_updaters"
|
6
6
|
require "dependabot/file_updaters/base"
|
7
7
|
require "dependabot/shared_helpers"
|
8
|
+
require "sorbet-runtime"
|
8
9
|
|
9
10
|
module Dependabot
|
10
11
|
module Python
|
11
12
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
13
|
+
extend T::Sig
|
14
|
+
|
12
15
|
require_relative "file_updater/pipfile_file_updater"
|
13
16
|
require_relative "file_updater/pip_compile_file_updater"
|
14
17
|
require_relative "file_updater/poetry_file_updater"
|
15
18
|
require_relative "file_updater/requirement_file_updater"
|
16
19
|
|
20
|
+
sig { override.returns(T::Array[Regexp]) }
|
17
21
|
def self.updated_files_regex
|
18
22
|
[
|
19
23
|
/^Pipfile$/,
|
@@ -27,6 +31,7 @@ module Dependabot
|
|
27
31
|
]
|
28
32
|
end
|
29
33
|
|
34
|
+
sig { override.returns(T::Array[DependencyFile]) }
|
30
35
|
def updated_dependency_files
|
31
36
|
updated_files =
|
32
37
|
case resolver_type
|
@@ -48,6 +53,8 @@ module Dependabot
|
|
48
53
|
private
|
49
54
|
|
50
55
|
# rubocop:disable Metrics/PerceivedComplexity
|
56
|
+
|
57
|
+
sig { returns(Symbol) }
|
51
58
|
def resolver_type
|
52
59
|
reqs = dependencies.flat_map(&:requirements)
|
53
60
|
changed_reqs = reqs.zip(dependencies.flat_map(&:previous_requirements))
|
@@ -76,6 +83,7 @@ module Dependabot
|
|
76
83
|
end
|
77
84
|
# rubocop:enable Metrics/PerceivedComplexity
|
78
85
|
|
86
|
+
sig { returns(Symbol) }
|
79
87
|
def subdependency_resolver
|
80
88
|
return :pipfile if pipfile_lock
|
81
89
|
return :poetry if poetry_lock
|
@@ -84,6 +92,7 @@ module Dependabot
|
|
84
92
|
raise "Claimed to be a sub-dependency, but no lockfile exists!"
|
85
93
|
end
|
86
94
|
|
95
|
+
sig { returns(T::Array[DependencyFile]) }
|
87
96
|
def updated_pipfile_based_files
|
88
97
|
PipfileFileUpdater.new(
|
89
98
|
dependencies: dependencies,
|
@@ -93,6 +102,7 @@ module Dependabot
|
|
93
102
|
).updated_dependency_files
|
94
103
|
end
|
95
104
|
|
105
|
+
sig { returns(T::Array[DependencyFile]) }
|
96
106
|
def updated_poetry_based_files
|
97
107
|
PoetryFileUpdater.new(
|
98
108
|
dependencies: dependencies,
|
@@ -101,6 +111,7 @@ module Dependabot
|
|
101
111
|
).updated_dependency_files
|
102
112
|
end
|
103
113
|
|
114
|
+
sig { returns(T::Array[DependencyFile]) }
|
104
115
|
def updated_pip_compile_based_files
|
105
116
|
PipCompileFileUpdater.new(
|
106
117
|
dependencies: dependencies,
|
@@ -110,6 +121,7 @@ module Dependabot
|
|
110
121
|
).updated_dependency_files
|
111
122
|
end
|
112
123
|
|
124
|
+
sig { returns(T::Array[DependencyFile]) }
|
113
125
|
def updated_requirement_based_files
|
114
126
|
RequirementFileUpdater.new(
|
115
127
|
dependencies: dependencies,
|
@@ -119,6 +131,7 @@ module Dependabot
|
|
119
131
|
).updated_dependency_files
|
120
132
|
end
|
121
133
|
|
134
|
+
sig { returns(T::Array[String]) }
|
122
135
|
def pip_compile_index_urls
|
123
136
|
if credentials.any?(&:replaces_base?)
|
124
137
|
credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
|
@@ -130,6 +143,7 @@ module Dependabot
|
|
130
143
|
end
|
131
144
|
end
|
132
145
|
|
146
|
+
sig { override.void }
|
133
147
|
def check_required_files
|
134
148
|
filenames = dependency_files.map(&:name)
|
135
149
|
return if filenames.any? { |name| name.end_with?(".txt", ".in") }
|
@@ -141,31 +155,39 @@ module Dependabot
|
|
141
155
|
raise "Missing required files!"
|
142
156
|
end
|
143
157
|
|
158
|
+
sig { returns(T::Boolean) }
|
144
159
|
def poetry_based?
|
145
160
|
return false unless pyproject
|
146
161
|
|
147
|
-
!TomlRB.parse(pyproject
|
162
|
+
!TomlRB.parse(pyproject&.content).dig("tool", "poetry").nil?
|
148
163
|
end
|
149
164
|
|
165
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
150
166
|
def pipfile
|
151
|
-
@pipfile ||= get_original_file("Pipfile")
|
167
|
+
@pipfile ||= T.let(get_original_file("Pipfile"), T.nilable(Dependabot::DependencyFile))
|
152
168
|
end
|
153
169
|
|
170
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
154
171
|
def pipfile_lock
|
155
|
-
@pipfile_lock ||= get_original_file("Pipfile.lock")
|
172
|
+
@pipfile_lock ||= T.let(get_original_file("Pipfile.lock"), T.nilable(Dependabot::DependencyFile))
|
156
173
|
end
|
157
174
|
|
175
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
158
176
|
def pyproject
|
159
|
-
@pyproject ||= get_original_file("pyproject.toml")
|
177
|
+
@pyproject ||= T.let(get_original_file("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
|
160
178
|
end
|
161
179
|
|
180
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
162
181
|
def poetry_lock
|
163
|
-
@poetry_lock ||= get_original_file("poetry.lock")
|
182
|
+
@poetry_lock ||= T.let(get_original_file("poetry.lock"), T.nilable(Dependabot::DependencyFile))
|
164
183
|
end
|
165
184
|
|
185
|
+
sig { returns(T::Array[DependencyFile]) }
|
166
186
|
def pip_compile_files
|
167
|
-
@pip_compile_files ||=
|
168
|
-
dependency_files.select { |f| f.name.end_with?(".in") }
|
187
|
+
@pip_compile_files ||= T.let(
|
188
|
+
dependency_files.select { |f| f.name.end_with?(".in") },
|
189
|
+
T.nilable(T::Array[DependencyFile])
|
190
|
+
)
|
169
191
|
end
|
170
192
|
end
|
171
193
|
end
|
@@ -1,29 +1,35 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
module Dependabot
|
5
5
|
module Python
|
6
6
|
class PipCompileFileMatcher
|
7
|
+
extend T::Sig
|
8
|
+
|
9
|
+
sig { params(requirements_in_files: T::Array[Dependabot::Python::Requirement]).void }
|
7
10
|
def initialize(requirements_in_files)
|
8
11
|
@requirements_in_files = requirements_in_files
|
9
12
|
end
|
10
13
|
|
14
|
+
sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
|
11
15
|
def lockfile_for_pip_compile_file?(file)
|
12
16
|
return false unless requirements_in_files.any?
|
13
17
|
|
14
18
|
name = file.name
|
15
19
|
return false unless name.end_with?(".txt")
|
16
20
|
|
17
|
-
return true if file.content
|
21
|
+
return true if file.content&.match?(output_file_regex(name))
|
18
22
|
|
19
23
|
basename = name.gsub(/\.txt$/, "")
|
20
|
-
requirements_in_files.any? { |f| f.name == basename + ".in" }
|
24
|
+
requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
|
21
25
|
end
|
22
26
|
|
23
27
|
private
|
24
28
|
|
29
|
+
sig { returns(T::Array[Dependabot::Python::Requirement]) }
|
25
30
|
attr_reader :requirements_in_files
|
26
31
|
|
32
|
+
sig { params(filename: T.any(String, Symbol)).returns(String) }
|
27
33
|
def output_file_regex(filename)
|
28
34
|
"--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
|
29
35
|
end
|
@@ -20,6 +20,11 @@ module Dependabot
|
|
20
20
|
"===" => ->(v, r) { v.to_s == r.to_s }
|
21
21
|
)
|
22
22
|
|
23
|
+
# Override the lower bound logic for bump versions strategy.
|
24
|
+
BUMP_VERSIONS_OPS = OPS.merge(
|
25
|
+
">=" => ->(v, r) { v.to_s == r.to_s }
|
26
|
+
)
|
27
|
+
|
23
28
|
quoted = OPS.keys.sort_by(&:length).reverse
|
24
29
|
.map { |k| Regexp.quote(k) }.join("|")
|
25
30
|
version_pattern = Python::Version::VERSION_PATTERN
|
@@ -78,10 +83,10 @@ module Dependabot
|
|
78
83
|
super(requirements)
|
79
84
|
end
|
80
85
|
|
81
|
-
def satisfied_by?(version)
|
86
|
+
def satisfied_by?(version, ops = OPS)
|
82
87
|
version = Python::Version.new(version.to_s)
|
83
88
|
|
84
|
-
requirements.all? { |op, rv| (
|
89
|
+
requirements.all? { |op, rv| (ops[op] || ops["="]).call(version, rv) }
|
85
90
|
end
|
86
91
|
|
87
92
|
def exact?
|
@@ -278,14 +278,14 @@ module Dependabot
|
|
278
278
|
requirement_strings.map { |r| requirement_class.new(r) }
|
279
279
|
|
280
280
|
updated_requirement_strings = ruby_requirements.flat_map do |r|
|
281
|
-
next r.to_s if r.satisfied_by?(latest_resolvable_version)
|
281
|
+
next r.to_s if r.satisfied_by?(latest_resolvable_version, Requirement::BUMP_VERSIONS_OPS)
|
282
282
|
|
283
283
|
case op = r.requirements.first.first
|
284
284
|
when "<"
|
285
|
-
"
|
286
|
-
when "<="
|
287
|
-
"
|
288
|
-
when "!=", ">"
|
285
|
+
"#{op}#{update_greatest_version(r.requirements.first.last, latest_resolvable_version)}"
|
286
|
+
when "<=", ">="
|
287
|
+
"#{op}#{latest_resolvable_version}"
|
288
|
+
when "!=", ">"
|
289
289
|
raise UnfixableRequirement
|
290
290
|
else
|
291
291
|
raise "Unexpected op for unsatisfied requirement: #{op}"
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-python
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.265.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-07-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.265.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.265.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -288,7 +288,7 @@ licenses:
|
|
288
288
|
- MIT
|
289
289
|
metadata:
|
290
290
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
291
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
291
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.265.0
|
292
292
|
post_install_message:
|
293
293
|
rdoc_options: []
|
294
294
|
require_paths:
|