dependabot-python 0.279.0 → 0.281.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5bf717c8f68ca481074e67a3358e97f609347162e8ebdefb1b961af9b3d401b
-  data.tar.gz: b1565b6a609f5c0ed0aab1254cea234cd807c86bae05fcda662ebf2b13fbe480
+  metadata.gz: 1273f0793f6c0432a5a66468ec19a460c854eda211c935c45af189d1c7b11e9d
+  data.tar.gz: c938f342ad448550e12036631ecefe4623d5d16afebf21aa01bfe85a0c048ab2
 SHA512:
-  metadata.gz: 6d0928e2b3ec818b2de96783f85e25c3afd9df6c68e9aa10a85177a62e2794bad043b0dc6b174c8e5f5e020505c3e4a33d465e663aede6c7a23080acbf5b761f
-  data.tar.gz: 59598f676aff1150e4bd6db41c3911b05c0d056267309dedc1fa3bd49bce20d7d0e3d5c8a10e8d5838db14163fbae77461e7a7a7d3f705b539daa5b5b667c4ff
+  metadata.gz: a2ae4f68e9cdba267b00989165544e24384d8cd10b58c99802066214fb0b354a9c331af03e8b611a0195eda2d6d760c8cb354584b29b3a7b0d7f42e8e14067a7
+  data.tar.gz: 39a45d259c975b32debd5f3d21edd53622fb863630da7fe0bdafb6170f6adde5e3f556c36896cac357475b14797ac878855c4b9d171f7d29799bc8bd8ac20854

data/lib/dependabot/python/requirement.rb

@@ -36,7 +36,17 @@ module Dependabot
           line = matches[1]
         end
 
-        unless (matches = PATTERN.match(line))
+        pattern = PATTERN
+
+        if Dependabot::Experiments.enabled?(:python_new_version)
+          quoted = OPS.keys.sort_by(&:length).reverse
+                      .map { |k| Regexp.quote(k) }.join("|")
+          version_pattern = Python::Version::NEW_VERSION_PATTERN
+          pattern_raw = "\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze
+          pattern = /\A#{pattern_raw}\z/
+        end
+
+        unless (matches = pattern.match(line))
           msg = "Illformed requirement [#{obj.inspect}]"
           raise BadRequirementError, msg
         end
@@ -128,7 +138,8 @@ module Dependabot
         upper_bound = parts.map.with_index do |part, i|
           if i < first_non_zero_index then part
           elsif i == first_non_zero_index then (part.to_i + 1).to_s
-          elsif i > first_non_zero_index && i == 2 then "0.a"
+          # .dev has lowest precedence: https://packaging.python.org/en/latest/specifications/version-specifiers/#summary-of-permitted-suffixes-and-relative-ordering
+          elsif i > first_non_zero_index && i == 2 then "0.dev"
           else
             0
           end
@@ -151,7 +162,7 @@ module Dependabot
                   .first(req_string.split(".").index { |s| s.include?("*") } + 1)
                   .join(".")
                   .gsub(/\*(?!$)/, "0")
-                  .gsub(/\*$/, "0.a")
+                  .gsub(/\*$/, "0.dev")
                   .tap { |s| exact_op ? s.gsub!(/^(?<!!)=*/, "~>") : s }
       end
     end

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -353,8 +353,21 @@ module Dependabot
       # package version mentioned in .toml not found in package index
       PACKAGE_NOT_FOUND = /Package (?<pkg>.*) ((?<req_ver>.*)) not found./
 
-      # error code 401 while accessing registry
-      ERROR_401 = /401 Client Error/
+      # client access error codes while accessing package index
+      CLIENT_ERROR_CODES = T.let({
+        error401: /401 Client Error/,
+        error403: /403 Client Error/,
+        error404: /404 Client Error/,
+        http403: /HTTP error 403/,
+        http404: /HTTP error 404/
+      }.freeze, T::Hash[T.nilable(String), Regexp])
+
+      # server response error codes while accessing package index
+      SERVER_ERROR_CODES = T.let({
+        server502: /502 Server Error/,
+        server503: /503 Server Error/,
+        server504: /504 Server Error/
+      }.freeze, T::Hash[T.nilable(String), Regexp])
 
       sig do
         params(
@@ -386,6 +399,8 @@ module Dependabot
 
       public
 
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { params(error: Exception).void }
       def handle_poetry_error(error)
         Dependabot.logger.warn(error.message)
@@ -403,11 +418,22 @@ module Dependabot
 
         raise DependencyFileNotResolvable, error.message if error.message.match(PYTHON_RANGE_NOT_SATISFIED)
 
-        return unless error.message.match?(ERROR_401)
+        SERVER_ERROR_CODES.each do |(_error_codes, error_regex)|
+          next unless error.message.match?(error_regex)
 
-        url = URI.extract(error.message).first.then { sanitize_url(_1) }
-        raise PrivateSourceAuthenticationFailure, url
+          index_url = URI.extract(error.message.to_s).last .then { sanitize_url(_1) }
+          raise InconsistentRegistryResponse, index_url
+        end
+
+        CLIENT_ERROR_CODES.each do |(_error_codes, error_regex)|
+          next unless error.message.match?(error_regex)
+
+          index_url = URI.extract(error.message.to_s).last .then { sanitize_url(_1) }
+          raise PrivateSourceAuthenticationFailure, index_url
+        end
       end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
     end
   end
 end

data/lib/dependabot/python/version.rb

@@ -4,71 +4,333 @@
 require "dependabot/version"
 require "dependabot/utils"
 
-# Python versions can include a local version identifier, which Ruby can't
-# parse. This class augments Gem::Version with local version identifier info.
-# See https://www.python.org/dev/peps/pep-0440 for details.
+# See https://packaging.python.org/en/latest/specifications/version-specifiers for spec details.
 
 module Dependabot
   module Python
     class Version < Dependabot::Version
+      sig { returns(Integer) }
       attr_reader :epoch
+
+      sig { returns(T::Array[Integer]) }
+      attr_reader :release_segment
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :dev
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :pre
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :post
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :local
+
       attr_reader :local_version
       attr_reader :post_release_version
 
+      INFINITY = 1000
+      NEGATIVE_INFINITY = -INFINITY
+
       # See https://peps.python.org/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions
+      NEW_VERSION_PATTERN = /
+        v?
+        (?:
+          (?:(?<epoch>[0-9]+)!)?                          # epoch
+          (?<release>[0-9]+(?:\.[0-9]+)*)                 # release
+          (?<pre>                                         # prerelease
+            [-_\.]?
+            (?<pre_l>(a|b|c|rc|alpha|beta|pre|preview))
+            [-_\.]?
+            (?<pre_n>[0-9]+)?
+          )?
+          (?<post>                                        # post release
+            (?:-(?<post_n1>[0-9]+))
+            |
+            (?:
+                [-_\.]?
+                (?<post_l>post|rev|r)
+                [-_\.]?
+                (?<post_n2>[0-9]+)?
+            )
+          )?
+          (?<dev>                                          # dev release
+            [-_\.]?
+            (?<dev_l>dev)
+            [-_\.]?
+            (?<dev_n>[0-9]+)?
+          )?
+        )
+        (?:\+(?<local>[a-z0-9]+(?:[-_\.][a-z0-9]+)*))?    # local version
+      /ix
+
       VERSION_PATTERN = 'v?([1-9][0-9]*!)?[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
                         '(-[0-9A-Za-z]+(\.[0-9a-zA-Z]+)*)?' \
                         '(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?'
-      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
+      ANCHORED_VERSION_PATTERN = /\A\s*#{VERSION_PATTERN}\s*\z/
+
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
       def self.correct?(version)
         return false if version.nil?
 
-        version.to_s.match?(ANCHORED_VERSION_PATTERN)
+        if Dependabot::Experiments.enabled?(:python_new_version)
+          version.to_s.match?(/\A\s*#{NEW_VERSION_PATTERN}\s*\z/o)
+        else
+          version.to_s.match?(ANCHORED_VERSION_PATTERN)
+        end
       end
 
-      def initialize(version)
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version) # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
+        raise Dependabot::BadRequirementError, "Malformed version string - string is nil" if version.nil?
+
         @version_string = version.to_s
-        version, @local_version = @version_string.split("+")
-        version ||= ""
-        version = version.gsub(/^v/, "")
-        if version.include?("!")
-          @epoch, version = version.split("!")
+
+        raise Dependabot::BadRequirementError, "Malformed version string - string is empty" if @version_string.empty?
+
+        matches = anchored_version_pattern.match(@version_string.downcase)
+
+        unless matches
+          raise Dependabot::BadRequirementError,
+                "Malformed version string - #{@version_string} does not match regex"
+        end
+
+        if Dependabot::Experiments.enabled?(:python_new_version)
+          @epoch = matches["epoch"].to_i
+          @release_segment = matches["release"]&.split(".")&.map(&:to_i) || []
+          @pre = parse_letter_version(matches["pre_l"], matches["pre_n"])
+          @post = parse_letter_version(matches["post_l"], matches["post_n1"] || matches["post_n2"])
+          @dev = parse_letter_version(matches["dev_l"], matches["dev_n"])
+          @local = parse_local_version(matches["local"])
+          super(matches["release"] || "")
         else
-          @epoch = "0"
+          version, @local_version = @version_string.split("+")
+          version ||= ""
+          version = version.gsub(/^v/, "")
+          if version.include?("!")
+            epoch, version = version.split("!")
+            @epoch = epoch.to_i
+          else
+            @epoch = 0
+          end
+          version = normalise_prerelease(version)
+          version, @post_release_version = version.split(/\.r(?=\d)/)
+          version ||= ""
+          @local_version = normalise_prerelease(@local_version) if @local_version
+          super
         end
-        version = normalise_prerelease(version)
-        version, @post_release_version = version.split(/\.r(?=\d)/)
-        version ||= ""
-        @local_version = normalise_prerelease(@local_version) if @local_version
-        super
       end
 
+      sig { override.params(version: VersionParameter).returns(Dependabot::Python::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Python::Version)
+      end
+
+      sig { returns(String) }
       def to_s
         @version_string
       end
 
+      sig { returns(String) }
       def inspect # :nodoc:
         "#<#{self.class} #{@version_string}>"
       end
 
-      def <=>(other)
-        other = Version.new(other.to_s) unless other.is_a?(Python::Version)
+      sig { returns(T::Boolean) }
+      def prerelease?
+        return super unless Dependabot::Experiments.enabled?(:python_new_version)
 
-        epoch_comparison = epoch_comparison(other)
-        return epoch_comparison unless epoch_comparison.zero?
+        !!(pre || dev)
+      end
+
+      sig { returns(T.any(Gem::Version, Dependabot::Python::Version)) }
+      def release
+        return super unless Dependabot::Experiments.enabled?(:python_new_version)
+
+        Dependabot::Python::Version.new(release_segment.join("."))
+      end
+
+      sig { params(other: VersionParameter).returns(Integer) }
+      def <=>(other) # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
+        other = Dependabot::Python::Version.new(other.to_s) unless other.is_a?(Dependabot::Python::Version)
+        other = T.cast(other, Dependabot::Python::Version)
 
-        version_comparison = super
-        return version_comparison unless version_comparison&.zero?
+        if Dependabot::Experiments.enabled?(:python_new_version)
+          epoch_comparison = epoch <=> other.epoch
+          return epoch_comparison unless epoch_comparison.zero?
 
-        post_version_comparison = post_version_comparison(other)
-        return post_version_comparison unless post_version_comparison.zero?
+          release_comparison = release_version_comparison(other)
+          return release_comparison unless release_comparison.zero?
+
+          pre_comparison = compare_keys(pre_cmp_key, other.pre_cmp_key)
+          return pre_comparison unless pre_comparison.zero?
+
+          post_comparison = compare_keys(post_cmp_key, other.post_cmp_key)
+          return post_comparison unless post_comparison.zero?
+
+          dev_comparison = compare_keys(dev_cmp_key, other.dev_cmp_key)
+          return dev_comparison unless dev_comparison.zero?
+
+          compare_keys(local_cmp_key, other.local_cmp_key)
+        else
+          epoch_comparison = epoch_comparison(other)
+          return epoch_comparison unless epoch_comparison.zero?
 
-        local_version_comparison(other)
+          version_comparison = super
+          return T.must(version_comparison) unless version_comparison&.zero?
+
+          post_version_comparison = post_version_comparison(other)
+          return post_version_comparison unless post_version_comparison.zero?
+
+          local_version_comparison(other)
+        end
+      end
+
+      sig do
+        params(
+          key: T.any(Integer, T::Array[T.any(String, Integer)]),
+          other_key: T.any(Integer, T::Array[T.any(String, Integer)])
+        ).returns(Integer)
+      end
+      def compare_keys(key, other_key)
+        if key.is_a?(Integer) && other_key.is_a?(Integer)
+          key <=> other_key
+        elsif key.is_a?(Array) && other_key.is_a?(Array)
+          key <=> other_key
+        elsif key.is_a?(Integer)
+          key == NEGATIVE_INFINITY ? -1 : 1
+        elsif other_key.is_a?(Integer)
+          other_key == NEGATIVE_INFINITY ? 1 : -1
+        end
+      end
+
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def pre_cmp_key
+        if pre.nil? && post.nil? && dev # sort 1.0.dev0 before 1.0a0
+          NEGATIVE_INFINITY
+        elsif pre.nil?
+          INFINITY # versions without a pre-release should sort after those with one.
+        else
+          T.must(pre)
+        end
+      end
+
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def local_cmp_key
+        if local.nil?
+          # Versions without a local segment should sort before those with one.
+          NEGATIVE_INFINITY
+        else
+          # According to PEP440.
+          # - Alphanumeric segments sort before numeric segments
+          # - Alphanumeric segments sort lexicographically
+          # - Numeric segments sort numerically
+          # - Shorter versions sort before longer versions when the prefixes match exactly
+          local&.map do |token|
+            if token.is_a?(Integer)
+              [token, ""]
+            else
+              [NEGATIVE_INFINITY, token]
+            end
+          end
+        end
+      end
+
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def post_cmp_key
+        # Versions without a post segment should sort before those with one.
+        return NEGATIVE_INFINITY if post.nil?
+
+        T.must(post)
+      end
+
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def dev_cmp_key
+        # Versions without a dev segment should sort after those with one.
+        return INFINITY if dev.nil?
+
+        T.must(dev)
       end
 
       private
 
+      sig { params(other: Dependabot::Python::Version).returns(Integer) }
+      def release_version_comparison(other)
+        tokens, other_tokens = pad_for_comparison(release_segment, other.release_segment)
+        tokens <=> other_tokens
+      end
+
+      sig do
+        params(
+          tokens: T::Array[Integer],
+          other_tokens: T::Array[Integer]
+        ).returns(T::Array[T::Array[Integer]])
+      end
+      def pad_for_comparison(tokens, other_tokens)
+        tokens = tokens.dup
+        other_tokens = other_tokens.dup
+
+        longer = [tokens, other_tokens].max_by(&:count)
+        shorter = [tokens, other_tokens].min_by(&:count)
+
+        difference = T.must(longer).length - T.must(shorter).length
+
+        difference.times { T.must(shorter) << 0 }
+
+        [tokens, other_tokens]
+      end
+
+      sig { params(local: T.nilable(String)).returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      def parse_local_version(local)
+        return if local.nil?
+
+        # Takes a string like abc.1.twelve and turns it into ["abc", 1, "twelve"]
+        local.split(/[\._-]/).map { |s| /^\d+$/.match?(s) ? s.to_i : s }
+      end
+
+      sig do
+        params(
+          letter: T.nilable(String), number: T.nilable(String)
+        ).returns(T.nilable(T::Array[T.any(String, Integer)]))
+      end
+      def parse_letter_version(letter = nil, number = nil)
+        return if letter.nil? && number.nil?
+
+        if letter
+          # Implicit 0 for cases where prerelease has no numeral
+          number ||= 0
+
+          # Normalize alternate spellings
+          if letter == "alpha"
+            letter = "a"
+          elsif letter == "beta"
+            letter = "b"
+          elsif %w(c pre preview).include? letter
+            letter = "rc"
+          elsif %w(rev r).include? letter
+            letter = "post"
+          end
+
+          return letter, number.to_i
+        end
+
+        # Number but no letter i.e. implicit post release syntax (e.g. 1.0-1)
+        letter = "post"
+
+        [letter, number.to_i]
+      end
+
+      sig { returns(Regexp) }
+      def anchored_version_pattern
+        if Dependabot::Experiments.enabled?(:python_new_version)
+          /\A\s*#{NEW_VERSION_PATTERN}\s*\z/o
+        else
+          ANCHORED_VERSION_PATTERN
+        end
+      end
+
       def epoch_comparison(other)
         epoch.to_i <=> other.epoch.to_i
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.279.0
+  version: 0.281.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-03 00:00:00.000000000 Z
+date: 2024-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.279.0
+        version: 0.281.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.279.0
+        version: 0.281.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.1
+        version: 0.8.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.1
+        version: 0.8.5
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -288,7 +288,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.279.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.281.0
 post_install_message: 
 rdoc_options: []
 require_paths: