dependabot-python 0.280.0 → 0.282.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 769029ca498ad0bf57b8e8a3f7470dded08b67253371747cdc2cd14f19733660
-  data.tar.gz: '05984613c4a3eb2298b755c4e96287c4d1b15a94553a378ab31b8992d20151b7'
+  metadata.gz: cb78159e578c1979c167b0539aef17d508c9a07b17b257c05a7d177a3c543d56
+  data.tar.gz: 31e6e4a5c352927c54cca8ef0a9b69265737d1739e9d85622aab8fba4b9e5ac3
 SHA512:
-  metadata.gz: c3de2cf52a0326efb5e91b045001bfca0f25574394425f70ab59b7c6fe15f9618f690cfd847e8736c81b29d3e8fd28e5524931db4f9bad90171f8daffeeafad3
-  data.tar.gz: d47f611d5f940b9c420f727d2f44d19308a7317a6ca799e86a29369401c64c6e833020f4279a991515ecfe3dcf6c3522d5b0d9aea8a282cbcc181b3a2d3c303a
+  metadata.gz: 4a15a3f16e2e68aa7c35d2fc3c011e88210a483cc13b7676e6412a035b8dac2abc831f395074185ca21e4bc020aa0cc775bb8d4b8efb3dda2be0332612bdf3f7
+  data.tar.gz: a241cbe9a4b2bab87b9daa50ad2e3ff357b2890f4ecb3f540a97350d44e7a24bd39dcfa660f9d2777d950834ab114ff54183255e35e8edfb22b1daeea92c74ae

data/lib/dependabot/python/language_version_manager.rb

@@ -11,9 +11,9 @@ module Dependabot
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
         3.12.5
         3.11.9
-        3.10.13
+        3.10.15
         3.9.18
-        3.8.18
+        3.8.20
       ).freeze
 
       def initialize(python_requirement_parser:)

data/lib/dependabot/python/requirement.rb

@@ -24,7 +24,7 @@ module Dependabot
                   .map { |k| Regexp.quote(k) }.join("|")
       version_pattern = Python::Version::VERSION_PATTERN
 
-      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze
+      PATTERN_RAW = "\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze
       PATTERN = /\A#{PATTERN_RAW}\z/
       PARENS_PATTERN = /\A\(([^)]+)\)\z/
 
@@ -41,9 +41,9 @@ module Dependabot
           raise BadRequirementError, msg
         end
 
-        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+        return DefaultRequirement if matches[:op] == ">=" && matches[:version] == "0"
 
-        [matches[1] || "=", Python::Version.new(T.must(matches[2]))]
+        [matches[:op] || "=", Python::Version.new(T.must(matches[:version]))]
       end
 
       # Returns an array of requirements. At least one requirement from the
@@ -128,7 +128,8 @@ module Dependabot
         upper_bound = parts.map.with_index do |part, i|
           if i < first_non_zero_index then part
           elsif i == first_non_zero_index then (part.to_i + 1).to_s
-          elsif i > first_non_zero_index && i == 2 then "0.a"
+          # .dev has lowest precedence: https://packaging.python.org/en/latest/specifications/version-specifiers/#summary-of-permitted-suffixes-and-relative-ordering
+          elsif i > first_non_zero_index && i == 2 then "0.dev"
           else
             0
           end
@@ -151,7 +152,7 @@ module Dependabot
                   .first(req_string.split(".").index { |s| s.include?("*") } + 1)
                   .join(".")
                   .gsub(/\*(?!$)/, "0")
-                  .gsub(/\*$/, "0.a")
+                  .gsub(/\*$/, "0.dev")
                   .tap { |s| exact_op ? s.gsub!(/^(?<!!)=*/, "~>") : s }
       end
     end

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -159,10 +159,7 @@ module Dependabot
         end
 
         def wants_prerelease?
-          if dependency.version
-            version = version_class.new(dependency.version.tr("+", "."))
-            return version.prerelease?
-          end
+          return version_class.new(dependency.version).prerelease? if dependency.version
 
           dependency.requirements.any? do |req|
             reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)

data/lib/dependabot/python/version.rb

@@ -4,119 +4,282 @@
 require "dependabot/version"
 require "dependabot/utils"
 
-# Python versions can include a local version identifier, which Ruby can't
-# parse. This class augments Gem::Version with local version identifier info.
-# See https://www.python.org/dev/peps/pep-0440 for details.
+# See https://packaging.python.org/en/latest/specifications/version-specifiers for spec details.
 
 module Dependabot
   module Python
     class Version < Dependabot::Version
+      sig { returns(Integer) }
       attr_reader :epoch
-      attr_reader :local_version
-      attr_reader :post_release_version
+
+      sig { returns(T::Array[Integer]) }
+      attr_reader :release_segment
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :dev
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :pre
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :post
+
+      sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      attr_reader :local
+
+      INFINITY = 1000
+      NEGATIVE_INFINITY = -INFINITY
 
       # See https://peps.python.org/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions
-      VERSION_PATTERN = 'v?([1-9][0-9]*!)?[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
-                        '(-[0-9A-Za-z]+(\.[0-9a-zA-Z]+)*)?' \
-                        '(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?'
-      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+      VERSION_PATTERN = /
+        v?
+        (?:
+          (?:(?<epoch>[0-9]+)!)?                          # epoch
+          (?<release>[0-9]+(?:\.[0-9]+)*)                 # release
+          (?<pre>                                         # prerelease
+            [-_\.]?
+            (?<pre_l>(a|b|c|rc|alpha|beta|pre|preview))
+            [-_\.]?
+            (?<pre_n>[0-9]+)?
+          )?
+          (?<post>                                        # post release
+            (?:-(?<post_n1>[0-9]+))
+            |
+            (?:
+                [-_\.]?
+                (?<post_l>post|rev|r)
+                [-_\.]?
+                (?<post_n2>[0-9]+)?
+            )
+          )?
+          (?<dev>                                          # dev release
+            [-_\.]?
+            (?<dev_l>dev)
+            [-_\.]?
+            (?<dev_n>[0-9]+)?
+          )?
+        )
+        (?:\+(?<local>[a-z0-9]+(?:[-_\.][a-z0-9]+)*))?    # local version
+      /ix
+
+      ANCHORED_VERSION_PATTERN = /\A\s*#{VERSION_PATTERN}\s*\z/
 
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
       def self.correct?(version)
         return false if version.nil?
 
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
 
+      sig { override.params(version: VersionParameter).void }
       def initialize(version)
+        raise Dependabot::BadRequirementError, "Malformed version string - string is nil" if version.nil?
+
         @version_string = version.to_s
-        version, @local_version = @version_string.split("+")
-        version ||= ""
-        version = version.gsub(/^v/, "")
-        if version.include?("!")
-          @epoch, version = version.split("!")
-        else
-          @epoch = "0"
+
+        raise Dependabot::BadRequirementError, "Malformed version string - string is empty" if @version_string.empty?
+
+        matches = ANCHORED_VERSION_PATTERN.match(@version_string.downcase)
+
+        unless matches
+          raise Dependabot::BadRequirementError,
+                "Malformed version string - #{@version_string} does not match regex"
         end
-        version = normalise_prerelease(version)
-        version, @post_release_version = version.split(/\.r(?=\d)/)
-        version ||= ""
-        @local_version = normalise_prerelease(@local_version) if @local_version
-        super
+
+        @epoch = matches["epoch"].to_i
+        @release_segment = matches["release"]&.split(".")&.map(&:to_i) || []
+        @pre = parse_letter_version(matches["pre_l"], matches["pre_n"])
+        @post = parse_letter_version(matches["post_l"], matches["post_n1"] || matches["post_n2"])
+        @dev = parse_letter_version(matches["dev_l"], matches["dev_n"])
+        @local = parse_local_version(matches["local"])
+        super(matches["release"] || "")
       end
 
+      sig { override.params(version: VersionParameter).returns(Dependabot::Python::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Python::Version)
+      end
+
+      sig { returns(String) }
       def to_s
         @version_string
       end
 
+      sig { returns(String) }
       def inspect # :nodoc:
         "#<#{self.class} #{@version_string}>"
       end
 
+      sig { returns(T::Boolean) }
+      def prerelease?
+        !!(pre || dev)
+      end
+
+      sig { returns(Dependabot::Python::Version) }
+      def release
+        Dependabot::Python::Version.new(release_segment.join("."))
+      end
+
+      sig { params(other: VersionParameter).returns(Integer) }
       def <=>(other)
-        other = Version.new(other.to_s) unless other.is_a?(Python::Version)
+        other = Dependabot::Python::Version.new(other.to_s) unless other.is_a?(Dependabot::Python::Version)
+        other = T.cast(other, Dependabot::Python::Version)
 
-        epoch_comparison = epoch_comparison(other)
+        epoch_comparison = epoch <=> other.epoch
         return epoch_comparison unless epoch_comparison.zero?
 
-        version_comparison = super
-        return version_comparison unless version_comparison&.zero?
+        release_comparison = release_version_comparison(other)
+        return release_comparison unless release_comparison.zero?
 
-        post_version_comparison = post_version_comparison(other)
-        return post_version_comparison unless post_version_comparison.zero?
+        pre_comparison = compare_keys(pre_cmp_key, other.pre_cmp_key)
+        return pre_comparison unless pre_comparison.zero?
 
-        local_version_comparison(other)
+        post_comparison = compare_keys(post_cmp_key, other.post_cmp_key)
+        return post_comparison unless post_comparison.zero?
+
+        dev_comparison = compare_keys(dev_cmp_key, other.dev_cmp_key)
+        return dev_comparison unless dev_comparison.zero?
+
+        compare_keys(local_cmp_key, other.local_cmp_key)
       end
 
-      private
+      sig do
+        params(
+          key: T.any(Integer, T::Array[T.any(String, Integer)]),
+          other_key: T.any(Integer, T::Array[T.any(String, Integer)])
+        ).returns(Integer)
+      end
+      def compare_keys(key, other_key)
+        if key.is_a?(Integer) && other_key.is_a?(Integer)
+          key <=> other_key
+        elsif key.is_a?(Array) && other_key.is_a?(Array)
+          key <=> other_key
+        elsif key.is_a?(Integer)
+          key == NEGATIVE_INFINITY ? -1 : 1
+        elsif other_key.is_a?(Integer)
+          other_key == NEGATIVE_INFINITY ? 1 : -1
+        end
+      end
 
-      def epoch_comparison(other)
-        epoch.to_i <=> other.epoch.to_i
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def pre_cmp_key
+        if pre.nil? && post.nil? && dev # sort 1.0.dev0 before 1.0a0
+          NEGATIVE_INFINITY
+        elsif pre.nil?
+          INFINITY # versions without a pre-release should sort after those with one.
+        else
+          T.must(pre)
+        end
       end
 
-      def post_version_comparison(other)
-        unless other.post_release_version
-          return post_release_version.nil? ? 0 : 1
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def local_cmp_key
+        if local.nil?
+          # Versions without a local segment should sort before those with one.
+          NEGATIVE_INFINITY
+        else
+          # According to PEP440.
+          # - Alphanumeric segments sort before numeric segments
+          # - Alphanumeric segments sort lexicographically
+          # - Numeric segments sort numerically
+          # - Shorter versions sort before longer versions when the prefixes match exactly
+          local&.map do |token|
+            if token.is_a?(Integer)
+              [token, ""]
+            else
+              [NEGATIVE_INFINITY, token]
+            end
+          end
         end
+      end
+
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def post_cmp_key
+        # Versions without a post segment should sort before those with one.
+        return NEGATIVE_INFINITY if post.nil?
+
+        T.must(post)
+      end
+
+      sig { returns(T.any(Integer, T::Array[T.any(String, Integer)])) }
+      def dev_cmp_key
+        # Versions without a dev segment should sort after those with one.
+        return INFINITY if dev.nil?
+
+        T.must(dev)
+      end
+
+      sig { returns(String) }
+      def lowest_prerelease_suffix
+        "dev0"
+      end
 
-        return -1 if post_release_version.nil?
+      private
+
+      sig { params(other: Dependabot::Python::Version).returns(Integer) }
+      def release_version_comparison(other)
+        tokens, other_tokens = pad_for_comparison(release_segment, other.release_segment)
+        tokens <=> other_tokens
+      end
 
-        post_release_version.to_i <=> other.post_release_version.to_i
+      sig do
+        params(
+          tokens: T::Array[Integer],
+          other_tokens: T::Array[Integer]
+        ).returns(T::Array[T::Array[Integer]])
       end
+      def pad_for_comparison(tokens, other_tokens)
+        tokens = tokens.dup
+        other_tokens = other_tokens.dup
 
-      def local_version_comparison(other)
-        # Local version comparison works differently in Python: `1.0.beta`
-        # compares as greater than `1.0`. To accommodate, we make the
-        # strings the same length before comparing.
-        lhsegments = local_version.to_s.split(".").map(&:downcase)
-        rhsegments = other.local_version.to_s.split(".").map(&:downcase)
-        limit = [lhsegments.count, rhsegments.count].min
+        longer = [tokens, other_tokens].max_by(&:count)
+        shorter = [tokens, other_tokens].min_by(&:count)
 
-        lhs = ["1", *lhsegments.first(limit)].join(".")
-        rhs = ["1", *rhsegments.first(limit)].join(".")
+        difference = T.must(longer).length - T.must(shorter).length
+
+        difference.times { T.must(shorter) << 0 }
+
+        [tokens, other_tokens]
+      end
 
-        local_comparison = Gem::Version.new(lhs) <=> Gem::Version.new(rhs)
+      sig { params(local: T.nilable(String)).returns(T.nilable(T::Array[T.any(String, Integer)])) }
+      def parse_local_version(local)
+        return if local.nil?
 
-        return local_comparison unless local_comparison&.zero?
+        # Takes a string like abc.1.twelve and turns it into ["abc", 1, "twelve"]
+        local.split(/[\._-]/).map { |s| /^\d+$/.match?(s) ? s.to_i : s }
+      end
 
-        lhsegments.count <=> rhsegments.count
+      sig do
+        params(
+          letter: T.nilable(String), number: T.nilable(String)
+        ).returns(T.nilable(T::Array[T.any(String, Integer)]))
       end
+      def parse_letter_version(letter = nil, number = nil)
+        return if letter.nil? && number.nil?
+
+        if letter
+          # Implicit 0 for cases where prerelease has no numeral
+          number ||= 0
+
+          # Normalize alternate spellings
+          if letter == "alpha"
+            letter = "a"
+          elsif letter == "beta"
+            letter = "b"
+          elsif %w(c pre preview).include? letter
+            letter = "rc"
+          elsif %w(rev r).include? letter
+            letter = "post"
+          end
+
+          return letter, number.to_i
+        end
+
+        # Number but no letter i.e. implicit post release syntax (e.g. 1.0-1)
+        letter = "post"
 
-      def normalise_prerelease(version)
-        # Python has reserved words for release states, which are treated
-        # as equal (e.g., preview, pre and rc).
-        # Further, Python treats dashes as a separator between version
-        # parts and treats the alphabetical characters in strings as the
-        # start of a new version part (so 1.1a2 == 1.1.alpha.2).
-        version
-          .gsub("alpha", "a")
-          .gsub("beta", "b")
-          .gsub("preview", "c")
-          .gsub("pre", "c")
-          .gsub("post", "r")
-          .gsub("rev", "r")
-          .gsub(/([\d.\-_])rc([\d.\-_])?/, '\1c\2')
-          .tr("-", ".")
-          .gsub(/(\d)([a-z])/i, '\1.\2')
+        [letter, number.to_i]
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.280.0
+  version: 0.282.0
 platform: ruby
 authors:
 - Dependabot
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-10 00:00:00.000000000 Z
+date: 2024-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.280.0
+        version: 0.282.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.280.0
+        version: 0.282.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,28 +114,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.65.0
+        version: 1.67.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.65.0
+        version: 1.67.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.21.0
+        version: 1.22.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.21.0
+        version: 1.22.1
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
@@ -288,8 +288,8 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.280.0
-post_install_message:
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.282.0
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -305,7 +305,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 3.1.0
 requirements: []
 rubygems_version: 3.5.9
-signing_key:
+signing_key: 
 specification_version: 4
 summary: Provides Dependabot support for Python
 test_files: []