dependabot-python 0.291.0 → 0.293.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d57699e8c42eda7ada8f63802fbe0c3166d8a355df41ce374098686be3ae0f95
-  data.tar.gz: 8f1c09c2d0a06a96fe8ce50d9f5783b1d48e64162f1b5ffce5e788d0fb4fbe70
+  metadata.gz: b25ebaf8e9c7ec713cdc0ed55d0447bc0550e6889f1b948626514eb956da21fe
+  data.tar.gz: 5fa5ef854bd4291ace811e78ce5e48dd33fa34a6dbccc3df13ca993fd67def1c
 SHA512:
-  metadata.gz: 7e8530e6cd29ad3c3c9d5626e4d6da634057974ffe3ea0b431e7930129f7096377021d3891046d88c0b87e6245b2eedd91ebc3b3da752da40ffd00350fb7eac7
-  data.tar.gz: 67d187f890dd253e56567fe51f5d0124a466e11b046caf8d0843364c901d8baad4164b617589402b7d6d8b4fd075554bcd50cbfc46f2047538dda09383f70373
+  metadata.gz: a06decf5a991d84e80b454307fdb269927619e24f295a5c759b5403e7cc036d6f143a87d6b0718fb3bcfb9460d625fc3a13acf8aa8bf2c7054205afb25ca1436
+  data.tar.gz: cd14d822f9f00215a89f0baa2cbcff208e88d04c5c72d6dc18759e6caf974b0f1112625bc37305ebc029c188bc26616d836ad5dc1ca739f8dc7dee4e640679ff

data/lib/dependabot/python/file_parser.rb

@@ -21,6 +21,7 @@ module Dependabot
       require_relative "file_parser/pipfile_files_parser"
       require_relative "file_parser/pyproject_files_parser"
       require_relative "file_parser/setup_file_parser"
+      require_relative "file_parser/python_requirement_parser"
 
       DEPENDENCY_GROUP_KEYS = [
         {
@@ -217,9 +218,17 @@ module Dependabot
         language_version_manager.python_version
       end
 
+      sig { returns(String) }
+      def python_command_version
+        language_version_manager.installed_version
+      end
+
       sig { returns(T.nilable(Ecosystem::VersionManager)) }
       def language
-        Language.new(python_raw_version)
+        Language.new(
+          detected_version: python_raw_version,
+          raw_version: python_command_version
+        )
       end
 
       def requirement_files
@@ -293,10 +302,58 @@ module Dependabot
 
       def blocking_marker?(dep)
         return false if dep["markers"] == "None"
-        return true if dep["markers"].include?("<")
-        return false if dep["markers"].include?(">")
 
-        dep["requirement"]&.include?("<")
+        marker = dep["markers"]
+        version = python_raw_version
+
+        if marker.include?("python_version")
+          !marker_satisfied?(marker, version)
+        else
+          return true if dep["markers"].include?("<")
+          return false if dep["markers"].include?(">")
+
+          dep["requirement"]&.include?("<")
+        end
+      end
+
+      def marker_satisfied?(marker, python_version)
+        conditions = marker.split(/\s+(and|or)\s+/)
+
+        # Explicitly define the type of result as T::Boolean
+        result = T.let(evaluate_condition(conditions.shift, python_version), T::Boolean)
+
+        until conditions.empty?
+          operator = conditions.shift
+          next_condition = conditions.shift
+          next_result = evaluate_condition(next_condition, python_version)
+
+          result = if operator == "and"
+                     result && next_result
+                   else
+                     result || next_result
+                   end
+        end
+
+        result
+      end
+
+      def evaluate_condition(condition, python_version)
+        operator, version = condition.match(/([<>=!]=?)\s*"?([\d.]+)"?/)&.captures
+
+        case operator
+        when "<"
+          Dependabot::Python::Version.new(python_version) < Dependabot::Python::Version.new(version)
+        when "<="
+          Dependabot::Python::Version.new(python_version) <= Dependabot::Python::Version.new(version)
+        when ">"
+          Dependabot::Python::Version.new(python_version) > Dependabot::Python::Version.new(version)
+        when ">="
+          Dependabot::Python::Version.new(python_version) >= Dependabot::Python::Version.new(version)
+        when "=="
+          Dependabot::Python::Version.new(python_version) == Dependabot::Python::Version.new(version)
+        else
+          false
+        end
       end
 
       def setup_file_dependencies
@@ -337,7 +394,7 @@ module Dependabot
       end
 
       def pipcompile_in_file
-        requirement_files.any? { |f| f.end_with?(".in") }
+        requirement_files.any? { |f| f.name.end_with?(PipCompilePackageManager::MANIFEST_FILENAME) }
       end
 
       def pipenv_files

data/lib/dependabot/python/file_updater/requirement_replacer.rb

@@ -14,6 +14,8 @@ module Dependabot
       class RequirementReplacer
         PACKAGE_NOT_FOUND_ERROR = "PackageNotFoundError"
 
+        CERTIFICATE_VERIFY_FAILED = /CERTIFICATE_VERIFY_FAILED/
+
         def initialize(content:, dependency_name:, old_requirement:,
                        new_requirement:, new_hash_version: nil, index_urls: nil)
           @content          = content
@@ -153,6 +155,8 @@ module Dependabot
                 args: args
               )
             rescue SharedHelpers::HelperSubprocessFailed => e
+              requirement_error_handler(e)
+
               raise unless e.message.include?("PackageNotFoundError")
 
               next
@@ -193,6 +197,17 @@ module Dependabot
           req1&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort ==
             req2&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort
         end
+
+        public
+
+        def requirement_error_handler(error)
+          Dependabot.logger.warn(error.message)
+
+          return unless error.message.match?(CERTIFICATE_VERIFY_FAILED)
+
+          msg = "Error resolving dependency."
+          raise DependencyFileNotResolvable, msg
+        end
       end
     end
   end

data/lib/dependabot/python/language.rb

@@ -11,10 +11,67 @@ module Dependabot
 
     class Language < Dependabot::Ecosystem::VersionManager
       extend T::Sig
+      # These versions should match the versions specified at the top of `python/Dockerfile`
+      PYTHON_3_13 = "3.13"
+      PYTHON_3_12 = "3.12"
+      PYTHON_3_11 = "3.11"
+      PYTHON_3_10 = "3.10"
+      PYTHON_3_9  = "3.9"
+      PYTHON_3_8  = "3.8"
 
-      sig { params(raw_version: String, requirement: T.nilable(Requirement)).void }
-      def initialize(raw_version, requirement = nil)
-        super(LANGUAGE, Version.new(raw_version), [], [], requirement)
+      DEPRECATED_VERSIONS = T.let([Version.new(PYTHON_3_8)].freeze, T::Array[Dependabot::Version])
+
+      # Keep versions in ascending order
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(PYTHON_3_9),
+        Version.new(PYTHON_3_10),
+        Version.new(PYTHON_3_11),
+        Version.new(PYTHON_3_12),
+        Version.new(PYTHON_3_13)
+      ].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          detected_version: String,
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(detected_version:, raw_version: nil, requirement: nil)
+        super(
+          name: LANGUAGE,
+          detected_version: major_minor_version(detected_version),
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
+       )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        return false unless detected_version
+        return false if unsupported?
+        return false unless Dependabot::Experiments.enabled?(:python_3_8_deprecation_warning)
+
+        deprecated_versions.include?(detected_version)
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        return false unless detected_version
+        return false unless Dependabot::Experiments.enabled?(:python_3_8_unsupported_error)
+
+        supported_versions.all? { |supported| supported > detected_version }
+      end
+
+      private
+
+      sig { params(version: String).returns(Dependabot::Python::Version) }
+      def major_minor_version(version)
+        major_minor = T.let(T.must(Version.new(version).segments[0..1]&.join(".")), String)
+
+        Version.new(major_minor)
       end
     end
   end

data/lib/dependabot/python/language_version_manager.rb

@@ -9,6 +9,7 @@ module Dependabot
     class LanguageVersionManager
       # This list must match the versions specified at the top of `python/Dockerfile`
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
+        3.13.1
         3.12.7
         3.11.9
         3.10.15
@@ -29,6 +30,14 @@ module Dependabot
         )
       end
 
+      def installed_version
+        # Use `pyenv exec` to query the active Python version
+        output, _status = SharedHelpers.run_shell_command("pyenv exec python --version")
+        version = output.strip.split.last # Extract the version number (e.g., "3.13.1")
+
+        version
+      end
+
       def python_major_minor
         @python_major_minor ||= T.must(Python::Version.new(python_version).segments[0..1]).join(".")
       end

data/lib/dependabot/python/package_manager.rb

@@ -31,11 +31,11 @@ module Dependabot
       end
       def initialize(raw_version, requirement = nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          SUPPORTED_VERSIONS,
-          DEPRECATED_VERSIONS,
-          requirement,
+          name: NAME,
+          version: Version.new(raw_version),
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
        )
       end
 
@@ -69,11 +69,11 @@ module Dependabot
       end
       def initialize(raw_version, requirement = nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          SUPPORTED_VERSIONS,
-          DEPRECATED_VERSIONS,
-          requirement,
+          name: NAME,
+          version: Version.new(raw_version),
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
        )
       end
 
@@ -92,6 +92,7 @@ module Dependabot
       extend T::Sig
 
       NAME = "pip-compile"
+      MANIFEST_FILENAME = ".in"
 
       SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
@@ -105,11 +106,11 @@ module Dependabot
       end
       def initialize(raw_version, requirement = nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          SUPPORTED_VERSIONS,
-          DEPRECATED_VERSIONS,
-          requirement,
+          name: NAME,
+          version: Version.new(raw_version),
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
        )
       end
 
@@ -144,11 +145,11 @@ module Dependabot
       end
       def initialize(raw_version, requirement = nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          SUPPORTED_VERSIONS,
-          DEPRECATED_VERSIONS,
-          requirement,
+          name: NAME,
+          version: Version.new(raw_version),
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
        )
       end
 

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -369,6 +369,12 @@ module Dependabot
         server504: /504 Server Error/
       }.freeze, T::Hash[T.nilable(String), Regexp])
 
+      # invalid configuration in pyproject.toml
+      POETRY_VIRTUAL_ENV_CONFIG = %r{pypoetry/virtualenvs(.|\n)*list index out of range}
+
+      # error related to local project as dependency in pyproject.toml
+      ERR_LOCAL_PROJECT_PATH = /Path (?<path>.*) for (?<dep>.*) does not exist/
+
       sig do
         params(
           dependencies: Dependabot::Dependency,
@@ -418,6 +424,12 @@ module Dependabot
 
         raise DependencyFileNotResolvable, error.message if error.message.match(PYTHON_RANGE_NOT_SATISFIED)
 
+        if error.message.match(POETRY_VIRTUAL_ENV_CONFIG) || error.message.match(ERR_LOCAL_PROJECT_PATH)
+          msg = "Error while resolving pyproject.toml file"
+
+          raise DependencyFileNotResolvable, msg
+        end
+
         SERVER_ERROR_CODES.each do |(_error_codes, error_regex)|
           next unless error.message.match?(error_regex)
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.291.0
+  version: 0.293.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -290,7 +290,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.291.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.293.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -306,7 +306,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Provides Dependabot support for Python