dependabot-python 0.299.1 → 0.301.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: acceb8fa127937d9f47961a162388d23ff9bf1c5c0c5d0ebbbe07a65273762e7
-  data.tar.gz: 9b8f49f1c670ea8473b506fbbfff4dfe8fb570664c2ceb07fdf9b9ff5778977a
+  metadata.gz: 8b08493047c96fa7ba1391e18f216a9a7456e348c0733ea17af3514d67245c04
+  data.tar.gz: 3a8cdb28351566647bed0354874c61dcef8e463d1cafbf1eb77cf8b5ff6585cc
 SHA512:
-  metadata.gz: 42bc5d2b34edc189d8f0eb9c58db001695abcae2607dfb17281c512c43822c863460298a8384498746e5c0c372df850ae608437c1dc6e38a152030e36b103aea
-  data.tar.gz: 05e37c59eeb041362d71b84e3cfe38c93a7e7ed90ef14a7bfa781dfa10795d7a778f4cf9c4a946817c3f6da5f6275505f09583eee5dceec2f0eebde3b72326a8
+  metadata.gz: a85078d3f128dde9d78da8b664a26be432255438e11b9fc095b48a4cb2e5a0aa8981fac701968b3b6cf87a77d160d4edb3cf69ed961afa6c24e2eb9beaf7c1c6
+  data.tar.gz: 041c64db083c065e6219c16b74116b00b5d443220ac6bc1c2ece40a6502af94e45b9d760fde8cb2a9a429be8c847bb7168ba388d9cccbb446fb95a6fbb7eb803

data/helpers/requirements.txt

@@ -2,9 +2,9 @@ pip==24.0
 pip-tools==7.4.1
 flake8==7.1.0
 hashin==1.0.3
-pipenv==2024.0.2
+pipenv==2024.4.1
 plette==2.1.0
-poetry==1.8.5
+poetry==2.1.1
 # TODO: Replace 3p package `tomli` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 tomli==2.0.1
 

data/lib/dependabot/python/file_parser/python_requirement_parser.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "toml-rb"
@@ -13,12 +13,17 @@ module Dependabot
   module Python
     class FileParser
       class PythonRequirementParser
+        extend T::Sig
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
 
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
+        sig { returns(T::Array[String]) }
         def user_specified_requirements
           [
             pipfile_python_requirement,
@@ -32,22 +37,28 @@ module Dependabot
 
         # TODO: Add better Python version detection using dependency versions
         # (e.g., Django 2.x implies Python 3)
+        sig { returns(T::Array[String]) }
         def imputed_requirements
           requirement_files.flat_map do |file|
-            file.content.lines
-                .select { |l| l.include?(";") && l.include?("python") }
-                .filter_map { |l| l.match(/python_version(?<req>.*?["'].*?['"])/) }
-                .map { |re| re.named_captures.fetch("req").gsub(/['"]/, "") }
-                .select { |r| valid_requirement?(r) }
+            T.must(file.content).lines
+             .select { |l| l.include?(";") && l.include?("python") }
+             .filter_map { |l| l.match(/python_version(?<req>.*?["'].*?['"])/) }
+             .map { |re| T.must(re.named_captures.fetch("req")).gsub(/['"]/, "") }
+             .select { |r| valid_requirement?(r) }
           end
         end
 
         private
 
+        # Parses the Pipfile content to extract the Python version requirement.
+        #
+        # @return [String, nil] the Python version requirement if specified in the Pipfile,
+        #   or nil if the requirement is not present or does not start with a digit.
+        sig { returns(T.nilable(String)) }
         def pipfile_python_requirement
           return unless pipfile
 
-          parsed_pipfile = TomlRB.parse(pipfile.content)
+          parsed_pipfile = TomlRB.parse(T.must(pipfile).content)
           requirement =
             parsed_pipfile.dig("requires", "python_full_version") ||
             parsed_pipfile.dig("requires", "python_version")
@@ -56,10 +67,11 @@ module Dependabot
           requirement
         end
 
+        sig { returns(T.nilable(String)) }
         def pyproject_python_requirement
           return unless pyproject
 
-          pyproject_object = TomlRB.parse(pyproject.content)
+          pyproject_object = TomlRB.parse(T.must(pyproject).content)
 
           # Check for PEP621 requires-python
           pep621_python = pyproject_object.dig("project", "requires-python")
@@ -72,9 +84,10 @@ module Dependabot
             poetry_object&.dig("dev-dependencies", "python")
         end
 
+        sig { returns(T.nilable(String)) }
         def pip_compile_python_requirement
           requirement_files.each do |file|
-            next unless pip_compile_file_matcher.lockfile_for_pip_compile_file?(file)
+            next unless T.must(pip_compile_file_matcher).lockfile_for_pip_compile_file?(file)
 
             marker = /^# This file is autogenerated by pip-compile with [pP]ython (?<version>\d+.\d+)$/m
             match = marker.match(file.content)
@@ -86,38 +99,41 @@ module Dependabot
           nil
         end
 
+        sig { returns(T.nilable(String)) }
         def python_version_file_version
           return unless python_version_file
 
           # read the content, split into lines and remove any lines with '#'
-          content_lines = python_version_file.content.each_line.map do |line|
+          content_lines = T.must(T.must(python_version_file).content).each_line.map do |line|
             line.sub(/#.*$/, " ").strip
           end.reject(&:empty?)
 
           file_version = content_lines.first
           return if file_version&.empty?
-          return unless pyenv_versions.include?("#{file_version}\n")
+          return unless T.must(pyenv_versions).include?("#{file_version}\n")
 
           file_version
         end
 
+        sig { returns(T.nilable(String)) }
         def runtime_file_python_version
           return unless runtime_file
 
-          file_version = runtime_file.content
-                                     .match(/(?<=python-).*/)&.to_s&.strip
+          file_version = T.must(T.must(runtime_file).content)
+                          .match(/(?<=python-).*/)&.to_s&.strip
           return if file_version&.empty?
-          return unless pyenv_versions.include?("#{file_version}\n")
+          return unless T.must(pyenv_versions).include?("#{file_version}\n")
 
           file_version
         end
 
+        sig { returns(T.nilable(String)) }
         def setup_file_requirement
           return unless setup_file
 
-          req = setup_file.content
-                          .match(/python_requires\s*=\s*['"](?<req>[^'"]+)['"]/)
-                          &.named_captures&.fetch("req")&.strip
+          req = T.must(T.must(setup_file).content)
+                 .match(/python_requires\s*=\s*['"](?<req>[^'"]+)['"]/)
+                 &.named_captures&.fetch("req")&.strip
 
           requirement_class.new(req)
           req
@@ -125,22 +141,28 @@ module Dependabot
           nil
         end
 
+        sig { returns(T.nilable(String)) }
         def pyenv_versions
-          @pyenv_versions ||= run_command("pyenv install --list")
+          @pyenv_versions = T.let(run_command("pyenv install --list"), T.nilable(String))
         end
 
+        sig { params(command: String, env: T::Hash[String, String]).returns(String) }
         def run_command(command, env: {})
           SharedHelpers.run_shell_command(command, env: env, stderr_to_stdout: true)
         end
 
+        sig { returns(T.nilable(PipCompileFileMatcher)) }
         def pip_compile_file_matcher
-          @pip_compile_file_matcher ||= PipCompileFileMatcher.new(pip_compile_files)
+          @pip_compile_file_matcher = T.let(PipCompileFileMatcher.new(pip_compile_files),
+                                            T.nilable(PipCompileFileMatcher))
         end
 
+        sig { returns(T.class_of(Dependabot::Python::Requirement)) }
         def requirement_class
           Dependabot::Python::Requirement
         end
 
+        sig { params(req_string: String).returns(T::Boolean) }
         def valid_requirement?(req_string)
           requirement_class.new(req_string)
           true
@@ -148,36 +170,44 @@ module Dependabot
           false
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pipfile
           dependency_files.find { |f| f.name == "Pipfile" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pipfile_lock
           dependency_files.find { |f| f.name == "Pipfile.lock" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           dependency_files.find { |f| f.name == "pyproject.toml" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def setup_file
           dependency_files.find { |f| f.name == "setup.py" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def python_version_file
           dependency_files.find { |f| f.name == ".python-version" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def runtime_file
           dependency_files.find { |f| f.name.end_with?("runtime.txt") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def requirement_files
           dependency_files.select { |f| f.name.end_with?(".txt") }
         end
 
+        sig { returns(T::Array[DependencyFile]) }
         def pip_compile_files
-          dependency_files.select { |f| f.name.end_with?(".in") }
+          @pip_compile_files ||= T.let(dependency_files.select { |f| f.name.end_with?(".in") }, T.untyped)
         end
       end
     end

data/lib/dependabot/python/file_parser.rb

@@ -489,7 +489,7 @@ module Dependabot
         @setup_cfg_file ||= T.let(get_original_file("setup.cfg"), T.nilable(Dependabot::DependencyFile))
       end
 
-      sig { returns(T::Array[Dependabot::Python::Requirement]) }
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def pip_compile_files
         @pip_compile_files ||= T.let(dependency_files.select { |f| f.name.end_with?(".in") }, T.untyped)
       end

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -190,7 +190,7 @@ module Dependabot
               language_version_manager.install_required_python
 
               # use system git instead of the pure Python dulwich
-              run_poetry_command("pyenv exec poetry config experimental.system-git-client true")
+              run_poetry_command("pyenv exec poetry config system-git-client true")
 
               run_poetry_update_command
 

data/lib/dependabot/python/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
@@ -13,8 +13,22 @@ require "dependabot/python/name_normaliser"
 module Dependabot
   module Python
     class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
       MAIN_PYPI_URL = "https://pypi.org/pypi"
 
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential]
+        )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        super
+        @pypi_listing = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+      end
+
+      sig { returns(T.nilable(String)) }
       def homepage_url
         pypi_listing.dig("info", "home_page") ||
           pypi_listing.dig("info", "project_urls", "Homepage") ||
@@ -24,6 +38,7 @@ module Dependabot
 
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         potential_source_urls = [
           pypi_listing.dig("info", "project_urls", "Source"),
@@ -44,6 +59,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T.nilable(String)) }
       def source_from_description
         potential_source_urls = []
         desc = pypi_listing.dig("info", "description")
@@ -64,7 +80,7 @@ module Dependabot
 
         # Failing that, look for a source where the full dependency name is
         # mentioned when the link is followed
-        @source_from_description ||=
+        @source_from_description ||= T.let(
           potential_source_urls.find do |url|
             full_url = Source.from_url(url)&.url
             next unless full_url
@@ -73,16 +89,19 @@ module Dependabot
             next unless response.status == 200
 
             response.body.include?(normalised_dependency_name)
-          end
+          end, T.nilable(String)
+        )
       end
       # rubocop:enable Metrics/PerceivedComplexity
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T.nilable(String)) }
       def source_from_homepage
-        return unless homepage_body
+        homepage_body_local = homepage_body
+        return unless homepage_body_local
 
         potential_source_urls = []
-        homepage_body.scan(Source::SOURCE_REGEX) do
+        homepage_body_local.scan(Source::SOURCE_REGEX) do
           potential_source_urls << Regexp.last_match.to_s
         end
 
@@ -93,7 +112,7 @@ module Dependabot
 
         return match_url if match_url
 
-        @source_from_homepage ||=
+        @source_from_homepage ||= T.let(
           potential_source_urls.find do |url|
             full_url = Source.from_url(url)&.url
             next unless full_url
@@ -102,10 +121,12 @@ module Dependabot
             next unless response.status == 200
 
             response.body.include?(normalised_dependency_name)
-          end
+          end, T.nilable(String)
+        )
       end
       # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { returns(T.nilable(String)) }
       def homepage_body
         homepage_url = pypi_listing.dig("info", "home_page")
 
@@ -115,19 +136,21 @@ module Dependabot
           "pypi.python.org"
         ].include?(URI(homepage_url).host)
 
-        @homepage_response ||=
+        @homepage_response ||= T.let(
           begin
             Dependabot::RegistryClient.get(url: homepage_url)
           rescue Excon::Error::Timeout, Excon::Error::Socket,
                  Excon::Error::TooManyRedirects, ArgumentError
             nil
-          end
+          end, T.nilable(Excon::Response)
+        )
 
         return unless @homepage_response&.status == 200
 
-        @homepage_response.body
+        @homepage_response&.body
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def pypi_listing
         return @pypi_listing unless @pypi_listing.nil?
         return @pypi_listing = {} if dependency.version&.include?("+")
@@ -147,6 +170,7 @@ module Dependabot
         @pypi_listing = {} # No listing found
       end
 
+      sig { params(url: String).returns(Excon::Response) }
       def fetch_authed_url(url)
         if url.match(%r{(.*)://(.*?):(.*)@([^@]+)$}) &&
            Regexp.last_match&.captures&.[](1)&.include?("@")
@@ -164,6 +188,7 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[String]) }
       def possible_listing_urls
         credential_urls =
           credentials
@@ -176,6 +201,7 @@ module Dependabot
       end
 
       # Strip [extras] from name (dependency_name[extra_dep,other_extra])
+      sig { returns(String) }
       def normalised_dependency_name
         NameNormaliser.normalise(dependency.name)
       end

data/lib/dependabot/python/package/package_details_fetcher.rb

@@ -268,11 +268,13 @@ module Dependabot
 
         sig do
           params(
-            releases_json: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]
+            releases_json: T.nilable(T::Hash[String, T::Array[T::Hash[String, T.untyped]]])
           )
             .returns(T::Array[Dependabot::Package::PackageRelease])
         end
         def format_version_releases(releases_json)
+          return [] unless releases_json
+
           releases_json.each_with_object([]) do |(version, release_data_array), versions|
             release_data = release_data_array.last
 
@@ -385,8 +387,9 @@ module Dependabot
 
         sig { params(json_url: String).returns(Excon::Response) }
         def registry_json_response_for_dependency(json_url)
+          url = "#{json_url.chomp('/')}/#{@dependency.name}/json"
           Dependabot::RegistryClient.get(
-            url: "#{json_url.chomp('/')}/#{@dependency.name}/json",
+            url: url,
             headers: { "Accept" => APPLICATION_JSON }
           )
         end

data/lib/dependabot/python/pip_compile_file_matcher.rb

@@ -6,7 +6,7 @@ module Dependabot
     class PipCompileFileMatcher
       extend T::Sig
 
-      sig { params(requirements_in_files: T::Array[Dependabot::Python::Requirement]).void }
+      sig { params(requirements_in_files: T::Array[DependencyFile]).void }
       def initialize(requirements_in_files)
         @requirements_in_files = requirements_in_files
       end
@@ -26,7 +26,7 @@ module Dependabot
 
       private
 
-      sig { returns(T::Array[Dependabot::Python::Requirement]) }
+      sig { returns(T::Array[DependencyFile]) }
       attr_reader :requirements_in_files
 
       sig { params(filename: T.any(String, Symbol)).returns(String) }

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -32,6 +32,11 @@ module Dependabot
             credentials: credentials
           ).fetch
         end
+
+        sig { override.returns(T::Boolean) }
+        def cooldown_enabled?
+          Dependabot::Experiments.enabled?(:enable_cooldown_for_python)
+        end
       end
     end
   end

data/lib/dependabot/python/update_checker/pip_version_resolver.rb

@@ -11,12 +11,13 @@ module Dependabot
     class UpdateChecker
       class PipVersionResolver
         def initialize(dependency:, dependency_files:, credentials:,
-                       ignored_versions:, raise_on_ignored: false,
+                       ignored_versions:, update_cooldown: nil, raise_on_ignored: false,
                        security_advisories:)
           @dependency          = dependency
           @dependency_files    = dependency_files
           @credentials         = credentials
           @ignored_versions    = ignored_versions
+          @update_cooldown = update_cooldown
           @raise_on_ignored    = raise_on_ignored
           @security_advisories = security_advisories
         end
@@ -50,8 +51,10 @@ module Dependabot
             credentials: credentials,
             ignored_versions: ignored_versions,
             raise_on_ignored: @raise_on_ignored,
+            cooldown_options: @update_cooldown,
             security_advisories: security_advisories
           )
+          @latest_version_finder
         end
 
         def python_requirement_parser

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -97,7 +97,7 @@ module Dependabot
                 language_version_manager.install_required_python
 
                 # use system git instead of the pure Python dulwich
-                run_poetry_command("pyenv exec poetry config experimental.system-git-client true")
+                run_poetry_command("pyenv exec poetry config system-git-client true")
 
                 # Shell out to Poetry, which handles everything for us.
                 run_poetry_update_command

data/lib/dependabot/python/update_checker.rb

@@ -187,6 +187,7 @@ module Dependabot
           dependency_files: dependency_files,
           credentials: credentials,
           ignored_versions: ignored_versions,
+          update_cooldown: @update_cooldown,
           raise_on_ignored: @raise_on_ignored,
           security_advisories: security_advisories
         )
@@ -255,6 +256,7 @@ module Dependabot
           credentials: credentials,
           ignored_versions: ignored_versions,
           raise_on_ignored: @raise_on_ignored,
+          cooldown_options: @update_cooldown,
           security_advisories: security_advisories
         )
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.299.1
+  version: 0.301.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-28 00:00:00.000000000 Z
+date: 2025-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.299.1
+        version: 0.301.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.299.1
+        version: 0.301.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -291,7 +291,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.299.1
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.301.0
 post_install_message:
 rdoc_options: []
 require_paths: