dependabot-python 0.301.0 → 0.302.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8b08493047c96fa7ba1391e18f216a9a7456e348c0733ea17af3514d67245c04
-  data.tar.gz: 3a8cdb28351566647bed0354874c61dcef8e463d1cafbf1eb77cf8b5ff6585cc
+  metadata.gz: be5bb8881f630d585a20e8d38c1458020f9a77e369fc44506a996b87da6b47b1
+  data.tar.gz: 327a35b61a9faa2adf137b79d1f49e1b89a8cc3c25e3cc484340d153028cc6dd
 SHA512:
-  metadata.gz: a85078d3f128dde9d78da8b664a26be432255438e11b9fc095b48a4cb2e5a0aa8981fac701968b3b6cf87a77d160d4edb3cf69ed961afa6c24e2eb9beaf7c1c6
-  data.tar.gz: 041c64db083c065e6219c16b74116b00b5d443220ac6bc1c2ece40a6502af94e45b9d760fde8cb2a9a429be8c847bb7168ba388d9cccbb446fb95a6fbb7eb803
+  metadata.gz: 73a38b119440ef9743235bd9a1b5e68092d822dcb70f0550ac353a9bedc4f64363c40cbbcdadbee50347c199ab2f2b7a7653675bb38c5660f69d68e17f514a6b
+  data.tar.gz: f852a27fcc45ec3b4b79bf4c33d0daf0c7e921c258860d55caf79a52102a340db0ac48ba92dba763d7353930922b6d8d0d56aec6b84cceb54aca0857ef0ad540

data/lib/dependabot/python/file_fetcher.rb

@@ -53,7 +53,7 @@ module Dependabot
         # the user-specified range of versions, not the version Dependabot chose to run.
         python_requirement_parser = FileParser::PythonRequirementParser.new(dependency_files: files)
         language_version_manager = LanguageVersionManager.new(python_requirement_parser: python_requirement_parser)
-        Dependabot.logger.info("Dependabot is using Python version '#{language_version_manager.python_major_minor}'.")
+        Dependabot.logger.info("Dependabot is using Python version '#{language_version_manager.python_version}'.")
         {
           languages: {
             python: {

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "open3"
@@ -18,41 +18,70 @@ module Dependabot
     class FileUpdater
       # rubocop:disable Metrics/ClassLength
       class PipCompileFileUpdater
+        extend T::Sig
         require_relative "requirement_replacer"
         require_relative "requirement_file_updater"
         require_relative "setup_file_sanitizer"
 
-        UNSAFE_PACKAGES = %w(setuptools distribute pip).freeze
-        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m
-        WARNINGS = /\s*# WARNING:.*\Z/m
-        UNSAFE_NOTE = /\s*# The following packages are considered to be unsafe.*\Z/m
-        RESOLVER_REGEX = /(?<=--resolver=)(\w+)/
-        NATIVE_COMPILATION_ERROR =
-          "pip._internal.exceptions.InstallationSubprocessError: Getting requirements to build wheel exited with 1"
-
+        UNSAFE_PACKAGES = T.let(%w(setuptools distribute pip).freeze, T::Array[String])
+        INCOMPATIBLE_VERSIONS_REGEX = T.let(/There are incompatible versions in the resolved dependencies:.*\z/m,
+                                            Regexp)
+        WARNINGS = T.let(/\s*# WARNING:.*\Z/m, Regexp)
+        UNSAFE_NOTE = T.let(/\s*# The following packages are considered to be unsafe.*\Z/m, Regexp)
+        RESOLVER_REGEX = T.let(/(?<=--resolver=)(\w+)/, Regexp)
+        NATIVE_COMPILATION_ERROR = T.let(
+          "pip._internal.exceptions.InstallationSubprocessError: Getting requirements to build wheel exited with 1",
+          String
+        )
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
 
-        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
-          @dependencies = dependencies
-          @dependency_files = dependency_files
-          @credentials = credentials
-          @index_urls = index_urls
-          @build_isolation = true
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            index_urls: T.nilable(T::Array[String])
+          ).void
         end
-
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
+          @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @index_urls = T.let(index_urls, T.nilable(T::Array[String]))
+          @build_isolation = T.let(true, T::Boolean)
+          @sanitized_setup_file_content = T.let({}, T::Hash[String, String])
+          @requirement_map = T.let(nil, T.nilable(T::Hash[String, T::Array[String]]))
+          @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
+          @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
+          @setup_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @setup_cfg_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @pip_compile_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @compiled_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
+        end
+
+        sig { returns(T.nilable(T::Array[Dependabot::DependencyFile])) }
         def updated_dependency_files
-          @updated_dependency_files ||= fetch_updated_dependency_files
+          @updated_dependency_files = T.let(fetch_updated_dependency_files,
+                                            T.nilable(T::Array[Dependabot::DependencyFile]))
         end
 
         private
 
+        sig { returns(T.nilable(Dependabot::Dependency)) }
         def dependency
           # For now, we'll only ever be updating a single dependency
           dependencies.first
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def fetch_updated_dependency_files
           updated_compiled_files = compile_new_requirement_files
           updated_manifest_files = update_manifest_files
@@ -67,6 +96,7 @@ module Dependabot
           ]
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def compile_new_requirement_files
           SharedHelpers.in_a_temporary_directory do
             write_updated_dependency_files
@@ -93,6 +123,7 @@ module Dependabot
           end
         end
 
+        sig { params(filename: String).void }
         def compile_file(filename)
           # Shell out to pip-compile, generate a new set of requirements.
           # This is slow, as pip-compile needs to do installs.
@@ -101,12 +132,12 @@ module Dependabot
 
           name_part = "pyenv exec pip-compile " \
                       "#{options} -P " \
-                      "#{dependency.name}"
+                      "#{T.must(dependency).name}"
           fingerprint_name_part = "pyenv exec pip-compile " \
                                   "#{options_fingerprint} -P " \
                                   "<dependency_name>"
 
-          version_part = "#{dependency.version} #{filename}"
+          version_part = "#{T.must(dependency).version} #{filename}"
           fingerprint_version_part = "<dependency_version> <filename>"
 
           # Don't escape pyenv `dep-name==version` syntax
@@ -127,10 +158,12 @@ module Dependabot
           raise
         end
 
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).returns(T::Boolean) }
         def compilation_error?(error)
           error.message.include?(NATIVE_COMPILATION_ERROR)
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def update_manifest_files
           dependency_files.filter_map do |file|
             next unless file.name.end_with?(".in")
@@ -144,12 +177,15 @@ module Dependabot
           end
         end
 
+        sig do
+          params(updated_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile])
+        end
         def update_uncompiled_files(updated_files)
           updated_filenames = updated_files.map(&:name)
-          old_reqs = dependency.previous_requirements
-                               .reject { |r| updated_filenames.include?(r[:file]) }
-          new_reqs = dependency.requirements
-                               .reject { |r| updated_filenames.include?(r[:file]) }
+          old_reqs = T.must(T.must(dependency).previous_requirements)
+                      .reject { |r| updated_filenames.include?(r[:file]) }
+          new_reqs = T.must(dependency).requirements
+                      .reject { |r| updated_filenames.include?(r[:file]) }
 
           return [] if new_reqs.none?
 
@@ -162,13 +198,21 @@ module Dependabot
           args[:previous_requirements] = old_reqs
 
           RequirementFileUpdater.new(
-            dependencies: [Dependency.new(**args)],
+            dependencies: [Dependency.new(**T.unsafe(args))],
             dependency_files: files,
             credentials: credentials
           ).updated_dependency_files
         end
 
-        def run_command(cmd, env: python_env, allow_unsafe_shell_command: false, fingerprint:)
+        sig do
+          params(
+            cmd: String,
+            fingerprint: String,
+            env: T.nilable(T::Hash[String, String]),
+            allow_unsafe_shell_command: T::Boolean
+          ).returns(String)
+        end
+        def run_command(cmd, fingerprint:, env: python_env, allow_unsafe_shell_command: false)
           SharedHelpers.run_shell_command(
             cmd,
             env: env,
@@ -186,7 +230,8 @@ module Dependabot
           raise
         end
 
-        def run_pip_compile_command(command, allow_unsafe_shell_command: false, fingerprint:)
+        sig { params(command: String, fingerprint: String, allow_unsafe_shell_command: T::Boolean).returns(String) }
+        def run_pip_compile_command(command, fingerprint:, allow_unsafe_shell_command: false)
           run_command(
             "pyenv local #{language_version_manager.python_major_minor}",
             fingerprint: "pyenv local <python_major_minor>"
@@ -199,12 +244,13 @@ module Dependabot
           )
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def python_env
           env = {}
 
           # Handle Apache Airflow 1.10.x installs
-          if dependency_files.any? { |f| f.content.include?("apache-airflow") }
-            if dependency_files.any? { |f| f.content.include?("unidecode") }
+          if dependency_files.any? { |f| T.must(f.content).include?("apache-airflow") }
+            if dependency_files.any? { |f| T.must(f.content).include?("unidecode") }
               env["AIRFLOW_GPL_UNIDECODE"] = "yes"
             else
               env["SLUGIFY_USES_TEXT_UNIDECODE"] = "yes"
@@ -214,6 +260,7 @@ module Dependabot
           env
         end
 
+        sig { void }
         def write_updated_dependency_files
           dependency_files.each do |file|
             path = file.name
@@ -237,8 +284,8 @@ module Dependabot
           end
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
         def sanitized_setup_file_content(file)
-          @sanitized_setup_file_content ||= {}
           return @sanitized_setup_file_content[file.name] if @sanitized_setup_file_content[file.name]
 
           @sanitized_setup_file_content[file.name] =
@@ -247,56 +294,61 @@ module Dependabot
             .sanitized_content
         end
 
+        sig { params(file: DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
         def setup_cfg(file)
           dependency_files.find do |f|
             f.name == file.name.sub(/\.py$/, ".cfg")
           end
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
         def freeze_dependency_requirement(file)
           return file.content unless file.name.end_with?(".in")
 
-          old_req = dependency.previous_requirements
-                              .find { |r| r[:file] == file.name }
+          old_req = T.must(T.must(dependency).previous_requirements)
+                     .find { |r| r[:file] == file.name }
 
           return file.content unless old_req
-          return file.content if old_req == "==#{dependency.version}"
+          return file.content if old_req == "==#{T.must(dependency).version}"
 
           RequirementReplacer.new(
             content: file.content,
-            dependency_name: dependency.name,
+            dependency_name: T.must(dependency).name,
             old_requirement: old_req[:requirement],
-            new_requirement: "==#{dependency.version}",
+            new_requirement: "==#{T.must(dependency).version}",
             index_urls: @index_urls
           ).updated_content
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
         def update_dependency_requirement(file)
           return file.content unless file.name.end_with?(".in")
 
-          old_req = dependency.previous_requirements
-                              .find { |r| r[:file] == file.name }
-          new_req = dependency.requirements
-                              .find { |r| r[:file] == file.name }
+          old_req = T.must(T.must(dependency).previous_requirements)
+                     .find { |r| r[:file] == file.name }
+          new_req = T.must(dependency).requirements
+                     .find { |r| r[:file] == file.name }
           return file.content unless old_req&.fetch(:requirement)
           return file.content if old_req == new_req
 
           RequirementReplacer.new(
             content: file.content,
-            dependency_name: dependency.name,
+            dependency_name: T.must(dependency).name,
             old_requirement: old_req[:requirement],
-            new_requirement: new_req[:requirement],
+            new_requirement: T.must(new_req)[:requirement],
             index_urls: @index_urls
           ).updated_content
         end
 
+        sig { params(updated_content: String, file: Dependabot::DependencyFile).returns(String) }
         def post_process_compiled_file(updated_content, file)
-          content = replace_header_with_original(updated_content, file.content)
-          content = remove_new_warnings(content, file.content)
-          content = update_hashes_if_required(content, file.content)
-          replace_absolute_file_paths(content, file.content)
+          content = replace_header_with_original(updated_content, T.must(file.content))
+          content = remove_new_warnings(content, T.must(file.content))
+          content = update_hashes_if_required(content, T.must(file.content))
+          replace_absolute_file_paths(content, T.must(file.content))
         end
 
+        sig { params(updated_content: String, original_content: String).returns(String) }
         def replace_header_with_original(updated_content, original_content)
           original_header_lines =
             original_content.lines.take_while { |l| l.start_with?("#") }
@@ -307,6 +359,7 @@ module Dependabot
           [*original_header_lines, *updated_content_lines].join
         end
 
+        sig { params(updated_content: String, original_content: String).returns(String) }
         def replace_absolute_file_paths(updated_content, original_content)
           content = updated_content
 
@@ -328,6 +381,7 @@ module Dependabot
           content
         end
 
+        sig { params(updated_content: String, original_content: String).returns(String) }
         def remove_new_warnings(updated_content, original_content)
           content = updated_content
 
@@ -341,6 +395,7 @@ module Dependabot
           content
         end
 
+        sig { params(updated_content: String, original_content: String).returns(String) }
         def update_hashes_if_required(updated_content, original_content)
           deps_to_update =
             deps_to_augment_hashes_for(updated_content, original_content)
@@ -353,7 +408,7 @@ module Dependabot
                 name: mtch.named_captures.fetch("name"),
                 version: mtch.named_captures.fetch("version"),
                 algorithm: mtch.named_captures.fetch("algorithm")
-              ).sort.join(hash_separator(mtch.to_s))
+              ).sort.join(T.must(hash_separator(mtch.to_s)))
             )
 
             updated_content_with_hashes = updated_content_with_hashes
@@ -362,6 +417,7 @@ module Dependabot
           updated_content_with_hashes
         end
 
+        sig { params(updated_content: String, original_content: String).returns(T::Array[T.untyped]) }
         def deps_to_augment_hashes_for(updated_content, original_content)
           regex = /^#{RequirementParser::INSTALL_REQ_WITH_REQUIREMENT}/o
 
@@ -391,6 +447,7 @@ module Dependabot
           [*new_deps, *changed_hashes_deps]
         end
 
+        sig { params(name: String, version: String, algorithm: String).returns(T::Array[String]) }
         def package_hashes_for(name:, version:, algorithm:)
           index_urls = @index_urls || [nil]
           hashes = []
@@ -420,24 +477,24 @@ module Dependabot
           hashes
         end
 
+        sig { params(requirement_string: String).returns(T.nilable(String)) }
         def hash_separator(requirement_string)
           hash_regex = RequirementParser::HASH
           return unless requirement_string.match?(hash_regex)
 
+          # rubocop:disable Layout/LineLength
           current_separator =
-            requirement_string
-            .match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/)
-            .named_captures.fetch("separator")
+            T.must(requirement_string.match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/)).named_captures.fetch("separator")
 
           default_separator =
-            requirement_string
-            .match(RequirementParser::HASH)
-            .pre_match.match(/(?<separator>\s*\\?\s*?)\z/)
-            .named_captures.fetch("separator")
+            T.must(T.must(requirement_string
+            .match(RequirementParser::HASH)).pre_match.match(/(?<separator>\s*\\?\s*?)\z/)).named_captures.fetch("separator")
 
+          # rubocop:enable Layout/LineLength
           current_separator || default_separator
         end
 
+        sig { params(options: String).returns(String) }
         def pip_compile_options_fingerprint(options)
           options.sub(
             /--output-file=\S+/, "--output-file=<output_file>"
@@ -448,6 +505,7 @@ module Dependabot
           )
         end
 
+        sig { params(filename: String).returns(String) }
         def pip_compile_options(filename)
           options = @build_isolation ? ["--build-isolation"] : ["--no-build-isolation"]
           options += pip_compile_index_options
@@ -459,30 +517,34 @@ module Dependabot
           options.join(" ")
         end
 
+        # rubocop:disable Metrics/AbcSize
+        sig { params(requirements_file: T.nilable(Dependabot::DependencyFile)).returns(T::Array[String]) }
         def pip_compile_options_from_compiled_file(requirements_file)
-          options = ["--output-file=#{requirements_file.name}"]
+          options = ["--output-file=#{T.must(requirements_file).name}"]
 
-          options << "--no-emit-index-url" unless requirements_file.content.include?("index-url http")
+          options << "--no-emit-index-url" unless T.must(T.must(requirements_file).content).include?("index-url http")
 
-          options << "--generate-hashes" if requirements_file.content.include?("--hash=sha")
+          options << "--generate-hashes" if T.must(T.must(requirements_file).content).include?("--hash=sha")
 
-          options << "--allow-unsafe" if includes_unsafe_packages?(requirements_file.content)
+          options << "--allow-unsafe" if includes_unsafe_packages?(T.must(T.must(requirements_file).content))
 
-          options << "--no-annotate" unless requirements_file.content.include?("# via ")
+          options << "--no-annotate" unless T.must(T.must(requirements_file).content).include?("# via ")
 
-          options << "--no-header" unless requirements_file.content.include?("autogenerated by pip-c")
+          options << "--no-header" unless T.must(T.must(requirements_file).content).include?("autogenerated by pip-c")
 
-          options << "--pre" if requirements_file.content.include?("--pre")
+          options << "--pre" if T.must(T.must(requirements_file).content).include?("--pre")
 
-          options << "--strip-extras" if requirements_file.content.include?("--strip-extras")
+          options << "--strip-extras" if T.must(T.must(requirements_file).content).include?("--strip-extras")
 
-          if (resolver = RESOLVER_REGEX.match(requirements_file.content))
+          if (resolver = RESOLVER_REGEX.match(T.must(requirements_file).content))
             options << "--resolver=#{resolver}"
           end
 
           options
         end
 
+        # rubocop:enable Metrics/AbcSize
+        sig { returns(T::Array[String]) }
         def pip_compile_index_options
           credentials
             .select { |cred| cred["type"] == "python_index" }
@@ -497,15 +559,17 @@ module Dependabot
             end
         end
 
+        sig { params(content: String).returns(T::Boolean) }
         def includes_unsafe_packages?(content)
           UNSAFE_PACKAGES.any? { |n| content.match?(/^#{Regexp.quote(n)}==/) }
         end
 
+        sig { returns(T::Array[String]) }
         def filenames_to_compile
           files_from_reqs =
-            dependency.requirements
-                      .map { |r| r[:file] }
-                      .select { |fn| fn.end_with?(".in") }
+            T.must(dependency).requirements
+             .map { |r| r[:file] }
+             .select { |fn| fn.end_with?(".in") }
 
           files_from_compiled_files =
             pip_compile_files.map(&:name).select do |fn|
@@ -518,10 +582,11 @@ module Dependabot
           order_filenames_for_compilation(filenames)
         end
 
+        sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
         def compiled_file_for_filename(filename)
           compiled_file =
             compiled_files
-            .find { |f| f.content.match?(output_file_regex(filename)) }
+            .find { |f| T.must(f.content).match?(output_file_regex(filename)) }
 
           compiled_file ||=
             compiled_files
@@ -530,26 +595,30 @@ module Dependabot
           compiled_file
         end
 
+        sig { params(filename: T.any(String, Symbol)).returns(String) }
         def output_file_regex(filename)
           "--output-file[=\s]+.*\s#{Regexp.escape(filename)}\s*$"
         end
 
+        sig { params(compiled_file: T.nilable(Dependabot::DependencyFile)).returns(T::Boolean) }
         def compiled_file_includes_dependency?(compiled_file)
           return false unless compiled_file
 
           regex = RequirementParser::INSTALL_REQ_WITH_REQUIREMENT
 
           matches = []
-          compiled_file.content.scan(regex) { matches << Regexp.last_match }
-          matches.any? { |m| normalise(m[:name]) == dependency.name }
+          T.must(compiled_file.content).scan(regex) { matches << Regexp.last_match }
+          matches.any? { |m| normalise(m[:name]) == T.must(dependency).name }
         end
 
+        sig { params(name: String).returns(String) }
         def normalise(name)
           NameNormaliser.normalise(name)
         end
 
         # If the files we need to update require one another then we need to
         # update them in the right order
+        sig { params(filenames: T::Array[String]).returns(T::Array[String]) }
         def order_filenames_for_compilation(filenames)
           ordered_filenames = T.let([], T::Array[String])
 
@@ -557,7 +626,7 @@ module Dependabot
             ordered_filenames +=
               remaining_filenames
               .reject do |fn|
-                unupdated_reqs = requirement_map[fn] - ordered_filenames
+                unupdated_reqs = (requirement_map[fn] || []) - ordered_filenames
                 unupdated_reqs.intersect?(filenames)
               end
           end
@@ -565,11 +634,12 @@ module Dependabot
           ordered_filenames
         end
 
+        sig { returns(T::Hash[String, T::Array[String]]) }
         def requirement_map
           child_req_regex = Python::FileFetcher::CHILD_REQUIREMENT_REGEX
           @requirement_map ||=
             pip_compile_files.each_with_object({}) do |file, req_map|
-              paths = file.content.scan(child_req_regex).flatten
+              paths = T.must(file.content).scan(child_req_regex).flatten
               current_dir = File.dirname(file.name)
 
               req_map[file.name] =
@@ -584,6 +654,7 @@ module Dependabot
             end
         end
 
+        sig { returns(Dependabot::Python::FileParser::PythonRequirementParser) }
         def python_requirement_parser
           @python_requirement_parser ||=
             FileParser::PythonRequirementParser.new(
@@ -591,6 +662,7 @@ module Dependabot
             )
         end
 
+        sig { returns(Dependabot::Python::LanguageVersionManager) }
         def language_version_manager
           @language_version_manager ||=
             LanguageVersionManager.new(
@@ -598,18 +670,22 @@ module Dependabot
             )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def setup_files
           dependency_files.select { |f| f.name.end_with?("setup.py") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def pip_compile_files
           dependency_files.select { |f| f.name.end_with?(".in") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def compiled_files
           dependency_files.select { |f| f.name.end_with?(".txt") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def setup_cfg_files
           dependency_files.select { |f| f.name.end_with?("setup.cfg") }
         end

data/lib/dependabot/python/file_updater.rb

@@ -114,12 +114,12 @@ module Dependabot
 
       sig { returns(T::Array[DependencyFile]) }
       def updated_pip_compile_based_files
-        PipCompileFileUpdater.new(
+        T.must(PipCompileFileUpdater.new(
           dependencies: dependencies,
           dependency_files: dependency_files,
           credentials: credentials,
           index_urls: pip_compile_index_urls
-        ).updated_dependency_files
+        ).updated_dependency_files)
       end
 
       sig { returns(T::Array[DependencyFile]) }

data/lib/dependabot/python/language.rb

@@ -11,28 +11,43 @@ module Dependabot
 
     class Language < Dependabot::Ecosystem::VersionManager
       extend T::Sig
-      # These versions should match the versions specified at the top of `python/Dockerfile`
-      PYTHON_3_13 = "3.13"
-      PYTHON_3_12 = "3.12"
-      PYTHON_3_11 = "3.11"
-      PYTHON_3_10 = "3.10"
-      PYTHON_3_9  = "3.9"
-      PYTHON_3_8  = "3.8"
+      # This list must match the versions specified at the top of `python/Dockerfile`
+      # ARG PY_3_13=3.13.2
+      PRE_INSTALLED_PYTHON_VERSIONS_RAW = %w(
+        3.13.2
+        3.12.9
+        3.11.11
+        3.10.16
+        3.9.21
+      ).freeze
 
-      DEPRECATED_VERSIONS = T.let([Version.new(PYTHON_3_8)].freeze, T::Array[Dependabot::Version])
+      PRE_INSTALLED_PYTHON_VERSIONS = T.let(PRE_INSTALLED_PYTHON_VERSIONS_RAW.map do |v|
+        Version.new(v)
+      end.sort, T::Array[Dependabot::Python::Version])
 
-      # Keep versions in ascending order
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PYTHON_3_9),
-        Version.new(PYTHON_3_10),
-        Version.new(PYTHON_3_11),
-        Version.new(PYTHON_3_12),
-        Version.new(PYTHON_3_13)
-      ].freeze, T::Array[Dependabot::Version])
+      PRE_INSTALLED_VERSIONS_MAP = T.let(
+        PRE_INSTALLED_PYTHON_VERSIONS.to_h do |v|
+          [Dependabot::Python::Version.new(T.must(v.segments[0..1]).join(".")), v]
+        end,
+        T::Hash[Dependabot::Python::Version, Dependabot::Python::Version]
+      )
+
+      PRE_INSTALLED_HIGHEST_VERSION = T.let(T.must(PRE_INSTALLED_PYTHON_VERSIONS.max), Dependabot::Python::Version)
+
+      SUPPORTED_VERSIONS = T.let(
+        PRE_INSTALLED_PYTHON_VERSIONS.map do |v|
+          Dependabot::Python::Version.new(T.must(v.segments[0..1]&.join(".")))
+        end,
+        T::Array[Dependabot::Python::Version]
+      )
+
+      NON_SUPPORTED_HIGHEST_VERSION = "3.8"
+
+      DEPRECATED_VERSIONS = T.let([Version.new(NON_SUPPORTED_HIGHEST_VERSION)].freeze, T::Array[Dependabot::Version])
 
       sig do
         params(
-          detected_version: String,
+          detected_version: T.nilable(String),
           raw_version: T.nilable(String),
           requirement: T.nilable(Requirement)
         ).void
@@ -40,7 +55,7 @@ module Dependabot
       def initialize(detected_version:, raw_version: nil, requirement: nil)
         super(
           name: LANGUAGE,
-          detected_version: major_minor_version(detected_version),
+          detected_version: detected_version ? major_minor_version(detected_version) : nil,
           version: raw_version ? Version.new(raw_version) : nil,
           deprecated_versions: DEPRECATED_VERSIONS,
           supported_versions: SUPPORTED_VERSIONS,
@@ -48,25 +63,12 @@ module Dependabot
        )
       end
 
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        return false unless detected_version
-        return false if unsupported?
-
-        deprecated_versions.include?(detected_version)
-      end
-
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        return false unless detected_version
-
-        supported_versions.all? { |supported| supported > detected_version }
-      end
-
       private
 
-      sig { params(version: String).returns(Dependabot::Python::Version) }
+      sig { params(version: String).returns(T.nilable(Dependabot::Python::Version)) }
       def major_minor_version(version)
+        return nil if version.empty?
+
         major_minor = T.let(T.must(Version.new(version).segments[0..1]&.join(".")), String)
 
         Version.new(major_minor)

data/lib/dependabot/python/language_version_manager.rb

@@ -9,14 +9,6 @@ module Dependabot
   module Python
     class LanguageVersionManager
       extend T::Sig
-      # This list must match the versions specified at the top of `python/Dockerfile`
-      PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.13.2
-        3.12.9
-        3.11.11
-        3.10.16
-        3.9.21
-      ).freeze
 
       sig { params(python_requirement_parser: T.untyped).void }
       def initialize(python_requirement_parser:)
@@ -62,7 +54,34 @@ module Dependabot
             user_specified_python_version
           end
         else
-          python_version_matching_imputed_requirements || PRE_INSTALLED_PYTHON_VERSIONS.first
+          python_version_matching_imputed_requirements || Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
+        end
+      end
+
+      sig { params(requirement_string: T.nilable(String)).returns(T.nilable(String)) }
+      def normalize_python_exact_version(requirement_string)
+        return requirement_string if requirement_string.nil? || requirement_string.strip.empty?
+
+        requirement_string = requirement_string.strip
+
+        # If the requirement already has a wildcard, return nil
+        return nil if requirement_string == "*"
+
+        # If the requirement is not an exact version such as not X.Y.Z, =X.Y.Z, ==X.Y.Z, ===X.Y.Z
+        # then return the requirement as is
+        return requirement_string unless requirement_string.match?(/^=?={0,2}\s*\d+\.\d+(\.\d+)?(-[a-z0-9.-]+)?$/i)
+
+        parts = requirement_string.gsub(/^=+/, "").split(".")
+
+        case parts.length
+        when 1 # Only major version (X)
+          ">= #{parts[0]}.0.0 < #{parts[0].to_i + 1}.0.0" # Ensure only major version range
+        when 2 # Major.Minor (X.Y)
+          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Ensure only minor version range
+        when 3 # Major.Minor.Patch (X.Y.Z)
+          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Convert to >= X.Y.0
+        else
+          requirement_string
         end
       end
 
@@ -72,15 +91,22 @@ module Dependabot
 
         # If the requirement string isn't already a range (eg ">3.10"), coerce it to "major.minor.*".
         # The patch version is ignored because a non-matching patch version is unlikely to affect resolution.
-        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if requirement_string.start_with?(/\d/)
+        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if /^\d/.match?(requirement_string)
+
+        requirement_string = normalize_python_exact_version(requirement_string)
+
+        if requirement_string.nil? || requirement_string.strip.empty?
+          return Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
+        end
 
         # Try to match one of our pre-installed Python versions
         requirement = T.must(Python::Requirement.requirements_array(requirement_string).first)
-        version = PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(Python::Version.new(v)) }
-        return version if version
 
-        # Otherwise we have to raise
-        supported_versions = PRE_INSTALLED_PYTHON_VERSIONS.map { |x| x.gsub(/\.\d+$/, ".*") }.join(", ")
+        version = Language::PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(v) }
+        return version.to_s if version
+
+        # Otherwise we have to raise an error
+        supported_versions = Language::SUPPORTED_VERSIONS.map { |v| "#{v}.*" }.join(", ")
         raise ToolVersionNotSupported.new("Python", python_requirement_string, supported_versions)
       end
 
@@ -100,14 +126,13 @@ module Dependabot
 
       sig { params(requirements: T.untyped).returns(T.nilable(String)) }
       def python_version_matching(requirements)
-        PRE_INSTALLED_PYTHON_VERSIONS.find do |version_string|
-          version = Python::Version.new(version_string)
+        Language::PRE_INSTALLED_PYTHON_VERSIONS.find do |version|
           requirements.all? do |req|
             next req.any? { |r| r.satisfied_by?(version) } if req.is_a?(Array)
 
             req.satisfied_by?(version)
           end
-        end
+        end.to_s
       end
     end
   end

data/lib/dependabot/python/requirement.rb

@@ -93,7 +93,7 @@ module Dependabot
       private
 
       def convert_python_constraint_to_ruby_constraint(req_string)
-        return nil if req_string.nil?
+        return nil if req_string.nil? || req_string.strip.empty?
         return nil if req_string == "*"
 
         req_string = req_string.gsub("~=", "~>")
@@ -101,6 +101,8 @@ module Dependabot
 
         if req_string.match?(/~[^>]/) then convert_tilde_req(req_string)
         elsif req_string.start_with?("^") then convert_caret_req(req_string)
+        elsif req_string.match?(/^=?={0,2}\s*\d+\.\d+(\.\d+)?(-[a-z0-9.-]+)?(\.\*)?$/i)
+          convert_exact(req_string)
         elsif req_string.include?(".*") then convert_wildcard(req_string)
         else
           req_string
@@ -155,6 +157,37 @@ module Dependabot
                   .gsub(/\*$/, "0.dev")
                   .tap { |s| exact_op ? s.gsub!(/^(?<!!)=*/, "~>") : s }
       end
+
+      def convert_exact(req_string)
+        arbitrary_equality = req_string.start_with?("===")
+        cleaned_version = req_string.gsub(/^=+/, "").strip
+
+        return ["=== #{cleaned_version}"] if arbitrary_equality
+
+        # Handle versions wildcarded with .*, e.g. 1.0.*
+        if cleaned_version.include?(".*")
+          # Remove all characters after the first .*, and the .*
+          cleaned_version = cleaned_version.split(".*").first
+          version = Python::Version.new(cleaned_version)
+          # Get the release segment parts [major, minor, patch]
+          version_parts = version.release_segment
+
+          if version_parts.length == 1
+            major = T.must(version_parts[0])
+            [">= #{major}.0.0.dev", "< #{major + 1}.0.0"]
+          elsif version_parts.length == 2
+            major, minor = version_parts
+            "~> #{major}.#{minor}.0.dev"
+          elsif version_parts.length == 3
+            major, minor, patch = version_parts
+            "~> #{major}.#{minor}.#{patch}.dev"
+          else
+            "= #{cleaned_version}"
+          end
+        else
+          "= #{cleaned_version}"
+        end
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.301.0
+  version: 0.302.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-13 00:00:00.000000000 Z
+date: 2025-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.301.0
+        version: 0.302.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.301.0
+        version: 0.302.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -291,7 +291,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.301.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.302.0
 post_install_message:
 rdoc_options: []
 require_paths: