dependabot-python 0.320.0 → 0.320.1

data/lib/dependabot/python/package/package_registry_finder.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/python/update_checker"
 require "dependabot/python/authed_url_builder"
 require "dependabot/errors"
@@ -9,15 +10,27 @@ module Dependabot
   module Python
     module Package
       class PackageRegistryFinder
+        extend T::Sig
+
         PYPI_BASE_URL = "https://pypi.org/simple/"
         ENVIRONMENT_VARIABLE_REGEX = /\$\{.+\}/
 
+        UrlsHash = T.type_alias { { main: T.nilable(String), extra: T::Array[String] } }
+
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            dependency: Dependabot::Dependency
+          ).void
+        end
         def initialize(dependency_files:, credentials:, dependency:)
-          @dependency_files = dependency_files
-          @credentials      = credentials
-          @dependency       = dependency
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials      = T.let(credentials, T::Array[Dependabot::Credential])
+          @dependency       = T.let(dependency, Dependabot::Dependency)
         end
 
+        sig { returns(T::Array[String]) }
         def registry_urls
           extra_index_urls =
             config_variable_index_urls[:extra] +
@@ -40,9 +53,13 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
 
+        sig { returns(String) }
         def main_index_url
           url =
             config_variable_index_urls[:main] ||
@@ -55,92 +72,109 @@ module Dependabot
           clean_check_and_remove_environment_variables(url)
         end
 
+        sig { returns(UrlsHash) }
         def requirement_file_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
 
           requirements_files.each do |file|
-            if file.content.match?(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
+            content = T.must(file.content)
+            if content.match?(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
               urls[:main] =
-                file.content.match(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
-                    .captures.first&.strip
+                T.must(content.match(/^--index-url\s+['"]?([^\s'"]+)['"]?/))
+                 .captures.first&.strip
             end
-            urls[:extra] +=
-              file.content
-                  .scan(/^--extra-index-url\s+['"]?([^\s'"]+)['"]?/)
-                  .flatten
-                  .map(&:strip)
+            extra_urls = urls[:extra]
+            extra_urls +=
+              content
+              .scan(/^--extra-index-url\s+['"]?([^\s'"]+)['"]?/)
+              .flatten
+              .map(&:strip)
+            urls[:extra] = extra_urls
           end
 
           urls
         end
 
+        sig { returns(UrlsHash) }
         def pip_conf_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
 
           return urls unless pip_conf
 
-          content = pip_conf.content
+          content = T.must(pip_conf).content
+          return urls unless content
 
           if content.match?(/^index-url\s*=/x)
-            urls[:main] = content.match(/^index-url\s*=\s*(.+)/)
-                                 .captures.first
+            urls[:main] = T.must(content.match(/^index-url\s*=\s*(.+)/))
+                           .captures.first
           end
-          urls[:extra] += content.scan(/^extra-index-url\s*=(.+)/).flatten
+          extra_urls = urls[:extra]
+          extra_urls += content.scan(/^extra-index-url\s*=(.+)/).flatten
+          urls[:extra] = extra_urls
 
           urls
         end
 
+        sig { returns(UrlsHash) }
         def pipfile_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
+          begin
+            return urls unless pipfile
 
-          return urls unless pipfile
+            content = T.must(pipfile).content
+            return urls unless content
 
-          pipfile_object = TomlRB.parse(pipfile.content)
+            pipfile_object = TomlRB.parse(content)
 
-          urls[:main] = pipfile_object["source"]&.first&.fetch("url", nil)
+            urls[:main] = pipfile_object["source"]&.first&.fetch("url", nil)
 
-          pipfile_object["source"]&.each do |source|
-            urls[:extra] << source.fetch("url") if source["url"]
-          end
-          urls[:extra] = urls[:extra].uniq
+            pipfile_object["source"]&.each do |source|
+              urls[:extra] << source.fetch("url") if source["url"]
+            end
+            urls[:extra] = urls[:extra].uniq
 
-          urls
-        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-          urls
+            urls
+          rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+            urls
+          end
         end
 
+        sig { returns(UrlsHash) }
         def pyproject_index_urls
-          urls = { main: nil, extra: [] }
-
-          return urls unless pyproject
-
-          sources =
-            TomlRB.parse(pyproject.content).dig("tool", "poetry", "source") ||
-            []
-
-          sources.each do |source|
-            # If source is PyPI, skip it, and let it pick the default URI
-            next if source["name"].casecmp?("PyPI")
-
-            if @dependency.all_sources.include?(source["name"])
-              # If dependency has specified this source, use it
-              return { main: source["url"], extra: [] }
-            elsif source["default"]
-              urls[:main] = source["url"]
-            elsif source["priority"] != "explicit"
-              # if source is not explicit, add it to extra
-              urls[:extra] << source["url"]
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
+
+          begin
+            return urls unless pyproject
+
+            sources =
+              TomlRB.parse(T.must(T.must(pyproject).content)).dig("tool", "poetry", "source") ||
+              []
+
+            sources.each do |source|
+              # If source is PyPI, skip it, and let it pick the default URI
+              next if source["name"].casecmp?("PyPI")
+
+              if @dependency.all_sources.include?(source["name"])
+                # If dependency has specified this source, use it
+                return { main: source["url"], extra: [] }
+              elsif source["default"]
+                urls[:main] = source["url"]
+              elsif source["priority"] != "explicit"
+                # if source is not explicit, add it to extra
+                urls[:extra] << source["url"]
+              end
             end
-          end
-          urls[:extra] = urls[:extra].uniq
+            urls[:extra] = urls[:extra].uniq
 
-          urls
-        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-          urls
+            urls
+          rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+            urls
+          end
         end
 
+        sig { returns(UrlsHash) }
         def config_variable_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
 
           index_url_creds = credentials
                             .select { |cred| cred["type"] == "python_index" }
@@ -157,6 +191,7 @@ module Dependabot
           urls
         end
 
+        sig { params(url: String).returns(String) }
         def clean_check_and_remove_environment_variables(url)
           url = url.strip.sub(%r{/+$}, "") + "/"
 
@@ -186,6 +221,7 @@ module Dependabot
           raise PrivateSourceAuthenticationFailure, url
         end
 
+        sig { params(base_url: String).returns(String) }
         def authed_base_url(base_url)
           cred = credential_for(base_url)
           return base_url unless cred
@@ -193,6 +229,7 @@ module Dependabot
           AuthedUrlBuilder.authed_url(credential: cred).gsub(%r{/*$}, "") + "/"
         end
 
+        sig { params(url: String).returns(T.nilable(Dependabot::Credential)) }
         def credential_for(url)
           credentials
             .select { |c| c["type"] == "python_index" }
@@ -202,22 +239,27 @@ module Dependabot
             end
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pip_conf
           dependency_files.find { |f| f.name == "pip.conf" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pipfile
           dependency_files.find { |f| f.name == "Pipfile" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           dependency_files.find { |f| f.name == "pyproject.toml" }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def requirements_files
           dependency_files.select { |f| f.name.match?(/requirements/x) }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def pip_compile_files
           dependency_files.select { |f| f.name.end_with?(".in") }
         end

data/lib/dependabot/python/pipenv_runner.rb

@@ -25,7 +25,7 @@ module Dependabot
         @language_version_manager = language_version_manager
       end
 
-      sig { params(constraint: String).returns(String) }
+      sig { params(constraint: T.nilable(String)).returns(String) }
       def run_upgrade(constraint)
         constraint = "" if constraint == "*"
         command = "pyenv exec pipenv upgrade --verbose #{dependency_name}#{constraint}"
@@ -34,7 +34,7 @@ module Dependabot
         run(command, fingerprint: "pyenv exec pipenv upgrade --verbose <dependency_name><constraint>")
       end
 
-      sig { params(constraint: String).returns(T.nilable(String)) }
+      sig { params(constraint: T.nilable(String)).returns(T.nilable(String)) }
       def run_upgrade_and_fetch_version(constraint)
         run_upgrade(constraint)
 

data/lib/dependabot/python/requirement.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -12,26 +12,27 @@ module Dependabot
     class Requirement < Dependabot::Requirement
       extend T::Sig
 
-      OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/
+      OR_SEPARATOR = T.let(/(?<=[a-zA-Z0-9)*])\s*\|+/, Regexp)
 
       # Add equality and arbitrary-equality matchers
-      OPS = OPS.merge(
-        "==" => ->(v, r) { v == r },
-        "===" => ->(v, r) { v.to_s == r.to_s }
-      )
+      OPS = T.let(OPS.merge(
+                    "==" => ->(v, r) { v == r },
+                    "===" => ->(v, r) { v.to_s == r.to_s }
+                  ), T::Hash[String, T.proc.params(arg0: T.untyped, arg1: T.untyped).returns(T.untyped)])
 
       quoted = OPS.keys.sort_by(&:length).reverse
                   .map { |k| Regexp.quote(k) }.join("|")
       version_pattern = Python::Version::VERSION_PATTERN
 
-      PATTERN_RAW = "\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze
-      PATTERN = /\A#{PATTERN_RAW}\z/
-      PARENS_PATTERN = /\A\(([^)]+)\)\z/
+      PATTERN_RAW = T.let("\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze, String)
+      PATTERN = T.let(/\A#{PATTERN_RAW}\z/, Regexp)
+      PARENS_PATTERN = T.let(/\A\(([^)]+)\)\z/, Regexp)
 
+      sig { params(obj: T.any(Gem::Version, String)).returns([String, Gem::Version]) }
       def self.parse(obj)
-        return ["=", Python::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+        return ["=", obj] if obj.is_a?(Gem::Version)
 
-        line = obj.to_s
+        line = obj
         if (matches = PARENS_PATTERN.match(line))
           line = matches[1]
         end
@@ -63,6 +64,7 @@ module Dependabot
         end
       end
 
+      sig { params(requirements: T.nilable(T.any(String, T::Array[String]))).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
           next if req_string.nil?
@@ -78,20 +80,23 @@ module Dependabot
         super(requirements)
       end
 
+      sig { params(version: T.any(Gem::Version, String)).returns(T::Boolean) }
       def satisfied_by?(version)
         version = Python::Version.new(version.to_s)
 
-        requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
+        requirements.all? { |op, rv| T.must(OPS[op] || OPS["="]).call(version, rv) }
       end
 
+      sig { returns(T::Boolean) }
       def exact?
-        return false unless @requirements.size == 1
+        return false unless requirements.size == 1
 
-        %w(= == ===).include?(@requirements[0][0])
+        %w(= == ===).include?(requirements[0][0])
       end
 
       private
 
+      sig { params(req_string: T.nilable(String)).returns(T.nilable(T.any(String, T::Array[String]))) }
       def convert_python_constraint_to_ruby_constraint(req_string)
         return nil if req_string.nil? || req_string.strip.empty?
         return nil if req_string == "*"
@@ -111,6 +116,7 @@ module Dependabot
 
       # Poetry uses ~ requirements.
       # https://github.com/sdispater/poetry#tilde-requirements
+      sig { params(req_string: String).returns(String) }
       def convert_tilde_req(req_string)
         version = req_string.gsub(/^~\>?/, "")
         parts = version.split(".")
@@ -120,18 +126,19 @@ module Dependabot
 
       # Poetry uses ^ requirements
       # https://github.com/sdispater/poetry#caret-requirement
+      sig { params(req_string: String).returns(T::Array[String]) }
       def convert_caret_req(req_string)
         version = req_string.gsub(/^\^/, "")
         parts = version.split(".")
-        parts.fill(0, parts.length...3)
+        parts.fill("0", parts.length...3)
         first_non_zero = parts.find { |d| d != "0" }
         first_non_zero_index =
           first_non_zero ? parts.index(first_non_zero) : parts.count - 1
         upper_bound = parts.map.with_index do |part, i|
-          if i < first_non_zero_index then part
+          if i < T.must(first_non_zero_index) then part
           elsif i == first_non_zero_index then (part.to_i + 1).to_s
           # .dev has lowest precedence: https://packaging.python.org/en/latest/specifications/version-specifiers/#summary-of-permitted-suffixes-and-relative-ordering
-          elsif i > first_non_zero_index && i == 2 then "0.dev"
+          elsif i > T.must(first_non_zero_index) && i == 2 then "0.dev"
           else
             0
           end
@@ -140,24 +147,26 @@ module Dependabot
         [">= #{version}", "< #{upper_bound}"]
       end
 
+      sig { params(req_string: String).returns(String) }
       def convert_wildcard(req_string)
         # NOTE: This isn't perfect. It replaces the "!= 1.0.*" case with
         # "!= 1.0.0". There's no way to model this correctly in Ruby :'(
         quoted_ops = OPS.keys.sort_by(&:length).reverse
                         .map { |k| Regexp.quote(k) }.join("|")
-        op = req_string.match(/\A\s*(#{quoted_ops})?/)
-                       .captures.first.to_s&.strip
+        op_match = req_string.match(/\A\s*(#{quoted_ops})?/)
+        op = op_match&.captures&.first.to_s.strip
         exact_op = ["", "=", "==", "==="].include?(op)
 
         req_string.strip
                   .split(".")
-                  .first(req_string.split(".").index { |s| s.include?("*") } + 1)
+                  .first(T.must(req_string.split(".").index { |s| s.include?("*") }) + 1)
                   .join(".")
                   .gsub(/\*(?!$)/, "0")
                   .gsub(/\*$/, "0.dev")
                   .tap { |s| exact_op ? s.gsub!(/^(?<!!)=*/, "~>") : s }
       end
 
+      sig { params(req_string: String).returns(T.any(String, T::Array[String])) }
       def convert_exact(req_string)
         arbitrary_equality = req_string.start_with?("===")
         cleaned_version = req_string.gsub(/^=+/, "").strip