dependabot-python 0.350.0 → 0.352.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb +34 -18
  3. data/lib/dependabot/python/file_updater/poetry_file_updater.rb +6 -4
  4. data/lib/dependabot/python/language.rb +3 -3
  5. data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb +20 -9
  6. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ff8f5ef8b9e00108f378196ab5a05ccab573a42197a0585cb54d6b5cf97bad14
4
- data.tar.gz: ae41c189ec329bc8c044bba77435dacb643b0499d163b1cba2d06d0389724e77
3
+ metadata.gz: 6003fe06636162867de00796bf0df3145c7de4077eb635c65c52c1ec9a4df50e
4
+ data.tar.gz: e328a2f8dd8f8c9ae17ce4be35822ab9f3f9e554ee5f82688a0604a342ca39aa
5
5
  SHA512:
6
- metadata.gz: eee06d46b96e5ee06e295602754e4a9a94b6b227cc6448e9fca61a67980a7c51a1e0a7248b5afaef9b7175910fdcc4fa7d70eaef1c03d180d07cb102463eb348
7
- data.tar.gz: 8bfd1d6abda04b1f072286bec9b49065a6d015679eb741901c9c135929fffd1a81489eba468208732b63cd8cf58c659320e04b462cd1769fefec09d588c0a130
6
+ metadata.gz: af573776c4f167c72e6159ece26aef0bebf5d334b23763edd4ba93625764a5998fa4edeb753826915a120a561104305afd65777be3457da6557857162a2b086d
7
+ data.tar.gz: 4ebb87425b96545882e9efa783959dab8a4f93ab431471ce8d5a836b86a9a18f41fee37a58fed6e1b0c706a4c35b54c7d6d226338fc0dd5e189b3da2ed846d9a
data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb CHANGED
@@ -108,7 +108,12 @@ module Dependabot
108
108
  language_version_manager.install_required_python
109
109
 
110
110
  filenames_to_compile.each do |filename|
111
- compile_file(filename)
111
+ # Compile the file for each of its output files
112
+ # A single .in file may generate multiple .txt files with different --output-file options
113
+ output_files = compiled_files_for_filename(filename)
114
+ # When no output files are found, compile with nil to use default pip-compile behavior
115
+ output_files = [nil] if output_files.empty?
116
+ output_files.each { |output_file| compile_file(filename, output_file) }
112
117
  end
113
118
 
114
119
  # Remove any .python-version file before parsing the reqs
@@ -128,11 +133,11 @@ module Dependabot
128
133
  end
129
134
  end
130
135
 
131
- sig { params(filename: String).void }
132
- def compile_file(filename)
136
+ sig { params(filename: String, output_file: T.nilable(Dependabot::DependencyFile)).void }
137
+ def compile_file(filename, output_file)
133
138
  # Shell out to pip-compile, generate a new set of requirements.
134
139
  # This is slow, as pip-compile needs to do installs.
135
- options = pip_compile_options(filename)
140
+ options = pip_compile_options(filename, output_file)
136
141
  options_fingerprint = pip_compile_options_fingerprint(options)
137
142
 
138
143
  name_part = "pyenv exec pip-compile " \
@@ -516,14 +521,14 @@ module Dependabot
516
521
  )
517
522
  end
518
523
 
519
- sig { params(filename: String).returns(String) }
520
- def pip_compile_options(filename)
524
+ sig { params(filename: String, output_file: T.nilable(Dependabot::DependencyFile)).returns(String) }
525
+ def pip_compile_options(filename, output_file = nil)
521
526
  options = @build_isolation ? ["--build-isolation"] : ["--no-build-isolation"]
522
527
  options += pip_compile_index_options
523
528
 
524
- if (requirements_file = compiled_file_for_filename(filename))
525
- options += pip_compile_options_from_compiled_file(requirements_file)
526
- end
529
+ # Use the explicit output file if provided, otherwise fall back to finding one
530
+ requirements_file = output_file || compiled_file_for_filename(filename)
531
+ options += pip_compile_options_from_compiled_file(requirements_file) if requirements_file
527
532
 
528
533
  options.join(" ")
529
534
  end
@@ -584,8 +589,9 @@ module Dependabot
584
589
 
585
590
  files_from_compiled_files =
586
591
  pip_compile_files.map(&:name).select do |fn|
587
- compiled_file = compiled_file_for_filename(fn)
588
- compiled_file_includes_dependency?(compiled_file)
592
+ compiled_files_for_filename(fn).any? do |compiled_file|
593
+ compiled_file_includes_dependency?(compiled_file)
594
+ end
589
595
  end
590
596
 
591
597
  filenames = [*files_from_reqs, *files_from_compiled_files].uniq
@@ -593,17 +599,27 @@ module Dependabot
593
599
  order_filenames_for_compilation(filenames)
594
600
  end
595
601
 
602
+ # Returns the first compiled file for a given source filename
603
+ # Used for backward compatibility in places where only one file is needed
596
604
  sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
597
605
  def compiled_file_for_filename(filename)
598
- compiled_file =
599
- compiled_files
600
- .find { |f| T.must(f.content).match?(output_file_regex(filename)) }
606
+ compiled_files_for_filename(filename).first
607
+ end
608
+
609
+ # Returns all compiled files (.txt) that were generated from the given source file (.in)
610
+ # A single .in file may generate multiple .txt files with different --output-file options
611
+ sig { params(filename: String).returns(T::Array[Dependabot::DependencyFile]) }
612
+ def compiled_files_for_filename(filename)
613
+ # First, find all files that have an --output-file header referencing this input file
614
+ files_with_output_header = compiled_files.select do |f|
615
+ T.must(f.content).match?(output_file_regex(filename))
616
+ end
601
617
 
602
- compiled_file ||=
603
- compiled_files
604
- .find { |f| f.name == filename.gsub(/\.in$/, ".txt") }
618
+ return files_with_output_header if files_with_output_header.any?
605
619
 
606
- compiled_file
620
+ # Fall back to convention-based matching (input.in -> input.txt)
621
+ default_output = compiled_files.find { |f| f.name == filename.gsub(/\.in$/, ".txt") }
622
+ default_output ? [default_output] : []
607
623
  end
608
624
 
609
625
  sig { params(filename: T.any(String, Symbol)).returns(String) }
data/lib/dependabot/python/file_updater/poetry_file_updater.rb CHANGED
@@ -157,8 +157,10 @@ module Dependabot
157
157
 
158
158
  original_locked_python = TomlRB.parse(T.must(lockfile).content)["metadata"]["python-versions"]
159
159
 
160
- new_lockfile.gsub!(/\[metadata\]\n.*python-versions[^\n]+\n/m) do |match|
161
- match.gsub(/(["']).*(['"])\n\Z/, '\1' + original_locked_python + '\1' + "\n")
160
+ new_lockfile.gsub!(/\[metadata\](?:\r?\n).*python-versions[^\r\n]+(?:\r?\n)/m) do |match|
161
+ # Detect the line ending style from the match (CRLF or LF)
162
+ line_ending = match.include?("\r\n") ? "\r\n" : "\n"
163
+ match.gsub(/(["']).*\1(?:\r?\n)\Z/, '\1' + original_locked_python + '\1' + line_ending)
162
164
  end
163
165
 
164
166
  tmp_hash =
@@ -331,12 +333,12 @@ module Dependabot
331
333
  group = old_req[:groups].first
332
334
 
333
335
  header_regex = "#{group}(?:\\.dependencies)?\\]\s*(?:\s*#.*?)*?"
334
- /#{header_regex}\n.*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\n]*)$/mi
336
+ /#{header_regex}(?:\r?\n).*?(?<declaration>(?:^\s*|["'])#{escape(dep)}["']?\s*=[^\r\n]*)(?=\r?\n|$)/mi
335
337
  end
336
338
 
337
339
  sig { params(dep: Dependabot::Dependency, old_req: T::Hash[Symbol, T.untyped]).returns(Regexp) }
338
340
  def table_declaration_regex(dep, old_req)
339
- /tool\.poetry\.#{old_req[:groups].first}\.#{escape(dep)}\]\n.*?\s*version\s* =.*?\n/m
341
+ /tool\.poetry\.#{old_req[:groups].first}\.#{escape(dep)}\](?:\r?\n).*?\s*version\s* =.*?(?:\r?\n)/m
340
342
  end
341
343
 
342
344
  sig { params(dep: Dependabot::Dependency, old_req: String).returns(Regexp) }
data/lib/dependabot/python/language.rb CHANGED
@@ -14,10 +14,10 @@ module Dependabot
14
14
 
15
15
  # This list must match the versions specified at the top of `python/Dockerfile`
16
16
  # ARG PY_3_13=3.13.2
17
- # When updating this list, also update uv/lib/dependabot/uv/language.rb
17
+ # Note: uv ecosystem aliases this class, so updates here apply to both ecosystems.
18
18
  PRE_INSTALLED_PYTHON_VERSIONS_RAW = %w(
19
- 3.14.0
20
- 3.13.9
19
+ 3.14.2
20
+ 3.13.11
21
21
  3.12.12
22
22
  3.11.14
23
23
  3.10.19
data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb CHANGED
@@ -431,8 +431,9 @@ module Dependabot
431
431
 
432
432
  files_from_compiled_files =
433
433
  pip_compile_files.map(&:name).select do |fn|
434
- compiled_file = compiled_file_for_filename(fn)
435
- compiled_file_includes_dependency?(compiled_file)
434
+ compiled_files_for_filename(fn).any? do |compiled_file|
435
+ compiled_file_includes_dependency?(compiled_file)
436
+ end
436
437
  end
437
438
 
438
439
  filenames = [*files_from_reqs, *files_from_compiled_files].uniq
@@ -440,17 +441,27 @@ module Dependabot
440
441
  order_filenames_for_compilation(filenames)
441
442
  end
442
443
 
444
+ # Returns the first compiled file for a given source filename
445
+ # Used for backward compatibility in places where only one file is needed
443
446
  sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
444
447
  def compiled_file_for_filename(filename)
445
- compiled_file =
446
- compiled_files
447
- .find { |f| T.must(f.content).match?(output_file_regex(filename)) }
448
+ compiled_files_for_filename(filename).first
449
+ end
450
+
451
+ # Returns all compiled files (.txt) that were generated from the given source file (.in)
452
+ # A single .in file may generate multiple .txt files with different --output-file options
453
+ sig { params(filename: String).returns(T::Array[Dependabot::DependencyFile]) }
454
+ def compiled_files_for_filename(filename)
455
+ # First, find all files that have an --output-file header referencing this input file
456
+ files_with_output_header = compiled_files.select do |f|
457
+ T.must(f.content).match?(output_file_regex(filename))
458
+ end
448
459
 
449
- compiled_file ||=
450
- compiled_files
451
- .find { |f| f.name == filename.gsub(/\.in$/, ".txt") }
460
+ return files_with_output_header if files_with_output_header.any?
452
461
 
453
- compiled_file
462
+ # Fall back to convention-based matching (input.in -> input.txt)
463
+ default_output = compiled_files.find { |f| f.name == filename.gsub(/\.in$/, ".txt") }
464
+ default_output ? [default_output] : []
454
465
  end
455
466
 
456
467
  sig { params(filename: String).returns(String) }
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-python
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.350.0
4
+ version: 0.352.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.350.0
18
+ version: 0.352.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.350.0
25
+ version: 0.352.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -290,7 +290,7 @@ licenses:
290
290
  - MIT
291
291
  metadata:
292
292
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
293
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.350.0
293
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.352.0
294
294
  rdoc_options: []
295
295
  require_paths:
296
296
  - lib