dependabot-python 0.357.0 → 0.359.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d9c1af8569ef4090792c2ebee4bd6dd19e58e47c0d6bc1918804c26adeb4dfc
-  data.tar.gz: 5bb14421ad8c437294aba6d0d5a0bc0bca2c6dd61e8f7d998773c13f73750f5b
+  metadata.gz: 9b809922cec5a45858a2db5ccbc1a44616bd29e338b208ef2ce62c40cc92c5cc
+  data.tar.gz: 690573daf64882e4308e2b67962d218b050d6e35f5f2de463037c9d3bb4373f5
 SHA512:
-  metadata.gz: 9d91cabe7351ee1d2dcc0fcbe842d9cae3141b13cfbc313d683e4f2723102b9ecadb1fbf5545dc4a3de615a40eb6fcdd9669b84a2c1350df5420cd92486c38ec
-  data.tar.gz: b4be22afa1102a99dd8e3dc4a8935d28fd839d6917e029a1db19400dfd380b0f21c3c92e97b5aedf06c9b7eb5e6c46a1a90d0550cf37c1c6b80b158b863d8d53
+  metadata.gz: 85cbac2d3e04004f10fb8829b512c22962339aca71b3e2fe00b5b22a0af1a745cc6a0810d038f5bf084dcebd749959fb73bcf08408de67a5683a61d7eb47e121
+  data.tar.gz: f2336e9490af88f4a08ed69c4116b085d161e2e0e8ef5ea5e2e494fb1308ea5b62239761a675c4f214cd79b943a0414d7e2133a6a5e5573b4aac1ef433723a8a

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -19,7 +19,8 @@ module Dependabot
         POETRY_DEPENDENCY_TYPES = %w(dependencies dev-dependencies).freeze
 
         # https://python-poetry.org/docs/dependency-specification/
-        UNSUPPORTED_DEPENDENCY_TYPES = %w(git path url).freeze
+        # Git dependencies with tags are now supported for version tracking
+        UNSUPPORTED_DEPENDENCY_TYPES = %w(path url).freeze
 
         sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
@@ -148,13 +149,29 @@ module Dependabot
 
         # @param req can be an Array, Hash or String that represents the constraints for a dependency
         sig { params(req: T.untyped, type: String).returns(T::Array[T::Hash[Symbol, T.nilable(String)]]) }
+        # rubocop:disable Metrics/PerceivedComplexity
         def parse_requirements_from(req, type)
           [req].flatten.compact.filter_map do |requirement|
+            # Skip unsupported dependency types (path, url), but allow git
             next if requirement.is_a?(Hash) && UNSUPPORTED_DEPENDENCY_TYPES.intersect?(requirement.keys)
+            # Skip git dependencies without tags (e.g., with branch, rev)
+            next if requirement.is_a?(Hash) && requirement["git"] && !requirement["tag"]
 
-            check_requirements(requirement)
-
-            if requirement.is_a?(String)
+            # Handle git dependencies with tags
+            if requirement.is_a?(Hash) && requirement["git"] && requirement["tag"]
+              {
+                requirement: nil,
+                file: T.must(pyproject).name,
+                source: {
+                  type: "git",
+                  url: requirement["git"],
+                  ref: requirement["tag"],
+                  branch: nil
+                },
+                groups: [type]
+              }
+            elsif requirement.is_a?(String)
+              check_requirements(requirement)
               {
                 requirement: requirement,
                 file: T.must(pyproject).name,
@@ -162,15 +179,21 @@ module Dependabot
                 groups: [type]
               }
             else
+              check_requirements(requirement)
+              # String sources are registry name references (e.g., "custom") that reference
+              # [[tool.poetry.source]] definitions. Resolve them to proper hashes.
+              source_value = requirement.fetch("source", nil)
+              source = resolve_source(source_value)
               {
                 requirement: requirement["version"],
                 file: T.must(pyproject).name,
-                source: requirement.fetch("source", nil),
+                source: source,
                 groups: [type]
               }
             end
           end
         end
+        # rubocop:enable Metrics/PerceivedComplexity
 
         sig { returns(T.nilable(T::Boolean)) }
         def using_poetry?
@@ -280,6 +303,34 @@ module Dependabot
           NameNormaliser.normalise(name)
         end
 
+        sig { params(source_value: T.untyped).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def resolve_source(source_value)
+          # Return nil if no source specified
+          return nil if source_value.nil?
+
+          # If already a hash, return as-is (handles git sources)
+          return source_value if source_value.is_a?(Hash)
+
+          # String sources are references to [[tool.poetry.source]] definitions
+          # Look up the source definition and create a hash
+          return nil unless source_value.is_a?(String)
+
+          source_name = source_value
+          poetry_sources = parsed_pyproject.dig("tool", "poetry", "source") || []
+          source_def = poetry_sources.find { |s| s["name"] == source_name }
+
+          # If source definition not found, return nil
+          return nil unless source_def
+
+          # Create a hash with type and url from the source definition
+          # Use "registry" as the type since these are package index sources
+          {
+            type: "registry",
+            url: source_def["url"],
+            name: source_name
+          }
+        end
+
         sig { returns(T.untyped) }
         def parsed_pyproject
           @parsed_pyproject ||= T.let(TomlRB.parse(T.must(pyproject).content), T.untyped)

data/lib/dependabot/python/file_parser.rb

@@ -101,16 +101,12 @@ module Dependabot
 
       sig { returns(Ecosystem::VersionManager) }
       def package_manager
-        if Dependabot::Experiments.enabled?(:enable_file_parser_python_local)
-          Dependabot.logger.info("Detected package manager : #{detected_package_manager.name}")
-        end
-
         @package_manager ||= T.let(detected_package_manager, T.nilable(Dependabot::Ecosystem::VersionManager))
       end
 
       sig { returns(Ecosystem::VersionManager) }
       def detected_package_manager
-        setup_python_environment if Dependabot::Experiments.enabled?(:enable_file_parser_python_local)
+        setup_python_environment
 
         return PipenvPackageManager.new(T.must(detect_pipenv_version)) if detect_pipenv_version
 
@@ -225,11 +221,6 @@ module Dependabot
 
       sig { returns(String) }
       def python_raw_version
-        if Dependabot::Experiments.enabled?(:enable_file_parser_python_local)
-          Dependabot.logger.info("Detected python version: #{language_version_manager.python_version}")
-          Dependabot.logger.info("Detected python major minor version: #{language_version_manager.python_major_minor}")
-        end
-
         language_version_manager.python_version
       end
 

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -115,6 +115,9 @@ module Dependabot
           ).returns(String)
         end
         def replace_dep(dep, content, new_r, old_r)
+          # Handle Git dependencies with tags
+          return update_git_tag(dep, content, new_r, old_r) if git_dependency?(new_r) && git_dependency?(old_r)
+
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
 
@@ -149,6 +152,38 @@ module Dependabot
           content
         end
 
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
+        def git_dependency?(req)
+          req.dig(:source, :type) == "git"
+        end
+
+        sig do
+          params(
+            dep: Dependabot::Dependency,
+            content: String,
+            new_r: T::Hash[Symbol, T.untyped],
+            old_r: T::Hash[Symbol, T.untyped]
+          ).returns(String)
+        end
+        def update_git_tag(dep, content, new_r, old_r)
+          old_tag = old_r.dig(:source, :ref)
+          new_tag = new_r.dig(:source, :ref)
+
+          return content if old_tag == new_tag
+
+          # Match git dependency declaration with tag
+          # Example: fastapi = { git = "...", extras = ["all"], tag = "0.110.0" }
+          git_dep_regex = /
+            ^(\s*)#{Regexp.escape(dep.name)}(\s*=\s*\{[^}]*tag\s*=\s*)
+            ["']#{Regexp.escape(old_tag)}["']([^}]*\})
+          /mx
+
+          content.gsub(git_dep_regex) do
+            match_data = T.must(Regexp.last_match)
+            "#{match_data[1]}#{dep.name}#{match_data[2]}\"#{new_tag}\"#{match_data[3]}"
+          end
+        end
+
         sig { returns(String) }
         def updated_lockfile_content
           @updated_lockfile_content ||=
@@ -199,6 +234,9 @@ module Dependabot
 
           if poetry_object
             dependencies.each do |dep|
+              # Skip Git dependencies - they use tags/refs, not versions
+              next if git_dependency_being_updated?(dep)
+
               if dep.requirements.find { |r| r[:file] == pyproject&.name }
                 lock_declaration_to_new_version!(poetry_object, dep)
               else
@@ -240,6 +278,11 @@ module Dependabot
           poetry_object[subdep_type][dep.name] = dep.version
         end
 
+        sig { params(dep: Dependabot::Dependency).returns(T::Boolean) }
+        def git_dependency_being_updated?(dep)
+          dep.requirements.any? { |r| r.dig(:source, :type) == "git" }
+        end
+
         sig { params(pyproject_content: String).returns(String) }
         def sanitize(pyproject_content)
           PyprojectPreparer

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -1,4 +1,4 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
 require "cgi"
@@ -7,6 +7,7 @@ require "nokogiri"
 require "sorbet-runtime"
 
 require "dependabot/dependency"
+require "dependabot/git_commit_checker"
 require "dependabot/python/update_checker"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
@@ -22,6 +23,38 @@ module Dependabot
       class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
+        sig do
+          params(git_commit_checker: Dependabot::GitCommitChecker)
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
+        def latest_version_tag(git_commit_checker:)
+          return git_commit_checker.local_tag_for_latest_version unless cooldown_enabled?
+
+          allowed_version_tags = git_commit_checker.local_tags_for_allowed_versions
+          tags_in_cooldown = select_version_tags_in_cooldown_period(git_commit_checker)
+
+          return max_version_from_tags(allowed_version_tags) if tags_in_cooldown.empty?
+
+          filtered_tags = allowed_version_tags.reject do |tag|
+            tags_in_cooldown.include?(tag[:tag])
+          end
+
+          if filtered_tags.empty?
+            Dependabot.logger.info("All git tags filtered by cooldown for #{dependency.name}, returning nil")
+            return nil
+          end
+
+          filtered_count = allowed_version_tags.count - filtered_tags.count
+          if filtered_count.positive?
+            Dependabot.logger.info("Filtered #{filtered_count} git tags due to cooldown for #{dependency.name}")
+          end
+
+          max_version_from_tags(filtered_tags)
+        rescue StandardError => e
+          Dependabot.logger.error("Error fetching latest version tag: #{e.message}")
+          git_commit_checker.local_tag_for_latest_version
+        end
+
         sig do
           override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
@@ -35,7 +68,93 @@ module Dependabot
 
         sig { override.returns(T::Boolean) }
         def cooldown_enabled?
-          true
+          return false if cooldown_options.nil?
+
+          cooldown = T.must(cooldown_options)
+          cooldown.default_days.to_i.positive? ||
+            cooldown.semver_major_days.to_i.positive? ||
+            cooldown.semver_minor_days.to_i.positive? ||
+            cooldown.semver_patch_days.to_i.positive?
+        end
+
+        private
+
+        sig { params(tags: T::Array[T::Hash[Symbol, T.untyped]]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def max_version_from_tags(tags)
+          tags.max_by { |t| t[:version] }
+        end
+
+        sig { params(git_commit_checker: Dependabot::GitCommitChecker).returns(T::Array[String]) }
+        def select_version_tags_in_cooldown_period(git_commit_checker)
+          version_tags_in_cooldown_period = T.let([], T::Array[String])
+
+          git_commit_checker.refs_for_tag_with_detail.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(git_tag_with_detail)
+              version_tags_in_cooldown_period << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_period
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          []
+        end
+
+        sig { params(tag_with_detail: Dependabot::GitTagWithDetail).returns(T::Boolean) }
+        def check_if_version_in_cooldown_period?(tag_with_detail)
+          return false unless tag_with_detail.release_date
+
+          current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
+          tag_version_str = tag_with_detail.tag.delete_prefix("v")
+          return false unless version_class.correct?(tag_version_str)
+
+          new_version = version_class.new(tag_version_str)
+          days = cooldown_days_for(current_version, new_version)
+
+          passed_seconds = Time.now.to_i - release_date_to_seconds(tag_with_detail.release_date)
+          passed_seconds < days * DAY_IN_SECONDS
+        end
+
+        sig do
+          params(
+            current_version: T.nilable(Dependabot::Version),
+            new_version: Dependabot::Version
+          ).returns(Integer)
+        end
+        def cooldown_days_for(current_version, new_version)
+          return 0 unless cooldown_enabled?
+
+          cooldown = T.must(cooldown_options)
+          return 0 unless cooldown.included?(dependency.name)
+          return cooldown.default_days if current_version.nil?
+
+          current_version_semver = current_version.semver_parts
+          new_version_semver = new_version.semver_parts
+
+          return cooldown.default_days if current_version_semver.nil? || new_version_semver.nil?
+
+          current_major, current_minor, current_patch = current_version_semver
+          new_major, new_minor, new_patch = new_version_semver
+
+          return cooldown.semver_major_days if new_major > current_major
+          return cooldown.semver_minor_days if new_minor > current_minor
+          return cooldown.semver_patch_days if new_patch > current_patch
+
+          cooldown.default_days
+        end
+
+        sig { returns(T.class_of(Dependabot::Version)) }
+        def version_class
+          dependency.version_class
+        end
+
+        sig { params(release_date: T.nilable(String)).returns(Integer) }
+        def release_date_to_seconds(release_date)
+          return 0 unless release_date
+
+          Time.parse(release_date).to_i
+        rescue ArgumentError => e
+          Dependabot.logger.error("Invalid release date format: #{release_date} and error: #{e.message}")
+          0
         end
       end
     end

data/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -389,7 +389,7 @@ module Dependabot
           version = version.release if version.prerelease?
 
           lb_segments = version.segments
-          lb_segments.pop while lb_segments.last.zero?
+          lb_segments.pop while lb_segments.last&.zero?
 
           lb_segments
         end
@@ -400,7 +400,7 @@ module Dependabot
           version = req.requirements.first.last.release
 
           if req_string.strip.start_with?("^")
-            version.segments.index { |i| i != 0 }
+            version.segments.index { |i| i != 0 } || (version.segments.count - 1)
           elsif req_string.include?("*")
             version.segments.count - 1
           elsif req_string.strip.start_with?("~=", "==")

data/lib/dependabot/python/update_checker.rb

@@ -17,6 +17,7 @@ require "dependabot/update_checkers/base"
 
 module Dependabot
   module Python
+    # rubocop:disable Metrics/ClassLength
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       extend T::Sig
 
@@ -35,6 +36,8 @@ module Dependabot
 
       sig { override.returns(T.nilable(Gem::Version)) }
       def latest_version
+        return latest_version_for_git_dependency if git_dependency?
+
         @latest_version ||= T.let(
           fetch_latest_version,
           T.nilable(Gem::Version)
@@ -43,6 +46,8 @@ module Dependabot
 
       sig { override.returns(T.nilable(Gem::Version)) }
       def latest_resolvable_version
+        return latest_resolvable_version_for_git_dependency if git_dependency?
+
         @latest_resolvable_version ||= T.let(
           if resolver_type == :requirements
             resolver.latest_resolvable_version
@@ -59,6 +64,8 @@ module Dependabot
 
       sig { override.returns(T.nilable(Gem::Version)) }
       def latest_resolvable_version_with_no_unlock
+        return T.cast(dependency.version, T.nilable(Gem::Version)) if git_dependency? && git_commit_checker.pinned?
+
         @latest_resolvable_version_with_no_unlock ||= T.let(
           if resolver_type == :requirements
             resolver.latest_resolvable_version_with_no_unlock
@@ -88,6 +95,8 @@ module Dependabot
 
       sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
+        return updated_git_requirements if git_dependency?
+
         RequirementsUpdater.new(
           requirements: requirements,
           latest_resolvable_version: preferred_resolvable_version&.to_s,
@@ -112,6 +121,64 @@ module Dependabot
 
       private
 
+      sig { returns(T::Boolean) }
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      sig { returns(T.nilable(Gem::Version)) }
+      def latest_version_for_git_dependency
+        latest_git_version_details&.fetch(:version)
+      end
+
+      sig { returns(T.nilable(Gem::Version)) }
+      def latest_resolvable_version_for_git_dependency
+        # For git dependencies, we assume the latest version is resolvable
+        latest_version_for_git_dependency
+      end
+
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def updated_git_requirements
+        updated_source = updated_git_source
+        return requirements unless updated_source
+
+        requirements.map do |req|
+          req.merge(source: updated_source)
+        end
+      end
+
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      def updated_git_source
+        # Update the git tag if a new version is available
+        if git_commit_checker.pinned_ref_looks_like_version? && latest_git_version_details
+          new_tag = T.must(latest_git_version_details).fetch(:tag)
+          source_details = dependency.source_details
+          return source_details.transform_keys(&:to_sym).merge(ref: new_tag) if source_details
+        end
+
+        # Otherwise return the original source
+        dependency.source_details&.transform_keys(&:to_sym)
+      end
+
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      def latest_git_version_details
+        @latest_git_version_details ||= T.let(
+          latest_version_finder.latest_version_tag(git_commit_checker: git_commit_checker),
+          T.nilable(T::Hash[Symbol, T.untyped])
+        )
+      end
+
+      sig { returns(Dependabot::GitCommitChecker) }
+      def git_commit_checker
+        @git_commit_checker ||= T.let(
+          Dependabot::GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::GitCommitChecker)
+        )
+      end
+
       sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
         # Full unlock checks aren't implemented for Python (yet)
@@ -135,10 +202,6 @@ module Dependabot
 
       sig { returns(T.untyped) }
       def resolver
-        if Dependabot::Experiments.enabled?(:enable_file_parser_python_local)
-          Dependabot.logger.info("Python package resolver : #{resolver_type}")
-        end
-
         case resolver_type
         when :pip_compile then pip_compile_version_resolver
         when :pipenv then pipenv_version_resolver
@@ -456,6 +519,7 @@ module Dependabot
         dependency_files.select { |f| f.name.end_with?(".in") }
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.357.0
+  version: 0.359.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.357.0
+        version: 0.359.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.357.0
+        version: 0.359.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -291,7 +291,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.357.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.359.0
 rdoc_options: []
 require_paths:
 - lib