dependabot-python 0.364.0 → 0.365.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad6e1e80553f3ffd620ea7d83d9e9d6dbe3d910b069df6e970b3b0176090f024
-  data.tar.gz: 4869abdc7a7905d29c03d5e3620f7b5f8f5a5321131f035d9aa070563db6cff2
+  metadata.gz: 4c8198c7872836b593620355006c05b2c8c4e7c2d01ff504055abdbb48060bcd
+  data.tar.gz: 1ecac99ad26554ca0ae29881083da1bd0b40698fe459594cdb37e253c6388492
 SHA512:
-  metadata.gz: 896f820ec9168bee0abb669b46c5ad4368d741b6a15bc3b81d22cbaeea63416043c1a81801c9df5965177c8b4681b7f9dc860b90b36b870a1e8be3700725a670
-  data.tar.gz: c4a75fcb7e5ad87522d6817a1d3cc716d11b0766f164ce7917e196a879f743761eab3eb269bebd57d4473d51f3117f9e35e4d12ced3d55e31794ed7365eab290
+  metadata.gz: bf1ee8da823a08a786319eb38a842620311d672d8ea157570f936bb7ff9abb6f3ecc44815f048cf547bca3dbfe22a6f07523d3c23b43ae3352c3b7da046fc673
+  data.tar.gz: 313756cb337d95a513c7ff4a628d0d91b4a15eac11cc06946be1ea98dd724106b77622140cb4abd3c9cbecbf48359978976d6d426e70b4d680bb38820c78c72b

data/lib/dependabot/python/dependency_grapher.rb

@@ -0,0 +1,293 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "json"
+require "sorbet-runtime"
+
+require "dependabot/dependency_graphers"
+require "dependabot/dependency_graphers/base"
+require "dependabot/python/file_parser"
+require "dependabot/python/language_version_manager"
+require "dependabot/python/name_normaliser"
+require "dependabot/python/pip_compile_file_matcher"
+require "dependabot/python/pipenv_runner"
+require "toml-rb"
+
+module Dependabot
+  module Python
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      sig { override.returns(Dependabot::DependencyFile) }
+      def relevant_dependency_file
+        dependency_files_by_package_manager = T.let(
+          {
+            PipenvPackageManager::NAME => [pipfile_lock, pipfile],
+            PoetryPackageManager::NAME => [poetry_lock, pyproject_toml],
+            PipCompilePackageManager::NAME => [pip_compile_lockfile, pip_compile_manifest, pyproject_toml],
+            PipPackageManager::NAME => [pip_requirements_file, pyproject_toml, pipfile_lock, pipfile, setup_file,
+                                        setup_cfg_file]
+          },
+          T::Hash[String, T::Array[T.nilable(Dependabot::DependencyFile)]]
+        )
+
+        candidates = dependency_files_by_package_manager.fetch(python_package_manager, [])
+        relevant_file = candidates.compact.first
+        return relevant_file if relevant_file
+
+        raise DependabotError, "No supported dependency file present."
+      end
+
+      private
+
+      sig { returns(String) }
+      def python_package_manager
+        T.must(file_parser.ecosystem).package_manager.name
+      end
+
+      sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def fetch_subdependencies(dependency)
+        package_relationships.fetch(dependency.name, []).select { |child| dependency_name_set.include?(child) }
+      end
+
+      sig { override.params(_dependency: Dependabot::Dependency).returns(String) }
+      def purl_pkg_for(_dependency)
+        "pypi"
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def package_relationships
+        @package_relationships ||= T.let(
+          fetch_package_relationships,
+          T.nilable(T::Hash[String, T::Array[String]])
+        )
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_package_relationships
+        case python_package_manager
+        when PoetryPackageManager::NAME
+          poetry_lock ? fetch_poetry_lock_relationships : {}
+        when PipenvPackageManager::NAME
+          pipfile_lock ? fetch_pipfile_lock_relationships : {}
+        else
+          {}
+        end
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_poetry_lock_relationships
+        TomlRB.parse(T.must(poetry_lock).content).fetch("package", []).each_with_object({}) do |pkg, rels|
+          next unless pkg.is_a?(Hash) && pkg["name"].is_a?(String)
+
+          parent = NameNormaliser.normalise(pkg["name"])
+          deps = pkg["dependencies"]
+          deps = {} unless deps.is_a?(Hash)
+          children = deps.keys.map { |name| NameNormaliser.normalise(name) }
+          rels[parent] = children
+        end
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        raise Dependabot::DependencyFileNotParseable, T.must(poetry_lock).name
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_pipfile_lock_relationships
+        json_output = pipenv_runner.run_pipenv_graph
+        parse_pipenv_graph_output(json_output)
+      end
+
+      # Parses the JSON output from `pipenv graph --json`.
+      #
+      # The format is a flat list where each entry has a "package" object and a "dependencies" array:
+      #   [
+      #     {
+      #       "package": { "package_name": "requests", "installed_version": "2.32.5", ... },
+      #       "dependencies": [
+      #         { "package_name": "certifi", "installed_version": "2024.2.2", ... },
+      #         ...
+      #       ]
+      #     },
+      #     ...
+      #   ]
+      sig { params(json_output: String).returns(T::Hash[String, T::Array[String]]) }
+      def parse_pipenv_graph_output(json_output)
+        graph = JSON.parse(json_output)
+        return {} unless valid_pipenv_graph_array?(graph)
+
+        graph.each_with_object({}) do |entry, rels|
+          parent = pipenv_parent_name(entry)
+          next unless parent
+
+          rels[parent] = pipenv_child_names(entry)
+        end
+      rescue JSON::ParserError
+        Dependabot.logger.warn("Unexpected output from 'pipenv graph --json': could not parse as JSON")
+        {}
+      end
+
+      sig { params(graph: T.untyped).returns(T::Boolean) }
+      def valid_pipenv_graph_array?(graph)
+        return true if graph.is_a?(Array)
+
+        Dependabot.logger.warn("Unexpected output from 'pipenv graph --json': expected a JSON array")
+        false
+      end
+
+      sig { params(entry: T.untyped).returns(T.nilable(String)) }
+      def pipenv_parent_name(entry)
+        return nil unless entry.is_a?(Hash)
+
+        pkg = entry["package"]
+        return nil unless pkg.is_a?(Hash)
+
+        package_name = pkg["package_name"]
+        return nil unless package_name.is_a?(String)
+
+        NameNormaliser.normalise(package_name)
+      end
+
+      sig { params(entry: T.untyped).returns(T::Array[String]) }
+      def pipenv_child_names(entry)
+        deps = entry.is_a?(Hash) ? entry["dependencies"] : nil
+        return [] unless deps.is_a?(Array)
+
+        deps.filter_map do |dep|
+          next unless dep.is_a?(Hash)
+
+          package_name = dep["package_name"]
+          next unless package_name.is_a?(String)
+
+          NameNormaliser.normalise(package_name)
+        end
+      end
+
+      sig { returns(T::Set[String]) }
+      def dependency_name_set
+        @dependency_name_set ||= T.let(
+          Set.new(@dependencies.map(&:name)),
+          T.nilable(T::Set[String])
+        )
+      end
+
+      sig { returns(PipenvRunner) }
+      def pipenv_runner
+        @pipenv_runner ||= T.let(
+          PipenvRunner.new(
+            dependency: nil,
+            lockfile: pipfile_lock,
+            language_version_manager: language_version_manager,
+            dependency_files: dependency_files
+          ),
+          T.nilable(PipenvRunner)
+        )
+      end
+
+      sig { returns(LanguageVersionManager) }
+      def language_version_manager
+        @language_version_manager ||= T.let(
+          LanguageVersionManager.new(
+            python_requirement_parser: python_requirement_parser
+          ),
+          T.nilable(LanguageVersionManager)
+        )
+      end
+
+      sig { returns(FileParser::PythonRequirementParser) }
+      def python_requirement_parser
+        @python_requirement_parser ||= T.let(
+          FileParser::PythonRequirementParser.new(
+            dependency_files: dependency_files
+          ),
+          T.nilable(FileParser::PythonRequirementParser)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pyproject_toml
+        dependency_file("pyproject.toml")
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def poetry_lock
+        dependency_file(PoetryPackageManager::LOCKFILE_NAME)
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pipfile
+        dependency_file(PipenvPackageManager::MANIFEST_FILENAME)
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pipfile_lock
+        dependency_file(PipenvPackageManager::LOCKFILE_FILENAME)
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def setup_file
+        dependency_file("setup.py")
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def setup_cfg_file
+        dependency_file("setup.cfg")
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def requirements_in_files
+        @requirements_in_files ||= T.let(
+          dependency_files.select { |f| f.name.end_with?(".in") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pip_compile_lockfile
+        return @pip_compile_lockfile if defined?(@pip_compile_lockfile)
+
+        @pip_compile_lockfile = T.let(
+          dependency_files.find { |f| pip_compile_file_matcher.lockfile_for_pip_compile_file?(f) },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pip_compile_manifest
+        return @pip_compile_manifest if defined?(@pip_compile_manifest)
+
+        lockfile = pip_compile_lockfile
+        @pip_compile_manifest = T.let(
+          if lockfile
+            pip_compile_file_matcher.manifest_for_pip_compile_lockfile(lockfile)
+          else
+            requirements_in_files.first
+          end,
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pip_requirements_file
+        return @pip_requirements_file if defined?(@pip_requirements_file)
+
+        @pip_requirements_file = T.let(
+          dependency_files.find { |f| f.name == "requirements.txt" } ||
+            dependency_files.find { |f| f.name.end_with?(".txt") },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
+      def dependency_file(filename)
+        dependency_files.find { |file| file.name == filename }
+      end
+
+      sig { returns(PipCompileFileMatcher) }
+      def pip_compile_file_matcher
+        @pip_compile_file_matcher ||= T.let(
+          PipCompileFileMatcher.new(requirements_in_files),
+          T.nilable(PipCompileFileMatcher)
+        )
+      end
+    end
+  end
+end
+
+Dependabot::DependencyGraphers.register("pip", Dependabot::Python::DependencyGrapher)

data/lib/dependabot/python/pip_compile_file_matcher.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 module Dependabot
@@ -20,8 +20,14 @@ module Dependabot
 
         return true if file.content&.match?(output_file_regex(name))
 
-        basename = name.gsub(/\.txt$/, "")
-        requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
+        !!manifest_for_lockfile_name(name)
+      end
+
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
+      def manifest_for_pip_compile_lockfile(file)
+        return nil unless lockfile_for_pip_compile_file?(file)
+
+        manifest_for_lockfile_name(file.name) || requirements_in_files.first
       end
 
       private
@@ -33,6 +39,12 @@ module Dependabot
       def output_file_regex(filename)
         "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
       end
+
+      sig { params(lockfile_name: String).returns(T.nilable(Dependabot::DependencyFile)) }
+      def manifest_for_lockfile_name(lockfile_name)
+        basename = lockfile_name.gsub(/\.txt$/, "")
+        requirements_in_files.find { |f| f.name == basename + ".in" }
+      end
     end
   end
 end

data/lib/dependabot/python/pipenv_runner.rb

@@ -13,16 +13,18 @@ module Dependabot
 
       sig do
         params(
-          dependency: Dependabot::Dependency,
+          dependency: T.nilable(Dependabot::Dependency),
           lockfile: T.nilable(Dependabot::DependencyFile),
-          language_version_manager: LanguageVersionManager
+          language_version_manager: LanguageVersionManager,
+          dependency_files: T.nilable(T::Array[Dependabot::DependencyFile])
         )
           .void
       end
-      def initialize(dependency:, lockfile:, language_version_manager:)
+      def initialize(dependency:, lockfile:, language_version_manager:, dependency_files: nil)
         @dependency = dependency
         @lockfile = lockfile
         @language_version_manager = language_version_manager
+        @dependency_files = dependency_files
       end
 
       sig { params(constraint: T.nilable(String)).returns(String) }
@@ -48,6 +50,17 @@ module Dependabot
         fetch_version_from_parsed_lockfile(updated_lockfile)
       end
 
+      # Called by Python::DependencyGrapher.
+      sig { returns(String) }
+      def run_pipenv_graph
+        SharedHelpers.in_a_temporary_directory do
+          write_temporary_dependency_files
+          language_version_manager.install_required_python
+          run_command("pyenv exec pipenv sync --dev", fingerprint: "pyenv exec pipenv sync --dev")
+          run_command("pyenv exec pipenv graph --json", fingerprint: "pyenv exec pipenv graph --json")
+        end
+      end
+
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def run(command, fingerprint: nil)
         run_command(
@@ -60,7 +73,7 @@ module Dependabot
 
       private
 
-      sig { returns(Dependabot::Dependency) }
+      sig { returns(T.nilable(Dependabot::Dependency)) }
       attr_reader :dependency
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
@@ -69,6 +82,25 @@ module Dependabot
       sig { returns(LanguageVersionManager) }
       attr_reader :language_version_manager
 
+      sig { returns(T.nilable(T::Array[Dependabot::DependencyFile])) }
+      attr_reader :dependency_files
+
+      sig { returns(Dependabot::Dependency) }
+      def current_dependency
+        T.must(dependency)
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def write_temporary_dependency_files
+        T.must(dependency_files)
+         .reject { |f| f.name == ".python-version" }
+         .each do |file|
+          path = file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, file.content)
+        end
+      end
+
       sig { returns(String) }
       def extras_specification
         extras = dependency_extras
@@ -108,8 +140,8 @@ module Dependabot
 
       sig { returns(String) }
       def lockfile_section
-        if dependency.requirements.any?
-          T.must(dependency.requirements.first)[:groups].first
+        if current_dependency.requirements.any?
+          T.must(current_dependency.requirements.first)[:groups].first
         else
           Python::FileParser::DEPENDENCY_GROUP_KEYS.each do |keys|
             section = keys.fetch(:lockfile)
@@ -120,7 +152,7 @@ module Dependabot
 
       sig { returns(String) }
       def dependency_name
-        dependency.metadata[:original_name] || dependency.name
+        current_dependency.metadata[:original_name] || current_dependency.name
       end
 
       sig { returns(T::Hash[String, String]) }

data/lib/dependabot/python/update_checker/pip_version_resolver/marker_evaluator.rb

@@ -0,0 +1,241 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/python/update_checker/pip_version_resolver"
+
+module Dependabot
+  module Python
+    class UpdateChecker
+      class PipVersionResolver
+        class MarkerEvaluator
+          extend T::Sig
+
+          sig { params(requirement_string: String).returns([T.nilable(String), T.nilable(String)]) }
+          def split_requirement_and_marker(requirement_string)
+            separator_index = T.let(nil, T.nilable(Integer))
+            in_single_quote = T.let(false, T::Boolean)
+            in_double_quote = T.let(false, T::Boolean)
+
+            requirement_string.each_char.with_index do |char, index|
+              in_single_quote, in_double_quote, quote_toggled =
+                toggle_quote_state(char, in_single_quote, in_double_quote)
+              next if quote_toggled
+              next if in_single_quote || in_double_quote
+              next unless char == ";"
+
+              separator_index = index
+              break
+            end
+
+            return [requirement_string.strip, nil] if separator_index.nil?
+
+            requirement_part = requirement_string[0...separator_index]
+            marker_part = requirement_string[(separator_index + 1)..]
+
+            [requirement_part&.strip, marker_part&.strip]
+          end
+
+          sig { params(marker: String, python_version: String).returns(T::Boolean) }
+          def marker_satisfied?(marker:, python_version:)
+            evaluate_marker_expression(marker, python_version)
+          rescue ArgumentError
+            # If we cannot safely parse a python marker, treat it as applicable.
+            # This avoids silently skipping transitive constraints that may break installs.
+            true
+          end
+
+          private
+
+          sig { params(expression: String, python_version: String).returns(T::Boolean) }
+          def evaluate_marker_expression(expression, python_version)
+            expr = strip_wrapping_parentheses(expression.strip)
+
+            or_parts = split_top_level(expr, "or")
+            return or_parts.any? { |part| evaluate_marker_expression(part, python_version) } if or_parts.length > 1
+
+            and_parts = split_top_level(expr, "and")
+            if and_parts.length > 1
+              return and_parts.all? do |part|
+                evaluate_marker_expression(part, python_version) || !python_marker?(part)
+              end
+            end
+
+            not_expression = strip_top_level_not(expr)
+            if not_expression
+              return false unless python_marker?(not_expression)
+
+              return !evaluate_marker_expression(not_expression, python_version)
+            end
+
+            evaluate_python_version_condition(expr, python_version, default: python_marker?(expr))
+          end
+
+          sig { params(expression: String).returns(T.nilable(String)) }
+          def strip_top_level_not(expression)
+            return nil unless expression.start_with?("not")
+            return nil unless word_at?(expression, 0, "not")
+
+            remaining = expression[3..]&.strip
+            return nil if remaining.nil? || remaining.empty?
+
+            remaining
+          end
+
+          sig { params(expression: String).returns(T::Boolean) }
+          def python_marker?(expression)
+            expression.match?(/\bpython(?:_full)?_version\b/)
+          end
+
+          sig { params(expression: String).returns(String) }
+          def strip_wrapping_parentheses(expression)
+            expr = expression
+            while expr.start_with?("(") && expr.end_with?(")")
+              inner = expr[1...-1].to_s.strip
+              break unless balanced_parentheses?(inner)
+
+              expr = inner
+            end
+
+            expr
+          end
+
+          sig { params(expression: String).returns(T::Boolean) }
+          def balanced_parentheses?(expression)
+            depth = T.let(0, Integer)
+            in_single_quote = T.let(false, T::Boolean)
+            in_double_quote = T.let(false, T::Boolean)
+
+            expression.each_char do |char|
+              in_single_quote, in_double_quote, quote_toggled =
+                toggle_quote_state(char, in_single_quote, in_double_quote)
+              next if quote_toggled
+              next if in_single_quote || in_double_quote
+
+              depth += 1 if char == "("
+              depth -= 1 if char == ")"
+              return false if depth.negative?
+            end
+
+            depth.zero? && !in_single_quote && !in_double_quote
+          end
+
+          sig do
+            params(
+              char: String,
+              in_single_quote: T::Boolean,
+              in_double_quote: T::Boolean
+            ).returns([T::Boolean, T::Boolean, T::Boolean])
+          end
+          def toggle_quote_state(char, in_single_quote, in_double_quote)
+            return [!in_single_quote, in_double_quote, true] if char == "'" && !in_double_quote
+
+            return [in_single_quote, !in_double_quote, true] if char == '"' && !in_single_quote
+
+            [in_single_quote, in_double_quote, false]
+          end
+
+          sig { params(expression: String, operator: String).returns(T::Array[String]) }
+          def split_top_level(expression, operator)
+            parts = T.let([], T::Array[String])
+            token = T.let(+"", String)
+            depth = T.let(0, Integer)
+            in_single_quote = T.let(false, T::Boolean)
+            in_double_quote = T.let(false, T::Boolean)
+            i = T.let(0, Integer)
+
+            while i < expression.length
+              char = T.must(expression[i])
+
+              in_single_quote, in_double_quote, quote_toggled =
+                toggle_quote_state(char, in_single_quote, in_double_quote)
+              if quote_toggled
+                token << char
+                i += 1
+                next
+              end
+
+              depth = update_depth_for_unquoted_char(char, depth, in_single_quote, in_double_quote)
+
+              if depth.zero? && !in_single_quote && !in_double_quote && word_at?(expression, i, operator)
+                parts << token.strip
+                token = +""
+                i += operator.length
+                next
+              end
+
+              token << char
+              i += 1
+            end
+
+            parts << token.strip
+            parts
+          end
+
+          sig do
+            params(
+              char: String,
+              depth: Integer,
+              in_single_quote: T::Boolean,
+              in_double_quote: T::Boolean
+            ).returns(Integer)
+          end
+          def update_depth_for_unquoted_char(char, depth, in_single_quote, in_double_quote)
+            return depth if in_single_quote || in_double_quote
+
+            depth += 1 if char == "("
+            depth -= 1 if char == ")"
+            depth
+          end
+
+          sig { params(expression: String, index: Integer, word: String).returns(T::Boolean) }
+          def word_at?(expression, index, word)
+            return false unless expression[index, word.length] == word
+
+            before = index.zero? ? " " : T.must(expression[index - 1])
+            after_index = index + word.length
+            after = after_index >= expression.length ? " " : T.must(expression[after_index])
+
+            word_boundary?(before) && word_boundary?(after)
+          end
+
+          sig { params(char: String).returns(T::Boolean) }
+          def word_boundary?(char)
+            !!(char =~ /[^A-Za-z0-9_]/)
+          end
+
+          sig do
+            params(
+              condition: T.nilable(String),
+              python_version: String,
+              default: T::Boolean
+            ).returns(T::Boolean)
+          end
+          def evaluate_python_version_condition(condition, python_version, default:)
+            return default if condition.nil?
+
+            candidate = strip_wrapping_parentheses(condition.strip)
+            match = candidate.match(/\Apython(?:_full)?_version\s*(<=|>=|<|>|==|!=)\s*['\"]([^'\"]+)['\"]\z/)
+            return default unless match
+
+            operator = T.must(match[1])
+            version = T.must(match[2])
+            lhs = Dependabot::Python::Version.new(python_version)
+            rhs = Dependabot::Python::Version.new(version)
+
+            case operator
+            when "<" then lhs < rhs
+            when "<=" then lhs <= rhs
+            when ">" then lhs > rhs
+            when ">=" then lhs >= rhs
+            when "==" then lhs == rhs
+            when "!=" then lhs != rhs
+            else false
+            end
+          rescue ArgumentError
+            true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/python/update_checker/pip_version_resolver.rb

@@ -1,8 +1,15 @@
 # typed: strong
 # frozen_string_literal: true
 
+require "json"
+require "pathname"
+require "toml-rb"
 require "sorbet-runtime"
+require "excon"
+require "dependabot/registry_client"
 require "dependabot/python/language_version_manager"
+require "dependabot/python/name_normaliser"
+require "dependabot/python/package/package_registry_finder"
 require "dependabot/python/update_checker"
 require "dependabot/python/update_checker/latest_version_finder"
 require "dependabot/python/file_parser/python_requirement_parser"
@@ -10,9 +17,14 @@ require "dependabot/python/file_parser/python_requirement_parser"
 module Dependabot
   module Python
     class UpdateChecker
+      # This resolver intentionally co-locates resolution, marker handling, and
+      # constraints matching to keep compatibility decisions in one place.
+      # rubocop:disable Metrics/ClassLength
       class PipVersionResolver
         extend T::Sig
 
+        require_relative "pip_version_resolver/marker_evaluator"
+
         sig do
           params(
             dependency: Dependabot::Dependency,
@@ -33,21 +45,33 @@ module Dependabot
           update_cooldown: nil,
           raise_on_ignored: false
         )
-          @dependency          = T.let(dependency, Dependabot::Dependency)
-          @dependency_files    = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
-          @credentials         = T.let(credentials, T::Array[Dependabot::Credential])
-          @ignored_versions    = T.let(ignored_versions, T::Array[String])
-          @security_advisories = T.let(security_advisories, T::Array[Dependabot::SecurityAdvisory])
-          @update_cooldown = T.let(update_cooldown, T.nilable(Dependabot::Package::ReleaseCooldownOptions))
-          @raise_on_ignored = T.let(raise_on_ignored, T::Boolean)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @ignored_versions = ignored_versions
+          @security_advisories = security_advisories
+          @update_cooldown = update_cooldown
+          @raise_on_ignored = raise_on_ignored
           @latest_version_finder = T.let(nil, T.nilable(LatestVersionFinder))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
+          @marker_evaluator = T.let(nil, T.nilable(MarkerEvaluator))
+          @registry_json_urls = T.let(nil, T.nilable(T::Array[String]))
+          @transitive_requirements_cache = T.let({}, T::Hash[String, T::Array[String]])
+          @transitive_requirement_available_cache = T.let({}, T::Hash[String, T::Boolean])
+          @constraints_files = T.let(nil, T.nilable(T::Array[String]))
+          @constraints_file_basenames = T.let(nil, T.nilable(T::Array[String]))
+          @requirement_file_directories = T.let(nil, T.nilable(T::Array[String]))
+          @pyproject_content_cache = T.let({}, T::Hash[String, T::Hash[String, T.untyped]])
         end
 
         sig { returns(T.nilable(Dependabot::Version)) }
         def latest_resolvable_version
-          latest_version_finder.latest_version(language_version: language_version_manager.python_version)
+          candidate = latest_version_finder.latest_version(language_version: language_version_manager.python_version)
+          return candidate if candidate.nil?
+          return candidate if compatible_with_pinned_pyproject_dependencies?(candidate)
+
+          nil
         end
 
         sig { returns(T.nilable(Dependabot::Version)) }
@@ -58,8 +82,12 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::Version)) }
         def lowest_resolvable_security_fix_version
-          latest_version_finder
-            .lowest_security_fix_version(language_version: language_version_manager.python_version)
+          candidate = latest_version_finder
+                      .lowest_security_fix_version(language_version: language_version_manager.python_version)
+          return candidate if candidate.nil?
+          return candidate if compatible_with_pinned_pyproject_dependencies?(candidate)
+
+          nil
         end
 
         private
@@ -108,7 +136,444 @@ module Dependabot
               python_requirement_parser: python_requirement_parser
             )
         end
+
+        sig { returns(MarkerEvaluator) }
+        def marker_evaluator
+          @marker_evaluator ||= MarkerEvaluator.new
+        end
+
+        sig { params(candidate: Dependabot::Version).returns(T::Boolean) }
+        def compatible_with_pinned_pyproject_dependencies?(candidate)
+          return true unless constraints_dependency?
+
+          pinned_dependencies = pinned_pyproject_dependencies
+          return false if pinned_dependencies.none? && pyproject_scope_ambiguous_for_constraints?
+          return true if pinned_dependencies.none?
+
+          pinned_dependencies.all? do |name, version|
+            requirements, metadata_available = transitive_requirement_for(name: name, version: version)
+            next false unless metadata_available
+            next true if requirements.empty?
+
+            requirements.all? do |requirement|
+              Python::Requirement.new(requirement).satisfied_by?(candidate)
+            rescue Gem::Requirement::BadRequirementError
+              # If one metadata requirement is unsupported, ignore it but still
+              # enforce any other valid constraints for this dependency.
+              true
+            end
+          end
+        end
+
+        sig { returns(T::Boolean) }
+        def pyproject_scope_ambiguous_for_constraints?
+          pyproject_files.length > 1 && relevant_pyproject_files_for_dependency.empty?
+        end
+
+        sig { returns(T::Boolean) }
+        def constraints_dependency?
+          normalized_requirement_files.any? do |raw_file, normalized_file|
+            constraints_files.include?(normalized_file) ||
+              (File.dirname(raw_file) == "." && constraints_file_basenames.include?(File.basename(normalized_file))) ||
+              File.basename(normalized_file).start_with?("constraints")
+          end
+        end
+
+        sig { returns(T::Array[[String, String]]) }
+        def normalized_requirement_files
+          dependency.requirements.filter_map do |req|
+            raw_file = T.cast(req.fetch(:file), String)
+            [raw_file, normalize_path(raw_file)]
+          end
+        end
+
+        sig { returns(T::Array[[String, String]]) }
+        def pinned_pyproject_dependencies
+          pyprojects = relevant_pyproject_files_for_dependency
+          return [] if pyprojects.empty?
+
+          pyprojects.flat_map do |pyproject|
+            pinned_pyproject_dependencies_for(pyproject)
+          end.uniq
+        end
+
+        sig { params(pyproject: Dependabot::DependencyFile).returns(T::Array[[String, String]]) }
+        def pinned_pyproject_dependencies_for(pyproject)
+          pyproject_content = pyproject_content_for(pyproject)
+          project_obj = T.cast(pyproject_content["project"], T.nilable(Object))
+          return [] unless project_obj.is_a?(Hash)
+
+          project_hash = project_obj
+          dependencies_obj = T.cast(project_hash["dependencies"], T.nilable(Object))
+          return [] unless dependencies_obj.is_a?(Array)
+
+          dependencies_obj.filter_map do |entry|
+            entry_obj = T.cast(entry, T.nilable(Object))
+            next unless entry_obj.is_a?(String)
+
+            requirement_string, marker = split_requirement_and_marker(entry_obj)
+            next unless marker_satisfied_for_python?(marker)
+            next if requirement_string.nil? || requirement_string.empty?
+
+            parsed = requirement_string.match(
+              /\A(?<name>[A-Za-z0-9][A-Za-z0-9._\-]*)(?:\[[^\]]+\])?\s*==\s*(?<version>[^\s]+)\z/
+            )
+            next unless parsed
+
+            dep_name = NameNormaliser.normalise(T.must(parsed[:name]))
+            next if dep_name == NameNormaliser.normalise(dependency.name)
+
+            [dep_name, T.must(parsed[:version])]
+          end
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def relevant_pyproject_files_for_dependency
+          requirement_files = requirement_files_for_dependency
+          relevant_pyprojects = pyproject_files.select do |pyproject|
+            pyproject_matches_requirement_files?(pyproject: pyproject, requirement_files: requirement_files)
+          end
+
+          return relevant_pyprojects unless relevant_pyprojects.empty?
+
+          fallback_pyproject_for_dependency
+        end
+
+        sig { returns(T::Array[String]) }
+        def requirement_files_for_dependency
+          normalized_requirement_files.map(&:last).uniq
+        end
+
+        sig { params(pyproject: Dependabot::DependencyFile, requirement_files: T::Array[String]).returns(T::Boolean) }
+        def pyproject_matches_requirement_files?(pyproject:, requirement_files:)
+          declared_constraints = constraints_for_pyproject(pyproject)
+          declared_constraints.any? do |declared_constraint|
+            declared_constraint_matches_requirement_files?(
+              declared_constraint: declared_constraint,
+              requirement_files: requirement_files
+            )
+          end
+        end
+
+        sig { params(declared_constraint: String, requirement_files: T::Array[String]).returns(T::Boolean) }
+        def declared_constraint_matches_requirement_files?(declared_constraint:, requirement_files:)
+          return true if requirement_files.include?(declared_constraint)
+
+          !url_path?(declared_constraint) &&
+            File.dirname(declared_constraint) == "." &&
+            constraints_file_basenames.include?(File.basename(declared_constraint)) &&
+            requirement_files.include?(File.basename(declared_constraint))
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def fallback_pyproject_for_dependency
+          return [T.must(pyproject_files.first)] if pyproject_files.length == 1
+
+          []
+        end
+
+        sig { params(name: String, version: String).returns([T::Array[String], T::Boolean]) }
+        def transitive_requirement_for(name:, version:)
+          cache_key = "#{name}@#{version}"
+          if @transitive_requirements_cache.key?(cache_key)
+            requirements = T.must(@transitive_requirements_cache[cache_key])
+            available = T.must(@transitive_requirement_available_cache[cache_key])
+            return [requirements, available]
+          end
+
+          response, metadata_available = dependency_metadata_response(name: name, version: version)
+          unless response
+            @transitive_requirements_cache[cache_key] = []
+            @transitive_requirement_available_cache[cache_key] = metadata_available
+            return [[], metadata_available]
+          end
+
+          requirements, metadata_available = requirements_for_target_dependency(response)
+
+          @transitive_requirements_cache[cache_key] = requirements
+          @transitive_requirement_available_cache[cache_key] = metadata_available
+          [requirements, metadata_available]
+        end
+
+        sig { params(name: String, version: String).returns([T.nilable(Excon::Response), T::Boolean]) }
+        def dependency_metadata_response(name:, version:)
+          had_transport_error = T.let(false, T::Boolean)
+          saw_not_found = T.let(false, T::Boolean)
+
+          registry_json_urls.each do |registry_url|
+            url = "#{registry_url}#{name}/#{version}/json/"
+            response = Dependabot::RegistryClient.get(url: url)
+            return [response, true] if response.status == 200
+
+            if response.status == 404
+              saw_not_found = true
+            else
+              had_transport_error = true
+              Dependabot.logger.warn(
+                "Unexpected python dependency metadata response #{response.status} for #{name}@#{version}"
+              )
+            end
+          rescue Excon::Error::Timeout, Excon::Error::Socket, URI::InvalidURIError
+            had_transport_error = true
+            Dependabot.logger.warn("Failed to fetch python dependency metadata for #{name}@#{version}")
+            next
+          end
+
+          [nil, saw_not_found && !had_transport_error]
+        end
+
+        sig { returns(T::Array[String]) }
+        def registry_json_urls
+          return @registry_json_urls if @registry_json_urls
+
+          package_registry_urls = Package::PackageRegistryFinder.new(
+            dependency_files: dependency_files,
+            credentials: credentials,
+            dependency: dependency
+          ).registry_urls
+
+          @registry_json_urls =
+            package_registry_urls
+            .map { |url| url.sub(%r{/simple/?$}i, "/pypi/") }
+            .uniq
+
+          @registry_json_urls
+        end
+
+        sig { params(response: Excon::Response).returns([T::Array[String], T::Boolean]) }
+        def requirements_for_target_dependency(response)
+          requires_dist = requires_dist_from_response(response)
+          return [[], true] unless requires_dist
+
+          parsed_requirements = requires_dist.filter_map do |requirement_string|
+            parse_target_requirement(requirement_string)
+          end.uniq
+
+          [parsed_requirements, true]
+        rescue JSON::ParserError
+          Dependabot.logger.warn("Failed to parse python dependency metadata JSON response")
+          [[], false]
+        end
+
+        sig { returns(T::Array[String]) }
+        def constraints_files
+          return @constraints_files if @constraints_files
+
+          pyproject_constraints = pyproject_constraints_files
+          requirement_constraints = requirement_constraint_declaration_files.flat_map do |file|
+            requirement_constraints_from_file(file)
+          end
+
+          @constraints_files = (pyproject_constraints + requirement_constraints).map do |path|
+            normalize_path(path)
+          end.uniq
+          @constraints_files
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def requirement_constraint_declaration_files
+          requirement_paths = requirement_files_for_dependency
+          directories = requirement_file_directories
+
+          dependency_files.select do |file|
+            next false unless requirements_manifest_file?(file)
+
+            normalized_name = normalize_path(file.name)
+
+            requirement_paths.include?(normalized_name) ||
+              directories.include?(File.dirname(normalized_name))
+          end
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+        def requirements_manifest_file?(file)
+          basename = File.basename(normalize_path(file.name))
+          return true if basename.start_with?("requirements")
+
+          false
+        end
+
+        sig { returns(T::Array[String]) }
+        def requirement_file_directories
+          return @requirement_file_directories if @requirement_file_directories
+
+          @requirement_file_directories = requirement_files_for_dependency.filter_map do |path|
+            next if url_path?(path)
+
+            File.dirname(path)
+          end.uniq
+          @requirement_file_directories
+        end
+
+        sig { returns(T::Array[String]) }
+        def constraints_file_basenames
+          return @constraints_file_basenames if @constraints_file_basenames
+
+          counts = T.let(Hash.new(0), T::Hash[String, Integer])
+          constraints_files.each do |path|
+            next if url_path?(path)
+
+            counts[File.basename(path)] = T.must(counts[File.basename(path)]) + 1
+          end
+          @constraints_file_basenames = counts.filter_map do |basename, count|
+            basename if count == 1
+          end
+          @constraints_file_basenames
+        end
+
+        sig { returns(T::Array[String]) }
+        def pyproject_constraints_files
+          pyproject_files.flat_map do |pyproject|
+            constraints_for_pyproject(pyproject)
+          end
+        end
+
+        sig { params(pyproject: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def constraints_for_pyproject(pyproject)
+          pyproject_content = pyproject_content_for(pyproject)
+          tool_obj = T.cast(pyproject_content["tool"], T.nilable(Object))
+          return [] unless tool_obj.is_a?(Hash)
+
+          pip_obj = T.cast(tool_obj["pip"], T.nilable(Object))
+          return [] unless pip_obj.is_a?(Hash)
+
+          constraints_obj = T.cast(pip_obj["constraints"], T.nilable(Object))
+          case constraints_obj
+          when String
+            [resolve_constraint_path(path: constraints_obj, declaring_file: pyproject)]
+          when Array
+            constraints_obj.grep(String).map do |path|
+              resolve_constraint_path(path: path, declaring_file: pyproject)
+            end
+          else
+            []
+          end
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def pyproject_files
+          dependency_files.select do |file|
+            File.basename(file.name) == "pyproject.toml"
+          end
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def requirement_constraints_from_file(file)
+          content = file.content
+          return [] unless content
+
+          content.each_line.filter_map do |line|
+            path = constraint_path_from_line(line)
+            next unless path
+
+            resolve_constraint_path(path: path.strip, declaring_file: file)
+          end
+        end
+
+        sig { params(line: String).returns(T.nilable(String)) }
+        def constraint_path_from_line(line)
+          match = line.match(
+            /^\s*(?:-c|--constraint)(?:\s+|=)(?:"(?<double>[^"]+)"|'(?<single>[^']+)'|(?<plain>[^\s'\"]+))/
+          )
+          return nil unless match
+
+          T.must(match[:double] || match[:single] || match[:plain])
+        end
+
+        sig { params(path: String, declaring_file: Dependabot::DependencyFile).returns(String) }
+        def resolve_constraint_path(path:, declaring_file:)
+          return path if url_path?(path)
+          return normalize_path(path) if Pathname.new(path).absolute?
+
+          base_dir = File.dirname(declaring_file.name)
+          return normalize_path(path) if base_dir == "."
+
+          normalize_path(File.join(base_dir, path))
+        end
+
+        sig { params(path: String).returns(String) }
+        def normalize_path(path)
+          return path if url_path?(path)
+
+          Pathname.new(path).cleanpath.to_s
+        rescue ArgumentError
+          path
+        end
+
+        sig { params(path: String).returns(T::Boolean) }
+        def url_path?(path)
+          path.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
+        end
+
+        sig { params(response: Excon::Response).returns(T.nilable(T::Array[String])) }
+        def requires_dist_from_response(response)
+          body = T.cast(JSON.parse(response.body), T::Hash[String, T.untyped])
+          info_obj = T.cast(body["info"], T.nilable(Object))
+          return nil unless info_obj.is_a?(Hash)
+
+          requires_dist_obj = T.cast(info_obj["requires_dist"], T.nilable(Object))
+          return nil unless requires_dist_obj.is_a?(Array)
+
+          requires_dist_obj.filter_map do |entry|
+            entry_obj = T.cast(entry, T.nilable(Object))
+            entry_obj if entry_obj.is_a?(String)
+          end
+        end
+
+        sig { params(requirement_string: String).returns(T.nilable(String)) }
+        def parse_target_requirement(requirement_string)
+          package_requirement, marker = split_requirement_and_marker(requirement_string)
+          return nil unless marker_satisfied_for_python?(marker)
+          return nil if package_requirement.nil?
+
+          match = package_requirement.match(
+            /\A(?<name>[A-Za-z0-9][A-Za-z0-9._\-]*)(?:\[[^\]]+\])?\s*(?:\((?<requirement>[^)]*)\))?\z/
+          )
+          return nil unless match
+
+          return nil unless NameNormaliser.normalise(T.must(match[:name])) == NameNormaliser.normalise(dependency.name)
+
+          match[:requirement]&.strip
+        end
+
+        sig { params(requirement_string: String).returns([T.nilable(String), T.nilable(String)]) }
+        def split_requirement_and_marker(requirement_string)
+          marker_evaluator.split_requirement_and_marker(requirement_string)
+        end
+
+        sig { params(marker: T.nilable(String)).returns(T::Boolean) }
+        def marker_satisfied_for_python?(marker)
+          return true if marker.nil? || marker.empty?
+          return false unless marker.match?(/\bpython(?:_full)?_version\b/)
+
+          marker_satisfied?(marker, language_version_manager.python_version)
+        end
+
+        sig { params(marker: String, python_version: String).returns(T::Boolean) }
+        def marker_satisfied?(marker, python_version)
+          marker_evaluator.marker_satisfied?(marker: marker, python_version: python_version)
+        end
+
+        sig { params(pyproject: Dependabot::DependencyFile).returns(T::Hash[String, T.untyped]) }
+        def pyproject_content_for(pyproject)
+          cache_key = pyproject.name
+          return T.must(@pyproject_content_cache[cache_key]) if @pyproject_content_cache.key?(cache_key)
+
+          content =
+            if pyproject.content
+              T.let(TomlRB.parse(pyproject.content), T::Hash[String, T.untyped])
+            else
+              T.let({}, T::Hash[String, T.untyped])
+            end
+
+          @pyproject_content_cache[cache_key] = content
+          content
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          @pyproject_content_cache[pyproject.name] = {}
+          T.must(@pyproject_content_cache[pyproject.name])
+        end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/python.rb

@@ -3,6 +3,7 @@
 
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
+require "dependabot/python/dependency_grapher"
 require "dependabot/python/file_fetcher"
 require "dependabot/python/file_parser"
 require "dependabot/python/update_checker"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.364.0
+  version: 0.365.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.364.0
+        version: 0.365.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.364.0
+        version: 0.365.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -249,6 +249,7 @@ files:
 - helpers/run.py
 - lib/dependabot/python.rb
 - lib/dependabot/python/authed_url_builder.rb
+- lib/dependabot/python/dependency_grapher.rb
 - lib/dependabot/python/file_fetcher.rb
 - lib/dependabot/python/file_parser.rb
 - lib/dependabot/python/file_parser/pipfile_files_parser.rb
@@ -282,6 +283,7 @@ files:
 - lib/dependabot/python/update_checker/latest_version_finder.rb
 - lib/dependabot/python/update_checker/pip_compile_version_resolver.rb
 - lib/dependabot/python/update_checker/pip_version_resolver.rb
+- lib/dependabot/python/update_checker/pip_version_resolver/marker_evaluator.rb
 - lib/dependabot/python/update_checker/pipenv_version_resolver.rb
 - lib/dependabot/python/update_checker/poetry_version_resolver.rb
 - lib/dependabot/python/update_checker/requirements_updater.rb
@@ -291,7 +293,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.364.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.365.0
 rdoc_options: []
 require_paths:
 - lib