dependabot-python 0.366.0 → 0.368.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b498f046a4fb1abdd22aa02f941fae26c33c3f270a7211de5d84b7a6c940314
-  data.tar.gz: ea3de508f569a3b1d84380bce00db482973fdffedb88c8e0cbe4e43e6c684778
+  metadata.gz: 5b03d84191a73f9cd803b3db1fd32bc70638a4f607c2e9424a3900f143119f5f
+  data.tar.gz: 6d04a235c38eb76a1a86eb2f60e2f34c80c82ff5f342d997ff3c8a25011e42f3
 SHA512:
-  metadata.gz: 8f2863ace34a24b905087a738ded1e9113c91d2a3694a4192bfb9c2d85ab928192b142ce3551ea3bfeca3b787d34dfce34ed76d9dd95de04d1f4be17ef527257
-  data.tar.gz: af23ec35a7c9f6499ee669e087911681e5b844ac223c86b2425e0d47a724ef45a7829c577085086ac582f07888288afb36584420ee9cf6871f0c0c6134714127
+  metadata.gz: 793a849e50f2162b65f1da65521dfb7450081b84507fbb4134145ab5c72b63a916a59c68602bf41dea530d373cb0d2dd5e9a38fee9b6a5347b17848a8891054f
+  data.tar.gz: db96c2fd7be7c4b6ac473f29dc429f3c4163fb2dd38d4b1d48c19ea62727022ff6822166dd10e9c4a680eae24bc5f16f447bf9f8ec55b7909b8ae663698b29c6

data/lib/dependabot/python/dependency_grapher/lockfile_generator.rb

@@ -0,0 +1,131 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/dependency_file"
+require "dependabot/shared_helpers"
+require "dependabot/python/file_parser/python_requirement_parser"
+require "dependabot/python/language_version_manager"
+
+module Dependabot
+  module Python
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      class LockfileGenerator
+        extend T::Sig
+
+        LOCKFILE_NAME = "poetry.lock"
+
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependency_files:, credentials:)
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
+        def generate
+          SharedHelpers.in_a_temporary_directory do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              write_temporary_files
+              language_version_manager.install_required_python
+              run_poetry_lock
+              read_generated_lockfile
+            end
+          end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_generation_error(e)
+          nil
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { void }
+        def write_temporary_files
+          dependency_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(File.dirname(path))
+            File.write(path, file.content)
+          end
+
+          File.write(".python-version", language_version_manager.python_major_minor)
+        end
+
+        sig { void }
+        def run_poetry_lock
+          Dependabot.logger.info("Generating poetry.lock for dependency graphing")
+
+          # Use system git instead of the pure Python dulwich
+          run_poetry_command("pyenv exec poetry config system-git-client true")
+
+          # --no-interaction avoids password prompts
+          run_poetry_command("pyenv exec poetry lock --no-interaction")
+        end
+
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
+        def read_generated_lockfile
+          unless File.exist?(LOCKFILE_NAME)
+            Dependabot.logger.warn("#{LOCKFILE_NAME} was not generated")
+            return nil
+          end
+
+          content = File.read(LOCKFILE_NAME)
+
+          Dependabot::DependencyFile.new(
+            name: LOCKFILE_NAME,
+            content: content,
+            directory: pyproject_directory
+          )
+        end
+
+        sig { returns(String) }
+        def pyproject_directory
+          pyproject = dependency_files.find { |f| f.name == "pyproject.toml" }
+          pyproject&.directory || "/"
+        end
+
+        sig { params(command: String).returns(String) }
+        def run_poetry_command(command)
+          SharedHelpers.run_shell_command(command, fingerprint: command)
+        end
+
+        sig { returns(LanguageVersionManager) }
+        def language_version_manager
+          @language_version_manager ||= T.let(
+            LanguageVersionManager.new(
+              python_requirement_parser: python_requirement_parser
+            ),
+            T.nilable(LanguageVersionManager)
+          )
+        end
+
+        sig { returns(FileParser::PythonRequirementParser) }
+        def python_requirement_parser
+          @python_requirement_parser ||= T.let(
+            FileParser::PythonRequirementParser.new(
+              dependency_files: dependency_files
+            ),
+            T.nilable(FileParser::PythonRequirementParser)
+          )
+        end
+
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
+        def handle_generation_error(error)
+          Dependabot.logger.error(
+            "Failed to generate #{LOCKFILE_NAME}: #{error.message}"
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/python/dependency_grapher.rb

@@ -16,12 +16,14 @@ require "toml-rb"
 module Dependabot
   module Python
     class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      require_relative "dependency_grapher/lockfile_generator"
+
       sig { override.returns(Dependabot::DependencyFile) }
       def relevant_dependency_file
         dependency_files_by_package_manager = T.let(
           {
             PipenvPackageManager::NAME => [pipfile_lock, pipfile],
-            PoetryPackageManager::NAME => [poetry_lock, pyproject_toml],
+            PoetryPackageManager::NAME => [committed_poetry_lock, pyproject_toml],
             PipCompilePackageManager::NAME => [pip_compile_lockfile, pip_compile_manifest, pyproject_toml],
             PipPackageManager::NAME => [pip_requirements_file, pyproject_toml, pipfile_lock, pipfile, setup_file,
                                         setup_cfg_file]
@@ -36,13 +38,87 @@ module Dependabot
         raise DependabotError, "No supported dependency file present."
       end
 
+      sig { override.void }
+      def prepare!
+        if poetry_project_without_lockfile?
+          Dependabot.logger.info("No poetry.lock found, generating ephemeral lockfile for dependency graphing")
+          generate_ephemeral_lockfile!
+          emit_missing_lockfile_warning! if @ephemeral_lockfile_generated
+        end
+        super
+      end
+
       private
 
+      # Returns the poetry.lock only if it was committed to the repo,
+      # not if it was generated ephemerally. This ensures that
+      # relevant_dependency_file reports the real manifest (pyproject.toml).
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def committed_poetry_lock
+        return nil if @ephemeral_lockfile_generated
+
+        poetry_lock
+      end
+
+      # The file parser only identifies Poetry when poetry.lock is present,
+      # so we detect it independently by checking for [tool.poetry] in pyproject.toml.
+      # Within the python image, no other package manager uses this section
+      # (uv runs in a separate image).
+      sig { returns(T::Boolean) }
+      def poetry_project_without_lockfile?
+        return false if poetry_lock
+        return false unless pyproject_toml
+
+        parsed = TomlRB.parse(T.must(pyproject_toml&.content))
+        !parsed.dig("tool", "poetry").nil?
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        false
+      end
+
       sig { returns(String) }
       def python_package_manager
         T.must(file_parser.ecosystem).package_manager.name
       end
 
+      sig { void }
+      def generate_ephemeral_lockfile!
+        generator = LockfileGenerator.new(
+          dependency_files: dependency_files,
+          credentials: file_parser.credentials
+        )
+
+        ephemeral_lockfile = generator.generate
+        return unless ephemeral_lockfile
+
+        inject_ephemeral_lockfile(ephemeral_lockfile)
+        @ephemeral_lockfile_generated = T.let(true, T.nilable(T::Boolean))
+
+        Dependabot.logger.info(
+          "Successfully generated ephemeral #{ephemeral_lockfile.name} for dependency graphing"
+        )
+      rescue StandardError => e
+        Dependabot.logger.warn(
+          "Failed to generate ephemeral lockfile: #{e.message}. " \
+          "Dependency versions may not be resolved."
+        )
+      end
+
+      sig { params(ephemeral_lockfile: Dependabot::DependencyFile).void }
+      def inject_ephemeral_lockfile(ephemeral_lockfile)
+        dependency_files << ephemeral_lockfile
+      end
+
+      sig { void }
+      def emit_missing_lockfile_warning!
+        Dependabot.logger.warn(
+          "No poetry.lock was found in this repository. " \
+          "Dependabot generated a temporary lockfile to determine exact dependency versions.\n\n" \
+          "To ensure consistent builds and security scanning, we recommend committing your poetry.lock file. " \
+          "Without a committed lockfile, resolved dependency versions may change between scans " \
+          "due to new package releases."
+        )
+      end
+
       sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def fetch_subdependencies(dependency)
         package_relationships.fetch(dependency.name, []).select { |child| dependency_name_set.include?(child) }

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -46,11 +46,7 @@ module Dependabot
         def pyproject_dependencies
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
-          # Parse Poetry dependencies if [tool.poetry] section exists
           dependencies += poetry_dependencies if using_poetry?
-
-          # Parse PEP 621/735 dependencies if those sections exist
-          # This handles hybrid projects that have both Poetry and PEP 621 sections
           dependencies += pep621_pep735_dependencies if using_pep621? || using_pep735?
 
           dependencies
@@ -101,7 +97,7 @@ module Dependabot
 
             dependencies <<
               Dependency.new(
-                name: normalised_name(dep["name"], dep["extras"]),
+                name: normalise(dep["name"]),
                 version: dep["version"]&.include?("*") ? nil : dep["version"],
                 requirements: [{
                   requirement: dep["requirement"],
@@ -109,7 +105,8 @@ module Dependabot
                   source: nil,
                   groups: [dep["requirement_type"]].compact
                 }],
-                package_manager: "pip"
+                package_manager: "pip",
+                metadata: extras_metadata(dep["extras"])
               )
           end
 
@@ -147,6 +144,16 @@ module Dependabot
           NameNormaliser.normalise_including_extras(name, extras)
         end
 
+        # Build metadata hash storing extras as a comma-separated string.
+        # Stored in metadata so the file updater can reconstruct the full
+        # PEP 621 declaration (e.g. "cachecontrol[filecache]>=0.14.0").
+        sig { params(extras: T::Array[String]).returns(T::Hash[Symbol, String]) }
+        def extras_metadata(extras)
+          return {} if extras.empty?
+
+          { extras: extras.join(",") }
+        end
+
         # @param req can be an Array, Hash or String that represents the constraints for a dependency
         sig { params(req: T.untyped, type: String).returns(T::Array[T::Hash[Symbol, T.nilable(String)]]) }
         # rubocop:disable Metrics/PerceivedComplexity

data/lib/dependabot/python/file_parser/setup_file_parser.rb

@@ -43,7 +43,7 @@ module Dependabot
 
             dependencies <<
               Dependency.new(
-                name: normalised_name(dep["name"], dep["extras"]),
+                name: normalise(dep["name"]),
                 version: dep["version"]&.include?("*") ? nil : dep["version"],
                 requirements: [{
                   requirement: dep["requirement"],
@@ -51,7 +51,8 @@ module Dependabot
                   source: nil,
                   groups: [dep["requirement_type"]]
                 }],
-                package_manager: "pip"
+                package_manager: "pip",
+                metadata: extras_metadata(dep["extras"])
               )
           end
           dependencies
@@ -184,6 +185,18 @@ module Dependabot
           NameNormaliser.normalise_including_extras(name, extras)
         end
 
+        sig { params(name: String).returns(String) }
+        def normalise(name)
+          NameNormaliser.normalise(name)
+        end
+
+        sig { params(extras: T::Array[String]).returns(T::Hash[Symbol, String]) }
+        def extras_metadata(extras)
+          return {} if extras.empty?
+
+          { extras: extras.join(",") }
+        end
+
         sig { returns(T.untyped) }
         def setup_file
           dependency_files.find { |f| f.name == "setup.py" }

data/lib/dependabot/python/file_parser.rb

@@ -293,10 +293,11 @@ module Dependabot
 
           dependencies <<
             Dependency.new(
-              name: normalised_name(name, dep["extras"]),
+              name: NameNormaliser.normalise(name),
               version: version&.include?("*") ? nil : version,
               requirements: requirements,
-              package_manager: "pip"
+              package_manager: "pip",
+              metadata: extras_metadata(dep["extras"])
             )
         end
         dependencies
@@ -467,6 +468,13 @@ module Dependabot
         NameNormaliser.normalise_including_extras(name, extras)
       end
 
+      sig { params(extras: T::Array[String]).returns(T::Hash[Symbol, String]) }
+      def extras_metadata(extras)
+        return {} if extras.empty?
+
+        { extras: extras.join(",") }
+      end
+
       sig { override.returns(T.untyped) }
       def check_required_files
         filenames = dependency_files.map(&:name)

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -49,7 +49,6 @@ module Dependabot
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @updated_pyproject_content = T.let(nil, T.nilable(String))
-          @python_helper_path = T.let(nil, T.nilable(String))
           @poetry_lock = T.let(nil, T.nilable(Dependabot::DependencyFile))
         end
 
@@ -363,7 +362,7 @@ module Dependabot
               write_temporary_dependency_files(pyproject_content)
 
               SharedHelpers.run_helper_subprocess(
-                command: "pyenv exec python3 #{python_helper_path}",
+                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
                 function: "get_pyproject_hash",
                 args: [T.cast(dir, Pathname).to_s]
               )
@@ -386,7 +385,16 @@ module Dependabot
 
         sig { params(dep: Dependabot::Dependency, old_req: String).returns(Regexp) }
         def pep621_declaration_regex(dep, old_req)
-          /(?<declaration>["']#{escape(dep)}#{Regexp.escape(old_req)}["'])/mi
+          /(?<declaration>["']#{escape(dep)}#{extras_pattern(dep)}#{Regexp.escape(old_req)}["'])/mi
+        end
+
+        # Reconstructs extras from metadata for PEP 621 regex matching.
+        sig { params(dep: Dependabot::Dependency).returns(String) }
+        def extras_pattern(dep)
+          extras_str = dep.metadata[:extras]
+          return "" unless extras_str.is_a?(String) && !extras_str.empty?
+
+          "\\[" + extras_str.split(",").map { |e| Regexp.escape(e.strip) }.join(",\\s*") + "\\]"
         end
 
         sig { params(dep: Dependency).returns(String) }
@@ -446,11 +454,6 @@ module Dependabot
           @lockfile ||= poetry_lock
         end
 
-        sig { returns(String) }
-        def python_helper_path
-          NativeHelpers.python_helper_path
-        end
-
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def poetry_lock
           dependency_files.find { |f| f.name == "poetry.lock" }

data/lib/dependabot/python/file_updater/requirement_file_updater.rb

@@ -55,33 +55,56 @@ module Dependabot
 
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         def fetch_updated_dependency_files
-          reqs = dependency.requirements.zip(dependency.previous_requirements || [])
+          updated_contents = T.let({}, T::Hash[String, String])
+
+          unique_requirement_changes.each do |pair|
+            new_req = T.must(pair[0])
+            old_req = pair[1]
+            filename = new_req.fetch(:file)
+            content = updated_contents[filename] || T.must(T.must(get_original_file(filename)).content)
+            updated_contents[filename] = updated_requirement_or_setup_file_content(content, new_req, old_req)
+          end
+
+          updated_contents.filter_map do |filename, content|
+            file = T.must(get_original_file(filename)).dup
+            next if content == T.must(file.content)
+
+            file.content = content
+            file
+          end
+        end
+
+        # Deduplicates requirements that share the same file and requirement strings.
+        # The replacer's regex matches all extras variants at once, so one call per
+        # unique (file, old_requirement, new_requirement) is sufficient.
+        sig { returns(T::Array[T::Array[T.nilable(T::Hash[Symbol, T.untyped])]]) }
+        def unique_requirement_changes
+          previous_reqs = dependency.previous_requirements || []
 
-          reqs.filter_map do |(new_req, old_req)|
+          changes = dependency.requirements.filter_map do |new_req|
+            old_req = previous_reqs.find { |r| r[:file] == new_req[:file] && r[:groups] == new_req[:groups] }
             next if new_req == old_req
 
-            file = T.must(get_original_file(new_req.fetch(:file))).dup
-            updated_content =
-              updated_requirement_or_setup_file_content(new_req, old_req)
-            next if updated_content == file.content
+            [new_req, old_req]
+          end
 
-            file.content = updated_content
-            file
+          changes.uniq do |pair|
+            new_req = pair[0]
+            old_req = pair[1]
+            [new_req[:file], old_req&.fetch(:requirement), new_req.fetch(:requirement)]
           end
         end
 
         sig do
           params(
+            content: String,
             new_req: T::Hash[Symbol, T.untyped],
             old_req: T.nilable(T::Hash[Symbol, T.untyped])
           ).returns(String)
         end
-        def updated_requirement_or_setup_file_content(new_req, old_req)
-          original_file = get_original_file(new_req.fetch(:file))
-          raise "Could not find a dependency file for #{new_req}" unless original_file
-
+        def updated_requirement_or_setup_file_content(content, new_req, old_req)
           RequirementReplacer.new(
-            content: T.must(original_file.content),
+            content: content,
             dependency_name: dependency.name,
             old_requirement: old_req&.fetch(:requirement),
             new_requirement: new_req.fetch(:requirement),

data/lib/dependabot/python/file_updater/requirement_replacer.rb

@@ -53,7 +53,7 @@ module Dependabot
               # ignore it, since it isn't actually a declaration
               next mtch if Regexp.last_match&.pre_match&.match?(/--.*\z/)
 
-              updated_dependency_declaration_string
+              updated_matched_declaration(mtch)
             end
 
           raise "Expected content to change!" if old_requirement != new_requirement && content == updated_content
@@ -98,29 +98,30 @@ module Dependabot
           new_req_string
         end
 
-        sig { returns(String) }
-        def updated_dependency_declaration_string
-          old_req = old_requirement
-          updated_string =
-            if old_req
-              original_dependency_declaration_string(old_req)
-                .sub(RequirementParser::REQUIREMENTS, updated_requirement_string || "")
-            else
-              original_dependency_declaration_string(old_req)
-                .sub(RequirementParser::NAME_WITH_EXTRAS) do |nm|
-                  nm + (updated_requirement_string || "")
-                end
-            end
-
-          return updated_string unless update_hashes? && requirement_includes_hashes?(old_req)
-
-          updated_string.sub(
+        # Builds updated declaration from the actual matched text, preserving
+        # whatever extras (or lack thereof) appeared in the original match.
+        sig { params(matched_declaration: String).returns(String) }
+        def updated_matched_declaration(matched_declaration)
+          updated = if old_requirement
+                      matched_declaration
+                        .sub(RequirementParser::REQUIREMENTS, updated_requirement_string || "")
+                    else
+                      matched_declaration
+                        .sub(RequirementParser::NAME_WITH_EXTRAS) { |nm| nm + (updated_requirement_string || "") }
+                    end
+
+          return updated unless update_hashes? && matched_declaration.match?(RequirementParser::HASHES)
+
+          algorithm = T.must(matched_declaration.match(RequirementParser::HASHES))
+                       .named_captures.fetch("algorithm")
+          separator = hash_separator(old_requirement)
+          updated.sub(
             RequirementParser::HASHES,
             package_hashes_for(
               name: dependency_name,
               version: new_hash_version,
-              algorithm: hash_algorithm(old_req)
-            ).join(hash_separator(old_req))
+              algorithm: algorithm
+            ).join(separator)
           )
         end
 
@@ -142,7 +143,14 @@ module Dependabot
         def original_declaration_replacement_regex
           original_string =
             original_dependency_declaration_string(old_requirement)
-          /(?<![\-\w\.\[])#{Regexp.escape(original_string)}(?![\-\w\.])/
+          match_data = T.must(original_string.match(RequirementParser::NAME_WITH_EXTRAS))
+          name_escaped = Regexp.escape(T.must(match_data[:name]))
+          # Everything after name+extras (the requirement/markers/hashes portion)
+          after_name_extras = T.must(original_string[T.must(match_data[0]).length..]).strip
+          after_escaped = Regexp.escape(after_name_extras)
+          # Match the dependency name with any extras (or none), followed by the requirement.
+          # This ensures a single gsub handles all extras variants of the same dependency.
+          /(?<![\-\w\.\[])#{name_escaped}\s*\\?\s*(?:\[[^\]]*\])?\s*\\?\s*#{after_escaped}(?![\-\w\.])/
         end
 
         sig { params(requirement: T.nilable(String)).returns(T::Boolean) }

data/lib/dependabot/python/file_updater/setup_file_sanitizer.rb

@@ -64,7 +64,7 @@ module Dependabot
               next unless first[:groups]
                           .include?("install_requires")
 
-              dep.name + first[:requirement].to_s
+              name_with_extras(dep) + first[:requirement].to_s
             end
         end
 
@@ -76,7 +76,7 @@ module Dependabot
               next unless first[:groups]
                           .include?("setup_requires")
 
-              dep.name + first[:requirement].to_s
+              name_with_extras(dep) + first[:requirement].to_s
             end
         end
 
@@ -92,7 +92,7 @@ module Dependabot
 
                   hash[group.split(":").last] ||= []
                   hash[group.split(":").last] <<
-                    (dep.name + first[:requirement].to_s)
+                    (name_with_extras(dep) + first[:requirement].to_s)
                 end
               end
 
@@ -100,6 +100,15 @@ module Dependabot
             end
         end
 
+        # Reconstruct dependency name with extras from metadata.
+        sig { params(dep: Dependabot::Dependency).returns(String) }
+        def name_with_extras(dep)
+          extras_str = dep.metadata[:extras]
+          return dep.name unless extras_str.is_a?(String) && !extras_str.empty?
+
+          "#{dep.name}[#{extras_str}]"
+        end
+
         sig { returns(Dependabot::FileParsers::Base::DependencySet) }
         def parsed_setup_file
           @parsed_setup_file ||=

data/lib/dependabot/python/metadata_finder.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "excon"
+require "openssl"
 require "uri"
 
 require "dependabot/metadata_finders"
@@ -27,6 +28,7 @@ module Dependabot
       def initialize(dependency:, credentials:)
         super
         @pypi_listing = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @parsed_source_urls = T.let({}, T::Hash[String, T.nilable(Dependabot::Source)])
       end
 
       sig { returns(T.nilable(String)) }
@@ -37,26 +39,88 @@ module Dependabot
           super
       end
 
+      sig { override.returns(T.nilable(String)) }
+      def maintainer_changes
+        return unless dependency.previous_version
+        return unless dependency.version
+
+        previous_ownership = ownership_for_version(T.must(dependency.previous_version))
+        current_ownership = ownership_for_version(T.must(dependency.version))
+
+        if previous_ownership.nil? || current_ownership.nil?
+          Dependabot.logger.info("Unable to determine ownership changes for #{dependency.name}")
+          return
+        end
+
+        previous_org = previous_ownership["organization"]
+        current_org = current_ownership["organization"]
+
+        if previous_org != current_org && !(previous_org.nil? && current_org)
+          return "The organization that maintains #{dependency.name} on PyPI has " \
+                 "changed since your current version."
+        end
+
+        previous_users = ownership_users(previous_ownership)
+        current_users = ownership_users(current_ownership)
+
+        # Warn only when there were previous maintainers and none of them remain
+        return unless previous_users.any? && !previous_users.intersect?(current_users)
+
+        "None of the maintainers for your current version of #{dependency.name} are " \
+          "listed as maintainers for the new version on PyPI."
+      end
+
       private
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
+        source_url = exact_match_source_url_from_project_urls
+        source_url ||= labelled_source_url_from_project_urls
+        source_url ||= fallback_source_url
+        source_url ||= source_from_description
+        source_url ||= source_from_homepage
+
+        parsed_source_from_url(source_url)
+      end
+
+      sig { returns(T.nilable(String)) }
+      def exact_match_source_url_from_project_urls
+        project_urls.values.find do |url|
+          repo = parsed_source_from_url(url)&.repo
+          repo&.downcase&.end_with?(normalised_dependency_name)
+        end
+      end
+
+      sig { returns(T.nilable(String)) }
+      def labelled_source_url_from_project_urls
+        source_urls = source_like_project_url_labels.filter_map do |label|
+          project_urls[label]
+        end
+
+        source_urls.find { |url| parsed_source_from_url(url) }
+      end
+
+      sig { returns(T.nilable(String)) }
+      def fallback_source_url
         potential_source_urls = [
-          pypi_listing.dig("info", "project_urls", "Source"),
-          pypi_listing.dig("info", "project_urls", "Repository"),
           pypi_listing.dig("info", "home_page"),
           pypi_listing.dig("info", "download_url"),
           pypi_listing.dig("info", "docs_url")
         ].compact
 
-        potential_source_urls +=
-          (pypi_listing.dig("info", "project_urls") || {}).values
+        potential_source_urls += project_urls.values
 
-        source_url = potential_source_urls.find { |url| Source.from_url(url) }
-        source_url ||= source_from_description
-        source_url ||= source_from_homepage
+        potential_source_urls.find { |url| parsed_source_from_url(url) }
+      end
 
-        Source.from_url(source_url)
+      sig { returns(T::Hash[String, String]) }
+      def project_urls
+        pypi_listing.dig("info", "project_urls") || {}
+      end
+
+      sig { returns(T::Array[String]) }
+      def source_like_project_url_labels
+        ["Source", "Source Code", "Repository", "Code", "Homepage"]
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
@@ -73,7 +137,7 @@ module Dependabot
         # Looking for a source where the repo name exactly matches the
         # dependency name
         match_url = potential_source_urls.find do |url|
-          repo = Source.from_url(url)&.repo
+          repo = parsed_source_from_url(url)&.repo
           repo&.downcase&.end_with?(normalised_dependency_name)
         end
 
@@ -83,11 +147,14 @@ module Dependabot
         # mentioned when the link is followed
         @source_from_description ||= T.let(
           potential_source_urls.find do |url|
-            full_url = Source.from_url(url)&.url
+            full_url = parsed_source_from_url(url)&.url
             next unless full_url
 
             response = Dependabot::RegistryClient.get(url: full_url)
-            next unless response.status == 200
+            unless response.status == 200
+              Dependabot.logger.warn("Error fetching source URL #{full_url}: HTTP #{response.status}")
+              next
+            end
 
             response.body.include?(normalised_dependency_name)
           end,
@@ -108,7 +175,7 @@ module Dependabot
         end
 
         match_url = potential_source_urls.find do |url|
-          repo = Source.from_url(url)&.repo
+          repo = parsed_source_from_url(url)&.repo
           repo&.downcase&.end_with?(normalised_dependency_name)
         end
 
@@ -116,7 +183,7 @@ module Dependabot
 
         @source_from_homepage ||= T.let(
           potential_source_urls.find do |url|
-            full_url = Source.from_url(url)&.url
+            full_url = parsed_source_from_url(url)&.url
             next unless full_url
 
             response = Dependabot::RegistryClient.get(url: full_url)
@@ -143,7 +210,8 @@ module Dependabot
           begin
             Dependabot::RegistryClient.get(url: homepage_url)
           rescue Excon::Error::Timeout, Excon::Error::Socket,
-                 Excon::Error::TooManyRedirects, ArgumentError
+                 Excon::Error::TooManyRedirects, OpenSSL::SSL::SSLError, ArgumentError => e
+            Dependabot.logger.warn("Error fetching Python homepage URL #{homepage_url}: #{e.class}: #{e.message}")
             nil
           end,
           T.nilable(Excon::Response)
@@ -165,9 +233,8 @@ module Dependabot
 
           @pypi_listing = JSON.parse(response.body)
           return @pypi_listing
-        rescue JSON::ParserError
-          next
-        rescue Excon::Error::Timeout
+        rescue JSON::ParserError, Excon::Error::Timeout, Excon::Error::Socket, OpenSSL::SSL::SSLError => e
+          Dependabot.logger.warn("Error fetching Python package listing from #{url}: #{e.class}: #{e.message}")
           next
         end
 
@@ -194,23 +261,88 @@ module Dependabot
 
       sig { returns(T::Array[String]) }
       def possible_listing_urls
-        credential_urls =
+        index_credentials =
           credentials
           .select { |cred| cred["type"] == "python_index" }
-          .map { |c| AuthedUrlBuilder.authed_url(credential: c) }
 
-        (credential_urls + [MAIN_PYPI_URL]).map do |base_url|
+        credential_urls = index_credentials
+                          .map { |c| AuthedUrlBuilder.authed_url(credential: c) }
+                          .reject { |url| url.strip.empty? }
+
+        base_urls = if index_credentials.any?(&:replaces_base?)
+                      credential_urls
+                    else
+                      credential_urls + [MAIN_PYPI_URL]
+                    end
+        base_urls = [MAIN_PYPI_URL] if base_urls.empty?
+
+        base_urls.map do |base_url|
           # Convert /simple/ endpoints to /pypi/ for JSON API access
           json_base_url = base_url.sub(%r{/simple/?$}i, "/pypi")
           json_base_url.gsub(%r{/$}, "") + "/#{normalised_dependency_name}/json"
         end
       end
 
+      sig { params(version: String).returns(T.nilable(T::Hash[String, T.untyped])) }
+      def ownership_for_version(version)
+        if version.include?("+")
+          Dependabot.logger.info("Version #{version} includes a local version identifier, skipping ownership check")
+          return nil
+        end
+
+        possible_version_listing_urls(version).each do |url|
+          response = fetch_authed_url(url)
+          unless response.status == 200
+            Dependabot.logger.warn(
+              "Error fetching Python package ownership from #{url} for version #{version}: " \
+              "HTTP #{response.status}"
+            )
+            next
+          end
+
+          data = JSON.parse(response.body)
+          ownership = data["ownership"]
+          Dependabot.logger.debug("Found ownership for #{dependency.name} version #{version}")
+          return ownership
+        rescue JSON::ParserError, Excon::Error::Timeout, Excon::Error::Socket,
+               Excon::Error::TooManyRedirects, OpenSSL::SSL::SSLError, ArgumentError => e
+          Dependabot.logger.warn(
+            "Error fetching Python package ownership from #{url} for version #{version}: #{e.class}: #{e.message}"
+          )
+          next
+        end
+
+        nil
+      end
+
+      sig { params(version: String).returns(T::Array[String]) }
+      def possible_version_listing_urls(version)
+        possible_listing_urls.map do |url|
+          url.sub(%r{/json$}, "/#{URI::DEFAULT_PARSER.escape(version)}/json")
+        end
+      end
+
+      sig { params(ownership: T::Hash[String, T.untyped]).returns(T::Array[String]) }
+      def ownership_users(ownership)
+        roles = ownership["roles"]
+        return [] unless roles.is_a?(Array)
+
+        roles.filter_map { |role| role["user"] if role.is_a?(Hash) }
+      end
+
       # Strip [extras] from name (dependency_name[extra_dep,other_extra])
       sig { returns(String) }
       def normalised_dependency_name
         NameNormaliser.normalise(dependency.name)
       end
+
+      sig { params(url: T.nilable(String)).returns(T.nilable(Dependabot::Source)) }
+      def parsed_source_from_url(url)
+        return unless url
+        return @parsed_source_urls[url] if @parsed_source_urls.key?(url)
+
+        @parsed_source_urls[url] = Source.from_url(url)
+      end
     end
   end
 end

data/lib/dependabot/python/shared_file_fetcher.rb

@@ -238,7 +238,8 @@ module Dependabot
         content = file.content
         return [] if content.nil?
 
-        paths = content.scan(CHILD_REQUIREMENT_REGEX).flatten
+        paths = content.scan(CHILD_REQUIREMENT_REGEX).flatten +
+                content.scan(CONSTRAINT_REGEX).flatten
         current_dir = File.dirname(file.name)
 
         paths.flat_map do |path|
@@ -268,7 +269,8 @@ module Dependabot
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def constraints_files
         all_requirement_files = requirements_txt_files +
-                                child_requirement_txt_files
+                                child_requirement_txt_files +
+                                requirements_in_files
 
         constraints_paths = all_requirement_files.map do |req_file|
           current_dir = File.dirname(req_file.name)
@@ -283,7 +285,10 @@ module Dependabot
           end
         end.flatten.uniq
 
-        constraints_paths.map { |path| fetch_file_from_host(path) }
+        already_fetched_names = child_requirement_files.map(&:name)
+        constraints_paths
+          .reject { |path| already_fetched_names.include?(path) }
+          .map { |path| fetch_file_from_host(path) }
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -355,7 +360,7 @@ module Dependabot
 
         uneditable_reqs =
           content
-          .scan(/(?<name>^['"]?(?:file:)?(?<path>\.[^\[#'"\n]*))/)
+          .scan(/(?<name>^['"]?(?:file:)?(?<path>\.[^\[#'"\n;]*))/)
           .filter_map do |match_array|
             n, p = match_array
             { name: n.to_s.strip, path: p.to_s.strip, file: req_file.name } unless p.to_s.include?("://")
@@ -363,7 +368,7 @@ module Dependabot
 
         editable_reqs =
           content
-          .scan(/(?<name>^-e\s+['"]?(?:file:)?(?<path>[^\[#'"\n]*))/)
+          .scan(/(?<name>^-e\s+['"]?(?:file:)?(?<path>[^\[#'"\n;]*))/)
           .filter_map do |match_array|
             n, p = match_array
             unless p.to_s.include?("://") || p.to_s.include?("git@")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.366.0
+  version: 0.368.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.366.0
+        version: 0.368.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.366.0
+        version: 0.368.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -250,6 +250,7 @@ files:
 - lib/dependabot/python.rb
 - lib/dependabot/python/authed_url_builder.rb
 - lib/dependabot/python/dependency_grapher.rb
+- lib/dependabot/python/dependency_grapher/lockfile_generator.rb
 - lib/dependabot/python/file_fetcher.rb
 - lib/dependabot/python/file_parser.rb
 - lib/dependabot/python/file_parser/pipfile_files_parser.rb
@@ -293,7 +294,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.366.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.368.0
 rdoc_options: []
 require_paths:
 - lib