dependabot-python 0.367.0 → 0.369.0

data/lib/dependabot/python/metadata_finder.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "excon"
+require "openssl"
 require "uri"
 
 require "dependabot/metadata_finders"
@@ -27,6 +28,7 @@ module Dependabot
       def initialize(dependency:, credentials:)
         super
         @pypi_listing = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @parsed_source_urls = T.let({}, T::Hash[String, T.nilable(Dependabot::Source)])
       end
 
       sig { returns(T.nilable(String)) }
@@ -37,26 +39,88 @@ module Dependabot
           super
       end
 
+      sig { override.returns(T.nilable(String)) }
+      def maintainer_changes
+        return unless dependency.previous_version
+        return unless dependency.version
+
+        previous_ownership = ownership_for_version(T.must(dependency.previous_version))
+        current_ownership = ownership_for_version(T.must(dependency.version))
+
+        if previous_ownership.nil? || current_ownership.nil?
+          Dependabot.logger.info("Unable to determine ownership changes for #{dependency.name}")
+          return
+        end
+
+        previous_org = previous_ownership["organization"]
+        current_org = current_ownership["organization"]
+
+        if previous_org != current_org && !(previous_org.nil? && current_org)
+          return "The organization that maintains #{dependency.name} on PyPI has " \
+                 "changed since your current version."
+        end
+
+        previous_users = ownership_users(previous_ownership)
+        current_users = ownership_users(current_ownership)
+
+        # Warn only when there were previous maintainers and none of them remain
+        return unless previous_users.any? && !previous_users.intersect?(current_users)
+
+        "None of the maintainers for your current version of #{dependency.name} are " \
+          "listed as maintainers for the new version on PyPI."
+      end
+
       private
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
+        source_url = exact_match_source_url_from_project_urls
+        source_url ||= labelled_source_url_from_project_urls
+        source_url ||= fallback_source_url
+        source_url ||= source_from_description
+        source_url ||= source_from_homepage
+
+        parsed_source_from_url(source_url)
+      end
+
+      sig { returns(T.nilable(String)) }
+      def exact_match_source_url_from_project_urls
+        project_urls.values.find do |url|
+          repo = parsed_source_from_url(url)&.repo
+          repo&.downcase&.end_with?(normalised_dependency_name)
+        end
+      end
+
+      sig { returns(T.nilable(String)) }
+      def labelled_source_url_from_project_urls
+        source_urls = source_like_project_url_labels.filter_map do |label|
+          project_urls[label]
+        end
+
+        source_urls.find { |url| parsed_source_from_url(url) }
+      end
+
+      sig { returns(T.nilable(String)) }
+      def fallback_source_url
         potential_source_urls = [
-          pypi_listing.dig("info", "project_urls", "Source"),
-          pypi_listing.dig("info", "project_urls", "Repository"),
           pypi_listing.dig("info", "home_page"),
           pypi_listing.dig("info", "download_url"),
           pypi_listing.dig("info", "docs_url")
         ].compact
 
-        potential_source_urls +=
-          (pypi_listing.dig("info", "project_urls") || {}).values
+        potential_source_urls += project_urls.values
 
-        source_url = potential_source_urls.find { |url| Source.from_url(url) }
-        source_url ||= source_from_description
-        source_url ||= source_from_homepage
+        potential_source_urls.find { |url| parsed_source_from_url(url) }
+      end
 
-        Source.from_url(source_url)
+      sig { returns(T::Hash[String, String]) }
+      def project_urls
+        pypi_listing.dig("info", "project_urls") || {}
+      end
+
+      sig { returns(T::Array[String]) }
+      def source_like_project_url_labels
+        ["Source", "Source Code", "Repository", "Code", "Homepage"]
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
@@ -73,7 +137,7 @@ module Dependabot
         # Looking for a source where the repo name exactly matches the
         # dependency name
         match_url = potential_source_urls.find do |url|
-          repo = Source.from_url(url)&.repo
+          repo = parsed_source_from_url(url)&.repo
           repo&.downcase&.end_with?(normalised_dependency_name)
         end
 
@@ -83,11 +147,14 @@ module Dependabot
         # mentioned when the link is followed
         @source_from_description ||= T.let(
           potential_source_urls.find do |url|
-            full_url = Source.from_url(url)&.url
+            full_url = parsed_source_from_url(url)&.url
             next unless full_url
 
             response = Dependabot::RegistryClient.get(url: full_url)
-            next unless response.status == 200
+            unless response.status == 200
+              Dependabot.logger.warn("Error fetching source URL #{full_url}: HTTP #{response.status}")
+              next
+            end
 
             response.body.include?(normalised_dependency_name)
           end,
@@ -108,7 +175,7 @@ module Dependabot
         end
 
         match_url = potential_source_urls.find do |url|
-          repo = Source.from_url(url)&.repo
+          repo = parsed_source_from_url(url)&.repo
           repo&.downcase&.end_with?(normalised_dependency_name)
         end
 
@@ -116,7 +183,7 @@ module Dependabot
 
         @source_from_homepage ||= T.let(
           potential_source_urls.find do |url|
-            full_url = Source.from_url(url)&.url
+            full_url = parsed_source_from_url(url)&.url
             next unless full_url
 
             response = Dependabot::RegistryClient.get(url: full_url)
@@ -143,7 +210,8 @@ module Dependabot
           begin
             Dependabot::RegistryClient.get(url: homepage_url)
           rescue Excon::Error::Timeout, Excon::Error::Socket,
-                 Excon::Error::TooManyRedirects, ArgumentError
+                 Excon::Error::TooManyRedirects, OpenSSL::SSL::SSLError, ArgumentError => e
+            Dependabot.logger.warn("Error fetching Python homepage URL #{homepage_url}: #{e.class}: #{e.message}")
             nil
           end,
           T.nilable(Excon::Response)
@@ -165,9 +233,8 @@ module Dependabot
 
           @pypi_listing = JSON.parse(response.body)
           return @pypi_listing
-        rescue JSON::ParserError
-          next
-        rescue Excon::Error::Timeout
+        rescue JSON::ParserError, Excon::Error::Timeout, Excon::Error::Socket, OpenSSL::SSL::SSLError => e
+          Dependabot.logger.warn("Error fetching Python package listing from #{url}: #{e.class}: #{e.message}")
           next
         end
 
@@ -194,23 +261,88 @@ module Dependabot
 
       sig { returns(T::Array[String]) }
       def possible_listing_urls
-        credential_urls =
+        index_credentials =
           credentials
           .select { |cred| cred["type"] == "python_index" }
-          .map { |c| AuthedUrlBuilder.authed_url(credential: c) }
 
-        (credential_urls + [MAIN_PYPI_URL]).map do |base_url|
+        credential_urls = index_credentials
+                          .map { |c| AuthedUrlBuilder.authed_url(credential: c) }
+                          .reject { |url| url.strip.empty? }
+
+        base_urls = if index_credentials.any?(&:replaces_base?)
+                      credential_urls
+                    else
+                      credential_urls + [MAIN_PYPI_URL]
+                    end
+        base_urls = [MAIN_PYPI_URL] if base_urls.empty?
+
+        base_urls.map do |base_url|
           # Convert /simple/ endpoints to /pypi/ for JSON API access
           json_base_url = base_url.sub(%r{/simple/?$}i, "/pypi")
           json_base_url.gsub(%r{/$}, "") + "/#{normalised_dependency_name}/json"
         end
       end
 
+      sig { params(version: String).returns(T.nilable(T::Hash[String, T.untyped])) }
+      def ownership_for_version(version)
+        if version.include?("+")
+          Dependabot.logger.info("Version #{version} includes a local version identifier, skipping ownership check")
+          return nil
+        end
+
+        possible_version_listing_urls(version).each do |url|
+          response = fetch_authed_url(url)
+          unless response.status == 200
+            Dependabot.logger.warn(
+              "Error fetching Python package ownership from #{url} for version #{version}: " \
+              "HTTP #{response.status}"
+            )
+            next
+          end
+
+          data = JSON.parse(response.body)
+          ownership = data["ownership"]
+          Dependabot.logger.debug("Found ownership for #{dependency.name} version #{version}")
+          return ownership
+        rescue JSON::ParserError, Excon::Error::Timeout, Excon::Error::Socket,
+               Excon::Error::TooManyRedirects, OpenSSL::SSL::SSLError, ArgumentError => e
+          Dependabot.logger.warn(
+            "Error fetching Python package ownership from #{url} for version #{version}: #{e.class}: #{e.message}"
+          )
+          next
+        end
+
+        nil
+      end
+
+      sig { params(version: String).returns(T::Array[String]) }
+      def possible_version_listing_urls(version)
+        possible_listing_urls.map do |url|
+          url.sub(%r{/json$}, "/#{URI::DEFAULT_PARSER.escape(version)}/json")
+        end
+      end
+
+      sig { params(ownership: T::Hash[String, T.untyped]).returns(T::Array[String]) }
+      def ownership_users(ownership)
+        roles = ownership["roles"]
+        return [] unless roles.is_a?(Array)
+
+        roles.filter_map { |role| role["user"] if role.is_a?(Hash) }
+      end
+
       # Strip [extras] from name (dependency_name[extra_dep,other_extra])
       sig { returns(String) }
       def normalised_dependency_name
         NameNormaliser.normalise(dependency.name)
       end
+
+      sig { params(url: T.nilable(String)).returns(T.nilable(Dependabot::Source)) }
+      def parsed_source_from_url(url)
+        return unless url
+        return @parsed_source_urls[url] if @parsed_source_urls.key?(url)
+
+        @parsed_source_urls[url] = Source.from_url(url)
+      end
     end
   end
 end

data/lib/dependabot/python/shared_file_fetcher.rb

@@ -238,7 +238,8 @@ module Dependabot
         content = file.content
         return [] if content.nil?
 
-        paths = content.scan(CHILD_REQUIREMENT_REGEX).flatten
+        paths = content.scan(CHILD_REQUIREMENT_REGEX).flatten +
+                content.scan(CONSTRAINT_REGEX).flatten
         current_dir = File.dirname(file.name)
 
         paths.flat_map do |path|
@@ -268,7 +269,8 @@ module Dependabot
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def constraints_files
         all_requirement_files = requirements_txt_files +
-                                child_requirement_txt_files
+                                child_requirement_txt_files +
+                                requirements_in_files
 
         constraints_paths = all_requirement_files.map do |req_file|
           current_dir = File.dirname(req_file.name)
@@ -283,7 +285,10 @@ module Dependabot
           end
         end.flatten.uniq
 
-        constraints_paths.map { |path| fetch_file_from_host(path) }
+        already_fetched_names = child_requirement_files.map(&:name)
+        constraints_paths
+          .reject { |path| already_fetched_names.include?(path) }
+          .map { |path| fetch_file_from_host(path) }
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -355,7 +360,7 @@ module Dependabot
 
         uneditable_reqs =
           content
-          .scan(/(?<name>^['"]?(?:file:)?(?<path>\.[^\[#'"\n]*))/)
+          .scan(/(?<name>^['"]?(?:file:)?(?<path>\.[^\[#'"\n;]*))/)
           .filter_map do |match_array|
             n, p = match_array
             { name: n.to_s.strip, path: p.to_s.strip, file: req_file.name } unless p.to_s.include?("://")
@@ -363,7 +368,7 @@ module Dependabot
 
         editable_reqs =
           content
-          .scan(/(?<name>^-e\s+['"]?(?:file:)?(?<path>[^\[#'"\n]*))/)
+          .scan(/(?<name>^-e\s+['"]?(?:file:)?(?<path>[^\[#'"\n;]*))/)
           .filter_map do |match_array|
             n, p = match_array
             unless p.to_s.include?("://") || p.to_s.include?("git@")

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -9,6 +9,7 @@ require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/git_commit_checker"
 require "dependabot/python/update_checker"
+require "dependabot/update_checkers/cooldown_calculation"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
 require "dependabot/python/authed_url_builder"
@@ -110,8 +111,9 @@ module Dependabot
           new_version = version_class.new(tag_version_str)
           days = cooldown_days_for(current_version, new_version)
 
-          passed_seconds = Time.now.to_i - release_date_to_seconds(tag_with_detail.release_date)
-          passed_seconds < days * DAY_IN_SECONDS
+          release_time = Time.at(release_date_to_seconds(tag_with_detail.release_date))
+          Dependabot::UpdateCheckers::CooldownCalculation
+            .within_cooldown_window?(release_time, days)
         end
 
         sig do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.367.0
+  version: 0.369.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.367.0
+        version: 0.369.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.367.0
+        version: 0.369.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -247,6 +247,31 @@ files:
 - helpers/lib/parser.py
 - helpers/requirements.txt
 - helpers/run.py
+- helpers/test/fixtures/no_dependencies.toml
+- helpers/test/fixtures/pep621_arbitrary_equality.toml
+- helpers/test/fixtures/pep621_dependencies.toml
+- helpers/test/fixtures/pep621_empty_deps.toml
+- helpers/test/fixtures/pep621_extras.toml
+- helpers/test/fixtures/pep621_markers.toml
+- helpers/test/fixtures/pep621_multiple_extras.toml
+- helpers/test/fixtures/pep621_no_version.toml
+- helpers/test/fixtures/pep621_only_build_system.toml
+- helpers/test/fixtures/pep735_cycle.toml
+- helpers/test/fixtures/pep735_dependency_groups.toml
+- helpers/test/fixtures/requirements/constraints.txt
+- helpers/test/fixtures/requirements/markers.txt
+- helpers/test/fixtures/requirements/requirements-dev.txt
+- helpers/test/fixtures/requirements/requirements.txt
+- helpers/test/fixtures/requirements/with_constraints.txt
+- helpers/test/fixtures/requirements_empty/.gitkeep
+- helpers/test/fixtures/setup_cfg/setup.cfg
+- helpers/test/fixtures/setup_py/setup.py
+- helpers/test/fixtures/setup_py_comments/setup.py
+- helpers/test/test_hasher.py
+- helpers/test/test_parse_requirements.py
+- helpers/test/test_parse_setup.py
+- helpers/test/test_parser.py
+- helpers/test/test_run.py
 - lib/dependabot/python.rb
 - lib/dependabot/python/authed_url_builder.rb
 - lib/dependabot/python/dependency_grapher.rb
@@ -294,7 +319,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.367.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.369.0
 rdoc_options: []
 require_paths:
 - lib