RubyGems - dependabot-python - Versions diffs - 0.368.0 → 0.369.0 - Mend

dependabot-python 0.368.0 → 0.369.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

checksums.yaml +4 -4
data/helpers/build +4 -0
data/helpers/requirements.txt +1 -0
data/helpers/test/fixtures/no_dependencies.toml +3 -0
data/helpers/test/fixtures/pep621_arbitrary_equality.toml +7 -0
data/helpers/test/fixtures/pep621_dependencies.toml +21 -0
data/helpers/test/fixtures/pep621_empty_deps.toml +8 -0
data/helpers/test/fixtures/pep621_extras.toml +8 -0
data/helpers/test/fixtures/pep621_markers.toml +7 -0
data/helpers/test/fixtures/pep621_multiple_extras.toml +7 -0
data/helpers/test/fixtures/pep621_no_version.toml +8 -0
data/helpers/test/fixtures/pep621_only_build_system.toml +3 -0
data/helpers/test/fixtures/pep735_cycle.toml +13 -0
data/helpers/test/fixtures/pep735_dependency_groups.toml +18 -0
data/helpers/test/fixtures/requirements/constraints.txt +1 -0
data/helpers/test/fixtures/requirements/markers.txt +1 -0
data/helpers/test/fixtures/requirements/requirements-dev.txt +2 -0
data/helpers/test/fixtures/requirements/requirements.txt +5 -0
data/helpers/test/fixtures/requirements/with_constraints.txt +2 -0
data/helpers/test/fixtures/requirements_empty/.gitkeep +0 -0
data/helpers/test/fixtures/setup_cfg/setup.cfg +16 -0
data/helpers/test/fixtures/setup_py/setup.py +20 -0
data/helpers/test/fixtures/setup_py_comments/setup.py +9 -0
data/helpers/test/test_hasher.py +114 -0
data/helpers/test/test_parse_requirements.py +103 -0
data/helpers/test/test_parse_setup.py +127 -0
data/helpers/test/test_parser.py +184 -0
data/helpers/test/test_run.py +49 -0
data/lib/dependabot/python/file_updater/poetry_file_updater.rb +16 -11
data/lib/dependabot/python/file_updater/pyproject_preparer.rb +109 -0
data/lib/dependabot/python/update_checker/latest_version_finder.rb +4 -2
metadata +29 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b03d84191a73f9cd803b3db1fd32bc70638a4f607c2e9424a3900f143119f5f
-  data.tar.gz: 6d04a235c38eb76a1a86eb2f60e2f34c80c82ff5f342d997ff3c8a25011e42f3
+  metadata.gz: 64cdd01e07bc2f6472a1027884006af4c7df3648168f04135c7b91cdf5530f14
+  data.tar.gz: b5610dc0420858f42cb23a8462abcd7ebd4b9b1aab8be3ca28233a99c239982c
 SHA512:
-  metadata.gz: 793a849e50f2162b65f1da65521dfb7450081b84507fbb4134145ab5c72b63a916a59c68602bf41dea530d373cb0d2dd5e9a38fee9b6a5347b17848a8891054f
-  data.tar.gz: db96c2fd7be7c4b6ac473f29dc429f3c4163fb2dd38d4b1d48c19ea62727022ff6822166dd10e9c4a680eae24bc5f16f447bf9f8ec55b7909b8ae663698b29c6
+  metadata.gz: f4cb556708bba8d54dc3d04495d021e4808cf5651184ed9fe2d1b65d6b1114c688f92d9be8ab8fae6e96d818643ce4c4824db5971dc2fabf55370b6ffff26f39
+  data.tar.gz: 64514c6fad289e34af6bdbaeecc25f8ff815ba193d77088a86fa3399c9379ab1cad740ff0f18ae0ac176e85375714e15f36ceae638b96d6e2714f425ce86cd96

data/helpers/build CHANGED Viewed

@@ -17,6 +17,10 @@ cp -r \
   "$helpers_dir/requirements.txt" \
   "$install_dir"
+if [ -d "$helpers_dir/test" ]; then
+  cp -r "$helpers_dir/test" "$install_dir"
+fi
 cd "$install_dir"
 PYENV_VERSION=$1 pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r "requirements.txt"

data/helpers/requirements.txt CHANGED Viewed

@@ -5,6 +5,7 @@ hashin==1.0.5
 pipenv==2024.4.1
 plette==2.1.0
 poetry==2.2.1
+pytest==8.3.5
 # TODO: Replace 3p package `tomli` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 tomli==2.2.1

data/helpers/test/fixtures/no_dependencies.toml ADDED Viewed

@@ -0,0 +1,3 @@
+[project]
+name = "myapp"
+version = "1.0.0"

data/helpers/test/fixtures/pep621_arbitrary_equality.toml ADDED Viewed

@@ -0,0 +1,7 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+dependencies = [
+    "numpy===1.24.0rc1",
+]

data/helpers/test/fixtures/pep621_dependencies.toml ADDED Viewed

@@ -0,0 +1,21 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+requires-python = ">=3.10"
+dependencies = [
+    "requests>=2.13.0,<3.0",
+    "urllib3==1.26.0",
+]
+[project.optional-dependencies]
+socks = [
+    "PySocks >= 1.5.6, != 1.5.7, < 2",
+]
+tests = [
+    "pytest >= 7.0, < 8",
+]
+[build-system]
+requires = ["setuptools>=68.0"]
+build-backend = "setuptools.build_meta"

data/helpers/test/fixtures/pep621_empty_deps.toml ADDED Viewed

@@ -0,0 +1,8 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+dependencies = []
+[project.optional-dependencies]
+dev = []

data/helpers/test/fixtures/pep621_extras.toml ADDED Viewed

@@ -0,0 +1,8 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+requires-python = ">=3.10"
+dependencies = [
+    "cachecontrol[filecache]>=0.14.0",
+]

data/helpers/test/fixtures/pep621_markers.toml ADDED Viewed

@@ -0,0 +1,7 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+dependencies = [
+    "requests>=2.13.0; python_version >= '3.8'",
+]

data/helpers/test/fixtures/pep621_multiple_extras.toml ADDED Viewed

@@ -0,0 +1,7 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+dependencies = [
+    "boto3[crt,s3]>=1.28.0",
+]

data/helpers/test/fixtures/pep621_no_version.toml ADDED Viewed

@@ -0,0 +1,8 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+dependencies = [
+    "requests",
+    "flask",
+]

data/helpers/test/fixtures/pep621_only_build_system.toml ADDED Viewed

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"

data/helpers/test/fixtures/pep735_cycle.toml ADDED Viewed

@@ -0,0 +1,13 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+[dependency-groups]
+a = [
+    {include-group = "b"},
+    "requests>=2.0",
+]
+b = [
+    {include-group = "a"},
+    "flask>=2.0",
+]

data/helpers/test/fixtures/pep735_dependency_groups.toml ADDED Viewed

@@ -0,0 +1,18 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+requires-python = ">=3.10"
+dependencies = [
+    "requests>=2.13.0",
+]
+[dependency-groups]
+dev = [
+    "pytest==7.1.3",
+    "black==22.10.0",
+]
+lint = [
+    {include-group = "dev"},
+    "flake8>=5.0",
+]

data/helpers/test/fixtures/requirements/constraints.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ requests<3.0

data/helpers/test/fixtures/requirements/markers.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ pywin32>=1.0; sys_platform == "win32"

data/helpers/test/fixtures/requirements/requirements-dev.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ pytest>=7.0
2	+ black==22.10.0

data/helpers/test/fixtures/requirements/requirements.txt ADDED Viewed

@@ -0,0 +1,5 @@
+# Basic requirements file
+requests>=2.13.0,<3.0
+urllib3==1.26.0
+Flask[async]>=2.0
+boto3  # AWS SDK

data/helpers/test/fixtures/requirements/with_constraints.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ -c constraints.txt
2	+ requests>=2.13.0

data/helpers/test/fixtures/requirements_empty/.gitkeep ADDED Viewed

File without changes

data/helpers/test/fixtures/setup_cfg/setup.cfg ADDED Viewed

@@ -0,0 +1,16 @@
+[metadata]
+name = myapp
+version = 1.0.0
+[options]
+install_requires =
+    requests>=2.13.0
+    urllib3==1.26.0
+setup_requires =
+    setuptools>=68.0
+tests_require =
+    pytest>=7.0
+[options.extras_require]
+socks =
+    PySocks>=1.5.6

data/helpers/test/fixtures/setup_py/setup.py ADDED Viewed

@@ -0,0 +1,20 @@
+from setuptools import setup
+setup(
+    name="myapp",
+    version="1.0.0",
+    install_requires=[
+        "requests>=2.13.0",
+        "urllib3==1.26.0",
+    ],
+    setup_requires=[
+        "setuptools>=68.0",
+    ],
+    tests_require=[
+        "pytest>=7.0",
+    ],
+    extras_require={
+        "socks": ["PySocks>=1.5.6"],
+        "dev": ["black==22.10.0"],
+    },
+)

data/helpers/test/fixtures/setup_py_comments/setup.py ADDED Viewed

@@ -0,0 +1,9 @@
+from setuptools import setup
+setup(
+    name="myapp",
+    version="1.0.0",
+    install_requires=[
+        "requests>=2.13.0  # HTTP library",
+    ],
+)

data/helpers/test/test_hasher.py ADDED Viewed

@@ -0,0 +1,114 @@
+import json
+import os
+import ssl
+import sys
+from unittest.mock import MagicMock, patch
+from urllib.error import URLError
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+import hasher  # noqa: E402
+import hashin as hashin_mod  # noqa: E402
+class TestGetDependencyHash:
+    @patch("hasher.hashin.get_package_hashes")
+    def test_returns_hashes(self, mock_get):
+        mock_get.return_value = {
+            "hashes": [
+                {"hash": "abc123", "platform": "linux"},
+                {"hash": "def456", "platform": "macos"},
+            ]
+        }
+        result = json.loads(hasher.get_dependency_hash(
+            "requests", "2.28.0", "sha256"
+        ))
+        assert "result" in result
+        assert len(result["result"]) == 2
+        assert result["result"][0]["hash"] == "abc123"
+        mock_get.assert_called_once()
+    @patch("hasher.hashin.get_package_hashes")
+    def test_custom_index_url(self, mock_get):
+        mock_get.return_value = {"hashes": []}
+        hasher.get_dependency_hash(
+            "requests", "2.28.0", "sha256",
+            index_url="https://custom.registry/simple/"
+        )
+        mock_get.assert_called_once_with(
+            "requests",
+            version="2.28.0",
+            algorithm="sha256",
+            index_url="https://custom.registry/simple/"
+        )
+    @patch("hasher.hashin.get_package_hashes")
+    def test_package_not_found(self, mock_get):
+        mock_get.side_effect = hashin_mod.PackageNotFoundError(
+            "no-such-package"
+        )
+        result = json.loads(hasher.get_dependency_hash(
+            "no-such-package", "1.0.0", "sha256"
+        ))
+        assert "error" in result
+    @patch("hasher.hashin.get_package_hashes")
+    def test_ssl_certificate_error(self, mock_get):
+        ssl_error = ssl.SSLError(
+            "CERTIFICATE_VERIFY_FAILED: unable to get local issuer"
+        )
+        mock_get.side_effect = URLError(ssl_error)
+        result = json.loads(hasher.get_dependency_hash(
+            "requests", "2.28.0", "sha256"
+        ))
+        assert "error" in result
+        assert "CERTIFICATE_VERIFY_FAILED" in result["error"]
+    @patch("hasher.hashin.get_package_hashes")
+    def test_non_ssl_url_error_raises(self, mock_get):
+        mock_get.side_effect = URLError("Connection refused")
+        try:
+            hasher.get_dependency_hash("requests", "2.28.0", "sha256")
+            assert False, "Expected URLError to be raised"
+        except URLError:
+            pass  # expected
+class TestGetPipfileHash:
+    @patch("builtins.open")
+    @patch("hasher.plette")
+    def test_returns_hash(self, mock_plette, mock_open):
+        mock_pipfile = MagicMock()
+        mock_pipfile.get_hash.return_value.value = "abc123hash"
+        mock_plette.Pipfile.load.return_value = mock_pipfile
+        result = json.loads(hasher.get_pipfile_hash("/tmp/project"))
+        assert result["result"] == "abc123hash"
+        mock_open.assert_called_once_with("/tmp/project/Pipfile")
+class TestGetPyprojectHash:
+    @patch("hasher.Factory")
+    def test_returns_hash(self, mock_factory_cls):
+        mock_poetry = MagicMock()
+        mock_poetry.locker._get_content_hash.return_value = "xyz789hash"
+        mock_factory_cls.return_value.create_poetry.return_value = mock_poetry
+        result = json.loads(hasher.get_pyproject_hash("/tmp/project"))
+        assert result["result"] == "xyz789hash"
+        mock_factory_cls.return_value.create_poetry.assert_called_once_with(
+            "/tmp/project"
+        )

data/helpers/test/test_parse_requirements.py ADDED Viewed

@@ -0,0 +1,103 @@
+import json
+import os
+import sys
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+from parser import parse_requirements  # noqa: E402
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+def parse(fixture_dir):
+    path = os.path.join(FIXTURES, fixture_dir)
+    result = json.loads(parse_requirements(path))
+    return result
+def find_dep(deps, name):
+    return next((d for d in deps if d["name"] == name), None)
+def find_dep_in_file(deps, name, file_substring):
+    return next(
+        (d for d in deps
+         if d["name"] == name and file_substring in d["file"]),
+        None
+    )
+class TestParseRequirementsTxt:
+    def test_parses_basic_requirements(self):
+        result = parse("requirements")
+        deps = result["result"]
+        requests = find_dep_in_file(deps, "requests", "requirements.txt")
+        assert requests is not None
+        assert requests["requirement"] == "<3.0,>=2.13.0"
+    def test_parses_pinned_version(self):
+        result = parse("requirements")
+        deps = result["result"]
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+        assert urllib3["requirement"] == "==1.26.0"
+    def test_parses_extras(self):
+        result = parse("requirements")
+        deps = result["result"]
+        flask = find_dep(deps, "Flask")
+        assert flask is not None
+        assert flask["extras"] == ["async"]
+    def test_strips_inline_comments(self):
+        result = parse("requirements")
+        deps = result["result"]
+        boto3 = find_dep(deps, "boto3")
+        assert boto3 is not None
+        # boto3 has no version specifier, just a comment
+        assert boto3["requirement"] is None or boto3["requirement"] == ""
+    def test_file_path_is_relative(self):
+        result = parse("requirements")
+        deps = result["result"]
+        for dep in deps:
+            assert not os.path.isabs(dep["file"])
+    def test_parses_dev_requirements(self):
+        result = parse("requirements")
+        deps = result["result"]
+        black = find_dep(deps, "black")
+        assert black is not None
+        assert black["version"] == "22.10.0"
+        assert "requirements-dev.txt" in black["file"]
+    def test_parses_markers(self):
+        result = parse("requirements")
+        deps = result["result"]
+        pywin32 = find_dep(deps, "pywin32")
+        assert pywin32 is not None
+        assert pywin32["markers"] == 'sys_platform == "win32"'
+    def test_empty_directory_returns_empty(self):
+        result = parse("requirements_empty")
+        deps = result["result"]
+        assert deps == []
+    def test_constraint_file_deps(self):
+        """Requirements with -c constraints should still parse the deps."""
+        result = parse("requirements")
+        deps = result["result"]
+        # with_constraints.txt has requests
+        req_files = [d["file"] for d in deps if d["name"] == "requests"]
+        assert any("with_constraints" in f for f in req_files)
+    def test_multiple_files_parsed(self):
+        """All .txt files in the directory are parsed."""
+        result = parse("requirements")
+        deps = result["result"]
+        files = {d["file"] for d in deps}
+        assert any("requirements.txt" in f for f in files)
+        assert any("requirements-dev.txt" in f for f in files)

data/helpers/test/test_parse_setup.py ADDED Viewed

@@ -0,0 +1,127 @@
+import json
+import os
+import sys
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+from parser import parse_setup  # noqa: E402
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+def parse(fixture_dir):
+    path = os.path.join(FIXTURES, fixture_dir)
+    result = json.loads(parse_setup(path))
+    return result
+def find_dep(deps, name):
+    return next((d for d in deps if d["name"] == name), None)
+# ---------------------------------------------------------------------------
+# setup.py parsing
+# ---------------------------------------------------------------------------
+class TestSetupPy:
+    def test_parses_install_requires(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["requirement"] == ">=2.13.0"
+        assert requests["requirement_type"] == "install_requires"
+        assert requests["file"] == "setup.py"
+    def test_parses_pinned_version(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+    def test_parses_setup_requires(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools is not None
+        assert setuptools["requirement_type"] == "setup_requires"
+    def test_parses_tests_require(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        pytest = find_dep(deps, "pytest")
+        assert pytest is not None
+        assert pytest["requirement_type"] == "tests_require"
+    def test_parses_extras_require(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        pysocks = find_dep(deps, "PySocks")
+        assert pysocks is not None
+        assert pysocks["requirement_type"] == "extras_require:socks"
+    def test_parses_multiple_extras_groups(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        extras = [d for d in deps if d["requirement_type"].startswith(
+            "extras_require:"
+        )]
+        groups = {d["requirement_type"] for d in extras}
+        assert "extras_require:socks" in groups
+        assert "extras_require:dev" in groups
+    def test_strips_comments(self):
+        result = parse("setup_py_comments")
+        deps = result["result"]
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["requirement"] == ">=2.13.0"
+# ---------------------------------------------------------------------------
+# setup.cfg parsing
+# ---------------------------------------------------------------------------
+class TestSetupCfg:
+    def test_parses_install_requires(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["requirement"] == ">=2.13.0"
+        assert requests["requirement_type"] == "install_requires"
+        assert requests["file"] == "setup.cfg"
+    def test_parses_pinned_version(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+    def test_parses_setup_requires(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools is not None
+        assert setuptools["requirement_type"] == "setup_requires"
+    def test_parses_tests_require(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        pytest = find_dep(deps, "pytest")
+        assert pytest is not None
+        assert pytest["requirement_type"] == "tests_require"
+    def test_parses_extras_require(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        pysocks = find_dep(deps, "PySocks")
+        assert pysocks is not None
+        assert pysocks["requirement_type"] == "extras_require:socks"
+    def test_empty_directory_returns_empty(self):
+        result = parse("requirements_empty")
+        deps = result["result"]
+        assert deps == []

data/helpers/test/test_parser.py ADDED Viewed

@@ -0,0 +1,184 @@
+import json
+import os
+import sys
+# Add the helpers lib directory to the Python path so we can import parser
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+from parser import parse_pep621_pep735_dependencies  # noqa: E402
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+def parse(fixture_name):
+    path = os.path.join(FIXTURES, fixture_name)
+    result = json.loads(parse_pep621_pep735_dependencies(path))
+    return result["result"]
+def find_dep(deps, name):
+    return next((d for d in deps if d["name"] == name), None)
+# ---------------------------------------------------------------------------
+# PEP 621 project.dependencies
+# ---------------------------------------------------------------------------
+class TestPep621Dependencies:
+    def test_parses_runtime_dependencies(self):
+        deps = parse("pep621_dependencies.toml")
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        # packaging normalises specifier order alphabetically by operator
+        assert requests["requirement"] == "<3.0,>=2.13.0"
+        assert requests["requirement_type"] == "dependencies"
+    def test_parses_exact_version(self):
+        deps = parse("pep621_dependencies.toml")
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+        assert urllib3["requirement"] == "==1.26.0"
+    def test_parses_optional_dependencies(self):
+        deps = parse("pep621_dependencies.toml")
+        pysocks = find_dep(deps, "PySocks")
+        assert pysocks is not None
+        assert pysocks["requirement_type"] == "socks"
+    def test_optional_dependency_specifiers(self):
+        deps = parse("pep621_dependencies.toml")
+        pysocks = find_dep(deps, "PySocks")
+        # packaging normalises specifiers: sorted, no spaces
+        assert "!=" in pysocks["requirement"]
+        assert ">=" in pysocks["requirement"]
+    def test_parses_multiple_optional_groups(self):
+        deps = parse("pep621_dependencies.toml")
+        group_types = {d["requirement_type"] for d in deps}
+        assert "socks" in group_types
+        assert "tests" in group_types
+    def test_parses_build_system_requires(self):
+        deps = parse("pep621_dependencies.toml")
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools is not None
+        assert setuptools["requirement_type"] == "build-system.requires"
+        assert setuptools["requirement"] == ">=68.0"
+# ---------------------------------------------------------------------------
+# PEP 621 extras
+# ---------------------------------------------------------------------------
+class TestPep621Extras:
+    def test_parses_extras(self):
+        deps = parse("pep621_extras.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc is not None
+        assert cc["extras"] == ["filecache"]
+    def test_extras_requirement(self):
+        deps = parse("pep621_extras.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc["requirement"] == ">=0.14.0"
+# ---------------------------------------------------------------------------
+# PEP 735 dependency-groups
+# ---------------------------------------------------------------------------
+class TestPep735DependencyGroups:
+    def test_parses_dependency_group(self):
+        deps = parse("pep735_dependency_groups.toml")
+        pytest_dep = find_dep(deps, "pytest")
+        assert pytest_dep is not None
+        assert pytest_dep["requirement_type"] == "dev"
+        assert pytest_dep["version"] == "7.1.3"
+    def test_include_group_resolves(self):
+        deps = parse("pep735_dependency_groups.toml")
+        # "lint" group includes "dev" via include-group, plus flake8
+        lint_deps = [d for d in deps if d["requirement_type"] == "lint"]
+        lint_names = {d["name"] for d in lint_deps}
+        assert "flake8" in lint_names
+        # include-group pulls dev deps into lint but they keep their
+        # original group name, so they appear under "dev" requirement_type
+        all_names = {d["name"] for d in deps}
+        assert "pytest" in all_names
+        assert "black" in all_names
+    def test_include_group_lists_all_resolved_deps(self):
+        deps = parse("pep735_dependency_groups.toml")
+        # pytest appears twice: once from direct "dev" processing and
+        # once from "lint" including "dev" (both with requirement_type="dev"
+        # because included deps keep their original group name)
+        pytests = [d for d in deps if d["name"] == "pytest"]
+        assert len(pytests) == 2
+        assert all(d["requirement_type"] == "dev" for d in pytests)
+# ---------------------------------------------------------------------------
+# Markers
+# ---------------------------------------------------------------------------
+class TestMarkers:
+    def test_parses_markers(self):
+        deps = parse("pep621_markers.toml")
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["markers"] == 'python_version >= "3.8"'
+    def test_requirement_with_markers(self):
+        deps = parse("pep621_markers.toml")
+        requests = find_dep(deps, "requests")
+        assert requests["requirement"] == ">=2.13.0"
+# ---------------------------------------------------------------------------
+# Edge cases
+# ---------------------------------------------------------------------------
+class TestEdgeCases:
+    def test_no_dependencies(self):
+        deps = parse("no_dependencies.toml")
+        assert deps == []
+    def test_only_build_system(self):
+        deps = parse("pep621_only_build_system.toml")
+        assert len(deps) == 2
+        names = {d["name"] for d in deps}
+        assert "setuptools" in names
+        assert "wheel" in names
+        assert all(
+            d["requirement_type"] == "build-system.requires" for d in deps
+        )
+    def test_empty_dependency_lists(self):
+        deps = parse("pep621_empty_deps.toml")
+        assert deps == []
+    def test_multiple_extras_on_single_dep(self):
+        deps = parse("pep621_multiple_extras.toml")
+        boto3 = find_dep(deps, "boto3")
+        assert boto3 is not None
+        assert boto3["extras"] == ["crt", "s3"]
+        assert boto3["requirement"] == ">=1.28.0"
+    def test_arbitrary_equality_operator(self):
+        deps = parse("pep621_arbitrary_equality.toml")
+        numpy = find_dep(deps, "numpy")
+        assert numpy is not None
+        assert numpy["version"] == "1.24.0rc1"
+        assert numpy["requirement"] == "===1.24.0rc1"
+    def test_no_version_specifier(self):
+        deps = parse("pep621_no_version.toml")
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["version"] is None
+        assert requests["requirement"] == ""
+    def test_cyclic_include_group_does_not_loop(self):
+        deps = parse("pep735_cycle.toml")
+        names = [d["name"] for d in deps]
+        # Both groups should be processed without infinite recursion
+        assert "requests" in names
+        assert "flask" in names

data/helpers/test/test_run.py ADDED Viewed

@@ -0,0 +1,49 @@
+import json
+import os
+import subprocess
+import sys
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+HELPERS_DIR = os.path.join(os.path.dirname(__file__), os.pardir)
+RUN_PY = os.path.join(HELPERS_DIR, "run.py")
+def run_helper(function, args):
+    input_json = json.dumps({"function": function, "args": args})
+    result = subprocess.run(
+        [sys.executable, RUN_PY],
+        input=input_json,
+        capture_output=True,
+        text=True,
+        cwd=HELPERS_DIR,
+    )
+    assert result.returncode == 0, (
+        f"run.py failed: {result.stderr}"
+    )
+    return json.loads(result.stdout)
+class TestRunRouting:
+    def test_parse_pep621_routing(self):
+        fixture = os.path.join(FIXTURES, "pep621_dependencies.toml")
+        result = run_helper("parse_pep621_pep735_dependencies", [fixture])
+        assert "result" in result
+        names = {d["name"] for d in result["result"]}
+        assert "requests" in names
+    def test_parse_setup_routing(self):
+        fixture_dir = os.path.join(FIXTURES, "setup_py")
+        result = run_helper("parse_setup", [fixture_dir])
+        assert "result" in result
+        names = {d["name"] for d in result["result"]}
+        assert "requests" in names
+    def test_parse_requirements_routing(self):
+        fixture_dir = os.path.join(FIXTURES, "requirements")
+        result = run_helper("parse_requirements", [fixture_dir])
+        assert "result" in result
+        names = {d["name"] for d in result["result"]}
+        assert "requests" in names

data/lib/dependabot/python/file_updater/poetry_file_updater.rb CHANGED Viewed

@@ -124,8 +124,10 @@ module Dependabot
           declaration_match = content.match(declaration_regex)
           if declaration_match
             declaration = declaration_match[:declaration]
-            new_declaration = T.must(declaration).sub(old_req, new_req)
-            return content.sub(T.must(declaration), new_declaration)
+            if T.must(declaration).include?(old_req)
+              new_declaration = T.must(declaration).sub(old_req, new_req)
+              return content.sub(T.must(declaration), new_declaration)
+            end
           end
           # Try Poetry table format
@@ -220,9 +222,8 @@ module Dependabot
         sig { params(pyproject_content: String).returns(String) }
         def freeze_other_dependencies(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content, lockfile: lockfile)
-            .freeze_top_level_dependencies_except(dependencies)
+          PyprojectPreparer.new(pyproject_content: pyproject_content, lockfile: lockfile)
+                           .freeze_top_level_dependencies_except(dependencies)
         end
         sig { params(pyproject_content: String).returns(String) }
@@ -244,14 +245,18 @@ module Dependabot
             end
           end
+          # Freeze PEP 621 project.dependencies and project.optional-dependencies
+          PyprojectPreparer.freeze_pep621_deps!(pyproject_object, dependencies) do |dep|
+            !git_dependency_being_updated?(dep)
+          end
           TomlRB.dump(pyproject_object)
         end
         sig { params(pyproject_content: String).returns(String) }
         def update_python_requirement(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content)
-            .update_python_requirement(language_version_manager.python_version)
+          PyprojectPreparer.new(pyproject_content: pyproject_content)
+                           .update_python_requirement(language_version_manager.python_version)
         end
         sig { params(poetry_object: T::Hash[String, T.untyped], dep: Dependabot::Dependency).returns(T::Array[String]) }
@@ -262,6 +267,8 @@ module Dependabot
             next unless pkg_name
             if poetry_object[type][pkg_name].is_a?(Hash)
+              next unless poetry_object[type][pkg_name].key?("version") # skip enrichment-only entries
               poetry_object[type][pkg_name]["version"] = dep.version
             else
               poetry_object[type][pkg_name] = dep.version
@@ -284,9 +291,7 @@ module Dependabot
         sig { params(pyproject_content: String).returns(String) }
         def sanitize(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content)
-            .sanitize
+          PyprojectPreparer.new(pyproject_content: pyproject_content).sanitize
         end
         sig { params(pyproject_content: String).returns(String) }

data/lib/dependabot/python/file_updater/pyproject_preparer.rb CHANGED Viewed

@@ -16,6 +16,80 @@ module Dependabot
       class PyprojectPreparer
         extend T::Sig
+        # Builds a regex pattern that matches a PEP 508 package name,
+        # treating hyphens, underscores, and dots as interchangeable per PEP 508.
+        sig { params(name: String).returns(String) }
+        def self.pep508_name_pattern(name)
+          Regexp.escape(name).gsub("\\-", "[-_.]").gsub("_", "[-_.]").gsub("\\.", "[-_.]")
+        end
+        private_class_method :pep508_name_pattern
+        # Pins a single PEP 508 dependency entry string to a specific version,
+        # preserving extras and environment markers.
+        sig { params(entry: String, name_pattern: String, version: String).returns(String) }
+        def self.pin_pep508_entry(entry, name_pattern, version)
+          if entry.match?(/\A#{name_pattern}(\[.*?\])?\s*[><=!~]/i)
+            entry.sub(
+              /(?<pre>#{name_pattern}(?:\[.*?\])?)\s*[><=!~][^;]*?(?=\s*;|\s*\z)/i,
+              "\\k<pre>==#{version}"
+            )
+          else
+            entry.sub(
+              /(?<pre>#{name_pattern}(?:\[.*?\])?)(?<rest>\s*(?:;.*)?)/i,
+              "\\k<pre>==#{version}\\k<rest>"
+            )
+          end
+        end
+        private_class_method :pin_pep508_entry
+        # Freezes PEP 621 dependencies in-place within a parsed pyproject object.
+        # Replaces version specifiers with ==dep.version for each matching dep.
+        # Accepts an optional block to filter which dependencies to freeze.
+        sig do
+          params(
+            pyproject_object: T::Hash[String, T.untyped],
+            deps: T::Array[Dependabot::Dependency],
+            blk: T.nilable(T.proc.params(dep: Dependabot::Dependency).returns(T::Boolean))
+          ).void
+        end
+        def self.freeze_pep621_deps!(pyproject_object, deps, &blk)
+          dep_arrays = collect_pep621_dep_arrays(pyproject_object)
+          return if dep_arrays.empty?
+          deps.each do |dep|
+            next if blk && !yield(dep)
+            next unless dep.version
+            pin_pep621_dep_in_arrays!(dep_arrays, dep)
+          end
+        end
+        sig { params(pyproject_object: T::Hash[String, T.untyped]).returns(T::Array[T::Array[String]]) }
+        def self.collect_pep621_dep_arrays(pyproject_object)
+          project_object = pyproject_object["project"]
+          return [] unless project_object
+          dep_arrays = [project_object["dependencies"]]
+          project_object["optional-dependencies"]&.each_value { |opt| dep_arrays << opt }
+          dep_arrays.compact!
+          dep_arrays.select! { |arr| arr.is_a?(Array) && arr.all?(String) }
+          dep_arrays
+        end
+        private_class_method :collect_pep621_dep_arrays
+        sig { params(dep_arrays: T::Array[T::Array[String]], dep: Dependabot::Dependency).void }
+        def self.pin_pep621_dep_in_arrays!(dep_arrays, dep)
+          name_pattern = pep508_name_pattern(dep.name)
+          dep_arrays.each do |arr|
+            arr.each_with_index do |entry, i|
+              next unless entry.match?(/\A#{name_pattern}(\[.*?\])?\s*(\z|[><=!~;,])/i)
+              arr[i] = pin_pep508_entry(entry, name_pattern, T.must(dep.version))
+            end
+          end
+        end
+        private_class_method :pin_pep621_dep_in_arrays!
         sig { params(pyproject_content: String, lockfile: T.nilable(Dependabot::DependencyFile)).void }
         def initialize(pyproject_content:, lockfile: nil)
           @pyproject_content = pyproject_content
@@ -109,6 +183,9 @@ module Dependabot
             end
           end
+          # Freeze PEP 621 project.dependencies and project.optional-dependencies
+          freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
           TomlRB.dump(pyproject_object)
         end
         # rubocop:enable Metrics/AbcSize
@@ -122,6 +199,38 @@ module Dependabot
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :lockfile
+        sig { params(pyproject_object: T::Hash[String, T.untyped], excluded_names: T::Array[String]).void }
+        def freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
+          project_object = pyproject_object["project"]
+          return unless project_object
+          freeze_pep621_dep_array!(project_object["dependencies"], excluded_names)
+          project_object["optional-dependencies"]&.each_value do |opt_deps|
+            freeze_pep621_dep_array!(opt_deps, excluded_names)
+          end
+        end
+        sig { params(dep_array: T.nilable(T::Array[String]), excluded_names: T::Array[String]).void }
+        def freeze_pep621_dep_array!(dep_array, excluded_names)
+          return unless dep_array
+          dep_array.each_with_index do |entry, index|
+            # Extract dependency name from PEP 508 string
+            match = entry.match(/\A([a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?)/i)
+            next unless match
+            dep_name = normalise(T.must(match[1]))
+            next if excluded_names.include?(dep_name)
+            locked_details = locked_details(dep_name)
+            next unless (locked_version = locked_details&.fetch("version"))
+            name_pattern = self.class.send(:pep508_name_pattern, T.must(match[1]))
+            dep_array[index] = self.class.send(:pin_pep508_entry, entry, name_pattern, locked_version)
+          end
+        end
         sig { params(dep_name: String).returns(T.nilable(T::Hash[String, T.untyped])) }
         def locked_details(dep_name)
           parsed_lockfile.fetch("package")

data/lib/dependabot/python/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -9,6 +9,7 @@ require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/git_commit_checker"
 require "dependabot/python/update_checker"
+require "dependabot/update_checkers/cooldown_calculation"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
 require "dependabot/python/authed_url_builder"
@@ -110,8 +111,9 @@ module Dependabot
           new_version = version_class.new(tag_version_str)
           days = cooldown_days_for(current_version, new_version)
-          passed_seconds = Time.now.to_i - release_date_to_seconds(tag_with_detail.release_date)
-          passed_seconds < days * DAY_IN_SECONDS
+          release_time = Time.at(release_date_to_seconds(tag_with_detail.release_date))
+          Dependabot::UpdateCheckers::CooldownCalculation
+            .within_cooldown_window?(release_time, days)
         end
         sig do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.368.0
+  version: 0.369.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.368.0
+        version: 0.369.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.368.0
+        version: 0.369.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -247,6 +247,31 @@ files:
 - helpers/lib/parser.py
 - helpers/requirements.txt
 - helpers/run.py
+- helpers/test/fixtures/no_dependencies.toml
+- helpers/test/fixtures/pep621_arbitrary_equality.toml
+- helpers/test/fixtures/pep621_dependencies.toml
+- helpers/test/fixtures/pep621_empty_deps.toml
+- helpers/test/fixtures/pep621_extras.toml
+- helpers/test/fixtures/pep621_markers.toml
+- helpers/test/fixtures/pep621_multiple_extras.toml
+- helpers/test/fixtures/pep621_no_version.toml
+- helpers/test/fixtures/pep621_only_build_system.toml
+- helpers/test/fixtures/pep735_cycle.toml
+- helpers/test/fixtures/pep735_dependency_groups.toml
+- helpers/test/fixtures/requirements/constraints.txt
+- helpers/test/fixtures/requirements/markers.txt
+- helpers/test/fixtures/requirements/requirements-dev.txt
+- helpers/test/fixtures/requirements/requirements.txt
+- helpers/test/fixtures/requirements/with_constraints.txt
+- helpers/test/fixtures/requirements_empty/.gitkeep
+- helpers/test/fixtures/setup_cfg/setup.cfg
+- helpers/test/fixtures/setup_py/setup.py
+- helpers/test/fixtures/setup_py_comments/setup.py
+- helpers/test/test_hasher.py
+- helpers/test/test_parse_requirements.py
+- helpers/test/test_parse_setup.py
+- helpers/test/test_parser.py
+- helpers/test/test_run.py
 - lib/dependabot/python.rb
 - lib/dependabot/python/authed_url_builder.rb
 - lib/dependabot/python/dependency_grapher.rb
@@ -294,7 +319,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.368.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.369.0
 rdoc_options: []
 require_paths:
 - lib