dependabot-python 0.368.0 → 0.370.0

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -13,12 +13,14 @@ require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/python/native_helpers"
 require "dependabot/python/name_normaliser"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
     class FileUpdater
       class PoetryFileUpdater
         require_relative "pyproject_preparer"
+        require_relative "poetry_file_updater/pep621_updater"
         extend T::Sig
 
         sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -49,6 +51,7 @@ module Dependabot
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @updated_pyproject_content = T.let(nil, T.nilable(String))
+          @poetry_plugin_installer = T.let(nil, T.nilable(PoetryPluginInstaller))
           @poetry_lock = T.let(nil, T.nilable(Dependabot::DependencyFile))
         end
 
@@ -77,9 +80,7 @@ module Dependabot
               )
           end
 
-          raise "Expected lockfile to change!" if lockfile && lockfile&.content == updated_lockfile_content
-
-          if lockfile
+          if lockfile && lockfile&.content != updated_lockfile_content
             updated_files <<
               updated_file(file: T.must(lockfile), content: updated_lockfile_content)
           end
@@ -105,50 +106,51 @@ module Dependabot
           updated_content
         end
 
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            content: String,
-            new_r: T::Hash[Symbol, T.untyped],
-            old_r: T::Hash[Symbol, T.untyped]
-          ).returns(String)
-        end
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(String) }
         def replace_dep(dep, content, new_r, old_r)
-          # Handle Git dependencies with tags
           return update_git_tag(dep, content, new_r, old_r) if git_dependency?(new_r) && git_dependency?(old_r)
 
+          replace_poetry_dep(dep, content, new_r, old_r) ||
+            replace_poetry_table_dep(dep, content, new_r, old_r) ||
+            replace_pep621_dep(dep, content, new_r, old_r) ||
+            content
+        end
+
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_poetry_dep(dep, content, new_r, old_r)
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
 
           declaration_regex = declaration_regex(dep, old_r)
           declaration_match = content.match(declaration_regex)
-          if declaration_match
-            declaration = declaration_match[:declaration]
-            new_declaration = T.must(declaration).sub(old_req, new_req)
-            return content.sub(T.must(declaration), new_declaration)
-          end
+          return unless declaration_match
 
-          # Try Poetry table format
-          table_match = content.match(table_declaration_regex(dep, new_r))
-          if table_match
-            return content.gsub(table_declaration_regex(dep, new_r)) do |match|
-              match.gsub(
-                /(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
-                '\1' + new_req
-              )
-            end
-          end
+          declaration = declaration_match[:declaration]
+          return unless T.must(declaration).include?(old_req)
+
+          new_declaration = T.must(declaration).sub(old_req, new_req)
+          content.sub(T.must(declaration), new_declaration)
+        end
 
-          # Try PEP 621 array format (e.g., dependencies = ["django==5.0.0"])
-          pep621_regex = pep621_declaration_regex(dep, old_req)
-          pep621_match = content.match(pep621_regex)
-          if pep621_match
-            declaration = pep621_match[:declaration]
-            new_declaration = T.must(declaration).sub(old_req, new_req)
-            return content.sub(T.must(declaration), new_declaration)
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_poetry_table_dep(dep, content, new_r, old_r)
+          old_req = old_r[:requirement]
+          new_req = new_r[:requirement]
+          regex = table_declaration_regex(dep, new_r)
+
+          return unless content.match(regex)
+
+          content.gsub(regex) do |match|
+            match.gsub(
+              /(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
+              '\1' + new_req
+            )
           end
+        end
 
-          content
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_pep621_dep(dep, content, new_r, old_r)
+          Pep621Updater.new(dep: dep).replace(content, new_r, old_r)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
@@ -156,14 +158,7 @@ module Dependabot
           req.dig(:source, :type) == "git"
         end
 
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            content: String,
-            new_r: T::Hash[Symbol, T.untyped],
-            old_r: T::Hash[Symbol, T.untyped]
-          ).returns(String)
-        end
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(String) }
         def update_git_tag(dep, content, new_r, old_r)
           old_tag = old_r.dig(:source, :ref)
           new_tag = new_r.dig(:source, :ref)
@@ -220,9 +215,8 @@ module Dependabot
 
         sig { params(pyproject_content: String).returns(String) }
         def freeze_other_dependencies(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content, lockfile: lockfile)
-            .freeze_top_level_dependencies_except(dependencies)
+          PyprojectPreparer.new(pyproject_content: pyproject_content, lockfile: lockfile)
+                           .freeze_top_level_dependencies_except(dependencies)
         end
 
         sig { params(pyproject_content: String).returns(String) }
@@ -244,14 +238,18 @@ module Dependabot
             end
           end
 
+          # Freeze PEP 621 project.dependencies and project.optional-dependencies
+          PyprojectPreparer.freeze_pep621_deps!(pyproject_object, dependencies) do |dep|
+            !git_dependency_being_updated?(dep)
+          end
+
           TomlRB.dump(pyproject_object)
         end
 
         sig { params(pyproject_content: String).returns(String) }
         def update_python_requirement(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content)
-            .update_python_requirement(language_version_manager.python_version)
+          PyprojectPreparer.new(pyproject_content: pyproject_content)
+                           .update_python_requirement(language_version_manager.python_version)
         end
 
         sig { params(poetry_object: T::Hash[String, T.untyped], dep: Dependabot::Dependency).returns(T::Array[String]) }
@@ -262,6 +260,8 @@ module Dependabot
             next unless pkg_name
 
             if poetry_object[type][pkg_name].is_a?(Hash)
+              next unless poetry_object[type][pkg_name].key?("version") # skip enrichment-only entries
+
               poetry_object[type][pkg_name]["version"] = dep.version
             else
               poetry_object[type][pkg_name] = dep.version
@@ -284,9 +284,7 @@ module Dependabot
 
         sig { params(pyproject_content: String).returns(String) }
         def sanitize(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content)
-            .sanitize
+          PyprojectPreparer.new(pyproject_content: pyproject_content).sanitize
         end
 
         sig { params(pyproject_content: String).returns(String) }
@@ -297,6 +295,7 @@ module Dependabot
               add_auth_env_vars
 
               language_version_manager.install_required_python
+              poetry_plugin_installer.install_required_plugins
 
               # use system git instead of the pure Python dulwich
               run_poetry_command("pyenv exec poetry config system-git-client true")
@@ -345,17 +344,7 @@ module Dependabot
             .add_auth_env_vars(credentials)
         end
 
-        sig do
-          params(
-            pyproject_content: String
-          ).returns(T.nilable(
-                      T.any(
-                        T::Hash[String, T.untyped],
-                        String,
-                        T::Array[T::Hash[String, T.untyped]]
-                      )
-                    ))
-        end
+        sig { params(pyproject_content: String).returns(T.nilable(T.any(T::Hash[String, T.untyped], String, T::Array[T::Hash[String, T.untyped]]))) }
         def pyproject_hash_for(pyproject_content)
           SharedHelpers.in_a_temporary_directory do |dir|
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -383,20 +372,6 @@ module Dependabot
           /tool\.poetry\.#{old_req[:groups].first}\.#{escape(dep)}\](?:\r?\n).*?\s*version\s* =.*?(?:\r?\n)/m
         end
 
-        sig { params(dep: Dependabot::Dependency, old_req: String).returns(Regexp) }
-        def pep621_declaration_regex(dep, old_req)
-          /(?<declaration>["']#{escape(dep)}#{extras_pattern(dep)}#{Regexp.escape(old_req)}["'])/mi
-        end
-
-        # Reconstructs extras from metadata for PEP 621 regex matching.
-        sig { params(dep: Dependabot::Dependency).returns(String) }
-        def extras_pattern(dep)
-          extras_str = dep.metadata[:extras]
-          return "" unless extras_str.is_a?(String) && !extras_str.empty?
-
-          "\\[" + extras_str.split(",").map { |e| Regexp.escape(e.strip) }.join(",\\s*") + "\\]"
-        end
-
         sig { params(dep: Dependency).returns(String) }
         def escape(dep)
           Regexp.escape(dep.name).gsub("\\-", "[-_.]")
@@ -443,6 +418,14 @@ module Dependabot
             )
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           @pyproject ||=

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -16,6 +16,81 @@ module Dependabot
       class PyprojectPreparer
         extend T::Sig
 
+        # Fixed regex for extracting the name+extras prefix from a PEP 508 entry.
+        # Does not interpolate library input, avoiding polynomial backtracking.
+        PEP508_PREFIX = T.let(
+          /\A(?<prefix>(?<name>[a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?)(?:\[[^\]]*\])?)/i,
+          Regexp
+        )
+
+        # Pins a single PEP 508 dependency entry string to a specific version,
+        # preserving extras and environment markers.
+        sig { params(entry: String, version: String).returns(String) }
+        def self.pin_pep508_entry(entry, version)
+          prefix_match = entry.match(PEP508_PREFIX)
+          return entry unless prefix_match
+
+          prefix = T.must(prefix_match[:prefix])
+          rest = T.must(entry[prefix.length..])
+
+          # Extract the environment marker ("; ..." suffix) if present
+          marker_match = rest.match(/(\s*;.*)/)
+          marker = marker_match ? marker_match[1] : ""
+
+          "#{prefix}==#{version}#{marker}"
+        end
+        private_class_method :pin_pep508_entry
+
+        # Freezes PEP 621 dependencies in-place within a parsed pyproject object.
+        # Replaces version specifiers with ==dep.version for each matching dep.
+        # Accepts an optional block to filter which dependencies to freeze.
+        sig do
+          params(
+            pyproject_object: T::Hash[String, T.untyped],
+            deps: T::Array[Dependabot::Dependency],
+            blk: T.nilable(T.proc.params(dep: Dependabot::Dependency).returns(T::Boolean))
+          ).void
+        end
+        def self.freeze_pep621_deps!(pyproject_object, deps, &blk)
+          dep_arrays = collect_pep621_dep_arrays(pyproject_object)
+          return if dep_arrays.empty?
+
+          deps.each do |dep|
+            next if blk && !yield(dep)
+            next unless dep.version
+
+            pin_pep621_dep_in_arrays!(dep_arrays, dep)
+          end
+        end
+
+        sig { params(pyproject_object: T::Hash[String, T.untyped]).returns(T::Array[T::Array[String]]) }
+        def self.collect_pep621_dep_arrays(pyproject_object)
+          project_object = pyproject_object["project"]
+          return [] unless project_object
+
+          dep_arrays = [project_object["dependencies"]]
+          project_object["optional-dependencies"]&.each_value { |opt| dep_arrays << opt }
+          dep_arrays.compact!
+          dep_arrays.select! { |arr| arr.is_a?(Array) && arr.all?(String) }
+          dep_arrays
+        end
+        private_class_method :collect_pep621_dep_arrays
+
+        sig { params(dep_arrays: T::Array[T::Array[String]], dep: Dependabot::Dependency).void }
+        def self.pin_pep621_dep_in_arrays!(dep_arrays, dep)
+          normalised_name = NameNormaliser.normalise(dep.name)
+          dep_arrays.each do |arr|
+            arr.each_with_index do |entry, i|
+              match = entry.match(PEP508_PREFIX)
+              next unless match
+              next unless NameNormaliser.normalise(T.must(match[:name])) == normalised_name
+
+              arr[i] = pin_pep508_entry(entry, T.must(dep.version))
+            end
+          end
+        end
+        private_class_method :pin_pep621_dep_in_arrays!
+
         sig { params(pyproject_content: String, lockfile: T.nilable(Dependabot::DependencyFile)).void }
         def initialize(pyproject_content:, lockfile: nil)
           @pyproject_content = pyproject_content
@@ -64,8 +139,8 @@ module Dependabot
             .gsub('#{', "{")
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/AbcSize
+        UNSUPPORTED_SOURCE_TYPES = T.let(%w(directory file url).freeze, T::Array[String])
+
         sig { params(dependencies: T::Array[Dependabot::Dependency]).returns(String) }
         def freeze_top_level_dependencies_except(dependencies)
           return pyproject_content unless lockfile
@@ -80,39 +155,18 @@ module Dependabot
           Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
             next unless poetry_object[key]
 
-            source_types = %w(directory file url)
             poetry_object.fetch(key).each do |dep_name, _|
               next if excluded_names.include?(normalise(dep_name))
 
-              locked_details = locked_details(dep_name)
-
-              next unless (locked_version = locked_details&.fetch("version"))
-
-              next if source_types.include?(locked_details.dig("source", "type"))
-
-              if locked_details.dig("source", "type") == "git"
-                poetry_object[key][dep_name] = {
-                  "git" => locked_details.dig("source", "url"),
-                  "rev" => locked_details.dig("source", "reference")
-                }
-                subdirectory = locked_details.dig("source", "subdirectory")
-                poetry_object[key][dep_name]["subdirectory"] = subdirectory if subdirectory
-              elsif poetry_object[key][dep_name].is_a?(Hash)
-                poetry_object[key][dep_name]["version"] = locked_version
-              elsif poetry_object[key][dep_name].is_a?(Array)
-                # if it has multiple-constraints, locking to a single version is
-                # going to result in a bad lockfile, ignore
-                next
-              else
-                poetry_object[key][dep_name] = locked_version
-              end
+              freeze_poetry_dep!(poetry_object[key], dep_name)
             end
           end
 
+          # Freeze PEP 621 project.dependencies and project.optional-dependencies
+          freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
+
           TomlRB.dump(pyproject_object)
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 
@@ -122,6 +176,64 @@ module Dependabot
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :lockfile
 
+        sig { params(deps_hash: T::Hash[String, T.untyped], dep_name: String).void }
+        def freeze_poetry_dep!(deps_hash, dep_name)
+          details = locked_details(dep_name)
+          return unless (locked_version = details&.fetch("version"))
+
+          source_type = details.dig("source", "type")
+          return if UNSUPPORTED_SOURCE_TYPES.include?(source_type)
+
+          if source_type == "git"
+            freeze_git_dep!(deps_hash, dep_name, details)
+          elsif deps_hash[dep_name].is_a?(Hash)
+            deps_hash[dep_name]["version"] = locked_version
+          elsif !deps_hash[dep_name].is_a?(Array)
+            deps_hash[dep_name] = locked_version
+          end
+        end
+
+        sig { params(deps_hash: T::Hash[String, T.untyped], dep_name: String, details: T::Hash[String, T.untyped]).void }
+        def freeze_git_dep!(deps_hash, dep_name, details)
+          deps_hash[dep_name] = {
+            "git" => details.dig("source", "url"),
+            "rev" => details.dig("source", "reference")
+          }
+          subdirectory = details.dig("source", "subdirectory")
+          deps_hash[dep_name]["subdirectory"] = subdirectory if subdirectory
+        end
+
+        sig { params(pyproject_object: T::Hash[String, T.untyped], excluded_names: T::Array[String]).void }
+        def freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
+          project_object = pyproject_object["project"]
+          return unless project_object
+
+          freeze_pep621_dep_array!(project_object["dependencies"], excluded_names)
+
+          project_object["optional-dependencies"]&.each_value do |opt_deps|
+            freeze_pep621_dep_array!(opt_deps, excluded_names)
+          end
+        end
+
+        sig { params(dep_array: T.nilable(T::Array[String]), excluded_names: T::Array[String]).void }
+        def freeze_pep621_dep_array!(dep_array, excluded_names)
+          return unless dep_array
+
+          dep_array.each_with_index do |entry, index|
+            # Extract dependency name from PEP 508 string
+            match = entry.match(/\A([a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?)/i)
+            next unless match
+
+            dep_name = normalise(T.must(match[1]))
+            next if excluded_names.include?(dep_name)
+
+            locked_details = locked_details(dep_name)
+            next unless (locked_version = locked_details&.fetch("version"))
+
+            dep_array[index] = self.class.send(:pin_pep508_entry, entry, locked_version)
+          end
+        end
+
         sig { params(dep_name: String).returns(T.nilable(T::Hash[String, T.untyped])) }
         def locked_details(dep_name)
           parsed_lockfile.fetch("package")

data/lib/dependabot/python/package_manager.rb

@@ -86,6 +86,22 @@ module Dependabot
       def unsupported?
         false
       end
+
+      # Poetry supports requires-poetry constraints in pyproject.toml;
+      # other Python package managers don't have an equivalent mechanism.
+      sig { override.void }
+      def raise_if_unsupported!
+        super
+        return unless requirement
+        return unless version
+        return if T.cast(T.must(requirement).satisfied_by?(T.must(version)), T::Boolean)
+
+        raise Dependabot::ToolVersionNotSupported.new(
+          NAME,
+          version.to_s,
+          requirement.to_s
+        )
+      end
     end
 
     class PipCompilePackageManager < Dependabot::Ecosystem::VersionManager

data/lib/dependabot/python/poetry_plugin_installer.rb

@@ -0,0 +1,95 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "shellwords"
+require "sorbet-runtime"
+require "toml-rb"
+require "dependabot/dependency_file"
+require "dependabot/errors"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Python
+    class PoetryPluginInstaller
+      extend T::Sig
+
+      # Only allow valid PyPI package names to prevent command injection
+      VALID_PLUGIN_NAME = /\A[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?\z/
+
+      # Only allow valid version constraint characters to prevent command injection
+      VALID_CONSTRAINT = /\A[a-zA-Z0-9.*,!=<>~^ ]+\z/
+
+      sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).returns(PoetryPluginInstaller) }
+      def self.from_dependency_files(dependency_files)
+        pyproject_content = dependency_files.find { |f| f.name == "pyproject.toml" }&.content
+        new(pyproject_content: pyproject_content)
+      end
+
+      sig { params(pyproject_content: T.nilable(String)).void }
+      def initialize(pyproject_content:)
+        @pyproject_content = T.let(pyproject_content, T.nilable(String))
+        @plugins_installed = T.let(false, T::Boolean)
+      end
+
+      sig { void }
+      def install_required_plugins
+        return if @plugins_installed
+
+        required_plugins.each do |name, constraint|
+          install_plugin(name, constraint)
+        end
+
+        @plugins_installed = true
+      end
+
+      private
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :pyproject_content
+
+      sig { returns(T::Hash[String, String]) }
+      def required_plugins
+        return {} unless pyproject_content
+
+        parsed = TomlRB.parse(pyproject_content)
+        plugins = parsed.dig("tool", "poetry", "requires-plugins")
+        return {} unless plugins.is_a?(Hash)
+
+        plugins.each_with_object({}) do |(name, constraint), result|
+          next unless name.is_a?(String) && constraint.is_a?(String)
+          next unless valid_plugin_name?(name)
+          next unless valid_constraint?(constraint)
+
+          result[name] = constraint
+        end
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        {}
+      end
+
+      sig { params(name: String).returns(T::Boolean) }
+      def valid_plugin_name?(name)
+        VALID_PLUGIN_NAME.match?(name)
+      end
+
+      sig { params(constraint: String).returns(T::Boolean) }
+      def valid_constraint?(constraint)
+        VALID_CONSTRAINT.match?(constraint)
+      end
+
+      sig { params(name: String, constraint: String).void }
+      def install_plugin(name, constraint)
+        Dependabot.logger.info("Installing Poetry plugin: #{name}@#{constraint}")
+
+        escaped = Shellwords.shellescape("#{name}@#{constraint}")
+        SharedHelpers.run_shell_command(
+          "pyenv exec poetry self add #{escaped}",
+          fingerprint: "pyenv exec poetry self add <plugin_name>@<constraint>"
+        )
+      rescue SharedHelpers::HelperSubprocessFailed => e
+        Dependabot.logger.warn(
+          "Failed to install Poetry plugin #{name}@#{constraint}: #{e.message}"
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -9,6 +9,7 @@ require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/git_commit_checker"
 require "dependabot/python/update_checker"
+require "dependabot/update_checkers/cooldown_calculation"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
 require "dependabot/python/authed_url_builder"
@@ -110,8 +111,9 @@ module Dependabot
           new_version = version_class.new(tag_version_str)
           days = cooldown_days_for(current_version, new_version)
 
-          passed_seconds = Time.now.to_i - release_date_to_seconds(tag_with_detail.release_date)
-          passed_seconds < days * DAY_IN_SECONDS
+          release_time = Time.at(release_date_to_seconds(tag_with_detail.release_date))
+          Dependabot::UpdateCheckers::CooldownCalculation
+            .within_cooldown_window?(release_time, days)
         end
 
         sig do

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -18,6 +18,7 @@ require "dependabot/python/requirement"
 require "dependabot/python/native_helpers"
 require "dependabot/python/authed_url_builder"
 require "dependabot/python/name_normaliser"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
@@ -90,6 +91,7 @@ module Dependabot
           @original_reqs_resolvable = T.let(nil, T.nilable(T::Boolean))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
+          @poetry_plugin_installer = T.let(nil, T.nilable(PoetryPluginInstaller))
         end
 
         sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Python::Version)) }
@@ -129,6 +131,9 @@ module Dependabot
 
                 language_version_manager.install_required_python
 
+                # Install any required Poetry plugins declared in pyproject.toml
+                poetry_plugin_installer.install_required_plugins
+
                 # use system git instead of the pure Python dulwich
                 run_poetry_command("pyenv exec poetry config system-git-client true")
 
@@ -385,6 +390,14 @@ module Dependabot
           poetry_lock
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
         def run_poetry_command(command, fingerprint: nil)
           SharedHelpers.run_shell_command(command, fingerprint: fingerprint)