dependabot-python 0.369.0 → 0.371.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64cdd01e07bc2f6472a1027884006af4c7df3648168f04135c7b91cdf5530f14
-  data.tar.gz: b5610dc0420858f42cb23a8462abcd7ebd4b9b1aab8be3ca28233a99c239982c
+  metadata.gz: e5c59beb6b677e51deac37d95023e448ad921265030b47910e4477249a07d1b4
+  data.tar.gz: 4c91924b433ac4f54c2f4f1bfd649e1124864b789cc459e4ab0aca281c02b603
 SHA512:
-  metadata.gz: f4cb556708bba8d54dc3d04495d021e4808cf5651184ed9fe2d1b65d6b1114c688f92d9be8ab8fae6e96d818643ce4c4824db5971dc2fabf55370b6ffff26f39
-  data.tar.gz: 64514c6fad289e34af6bdbaeecc25f8ff815ba193d77088a86fa3399c9379ab1cad740ff0f18ae0ac176e85375714e15f36ceae638b96d6e2714f425ce86cd96
+  metadata.gz: ec8aa99e69214eec367ee3dff6e9e4b6f2031f75cca5e7b674eaa41369c8f40e5af4b8ba86dce39420e7affc0316301bacfc0cf2c832902d3d3da22558971d19
+  data.tar.gz: 586dea07cef16ec324974e7983dfbe42314e4782bfb388194bb524dc78ccb8a3448de97b52867e20be55b5304f674ce3eec26ec6f5e6be30632e4b3e1ffdff34

data/helpers/lib/parser.py

@@ -32,6 +32,30 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 next(iter(specifier_set)).operator in {"==", "==="}):
             return next(iter(specifier_set)).version
 
+    def original_requirement_from_entry(entry, req):
+        """Extract the original requirement string.
+
+        The packaging library normalizes specifiers
+        (removes spaces, reorders operators), but we
+        need the original so the file updater regex
+        can match the file content.
+        """
+        # Strip the name (and any extras like [filecache]) from the start
+        remainder = entry[len(req.name):].strip()
+
+        # Strip extras bracket if present, e.g. [filecache]
+        if remainder.startswith("["):
+            close = remainder.index("]")
+            remainder = remainder[close + 1:].strip()
+
+        # Strip markers from the end, e.g. "; python_version < '3.4'"
+        if req.marker:
+            marker_pos = remainder.find(";")
+            if marker_pos != -1:
+                remainder = remainder[:marker_pos].strip()
+
+        return remainder
+
     def parse_requirement(entry, pyproject_path, requirement_type=None):
         try:
             req = Requirement(entry)
@@ -45,6 +69,8 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 "markers": str(req.marker) or None,
                 "file": pyproject_path,
                 "requirement": str(req.specifier),
+                "source_requirement":
+                    original_requirement_from_entry(entry, req),
                 "extras": sorted(list(req.extras)),
                 "requirement_type": requirement_type,
             }

data/helpers/test/fixtures/pep621_spaced_specifiers.toml

@@ -0,0 +1,10 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = [
+    "requests >= 2.13.0, < 3.0",
+    "urllib3 == 1.26.0",
+    "cachecontrol[filecache] >= 0.14.0",
+    "idna >= 2.5 ; python_version < '3.0'",
+]

data/helpers/test/test_parser.py

@@ -182,3 +182,84 @@ class TestEdgeCases:
         # Both groups should be processed without infinite recursion
         assert "requests" in names
         assert "flask" in names
+
+
+# ---------------------------------------------------------------------------
+# source_requirement — preserves original specifier string from the TOML
+# ---------------------------------------------------------------------------
+class TestSourceRequirement:
+    def test_simple_specifier_preserves_order(self):
+        deps = parse("pep621_dependencies.toml")
+        requests = find_dep(deps, "requests")
+        # Original: "requests>=2.13.0,<3.0" — order preserved
+        assert requests["source_requirement"] == ">=2.13.0,<3.0"
+        # Normalized by packaging: "<3.0,>=2.13.0" (alphabetical by operator)
+        assert requests["requirement"] == "<3.0,>=2.13.0"
+
+    def test_exact_version(self):
+        deps = parse("pep621_dependencies.toml")
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3["source_requirement"] == "==1.26.0"
+
+    def test_extras_stripped_from_source(self):
+        deps = parse("pep621_extras.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc["source_requirement"] == ">=0.14.0"
+
+    def test_markers_stripped_from_source(self):
+        deps = parse("pep621_markers.toml")
+        requests = find_dep(deps, "requests")
+        assert requests["source_requirement"] == ">=2.13.0"
+
+    def test_no_version_specifier(self):
+        deps = parse("pep621_no_version.toml")
+        requests = find_dep(deps, "requests")
+        assert requests["source_requirement"] == ""
+
+    def test_multiple_extras_stripped(self):
+        deps = parse("pep621_multiple_extras.toml")
+        boto3 = find_dep(deps, "boto3")
+        assert boto3["source_requirement"] == ">=1.28.0"
+
+    def test_arbitrary_equality(self):
+        deps = parse("pep621_arbitrary_equality.toml")
+        numpy = find_dep(deps, "numpy")
+        assert numpy["source_requirement"] == "===1.24.0rc1"
+
+    def test_spaced_specifiers_preserved(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        requests = find_dep(deps, "requests")
+        # Spaces are preserved from the original entry
+        assert requests["source_requirement"] == ">= 2.13.0, < 3.0"
+
+    def test_spaced_exact_version_preserved(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3["source_requirement"] == "== 1.26.0"
+
+    def test_spaced_extras_and_specifier(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc["source_requirement"] == ">= 0.14.0"
+
+    def test_spaced_specifier_with_markers(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        idna = find_dep(deps, "idna")
+        # Markers stripped, original spacing kept
+        assert idna["source_requirement"] == ">= 2.5"
+
+    def test_optional_deps_with_spaces(self):
+        deps = parse("pep621_dependencies.toml")
+        pysocks = find_dep(deps, "PySocks")
+        # Original: "PySocks >= 1.5.6, != 1.5.7, < 2"
+        assert pysocks["source_requirement"] == ">= 1.5.6, != 1.5.7, < 2"
+
+    def test_build_system_source_requirement(self):
+        deps = parse("pep621_dependencies.toml")
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools["source_requirement"] == ">=68.0"
+
+    def test_dependency_group_source_requirement(self):
+        deps = parse("pep735_dependency_groups.toml")
+        pytest_dep = find_dep(deps, "pytest")
+        assert pytest_dep["source_requirement"] == "==7.1.3"

data/lib/dependabot/python/dependency_grapher/lockfile_generator.rb

@@ -7,6 +7,7 @@ require "dependabot/dependency_file"
 require "dependabot/shared_helpers"
 require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/language_version_manager"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
@@ -33,6 +34,10 @@ module Dependabot
             SharedHelpers.with_git_configured(credentials: credentials) do
               write_temporary_files
               language_version_manager.install_required_python
+
+              # Install any required Poetry plugins declared in pyproject.toml
+              poetry_plugin_installer.install_required_plugins
+
               run_poetry_lock
               read_generated_lockfile
             end
@@ -119,6 +124,14 @@ module Dependabot
           )
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
         def handle_generation_error(error)
           Dependabot.logger.error(

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -25,6 +25,7 @@ module Dependabot
         sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
+          @dynamic_fields = T.let(nil, T.nilable(T::Array[String]))
         end
 
         sig { returns(Dependabot::FileParsers::Base::DependencySet) }
@@ -68,7 +69,10 @@ module Dependabot
 
           groups = T.must(poetry_root)["group"] || {}
           groups.each do |group, group_spec|
-            dependencies += parse_poetry_dependency_group(group, group_spec["dependencies"])
+            deps = group_spec["dependencies"]
+            next unless deps
+
+            dependencies += parse_poetry_dependency_group(group, deps)
           end
           dependencies
         end
@@ -84,16 +88,7 @@ module Dependabot
           return dependencies if using_pdm?
 
           parse_pep621_pep735_dependencies.each do |dep|
-            # If a requirement has a `<` or `<=` marker then updating it is
-            # probably blocked. Ignore it.
-            next if dep["markers"]&.include?("<")
-
-            # If no requirement, don't add it
-            next if dep["requirement"].empty?
-
-            # Skip build-system.requires dependencies when using Poetry
-            # Poetry manages its own build system dependencies
-            next if using_poetry? && dep["requirement_type"] == "build-system.requires"
+            next if skip_pep621_dep?(dep)
 
             dependencies <<
               Dependency.new(
@@ -106,7 +101,9 @@ module Dependabot
                   groups: [dep["requirement_type"]].compact
                 }],
                 package_manager: "pip",
-                metadata: extras_metadata(dep["extras"])
+                metadata: extras_metadata(dep["extras"]).merge(
+                  source_requirement: dep["source_requirement"]
+                ).compact
               )
           end
 
@@ -229,6 +226,43 @@ module Dependabot
           using_pep621? && pdm_lock
         end
 
+        sig { returns(T::Array[String]) }
+        def dynamic_fields
+          @dynamic_fields ||= parsed_pyproject.dig("project", "dynamic") || []
+        end
+
+        sig { params(dep: T::Hash[String, T.untyped]).returns(T::Boolean) }
+        def skip_pep621_dep?(dep)
+          # If a requirement has a `<` or `<=` marker then updating it is
+          # probably blocked. Ignore it.
+          return true if dep["markers"]&.include?("<")
+
+          # If no requirement, don't add it
+          return true if dep["requirement"].empty?
+
+          # Skip build-system.requires dependencies when using Poetry
+          # Poetry manages its own build system dependencies
+          return true if using_poetry? && dep["requirement_type"] == "build-system.requires"
+
+          # When dependencies or optional-dependencies are listed in project.dynamic,
+          # they are managed by the build backend (e.g. Poetry) — skip the PEP 621 path
+          dynamic_pep621_dep?(dep["requirement_type"])
+        end
+
+        sig { params(requirement_type: T.nilable(String)).returns(T::Boolean) }
+        def dynamic_pep621_dep?(requirement_type)
+          return false unless using_poetry?
+          return false unless requirement_type
+
+          if requirement_type == "dependencies"
+            dynamic_fields.include?("dependencies")
+          elsif parsed_pyproject.dig("project", "optional-dependencies")&.key?(requirement_type)
+            dynamic_fields.include?("optional-dependencies")
+          else
+            false
+          end
+        end
+
         # Create a DependencySet where each element has no requirement. Any
         # requirements will be added when combining the DependencySet with
         # other DependencySets.

data/lib/dependabot/python/file_parser.rb

@@ -1,6 +1,7 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "toml-rb"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -110,7 +111,13 @@ module Dependabot
 
         return PipenvPackageManager.new(T.must(detect_pipenv_version)) if detect_pipenv_version
 
-        return PoetryPackageManager.new(T.must(detect_poetry_version)) if detect_poetry_version
+        poetry_version = detect_poetry_version
+        if poetry_version
+          return PoetryPackageManager.new(
+            poetry_version,
+            requires_poetry_version_constraint
+          )
+        end
 
         return PipCompilePackageManager.new(T.must(detect_pipcompile_version)) if detect_pipcompile_version
 
@@ -135,6 +142,19 @@ module Dependabot
         nil
       end
 
+      sig { returns(T.nilable(Dependabot::Python::Requirement)) }
+      def requires_poetry_version_constraint
+        return nil unless pyproject&.content
+
+        parsed = TomlRB.parse(T.must(pyproject).content)
+        constraint = parsed.dig("tool", "poetry", "requires-poetry")
+        return nil unless constraint.is_a?(String) && !constraint.strip.empty?
+
+        Dependabot::Python::Requirement.new(constraint.strip)
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError, Gem::Requirement::BadRequirementError
+        nil
+      end
+
       # Detects the version of pip-compile. If the version cannot be detected, it returns nil
       sig { returns(T.nilable(String)) }
       def detect_pipcompile_version

data/lib/dependabot/python/file_updater/poetry_file_updater/pep621_updater.rb

@@ -0,0 +1,162 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/python/file_updater/poetry_file_updater"
+
+module Dependabot
+  module Python
+    class FileUpdater
+      class PoetryFileUpdater
+        class Pep621Updater
+          extend T::Sig
+
+          sig { params(dep: Dependabot::Dependency).void }
+          def initialize(dep:)
+            @dep = dep
+          end
+
+          sig do
+            params(
+              content: String,
+              new_r: T::Hash[Symbol, T.untyped],
+              old_r: T::Hash[Symbol, T.untyped]
+            ).returns(T.nilable(String))
+          end
+          def replace(content, new_r, old_r)
+            source_req = dep.metadata[:source_requirement]
+
+            if source_req
+              replace_with_source_requirement(content, source_req, new_r, old_r)
+            else
+              replace_with_normalized_requirement(content, new_r, old_r)
+            end
+          end
+
+          sig { params(source_req: String, old_req: String, new_req: String).returns(String) }
+          def rewrite_pep508_requirement(source_req, old_req, new_req)
+            old_specifiers = parse_specifiers(old_req)
+            new_specifiers = parse_specifiers(new_req)
+
+            old_versions_by_op = group_versions_by_operator(old_specifiers)
+            new_versions_by_op = group_versions_by_operator(new_specifiers)
+
+            replacements = T.let([], T::Array[T::Hash[Symbol, String]])
+            new_versions_by_op.each do |operator, new_versions|
+              old_versions = old_versions_by_op[operator]
+              next unless old_versions
+              next unless old_versions.length == new_versions.length
+
+              old_versions.zip(new_versions).each do |old_version, new_version|
+                next if old_version == new_version
+
+                replacements << {
+                  operator: operator,
+                  old_version: old_version,
+                  new_version: T.must(new_version)
+                }
+              end
+            end
+
+            result = source_req.dup
+            replacements.each do |replacement|
+              op = Regexp.escape(T.must(replacement[:operator]))
+              ver = Regexp.escape(T.must(replacement[:old_version]))
+              result = result.sub(/(#{op}\s*)#{ver}/, "\\1#{replacement[:new_version]}")
+            end
+            result
+          end
+
+          sig { params(specifiers: T::Array[T::Hash[Symbol, String]]).returns(T::Hash[String, T::Array[String]]) }
+          def group_versions_by_operator(specifiers)
+            specifiers.each_with_object(
+              T.let({}, T::Hash[String, T::Array[String]])
+            ) do |specifier, grouped_versions|
+              operator = T.must(specifier[:operator])
+              version = T.must(specifier[:version])
+
+              grouped_versions[operator] ||= []
+              T.must(grouped_versions[operator]) << version
+            end
+          end
+
+          sig { params(req: String).returns(T::Array[T::Hash[Symbol, String]]) }
+          def parse_specifiers(req)
+            req.scan(/([!<>=~]+)\s*([^\s,]+)/).map do |op, ver|
+              { operator: op, version: ver }
+            end
+          end
+
+          private
+
+          sig { returns(Dependabot::Dependency) }
+          attr_reader :dep
+
+          sig do
+            params(
+              content: String,
+              source_req: String,
+              new_r: T::Hash[Symbol, T.untyped],
+              old_r: T::Hash[Symbol, T.untyped]
+            ).returns(T.nilable(String))
+          end
+          def replace_with_source_requirement(content, source_req, new_r, old_r)
+            match = content.match(declaration_regex(source_req))
+            return unless match
+
+            declaration = T.must(match[:declaration])
+            new_req_str = rewrite_pep508_requirement(source_req, old_r[:requirement], new_r[:requirement])
+            content.sub(declaration, declaration.sub(source_req, new_req_str))
+          end
+
+          # Fallback when source_requirement metadata is absent (e.g. after
+          # DependencySet merge or deserialization). Matches using the
+          # normalized requirement string, which may fail on whitespace
+          # differences but is better than skipping the update entirely.
+          sig do
+            params(
+              content: String,
+              new_r: T::Hash[Symbol, T.untyped],
+              old_r: T::Hash[Symbol, T.untyped]
+            ).returns(T.nilable(String))
+          end
+          def replace_with_normalized_requirement(content, new_r, old_r)
+            old_req = old_r[:requirement]
+            new_req = new_r[:requirement]
+
+            match = content.match(normalized_declaration_regex(old_req))
+            return unless match
+
+            declaration = T.must(match[:declaration])
+            return unless declaration.include?(old_req)
+
+            content.sub(declaration, declaration.sub(old_req, new_req))
+          end
+
+          sig { params(old_req: String).returns(Regexp) }
+          def declaration_regex(old_req)
+            /(?<declaration>["']#{escape}\s*#{extras_pattern}\s*#{Regexp.escape(old_req)}["'])/mi
+          end
+
+          sig { params(old_req: String).returns(Regexp) }
+          def normalized_declaration_regex(old_req)
+            /(?<declaration>["']#{escape}#{extras_pattern}#{Regexp.escape(old_req)}["'])/mi
+          end
+
+          sig { returns(String) }
+          def extras_pattern
+            extras_str = dep.metadata[:extras]
+            return "" unless extras_str.is_a?(String) && !extras_str.empty?
+
+            "\\[" + extras_str.split(",").map { |e| Regexp.escape(e.strip) }.join(",\\s*") + "\\]"
+          end
+
+          sig { returns(String) }
+          def escape
+            Regexp.escape(dep.name).gsub("\\-", "[-_.]")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -13,12 +13,14 @@ require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/python/native_helpers"
 require "dependabot/python/name_normaliser"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
     class FileUpdater
       class PoetryFileUpdater
         require_relative "pyproject_preparer"
+        require_relative "poetry_file_updater/pep621_updater"
         extend T::Sig
 
         sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -49,6 +51,7 @@ module Dependabot
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @updated_pyproject_content = T.let(nil, T.nilable(String))
+          @poetry_plugin_installer = T.let(nil, T.nilable(PoetryPluginInstaller))
           @poetry_lock = T.let(nil, T.nilable(Dependabot::DependencyFile))
         end
 
@@ -77,9 +80,7 @@ module Dependabot
               )
           end
 
-          raise "Expected lockfile to change!" if lockfile && lockfile&.content == updated_lockfile_content
-
-          if lockfile
+          if lockfile && lockfile&.content != updated_lockfile_content
             updated_files <<
               updated_file(file: T.must(lockfile), content: updated_lockfile_content)
           end
@@ -105,52 +106,51 @@ module Dependabot
           updated_content
         end
 
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            content: String,
-            new_r: T::Hash[Symbol, T.untyped],
-            old_r: T::Hash[Symbol, T.untyped]
-          ).returns(String)
-        end
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(String) }
         def replace_dep(dep, content, new_r, old_r)
-          # Handle Git dependencies with tags
           return update_git_tag(dep, content, new_r, old_r) if git_dependency?(new_r) && git_dependency?(old_r)
 
+          replace_poetry_dep(dep, content, new_r, old_r) ||
+            replace_poetry_table_dep(dep, content, new_r, old_r) ||
+            replace_pep621_dep(dep, content, new_r, old_r) ||
+            content
+        end
+
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_poetry_dep(dep, content, new_r, old_r)
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
 
           declaration_regex = declaration_regex(dep, old_r)
           declaration_match = content.match(declaration_regex)
-          if declaration_match
-            declaration = declaration_match[:declaration]
-            if T.must(declaration).include?(old_req)
-              new_declaration = T.must(declaration).sub(old_req, new_req)
-              return content.sub(T.must(declaration), new_declaration)
-            end
-          end
+          return unless declaration_match
 
-          # Try Poetry table format
-          table_match = content.match(table_declaration_regex(dep, new_r))
-          if table_match
-            return content.gsub(table_declaration_regex(dep, new_r)) do |match|
-              match.gsub(
-                /(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
-                '\1' + new_req
-              )
-            end
-          end
+          declaration = declaration_match[:declaration]
+          return unless T.must(declaration).include?(old_req)
+
+          new_declaration = T.must(declaration).sub(old_req, new_req)
+          content.sub(T.must(declaration), new_declaration)
+        end
+
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_poetry_table_dep(dep, content, new_r, old_r)
+          old_req = old_r[:requirement]
+          new_req = new_r[:requirement]
+          regex = table_declaration_regex(dep, new_r)
+
+          return unless content.match(regex)
 
-          # Try PEP 621 array format (e.g., dependencies = ["django==5.0.0"])
-          pep621_regex = pep621_declaration_regex(dep, old_req)
-          pep621_match = content.match(pep621_regex)
-          if pep621_match
-            declaration = pep621_match[:declaration]
-            new_declaration = T.must(declaration).sub(old_req, new_req)
-            return content.sub(T.must(declaration), new_declaration)
+          content.gsub(regex) do |match|
+            match.gsub(
+              /(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
+              '\1' + new_req
+            )
           end
+        end
 
-          content
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_pep621_dep(dep, content, new_r, old_r)
+          Pep621Updater.new(dep: dep).replace(content, new_r, old_r)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
@@ -158,14 +158,7 @@ module Dependabot
           req.dig(:source, :type) == "git"
         end
 
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            content: String,
-            new_r: T::Hash[Symbol, T.untyped],
-            old_r: T::Hash[Symbol, T.untyped]
-          ).returns(String)
-        end
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(String) }
         def update_git_tag(dep, content, new_r, old_r)
           old_tag = old_r.dig(:source, :ref)
           new_tag = new_r.dig(:source, :ref)
@@ -302,6 +295,7 @@ module Dependabot
               add_auth_env_vars
 
               language_version_manager.install_required_python
+              poetry_plugin_installer.install_required_plugins
 
               # use system git instead of the pure Python dulwich
               run_poetry_command("pyenv exec poetry config system-git-client true")
@@ -350,17 +344,7 @@ module Dependabot
             .add_auth_env_vars(credentials)
         end
 
-        sig do
-          params(
-            pyproject_content: String
-          ).returns(T.nilable(
-                      T.any(
-                        T::Hash[String, T.untyped],
-                        String,
-                        T::Array[T::Hash[String, T.untyped]]
-                      )
-                    ))
-        end
+        sig { params(pyproject_content: String).returns(T.nilable(T.any(T::Hash[String, T.untyped], String, T::Array[T::Hash[String, T.untyped]]))) }
         def pyproject_hash_for(pyproject_content)
           SharedHelpers.in_a_temporary_directory do |dir|
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -388,20 +372,6 @@ module Dependabot
           /tool\.poetry\.#{old_req[:groups].first}\.#{escape(dep)}\](?:\r?\n).*?\s*version\s* =.*?(?:\r?\n)/m
         end
 
-        sig { params(dep: Dependabot::Dependency, old_req: String).returns(Regexp) }
-        def pep621_declaration_regex(dep, old_req)
-          /(?<declaration>["']#{escape(dep)}#{extras_pattern(dep)}#{Regexp.escape(old_req)}["'])/mi
-        end
-
-        # Reconstructs extras from metadata for PEP 621 regex matching.
-        sig { params(dep: Dependabot::Dependency).returns(String) }
-        def extras_pattern(dep)
-          extras_str = dep.metadata[:extras]
-          return "" unless extras_str.is_a?(String) && !extras_str.empty?
-
-          "\\[" + extras_str.split(",").map { |e| Regexp.escape(e.strip) }.join(",\\s*") + "\\]"
-        end
-
         sig { params(dep: Dependency).returns(String) }
         def escape(dep)
           Regexp.escape(dep.name).gsub("\\-", "[-_.]")
@@ -448,6 +418,14 @@ module Dependabot
             )
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           @pyproject ||=