dependabot-python 0.375.0 → 0.376.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78d82643ecf214fa9c9546719f86f904775a2df1adc1838daddef1306054a00a
-  data.tar.gz: 68aca7a7062f67514acdf3616ee543eb830727dffb3ea2001bbec07612d3d6ab
+  metadata.gz: 8ea3de397765b873cd8faf8d93bde90b92e2254eace30c9603d46bf667af2bfb
+  data.tar.gz: d294b949dda1e010b01caae6c285f979c7c9510f55e57a8f7ed48b06c141d9ba
 SHA512:
-  metadata.gz: '0548b008756712973354e457a020174748b741fa8d446975cfb543a8cb9663169e4a14ef7eb7390f275e97baa227ab1cc28f2d001add97ba7528bb415ca65249'
-  data.tar.gz: 2432fe5ce55b1749d2ad09b99875157a66f3a3d1797d2217772d545dd727192d5562b5deae11e70c3e6331753b60000dbb2aa46d2aad4ce6dfc0996e1f569c41
+  metadata.gz: f9e0c083e6128c766189bdb911495eb37944f87dd8405ee6fdad569c59d65c19b7cfa18799a4fd4d8d869e55dea5c3e072b624d5e7f0639e96559b16782c65d5
+  data.tar.gz: f923f746f74bdc91ba8a47f3a1366250a90ebc178b0ae1eb94a012cb43777fedc854b19cb427ffcad4232408cf1bfc2f60bf04aaef8e58aee28cc3d9d039e5fe

data/lib/dependabot/python/dependency_grapher.rb

@@ -18,6 +18,30 @@ module Dependabot
     class DependencyGrapher < Dependabot::DependencyGraphers::Base
       require_relative "dependency_grapher/lockfile_generator"
 
+      # Regex patterns for detecting Python requirements / dependencies .txt manifest variants.
+      # Used by the dependency grapher to filter out unrelated .txt files (e.g. README-style notes,
+      # tool output, etc.) from being treated as pip manifests.
+
+      # Matches "requirements" preceded by a hyphen, period, underscore, start-of-string, or slash,
+      # followed by non-whitespace chars and ".txt".
+      # Examples: requirements.txt, requirements.prod.txt, requirements/production.txt
+      REQUIREMENTS_TXT_REGEX = T.let(%r{(?:[-._]|^|/)requirements[^\s]*\.txt$}i, Regexp)
+
+      # More lenient: matches "require" with optional prefix (no dots/whitespace)
+      # and optional hyphen/underscore/slash suffix. Does not match "require" as a substring.
+      # Examples: require.txt, require-test.txt, py3-require.txt, pyenv_require_e2e.txt
+      REQUIRE_TXT_REGEX = T.let(%r{[^\s|.]*require(?:[-_/][^\s|.]*)?\.txt$}i, Regexp)
+
+      # Matches "dependencies" / "dependency" preceded by a hyphen, period, underscore,
+      # start-of-string, or slash, followed by non-whitespace chars and ".txt".
+      # Examples: dependencies.txt, my-dependencies.txt, dependencies/python/ansible-lint.txt
+      DEPENDENCIES_TXT_REGEX = T.let(%r{(?:[-._]|^|/)dependenc(?:y|ies)[^\s]*\.txt$}i, Regexp)
+
+      # More lenient: matches "depend" / "depends" with optional prefix (no dots/whitespace)
+      # and optional hyphen/underscore/slash suffix. Does not match "depend" as a substring.
+      # Examples: depend.txt, depends.txt, depend-test.txt, py3-depends.txt
+      DEPEND_TXT_REGEX = T.let(%r{[^\s|.]*depend(?:s)?(?:[-_/][^\s|.]*)?\.txt$}i, Regexp)
+
       sig { override.returns(Dependabot::DependencyFile) }
       def relevant_dependency_file
         dependency_files_by_package_manager = T.let(
@@ -352,11 +376,19 @@ module Dependabot
 
         @pip_requirements_file = T.let(
           dependency_files.find { |f| f.name == "requirements.txt" } ||
-            dependency_files.find { |f| f.name.end_with?(".txt") },
+            dependency_files.find { |f| f.name.end_with?(".txt") && python_manifest_txt_filename?(f.name) },
           T.nilable(Dependabot::DependencyFile)
         )
       end
 
+      sig { params(path: String).returns(T::Boolean) }
+      def python_manifest_txt_filename?(path)
+        path.match?(REQUIREMENTS_TXT_REGEX) ||
+          path.match?(REQUIRE_TXT_REGEX) ||
+          path.match?(DEPENDENCIES_TXT_REGEX) ||
+          path.match?(DEPEND_TXT_REGEX)
+      end
+
       sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
       def dependency_file(filename)
         dependency_files.find { |file| file.name == filename }

data/lib/dependabot/python/shared_file_fetcher.rb

@@ -26,19 +26,6 @@ module Dependabot
       DEPENDENCY_TYPES = T.let(%w(packages dev-packages).freeze, T::Array[String])
       MAX_FILE_SIZE = T.let(500_000, Integer)
 
-      # Regex patterns for detecting Python requirements.txt manifest variants.
-      # Ported from github/dependency-snapshots-api.
-      #
-      # Matches "requirements" preceded by a hyphen, period, underscore, start-of-string, or slash,
-      # followed by non-whitespace chars and ".txt".
-      # Examples: requirements.txt, requirements.prod.txt, requirements/production.txt
-      REQUIREMENTS_TXT_REGEX = T.let(%r{(?:[-._]|^|/)requirements[^\s]*\.txt$}i, Regexp)
-
-      # More lenient: matches "require" with optional prefix (no dots/whitespace)
-      # and optional hyphen/underscore/slash suffix. Does not match "require" as a substring.
-      # Examples: require.txt, require-test.txt, py3-require.txt, pyenv_require_e2e.txt
-      REQUIRE_TXT_REGEX = T.let(%r{[^\s|.]*require(?:[-_/][^\s|.]*)?\.txt$}i, Regexp)
-
       sig { abstract.returns(T::Array[String]) }
       def self.ecosystem_specific_required_files; end
 
@@ -182,7 +169,7 @@ module Dependabot
 
             repo_contents
               .select { |f| f.type == "file" }
-              .select { |f| potential_requirements_file?(f.name) }
+              .select { |f| f.name.end_with?(".txt", ".in") }
               .reject { |f| f.size > MAX_FILE_SIZE }
               .map { |f| fetch_file_from_host(f.name) }
               .select { |f| requirements_file?(f) }
@@ -206,7 +193,7 @@ module Dependabot
 
         repo_contents(dir: relative_reqs_dir)
           .select { |f| f.type == "file" }
-          .select { |f| potential_requirements_file?(File.join(relative_reqs_dir, f.name)) }
+          .select { |f| File.join(relative_reqs_dir, f.name).end_with?(".txt", ".in") }
           .reject { |f| f.size > MAX_FILE_SIZE }
           .map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }
           .select { |f| requirements_file?(f) }
@@ -392,24 +379,6 @@ module Dependabot
         uneditable_reqs + editable_reqs
       end
 
-      # Checks if a filename matches known Python requirements.txt naming patterns.
-      sig { params(path: String).returns(T::Boolean) }
-      def requirements_txt_filename?(path)
-        path.match?(REQUIREMENTS_TXT_REGEX) || path.match?(REQUIRE_TXT_REGEX)
-      end
-
-      # When the feature flag is enabled, only considers .txt files whose names match
-      # requirements patterns (plus all .in files). When disabled, falls back to the
-      # original behavior of accepting any .txt or .in file.
-      sig { params(path: String).returns(T::Boolean) }
-      def potential_requirements_file?(path)
-        unless Dependabot::Experiments.enabled?(:python_requirements_file_name_filtering)
-          return path.end_with?(".txt", ".in")
-        end
-
-        path.end_with?(".in") || requirements_txt_filename?(path)
-      end
-
       sig { params(path: String).returns(String) }
       def clean_path(path)
         Pathname.new(path).cleanpath.to_path

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.375.0
+  version: 0.376.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.375.0
+        version: 0.376.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.375.0
+        version: 0.376.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -322,7 +322,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.375.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.376.0
 rdoc_options: []
 require_paths:
 - lib