dependabot-python 0.381.0 → 0.382.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0477e6159f9fcd2dfd744b603b9bd23ba2df5ad50c3bf3a8fc51fbcd00e6306
-  data.tar.gz: 1271ebda6e197461e2721a7aa0f69d917dc8c506813465931ba01ae143f3c34a
+  metadata.gz: e521f3e297026d2b21597f830c9978e6365a5dd4b99ad7a24a9d0973772db45d
+  data.tar.gz: 446649a64857c3cc95aeed4c7e4c9d37bf55e6b5573e82445c6b0b0e4fc10f33
 SHA512:
-  metadata.gz: ca638414b000ecf033fa4470316f3858a1f57e9ca496db678b9779da39a292aaaaf66908b037e6b6f0c02ad528c9142cd42a687149a75887b053dc5001dd5ff8
-  data.tar.gz: 34164a7fcbc0eb80ee3cdfe995cd891560fe9b2feaab98ec3be721699117897855be5a6f76bb76cea581b2cf18b60cc378df2a1128042197582894154abb308f
+  metadata.gz: 2b67ffd686818a7d3e3399a2493a188815959102bc4235086ed16fc47b1bdf93a392e743cc2fb411619f90b9c1b01d0ce27de7e65b53e1ed6e52dfaf67b58107
+  data.tar.gz: 269b0733ac11ef8d19cefa5c972e6e67330c51792981fc98a80e389f6338477a099e62ab184873d28ce26dddf8d8b5213c1c2baed56b5d18b6ee9b8097f86338

data/lib/dependabot/python/dependency_grapher.rb

@@ -65,6 +65,10 @@ module Dependabot
       sig { override.void }
       def prepare!
         if poetry_project_without_lockfile?
+          # Generating an ephemeral lockfile requires executing `poetry lock`. Strictly speaking, that violates our
+          # policy of refusing to run Python tooling when external code execution is disallowed, so fail fast.
+          raise Dependabot::UnexpectedExternalCode if file_parser.reject_external_code?
+
           Dependabot.logger.info("No poetry.lock found, generating ephemeral lockfile for dependency graphing")
           generate_ephemeral_lockfile!
           emit_missing_lockfile_warning! if @ephemeral_lockfile_generated

data/lib/dependabot/python/file_parser/python_requirement_parser.rb

@@ -209,7 +209,10 @@ module Dependabot
 
         sig { returns(T::Array[DependencyFile]) }
         def pip_compile_files
-          @pip_compile_files ||= T.let(dependency_files.select { |f| f.name.end_with?(".in") }, T.untyped)
+          @pip_compile_files ||= T.let(
+            dependency_files.select { |f| f.name.end_with?(".in") },
+            T.nilable(T::Array[DependencyFile])
+          )
         end
       end
     end

data/lib/dependabot/python/requirement_parser.rb

@@ -65,7 +65,7 @@ module Dependabot
       # Parses a single pip requirement string (e.g. "types-requests==2.31.0.10")
       # into a structured hash. Returns nil if the string is not a valid requirement
       # or has no version constraint.
-      sig { params(dependency_string: String).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      sig { params(dependency_string: String).returns(T.nilable(T::Hash[Symbol, T.nilable(String)])) }
       def self.parse(dependency_string)
         match = dependency_string.strip.match(VALID_REQ_TXT_REQUIREMENT)
         return nil unless match
@@ -92,17 +92,17 @@ module Dependabot
       sig { params(requirements_string: String).returns(T.nilable(String)) }
       def self.extract_pinned_version(requirements_string)
         requirement = Dependabot::Python::Requirement.new(requirements_string)
-        constraints = T.let(requirement.requirements, T::Array[T::Array[T.untyped]])
+        constraints = T.let(requirement.requirements, T::Array[[String, Gem::Version]])
 
         exact_pin = constraints.find do |pair|
-          op = T.cast(pair[0], String)
+          op = pair[0]
           op == "==" || op == "="
         end
-        return T.cast(exact_pin[1], Gem::Version).to_s if exact_pin
+        return exact_pin[1].to_s if exact_pin
 
         lower_bound_operators = %w(>= > ~>).freeze
-        lower_bound = constraints.find { |pair| lower_bound_operators.include?(T.cast(pair[0], String)) }
-        return T.cast(lower_bound[1], Gem::Version).to_s if lower_bound
+        lower_bound = constraints.find { |pair| lower_bound_operators.include?(pair[0]) }
+        return lower_bound[1].to_s if lower_bound
 
         nil
       rescue Gem::Requirement::BadRequirementError

data/lib/dependabot/python/update_checker.rb

@@ -93,16 +93,18 @@ module Dependabot
         )
       end
 
-      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
       def updated_requirements
-        return updated_git_requirements if git_dependency?
-
-        RequirementsUpdater.new(
-          requirements: requirements,
-          latest_resolvable_version: preferred_resolvable_version&.to_s,
-          update_strategy: requirements_update_strategy,
-          has_lockfile: !(pipfile_lock || poetry_lock).nil?
-        ).updated_requirements
+        return wrap_requirements(updated_git_requirements) if git_dependency?
+
+        wrap_requirements(
+          RequirementsUpdater.new(
+            requirements: requirements,
+            latest_resolvable_version: preferred_resolvable_version&.to_s,
+            update_strategy: requirements_update_strategy,
+            has_lockfile: !(pipfile_lock || poetry_lock).nil?
+          ).updated_requirements
+        )
       end
 
       sig { override.returns(T::Boolean) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.381.0
+  version: 0.382.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.381.0
+        version: 0.382.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.381.0
+        version: 0.382.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -323,7 +323,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
 rdoc_options: []
 require_paths:
 - lib