dependabot-python 0.381.0 → 0.383.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f0477e6159f9fcd2dfd744b603b9bd23ba2df5ad50c3bf3a8fc51fbcd00e6306
4
- data.tar.gz: 1271ebda6e197461e2721a7aa0f69d917dc8c506813465931ba01ae143f3c34a
3
+ metadata.gz: 26031826db5cb07c05ca33adc90a735f803008ac10fe45670311c0d77a0ba738
4
+ data.tar.gz: c4aa146094305a3941c3fd63360a9375cfdfbe7bd819cee61241148c5bc91f16
5
5
  SHA512:
6
- metadata.gz: ca638414b000ecf033fa4470316f3858a1f57e9ca496db678b9779da39a292aaaaf66908b037e6b6f0c02ad528c9142cd42a687149a75887b053dc5001dd5ff8
7
- data.tar.gz: 34164a7fcbc0eb80ee3cdfe995cd891560fe9b2feaab98ec3be721699117897855be5a6f76bb76cea581b2cf18b60cc378df2a1128042197582894154abb308f
6
+ metadata.gz: dba3705c8b0458e64b853f97ad170d8a525fae4b89c176d0236eeab2e27b7c186c6eceb92b245181f5ef6f2cee683d2d17baac298adb4061cdbbc2ca88349b96
7
+ data.tar.gz: 06e507ffbda36680035517f07d11aae8298f6e7b2708e8837589de0cf7d74da73e2e63618088bacee8663c9a4f625724c339a4a1dbbc641ac9d254e71ef78137
data/helpers/build CHANGED
@@ -15,7 +15,6 @@ cp -r \
15
15
  "$helpers_dir/lib" \
16
16
  "$helpers_dir/run.py" \
17
17
  "$helpers_dir/requirements.txt" \
18
- "$helpers_dir/requirements-3.9.txt" \
19
18
  "$install_dir"
20
19
 
21
20
  if [ -d "$helpers_dir/test" ]; then
@@ -25,15 +24,8 @@ fi
25
24
  cd "$install_dir"
26
25
 
27
26
  python_version=$1
28
- # pip 26.x and several other packages require Python >=3.10.
29
- # Use 3.9-compatible versions for the deprecated Python 3.9 runtime.
30
- if [[ "$python_version" == 3.9.* ]]; then
31
- req_file="requirements-3.9.txt"
32
- else
33
- req_file="requirements.txt"
34
- fi
35
27
 
36
- PYENV_VERSION=$python_version pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r "$req_file"
28
+ PYENV_VERSION=$python_version pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r requirements.txt
37
29
 
38
30
  # Remove the extra objects added during the previous install. Based on
39
31
  # https://github.com/docker-library/python/blob/master/Dockerfile-linux.template
@@ -65,6 +65,10 @@ module Dependabot
65
65
  sig { override.void }
66
66
  def prepare!
67
67
  if poetry_project_without_lockfile?
68
+ # Generating an ephemeral lockfile requires executing `poetry lock`. Strictly speaking, that violates our
69
+ # policy of refusing to run Python tooling when external code execution is disallowed, so fail fast.
70
+ raise Dependabot::UnexpectedExternalCode if file_parser.reject_external_code?
71
+
68
72
  Dependabot.logger.info("No poetry.lock found, generating ephemeral lockfile for dependency graphing")
69
73
  generate_ephemeral_lockfile!
70
74
  emit_missing_lockfile_warning! if @ephemeral_lockfile_generated
@@ -209,7 +209,10 @@ module Dependabot
209
209
 
210
210
  sig { returns(T::Array[DependencyFile]) }
211
211
  def pip_compile_files
212
- @pip_compile_files ||= T.let(dependency_files.select { |f| f.name.end_with?(".in") }, T.untyped)
212
+ @pip_compile_files ||= T.let(
213
+ dependency_files.select { |f| f.name.end_with?(".in") },
214
+ T.nilable(T::Array[DependencyFile])
215
+ )
213
216
  end
214
217
  end
215
218
  end
@@ -21,7 +21,6 @@ module Dependabot
21
21
  3.12.13
22
22
  3.11.15
23
23
  3.10.20
24
- 3.9.25
25
24
  ).freeze
26
25
 
27
26
  PRE_INSTALLED_PYTHON_VERSIONS = T.let(
@@ -47,8 +46,9 @@ module Dependabot
47
46
  T::Array[Dependabot::Python::Version]
48
47
  )
49
48
 
50
- # The highest Python version that is no longer fully supported.
51
- # Deprecated now (warning); unsupported once removed from PRE_INSTALLED_PYTHON_VERSIONS_RAW.
49
+ # The highest Python version that is no longer supported.
50
+ # Python 3.9 reached end-of-life and was removed from PRE_INSTALLED_PYTHON_VERSIONS_RAW,
51
+ # so a ToolVersionNotSupported error is raised for it (and any lower version).
52
52
  NON_SUPPORTED_HIGHEST_VERSION = "3.9"
53
53
 
54
54
  DEPRECATED_VERSIONS = T.let([Version.new(NON_SUPPORTED_HIGHEST_VERSION)].freeze, T::Array[Dependabot::Version])
@@ -65,7 +65,7 @@ module Dependabot
65
65
  # Parses a single pip requirement string (e.g. "types-requests==2.31.0.10")
66
66
  # into a structured hash. Returns nil if the string is not a valid requirement
67
67
  # or has no version constraint.
68
- sig { params(dependency_string: String).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
68
+ sig { params(dependency_string: String).returns(T.nilable(T::Hash[Symbol, T.nilable(String)])) }
69
69
  def self.parse(dependency_string)
70
70
  match = dependency_string.strip.match(VALID_REQ_TXT_REQUIREMENT)
71
71
  return nil unless match
@@ -92,17 +92,17 @@ module Dependabot
92
92
  sig { params(requirements_string: String).returns(T.nilable(String)) }
93
93
  def self.extract_pinned_version(requirements_string)
94
94
  requirement = Dependabot::Python::Requirement.new(requirements_string)
95
- constraints = T.let(requirement.requirements, T::Array[T::Array[T.untyped]])
95
+ constraints = T.let(requirement.requirements, T::Array[[String, Gem::Version]])
96
96
 
97
97
  exact_pin = constraints.find do |pair|
98
- op = T.cast(pair[0], String)
98
+ op = pair[0]
99
99
  op == "==" || op == "="
100
100
  end
101
- return T.cast(exact_pin[1], Gem::Version).to_s if exact_pin
101
+ return exact_pin[1].to_s if exact_pin
102
102
 
103
103
  lower_bound_operators = %w(>= > ~>).freeze
104
- lower_bound = constraints.find { |pair| lower_bound_operators.include?(T.cast(pair[0], String)) }
105
- return T.cast(lower_bound[1], Gem::Version).to_s if lower_bound
104
+ lower_bound = constraints.find { |pair| lower_bound_operators.include?(pair[0]) }
105
+ return lower_bound[1].to_s if lower_bound
106
106
 
107
107
  nil
108
108
  rescue Gem::Requirement::BadRequirementError
@@ -2,6 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
5
+ require "dependabot/dependency_requirement"
5
6
  require "dependabot/python/requirement_parser"
6
7
  require "dependabot/python/requirement"
7
8
  require "dependabot/python/update_checker"
@@ -21,7 +22,7 @@ module Dependabot
21
22
 
22
23
  class UnfixableRequirement < StandardError; end
23
24
 
24
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
25
+ sig { returns(T::Array[Dependabot::DependencyRequirement]) }
25
26
  attr_reader :requirements
26
27
 
27
28
  sig { returns(Dependabot::RequirementsUpdateStrategy) }
@@ -35,7 +36,7 @@ module Dependabot
35
36
 
36
37
  sig do
37
38
  params(
38
- requirements: T::Array[T::Hash[Symbol, T.untyped]],
39
+ requirements: T::Array[Dependabot::DependencyRequirement],
39
40
  update_strategy: Dependabot::RequirementsUpdateStrategy,
40
41
  has_lockfile: T::Boolean,
41
42
  latest_resolvable_version: T.nilable(String)
@@ -47,7 +48,10 @@ module Dependabot
47
48
  has_lockfile:,
48
49
  latest_resolvable_version:
49
50
  )
50
- @requirements = T.let(requirements, T::Array[T::Hash[Symbol, T.untyped]])
51
+ @requirements = T.let(
52
+ requirements.map { |req| Dependabot::DependencyRequirement.create(req) },
53
+ T::Array[Dependabot::DependencyRequirement]
54
+ )
51
55
  @update_strategy = T.let(update_strategy, Dependabot::RequirementsUpdateStrategy)
52
56
  @has_lockfile = T.let(has_lockfile, T::Boolean)
53
57
  @latest_resolvable_version = T.let(nil, T.nilable(Dependabot::Python::Version))
@@ -57,7 +61,7 @@ module Dependabot
57
61
  @latest_resolvable_version = Python::Version.new(latest_resolvable_version)
58
62
  end
59
63
 
60
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
64
+ sig { returns(T::Array[Dependabot::DependencyRequirement]) }
61
65
  def updated_requirements
62
66
  return requirements if update_strategy.lockfile_only?
63
67
 
@@ -75,7 +79,7 @@ module Dependabot
75
79
  private
76
80
 
77
81
  # rubocop:disable Metrics/PerceivedComplexity
78
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
82
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
79
83
  def updated_setup_requirement(req)
80
84
  return req unless latest_resolvable_version
81
85
  return req unless req.fetch(:requirement)
@@ -96,20 +100,20 @@ module Dependabot
96
100
  update_requirements_range(req_strings)
97
101
  end
98
102
 
99
- req.merge(requirement: new_requirement)
103
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
100
104
  rescue UnfixableRequirement
101
- req.merge(requirement: :unfixable)
105
+ Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
102
106
  end
103
107
  # rubocop:enable Metrics/PerceivedComplexity
104
108
 
105
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
109
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
106
110
  def updated_pipfile_requirement(req)
107
111
  # For now, we just proxy to updated_requirement. In future this
108
112
  # method may treat Pipfile requirements differently.
109
113
  updated_requirement(req)
110
114
  end
111
115
 
112
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
116
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
113
117
  def updated_pyproject_requirement(req)
114
118
  return req unless latest_resolvable_version
115
119
  return req unless req.fetch(:requirement)
@@ -117,16 +121,16 @@ module Dependabot
117
121
 
118
122
  pyproject_update_for_strategy(req)
119
123
  rescue UnfixableRequirement
120
- req.merge(requirement: :unfixable)
124
+ Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
121
125
  end
122
126
 
123
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
127
+ sig { params(req: Dependabot::DependencyRequirement).returns(T::Boolean) }
124
128
  def skip_pyproject_update?(req)
125
129
  new_version_satisfies?(req) && !has_lockfile &&
126
130
  update_strategy != RequirementsUpdateStrategy::BumpVersions
127
131
  end
128
132
 
129
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
133
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
130
134
  def pyproject_update_for_strategy(req)
131
135
  # If the requirement uses || syntax then we always want to widen it
132
136
  return widen_pyproject_requirement(req) if req.fetch(:requirement).match?(PYPROJECT_OR_SEPARATOR)
@@ -142,14 +146,14 @@ module Dependabot
142
146
  end
143
147
  end
144
148
 
145
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
149
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
146
150
  def update_pyproject_version_if_needed(req)
147
151
  return req if new_version_satisfies?(req)
148
152
 
149
153
  update_pyproject_version_core(req, bump_lower_bound: false)
150
154
  end
151
155
 
152
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
156
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
153
157
  def update_pyproject_version(req)
154
158
  return req if req[:requirement] == "*"
155
159
 
@@ -158,9 +162,9 @@ module Dependabot
158
162
 
159
163
  sig do
160
164
  params(
161
- req: T::Hash[Symbol, T.untyped],
165
+ req: Dependabot::DependencyRequirement,
162
166
  bump_lower_bound: T::Boolean
163
- ).returns(T::Hash[Symbol, T.untyped])
167
+ ).returns(Dependabot::DependencyRequirement)
164
168
  end
165
169
  def update_pyproject_version_core(req, bump_lower_bound:)
166
170
  requirement_strings = req[:requirement].split(",").map(&:strip)
@@ -177,10 +181,10 @@ module Dependabot
177
181
  update_requirements_range(requirement_strings)
178
182
  end
179
183
 
180
- req.merge(requirement: new_requirement)
184
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
181
185
  end
182
186
 
183
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
187
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
184
188
  def widen_pyproject_requirement(req)
185
189
  return req if new_version_satisfies?(req)
186
190
 
@@ -191,7 +195,7 @@ module Dependabot
191
195
  widen_requirement_range(req[:requirement])
192
196
  end
193
197
 
194
- req.merge(requirement: new_requirement)
198
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
195
199
  end
196
200
 
197
201
  sig { params(req_string: String).returns(String) }
@@ -241,7 +245,7 @@ module Dependabot
241
245
  end
242
246
  # rubocop:enable Metrics/PerceivedComplexity
243
247
 
244
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
248
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
245
249
  def updated_requirement(req)
246
250
  return req unless latest_resolvable_version
247
251
  return req unless req.fetch(:requirement)
@@ -258,22 +262,22 @@ module Dependabot
258
262
  end
259
263
  end
260
264
 
261
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
265
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
262
266
  def update_requirement_if_needed(req)
263
267
  return req if new_version_satisfies?(req)
264
268
 
265
269
  update_requirement(req)
266
270
  end
267
271
 
268
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
272
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
269
273
  def update_requirement(req)
270
274
  new_requirement = updated_requirement_string(req)
271
- req.merge(requirement: new_requirement)
275
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
272
276
  rescue UnfixableRequirement
273
- req.merge(requirement: :unfixable)
277
+ Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
274
278
  end
275
279
 
276
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T.any(String, Symbol)) }
280
+ sig { params(req: Dependabot::DependencyRequirement).returns(T.any(String, Symbol)) }
277
281
  def updated_requirement_string(req)
278
282
  requirement_strings = req[:requirement].split(",").map(&:strip)
279
283
 
@@ -297,16 +301,16 @@ module Dependabot
297
301
  requirement_strings.any? { |r| r.strip.start_with?(">") }
298
302
  end
299
303
 
300
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
304
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
301
305
  def widen_requirement(req)
302
306
  return req if new_version_satisfies?(req)
303
307
 
304
308
  new_requirement = widen_requirement_range(req[:requirement])
305
309
 
306
- req.merge(requirement: new_requirement)
310
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
307
311
  end
308
312
 
309
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
313
+ sig { params(req: Dependabot::DependencyRequirement).returns(T::Boolean) }
310
314
  def new_version_satisfies?(req)
311
315
  requirement_class
312
316
  .requirements_array(req.fetch(:requirement))
@@ -6,6 +6,7 @@ require "toml-rb"
6
6
  require "sorbet-runtime"
7
7
 
8
8
  require "dependabot/dependency"
9
+ require "dependabot/dependency_requirement"
9
10
  require "dependabot/errors"
10
11
  require "dependabot/python/name_normaliser"
11
12
  require "dependabot/python/requirement_parser"
@@ -93,12 +94,12 @@ module Dependabot
93
94
  )
94
95
  end
95
96
 
96
- sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
97
+ sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
97
98
  def updated_requirements
98
99
  return updated_git_requirements if git_dependency?
99
100
 
100
101
  RequirementsUpdater.new(
101
- requirements: requirements,
102
+ requirements: dependency.requirements,
102
103
  latest_resolvable_version: preferred_resolvable_version&.to_s,
103
104
  update_strategy: requirements_update_strategy,
104
105
  has_lockfile: !(pipfile_lock || poetry_lock).nil?
@@ -137,13 +138,13 @@ module Dependabot
137
138
  latest_version_for_git_dependency
138
139
  end
139
140
 
140
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
141
+ sig { returns(T::Array[Dependabot::DependencyRequirement]) }
141
142
  def updated_git_requirements
142
143
  updated_source = updated_git_source
143
- return requirements unless updated_source
144
+ return dependency.requirements unless updated_source
144
145
 
145
- requirements.map do |req|
146
- req.merge(source: updated_source)
146
+ dependency.requirements.map do |req|
147
+ Dependabot::DependencyRequirement.create(req.merge(source: updated_source))
147
148
  end
148
149
  end
149
150
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-python
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.381.0
4
+ version: 0.383.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.381.0
18
+ version: 0.383.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.381.0
25
+ version: 0.383.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -245,7 +245,6 @@ files:
245
245
  - helpers/lib/__init__.py
246
246
  - helpers/lib/hasher.py
247
247
  - helpers/lib/parser.py
248
- - helpers/requirements-3.9.txt
249
248
  - helpers/requirements.txt
250
249
  - helpers/run.py
251
250
  - helpers/test/fixtures/no_dependencies.toml
@@ -323,7 +322,7 @@ licenses:
323
322
  - MIT
324
323
  metadata:
325
324
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
326
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
325
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
327
326
  rdoc_options: []
328
327
  require_paths:
329
328
  - lib
@@ -1,15 +0,0 @@
1
- # Python 3.9-compatible versions pinned to the last known working set before
2
- # packages dropped 3.9 support. Python 3.9 reached end-of-life on 2025-10-31.
3
- pip==24.2
4
- pip-tools==7.5.3
5
- flake8==7.3.0
6
- hashin==1.0.5
7
- pipenv==2024.4.1
8
- plette==2.1.0
9
- poetry==2.2.1
10
- pytest==8.3.5
11
- # tomli is required for Python <3.11 (stdlib tomllib was added in 3.11).
12
- tomli==2.2.1
13
-
14
- # Some dependencies will only install if Cython is present
15
- Cython==3.2.4