dependabot-python 0.382.0 → 0.383.0

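--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e521f3e297026d2b21597f830c9978e6365a5dd4b99ad7a24a9d0973772db45d
- data.tar.gz: 446649a64857c3cc95aeed4c7e4c9d37bf55e6b5573e82445c6b0b0e4fc10f33
+ metadata.gz: 26031826db5cb07c05ca33adc90a735f803008ac10fe45670311c0d77a0ba738
+ data.tar.gz: c4aa146094305a3941c3fd63360a9375cfdfbe7bd819cee61241148c5bc91f16
  SHA512:
- metadata.gz: 2b67ffd686818a7d3e3399a2493a188815959102bc4235086ed16fc47b1bdf93a392e743cc2fb411619f90b9c1b01d0ce27de7e65b53e1ed6e52dfaf67b58107
- data.tar.gz: 269b0733ac11ef8d19cefa5c972e6e67330c51792981fc98a80e389f6338477a099e62ab184873d28ce26dddf8d8b5213c1c2baed56b5d18b6ee9b8097f86338
+ metadata.gz: dba3705c8b0458e64b853f97ad170d8a525fae4b89c176d0236eeab2e27b7c186c6eceb92b245181f5ef6f2cee683d2d17baac298adb4061cdbbc2ca88349b96
+ data.tar.gz: 06e507ffbda36680035517f07d11aae8298f6e7b2708e8837589de0cf7d74da73e2e63618088bacee8663c9a4f625724c339a4a1dbbc641ac9d254e71ef78137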
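--- a/data/helpers/build
+++ b/data/helpers/build
@@ -15,7 +15,6 @@ cp -r \
  "$helpers_dir/lib" \
  "$helpers_dir/run.py" \
  "$helpers_dir/requirements.txt" \
- "$helpers_dir/requirements-3.9.txt" \
  "$install_dir"
 
  if [ -d "$helpers_dir/test" ]; then
@@ -25,15 +24,8 @@ fi
  cd "$install_dir"
 
  python_version=$1
- # pip 26.x and several other packages require Python >=3.10.
- # Use 3.9-compatible versions for the deprecated Python 3.9 runtime.
- if [[ "$python_version" == 3.9.* ]]; then
- req_file="requirements-3.9.txt"
- else
- req_file="requirements.txt"
- fi
 
- PYENV_VERSION=$python_version pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r "$req_file"
+ PYENV_VERSION=$python_version pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r requirements.txt
 
  # Remove the extra objects added during the previous install. Based on
  # https://github.com/docker-library/python/blob/master/Dockerfile-linux.template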
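Review bot: The remaining `pip3 ... install --use-pep517 -r requirements.txt` line installs the helper toolchain without hash verification, so the integrity of each package rests on the index serving the expected artifact for the pinned version. If requirements.txt is pinned by `==` only, as the deleted requirements-3.9.txt was, consider adding hashes and installing with `--require-hashes`. Separately, `python_version=$1` is still used unchecked; with the 3.9 branch gone, a guard such as `: "${python_version:?usage: build <python-version>}"` would make a missing argument fail at that line instead of presumably letting pyenv resolve some other interpreter. The script continues outside both hunks.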
@@ -21,7 +21,6 @@ module Dependabot
21
21
  3.12.13
22
22
  3.11.15
23
23
  3.10.20
24
- 3.9.25
25
24
  ).freeze
26
25
 
27
26
  PRE_INSTALLED_PYTHON_VERSIONS = T.let(
@@ -47,8 +46,9 @@ module Dependabot
47
46
  T::Array[Dependabot::Python::Version]
48
47
  )
49
48
 
50
- # The highest Python version that is no longer fully supported.
51
- # Deprecated now (warning); unsupported once removed from PRE_INSTALLED_PYTHON_VERSIONS_RAW.
49
+ # The highest Python version that is no longer supported.
50
+ # Python 3.9 reached end-of-life and was removed from PRE_INSTALLED_PYTHON_VERSIONS_RAW,
51
+ # so a ToolVersionNotSupported error is raised for it (and any lower version).
52
52
  NON_SUPPORTED_HIGHEST_VERSION = "3.9"
53
53
 
54
54
  DEPRECATED_VERSIONS = T.let([Version.new(NON_SUPPORTED_HIGHEST_VERSION)].freeze, T::Array[Dependabot::Version])
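Review bot: The rewritten comment says 3.9 is no longer supported and raises ToolVersionNotSupported, but the context line just below still builds `DEPRECATED_VERSIONS` from `NON_SUPPORTED_HIGHEST_VERSION`, so the same version is listed as deprecated and described as unsupported. Which classification takes precedence is decided by code outside this hunk, so a reader cannot tell from here whether the deprecation entry is still reachable. Once that is confirmed, either empty the list or add a line such as `# Still listed for the deprecation check; 3.9 is reported as unsupported first.` above `DEPRECATED_VERSIONS`.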
@@ -2,6 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
5
+ require "dependabot/dependency_requirement"
5
6
  require "dependabot/python/requirement_parser"
6
7
  require "dependabot/python/requirement"
7
8
  require "dependabot/python/update_checker"
@@ -21,7 +22,7 @@ module Dependabot
21
22
 
22
23
  class UnfixableRequirement < StandardError; end
23
24
 
24
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
25
+ sig { returns(T::Array[Dependabot::DependencyRequirement]) }
25
26
  attr_reader :requirements
26
27
 
27
28
  sig { returns(Dependabot::RequirementsUpdateStrategy) }
@@ -35,7 +36,7 @@ module Dependabot
35
36
 
36
37
  sig do
37
38
  params(
38
- requirements: T::Array[T::Hash[Symbol, T.untyped]],
39
+ requirements: T::Array[Dependabot::DependencyRequirement],
39
40
  update_strategy: Dependabot::RequirementsUpdateStrategy,
40
41
  has_lockfile: T::Boolean,
41
42
  latest_resolvable_version: T.nilable(String)
@@ -47,7 +48,10 @@ module Dependabot
47
48
  has_lockfile:,
48
49
  latest_resolvable_version:
49
50
  )
50
- @requirements = T.let(requirements, T::Array[T::Hash[Symbol, T.untyped]])
51
+ @requirements = T.let(
52
+ requirements.map { |req| Dependabot::DependencyRequirement.create(req) },
53
+ T::Array[Dependabot::DependencyRequirement]
54
+ )
51
55
  @update_strategy = T.let(update_strategy, Dependabot::RequirementsUpdateStrategy)
52
56
  @has_lockfile = T.let(has_lockfile, T::Boolean)
53
57
  @latest_resolvable_version = T.let(nil, T.nilable(Dependabot::Python::Version))
@@ -57,7 +61,7 @@ module Dependabot
57
61
  @latest_resolvable_version = Python::Version.new(latest_resolvable_version)
58
62
  end
59
63
 
60
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
64
+ sig { returns(T::Array[Dependabot::DependencyRequirement]) }
61
65
  def updated_requirements
62
66
  return requirements if update_strategy.lockfile_only?
63
67
 
@@ -75,7 +79,7 @@ module Dependabot
75
79
  private
76
80
 
77
81
  # rubocop:disable Metrics/PerceivedComplexity
78
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
82
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
79
83
  def updated_setup_requirement(req)
80
84
  return req unless latest_resolvable_version
81
85
  return req unless req.fetch(:requirement)
@@ -96,20 +100,20 @@ module Dependabot
96
100
  update_requirements_range(req_strings)
97
101
  end
98
102
 
99
- req.merge(requirement: new_requirement)
103
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
100
104
  rescue UnfixableRequirement
101
- req.merge(requirement: :unfixable)
105
+ Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
102
106
  end
103
107
  # rubocop:enable Metrics/PerceivedComplexity
104
108
 
105
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
109
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
106
110
  def updated_pipfile_requirement(req)
107
111
  # For now, we just proxy to updated_requirement. In future this
108
112
  # method may treat Pipfile requirements differently.
109
113
  updated_requirement(req)
110
114
  end
111
115
 
112
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
116
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
113
117
  def updated_pyproject_requirement(req)
114
118
  return req unless latest_resolvable_version
115
119
  return req unless req.fetch(:requirement)
@@ -117,16 +121,16 @@ module Dependabot
117
121
 
118
122
  pyproject_update_for_strategy(req)
119
123
  rescue UnfixableRequirement
120
- req.merge(requirement: :unfixable)
124
+ Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
121
125
  end
122
126
 
123
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
127
+ sig { params(req: Dependabot::DependencyRequirement).returns(T::Boolean) }
124
128
  def skip_pyproject_update?(req)
125
129
  new_version_satisfies?(req) && !has_lockfile &&
126
130
  update_strategy != RequirementsUpdateStrategy::BumpVersions
127
131
  end
128
132
 
129
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
133
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
130
134
  def pyproject_update_for_strategy(req)
131
135
  # If the requirement uses || syntax then we always want to widen it
132
136
  return widen_pyproject_requirement(req) if req.fetch(:requirement).match?(PYPROJECT_OR_SEPARATOR)
@@ -142,14 +146,14 @@ module Dependabot
142
146
  end
143
147
  end
144
148
 
145
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
149
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
146
150
  def update_pyproject_version_if_needed(req)
147
151
  return req if new_version_satisfies?(req)
148
152
 
149
153
  update_pyproject_version_core(req, bump_lower_bound: false)
150
154
  end
151
155
 
152
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
156
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
153
157
  def update_pyproject_version(req)
154
158
  return req if req[:requirement] == "*"
155
159
 
@@ -158,9 +162,9 @@ module Dependabot
158
162
 
159
163
  sig do
160
164
  params(
161
- req: T::Hash[Symbol, T.untyped],
165
+ req: Dependabot::DependencyRequirement,
162
166
  bump_lower_bound: T::Boolean
163
- ).returns(T::Hash[Symbol, T.untyped])
167
+ ).returns(Dependabot::DependencyRequirement)
164
168
  end
165
169
  def update_pyproject_version_core(req, bump_lower_bound:)
166
170
  requirement_strings = req[:requirement].split(",").map(&:strip)
@@ -177,10 +181,10 @@ module Dependabot
177
181
  update_requirements_range(requirement_strings)
178
182
  end
179
183
 
180
- req.merge(requirement: new_requirement)
184
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
181
185
  end
182
186
 
183
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
187
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
184
188
  def widen_pyproject_requirement(req)
185
189
  return req if new_version_satisfies?(req)
186
190
 
@@ -191,7 +195,7 @@ module Dependabot
191
195
  widen_requirement_range(req[:requirement])
192
196
  end
193
197
 
194
- req.merge(requirement: new_requirement)
198
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
195
199
  end
196
200
 
197
201
  sig { params(req_string: String).returns(String) }
@@ -241,7 +245,7 @@ module Dependabot
241
245
  end
242
246
  # rubocop:enable Metrics/PerceivedComplexity
243
247
 
244
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
248
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
245
249
  def updated_requirement(req)
246
250
  return req unless latest_resolvable_version
247
251
  return req unless req.fetch(:requirement)
@@ -258,22 +262,22 @@ module Dependabot
258
262
  end
259
263
  end
260
264
 
261
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
265
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
262
266
  def update_requirement_if_needed(req)
263
267
  return req if new_version_satisfies?(req)
264
268
 
265
269
  update_requirement(req)
266
270
  end
267
271
 
268
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
272
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
269
273
  def update_requirement(req)
270
274
  new_requirement = updated_requirement_string(req)
271
- req.merge(requirement: new_requirement)
275
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
272
276
  rescue UnfixableRequirement
273
- req.merge(requirement: :unfixable)
277
+ Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
274
278
  end
275
279
 
276
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T.any(String, Symbol)) }
280
+ sig { params(req: Dependabot::DependencyRequirement).returns(T.any(String, Symbol)) }
277
281
  def updated_requirement_string(req)
278
282
  requirement_strings = req[:requirement].split(",").map(&:strip)
279
283
 
@@ -297,16 +301,16 @@ module Dependabot
297
301
  requirement_strings.any? { |r| r.strip.start_with?(">") }
298
302
  end
299
303
 
300
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
304
+ sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
301
305
  def widen_requirement(req)
302
306
  return req if new_version_satisfies?(req)
303
307
 
304
308
  new_requirement = widen_requirement_range(req[:requirement])
305
309
 
306
- req.merge(requirement: new_requirement)
310
+ Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
307
311
  end
308
312
 
309
- sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
313
+ sig { params(req: Dependabot::DependencyRequirement).returns(T::Boolean) }
310
314
  def new_version_satisfies?(req)
311
315
  requirement_class
312
316
  .requirements_array(req.fetch(:requirement))
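Review bot: The initializer's new sig declares `requirements: T::Array[Dependabot::DependencyRequirement]`, yet the body still passes every element through `Dependabot::DependencyRequirement.create(req)`, and nothing explains why both are needed. sorbet-runtime does not check array element types, so if callers can still hand in plain hashes (not visible here) that `map` is the real normalisation boundary and deserves a comment such as `# Elements may still be plain hashes; T::Array element types are not enforced at runtime.`. The `Dependabot::DependencyRequirement.create(req.merge(...))` wrapping is also repeated at every return site in this section and in `updated_git_requirements` in the update checker section; a private helper like `def with_requirement(req, value) = Dependabot::DependencyRequirement.create(req.merge(requirement: value))` would keep it in one place. It is also worth documenting that `requirement` can be the Symbol `:unfixable`, since the typed return no longer makes that visible. Most method bodies start or end outside the hunks.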
@@ -6,6 +6,7 @@ require "toml-rb"
6
6
  require "sorbet-runtime"
7
7
 
8
8
  require "dependabot/dependency"
9
+ require "dependabot/dependency_requirement"
9
10
  require "dependabot/errors"
10
11
  require "dependabot/python/name_normaliser"
11
12
  require "dependabot/python/requirement_parser"
@@ -95,16 +96,14 @@ module Dependabot
95
96
 
96
97
  sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
97
98
  def updated_requirements
98
- return wrap_requirements(updated_git_requirements) if git_dependency?
99
-
100
- wrap_requirements(
101
- RequirementsUpdater.new(
102
- requirements: requirements,
103
- latest_resolvable_version: preferred_resolvable_version&.to_s,
104
- update_strategy: requirements_update_strategy,
105
- has_lockfile: !(pipfile_lock || poetry_lock).nil?
106
- ).updated_requirements
107
- )
99
+ return updated_git_requirements if git_dependency?
100
+
101
+ RequirementsUpdater.new(
102
+ requirements: dependency.requirements,
103
+ latest_resolvable_version: preferred_resolvable_version&.to_s,
104
+ update_strategy: requirements_update_strategy,
105
+ has_lockfile: !(pipfile_lock || poetry_lock).nil?
106
+ ).updated_requirements
108
107
  end
109
108
 
110
109
  sig { override.returns(T::Boolean) }
@@ -139,13 +138,13 @@ module Dependabot
139
138
  latest_version_for_git_dependency
140
139
  end
141
140
 
142
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
141
+ sig { returns(T::Array[Dependabot::DependencyRequirement]) }
143
142
  def updated_git_requirements
144
143
  updated_source = updated_git_source
145
- return requirements unless updated_source
144
+ return dependency.requirements unless updated_source
146
145
 
147
- requirements.map do |req|
148
- req.merge(source: updated_source)
146
+ dependency.requirements.map do |req|
147
+ Dependabot::DependencyRequirement.create(req.merge(source: updated_source))
149
148
  end
150
149
  end
151
150
 
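--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-python
  version: !ruby/object:Gem::Version
- version: 0.382.0
+ version: 0.383.0
  platform: ruby
  authors:
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.382.0
+ version: 0.383.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.382.0
+ version: 0.383.0
  - !ruby/object:Gem::Dependency
  name: debug
  requirement: !ruby/object:Gem::Requirement
@@ -245,7 +245,6 @@ files:
  - helpers/lib/__init__.py
  - helpers/lib/hasher.py
  - helpers/lib/parser.py
- - helpers/requirements-3.9.txt
  - helpers/requirements.txt
  - helpers/run.py
  - helpers/test/fixtures/no_dependencies.toml
@@ -323,7 +322,7 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
  rdoc_options: []
  require_paths:
  - lib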
@@ -1,15 +0,0 @@
1
- # Python 3.9-compatible versions pinned to the last known working set before
2
- # packages dropped 3.9 support. Python 3.9 reached end-of-life on 2025-10-31.
3
- pip==24.2
4
- pip-tools==7.5.3
5
- flake8==7.3.0
6
- hashin==1.0.5
7
- pipenv==2024.4.1
8
- plette==2.1.0
9
- poetry==2.2.1
10
- pytest==8.3.5
11
- # tomli is required for Python <3.11 (stdlib tomllib was added in 3.11).
12
- tomli==2.2.1
13
-
14
- # Some dependencies will only install if Cython is present
15
- Cython==3.2.4