dependabot-python 0.104.1 → 0.104.2

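--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 1704546d9328a26bba38bd159150a5238797253f07538aa5ee731e307d1a5a86
- data.tar.gz: 4e1a258ebb51cedb6cd6c801d2ac4a7f2f191658b163b56046a7ab526c24c287
+ metadata.gz: 07562c281f0015c26bac56e792bd46fa643b9e418aa74504847d9f7ab28afcdd
+ data.tar.gz: ed693ef282c7b4a4e2497ef4088edee0f6894c70eb62af61b7fa6b398f0066e6
  SHA512:
- metadata.gz: 1b994991d16cafe0ece709fdc52f5bbe5f25cb3dd635ad08fab6b87885926afe281231642d28cfe24e26724bccd4427750d99dad27e718882ecc04bf333e8ff5
- data.tar.gz: 37ffc6c72e569f50b2c73999089237512b08742e10473fb02f5b7047751be623ffeb9d9d8298376e1748748274dfe22c64c6a15ee60647de831317f8caf71e33
+ metadata.gz: 9475d9e98b20f257d941a66a07943e76c3a3eb525561740886daee7a6a1935dfd80336335b28441887fcb6a52f1c19a053965ae8247e98a0aacd888054222af2
+ data.tar.gz: 91193f7f7b1015f34080bccd28d32423e7935893ffb70e0f37bff47b6ceedad1f21ba30ef2327ef7f1f0c34bd2764841455374fa306365fd8d2df4f96aecae78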
@@ -13,7 +13,7 @@ module Dependabot
13
13
  module Python
14
14
  class UpdateChecker < Dependabot::UpdateCheckers::Base
15
15
  require_relative "update_checker/poetry_version_resolver"
16
- require_relative "update_checker/pipfile_version_resolver"
16
+ require_relative "update_checker/pipenv_version_resolver"
17
17
  require_relative "update_checker/pip_compile_version_resolver"
18
18
  require_relative "update_checker/requirements_updater"
19
19
  require_relative "update_checker/latest_version_finder"
@@ -31,17 +31,11 @@ module Dependabot
31
31
  @latest_resolvable_version ||=
32
32
  case resolver_type
33
33
  when :pipfile
34
- PipfileVersionResolver.new(
35
- resolver_args.merge(unlock_requirement: true)
36
- ).latest_resolvable_version
34
+ pipenv_version_resolver.latest_resolvable_version
37
35
  when :poetry
38
- PoetryVersionResolver.new(
39
- resolver_args.merge(unlock_requirement: true)
40
- ).latest_resolvable_version
36
+ poetry_version_resolver.latest_resolvable_version
41
37
  when :pip_compile
42
- PipCompileVersionResolver.new(
43
- resolver_args.merge(unlock_requirement: true)
44
- ).latest_resolvable_version
38
+ pip_compile_version_resolver.latest_resolvable_version
45
39
  when :requirements
46
40
  # pip doesn't (yet) do any dependency resolution, so if we don't
47
41
  # have a Pipfile or a pip-compile file, we just return the latest
@@ -55,16 +49,16 @@ module Dependabot
55
49
  @latest_resolvable_version_with_no_unlock ||=
56
50
  case resolver_type
57
51
  when :pipfile
58
- PipfileVersionResolver.new(
59
- resolver_args.merge(unlock_requirement: false)
52
+ pipenv_version_resolver(
53
+ unlock_requirement: false
60
54
  ).latest_resolvable_version
61
55
  when :poetry
62
- PoetryVersionResolver.new(
63
- resolver_args.merge(unlock_requirement: false)
56
+ poetry_version_resolver(
57
+ unlock_requirement: false
64
58
  ).latest_resolvable_version
65
59
  when :pip_compile
66
- PipCompileVersionResolver.new(
67
- resolver_args.merge(unlock_requirement: false)
60
+ pip_compile_version_resolver(
61
+ unlock_requirement: false
68
62
  ).latest_resolvable_version
69
63
  when :requirements
70
64
  latest_pip_version_with_no_unlock
@@ -72,11 +66,26 @@ module Dependabot
72
66
  end
73
67
  end
74
68
 
69
+ def lowest_resolvable_security_fix_version
70
+ raise "Dependency not vulnerable!" unless vulnerable?
71
+
72
+ @lowest_resolvable_security_fix_version ||=
73
+ case resolver_type
74
+ when :requirements
75
+ latest_version_finder.lowest_security_fix_version
76
+ when :pipfile, :poetry, :pip_compile
77
+ # TODO: Handle package managers with a resolvability concept
78
+ latest_resolvable_version
79
+ else raise "Unexpected resolver type #{resolver_type}"
80
+ end
81
+
82
+ latest_version_finder.lowest_security_fix_version
83
+ end
84
+
75
85
  def updated_requirements
76
86
  RequirementsUpdater.new(
77
87
  requirements: dependency.requirements,
78
- latest_version: latest_version&.to_s,
79
- latest_resolvable_version: latest_resolvable_version&.to_s,
88
+ latest_resolvable_version: preferred_resolvable_version&.to_s,
80
89
  update_strategy: requirements_update_strategy,
81
90
  has_lockfile: !(pipfile_lock || poetry_lock || pyproject_lock).nil?
82
91
  ).updated_requirements
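Review bot: The trailing `latest_version_finder.lowest_security_fix_version` at the end of the new `lowest_resolvable_security_fix_version` is the method's actual return value, so the memoized `case` above it is evaluated and then discarded; for the `:pipfile`/`:poetry`/`:pip_compile` branches callers receive the unresolved lowest fix version instead of the `latest_resolvable_version` fallback the `# TODO` comment describes, and the `@lowest_resolvable_security_fix_version` memo is never used. Delete that last statement and the blank line before it so the `@lowest_resolvable_security_fix_version ||= case ... end` expression is what the method returns. Separately, `updated_requirements` now passes `preferred_resolvable_version&.to_s`, a method none of these hunks define — presumably inherited from `Dependabot::UpdateCheckers::Base`, which is not visible here; a one-line comment naming where it comes from would help readers of this file, but only once that is confirmed.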
@@ -145,6 +154,27 @@ module Dependabot
145
154
  reqs.any? { |r| Python::Requirement.new(r).exact? }
146
155
  end
147
156
 
157
+ def pipenv_version_resolver(unlock_requirement: true)
158
+ @pipenv_version_resolver ||= {}
159
+ @pipenv_version_resolver[unlock_requirement] ||=
160
+ PipenvVersionResolver.
161
+ new(resolver_args.merge(unlock_requirement: unlock_requirement))
162
+ end
163
+
164
+ def pip_compile_version_resolver(unlock_requirement: true)
165
+ @pip_compile_version_resolver ||= {}
166
+ @pip_compile_version_resolver[unlock_requirement] ||=
167
+ PipCompileVersionResolver.
168
+ new(resolver_args.merge(unlock_requirement: unlock_requirement))
169
+ end
170
+
171
+ def poetry_version_resolver(unlock_requirement: true)
172
+ @poetry_version_resolver ||= {}
173
+ @poetry_version_resolver[unlock_requirement] ||=
174
+ PoetryVersionResolver.
175
+ new(resolver_args.merge(unlock_requirement: unlock_requirement))
176
+ end
177
+
148
178
  def resolver_args
149
179
  {
150
180
  dependency: dependency,
@@ -167,7 +197,8 @@ module Dependabot
167
197
  dependency: dependency,
168
198
  dependency_files: dependency_files,
169
199
  credentials: credentials,
170
- ignored_versions: ignored_versions
200
+ ignored_versions: ignored_versions,
201
+ security_advisories: security_advisories
171
202
  )
172
203
  end
173
204
 
@@ -13,11 +13,12 @@ module Dependabot
13
13
  require_relative "index_finder"
14
14
 
15
15
  def initialize(dependency:, dependency_files:, credentials:,
16
- ignored_versions:)
17
- @dependency = dependency
18
- @dependency_files = dependency_files
19
- @credentials = credentials
20
- @ignored_versions = ignored_versions
16
+ ignored_versions:, security_advisories:)
17
+ @dependency = dependency
18
+ @dependency_files = dependency_files
19
+ @credentials = credentials
20
+ @ignored_versions = ignored_versions
21
+ @security_advisories = security_advisories
21
22
  end
22
23
 
23
24
  def latest_version
@@ -29,10 +30,14 @@ module Dependabot
29
30
  fetch_latest_version_with_no_unlock
30
31
  end
31
32
 
33
+ def lowest_security_fix_version
34
+ @lowest_security_fix_version ||= fetch_lowest_security_fix_version
35
+ end
36
+
32
37
  private
33
38
 
34
39
  attr_reader :dependency, :dependency_files, :credentials,
35
- :ignored_versions
40
+ :ignored_versions, :security_advisories
36
41
 
37
42
  def fetch_latest_version
38
43
  versions = available_versions
@@ -49,6 +54,15 @@ module Dependabot
49
54
  versions.max
50
55
  end
51
56
 
57
+ def fetch_lowest_security_fix_version
58
+ versions = available_versions
59
+ versions = filter_prerelease_versions(versions)
60
+ versions = filter_ignored_versions(versions)
61
+ versions = filter_vulnerable_versions(versions)
62
+ versions = filter_lower_versions(versions)
63
+ versions.min
64
+ end
65
+
52
66
  def filter_prerelease_versions(versions_array)
53
67
  return versions_array if wants_prerelease?
54
68
 
@@ -60,6 +74,16 @@ module Dependabot
60
74
  reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
61
75
  end
62
76
 
77
+ def filter_vulnerable_versions(versions_array)
78
+ versions_array.
79
+ reject { |v| security_advisories.any? { |a| a.vulnerable?(v) } }
80
+ end
81
+
82
+ def filter_lower_versions(versions_array)
83
+ versions_array.
84
+ select { |version| version > version_class.new(dependency.version) }
85
+ end
86
+
63
87
  def filter_out_of_range_versions(versions_array)
64
88
  reqs = dependency.requirements.map do |r|
65
89
  requirement_class.requirements_array(r.fetch(:requirement))
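Review bot: `filter_lower_versions` calls `version_class.new(dependency.version)` unconditionally; if `dependency.version` can be nil for a dependency reaching this code (for example a requirement with no pinned or locked version — inferred, not visible in these hunks), the constructor would raise instead of producing a fix candidate. A guard such as `return versions_array unless dependency.version` before the `select` keeps the new filter safe in that case. `filter_vulnerable_versions` relies on each element of `security_advisories` responding to `vulnerable?(version)`; a brief comment stating that duck-typed contract, e.g. `# each advisory is expected to respond to vulnerable?(version)`, would document the expectation for whoever passes `security_advisories:` into `initialize`.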
@@ -27,7 +27,7 @@ module Dependabot
27
27
  # Unfortunately, Pipenv doesn't resolve how we'd expect - it appears to
28
28
  # just raise if the latest version can't be resolved. Knowing that is
29
29
  # still better than nothing, though.
30
- class PipfileVersionResolver
30
+ class PipenvVersionResolver
31
31
  VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
32
32
  GIT_DEPENDENCY_UNREACHABLE_REGEX =
33
33
  /Command "git clone -q (?<url>[^\s]+).*" failed/.freeze
@@ -16,18 +16,14 @@ module Dependabot
16
16
  class UnfixableRequirement < StandardError; end
17
17
 
18
18
  attr_reader :requirements, :update_strategy, :has_lockfile,
19
- :latest_version, :latest_resolvable_version
19
+ :latest_resolvable_version
20
20
 
21
21
  def initialize(requirements:, update_strategy:, has_lockfile:,
22
- latest_version:, latest_resolvable_version:)
22
+ latest_resolvable_version:)
23
23
  @requirements = requirements
24
24
  @update_strategy = update_strategy
25
25
  @has_lockfile = has_lockfile
26
26
 
27
- if latest_version
28
- @latest_version = Python::Version.new(latest_version)
29
- end
30
-
31
27
  return unless latest_resolvable_version
32
28
 
33
29
  @latest_resolvable_version =
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-python
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.104.1
4
+ version: 0.104.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.104.1
19
+ version: 0.104.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.104.1
26
+ version: 0.104.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -175,7 +175,7 @@ files:
175
175
  - lib/dependabot/python/update_checker/index_finder.rb
176
176
  - lib/dependabot/python/update_checker/latest_version_finder.rb
177
177
  - lib/dependabot/python/update_checker/pip_compile_version_resolver.rb
178
- - lib/dependabot/python/update_checker/pipfile_version_resolver.rb
178
+ - lib/dependabot/python/update_checker/pipenv_version_resolver.rb
179
179
  - lib/dependabot/python/update_checker/poetry_version_resolver.rb
180
180
  - lib/dependabot/python/update_checker/requirements_updater.rb
181
181
  - lib/dependabot/python/version.rb