dependabot-python 0.212.0 → 0.213.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4862b59513a97a33d51ff8ad57b6d9815842769c87f612426ffbcd8e75a9655c
-  data.tar.gz: 9543935b3ab8027344757b41aa8ff265d823beac956a06d20d4917e75962698d
+  metadata.gz: 6cb23890c79504e40e7e4962485003c76c07179574ac89b210b6529d15d2c216
+  data.tar.gz: b96523f9cf991cbffc38fc2831221c43450c74ef560e8e80ff2d2bbf73c889c4
 SHA512:
-  metadata.gz: fd9e547d19f01addfdc2fcc4eeb7095bf8e886eded086772f81b9bfbd6acfb2fc6076c354c970ae5fad0691a25679d99db8eb0884121e986c1bcf39b17c041ba
-  data.tar.gz: be587fe031f132dd20d4fc023668e31d81c37608d915a9f586ca159b675302993a208b6e93209cfaedad83d08eaae1ca06f6af7eec8933bcc2c44e8a61293ccf
+  metadata.gz: 5beeac4ec63193ce095e6a5d7223c11e4e9c2ace55b3ef5c94f0011d8cb0c70fc7b364108b68cd68f656a5ed79d712b64eecbb75998714325a0f3b101169592c
+  data.tar.gz: 17ec5483c750fe4bc35490feebf418a8bd7eaf0eb2d14e2bcfc811e06f94c02f69eca71bafb589cb2d51b8a73155d3d358b97fcc6125a8fb7229b54f06a42fbe

data/helpers/build

@@ -18,9 +18,4 @@ cp -r \
   "$install_dir"
 
 cd "$install_dir"
-PYENV_VERSION=3.10.5 pyenv exec pip --disable-pip-version-check install -r "requirements.txt"
-
-# Workaround of https://github.com/python-poetry/poetry/issues/3010
-# By default poetry config file is stored under ~/.config/pypoetry
-# and is not bound to any specific Python version
-PYENV_VERSION=3.10.5 pyenv exec poetry config experimental.new-installer false
+PYENV_VERSION=3.10.7 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"

data/helpers/lib/parser.py

@@ -11,11 +11,63 @@ from pip._internal.req.constructors import (
     install_req_from_line,
     install_req_from_parsed_requirement,
 )
+
+from packaging.requirements import InvalidRequirement, Requirement
+import toml
+
 # Inspired by pips internal check:
 # https://github.com/pypa/pip/blob/0bb3ac87f5bb149bd75cceac000844128b574385/src/pip/_internal/req/req_file.py#L35
 COMMENT_RE = re.compile(r'(^|\s+)#.*$')
 
 
+def parse_pep621_dependencies(pyproject_path):
+    project_toml = toml.load(pyproject_path)['project']
+
+    def parse_toml_section_pep621_dependencies(pyproject_path, dependencies):
+        requirement_packages = []
+
+        def version_from_req(specifier_set):
+            if (len(specifier_set) == 1 and
+                    next(iter(specifier_set)).operator in {"==", "==="}):
+                return next(iter(specifier_set)).version
+
+        for dependency in dependencies:
+            try:
+                req = Requirement(dependency)
+            except InvalidRequirement as e:
+                print(json.dumps({"error": repr(e)}))
+                exit(1)
+            else:
+                requirement_packages.append({
+                    "name": req.name,
+                    "version": version_from_req(req.specifier),
+                    "markers": str(req.marker) or None,
+                    "file": pyproject_path,
+                    "requirement": str(req.specifier),
+                    "extras": sorted(list(req.extras))
+                })
+
+        return requirement_packages
+
+    dependencies = parse_toml_section_pep621_dependencies(
+        pyproject_path,
+        project_toml['dependencies']
+    )
+
+    if 'optional-dependencies' in project_toml:
+        optional_dependencies_toml = project_toml['optional-dependencies']
+
+        for group in optional_dependencies_toml:
+            group_dependencies = parse_toml_section_pep621_dependencies(
+                pyproject_path,
+                optional_dependencies_toml[group]
+            )
+
+            dependencies.extend(group_dependencies)
+
+    return json.dumps({"result": dependencies})
+
+
 def parse_requirements(directory):
     # Parse the requirements.txt
     requirement_packages = []

data/helpers/requirements.txt

@@ -1,10 +1,10 @@
-pip>=21.3.1,<22.2.3  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
-pip-tools>=6.4.0,<6.8.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip>=21.3.1,<22.4.0  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip-tools>=6.4.0,<6.9.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
 flake8==5.0.4
 hashin==0.17.0
 pipenv==2022.4.8
 pipfile==0.0.2
-poetry>=1.1.15,<=1.2.0
+poetry>=1.1.15,<1.3.0
 wheel==0.37.1
 
 # Some dependencies will only install if Cython is present

data/helpers/run.py

@@ -10,6 +10,8 @@ if __name__ == "__main__":
         print(parser.parse_requirements(args["args"][0]))
     elif args["function"] == "parse_setup":
         print(parser.parse_setup(args["args"][0]))
+    elif args["function"] == "parse_pep621_dependencies":
+        print(parser.parse_pep621_dependencies(args["args"][0]))
     elif args["function"] == "get_dependency_hash":
         print(hasher.get_dependency_hash(*args["args"]))
     elif args["function"] == "get_pipfile_hash":

data/lib/dependabot/python/file_fetcher.rb

@@ -5,15 +5,15 @@ require "toml-rb"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/python/requirement_parser"
-require "dependabot/python/file_parser/poetry_files_parser"
+require "dependabot/python/file_parser/pyproject_files_parser"
 require "dependabot/errors"
 
 module Dependabot
   module Python
     class FileFetcher < Dependabot::FileFetchers::Base
-      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/.freeze
-      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/.freeze
-      DEPENDENCY_TYPES = %w(packages dev-packages).freeze
+      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
+      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
+      DEPENDENCY_TYPES = %w(packages dev-packages)
 
       def self.required_files_in?(filenames)
         return true if filenames.any? { |name| name.end_with?(".txt", ".in") }
@@ -24,7 +24,7 @@ module Dependabot
         # If this repo is using a Pipfile return true
         return true if filenames.include?("Pipfile")
 
-        # If this repo is using Poetry return true
+        # If this repo is using pyproject.toml return true
         return true if filenames.include?("pyproject.toml")
 
         return true if filenames.include?("setup.py")
@@ -69,7 +69,7 @@ module Dependabot
       end
 
       def pyproject_files
-        [pyproject, pyproject_lock, poetry_lock].compact
+        [pyproject, pyproject_lock, poetry_lock, pdm_lock].compact
       end
 
       def requirement_files
@@ -81,7 +81,12 @@ module Dependabot
       end
 
       def check_required_files_present
-        return if requirements_txt_files.any? || setup_file || setup_cfg_file || pipfile || pyproject
+        return if requirements_txt_files.any? ||
+                  requirements_in_files.any? ||
+                  setup_file ||
+                  setup_cfg_file ||
+                  pipfile ||
+                  pyproject
 
         path = Pathname.new(File.join(directory, "requirements.txt")).
                cleanpath.to_path
@@ -136,6 +141,10 @@ module Dependabot
         @poetry_lock ||= fetch_file_if_present("poetry.lock")
       end
 
+      def pdm_lock
+        @pdm_lock ||= fetch_file_if_present("pdm.lock")
+      end
+
       def requirements_txt_files
         req_txt_and_in_files.select { |f| f.name.end_with?(".txt") }
       end
@@ -169,7 +178,7 @@ module Dependabot
         repo_contents.
           select { |f| f.type == "file" }.
           select { |f| f.name.end_with?(".txt", ".in") }.
-          reject { |f| f.size > 200_000 }.
+          reject { |f| f.size > 500_000 }.
           map { |f| fetch_file_from_host(f.name) }.
           select { |f| requirements_file?(f) }.
           each { |f| @req_txt_and_in_files << f }
@@ -189,7 +198,7 @@ module Dependabot
         repo_contents(dir: relative_reqs_dir).
           select { |f| f.type == "file" }.
           select { |f| f.name.end_with?(".txt", ".in") }.
-          reject { |f| f.size > 200_000 }.
+          reject { |f| f.size > 500_000 }.
           map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }.
           select { |f| requirements_file?(f) }
       end
@@ -291,8 +300,8 @@ module Dependabot
               fetch_submodules: true
             ).tap { |f| f.support_file = true }
           rescue Dependabot::DependencyFileNotFound
-            # For Poetry projects attempt to fetch a pyproject.toml at the
-            # given path instead of a setup.py. We do not require a
+            # For projects with pyproject.toml attempt to fetch a pyproject.toml
+            # at the given path instead of a setup.py. We do not require a
             # setup.py to be present, so if none can be found, simply return
             return [] unless allow_pyproject
 
@@ -390,7 +399,7 @@ module Dependabot
         return [] unless pyproject
 
         paths = []
-        Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |dep_type|
+        Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |dep_type|
           next unless parsed_pyproject.dig("tool", "poetry", dep_type)
 
           parsed_pyproject.dig("tool", "poetry", dep_type).each do |_, req|

data/lib/dependabot/python/file_parser/{poetry_files_parser.rb → pyproject_files_parser.rb}

@@ -12,7 +12,7 @@ require "dependabot/python/name_normaliser"
 module Dependabot
   module Python
     class FileParser
-      class PoetryFilesParser
+      class PyprojectFilesParser
         POETRY_DEPENDENCY_TYPES = %w(dependencies dev-dependencies).freeze
 
         # https://python-poetry.org/docs/dependency-specification/
@@ -25,7 +25,7 @@ module Dependabot
         def dependency_set
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-          dependency_set += pyproject_dependencies
+          dependency_set += pyproject_dependencies if using_poetry? || using_pep621?
           dependency_set += lockfile_dependencies if lockfile
 
           dependency_set
@@ -36,6 +36,14 @@ module Dependabot
         attr_reader :dependency_files
 
         def pyproject_dependencies
+          if using_poetry?
+            poetry_dependencies
+          else
+            pep621_dependencies
+          end
+        end
+
+        def poetry_dependencies
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           POETRY_DEPENDENCY_TYPES.each do |type|
@@ -59,6 +67,44 @@ module Dependabot
           dependencies
         end
 
+        def pep621_dependencies
+          dependencies = Dependabot::FileParsers::Base::DependencySet.new
+
+          # PDM is not yet supported, so we want to ignore it for now because in
+          # the current state of things, going on would result in updating
+          # pyproject.toml but leaving pdm.lock out of sync, which is
+          # undesirable. Leave PDM alone until properly supported
+          return dependencies if using_pdm?
+
+          parsed_pep621_dependencies.each do |dep|
+            # If a requirement has a `<` or `<=` marker then updating it is
+            # probably blocked. Ignore it.
+            next if dep["markers"].include?("<")
+
+            # If no requirement, don't add it
+            next if dep["requirement"].empty?
+
+            dependencies <<
+              Dependency.new(
+                name: normalised_name(dep["name"], dep["extras"]),
+                version: dep["version"]&.include?("*") ? nil : dep["version"],
+                requirements: [{
+                  requirement: dep["requirement"],
+                  file: Pathname.new(dep["file"]).cleanpath.to_path,
+                  source: nil,
+                  groups: [dep["requirement_type"]]
+                }],
+                package_manager: "pip"
+              )
+          end
+
+          dependencies
+        end
+
+        def normalised_name(name, extras)
+          NameNormaliser.normalise_including_extras(name, extras)
+        end
+
         # @param req can be an Array, Hash or String that represents the constraints for a dependency
         def parse_requirements_from(req, type)
           [req].flatten.compact.filter_map do |requirement|
@@ -75,6 +121,18 @@ module Dependabot
           end
         end
 
+        def using_poetry?
+          !parsed_pyproject.dig("tool", "poetry").nil?
+        end
+
+        def using_pep621?
+          !parsed_pyproject.dig("project", "dependencies").nil?
+        end
+
+        def using_pdm?
+          using_pep621? && pdm_lock
+        end
+
         # Create a DependencySet where each element has no requirement. Any
         # requirements will be added when combining the DependencySet with
         # other DependencySets.
@@ -146,6 +204,24 @@ module Dependabot
           poetry_lock || pyproject_lock
         end
 
+        def parsed_pep621_dependencies
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_pyproject
+
+            SharedHelpers.run_helper_subprocess(
+              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              function: "parse_pep621_dependencies",
+              args: [pyproject.name]
+            )
+          end
+        end
+
+        def write_temporary_pyproject
+          path = pyproject.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, pyproject.content)
+        end
+
         def parsed_lockfile
           return parsed_poetry_lock if poetry_lock
           return parsed_pyproject_lock if pyproject_lock
@@ -160,6 +236,11 @@ module Dependabot
           @poetry_lock ||=
             dependency_files.find { |f| f.name == "poetry.lock" }
         end
+
+        def pdm_lock
+          @pdm_lock ||=
+            dependency_files.find { |f| f.name == "pdm.lock" }
+        end
       end
     end
   end

data/lib/dependabot/python/file_parser/setup_file_parser.rb

@@ -12,10 +12,10 @@ module Dependabot
   module Python
     class FileParser
       class SetupFileParser
-        INSTALL_REQUIRES_REGEX = /install_requires\s*=\s*\[/m.freeze
-        SETUP_REQUIRES_REGEX = /setup_requires\s*=\s*\[/m.freeze
-        TESTS_REQUIRE_REGEX = /tests_require\s*=\s*\[/m.freeze
-        EXTRAS_REQUIRE_REGEX = /extras_require\s*=\s*\{/m.freeze
+        INSTALL_REQUIRES_REGEX = /install_requires\s*=\s*\[/m
+        SETUP_REQUIRES_REGEX = /setup_requires\s*=\s*\[/m
+        TESTS_REQUIRE_REGEX = /tests_require\s*=\s*\[/m
+        EXTRAS_REQUIRE_REGEX = /extras_require\s*=\s*\{/m
 
         CLOSING_BRACKET = { "[" => "]", "{" => "}" }.freeze
 

data/lib/dependabot/python/file_parser.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "toml-rb"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -15,11 +14,9 @@ module Dependabot
   module Python
     class FileParser < Dependabot::FileParsers::Base
       require_relative "file_parser/pipfile_files_parser"
-      require_relative "file_parser/poetry_files_parser"
+      require_relative "file_parser/pyproject_files_parser"
       require_relative "file_parser/setup_file_parser"
 
-      POETRY_DEPENDENCY_TYPES =
-        %w(tool.poetry.dependencies tool.poetry.dev-dependencies).freeze
       DEPENDENCY_GROUP_KEYS = [
         {
           pipfile: "packages",
@@ -42,7 +39,7 @@ module Dependabot
         dependency_set = DependencySet.new
 
         dependency_set += pipenv_dependencies if pipfile
-        dependency_set += poetry_dependencies if using_poetry?
+        dependency_set += pyproject_file_dependencies if pyproject
         dependency_set += requirement_dependencies if requirement_files.any?
         dependency_set += setup_file_dependencies if setup_file || setup_cfg_file
 
@@ -62,9 +59,9 @@ module Dependabot
           dependency_set
       end
 
-      def poetry_dependencies
-        @poetry_dependencies ||=
-          PoetryFilesParser.
+      def pyproject_file_dependencies
+        @pyproject_file_dependencies ||=
+          PyprojectFilesParser.
           new(dependency_files: dependency_files).
           dependency_set
       end
@@ -105,18 +102,6 @@ module Dependabot
         end
       end
 
-      def included_in_pipenv_deps?(dep_name)
-        return false unless pipfile
-
-        pipenv_dependencies.dependencies.map(&:name).include?(dep_name)
-      end
-
-      def included_in_poetry_deps?(dep_name)
-        return false unless using_poetry?
-
-        poetry_dependencies.dependencies.map(&:name).include?(dep_name)
-      end
-
       def blocking_marker?(dep)
         return false if dep["markers"] == "None"
         return true if dep["markers"].include?("<")
@@ -215,15 +200,6 @@ module Dependabot
         @pipfile_lock ||= get_original_file("Pipfile.lock")
       end
 
-      def using_poetry?
-        return false unless pyproject
-        return true if poetry_lock || pyproject_lock
-
-        !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
-      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-        raise Dependabot::DependencyFileNotParseable, pyproject.path
-      end
-
       def output_file_regex(filename)
         "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
       end

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -7,6 +7,7 @@ require "dependabot/python/file_fetcher"
 require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/shared_helpers"
+require "dependabot/python/helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/python_versions"
 require "dependabot/python/name_normaliser"
@@ -22,10 +23,9 @@ module Dependabot
         require_relative "setup_file_sanitizer"
 
         UNSAFE_PACKAGES = %w(setuptools distribute pip).freeze
-        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m.freeze
-        WARNINGS = /\s*# WARNING:.*\Z/m.freeze
-        UNSAFE_NOTE =
-          /\s*# The following packages are considered to be unsafe.*\Z/m.freeze
+        INCOMPATIBLE_VERSIONS_REGEX = /There are incompatible versions in the resolved dependencies:.*\z/m
+        WARNINGS = /\s*# WARNING:.*\Z/m
+        UNSAFE_NOTE = /\s*# The following packages are considered to be unsafe.*\Z/m
 
         attr_reader :dependencies, :dependency_files, :credentials
 
@@ -66,7 +66,7 @@ module Dependabot
         def compile_new_requirement_files
           SharedHelpers.in_a_temporary_directory do
             write_updated_dependency_files
-            install_required_python
+            Helpers.install_required_python(python_version)
 
             filenames_to_compile.each do |filename|
               # Shell out to pip-compile, generate a new set of requirements.
@@ -81,12 +81,6 @@ module Dependabot
                 "#{SharedHelpers.escape_command(version_part)}",
                 allow_unsafe_shell_command: true
               )
-              # Run pip-compile a second time, without an update argument, to
-              # ensure it resets the right comments.
-              run_pip_compile_command(
-                "pyenv exec pip-compile #{pip_compile_options(filename)} " \
-                "#{filename}"
-              )
             end
 
             # Remove any .python-version file before parsing the reqs
@@ -219,15 +213,6 @@ module Dependabot
           end
         end
 
-        def install_required_python
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install --upgrade pip")
-          run_command("pyenv exec pip install -r " \
-                      "#{NativeHelpers.python_requirements_path}")
-        end
-
         def sanitized_setup_file_content(file)
           @sanitized_setup_file_content ||= {}
           return @sanitized_setup_file_content[file.name] if @sanitized_setup_file_content[file.name]

data/lib/dependabot/python/file_updater/pipfile_file_updater.rb

@@ -302,11 +302,7 @@ module Dependabot
             nil
           end
 
-          return if run_command("pyenv versions").include?("#{python_version}\n")
-
-          requirements_path = NativeHelpers.python_requirements_path
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r #{requirements_path}")
+          Helpers.install_required_python(python_version)
         end
 
         def sanitized_setup_file_content(file)

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -4,6 +4,7 @@ require "toml-rb"
 require "open3"
 require "dependabot/dependency"
 require "dependabot/shared_helpers"
+require "dependabot/python/helpers"
 require "dependabot/python/version"
 require "dependabot/python/requirement"
 require "dependabot/python/python_versions"
@@ -131,7 +132,7 @@ module Dependabot
         end
 
         def lock_declaration_to_new_version!(poetry_object, dep)
-          Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
+          Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
             names = poetry_object[type]&.keys || []
             pkg_name = names.find { |nm| normalise(nm) == dep.name }
             next unless pkg_name
@@ -170,11 +171,11 @@ module Dependabot
               write_temporary_dependency_files(pyproject_content)
               add_auth_env_vars
 
-              if python_version && !pre_installed_python?(python_version)
-                run_poetry_command("pyenv install -s #{python_version}")
-                run_poetry_command("pyenv exec pip install --upgrade pip")
-                run_poetry_command("pyenv exec pip install -r" \
-                                   "#{NativeHelpers.python_requirements_path}")
+              Helpers.install_required_python(python_version)
+
+              # use system git instead of the pure Python dulwich
+              unless python_version&.start_with?("3.6")
+                run_poetry_command("pyenv exec poetry config experimental.system-git-client true")
               end
 
               run_poetry_command(poetry_update_command)

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -52,7 +52,7 @@ module Dependabot
           poetry_object = pyproject_object["tool"]["poetry"]
           excluded_names = dependencies.map(&:name) + ["python"]
 
-          Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
+          Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
             next unless poetry_object[key]
 
             source_types = %w(directory file url)

data/lib/dependabot/python/file_updater.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "toml-rb"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/shared_helpers"
@@ -61,7 +62,13 @@ module Dependabot
         # Otherwise, this is a top-level dependency, and we can figure out
         # which resolver to use based on the filename of its requirements
         return :pipfile if changed_req_files.any?("Pipfile")
-        return :poetry if changed_req_files.any?("pyproject.toml")
+
+        if changed_req_files.any?("pyproject.toml")
+          return :poetry if poetry_based?
+
+          return :requirements
+        end
+
         return :pip_compile if changed_req_files.any? { |f| f.end_with?(".in") }
 
         :requirements
@@ -119,6 +126,12 @@ module Dependabot
         raise "Missing required files!"
       end
 
+      def poetry_based?
+        return false unless pyproject
+
+        !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
+      end
+
       def pipfile
         @pipfile ||= get_original_file("Pipfile")
       end

data/lib/dependabot/python/helpers.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "dependabot/logger"
+
+module Dependabot
+  module Python
+    module Helpers
+      def self.install_required_python(python_version)
+        # The leading space is important in the version check
+        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_version}")
+
+        Dependabot.logger.info("Installing required Python #{python_version}.")
+        SharedHelpers.run_shell_command("pyenv install -s #{python_version}")
+        SharedHelpers.run_shell_command("pyenv exec pip install --upgrade pip")
+        SharedHelpers.run_shell_command("pyenv exec pip install -r" \
+                                        "#{NativeHelpers.python_requirements_path}")
+      end
+    end
+  end
+end

data/lib/dependabot/python/metadata_finder.rb

@@ -131,6 +131,8 @@ module Dependabot
           return @pypi_listing
         rescue JSON::ParserError
           next
+        rescue Excon::Error::Timeout
+          next
         end
 
         @pypi_listing = {} # No listing found

data/lib/dependabot/python/python_versions.rb

@@ -4,16 +4,16 @@ module Dependabot
   module Python
     module PythonVersions
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.10.5
+        3.10.7
       ).freeze
 
       # Due to an OpenSSL issue we can only install the following versions in
       # the Dependabot container.
       SUPPORTED_VERSIONS = %w(
-        3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0
-        3.9.13 3.9.12 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.2 3.9.1 3.9.0
-        3.8.13 3.8.12 3.8.11 3.8.10 3.8.9 3.8.8 3.8.7 3.8.6 3.8.5 3.8.4 3.8.3 3.8.2 3.8.1 3.8.0
-        3.7.13 3.7.12 3.7.11 3.7.10 3.7.9 3.7.8 3.7.7 3.7.6 3.7.5 3.7.4 3.7.3 3.7.2 3.7.1 3.7.0
+        3.10.7 3.10.6 3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0
+        3.9.14 3.9.13 3.9.12 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.2 3.9.1 3.9.0
+        3.8.14 3.8.13 3.8.12 3.8.11 3.8.10 3.8.9 3.8.8 3.8.7 3.8.6 3.8.5 3.8.4 3.8.3 3.8.2 3.8.1 3.8.0
+        3.7.14 3.7.13 3.7.12 3.7.11 3.7.10 3.7.9 3.7.8 3.7.7 3.7.6 3.7.5 3.7.4 3.7.3 3.7.2 3.7.1 3.7.0
         3.6.15 3.6.14 3.6.13 3.6.12 3.6.11 3.6.10 3.6.9 3.6.8 3.6.7 3.6.6 3.6.5 3.6.4 3.6.3
         3.6.2 3.6.1 3.6.0 3.5.10 3.5.8 3.5.7 3.5.6 3.5.5 3.5.4 3.5.3
       ).freeze