dependabot-python 0.213.0 → 0.214.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6cb23890c79504e40e7e4962485003c76c07179574ac89b210b6529d15d2c216
-  data.tar.gz: b96523f9cf991cbffc38fc2831221c43450c74ef560e8e80ff2d2bbf73c889c4
+  metadata.gz: 940ed0c4abf7f4d3a496321e4898ba9c123091d6539f86ef54d7ee74dadf3344
+  data.tar.gz: 802abe558f75bc2e98f1b88e93be85fc48f8b71774a1ff37b8ea16311381f587
 SHA512:
-  metadata.gz: 5beeac4ec63193ce095e6a5d7223c11e4e9c2ace55b3ef5c94f0011d8cb0c70fc7b364108b68cd68f656a5ed79d712b64eecbb75998714325a0f3b101169592c
-  data.tar.gz: 17ec5483c750fe4bc35490feebf418a8bd7eaf0eb2d14e2bcfc811e06f94c02f69eca71bafb589cb2d51b8a73155d3d358b97fcc6125a8fb7229b54f06a42fbe
+  metadata.gz: 523ff39717afd9636f3d2f3115d6953817ab01585e2e218233eb0439a7cc9e5ac620c4b28d429b35256530a32bff6e71a73ffdfd72587ba53c8b10b6a3070175
+  data.tar.gz: a3d05a60ad4d1b08dfe8fed7cdac12384aa49fbb3ad130008bf4748ab710df9b20a8297c99f66e33bd672717b52be32c17434b2ed253fe4bb6556cfc87941b05

data/helpers/build

@@ -18,4 +18,8 @@ cp -r \
   "$install_dir"
 
 cd "$install_dir"
-PYENV_VERSION=3.10.7 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.11.0 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.10.8 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.9.15 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.8.15 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"
+PYENV_VERSION=3.7.15 pyenv exec pip --disable-pip-version-check install --use-pep517 -r "requirements.txt"

data/helpers/lib/parser.py

@@ -49,10 +49,17 @@ def parse_pep621_dependencies(pyproject_path):
 
         return requirement_packages
 
-    dependencies = parse_toml_section_pep621_dependencies(
-        pyproject_path,
-        project_toml['dependencies']
-    )
+    dependencies = []
+
+    if 'dependencies' in project_toml:
+        dependencies_toml = project_toml['dependencies']
+
+        runtime_dependencies = parse_toml_section_pep621_dependencies(
+            pyproject_path,
+            dependencies_toml
+        )
+
+        dependencies.extend(runtime_dependencies)
 
     if 'optional-dependencies' in project_toml:
         optional_dependencies_toml = project_toml['optional-dependencies']

data/helpers/requirements.txt

@@ -1,5 +1,5 @@
 pip>=21.3.1,<22.4.0  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
-pip-tools>=6.4.0,<6.9.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
+pip-tools>=6.4.0,<6.10.1  # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
 flake8==5.0.4
 hashin==0.17.0
 pipenv==2022.4.8

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -126,7 +126,8 @@ module Dependabot
         end
 
         def using_pep621?
-          !parsed_pyproject.dig("project", "dependencies").nil?
+          !parsed_pyproject.dig("project", "dependencies").nil? ||
+            !parsed_pyproject.dig("project", "optional-dependencies").nil?
         end
 
         def using_pdm?

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -168,7 +168,7 @@ module Dependabot
         end
 
         def run_pip_compile_command(command, allow_unsafe_shell_command: false)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(
             command,
             allow_unsafe_shell_command: allow_unsafe_shell_command
@@ -198,7 +198,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name

data/lib/dependabot/python/file_updater/pipfile_file_updater.rb

@@ -133,6 +133,7 @@ module Dependabot
           content = freeze_other_dependencies(content)
           content = freeze_dependencies_being_updated(content)
           content = add_private_sources(content)
+          content = update_python_requirement(content)
           content
         end
 
@@ -142,6 +143,12 @@ module Dependabot
             freeze_top_level_dependencies_except(dependencies)
         end
 
+        def update_python_requirement(pipfile_content)
+          PipfilePreparer.
+            new(pipfile_content: pipfile_content).
+            update_python_requirement(Helpers.python_major_minor(python_version))
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def freeze_dependencies_being_updated(pipfile_content)
           pipfile_object = TomlRB.parse(pipfile_content)
@@ -246,7 +253,7 @@ module Dependabot
         def run_command(command, env: {})
           start = Time.now
           command = SharedHelpers.escape_command(command)
-          stdout, process = Open3.capture2e(env, command)
+          stdout, _, process = Open3.capture3(env, command)
           time_taken = Time.now - start
 
           # Raise an error with the output from the shell session if Pipenv
@@ -264,7 +271,7 @@ module Dependabot
         end
 
         def run_pipenv_command(command, env: pipenv_env_variables)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(command, env: env)
         end
 
@@ -276,7 +283,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name

data/lib/dependabot/python/file_updater/pipfile_preparer.rb

@@ -70,10 +70,12 @@ module Dependabot
           pipfile_object = TomlRB.parse(pipfile_content)
 
           pipfile_object["requires"] ||= {}
-          pipfile_object["requires"].delete("python_full_version")
-          pipfile_object["requires"].delete("python_version")
-          pipfile_object["requires"]["python_full_version"] = requirement
-
+          if pipfile_object.dig("requires", "python_full_version") && pipfile_object.dig("requires", "python_version")
+            pipfile_object["requires"].delete("python_full_version")
+          elsif pipfile_object.dig("requires", "python_full_version")
+            pipfile_object["requires"].delete("python_full_version")
+            pipfile_object["requires"]["python_version"] = requirement
+          end
           TomlRB.dump(pipfile_object)
         end
 

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -106,6 +106,7 @@ module Dependabot
               content = sanitize(content)
               content = freeze_other_dependencies(content)
               content = freeze_dependencies_being_updated(content)
+              content = update_python_requirement(content)
               content
             end
         end
@@ -131,6 +132,12 @@ module Dependabot
           TomlRB.dump(pyproject_object)
         end
 
+        def update_python_requirement(pyproject_content)
+          PyprojectPreparer.
+            new(pyproject_content: pyproject_content).
+            update_python_requirement(Helpers.python_major_minor(python_version))
+        end
+
         def lock_declaration_to_new_version!(poetry_object, dep)
           Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |type|
             names = poetry_object[type]&.keys || []
@@ -221,7 +228,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version) if python_version
+          File.write(".python-version", Helpers.python_major_minor(python_version)) if python_version
 
           # Overwrite the pyproject with updated content
           File.write("pyproject.toml", pyproject_content)

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -36,6 +36,17 @@ module Dependabot
           end
         end
 
+        def update_python_requirement(requirement)
+          pyproject_object = TomlRB.parse(@pyproject_content)
+          if (python_specification = pyproject_object.dig("tool", "poetry", "dependencies", "python"))
+            python_req = Python::Requirement.new(python_specification)
+            unless python_req.satisfied_by?(requirement)
+              pyproject_object["tool"]["poetry"]["dependencies"]["python"] = "~#{requirement}"
+            end
+          end
+          TomlRB.dump(pyproject_object)
+        end
+
         def sanitize
           # {{ name }} syntax not allowed
           pyproject_content.
@@ -72,6 +83,10 @@ module Dependabot
                 }
               elsif poetry_object[key][dep_name].is_a?(Hash)
                 poetry_object[key][dep_name]["version"] = locked_version
+              elsif poetry_object[key][dep_name].is_a?(Array)
+                # if it has multiple-constraints, locking to a single version is
+                # going to result in a bad lockfile, ignore
+                next
               else
                 poetry_object[key][dep_name] = locked_version
               end

data/lib/dependabot/python/helpers.rb

@@ -1,19 +1,36 @@
 # frozen_string_literal: true
 
 require "dependabot/logger"
+require "dependabot/python/version"
 
 module Dependabot
   module Python
     module Helpers
       def self.install_required_python(python_version)
         # The leading space is important in the version check
-        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_version}")
+        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_major_minor(python_version)}.")
+
+        if File.exist?("/usr/local/.pyenv/#{python_major_minor(python_version)}.tar.gz")
+          SharedHelpers.run_shell_command(
+            "tar xzf /usr/local/.pyenv/#{python_major_minor(python_version)}.tar.gz -C /usr/local/.pyenv/"
+          )
+          return if SharedHelpers.run_shell_command("pyenv versions").
+                    include?(" #{python_major_minor(python_version)}.")
+        end
 
         Dependabot.logger.info("Installing required Python #{python_version}.")
+        start = Time.now
         SharedHelpers.run_shell_command("pyenv install -s #{python_version}")
         SharedHelpers.run_shell_command("pyenv exec pip install --upgrade pip")
         SharedHelpers.run_shell_command("pyenv exec pip install -r" \
                                         "#{NativeHelpers.python_requirements_path}")
+        time_taken = Time.now - start
+        Dependabot.logger.info("Installing Python #{python_version} took #{time_taken}s.")
+      end
+
+      def self.python_major_minor(python_version)
+        python = Python::Version.new(python_version)
+        "#{python.segments[0]}.#{python.segments[1]}"
       end
     end
   end

data/lib/dependabot/python/python_versions.rb

@@ -4,18 +4,22 @@ module Dependabot
   module Python
     module PythonVersions
       PRE_INSTALLED_PYTHON_VERSIONS = %w(
-        3.10.7
+        3.11.0
       ).freeze
 
       # Due to an OpenSSL issue we can only install the following versions in
       # the Dependabot container.
+      # NOTE: When adding one version, always doublecheck for additional releases: https://www.python.org/downloads/
+      #
+      # WARNING: 3.9.3 is purposefully omitted as it was recalled: https://www.python.org/downloads/release/python-393/
       SUPPORTED_VERSIONS = %w(
-        3.10.7 3.10.6 3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0
-        3.9.14 3.9.13 3.9.12 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.2 3.9.1 3.9.0
-        3.8.14 3.8.13 3.8.12 3.8.11 3.8.10 3.8.9 3.8.8 3.8.7 3.8.6 3.8.5 3.8.4 3.8.3 3.8.2 3.8.1 3.8.0
-        3.7.14 3.7.13 3.7.12 3.7.11 3.7.10 3.7.9 3.7.8 3.7.7 3.7.6 3.7.5 3.7.4 3.7.3 3.7.2 3.7.1 3.7.0
-        3.6.15 3.6.14 3.6.13 3.6.12 3.6.11 3.6.10 3.6.9 3.6.8 3.6.7 3.6.6 3.6.5 3.6.4 3.6.3
-        3.6.2 3.6.1 3.6.0 3.5.10 3.5.8 3.5.7 3.5.6 3.5.5 3.5.4 3.5.3
+        3.11.0
+        3.10.8 3.10.7 3.10.6 3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0
+        3.9.15 3.9.14 3.9.13 3.9.12 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.2 3.9.1 3.9.0
+        3.8.15 3.8.14 3.8.13 3.8.12 3.8.11 3.8.10 3.8.9 3.8.8 3.8.7 3.8.6 3.8.5 3.8.4 3.8.3 3.8.2 3.8.1 3.8.0
+        3.7.15 3.7.14 3.7.13 3.7.12 3.7.11 3.7.10 3.7.9 3.7.8 3.7.7 3.7.6 3.7.5 3.7.4 3.7.3 3.7.2 3.7.1 3.7.0
+        3.6.15 3.6.14 3.6.13 3.6.12 3.6.11 3.6.10 3.6.9 3.6.8 3.6.7 3.6.6 3.6.5 3.6.4 3.6.3 3.6.2 3.6.1 3.6.0
+        3.5.10 3.5.8 3.5.7 3.5.6 3.5.5 3.5.4 3.5.3
       ).freeze
 
       # This list gets iterated through to find a valid version, so we have

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -112,9 +112,9 @@ module Dependabot
         end
 
         def filter_lower_versions(versions_array)
-          return versions_array unless dependency.version && version_class.correct?(dependency.version)
+          return versions_array unless dependency.numeric_version
 
-          versions_array.select { |version| version > version_class.new(dependency.version) }
+          versions_array.select { |version| version > dependency.numeric_version }
         end
 
         def filter_out_of_range_versions(versions_array)

data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb

@@ -254,7 +254,7 @@ module Dependabot
         end
 
         def run_pip_compile_command(command)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(command)
         end
 
@@ -298,7 +298,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name

data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb

@@ -290,7 +290,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version)
+          File.write(".python-version", Helpers.python_major_minor(python_version))
 
           setup_files.each do |file|
             path = file.name
@@ -341,6 +341,7 @@ module Dependabot
           content = freeze_other_dependencies(content)
           content = set_target_dependency_req(content, updated_requirement)
           content = add_private_sources(content)
+          content = update_python_requirement(content)
           content
         end
 
@@ -350,6 +351,12 @@ module Dependabot
             freeze_top_level_dependencies_except([dependency])
         end
 
+        def update_python_requirement(pipfile_content)
+          Python::FileUpdater::PipfilePreparer.
+            new(pipfile_content: pipfile_content).
+            update_python_requirement(Helpers.python_major_minor(python_version))
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def set_target_dependency_req(pipfile_content, updated_requirement)
           return pipfile_content unless updated_requirement
@@ -461,7 +468,7 @@ module Dependabot
         end
 
         def run_pipenv_command(command, env: pipenv_env_variables)
-          run_command("pyenv local #{python_version}")
+          run_command("pyenv local #{Helpers.python_major_minor(python_version)}")
           run_command(command, env: env)
         end
 

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -202,7 +202,7 @@ module Dependabot
           end
 
           # Overwrite the .python-version with updated content
-          File.write(".python-version", python_version) if python_version
+          File.write(".python-version", Helpers.python_major_minor(python_version)) if python_version
 
           # Overwrite the pyproject with updated content
           if update_pyproject

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.213.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement