dependabot-python 0.227.0 → 0.228.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb1b6edd3b3d295491ad39866fa4a7d480f9322bd60a6a05e2d9a8e7eb3c9462
-  data.tar.gz: 3b6397f0af03444908c3b87cc6dfbc173b38f0e5ae54bc5528c6588ea3e4655a
+  metadata.gz: 67fcdac9ca728ef251cf259a11a3d1efec3f037715f9587bc30896baf3abcad9
+  data.tar.gz: 00cf4ecfceeba160a6ccb95c84853f782df01f571ea17b320609205a6138e76e
 SHA512:
-  metadata.gz: 295996b49310faa8aa04502f057963a0a3e21289a800be24780fcdc38c4533d0496e88a4b9a0b6722d526e707ee51cadb30a91916a882db4fb95aa8f8f2d9ebd
-  data.tar.gz: 71b07d3ed46fe06aeecce18cf2dc42da67143be4953e9b45e051cad4e57f84332fda400b071139695847a1e7eaf8ee4c4fc6da50a03dfc9d00a81979e0ffc10c
+  metadata.gz: e320bfeef5f545705df3daf17edf15cf9633b3ed2a6438bc1cd12ec3fc66d8abd1248d20898b0a8aca1d3aaa86f1b512f951179c4708706af36d64a93b0a5933
+  data.tar.gz: 9bc806e1d363784ed23ed71d694154e8d37f967bb1d559348852fffdde381889b2f235658b5dc424c9400589483d76c08b5f1f608eb15e43e59e70bc773a266a

data/helpers/requirements.txt

@@ -1,9 +1,10 @@
-pip==23.2.0
-pip-tools==7.2.0
+pip==23.2.1
+pip-tools==7.3.0
+flake8==6.1.0
 hashin==0.17.0
 pipenv==2022.4.8
 pipfile==0.0.2
-poetry==1.5.1
+poetry==1.6.1
 
 # Some dependencies will only install if Cython is present
 Cython==3.0.0

data/lib/dependabot/python/file_fetcher.rb

@@ -4,8 +4,10 @@ require "toml-rb"
 
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/python/language_version_manager"
 require "dependabot/python/requirement_parser"
 require "dependabot/python/file_parser/pyproject_files_parser"
+require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/errors"
 
 module Dependabot

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -7,6 +7,7 @@ require "dependabot/file_parsers/base/dependency_set"
 require "dependabot/python/file_parser"
 require "dependabot/python/requirement"
 require "dependabot/errors"
+require "dependabot/python/helpers"
 require "dependabot/python/name_normaliser"
 
 module Dependabot
@@ -44,16 +45,20 @@ module Dependabot
         end
 
         def poetry_dependencies
+          @poetry_dependencies ||= parse_poetry_dependencies
+        end
+
+        def parse_poetry_dependencies
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           POETRY_DEPENDENCY_TYPES.each do |type|
             deps_hash = parsed_pyproject.dig("tool", "poetry", type) || {}
-            dependencies += parse_poetry_dependencies(type, deps_hash)
+            dependencies += parse_poetry_dependency_group(type, deps_hash)
           end
 
           groups = parsed_pyproject.dig("tool", "poetry", "group") || {}
           groups.each do |group, group_spec|
-            dependencies += parse_poetry_dependencies(group, group_spec["dependencies"])
+            dependencies += parse_poetry_dependency_group(group, group_spec["dependencies"])
           end
           dependencies
         end
@@ -92,7 +97,7 @@ module Dependabot
           dependencies
         end
 
-        def parse_poetry_dependencies(type, deps_hash)
+        def parse_poetry_dependency_group(type, deps_hash)
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           deps_hash.each do |name, req|
@@ -154,14 +159,16 @@ module Dependabot
           parsed_lockfile.fetch("package", []).each do |details|
             next if source_types.include?(details.dig("source", "type"))
 
+            name = normalise(details.fetch("name"))
+
             dependencies <<
               Dependency.new(
-                name: normalise(details.fetch("name")),
+                name: name,
                 version: details.fetch("version"),
                 requirements: [],
                 package_manager: "pip",
                 subdependency_metadata: [{
-                  production: details["category"] != "dev"
+                  production: production_dependency_names.include?(name)
                 }]
               )
           end
@@ -169,6 +176,32 @@ module Dependabot
           dependencies
         end
 
+        def production_dependency_names
+          @production_dependency_names ||= parse_production_dependency_names
+        end
+
+        def parse_production_dependency_names
+          SharedHelpers.in_a_temporary_directory do
+            File.write(pyproject.name, pyproject.content)
+            File.write(lockfile.name, lockfile.content)
+
+            begin
+              output = Helpers.run_poetry_command("pyenv exec poetry show --only main")
+
+              output.split("\n").map { |line| line.split.first }
+            rescue SharedHelpers::HelperSubprocessFailed
+              # Sometimes, we may be dealing with an old lockfile that our
+              # poetry version can't show dependency information for. Other
+              # commands we use like `poetry update` are more resilient and
+              # automatically heal the lockfile. So we rescue the error and make
+              # a best effort approach to this.
+              poetry_dependencies.dependencies.filter_map do |dep|
+                dep.name if dep.production?
+              end
+            end
+          end
+        end
+
         def version_from_lockfile(dep_name)
           return unless parsed_lockfile
 
@@ -228,7 +261,7 @@ module Dependabot
         end
 
         def parsed_lockfile
-          return parsed_poetry_lock if poetry_lock
+          parsed_poetry_lock if poetry_lock
         end
 
         def poetry_lock

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -8,8 +8,8 @@ require "dependabot/python/language_version_manager"
 require "dependabot/python/version"
 require "dependabot/python/requirement"
 require "dependabot/python/file_parser/python_requirement_parser"
-require "dependabot/python/file_parser/subdependency_type_parser"
 require "dependabot/python/file_updater"
+require "dependabot/python/helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/name_normaliser"
 
@@ -95,6 +95,12 @@ module Dependabot
             begin
               new_lockfile = updated_lockfile_content_for(prepared_pyproject)
 
+              original_locked_python = TomlRB.parse(lockfile.content)["metadata"]["python-versions"]
+
+              new_lockfile.gsub!(/\[metadata\]\n.*python-versions[^\n]+\n/m) do |match|
+                match.gsub(/(["']).*(['"])\n\Z/, '\1' + original_locked_python + '\1' + "\n")
+              end
+
               tmp_hash =
                 TomlRB.parse(new_lockfile)["metadata"]["content-hash"]
               correct_hash = pyproject_hash_for(updated_pyproject_content)
@@ -139,7 +145,7 @@ module Dependabot
         def update_python_requirement(pyproject_content)
           PyprojectPreparer.
             new(pyproject_content: pyproject_content).
-            update_python_requirement(language_version_manager.python_major_minor)
+            update_python_requirement(language_version_manager.python_version)
         end
 
         def lock_declaration_to_new_version!(poetry_object, dep)
@@ -157,7 +163,7 @@ module Dependabot
         end
 
         def create_declaration_at_new_version!(poetry_object, dep)
-          subdep_type = subdependency_type_parser.subdep_type(dep)
+          subdep_type = dep.production? ? "dependencies" : "dev-dependencies"
 
           poetry_object[subdep_type] ||= {}
           poetry_object[subdep_type][dep.name] = dep.version
@@ -197,24 +203,7 @@ module Dependabot
         end
 
         def run_poetry_command(command, fingerprint: nil)
-          start = Time.now
-          command = SharedHelpers.escape_command(command)
-          stdout, process = Open3.capture2e(command)
-          time_taken = Time.now - start
-
-          # Raise an error with the output from the shell session if Pipenv
-          # returns a non-zero status
-          return if process.success?
-
-          raise SharedHelpers::HelperSubprocessFailed.new(
-            message: stdout,
-            error_context: {
-              command: command,
-              fingerprint: fingerprint,
-              time_taken: time_taken,
-              process_exit_value: process.to_s
-            }
-          )
+          Helpers.run_poetry_command(command, fingerprint: fingerprint)
         end
 
         def write_temporary_dependency_files(pyproject_content)
@@ -291,13 +280,6 @@ module Dependabot
             )
         end
 
-        def subdependency_type_parser
-          @subdependency_type_parser ||=
-            FileParser::PoetrySubdependencyTypeParser.new(
-              lockfile: lockfile
-            )
-        end
-
         def language_version_manager
           @language_version_manager ||=
             LanguageVersionManager.new(

data/lib/dependabot/python/helpers.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require "time"
+require "open3"
+
+require "dependabot/errors"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Python
+    module Helpers
+      def self.run_poetry_command(command, fingerprint: nil)
+        start = Time.now
+        command = SharedHelpers.escape_command(command)
+        stdout, stderr, process = Open3.capture3(command)
+        time_taken = Time.now - start
+
+        # Raise an error with the output from the shell session if Poetry
+        # returns a non-zero status
+        return stdout if process.success?
+
+        raise SharedHelpers::HelperSubprocessFailed.new(
+          message: stderr,
+          error_context: {
+            command: command,
+            fingerprint: fingerprint,
+            time_taken: time_taken,
+            process_exit_value: process.to_s
+          }
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/python/language_version_manager.rb

@@ -43,10 +43,8 @@ module Dependabot
           else
             user_specified_python_version
           end
-        elsif python_version_matching_imputed_requirements
-          python_version_matching_imputed_requirements
         else
-          PythonVersions::PRE_INSTALLED_PYTHON_VERSIONS.first
+          python_version_matching_imputed_requirements || PRE_INSTALLED_PYTHON_VERSIONS.first
         end
       end
 

data/lib/dependabot/python/update_checker/index_finder.rb

@@ -118,6 +118,9 @@ module Dependabot
             []
 
           sources.each do |source|
+            # If source is PyPI, skip it, and let it pick the default URI
+            next if source["name"].casecmp?("PyPI")
+
             if source["default"]
               urls[:main] = source["url"]
             else

data/lib/dependabot/python/update_checker/pipenv_version_resolver.rb

@@ -39,7 +39,7 @@ module Dependabot
 
         UNSUPPORTED_DEPS = %w(pyobjc).freeze
         UNSUPPORTED_DEP_REGEX =
-          /Could not find a version that satisfies the requirement.*(?:#{UNSUPPORTED_DEPS.join("|")})/
+          /Could not find a version that satisfies the requirement.*(?:#{UNSUPPORTED_DEPS.join('|')})/
         PIPENV_RANGE_WARNING = /Warning:\sPython\s[<>].* was not found/
         # rubocop:enable Layout/LineLength
 
@@ -207,15 +207,13 @@ module Dependabot
         # errors when failing to update
         def check_original_requirements_resolvable
           SharedHelpers.in_a_temporary_directory do
-            SharedHelpers.with_git_configured(credentials: credentials) do
-              write_temporary_dependency_files(update_pipfile: false)
+            write_temporary_dependency_files(update_pipfile: false)
 
-              run_pipenv_command("pyenv exec pipenv lock")
+            run_pipenv_command("pyenv exec pipenv lock")
 
-              true
-            rescue SharedHelpers::HelperSubprocessFailed => e
-              handle_pipenv_errors_resolving_original_reqs(e)
-            end
+            true
+          rescue SharedHelpers::HelperSubprocessFailed => e
+            handle_pipenv_errors_resolving_original_reqs(e)
           end
         end
 

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -9,11 +9,11 @@ require "dependabot/errors"
 require "dependabot/shared_helpers"
 require "dependabot/python/file_parser"
 require "dependabot/python/file_parser/python_requirement_parser"
-require "dependabot/python/file_parser/subdependency_type_parser"
 require "dependabot/python/file_updater/pyproject_preparer"
 require "dependabot/python/update_checker"
 require "dependabot/python/version"
 require "dependabot/python/requirement"
+require "dependabot/python/helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/authed_url_builder"
 require "dependabot/python/name_normaliser"
@@ -156,20 +156,18 @@ module Dependabot
           return @original_reqs_resolvable if @original_reqs_resolvable
 
           SharedHelpers.in_a_temporary_directory do
-            SharedHelpers.with_git_configured(credentials: credentials) do
-              write_temporary_dependency_files(update_pyproject: false)
+            write_temporary_dependency_files(update_pyproject: false)
 
-              run_poetry_update_command
+            run_poetry_update_command
 
-              @original_reqs_resolvable = true
-            rescue SharedHelpers::HelperSubprocessFailed => e
-              raise unless e.message.include?("SolverProblemError") ||
-                           e.message.include?("not found") ||
-                           e.message.include?("version solving failed.")
+            @original_reqs_resolvable = true
+          rescue SharedHelpers::HelperSubprocessFailed => e
+            raise unless e.message.include?("SolverProblemError") ||
+                         e.message.include?("not found") ||
+                         e.message.include?("version solving failed.")
 
-              msg = clean_error_message(e.message)
-              raise DependencyFileNotResolvable, msg
-            end
+            msg = clean_error_message(e.message)
+            raise DependencyFileNotResolvable, msg
           end
         end
 
@@ -231,7 +229,7 @@ module Dependabot
         def update_python_requirement(pyproject_content)
           Python::FileUpdater::PyprojectPreparer.
             new(pyproject_content: pyproject_content).
-            update_python_requirement(language_version_manager.python_major_minor)
+            update_python_requirement(language_version_manager.python_version)
         end
 
         def freeze_other_dependencies(pyproject_content)
@@ -260,8 +258,6 @@ module Dependabot
 
           # If this is a sub-dependency, add the new requirement
           unless dependency.requirements.find { |r| r[:file] == pyproject.name }
-            subdep_type = subdependency_type_parser.subdep_type(dependency)
-
             poetry_object[subdep_type] ||= {}
             poetry_object[subdep_type][dependency.name] = updated_requirement
           end
@@ -281,6 +277,10 @@ module Dependabot
           end
         end
 
+        def subdep_type
+          dependency.production? ? "dependencies" : "dev-dependencies"
+        end
+
         def python_requirement_parser
           @python_requirement_parser ||=
             FileParser::PythonRequirementParser.new(
@@ -288,13 +288,6 @@ module Dependabot
             )
         end
 
-        def subdependency_type_parser
-          @subdependency_type_parser ||=
-            FileParser::PoetrySubdependencyTypeParser.new(
-              lockfile: lockfile
-            )
-        end
-
         def language_version_manager
           @language_version_manager ||=
             LanguageVersionManager.new(
@@ -315,24 +308,7 @@ module Dependabot
         end
 
         def run_poetry_command(command, fingerprint: nil)
-          start = Time.now
-          command = SharedHelpers.escape_command(command)
-          stdout, process = Open3.capture2e(command)
-          time_taken = Time.now - start
-
-          # Raise an error with the output from the shell session if poetry
-          # returns a non-zero status
-          return if process.success?
-
-          raise SharedHelpers::HelperSubprocessFailed.new(
-            message: stdout,
-            error_context: {
-              command: command,
-              fingerprint: fingerprint,
-              time_taken: time_taken,
-              process_exit_value: process.to_s
-            }
-          )
+          Helpers.run_poetry_command(command, fingerprint: fingerprint)
         end
 
         def normalise(name)

data/lib/dependabot/python/update_checker.rb

@@ -257,7 +257,7 @@ module Dependabot
       end
 
       def library?
-        return unless updating_pyproject?
+        return false unless updating_pyproject?
 
         # Hit PyPi and check whether there are details for a library with a
         # matching name and description

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.227.0
+  version: 0.228.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-18 00:00:00.000000000 Z
+date: 2023-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.227.0
+        version: 0.228.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.227.0
+        version: 0.228.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.50.0
+        version: 1.56.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.50.0
+        version: 1.56.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -200,7 +200,6 @@ files:
 - lib/dependabot/python/file_parser/pyproject_files_parser.rb
 - lib/dependabot/python/file_parser/python_requirement_parser.rb
 - lib/dependabot/python/file_parser/setup_file_parser.rb
-- lib/dependabot/python/file_parser/subdependency_type_parser.rb
 - lib/dependabot/python/file_updater.rb
 - lib/dependabot/python/file_updater/pip_compile_file_updater.rb
 - lib/dependabot/python/file_updater/pipfile_file_updater.rb
@@ -211,6 +210,7 @@ files:
 - lib/dependabot/python/file_updater/requirement_file_updater.rb
 - lib/dependabot/python/file_updater/requirement_replacer.rb
 - lib/dependabot/python/file_updater/setup_file_sanitizer.rb
+- lib/dependabot/python/helpers.rb
 - lib/dependabot/python/language_version_manager.rb
 - lib/dependabot/python/metadata_finder.rb
 - lib/dependabot/python/name_normaliser.rb
@@ -231,7 +231,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.227.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.228.0
 post_install_message: 
 rdoc_options: []
 require_paths:

data/lib/dependabot/python/file_parser/subdependency_type_parser.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-require "toml-rb"
-require "dependabot/python/file_parser"
-require "dependabot/python/name_normaliser"
-
-module Dependabot
-  module Python
-    class FileParser
-      class PoetrySubdependencyTypeParser
-        def initialize(lockfile:)
-          @lockfile = lockfile
-        end
-
-        def subdep_type(dep)
-          category =
-            TomlRB.parse(lockfile.content).fetch("package", []).
-            find { |dets| normalise(dets.fetch("name")) == dep.name }.
-            fetch("category")
-
-          category == "dev" ? "dev-dependencies" : "dependencies"
-        end
-
-        private
-
-        attr_reader :lockfile
-
-        def normalise(name)
-          NameNormaliser.normalise(name)
-        end
-      end
-    end
-  end
-end