dependabot-python 0.263.0 → 0.264.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (9) hide show
  1. checksums.yaml +4 -4
  2. data/helpers/requirements.txt +1 -1
  3. data/lib/dependabot/python/authed_url_builder.rb +1 -0
  4. data/lib/dependabot/python/file_fetcher.rb +2 -2
  5. data/lib/dependabot/python/file_updater.rb +30 -8
  6. data/lib/dependabot/python/pip_compile_file_matcher.rb +9 -3
  7. data/lib/dependabot/python/requirement.rb +7 -2
  8. data/lib/dependabot/python/update_checker/requirements_updater.rb +5 -5
  9. metadata +5 -5
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1799b305706f2d88b8fccdc347184c8a4f26b48695225404726c70282f8bc239
4
- data.tar.gz: 03bbe3af68c64485cb54c881b701677683dccb097b99aa7a01a12ed9a0596431
3
+ metadata.gz: 1b32f97adeb9b92870d0508a7ad61f27cff4aa25720961201c4b3768c1d7f13d
4
+ data.tar.gz: 2eb54348ac4bae2685050f6f7aade5b1880d8cbeec0ab8426124573463895fb2
5
5
  SHA512:
6
- metadata.gz: 9f2b3eb22d5beb8dcd799e96399a96dbdbdc07f8bf3b4f930adcb0fd856185ed2f06466a63a2403ae00a39ee98fad5c1121c9f2297eaff43d51409e99f2cac5f
7
- data.tar.gz: db2e6f7123ef9fefe4e8d36a5cebf46ec4c7ee3bd3a2708e2013fb8bfe3942651a44b18dfc997cc845e0d3e73a89f1bb6375c5c3cc8a797517eb6e7711d5d777
6
+ metadata.gz: 2781b289d9dbc5cc631325448adbe2c620a8e8e6e529752babbc3314655886f05a3426c9e5ebfe14cfe12bf0fb89fd749b1dbd4d5b4ddfad242f9c4320d6226a
7
+ data.tar.gz: 4cafc74f705b401b5d5ea1f0045db4d90365530acd4b62dfe22279ea5b6881cf3178249d0697f8fad7bb294f89be70890c815ab4a34db88e310b57f3a951d4cf
data/helpers/requirements.txt CHANGED
@@ -4,7 +4,7 @@ flake8==7.1.0
4
4
  hashin==1.0.1
5
5
  pipenv==2023.12.1
6
6
  plette==2.1.0
7
- poetry==1.8.2
7
+ poetry==1.8.3
8
8
  # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
9
9
  toml==0.10.2
10
10
 
data/lib/dependabot/python/authed_url_builder.rb CHANGED
@@ -7,6 +7,7 @@ module Dependabot
7
7
  def self.authed_url(credential:)
8
8
  token = credential.fetch("token", nil)
9
9
  url = credential.fetch("index-url", nil)
10
+ return "" unless url
10
11
  return url unless token
11
12
 
12
13
  basic_auth_details =
data/lib/dependabot/python/file_fetcher.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "toml-rb"
@@ -139,7 +139,7 @@ module Dependabot
139
139
 
140
140
  # Check the top-level for a .python-version file, too
141
141
  reverse_path = Pathname.new(directory[0]).relative_path_from(directory)
142
- @python_version_file ||=
142
+ @python_version_file =
143
143
  fetch_support_file(File.join(reverse_path, ".python-version"))
144
144
  &.tap { |f| f.name = ".python-version" }
145
145
  end
data/lib/dependabot/python/file_updater.rb CHANGED
@@ -1,19 +1,23 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "toml-rb"
5
5
  require "dependabot/file_updaters"
6
6
  require "dependabot/file_updaters/base"
7
7
  require "dependabot/shared_helpers"
8
+ require "sorbet-runtime"
8
9
 
9
10
  module Dependabot
10
11
  module Python
11
12
  class FileUpdater < Dependabot::FileUpdaters::Base
13
+ extend T::Sig
14
+
12
15
  require_relative "file_updater/pipfile_file_updater"
13
16
  require_relative "file_updater/pip_compile_file_updater"
14
17
  require_relative "file_updater/poetry_file_updater"
15
18
  require_relative "file_updater/requirement_file_updater"
16
19
 
20
+ sig { override.returns(T::Array[Regexp]) }
17
21
  def self.updated_files_regex
18
22
  [
19
23
  /^Pipfile$/,
@@ -27,6 +31,7 @@ module Dependabot
27
31
  ]
28
32
  end
29
33
 
34
+ sig { override.returns(T::Array[DependencyFile]) }
30
35
  def updated_dependency_files
31
36
  updated_files =
32
37
  case resolver_type
@@ -48,6 +53,8 @@ module Dependabot
48
53
  private
49
54
 
50
55
  # rubocop:disable Metrics/PerceivedComplexity
56
+
57
+ sig { returns(Symbol) }
51
58
  def resolver_type
52
59
  reqs = dependencies.flat_map(&:requirements)
53
60
  changed_reqs = reqs.zip(dependencies.flat_map(&:previous_requirements))
@@ -76,6 +83,7 @@ module Dependabot
76
83
  end
77
84
  # rubocop:enable Metrics/PerceivedComplexity
78
85
 
86
+ sig { returns(Symbol) }
79
87
  def subdependency_resolver
80
88
  return :pipfile if pipfile_lock
81
89
  return :poetry if poetry_lock
@@ -84,6 +92,7 @@ module Dependabot
84
92
  raise "Claimed to be a sub-dependency, but no lockfile exists!"
85
93
  end
86
94
 
95
+ sig { returns(T::Array[DependencyFile]) }
87
96
  def updated_pipfile_based_files
88
97
  PipfileFileUpdater.new(
89
98
  dependencies: dependencies,
@@ -93,6 +102,7 @@ module Dependabot
93
102
  ).updated_dependency_files
94
103
  end
95
104
 
105
+ sig { returns(T::Array[DependencyFile]) }
96
106
  def updated_poetry_based_files
97
107
  PoetryFileUpdater.new(
98
108
  dependencies: dependencies,
@@ -101,6 +111,7 @@ module Dependabot
101
111
  ).updated_dependency_files
102
112
  end
103
113
 
114
+ sig { returns(T::Array[DependencyFile]) }
104
115
  def updated_pip_compile_based_files
105
116
  PipCompileFileUpdater.new(
106
117
  dependencies: dependencies,
@@ -110,6 +121,7 @@ module Dependabot
110
121
  ).updated_dependency_files
111
122
  end
112
123
 
124
+ sig { returns(T::Array[DependencyFile]) }
113
125
  def updated_requirement_based_files
114
126
  RequirementFileUpdater.new(
115
127
  dependencies: dependencies,
@@ -119,6 +131,7 @@ module Dependabot
119
131
  ).updated_dependency_files
120
132
  end
121
133
 
134
+ sig { returns(T::Array[String]) }
122
135
  def pip_compile_index_urls
123
136
  if credentials.any?(&:replaces_base?)
124
137
  credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
@@ -130,6 +143,7 @@ module Dependabot
130
143
  end
131
144
  end
132
145
 
146
+ sig { override.void }
133
147
  def check_required_files
134
148
  filenames = dependency_files.map(&:name)
135
149
  return if filenames.any? { |name| name.end_with?(".txt", ".in") }
@@ -141,31 +155,39 @@ module Dependabot
141
155
  raise "Missing required files!"
142
156
  end
143
157
 
158
+ sig { returns(T::Boolean) }
144
159
  def poetry_based?
145
160
  return false unless pyproject
146
161
 
147
- !TomlRB.parse(pyproject.content).dig("tool", "poetry").nil?
162
+ !TomlRB.parse(pyproject&.content).dig("tool", "poetry").nil?
148
163
  end
149
164
 
165
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
150
166
  def pipfile
151
- @pipfile ||= get_original_file("Pipfile")
167
+ @pipfile ||= T.let(get_original_file("Pipfile"), T.nilable(Dependabot::DependencyFile))
152
168
  end
153
169
 
170
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
154
171
  def pipfile_lock
155
- @pipfile_lock ||= get_original_file("Pipfile.lock")
172
+ @pipfile_lock ||= T.let(get_original_file("Pipfile.lock"), T.nilable(Dependabot::DependencyFile))
156
173
  end
157
174
 
175
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
158
176
  def pyproject
159
- @pyproject ||= get_original_file("pyproject.toml")
177
+ @pyproject ||= T.let(get_original_file("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
160
178
  end
161
179
 
180
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
162
181
  def poetry_lock
163
- @poetry_lock ||= get_original_file("poetry.lock")
182
+ @poetry_lock ||= T.let(get_original_file("poetry.lock"), T.nilable(Dependabot::DependencyFile))
164
183
  end
165
184
 
185
+ sig { returns(T::Array[DependencyFile]) }
166
186
  def pip_compile_files
167
- @pip_compile_files ||=
168
- dependency_files.select { |f| f.name.end_with?(".in") }
187
+ @pip_compile_files ||= T.let(
188
+ dependency_files.select { |f| f.name.end_with?(".in") },
189
+ T.nilable(T::Array[DependencyFile])
190
+ )
169
191
  end
170
192
  end
171
193
  end
data/lib/dependabot/python/pip_compile_file_matcher.rb CHANGED
@@ -1,29 +1,35 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Dependabot
5
5
  module Python
6
6
  class PipCompileFileMatcher
7
+ extend T::Sig
8
+
9
+ sig { params(requirements_in_files: T::Array[Dependabot::Python::Requirement]).void }
7
10
  def initialize(requirements_in_files)
8
11
  @requirements_in_files = requirements_in_files
9
12
  end
10
13
 
14
+ sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
11
15
  def lockfile_for_pip_compile_file?(file)
12
16
  return false unless requirements_in_files.any?
13
17
 
14
18
  name = file.name
15
19
  return false unless name.end_with?(".txt")
16
20
 
17
- return true if file.content.match?(output_file_regex(name))
21
+ return true if file.content&.match?(output_file_regex(name))
18
22
 
19
23
  basename = name.gsub(/\.txt$/, "")
20
- requirements_in_files.any? { |f| f.name == basename + ".in" }
24
+ requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
21
25
  end
22
26
 
23
27
  private
24
28
 
29
+ sig { returns(T::Array[Dependabot::Python::Requirement]) }
25
30
  attr_reader :requirements_in_files
26
31
 
32
+ sig { params(filename: T.any(String, Symbol)).returns(String) }
27
33
  def output_file_regex(filename)
28
34
  "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
29
35
  end
data/lib/dependabot/python/requirement.rb CHANGED
@@ -20,6 +20,11 @@ module Dependabot
20
20
  "===" => ->(v, r) { v.to_s == r.to_s }
21
21
  )
22
22
 
23
+ # Override the lower bound logic for bump versions strategy.
24
+ BUMP_VERSIONS_OPS = OPS.merge(
25
+ ">=" => ->(v, r) { v.to_s == r.to_s }
26
+ )
27
+
23
28
  quoted = OPS.keys.sort_by(&:length).reverse
24
29
  .map { |k| Regexp.quote(k) }.join("|")
25
30
  version_pattern = Python::Version::VERSION_PATTERN
@@ -78,10 +83,10 @@ module Dependabot
78
83
  super(requirements)
79
84
  end
80
85
 
81
- def satisfied_by?(version)
86
+ def satisfied_by?(version, ops = OPS)
82
87
  version = Python::Version.new(version.to_s)
83
88
 
84
- requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
89
+ requirements.all? { |op, rv| (ops[op] || ops["="]).call(version, rv) }
85
90
  end
86
91
 
87
92
  def exact?
data/lib/dependabot/python/update_checker/requirements_updater.rb CHANGED
@@ -278,14 +278,14 @@ module Dependabot
278
278
  requirement_strings.map { |r| requirement_class.new(r) }
279
279
 
280
280
  updated_requirement_strings = ruby_requirements.flat_map do |r|
281
- next r.to_s if r.satisfied_by?(latest_resolvable_version)
281
+ next r.to_s if r.satisfied_by?(latest_resolvable_version, Requirement::BUMP_VERSIONS_OPS)
282
282
 
283
283
  case op = r.requirements.first.first
284
284
  when "<"
285
- "<" + update_greatest_version(r.requirements.first.last, latest_resolvable_version)
286
- when "<="
287
- "<=" + latest_resolvable_version.to_s
288
- when "!=", ">", ">="
285
+ "#{op}#{update_greatest_version(r.requirements.first.last, latest_resolvable_version)}"
286
+ when "<=", ">="
287
+ "#{op}#{latest_resolvable_version}"
288
+ when "!=", ">"
289
289
  raise UnfixableRequirement
290
290
  else
291
291
  raise "Unexpected op for unsatisfied requirement: #{op}"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-python
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.263.0
4
+ version: 0.264.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-27 00:00:00.000000000 Z
11
+ date: 2024-07-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.263.0
19
+ version: 0.264.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.263.0
26
+ version: 0.264.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -288,7 +288,7 @@ licenses:
288
288
  - MIT
289
289
  metadata:
290
290
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
291
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.263.0
291
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
292
292
  post_install_message:
293
293
  rdoc_options: []
294
294
  require_paths: