RubyGems - dependabot-python - Versions diffs - 0.275.0 → 0.276.0 - Mend

dependabot-python 0.275.0 → 0.276.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/python/update_checker/latest_version_finder.rb +11 -0
data/lib/dependabot/python/update_checker/poetry_version_resolver.rb +58 -0
metadata +5 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0626084dc83e808fbf8f28e59811aa2c01be03d7735e36f1c60df096d40fe25a'
-  data.tar.gz: a0d8c1d862fa9ce282e216c4a2fc7d0a68ea717cd5b13c8c19b08309254b91ff
+  metadata.gz: b0c0ebe17176ecc264d11ac2b7e4a4b569f89d9caef5d82855c804045c23c2f2
+  data.tar.gz: caa6f4908c81929629fa4df74457c3ef18d67533eec81b0863f0b5b5d366ea52
 SHA512:
-  metadata.gz: a917f63eabb8f58bffb7884bd142eb547ae9dddd14f4195ed76907f5d336a01532094716668311d6b79c87296f49177a66cecfcfa8efec2e4087f5409a071635
-  data.tar.gz: 925475e32323452a63d91a773c893db2e5e1fa72083e6c0be215c3ab8eb9cf6ccba2109946a3d9fdc9aecb36bc390284c345a93d5cd45cf0981655d443868dd8
+  metadata.gz: 0237ca31de163f73dc570289e2f103d4d1400fd6ca65adadd2ea9e8bb648d10a25500969513236cfc9c3047339ced25f5188101b15128ce584c95991f458957b
+  data.tar.gz: 677869a2cda25d91e93c3cf7dd6a6174e1c471c0f4234ece66e5231ac52864c283a1c740d2d5b4b2c40589a77440c2868e47ce38969cf277059431a4731e4550

data/lib/dependabot/python/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -175,6 +175,8 @@ module Dependabot
         def available_versions
           @available_versions ||=
             index_urls.flat_map do |index_url|
+              validate_index(index_url)
               sanitized_url = index_url.gsub(%r{(?<=//).*(?=@)}, "redacted")
               index_response = registry_response_for_dependency(index_url)
@@ -283,6 +285,15 @@ module Dependabot
         def requirement_class
           dependency.requirement_class
         end
+        def validate_index(index_url)
+          sanitized_url = index_url.gsub(%r{(?<=//).*(?=@)}, "redacted")
+          return if index_url&.match?(URI::DEFAULT_PARSER.regexp[:ABS_URI])
+          raise Dependabot::DependencyFileNotResolvable,
+                "Invalid URL: #{sanitized_url}"
+        end
       end
     end
   end

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb CHANGED Viewed

@@ -23,6 +23,9 @@ module Dependabot
     class UpdateChecker
       # This class does version resolution for pyproject.toml files.
       class PoetryVersionResolver
+        extend T::Sig
+        extend T::Helpers
         GIT_REFERENCE_NOT_FOUND_REGEX = /
           (Failed to checkout
           (?<tag>.+?)
@@ -38,16 +41,23 @@ module Dependabot
           \s+check\syour\sgit\sconfiguration
         /mx
+        INCOMPATIBLE_CONSTRAINTS = /Incompatible constraints in requirements of (?<dep>.+?) ((?<ver>.+?)):/
         attr_reader :dependency
         attr_reader :dependency_files
         attr_reader :credentials
         attr_reader :repo_contents_path
+        sig { returns(Dependabot::Python::PoetryErrorHandler) }
+        attr_reader :error_handler
         def initialize(dependency:, dependency_files:, credentials:, repo_contents_path:)
           @dependency               = dependency
           @dependency_files         = dependency_files
           @credentials              = credentials
           @repo_contents_path       = repo_contents_path
+          @error_handler = PoetryErrorHandler.new(dependencies: dependency,
+                                                  dependency_files: dependency_files)
         end
         def latest_resolvable_version(requirement: nil)
@@ -115,6 +125,8 @@ module Dependabot
         # rubocop:disable Metrics/AbcSize
         def handle_poetry_errors(error)
+          error_handler.handle_poetry_error(error)
           if error.message.gsub(/\s/, "").match?(GIT_REFERENCE_NOT_FOUND_REGEX)
             message = error.message.gsub(/\s/, "")
             match = message.match(GIT_REFERENCE_NOT_FOUND_REGEX)
@@ -322,5 +334,51 @@ module Dependabot
         end
       end
     end
+    class PoetryErrorHandler < UpdateChecker
+      extend T::Sig
+      # if a valid config value is not found in project.toml file
+      INVALID_CONFIGURATION = /The Poetry configuration is invalid:(?<config>.*)/
+      # if .toml has incorrect version specification i.e. <0.2.0app
+      INVALID_VERSION = /Could not parse version constraint: (?<ver>.*)/
+      # dependency source link not accessible
+      INVALID_LINK = /No valid distribution links found for package: "(?<dep>.*)" version: "(?<ver>.*)"/
+      sig do
+        params(
+          dependencies: Dependabot::Dependency,
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
+      def initialize(dependencies:, dependency_files:)
+        @dependencies = dependencies
+        @dependency_files = dependency_files
+      end
+      private
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependencies
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+      public
+      sig { params(error: Exception).void }
+      def handle_poetry_error(error)
+        Dependabot.logger.warn(error.message)
+        if (msg = error.message.match(PoetryVersionResolver::INCOMPATIBLE_CONSTRAINTS) ||
+            error.message.match(INVALID_CONFIGURATION) || error.message.match(INVALID_VERSION) ||
+            error.message.match(INVALID_LINK))
+          raise DependencyFileNotResolvable, msg
+        end
+      end
+    end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.275.0
+  version: 0.276.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-12 00:00:00.000000000 Z
+date: 2024-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.275.0
+        version: 0.276.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.275.0
+        version: 0.276.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -288,7 +288,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.275.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.276.0
 post_install_message:
 rdoc_options: []
 require_paths: