dependabot-python 0.358.0 → 0.359.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 48c37437d99c146971cb9ecc12889faf559a657346ca44b95a71bc06d607445a
-  data.tar.gz: 163fbc7bfcb2aecde6cbc0f95bdc33bb1cb454201b6014158a65dcc71ab22fc4
+  metadata.gz: 9b809922cec5a45858a2db5ccbc1a44616bd29e338b208ef2ce62c40cc92c5cc
+  data.tar.gz: 690573daf64882e4308e2b67962d218b050d6e35f5f2de463037c9d3bb4373f5
 SHA512:
-  metadata.gz: de34134537d989cc22bdea97b581b80e0adf85cde617690689916fbc1169e462d1fdea9c9c40369401ac2edcf4cf21015d3c399c9b4ebaafaf0fa9541109f84f
-  data.tar.gz: bf298b6e70c2fd083f89d3186a31d610ac937fe749345974edcce57f5871f97579bd215e3d5897f1b6d82e691a7a400f287c3d97241b50249d73dab2f2b1e765
+  metadata.gz: 85cbac2d3e04004f10fb8829b512c22962339aca71b3e2fe00b5b22a0af1a745cc6a0810d038f5bf084dcebd749959fb73bcf08408de67a5683a61d7eb47e121
+  data.tar.gz: f2336e9490af88f4a08ed69c4116b085d161e2e0e8ef5ea5e2e494fb1308ea5b62239761a675c4f214cd79b943a0414d7e2133a6a5e5573b4aac1ef433723a8a

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -180,10 +180,14 @@ module Dependabot
               }
             else
               check_requirements(requirement)
+              # String sources are registry name references (e.g., "custom") that reference
+              # [[tool.poetry.source]] definitions. Resolve them to proper hashes.
+              source_value = requirement.fetch("source", nil)
+              source = resolve_source(source_value)
               {
                 requirement: requirement["version"],
                 file: T.must(pyproject).name,
-                source: requirement.fetch("source", nil),
+                source: source,
                 groups: [type]
               }
             end
@@ -299,6 +303,34 @@ module Dependabot
           NameNormaliser.normalise(name)
         end
 
+        sig { params(source_value: T.untyped).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def resolve_source(source_value)
+          # Return nil if no source specified
+          return nil if source_value.nil?
+
+          # If already a hash, return as-is (handles git sources)
+          return source_value if source_value.is_a?(Hash)
+
+          # String sources are references to [[tool.poetry.source]] definitions
+          # Look up the source definition and create a hash
+          return nil unless source_value.is_a?(String)
+
+          source_name = source_value
+          poetry_sources = parsed_pyproject.dig("tool", "poetry", "source") || []
+          source_def = poetry_sources.find { |s| s["name"] == source_name }
+
+          # If source definition not found, return nil
+          return nil unless source_def
+
+          # Create a hash with type and url from the source definition
+          # Use "registry" as the type since these are package index sources
+          {
+            type: "registry",
+            url: source_def["url"],
+            name: source_name
+          }
+        end
+
         sig { returns(T.untyped) }
         def parsed_pyproject
           @parsed_pyproject ||= T.let(TomlRB.parse(T.must(pyproject).content), T.untyped)

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -1,4 +1,4 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
 require "cgi"
@@ -7,6 +7,7 @@ require "nokogiri"
 require "sorbet-runtime"
 
 require "dependabot/dependency"
+require "dependabot/git_commit_checker"
 require "dependabot/python/update_checker"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
@@ -22,6 +23,38 @@ module Dependabot
       class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
+        sig do
+          params(git_commit_checker: Dependabot::GitCommitChecker)
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
+        def latest_version_tag(git_commit_checker:)
+          return git_commit_checker.local_tag_for_latest_version unless cooldown_enabled?
+
+          allowed_version_tags = git_commit_checker.local_tags_for_allowed_versions
+          tags_in_cooldown = select_version_tags_in_cooldown_period(git_commit_checker)
+
+          return max_version_from_tags(allowed_version_tags) if tags_in_cooldown.empty?
+
+          filtered_tags = allowed_version_tags.reject do |tag|
+            tags_in_cooldown.include?(tag[:tag])
+          end
+
+          if filtered_tags.empty?
+            Dependabot.logger.info("All git tags filtered by cooldown for #{dependency.name}, returning nil")
+            return nil
+          end
+
+          filtered_count = allowed_version_tags.count - filtered_tags.count
+          if filtered_count.positive?
+            Dependabot.logger.info("Filtered #{filtered_count} git tags due to cooldown for #{dependency.name}")
+          end
+
+          max_version_from_tags(filtered_tags)
+        rescue StandardError => e
+          Dependabot.logger.error("Error fetching latest version tag: #{e.message}")
+          git_commit_checker.local_tag_for_latest_version
+        end
+
         sig do
           override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
@@ -35,7 +68,93 @@ module Dependabot
 
         sig { override.returns(T::Boolean) }
         def cooldown_enabled?
-          true
+          return false if cooldown_options.nil?
+
+          cooldown = T.must(cooldown_options)
+          cooldown.default_days.to_i.positive? ||
+            cooldown.semver_major_days.to_i.positive? ||
+            cooldown.semver_minor_days.to_i.positive? ||
+            cooldown.semver_patch_days.to_i.positive?
+        end
+
+        private
+
+        sig { params(tags: T::Array[T::Hash[Symbol, T.untyped]]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def max_version_from_tags(tags)
+          tags.max_by { |t| t[:version] }
+        end
+
+        sig { params(git_commit_checker: Dependabot::GitCommitChecker).returns(T::Array[String]) }
+        def select_version_tags_in_cooldown_period(git_commit_checker)
+          version_tags_in_cooldown_period = T.let([], T::Array[String])
+
+          git_commit_checker.refs_for_tag_with_detail.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(git_tag_with_detail)
+              version_tags_in_cooldown_period << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_period
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          []
+        end
+
+        sig { params(tag_with_detail: Dependabot::GitTagWithDetail).returns(T::Boolean) }
+        def check_if_version_in_cooldown_period?(tag_with_detail)
+          return false unless tag_with_detail.release_date
+
+          current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
+          tag_version_str = tag_with_detail.tag.delete_prefix("v")
+          return false unless version_class.correct?(tag_version_str)
+
+          new_version = version_class.new(tag_version_str)
+          days = cooldown_days_for(current_version, new_version)
+
+          passed_seconds = Time.now.to_i - release_date_to_seconds(tag_with_detail.release_date)
+          passed_seconds < days * DAY_IN_SECONDS
+        end
+
+        sig do
+          params(
+            current_version: T.nilable(Dependabot::Version),
+            new_version: Dependabot::Version
+          ).returns(Integer)
+        end
+        def cooldown_days_for(current_version, new_version)
+          return 0 unless cooldown_enabled?
+
+          cooldown = T.must(cooldown_options)
+          return 0 unless cooldown.included?(dependency.name)
+          return cooldown.default_days if current_version.nil?
+
+          current_version_semver = current_version.semver_parts
+          new_version_semver = new_version.semver_parts
+
+          return cooldown.default_days if current_version_semver.nil? || new_version_semver.nil?
+
+          current_major, current_minor, current_patch = current_version_semver
+          new_major, new_minor, new_patch = new_version_semver
+
+          return cooldown.semver_major_days if new_major > current_major
+          return cooldown.semver_minor_days if new_minor > current_minor
+          return cooldown.semver_patch_days if new_patch > current_patch
+
+          cooldown.default_days
+        end
+
+        sig { returns(T.class_of(Dependabot::Version)) }
+        def version_class
+          dependency.version_class
+        end
+
+        sig { params(release_date: T.nilable(String)).returns(Integer) }
+        def release_date_to_seconds(release_date)
+          return 0 unless release_date
+
+          Time.parse(release_date).to_i
+        rescue ArgumentError => e
+          Dependabot.logger.error("Invalid release date format: #{release_date} and error: #{e.message}")
+          0
         end
       end
     end

data/lib/dependabot/python/update_checker.rb

@@ -163,7 +163,7 @@ module Dependabot
       sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def latest_git_version_details
         @latest_git_version_details ||= T.let(
-          git_commit_checker.local_tag_for_latest_version,
+          latest_version_finder.latest_version_tag(git_commit_checker: git_commit_checker),
           T.nilable(T::Hash[Symbol, T.untyped])
         )
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.358.0
+  version: 0.359.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.358.0
+        version: 0.359.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.358.0
+        version: 0.359.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -291,7 +291,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.358.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.359.0
 rdoc_options: []
 require_paths:
 - lib