dependabot-python 0.368.0 → 0.369.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b03d84191a73f9cd803b3db1fd32bc70638a4f607c2e9424a3900f143119f5f
-  data.tar.gz: 6d04a235c38eb76a1a86eb2f60e2f34c80c82ff5f342d997ff3c8a25011e42f3
+  metadata.gz: 64cdd01e07bc2f6472a1027884006af4c7df3648168f04135c7b91cdf5530f14
+  data.tar.gz: b5610dc0420858f42cb23a8462abcd7ebd4b9b1aab8be3ca28233a99c239982c
 SHA512:
-  metadata.gz: 793a849e50f2162b65f1da65521dfb7450081b84507fbb4134145ab5c72b63a916a59c68602bf41dea530d373cb0d2dd5e9a38fee9b6a5347b17848a8891054f
-  data.tar.gz: db96c2fd7be7c4b6ac473f29dc429f3c4163fb2dd38d4b1d48c19ea62727022ff6822166dd10e9c4a680eae24bc5f16f447bf9f8ec55b7909b8ae663698b29c6
+  metadata.gz: f4cb556708bba8d54dc3d04495d021e4808cf5651184ed9fe2d1b65d6b1114c688f92d9be8ab8fae6e96d818643ce4c4824db5971dc2fabf55370b6ffff26f39
+  data.tar.gz: 64514c6fad289e34af6bdbaeecc25f8ff815ba193d77088a86fa3399c9379ab1cad740ff0f18ae0ac176e85375714e15f36ceae638b96d6e2714f425ce86cd96

data/helpers/build

@@ -17,6 +17,10 @@ cp -r \
   "$helpers_dir/requirements.txt" \
   "$install_dir"
 
+if [ -d "$helpers_dir/test" ]; then
+  cp -r "$helpers_dir/test" "$install_dir"
+fi
+
 cd "$install_dir"
 PYENV_VERSION=$1 pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r "requirements.txt"
 

data/helpers/requirements.txt

@@ -5,6 +5,7 @@ hashin==1.0.5
 pipenv==2024.4.1
 plette==2.1.0
 poetry==2.2.1
+pytest==8.3.5
 # TODO: Replace 3p package `tomli` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 tomli==2.2.1
 

data/helpers/test/fixtures/no_dependencies.toml

@@ -0,0 +1,3 @@
+[project]
+name = "myapp"
+version = "1.0.0"

data/helpers/test/fixtures/pep621_arbitrary_equality.toml

@@ -0,0 +1,7 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = [
+    "numpy===1.24.0rc1",
+]

data/helpers/test/fixtures/pep621_dependencies.toml

@@ -0,0 +1,21 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+requires-python = ">=3.10"
+
+dependencies = [
+    "requests>=2.13.0,<3.0",
+    "urllib3==1.26.0",
+]
+
+[project.optional-dependencies]
+socks = [
+    "PySocks >= 1.5.6, != 1.5.7, < 2",
+]
+tests = [
+    "pytest >= 7.0, < 8",
+]
+
+[build-system]
+requires = ["setuptools>=68.0"]
+build-backend = "setuptools.build_meta"

data/helpers/test/fixtures/pep621_empty_deps.toml

@@ -0,0 +1,8 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = []
+
+[project.optional-dependencies]
+dev = []

data/helpers/test/fixtures/pep621_extras.toml

@@ -0,0 +1,8 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+requires-python = ">=3.10"
+
+dependencies = [
+    "cachecontrol[filecache]>=0.14.0",
+]

data/helpers/test/fixtures/pep621_markers.toml

@@ -0,0 +1,7 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = [
+    "requests>=2.13.0; python_version >= '3.8'",
+]

data/helpers/test/fixtures/pep621_multiple_extras.toml

@@ -0,0 +1,7 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = [
+    "boto3[crt,s3]>=1.28.0",
+]

data/helpers/test/fixtures/pep621_no_version.toml

@@ -0,0 +1,8 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = [
+    "requests",
+    "flask",
+]

data/helpers/test/fixtures/pep621_only_build_system.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"

data/helpers/test/fixtures/pep735_cycle.toml

@@ -0,0 +1,13 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+[dependency-groups]
+a = [
+    {include-group = "b"},
+    "requests>=2.0",
+]
+b = [
+    {include-group = "a"},
+    "flask>=2.0",
+]

data/helpers/test/fixtures/pep735_dependency_groups.toml

@@ -0,0 +1,18 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+requires-python = ">=3.10"
+
+dependencies = [
+    "requests>=2.13.0",
+]
+
+[dependency-groups]
+dev = [
+    "pytest==7.1.3",
+    "black==22.10.0",
+]
+lint = [
+    {include-group = "dev"},
+    "flake8>=5.0",
+]

data/helpers/test/fixtures/requirements/constraints.txt

@@ -0,0 +1 @@
+requests<3.0

data/helpers/test/fixtures/requirements/markers.txt

@@ -0,0 +1 @@
+pywin32>=1.0; sys_platform == "win32"

data/helpers/test/fixtures/requirements/requirements-dev.txt

@@ -0,0 +1,2 @@
+pytest>=7.0
+black==22.10.0

data/helpers/test/fixtures/requirements/requirements.txt

@@ -0,0 +1,5 @@
+# Basic requirements file
+requests>=2.13.0,<3.0
+urllib3==1.26.0
+Flask[async]>=2.0
+boto3  # AWS SDK

data/helpers/test/fixtures/requirements/with_constraints.txt

@@ -0,0 +1,2 @@
+-c constraints.txt
+requests>=2.13.0

data/helpers/test/fixtures/setup_cfg/setup.cfg

@@ -0,0 +1,16 @@
+[metadata]
+name = myapp
+version = 1.0.0
+
+[options]
+install_requires =
+    requests>=2.13.0
+    urllib3==1.26.0
+setup_requires =
+    setuptools>=68.0
+tests_require =
+    pytest>=7.0
+
+[options.extras_require]
+socks =
+    PySocks>=1.5.6

data/helpers/test/fixtures/setup_py/setup.py

@@ -0,0 +1,20 @@
+from setuptools import setup
+
+setup(
+    name="myapp",
+    version="1.0.0",
+    install_requires=[
+        "requests>=2.13.0",
+        "urllib3==1.26.0",
+    ],
+    setup_requires=[
+        "setuptools>=68.0",
+    ],
+    tests_require=[
+        "pytest>=7.0",
+    ],
+    extras_require={
+        "socks": ["PySocks>=1.5.6"],
+        "dev": ["black==22.10.0"],
+    },
+)

data/helpers/test/fixtures/setup_py_comments/setup.py

@@ -0,0 +1,9 @@
+from setuptools import setup
+
+setup(
+    name="myapp",
+    version="1.0.0",
+    install_requires=[
+        "requests>=2.13.0  # HTTP library",
+    ],
+)

data/helpers/test/test_hasher.py

@@ -0,0 +1,114 @@
+import json
+import os
+import ssl
+import sys
+from unittest.mock import MagicMock, patch
+from urllib.error import URLError
+
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+
+import hasher  # noqa: E402
+import hashin as hashin_mod  # noqa: E402
+
+
+class TestGetDependencyHash:
+    @patch("hasher.hashin.get_package_hashes")
+    def test_returns_hashes(self, mock_get):
+        mock_get.return_value = {
+            "hashes": [
+                {"hash": "abc123", "platform": "linux"},
+                {"hash": "def456", "platform": "macos"},
+            ]
+        }
+
+        result = json.loads(hasher.get_dependency_hash(
+            "requests", "2.28.0", "sha256"
+        ))
+
+        assert "result" in result
+        assert len(result["result"]) == 2
+        assert result["result"][0]["hash"] == "abc123"
+        mock_get.assert_called_once()
+
+    @patch("hasher.hashin.get_package_hashes")
+    def test_custom_index_url(self, mock_get):
+        mock_get.return_value = {"hashes": []}
+
+        hasher.get_dependency_hash(
+            "requests", "2.28.0", "sha256",
+            index_url="https://custom.registry/simple/"
+        )
+
+        mock_get.assert_called_once_with(
+            "requests",
+            version="2.28.0",
+            algorithm="sha256",
+            index_url="https://custom.registry/simple/"
+        )
+
+    @patch("hasher.hashin.get_package_hashes")
+    def test_package_not_found(self, mock_get):
+        mock_get.side_effect = hashin_mod.PackageNotFoundError(
+            "no-such-package"
+        )
+
+        result = json.loads(hasher.get_dependency_hash(
+            "no-such-package", "1.0.0", "sha256"
+        ))
+
+        assert "error" in result
+
+    @patch("hasher.hashin.get_package_hashes")
+    def test_ssl_certificate_error(self, mock_get):
+        ssl_error = ssl.SSLError(
+            "CERTIFICATE_VERIFY_FAILED: unable to get local issuer"
+        )
+        mock_get.side_effect = URLError(ssl_error)
+
+        result = json.loads(hasher.get_dependency_hash(
+            "requests", "2.28.0", "sha256"
+        ))
+
+        assert "error" in result
+        assert "CERTIFICATE_VERIFY_FAILED" in result["error"]
+
+    @patch("hasher.hashin.get_package_hashes")
+    def test_non_ssl_url_error_raises(self, mock_get):
+        mock_get.side_effect = URLError("Connection refused")
+
+        try:
+            hasher.get_dependency_hash("requests", "2.28.0", "sha256")
+            assert False, "Expected URLError to be raised"
+        except URLError:
+            pass  # expected
+
+
+class TestGetPipfileHash:
+    @patch("builtins.open")
+    @patch("hasher.plette")
+    def test_returns_hash(self, mock_plette, mock_open):
+        mock_pipfile = MagicMock()
+        mock_pipfile.get_hash.return_value.value = "abc123hash"
+        mock_plette.Pipfile.load.return_value = mock_pipfile
+
+        result = json.loads(hasher.get_pipfile_hash("/tmp/project"))
+
+        assert result["result"] == "abc123hash"
+        mock_open.assert_called_once_with("/tmp/project/Pipfile")
+
+
+class TestGetPyprojectHash:
+    @patch("hasher.Factory")
+    def test_returns_hash(self, mock_factory_cls):
+        mock_poetry = MagicMock()
+        mock_poetry.locker._get_content_hash.return_value = "xyz789hash"
+        mock_factory_cls.return_value.create_poetry.return_value = mock_poetry
+
+        result = json.loads(hasher.get_pyproject_hash("/tmp/project"))
+
+        assert result["result"] == "xyz789hash"
+        mock_factory_cls.return_value.create_poetry.assert_called_once_with(
+            "/tmp/project"
+        )

data/helpers/test/test_parse_requirements.py

@@ -0,0 +1,103 @@
+import json
+import os
+import sys
+
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+
+from parser import parse_requirements  # noqa: E402
+
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+
+
+def parse(fixture_dir):
+    path = os.path.join(FIXTURES, fixture_dir)
+    result = json.loads(parse_requirements(path))
+    return result
+
+
+def find_dep(deps, name):
+    return next((d for d in deps if d["name"] == name), None)
+
+
+def find_dep_in_file(deps, name, file_substring):
+    return next(
+        (d for d in deps
+         if d["name"] == name and file_substring in d["file"]),
+        None
+    )
+
+
+class TestParseRequirementsTxt:
+    def test_parses_basic_requirements(self):
+        result = parse("requirements")
+        deps = result["result"]
+        requests = find_dep_in_file(deps, "requests", "requirements.txt")
+        assert requests is not None
+        assert requests["requirement"] == "<3.0,>=2.13.0"
+
+    def test_parses_pinned_version(self):
+        result = parse("requirements")
+        deps = result["result"]
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+        assert urllib3["requirement"] == "==1.26.0"
+
+    def test_parses_extras(self):
+        result = parse("requirements")
+        deps = result["result"]
+        flask = find_dep(deps, "Flask")
+        assert flask is not None
+        assert flask["extras"] == ["async"]
+
+    def test_strips_inline_comments(self):
+        result = parse("requirements")
+        deps = result["result"]
+        boto3 = find_dep(deps, "boto3")
+        assert boto3 is not None
+        # boto3 has no version specifier, just a comment
+        assert boto3["requirement"] is None or boto3["requirement"] == ""
+
+    def test_file_path_is_relative(self):
+        result = parse("requirements")
+        deps = result["result"]
+        for dep in deps:
+            assert not os.path.isabs(dep["file"])
+
+    def test_parses_dev_requirements(self):
+        result = parse("requirements")
+        deps = result["result"]
+        black = find_dep(deps, "black")
+        assert black is not None
+        assert black["version"] == "22.10.0"
+        assert "requirements-dev.txt" in black["file"]
+
+    def test_parses_markers(self):
+        result = parse("requirements")
+        deps = result["result"]
+        pywin32 = find_dep(deps, "pywin32")
+        assert pywin32 is not None
+        assert pywin32["markers"] == 'sys_platform == "win32"'
+
+    def test_empty_directory_returns_empty(self):
+        result = parse("requirements_empty")
+        deps = result["result"]
+        assert deps == []
+
+    def test_constraint_file_deps(self):
+        """Requirements with -c constraints should still parse the deps."""
+        result = parse("requirements")
+        deps = result["result"]
+        # with_constraints.txt has requests
+        req_files = [d["file"] for d in deps if d["name"] == "requests"]
+        assert any("with_constraints" in f for f in req_files)
+
+    def test_multiple_files_parsed(self):
+        """All .txt files in the directory are parsed."""
+        result = parse("requirements")
+        deps = result["result"]
+        files = {d["file"] for d in deps}
+        assert any("requirements.txt" in f for f in files)
+        assert any("requirements-dev.txt" in f for f in files)

data/helpers/test/test_parse_setup.py

@@ -0,0 +1,127 @@
+import json
+import os
+import sys
+
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+
+from parser import parse_setup  # noqa: E402
+
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+
+
+def parse(fixture_dir):
+    path = os.path.join(FIXTURES, fixture_dir)
+    result = json.loads(parse_setup(path))
+    return result
+
+
+def find_dep(deps, name):
+    return next((d for d in deps if d["name"] == name), None)
+
+
+# ---------------------------------------------------------------------------
+# setup.py parsing
+# ---------------------------------------------------------------------------
+class TestSetupPy:
+    def test_parses_install_requires(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["requirement"] == ">=2.13.0"
+        assert requests["requirement_type"] == "install_requires"
+        assert requests["file"] == "setup.py"
+
+    def test_parses_pinned_version(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+
+    def test_parses_setup_requires(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools is not None
+        assert setuptools["requirement_type"] == "setup_requires"
+
+    def test_parses_tests_require(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        pytest = find_dep(deps, "pytest")
+        assert pytest is not None
+        assert pytest["requirement_type"] == "tests_require"
+
+    def test_parses_extras_require(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        pysocks = find_dep(deps, "PySocks")
+        assert pysocks is not None
+        assert pysocks["requirement_type"] == "extras_require:socks"
+
+    def test_parses_multiple_extras_groups(self):
+        result = parse("setup_py")
+        deps = result["result"]
+        extras = [d for d in deps if d["requirement_type"].startswith(
+            "extras_require:"
+        )]
+        groups = {d["requirement_type"] for d in extras}
+        assert "extras_require:socks" in groups
+        assert "extras_require:dev" in groups
+
+    def test_strips_comments(self):
+        result = parse("setup_py_comments")
+        deps = result["result"]
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["requirement"] == ">=2.13.0"
+
+
+# ---------------------------------------------------------------------------
+# setup.cfg parsing
+# ---------------------------------------------------------------------------
+class TestSetupCfg:
+    def test_parses_install_requires(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["requirement"] == ">=2.13.0"
+        assert requests["requirement_type"] == "install_requires"
+        assert requests["file"] == "setup.cfg"
+
+    def test_parses_pinned_version(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+
+    def test_parses_setup_requires(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools is not None
+        assert setuptools["requirement_type"] == "setup_requires"
+
+    def test_parses_tests_require(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        pytest = find_dep(deps, "pytest")
+        assert pytest is not None
+        assert pytest["requirement_type"] == "tests_require"
+
+    def test_parses_extras_require(self):
+        result = parse("setup_cfg")
+        deps = result["result"]
+        pysocks = find_dep(deps, "PySocks")
+        assert pysocks is not None
+        assert pysocks["requirement_type"] == "extras_require:socks"
+
+    def test_empty_directory_returns_empty(self):
+        result = parse("requirements_empty")
+        deps = result["result"]
+        assert deps == []

data/helpers/test/test_parser.py

@@ -0,0 +1,184 @@
+import json
+import os
+import sys
+
+# Add the helpers lib directory to the Python path so we can import parser
+sys.path.insert(
+    0, os.path.join(os.path.dirname(__file__), os.pardir, "lib")
+)
+
+from parser import parse_pep621_pep735_dependencies  # noqa: E402
+
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+
+
+def parse(fixture_name):
+    path = os.path.join(FIXTURES, fixture_name)
+    result = json.loads(parse_pep621_pep735_dependencies(path))
+    return result["result"]
+
+
+def find_dep(deps, name):
+    return next((d for d in deps if d["name"] == name), None)
+
+
+# ---------------------------------------------------------------------------
+# PEP 621 project.dependencies
+# ---------------------------------------------------------------------------
+class TestPep621Dependencies:
+    def test_parses_runtime_dependencies(self):
+        deps = parse("pep621_dependencies.toml")
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        # packaging normalises specifier order alphabetically by operator
+        assert requests["requirement"] == "<3.0,>=2.13.0"
+        assert requests["requirement_type"] == "dependencies"
+
+    def test_parses_exact_version(self):
+        deps = parse("pep621_dependencies.toml")
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3 is not None
+        assert urllib3["version"] == "1.26.0"
+        assert urllib3["requirement"] == "==1.26.0"
+
+    def test_parses_optional_dependencies(self):
+        deps = parse("pep621_dependencies.toml")
+        pysocks = find_dep(deps, "PySocks")
+        assert pysocks is not None
+        assert pysocks["requirement_type"] == "socks"
+
+    def test_optional_dependency_specifiers(self):
+        deps = parse("pep621_dependencies.toml")
+        pysocks = find_dep(deps, "PySocks")
+        # packaging normalises specifiers: sorted, no spaces
+        assert "!=" in pysocks["requirement"]
+        assert ">=" in pysocks["requirement"]
+
+    def test_parses_multiple_optional_groups(self):
+        deps = parse("pep621_dependencies.toml")
+        group_types = {d["requirement_type"] for d in deps}
+        assert "socks" in group_types
+        assert "tests" in group_types
+
+    def test_parses_build_system_requires(self):
+        deps = parse("pep621_dependencies.toml")
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools is not None
+        assert setuptools["requirement_type"] == "build-system.requires"
+        assert setuptools["requirement"] == ">=68.0"
+
+
+# ---------------------------------------------------------------------------
+# PEP 621 extras
+# ---------------------------------------------------------------------------
+class TestPep621Extras:
+    def test_parses_extras(self):
+        deps = parse("pep621_extras.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc is not None
+        assert cc["extras"] == ["filecache"]
+
+    def test_extras_requirement(self):
+        deps = parse("pep621_extras.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc["requirement"] == ">=0.14.0"
+
+
+# ---------------------------------------------------------------------------
+# PEP 735 dependency-groups
+# ---------------------------------------------------------------------------
+class TestPep735DependencyGroups:
+    def test_parses_dependency_group(self):
+        deps = parse("pep735_dependency_groups.toml")
+        pytest_dep = find_dep(deps, "pytest")
+        assert pytest_dep is not None
+        assert pytest_dep["requirement_type"] == "dev"
+        assert pytest_dep["version"] == "7.1.3"
+
+    def test_include_group_resolves(self):
+        deps = parse("pep735_dependency_groups.toml")
+        # "lint" group includes "dev" via include-group, plus flake8
+        lint_deps = [d for d in deps if d["requirement_type"] == "lint"]
+        lint_names = {d["name"] for d in lint_deps}
+        assert "flake8" in lint_names
+        # include-group pulls dev deps into lint but they keep their
+        # original group name, so they appear under "dev" requirement_type
+        all_names = {d["name"] for d in deps}
+        assert "pytest" in all_names
+        assert "black" in all_names
+
+    def test_include_group_lists_all_resolved_deps(self):
+        deps = parse("pep735_dependency_groups.toml")
+        # pytest appears twice: once from direct "dev" processing and
+        # once from "lint" including "dev" (both with requirement_type="dev"
+        # because included deps keep their original group name)
+        pytests = [d for d in deps if d["name"] == "pytest"]
+        assert len(pytests) == 2
+        assert all(d["requirement_type"] == "dev" for d in pytests)
+
+
+# ---------------------------------------------------------------------------
+# Markers
+# ---------------------------------------------------------------------------
+class TestMarkers:
+    def test_parses_markers(self):
+        deps = parse("pep621_markers.toml")
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["markers"] == 'python_version >= "3.8"'
+
+    def test_requirement_with_markers(self):
+        deps = parse("pep621_markers.toml")
+        requests = find_dep(deps, "requests")
+        assert requests["requirement"] == ">=2.13.0"
+
+
+# ---------------------------------------------------------------------------
+# Edge cases
+# ---------------------------------------------------------------------------
+class TestEdgeCases:
+    def test_no_dependencies(self):
+        deps = parse("no_dependencies.toml")
+        assert deps == []
+
+    def test_only_build_system(self):
+        deps = parse("pep621_only_build_system.toml")
+        assert len(deps) == 2
+        names = {d["name"] for d in deps}
+        assert "setuptools" in names
+        assert "wheel" in names
+        assert all(
+            d["requirement_type"] == "build-system.requires" for d in deps
+        )
+
+    def test_empty_dependency_lists(self):
+        deps = parse("pep621_empty_deps.toml")
+        assert deps == []
+
+    def test_multiple_extras_on_single_dep(self):
+        deps = parse("pep621_multiple_extras.toml")
+        boto3 = find_dep(deps, "boto3")
+        assert boto3 is not None
+        assert boto3["extras"] == ["crt", "s3"]
+        assert boto3["requirement"] == ">=1.28.0"
+
+    def test_arbitrary_equality_operator(self):
+        deps = parse("pep621_arbitrary_equality.toml")
+        numpy = find_dep(deps, "numpy")
+        assert numpy is not None
+        assert numpy["version"] == "1.24.0rc1"
+        assert numpy["requirement"] == "===1.24.0rc1"
+
+    def test_no_version_specifier(self):
+        deps = parse("pep621_no_version.toml")
+        requests = find_dep(deps, "requests")
+        assert requests is not None
+        assert requests["version"] is None
+        assert requests["requirement"] == ""
+
+    def test_cyclic_include_group_does_not_loop(self):
+        deps = parse("pep735_cycle.toml")
+        names = [d["name"] for d in deps]
+        # Both groups should be processed without infinite recursion
+        assert "requests" in names
+        assert "flask" in names

data/helpers/test/test_run.py

@@ -0,0 +1,49 @@
+import json
+import os
+import subprocess
+import sys
+
+FIXTURES = os.path.join(os.path.dirname(__file__), "fixtures")
+HELPERS_DIR = os.path.join(os.path.dirname(__file__), os.pardir)
+RUN_PY = os.path.join(HELPERS_DIR, "run.py")
+
+
+def run_helper(function, args):
+    input_json = json.dumps({"function": function, "args": args})
+    result = subprocess.run(
+        [sys.executable, RUN_PY],
+        input=input_json,
+        capture_output=True,
+        text=True,
+        cwd=HELPERS_DIR,
+    )
+    assert result.returncode == 0, (
+        f"run.py failed: {result.stderr}"
+    )
+    return json.loads(result.stdout)
+
+
+class TestRunRouting:
+    def test_parse_pep621_routing(self):
+        fixture = os.path.join(FIXTURES, "pep621_dependencies.toml")
+        result = run_helper("parse_pep621_pep735_dependencies", [fixture])
+
+        assert "result" in result
+        names = {d["name"] for d in result["result"]}
+        assert "requests" in names
+
+    def test_parse_setup_routing(self):
+        fixture_dir = os.path.join(FIXTURES, "setup_py")
+        result = run_helper("parse_setup", [fixture_dir])
+
+        assert "result" in result
+        names = {d["name"] for d in result["result"]}
+        assert "requests" in names
+
+    def test_parse_requirements_routing(self):
+        fixture_dir = os.path.join(FIXTURES, "requirements")
+        result = run_helper("parse_requirements", [fixture_dir])
+
+        assert "result" in result
+        names = {d["name"] for d in result["result"]}
+        assert "requests" in names

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -124,8 +124,10 @@ module Dependabot
           declaration_match = content.match(declaration_regex)
           if declaration_match
             declaration = declaration_match[:declaration]
-            new_declaration = T.must(declaration).sub(old_req, new_req)
-            return content.sub(T.must(declaration), new_declaration)
+            if T.must(declaration).include?(old_req)
+              new_declaration = T.must(declaration).sub(old_req, new_req)
+              return content.sub(T.must(declaration), new_declaration)
+            end
           end
 
           # Try Poetry table format
@@ -220,9 +222,8 @@ module Dependabot
 
         sig { params(pyproject_content: String).returns(String) }
         def freeze_other_dependencies(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content, lockfile: lockfile)
-            .freeze_top_level_dependencies_except(dependencies)
+          PyprojectPreparer.new(pyproject_content: pyproject_content, lockfile: lockfile)
+                           .freeze_top_level_dependencies_except(dependencies)
         end
 
         sig { params(pyproject_content: String).returns(String) }
@@ -244,14 +245,18 @@ module Dependabot
             end
           end
 
+          # Freeze PEP 621 project.dependencies and project.optional-dependencies
+          PyprojectPreparer.freeze_pep621_deps!(pyproject_object, dependencies) do |dep|
+            !git_dependency_being_updated?(dep)
+          end
+
           TomlRB.dump(pyproject_object)
         end
 
         sig { params(pyproject_content: String).returns(String) }
         def update_python_requirement(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content)
-            .update_python_requirement(language_version_manager.python_version)
+          PyprojectPreparer.new(pyproject_content: pyproject_content)
+                           .update_python_requirement(language_version_manager.python_version)
         end
 
         sig { params(poetry_object: T::Hash[String, T.untyped], dep: Dependabot::Dependency).returns(T::Array[String]) }
@@ -262,6 +267,8 @@ module Dependabot
             next unless pkg_name
 
             if poetry_object[type][pkg_name].is_a?(Hash)
+              next unless poetry_object[type][pkg_name].key?("version") # skip enrichment-only entries
+
               poetry_object[type][pkg_name]["version"] = dep.version
             else
               poetry_object[type][pkg_name] = dep.version
@@ -284,9 +291,7 @@ module Dependabot
 
         sig { params(pyproject_content: String).returns(String) }
         def sanitize(pyproject_content)
-          PyprojectPreparer
-            .new(pyproject_content: pyproject_content)
-            .sanitize
+          PyprojectPreparer.new(pyproject_content: pyproject_content).sanitize
         end
 
         sig { params(pyproject_content: String).returns(String) }

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -16,6 +16,80 @@ module Dependabot
       class PyprojectPreparer
         extend T::Sig
 
+        # Builds a regex pattern that matches a PEP 508 package name,
+        # treating hyphens, underscores, and dots as interchangeable per PEP 508.
+        sig { params(name: String).returns(String) }
+        def self.pep508_name_pattern(name)
+          Regexp.escape(name).gsub("\\-", "[-_.]").gsub("_", "[-_.]").gsub("\\.", "[-_.]")
+        end
+        private_class_method :pep508_name_pattern
+
+        # Pins a single PEP 508 dependency entry string to a specific version,
+        # preserving extras and environment markers.
+        sig { params(entry: String, name_pattern: String, version: String).returns(String) }
+        def self.pin_pep508_entry(entry, name_pattern, version)
+          if entry.match?(/\A#{name_pattern}(\[.*?\])?\s*[><=!~]/i)
+            entry.sub(
+              /(?<pre>#{name_pattern}(?:\[.*?\])?)\s*[><=!~][^;]*?(?=\s*;|\s*\z)/i,
+              "\\k<pre>==#{version}"
+            )
+          else
+            entry.sub(
+              /(?<pre>#{name_pattern}(?:\[.*?\])?)(?<rest>\s*(?:;.*)?)/i,
+              "\\k<pre>==#{version}\\k<rest>"
+            )
+          end
+        end
+        private_class_method :pin_pep508_entry
+
+        # Freezes PEP 621 dependencies in-place within a parsed pyproject object.
+        # Replaces version specifiers with ==dep.version for each matching dep.
+        # Accepts an optional block to filter which dependencies to freeze.
+        sig do
+          params(
+            pyproject_object: T::Hash[String, T.untyped],
+            deps: T::Array[Dependabot::Dependency],
+            blk: T.nilable(T.proc.params(dep: Dependabot::Dependency).returns(T::Boolean))
+          ).void
+        end
+        def self.freeze_pep621_deps!(pyproject_object, deps, &blk)
+          dep_arrays = collect_pep621_dep_arrays(pyproject_object)
+          return if dep_arrays.empty?
+
+          deps.each do |dep|
+            next if blk && !yield(dep)
+            next unless dep.version
+
+            pin_pep621_dep_in_arrays!(dep_arrays, dep)
+          end
+        end
+
+        sig { params(pyproject_object: T::Hash[String, T.untyped]).returns(T::Array[T::Array[String]]) }
+        def self.collect_pep621_dep_arrays(pyproject_object)
+          project_object = pyproject_object["project"]
+          return [] unless project_object
+
+          dep_arrays = [project_object["dependencies"]]
+          project_object["optional-dependencies"]&.each_value { |opt| dep_arrays << opt }
+          dep_arrays.compact!
+          dep_arrays.select! { |arr| arr.is_a?(Array) && arr.all?(String) }
+          dep_arrays
+        end
+        private_class_method :collect_pep621_dep_arrays
+
+        sig { params(dep_arrays: T::Array[T::Array[String]], dep: Dependabot::Dependency).void }
+        def self.pin_pep621_dep_in_arrays!(dep_arrays, dep)
+          name_pattern = pep508_name_pattern(dep.name)
+          dep_arrays.each do |arr|
+            arr.each_with_index do |entry, i|
+              next unless entry.match?(/\A#{name_pattern}(\[.*?\])?\s*(\z|[><=!~;,])/i)
+
+              arr[i] = pin_pep508_entry(entry, name_pattern, T.must(dep.version))
+            end
+          end
+        end
+        private_class_method :pin_pep621_dep_in_arrays!
+
         sig { params(pyproject_content: String, lockfile: T.nilable(Dependabot::DependencyFile)).void }
         def initialize(pyproject_content:, lockfile: nil)
           @pyproject_content = pyproject_content
@@ -109,6 +183,9 @@ module Dependabot
             end
           end
 
+          # Freeze PEP 621 project.dependencies and project.optional-dependencies
+          freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
+
           TomlRB.dump(pyproject_object)
         end
         # rubocop:enable Metrics/AbcSize
@@ -122,6 +199,38 @@ module Dependabot
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :lockfile
 
+        sig { params(pyproject_object: T::Hash[String, T.untyped], excluded_names: T::Array[String]).void }
+        def freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
+          project_object = pyproject_object["project"]
+          return unless project_object
+
+          freeze_pep621_dep_array!(project_object["dependencies"], excluded_names)
+
+          project_object["optional-dependencies"]&.each_value do |opt_deps|
+            freeze_pep621_dep_array!(opt_deps, excluded_names)
+          end
+        end
+
+        sig { params(dep_array: T.nilable(T::Array[String]), excluded_names: T::Array[String]).void }
+        def freeze_pep621_dep_array!(dep_array, excluded_names)
+          return unless dep_array
+
+          dep_array.each_with_index do |entry, index|
+            # Extract dependency name from PEP 508 string
+            match = entry.match(/\A([a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?)/i)
+            next unless match
+
+            dep_name = normalise(T.must(match[1]))
+            next if excluded_names.include?(dep_name)
+
+            locked_details = locked_details(dep_name)
+            next unless (locked_version = locked_details&.fetch("version"))
+
+            name_pattern = self.class.send(:pep508_name_pattern, T.must(match[1]))
+            dep_array[index] = self.class.send(:pin_pep508_entry, entry, name_pattern, locked_version)
+          end
+        end
+
         sig { params(dep_name: String).returns(T.nilable(T::Hash[String, T.untyped])) }
         def locked_details(dep_name)
           parsed_lockfile.fetch("package")

data/lib/dependabot/python/update_checker/latest_version_finder.rb

@@ -9,6 +9,7 @@ require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/git_commit_checker"
 require "dependabot/python/update_checker"
+require "dependabot/update_checkers/cooldown_calculation"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
 require "dependabot/python/authed_url_builder"
@@ -110,8 +111,9 @@ module Dependabot
           new_version = version_class.new(tag_version_str)
           days = cooldown_days_for(current_version, new_version)
 
-          passed_seconds = Time.now.to_i - release_date_to_seconds(tag_with_detail.release_date)
-          passed_seconds < days * DAY_IN_SECONDS
+          release_time = Time.at(release_date_to_seconds(tag_with_detail.release_date))
+          Dependabot::UpdateCheckers::CooldownCalculation
+            .within_cooldown_window?(release_time, days)
         end
 
         sig do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.368.0
+  version: 0.369.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.368.0
+        version: 0.369.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.368.0
+        version: 0.369.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -247,6 +247,31 @@ files:
 - helpers/lib/parser.py
 - helpers/requirements.txt
 - helpers/run.py
+- helpers/test/fixtures/no_dependencies.toml
+- helpers/test/fixtures/pep621_arbitrary_equality.toml
+- helpers/test/fixtures/pep621_dependencies.toml
+- helpers/test/fixtures/pep621_empty_deps.toml
+- helpers/test/fixtures/pep621_extras.toml
+- helpers/test/fixtures/pep621_markers.toml
+- helpers/test/fixtures/pep621_multiple_extras.toml
+- helpers/test/fixtures/pep621_no_version.toml
+- helpers/test/fixtures/pep621_only_build_system.toml
+- helpers/test/fixtures/pep735_cycle.toml
+- helpers/test/fixtures/pep735_dependency_groups.toml
+- helpers/test/fixtures/requirements/constraints.txt
+- helpers/test/fixtures/requirements/markers.txt
+- helpers/test/fixtures/requirements/requirements-dev.txt
+- helpers/test/fixtures/requirements/requirements.txt
+- helpers/test/fixtures/requirements/with_constraints.txt
+- helpers/test/fixtures/requirements_empty/.gitkeep
+- helpers/test/fixtures/setup_cfg/setup.cfg
+- helpers/test/fixtures/setup_py/setup.py
+- helpers/test/fixtures/setup_py_comments/setup.py
+- helpers/test/test_hasher.py
+- helpers/test/test_parse_requirements.py
+- helpers/test/test_parse_setup.py
+- helpers/test/test_parser.py
+- helpers/test/test_run.py
 - lib/dependabot/python.rb
 - lib/dependabot/python/authed_url_builder.rb
 - lib/dependabot/python/dependency_grapher.rb
@@ -294,7 +319,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.368.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.369.0
 rdoc_options: []
 require_paths:
 - lib