dependabot-python 0.86.23 → 0.86.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a2e7b8e13a0b685d6bddb995889c5b271a03bac1f0a25cb00a7f3a9efc29b3d
-  data.tar.gz: a655cb4eee2473b905ada7dc1a21e220eb0dfcf4552c79dd6369b21aab07c8d4
+  metadata.gz: b5ec7521376b21387eb9e1990dd73c482ad71edbd415cf229e8877571fa99d80
+  data.tar.gz: 0fe334d0091f3b79868b1635d773d51f91e2bda2ed163671683c9fb84d9f1b9d
 SHA512:
-  metadata.gz: 7a1edfe5a309ca95b8c00dc6c4c7ad4989f7cdd574c35a51d2dcf7fc3bf41a250d3280aac5a59438f7d10dc41ba5f775222edf6a668334215c906a429892745d
-  data.tar.gz: 8499f3daf96a414a7952546b40ac3876ef514ca1e86112c41aebc23bf41ded97efe998f7b87fc2cd6cd94e645ef745994555b44232fd40f7969300cd2f03a194
+  metadata.gz: 24e7163321e16240753a0ed50b6b7d79bec10359ac73e6acfa6f90705883b127aef587dfb45ab0f66951f10be0d4c175694729dec9c8159f514adc868ea92a00
+  data.tar.gz: '017241854ee3e87d026afdfe6a967c5c85d6756757b3372d0b3069962f78c22368761fc0162e0f00af232582da903ed0f42e5469bebbdd65688492f0d6ec8f3e'

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -4,6 +4,7 @@ require "dependabot/python/requirement_parser"
 require "dependabot/python/file_fetcher"
 require "dependabot/python/file_updater"
 require "dependabot/shared_helpers"
+require "dependabot/python/native_helpers"
 
 # rubocop:disable Metrics/ClassLength
 module Dependabot
@@ -266,14 +267,82 @@ module Dependabot
           content
         end
 
-        def update_hashes_if_required(updated_content, _original_content)
-          # TODO: Update the hashes if required.
-          # See https://github.com/dependabot/feedback/issues/235
-          #
-          # 1. Parse the old and new files
-          # 2. For any dependency where the number of hashes has changed, use
-          #    hashin to update the hashes
-          updated_content
+        def update_hashes_if_required(updated_content, original_content)
+          deps_to_update =
+            deps_to_augment_hashes_for(updated_content, original_content)
+
+          updated_content_with_hashes = updated_content
+          deps_to_update.each do |mtch|
+            updated_string = mtch.to_s.sub(
+              RequirementParser::HASHES,
+              package_hashes_for(
+                name: mtch.named_captures.fetch("name"),
+                version: mtch.named_captures.fetch("version"),
+                algorithm: mtch.named_captures.fetch("algorithm")
+              ).join(hash_separator(mtch.to_s))
+            )
+
+            updated_content_with_hashes = updated_content_with_hashes.gsub(
+              mtch.to_s,
+              updated_string
+            )
+          end
+          updated_content_with_hashes
+        end
+
+        def deps_to_augment_hashes_for(updated_content, original_content)
+          regex = RequirementParser::INSTALL_REQ_WITH_REQUIREMENT
+
+          new_matches = []
+          updated_content.scan(regex) { new_matches << Regexp.last_match }
+
+          old_matches = []
+          original_content.scan(regex) { old_matches << Regexp.last_match }
+
+          new_deps = []
+          changed_hashes_deps = []
+
+          new_matches.each do |mtch|
+            nm = mtch.named_captures["name"]
+            old_match = old_matches.find { |m| m.named_captures["name"] == nm }
+
+            next new_deps << mtch unless old_match
+            next unless old_match.named_captures["hashes"]
+
+            old_count = old_match.named_captures["hashes"].split("--hash").count
+            new_count = mtch.named_captures["hashes"].split("--hash").count
+            changed_hashes_deps << mtch if new_count < old_count
+          end
+
+          return [] if changed_hashes_deps.none?
+
+          [*new_deps, *changed_hashes_deps]
+        end
+
+        def package_hashes_for(name:, version:, algorithm:)
+          SharedHelpers.run_helper_subprocess(
+            command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+            function: "get_dependency_hash",
+            args: [name, version, algorithm]
+          ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+        end
+
+        def hash_separator(requirement_string)
+          hash_regex = RequirementParser::HASH
+          return unless requirement_string.match?(hash_regex)
+
+          current_separator =
+            requirement_string.
+            match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/).
+            named_captures.fetch("separator")
+
+          default_separator =
+            requirement_string.
+            match(RequirementParser::HASH).
+            pre_match.match(/(?<separator>\s*\\?\s*?)\z/).
+            named_captures.fetch("separator")
+
+          current_separator || default_separator
         end
 
         def pip_compile_options(filename)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.86.23
+  version: 0.86.24
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.86.23
+        version: 0.86.24
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.86.23
+        version: 0.86.24
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -195,7 +195,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.5.0
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: Python support for dependabot-core