dependabot-python 0.95.49 → 0.95.50

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a26241c6343eebe08a48ac7f3d4119d31a2bf5ba2799c8cc2363288f52de7b75
-  data.tar.gz: d9da41c2f1408485855627c9aa84652228b5dd06cf6f01d91deeb630100b3f6f
+  metadata.gz: c2e710a46e701b0d88c05d30cbb7ae34d375dad71b4ded6e33bbd21bbd9dbc44
+  data.tar.gz: 62906919a14de657cbb323a0a4e39665596d65fa90ad3208c630dadf6fca442e
 SHA512:
-  metadata.gz: 1b537126ac99eef30e564388ef23a3f870849616acfe23255971046f68a5a2a29e1e53ec721678eece81d3a23fe98b09d6c93c448dbc366ccef4134bd47d8b99
-  data.tar.gz: 1777d9ae20d36b13979705fab0e3e87e4274a489a5267fc277f85916535c12c0231d9323fb3e855a613fc8aff8ff4c23809b5ce5e32c0cc5729ba11a2c729f04
+  metadata.gz: f3ff07889ebb4864e03a753ef6b57049786e05a57ea8758b48767a709ddfeacf6b8f806893d87ad56ae232884bfefaf5e8b6d75fec5d4def9ae5ba90e9e1f492
+  data.tar.gz: 3122677849c56be6c252fd1b8d95f4220226f311563b89de3c1b393b7d455feb71d3ea49f8f161424492df8d6540f2ffbe10402a745678fa53ce585b14b2e76f

data/lib/dependabot/python/file_fetcher.rb

@@ -7,6 +7,7 @@ require "dependabot/file_fetchers/base"
 require "dependabot/python/file_parser"
 require "dependabot/errors"
 
+# rubocop:disable Metrics/ClassLength
 module Dependabot
   module Python
     class FileFetcher < Dependabot::FileFetchers::Base
@@ -141,6 +142,14 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable, pipfile.path
       end
 
+      def parsed_pyproject
+        raise "No pyproject.toml" unless pyproject
+
+        @parsed_pyproject ||= TomlRB.parse(pyproject.content)
+      rescue TomlRB::ParseError
+        raise Dependabot::DependencyFileNotParseable, pyproject.path
+      end
+
       def req_txt_and_in_files
         return @req_txt_and_in_files if @req_txt_and_in_files
 
@@ -237,6 +246,12 @@ module Dependabot
           unfetchable_files << error.file_path.gsub(%r{^/}, "")
         end
 
+        poetry_path_setup_file_paths.each do |path|
+          path_setup_files += fetch_path_setup_file(path, allow_pyproject: true)
+        rescue Dependabot::DependencyFileNotFound => error
+          unfetchable_files << error.file_path.gsub(%r{^/}, "")
+        end
+
         if unfetchable_files.any?
           raise Dependabot::PathDependenciesNotReachable, unfetchable_files
         end
@@ -244,7 +259,7 @@ module Dependabot
         path_setup_files
       end
 
-      def fetch_path_setup_file(path)
+      def fetch_path_setup_file(path, allow_pyproject: false)
         path_setup_files = []
 
         unless path.end_with?(".tar.gz", ".zip")
@@ -252,22 +267,38 @@ module Dependabot
         end
         return [] if path == "setup.py" && setup_file
 
-        path_setup_files << fetch_file_from_host(path, fetch_submodules: true).
-                            tap { |f| f.support_file = true }
+        path_setup_files <<
+          begin
+            fetch_file_from_host(
+              path,
+              fetch_submodules: true
+            ).tap { |f| f.support_file = true }
+          rescue Dependabot::DependencyFileNotFound
+            raise unless allow_pyproject
+
+            fetch_file_from_host(
+              path.gsub("setup.py", "pyproject.toml"),
+              fetch_submodules: true
+            ).tap { |f| f.support_file = true }
+          end
 
         return path_setup_files unless path.end_with?(".py")
 
+        path_setup_files + cfg_files_for_setup_py(path)
+      end
+
+      def cfg_files_for_setup_py(path)
+        cfg_path = path.gsub(/\.py$/, ".cfg")
+
         begin
-          cfg_path = path.gsub(/\.py$/, ".cfg")
-          path_setup_files <<
+          [
             fetch_file_from_host(cfg_path, fetch_submodules: true).
-            tap { |f| f.support_file = true }
+              tap { |f| f.support_file = true }
+          ]
         rescue Dependabot::DependencyFileNotFound
           # Ignore lack of a setup.cfg
-          nil
+          []
         end
-
-        path_setup_files
       end
 
       def requirements_file?(file)
@@ -337,9 +368,26 @@ module Dependabot
 
         paths
       end
+
+      def poetry_path_setup_file_paths
+        return [] unless pyproject
+
+        paths = []
+        %w(dependencies dev-dependencies).each do |dep_type|
+          next unless parsed_pyproject.dig("tool", "poetry", dep_type)
+
+          parsed_pyproject.dig("tool", "poetry", dep_type).each do |_, req|
+            next unless req.is_a?(Hash) && req["path"]
+
+            paths << req["path"]
+          end
+        end
+
+        paths
+      end
     end
   end
 end
+# rubocop:enable Metrics/ClassLength
 
-Dependabot::FileFetchers.
-  register("pip", Dependabot::Python::FileFetcher)
+Dependabot::FileFetchers.register("pip", Dependabot::Python::FileFetcher)

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -98,18 +98,21 @@ module Dependabot
         end
 
         def prepared_pyproject
-          content = updated_pyproject_content
-          content = sanitize(content)
-          content = freeze_other_dependencies(content)
-          content = freeze_dependencies_being_updated(content)
-          content = add_private_sources(content)
-          content
+          @prepared_pyproject ||=
+            begin
+              content = updated_pyproject_content
+              content = sanitize(content)
+              content = freeze_other_dependencies(content)
+              content = freeze_dependencies_being_updated(content)
+              content = add_private_sources(content)
+              content
+            end
         end
 
         def freeze_other_dependencies(pyproject_content)
           PyprojectPreparer.
-            new(pyproject_content: pyproject_content).
-            freeze_top_level_dependencies_except(dependencies, lockfile)
+            new(pyproject_content: pyproject_content, lockfile: lockfile).
+            freeze_top_level_dependencies_except(dependencies)
         end
 
         def freeze_dependencies_being_updated(pyproject_content)

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -9,8 +9,9 @@ module Dependabot
   module Python
     class FileUpdater
       class PyprojectPreparer
-        def initialize(pyproject_content:)
+        def initialize(pyproject_content:, lockfile: nil)
           @pyproject_content = pyproject_content
+          @lockfile = lockfile
         end
 
         def replace_sources(credentials)
@@ -31,7 +32,7 @@ module Dependabot
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
-        def freeze_top_level_dependencies_except(dependencies, lockfile)
+        def freeze_top_level_dependencies_except(dependencies)
           return pyproject_content unless lockfile
 
           pyproject_object = TomlRB.parse(pyproject_content)
@@ -44,7 +45,7 @@ module Dependabot
             poetry_object.fetch(key).each do |dep_name, _|
               next if excluded_names.include?(normalise(dep_name))
 
-              locked_details = locked_details(dep_name, lockfile)
+              locked_details = locked_details(dep_name)
 
               next unless (locked_version = locked_details&.fetch("version"))
 
@@ -67,11 +68,9 @@ module Dependabot
 
         private
 
-        attr_reader :pyproject_content
-
-        def locked_details(dep_name, lockfile)
-          parsed_lockfile = TomlRB.parse(lockfile.content)
+        attr_reader :pyproject_content, :lockfile
 
+        def locked_details(dep_name)
           parsed_lockfile.fetch("package").
             find { |d| d["name"] == normalise(dep_name) }
         end
@@ -99,6 +98,10 @@ module Dependabot
             select { |cred| cred["type"] == "python_index" }.
             map { |cred| { "url" => cred["index-url"] } }
         end
+
+        def parsed_lockfile
+          @parsed_lockfile ||= TomlRB.parse(lockfile.content)
+        end
       end
     end
   end

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -164,11 +164,14 @@ module Dependabot
         end
 
         def updated_pyproject_content
-          content = pyproject.content
-          content = sanitize_pyproject_content(content)
-          content = freeze_other_dependencies(content)
-          content = unlock_target_dependency(content) if unlock_requirement?
-          content
+          @updated_pyproject_content ||=
+            begin
+              content = pyproject.content
+              content = sanitize_pyproject_content(content)
+              content = freeze_other_dependencies(content)
+              content = unlock_target_dependency(content) if unlock_requirement?
+              content
+            end
         end
 
         def sanitized_pyproject_content
@@ -185,8 +188,8 @@ module Dependabot
 
         def freeze_other_dependencies(pyproject_content)
           Python::FileUpdater::PyprojectPreparer.
-            new(pyproject_content: pyproject_content).
-            freeze_top_level_dependencies_except([dependency], lockfile)
+            new(pyproject_content: pyproject_content, lockfile: lockfile).
+            freeze_top_level_dependencies_except([dependency])
         end
 
         def unlock_target_dependency(pyproject_content)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.95.49
+  version: 0.95.50
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.95.49
+        version: 0.95.50
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.95.49
+        version: 0.95.50
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement