dependabot-python 0.95.49 → 0.95.50
- checksums.yaml +4 -4
- data/lib/dependabot/python/file_fetcher.rb +59 -11
- data/lib/dependabot/python/file_updater/poetry_file_updater.rb +11 -8
- data/lib/dependabot/python/file_updater/pyproject_preparer.rb +10 -7
- data/lib/dependabot/python/update_checker/poetry_version_resolver.rb +10 -7
- metadata +3 -3
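--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c2e710a46e701b0d88c05d30cbb7ae34d375dad71b4ded6e33bbd21bbd9dbc44
+data.tar.gz: 62906919a14de657cbb323a0a4e39665596d65fa90ad3208c630dadf6fca442e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f3ff07889ebb4864e03a753ef6b57049786e05a57ea8758b48767a709ddfeacf6b8f806893d87ad56ae232884bfefaf5e8b6d75fec5d4def9ae5ba90e9e1f492
+data.tar.gz: 3122677849c56be6c252fd1b8d95f4220226f311563b89de3c1b393b7d455feb71d3ea49f8f161424492df8d6540f2ffbe10402a745678fa53ce585b14b2e76f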
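--- a/data/lib/dependabot/python/file_fetcher.rb
+++ b/data/lib/dependabot/python/file_fetcher.rb
@@ -7,6 +7,7 @@ require "dependabot/file_fetchers/base"
 require "dependabot/python/file_parser"
 require "dependabot/errors"
 
+# rubocop:disable Metrics/ClassLength
 module Dependabot
 module Python
 class FileFetcher < Dependabot::FileFetchers::Base
@@ -141,6 +142,14 @@ module Dependabot
 raise Dependabot::DependencyFileNotParseable, pipfile.path
 end
 
+def parsed_pyproject
+raise "No pyproject.toml" unless pyproject
+
+@parsed_pyproject ||= TomlRB.parse(pyproject.content)
+rescue TomlRB::ParseError
+raise Dependabot::DependencyFileNotParseable, pyproject.path
+end
+
 def req_txt_and_in_files
 return @req_txt_and_in_files if @req_txt_and_in_files
 
@@ -237,6 +246,12 @@ module Dependabot
 unfetchable_files << error.file_path.gsub(%r{^/}, "")
 end
 
+poetry_path_setup_file_paths.each do |path|
+path_setup_files += fetch_path_setup_file(path, allow_pyproject: true)
+rescue Dependabot::DependencyFileNotFound => error
+unfetchable_files << error.file_path.gsub(%r{^/}, "")
+end
+
 if unfetchable_files.any?
 raise Dependabot::PathDependenciesNotReachable, unfetchable_files
 end
@@ -244,7 +259,7 @@ module Dependabot
 path_setup_files
 end
 
-def fetch_path_setup_file(path)
+def fetch_path_setup_file(path, allow_pyproject: false)
 path_setup_files = []
 
 unless path.end_with?(".tar.gz", ".zip")
@@ -252,22 +267,38 @@ module Dependabot
 end
 return [] if path == "setup.py" && setup_file
 
-path_setup_files <<
-
+path_setup_files <<
+begin
+fetch_file_from_host(
+path,
+fetch_submodules: true
+).tap { |f| f.support_file = true }
+rescue Dependabot::DependencyFileNotFound
+raise unless allow_pyproject
+
+fetch_file_from_host(
+path.gsub("setup.py", "pyproject.toml"),
+fetch_submodules: true
+).tap { |f| f.support_file = true }
+end
 
 return path_setup_files unless path.end_with?(".py")
 
+path_setup_files + cfg_files_for_setup_py(path)
+end
+
+def cfg_files_for_setup_py(path)
+cfg_path = path.gsub(/\.py$/, ".cfg")
+
 begin
-
-path_setup_files <<
+[
 fetch_file_from_host(cfg_path, fetch_submodules: true).
-
+tap { |f| f.support_file = true }
+]
 rescue Dependabot::DependencyFileNotFound
 # Ignore lack of a setup.cfg
-
+[]
 end
-
-path_setup_files
 end
 
 def requirements_file?(file)
@@ -337,9 +368,26 @@ module Dependabot
 
 paths
 end
+
+def poetry_path_setup_file_paths
+return [] unless pyproject
+
+paths = []
+%w(dependencies dev-dependencies).each do |dep_type|
+next unless parsed_pyproject.dig("tool", "poetry", dep_type)
+
+parsed_pyproject.dig("tool", "poetry", dep_type).each do |_, req|
+next unless req.is_a?(Hash) && req["path"]
+
+paths << req["path"]
+end
+end
+
+paths
+end
 end
 end
 end
+# rubocop:enable Metrics/ClassLength
 
-Dependabot::FileFetchers.
-register("pip", Dependabot::Python::FileFetcher)
+Dependabot::FileFetchers.register("pip", Dependabot::Python::FileFetcher)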
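Review bot: In the fallback added to fetch_path_setup_file, `path.gsub("setup.py", "pyproject.toml")` rewrites every occurrence of the substring rather than just the trailing file name, so a constructed path like `vendor/setup.py-tools/setup.py` would be altered in two places; `path.sub(/setup\.py\z/, "pyproject.toml")` confines the rewrite to the file name. After a successful fallback `path` still ends in `.py`, so control continues to `cfg_files_for_setup_py(path)` and a `setup.cfg` is requested beside a Poetry project; the miss is swallowed, so this only costs an extra fetch, but it is worth a comment on the rescue branch saying so. The head of fetch_path_setup_file, where `path` is composed, lies outside this hunk, so whether `path` always ends in `setup.py` at this point is inferred. In poetry_path_setup_file_paths, `req["path"]` is taken verbatim from the repository's pyproject.toml and handed to `fetch_file_from_host`, exactly as the existing requirements-file loop does; that relies on the base fetcher confining the path to the repository, which cannot be confirmed from this hunk.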
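--- a/data/lib/dependabot/python/file_updater/poetry_file_updater.rb
+++ b/data/lib/dependabot/python/file_updater/poetry_file_updater.rb
@@ -98,18 +98,21 @@ module Dependabot
 end
 
 def prepared_pyproject
-
-
-
-
-
-
+@prepared_pyproject ||=
+begin
+content = updated_pyproject_content
+content = sanitize(content)
+content = freeze_other_dependencies(content)
+content = freeze_dependencies_being_updated(content)
+content = add_private_sources(content)
+content
+end
 end
 
 def freeze_other_dependencies(pyproject_content)
 PyprojectPreparer.
-new(pyproject_content: pyproject_content).
-freeze_top_level_dependencies_except(dependencies
+new(pyproject_content: pyproject_content, lockfile: lockfile).
+freeze_top_level_dependencies_except(dependencies)
 end
 
 def freeze_dependencies_being_updated(pyproject_content)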
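Review bot: `freeze_other_dependencies` now hands `lockfile` to PyprojectPreparer, and the preparer's `freeze_top_level_dependencies_except` returns the content untouched when that is nil (the `return pyproject_content unless lockfile` line in pyproject_preparer.rb), so a project without a poetry.lock silently skips the pinning step inside `prepared_pyproject`; nothing in this hunk records that. A comment above the `PyprojectPreparer.` call, `# Other dependencies are only pinned when a poetry.lock exists; without one the preparer returns the content unchanged`, would make the behaviour visible from this file. The `prepared_pyproject` pipeline also carries no note on why its steps run in this order; if the order matters (pinning before `add_private_sources`, for instance), a one-line comment on the `begin` line stating that would help the next maintainer.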
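--- a/data/lib/dependabot/python/file_updater/pyproject_preparer.rb
+++ b/data/lib/dependabot/python/file_updater/pyproject_preparer.rb
@@ -9,8 +9,9 @@ module Dependabot
 module Python
 class FileUpdater
 class PyprojectPreparer
-def initialize(pyproject_content:)
+def initialize(pyproject_content:, lockfile: nil)
 @pyproject_content = pyproject_content
+@lockfile = lockfile
 end
 
 def replace_sources(credentials)
@@ -31,7 +32,7 @@ module Dependabot
 end
 
 # rubocop:disable Metrics/PerceivedComplexity
-def freeze_top_level_dependencies_except(dependencies
+def freeze_top_level_dependencies_except(dependencies)
 return pyproject_content unless lockfile
 
 pyproject_object = TomlRB.parse(pyproject_content)
@@ -44,7 +45,7 @@ module Dependabot
 poetry_object.fetch(key).each do |dep_name, _|
 next if excluded_names.include?(normalise(dep_name))
 
-locked_details = locked_details(dep_name
+locked_details = locked_details(dep_name)
 
 next unless (locked_version = locked_details&.fetch("version"))
 
@@ -67,11 +68,9 @@ module Dependabot
 
 private
 
-attr_reader :pyproject_content
-
-def locked_details(dep_name, lockfile)
-parsed_lockfile = TomlRB.parse(lockfile.content)
+attr_reader :pyproject_content, :lockfile
 
+def locked_details(dep_name)
 parsed_lockfile.fetch("package").
 find { |d| d["name"] == normalise(dep_name) }
 end
@@ -99,6 +98,10 @@ module Dependabot
 select { |cred| cred["type"] == "python_index" }.
 map { |cred| { "url" => cred["index-url"] } }
 end
+
+def parsed_lockfile
+@parsed_lockfile ||= TomlRB.parse(lockfile.content)
+end
 end
 end
 end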
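Review bot: The new `parsed_lockfile` memoises `TomlRB.parse(lockfile.content)` without rescuing `TomlRB::ParseError`, so a malformed poetry.lock surfaces as a raw parser exception, whereas `parsed_pyproject` in file_fetcher.rb in this same release maps the equivalent failure to `Dependabot::DependencyFileNotParseable`. Adding `rescue TomlRB::ParseError` followed by `raise Dependabot::DependencyFileNotParseable, lockfile.path` to the method keeps the two consistent; whether that error class is required in this file is inferred from the fetcher, since the requires are outside the hunks. The method is only reached after the `return pyproject_content unless lockfile` guard in `freeze_top_level_dependencies_except`, so the nil case is covered there, but a comment on `parsed_lockfile` noting that it assumes a lockfile is present would make the dependency explicit for any future caller.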
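--- a/data/lib/dependabot/python/update_checker/poetry_version_resolver.rb
+++ b/data/lib/dependabot/python/update_checker/poetry_version_resolver.rb
@@ -164,11 +164,14 @@ module Dependabot
 end
 
 def updated_pyproject_content
-
-
-
-
-
+@updated_pyproject_content ||=
+begin
+content = pyproject.content
+content = sanitize_pyproject_content(content)
+content = freeze_other_dependencies(content)
+content = unlock_target_dependency(content) if unlock_requirement?
+content
+end
 end
 
 def sanitized_pyproject_content
@@ -185,8 +188,8 @@ module Dependabot
 
 def freeze_other_dependencies(pyproject_content)
 Python::FileUpdater::PyprojectPreparer.
-new(pyproject_content: pyproject_content).
-freeze_top_level_dependencies_except([dependency]
+new(pyproject_content: pyproject_content, lockfile: lockfile).
+freeze_top_level_dependencies_except([dependency])
 end
 
 def unlock_target_dependency(pyproject_content)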
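Review bot: `updated_pyproject_content` now caches its result in `@updated_pyproject_content`, so the `unlock_requirement?` decision on the `unlock_target_dependency` line is evaluated once and baked into the cached content; if the resolver can be asked to resolve both with and without unlocking during its lifetime, the second request would receive the first request's content. That is inferred from the memoisation alone, since the call sites and `unlock_requirement?` lie outside the hunk; if the flag is fixed at construction, a comment on the `||=` line, `# Memoised: unlock_requirement? does not change for the life of the resolver`, would record the assumption. The `lockfile:` passed in the second hunk makes `freeze_other_dependencies` a no-op when `lockfile` is nil (the preparer returns early in that case), which is also worth a line of explanation at the call.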
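--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-version: 0.95.
+version: 0.95.50
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.95.
+version: 0.95.50
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.95.
+version: 0.95.50
 - !ruby/object:Gem::Dependency
 name: byebug
 requirement: !ruby/object:Gem::Requirement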