dependabot-python 0.98.7 → 0.98.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d309884fb08b759885ec446fcd51a1527a21cdc43a6aa1d1a647adfd67be5d4
-  data.tar.gz: c4a011bad8bece6a1caf78952af0c667962319056dfa8f082b3b95d5c39a6992
+  metadata.gz: fb408ef9461ee63b60df855f633f8b27eebfb464f630e4c22366aa57d2e15f29
+  data.tar.gz: ce8f327163ab06b16a13592a8b9abaaf5e25377a78483a070da4665dcaba3444
 SHA512:
-  metadata.gz: 5b03d21b2f4f6f7d9b943878477a9db2c9f4ff7972e50ef599689fb04150a358320213a2ec0598ad7e1f13eafab445d512b134d09a00c7d80cdfbd35c12aa1d2
-  data.tar.gz: eb9ef187a794d4c437f3a970c3da0172e44e32ab438326bb3f6eed32ba8352561e21ce903d4c8ff22116989e7e552819b7c190cde3f14846aa3514b74a48deb4
+  metadata.gz: 9536b0e57c8146a6581f4b26f1faf610603a400479b00abdae7eef2cea69578da22eaf9643cc11b4a9859f39e3587febc6cdb72f9a943d4aaad07e61b9ade391
+  data.tar.gz: c1f692639f551b64b2546a1da106e4ed8f1c87a0cccce728f95675c393f97eea299728636baf01002eabdf60167ff830755b02053c987a0a5cd116dd4f86033e

data/lib/dependabot/python/file_parser.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require "toml-rb"
-
+require "shellwords"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -125,8 +125,10 @@ module Dependabot
         SharedHelpers.in_a_temporary_directory do
           write_temporary_dependency_files
 
+          command_parts = ["pyenv", "exec", "python",
+                           NativeHelpers.python_helper_path]
           requirements = SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+            command: Shellwords.join(command_parts),
             function: "parse_requirements",
             args: [Dir.pwd]
           )

data/lib/dependabot/python/file_parser/setup_file_parser.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "shellwords"
 require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/file_parsers/base/dependency_set"
@@ -57,8 +58,10 @@ module Dependabot
           SharedHelpers.in_a_temporary_directory do
             write_temporary_dependency_files
 
+            command_parts = ["pyenv", "exec", "python",
+                             NativeHelpers.python_helper_path]
             requirements = SharedHelpers.run_helper_subprocess(
-              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              command: Shellwords.join(command_parts),
               function: "parse_setup",
               args: [Dir.pwd]
             )
@@ -78,8 +81,10 @@ module Dependabot
           SharedHelpers.in_a_temporary_directory do
             write_sanitized_setup_file
 
+            command_parts = ["pyenv", "exec", "python",
+                             NativeHelpers.python_helper_path]
             requirements = SharedHelpers.run_helper_subprocess(
-              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              command: Shellwords.join(command_parts),
               function: "parse_setup",
               args: [Dir.pwd]
             )

data/lib/dependabot/python/file_updater/pip_compile_file_updater.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "open3"
+require "shellwords"
 require "dependabot/python/requirement_parser"
 require "dependabot/python/file_fetcher"
 require "dependabot/python/file_updater"
@@ -55,6 +56,8 @@ module Dependabot
           ]
         end
 
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/MethodLength
         def compile_new_requirement_files
           SharedHelpers.in_a_temporary_directory do
             write_updated_dependency_files
@@ -63,15 +66,20 @@ module Dependabot
             filenames_to_compile.each do |filename|
               # Shell out to pip-compile, generate a new set of requirements.
               # This is slow, as pip-compile needs to do installs.
-              run_pip_compile_command(
-                "pyenv exec pip-compile #{pip_compile_options(filename)} "\
-                "-P #{dependency.name}==#{dependency.version} #{filename}"
-              )
+              cmd_dep_name = Shellwords.join([
+                "pyenv", "exec", "pip-compile",
+                pip_compile_options(filename),
+                "-P", dependency.name
+              ].reject(&:empty?))
+              cmd_dep_version = Shellwords.join([dependency.version, filename])
+              # Don't escape pyenv `dep-name==version` syntax
+              run_pip_compile_command(["#{cmd_dep_name}==#{cmd_dep_version}"],
+                                      escape: false)
               # Run pip-compile a second time, without an update argument, to
               # ensure it resets the right comments.
               run_pip_compile_command(
-                "pyenv exec pip-compile #{pip_compile_options(filename)} "\
-                "#{filename}"
+                ["pyenv", "exec", "pip-compile", pip_compile_options(filename),
+                 filename].reject(&:empty?)
               )
             end
 
@@ -91,6 +99,8 @@ module Dependabot
             end.compact
           end
         end
+        # rubocop:enable Metrics/MethodLength
+        # rubocop:enable Metrics/AbcSize
 
         def update_manifest_files
           dependency_files.map do |file|
@@ -129,11 +139,10 @@ module Dependabot
           ).updated_dependency_files
         end
 
-        def run_command(command)
-          command = command.dup
-          env_cmd = [python_env, command].compact
+        def run_command(cmd_parts, env: python_env, escape: true)
           start = Time.now
-          stdout, process = Open3.capture2e(*env_cmd)
+          command = escape ? Shellwords.join(cmd_parts) : cmd_parts.join(" ")
+          stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 
           return stdout if process.success?
@@ -148,9 +157,9 @@ module Dependabot
           )
         end
 
-        def run_pip_compile_command(command)
-          local_command = "pyenv local #{python_version} && " + command
-          run_command(local_command)
+        def run_pip_compile_command(command_parts, escape: true)
+          run_command(["pyenv", "local", python_version])
+          run_command(command_parts, escape: escape)
         rescue SharedHelpers::HelperSubprocessFailed => error
           original_error ||= error
           msg = error.message
@@ -216,13 +225,13 @@ module Dependabot
         end
 
         def install_required_python
-          if run_command("pyenv versions").include?("#{python_version}\n")
+          if run_command(%w(pyenv versions)).include?("#{python_version}\n")
             return
           end
 
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r " + \
-                      NativeHelpers.python_requirements_path)
+          run_command(["pyenv", "install", "-s", python_version])
+          run_command(["pyenv", "exec", "pip", "install", "-r",
+                       NativeHelpers.python_requirements_path])
         end
 
         def sanitized_setup_file_content(file)
@@ -366,8 +375,10 @@ module Dependabot
         end
 
         def package_hashes_for(name:, version:, algorithm:)
+          command_parts = ["pyenv", "exec", "python",
+                           NativeHelpers.python_helper_path]
           SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+            command: Shellwords.join(command_parts),
             function: "get_dependency_hash",
             args: [name, version, algorithm]
           ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
@@ -512,7 +523,7 @@ module Dependabot
         end
 
         def pyenv_versions
-          @pyenv_versions ||= run_command("pyenv install --list")
+          @pyenv_versions ||= run_command(["pyenv", "install", "--list"])
         end
 
         def pre_installed_python?(version)

data/lib/dependabot/python/file_updater/pipfile_file_updater.rb

@@ -2,6 +2,7 @@
 
 require "toml-rb"
 require "open3"
+require "shellwords"
 require "dependabot/python/requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/shared_helpers"
@@ -190,10 +191,11 @@ module Dependabot
                 install_required_python
 
                 # Initialize a git repo to appease pip-tools
-                IO.popen("git init", err: %i(child out)) if setup_files.any?
+                command = Shellwords.join(%w(git init))
+                IO.popen(command, err: %i(child out)) if setup_files.any?
 
                 run_pipenv_command(
-                  pipenv_environment_variables + "pyenv exec pipenv lock"
+                  %w(pyenv exec pipenv lock)
                 )
 
                 result = { lockfile: File.read("Pipfile.lock") }
@@ -229,19 +231,21 @@ module Dependabot
         end
 
         def generate_updated_requirements_files
-          run_pipenv_command(
-            pipenv_environment_variables +
-              "pyenv exec pipenv lock -r > req.txt"
+          req_content = run_pipenv_command(
+            ["pyenv", "exec", "pipenv", "lock", "-r"]
           )
-          run_pipenv_command(
-            pipenv_environment_variables +
-              "pyenv exec pipenv lock -r -d > dev-req.txt"
+          File.write("req.txt", req_content)
+
+          dev_req_content = run_pipenv_command(
+            ["pyenv", "exec", "pipenv", "lock", "-r", "-d"]
           )
+          File.write("dev-req.txt", dev_req_content)
         end
 
-        def run_command(command)
+        def run_command(command_parts, env: {})
           start = Time.now
-          stdout, process = Open3.capture2e(command)
+          command = Shellwords.join(command_parts)
+          stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 
           # Raise an error with the output from the shell session if Pipenv
@@ -258,9 +262,9 @@ module Dependabot
           )
         end
 
-        def run_pipenv_command(command)
-          local_command = "pyenv local #{python_version} && " + command
-          run_command(local_command)
+        def run_pipenv_command(command_parts, env: pipenv_env_variables)
+          run_command(["pyenv", "local", python_version])
+          run_command(command_parts, env: env)
         rescue SharedHelpers::HelperSubprocessFailed => error
           original_error ||= error
           msg = error.message
@@ -274,7 +278,8 @@ module Dependabot
           raise relevant_error if python_version.start_with?("2")
 
           # Clear the existing virtualenv, so that we use the new Python version
-          run_command("pyenv local #{python_version} && pyenv exec pipenv --rm")
+          run_command(["pyenv", "local", python_version])
+          run_command(["pyenv", "exec", "pipenv", "--rm"])
 
           @python_version = "2.7.15"
           retry
@@ -318,18 +323,19 @@ module Dependabot
         def install_required_python
           # Initialize a git repo to appease pip-tools
           begin
-            run_command("git init") if setup_files.any?
+            run_command(%w(git init)) if setup_files.any?
           rescue Dependabot::SharedHelpers::HelperSubprocessFailed
             nil
           end
 
-          if run_command("pyenv versions").include?("#{python_version}\n")
+          if run_command(%w(pyenv versions)).include?("#{python_version}\n")
             return
           end
 
           requirements_path = NativeHelpers.python_requirements_path
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r #{requirements_path}")
+          run_command(["pyenv", "install", "-s", python_version])
+          run_command(["pyenv", "exec", "pip", "install", "-r",
+                       requirements_path])
         end
 
         def sanitized_setup_file_content(file)
@@ -400,7 +406,7 @@ module Dependabot
         end
 
         def pyenv_versions
-          @pyenv_versions ||= run_command("pyenv install --list")
+          @pyenv_versions ||= run_command(["pyenv", "install", "--list"])
         end
 
         def pipfile_python_requirement
@@ -419,8 +425,10 @@ module Dependabot
         def pipfile_hash_for(pipfile_content)
           SharedHelpers.in_a_temporary_directory do |dir|
             File.write(File.join(dir, "Pipfile"), pipfile_content)
+            command_parts = ["pyenv", "exec", "python",
+                             NativeHelpers.python_helper_path]
             SharedHelpers.run_helper_subprocess(
-              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              command: Shellwords.join(command_parts),
               function: "get_pipfile_hash",
               args: [dir]
             )
@@ -482,16 +490,14 @@ module Dependabot
           dependency_files.find { |f| f.name == ".python-version" }
         end
 
-        def pipenv_environment_variables
-          environment_variables = [
-            "PIPENV_YES=true",       # Install new Python versions if needed
-            "PIPENV_MAX_RETRIES=3",  # Retry timeouts
-            "PIPENV_NOSPIN=1",       # Don't pollute logs with spinner
-            "PIPENV_TIMEOUT=600",    # Set install timeout to 10 minutes
-            "PIP_DEFAULT_TIMEOUT=60" # Set pip timeout to 1 minute
-          ]
-
-          environment_variables.join(" ") + " "
+        def pipenv_env_variables
+          {
+            "PIPENV_YES" => "true",       # Install new Python ver if needed
+            "PIPENV_MAX_RETRIES" => "3",  # Retry timeouts
+            "PIPENV_NOSPIN" => "1",       # Don't pollute logs with spinner
+            "PIPENV_TIMEOUT" => "600",    # Set install timeout to 10 minutes
+            "PIP_DEFAULT_TIMEOUT" => "60" # Set pip timeout to 1 minute
+          }
         end
       end
     end

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -2,6 +2,7 @@
 
 require "toml-rb"
 require "open3"
+require "shellwords"
 require "dependabot/shared_helpers"
 require "dependabot/python/version"
 require "dependabot/python/requirement"
@@ -153,14 +154,15 @@ module Dependabot
             write_temporary_dependency_files(pyproject_content)
 
             if python_version && !pre_installed_python?(python_version)
-              run_poetry_command("pyenv install -s  #{python_version}")
-              run_poetry_command("pyenv exec pip install --upgrade pip")
-              run_poetry_command("pyenv exec pip install -r " + \
-                                 NativeHelpers.python_requirements_path)
+              run_poetry_command(["pyenv", "install", "-s", python_version])
+              run_poetry_command(["pyenv", "exec", "pip", "install",
+                                  "--upgrade", "pip"])
+              run_poetry_command(["pyenv", "exec", "pip", "install", "-r",
+                                  NativeHelpers.python_requirements_path])
             end
 
             run_poetry_command(
-              "pyenv exec poetry update #{dependency.name} --lock"
+              ["pyenv", "exec", "poetry", "update", dependency.name, "--lock"]
             )
 
             return File.read("poetry.lock") if File.exist?("poetry.lock")
@@ -169,8 +171,9 @@ module Dependabot
           end
         end
 
-        def run_poetry_command(command)
+        def run_poetry_command(command_parts)
           start = Time.now
+          command = Shellwords.join(command_parts)
           stdout, process = Open3.capture2e(command)
           time_taken = Time.now - start
 
@@ -231,7 +234,7 @@ module Dependabot
         end
 
         def pyenv_versions
-          @pyenv_versions ||= run_poetry_command("pyenv install --list")
+          @pyenv_versions ||= run_poetry_command(["pyenv", "install", "--list"])
         end
 
         def pre_installed_python?(version)
@@ -241,8 +244,10 @@ module Dependabot
         def pyproject_hash_for(pyproject_content)
           SharedHelpers.in_a_temporary_directory do |dir|
             File.write(File.join(dir, "pyproject.toml"), pyproject_content)
+            command_parts = ["pyenv", "exec", "python",
+                             NativeHelpers.python_helper_path]
             SharedHelpers.run_helper_subprocess(
-              command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+              command: Shellwords.join(command_parts),
               function: "get_pyproject_hash",
               args: [dir]
             )

data/lib/dependabot/python/file_updater/requirement_file_updater.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "shellwords"
 require "dependabot/python/requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/shared_helpers"
@@ -139,8 +140,10 @@ module Dependabot
         end
 
         def package_hashes_for(name:, version:, algorithm:)
+          command_parts = ["pyenv", "exec", "python",
+                           NativeHelpers.python_helper_path]
           SharedHelpers.run_helper_subprocess(
-            command: "pyenv exec python #{NativeHelpers.python_helper_path}",
+            command: Shellwords.join(command_parts),
             function: "get_dependency_hash",
             args: [name, version, algorithm]
           ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }

data/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "open3"
+require "shellwords"
 require "dependabot/python/requirement_parser"
 require "dependabot/python/file_fetcher"
 require "dependabot/python/file_parser"
@@ -11,14 +12,13 @@ require "dependabot/python/version"
 require "dependabot/shared_helpers"
 require "dependabot/python/native_helpers"
 require "dependabot/python/python_versions"
-
-# rubocop:disable Metrics/ClassLength
 module Dependabot
   module Python
     class UpdateChecker
       # This class does version resolution for pip-compile. Its approach is:
       # - Unlock the dependency we're checking in the requirements.in file
       # - Run `pip-compile` and see what the result is
+      # rubocop:disable Metrics/ClassLength
       class PipCompileVersionResolver
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
 
@@ -59,13 +59,13 @@ module Dependabot
                   # Shell out to pip-compile.
                   # This is slow, as pip-compile needs to do installs.
                   run_pip_compile_command(
-                    "pyenv exec pip-compile --allow-unsafe "\
-                    "-P #{dependency.name} #{filename}"
+                    ["pyenv", "exec", "pip-compile", "--allow-unsafe",
+                     "-P", dependency.name, filename]
                   )
                   # Run pip-compile a second time, without an update argument,
                   # to ensure it handles markers correctly
                   run_pip_compile_command(
-                    "pyenv exec pip-compile --allow-unsafe #{filename}"
+                    ["pyenv", "exec", "pip-compile", "--allow-unsafe", filename]
                   )
                 end
 
@@ -118,8 +118,8 @@ module Dependabot
               write_temporary_dependency_files(unlock_requirement: false)
 
               filenames_to_compile.each do |filename|
-                cmd = "pyenv exec pip-compile --allow-unsafe #{filename}"
-                run_command(cmd)
+                run_command(["pyenv", "exec", "pip-compile", "--allow-unsafe",
+                             filename])
               end
 
               true
@@ -134,11 +134,10 @@ module Dependabot
           end
         end
 
-        def run_command(command)
-          command = command.dup
-          env_cmd = [python_env, command].compact
+        def run_command(command_parts, env: python_env)
           start = Time.now
-          stdout, process = Open3.capture2e(*env_cmd)
+          command = Shellwords.join(command_parts)
+          stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 
           return stdout if process.success?
@@ -153,9 +152,9 @@ module Dependabot
           )
         end
 
-        def run_pip_compile_command(command)
-          local_command = "pyenv local #{python_version} && " + command
-          run_command(local_command)
+        def run_pip_compile_command(command_parts)
+          run_command(["pyenv", "local", python_version])
+          run_command(command_parts)
         rescue SharedHelpers::HelperSubprocessFailed => error
           original_error ||= error
           msg = error.message
@@ -225,13 +224,13 @@ module Dependabot
         end
 
         def install_required_python
-          if run_command("pyenv versions").include?("#{python_version}\n")
+          if run_command(%w(pyenv versions)).include?("#{python_version}\n")
             return
           end
 
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r " + \
-                      NativeHelpers.python_requirements_path)
+          run_command(["pyenv", "install", "-s", python_version])
+          run_command(["pyenv", "exec", "pip", "install", "-r",
+                       NativeHelpers.python_requirements_path])
         end
 
         def sanitized_setup_file_content(file)
@@ -411,7 +410,7 @@ module Dependabot
         end
 
         def pyenv_versions
-          @pyenv_versions ||= run_command("pyenv install --list")
+          @pyenv_versions ||= run_command(["pyenv", "install", "--list"])
         end
 
         def pre_installed_python?(version)
@@ -434,7 +433,7 @@ module Dependabot
           dependency_files.find { |f| f.name == ".python-version" }
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end
-# rubocop:enable Metrics/ClassLength

data/lib/dependabot/python/update_checker/pipfile_version_resolver.rb

@@ -3,6 +3,7 @@
 require "excon"
 require "toml-rb"
 require "open3"
+require "shellwords"
 require "dependabot/errors"
 require "dependabot/shared_helpers"
 require "dependabot/python/file_parser"
@@ -78,7 +79,7 @@ module Dependabot
                 # pipenv flow, an install is still done by pip-tools in order
                 # to resolve the dependencies. That means this is slow.
                 run_pipenv_command(
-                  pipenv_environment_variables + "pyenv exec pipenv lock"
+                  %w(pyenv exec pipenv lock)
                 )
 
                 updated_lockfile = JSON.parse(File.read("Pipfile.lock"))
@@ -195,7 +196,7 @@ module Dependabot
               write_temporary_dependency_files(update_pipfile: false)
 
               run_pipenv_command(
-                pipenv_environment_variables + "pyenv exec pipenv lock"
+                %w(pyenv exec pipenv lock)
               )
 
               true
@@ -287,18 +288,19 @@ module Dependabot
         def install_required_python
           # Initialize a git repo to appease pip-tools
           begin
-            run_command("git init") if setup_files.any?
+            run_command(%w(git init)) if setup_files.any?
           rescue Dependabot::SharedHelpers::HelperSubprocessFailed
             nil
           end
 
-          if run_command("pyenv versions").include?("#{python_version}\n")
+          if run_command(%w(pyenv versions)).include?("#{python_version}\n")
             return
           end
 
           requirements_path = NativeHelpers.python_requirements_path
-          run_command("pyenv install -s #{python_version}")
-          run_command("pyenv exec pip install -r #{requirements_path}")
+          run_command(["pyenv", "install", "-s", python_version])
+          run_command(["pyenv", "exec", "pip", "install", "-r",
+                       requirements_path])
         end
 
         def sanitized_setup_file_content(file)
@@ -412,7 +414,7 @@ module Dependabot
         end
 
         def pyenv_versions
-          @pyenv_versions ||= run_command("pyenv install --list")
+          @pyenv_versions ||= run_command(["pyenv", "install", "--list"])
         end
 
         def pipfile_python_requirement
@@ -485,10 +487,10 @@ module Dependabot
           end
         end
 
-        def run_command(command)
-          command = command.dup
+        def run_command(command_parts, env: {})
           start = Time.now
-          stdout, process = Open3.capture2e(command)
+          command = Shellwords.join(command_parts)
+          stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 
           return stdout if process.success?
@@ -503,9 +505,9 @@ module Dependabot
           )
         end
 
-        def run_pipenv_command(command)
-          local_command = "pyenv local #{python_version} && " + command
-          run_command(local_command)
+        def run_pipenv_command(command_parts, env: pipenv_env_variables)
+          run_command(["pyenv", "local", python_version])
+          run_command(command_parts, env: env)
         rescue SharedHelpers::HelperSubprocessFailed => error
           original_error ||= error
           msg = error.message
@@ -519,7 +521,8 @@ module Dependabot
           raise relevant_error if python_version.start_with?("2")
 
           # Clear the existing virtualenv, so that we use the new Python version
-          run_command("pyenv local #{python_version} && pyenv exec pipenv --rm")
+          run_command(["pyenv", "local", python_version])
+          run_command(["pyenv", "exec", "pipenv", "--rm"])
 
           @python_version = "2.7.15"
           retry
@@ -566,16 +569,14 @@ module Dependabot
             map { |h| h.dup.merge("url" => h["url"].gsub(%r{/*$}, "") + "/") }
         end
 
-        def pipenv_environment_variables
-          environment_variables = [
-            "PIPENV_YES=true",       # Install new Python versions if needed
-            "PIPENV_MAX_RETRIES=3",  # Retry timeouts
-            "PIPENV_NOSPIN=1",       # Don't pollute logs with spinner
-            "PIPENV_TIMEOUT=600",    # Set install timeout to 10 minutes
-            "PIP_DEFAULT_TIMEOUT=60" # Set pip timeout to 1 minute
-          ]
-
-          environment_variables.join(" ") + " "
+        def pipenv_env_variables
+          {
+            "PIPENV_YES" => "true",       # Install new Python ver if needed
+            "PIPENV_MAX_RETRIES" => "3",  # Retry timeouts
+            "PIPENV_NOSPIN" => "1",       # Don't pollute logs with spinner
+            "PIPENV_TIMEOUT" => "600",    # Set install timeout to 10 minutes
+            "PIP_DEFAULT_TIMEOUT" => "60" # Set pip timeout to 1 minute
+          }
         end
 
         # See https://www.python.org/dev/peps/pep-0503/#normalized-names

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -3,6 +3,7 @@
 require "excon"
 require "toml-rb"
 require "open3"
+require "shellwords"
 require "dependabot/errors"
 require "dependabot/shared_helpers"
 require "dependabot/python/file_parser"
@@ -55,15 +56,15 @@ module Dependabot
               write_temporary_dependency_files
 
               if python_version && !pre_installed_python?(python_version)
-                run_poetry_command("pyenv install -s #{python_version}")
-                run_poetry_command("pyenv exec pip install -r " + \
-                                   NativeHelpers.python_requirements_path)
+                run_poetry_command(["pyenv", "install", "-s", python_version])
+                run_poetry_command(["pyenv", "exec", "pip", "install", "-r",
+                                    NativeHelpers.python_requirements_path])
               end
 
               # Shell out to Poetry, which handles everything for us.
               # Using `--lock` avoids doing an install.
               run_poetry_command(
-                "pyenv exec poetry update #{dependency.name} --lock"
+                ["pyenv", "exec", "poetry", "update", dependency.name, "--lock"]
               )
 
               updated_lockfile =
@@ -105,7 +106,7 @@ module Dependabot
             write_temporary_dependency_files(update_pyproject: false)
 
             run_poetry_command(
-              "pyenv exec poetry update #{dependency.name} --lock"
+              ["pyenv", "exec", "poetry", "update", dependency.name, "--lock"]
             )
 
             true
@@ -175,7 +176,7 @@ module Dependabot
         end
 
         def pyenv_versions
-          @pyenv_versions ||= run_poetry_command("pyenv install --list")
+          @pyenv_versions ||= run_poetry_command(["pyenv", "install", "--list"])
         end
 
         def pre_installed_python?(version)
@@ -311,8 +312,9 @@ module Dependabot
           dependency_files.find { |f| f.name == ".python-version" }
         end
 
-        def run_poetry_command(command)
+        def run_poetry_command(command_parts)
           start = Time.now
+          command = Shellwords.join(command_parts)
           stdout, process = Open3.capture2e(command)
           time_taken = Time.now - start
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.98.7
+  version: 0.98.8
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.98.7
+        version: 0.98.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.98.7
+        version: 0.98.8
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.65.0
+        version: 0.66.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.65.0
+        version: 0.66.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement