dependabot-uv 0.299.1 → 0.301.0

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -0,0 +1,392 @@
+# typed: true
+# frozen_string_literal: true
+
+require "toml-rb"
+require "open3"
+require "dependabot/dependency"
+require "dependabot/shared_helpers"
+require "dependabot/uv/language_version_manager"
+require "dependabot/uv/version"
+require "dependabot/uv/requirement"
+require "dependabot/uv/file_parser/python_requirement_parser"
+require "dependabot/uv/file_updater"
+require "dependabot/uv/native_helpers"
+require "dependabot/uv/name_normaliser"
+
+module Dependabot
+  module Uv
+    class FileUpdater
+      class LockFileUpdater
+        require_relative "pyproject_preparer"
+
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :index_urls
+
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @index_urls = index_urls
+        end
+
+        def updated_dependency_files
+          @updated_dependency_files ||= fetch_updated_dependency_files
+        end
+
+        private
+
+        def dependency
+          # For now, we'll only ever be updating a single dependency
+          dependencies.first
+        end
+
+        def fetch_updated_dependency_files
+          updated_files = []
+
+          if file_changed?(pyproject)
+            updated_files <<
+              updated_file(
+                file: pyproject,
+                content: updated_pyproject_content
+              )
+          end
+
+          if lockfile
+            # Use updated_lockfile_content which might raise if the lockfile doesn't change
+            new_content = updated_lockfile_content
+            raise "Expected lockfile to change!" if lockfile.content == new_content
+
+            updated_files << updated_file(file: lockfile, content: new_content)
+          end
+
+          updated_files
+        end
+
+        def updated_pyproject_content
+          content = pyproject.content
+          return content unless file_changed?(pyproject)
+
+          updated_content = content.dup
+
+          dependency.requirements.zip(dependency.previous_requirements).each do |new_r, old_r|
+            next unless new_r[:file] == pyproject.name && old_r[:file] == pyproject.name
+
+            updated_content = replace_dep(dependency, updated_content, new_r, old_r)
+          end
+
+          raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
+
+          updated_content
+        end
+
+        def replace_dep(dep, content, new_r, old_r)
+          new_req = new_r[:requirement]
+          old_req = old_r[:requirement]
+
+          declaration_regex = declaration_regex(dep, old_r)
+          declaration_match = content.match(declaration_regex)
+          if declaration_match
+            declaration = declaration_match[:declaration]
+            new_declaration = declaration.sub(old_req, new_req)
+            content.sub(declaration, new_declaration)
+          else
+            content
+          end
+        end
+
+        def updated_lockfile_content
+          @updated_lockfile_content ||=
+            begin
+              original_content = lockfile.content
+              # Extract the original requires-python value to preserve it
+              original_requires_python = original_content
+                                         .match(/requires-python\s*=\s*["']([^"']+)["']/)&.captures&.first
+
+              # Use the original Python version requirement for the update if one exists
+              with_original_python_version(original_requires_python) do
+                new_lockfile = updated_lockfile_content_for(prepared_pyproject)
+
+                # Use direct string replacement to preserve the exact format
+                # Match the dependency section and update only the version
+                dependency_section_pattern = /
+                  (\[\[package\]\]\s*\n
+                   .*?name\s*=\s*["']#{Regexp.escape(dependency.name)}["']\s*\n
+                   .*?)
+                  (version\s*=\s*["'][^"']+["'])
+                  (.*?)
+                  (\[\[package\]\]|\z)
+                /xm
+
+                result = original_content.sub(dependency_section_pattern) do
+                  section_start = Regexp.last_match(1)
+                  version_line = "version = \"#{dependency.version}\""
+                  section_end = Regexp.last_match(3)
+                  next_section_or_end = Regexp.last_match(4)
+
+                  "#{section_start}#{version_line}#{section_end}#{next_section_or_end}"
+                end
+
+                # If the content didn't change and we expect it to, something went wrong
+                if result == original_content
+                  Dependabot.logger.warn("Package section not found for #{dependency.name}, falling back to raw update")
+                  result = new_lockfile
+                end
+
+                # Restore the original requires-python if it exists
+                if original_requires_python
+                  result = result.gsub(/requires-python\s*=\s*["'][^"']+["']/,
+                                       "requires-python = \"#{original_requires_python}\"")
+                end
+
+                result
+              end
+            end
+        end
+
+        # Helper method to temporarily override Python version during operations
+        def with_original_python_version(original_requires_python)
+          if original_requires_python
+            original_python_version = @original_python_version
+            @original_python_version = original_requires_python
+            result = yield
+            @original_python_version = original_python_version
+            result
+          else
+            yield
+          end
+        end
+
+        def prepared_pyproject
+          @prepared_pyproject ||=
+            begin
+              content = updated_pyproject_content
+              content = sanitize(content)
+              content = freeze_other_dependencies(content)
+              content = update_python_requirement(content)
+              content
+            end
+        end
+
+        def freeze_other_dependencies(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content, lockfile: lockfile)
+            .freeze_top_level_dependencies_except(dependencies)
+        end
+
+        def update_python_requirement(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content)
+            .update_python_requirement(language_version_manager.python_version)
+        end
+
+        def sanitize(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content)
+            .sanitize
+        end
+
+        def updated_lockfile_content_for(pyproject_content)
+          SharedHelpers.in_a_temporary_directory do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              write_temporary_dependency_files(pyproject_content)
+
+              # Install Python before writing .python-version to make sure we use a version that's available
+              language_version_manager.install_required_python
+
+              # Determine the Python version to use after installation
+              python_version = determine_python_version
+
+              # Now write the .python-version file with a version we know is installed
+              File.write(".python-version", python_version)
+
+              run_update_command
+
+              File.read("uv.lock")
+            end
+          end
+        end
+
+        def run_update_command
+          command = "pyenv exec uv lock --upgrade-package #{dependency.name}"
+          fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name>"
+
+          run_command(command, fingerprint:)
+        end
+
+        def run_command(command, fingerprint: nil)
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        end
+
+        def write_temporary_dependency_files(pyproject_content)
+          dependency_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+
+          # Only write the .python-version file after the language version manager has
+          # installed the required Python version to ensure it's available
+          # Overwrite the pyproject with updated content
+          File.write("pyproject.toml", pyproject_content)
+        end
+
+        def determine_python_version
+          # Check available Python versions through pyenv
+          available_versions = nil
+          begin
+            available_versions = SharedHelpers.run_shell_command("pyenv versions --bare")
+                                              .split("\n")
+                                              .map(&:strip)
+                                              .reject(&:empty?)
+          rescue StandardError => e
+            Dependabot.logger.warn("Error checking available Python versions: #{e}")
+          end
+
+          # Try to find the closest match for our priority order
+          preferred_version = find_preferred_version(available_versions)
+
+          if preferred_version
+            # Just return the major.minor version string
+            preferred_version.match(/^(\d+\.\d+)/)[1]
+          else
+            # If all else fails, use "system" which should work with whatever Python is available
+            "system"
+          end
+        end
+
+        def find_preferred_version(available_versions)
+          return nil unless available_versions&.any?
+
+          # Try each strategy in order of preference
+          try_version_from_file(available_versions) ||
+            try_version_from_requires_python(available_versions) ||
+            try_highest_python3_version(available_versions)
+        end
+
+        def try_version_from_file(available_versions)
+          python_version_file = dependency_files.find { |f| f.name == ".python-version" }
+          return nil unless python_version_file && !python_version_file.content.strip.empty?
+
+          requested_version = python_version_file.content.strip
+          return requested_version if version_available?(available_versions, requested_version)
+
+          Dependabot.logger.info("Python version #{requested_version} from .python-version not available")
+          nil
+        end
+
+        def try_version_from_requires_python(available_versions)
+          return nil unless @original_python_version
+
+          version_match = @original_python_version.match(/(\d+\.\d+)/)
+          return nil unless version_match
+
+          requested_version = version_match[1]
+          return requested_version if version_available?(available_versions, requested_version)
+
+          Dependabot.logger.info("Python version #{requested_version} from requires-python not available")
+          nil
+        end
+
+        def try_highest_python3_version(available_versions)
+          python3_versions = available_versions
+                             .select { |v| v.match(/^3\.\d+/) }
+                             .sort_by { |v| Gem::Version.new(v.match(/^(\d+\.\d+)/)[1]) }
+                             .reverse
+
+          python3_versions.first # returns nil if array is empty
+        end
+
+        def version_available?(available_versions, requested_version)
+          # Check if the exact version or a version with the same major.minor is available
+          available_versions.any? do |v|
+            v == requested_version || v.start_with?("#{requested_version}.")
+          end
+        end
+
+        def sanitize_env_name(url)
+          url.gsub(%r{^https?://}, "").gsub(/[^a-zA-Z0-9]/, "_").upcase
+        end
+
+        def declaration_regex(dep, old_req)
+          escaped_name = Regexp.escape(dep.name)
+          # Extract the requirement operator and version
+          operator = old_req.fetch(:requirement).match(/^(.+?)[0-9]/)&.captures&.first
+          # Escape special regex characters in the operator
+          escaped_operator = Regexp.escape(operator) if operator
+
+          # Match various formats of dependency declarations:
+          # 1. "dependency==1.0.0" (with quotes around the entire string)
+          # 2. dependency==1.0.0 (without quotes)
+          # The declaration should only include the package name, operator, and version
+          # without the enclosing quotes
+          /
+            ["']?(?<declaration>#{escaped_name}\s*#{escaped_operator}[\d\.\*]+)["']?
+          /x
+        end
+
+        def escape(name)
+          Regexp.escape(name).gsub("\\-", "[-_.]")
+        end
+
+        def file_changed?(file)
+          return false unless file
+
+          dependencies.any? do |dep|
+            dep.requirements.any? { |r| r[:file] == file.name } &&
+              requirement_changed?(file, dep)
+          end
+        end
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+
+        def updated_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+
+        def normalise(name)
+          NameNormaliser.normalise(name)
+        end
+
+        def python_requirement_parser
+          @python_requirement_parser ||=
+            FileParser::PythonRequirementParser.new(
+              dependency_files: dependency_files
+            )
+        end
+
+        def language_version_manager
+          @language_version_manager ||=
+            LanguageVersionManager.new(
+              python_requirement_parser: python_requirement_parser
+            )
+        end
+
+        def pyproject
+          @pyproject ||=
+            dependency_files.find { |f| f.name == "pyproject.toml" }
+        end
+
+        def lockfile
+          @lockfile ||= uv_lock
+        end
+
+        def python_helper_path
+          NativeHelpers.python_helper_path
+        end
+
+        def uv_lock
+          dependency_files.find { |f| f.name == "uv.lock" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_updater/pyproject_preparer.rb

@@ -19,104 +19,124 @@ module Dependabot
           @lockfile = lockfile
         end
 
-        # For hosted Dependabot token will be nil since the credentials aren't present.
-        # This is for those running Dependabot themselves and for dry-run.
-        def add_auth_env_vars(credentials)
-          TomlRB.parse(@pyproject_content).dig("tool", "poetry", "source")&.each do |source|
-            cred = credentials&.find { |c| c["index-url"] == source["url"] }
-            next unless cred
-
-            token = cred.fetch("token", nil)
-            next unless token && token.count(":") == 1
-
-            arr = token.split(":")
-            # https://python-poetry.org/docs/configuration/#using-environment-variables
-            name = source["name"]&.upcase&.gsub(/\W/, "_")
-            ENV["POETRY_HTTP_BASIC_#{name}_USERNAME"] = arr[0]
-            ENV["POETRY_HTTP_BASIC_#{name}_PASSWORD"] = arr[1]
+        def freeze_top_level_dependencies_except(dependencies_to_update)
+          return @pyproject_content unless lockfile
+
+          pyproject_object = TomlRB.parse(@pyproject_content)
+          deps_to_update_names = dependencies_to_update.map(&:name)
+
+          if pyproject_object["project"]&.key?("dependencies")
+            locked_deps = parsed_lockfile_dependencies || {}
+
+            pyproject_object["project"]["dependencies"] =
+              pyproject_object["project"]["dependencies"].map do |dep_string|
+                freeze_dependency(dep_string, deps_to_update_names, locked_deps)
+              end
           end
+
+          TomlRB.dump(pyproject_object)
         end
 
-        def update_python_requirement(requirement)
+        def update_python_requirement(python_version)
+          return @pyproject_content unless python_version
+
           pyproject_object = TomlRB.parse(@pyproject_content)
-          if (python_specification = pyproject_object.dig("tool", "poetry", "dependencies", "python"))
-            python_req = Uv::Requirement.new(python_specification)
-            unless python_req.satisfied_by?(requirement)
-              pyproject_object["tool"]["poetry"]["dependencies"]["python"] = "~#{requirement}"
-            end
+
+          if pyproject_object["project"]&.key?("requires-python")
+            pyproject_object["project"]["requires-python"] = ">=#{python_version}"
           end
+
           TomlRB.dump(pyproject_object)
         end
 
-        def sanitize
-          # {{ name }} syntax not allowed
-          pyproject_content
-            .gsub(/\{\{.*?\}\}/, "something")
-            .gsub('#{', "{")
-        end
+        def add_auth_env_vars(credentials)
+          return unless credentials
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/AbcSize
-        def freeze_top_level_dependencies_except(dependencies)
-          return pyproject_content unless lockfile
-
-          pyproject_object = TomlRB.parse(pyproject_content)
-          poetry_object = pyproject_object["tool"]["poetry"]
-          excluded_names = dependencies.map(&:name) + ["python"]
-
-          Dependabot::Uv::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
-            next unless poetry_object[key]
-
-            source_types = %w(directory file url)
-            poetry_object.fetch(key).each do |dep_name, _|
-              next if excluded_names.include?(normalise(dep_name))
-
-              locked_details = locked_details(dep_name)
-
-              next unless (locked_version = locked_details&.fetch("version"))
-
-              next if source_types.include?(locked_details&.dig("source", "type"))
-
-              if locked_details&.dig("source", "type") == "git"
-                poetry_object[key][dep_name] = {
-                  "git" => locked_details&.dig("source", "url"),
-                  "rev" => locked_details&.dig("source", "reference")
-                }
-                subdirectory = locked_details&.dig("source", "subdirectory")
-                poetry_object[key][dep_name]["subdirectory"] = subdirectory if subdirectory
-              elsif poetry_object[key][dep_name].is_a?(Hash)
-                poetry_object[key][dep_name]["version"] = locked_version
-              elsif poetry_object[key][dep_name].is_a?(Array)
-                # if it has multiple-constraints, locking to a single version is
-                # going to result in a bad lockfile, ignore
-                next
-              else
-                poetry_object[key][dep_name] = locked_version
-              end
-            end
+          credentials.each do |credential|
+            next unless credential["type"] == "python_index"
+
+            token = credential["token"]
+            index_url = credential["index-url"]
+
+            next unless token && index_url
+
+            # Set environment variables for uv auth
+            ENV["UV_INDEX_URL_TOKEN_#{sanitize_env_name(index_url)}"] = token
+
+            # Also set pip-style credentials for compatibility
+            ENV["PIP_INDEX_URL"] ||= "https://#{token}@#{index_url.gsub(%r{^https?://}, '')}"
           end
+        end
 
-          TomlRB.dump(pyproject_object)
+        def sanitize
+          # No special sanitization needed for UV files at this point
+          @pyproject_content
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 
-        attr_reader :pyproject_content
         attr_reader :lockfile
 
-        def locked_details(dep_name)
-          parsed_lockfile.fetch("package")
-                         .find { |d| d["name"] == normalise(dep_name) }
+        def parsed_lockfile
+          @parsed_lockfile ||= lockfile ? parse_lockfile(lockfile.content) : {}
         end
 
-        def normalise(name)
-          NameNormaliser.normalise(name)
+        def parse_lockfile(content)
+          TomlRB.parse(content)
+        rescue TomlRB::ParseError
+          {} # Return empty hash if parsing fails
         end
 
-        def parsed_lockfile
-          @parsed_lockfile ||= TomlRB.parse(lockfile.content)
+        def parsed_lockfile_dependencies
+          return {} unless lockfile
+
+          deps = {}
+          parsed = parsed_lockfile
+
+          # Handle UV lock format (version 1)
+          if parsed["version"] == 1 && parsed["package"].is_a?(Array)
+            parsed["package"].each do |pkg|
+              next unless pkg["name"] && pkg["version"]
+
+              deps[pkg["name"]] = { "version" => pkg["version"] }
+            end
+          # Handle traditional Poetry-style lock format
+          elsif parsed["dependencies"]
+            deps = parsed["dependencies"]
+          end
+
+          deps
+        end
+
+        def locked_version_for_dep(locked_deps, dep_name)
+          locked_deps.each do |name, details|
+            next unless Uv::FileParser.normalize_dependency_name(name) == dep_name
+            return details["version"] if details.is_a?(Hash) && details["version"]
+          end
+          nil
+        end
+
+        def sanitize_env_name(url)
+          url.gsub(%r{^https?://}, "").gsub(/[^a-zA-Z0-9]/, "_").upcase
+        end
+
+        def freeze_dependency(dep_string, deps_to_update_names, locked_deps)
+          package_name = dep_string.split(/[=>~<\[]/).first.strip
+          normalized_name = Uv::FileParser.normalize_dependency_name(package_name)
+
+          return dep_string if deps_to_update_names.include?(normalized_name)
+
+          version = locked_version_for_dep(locked_deps, normalized_name)
+          return dep_string unless version
+
+          if dep_string.include?("=") || dep_string.include?(">") ||
+             dep_string.include?("<") || dep_string.include?("~")
+            # Replace version constraint with exact version
+            dep_string.sub(/[=>~<\[].*$/, "==#{version}")
+          else
+            # Simple dependency, just append version
+            "#{dep_string}==#{version}"
+          end
         end
       end
     end

data/lib/dependabot/uv/file_updater.rb

@@ -13,6 +13,7 @@ module Dependabot
       extend T::Sig
 
       require_relative "file_updater/compile_file_updater"
+      require_relative "file_updater/lock_file_updater"
       require_relative "file_updater/requirement_file_updater"
 
       sig { override.returns(T::Array[Regexp]) }
@@ -20,13 +21,15 @@ module Dependabot
         [
           /^.*\.txt$/,               # Match any .txt files (e.g., requirements.txt) at any level
           /^.*\.in$/,                # Match any .in files at any level
-          /^.*pyproject\.toml$/      # Match pyproject.toml at any level
+          /^.*pyproject\.toml$/,     # Match pyproject.toml at any level
+          /^.*uv\.lock$/             # Match uv.lock at any level
         ]
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
         updated_files = updated_pip_compile_based_files
+        updated_files += updated_uv_lock_files
 
         if updated_files.none? ||
            updated_files.sort_by(&:name) == dependency_files.sort_by(&:name)
@@ -65,6 +68,16 @@ module Dependabot
         ).updated_dependency_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
+      def updated_uv_lock_files
+        LockFileUpdater.new(
+          dependencies: dependencies,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
+        ).updated_dependency_files
+      end
+
       sig { returns(T::Array[String]) }
       def pip_compile_index_urls
         if credentials.any?(&:replaces_base?)

data/lib/dependabot/uv/{pip_compile_file_matcher.rb → requirements_file_matcher.rb}

@@ -3,16 +3,16 @@
 
 module Dependabot
   module Uv
-    class PipCompileFileMatcher
+    class RequiremenstFileMatcher
       extend T::Sig
 
-      sig { params(requirements_in_files: T::Array[Dependabot::Uv::Requirement]).void }
+      sig { params(requirements_in_files: T::Array[Requirement]).void }
       def initialize(requirements_in_files)
         @requirements_in_files = requirements_in_files
       end
 
-      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
-      def lockfile_for_pip_compile_file?(file)
+      sig { params(file: DependencyFile).returns(T::Boolean) }
+      def compiled_file?(file)
         return false unless requirements_in_files.any?
 
         name = file.name
@@ -26,7 +26,7 @@ module Dependabot
 
       private
 
-      sig { returns(T::Array[Dependabot::Uv::Requirement]) }
+      sig { returns(T::Array[Requirement]) }
       attr_reader :requirements_in_files
 
       sig { params(filename: T.any(String, Symbol)).returns(String) }