dependabot-uv 0.299.1

data/lib/dependabot/uv/update_checker/requirements_updater.rb

@@ -0,0 +1,391 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/uv/requirement_parser"
+require "dependabot/uv/requirement"
+require "dependabot/uv/update_checker"
+require "dependabot/uv/version"
+require "dependabot/requirements_update_strategy"
+
+module Dependabot
+  module Uv
+    class UpdateChecker
+      class RequirementsUpdater
+        PYPROJECT_OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/
+        PYPROJECT_SEPARATOR = /#{PYPROJECT_OR_SEPARATOR}|,/
+
+        class UnfixableRequirement < StandardError; end
+
+        attr_reader :requirements
+        attr_reader :update_strategy
+        attr_reader :has_lockfile
+        attr_reader :latest_resolvable_version
+
+        def initialize(requirements:, update_strategy:, has_lockfile:,
+                       latest_resolvable_version:)
+          @requirements = requirements
+          @update_strategy = update_strategy
+          @has_lockfile = has_lockfile
+
+          return unless latest_resolvable_version
+
+          @latest_resolvable_version =
+            Uv::Version.new(latest_resolvable_version)
+        end
+
+        def updated_requirements
+          return requirements if update_strategy.lockfile_only?
+
+          requirements.map do |req|
+            case req[:file]
+            when /setup\.(?:py|cfg)$/ then updated_setup_requirement(req)
+            when "pyproject.toml" then updated_pyproject_requirement(req)
+            when "Pipfile" then updated_pipfile_requirement(req)
+            when /\.txt$|\.in$/ then updated_requirement(req)
+            else raise "Unexpected filename: #{req[:file]}"
+            end
+          end
+        end
+
+        private
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        def updated_setup_requirement(req)
+          return req unless latest_resolvable_version
+          return req unless req.fetch(:requirement)
+          return req if new_version_satisfies?(req)
+
+          req_strings = req[:requirement].split(",").map(&:strip)
+
+          new_requirement =
+            if req_strings.any? { |r| requirement_class.new(r).exact? }
+              find_and_update_equality_match(req_strings)
+            elsif req_strings.any? { |r| r.start_with?("~=", "==") }
+              tw_req = req_strings.find { |r| r.start_with?("~=", "==") }
+              convert_to_range(tw_req, latest_resolvable_version)
+            else
+              update_requirements_range(req_strings)
+            end
+
+          req.merge(requirement: new_requirement)
+        rescue UnfixableRequirement
+          req.merge(requirement: :unfixable)
+        end
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        def updated_pipfile_requirement(req)
+          # For now, we just proxy to updated_requirement. In future this
+          # method may treat Pipfile requirements differently.
+          updated_requirement(req)
+        end
+
+        def updated_pyproject_requirement(req)
+          return req unless latest_resolvable_version
+          return req unless req.fetch(:requirement)
+          return req if new_version_satisfies?(req) && !has_lockfile
+
+          # If the requirement uses || syntax then we always want to widen it
+          return widen_pyproject_requirement(req) if req.fetch(:requirement).match?(PYPROJECT_OR_SEPARATOR)
+
+          # If the requirement is a development dependency we always want to
+          # bump it
+          return update_pyproject_version(req) if req.fetch(:groups).include?("dev-dependencies")
+
+          case update_strategy
+          when RequirementsUpdateStrategy::WidenRanges then widen_pyproject_requirement(req)
+          when RequirementsUpdateStrategy::BumpVersions then update_pyproject_version(req)
+          when RequirementsUpdateStrategy::BumpVersionsIfNecessary then update_pyproject_version_if_needed(req)
+          else raise "Unexpected update strategy: #{update_strategy}"
+          end
+        rescue UnfixableRequirement
+          req.merge(requirement: :unfixable)
+        end
+
+        def update_pyproject_version_if_needed(req)
+          return req if new_version_satisfies?(req)
+
+          update_pyproject_version(req)
+        end
+
+        def update_pyproject_version(req)
+          requirement_strings = req[:requirement].split(",").map(&:strip)
+
+          new_requirement =
+            if requirement_strings.any? { |r| r.match?(/^=|^\d/) }
+              # If there is an equality operator, just update that. It must
+              # be binding and any other requirements will be being ignored
+              find_and_update_equality_match(requirement_strings)
+            elsif requirement_strings.any? { |r| r.start_with?("~", "^") }
+              # If a compatibility operator is being used, just bump its
+              # version (and remove any other requirements)
+              v_req = requirement_strings.find { |r| r.start_with?("~", "^") }
+              bump_version(v_req, latest_resolvable_version.to_s)
+            elsif new_version_satisfies?(req)
+              # Otherwise we're looking at a range operator. No change
+              # required if it's already satisfied
+              req.fetch(:requirement)
+            else
+              # But if it's not, update it
+              update_requirements_range(requirement_strings)
+            end
+
+          req.merge(requirement: new_requirement)
+        end
+
+        def widen_pyproject_requirement(req)
+          return req if new_version_satisfies?(req)
+
+          new_requirement =
+            if req[:requirement].match?(PYPROJECT_OR_SEPARATOR)
+              add_new_requirement_option(req[:requirement])
+            else
+              widen_requirement_range(req[:requirement])
+            end
+
+          req.merge(requirement: new_requirement)
+        end
+
+        def add_new_requirement_option(req_string)
+          option_to_copy = req_string.split(PYPROJECT_OR_SEPARATOR).last
+                                     .split(PYPROJECT_SEPARATOR).first.strip
+          operator       = option_to_copy.gsub(/\d.*/, "").strip
+
+          new_option =
+            case operator
+            when "", "==", "==="
+              find_and_update_equality_match([option_to_copy])
+            when "~=", "~", "^"
+              bump_version(option_to_copy, latest_resolvable_version.to_s)
+            else
+              # We don't expect to see OR conditions used with range
+              # operators. If / when we see it, we should handle it.
+              raise "Unexpected operator: #{operator}"
+            end
+
+          # TODO: Match source spacing
+          "#{req_string.strip} || #{new_option.strip}"
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        def widen_requirement_range(req_string)
+          requirement_strings = req_string.split(",").map(&:strip)
+
+          if requirement_strings.any? { |r| r.match?(/(^=|^\d)[^*]*$/) }
+            # If there is an equality operator, just update that.
+            # (i.e., assume it's being used deliberately)
+            find_and_update_equality_match(requirement_strings)
+          elsif requirement_strings.any? { |r| r.start_with?("~", "^") } ||
+                requirement_strings.any? { |r| r.include?("*") }
+            # If a compatibility operator is being used, widen its
+            # range to include the new version
+            v_req = requirement_strings
+                    .find { |r| r.start_with?("~", "^") || r.include?("*") }
+            convert_to_range(v_req, latest_resolvable_version)
+          else
+            # Otherwise we have a range, and need to update the upper bound
+            update_requirements_range(requirement_strings)
+          end
+        end
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        def updated_requirement(req)
+          return req unless latest_resolvable_version
+          return req unless req.fetch(:requirement)
+
+          case update_strategy
+          when RequirementsUpdateStrategy::WidenRanges
+            widen_requirement(req)
+          when RequirementsUpdateStrategy::BumpVersions
+            update_requirement(req)
+          when RequirementsUpdateStrategy::BumpVersionsIfNecessary
+            update_requirement_if_needed(req)
+          else
+            raise "Unexpected update strategy: #{update_strategy}"
+          end
+        end
+
+        def update_requirement_if_needed(req)
+          return req if new_version_satisfies?(req)
+
+          update_requirement(req)
+        end
+
+        def update_requirement(req)
+          requirement_strings = req[:requirement].split(",").map(&:strip)
+
+          new_requirement =
+            if requirement_strings.any? { |r| r.match?(/^[=\d]/) }
+              find_and_update_equality_match(requirement_strings)
+            elsif requirement_strings.any? { |r| r.start_with?("~=") }
+              tw_req = requirement_strings.find { |r| r.start_with?("~=") }
+              bump_version(tw_req, latest_resolvable_version.to_s)
+            elsif new_version_satisfies?(req)
+              req.fetch(:requirement)
+            else
+              update_requirements_range(requirement_strings)
+            end
+          req.merge(requirement: new_requirement)
+        rescue UnfixableRequirement
+          req.merge(requirement: :unfixable)
+        end
+
+        def widen_requirement(req)
+          return req if new_version_satisfies?(req)
+
+          new_requirement = widen_requirement_range(req[:requirement])
+
+          req.merge(requirement: new_requirement)
+        end
+
+        def new_version_satisfies?(req)
+          requirement_class
+            .requirements_array(req.fetch(:requirement))
+            .any? { |r| r.satisfied_by?(latest_resolvable_version) }
+        end
+
+        def find_and_update_equality_match(requirement_strings)
+          if requirement_strings.any? { |r| requirement_class.new(r).exact? }
+            # True equality match
+            requirement_strings.find { |r| requirement_class.new(r).exact? }
+                               .sub(
+                                 RequirementParser::VERSION,
+                                 latest_resolvable_version.to_s
+                               )
+          else
+            # Prefix match
+            requirement_strings.find { |r| r.match?(/^(=+|\d)/) }
+                               .sub(RequirementParser::VERSION) do |v|
+              at_same_precision(latest_resolvable_version.to_s, v)
+            end
+          end
+        end
+
+        def at_same_precision(new_version, old_version)
+          # return new_version unless old_version.include?("*")
+
+          count = old_version.split(".").count
+          precision = old_version.split(".").index("*") || count
+
+          new_version
+            .split(".")
+            .first(count)
+            .map.with_index { |s, i| i < precision ? s : "*" }
+            .join(".")
+        end
+
+        def update_requirements_range(requirement_strings)
+          ruby_requirements =
+            requirement_strings.map { |r| requirement_class.new(r) }
+
+          updated_requirement_strings = ruby_requirements.flat_map do |r|
+            next r.to_s if r.satisfied_by?(latest_resolvable_version)
+
+            case op = r.requirements.first.first
+            when "<"
+              "<" + update_greatest_version(r.requirements.first.last, latest_resolvable_version)
+            when "<="
+              "<=" + latest_resolvable_version.to_s
+            when "!=", ">", ">="
+              raise UnfixableRequirement
+            else
+              raise "Unexpected op for unsatisfied requirement: #{op}"
+            end
+          end.compact
+
+          updated_requirement_strings
+            .sort_by { |r| requirement_class.new(r).requirements.first.last }
+            .map(&:to_s).join(",").delete(" ")
+        end
+
+        # Updates the version in a constraint to be the given version
+        def bump_version(req_string, version_to_be_permitted)
+          old_version = req_string
+                        .match(/(#{RequirementParser::VERSION})/o)
+                        .captures.first
+
+          req_string.sub(
+            old_version,
+            at_same_precision(version_to_be_permitted, old_version)
+          )
+        end
+
+        def convert_to_range(req_string, version_to_be_permitted)
+          # Construct an upper bound at the same precision that the original
+          # requirement was at (taking into account ~ dynamics)
+          index_to_update = index_to_update_for(req_string)
+          ub_segments = version_to_be_permitted.segments
+          ub_segments << 0 while ub_segments.count <= index_to_update
+          ub_segments = ub_segments[0..index_to_update]
+          ub_segments[index_to_update] += 1
+
+          lb_segments = lower_bound_segments_for_req(req_string)
+
+          # Ensure versions have the same length as each other (cosmetic)
+          length = [lb_segments.count, ub_segments.count].max
+          lb_segments.fill(0, lb_segments.count...length)
+          ub_segments.fill(0, ub_segments.count...length)
+
+          ">=#{lb_segments.join('.')},<#{ub_segments.join('.')}"
+        end
+
+        def lower_bound_segments_for_req(req_string)
+          requirement = requirement_class.new(req_string)
+          version = requirement.requirements.first.last
+          version = version.release if version.prerelease?
+
+          lb_segments = version.segments
+          lb_segments.pop while lb_segments.last.zero?
+
+          lb_segments
+        end
+
+        def index_to_update_for(req_string)
+          req = requirement_class.new(req_string.split(/[.\-]\*/).first)
+          version = req.requirements.first.last.release
+
+          if req_string.strip.start_with?("^")
+            version.segments.index { |i| i != 0 }
+          elsif req_string.include?("*")
+            version.segments.count - 1
+          elsif req_string.strip.start_with?("~=", "==")
+            version.segments.count - 2
+          elsif req_string.strip.start_with?("~")
+            req_string.split(".").count == 1 ? 0 : 1
+          else
+            raise "Don't know how to convert #{req_string} to range"
+          end
+        end
+
+        # Updates the version in a "<" constraint to allow the given version
+        def update_greatest_version(version, version_to_be_permitted)
+          if version_to_be_permitted.is_a?(String)
+            version_to_be_permitted =
+              Uv::Version.new(version_to_be_permitted)
+          end
+          version = version.release if version.prerelease?
+
+          index_to_update = [
+            version.segments.map.with_index { |n, i| n.zero? ? 0 : i }.max,
+            version_to_be_permitted.segments.count - 1
+          ].min
+
+          new_segments = version.segments.map.with_index do |_, index|
+            if index < index_to_update
+              version_to_be_permitted.segments[index]
+            elsif index == index_to_update
+              version_to_be_permitted.segments[index] + 1
+            else
+              0
+            end
+          end
+
+          new_segments.join(".")
+        end
+
+        def requirement_class
+          Uv::Requirement
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/update_checker.rb

@@ -0,0 +1,317 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+require "toml-rb"
+
+require "dependabot/dependency"
+require "dependabot/errors"
+require "dependabot/uv/name_normaliser"
+require "dependabot/uv/requirement_parser"
+require "dependabot/uv/requirement"
+require "dependabot/registry_client"
+require "dependabot/requirements_update_strategy"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+
+module Dependabot
+  module Uv
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/pip_compile_version_resolver"
+      require_relative "update_checker/pip_version_resolver"
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/latest_version_finder"
+
+      MAIN_PYPI_INDEXES = %w(
+        https://pypi.python.org/simple/
+        https://pypi.org/simple/
+      ).freeze
+      VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
+
+      def latest_version
+        @latest_version ||= fetch_latest_version
+      end
+
+      def latest_resolvable_version
+        @latest_resolvable_version ||=
+          if resolver_type == :requirements
+            resolver.latest_resolvable_version
+          elsif resolver_type == :pip_compile && resolver.resolvable?(version: latest_version)
+            latest_version
+          else
+            resolver.latest_resolvable_version(
+              requirement: unlocked_requirement_string
+            )
+          end
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        @latest_resolvable_version_with_no_unlock ||=
+          if resolver_type == :requirements
+            resolver.latest_resolvable_version_with_no_unlock
+          else
+            resolver.latest_resolvable_version(
+              requirement: current_requirement_string
+            )
+          end
+      end
+
+      def lowest_security_fix_version
+        latest_version_finder.lowest_security_fix_version
+      end
+
+      def lowest_resolvable_security_fix_version
+        raise "Dependency not vulnerable!" unless vulnerable?
+
+        return @lowest_resolvable_security_fix_version if defined?(@lowest_resolvable_security_fix_version)
+
+        @lowest_resolvable_security_fix_version =
+          fetch_lowest_resolvable_security_fix_version
+      end
+
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: requirements,
+          latest_resolvable_version: preferred_resolvable_version&.to_s,
+          update_strategy: requirements_update_strategy,
+          has_lockfile: requirements_text_file?
+        ).updated_requirements
+      end
+
+      def requirements_unlocked_or_can_be?
+        !requirements_update_strategy.lockfile_only?
+      end
+
+      def requirements_update_strategy
+        # If passed in as an option (in the base class) honour that option
+        return @requirements_update_strategy if @requirements_update_strategy
+
+        # Otherwise, check if this is a library or not
+        library? ? RequirementsUpdateStrategy::WidenRanges : RequirementsUpdateStrategy::BumpVersions
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't implemented for Python (yet)
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def fetch_lowest_resolvable_security_fix_version
+        fix_version = lowest_security_fix_version
+        return latest_resolvable_version if fix_version.nil?
+
+        return resolver.lowest_resolvable_security_fix_version if resolver_type == :requirements
+
+        resolver.resolvable?(version: fix_version) ? fix_version : nil
+      end
+
+      def resolver
+        if Dependabot::Experiments.enabled?(:enable_file_parser_python_local)
+          Dependabot.logger.info("Python package resolver : #{resolver_type}")
+        end
+
+        case resolver_type
+        when :pip_compile then pip_compile_version_resolver
+        when :requirements then pip_version_resolver
+        else raise "Unexpected resolver type #{resolver_type}"
+        end
+      end
+
+      def resolver_type
+        reqs = requirements
+
+        # If there are no requirements then this is a sub-dependency. It
+        # must come from one of Pipenv, Poetry or pip-tools, and can't come
+        # from the first two unless they have a lockfile.
+        return subdependency_resolver if reqs.none?
+
+        # Otherwise, this is a top-level dependency, and we can figure out
+        # which resolver to use based on the filename of its requirements
+        return :requirements if updating_pyproject?
+        return :pip_compile if updating_in_file?
+
+        if dependency.version && !exact_requirement?(reqs)
+          subdependency_resolver
+        else
+          :requirements
+        end
+      end
+
+      def subdependency_resolver
+        return :pip_compile if pip_compile_files.any?
+
+        raise "Claimed to be a sub-dependency, but no lockfile exists!"
+      end
+
+      def exact_requirement?(reqs)
+        reqs = reqs.map { |r| r.fetch(:requirement) }
+        reqs = reqs.compact
+        reqs = reqs.flat_map { |r| r.split(",").map(&:strip) }
+        reqs.any? { |r| Uv::Requirement.new(r).exact? }
+      end
+
+      def pip_compile_version_resolver
+        @pip_compile_version_resolver ||=
+          PipCompileVersionResolver.new(**resolver_args)
+      end
+
+      def pip_version_resolver
+        @pip_version_resolver ||= PipVersionResolver.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          ignored_versions: ignored_versions,
+          raise_on_ignored: @raise_on_ignored,
+          security_advisories: security_advisories
+        )
+      end
+
+      def resolver_args
+        {
+          dependency: dependency,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          repo_contents_path: repo_contents_path
+        }
+      end
+
+      def current_requirement_string
+        reqs = requirements
+        return if reqs.none?
+
+        requirement = reqs.find do |r|
+          file = r[:file]
+
+          file == "Pipfile" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
+        end
+
+        requirement&.fetch(:requirement)
+      end
+
+      def unlocked_requirement_string
+        lower_bound_req = updated_version_req_lower_bound
+
+        # Add the latest_version as an upper bound. This means
+        # ignore conditions are considered when checking for the latest
+        # resolvable version.
+        #
+        # NOTE: This isn't perfect. If v2.x is ignored and v3 is out but
+        # unresolvable then the `latest_version` will be v3, and
+        # we won't be ignoring v2.x releases like we should be.
+        return lower_bound_req if latest_version.nil?
+        return lower_bound_req unless Uv::Version.correct?(latest_version)
+
+        lower_bound_req + ",<=#{latest_version}"
+      end
+
+      def updated_version_req_lower_bound
+        return ">=#{dependency.version}" if dependency.version
+
+        version_for_requirement =
+          requirements.filter_map { |r| r[:requirement] }
+                      .reject { |req_string| req_string.start_with?("<") }
+                      .select { |req_string| req_string.match?(VERSION_REGEX) }
+                      .map { |req_string| req_string.match(VERSION_REGEX).to_s }
+                      .select { |version| Uv::Version.correct?(version) }
+                      .max_by { |version| Uv::Version.new(version) }
+
+        ">=#{version_for_requirement || 0}"
+      end
+
+      def fetch_latest_version
+        latest_version_finder.latest_version
+      end
+
+      def latest_version_finder
+        @latest_version_finder ||= LatestVersionFinder.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          ignored_versions: ignored_versions,
+          raise_on_ignored: @raise_on_ignored,
+          security_advisories: security_advisories
+        )
+      end
+
+      def library?
+        return false unless updating_pyproject?
+
+        return false if library_details["name"].nil?
+
+        # Hit PyPi and check whether there are details for a library with a
+        # matching name and description
+        index_response = Dependabot::RegistryClient.get(
+          url: "https://pypi.org/pypi/#{normalised_name(library_details['name'])}/json/"
+        )
+
+        return false unless index_response.status == 200
+
+        pypi_info = JSON.parse(index_response.body)["info"] || {}
+        pypi_info["summary"] == library_details["description"]
+      rescue Excon::Error::Timeout, Excon::Error::Socket
+        false
+      rescue URI::InvalidURIError
+        false
+      end
+
+      def updating_pyproject?
+        requirement_files.any?("pyproject.toml")
+      end
+
+      def updating_in_file?
+        requirement_files.any? { |f| f.end_with?(".in") }
+      end
+
+      def requirements_text_file?
+        requirement_files.any? { |f| f.end_with?("requirements.txt") }
+      end
+
+      def updating_requirements_file?
+        requirement_files.any? { |f| f =~ /\.txt$|\.in$/ }
+      end
+
+      def requirement_files
+        requirements.map { |r| r.fetch(:file) }
+      end
+
+      def requirements
+        dependency.requirements
+      end
+
+      def normalised_name(name)
+        NameNormaliser.normalise(name)
+      end
+
+      def pyproject
+        dependency_files.find { |f| f.name == "pyproject.toml" }
+      end
+
+      def library_details
+        @library_details ||= standard_details || build_system_details
+      end
+
+      def standard_details
+        @standard_details ||= toml_content["project"]
+      end
+
+      def build_system_details
+        @build_system_details ||= toml_content["build-system"]
+      end
+
+      def toml_content
+        @toml_content ||= TomlRB.parse(pyproject.content)
+      end
+
+      def pip_compile_files
+        dependency_files.select { |f| f.name.end_with?(".in") }
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.register("uv", Dependabot::Uv::UpdateChecker)