dependabot-uv 0.299.1

data/lib/dependabot/uv/file_updater/requirement_file_updater.rb

@@ -0,0 +1,73 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/uv/requirement_parser"
+require "dependabot/uv/file_updater"
+require "dependabot/shared_helpers"
+require "dependabot/uv/native_helpers"
+
+module Dependabot
+  module Uv
+    class FileUpdater
+      class RequirementFileUpdater
+        require_relative "requirement_replacer"
+
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :credentials
+
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @index_urls = index_urls
+        end
+
+        def updated_dependency_files
+          @updated_dependency_files ||= fetch_updated_dependency_files
+        end
+
+        private
+
+        def dependency
+          # For now, we'll only ever be updating a single dependency
+          dependencies.first
+        end
+
+        def fetch_updated_dependency_files
+          reqs = dependency.requirements.zip(dependency.previous_requirements)
+
+          reqs.filter_map do |(new_req, old_req)|
+            next if new_req == old_req
+
+            file = get_original_file(new_req.fetch(:file)).dup
+            updated_content =
+              updated_requirement_or_setup_file_content(new_req, old_req)
+            next if updated_content == file.content
+
+            file.content = updated_content
+            file
+          end
+        end
+
+        def updated_requirement_or_setup_file_content(new_req, old_req)
+          original_file = get_original_file(new_req.fetch(:file))
+          raise "Could not find a dependency file for #{new_req}" unless original_file
+
+          RequirementReplacer.new(
+            content: original_file.content,
+            dependency_name: dependency.name,
+            old_requirement: old_req.fetch(:requirement),
+            new_requirement: new_req.fetch(:requirement),
+            new_hash_version: dependency.version,
+            index_urls: @index_urls
+          ).updated_content
+        end
+
+        def get_original_file(filename)
+          dependency_files.find { |f| f.name == filename }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_updater/requirement_replacer.rb

@@ -0,0 +1,214 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/uv/requirement_parser"
+require "dependabot/uv/file_updater"
+require "dependabot/shared_helpers"
+require "dependabot/uv/native_helpers"
+require "dependabot/uv/name_normaliser"
+
+module Dependabot
+  module Uv
+    class FileUpdater
+      class RequirementReplacer
+        PACKAGE_NOT_FOUND_ERROR = "PackageNotFoundError"
+
+        CERTIFICATE_VERIFY_FAILED = /CERTIFICATE_VERIFY_FAILED/
+
+        def initialize(content:, dependency_name:, old_requirement:,
+                       new_requirement:, new_hash_version: nil, index_urls: nil)
+          @content          = content
+          @dependency_name  = normalise(dependency_name)
+          @old_requirement  = old_requirement
+          @new_requirement  = new_requirement
+          @new_hash_version = new_hash_version
+          @index_urls = index_urls
+        end
+
+        def updated_content
+          updated_content =
+            content.gsub(original_declaration_replacement_regex) do |mtch|
+              # If the "declaration" is setting an option (e.g., no-binary)
+              # ignore it, since it isn't actually a declaration
+              next mtch if Regexp.last_match&.pre_match&.match?(/--.*\z/)
+
+              updated_dependency_declaration_string
+            end
+
+          raise "Expected content to change!" if old_requirement != new_requirement && content == updated_content
+
+          updated_content
+        end
+
+        private
+
+        attr_reader :content
+        attr_reader :dependency_name
+        attr_reader :old_requirement
+        attr_reader :new_requirement
+        attr_reader :new_hash_version
+
+        def update_hashes?
+          !new_hash_version.nil?
+        end
+
+        def updated_requirement_string
+          new_req_string = new_requirement
+
+          new_req_string = new_req_string.gsub(/,\s*/, ", ") if add_space_after_commas?
+
+          if add_space_after_operators?
+            new_req_string =
+              new_req_string
+              .gsub(/(#{RequirementParser::COMPARISON})\s*(?=\d)/o, '\1 ')
+          end
+
+          new_req_string
+        end
+
+        def updated_dependency_declaration_string
+          old_req = old_requirement
+          updated_string =
+            if old_req
+              original_dependency_declaration_string(old_req)
+                .sub(RequirementParser::REQUIREMENTS, updated_requirement_string)
+            else
+              original_dependency_declaration_string(old_req)
+                .sub(RequirementParser::NAME_WITH_EXTRAS) do |nm|
+                  nm + updated_requirement_string
+                end
+            end
+
+          return updated_string unless update_hashes? && requirement_includes_hashes?(old_req)
+
+          updated_string.sub(
+            RequirementParser::HASHES,
+            package_hashes_for(
+              name: dependency_name,
+              version: new_hash_version,
+              algorithm: hash_algorithm(old_req)
+            ).join(hash_separator(old_req))
+          )
+        end
+
+        def add_space_after_commas?
+          original_dependency_declaration_string(old_requirement)
+            .match(RequirementParser::REQUIREMENTS)
+            .to_s.include?(", ")
+        end
+
+        def add_space_after_operators?
+          original_dependency_declaration_string(old_requirement)
+            .match(RequirementParser::REQUIREMENTS)
+            .to_s.match?(/#{RequirementParser::COMPARISON}\s+\d/o)
+        end
+
+        def original_declaration_replacement_regex
+          original_string =
+            original_dependency_declaration_string(old_requirement)
+          /(?<![\-\w\.\[])#{Regexp.escape(original_string)}(?![\-\w\.])/
+        end
+
+        def requirement_includes_hashes?(requirement)
+          original_dependency_declaration_string(requirement)
+            .match?(RequirementParser::HASHES)
+        end
+
+        def hash_algorithm(requirement)
+          return unless requirement_includes_hashes?(requirement)
+
+          original_dependency_declaration_string(requirement)
+            .match(RequirementParser::HASHES)
+            .named_captures.fetch("algorithm")
+        end
+
+        def hash_separator(requirement)
+          return unless requirement_includes_hashes?(requirement)
+
+          hash_regex = RequirementParser::HASH
+          current_separator =
+            original_dependency_declaration_string(requirement)
+            .match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/)
+            .named_captures.fetch("separator")
+
+          default_separator =
+            original_dependency_declaration_string(requirement)
+            .match(RequirementParser::HASH)
+            .pre_match.match(/(?<separator>\s*\\?\s*?)\z/)
+            .named_captures.fetch("separator")
+
+          current_separator || default_separator
+        end
+
+        def package_hashes_for(name:, version:, algorithm:)
+          index_urls = @index_urls || [nil]
+
+          index_urls.map do |index_url|
+            args = [name, version, algorithm]
+            args << index_url unless index_url.nil?
+
+            begin
+              result = SharedHelpers.run_helper_subprocess(
+                command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
+                function: "get_dependency_hash",
+                args: args
+              )
+            rescue SharedHelpers::HelperSubprocessFailed => e
+              requirement_error_handler(e)
+
+              raise unless e.message.include?("PackageNotFoundError")
+
+              next
+            end
+
+            return result.map { |h| "--hash=#{algorithm}:#{h['hash']}" } if result.is_a?(Array)
+          end
+
+          raise Dependabot::DependencyFileNotResolvable, "Unable to find hashes for package #{name}"
+        end
+
+        def original_dependency_declaration_string(old_req)
+          matches = []
+
+          dec =
+            if old_req.nil?
+              regex = RequirementParser::INSTALL_REQ_WITHOUT_REQUIREMENT
+              content.scan(regex) { matches << Regexp.last_match }
+              matches.find { |m| normalise(m[:name]) == dependency_name }
+            else
+              regex = RequirementParser::INSTALL_REQ_WITH_REQUIREMENT
+              content.scan(regex) { matches << Regexp.last_match }
+              matches
+                .select { |m| normalise(m[:name]) == dependency_name }
+                .find { |m| requirements_match(m[:requirements], old_req) }
+            end
+
+          raise "Declaration not found for #{dependency_name}!" unless dec
+
+          dec.to_s.strip
+        end
+
+        def normalise(name)
+          NameNormaliser.normalise(name)
+        end
+
+        def requirements_match(req1, req2)
+          req1&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort ==
+            req2&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort
+        end
+
+        public
+
+        def requirement_error_handler(error)
+          Dependabot.logger.warn(error.message)
+
+          return unless error.message.match?(CERTIFICATE_VERIFY_FAILED)
+
+          msg = "Error resolving dependency."
+          raise DependencyFileNotResolvable, msg
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_updater.rb

@@ -0,0 +1,105 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/shared_helpers"
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
+      require_relative "file_updater/compile_file_updater"
+      require_relative "file_updater/requirement_file_updater"
+
+      sig { override.returns(T::Array[Regexp]) }
+      def self.updated_files_regex
+        [
+          /^.*\.txt$/,               # Match any .txt files (e.g., requirements.txt) at any level
+          /^.*\.in$/,                # Match any .in files at any level
+          /^.*pyproject\.toml$/      # Match pyproject.toml at any level
+        ]
+      end
+
+      sig { override.returns(T::Array[DependencyFile]) }
+      def updated_dependency_files
+        updated_files = updated_pip_compile_based_files
+
+        if updated_files.none? ||
+           updated_files.sort_by(&:name) == dependency_files.sort_by(&:name)
+          raise "No files have changed!"
+        end
+
+        updated_files
+      end
+
+      private
+
+      sig { returns(T.nilable(Symbol)) }
+      def subdependency_resolver
+        raise "Claimed to be a sub-dependency, but no lockfile exists!" if pip_compile_files.empty?
+
+        :pip_compile if pip_compile_files.any?
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def updated_pip_compile_based_files
+        CompileFileUpdater.new(
+          dependencies: dependencies,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
+        ).updated_dependency_files
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def updated_requirement_based_files
+        RequirementFileUpdater.new(
+          dependencies: dependencies,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
+        ).updated_dependency_files
+      end
+
+      sig { returns(T::Array[String]) }
+      def pip_compile_index_urls
+        if credentials.any?(&:replaces_base?)
+          credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
+        else
+          urls = credentials.map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
+          # If there are no credentials that replace the base, we need to
+          # ensure that the base URL is included in the list of extra-index-urls.
+          [nil, *urls]
+        end
+      end
+
+      sig { override.void }
+      def check_required_files
+        filenames = dependency_files.map(&:name)
+        return if filenames.any? { |name| name.end_with?(".txt", ".in") }
+        return if pyproject
+
+        raise "Missing required files!"
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pyproject
+        @pyproject ||= T.let(get_original_file("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def pip_compile_files
+        @pip_compile_files ||= T.let(
+          dependency_files.select { |f| f.name.end_with?(".in") },
+          T.nilable(T::Array[DependencyFile])
+        )
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("uv", Dependabot::Uv::FileUpdater)

data/lib/dependabot/uv/language.rb

@@ -0,0 +1,76 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/uv/version"
+require "dependabot/ecosystem"
+
+module Dependabot
+  module Uv
+    LANGUAGE = "python"
+
+    class Language < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+      # These versions should match the versions specified at the top of `python/Dockerfile`
+      PYTHON_3_13 = "3.13"
+      PYTHON_3_12 = "3.12"
+      PYTHON_3_11 = "3.11"
+      PYTHON_3_10 = "3.10"
+      PYTHON_3_9  = "3.9"
+      PYTHON_3_8  = "3.8"
+
+      DEPRECATED_VERSIONS = T.let([Version.new(PYTHON_3_8)].freeze, T::Array[Dependabot::Version])
+
+      # Keep versions in ascending order
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(PYTHON_3_9),
+        Version.new(PYTHON_3_10),
+        Version.new(PYTHON_3_11),
+        Version.new(PYTHON_3_12),
+        Version.new(PYTHON_3_13)
+      ].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          detected_version: String,
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(detected_version:, raw_version: nil, requirement: nil)
+        super(
+          name: LANGUAGE,
+          detected_version: major_minor_version(detected_version),
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
+       )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        return false unless detected_version
+        return false if unsupported?
+
+        deprecated_versions.include?(detected_version)
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        return false unless detected_version
+
+        supported_versions.all? { |supported| supported > detected_version }
+      end
+
+      private
+
+      sig { params(version: String).returns(Dependabot::Uv::Version) }
+      def major_minor_version(version)
+        major_minor = T.let(T.must(Version.new(version).segments[0..1]&.join(".")), String)
+
+        Version.new(major_minor)
+      end
+    end
+  end
+end

data/lib/dependabot/uv/language_version_manager.rb

@@ -0,0 +1,114 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/logger"
+require "dependabot/uv/version"
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    class LanguageVersionManager
+      extend T::Sig
+      # This list must match the versions specified at the top of `python/Dockerfile`
+      PRE_INSTALLED_PYTHON_VERSIONS = %w(
+        3.13.2
+        3.12.9
+        3.11.11
+        3.10.16
+        3.9.21
+      ).freeze
+
+      sig { params(python_requirement_parser: T.untyped).void }
+      def initialize(python_requirement_parser:)
+        @python_requirement_parser = python_requirement_parser
+      end
+
+      sig { returns(T.nilable(String)) }
+      def install_required_python
+        # The leading space is important in the version check
+        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_major_minor}.")
+
+        SharedHelpers.run_shell_command(
+          "tar -axf /usr/local/.pyenv/versions/#{python_version}.tar.zst -C /usr/local/.pyenv/versions"
+        )
+      end
+
+      sig { returns(String) }
+      def installed_version
+        # Use `pyenv exec` to query the active Python version
+        output, _status = SharedHelpers.run_shell_command("pyenv exec python --version")
+        version = output.strip.split.last # Extract the version number (e.g., "3.13.1")
+
+        T.must(version)
+      end
+
+      sig { returns(T.untyped) }
+      def python_major_minor
+        @python_major_minor ||= T.let(T.must(Uv::Version.new(python_version).segments[0..1]).join("."), T.untyped)
+      end
+
+      sig { returns(String) }
+      def python_version
+        @python_version ||= T.let(python_version_from_supported_versions, T.nilable(String))
+      end
+
+      sig { returns(String) }
+      def python_requirement_string
+        if user_specified_python_version
+          if user_specified_python_version.start_with?(/\d/)
+            parts = user_specified_python_version.split(".")
+            parts.fill("*", (parts.length)..2).join(".")
+          else
+            user_specified_python_version
+          end
+        else
+          python_version_matching_imputed_requirements || PRE_INSTALLED_PYTHON_VERSIONS.first
+        end
+      end
+
+      sig { returns(String) }
+      def python_version_from_supported_versions
+        requirement_string = python_requirement_string
+
+        # If the requirement string isn't already a range (eg ">3.10"), coerce it to "major.minor.*".
+        # The patch version is ignored because a non-matching patch version is unlikely to affect resolution.
+        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if requirement_string.start_with?(/\d/)
+
+        # Try to match one of our pre-installed Python versions
+        requirement = T.must(Uv::Requirement.requirements_array(requirement_string).first)
+        version = PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(Uv::Version.new(v)) }
+        return version if version
+
+        # Otherwise we have to raise
+        supported_versions = PRE_INSTALLED_PYTHON_VERSIONS.map { |x| x.gsub(/\.\d+$/, ".*") }.join(", ")
+        raise ToolVersionNotSupported.new("Python", python_requirement_string, supported_versions)
+      end
+
+      sig { returns(T.untyped) }
+      def user_specified_python_version
+        @python_requirement_parser.user_specified_requirements.first
+      end
+
+      sig { returns(T.nilable(String)) }
+      def python_version_matching_imputed_requirements
+        compiled_file_python_requirement_markers =
+          @python_requirement_parser.imputed_requirements.map do |r|
+            Dependabot::Uv::Requirement.new(r)
+          end
+        python_version_matching(compiled_file_python_requirement_markers)
+      end
+
+      sig { params(requirements: T.untyped).returns(T.nilable(String)) }
+      def python_version_matching(requirements)
+        PRE_INSTALLED_PYTHON_VERSIONS.find do |version_string|
+          version = Uv::Version.new(version_string)
+          requirements.all? do |req|
+            next req.any? { |r| r.satisfied_by?(version) } if req.is_a?(Array)
+
+            req.satisfied_by?(version)
+          end
+        end
+      end
+    end
+  end
+end