dependabot-uv 0.299.1

data/lib/dependabot/uv/metadata_finder.rb

@@ -0,0 +1,186 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+require "uri"
+
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/registry_client"
+require "dependabot/uv/authed_url_builder"
+require "dependabot/uv/name_normaliser"
+
+module Dependabot
+  module Uv
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      MAIN_PYPI_URL = "https://pypi.org/pypi"
+
+      def homepage_url
+        pypi_listing.dig("info", "home_page") ||
+          pypi_listing.dig("info", "project_urls", "Homepage") ||
+          pypi_listing.dig("info", "project_urls", "homepage") ||
+          super
+      end
+
+      private
+
+      def look_up_source
+        potential_source_urls = [
+          pypi_listing.dig("info", "project_urls", "Source"),
+          pypi_listing.dig("info", "project_urls", "Repository"),
+          pypi_listing.dig("info", "home_page"),
+          pypi_listing.dig("info", "download_url"),
+          pypi_listing.dig("info", "docs_url")
+        ].compact
+
+        potential_source_urls +=
+          (pypi_listing.dig("info", "project_urls") || {}).values
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        source_url ||= source_from_description
+        source_url ||= source_from_homepage
+
+        Source.from_url(source_url)
+      end
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      def source_from_description
+        potential_source_urls = []
+        desc = pypi_listing.dig("info", "description")
+        return unless desc
+
+        desc.scan(Source::SOURCE_REGEX) do
+          potential_source_urls << Regexp.last_match.to_s
+        end
+
+        # Looking for a source where the repo name exactly matches the
+        # dependency name
+        match_url = potential_source_urls.find do |url|
+          repo = Source.from_url(url)&.repo
+          repo&.downcase&.end_with?(normalised_dependency_name)
+        end
+
+        return match_url if match_url
+
+        # Failing that, look for a source where the full dependency name is
+        # mentioned when the link is followed
+        @source_from_description ||=
+          potential_source_urls.find do |url|
+            full_url = Source.from_url(url)&.url
+            next unless full_url
+
+            response = Dependabot::RegistryClient.get(url: full_url)
+            next unless response.status == 200
+
+            response.body.include?(normalised_dependency_name)
+          end
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      def source_from_homepage
+        return unless homepage_body
+
+        potential_source_urls = []
+        homepage_body.scan(Source::SOURCE_REGEX) do
+          potential_source_urls << Regexp.last_match.to_s
+        end
+
+        match_url = potential_source_urls.find do |url|
+          repo = Source.from_url(url)&.repo
+          repo&.downcase&.end_with?(normalised_dependency_name)
+        end
+
+        return match_url if match_url
+
+        @source_from_homepage ||=
+          potential_source_urls.find do |url|
+            full_url = Source.from_url(url)&.url
+            next unless full_url
+
+            response = Dependabot::RegistryClient.get(url: full_url)
+            next unless response.status == 200
+
+            response.body.include?(normalised_dependency_name)
+          end
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      def homepage_body
+        homepage_url = pypi_listing.dig("info", "home_page")
+
+        return unless homepage_url
+        return if [
+          "pypi.org",
+          "pypi.python.org"
+        ].include?(URI(homepage_url).host)
+
+        @homepage_response ||=
+          begin
+            Dependabot::RegistryClient.get(url: homepage_url)
+          rescue Excon::Error::Timeout, Excon::Error::Socket,
+                 Excon::Error::TooManyRedirects, ArgumentError
+            nil
+          end
+
+        return unless @homepage_response&.status == 200
+
+        @homepage_response.body
+      end
+
+      def pypi_listing
+        return @pypi_listing unless @pypi_listing.nil?
+        return @pypi_listing = {} if dependency.version&.include?("+")
+
+        possible_listing_urls.each do |url|
+          response = fetch_authed_url(url)
+          next unless response.status == 200
+
+          @pypi_listing = JSON.parse(response.body)
+          return @pypi_listing
+        rescue JSON::ParserError
+          next
+        rescue Excon::Error::Timeout
+          next
+        end
+
+        @pypi_listing = {} # No listing found
+      end
+
+      def fetch_authed_url(url)
+        if url.match(%r{(.*)://(.*?):(.*)@([^@]+)$}) &&
+           Regexp.last_match&.captures&.[](1)&.include?("@")
+          protocol, user, pass, url = T.must(Regexp.last_match).captures
+
+          Dependabot::RegistryClient.get(
+            url: "#{protocol}://#{url}",
+            options: {
+              user: user,
+              password: pass
+            }
+          )
+        else
+          Dependabot::RegistryClient.get(url: url)
+        end
+      end
+
+      def possible_listing_urls
+        credential_urls =
+          credentials
+          .select { |cred| cred["type"] == "python_index" }
+          .map { |c| AuthedUrlBuilder.authed_url(credential: c) }
+
+        (credential_urls + [MAIN_PYPI_URL]).map do |base_url|
+          base_url.gsub(%r{/$}, "") + "/#{normalised_dependency_name}/json"
+        end
+      end
+
+      # Strip [extras] from name (dependency_name[extra_dep,other_extra])
+      def normalised_dependency_name
+        NameNormaliser.normalise(dependency.name)
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.register("uv", Dependabot::Uv::MetadataFinder)

data/lib/dependabot/uv/name_normaliser.rb

@@ -0,0 +1,26 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    module NameNormaliser
+      extend T::Sig
+
+      sig { params(name: String).returns(String) }
+      def self.normalise(name)
+        extras_regex = /\[.+\]/
+        name.downcase.gsub(/[-_.]+/, "-").gsub(extras_regex, "")
+      end
+
+      sig { params(name: String, extras: T::Array[String]).returns(String) }
+      def self.normalise_including_extras(name, extras)
+        normalised_name = normalise(name)
+        return normalised_name if extras.empty?
+
+        normalised_name + "[" + extras.join(",") + "]"
+      end
+    end
+  end
+end

data/lib/dependabot/uv/native_helpers.rb

@@ -0,0 +1,38 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    module NativeHelpers
+      extend T::Sig
+
+      sig { returns(String) }
+      def self.python_helper_path
+        clean_path(File.join(python_helpers_dir, "run.py"))
+      end
+
+      sig { returns(String) }
+      def self.python_requirements_path
+        clean_path(File.join(python_helpers_dir, "requirements.txt"))
+      end
+
+      sig { returns(String) }
+      def self.python_helpers_dir
+        File.join(native_helpers_root, "python")
+      end
+
+      sig { returns(String) }
+      def self.native_helpers_root
+        default_path = File.join(__dir__, "../../../..")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+
+      sig { params(path: T.nilable(String)).returns(String) }
+      def self.clean_path(path)
+        Pathname.new(path).cleanpath.to_path
+      end
+    end
+  end
+end

data/lib/dependabot/uv/package_manager.rb

@@ -0,0 +1,54 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/uv/version"
+require "dependabot/ecosystem"
+require "dependabot/uv/requirement"
+
+module Dependabot
+  module Uv
+    ECOSYSTEM = "uv"
+
+    SUPPORTED_PYTHON_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+    DEPRECATED_PYTHON_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+    class PackageManager < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+
+      NAME = "uv"
+      MANIFEST_FILENAME = ".in"
+
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement = nil)
+        super(
+          name: NAME,
+          version: Version.new(raw_version),
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement,
+       )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/uv/pip_compile_file_matcher.rb

@@ -0,0 +1,38 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Uv
+    class PipCompileFileMatcher
+      extend T::Sig
+
+      sig { params(requirements_in_files: T::Array[Dependabot::Uv::Requirement]).void }
+      def initialize(requirements_in_files)
+        @requirements_in_files = requirements_in_files
+      end
+
+      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+      def lockfile_for_pip_compile_file?(file)
+        return false unless requirements_in_files.any?
+
+        name = file.name
+        return false unless name.end_with?(".txt")
+
+        return true if file.content&.match?(output_file_regex(name))
+
+        basename = name.gsub(/\.txt$/, "")
+        requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
+      end
+
+      private
+
+      sig { returns(T::Array[Dependabot::Uv::Requirement]) }
+      attr_reader :requirements_in_files
+
+      sig { params(filename: T.any(String, Symbol)).returns(String) }
+      def output_file_regex(filename)
+        "--output-file[=\s]+#{Regexp.escape(filename)}(?:\s|$)"
+      end
+    end
+  end
+end

data/lib/dependabot/uv/pipenv_runner.rb

@@ -0,0 +1,108 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/uv/file_parser"
+require "json"
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    class PipenvRunner
+      extend T::Sig
+
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          lockfile: T.nilable(Dependabot::DependencyFile),
+          language_version_manager: LanguageVersionManager
+        )
+          .void
+      end
+      def initialize(dependency:, lockfile:, language_version_manager:)
+        @dependency = dependency
+        @lockfile = lockfile
+        @language_version_manager = language_version_manager
+      end
+
+      sig { params(constraint: String).returns(String) }
+      def run_upgrade(constraint)
+        constraint = "" if constraint == "*"
+        command = "pyenv exec pipenv upgrade --verbose #{dependency_name}#{constraint}"
+        command << " --dev" if lockfile_section == "develop"
+
+        run(command, fingerprint: "pyenv exec pipenv upgrade --verbose <dependency_name><constraint>")
+      end
+
+      sig { params(constraint: String).returns(T.nilable(String)) }
+      def run_upgrade_and_fetch_version(constraint)
+        run_upgrade(constraint)
+
+        updated_lockfile = JSON.parse(File.read("Pipfile.lock"))
+
+        fetch_version_from_parsed_lockfile(updated_lockfile)
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def run(command, fingerprint: nil)
+        run_command(
+          "pyenv local #{language_version_manager.python_major_minor}",
+          fingerprint: "pyenv local <python_major_minor>"
+        )
+
+        run_command(command, fingerprint: fingerprint)
+      end
+
+      private
+
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      attr_reader :lockfile
+      sig { returns(LanguageVersionManager) }
+      attr_reader :language_version_manager
+
+      sig { params(updated_lockfile: T::Hash[String, T.untyped]).returns(T.nilable(String)) }
+      def fetch_version_from_parsed_lockfile(updated_lockfile)
+        deps = updated_lockfile[lockfile_section] || {}
+
+        deps.dig(dependency_name, "version")
+            &.gsub(/^==/, "")
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def run_command(command, fingerprint: nil)
+        SharedHelpers.run_shell_command(command, env: pipenv_env_variables, fingerprint: fingerprint)
+      end
+
+      sig { returns(String) }
+      def lockfile_section
+        if dependency.requirements.any?
+          T.must(dependency.requirements.first)[:groups].first
+        else
+          Uv::FileParser::DEPENDENCY_GROUP_KEYS.each do |keys|
+            section = keys.fetch(:lockfile)
+            return section if JSON.parse(T.must(T.must(lockfile).content))[section].keys.any?(dependency_name)
+          end
+        end
+      end
+
+      sig { returns(String) }
+      def dependency_name
+        dependency.metadata[:original_name] || dependency.name
+      end
+
+      sig { returns(T::Hash[String, String]) }
+      def pipenv_env_variables
+        {
+          "PIPENV_YES" => "true",        # Install new Python ver if needed
+          "PIPENV_MAX_RETRIES" => "3",   # Retry timeouts
+          "PIPENV_NOSPIN" => "1",        # Don't pollute logs with spinner
+          "PIPENV_TIMEOUT" => "600",     # Set install timeout to 10 minutes
+          "PIP_DEFAULT_TIMEOUT" => "60", # Set pip timeout to 1 minute
+          "COLUMNS" => "250"             # Avoid line wrapping
+        }
+      end
+    end
+  end
+end

data/lib/dependabot/uv/requirement.rb

@@ -0,0 +1,163 @@
+# typed: true
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/requirement"
+require "dependabot/utils"
+require "dependabot/uv/version"
+
+module Dependabot
+  module Uv
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
+
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/
+
+      # Add equality and arbitrary-equality matchers
+      OPS = OPS.merge(
+        "==" => ->(v, r) { v == r },
+        "===" => ->(v, r) { v.to_s == r.to_s }
+      )
+
+      quoted = OPS.keys.sort_by(&:length).reverse
+                  .map { |k| Regexp.quote(k) }.join("|")
+      version_pattern = Uv::Version::VERSION_PATTERN
+
+      PATTERN_RAW = "\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze
+      PATTERN = /\A#{PATTERN_RAW}\z/
+      PARENS_PATTERN = /\A\(([^)]+)\)\z/
+
+      def self.parse(obj)
+        return ["=", Uv::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        line = obj.to_s
+        if (matches = PARENS_PATTERN.match(line))
+          line = matches[1]
+        end
+
+        unless (matches = PATTERN.match(line))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[:op] == ">=" && matches[:version] == "0"
+
+        [matches[:op] || "=", Uv::Version.new(T.must(matches[:version]))]
+      end
+
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      #
+      # NOTE: Or requirements are only valid for Poetry.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      def self.requirements_array(requirement_string)
+        return [new(nil)] if requirement_string.nil?
+
+        if (matches = PARENS_PATTERN.match(requirement_string))
+          requirement_string = matches[1]
+        end
+
+        T.must(requirement_string).strip.split(OR_SEPARATOR).map do |req_string|
+          new(req_string.strip)
+        end
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          next if req_string.nil?
+
+          # Standard python doesn't support whitespace in requirements, but Poetry does.
+          req_string = req_string.gsub(/(\d +)([<=>])/, '\1,\2')
+
+          req_string.split(",").map(&:strip).map do |r|
+            convert_python_constraint_to_ruby_constraint(r)
+          end
+        end
+
+        super(requirements)
+      end
+
+      def satisfied_by?(version)
+        version = Uv::Version.new(version.to_s)
+
+        requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
+      end
+
+      def exact?
+        return false unless @requirements.size == 1
+
+        %w(= == ===).include?(@requirements[0][0])
+      end
+
+      private
+
+      def convert_python_constraint_to_ruby_constraint(req_string)
+        return nil if req_string.nil?
+        return nil if req_string == "*"
+
+        req_string = req_string.gsub("~=", "~>")
+        req_string = req_string.gsub(/(?<=\d)[<=>].*\Z/, "")
+
+        if req_string.match?(/~[^>]/) then convert_tilde_req(req_string)
+        elsif req_string.start_with?("^") then convert_caret_req(req_string)
+        elsif req_string.include?(".*") then convert_wildcard(req_string)
+        else
+          req_string
+        end
+      end
+
+      # Poetry uses ~ requirements.
+      # https://github.com/sdispater/poetry#tilde-requirements
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~\>?/, "")
+        parts = version.split(".")
+        parts << "0" if parts.count < 3
+        "~> #{parts.join('.')}"
+      end
+
+      # Poetry uses ^ requirements
+      # https://github.com/sdispater/poetry#caret-requirement
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^/, "")
+        parts = version.split(".")
+        parts.fill(0, parts.length...3)
+        first_non_zero = parts.find { |d| d != "0" }
+        first_non_zero_index =
+          first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+        upper_bound = parts.map.with_index do |part, i|
+          if i < first_non_zero_index then part
+          elsif i == first_non_zero_index then (part.to_i + 1).to_s
+          # .dev has lowest precedence: https://packaging.python.org/en/latest/specifications/version-specifiers/#summary-of-permitted-suffixes-and-relative-ordering
+          elsif i > first_non_zero_index && i == 2 then "0.dev"
+          else
+            0
+          end
+        end.join(".")
+
+        [">= #{version}", "< #{upper_bound}"]
+      end
+
+      def convert_wildcard(req_string)
+        # NOTE: This isn't perfect. It replaces the "!= 1.0.*" case with
+        # "!= 1.0.0". There's no way to model this correctly in Ruby :'(
+        quoted_ops = OPS.keys.sort_by(&:length).reverse
+                        .map { |k| Regexp.quote(k) }.join("|")
+        op = req_string.match(/\A\s*(#{quoted_ops})?/)
+                       .captures.first.to_s&.strip
+        exact_op = ["", "=", "==", "==="].include?(op)
+
+        req_string.strip
+                  .split(".")
+                  .first(req_string.split(".").index { |s| s.include?("*") } + 1)
+                  .join(".")
+                  .gsub(/\*(?!$)/, "0")
+                  .gsub(/\*$/, "0.dev")
+                  .tap { |s| exact_op ? s.gsub!(/^(?<!!)=*/, "~>") : s }
+      end
+    end
+  end
+end
+
+Dependabot::Utils
+  .register_requirement_class("uv", Dependabot::Uv::Requirement)

data/lib/dependabot/uv/requirement_parser.rb

@@ -0,0 +1,60 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module Uv
+    class RequirementParser
+      NAME = /[a-zA-Z0-9](?:[a-zA-Z0-9\-_\.]*[a-zA-Z0-9])?/
+      EXTRA = /[a-zA-Z0-9\-_\.]+/
+      COMPARISON = /===|==|>=|<=|<|>|~=|!=/
+      VERSION = /([1-9][0-9]*!)?[0-9]+[a-zA-Z0-9\-_.*]*(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?/
+
+      REQUIREMENT = /(?<comparison>#{COMPARISON})\s*\\?\s*v?(?<version>#{VERSION})/
+      HASH = /--hash=(?<algorithm>.*?):(?<hash>.*?)(?=\s|\\|$)/
+      REQUIREMENTS = /#{REQUIREMENT}(\s*,\s*\\?\s*#{REQUIREMENT})*/
+      HASHES = /#{HASH}(\s*\\?\s*#{HASH})*/
+      MARKER_OP = /\s*(#{COMPARISON}|(\s*in)|(\s*not\s*in))/
+      PYTHON_STR_C = %r{[a-zA-Z0-9\s\(\)\.\{\}\-_\*#:;/\?\[\]!~`@\$%\^&=\+\|<>]}
+      PYTHON_STR = /('(#{PYTHON_STR_C}|")*'|"(#{PYTHON_STR_C}|')*")/
+      ENV_VAR =
+        /python_version|python_full_version|os_name|sys_platform|
+         platform_release|platform_system|platform_version|platform_machine|
+         platform_python_implementation|implementation_name|
+         implementation_version/
+      MARKER_VAR = /\s*(#{ENV_VAR}|#{PYTHON_STR})/
+      MARKER_EXPR_ONE = /#{MARKER_VAR}#{MARKER_OP}#{MARKER_VAR}/
+      MARKER_EXPR = /(#{MARKER_EXPR_ONE}|\(\s*|\s*\)|\s+and\s+|\s+or\s+)+/
+
+      INSTALL_REQ_WITH_REQUIREMENT =
+        /\s*\\?\s*(?<name>#{NAME})
+          \s*\\?\s*(\[\s*(?<extras>#{EXTRA}(\s*,\s*#{EXTRA})*)\s*\])?
+          \s*\\?\s*\(?(?<requirements>#{REQUIREMENTS})\)?
+          \s*\\?\s*(;\s*(?<markers>#{MARKER_EXPR}))?
+          \s*\\?\s*(?<hashes>#{HASHES})?
+          \s*#*\s*(?<comment>.+)?
+        /x
+
+      INSTALL_REQ_WITHOUT_REQUIREMENT =
+        /^\s*\\?\s*(?<name>#{NAME})
+          \s*\\?\s*(\[\s*(?<extras>#{EXTRA}(\s*,\s*#{EXTRA})*)\s*\])?
+          \s*\\?\s*(;\s*(?<markers>#{MARKER_EXPR}))?
+          \s*\\?\s*(?<hashes>#{HASHES})?
+          \s*#*\s*(?<comment>.+)?$
+        /x
+
+      VALID_REQ_TXT_REQUIREMENT =
+        /^\s*\\?\s*(?<name>#{NAME})
+          \s*\\?\s*(\[\s*(?<extras>#{EXTRA}(\s*,\s*#{EXTRA})*)\s*\])?
+          \s*\\?\s*\(?(?<requirements>#{REQUIREMENTS})?\)?
+          \s*\\?\s*(;\s*(?<markers>#{MARKER_EXPR}))?
+          \s*\\?\s*(?<hashes>#{HASHES})?
+          \s*(\#+\s*(?<comment>.*))?$
+        /x
+
+      NAME_WITH_EXTRAS =
+        /\s*\\?\s*(?<name>#{NAME})
+          (\s*\\?\s*\[\s*(?<extras>#{EXTRA}(\s*,\s*#{EXTRA})*)\s*\])?
+        /x
+    end
+  end
+end