dependabot-uv 0.300.0 → 0.301.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e306a8d52bca54571baf167605279980eeb625a9dcfbad1128a13de55270936
-  data.tar.gz: 7bd9b6a85cf4e76675eaf401ed285acad0e6e518920e3cd344ae0074fa8a3a2a
+  metadata.gz: 26af709186ad20b222961b28c19395f53edfcab51c9fdc0e92734cd06aa2d296
+  data.tar.gz: c26d70a21a979a655c952c940c0f32a10f89e58cb1d1588238b64c252bf96c48
 SHA512:
-  metadata.gz: 8a4fb9a0de4405de4e3130e78e917fc41480770e9b2053d7b368bbcfe397d202f12fde5db46edc563047322354abe87ff65a14190560f960b0c93f56e1d7a6fb
-  data.tar.gz: 0f5f35583b805d8a5047bbea2c69db49636759c63f7afc50f0957368d99f5ae874b742ade653f6983e8c5401b34cd0d966b092c14a0ea836993a704fde5f0e63
+  metadata.gz: d0c2ac20cafd314d293a7a903947cd7fef9df95c5a85fae9f46e41d78920ae856949357cb4e6419c1804e95c19ba625c2a8fbd8bef43d9154d912c6aa31adb43
+  data.tar.gz: e1cb4fe17761e4f1433f9a55ae619a9271ec49359a3de0198c807f9393748633d9bfddb85002c01d782eadfc40f0a6598488fde5d9a7044e1c4e844198a26dd5

data/lib/dependabot/uv/file_fetcher.rb

@@ -22,19 +22,24 @@ module Dependabot
       CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
       CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
       DEPENDENCY_TYPES = %w(packages dev-packages).freeze
+      REQUIREMENT_FILE_PATTERNS = {
+        extensions: [".txt", ".in"],
+        filenames: ["uv.lock"]
+      }.freeze
+      MAX_FILE_SIZE = 500_000
 
       def self.required_files_in?(filenames)
-        return true if filenames.any? { |name| name.end_with?(".txt", ".in") }
+        return true if filenames.any? { |name| name.end_with?(*REQUIREMENT_FILE_PATTERNS[:extensions]) }
 
         # If there is a directory of requirements return true
         return true if filenames.include?("requirements")
 
-        # If this repo is using pyproject.toml return true
+        # If this repo is using pyproject.toml return true (uv.lock files require a pyproject.toml)
         filenames.include?("pyproject.toml")
       end
 
       def self.required_files_message
-        "Repo must contain a requirements.txt, requirements.in, or pyproject.toml" \
+        "Repo must contain a requirements.txt, uv.lock, requirements.in, or pyproject.toml" \
       end
 
       def ecosystem_versions
@@ -69,6 +74,7 @@ module Dependabot
         fetched_files += requirements_in_files
         fetched_files += requirement_files if requirements_txt_files.any?
 
+        fetched_files += uv_lock_files
         fetched_files += project_files
         fetched_files << python_version_file if python_version_file
 
@@ -125,6 +131,11 @@ module Dependabot
           child_requirement_in_files
       end
 
+      def uv_lock_files
+        req_txt_and_in_files.select { |f| f.name.end_with?("uv.lock") } +
+          child_uv_lock_files
+      end
+
       def parsed_pyproject
         raise "No pyproject.toml" unless pyproject
 
@@ -137,18 +148,8 @@ module Dependabot
         return @req_txt_and_in_files if @req_txt_and_in_files
 
         @req_txt_and_in_files = []
-
-        repo_contents
-          .select { |f| f.type == "file" }
-          .select { |f| f.name.end_with?(".txt", ".in") }
-          .reject { |f| f.size > 500_000 }
-          .map { |f| fetch_file_from_host(f.name) }
-          .select { |f| requirements_file?(f) }
-          .each { |f| @req_txt_and_in_files << f }
-
-        repo_contents
-          .select { |f| f.type == "dir" }
-          .each { |f| @req_txt_and_in_files += req_files_for_dir(f) }
+        @req_txt_and_in_files += fetch_requirement_files_from_path
+        @req_txt_and_in_files += fetch_requirement_files_from_dirs
 
         @req_txt_and_in_files
       end
@@ -158,12 +159,7 @@ module Dependabot
         relative_reqs_dir =
           requirements_dir.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "")
 
-        repo_contents(dir: relative_reqs_dir)
-          .select { |f| f.type == "file" }
-          .select { |f| f.name.end_with?(".txt", ".in") }
-          .reject { |f| f.size > 500_000 }
-          .map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }
-          .select { |f| requirements_file?(f) }
+        fetch_requirement_files_from_path(relative_reqs_dir)
       end
 
       def child_requirement_txt_files
@@ -174,6 +170,10 @@ module Dependabot
         child_requirement_files.select { |f| f.name.end_with?(".in") }
       end
 
+      def child_uv_lock_files
+        child_requirement_files.select { |f| f.name.end_with?("uv.lock") }
+      end
+
       def child_requirement_files
         @child_requirement_files ||=
           begin
@@ -321,6 +321,36 @@ module Dependabot
       def requirements_in_file_matcher
         @requirements_in_file_matcher ||= RequiremenstFileMatcher.new(requirements_in_files)
       end
+
+      def fetch_requirement_files_from_path(path = nil)
+        contents = path ? repo_contents(dir: path) : repo_contents
+        filter_requirement_files(contents, base_path: path)
+      end
+
+      def fetch_requirement_files_from_dirs
+        repo_contents
+          .select { |f| f.type == "dir" }
+          .flat_map { |dir| req_files_for_dir(dir) }
+      end
+
+      def filter_requirement_files(contents, base_path: nil)
+        contents
+          .select { |f| f.type == "file" }
+          .select { |f| file_matches_requirement_pattern?(f.name) }
+          .reject { |f| f.size > MAX_FILE_SIZE }
+          .map { |f| fetch_file_with_path(f.name, base_path) }
+          .select { |f| REQUIREMENT_FILE_PATTERNS[:filenames].include?(f.name) || requirements_file?(f) }
+      end
+
+      def file_matches_requirement_pattern?(filename)
+        REQUIREMENT_FILE_PATTERNS[:extensions].any? { |ext| filename.end_with?(ext) } ||
+          REQUIREMENT_FILE_PATTERNS[:filenames].any?(filename)
+      end
+
+      def fetch_file_with_path(filename, base_path)
+        path = base_path ? File.join(base_path, filename) : filename
+        fetch_file_from_host(path)
+      end
     end
   end
 end

data/lib/dependabot/uv/file_parser.rb

@@ -14,6 +14,7 @@ require "dependabot/uv/name_normaliser"
 require "dependabot/uv/requirements_file_matcher"
 require "dependabot/uv/language_version_manager"
 require "dependabot/uv/package_manager"
+require "toml-rb"
 
 module Dependabot
   module Uv
@@ -47,6 +48,7 @@ module Dependabot
         dependency_set = DependencySet.new
 
         dependency_set += pyproject_file_dependencies if pyproject
+        dependency_set += uv_lock_file_dependencies
         dependency_set += requirement_dependencies if requirement_files.any?
 
         dependency_set.dependencies
@@ -64,6 +66,12 @@ module Dependabot
         )
       end
 
+      # Normalize dependency names to match the PyPI index normalization
+      sig { params(name: String, extras: T::Array[String]).returns(String) }
+      def self.normalize_dependency_name(name, extras = [])
+        NameNormaliser.normalise_including_extras(name, extras)
+      end
+
       private
 
       sig { returns(LanguageVersionManager) }
@@ -164,6 +172,36 @@ module Dependabot
         dependency_files.select { |f| f.name.end_with?(".txt", ".in") }
       end
 
+      sig { returns(T::Array[DependencyFile]) }
+      def uv_lock_files
+        dependency_files.select { |f| f.name == "uv.lock" }
+      end
+
+      sig { returns(DependencySet) }
+      def uv_lock_file_dependencies
+        dependency_set = DependencySet.new
+
+        uv_lock_files.each do |file|
+          lockfile_content = TomlRB.parse(file.content)
+          packages = lockfile_content.fetch("package", [])
+
+          packages.each do |package_data|
+            next unless package_data.is_a?(Hash) && package_data["name"] && package_data["version"]
+
+            dependency_set << Dependency.new(
+              name: normalised_name(package_data["name"]),
+              version: package_data["version"],
+              requirements: [], # Lock files don't contain requirements
+              package_manager: "uv"
+            )
+          end
+        rescue StandardError => e
+          Dependabot.logger.warn("Error parsing uv.lock: #{e.message}")
+        end
+
+        dependency_set
+      end
+
       sig { returns(DependencySet) }
       def pyproject_file_dependencies
         @pyproject_file_dependencies ||= T.let(PyprojectFilesParser.new(dependency_files:
@@ -341,7 +379,7 @@ module Dependabot
 
       sig { params(name: String, extras: T::Array[String]).returns(String) }
       def normalised_name(name, extras = [])
-        NameNormaliser.normalise_including_extras(name, extras)
+        FileParser.normalize_dependency_name(name, extras)
       end
 
       sig { override.returns(T.untyped) }

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -0,0 +1,392 @@
+# typed: true
+# frozen_string_literal: true
+
+require "toml-rb"
+require "open3"
+require "dependabot/dependency"
+require "dependabot/shared_helpers"
+require "dependabot/uv/language_version_manager"
+require "dependabot/uv/version"
+require "dependabot/uv/requirement"
+require "dependabot/uv/file_parser/python_requirement_parser"
+require "dependabot/uv/file_updater"
+require "dependabot/uv/native_helpers"
+require "dependabot/uv/name_normaliser"
+
+module Dependabot
+  module Uv
+    class FileUpdater
+      class LockFileUpdater
+        require_relative "pyproject_preparer"
+
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :index_urls
+
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @index_urls = index_urls
+        end
+
+        def updated_dependency_files
+          @updated_dependency_files ||= fetch_updated_dependency_files
+        end
+
+        private
+
+        def dependency
+          # For now, we'll only ever be updating a single dependency
+          dependencies.first
+        end
+
+        def fetch_updated_dependency_files
+          updated_files = []
+
+          if file_changed?(pyproject)
+            updated_files <<
+              updated_file(
+                file: pyproject,
+                content: updated_pyproject_content
+              )
+          end
+
+          if lockfile
+            # Use updated_lockfile_content which might raise if the lockfile doesn't change
+            new_content = updated_lockfile_content
+            raise "Expected lockfile to change!" if lockfile.content == new_content
+
+            updated_files << updated_file(file: lockfile, content: new_content)
+          end
+
+          updated_files
+        end
+
+        def updated_pyproject_content
+          content = pyproject.content
+          return content unless file_changed?(pyproject)
+
+          updated_content = content.dup
+
+          dependency.requirements.zip(dependency.previous_requirements).each do |new_r, old_r|
+            next unless new_r[:file] == pyproject.name && old_r[:file] == pyproject.name
+
+            updated_content = replace_dep(dependency, updated_content, new_r, old_r)
+          end
+
+          raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
+
+          updated_content
+        end
+
+        def replace_dep(dep, content, new_r, old_r)
+          new_req = new_r[:requirement]
+          old_req = old_r[:requirement]
+
+          declaration_regex = declaration_regex(dep, old_r)
+          declaration_match = content.match(declaration_regex)
+          if declaration_match
+            declaration = declaration_match[:declaration]
+            new_declaration = declaration.sub(old_req, new_req)
+            content.sub(declaration, new_declaration)
+          else
+            content
+          end
+        end
+
+        def updated_lockfile_content
+          @updated_lockfile_content ||=
+            begin
+              original_content = lockfile.content
+              # Extract the original requires-python value to preserve it
+              original_requires_python = original_content
+                                         .match(/requires-python\s*=\s*["']([^"']+)["']/)&.captures&.first
+
+              # Use the original Python version requirement for the update if one exists
+              with_original_python_version(original_requires_python) do
+                new_lockfile = updated_lockfile_content_for(prepared_pyproject)
+
+                # Use direct string replacement to preserve the exact format
+                # Match the dependency section and update only the version
+                dependency_section_pattern = /
+                  (\[\[package\]\]\s*\n
+                   .*?name\s*=\s*["']#{Regexp.escape(dependency.name)}["']\s*\n
+                   .*?)
+                  (version\s*=\s*["'][^"']+["'])
+                  (.*?)
+                  (\[\[package\]\]|\z)
+                /xm
+
+                result = original_content.sub(dependency_section_pattern) do
+                  section_start = Regexp.last_match(1)
+                  version_line = "version = \"#{dependency.version}\""
+                  section_end = Regexp.last_match(3)
+                  next_section_or_end = Regexp.last_match(4)
+
+                  "#{section_start}#{version_line}#{section_end}#{next_section_or_end}"
+                end
+
+                # If the content didn't change and we expect it to, something went wrong
+                if result == original_content
+                  Dependabot.logger.warn("Package section not found for #{dependency.name}, falling back to raw update")
+                  result = new_lockfile
+                end
+
+                # Restore the original requires-python if it exists
+                if original_requires_python
+                  result = result.gsub(/requires-python\s*=\s*["'][^"']+["']/,
+                                       "requires-python = \"#{original_requires_python}\"")
+                end
+
+                result
+              end
+            end
+        end
+
+        # Helper method to temporarily override Python version during operations
+        def with_original_python_version(original_requires_python)
+          if original_requires_python
+            original_python_version = @original_python_version
+            @original_python_version = original_requires_python
+            result = yield
+            @original_python_version = original_python_version
+            result
+          else
+            yield
+          end
+        end
+
+        def prepared_pyproject
+          @prepared_pyproject ||=
+            begin
+              content = updated_pyproject_content
+              content = sanitize(content)
+              content = freeze_other_dependencies(content)
+              content = update_python_requirement(content)
+              content
+            end
+        end
+
+        def freeze_other_dependencies(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content, lockfile: lockfile)
+            .freeze_top_level_dependencies_except(dependencies)
+        end
+
+        def update_python_requirement(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content)
+            .update_python_requirement(language_version_manager.python_version)
+        end
+
+        def sanitize(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content)
+            .sanitize
+        end
+
+        def updated_lockfile_content_for(pyproject_content)
+          SharedHelpers.in_a_temporary_directory do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              write_temporary_dependency_files(pyproject_content)
+
+              # Install Python before writing .python-version to make sure we use a version that's available
+              language_version_manager.install_required_python
+
+              # Determine the Python version to use after installation
+              python_version = determine_python_version
+
+              # Now write the .python-version file with a version we know is installed
+              File.write(".python-version", python_version)
+
+              run_update_command
+
+              File.read("uv.lock")
+            end
+          end
+        end
+
+        def run_update_command
+          command = "pyenv exec uv lock --upgrade-package #{dependency.name}"
+          fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name>"
+
+          run_command(command, fingerprint:)
+        end
+
+        def run_command(command, fingerprint: nil)
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        end
+
+        def write_temporary_dependency_files(pyproject_content)
+          dependency_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+
+          # Only write the .python-version file after the language version manager has
+          # installed the required Python version to ensure it's available
+          # Overwrite the pyproject with updated content
+          File.write("pyproject.toml", pyproject_content)
+        end
+
+        def determine_python_version
+          # Check available Python versions through pyenv
+          available_versions = nil
+          begin
+            available_versions = SharedHelpers.run_shell_command("pyenv versions --bare")
+                                              .split("\n")
+                                              .map(&:strip)
+                                              .reject(&:empty?)
+          rescue StandardError => e
+            Dependabot.logger.warn("Error checking available Python versions: #{e}")
+          end
+
+          # Try to find the closest match for our priority order
+          preferred_version = find_preferred_version(available_versions)
+
+          if preferred_version
+            # Just return the major.minor version string
+            preferred_version.match(/^(\d+\.\d+)/)[1]
+          else
+            # If all else fails, use "system" which should work with whatever Python is available
+            "system"
+          end
+        end
+
+        def find_preferred_version(available_versions)
+          return nil unless available_versions&.any?
+
+          # Try each strategy in order of preference
+          try_version_from_file(available_versions) ||
+            try_version_from_requires_python(available_versions) ||
+            try_highest_python3_version(available_versions)
+        end
+
+        def try_version_from_file(available_versions)
+          python_version_file = dependency_files.find { |f| f.name == ".python-version" }
+          return nil unless python_version_file && !python_version_file.content.strip.empty?
+
+          requested_version = python_version_file.content.strip
+          return requested_version if version_available?(available_versions, requested_version)
+
+          Dependabot.logger.info("Python version #{requested_version} from .python-version not available")
+          nil
+        end
+
+        def try_version_from_requires_python(available_versions)
+          return nil unless @original_python_version
+
+          version_match = @original_python_version.match(/(\d+\.\d+)/)
+          return nil unless version_match
+
+          requested_version = version_match[1]
+          return requested_version if version_available?(available_versions, requested_version)
+
+          Dependabot.logger.info("Python version #{requested_version} from requires-python not available")
+          nil
+        end
+
+        def try_highest_python3_version(available_versions)
+          python3_versions = available_versions
+                             .select { |v| v.match(/^3\.\d+/) }
+                             .sort_by { |v| Gem::Version.new(v.match(/^(\d+\.\d+)/)[1]) }
+                             .reverse
+
+          python3_versions.first # returns nil if array is empty
+        end
+
+        def version_available?(available_versions, requested_version)
+          # Check if the exact version or a version with the same major.minor is available
+          available_versions.any? do |v|
+            v == requested_version || v.start_with?("#{requested_version}.")
+          end
+        end
+
+        def sanitize_env_name(url)
+          url.gsub(%r{^https?://}, "").gsub(/[^a-zA-Z0-9]/, "_").upcase
+        end
+
+        def declaration_regex(dep, old_req)
+          escaped_name = Regexp.escape(dep.name)
+          # Extract the requirement operator and version
+          operator = old_req.fetch(:requirement).match(/^(.+?)[0-9]/)&.captures&.first
+          # Escape special regex characters in the operator
+          escaped_operator = Regexp.escape(operator) if operator
+
+          # Match various formats of dependency declarations:
+          # 1. "dependency==1.0.0" (with quotes around the entire string)
+          # 2. dependency==1.0.0 (without quotes)
+          # The declaration should only include the package name, operator, and version
+          # without the enclosing quotes
+          /
+            ["']?(?<declaration>#{escaped_name}\s*#{escaped_operator}[\d\.\*]+)["']?
+          /x
+        end
+
+        def escape(name)
+          Regexp.escape(name).gsub("\\-", "[-_.]")
+        end
+
+        def file_changed?(file)
+          return false unless file
+
+          dependencies.any? do |dep|
+            dep.requirements.any? { |r| r[:file] == file.name } &&
+              requirement_changed?(file, dep)
+          end
+        end
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+
+        def updated_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+
+        def normalise(name)
+          NameNormaliser.normalise(name)
+        end
+
+        def python_requirement_parser
+          @python_requirement_parser ||=
+            FileParser::PythonRequirementParser.new(
+              dependency_files: dependency_files
+            )
+        end
+
+        def language_version_manager
+          @language_version_manager ||=
+            LanguageVersionManager.new(
+              python_requirement_parser: python_requirement_parser
+            )
+        end
+
+        def pyproject
+          @pyproject ||=
+            dependency_files.find { |f| f.name == "pyproject.toml" }
+        end
+
+        def lockfile
+          @lockfile ||= uv_lock
+        end
+
+        def python_helper_path
+          NativeHelpers.python_helper_path
+        end
+
+        def uv_lock
+          dependency_files.find { |f| f.name == "uv.lock" }
+        end
+      end
+    end
+  end
+end