dependabot-uv 0.327.0 → 0.330.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 005274daa86380f1e1f7ef220ef90b943a0e16343f7a619b00c0e9599c5acdb0
-  data.tar.gz: 67a8685349a89aa537a5586a5323ecc45ce591835e947564fa30736d9faadba8
+  metadata.gz: 439dcd622fb16fb120a560e350814994af41808a9b451be75eefa37c1558512b
+  data.tar.gz: 1a614a6c05a9081496efb729181b7ffb399c64eac080584895d00b26d7cfcb56
 SHA512:
-  metadata.gz: 9be29876a44a54dba65bf2471afc49897d8ae72a92d4bf36aa9310c97560ebb086c67c64162f541b47770c212955c86538bdd726491bc2453470f8c6bac8ea5e
-  data.tar.gz: 81032af7f3d76a4bed2e8e23eef757f1d5c4d5d698d0dad2ac88d2ed7179c1e075a57c576dbd813dfd6de85490838f38496bcf38db7d4aa13e4f1fce50d9864e
+  metadata.gz: 3b0676d7407422abeefa96a1443481154794861a42d8359200cf09bcadbd32f86cb0049af2bd0de48c2fa7ac27d9bed2957be3657b7787d18fc28254e716c481
+  data.tar.gz: 2e7d837110017ea0c0dd71abcf58e6afa2ee6c068a9f7078a3db1fa3c5b6b426059fa4a73e6270754a3730a6412840f37f55ce1be3452deebeffa38b47c4a2e5

data/lib/dependabot/uv/file_fetcher.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "toml-rb"
@@ -6,6 +6,7 @@ require "sorbet-runtime"
 
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/uv"
 require "dependabot/uv/language_version_manager"
 require "dependabot/uv/requirements_file_matcher"
 require "dependabot/uv/requirement_parser"
@@ -22,14 +23,20 @@ module Dependabot
       CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
       CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
       DEPENDENCY_TYPES = %w(packages dev-packages).freeze
-      REQUIREMENT_FILE_PATTERNS = {
+      REQUIREMENT_FILE_PATTERNS = T.let({
         extensions: [".txt", ".in"],
         filenames: ["uv.lock"]
-      }.freeze
+      }.freeze, T::Hash[Symbol, T::Array[String]])
+
       MAX_FILE_SIZE = 500_000
 
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
-        return true if filenames.any? { |name| name.end_with?(*REQUIREMENT_FILE_PATTERNS[:extensions]) }
+        return true if filenames.any? do |name|
+          T.must(REQUIREMENT_FILE_PATTERNS[:extensions]).any? do |ext|
+            name.end_with?(ext)
+          end
+        end
 
         # If there is a directory of requirements return true
         return true if filenames.include?("requirements")
@@ -38,10 +45,12 @@ module Dependabot
         filenames.include?("pyproject.toml")
       end
 
+      sig { override.returns(String) }
       def self.required_files_message
         "Repo must contain a requirements.txt, uv.lock, requirements.in, or pyproject.toml" \
       end
 
+      sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def ecosystem_versions
         # Hmm... it's weird that this calls file parser methods, but here we are in the file fetcher... for all
         # ecosystems our goal is to extract the user specified versions, so we'll need to do file parsing... so should
@@ -83,16 +92,19 @@ module Dependabot
 
       private
 
+      sig { params(fetched_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
       def uniq_files(fetched_files)
         uniq_files = fetched_files.reject(&:support_file?).uniq
         uniq_files += fetched_files
                       .reject { |f| uniq_files.map(&:name).include?(f.name) }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def pyproject_files
         [pyproject].compact
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def requirement_files
         [
           *requirements_txt_files,
@@ -101,10 +113,11 @@ module Dependabot
         ]
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def python_version_file
         return @python_version_file if defined?(@python_version_file)
 
-        @python_version_file = fetch_support_file(".python-version")
+        @python_version_file = T.let(fetch_support_file(".python-version"), T.nilable(Dependabot::DependencyFile))
 
         return @python_version_file if @python_version_file
         return if [".", "/"].include?(directory)
@@ -116,66 +129,77 @@ module Dependabot
           &.tap { |f| f.name = ".python-version" }
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pyproject
         return @pyproject if defined?(@pyproject)
 
-        @pyproject = fetch_file_if_present("pyproject.toml")
+        @pyproject = T.let(fetch_file_if_present("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def requirements_txt_files
         req_txt_and_in_files.select { |f| f.name.end_with?(".txt") }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def requirements_in_files
         req_txt_and_in_files.select { |f| f.name.end_with?(".in") } +
           child_requirement_in_files
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def uv_lock_files
         req_txt_and_in_files.select { |f| f.name.end_with?("uv.lock") } +
           child_uv_lock_files
       end
 
+      sig { returns(TomlContent) }
       def parsed_pyproject
         raise "No pyproject.toml" unless pyproject
 
-        @parsed_pyproject ||= TomlRB.parse(pyproject.content)
+        @parsed_pyproject ||= T.let(TomlRB.parse(T.must(pyproject).content), T.nilable(TomlContent))
       rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-        raise Dependabot::DependencyFileNotParseable, pyproject.path
+        raise Dependabot::DependencyFileNotParseable, T.must(pyproject).path
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def req_txt_and_in_files
         return @req_txt_and_in_files if @req_txt_and_in_files
 
-        @req_txt_and_in_files = []
-        @req_txt_and_in_files += fetch_requirement_files_from_path
+        @req_txt_and_in_files = T.let([], T.nilable(T::Array[Dependabot::DependencyFile]))
+        @req_txt_and_in_files = T.must(@req_txt_and_in_files) + fetch_requirement_files_from_path
         @req_txt_and_in_files += fetch_requirement_files_from_dirs
 
         @req_txt_and_in_files
       end
 
+      sig { params(requirements_dir: OpenStruct).returns(T::Array[Dependabot::DependencyFile]) }
       def req_files_for_dir(requirements_dir)
         dir = directory.gsub(%r{(^/|/$)}, "")
         relative_reqs_dir =
-          requirements_dir.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "")
+          T.unsafe(requirements_dir).path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "")
 
         fetch_requirement_files_from_path(relative_reqs_dir)
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def child_requirement_txt_files
         child_requirement_files.select { |f| f.name.end_with?(".txt") }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def child_requirement_in_files
         child_requirement_files.select { |f| f.name.end_with?(".in") }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def child_uv_lock_files
         child_requirement_files.select { |f| f.name.end_with?("uv.lock") }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def child_requirement_files
-        @child_requirement_files ||=
+        @child_requirement_files ||= T.let(
           begin
             fetched_files = req_txt_and_in_files.dup
             req_txt_and_in_files.flat_map do |requirement_file|
@@ -187,11 +211,21 @@ module Dependabot
               fetched_files += child_files
               child_files
             end
-          end
+          end, T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
 
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          previously_fetched_files: T::Array[Dependabot::DependencyFile]
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
       def fetch_child_requirement_files(file:, previously_fetched_files:)
-        paths = file.content.scan(CHILD_REQUIREMENT_REGEX).flatten
+        content = file.content
+        return [] if content.nil?
+
+        paths = content.scan(CHILD_REQUIREMENT_REGEX).flatten
         current_dir = File.dirname(file.name)
 
         paths.flat_map do |path|
@@ -210,13 +244,17 @@ module Dependabot
         end.compact
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def constraints_files
         all_requirement_files = requirements_txt_files +
                                 child_requirement_txt_files
 
         constraints_paths = all_requirement_files.map do |req_file|
           current_dir = File.dirname(req_file.name)
-          paths = req_file.content.scan(CONSTRAINT_REGEX).flatten
+          content = req_file.content
+          next [] if content.nil?
+
+          paths = content.scan(CONSTRAINT_REGEX).flatten
 
           paths.map do |path|
             path = File.join(current_dir, path) unless current_dir == "."
@@ -227,12 +265,15 @@ module Dependabot
         constraints_paths.map { |path| fetch_file_from_host(path) }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         project_files = T.let([], T::Array[Dependabot::DependencyFile])
         unfetchable_deps = []
 
         path_dependencies.each do |dep|
           path = dep[:path]
+          next if path.nil?
+
           project_files += fetch_project_file(path)
         rescue Dependabot::DependencyFileNotFound
           unfetchable_deps << "\"#{dep[:name]}\" at #{cleanpath(File.join(directory, dep[:file]))}"
@@ -243,6 +284,7 @@ module Dependabot
         project_files
       end
 
+      sig { params(path: String).returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_project_file(path)
         project_files = []
 
@@ -258,15 +300,17 @@ module Dependabot
         project_files
       end
 
+      sig { params(path: String).returns(T::Boolean) }
       def sdist_or_wheel?(path)
         path.end_with?(".tar.gz", ".whl", ".zip")
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
       def requirements_file?(file)
-        return false unless file.content.valid_encoding?
+        return false unless file.content&.valid_encoding?
         return true if file.name.match?(/requirements/x)
 
-        file.content.lines.all? do |line|
+        T.must(file.content).lines.all? do |line|
           next true if line.strip.empty?
           next true if line.strip.start_with?("#", "-r ", "-c ", "-e ", "--")
 
@@ -274,6 +318,7 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[PathDependency]) }
       def path_dependencies
         [
           *requirement_txt_path_dependencies,
@@ -282,47 +327,74 @@ module Dependabot
         ]
       end
 
+      sig { returns(T::Array[PathDependency]) }
       def requirement_txt_path_dependencies
         (requirements_txt_files + child_requirement_txt_files)
           .map { |req_file| parse_requirement_path_dependencies(req_file) }
           .flatten.uniq { |dep| dep[:path] }
       end
 
+      sig { returns(T::Array[PathDependency]) }
       def requirement_in_path_dependencies
         requirements_in_files
           .map { |req_file| parse_requirement_path_dependencies(req_file) }
           .flatten.uniq { |dep| dep[:path] }
       end
 
+      sig { params(req_file: Dependabot::DependencyFile).returns(T::Array[PathDependency]) }
       def parse_requirement_path_dependencies(req_file)
         # If this is a pip-compile lockfile, rely on whatever path dependencies we found in the main manifest
         return [] if requirements_in_file_matcher.compiled_file?(req_file)
 
-        uneditable_reqs =
-          req_file.content
-                  .scan(/(?<name>^['"]?(?:file:)?(?<path>\..*?)(?=\[|#|'|"|$))/)
-                  .filter_map do |n, p|
-                    { name: n.strip, path: p.strip, file: req_file.name } unless p.include?("://")
-                  end
-
-        editable_reqs =
-          req_file.content
-                  .scan(/(?<name>^(?:-e)\s+['"]?(?:file:)?(?<path>.*?)(?=\[|#|'|"|$))/)
-                  .filter_map do |n, p|
-                    { name: n.strip, path: p.strip, file: req_file.name } unless p.include?("://") || p.include?("git@")
-                  end
+        content = T.must(req_file.content)
+        uneditable_reqs = parse_uneditable_requirements(content, req_file.name)
+        editable_reqs = parse_editable_requirements(content, req_file.name)
 
         uneditable_reqs + editable_reqs
       end
 
+      sig { params(content: String, file_name: String).returns(T::Array[PathDependency]) }
+      def parse_uneditable_requirements(content, file_name)
+        content
+          .scan(/(?<name>^['"]?(?:file:)?(?<path>\..*?)(?=\[|#|'|"|$))/)
+          .filter_map { |match_data| process_requirement_match(T.cast(match_data, T::Array[String]), file_name, false) }
+      end
+
+      sig { params(content: String, file_name: String).returns(T::Array[PathDependency]) }
+      def parse_editable_requirements(content, file_name)
+        content
+          .scan(/(?<name>^(?:-e)\s+['"]?(?:file:)?(?<path>.*?)(?=\[|#|'|"|$))/)
+          .filter_map { |match_data| process_requirement_match(T.cast(match_data, T::Array[String]), file_name, true) }
+      end
+
+      sig do
+        params(
+          match_data: T::Array[String],
+          file_name: String,
+          editable: T::Boolean
+        ).returns(T.nilable(PathDependency))
+      end
+      def process_requirement_match(match_data, file_name, editable)
+        name, path = match_data
+        return nil if name.nil? || path.nil?
+        return nil if path.include?("://")
+        return nil if editable && path.include?("git@")
+
+        { name: name.strip, path: path.strip, file: file_name }
+      end
+
+      sig { params(path: String).returns(String) }
       def cleanpath(path)
         Pathname.new(path).cleanpath.to_path
       end
 
+      sig { returns(Dependabot::Uv::RequiremenstFileMatcher) }
       def requirements_in_file_matcher
-        @requirements_in_file_matcher ||= RequiremenstFileMatcher.new(requirements_in_files)
+        @requirements_in_file_matcher ||= T.let(RequiremenstFileMatcher.new(requirements_in_files),
+                                                T.nilable(Dependabot::Uv::RequiremenstFileMatcher))
       end
 
+      sig { returns(T::Array[PathDependency]) }
       def uv_sources_path_dependencies
         return [] unless pyproject
 
@@ -334,37 +406,52 @@ module Dependabot
             {
               name: name,
               path: source_config["path"],
-              file: pyproject.name
+              file: T.must(pyproject).name
             }
           end
         end
       end
 
+      sig { params(path: T.nilable(T.any(Pathname, String))).returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_requirement_files_from_path(path = nil)
         contents = path ? repo_contents(dir: path) : repo_contents
         filter_requirement_files(contents, base_path: path)
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_requirement_files_from_dirs
         repo_contents
-          .select { |f| f.type == "dir" }
+          .select { |f| T.unsafe(f).type == "dir" }
           .flat_map { |dir| req_files_for_dir(dir) }
       end
 
+      sig do
+        params(
+          contents: T::Array[OpenStruct],
+          base_path: T.nilable(T.any(Pathname, String))
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
       def filter_requirement_files(contents, base_path: nil)
         contents
-          .select { |f| f.type == "file" }
-          .select { |f| file_matches_requirement_pattern?(f.name) }
-          .reject { |f| f.size > MAX_FILE_SIZE }
-          .map { |f| fetch_file_with_path(f.name, base_path) }
-          .select { |f| REQUIREMENT_FILE_PATTERNS[:filenames].include?(f.name) || requirements_file?(f) }
+          .select { |f| T.unsafe(f).type == "file" }
+          .select { |f| file_matches_requirement_pattern?(T.unsafe(f).name) }
+          .reject { |f| T.unsafe(f).size > MAX_FILE_SIZE }
+          .map { |f| fetch_file_with_path(T.unsafe(f).name, base_path) }
+          .select { |f| T.must(REQUIREMENT_FILE_PATTERNS[:filenames]).include?(f.name) || requirements_file?(f) }
       end
 
+      sig { params(filename: String).returns(T::Boolean) }
       def file_matches_requirement_pattern?(filename)
-        REQUIREMENT_FILE_PATTERNS[:extensions].any? { |ext| filename.end_with?(ext) } ||
-          REQUIREMENT_FILE_PATTERNS[:filenames].any?(filename)
+        T.must(REQUIREMENT_FILE_PATTERNS[:extensions]).any? { |ext| filename.end_with?(ext) } ||
+          T.must(REQUIREMENT_FILE_PATTERNS[:filenames]).any?(filename)
       end
 
+      sig do
+        params(
+          filename: T.any(Pathname, String),
+          base_path: T.nilable(T.any(Pathname, String))
+        ).returns(Dependabot::DependencyFile)
+      end
       def fetch_file_with_path(filename, base_path)
         path = base_path ? File.join(base_path, filename) : filename
         fetch_file_from_host(path)

data/lib/dependabot/uv/file_parser.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "dependabot/dependency"
+require "dependabot/dependency_file"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
 require "dependabot/file_parsers/base/dependency_set"
@@ -20,6 +21,7 @@ module Dependabot
   module Uv
     class FileParser < Dependabot::FileParsers::Base
       extend T::Sig
+
       require_relative "file_parser/pyproject_files_parser"
       require_relative "file_parser/python_requirement_parser"
 
@@ -128,14 +130,11 @@ module Dependabot
         nil
       end
 
-      sig { params(package_manager: String, version: String).returns(T::Boolean) }
+      sig { params(package_manager: String, version: String).void }
       def log_if_version_malformed(package_manager, version)
-        if version.match?(/^\d+(?:\.\d+)*$/)
-          true
-        else
-          Dependabot.logger.warn("Detected #{package_manager} with malformed version #{version}")
-          false
-        end
+        return if version.match?(/^\d+(?:\.\d+)*$/)
+
+        Dependabot.logger.warn("Detected #{package_manager} with malformed version #{version}")
       end
 
       sig { returns(String) }
@@ -273,12 +272,12 @@ module Dependabot
       def marker_satisfied?(marker, python_version)
         conditions = marker.split(/\s+(and|or)\s+/)
 
-        result = T.let(evaluate_condition(conditions.shift, python_version), T::Boolean)
+        result = T.let(evaluate_condition?(conditions.shift, python_version), T::Boolean)
 
         until conditions.empty?
           operator = conditions.shift
           next_condition = conditions.shift
-          next_result = evaluate_condition(next_condition, python_version)
+          next_result = evaluate_condition?(next_condition, python_version)
 
           result = if operator == "and"
                      result && next_result
@@ -294,7 +293,7 @@ module Dependabot
         params(condition: T.untyped,
                python_version: T.any(String, Integer, Gem::Version)).returns(T::Boolean)
       end
-      def evaluate_condition(condition, python_version)
+      def evaluate_condition?(condition, python_version)
         operator, version = condition.match(/([<>=!]=?)\s*"?([\d.]+)"?/)&.captures
 
         case operator
@@ -385,9 +384,9 @@ module Dependabot
         @pyproject ||= T.let(get_original_file("pyproject.toml"), T.nilable(DependencyFile))
       end
 
-      sig { returns(T::Array[Requirement]) }
+      sig { returns(T::Array[DependencyFile]) }
       def requirements_in_files
-        @requirements_in_files ||= T.let(dependency_files.select { |f| f.name.end_with?(".in") }, T.untyped)
+        dependency_files.select { |f| f.name.end_with?(".in") }
       end
 
       sig { returns(RequiremenstFileMatcher) }

data/lib/dependabot/uv/requirements_file_matcher.rb

@@ -1,12 +1,14 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
+require "dependabot/dependency_file"
+
 module Dependabot
   module Uv
     class RequiremenstFileMatcher
       extend T::Sig
 
-      sig { params(requirements_in_files: T::Array[Requirement]).void }
+      sig { params(requirements_in_files: T::Array[DependencyFile]).void }
       def initialize(requirements_in_files)
         @requirements_in_files = requirements_in_files
       end
@@ -21,12 +23,12 @@ module Dependabot
         return true if file.content&.match?(output_file_regex(name))
 
         basename = name.gsub(/\.txt$/, "")
-        requirements_in_files.any? { |f| f.instance_variable_get(:@name) == basename + ".in" }
+        requirements_in_files.any? { |f| f.name == basename + ".in" }
       end
 
       private
 
-      sig { returns(T::Array[Requirement]) }
+      sig { returns(T::Array[DependencyFile]) }
       attr_reader :requirements_in_files
 
       sig { params(filename: T.any(String, Symbol)).returns(String) }

data/lib/dependabot/uv.rb

@@ -1,6 +1,19 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
+# Type definitions for repository file structures
+module Dependabot
+  module Uv
+    extend T::Sig
+
+    PathDependency = T.type_alias { { name: String, path: String, file: String } }
+
+    TomlContent = T.type_alias { T::Hash[String, T.untyped] }
+  end
+end
+
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
 require "dependabot/uv/file_fetcher"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.327.0
+  version: 0.330.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.327.0
+        version: 0.330.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.327.0
+        version: 0.330.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -284,7 +284,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.327.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.330.0
 rdoc_options: []
 require_paths:
 - lib