dependabot-uv 0.332.0 → 0.333.0

data/lib/dependabot/uv/file_updater/requirement_replacer.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/dependency"
 require "dependabot/uv/requirement_parser"
 require "dependabot/uv/file_updater"
@@ -12,20 +14,33 @@ module Dependabot
   module Uv
     class FileUpdater
       class RequirementReplacer
+        extend T::Sig
+
         PACKAGE_NOT_FOUND_ERROR = "PackageNotFoundError"
 
         CERTIFICATE_VERIFY_FAILED = /CERTIFICATE_VERIFY_FAILED/
 
+        sig do
+          params(
+            content: String,
+            dependency_name: String,
+            old_requirement: T.nilable(String),
+            new_requirement: T.nilable(String),
+            new_hash_version: T.nilable(String),
+            index_urls: T.nilable(T::Array[T.nilable(String)])
+          ).void
+        end
         def initialize(content:, dependency_name:, old_requirement:,
                        new_requirement:, new_hash_version: nil, index_urls: nil)
-          @content          = content
-          @dependency_name  = normalise(dependency_name)
-          @old_requirement  = old_requirement
-          @new_requirement  = new_requirement
-          @new_hash_version = new_hash_version
-          @index_urls = index_urls
+          @content = T.let(content, String)
+          @dependency_name = T.let(normalise(dependency_name), String)
+          @old_requirement = T.let(old_requirement, T.nilable(String))
+          @new_requirement = T.let(new_requirement, T.nilable(String))
+          @new_hash_version = T.let(new_hash_version, T.nilable(String))
+          @index_urls = T.let(index_urls, T.nilable(T::Array[T.nilable(String)]))
         end
 
+        sig { returns(String) }
         def updated_content
           updated_content =
             content.gsub(original_declaration_replacement_regex) do |mtch|
@@ -43,40 +58,52 @@ module Dependabot
 
         private
 
+        sig { returns(String) }
         attr_reader :content
+
+        sig { returns(String) }
         attr_reader :dependency_name
+
+        sig { returns(T.nilable(String)) }
         attr_reader :old_requirement
+
+        sig { returns(T.nilable(String)) }
         attr_reader :new_requirement
+
+        sig { returns(T.nilable(String)) }
         attr_reader :new_hash_version
 
+        sig { returns(T::Boolean) }
         def update_hashes?
           !new_hash_version.nil?
         end
 
+        sig { returns(T.nilable(String)) }
         def updated_requirement_string
           new_req_string = new_requirement
 
-          new_req_string = new_req_string.gsub(/,\s*/, ", ") if add_space_after_commas?
+          new_req_string = new_req_string&.gsub(/,\s*/, ", ") if add_space_after_commas?
 
           if add_space_after_operators?
             new_req_string =
               new_req_string
-              .gsub(/(#{RequirementParser::COMPARISON})\s*(?=\d)/o, '\1 ')
+              &.gsub(/(#{RequirementParser::COMPARISON})\s*(?=\d)/o, '\1 ')
           end
 
           new_req_string
         end
 
+        sig { returns(String) }
         def updated_dependency_declaration_string
           old_req = old_requirement
           updated_string =
             if old_req
               original_dependency_declaration_string(old_req)
-                .sub(RequirementParser::REQUIREMENTS, updated_requirement_string)
+                .sub(RequirementParser::REQUIREMENTS, updated_requirement_string || "")
             else
               original_dependency_declaration_string(old_req)
                 .sub(RequirementParser::NAME_WITH_EXTRAS) do |nm|
-                  nm + updated_requirement_string
+                  nm + (updated_requirement_string || "")
                 end
             end
 
@@ -88,59 +115,65 @@ module Dependabot
               name: dependency_name,
               version: new_hash_version,
               algorithm: hash_algorithm(old_req)
-            ).join(hash_separator(old_req))
+            ).join(hash_separator(old_req) || "")
           )
         end
 
+        sig { returns(T::Boolean) }
         def add_space_after_commas?
           original_dependency_declaration_string(old_requirement)
             .match(RequirementParser::REQUIREMENTS)
             .to_s.include?(", ")
         end
 
+        sig { returns(T::Boolean) }
         def add_space_after_operators?
           original_dependency_declaration_string(old_requirement)
             .match(RequirementParser::REQUIREMENTS)
             .to_s.match?(/#{RequirementParser::COMPARISON}\s+\d/o)
         end
 
+        sig { returns(Regexp) }
         def original_declaration_replacement_regex
           original_string =
             original_dependency_declaration_string(old_requirement)
           /(?<![\-\w\.\[])#{Regexp.escape(original_string)}(?![\-\w\.])/
         end
 
+        sig { params(requirement: T.nilable(String)).returns(T::Boolean) }
         def requirement_includes_hashes?(requirement)
           original_dependency_declaration_string(requirement)
             .match?(RequirementParser::HASHES)
         end
 
+        sig { params(requirement: T.nilable(String)).returns(T.nilable(String)) }
         def hash_algorithm(requirement)
           return unless requirement_includes_hashes?(requirement)
 
-          original_dependency_declaration_string(requirement)
-            .match(RequirementParser::HASHES)
-            .named_captures.fetch("algorithm")
+          matches = original_dependency_declaration_string(requirement).match(RequirementParser::HASHES)
+          return unless matches
+
+          matches.named_captures.fetch("algorithm")
         end
 
+        sig { params(requirement: T.nilable(String)).returns(T.nilable(String)) }
         def hash_separator(requirement)
           return unless requirement_includes_hashes?(requirement)
 
           hash_regex = RequirementParser::HASH
-          current_separator =
-            original_dependency_declaration_string(requirement)
-            .match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/)
-            .named_captures.fetch("separator")
+          match_result = original_dependency_declaration_string(requirement)
+                         .match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/)
+          current_separator = match_result&.named_captures&.fetch("separator", nil)
 
-          default_separator =
-            original_dependency_declaration_string(requirement)
-            .match(RequirementParser::HASH)
-            .pre_match.match(/(?<separator>\s*\\?\s*?)\z/)
-            .named_captures.fetch("separator")
+          default_match = original_dependency_declaration_string(requirement)
+                          .match(RequirementParser::HASH)
+          default_separator = default_match&.pre_match&.match(/(?<separator>\s*\\?\s*?)\z/)
+                                           &.named_captures&.fetch("separator", nil)
 
           current_separator || default_separator
         end
 
+        sig { params(name: String, version: T.nilable(String), algorithm: T.nilable(String)).returns(T::Array[String]) }
         def package_hashes_for(name:, version:, algorithm:)
           index_urls = @index_urls || [nil]
 
@@ -168,6 +201,7 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, "Unable to find hashes for package #{name}"
         end
 
+        sig { params(old_req: T.nilable(String)).returns(String) }
         def original_dependency_declaration_string(old_req)
           matches = []
 
@@ -189,10 +223,12 @@ module Dependabot
           dec.to_s.strip
         end
 
+        sig { params(name: String).returns(String) }
         def normalise(name)
           NameNormaliser.normalise(name)
         end
 
+        sig { params(req1: T.nilable(String), req2: T.nilable(String)).returns(T::Boolean) }
         def requirements_match(req1, req2)
           req1&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort ==
             req2&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort
@@ -200,6 +236,7 @@ module Dependabot
 
         public
 
+        sig { params(error: Exception).void }
         def requirement_error_handler(error)
           Dependabot.logger.warn(error.message)
 

data/lib/dependabot/uv/file_updater.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "toml-rb"
@@ -78,7 +78,7 @@ module Dependabot
         ).updated_dependency_files
       end
 
-      sig { returns(T::Array[String]) }
+      sig { returns(T::Array[T.nilable(String)]) }
       def pip_compile_index_urls
         if credentials.any?(&:replaces_base?)
           credentials.select(&:replaces_base?).map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }

data/lib/dependabot/uv/language.rb

@@ -11,6 +11,7 @@ module Dependabot
 
     class Language < Dependabot::Ecosystem::VersionManager
       extend T::Sig
+
       # This list must match the versions specified at the top of `uv/Dockerfile`
       # ARG PY_3_13=3.13.2
       # When updating this list, also update python/lib/dependabot/python/language.rb

data/lib/dependabot/uv/metadata_finder.rb

@@ -1,7 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
+require "sorbet-runtime"
 require "uri"
 
 require "dependabot/metadata_finders"
@@ -13,8 +14,26 @@ require "dependabot/uv/name_normaliser"
 module Dependabot
   module Uv
     class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
+
       MAIN_PYPI_URL = "https://pypi.org/pypi"
 
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential]
+        )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        super
+        @pypi_listing = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @source_from_description = T.let(nil, T.nilable(String))
+        @source_from_homepage = T.let(nil, T.nilable(String))
+        @homepage_response = T.let(nil, T.nilable(Excon::Response))
+      end
+
+      sig { returns(T.nilable(String)) }
       def homepage_url
         pypi_listing.dig("info", "home_page") ||
           pypi_listing.dig("info", "project_urls", "Homepage") ||
@@ -24,6 +43,7 @@ module Dependabot
 
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         potential_source_urls = [
           pypi_listing.dig("info", "project_urls", "Source"),
@@ -44,6 +64,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T.nilable(String)) }
       def source_from_description
         potential_source_urls = []
         desc = pypi_listing.dig("info", "description")
@@ -64,7 +85,7 @@ module Dependabot
 
         # Failing that, look for a source where the full dependency name is
         # mentioned when the link is followed
-        @source_from_description ||=
+        @source_from_description ||= T.let(
           potential_source_urls.find do |url|
             full_url = Source.from_url(url)&.url
             next unless full_url
@@ -73,16 +94,19 @@ module Dependabot
             next unless response.status == 200
 
             response.body.include?(normalised_dependency_name)
-          end
+          end, T.nilable(String)
+        )
       end
       # rubocop:enable Metrics/PerceivedComplexity
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T.nilable(String)) }
       def source_from_homepage
-        return unless homepage_body
+        homepage_body_local = homepage_body
+        return unless homepage_body_local
 
         potential_source_urls = []
-        homepage_body.scan(Source::SOURCE_REGEX) do
+        homepage_body_local.scan(Source::SOURCE_REGEX) do
           potential_source_urls << Regexp.last_match.to_s
         end
 
@@ -93,7 +117,7 @@ module Dependabot
 
         return match_url if match_url
 
-        @source_from_homepage ||=
+        @source_from_homepage ||= T.let(
           potential_source_urls.find do |url|
             full_url = Source.from_url(url)&.url
             next unless full_url
@@ -102,10 +126,12 @@ module Dependabot
             next unless response.status == 200
 
             response.body.include?(normalised_dependency_name)
-          end
+          end, T.nilable(String)
+        )
       end
       # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { returns(T.nilable(String)) }
       def homepage_body
         homepage_url = pypi_listing.dig("info", "home_page")
 
@@ -115,19 +141,21 @@ module Dependabot
           "pypi.python.org"
         ].include?(URI(homepage_url).host)
 
-        @homepage_response ||=
+        @homepage_response ||= T.let(
           begin
             Dependabot::RegistryClient.get(url: homepage_url)
           rescue Excon::Error::Timeout, Excon::Error::Socket,
                  Excon::Error::TooManyRedirects, ArgumentError
             nil
-          end
+          end, T.nilable(Excon::Response)
+        )
 
         return unless @homepage_response&.status == 200
 
-        @homepage_response.body
+        @homepage_response&.body
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def pypi_listing
         return @pypi_listing unless @pypi_listing.nil?
         return @pypi_listing = {} if dependency.version&.include?("+")
@@ -147,6 +175,7 @@ module Dependabot
         @pypi_listing = {} # No listing found
       end
 
+      sig { params(url: String).returns(Excon::Response) }
       def fetch_authed_url(url)
         if url.match(%r{(.*)://(.*?):(.*)@([^@]+)$}) &&
            Regexp.last_match&.captures&.[](1)&.include?("@")
@@ -164,6 +193,7 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[String]) }
       def possible_listing_urls
         credential_urls =
           credentials
@@ -176,6 +206,7 @@ module Dependabot
       end
 
       # Strip [extras] from name (dependency_name[extra_dep,other_extra])
+      sig { returns(String) }
       def normalised_dependency_name
         NameNormaliser.normalise(dependency.name)
       end

data/lib/dependabot/uv/package/package_registry_finder.rb

@@ -1,6 +1,11 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "toml-rb"
+require "sorbet-runtime"
+require "dependabot/dependency"
+require "dependabot/dependency_file"
+require "dependabot/credential"
 require "dependabot/uv/update_checker"
 require "dependabot/uv/authed_url_builder"
 require "dependabot/errors"
@@ -10,13 +15,23 @@ module Dependabot
     module Package
       class PackageRegistryFinder
         extend T::Sig
+
         PYPI_BASE_URL = "https://pypi.org/simple/"
         ENVIRONMENT_VARIABLE_REGEX = /\$\{.+\}/
 
+        UrlsHash = T.type_alias { { main: T.nilable(String), extra: T::Array[String] } }
+
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            dependency: Dependabot::Dependency
+          ).void
+        end
         def initialize(dependency_files:, credentials:, dependency:)
-          @dependency_files = dependency_files
-          @credentials      = credentials
-          @dependency       = dependency
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials      = T.let(credentials, T::Array[Dependabot::Credential])
+          @dependency       = T.let(dependency, Dependabot::Dependency)
         end
 
         sig { returns(T::Array[String]) }
@@ -42,9 +57,13 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
 
+        sig { returns(String) }
         def main_index_url
           url =
             config_variable_index_urls[:main] ||
@@ -57,92 +76,124 @@ module Dependabot
           clean_check_and_remove_environment_variables(url)
         end
 
+        sig { returns(UrlsHash) }
         def requirement_file_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
 
           requirements_files.each do |file|
-            if file.content.match?(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
-              urls[:main] =
-                file.content.match(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
-                    .captures.first&.strip
+            content = file.content
+            next unless content
+
+            if content.match?(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
+              match_result = content.match(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
+              urls[:main] = match_result&.captures&.first&.strip
             end
-            urls[:extra] +=
-              file.content
-                  .scan(/^--extra-index-url\s+['"]?([^\s'"]+)['"]?/)
-                  .flatten
-                  .map(&:strip)
+            extra_urls = urls[:extra]
+            extra_urls +=
+              content
+              .scan(/^--extra-index-url\s+['"]?([^\s'"]+)['"]?/)
+              .flatten
+              .map(&:strip)
+            urls[:extra] = extra_urls
           end
 
           urls
         end
 
+        sig { returns(UrlsHash) }
         def pip_conf_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
 
           return urls unless pip_conf
 
-          content = pip_conf.content
+          pip_conf_file = pip_conf
+          return urls unless pip_conf_file
+
+          content = pip_conf_file.content
+          return urls unless content
 
           if content.match?(/^index-url\s*=/x)
-            urls[:main] = content.match(/^index-url\s*=\s*(.+)/)
-                                 .captures.first
+            match_result = content.match(/^index-url\s*=\s*(.+)/)
+            urls[:main] = match_result&.captures&.first
           end
-          urls[:extra] += content.scan(/^extra-index-url\s*=(.+)/).flatten
+          extra_urls = urls[:extra]
+          extra_urls += content.scan(/^extra-index-url\s*=(.+)/).flatten
+          urls[:extra] = extra_urls
 
           urls
         end
 
+        sig { returns(UrlsHash) }
         def pipfile_index_urls
-          urls = { main: nil, extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
+          begin
+            return urls unless pipfile
 
-          return urls unless pipfile
+            pipfile_file = pipfile
+            return urls unless pipfile_file
 
-          pipfile_object = TomlRB.parse(pipfile.content)
+            content = pipfile_file.content
+            return urls unless content
 
-          urls[:main] = pipfile_object["source"]&.first&.fetch("url", nil)
+            pipfile_object = TomlRB.parse(content)
 
-          pipfile_object["source"]&.each do |source|
-            urls[:extra] << source.fetch("url") if source["url"]
-          end
-          urls[:extra] = urls[:extra].uniq
+            urls[:main] = pipfile_object["source"]&.first&.fetch("url", nil)
 
-          urls
-        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-          urls
+            pipfile_object["source"]&.each do |source|
+              urls[:extra] << source.fetch("url") if source["url"]
+            end
+            urls[:extra] = urls[:extra].uniq
+
+            urls
+          rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+            urls
+          end
         end
 
+        # rubocop:disable Metrics/PerceivedComplexity
+        sig { returns(UrlsHash) }
         def pyproject_index_urls
-          urls = { main: nil, extra: [] }
-
-          return urls unless pyproject
-
-          sources =
-            TomlRB.parse(pyproject.content).dig("tool", "poetry", "source") ||
-            []
-
-          sources.each do |source|
-            # If source is PyPI, skip it, and let it pick the default URI
-            next if source["name"].casecmp?("PyPI")
-
-            if @dependency.all_sources.include?(source["name"])
-              # If dependency has specified this source, use it
-              return { main: source["url"], extra: [] }
-            elsif source["default"]
-              urls[:main] = source["url"]
-            elsif source["priority"] != "explicit"
-              # if source is not explicit, add it to extra
-              urls[:extra] << source["url"]
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
+
+          begin
+            return urls unless pyproject
+
+            pyproject_file = pyproject
+            return urls unless pyproject_file
+
+            pyproject_content = pyproject_file.content
+            return urls unless pyproject_content
+
+            sources =
+              TomlRB.parse(pyproject_content).dig("tool", "poetry", "source") ||
+              []
+
+            sources.each do |source|
+              # If source is PyPI, skip it, and let it pick the default URI
+              next if source["name"].casecmp?("PyPI")
+
+              if @dependency.all_sources.include?(source["name"])
+                # If dependency has specified this source, use it
+                return { main: source["url"], extra: [] }
+              elsif source["default"]
+                urls[:main] = source["url"]
+              elsif source["priority"] != "explicit"
+                # if source is not explicit, add it to extra
+                urls[:extra] << source["url"]
+              end
             end
-          end
-          urls[:extra] = urls[:extra].uniq
+            urls[:extra] = urls[:extra].uniq
 
-          urls
-        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-          urls
+            urls
+          rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+            urls
+          end
         end
+        # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { returns(UrlsHash) }
         def config_variable_index_urls
-          urls = { main: T.let(nil, T.nilable(String)), extra: [] }
+          urls = T.let({ main: nil, extra: [] }, UrlsHash)
 
           index_url_creds = credentials
                             .select { |cred| cred["type"] == "python_index" }
@@ -159,6 +210,7 @@ module Dependabot
           urls
         end
 
+        sig { params(url: String).returns(String) }
         def clean_check_and_remove_environment_variables(url)
           url = url.strip.sub(%r{/+$}, "") + "/"
 
@@ -188,17 +240,15 @@ module Dependabot
           raise PrivateSourceAuthenticationFailure, url
         end
 
+        sig { params(base_url: String).returns(String) }
         def authed_base_url(base_url)
           cred = credential_for(base_url)
           return base_url unless cred
 
-          builder = AuthedUrlBuilder.authed_url(credential: cred)
-
-          return base_url unless builder
-
-          builder.gsub(%r{/*$}, "") + "/"
+          AuthedUrlBuilder.authed_url(credential: cred).gsub(%r{/*$}, "") + "/"
         end
 
+        sig { params(url: String).returns(T.nilable(Dependabot::Credential)) }
         def credential_for(url)
           credentials
             .select { |c| c["type"] == "python_index" }
@@ -208,22 +258,27 @@ module Dependabot
             end
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pip_conf
           dependency_files.find { |f| f.name == "pip.conf" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pipfile
           dependency_files.find { |f| f.name == "Pipfile" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           dependency_files.find { |f| f.name == "pyproject.toml" }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def requirements_files
           dependency_files.select { |f| f.name.match?(/requirements/x) }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def pip_compile_files
           dependency_files.select { |f| f.name.end_with?(".in") }
         end