dependabot-uv 0.332.0 → 0.333.0

data/lib/dependabot/uv/requirement.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -12,22 +12,23 @@ module Dependabot
     class Requirement < Dependabot::Requirement
       extend T::Sig
 
-      OR_SEPARATOR = /(?<=[a-zA-Z0-9)*])\s*\|+/
+      OR_SEPARATOR = T.let(/(?<=[a-zA-Z0-9)*])\s*\|+/, Regexp)
 
       # Add equality and arbitrary-equality matchers
-      OPS = OPS.merge(
-        "==" => ->(v, r) { v == r },
-        "===" => ->(v, r) { v.to_s == r.to_s }
-      )
+      OPS = T.let(OPS.merge(
+                    "==" => ->(v, r) { v == r },
+                    "===" => ->(v, r) { v.to_s == r.to_s }
+                  ), T::Hash[String, T.proc.params(arg0: T.untyped, arg1: T.untyped).returns(T.untyped)])
 
       quoted = OPS.keys.sort_by(&:length).reverse
                   .map { |k| Regexp.quote(k) }.join("|")
       version_pattern = Uv::Version::VERSION_PATTERN
 
-      PATTERN_RAW = "\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze
-      PATTERN = /\A#{PATTERN_RAW}\z/
-      PARENS_PATTERN = /\A\(([^)]+)\)\z/
+      PATTERN_RAW = T.let("\\s*(?<op>#{quoted})?\\s*(?<version>#{version_pattern})\\s*".freeze, String)
+      PATTERN = T.let(/\A#{PATTERN_RAW}\z/, Regexp)
+      PARENS_PATTERN = T.let(/\A\(([^)]+)\)\z/, Regexp)
 
+      sig { params(obj: T.any(Gem::Version, String)).returns([String, Gem::Version]) }
       def self.parse(obj)
         return ["=", Uv::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
 
@@ -63,6 +64,7 @@ module Dependabot
         end
       end
 
+      sig { params(requirements: T.nilable(T.any(String, T::Array[String]))).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
           next if req_string.nil?
@@ -78,20 +80,23 @@ module Dependabot
         super(requirements)
       end
 
+      sig { params(version: T.any(Gem::Version, String)).returns(T::Boolean) }
       def satisfied_by?(version)
         version = Uv::Version.new(version.to_s)
 
-        requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
+        requirements.all? { |op, rv| T.must(OPS[op] || OPS["="]).call(version, rv) }
       end
 
+      sig { returns(T::Boolean) }
       def exact?
-        return false unless @requirements.size == 1
+        return false unless requirements.size == 1
 
-        %w(= == ===).include?(@requirements[0][0])
+        %w(= == ===).include?(requirements[0][0])
       end
 
       private
 
+      sig { params(req_string: T.nilable(String)).returns(T.nilable(T.any(String, T::Array[String]))) }
       def convert_python_constraint_to_ruby_constraint(req_string)
         return nil if req_string.nil? || req_string.strip.empty?
         return nil if req_string == "*"
@@ -111,6 +116,7 @@ module Dependabot
 
       # Poetry uses ~ requirements.
       # https://github.com/sdispater/poetry#tilde-requirements
+      sig { params(req_string: String).returns(String) }
       def convert_tilde_req(req_string)
         version = req_string.gsub(/^~\>?/, "")
         parts = version.split(".")
@@ -120,44 +126,47 @@ module Dependabot
 
       # Poetry uses ^ requirements
       # https://github.com/sdispater/poetry#caret-requirement
+      sig { params(req_string: String).returns(T::Array[String]) }
       def convert_caret_req(req_string)
         version = req_string.gsub(/^\^/, "")
         parts = version.split(".")
-        parts.fill(0, parts.length...3)
+        parts.fill("0", parts.length...3)
         first_non_zero = parts.find { |d| d != "0" }
         first_non_zero_index =
           first_non_zero ? parts.index(first_non_zero) : parts.count - 1
         upper_bound = parts.map.with_index do |part, i|
-          if i < first_non_zero_index then part
+          if i < T.must(first_non_zero_index) then part
           elsif i == first_non_zero_index then (part.to_i + 1).to_s
           # .dev has lowest precedence: https://packaging.python.org/en/latest/specifications/version-specifiers/#summary-of-permitted-suffixes-and-relative-ordering
-          elsif i > first_non_zero_index && i == 2 then "0.dev"
+          elsif i > T.must(first_non_zero_index) && i == 2 then "0.dev"
           else
-            0
+            "0"
           end
         end.join(".")
 
         [">= #{version}", "< #{upper_bound}"]
       end
 
+      sig { params(req_string: String).returns(String) }
       def convert_wildcard(req_string)
         # NOTE: This isn't perfect. It replaces the "!= 1.0.*" case with
         # "!= 1.0.0". There's no way to model this correctly in Ruby :'(
         quoted_ops = OPS.keys.sort_by(&:length).reverse
                         .map { |k| Regexp.quote(k) }.join("|")
-        op = req_string.match(/\A\s*(#{quoted_ops})?/)
-                       .captures.first.to_s&.strip
+        op_match = req_string.match(/\A\s*(#{quoted_ops})?/)
+        op = op_match&.captures&.first.to_s.strip
         exact_op = ["", "=", "==", "==="].include?(op)
 
         req_string.strip
                   .split(".")
-                  .first(req_string.split(".").index { |s| s.include?("*") } + 1)
+                  .first(T.must(req_string.split(".").index { |s| s.include?("*") }) + 1)
                   .join(".")
                   .gsub(/\*(?!$)/, "0")
                   .gsub(/\*$/, "0.dev")
                   .tap { |s| exact_op ? s.gsub!(/^(?<!!)=*/, "~>") : s }
       end
 
+      sig { params(req_string: String).returns(T.any(String, T::Array[String])) }
       def convert_exact(req_string)
         arbitrary_equality = req_string.start_with?("===")
         cleaned_version = req_string.gsub(/^=+/, "").strip

data/lib/dependabot/uv/update_checker/lock_file_resolver.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/uv/version"
 require "dependabot/uv/requirement"
 require "dependabot/uv/update_checker"
@@ -9,6 +11,16 @@ module Dependabot
   module Uv
     class UpdateChecker
       class LockFileResolver
+        extend T::Sig
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            repo_contents_path: T.nilable(String)
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:, repo_contents_path: nil)
           @dependency = dependency
           @dependency_files = dependency_files
@@ -16,6 +28,7 @@ module Dependabot
           @repo_contents_path = repo_contents_path
         end
 
+        sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Uv::Version)) }
         def latest_resolvable_version(requirement:)
           return nil unless requirement
 
@@ -28,19 +41,30 @@ module Dependabot
           nil
         end
 
-        def resolvable?(*)
+        sig { params(_version: T.untyped).returns(T::Boolean) }
+        def resolvable?(_version)
+          # Always return true since we don't actually attempt resolution
+          # This is just a placeholder implementation
           true
         end
 
+        sig { returns(T.nilable(Dependabot::Uv::Version)) }
         def lowest_resolvable_security_fix_version
           nil
         end
 
         private
 
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
+        sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
       end
     end

data/lib/dependabot/uv/update_checker/pip_compile_version_resolver.rb

@@ -1,7 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "open3"
+require "sorbet-runtime"
+
 require "dependabot/dependency"
 require "dependabot/uv/requirement_parser"
 require "dependabot/uv/file_fetcher"
@@ -22,34 +24,60 @@ module Dependabot
       # This class does version resolution for pip-compile. Its approach is:
       # - Unlock the dependency we're checking in the requirements.in file
       # - Run `pip-compile` and see what the result is
+      # rubocop:disable Metrics/ClassLength
       class PipCompileVersionResolver
-        GIT_DEPENDENCY_UNREACHABLE_REGEX = /git clone --filter=blob:none --quiet (?<url>[^\s]+).* /
-        GIT_REFERENCE_NOT_FOUND_REGEX = /Did not find branch or tag '(?<tag>[^\n"]+)'/m
-        NATIVE_COMPILATION_ERROR =
-          "pip._internal.exceptions.InstallationSubprocessError: Getting requirements to build wheel exited with 1"
+        extend T::Sig
+
+        GIT_DEPENDENCY_UNREACHABLE_REGEX = T.let(/git clone --filter=blob:none --quiet (?<url>[^\s]+).* /, Regexp)
+        GIT_REFERENCE_NOT_FOUND_REGEX = T.let(/Did not find branch or tag '(?<tag>[^\n"]+)'/m, Regexp)
+        NATIVE_COMPILATION_ERROR = T.let(
+          "pip._internal.exceptions.InstallationSubprocessError: Getting requirements to build wheel exited with 1",
+          String
+        )
         # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#configuring-metadata
-        PYTHON_PACKAGE_NAME_REGEX = /[A-Za-z0-9_\-]+/
-        RESOLUTION_IMPOSSIBLE_ERROR = "ResolutionImpossible"
-        ERROR_REGEX = /(?<=ERROR\:\W).*$/
-        UV_UNRESOLVABLE_REGEX = / × No solution found when resolving dependencies:[\s\S]*$/
+        PYTHON_PACKAGE_NAME_REGEX = T.let(/[A-Za-z0-9_\-]+/, Regexp)
+        RESOLUTION_IMPOSSIBLE_ERROR = T.let("ResolutionImpossible", String)
+        ERROR_REGEX = T.let(/(?<=ERROR\:\W).*$/, Regexp)
+        UV_UNRESOLVABLE_REGEX = T.let(/ × No solution found when resolving dependencies:[\s\S]*$/, Regexp)
 
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
+        sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+
+        sig { returns(PipCompileErrorHandler) }
         attr_reader :error_handler
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            repo_contents_path: T.nilable(String)
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:, repo_contents_path:)
-          @dependency               = dependency
-          @dependency_files         = dependency_files
-          @credentials              = credentials
-          @repo_contents_path       = repo_contents_path
-          @build_isolation = true
-          @error_handler = PipCompileErrorHandler.new
+          @dependency               = T.let(dependency, Dependabot::Dependency)
+          @dependency_files         = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials              = T.let(credentials, T::Array[Dependabot::Credential])
+          @repo_contents_path       = T.let(repo_contents_path, T.nilable(String))
+          @build_isolation = T.let(true, T::Boolean)
+          @error_handler = T.let(PipCompileErrorHandler.new, PipCompileErrorHandler)
         end
 
+        sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Uv::Version)) }
         def latest_resolvable_version(requirement: nil)
-          @latest_resolvable_version_string ||= {}
+          @latest_resolvable_version_string ||= T.let(
+            {},
+            T.nilable(T::Hash[T.nilable(String), T.nilable(Dependabot::Uv::Version)])
+          )
           return @latest_resolvable_version_string[requirement] if @latest_resolvable_version_string.key?(requirement)
 
           version_string =
@@ -59,9 +87,10 @@ module Dependabot
             version_string.nil? ? nil : Uv::Version.new(version_string)
         end
 
+        sig { params(version: Gem::Version).returns(T::Boolean) }
         def resolvable?(version:)
-          @resolvable ||= {}
-          return @resolvable[version] if @resolvable.key?(version)
+          @resolvable ||= T.let({}, T.nilable(T::Hash[Gem::Version, T::Boolean]))
+          return T.must(@resolvable[version]) if @resolvable.key?(version)
 
           @resolvable[version] = if latest_resolvable_version(requirement: "==#{version}")
                                    true
@@ -72,6 +101,7 @@ module Dependabot
 
         private
 
+        sig { params(requirement: T.nilable(String)).returns(T.nilable(String)) }
         def fetch_latest_resolvable_version_string(requirement:)
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -90,6 +120,7 @@ module Dependabot
           end
         end
 
+        sig { params(filename: String).returns(T::Boolean) }
         def compile_file(filename)
           # Shell out to pip-compile.
           # This is slow, as pip-compile needs to do installs.
@@ -126,17 +157,24 @@ module Dependabot
           end
 
           handle_pip_compile_errors(e.message)
+          false
         end
 
+        sig { params(error: Dependabot::SharedHelpers::HelperSubprocessFailed).returns(T::Boolean) }
         def compilation_error?(error)
           error.message.include?(NATIVE_COMPILATION_ERROR)
         end
 
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(message: String).returns(T.nilable(String)) }
         def handle_pip_compile_errors(message)
           if message.include?("No solution found when resolving dependencies")
-            raise DependencyFileNotResolvable, message.scan(UV_UNRESOLVABLE_REGEX).last
+            match_result = message.scan(UV_UNRESOLVABLE_REGEX).last
+            if match_result
+              error_message = match_result.is_a?(Array) ? match_result.join : match_result
+              raise DependencyFileNotResolvable, error_message
+            end
           end
 
           check_original_requirements_resolvable if message.include?(RESOLUTION_IMPOSSIBLE_ERROR)
@@ -153,21 +191,23 @@ module Dependabot
           end
 
           if message.match?(GIT_REFERENCE_NOT_FOUND_REGEX)
-            tag = message.match(GIT_REFERENCE_NOT_FOUND_REGEX).named_captures.fetch("tag")
-            constraints_section = message.split("Finding the best candidates:").first
+            tag = T.must(T.must(message.match(GIT_REFERENCE_NOT_FOUND_REGEX)).named_captures.fetch("tag"))
+            constraints_section = T.must(message.split("Finding the best candidates:").first)
             egg_regex = /#{Regexp.escape(tag)}#egg=(#{PYTHON_PACKAGE_NAME_REGEX})/
             name_match = constraints_section.scan(egg_regex)
 
             # We can determine the name of the package from another part of the logger output if it has a unique tag
-            raise GitDependencyReferenceNotFound, name_match.first.first if name_match.length == 1
+            if name_match.length == 1 && name_match.first.is_a?(Array)
+              raise GitDependencyReferenceNotFound, T.must(T.cast(T.must(name_match.first), T::Array[String]).first)
+            end
 
             raise GitDependencyReferenceNotFound, "(unknown package at #{tag})"
           end
 
           if message.match?(GIT_DEPENDENCY_UNREACHABLE_REGEX)
-            url = message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX)
-                         .named_captures.fetch("url")
-            raise GitDependenciesNotReachable, url
+            url = T.must(message.match(GIT_DEPENDENCY_UNREACHABLE_REGEX))
+                   .named_captures.fetch("url")
+            raise GitDependenciesNotReachable, T.must(url)
           end
 
           raise Dependabot::OutOfDisk if message.end_with?("[Errno 28] No space left on device")
@@ -185,6 +225,7 @@ module Dependabot
         # Note: We raise errors from this method, rather than returning a
         # boolean, so that all deps for this repo will raise identical
         # errors when failing to update
+        sig { returns(T::Boolean) }
         def check_original_requirements_resolvable
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -216,12 +257,14 @@ module Dependabot
           end
         end
 
-        def run_command(command, env: python_env, fingerprint:)
+        sig { params(command: String, fingerprint: String, env: T::Hash[String, String]).void }
+        def run_command(command, fingerprint:, env: python_env)
           SharedHelpers.run_shell_command(command, env: env, fingerprint: fingerprint, stderr_to_stdout: true)
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_pip_compile_errors(e.message)
         end
 
+        sig { params(options: String).returns(String) }
         def pip_compile_options_fingerprint(options)
           options.sub(
             /--output-file=\S+/, "--output-file=<output_file>"
@@ -232,6 +275,7 @@ module Dependabot
           )
         end
 
+        sig { params(filename: String).returns(String) }
         def pip_compile_options(filename)
           options = @build_isolation ? ["--build-isolation"] : ["--no-build-isolation"]
           options += pip_compile_index_options
@@ -247,6 +291,7 @@ module Dependabot
           options.join(" ")
         end
 
+        sig { returns(T::Array[String]) }
         def pip_compile_index_options
           credentials
             .select { |cred| cred["type"] == "python_index" }
@@ -261,6 +306,7 @@ module Dependabot
             end
         end
 
+        sig { params(command: String, fingerprint: String).void }
         def run_pip_compile_command(command, fingerprint:)
           run_command(
             "pyenv local #{language_version_manager.python_major_minor}",
@@ -270,38 +316,43 @@ module Dependabot
           run_command(command, fingerprint: fingerprint)
         end
 
+        # rubocop:disable Metrics/AbcSize
+        sig { params(requirements_file: Dependabot::DependencyFile).returns(T::Array[String]) }
         def uv_pip_compile_options_from_compiled_file(requirements_file)
           options = []
 
-          options << "--no-emit-index-url" unless requirements_file.content.include?("index-url http")
+          options << "--no-emit-index-url" unless T.must(requirements_file.content).include?("index-url http")
 
-          options << "--generate-hashes" if requirements_file.content.include?("--hash=sha")
+          options << "--generate-hashes" if T.must(requirements_file.content).include?("--hash=sha")
 
-          options << "--no-annotate" unless requirements_file.content.include?("# via ")
+          options << "--no-annotate" unless T.must(requirements_file.content).include?("# via ")
 
-          options << "--pre" if requirements_file.content.include?("--pre")
+          options << "--pre" if T.must(requirements_file.content).include?("--pre")
 
-          options << "--no-strip-extras" if requirements_file.content.include?("--no-strip-extras")
+          options << "--no-strip-extras" if T.must(requirements_file.content).include?("--no-strip-extras")
 
-          if requirements_file.content.include?("--no-binary") || requirements_file.content.include?("--only-binary")
+          if T.must(requirements_file.content).include?("--no-binary") ||
+             T.must(requirements_file.content).include?("--only-binary")
             options << "--emit-build-options"
           end
 
-          if (resolver = FileUpdater::CompileFileUpdater::RESOLVER_REGEX.match(requirements_file.content))
+          if (resolver = FileUpdater::CompileFileUpdater::RESOLVER_REGEX.match(T.must(requirements_file.content)))
             options << "--resolver=#{resolver}"
           end
 
-          options << "--universal" if requirements_file.content.include?("--universal")
+          options << "--universal" if T.must(requirements_file.content).include?("--universal")
 
           options
         end
+        # rubocop:enable Metrics/AbcSize
 
+        sig { returns(T::Hash[String, String]) }
         def python_env
           env = {}
 
           # Handle Apache Airflow 1.10.x installs
-          if dependency_files.any? { |f| f.content.include?("apache-airflow") }
-            if dependency_files.any? { |f| f.content.include?("unidecode") }
+          if dependency_files.any? { |f| T.must(f.content).include?("apache-airflow") }
+            if dependency_files.any? { |f| T.must(f.content).include?("unidecode") }
               env["AIRFLOW_GPL_UNIDECODE"] = "yes"
             else
               env["SLUGIFY_USES_TEXT_UNIDECODE"] = "yes"
@@ -311,6 +362,9 @@ module Dependabot
           env
         end
 
+        sig do
+          params(updated_req: T.nilable(String), update_requirement: T::Boolean).void
+        end
         def write_temporary_dependency_files(updated_req: nil,
                                              update_requirement: true)
           dependency_files.each do |file|
@@ -328,6 +382,7 @@ module Dependabot
           File.write(".python-version", language_version_manager.python_major_minor)
         end
 
+        sig { void }
         def write_original_manifest_files
           pip_compile_files.each do |file|
             FileUtils.mkdir_p(Pathname.new(file.name).dirname)
@@ -335,29 +390,33 @@ module Dependabot
           end
         end
 
+        sig { params(file: Dependabot::DependencyFile, updated_req: T.nilable(String)).returns(String) }
         def update_req_file(file, updated_req)
-          return file.content unless file.name.end_with?(".in")
+          return T.must(file.content) unless file.name.end_with?(".in")
 
           req = dependency.requirements.find { |r| r[:file] == file.name }
 
-          return file.content + "\n#{dependency.name} #{updated_req}" unless req&.fetch(:requirement)
+          return T.must(file.content) + "\n#{dependency.name} #{updated_req}" unless req&.fetch(:requirement)
 
           Uv::FileUpdater::RequirementReplacer.new(
-            content: file.content,
+            content: T.must(file.content),
             dependency_name: dependency.name,
             old_requirement: req[:requirement],
             new_requirement: updated_req
           ).updated_content
         end
 
+        sig { params(name: String).returns(String) }
         def normalise(name)
           NameNormaliser.normalise(name)
         end
 
+        sig { params(message: String).returns(String) }
         def clean_error_message(message)
-          message.scan(ERROR_REGEX).last
+          T.must(T.cast(message.scan(ERROR_REGEX), T::Array[String]).last)
         end
 
+        sig { returns(T::Array[String]) }
         def filenames_to_compile
           files_from_reqs =
             dependency.requirements
@@ -375,10 +434,11 @@ module Dependabot
           order_filenames_for_compilation(filenames)
         end
 
+        sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
         def compiled_file_for_filename(filename)
           compiled_file =
             compiled_files
-            .find { |f| f.content.match?(output_file_regex(filename)) }
+            .find { |f| T.must(f.content).match?(output_file_regex(filename)) }
 
           compiled_file ||=
             compiled_files
@@ -387,22 +447,25 @@ module Dependabot
           compiled_file
         end
 
+        sig { params(filename: String).returns(String) }
         def output_file_regex(filename)
           "--output-file[=\s]+.*\s#{Regexp.escape(filename)}\s*$"
         end
 
+        sig { params(compiled_file: T.nilable(Dependabot::DependencyFile)).returns(T::Boolean) }
         def compiled_file_includes_dependency?(compiled_file)
           return false unless compiled_file
 
           regex = RequirementParser::INSTALL_REQ_WITH_REQUIREMENT
 
           matches = []
-          compiled_file.content.scan(regex) { matches << Regexp.last_match }
+          T.must(compiled_file.content).scan(regex) { matches << Regexp.last_match }
           matches.any? { |m| normalise(m[:name]) == dependency.name }
         end
 
         # If the files we need to update require one another then we need to
         # update them in the right order
+        sig { params(filenames: T::Array[String]).returns(T::Array[String]) }
         def order_filenames_for_compilation(filenames)
           ordered_filenames = T.let([], T::Array[String])
 
@@ -410,7 +473,7 @@ module Dependabot
             ordered_filenames +=
               remaining_filenames
               .reject do |fn|
-                unupdated_reqs = requirement_map[fn] - ordered_filenames
+                unupdated_reqs = T.must(requirement_map[fn]) - ordered_filenames
                 unupdated_reqs.intersect?(filenames)
               end
           end
@@ -418,11 +481,12 @@ module Dependabot
           ordered_filenames
         end
 
+        sig { returns(T::Hash[String, T::Array[String]]) }
         def requirement_map
           child_req_regex = Uv::FileFetcher::CHILD_REQUIREMENT_REGEX
-          @requirement_map ||=
+          @requirement_map ||= T.let(
             pip_compile_files.each_with_object({}) do |file, req_map|
-              paths = file.content.scan(child_req_regex).flatten
+              paths = T.must(file.content).scan(child_req_regex).flatten
               current_dir = File.dirname(file.name)
 
               req_map[file.name] =
@@ -434,9 +498,12 @@ module Dependabot
 
                   path
                 end.uniq.compact
-            end
+            end,
+            T.nilable(T::Hash[String, T::Array[String]])
+          )
         end
 
+        sig { returns(T.nilable(String)) }
         def parse_updated_files
           updated_files =
             dependency_files.map do |file|
@@ -454,47 +521,59 @@ module Dependabot
           ).parse.find { |d| d.name == dependency.name }&.version
         end
 
+        sig { returns(Dependabot::Uv::FileParser::PythonRequirementParser) }
         def python_requirement_parser
-          @python_requirement_parser ||=
+          @python_requirement_parser ||= T.let(
             FileParser::PythonRequirementParser.new(
               dependency_files: dependency_files
-            )
+            ), T.nilable(FileParser::PythonRequirementParser)
+          )
         end
 
+        sig { returns(Dependabot::Uv::LanguageVersionManager) }
         def language_version_manager
-          @language_version_manager ||=
+          @language_version_manager ||= T.let(
             LanguageVersionManager.new(
               python_requirement_parser: python_requirement_parser
-            )
+            ), T.nilable(LanguageVersionManager)
+          )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def setup_files
           dependency_files.select { |f| f.name.end_with?("setup.py") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def pip_compile_files
           dependency_files.select { |f| f.name.end_with?(".in") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def compiled_files
           dependency_files.select { |f| f.name.end_with?(".txt") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def setup_cfg_files
           dependency_files.select { |f| f.name.end_with?("setup.cfg") }
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
 
     class PipCompileErrorHandler
-      SUBPROCESS_ERROR = /subprocess-exited-with-error/
+      extend T::Sig
+
+      SUBPROCESS_ERROR = T.let(/subprocess-exited-with-error/, Regexp)
 
-      INSTALLATION_ERROR = /InstallationError/
+      INSTALLATION_ERROR = T.let(/InstallationError/, Regexp)
 
-      INSTALLATION_SUBPROCESS_ERROR = /InstallationSubprocessError/
+      INSTALLATION_SUBPROCESS_ERROR = T.let(/InstallationSubprocessError/, Regexp)
 
-      HASH_MISMATCH = /HashMismatch/
+      HASH_MISMATCH = T.let(/HashMismatch/, Regexp)
 
+      sig { params(error: String).void }
       def handle_pipcompile_error(error)
         return unless error.match?(SUBPROCESS_ERROR) || error.match?(INSTALLATION_ERROR) ||
                       error.match?(INSTALLATION_SUBPROCESS_ERROR) || error.match?(HASH_MISMATCH)