RubyGems - dependabot-uv - Versions diffs - 0.352.0 → 0.354.0 - Mend

dependabot-uv 0.352.0 → 0.354.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/dependabot/uv/file_fetcher/workspace_fetcher.rb +210 -0
data/lib/dependabot/uv/file_fetcher.rb +18 -29
data/lib/dependabot/uv/file_updater/compile_file_updater.rb +21 -12
data/lib/dependabot/uv/file_updater/lock_file_updater.rb +6 -3
data/lib/dependabot/uv/update_checker/pip_compile_version_resolver.rb +13 -1
metadata +7 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2182d20a6869566befc86859bd0260cbe23c3ce48b128c95c82ec5713af9f25b
-  data.tar.gz: 0c7a49f6debe6d304cc07854636139d2504a9bd74baa1c72ff08a072b2ddea7c
+  metadata.gz: 9f6cd22ac8eea374c5385636da11e99168ed3d7a19425a73005bfe6dea57d462
+  data.tar.gz: f19a7c8dbc8208cfdba09e5f5513b04895b6ff4eb32c5cba0690bb21e2a2db6d
 SHA512:
-  metadata.gz: ee6297977b3276e5d0661dfa1fc1400100a86dfacc0e916adef15ce504f9adb5707db9214c5ee017147202c8c2104333a9bf6c7f351fdd1ce8577e7b88d005ba
-  data.tar.gz: b71b17c588efbd34281a174f229657173f924cdba4194ebb8073a37b3e2b7e37cdeec7effa71da66807291f0d455f76d3da8e8ab2ff560b4e35cbdab60f6781a
+  metadata.gz: f6d6de0188f952e54b6d3a5e50df326ffbdbaa8f53cc6c27034a489c1636e366a0b6bb15e5ac9210e71a15273dd1fb69430716fd93023b2d72a8eb34260ce252
+  data.tar.gz: a94975fe714eae7eadac990e4ce9c8d996ac4478b0016557245fb5fc2e5745591832f2098d1ca0383bcb7de025cf0e85b047aeefed2baaa8b602e90ac4d0431f

data/lib/dependabot/uv/file_fetcher/workspace_fetcher.rb ADDED Viewed

@@ -0,0 +1,210 @@
+# typed: strict
+# frozen_string_literal: true
+require "toml-rb"
+require "sorbet-runtime"
+require "dependabot/dependency_file"
+module Dependabot
+  module Uv
+    class FileFetcher < Dependabot::FileFetchers::Base
+      class WorkspaceFetcher
+        extend T::Sig
+        README_FILENAMES = T.let(%w(README.md README.rst README.txt README).freeze, T::Array[String])
+        sig do
+          params(
+            file_fetcher: Dependabot::Uv::FileFetcher,
+            pyproject: T.nilable(Dependabot::DependencyFile)
+          ).void
+        end
+        def initialize(file_fetcher, pyproject)
+          @file_fetcher = file_fetcher
+          @pyproject = pyproject
+          @parsed_pyproject = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def workspace_member_files
+          return [] unless @pyproject
+          workspace_member_paths.flat_map do |member_path|
+            member_pyproject = fetch_workspace_member_pyproject(member_path)
+            member_readmes = fetch_readme_files_for(member_path, member_pyproject)
+            [member_pyproject] + member_readmes
+          rescue Dependabot::DependencyFileNotFound
+            []
+          end
+        end
+        sig { returns(T::Array[{ name: String, file: String }]) }
+        def uv_sources_workspace_dependencies
+          return [] unless @pyproject
+          uv_sources = parsed_pyproject.dig("tool", "uv", "sources")
+          return [] unless uv_sources
+          uv_sources.filter_map do |name, source_config|
+            if source_config.is_a?(Hash) && source_config["workspace"] == true
+              {
+                name: T.cast(name, String),
+                file: @pyproject.name
+              }
+            end
+          end
+        end
+        private
+        sig { params(member_path: String).returns(Dependabot::DependencyFile) }
+        def fetch_workspace_member_pyproject(member_path)
+          pyproject_path = clean_path(File.join(member_path, "pyproject.toml"))
+          pyproject_file = fetch_file_from_host(pyproject_path, fetch_submodules: true)
+          pyproject_file.support_file = true
+          pyproject_file
+        end
+        sig do
+          params(
+            path: String,
+            pyproject_file: Dependabot::DependencyFile
+          ).returns(T::Array[Dependabot::DependencyFile])
+        end
+        def fetch_readme_files_for(path, pyproject_file)
+          readme_candidates = readme_candidates_from_pyproject(pyproject_file)
+          is_root_project = path == directory
+          readme_candidates.filter_map do |filename|
+            file = fetch_readme_file(filename, path, is_root_project)
+            next unless file
+            file.support_file = true
+            file
+          rescue Dependabot::DependencyFileNotFound
+            nil
+          end
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          []
+        end
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def readme_candidates_from_pyproject(pyproject_file)
+          parsed_content = TomlRB.parse(pyproject_file.content)
+          readme_declaration = parsed_content.dig("project", "readme")
+          case readme_declaration
+          when String then [readme_declaration]
+          when Hash
+            readme_declaration["file"].is_a?(String) ? [T.cast(readme_declaration["file"], String)] : README_FILENAMES
+          else
+            README_FILENAMES
+          end
+        end
+        sig do
+          params(
+            filename: String,
+            path: String,
+            is_root_project: T::Boolean
+          ).returns(T.nilable(Dependabot::DependencyFile))
+        end
+        def fetch_readme_file(filename, path, is_root_project)
+          if is_root_project
+            fetch_file_if_present(filename)
+          else
+            file_path = clean_path(File.join(path, filename))
+            fetch_file_from_host(file_path, fetch_submodules: true)
+          end
+        end
+        sig { returns(T::Array[String]) }
+        def workspace_member_paths
+          return [] unless @pyproject
+          members = parsed_pyproject.dig("tool", "uv", "workspace", "members")
+          return [] unless members.is_a?(Array)
+          members.grep(String).flat_map { |pattern| expand_workspace_pattern(pattern) }
+        end
+        sig { params(pattern: String).returns(T::Array[String]) }
+        def expand_workspace_pattern(pattern)
+          return [pattern] unless pattern.include?("*")
+          base_directory = extract_base_directory_from_glob(pattern)
+          directory_paths = fetch_directory_paths_for_matching(base_directory)
+          match_paths_against_pattern(directory_paths, pattern)
+        end
+        sig { params(glob_pattern: String).returns(String) }
+        def extract_base_directory_from_glob(glob_pattern)
+          pattern_without_dot_slash = glob_pattern.gsub(%r{^\./}, "")
+          path_before_glob = pattern_without_dot_slash.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
+          path_before_glob.empty? ? "." : path_before_glob.chomp("/")
+        end
+        sig { params(base_dir: String).returns(T::Array[String]) }
+        def fetch_directory_paths_for_matching(base_dir)
+          normalized_directory = directory.gsub(%r{(^/|/$)}, "")
+          repo_contents(dir: base_dir, raise_errors: false)
+            .select { |file| T.unsafe(file).type == "dir" }
+            .map { |f| T.unsafe(f).path.gsub(%r{^/?#{Regexp.escape(normalized_directory)}/?}, "") }
+        end
+        sig { params(paths: T::Array[String], pattern: String).returns(T::Array[String]) }
+        def match_paths_against_pattern(paths, pattern)
+          pattern_without_dot_slash = pattern.gsub(%r{^\./}, "")
+          paths.select { |path| File.fnmatch?(pattern_without_dot_slash, path, File::FNM_PATHNAME) }
+        end
+        sig { returns(T::Hash[String, T.untyped]) }
+        def parsed_pyproject
+          cached = @parsed_pyproject
+          return cached if cached
+          return {} unless @pyproject
+          @parsed_pyproject = TomlRB.parse(@pyproject.content)
+        end
+        # Delegate methods to file_fetcher
+        sig { params(path: T.nilable(T.any(Pathname, String))).returns(String) }
+        def clean_path(path)
+          @file_fetcher.send(:cleanpath, path)
+        end
+        sig do
+          params(
+            filename: String,
+            fetch_submodules: T::Boolean
+          ).returns(Dependabot::DependencyFile)
+        end
+        def fetch_file_from_host(filename, fetch_submodules: false)
+          @file_fetcher.send(:fetch_file_from_host, filename, fetch_submodules: fetch_submodules)
+        end
+        sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
+        def fetch_file_if_present(filename)
+          @file_fetcher.send(:fetch_file_if_present, filename)
+        end
+        sig do
+          params(
+            dir: T.nilable(String),
+            raise_errors: T::Boolean
+          ).returns(T::Array[OpenStruct])
+        end
+        def repo_contents(dir: nil, raise_errors: true)
+          @file_fetcher.send(:repo_contents, dir: dir, raise_errors: raise_errors)
+        end
+        sig { returns(String) }
+        def directory
+          @file_fetcher.send(:directory)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_fetcher.rb CHANGED Viewed

@@ -12,6 +12,7 @@ require "dependabot/uv/requirements_file_matcher"
 require "dependabot/uv/requirement_parser"
 require "dependabot/uv/file_parser/pyproject_files_parser"
 require "dependabot/uv/file_parser/python_requirement_parser"
+require "dependabot/uv/file_fetcher/workspace_fetcher"
 require "dependabot/errors"
 require "dependabot/file_filtering"
@@ -94,6 +95,7 @@ module Dependabot
         fetched_files += uv_lock_files
         fetched_files += project_files
+        fetched_files += workspace_member_files
         fetched_files << python_version_file if python_version_file
         uniques = uniq_files(fetched_files)
@@ -119,38 +121,20 @@ module Dependabot
       end
       sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def readme_files
-        return [] unless pyproject
+      def workspace_member_files
+        workspace_fetcher.workspace_member_files
+      end
-        # Attempt to read the readme declaration from the pyproject. Accept both simplified
-        # string form and table form ( { file = "..." } ).
-        readme_decl = nil
-        begin
-          readme_decl = parsed_pyproject.dig("project", "readme")
-        rescue TomlRB::ParseError
-          # If the pyproject is unparseable fail later in parsed_pyproject.
-        end
+      sig { returns(WorkspaceFetcher) }
+      def workspace_fetcher
+        @workspace_fetcher ||= T.let(WorkspaceFetcher.new(self, pyproject), T.nilable(WorkspaceFetcher))
+      end
-        candidate_names =
-          case readme_decl
-          when String then [readme_decl]
-          when Hash
-            if readme_decl["file"].is_a?(String)
-              [T.cast(readme_decl["file"], String)]
-            else
-              README_FILENAMES
-            end
-          else
-            README_FILENAMES
-          end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def readme_files
+        return [] unless pyproject
-        candidate_names.filter_map do |filename|
-          file = fetch_file_if_present(filename)
-          file.support_file = true if file
-          file
-        rescue Dependabot::DependencyFileNotFound
-          nil
-        end
+        workspace_fetcher.send(:fetch_readme_files_for, directory, T.must(pyproject))
       end
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -472,6 +456,11 @@ module Dependabot
         end
       end
+      sig { returns(T::Array[{ name: String, file: String }]) }
+      def uv_sources_workspace_dependencies
+        workspace_fetcher.uv_sources_workspace_dependencies
+      end
       sig { params(path: T.nilable(T.any(Pathname, String))).returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_requirement_files_from_path(path = nil)
         contents = path ? repo_contents(dir: path) : repo_contents

data/lib/dependabot/uv/file_updater/compile_file_updater.rb CHANGED Viewed

@@ -37,6 +37,7 @@ module Dependabot
           "pip._internal.exceptions.InstallationSubprocessError: Getting requirements to build wheel exited with 1",
           String
         )
+        PYTHON_VERSION_REGEX = T.let(/--python-version[=\s]+(?<version>\d+\.\d+(?:\.\d+)?)/, Regexp)
         sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
@@ -475,6 +476,8 @@ module Dependabot
             /--index-url=\S+/, "--index-url=<index_url>"
           ).sub(
             /--extra-index-url=\S+/, "--extra-index-url=<extra_index_url>"
+          ).sub(
+            /--python-version=\S+/, "--python-version=<python_version>"
           )
         end
@@ -492,21 +495,27 @@ module Dependabot
         sig { params(requirements_file: Dependabot::DependencyFile).returns(T::Array[String]) }
         def uv_compile_options_from_compiled_file(requirements_file)
+          content = T.must(requirements_file.content)
           options = ["--output-file=#{requirements_file.name}"]
-          options << "--emit-index-url" if T.must(requirements_file.content).include?("index-url http")
-          options << "--generate-hashes" if T.must(requirements_file.content).include?("--hash=sha")
-          options << "--no-annotate" unless T.must(requirements_file.content).include?("# via ")
-          options << "--pre" if T.must(requirements_file.content).include?("--pre")
-          options << "--no-strip-extras" if T.must(requirements_file.content).include?("--no-strip-extras")
-          if T.must(requirements_file.content).include?("--no-binary") ||
-             T.must(requirements_file.content).include?("--only-binary")
-            options << "--emit-build-options"
-          end
+          options << "--emit-index-url" if content.include?("index-url http")
+          options << "--generate-hashes" if content.include?("--hash=sha")
+          options << "--no-annotate" unless content.include?("# via ")
+          options << "--pre" if content.include?("--pre")
+          options << "--no-strip-extras" if content.include?("--no-strip-extras")
+          options << "--emit-build-options" if content.include?("--no-binary") || content.include?("--only-binary")
+          options << "--universal" if content.include?("--universal")
+          python_version_option = extract_python_version_option(content)
+          options << python_version_option if python_version_option
+          options.compact
+        end
-          options << "--universal" if T.must(requirements_file.content).include?("--universal")
+        sig { params(content: String).returns(T.nilable(String)) }
+        def extract_python_version_option(content)
+          return unless (match = PYTHON_VERSION_REGEX.match(content))
-          options
+          "--python-version=#{match[:version]}"
         end
         sig { returns(T::Array[String]) }

data/lib/dependabot/uv/file_updater/lock_file_updater.rb CHANGED Viewed

@@ -140,7 +140,7 @@ module Dependabot
         def replace_dep(dep, content, new_r, old_r)
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
-          escaped_name = Regexp.escape(dep.name)
+          escaped_name = escape_package_name(dep.name)
           regex = /(["']#{escaped_name})([^"']+)(["'])/x
@@ -394,8 +394,9 @@ module Dependabot
         end
         sig { params(name: T.any(String, Symbol)).returns(String) }
-        def escape(name)
-          Regexp.escape(name).gsub("\\-", "[-_.]")
+        def escape_package_name(name)
+          # Per PEP 503, Python package names normalize -, _, and . to the same character
+          Regexp.escape(name).gsub(/\\[-_.]/, "[-_.]")
         end
         sig { params(file: T.nilable(DependencyFile)).returns(T::Boolean) }
@@ -476,6 +477,8 @@ module Dependabot
         sig { returns(T::Boolean) }
         def create_or_update_lock_file?
+          return true if lockfile && T.must(dependency).requirements.empty?
           T.must(dependency).requirements.select { _1[:file].end_with?(*REQUIRED_FILES) }.any?
         end
       end

data/lib/dependabot/uv/update_checker/pip_compile_version_resolver.rb CHANGED Viewed

@@ -39,6 +39,7 @@ module Dependabot
         RESOLUTION_IMPOSSIBLE_ERROR = T.let("ResolutionImpossible", String)
         ERROR_REGEX = T.let(/(?<=ERROR\:\W).*$/, Regexp)
         UV_UNRESOLVABLE_REGEX = T.let(/ × No solution found when resolving dependencies:[\s\S]*$/, Regexp)
+        PYTHON_VERSION_REGEX = T.let(/--python-version[=\s]+(?<version>\d+\.\d+(?:\.\d+)?)/, Regexp)
         sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
@@ -272,6 +273,8 @@ module Dependabot
             /--index-url=\S+/, "--index-url=<index_url>"
           ).sub(
             /--extra-index-url=\S+/, "--extra-index-url=<extra_index_url>"
+          ).sub(
+            /--python-version=\S+/, "--python-version=<python_version>"
           )
         end
@@ -342,10 +345,19 @@ module Dependabot
           options << "--universal" if T.must(requirements_file.content).include?("--universal")
-          options
+          options << extract_python_version_option(requirements_file)
+          options.compact
         end
         # rubocop:enable Metrics/AbcSize
+        sig { params(requirements_file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+        def extract_python_version_option(requirements_file)
+          return unless (match = PYTHON_VERSION_REGEX.match(T.must(requirements_file.content)))
+          "--python-version=#{match[:version]}"
+        end
         sig { returns(T::Hash[String, String]) }
         def python_env
           env = {}

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.352.0
+  version: 0.354.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.352.0
+        version: 0.354.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.352.0
+        version: 0.354.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.352.0
+        version: 0.354.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.352.0
+        version: 0.354.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -264,6 +264,7 @@ files:
 - lib/dependabot/uv.rb
 - lib/dependabot/uv/authed_url_builder.rb
 - lib/dependabot/uv/file_fetcher.rb
+- lib/dependabot/uv/file_fetcher/workspace_fetcher.rb
 - lib/dependabot/uv/file_parser.rb
 - lib/dependabot/uv/file_parser/pyproject_files_parser.rb
 - lib/dependabot/uv/file_parser/python_requirement_parser.rb
@@ -296,7 +297,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.352.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.354.0
 rdoc_options: []
 require_paths:
 - lib