dependabot-uv 0.372.0 → 0.374.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b800f6ffdf570bc834de464268bdb32c5051b2af1f7e9e7b522430d6ce4f237
-  data.tar.gz: c4da6008928f94391a149957c5e13bd0274adc0bca2602bc5b0408de8b01676b
+  metadata.gz: 2e6bf92dbfeb4d2c7671701d936b8176e501b09c321ad64801540e0a322f7bc7
+  data.tar.gz: 9fbff1b9ec1f035932b1e8183d51d0c2b3c1fba55ecf5d7432ec9933f1262f98
 SHA512:
-  metadata.gz: 41b72c005c15263ccdf177000a5ced804ba43b73cf8170dfcb4f65cc4a1ef0a2d02e79146a2a94d81e859b9895a20c665c4e5d3e6fa4663e1af91c58ae858946
-  data.tar.gz: b086ec486967b5a6c78f29611b8fe0adbbff911a4e8f46fc3188efb48d1791d0d2a6be24c7e6c0431bc6a46306b73c95c5bc6bc1a32c254495a0bcd3727a26ba
+  metadata.gz: 7c6e4c28cf13c55e33b75dbdf0c262e7b3897008de927df2ae56802d39cd798af3b1c1b65f3fd01d6d0c49788a1ca4cb754d612ca29c6d859814185119273289
+  data.tar.gz: 4d9bd0393f2c71a08aa867c81440a4ee0aefa7d770bf0c4da9ed428badce9d78e4599937512336123b85bc0c036dea96bc14c48abe6a395efaf8ae2aefe075a1

data/helpers/requirements.txt

@@ -7,7 +7,7 @@ plette==2.1.0
 poetry==1.8.5
 # TODO: Replace 3p package `tomli` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 tomli==2.0.1
-uv==0.10.9
+uv==0.11.8
 
 # Some dependencies will only install if Cython is present
 Cython==3.0.10

data/lib/dependabot/uv/dependency_grapher.rb

@@ -84,7 +84,9 @@ module Dependabot
           rels[parent].concat(lockfile_child_names(package_data))
         end
       rescue StandardError => e
-        Dependabot.logger.warn("Failed to parse uv.lock relationships: #{e.message}")
+        errored_fetching_subdependencies!
+        @subdependency_error = e
+        Dependabot.logger.error("Failed to parse uv.lock relationships: #{e.message}")
         {}
       end
 

data/lib/dependabot/uv/file_parser/pyproject_files_parser.rb

@@ -31,6 +31,7 @@ module Dependabot
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           dependency_set += pyproject_dependencies if using_poetry? || using_pep621? || using_pep735?
+          dependency_set += workspace_member_dependencies if workspace_member_pyproject_files.any?
           dependency_set += lockfile_dependencies if using_poetry? && lockfile
 
           dependency_set
@@ -46,7 +47,7 @@ module Dependabot
           if using_poetry?
             poetry_dependencies
           else
-            pep621_pep735_dependencies
+            pep621_pep735_dependencies(T.must(pyproject))
           end
         end
 
@@ -71,8 +72,8 @@ module Dependabot
           dependencies
         end
 
-        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-        def pep621_pep735_dependencies
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(Dependabot::FileParsers::Base::DependencySet) }
+        def pep621_pep735_dependencies(pyproject_file)
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           # PDM is not yet supported, so we want to ignore it for now because in
@@ -81,7 +82,7 @@ module Dependabot
           # undesirable. Leave PDM alone until properly supported
           return dependencies if using_pdm?
 
-          parse_pep621_pep735_dependencies.each do |dep|
+          parse_pep621_pep735_dependencies(pyproject_file).each do |dep|
             # If a requirement has a `<` or `<=` marker then updating it is
             # probably blocked. Ignore it.
             next if dep["markers"]&.include?("<")
@@ -106,6 +107,22 @@ module Dependabot
           dependencies
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def workspace_member_pyproject_files
+          dependency_files.select { |file| file.support_file? && file.name.end_with?("pyproject.toml") }
+        end
+
+        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+        def workspace_member_dependencies
+          dependencies = Dependabot::FileParsers::Base::DependencySet.new
+
+          workspace_member_pyproject_files.each do |pyproject_file|
+            dependencies += pep621_pep735_dependencies(pyproject_file)
+          end
+
+          dependencies
+        end
+
         sig do
           params(
             type: String,
@@ -298,24 +315,24 @@ module Dependabot
           poetry_lock
         end
 
-        sig { returns(T.untyped) }
-        def parse_pep621_pep735_dependencies
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(T.untyped) }
+        def parse_pep621_pep735_dependencies(pyproject_file)
           SharedHelpers.in_a_temporary_directory do
-            write_temporary_pyproject
+            write_temporary_pyproject(pyproject_file)
 
             SharedHelpers.run_helper_subprocess(
               command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
               function: "parse_pep621_pep735_dependencies",
-              args: [T.must(pyproject).name]
+              args: [pyproject_file.name]
             )
           end
         end
 
-        sig { returns(Integer) }
-        def write_temporary_pyproject
-          path = T.must(pyproject).name
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(Integer) }
+        def write_temporary_pyproject(pyproject_file)
+          path = pyproject_file.name
           FileUtils.mkdir_p(Pathname.new(path).dirname)
-          File.write(path, T.must(pyproject).content)
+          File.write(path, pyproject_file.content)
         end
 
         sig { returns(T.untyped) }

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -93,14 +93,13 @@ module Dependabot
         def fetch_updated_dependency_files
           return [] unless create_or_update_lock_file?
 
-          updated_files = []
-
-          if file_changed?(pyproject)
-            updated_files <<
-              updated_file(
-                file: T.must(pyproject),
-                content: T.must(updated_pyproject_content)
-              )
+          updated_files = pyproject_files.filter_map do |file|
+            next unless file_changed?(file)
+
+            updated_file(
+              file: file,
+              content: T.must(updated_pyproject_content_for(file))
+            )
           end
 
           if lockfile && !build_system_only_dependency?
@@ -117,15 +116,20 @@ module Dependabot
 
         sig { returns(T.nilable(String)) }
         def updated_pyproject_content
-          content = T.must(pyproject).content
-          return content unless file_changed?(T.must(pyproject))
+          updated_pyproject_content_for(T.must(pyproject))
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+        def updated_pyproject_content_for(file)
+          content = T.must(file.content)
+          return content unless file_changed?(file)
 
           updated_content = content.dup
 
           T.must(dependency).requirements.zip(T.must(T.must(dependency).previous_requirements)).each do |new_r, old_r|
-            next unless new_r[:file] == T.must(pyproject).name && T.must(old_r)[:file] == T.must(pyproject).name
+            next unless new_r[:file] == file.name && T.must(old_r)[:file] == file.name
 
-            updated_content = replace_dep(T.must(dependency), T.must(updated_content), new_r, T.must(old_r))
+            updated_content = replace_dep(T.must(dependency), updated_content, new_r, T.must(old_r))
           end
 
           raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
@@ -302,12 +306,17 @@ module Dependabot
           dependency_files.each do |file|
             path = file.name
             FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, file.content)
+            content = if file.name == "pyproject.toml"
+                        pyproject_content
+                      elsif file.name.end_with?("pyproject.toml") && file_changed?(file)
+                        T.must(updated_pyproject_content_for(file))
+                      else
+                        T.must(file.content)
+                      end
+
+            File.write(path, content)
           end
 
-          # Overwrite the pyproject with updated content
-          File.write("pyproject.toml", pyproject_content)
-
           ensure_version_file_directories
         end
 
@@ -598,6 +607,11 @@ module Dependabot
           )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def pyproject_files
+          dependency_files.select { |file| file.name.end_with?("pyproject.toml") }
+        end
+
         sig { returns(String) }
         def directory
           dependency_files.first&.directory || "/"

data/lib/dependabot/uv/file_updater.rb

@@ -18,8 +18,8 @@ module Dependabot
 
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
-        updated_files = updated_pip_compile_based_files
-        updated_files += updated_uv_lock_files
+        updated_files = updated_pip_compile_based_files + updated_uv_lock_files
+        updated_files = updated_files.reverse.uniq(&:name).reverse
 
         if updated_files.none? ||
            updated_files.sort_by(&:name) == dependency_files.sort_by(&:name)

data/lib/dependabot/uv/update_checker.rb

@@ -158,7 +158,7 @@ module Dependabot
         requirement = reqs.find do |r|
           file = r[:file]
 
-          file == "uv.lock" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
+          file == "uv.lock" || file.end_with?("pyproject.toml") || file.end_with?(".in") || file.end_with?(".txt")
         end
 
         requirement&.fetch(:requirement)
@@ -235,6 +235,11 @@ module Dependabot
         false
       end
 
+      sig { returns(T::Boolean) }
+      def updating_pyproject?
+        requirement_files.any? { |file| file.end_with?("pyproject.toml") }
+      end
+
       sig { returns(T::Boolean) }
       def updating_uv_lock?
         requirement_files.any?("uv.lock")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.372.0
+  version: 0.374.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.372.0
+        version: 0.374.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.372.0
+        version: 0.374.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.372.0
+        version: 0.374.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.372.0
+        version: 0.374.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -301,7 +301,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.372.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.374.0
 rdoc_options: []
 require_paths:
 - lib