dependabot-uv 0.373.0 → 0.375.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c78c457d915b59fa89446fbac28a04dd21bacfeea68be9269a064860c94740a0
-  data.tar.gz: b411c026710c02805e31c2083942b1e2bb88ea1c850bd01a34091e9f6634abf1
+  metadata.gz: 70d931188f97da35d9640f12c9e46ce6448d11e217a5929c42147d0bc5921da0
+  data.tar.gz: 9fbff1b9ec1f035932b1e8183d51d0c2b3c1fba55ecf5d7432ec9933f1262f98
 SHA512:
-  metadata.gz: 7a987303b993f1014af6293e9417dda25e60d9cd69dfdc2858f500c3a64a3b812525dd369b3c08410f396e2da72887d42e4f118284c75b82700823ea901859c1
-  data.tar.gz: e3696a1ff4f3a5617e331ca4cdf515ce2b039b31fd0a7344dab58bebb469136993f0348ec68ad022da34f02ad33831c1366e807d4c8a11251c0121966b6c3af3
+  metadata.gz: 2617fb6467bbaee53b2aeb34ef1674312b7266a8a301ae8fbb60d77cadce8ca95edf35aeca16939eb0d1782b5f8ae35e6b619953a804535ebd602fbf954129c2
+  data.tar.gz: 4d9bd0393f2c71a08aa867c81440a4ee0aefa7d770bf0c4da9ed428badce9d78e4599937512336123b85bc0c036dea96bc14c48abe6a395efaf8ae2aefe075a1

data/lib/dependabot/uv/file_parser/pyproject_files_parser.rb

@@ -31,6 +31,7 @@ module Dependabot
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           dependency_set += pyproject_dependencies if using_poetry? || using_pep621? || using_pep735?
+          dependency_set += workspace_member_dependencies if workspace_member_pyproject_files.any?
           dependency_set += lockfile_dependencies if using_poetry? && lockfile
 
           dependency_set
@@ -46,7 +47,7 @@ module Dependabot
           if using_poetry?
             poetry_dependencies
           else
-            pep621_pep735_dependencies
+            pep621_pep735_dependencies(T.must(pyproject))
           end
         end
 
@@ -71,8 +72,8 @@ module Dependabot
           dependencies
         end
 
-        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-        def pep621_pep735_dependencies
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(Dependabot::FileParsers::Base::DependencySet) }
+        def pep621_pep735_dependencies(pyproject_file)
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
 
           # PDM is not yet supported, so we want to ignore it for now because in
@@ -81,7 +82,7 @@ module Dependabot
           # undesirable. Leave PDM alone until properly supported
           return dependencies if using_pdm?
 
-          parse_pep621_pep735_dependencies.each do |dep|
+          parse_pep621_pep735_dependencies(pyproject_file).each do |dep|
             # If a requirement has a `<` or `<=` marker then updating it is
             # probably blocked. Ignore it.
             next if dep["markers"]&.include?("<")
@@ -106,6 +107,22 @@ module Dependabot
           dependencies
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def workspace_member_pyproject_files
+          dependency_files.select { |file| file.support_file? && file.name.end_with?("pyproject.toml") }
+        end
+
+        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+        def workspace_member_dependencies
+          dependencies = Dependabot::FileParsers::Base::DependencySet.new
+
+          workspace_member_pyproject_files.each do |pyproject_file|
+            dependencies += pep621_pep735_dependencies(pyproject_file)
+          end
+
+          dependencies
+        end
+
         sig do
           params(
             type: String,
@@ -298,24 +315,24 @@ module Dependabot
           poetry_lock
         end
 
-        sig { returns(T.untyped) }
-        def parse_pep621_pep735_dependencies
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(T.untyped) }
+        def parse_pep621_pep735_dependencies(pyproject_file)
           SharedHelpers.in_a_temporary_directory do
-            write_temporary_pyproject
+            write_temporary_pyproject(pyproject_file)
 
             SharedHelpers.run_helper_subprocess(
               command: "pyenv exec python3 #{NativeHelpers.python_helper_path}",
               function: "parse_pep621_pep735_dependencies",
-              args: [T.must(pyproject).name]
+              args: [pyproject_file.name]
             )
           end
         end
 
-        sig { returns(Integer) }
-        def write_temporary_pyproject
-          path = T.must(pyproject).name
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(Integer) }
+        def write_temporary_pyproject(pyproject_file)
+          path = pyproject_file.name
           FileUtils.mkdir_p(Pathname.new(path).dirname)
-          File.write(path, T.must(pyproject).content)
+          File.write(path, pyproject_file.content)
         end
 
         sig { returns(T.untyped) }

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -93,14 +93,13 @@ module Dependabot
         def fetch_updated_dependency_files
           return [] unless create_or_update_lock_file?
 
-          updated_files = []
-
-          if file_changed?(pyproject)
-            updated_files <<
-              updated_file(
-                file: T.must(pyproject),
-                content: T.must(updated_pyproject_content)
-              )
+          updated_files = pyproject_files.filter_map do |file|
+            next unless file_changed?(file)
+
+            updated_file(
+              file: file,
+              content: T.must(updated_pyproject_content_for(file))
+            )
           end
 
           if lockfile && !build_system_only_dependency?
@@ -117,15 +116,20 @@ module Dependabot
 
         sig { returns(T.nilable(String)) }
         def updated_pyproject_content
-          content = T.must(pyproject).content
-          return content unless file_changed?(T.must(pyproject))
+          updated_pyproject_content_for(T.must(pyproject))
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+        def updated_pyproject_content_for(file)
+          content = T.must(file.content)
+          return content unless file_changed?(file)
 
           updated_content = content.dup
 
           T.must(dependency).requirements.zip(T.must(T.must(dependency).previous_requirements)).each do |new_r, old_r|
-            next unless new_r[:file] == T.must(pyproject).name && T.must(old_r)[:file] == T.must(pyproject).name
+            next unless new_r[:file] == file.name && T.must(old_r)[:file] == file.name
 
-            updated_content = replace_dep(T.must(dependency), T.must(updated_content), new_r, T.must(old_r))
+            updated_content = replace_dep(T.must(dependency), updated_content, new_r, T.must(old_r))
           end
 
           raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
@@ -302,12 +306,17 @@ module Dependabot
           dependency_files.each do |file|
             path = file.name
             FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, file.content)
+            content = if file.name == "pyproject.toml"
+                        pyproject_content
+                      elsif file.name.end_with?("pyproject.toml") && file_changed?(file)
+                        T.must(updated_pyproject_content_for(file))
+                      else
+                        T.must(file.content)
+                      end
+
+            File.write(path, content)
           end
 
-          # Overwrite the pyproject with updated content
-          File.write("pyproject.toml", pyproject_content)
-
           ensure_version_file_directories
         end
 
@@ -598,6 +607,11 @@ module Dependabot
           )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def pyproject_files
+          dependency_files.select { |file| file.name.end_with?("pyproject.toml") }
+        end
+
         sig { returns(String) }
         def directory
           dependency_files.first&.directory || "/"

data/lib/dependabot/uv/file_updater.rb

@@ -18,8 +18,8 @@ module Dependabot
 
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
-        updated_files = updated_pip_compile_based_files
-        updated_files += updated_uv_lock_files
+        updated_files = updated_pip_compile_based_files + updated_uv_lock_files
+        updated_files = updated_files.reverse.uniq(&:name).reverse
 
         if updated_files.none? ||
            updated_files.sort_by(&:name) == dependency_files.sort_by(&:name)

data/lib/dependabot/uv/update_checker.rb

@@ -158,7 +158,7 @@ module Dependabot
         requirement = reqs.find do |r|
           file = r[:file]
 
-          file == "uv.lock" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
+          file == "uv.lock" || file.end_with?("pyproject.toml") || file.end_with?(".in") || file.end_with?(".txt")
         end
 
         requirement&.fetch(:requirement)
@@ -235,6 +235,11 @@ module Dependabot
         false
       end
 
+      sig { returns(T::Boolean) }
+      def updating_pyproject?
+        requirement_files.any? { |file| file.end_with?("pyproject.toml") }
+      end
+
       sig { returns(T::Boolean) }
       def updating_uv_lock?
         requirement_files.any?("uv.lock")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.373.0
+  version: 0.375.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.375.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.375.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.375.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.375.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -301,7 +301,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.373.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.375.0
 rdoc_options: []
 require_paths:
 - lib