RubyGems - dependabot-uv - Versions diffs - 0.363.0 → 0.364.0 - Mend

dependabot-uv 0.363.0 → 0.364.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/dependabot/uv/dependency_grapher.rb +196 -0
data/lib/dependabot/uv/file_parser.rb +16 -2
data/lib/dependabot/uv/file_updater/lock_file_updater.rb +15 -15
data/lib/dependabot/uv.rb +1 -0
metadata +7 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c00b324d4b8b8b0070b03ba16767d40b0f8130871c78240c1099815277664f71
-  data.tar.gz: f4bf0c298a4b4fbb1bab69c9af1bda513a6bdf5986f973ccfe8b233af51a301e
+  metadata.gz: 66f81d0ac637cdaa3193618598079972af284af23add69f280b5dc5eb26e988d
+  data.tar.gz: 0a10dc4db04f2e311feef435dc31c35dabf6f15ad8f02b6ba5d64daef384a615
 SHA512:
-  metadata.gz: 45595b8e72d691dcb17bb747eff12e0c2ecd0ccd5afd9e6294eed9adbe2c82d05f8f160a9631d30254c67385084e283376b2473d5ad308992168acef273650eb
-  data.tar.gz: 1b2da7bc589e4a0a1f094f67a4caeefea2512b9b34ab79f16765fd78645d6ed3389e8ef2a60bf90548a2d56ae48d08b4c29fcf66b12d3bcb5ce9bde450cbe7a8
+  metadata.gz: 186c1e97d18b0166ffd052abafbaffcfe18b880daf3c54dc6e065d5ae6f525c7c58d5813205339daa3821ca9e3aae619c311c402ce888009f6b7eece1d88fb90
+  data.tar.gz: e6c02a262d85ac3c593603cdf2e2ed519c3174470e1fe36827708297db5ec191da41c2cb96d63d22ecab5d46a8f03712d2ac2430bcab6a784b29a964ee40da82

data/lib/dependabot/uv/dependency_grapher.rb ADDED Viewed

@@ -0,0 +1,196 @@
+# typed: strict
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/dependency_graphers"
+require "dependabot/dependency_graphers/base"
+require "dependabot/uv/file_parser"
+require "toml-rb"
+module Dependabot
+  module Uv
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      UV_LOCK_COMMAND = T.let("pyenv exec uv lock --color never --no-progress && cat uv.lock", String)
+      UV_TREE_COMMAND = T.let("pyenv exec uv tree -q --color never --no-progress --frozen", String)
+      # Used to capture package lines from `uv tree` output.
+      #
+      # Example output:
+      #   ├── flask v3.1.3
+      #   │   ├── click v8.3.1
+      #   │   └── jinja2 v3.1.6
+      #   │       └── markupsafe v3.0.3
+      #
+      # The `prefix` contains tree-depth segments (`│   ` or `    `) and
+      # `package` is the dependency name token before the `v<version>` marker.
+      UV_TREE_LINE_REGEX = T.let(
+        /^(?<prefix>(?:(?:│   )|(?:    ))*)(?:├──|└──)\s(?<package>.+?)\sv[^\s]+(?:\s+\(.*\))?$/,
+        Regexp
+      )
+      sig { override.returns(Dependabot::DependencyFile) }
+      def relevant_dependency_file
+        # This cannot realistically happen as the parser will throw a runtime error
+        # on init without a pyproject.toml file,
+        # but this will avoid surprises if anything changes.
+        raise DependabotError, "No pyproject.toml present in dependency files." unless pyproject_toml
+        T.must(pyproject_toml)
+      end
+      private
+      sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def fetch_subdependencies(dependency)
+        dependency_names = @dependencies.map(&:name)
+        package_relationships.fetch(dependency.name, []).select { |child| dependency_names.include?(child) }
+      end
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def package_relationships
+        @package_relationships ||= T.let(
+          fetch_package_relationships,
+          T.nilable(T::Hash[String, T::Array[String]])
+        )
+      end
+      # See UV tree docs https://docs.astral.sh/uv/reference/cli/#uv-tree
+      # First try extracting relationships from uv.lock directly. If there is no
+      # lockfile, generate one in a temporary parsed context and parse that.
+      # If lockfile parsing fails for any reason, fall back to uv tree output.
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_package_relationships
+        return package_relationships_from_lockfile(T.must(T.must(uv_lock).content)) if uv_lock
+        begin
+          Dependabot.logger.info("No uv.lock present, generating ephemeral lockfile for dependency graphing")
+          generated_lockfile = uv_parser.run_in_parsed_context(UV_LOCK_COMMAND)
+          return package_relationships_from_lockfile(generated_lockfile)
+        rescue StandardError => e
+          Dependabot.logger.warn("Failed to build dependency graph from uv.lock: #{e.message}")
+          Dependabot.logger.info("Falling back to parsing uv tree output")
+        end
+        package_relationships_from_tree
+      end
+      sig { params(lockfile_content: String).returns(T::Hash[String, T::Array[String]]) }
+      def package_relationships_from_lockfile(lockfile_content)
+        lockfile_packages(lockfile_content).each_with_object({}) do |package_data, rels|
+          parent = lockfile_parent_name(package_data)
+          next unless parent
+          rels[parent] ||= []
+          rels[parent].concat(lockfile_child_names(package_data))
+        end
+      rescue StandardError => e
+        Dependabot.logger.warn("Failed to parse uv.lock relationships: #{e.message}")
+        {}
+      end
+      sig { params(lockfile_content: String).returns(T::Array[T.untyped]) }
+      def lockfile_packages(lockfile_content)
+        parsed = TomlRB.parse(lockfile_content)
+        T.cast(parsed.fetch("package", []), T::Array[T.untyped])
+      end
+      sig { params(package_data: T.untyped).returns(T.nilable(String)) }
+      def lockfile_parent_name(package_data)
+        return unless package_data.is_a?(Hash)
+        package_name = package_data["name"]
+        return unless package_name.is_a?(String)
+        normalised_dependency_name(package_name)
+      end
+      sig { params(package_data: T.untyped).returns(T::Array[String]) }
+      def lockfile_child_names(package_data)
+        dependencies =
+          if package_data.is_a?(Hash)
+            T.cast(package_data["dependencies"], T.nilable(T::Array[T.untyped])) || []
+          else
+            []
+          end
+        dependencies.filter_map do |dependency|
+          dependency_name = lockfile_dependency_name(dependency)
+          normalised_dependency_name(dependency_name) if dependency_name
+        end
+      end
+      sig { params(dependency_data: T.untyped).returns(T.nilable(String)) }
+      def lockfile_dependency_name(dependency_data)
+        if dependency_data.is_a?(Hash)
+          name = dependency_data["name"]
+          return name if name.is_a?(String)
+        end
+        return dependency_data if dependency_data.is_a?(String)
+        nil
+      end
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def package_relationships_from_tree
+        relationship_stack = T.let([], T::Array[String])
+        uv_parser.run_in_parsed_context(UV_TREE_COMMAND).lines.each_with_object({}) do |line, rels|
+          match = line.match(UV_TREE_LINE_REGEX)
+          next unless match
+          package = normalised_dependency_name(T.must(match[:package]))
+          depth = T.must(match[:prefix]).scan(/(?:│   |    )/).length
+          relationship_stack[depth] = package
+          relationship_stack.slice!(depth + 1, relationship_stack.length)
+          parent = depth.zero? ? nil : relationship_stack[depth - 1]
+          rels[package] ||= []
+          next unless parent
+          rels[parent] ||= []
+          rels[parent] << package
+        end
+      end
+      sig { returns(Dependabot::Uv::FileParser) }
+      def uv_parser
+        T.cast(file_parser, Dependabot::Uv::FileParser)
+      end
+      sig { params(name: String).returns(String) }
+      def normalised_dependency_name(name)
+        Dependabot::Uv::FileParser.normalize_dependency_name(name)
+      end
+      sig { override.params(_dependency: Dependabot::Dependency).returns(String) }
+      def purl_pkg_for(_dependency)
+        "pypi"
+      end
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pyproject_toml
+        return @pyproject_toml if defined?(@pyproject_toml)
+        @pyproject_toml = T.let(
+          dependency_files.find { |f| f.name == "pyproject.toml" },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def uv_lock
+        return @uv_lock if defined?(@uv_lock)
+        @uv_lock = T.let(
+          dependency_files.find { |f| f.name == "uv.lock" },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+    end
+  end
+end
+Dependabot::DependencyGraphers.register("uv", Dependabot::Uv::DependencyGrapher)

data/lib/dependabot/uv/file_parser.rb CHANGED Viewed

@@ -71,6 +71,21 @@ module Dependabot
         )
       end
+      sig { override.params(command: String).returns(String) }
+      def run_in_parsed_context(command)
+        SharedHelpers.in_a_temporary_directory do
+          dependency_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+          setup_python_environment
+          SharedHelpers.run_shell_command(command)
+        end
+      end
       # Normalize dependency names to match the PyPI index normalization
       sig { params(name: String, extras: T::Array[String]).returns(String) }
       def self.normalize_dependency_name(name, extras = [])
@@ -94,8 +109,7 @@ module Dependabot
       def python_requirement_parser
         @python_requirement_parser ||= T.let(
           PythonRequirementParser.new(
-            dependency_files:
-                                                     dependency_files
+            dependency_files: dependency_files
           ),
           T.nilable(PythonRequirementParser)
         )

data/lib/dependabot/uv/file_updater/lock_file_updater.rb CHANGED Viewed

@@ -359,13 +359,13 @@ module Dependabot
             .select { |cred| cred["type"] == "python_index" }
             .reject { |cred| explicit_index?(cred) }
             .map do |cred|
-              authed_url = AuthedUrlBuilder.authed_url(credential: cred)
+            authed_url = AuthedUrlBuilder.authed_url(credential: cred)
-              if cred.replaces_base?
-                "--default-index #{authed_url}"
-              else
-                "--index #{authed_url}"
-              end
+            if cred.replaces_base?
+              "--default-index #{authed_url}"
+            else
+              "--index #{authed_url}"
+            end
           end
         end
@@ -421,18 +421,18 @@ module Dependabot
             .select { |cred| cred["type"] == "python_index" }
             .select { |cred| explicit_index?(cred) }
             .each do |cred|
-              index_name = find_index_name_for_credential(cred)
-              next unless index_name
+            index_name = find_index_name_for_credential(cred)
+            next unless index_name
-              env_name = index_name.upcase.gsub(/[^A-Z0-9]/, "_")
+            env_name = index_name.upcase.gsub(/[^A-Z0-9]/, "_")
-              env_vars["UV_INDEX_#{env_name}_USERNAME"] = cred["username"] if cred["username"]
+            env_vars["UV_INDEX_#{env_name}_USERNAME"] = cred["username"] if cred["username"]
-              if cred["password"]
-                env_vars["UV_INDEX_#{env_name}_PASSWORD"] = cred["password"]
-              elsif cred["token"]
-                env_vars["UV_INDEX_#{env_name}_PASSWORD"] = cred["token"]
-              end
+            if cred["password"]
+              env_vars["UV_INDEX_#{env_name}_PASSWORD"] = cred["password"]
+            elsif cred["token"]
+              env_vars["UV_INDEX_#{env_name}_PASSWORD"] = cred["token"]
+            end
           end
           env_vars

data/lib/dependabot/uv.rb CHANGED Viewed

@@ -16,6 +16,7 @@ end
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
+require "dependabot/uv/dependency_grapher"
 require "dependabot/uv/file_fetcher"
 require "dependabot/uv/file_parser"
 require "dependabot/uv/update_checker"

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.363.0
+  version: 0.364.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.363.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.363.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.363.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.363.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -263,6 +263,7 @@ files:
 - helpers/run.py
 - lib/dependabot/uv.rb
 - lib/dependabot/uv/authed_url_builder.rb
+- lib/dependabot/uv/dependency_grapher.rb
 - lib/dependabot/uv/file_fetcher.rb
 - lib/dependabot/uv/file_fetcher/workspace_fetcher.rb
 - lib/dependabot/uv/file_parser.rb
@@ -299,7 +300,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.363.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.364.0
 rdoc_options: []
 require_paths:
 - lib