RubyGems - dependabot-uv - Versions diffs - 0.382.0 → 0.383.0 - Mend

dependabot-uv 0.382.0 → 0.383.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/helpers/build +1 -9
data/lib/dependabot/uv/dependency_grapher.rb +164 -88
data/lib/dependabot/uv/update_checker.rb +7 -8
metadata +6 -7
data/helpers/requirements-3.9.txt +0 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f8d39e39ce8e18f7c946928ed3a7b5cd780ce3ae7d8808dad8c96c3b8248e6b
-  data.tar.gz: 2747bc7341934590fb3c0d1b0af95f788e055ff7845570dc10918179c0a9a26b
+  metadata.gz: ec6b2f2a71183f96ba54935778ae0881d4e54de983b0185651871b5582f43527
+  data.tar.gz: 6d52e75689a7a2b202deded8bb158f6e882e682a77b03738c6af717ce6a7b37e
 SHA512:
-  metadata.gz: 4f6677be24fdf402b476d7018f98ca323491fb6c4ea7ba5eeb4634d0e48b097e98dde9c679b9c1229dcc6343d38600e17d83a2fb931ca3a6918742d8bc88f777
-  data.tar.gz: f56c52f7b7d3b38d894bfa5452a6c4d68a61cf0ea995f2a26ec75a7d68c4bc4abb7a41a495ba0e699c85597bb8d74b9ddc5ee2413ba009db260102807f716d5c
+  metadata.gz: d193574d174b6266342042d95e59ba99b0a89b90ef4878e4735c9dfd27c0fb76be68a54ff85c9d5876e9ebbed85d505909f0cd9f598eb7dae8e443d7fb8d8bc4
+  data.tar.gz: fc9b36d7a7482e8642cb8bb6ecc348496972ccb938139c645cf5a96d7f6b0239b8ec1219f0d8cb497bb82eed12fca7336c86febd3f2d1a6aafc3920e985a9c4d

data/helpers/build CHANGED Viewed

@@ -15,21 +15,13 @@ cp -r \
   "$helpers_dir/lib" \
   "$helpers_dir/run.py" \
   "$helpers_dir/requirements.txt" \
-  "$helpers_dir/requirements-3.9.txt" \
   "$install_dir"
 cd "$install_dir"
 python_version=$1
-# pip 26.x and several other packages require Python >=3.10.
-# Use 3.9-compatible versions for the deprecated Python 3.9 runtime.
-if [[ "$python_version" == 3.9.* ]]; then
-  req_file="requirements-3.9.txt"
-else
-  req_file="requirements.txt"
-fi
-PYENV_VERSION=$python_version pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r "$req_file"
+PYENV_VERSION=$python_version pyenv exec pip3 --disable-pip-version-check install --use-pep517 -r requirements.txt
 # Remove the extra objects added during the previous install. Based on
 # https://github.com/docker-library/python/blob/master/Dockerfile-linux.template

data/lib/dependabot/uv/dependency_grapher.rb CHANGED Viewed

@@ -3,39 +3,55 @@
 require "sorbet-runtime"
+require "dependabot/dependency"
 require "dependabot/dependency_graphers"
 require "dependabot/dependency_graphers/base"
 require "dependabot/uv/file_parser"
-require "dependabot/uv/name_normaliser"
 require "toml-rb"
 module Dependabot
   module Uv
     class DependencyGrapher < Dependabot::DependencyGraphers::Base
-      UV_LOCK_COMMAND = T.let("pyenv exec uv lock --color never --no-progress && cat uv.lock", String)
-      UV_TREE_COMMAND = T.let("pyenv exec uv tree -q --color never --no-progress --frozen", String)
-      # Used to capture package lines from `uv tree` output.
-      #
-      # Example output:
-      #   ├── flask v3.1.3
-      #   │   ├── click v8.3.1
-      #   │   └── jinja2 v3.1.6
-      #   │       └── markupsafe v3.0.3
-      #
-      # The `prefix` contains tree-depth segments (`│   ` or `    `) and
-      # `package` is the dependency name token before the `v<version>` marker.
-      UV_TREE_LINE_REGEX = T.let(
-        /^(?<prefix>(?:(?:│   )|(?:    ))*)(?:├──|└──)\s(?<package>.+?)\sv[^\s]+(?:\s+\(.*\))?$/,
-        Regexp
-      )
+      RUNTIME_GROUP = T.let("dependencies", String)
+      DEV_GROUP = T.let("dev-dependencies", String)
       sig { override.returns(Dependabot::DependencyFile) }
       def relevant_dependency_file
-        return T.must(uv_lock) if uv_lock
-        return T.must(pyproject_toml) if pyproject_toml
+        uv_lock || raise(DependabotError, "No uv.lock present; uv graphing requires a lockfile.")
+      end
+      # uv.lock is guaranteed to be present when graphing runs - the
+      # dependabot-api EcosystemFileDetector only routes UV jobs when it sees
+      # a uv.lock in the repo. We override prepare! to parse uv.lock directly
+      # rather than delegating to FileParser, so the graph reflects only what
+      # uv actually resolved (no requirements.txt / pyproject.toml inputs).
+      sig { override.void }
+      def prepare!
+        raise DependabotError, "No uv.lock present; uv graphing requires a lockfile." unless uv_lock
+        parsed = TomlRB.parse(T.must(T.must(uv_lock).content))
+        packages = T.cast(parsed.fetch("package", []), T::Array[T.untyped])
+        manifest = parsed.fetch("manifest", {})
+        root_names = root_package_names(packages, manifest)
+        direct_runtime, direct_dev = direct_dependency_names(packages, root_names)
-        raise DependabotError, "No uv.lock or pyproject.toml present."
+        @dependencies = packages.filter_map do |pkg|
+          build_dependency(pkg, root_names, direct_runtime, direct_dev)
+        end
+        @prepared = true
+      rescue DependabotError
+        raise
+      rescue StandardError => e
+        # If uv.lock is unparseable we can't build a graph at all, but we still
+        # want the rest of the submission flow to continue (matching the prior
+        # behaviour where lockfile parse failures only marked subdependency
+        # fetching as errored).
+        errored_fetching_subdependencies!
+        @subdependency_error = e
+        Dependabot.logger.error("Failed to parse uv.lock for graphing: #{e.message}")
+        @dependencies = []
+        @prepared = true
       end
       private
@@ -49,31 +65,11 @@ module Dependabot
       sig { returns(T::Hash[String, T::Array[String]]) }
       def package_relationships
         @package_relationships ||= T.let(
-          fetch_package_relationships,
+          package_relationships_from_lockfile(T.must(T.must(uv_lock).content)),
           T.nilable(T::Hash[String, T::Array[String]])
         )
       end
-      # See UV tree docs https://docs.astral.sh/uv/reference/cli/#uv-tree
-      # First try extracting relationships from uv.lock directly. If there is no
-      # lockfile, generate one in a temporary parsed context and parse that.
-      # If lockfile parsing fails for any reason, fall back to uv tree output.
-      sig { returns(T::Hash[String, T::Array[String]]) }
-      def fetch_package_relationships
-        return package_relationships_from_lockfile(T.must(T.must(uv_lock).content)) if uv_lock
-        begin
-          Dependabot.logger.info("No uv.lock present, generating ephemeral lockfile for dependency graphing")
-          generated_lockfile = uv_parser.run_in_parsed_context(UV_LOCK_COMMAND)
-          return package_relationships_from_lockfile(generated_lockfile)
-        rescue StandardError => e
-          Dependabot.logger.warn("Failed to build dependency graph from uv.lock: #{e.message}")
-          Dependabot.logger.info("Falling back to parsing uv tree output")
-        end
-        package_relationships_from_tree
-      end
       sig { params(lockfile_content: String).returns(T::Hash[String, T::Array[String]]) }
       def package_relationships_from_lockfile(lockfile_content)
         lockfile_packages(lockfile_content).each_with_object({}) do |package_data, rels|
@@ -106,19 +102,18 @@ module Dependabot
         normalised_dependency_name(package_name)
       end
+      # Mirrors uv's `create_dependencies` (crates/uv-resolver/src/lock/export/cyclonedx_json.rs),
+      # which chains a package's `dependencies`, `optional-dependencies`, and
+      # `dev-dependencies` when building the SBOM dependency graph.
       sig { params(package_data: T.untyped).returns(T::Array[String]) }
       def lockfile_child_names(package_data)
-        dependencies =
-          if package_data.is_a?(Hash)
-            T.cast(package_data["dependencies"], T.nilable(T::Array[T.untyped])) || []
-          else
-            []
-          end
-        dependencies.filter_map do |dependency|
-          dependency_name = lockfile_dependency_name(dependency)
-          normalised_dependency_name(dependency_name) if dependency_name
-        end
+        return [] unless package_data.is_a?(Hash)
+        names = T.let([], T::Array[String])
+        collect_dep_names(package_data["dependencies"], names)
+        collect_dep_names_from_groups(package_data["optional-dependencies"], names)
+        collect_dep_names_from_groups(package_data["dev-dependencies"], names)
+        names.map { |name| normalised_dependency_name(name) }.uniq
       end
       sig { params(dependency_data: T.untyped).returns(T.nilable(String)) }
@@ -133,32 +128,130 @@ module Dependabot
         nil
       end
-      sig { returns(T::Hash[String, T::Array[String]]) }
-      def package_relationships_from_tree
-        relationship_stack = T.let([], T::Array[String])
+      # Identifies the workspace member packages whose `dependencies`,
+      # `optional-dependencies`, and `dev-dependencies` arrays describe the
+      # project's direct deps.
+      #
+      # Authoritative signal: the `[manifest] members = [...]` array, which uv
+      # writes for multi-member workspaces. See
+      # https://github.com/astral-sh/uv/blob/main/crates/uv-resolver/src/lock/mod.rs
+      # ("manifest_table.insert(\"members\", ...)" and the workspace-member
+      # lookup `self.members().contains(&package.id.name)`).
+      #
+      # Fallback for single-member workspaces (which omit `[manifest] members`):
+      # match packages whose `source` is a local variant — `virtual`, `editable`,
+      # or `directory` — per the `SourceWire` enum in the same file.
+      sig { params(packages: T::Array[T.untyped], manifest: T.untyped).returns(T::Set[String]) }
+      def root_package_names(packages, manifest)
+        declared = declared_workspace_members(manifest)
+        return declared unless declared.empty?
+        packages.each_with_object(Set.new) do |pkg, set|
+          next unless pkg.is_a?(Hash)
+          source = pkg["source"]
+          next unless source.is_a?(Hash)
+          next unless source.key?("virtual") || source.key?("editable") || source.key?("directory")
+          name = pkg["name"]
+          set << name if name.is_a?(String)
+        end
+      end
-        uv_parser.run_in_parsed_context(UV_TREE_COMMAND).lines.each_with_object({}) do |line, rels|
-          match = line.match(UV_TREE_LINE_REGEX)
-          next unless match
+      sig { params(manifest: T.untyped).returns(T::Set[String]) }
+      def declared_workspace_members(manifest)
+        return Set.new unless manifest.is_a?(Hash)
-          package = normalised_dependency_name(T.must(match[:package]))
-          depth = T.must(match[:prefix]).scan(/(?:│   |    )/).length
+        members = manifest["members"]
+        return Set.new unless members.is_a?(Array)
-          relationship_stack[depth] = package
-          relationship_stack.slice!(depth + 1, relationship_stack.length)
+        members.each_with_object(Set.new) do |name, set|
+          set << name if name.is_a?(String)
+        end
+      end
-          parent = depth.zero? ? nil : relationship_stack[depth - 1]
-          rels[package] ||= []
-          next unless parent
+      # Mirrors uv's `ExportableRequirements::from_lock` (crates/uv-resolver/src/lock/export/mod.rs)
+      # when invoked with `--all-extras --all-groups`: each workspace root contributes its
+      # `dependencies` as direct runtime, `optional-dependencies` (all extras) as direct runtime,
+      # and `dev-dependencies` (all groups) as direct dev. We use --all-extras/--all-groups
+      # semantics because the dependency graph reports what *could* be installed, not what was
+      # selected for a particular sync.
+      sig do
+        params(packages: T::Array[T.untyped], root_names: T::Set[String])
+          .returns([T::Set[String], T::Set[String]])
+      end
+      def direct_dependency_names(packages, root_names)
+        runtime = T.let(Set.new, T::Set[String])
+        dev = T.let(Set.new, T::Set[String])
-          rels[parent] ||= []
-          rels[parent] << package
+        packages.each do |pkg|
+          next unless pkg.is_a?(Hash) && root_names.include?(pkg["name"])
+          collect_dep_names(pkg["dependencies"], runtime)
+          collect_dep_names_from_groups(pkg["optional-dependencies"], runtime)
+          collect_dep_names_from_groups(pkg["dev-dependencies"], dev)
         end
+        [runtime, dev]
       end
-      sig { returns(Dependabot::Uv::FileParser) }
-      def uv_parser
-        T.cast(file_parser, Dependabot::Uv::FileParser)
+      sig { params(entries: T.untyped, collection: T.any(T::Set[String], T::Array[String])).void }
+      def collect_dep_names(entries, collection)
+        return unless entries.is_a?(Array)
+        entries.each do |entry|
+          name = lockfile_dependency_name(entry)
+          collection << name if name.is_a?(String)
+        end
+      end
+      sig { params(groups: T.untyped, collection: T.any(T::Set[String], T::Array[String])).void }
+      def collect_dep_names_from_groups(groups, collection)
+        return unless groups.is_a?(Hash)
+        groups.each_value { |entries| collect_dep_names(entries, collection) }
+      end
+      sig do
+        params(
+          pkg: T.untyped,
+          root_names: T::Set[String],
+          direct_runtime: T::Set[String],
+          direct_dev: T::Set[String]
+        ).returns(T.nilable(Dependabot::Dependency))
+      end
+      def build_dependency(pkg, root_names, direct_runtime, direct_dev)
+        return unless pkg.is_a?(Hash)
+        name = pkg["name"]
+        version = pkg["version"]
+        return unless name.is_a?(String) && version.is_a?(String)
+        # Root project packages get requirements: [] (indirect, runtime) to
+        # match the prior FileParser-derived behaviour where uv.lock packages
+        # without a pyproject entry surfaced as indirect.
+        groups = root_names.include?(name) ? [] : direct_groups_for(name, direct_runtime, direct_dev)
+        requirements = groups.empty? ? [] : [{ requirement: nil, file: "uv.lock", source: nil, groups: groups }]
+        Dependabot::Dependency.new(
+          name: normalised_dependency_name(name),
+          version: version,
+          requirements: requirements,
+          package_manager: "uv"
+        )
+      end
+      # A dependency listed under both runtime and dev groups stays runtime;
+      # uv's production check returns true if "dependencies" is present.
+      sig do
+        params(name: String, direct_runtime: T::Set[String], direct_dev: T::Set[String])
+          .returns(T::Array[String])
+      end
+      def direct_groups_for(name, direct_runtime, direct_dev)
+        return [RUNTIME_GROUP] if direct_runtime.include?(name)
+        return [DEV_GROUP] if direct_dev.include?(name)
+        []
       end
       sig { params(name: String).returns(String) }
@@ -171,23 +264,6 @@ module Dependabot
         "pypi"
       end
-      # Strip extras (e.g. "[filecache]") from the dependency name for PURLs,
-      # since the PURL should reference the base package only.
-      sig { override.params(dependency: Dependabot::Dependency).returns(String) }
-      def purl_name_for(dependency)
-        NameNormaliser.normalise(dependency.name)
-      end
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def pyproject_toml
-        return @pyproject_toml if defined?(@pyproject_toml)
-        @pyproject_toml = T.let(
-          dependency_files.find { |f| f.name == "pyproject.toml" },
-          T.nilable(Dependabot::DependencyFile)
-        )
-      end
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def uv_lock
         return @uv_lock if defined?(@uv_lock)

data/lib/dependabot/uv/update_checker.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require "toml-rb"
 require "sorbet-runtime"
 require "dependabot/dependency"
+require "dependabot/dependency_requirement"
 require "dependabot/errors"
 require "dependabot/uv/name_normaliser"
 require "dependabot/uv/requirement_parser"
@@ -33,14 +34,12 @@ module Dependabot
       sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
       def updated_requirements
-        wrap_requirements(
-          RequirementsUpdater.new(
-            requirements: requirements,
-            latest_resolvable_version: preferred_resolvable_version&.to_s,
-            update_strategy: requirements_update_strategy,
-            has_lockfile: requirements_text_file?
-          ).updated_requirements
-        )
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_resolvable_version: preferred_resolvable_version&.to_s,
+          update_strategy: requirements_update_strategy,
+          has_lockfile: requirements_text_file?
+        ).updated_requirements
       end
       private

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.382.0
+  version: 0.383.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -259,7 +259,6 @@ files:
 - helpers/lib/__init__.py
 - helpers/lib/hasher.py
 - helpers/lib/parser.py
-- helpers/requirements-3.9.txt
 - helpers/requirements.txt
 - helpers/run.py
 - lib/dependabot/uv.rb
@@ -302,7 +301,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
 rdoc_options: []
 require_paths:
 - lib

data/helpers/requirements-3.9.txt DELETED Viewed

@@ -1,15 +0,0 @@
-# Python 3.9-compatible versions pinned to the last known working set before
-# packages dropped 3.9 support. Python 3.9 reached end-of-life on 2025-10-31.
-pip==24.2
-pip-tools==7.5.3
-flake8==7.3.0
-hashin==1.0.5
-pipenv==2024.4.1
-plette==2.1.0
-poetry==2.2.1
-# tomli is required for Python <3.11 (stdlib tomllib was added in 3.11).
-tomli==2.2.1
-uv==0.11.8
-# Some dependencies will only install if Cython is present
-Cython==3.2.4