From 08a9369bb59f36924994c9a336a38b67cccfcf3b Mon Sep 17 00:00:00 2001
From: Jeff Widman
Date: Sat, 5 Aug 2023 15:48:16 -0700
Subject: [PATCH] Switch from `pipfile` to `plette` lib

The main user of `pipfile` is `pipenv`, and _not_ any of the other python package managers. However, `pipfile` library has been pretty much unmaintained, so `pipenv` switched to using `plette` for parsing/validation of `Pipfile`'s:
* https://github.com/pypa/pipenv/issues/5310
* https://github.com/pypa/pipenv/pull/5339
So let's switch our usage as well. Today we only use `pipfile` for generating hashes, so this is effectively a silent no-op. However, down the road we could leverage `plette` for `Pipfile` parsing/validation... for example see how it's flagging things here: https://github.com/dependabot/dependabot-core/pull/6104#issuecomment-1356403336
---
 python/helpers/lib/hasher.py | 7 ++++---
 python/helpers/requirements.txt | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/python/helpers/lib/hasher.py b/python/helpers/lib/hasher.py
index b134017d79e..7e105c18c47 100644
--- a/python/helpers/lib/hasher.py
+++ b/python/helpers/lib/hasher.py
@@ -1,6 +1,6 @@
 import hashin
 import json
-import pipfile
+import plette
 from poetry.factory import Factory
@@ -15,9 +15,10 @@ def get_dependency_hash(dependency_name, dependency_version, algorithm):
 def get_pipfile_hash(directory):
-    p = pipfile.load(directory + '/Pipfile')
+    with open(directory + '/Pipfile') as f:
+        pipfile = plette.Pipfile.load(f)
-    return json.dumps({"result": p.hash})
+    return json.dumps({"result": pipfile.get_hash().value})
 def get_pyproject_hash(directory):
diff --git a/python/helpers/requirements.txt b/python/helpers/requirements.txt
index 93181463eca..4aecd8d976c 100644
--- a/python/helpers/requirements.txt
+++ b/python/helpers/requirements.txt
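Review bot: The added `with open(directory + '/Pipfile') as f:` in get_pipfile_hash opens the file with the locale's default encoding, so a Pipfile containing non-ASCII bytes can fail to decode or decode differently from one environment to another, and the digest this helper reports would then differ too; Pipfile is TOML, which is UTF-8 by specification, so make it `with open(directory + '/Pipfile', encoding='utf-8') as f:`. The commit message calls the switch a silent no-op, but nothing in the hunk pins that claim; a fixture Pipfile with a known expected `get_hash().value` would let a test confirm plette yields the same digest the old `p.hash` did, which matters because (as far as I recall) pipenv compares this value against the hash recorded in Pipfile.lock, so a divergence would make lockfile freshness checks go wrong silently. As a point of style, the new local `pipfile` reuses the name of the module removed from the imports in the first hunk, which reads confusingly next to `plette.Pipfile`; a name like `parsed` would avoid that.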
@@ -2,7 +2,7 @@ pip>=21.3.1,<23.2.0 # Range maintains py36 support TODO: Review python 3.6 supp
 pip-tools>=6.4.0,<=6.14.0 # Range maintains py36 support TODO: Review python 3.6 support in April 2023 (eol ubuntu 18.04)
 hashin==0.17.0
 pipenv==2022.4.8
-pipfile==0.0.2
+plette==0.4.4
 poetry>=1.1.15,<1.6.0
 # For now we chose to pin `wheel` even though we don't import it directly.
 # Background context: https://github.com/dependabot/dependabot-core/pull/5597