From 62f4d33a2e6654338599da3a083aadbba19367af Mon Sep 17 00:00:00 2001 From: Jeff Widman Date: Sat, 5 Aug 2023 23:28:22 -0700 Subject: [PATCH] Add `name` key to `sources` Newer versions of `pipenv` require any specified `sources` to be explicitly `name`'d. More context here: https://github.com/pypa/pipenv/discussions/5370#discussioncomment-3701061 This has been true since at least Sept 2022. Our version of `pipenv` was from April of 2022, so it didn't complain. But that means most of our active users of `pipenv` are unlikely to see this error if they're running a newer version of `pipenv`. Also, for sources that :dependabot: dynamically injects into the `Pipfile`, they need a name. These sources are stripped from the final `Pipfile` / `Pipfile.lock` during the `FileUpdater#post_process_lockfile` method, so all we need is a placeholder `name` to placate `pipenv`. Long term, we may want to add custom error handling to flag this missing key as a `Dependabot::DependencyFileNotResolvable` error. But I decided that was out of scope for now as this PR does not generate the error... that will not happen until we upgrade to newer `pipenv`. And even at that point, our first priority will be upgrading, and then from there handling any new errors that start popping up. --- .../python/file_updater/pipfile_preparer.rb | 12 +++++++++--- .../python/file_updater/pipfile_preparer_spec.rb | 10 +++++----- .../spec/fixtures/pipfile_files/arbitrary_equality | 1 + .../spec/fixtures/pipfile_files/conflict_at_current | 1 + .../spec/fixtures/pipfile_files/conflict_at_latest | 1 + .../pipfile_files/environment_variable_source | 1 + python/spec/fixtures/pipfile_files/exact_version | 1 + .../spec/fixtures/pipfile_files/extra_subdependency | 2 +- python/spec/fixtures/pipfile_files/git_source | 1 + .../spec/fixtures/pipfile_files/git_source_bad_ref | 1 + python/spec/fixtures/pipfile_files/git_source_no_ref | 1 + .../fixtures/pipfile_files/git_source_unreachable | 1 + python/spec/fixtures/pipfile_files/hard_names | 1 + python/spec/fixtures/pipfile_files/not_in_lockfile | 1 + python/spec/fixtures/pipfile_files/only_dev | 1 + python/spec/fixtures/pipfile_files/path_dependency | 1 + .../fixtures/pipfile_files/path_dependency_not_self | 1 + python/spec/fixtures/pipfile_files/private_source | 1 + .../spec/fixtures/pipfile_files/private_source_auth | 2 +- python/spec/fixtures/pipfile_files/prod_and_dev | 1 + .../fixtures/pipfile_files/prod_and_dev_different | 1 + python/spec/fixtures/pipfile_files/required_python | 1 + .../fixtures/pipfile_files/required_python_implicit | 1 + .../fixtures/pipfile_files/required_python_invalid | 1 + .../pipfile_files/required_python_unsupported | 1 + python/spec/fixtures/pipfile_files/unparseable | 3 +-- python/spec/fixtures/pipfile_files/unsupported_dep | 2 +- python/spec/fixtures/pipfile_files/version_hash | 1 + .../fixtures/pipfile_files/version_not_specified | 1 + .../pipfile_files/version_not_specified.lock | 3 ++- python/spec/fixtures/pipfile_files/version_table | 1 + python/spec/fixtures/pipfile_files/wildcard | 1 + python/spec/fixtures/pipfile_files/with_quotes | 1 + python/spec/fixtures/pipfile_files/yanked | 1 + 34 files changed, 47 insertions(+), 14 deletions(-) diff --git a/python/lib/dependabot/python/file_updater/pipfile_preparer.rb b/python/lib/dependabot/python/file_updater/pipfile_preparer.rb index 2b68333f7b0a..69ad9306ada7 100644 --- a/python/lib/dependabot/python/file_updater/pipfile_preparer.rb +++ b/python/lib/dependabot/python/file_updater/pipfile_preparer.rb @@ -132,9 +132,15 @@ def sub_auth_url(source, credentials) def config_variable_sources(credentials) @config_variable_sources ||= - credentials. - select { |cred| cred["type"] == "python_index" }. - map { |c| { "url" => AuthedUrlBuilder.authed_url(credential: c) } } + credentials.select { |cred| cred["type"] == "python_index" }. + map do |c| + { + "url" => AuthedUrlBuilder.authed_url(credential: c), + # Random suffix ensure names are unique. These are stripped out of the final Pipfile.lock in the + # FileUpdater step so it's okay that they're non-deterministic. + "name" => "dependabot-inserted-index-#{SecureRandom.alphanumeric(5)}" + } + end end end end diff --git a/python/spec/dependabot/python/file_updater/pipfile_preparer_spec.rb b/python/spec/dependabot/python/file_updater/pipfile_preparer_spec.rb index b8cd68fff964..246a9eaf1066 100644 --- a/python/spec/dependabot/python/file_updater/pipfile_preparer_spec.rb +++ b/python/spec/dependabot/python/file_updater/pipfile_preparer_spec.rb @@ -135,8 +135,8 @@ let(:lockfile_fixture_name) { "version_not_specified.lock" } it "adds the source" do - expect(updated_content). - to include("https://username:password@pypi.posrip.com/pypi/") + expect(updated_content).to include('name = "dependabot-inserted-index-') + expect(updated_content).to include("https://username:password@pypi.posrip.com/pypi/") end context "with auth details provided as a token" do @@ -154,8 +154,8 @@ end it "adds the source" do - expect(updated_content). - to include("https://username:password@pypi.posrip.com/pypi/") + expect(updated_content).to include('name = "dependabot-inserted-index-') + expect(updated_content).to include("https://username:password@pypi.posrip.com/pypi/") end end @@ -178,7 +178,7 @@ it "keeps source config" do expect(updated_content).to include( "[[source]]\n" \ - "name = \"pypi\"\n" \ + "name = \"internal-pypi\"\n" \ "url = \"https://username:password@pypi.posrip.com/pypi/\"\n" \ "verify_ssl = true\n" ) diff --git a/python/spec/fixtures/pipfile_files/arbitrary_equality b/python/spec/fixtures/pipfile_files/arbitrary_equality index 76f9360fcc31..684fe70d565c 100644 --- a/python/spec/fixtures/pipfile_files/arbitrary_equality +++ b/python/spec/fixtures/pipfile_files/arbitrary_equality @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/conflict_at_current b/python/spec/fixtures/pipfile_files/conflict_at_current index e97cb128a096..8a19ad691695 100644 --- a/python/spec/fixtures/pipfile_files/conflict_at_current +++ b/python/spec/fixtures/pipfile_files/conflict_at_current @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/conflict_at_latest b/python/spec/fixtures/pipfile_files/conflict_at_latest index 7cced80f3684..be6abd85be33 100644 --- a/python/spec/fixtures/pipfile_files/conflict_at_latest +++ b/python/spec/fixtures/pipfile_files/conflict_at_latest @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/environment_variable_source b/python/spec/fixtures/pipfile_files/environment_variable_source index 71101787074f..44b76979eab3 100644 --- a/python/spec/fixtures/pipfile_files/environment_variable_source +++ b/python/spec/fixtures/pipfile_files/environment_variable_source @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/${ENV_VAR}" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/exact_version b/python/spec/fixtures/pipfile_files/exact_version index 6bef68998e70..aaa0096585fc 100644 --- a/python/spec/fixtures/pipfile_files/exact_version +++ b/python/spec/fixtures/pipfile_files/exact_version @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/extra_subdependency b/python/spec/fixtures/pipfile_files/extra_subdependency index d3b28dead398..58ee60c26828 100644 --- a/python/spec/fixtures/pipfile_files/extra_subdependency +++ b/python/spec/fixtures/pipfile_files/extra_subdependency @@ -1,7 +1,7 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true -name = "pypi" [packages] flask = "==1.0.*" diff --git a/python/spec/fixtures/pipfile_files/git_source b/python/spec/fixtures/pipfile_files/git_source index a2edea4a305f..827aaedbbcb3 100644 --- a/python/spec/fixtures/pipfile_files/git_source +++ b/python/spec/fixtures/pipfile_files/git_source @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/git_source_bad_ref b/python/spec/fixtures/pipfile_files/git_source_bad_ref index 8310b7aee0bd..b3ca7d300235 100644 --- a/python/spec/fixtures/pipfile_files/git_source_bad_ref +++ b/python/spec/fixtures/pipfile_files/git_source_bad_ref @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/git_source_no_ref b/python/spec/fixtures/pipfile_files/git_source_no_ref index d3abd5a12036..24966cbc35d0 100644 --- a/python/spec/fixtures/pipfile_files/git_source_no_ref +++ b/python/spec/fixtures/pipfile_files/git_source_no_ref @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/git_source_unreachable b/python/spec/fixtures/pipfile_files/git_source_unreachable index 20b0c74db8fc..4df40330391a 100644 --- a/python/spec/fixtures/pipfile_files/git_source_unreachable +++ b/python/spec/fixtures/pipfile_files/git_source_unreachable @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/hard_names b/python/spec/fixtures/pipfile_files/hard_names index 936a548a32b0..840fb65bd6a3 100644 --- a/python/spec/fixtures/pipfile_files/hard_names +++ b/python/spec/fixtures/pipfile_files/hard_names @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/not_in_lockfile b/python/spec/fixtures/pipfile_files/not_in_lockfile index ed900ef1a2a0..b67e707ff83a 100644 --- a/python/spec/fixtures/pipfile_files/not_in_lockfile +++ b/python/spec/fixtures/pipfile_files/not_in_lockfile @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/only_dev b/python/spec/fixtures/pipfile_files/only_dev index 3637b1a9c37c..651b5b24d970 100644 --- a/python/spec/fixtures/pipfile_files/only_dev +++ b/python/spec/fixtures/pipfile_files/only_dev @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/path_dependency b/python/spec/fixtures/pipfile_files/path_dependency index 4f654b7ffd49..7ffa1519c752 100644 --- a/python/spec/fixtures/pipfile_files/path_dependency +++ b/python/spec/fixtures/pipfile_files/path_dependency @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/path_dependency_not_self b/python/spec/fixtures/pipfile_files/path_dependency_not_self index 35d5aeb6c0f5..93840f836bc2 100644 --- a/python/spec/fixtures/pipfile_files/path_dependency_not_self +++ b/python/spec/fixtures/pipfile_files/path_dependency_not_self @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/private_source b/python/spec/fixtures/pipfile_files/private_source index 36ab600974d9..bd95a2d8ff39 100644 --- a/python/spec/fixtures/pipfile_files/private_source +++ b/python/spec/fixtures/pipfile_files/private_source @@ -1,4 +1,5 @@ [[source]] +name = "internal-pypi" url = "https://some.internal.registry.com/pypi/" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/private_source_auth b/python/spec/fixtures/pipfile_files/private_source_auth index 07c396383431..ae36a45e3013 100644 --- a/python/spec/fixtures/pipfile_files/private_source_auth +++ b/python/spec/fixtures/pipfile_files/private_source_auth @@ -1,7 +1,7 @@ [[source]] +name = "internal-pypi" url = "https://${ENV_USER}:${ENV_PASSWORD}@pypi.posrip.com/pypi/" verify_ssl = true -name = "pypi" [dev-packages] pytest = "==3.4.0" diff --git a/python/spec/fixtures/pipfile_files/prod_and_dev b/python/spec/fixtures/pipfile_files/prod_and_dev index 83c1f46916dd..651703d5086b 100644 --- a/python/spec/fixtures/pipfile_files/prod_and_dev +++ b/python/spec/fixtures/pipfile_files/prod_and_dev @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/prod_and_dev_different b/python/spec/fixtures/pipfile_files/prod_and_dev_different index 34eb4afc28de..893ef34fa65b 100644 --- a/python/spec/fixtures/pipfile_files/prod_and_dev_different +++ b/python/spec/fixtures/pipfile_files/prod_and_dev_different @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/required_python b/python/spec/fixtures/pipfile_files/required_python index 10c96ff92634..80fdf3f1ebe8 100644 --- a/python/spec/fixtures/pipfile_files/required_python +++ b/python/spec/fixtures/pipfile_files/required_python @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/required_python_implicit b/python/spec/fixtures/pipfile_files/required_python_implicit index 3626f5d6cce7..e02788e7517c 100644 --- a/python/spec/fixtures/pipfile_files/required_python_implicit +++ b/python/spec/fixtures/pipfile_files/required_python_implicit @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/required_python_invalid b/python/spec/fixtures/pipfile_files/required_python_invalid index 6158e841667a..44c43aba04f3 100644 --- a/python/spec/fixtures/pipfile_files/required_python_invalid +++ b/python/spec/fixtures/pipfile_files/required_python_invalid @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/required_python_unsupported b/python/spec/fixtures/pipfile_files/required_python_unsupported index 481f7a99f15d..f957d73a4482 100644 --- a/python/spec/fixtures/pipfile_files/required_python_unsupported +++ b/python/spec/fixtures/pipfile_files/required_python_unsupported @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/unparseable b/python/spec/fixtures/pipfile_files/unparseable index 67ba5f6e7b4e..cd5b790b1ad9 100644 --- a/python/spec/fixtures/pipfile_files/unparseable +++ b/python/spec/fixtures/pipfile_files/unparseable @@ -1,8 +1,7 @@ [[source]] - +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true -name = "pypi" [dev-packages] diff --git a/python/spec/fixtures/pipfile_files/unsupported_dep b/python/spec/fixtures/pipfile_files/unsupported_dep index d28e51afc381..d09870896b02 100644 --- a/python/spec/fixtures/pipfile_files/unsupported_dep +++ b/python/spec/fixtures/pipfile_files/unsupported_dep @@ -1,7 +1,7 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true -name = "pypi" [packages] requests = "==2.18.0" diff --git a/python/spec/fixtures/pipfile_files/version_hash b/python/spec/fixtures/pipfile_files/version_hash index 3dfd68752f73..6514e4a2e9f7 100644 --- a/python/spec/fixtures/pipfile_files/version_hash +++ b/python/spec/fixtures/pipfile_files/version_hash @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/version_not_specified b/python/spec/fixtures/pipfile_files/version_not_specified index 4488c4244258..6cb20258d45c 100644 --- a/python/spec/fixtures/pipfile_files/version_not_specified +++ b/python/spec/fixtures/pipfile_files/version_not_specified @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/version_not_specified.lock b/python/spec/fixtures/pipfile_files/version_not_specified.lock index b82814317e2f..f1ce3bc07b60 100644 --- a/python/spec/fixtures/pipfile_files/version_not_specified.lock +++ b/python/spec/fixtures/pipfile_files/version_not_specified.lock @@ -1,12 +1,13 @@ { "_meta": { "hash": { - "sha256": "c402ea48092e9d467af51a483bb8dd8ad0620e11c94f009dcd433f97a99d45db" + "sha256": "e76ae491d793d659f05c7f7eab261fd6167dc062efcba08f17be68e73eb87665" }, "pipfile-spec": 6, "requires": {}, "sources": [ { + "name": "this-key-probably-will-show-up-if-regenerating-lockfiles", "url": "https://pypi.org/simple", "verify_ssl": true } diff --git a/python/spec/fixtures/pipfile_files/version_table b/python/spec/fixtures/pipfile_files/version_table index ea9df9dd61c3..f72cea8958cf 100644 --- a/python/spec/fixtures/pipfile_files/version_table +++ b/python/spec/fixtures/pipfile_files/version_table @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/wildcard b/python/spec/fixtures/pipfile_files/wildcard index 6dd6d650864e..2cde9a7cdfe7 100644 --- a/python/spec/fixtures/pipfile_files/wildcard +++ b/python/spec/fixtures/pipfile_files/wildcard @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/with_quotes b/python/spec/fixtures/pipfile_files/with_quotes index ffce80a7e84e..89ea1a022404 100644 --- a/python/spec/fixtures/pipfile_files/with_quotes +++ b/python/spec/fixtures/pipfile_files/with_quotes @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true diff --git a/python/spec/fixtures/pipfile_files/yanked b/python/spec/fixtures/pipfile_files/yanked index c8c41005edff..fcd8009680ad 100644 --- a/python/spec/fixtures/pipfile_files/yanked +++ b/python/spec/fixtures/pipfile_files/yanked @@ -1,4 +1,5 @@ [[source]] +name = "pypi" url = "https://pypi.org/simple" verify_ssl = true