Merge pull request #7832 from dependabot/deivid-rodriguez/poetry-yanked

Fix yanked library problems in Poetry not detected when lockfile is present
dependabot · Aug 18, 2023 · 1dfd94e · 1dfd94e
2 parents 7202c85 + b3761d0
commit 1dfd94e
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 267 deletions.
diff --git a/python/lib/dependabot/python/update_checker/poetry_version_resolver.rb b/python/lib/dependabot/python/update_checker/poetry_version_resolver.rb
@@ -133,7 +133,7 @@ def handle_poetry_errors(error)
           end
 
           raise unless error.message.include?("SolverProblemError") ||
-                       error.message.include?("PackageNotFound") ||
+                       error.message.include?("not found") ||
                        error.message.include?("version solving failed.")
 
           check_original_requirements_resolvable
@@ -168,7 +168,7 @@ def check_original_requirements_resolvable
               @original_reqs_resolvable = true
             rescue SharedHelpers::HelperSubprocessFailed => e
               raise unless e.message.include?("SolverProblemError") ||
-                           e.message.include?("PackageNotFound") ||
+                           e.message.include?("not found") ||
                            e.message.include?("version solving failed.")
 
               msg = clean_error_message(e.message)

diff --git a/python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb b/python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb
@@ -33,7 +33,7 @@
   let(:pyproject_fixture_name) { "poetry_exact_requirement.toml" }
   let(:lockfile) do
     Dependabot::DependencyFile.new(
-      name: "pyproject.lock",
+      name: "poetry.lock",
       content: fixture("pyproject_locks", lockfile_fixture_name)
     )
   end
@@ -168,7 +168,7 @@
       end
     end
 
-    context "with a dependency file that includes a git dependency", :slow do
+    context "with a dependency file that includes a git dependency" do
       let(:pyproject_fixture_name) { "git_dependency.toml" }
       let(:lockfile_fixture_name) { "git_dependency.lock" }
       let(:dependency_name) { "pytest" }
@@ -185,28 +185,30 @@
 
       it { is_expected.to eq(Gem::Version.new("3.8.2")) }
 
-      context "that has a bad reference" do
-        let(:pyproject_fixture_name) { "git_dependency_bad_ref.toml" }
-        let(:lockfile_fixture_name) { "git_dependency_bad_ref.lock" }
+      context "that has no lockfile" do
+        let(:dependency_files) { [pyproject] }
 
-        it "raises a helpful error" do
-          expect { subject }.
-            to raise_error(Dependabot::GitDependencyReferenceNotFound) do |err|
-              expect(err.dependency).to eq("toml")
-            end
+        context "that has a bad reference, and no lockfile" do
+          let(:pyproject_fixture_name) { "git_dependency_bad_ref.toml" }
+
+          it "raises a helpful error" do
+            expect { subject }.
+              to raise_error(Dependabot::GitDependencyReferenceNotFound) do |err|
+                expect(err.dependency).to eq("toml")
+              end
+          end
         end
-      end
 
-      context "that is unreachable" do
-        let(:pyproject_fixture_name) { "git_dependency_unreachable.toml" }
-        let(:lockfile_fixture_name) { "git_dependency_unreachable.lock" }
+        context "that is unreachable" do
+          let(:pyproject_fixture_name) { "git_dependency_unreachable.toml" }
 
-        it "raises a helpful error" do
-          expect { subject }.
-            to raise_error(Dependabot::GitDependenciesNotReachable) do |error|
-              expect(error.dependency_urls).
-                to eq(["https://github.com/greysteil/unreachable.git"])
-            end
+          it "raises a helpful error" do
+            expect { subject }.
+              to raise_error(Dependabot::GitDependenciesNotReachable) do |error|
+                expect(error.dependency_urls).
+                  to eq(["https://github.com/greysteil/unreachable.git"])
+              end
+          end
         end
       end
     end
@@ -260,16 +262,31 @@
       end
 
       context "because of a yanked dependency" do
-        let(:dependency_files) { [pyproject, lockfile] }
         let(:pyproject_fixture_name) { "yanked_version.toml" }
         let(:lockfile_fixture_name) { "yanked_version.lock" }
 
-        it "raises a helpful error" do
-          expect { subject }.
-            to raise_error(Dependabot::DependencyFileNotResolvable) do |error|
-              expect(error.message).
-                to include("depends on croniter (0.3.26) which doesn't match any versions")
-            end
+        context "with a lockfile" do
+          let(:dependency_files) { [pyproject, lockfile] }
+
+          it "raises a helpful error" do
+            expect { subject }.
+              to raise_error(Dependabot::DependencyFileNotResolvable) do |error|
+                expect(error.message).
+                  to include("Package croniter (0.3.26) not found")
+              end
+          end
+        end
+
+        context "without a lockfile" do
+          let(:dependency_files) { [pyproject] }
+
+          it "raises a helpful error" do
+            expect { subject }.
+              to raise_error(Dependabot::DependencyFileNotResolvable) do |error|
+                expect(error.message).
+                  to include("depends on croniter (0.3.26) which doesn't match any versions")
+              end
+          end
         end
       end
     end

diff --git a/python/spec/fixtures/pyproject_locks/git_dependency_bad_ref.lock b/python/spec/fixtures/pyproject_locks/git_dependency_bad_ref.lock
diff --git a/python/spec/fixtures/pyproject_locks/git_dependency_unreachable.lock b/python/spec/fixtures/pyproject_locks/git_dependency_unreachable.lock