
Poetry grapher generates lockfiles to determine versions in pyproject #14524

Merged
jakecoffman merged 11 commits into main from fix-python-fallback-to-requirements
Mar 24, 2026

Conversation

@jakecoffman
Member

@jakecoffman jakecoffman commented Mar 24, 2026

What are you trying to accomplish?

When there is no lockfile, Dependabot needs to generate one to determine what version would be installed at the time.

Anything you want to highlight for special attention from reviewers?

Copied patterns from the NPM lockfile generator which does the same thing.

How will you know you've accomplished your goal?

Versions will start replacing UNKNOWN in SBOMs where a pyproject exists but not a lockfile.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@jakecoffman jakecoffman changed the title from "grapher falls back to requirements if version not set (no lockfile)" to "Poetry grapher generates lockfiles to determine versions in pyproject" Mar 24, 2026
@jakecoffman jakecoffman marked this pull request as ready for review March 24, 2026 15:19
@jakecoffman jakecoffman requested a review from a team as a code owner March 24, 2026 15:19
Copilot AI review requested due to automatic review settings March 24, 2026 15:19
Comment thread python/lib/dependabot/python/dependency_grapher.rb Outdated
Contributor

@brrygrdn brrygrdn left a comment


LGTM, just one note on the log message

Contributor

Copilot AI left a comment


Pull request overview

Adds a Poetry-specific ephemeral lockfile generation step to the Python dependency grapher so Dependabot can resolve exact installed versions (instead of UNKNOWN) for SBOM/dependency graphing when a repo has pyproject.toml but no committed poetry.lock.

Changes:

  • Add Dependabot::Python::DependencyGrapher::LockfileGenerator to run poetry lock in a temp dir and return an in-memory poetry.lock.
  • Update Dependabot::Python::DependencyGrapher#prepare! to generate and inject an ephemeral poetry.lock when the project is detected as Poetry via pyproject.toml.
  • Add/extend specs to cover successful/failed ephemeral lockfile generation and resulting resolved PURLs/relationships.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File | Description
python/lib/dependabot/python/dependency_grapher.rb | Generates/injects an ephemeral Poetry lockfile during graph preparation and adjusts relevant file selection.
python/lib/dependabot/python/dependency_grapher/lockfile_generator.rb | Implements the temp-dir poetry lock flow and returns a DependencyFile for the generated lock.
python/spec/dependabot/python/dependency_grapher_spec.rb | Adds coverage for grapher behavior when poetry.lock is absent (generation attempt, success, failure).
python/spec/dependabot/python/dependency_grapher/lockfile_generator_spec.rb | New unit specs for lockfile generator success/failure/non-generation paths.
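The temp-dir `poetry lock` flow described in the PR description and in the review overview above, as an added Ruby example (this is not dependabot-core's own code; `generate_ephemeral_lockfile`, `resolved_versions`, `versions_for_pyproject`, the `runner:` parameter and the sample pyproject/lockfile text are all assumptions constructed for this illustration). The runner is injectable so the sample runs offline with fakes; the default runner invokes the real `poetry lock` without a shell and with a hard timeout, because resolution reaches the network and, for path or git dependencies, can execute build backends, so it belongs in an isolated job. The generated lockfile is only ever held in memory and the temp dir is discarded, so nothing is written back to the checkout.

```ruby
# Added example, not dependabot-core code: run `poetry lock` in a throwaway
# directory, keep the result in memory, and read resolved versions out of it.
# Function names, constants and the sample inputs below are illustrative.
require "open3"
require "tmpdir"

# Outcome of one generation attempt: lockfile text, or nil plus an error string.
LockResult = Struct.new(:content, :error, keyword_init: true)

# Default runner: execute `poetry lock` inside +dir+ without a shell and with a
# wall-clock limit. Resolution reaches the network and, for path/git
# dependencies, may run build backends, so only use this in an isolated job.
DEFAULT_RUNNER = lambda do |dir, timeout_seconds|
  Open3.popen3("poetry", "lock", "--no-interaction", chdir: dir) do |stdin, stdout, stderr, wait_thr|
    stdin.close
    out_reader = Thread.new { stdout.read } # drain pipes so a chatty child never blocks
    err_reader = Thread.new { stderr.read }
    unless wait_thr.join(timeout_seconds)
      begin
        Process.kill("KILL", wait_thr.pid)
      rescue Errno::ESRCH
        nil # child exited between the timeout and the kill
      end
      wait_thr.join
      [out_reader, err_reader].each(&:join)
      next [false, "poetry lock timed out after #{timeout_seconds}s"]
    end
    [out_reader, err_reader].each(&:join)
    [wait_thr.value.success?, err_reader.value]
  end
end

# Copy only pyproject.toml into a fresh temp dir, run the resolver there and
# read poetry.lock back. Dir.mktmpdir removes the directory when the block
# ends, so the generated lockfile never lands in the repository checkout.
def generate_ephemeral_lockfile(pyproject_content, runner: DEFAULT_RUNNER, timeout_seconds: 300)
  Dir.mktmpdir("poetry-lock-") do |dir|
    File.write(File.join(dir, "pyproject.toml"), pyproject_content)
    ok, stderr_text = runner.call(dir, timeout_seconds)
    lock_path = File.join(dir, "poetry.lock")
    if ok && File.exist?(lock_path)
      LockResult.new(content: File.read(lock_path), error: nil)
    else
      message = stderr_text.to_s.strip
      message = "poetry lock produced no lockfile" if message.empty?
      LockResult.new(content: nil, error: message)
    end
  end
end

# Pull name => version out of each [[package]] table. poetry.lock is TOML; only
# these two keys are needed, so a line-oriented scan is used instead of a TOML
# gem. Reading stops at the next table header so keys under
# [package.dependencies] or [metadata] are not mistaken for package fields.
def resolved_versions(lock_content)
  lock_content.split(/^\[\[package\]\]\s*$/).drop(1).each_with_object({}) do |chunk, acc|
    body = chunk.split(/^\[/, 2).first.to_s
    name = body[/^name\s*=\s*"([^"]+)"/, 1]
    version = body[/^version\s*=\s*"([^"]+)"/, 1]
    acc[name.downcase] = version if name && version
  end
end

# What the grapher wants: each declared dependency mapped to the version the
# resolver picked, or "UNKNOWN" when no lockfile could be produced.
def versions_for_pyproject(pyproject_content, declared_names, runner: DEFAULT_RUNNER, timeout_seconds: 300)
  result = generate_ephemeral_lockfile(pyproject_content, runner: runner, timeout_seconds: timeout_seconds)
  resolved = result.content ? resolved_versions(result.content) : {}
  declared_names.to_h { |name| [name, resolved.fetch(name.downcase, "UNKNOWN")] }
end

# --- Constructed sample inputs (not real project files) -----------------------
SAMPLE_PYPROJECT = <<~TOML
  [tool.poetry]
  name = "sample-app"
  version = "0.1.0"
  description = "constructed example"
  authors = ["example <example@example.invalid>"]

  [tool.poetry.dependencies]
  python = "^3.10"
  requests = "^2.31"
TOML

SAMPLE_LOCK = <<~TOML
  # This file is automatically @generated by Poetry and should not be changed by hand.

  [[package]]
  name = "requests"
  version = "2.31.0"
  description = "Python HTTP for Humans."
  optional = false
  python-versions = ">=3.7"

  [package.dependencies]
  urllib3 = ">=1.21.1,<3"

  [[package]]
  name = "urllib3"
  version = "2.2.1"
  description = "HTTP library with thread-safe connection pooling."
  optional = false
  python-versions = ">=3.8"

  [metadata]
  lock-version = "2.0"
  python-versions = "^3.10"
TOML

# Fake runners stand in for `poetry lock` so the example runs offline.
FAKE_SUCCESS_RUNNER = lambda do |dir, _timeout|
  File.write(File.join(dir, "poetry.lock"), SAMPLE_LOCK)
  [true, ""]
end
FAKE_FAILING_RUNNER = ->(_dir, _timeout) { [false, "SolverProblemError: version solving failed."] }

if __FILE__ == $PROGRAM_NAME
  p versions_for_pyproject(SAMPLE_PYPROJECT, ["requests", "urllib3"], runner: FAKE_SUCCESS_RUNNER)
  p versions_for_pyproject(SAMPLE_PYPROJECT, ["requests"], runner: FAKE_FAILING_RUNNER)
end
```

With the real runner, a failed or timed-out resolution yields `content: nil` and the grapher keeps emitting `UNKNOWN` for that dependency rather than raising, which is the failure path the specs in this PR cover.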

Comment thread python/lib/dependabot/python/dependency_grapher.rb Outdated
Comment thread python/lib/dependabot/python/dependency_grapher.rb
Comment thread python/lib/dependabot/python/dependency_grapher/lockfile_generator.rb Outdated
Comment thread python/lib/dependabot/python/dependency_grapher.rb Outdated
jakecoffman and others added 2 commits March 24, 2026 10:37
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Nishnha previously approved these changes Mar 24, 2026
@jakecoffman jakecoffman merged commit a4bb733 into main Mar 24, 2026
103 checks passed
@jakecoffman jakecoffman deleted the fix-python-fallback-to-requirements branch March 24, 2026 18:11


4 participants