Fix crash when updating libraries with multiple manifests

deivid-rodriguez · deivid-rodriguez · commit 7a25e2cd1f6c · 2022-10-20T02:15:31.000+02:00
If a library has both a pyproject.toml file and a standard
requirements.txt file, we'd end up using the `:widen` strategy for the
dependencies in the `requirements.txt` file and eventually crashing with
an error like the following:

```
/home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:266:in `block in preferred_version_resolvable_with_unlock?': undefined method `[]' for nil:NilClass (NoMethodError)

        updated_requirements.none? { |r| r[:requirement] == :unfixable }
                                          ^^^^^^^^^^^^^^
        from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:266:in `none?'
        from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:266:in `preferred_version_resolvable_with_unlock?'
        from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:249:in `numeric_version_can_update?'
        from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:199:in `version_can_update?'
        from /home/dependabot/dependabot-core/common/lib/dependabot/update_checkers/base.rb:44:in `can_update?'
        from bin/dry-run.rb:709:in `block in &lt;main&gt;'
        from bin/dry-run.rb:661:in `each'
        from bin/dry-run.rb:661:in `&lt;main&gt;'
```

I think the crash happens because the requirements.txt file updater does
not supoort the `:widen` strategy. So my fix is to fallback to
`increase` in this case, since requirements.txt files usually include
pinned dependencies so widening probably doesn't make much sense there.
diff --git a/python/lib/dependabot/python/update_checker.rb b/python/lib/dependabot/python/update_checker.rb
@@ -259,7 +259,7 @@ def latest_version_finder
       end
 
       def poetry_library?
-        return false unless pyproject
+        return false unless updating_pyproject?
 
         # Hit PyPi and check whether there are details for a library with a
         # matching name and description
diff --git a/python/spec/dependabot/python/update_checker_spec.rb b/python/spec/dependabot/python/update_checker_spec.rb
@@ -57,7 +57,7 @@
     )
   end
   let(:requirements_fixture_name) { "version_specified.txt" }
-  let(:dependency) do
+  let(:requirements_dependency) do
     Dependabot::Dependency.new(
       name: dependency_name,
       version: dependency_version,
@@ -76,6 +76,8 @@
     }]
   end
 
+  let(:dependency) { requirements_dependency }
+
   describe "#can_update?" do
     subject { checker.can_update?(requirements_to_unlock: :own) }
 
@@ -507,44 +509,56 @@
       let(:dependency_files) { [requirements_file, pyproject] }
       let(:pyproject_fixture_name) { "caret_version.toml" }
 
-      let(:dependency) do
-        Dependabot::Dependency.new(
-          name: "requests",
-          version: "1.2.3",
-          requirements: [{
-            file: "pyproject.toml",
-            requirement: "^1.0.0",
-            groups: [],
-            source: nil
-          }],
-          package_manager: "pip"
-        )
-      end
+      context "and updating a dependency inside" do
+        let(:dependency) do
+          Dependabot::Dependency.new(
+            name: "requests",
+            version: "1.2.3",
+            requirements: [{
+              file: "pyproject.toml",
+              requirement: "^1.0.0",
+              groups: [],
+              source: nil
+            }],
+            package_manager: "pip"
+          )
+        end
 
-      let(:pypi_url) { "https://pypi.org/simple/requests/" }
-      let(:pypi_response) do
-        fixture("pypi", "pypi_simple_response_requests.html")
-      end
+        let(:pypi_url) { "https://pypi.org/simple/requests/" }
+        let(:pypi_response) do
+          fixture("pypi", "pypi_simple_response_requests.html")
+        end
 
-      context "for a library" do
-        before do
-          stub_request(:get, "https://pypi.org/pypi/pendulum/json/").
-            to_return(
-              status: 200,
-              body: fixture("pypi", "pypi_response_pendulum.json")
-            )
+        context "for a library" do
+          before do
+            stub_request(:get, "https://pypi.org/pypi/pendulum/json/").
+              to_return(
+                status: 200,
+                body: fixture("pypi", "pypi_response_pendulum.json")
+              )
+          end
+
+          its([:requirement]) { is_expected.to eq(">=1,<3") }
         end
 
-        its([:requirement]) { is_expected.to eq(">=1,<3") }
-      end
+        context "for a non-library" do
+          before do
+            stub_request(:get, "https://pypi.org/pypi/pendulum/json/").
+              to_return(status: 404)
+          end
 
-      context "for a non-library" do
-        before do
-          stub_request(:get, "https://pypi.org/pypi/pendulum/json/").
-            to_return(status: 404)
+          its([:requirement]) { is_expected.to eq("^2.19.1") }
         end
+      end
+
+      context "and updating a dependency in an additional requirements file" do
+        let(:dependency_files) { super().append(requirements_file) }
 
-        its([:requirement]) { is_expected.to eq("^2.19.1") }
+        let(:dependency) { requirements_dependency }
+
+        it "does not get affected by whether it's a library or not and updates using the :increase strategy" do
+          expect(subject[:requirement]).to eq("==2.6.0")
+        end
       end
     end
 
