dependabot · phillipuniverse · Jul 20, 2023 · Jul 22, 2023 · Jul 24, 2023 · Aug 9, 2023
@@ -156,17 +156,38 @@ def lock_declaration_to_new_version!(poetry_object, dep)
         end
 
         def create_declaration_at_new_version!(poetry_object, dep)
-          poetry_object[subdep_type] ||= {}
-          poetry_object[subdep_type][dependency.name] = dep.version
+          type = subdep_type(poetry_object, dep)
+          poetry_object[type] ||= {}
+          poetry_object[type][dependency.name] = dep.version
         end
 
-        def subdep_type
-          category =
-            TomlRB.parse(lockfile.content).fetch("package", []).
-            find { |dets| normalise(dets.fetch("name")) == dependency.name }.
-            fetch("category")
+        def subdep_type(poetry_object, dep)
+          locked_dep = TomlRB.parse(lockfile.content).fetch("package", []).
+                       find { |dets| normalise(dets.fetch("name")) == dependency.name }
 
-          category == "dev" ? "dev-dependencies" : "dependencies"
+          category = locked_dep.fetch("category", nil)
+          # Simple case < Poetry 1.5
+          return category == "dev" ? "dev-dependencies" : "dependencies" if category
+
+          # No category so Poetry > 1.5, find the declaration from pyproject.toml
+          in_main = poetry_object.fetch("dependencies", []).find(dep.name)
+          return "dependencies" if in_main
+
+          in_legacy_dev = poetry_object.fetch("dev-dependencies", []).find(dep.name)
+          return "dev-dependencies" if in_legacy_dev
+
+          groups = poetry_object.fetch("group", {})
+          groups.each do |_group_name, group_spec|
+            in_group = group_spec["dependencies"].find(dep.name)
+            # All group dependencies get treated the same, as "dev" dependencies
+            return "dev-dependencies" if in_group
+          end
+
+          # Did not return before this, must not have found it in pyproject.toml. This means it must be a transitive
+          # dependency. Default all transitive dependencies to main dependencies for now.
+          # Future TODO: go in reverse order looking at all the packages that declare this dependency as a dependency,
+          # checking each time for existence in pyproject.toml to determine the category
+          "dependencies"
         end
 
         def sanitize(pyproject_content)

@@ -295,12 +295,32 @@ def update_dependency_requirement(toml_node, requirement)
         end
 
         def subdep_type
-          category =
-            TomlRB.parse(lockfile.content).fetch("package", []).
-            find { |dets| normalise(dets.fetch("name")) == dependency.name }.
-            fetch("category")
+          locked_dep = TomlRB.parse(lockfile.content).fetch("package", []).
+                       find { |dets| normalise(dets.fetch("name")) == dependency.name }
 
-          category == "dev" ? "dev-dependencies" : "dependencies"
+          category = locked_dep.fetch("category", nil)
+          # Simple case < Poetry 1.5
+          return category == "dev" ? "dev-dependencies" : "dependencies" if category
+
+          # No category so Poetry > 1.5, find the declaration from pyproject.toml
+          in_main = poetry_object.fetch("dependencies", []).find(dep.name)
+          return "dependencies" if in_main
+
+          in_legacy_dev = poetry_object.fetch("dev-dependencies", []).find(dep.name)
+          return "dev-dependencies" if in_legacy_dev
+
+          groups = poetry_object.fetch("group", {})
+          groups.each do |_group_name, group_spec|
+            in_group = group_spec["dependencies"].find(dep.name)
+            # All group dependencies get treated the same, as "dev" dependencies
+            return "dev-dependencies" if in_group
+          end
+
+          # Did not return before this, must not have found it in pyproject.toml. This means it must be a transitive
+          # dependency. Default all transitive dependencies to main dependencies for now.
+          # Future TODO: go in reverse order looking at all the packages that declare this dependency as a dependency,
+          # checking each time for existence in pyproject.toml to determine the category
+          "dependencies"
         end
 
         def python_requirement_parser

@@ -132,7 +132,7 @@
 
         its(:length) { is_expected.to eq(36) }
 
-        describe "a development sub-dependency" do
+        describe "a pre Poetry 1.5 development sub-dependency" do
           subject(:dep) { dependencies.find { |d| d.name == "atomicwrites" } }
 
           its(:subdependency_metadata) do
@@ -227,6 +227,34 @@
           expect(dependency.requirements).to eq([])
         end
       end
+
+      context "with Poetry 1.5 locked group dependencies" do
+        # This is how Poetry treats transitive dev dependencies, see discussion at https://github.com/python-poetry/poetry/pull/7637#issuecomment-1494272266
+        # and https://github.com/dependabot/dependabot-core/pull/7418#issuecomment-1644012926
+        let(:pyproject_fixture_name) { "poetry_group_dependencies.toml" }
+        let(:pyproject_lock_fixture_name) { "poetry_group_dependencies.lock" }
+
+        describe "a legacy dev-dependencies sub-dependency" do
+          subject(:dep) { dependencies.find { |d| d.name == "click" } }
+          its(:subdependency_metadata) do
+            is_expected.to eq([{ production: true }])
+          end
+        end
+
+        describe "a dev group sub-dependency" do
+          subject(:dep) { dependencies.find { |d| d.name == "pluggy" } }
+          its(:subdependency_metadata) do
+            is_expected.to eq([{ production: true }])
+          end
+        end
+
+        describe "a non-dev group sub-dependency" do
+          subject(:dep) { dependencies.find { |d| d.name == "sphinxcontrib-applehelp" } }
+          its(:subdependency_metadata) do
+            is_expected.to eq([{ production: true }])
+          end
+        end
+      end
     end
 
     context "with group dependencies" do