(fix) Handle Poetry group metadata without dependencies table (#14689)

julia-thorn · Copilot · markhallen · web-flow · commit e10de6ecd3ce · 2026-05-20T12:18:02.000+01:00
* fix(python): handle Poetry groups without dependencies table * Fix lint issue * Fix CoPilot suggestions * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix flaky smoke test * Fix security alert * Revert "Fix security alert" This reverts commit 133a269. * Revert "Fix flaky smoke test" This reverts commit 0ba52f1. * trigger ci * trigger ci * trigger ci * trigger ci --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Mark Allen <markhallen@gmail.com>
diff --git a/python/lib/dependabot/python/file_parser/pyproject_files_parser.rb b/python/lib/dependabot/python/file_parser/pyproject_files_parser.rb
@@ -113,12 +113,12 @@ def pep621_pep735_dependencies
         sig do
           params(
             type: String,
-            deps_hash: T::Hash[String,
-                               T.untyped]
+            deps_hash: T.nilable(T::Hash[String, T.untyped])
           ).returns(Dependabot::FileParsers::Base::DependencySet)
         end
         def parse_poetry_dependency_group(type, deps_hash)
           dependencies = Dependabot::FileParsers::Base::DependencySet.new
+          return dependencies if deps_hash.nil?
 
           deps_hash.each do |name, req|
             next if normalise(name) == "python"
diff --git a/python/lib/dependabot/python/update_checker/poetry_version_resolver.rb b/python/lib/dependabot/python/update_checker/poetry_version_resolver.rb
@@ -341,8 +341,10 @@ def set_target_dependency_req(pyproject_content, updated_requirement)
           TomlRB.dump(pyproject_object)
         end
 
-        sig { params(toml_node: T::Hash[String, T.untyped], requirement: String).void }
+        sig { params(toml_node: T.nilable(T::Hash[String, T.untyped]), requirement: String).void }
         def update_dependency_requirement(toml_node, requirement)
+          return unless toml_node
+
           names = toml_node.keys
           pkg_name = names.find { |nm| normalise(nm) == dependency.name }
           return unless pkg_name
diff --git a/python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb b/python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb
@@ -329,6 +329,21 @@
       end
     end
 
+    context "with optional poetry group metadata and pep735 groups" do
+      subject(:dependency_names) { dependencies.map(&:name) }
+
+      let(:pyproject_fixture_name) { "poetry_group_optional_without_dependencies.toml" }
+
+      it "parses without error when tool.poetry.group has no dependencies table" do
+        expect { parser.dependency_set }.not_to raise_error
+      end
+
+      it "includes dependencies declared in dependency-groups" do
+        expect(dependency_names).to include("requests")
+        expect(dependency_names).to include("onnxruntime-gpu")
+      end
+    end
+
     context "with a group that has no dependencies key" do
       subject(:dependency_names) { dependencies.map(&:name) }
 
diff --git a/python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb b/python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb
@@ -98,6 +98,14 @@
       it { is_expected.to eq(Gem::Version.new("2.18.4")) }
     end
 
+    context "with a metadata-only poetry group" do
+      let(:pyproject_fixture_name) { "poetry_metadata_only_group.toml" }
+
+      it "resolves the latest version when a poetry group has no dependencies table" do
+        expect(latest_resolvable_version).to eq(Gem::Version.new("2.18.4"))
+      end
+    end
+
     context "with a non-package mode project" do
       let(:pyproject_fixture_name) { "poetry_non_package_mode_simple.toml" }
       let(:lockfile_fixture_name) { "version_not_specified.lock" }
diff --git a/python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml b/python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml
@@ -0,0 +1,19 @@
+[tool.poetry]
+name = "poetry-group-optional-without-dependencies"
+version = "0.1.0"
+description = ""
+authors = ["Dependabot <support@dependabot.com>"]
+
+[tool.poetry.dependencies]
+python = ">=3.11"
+
+[dependency-groups]
+dev = [
+    "requests==2.18.0",
+]
+gpu = [
+    "onnxruntime-gpu==1.23.2",
+]
+
+[tool.poetry.group.gpu]
+optional = true
diff --git a/python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml b/python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml
@@ -0,0 +1,20 @@
+[tool.poetry]
+name = "poetry-metadata-only-group"
+version = "2.0.0"
+homepage = "https://github.com/roghu/py3_projects"
+license = "MIT"
+readme = "README.md"
+authors = ["Dependabot <support@dependabot.com>"]
+description = "Various small python projects."
+
+[tool.poetry.dependencies]
+python = "3.11.1"
+requests = "2.18.0"
+
+[dependency-groups]
+gpu = [
+  "onnxruntime-gpu==1.23.2",
+]
+
+[tool.poetry.group.gpu]
+optional = true
