Skip to content

strip extras from Python PURLs in DG payload#14462

Merged
jakecoffman merged 1 commit into
mainfrom
strip-extras-from-python-purls
Mar 16, 2026
Merged

strip extras from Python PURLs in DG payload#14462
jakecoffman merged 1 commit into
mainfrom
strip-extras-from-python-purls

Conversation

@jakecoffman
Copy link
Copy Markdown
Member

@jakecoffman jakecoffman commented Mar 16, 2026
edited
Loading

What are you trying to accomplish?

Python can specify dependency extras like cachecontrol[filecache]==0.14.2 where filecache specifies a set of transitive dependencies that are optionally specified.

Dependabot carries this extra data in the Dependency name (e.g. cachecontrol[filecache]) probably so when it bumps it preserves the extras.

For submitting this data to Dependency Graph we need to strip it, because the package is just cachecontrol.

Anything you want to highlight for special attention from reviewers?

How will you know you've accomplished your goal?

We'll see correct names show up in Dependency Graph.

Running this in Dependabot CLI shows it's working now. This used to be coverage[toml]

$ dependabot graph pip encode/httpx
...
updater |         "pkg:pypi/coverage@7.10.6": {
...

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@jakecoffman jakecoffman changed the title strip extras from Python PURLs strip extras from Python PURLs in DG payload Mar 16, 2026
@jakecoffman jakecoffman marked this pull request as ready for review March 16, 2026 19:14
@jakecoffman jakecoffman requested a review from a team as a code owner March 16, 2026 19:14
Copilot AI review requested due to automatic review settings March 16, 2026 19:14
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Python Dependency Grapher’s PURL generation to drop Python “extras” (e.g., cachecontrol[filecache]) so Dependency Graph receives the base package name (e.g., cachecontrol).

Changes:

  • Override Python grapher purl_name_for to normalize names and strip extras before building PURLs.
  • Add specs ensuring extras are removed from generated PyPI PURLs.
  • Add a spec case confirming requirements.txt remains a valid relevant dependency file when it contains extras.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
python/lib/dependabot/python/dependency_grapher.rb Overrides PURL name generation to use normalized base package names (extras removed).
python/spec/dependabot/python/dependency_grapher_spec.rb Adds regression coverage for extras being stripped from PyPI PURLs and a requirements.txt selection case.

Comment thread python/lib/dependabot/python/dependency_grapher.rb
Comment thread python/spec/dependabot/python/dependency_grapher_spec.rb
@jakecoffman jakecoffman merged commit 3b662ea into main Mar 16, 2026
127 of 130 checks passed
@jakecoffman jakecoffman deleted the strip-extras-from-python-purls branch March 16, 2026 19:38
Copilot AI added a commit that referenced this pull request Mar 17, 2026
@jakecoffman
fix(uv): strip extras from dependency names in PURL generation
f31daf6 
Apply the same fix from Python grapher (PR #14462) to the UV ecosystem.
Add purl_name_for override that uses NameNormaliser.normalise to strip
extras like [filecache] from dependency names in PURLs.

Co-authored-by: jakecoffman <886768+jakecoffman@users.noreply.github.com>
Copilot AI mentioned this pull request Mar 17, 2026
Merged
5 tasks
jakecoffman added a commit that referenced this pull request Mar 17, 2026
@jakecoffman
fix(uv): strip extras from dependency names in PURL generation (#14468)
ede8c4a 
* fix(uv): strip extras from dependency names in PURL generation

Apply the same fix from Python grapher (PR #14462) to the UV ecosystem.
Add purl_name_for override that uses NameNormaliser.normalise to strip
extras like [filecache] from dependency names in PURLs.

Co-authored-by: jakecoffman <886768+jakecoffman@users.noreply.github.com>

* test: assert normalized cachecontrol PURL is present in extras test

Co-authored-by: jakecoffman <886768+jakecoffman@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jakecoffman <886768+jakecoffman@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Nishnha Nishnha Nishnha approved these changes

Assignees

No one assigned

Labels

L: python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jakecoffman @Nishnha