
(fix) Handle Poetry group metadata without dependencies table #14689

Merged: markhallen merged 26 commits into dependabot:main from julia-thorn:main on May 20, 2026

@julia-thorn
Contributor

What are you trying to accomplish?

This change fixes a parser bug in Dependabot's Python Poetry support when a project combines PEP 735 dependency-groups with Poetry group metadata such as optional = true. This is a valid configuration as stated in the Poetry docs.

In situations like the test example, tool.poetry.group.gpu is valid metadata-only configuration and does not need a corresponding tool.poetry.group.gpu.dependencies table. Dependabot currently assumes that every Poetry group contains a dependencies hash and crashes with NoMethodError: undefined method 'each' for nil while parsing the manifest.

The goal of this PR is to make Poetry group parsing nil-safe so Dependabot can handle valid Poetry metadata-only groups without crashing, while continuing to parse dependencies declared through dependency-groups.

Anything you want to highlight for special attention from reviewers?

I went with the smallest possible fix to preserve current behavior and avoid any accidental regressions.

How will you know you've accomplished your goal?

I reproduced the failure using a pyproject.toml fixture with:

  • a dependency-groups entry for gpu
  • a matching tool.poetry.group.gpu section containing only optional = true

Before this change, parsing that fixture raises:
NoMethodError: undefined method 'each' for nil

After this change:

  • the parser no longer raises on that configuration
  • dependencies declared under dependency-groups are still returned as expected
  • the new regression spec covers both conditions

So the success criteria are:

  • no parser crash for metadata-only Poetry groups
  • existing dependency parsing behavior remains intact
  • the regression spec passes in CI/containerized test execution

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
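
The crash and the nil-safe handling described in the PR description above, as an added example that is not Dependabot's code or part of this pull request. The method names and the sample manifest (a constructed, already-parsed pyproject.toml hash) are hypothetical.

```ruby
# Added example: hypothetical method names, not Dependabot's parser.
# Constructed sample: parsed form of a pyproject.toml that pairs PEP 735
# dependency-groups with a metadata-only Poetry group (no dependencies table).
PYPROJECT = {
  "dependency-groups" => {
    "gpu" => ["torch>=2.2", "triton==3.0.0"],
    "all" => [{ "include-group" => "gpu" }]
  },
  "tool" => { "poetry" => { "group" => {
    "gpu" => { "optional" => true },
    "dev" => { "dependencies" => { "pytest" => "^8.0" } }
  } } }
}.freeze

# "Before" shape: assumes every Poetry group carries a dependencies table,
# so the metadata-only gpu group ends in nil.each and a NoMethodError.
def group_deps_unsafe(pyproject)
  deps = []
  pyproject.dig("tool", "poetry", "group").each do |group, spec|
    spec["dependencies"].each { |name, req| deps << [name, req, group] }
  end
  deps
end

# Nil-safe shape: a missing (or non-table) dependencies value contributes nothing.
def group_deps_safe(pyproject)
  groups = pyproject.dig("tool", "poetry", "group") || {}
  groups.flat_map do |group, spec|
    table = spec.is_a?(Hash) ? spec["dependencies"] : nil
    next [] unless table.is_a?(Hash)

    table.map { |name, req| [name, req, group] }
  end
end

# PEP 735 groups are lists of requirement strings; include-group tables are
# skipped here rather than expanded.
def pep735_deps(pyproject)
  (pyproject["dependency-groups"] || {}).flat_map do |group, entries|
    entries.grep(String).filter_map do |entry|
      name = entry[/\A[A-Za-z0-9][A-Za-z0-9._-]*/]
      [name, entry.delete_prefix(name).strip, group] if name
    end
  end
end

def all_group_deps(pyproject)
  group_deps_safe(pyproject) + pep735_deps(pyproject)
end
```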

@julia-thorn julia-thorn requested a review from a team as a code owner April 10, 2026 18:56
Copilot AI review requested due to automatic review settings April 10, 2026 18:56

Copilot AI left a comment

Pull request overview

Fixes a crash in Dependabot’s Python Poetry manifest parsing when a project defines Poetry group metadata (e.g., optional = true) without a corresponding tool.poetry.group.<name>.dependencies table, while also using PEP 735 dependency-groups.

Changes:

  • Add a pyproject.toml fixture that reproduces a metadata-only Poetry group combined with PEP 735 dependency groups.
  • Add a regression spec ensuring parsing doesn’t raise and that PEP 735 dependencies are still returned.
  • Make Poetry group parsing nil-safe in PyprojectFilesParser when a group’s dependencies table is missing.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml | Adds a fixture covering metadata-only tool.poetry.group.gpu plus PEP 735 dependency-groups. |
| python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb | Adds regression coverage for the nil-safe parsing behavior and PEP 735 dependency inclusion. |
| python/lib/dependabot/python/file_parser/pyproject_files_parser.rb | Updates Poetry group dependency parsing to tolerate missing dependencies tables. |

Comment thread python/lib/dependabot/python/file_parser/pyproject_files_parser.rb
Comment thread python/lib/dependabot/python/file_parser/pyproject_files_parser.rb Outdated

Copilot AI left a comment

Pull request overview

Fixes a crash in Dependabot’s Python Poetry parsing/version-resolution when a Poetry group is present as metadata-only (e.g., optional = true) without a corresponding dependencies table, especially when combined with PEP 735 dependency-groups.

Changes:

  • Make Poetry group dependency parsing nil-safe in the pyproject.toml parser.
  • Make Poetry version resolver’s requirement-updating logic nil-safe for metadata-only groups.
  • Add fixtures + regression specs covering metadata-only Poetry groups and mixed PEP 735 + Poetry group metadata.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| python/lib/dependabot/python/file_parser/pyproject_files_parser.rb | Returns an empty DependencySet when a Poetry group has no dependencies table, avoiding NoMethodError. |
| python/lib/dependabot/python/update_checker/poetry_version_resolver.rb | Allows update_dependency_requirement to accept nil and no-op, preventing crashes when groups are metadata-only. |
| python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb | Adds regression coverage for optional Poetry group metadata alongside PEP 735 dependency-groups. |
| python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb | Adds regression coverage ensuring version resolution doesn’t raise with metadata-only Poetry groups. |
| python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml | New fixture representing a metadata-only Poetry group. |
| python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml | New fixture combining PEP 735 dependency-groups with metadata-only Poetry group config. |

Comment thread python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Fixes a crash in Dependabot’s Python Poetry parsing/resolution when a tool.poetry.group.<name> table contains only metadata (e.g., optional = true) and does not include a dependencies table—while still supporting PEP 735 dependency-groups.

Changes:

  • Make Poetry group dependency parsing nil-safe in the pyproject file parser.
  • Make PoetryVersionResolver’s pyproject requirement rewriting nil-safe for metadata-only groups.
  • Add fixtures and regression specs covering metadata-only Poetry groups (including with PEP 735 dependency-groups).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| python/lib/dependabot/python/file_parser/pyproject_files_parser.rb | Avoids each on nil by treating missing group dependencies as an empty dependency set. |
| python/lib/dependabot/python/update_checker/poetry_version_resolver.rb | Avoids keys on nil when rewriting requirements for Poetry groups lacking a dependencies table. |
| python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb | Adds regression coverage for parsing with metadata-only Poetry groups + PEP 735 dependency-groups. |
| python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb | Adds regression coverage for version resolution with a metadata-only Poetry group present. |
| python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml | Fixture demonstrating a Poetry metadata-only group plus dependency-groups entry. |
| python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml | Fixture demonstrating optional group metadata without a corresponding dependencies table. |

Comment thread .github/scripts/apply_smoke_overrides.rb Fixed

Copilot AI left a comment

Pull request overview

Fixes a Dependabot Python Poetry parsing/resolution crash when a Poetry group contains metadata (e.g., optional = true) but no corresponding tool.poetry.group.<name>.dependencies table—especially when combined with PEP 735 dependency-groups.

Changes:

  • Make Poetry group handling nil-safe in the Poetry version resolver and pyproject parser.
  • Add regression fixtures/specs covering “metadata-only” Poetry groups alongside PEP 735 dependency-groups.
  • Add a smoke-test workflow step + script to apply a certifi-related stabilization for Poetry smoke suites.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
python/lib/dependabot/python/update_checker/poetry_version_resolver.rb Avoids NoMethodError by making dependency requirement updates nil-safe for group specs without dependencies.
python/lib/dependabot/python/file_parser/pyproject_files_parser.rb Allows Poetry dependency group parsing to safely handle a nil dependencies table.
python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb Regression test ensuring version resolution works when a Poetry group is metadata-only.
python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb Regression test ensuring parsing doesn’t crash and still returns PEP 735 dependencies.
python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml Fixture for metadata-only Poetry group.
python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml Fixture combining PEP 735 dependency-groups with Poetry group metadata-only config.
.github/workflows/smoke.yml Runs a new script step to mutate smoke.yaml for Poetry suites.
.github/scripts/apply_smoke_overrides.sh Adds logic to inject a certifi ignore-condition override into downloaded smoke tests.

Comment thread .github/workflows/smoke.yml Outdated
@julia-thorn
Contributor Author

The e2e smoke tests appear to be failing for unrelated reasons; I have a PR in the smoke-tests repo to fix.

Copilot AI left a comment

Pull request overview

Fixes a nil-handling bug in Dependabot’s Python Poetry support so projects with Poetry group metadata (e.g., optional = true) but no dependencies table don’t crash, including when combined with PEP 735 dependency-groups.

Changes:

  • Make Poetry group dependency parsing nil-safe in PyprojectFilesParser.
  • Make Poetry version resolver’s dependency-table mutation nil-safe for groups without dependencies.
  • Add fixtures + regression specs covering metadata-only groups and mixed Poetry/PEP735 configurations.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
| File | Description |
| --- | --- |
| python/lib/dependabot/python/file_parser/pyproject_files_parser.rb | Allows parse_poetry_dependency_group to accept nil and return an empty set instead of raising. |
| python/lib/dependabot/python/update_checker/poetry_version_resolver.rb | Guards update_dependency_requirement against nil group dependency tables. |
| python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb | Adds coverage for parsing metadata-only Poetry group tables alongside PEP 735 dependency-groups. |
| python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb | Adds regression coverage ensuring version resolution works when a Poetry group has metadata only. |
| python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml | New fixture reproducing metadata-only Poetry group alongside dependency-groups. |
| python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml | New fixture for optional Poetry group metadata without dependencies, plus PEP 735 groups. |

@julia-thorn
Contributor Author

@AbhishekBhaskar tagging you because you seem to have reviewed similar PRs recently - apologies if that's not the right ping!

@julia-thorn
Contributor Author

@markhallen tagging you because you seem to have reviewed similar PRs recently - apologies if that's not the right ping! This is causing a lot of problems for our team so I would really appreciate a review. Thanks!

@julia-thorn julia-thorn changed the title from "Python: handle Poetry group metadata without dependencies table" to "(fix) Handle Poetry group metadata without dependencies table" on May 15, 2026
@markhallen markhallen merged commit e10de6e into dependabot:main May 20, 2026
61 of 62 checks passed
@markhallen
Contributor

Thanks for your contribution @julia-thorn

@albertoblue87-netizen albertoblue87-netizen left a comment

Done
