Merge pull request #39 from enpaul/enp/bugfixes

Misc Bugfixes

.github/workflows/ci.yaml

@@ -40,9 +40,7 @@ jobs:
       - name: Setup:env
         run: .github/scripts/setup-env.sh
       - name: Run:${{ matrix.python.toxenv }}
-        run: $HOME/ci/bin/tox \
-          -e ${{ matrix.python.toxenv }} \
-          --require-poetry
+        run: $HOME/ci/bin/tox -e ${{ matrix.python.toxenv }} --require-poetry
   Check:
     runs-on: ubuntu-latest
     steps:

CHANGELOG.md

@@ -2,6 +2,20 @@
 
 See also: [Github Release Page](https://github.com/enpaul/tox-poetry-installer/releases).
 
+## Version 0.6.2
+
+View this release on:
+[Github](https://github.com/enpaul/tox-poetry-installer/releases/tag/0.6.2),
+[PyPI](https://pypi.org/project/tox-poetry-installer/0.6.2/)
+
+* Update locked version of `py` to `1.10.0` to address
+  [CVE-2020-29651](https://nvd.nist.gov/vuln/detail/CVE-2020-29651)
+* Fix dependency identification failing when the package under test is a transient dependency
+  of a locked dependency specified for installation
+* Fix `AttributeError` being raised while creating the Tox self-provisioned environment when
+  using either the [`minversion`](https://tox.readthedocs.io/en/latest/config.html#conf-minversion)
+  or [`requires`](https://tox.readthedocs.io/en/latest/config.html#conf-requires) Tox config options
+
 
 ## Version 0.6.1
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tox-poetry-installer"
-version = "0.6.1"
+version = "0.6.2"
 license = "MIT"
 authors = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]
 description = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"

tox_poetry_installer/__about__.py

@@ -1,7 +1,7 @@
 # pylint: disable=missing-docstring
 __title__ = "tox-poetry-installer"
 __summary__ = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"
-__version__ = "0.6.1"
+__version__ = "0.6.2"
 __url__ = "https://github.com/enpaul/tox-poetry-installer/"
 __license__ = "MIT"
 __authors__ = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]

tox_poetry_installer/hooks.py

@@ -112,7 +112,9 @@ def tox_testenv_install_deps(venv: ToxVirtualEnv, action: ToxAction) -> Optional
 
         env_deps: List[PoetryPackage] = []
         for dep in venv.envconfig.locked_deps:
-            env_deps += utilities.find_transients(package_map, dep.lower())
+            env_deps += utilities.find_transients(
+                package_map, dep.lower(), allow_missing=[poetry.package.name]
+            )
         reporter.verbosity1(
             f"{constants.REPORTER_PREFIX} Identified {len(env_deps)} environment dependencies to install to env"
         )

tox_poetry_installer/utilities.py

@@ -48,13 +48,17 @@ def install_to_venv(
         installer.install(dependency)
 
 
-def find_transients(packages: PackageMap, dependency_name: str) -> Set[PoetryPackage]:
+def find_transients(
+    packages: PackageMap, dependency_name: str, allow_missing: Sequence[str] = ()
+) -> Set[PoetryPackage]:
     """Using a poetry object identify all dependencies of a specific dependency
 
-    :param poetry: Populated poetry object which can be used to build a populated locked
-                   repository object.
+    :param packages: All packages from the lockfile to use for identifying dependency relationships.
     :param dependency_name: Bare name (without version) of the dependency to fetch the transient
                             dependencies of.
+    :param allow_missing: Sequence of package names to allow to be missing from the lockfile. Any
+                          packages that are not found in the lockfile but their name appears in this
+                          list will be silently skipped from installation.
     :returns: List of packages that need to be installed for the requested dependency.
 
     .. note:: The package corresponding to the dependency named by ``dependency_name`` is included
@@ -75,7 +79,15 @@ def find_transients(packages: PackageMap, dependency_name: str) -> Set[PoetryPac
             return dict()
 
         transients: PackageMap = {}
-        package = packages[name]
+        try:
+            package = packages[name]
+        except KeyError as err:
+            if name in allow_missing:
+                reporter.verbosity2(
+                    f"{constants.REPORTER_PREFIX} Skip {name}: package is not in lockfile but designated as allowed to be missing"
+                )
+                return dict()
+            raise err
 
         if not package.python_constraint.allows(constants.PLATFORM_VERSION):
             reporter.verbosity2(
@@ -133,6 +145,16 @@ def find_transients(packages: PackageMap, dependency_name: str) -> Set[PoetryPac
 
 def check_preconditions(venv: ToxVirtualEnv, action: ToxAction) -> "_poetry.Poetry":
     """Check that the local project environment meets expectations"""
+    # Skip running the plugin for the provisioning environment. The provisioned environment,
+    # for alternative Tox versions and/or the ``requires`` meta dependencies is specially
+    # handled by Tox and is out of scope for this plugin. Since one of the ways to install this
+    # plugin in the first place is via the Tox provisioning environment, it quickly becomes a
+    # chicken-and-egg problem.
+    if action.name == venv.envconfig.config.provision_tox_env:
+        raise exceptions.SkipEnvironment(
+            f"Skipping Tox provisioning env '{action.name}'"
+        )
+
     # Skip running the plugin for the packaging environment. PEP-517 front ends can handle
     # that better than we can, so let them do their thing. More to the point: if you're having
     # problems in the packaging env that this plugin would solve, god help you.
@@ -190,6 +212,8 @@ def find_project_dependencies(
 
     dependencies: List[PoetryPackage] = []
     for dep in base_dependencies + extra_dependencies:
-        dependencies += find_transients(packages, dep.name.lower())
+        dependencies += find_transients(
+            packages, dep.name.lower(), allow_missing=[poetry.package.name]
+        )
 
     return dependencies