fix #8414 follow poetry source constraint

[lucemia]

Context

• fix not follow poetry's package source constraint #8414

Package source constraints are strongly suggested for all packages that are expected to be provided only by one specific source to avoid dependency confusion attacks.

https://python-poetry.org/docs/repositories/#package-source-constraint

Summary

• Update the index_finder.rb script to ensure that if a dependency has a package source configuration in pyproject.toml, it won't utilize any other sources as its :main source.
• Please note that the behavior may not completely align with Poetry's behavior.
  • For example, if a package points to a source that is not defined in pyproject.toml, Poetry will raise an exception, but Dependabot will continue to check the default source.
  • Should we consider aligning dependabot behavior with Poetry's in this regard?

User-facing changes

• dependabot bot won't check default source if a package defined its source correctly.

Testing Instructions

[dependabot-core-dev] ~ $ ./bin/dry-run.rb pip lucemia/dependabot-source-constraint --cache=files

Before modification

• dependabot will check https://pypi.org/simple/requests/

=> reading cloned repo from /home/dependabot/tmp/lucemia/dependabot-source-constraint
=> parsing dependency files
=> updating 1 dependencies: requests

=== requests ()
 => checking for updates 1/1
🌍 --> GET https://pypi.org/simple/requests/
🌍 <-- 200 https://pypi.org/simple/requests/
🌍 --> GET https://some.internal.registry.com/pypi/requests/
 => handled error whilst updating requests: private_source_timed_out {:source=>"https://some.internal.registry.com/pypi/"}
🌍 Total requests made: '2'
🎈 Ecosystem Versions log: {:languages=>{:python=>{"raw"=>"^3.7", "max"=>"3.11"}}}

After modification

• dependabot won't check https://pypi.org/simple/requests/

=> reading cloned repo from /home/dependabot/tmp/lucemia/dependabot-source-constraint
=> parsing dependency files
=> updating 1 dependencies: requests

=== requests ()
 => checking for updates 1/1
🌍 --> GET https://some.internal.registry.com/pypi/requests/
 => handled error whilst updating requests: private_source_timed_out {:source=>"https://some.internal.registry.com/pypi/"}
🌍 Total requests made: '1'
🎈 Ecosystem Versions log: {:languages=>{:python=>{"raw"=>"^3.7", "max"=>"3.11"}}}

[deivid-rodriguez]

Makes sense to me!

[deivid-rodriguez]

Regarding your question, yes, it makes to me to align with poetry. If poetry fails to run that kind of project, since we run poetry ourselves, we're already running into an unknown error anyways. So it makes sense to raise a proper user error instead. Maybe DependencyFileNotEvaluatable or MisconfiguredTool error.

[lucemia]

Regarding your question, yes, it makes to me to align with poetry. If poetry fails to run that kind of project, since we run poetry ourselves, we're already running into an unknown error anyways. So it makes sense to raise a proper user error instead. Maybe DependencyFileNotEvaluatable or MisconfiguredTool error.

I've squashed the commits, and I think the PR may be also to merged first.

To align with Poetry, it will require more time as I want to clarify Poetry's behavior. I have raised an issue there to discuss further: python-poetry/poetry#8704."

[deivid-rodriguez]

Thank you! Yes, I will merge this PR independently of any other improvements. Hopefully next week!

[deivid-rodriguez]

Thanks for the improvement @lucemia, it's now merged and deployed 🎉