Add name key to sources

Newer versions of `pipenv` require any specified `sources` to be
explicitly `name`'d.

More context here: pypa/pipenv#5370 (comment)

This has been true since at least Sept 2022. Our version of `pipenv` was
from April of 2022, so it didn't complain. But that means most of our
active users of `pipenv` are unlikely to see this error if they're
running a newer version of `pipenv`.

Also, for sources that  dynamically injects into the
`Pipfile`, they need a name. These sources are stripped from the final
`Pipfile` / `Pipfile.lock` during the `FileUpdater#post_process_lockfile`
method, so all we need is a placeholder `name` to placate `pipenv`.

Long term, we may want to add custom error handling to flag this
missing key as a `Dependabot::DependencyFileNotResolvable` error.

But I decided that was out of scope for now as this PR does not generate
the error... that will not happen until we upgrade to newer `pipenv`.
And even at that point, our first priority will be upgrading, and then
from there handling any new errors that start popping up.

python/lib/dependabot/python/file_updater/pipfile_preparer.rb

@@ -132,9 +132,15 @@ def sub_auth_url(source, credentials)
 
         def config_variable_sources(credentials)
           @config_variable_sources ||=
-            credentials.
-            select { |cred| cred["type"] == "python_index" }.
-            map { |c| { "url" => AuthedUrlBuilder.authed_url(credential: c) } }
+            credentials.select { |cred| cred["type"] == "python_index" }.
+            map do |c|
+              {
+                "url" => AuthedUrlBuilder.authed_url(credential: c),
+                # Random suffix ensure names are unique. This entire source is stripped out of the final Pipfile.lock in
+                # FileUpdater#post_process_lockfile so it's okay that the names are non-deterministic.
+                "name" => "dependabot-inserted-index-#{SecureRandom.alphanumeric(5)}"
+              }
+            end
         end
       end
     end

python/spec/dependabot/python/file_updater/pipfile_preparer_spec.rb

@@ -135,8 +135,8 @@
     let(:lockfile_fixture_name) { "version_not_specified.lock" }
 
     it "adds the source" do
-      expect(updated_content).
-        to include("https://username:password@pypi.posrip.com/pypi/")
+      expect(updated_content).to include('name = "dependabot-inserted-index-')
+      expect(updated_content).to include("https://username:password@pypi.posrip.com/pypi/")
     end
 
     context "with auth details provided as a token" do
@@ -154,8 +154,8 @@
       end
 
       it "adds the source" do
-        expect(updated_content).
-          to include("https://username:password@pypi.posrip.com/pypi/")
+        expect(updated_content).to include('name = "dependabot-inserted-index-')
+        expect(updated_content).to include("https://username:password@pypi.posrip.com/pypi/")
       end
     end
 
@@ -178,7 +178,7 @@
       it "keeps source config" do
         expect(updated_content).to include(
           "[[source]]\n" \
-          "name = \"pypi\"\n" \
+          "name = \"internal-pypi\"\n" \
           "url = \"https://username:password@pypi.posrip.com/pypi/\"\n" \
           "verify_ssl = true\n"
         )

python/spec/fixtures/pipfile_files/arbitrary_equality

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/conflict_at_current

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/conflict_at_latest

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/environment_variable_source

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/${ENV_VAR}"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/exact_version

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/extra_subdependency

@@ -1,7 +1,7 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
-name = "pypi"
 
 [packages]
 flask = "==1.0.*"

python/spec/fixtures/pipfile_files/git_source

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/git_source_bad_ref

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/git_source_no_ref

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/git_source_unreachable

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/hard_names

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/not_in_lockfile

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/only_dev

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/path_dependency

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/path_dependency_not_self

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/private_source

@@ -1,4 +1,5 @@
 [[source]]
+name = "internal-pypi"
 url = "https://some.internal.registry.com/pypi/"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/private_source_auth

@@ -1,7 +1,7 @@
 [[source]]
+name = "internal-pypi"
 url = "https://${ENV_USER}:${ENV_PASSWORD}@pypi.posrip.com/pypi/"
 verify_ssl = true
-name = "pypi"
 
 [dev-packages]
 pytest = "==3.4.0"

python/spec/fixtures/pipfile_files/prod_and_dev

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/prod_and_dev_different

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/required_python

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/required_python_implicit

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/required_python_invalid

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/required_python_unsupported

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/unparseable

@@ -1,8 +1,7 @@
 [[source]]
-
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
-name = "pypi"
 
 [dev-packages]
 

python/spec/fixtures/pipfile_files/unsupported_dep

@@ -1,7 +1,7 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
-name = "pypi"
 
 [packages]
 requests = "==2.18.0"

python/spec/fixtures/pipfile_files/version_hash

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/version_not_specified

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/version_table

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/wildcard

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/with_quotes

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 

python/spec/fixtures/pipfile_files/yanked

@@ -1,4 +1,5 @@
 [[source]]
+name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true