feat(manager/pip-compile): Allow security updates for transitive dependencies

lib/modules/manager/pip-compile/extract.spec.ts

@@ -359,4 +359,27 @@ describe('modules/manager/pip-compile/extract', () => {
       'pip-compile: dependency not found in lock file',
     );
   });
+
+  it('adds transitive dependency to deps in package file', async () => {
+    fs.readLocalFile.mockResolvedValueOnce(
+      getSimpleRequirementsFile(
+        'pip-compile --output-file=requirements.txt requirements.in',
+        ['friendly-bard==1.0.1', 'bards-friend==1.0.0'],
+      ),
+    );
+    fs.readLocalFile.mockResolvedValueOnce('FrIeNdLy-._.-bArD>=1.0.0');
+
+    const lockFiles = ['requirements.txt'];
+    const packageFiles = await extractAllPackageFiles({}, lockFiles);
+    expect(packageFiles).toBeDefined();
+    const packageFile = packageFiles!.pop();
+    expect(packageFile!.deps).toHaveLength(2);
+    expect(packageFile!.deps[1]).toEqual({
+      datasource: 'pypi',
+      depType: 'indirect',
+      depName: 'bards-friend',
+      lockedVersion: '1.0.0',
+      enabled: false,
+    });
+  });
 });

lib/modules/manager/pip-compile/extract.ts

@@ -5,7 +5,12 @@ import { ensureLocalPath } from '../../../util/fs/util';
 import { normalizeDepName } from '../../datasource/pypi/common';
 import { extractPackageFile as extractRequirementsFile } from '../pip_requirements/extract';
 import { extractPackageFile as extractSetupPyFile } from '../pip_setup';
-import type { ExtractConfig, PackageFile, PackageFileContent } from '../types';
+import type {
+  ExtractConfig,
+  PackageDependency,
+  PackageFile,
+  PackageFileContent,
+} from '../types';
 import { extractHeaderCommand } from './common';
 import type {
   DependencyBetweenFiles,
@@ -132,7 +137,9 @@ export async function extractAllPackageFiles(
         logger.debug(
           `pip-compile: ${packageFile} used in multiple output files`,
         );
-        packageFiles.get(packageFile)!.lockFiles!.push(fileMatch);
+        const packageFileContent = packageFiles.get(packageFile)!;
+        packageFileContent.lockFiles!.push(fileMatch);
+        extendWithIndirectDeps(packageFileContent, lockedDeps);
         continue;
       }
       const content = await readLocalFile(packageFile, 'utf8');
@@ -180,6 +187,7 @@ export async function extractAllPackageFiles(
             );
           }
         }
+        extendWithIndirectDeps(packageFileContent, lockedDeps);
         packageFiles.set(packageFile, {
           ...packageFileContent,
           lockFiles: [fileMatch],
@@ -206,3 +214,31 @@ export async function extractAllPackageFiles(
   );
   return result;
 }
+
+function extendWithIndirectDeps(
+  packageFileContent: PackageFileContent,
+  lockedDeps: PackageDependency[],
+): void {
+  for (const lockedDep of lockedDeps) {
+    if (
+      !packageFileContent.deps.find(
+        (dep) =>
+          normalizeDepName(lockedDep.depName!) ===
+          normalizeDepName(dep.depName!),
+      )
+    ) {
+      packageFileContent.deps.push(indirectDep(lockedDep));
+    }
+  }
+}
+function indirectDep(dep: PackageDependency): PackageDependency {
+  const result = {
+    ...dep,
+    lockedVersion: dep.currentVersion,
+    depType: 'indirect',
+    enabled: false,
+  };
+  delete result.currentValue;
+  delete result.currentVersion;
+  return result;
+}

lib/modules/manager/pip-compile/readme.md

@@ -83,3 +83,9 @@ Renovate reads the `requirements.txt` file and extracts these `pip-compile` argu
 - `--output-file`
 
 All other allowed `pip-compile` arguments will be passed over without modification.
+
+### Transitive / indirect dependencies
+
+This manager detects dependencies that only appear in lock files.
+They are disabled by default but can be forced to enable by vulnerability alerts.
+They will be upgraded with `--upgrade-package` option.