
Python: handle Poetry group metadata without dependencies table#14689

Open
julia-thorn wants to merge 6 commits into dependabot:main from julia-thorn:main

Conversation

@julia-thorn

What are you trying to accomplish?

This change fixes a parser bug in Dependabot's Python Poetry support when a project combines PEP 735 dependency-groups with Poetry group metadata such as optional = true. This is a valid configuration as stated in the Poetry docs.

In situations like the test example, tool.poetry.group.gpu is valid metadata-only configuration and does not need a corresponding tool.poetry.group.gpu.dependencies table. Dependabot currently assumes that every Poetry group contains a dependencies hash and crashes with NoMethodError: undefined method 'each' for nil while parsing the manifest.

The goal of this PR is to make Poetry group parsing nil-safe so Dependabot can handle valid Poetry metadata-only groups without crashing, while continuing to parse dependencies declared through dependency-groups.

Anything you want to highlight for special attention from reviewers?

I went with the smallest possible fix to preserve current behavior and avoid any accidental regressions.

How will you know you've accomplished your goal?

I reproduced the failure using a pyproject.toml fixture with:

  • a dependency-groups entry for gpu
  • a matching tool.poetry.group.gpu section containing only optional = true

Before this change, parsing that fixture raises:
NoMethodError: undefined method 'each' for nil

After this change:

  • the parser no longer raises on that configuration
  • dependencies declared under dependency-groups are still returned as expected
  • the new regression spec covers both conditions

So the success criteria are:

  • no parser crash for metadata-only Poetry groups
  • existing dependency parsing behavior remains intact
  • the regression spec passes in CI/containerized test execution

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
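
As an added illustration (not Dependabot's code), the behaviour this PR describes reduced to a small Ruby model: the pyproject structure is a constructed Hash shaped like what a TOML parser would return for the fixture described above, with the pre-fix lookup that raises on a metadata-only group beside its nil-safe version, plus a resolver for PEP 735 dependency-groups that also follows include-group references.

```ruby
# Constructed stand-in for a parsed pyproject.toml: a PEP 735 "gpu" group that
# carries the real requirements, and a Poetry "gpu" group that is metadata-only
# (optional = true, no `dependencies` table). "dev" is a normal Poetry group.
PYPROJECT = {
  "dependency-groups" => {
    "gpu" => ["torch>=2.2", { "include-group" => "base" }],
    "base" => ["numpy>=1.26"]
  },
  "tool" => {
    "poetry" => {
      "group" => {
        "gpu" => { "optional" => true },
        "dev" => { "dependencies" => { "pytest" => "^8.0" } }
      }
    }
  }
}.freeze

# Before the fix: assumes every Poetry group has a dependencies table, so a
# metadata-only group yields nil and `.each` raises NoMethodError.
def poetry_group_deps_before(pyproject, group)
  deps = pyproject.dig("tool", "poetry", "group", group, "dependencies")
  deps.each.map { |name, req| "#{name} #{req}" }
end

# After the fix: a missing table is treated as an empty dependency set.
def poetry_group_deps_after(pyproject, group)
  deps = pyproject.dig("tool", "poetry", "group", group, "dependencies") || {}
  deps.map { |name, req| "#{name} #{req}" }
end

# PEP 735 groups: plain strings are requirements; a table with include-group
# pulls in another group. A cycle guard stops self-referential groups.
def pep735_group_deps(pyproject, group, seen = [])
  raise ArgumentError, "include-group cycle at #{group}" if seen.include?(group)
  entries = pyproject.dig("dependency-groups", group) || []
  entries.flat_map do |entry|
    if entry.is_a?(Hash) && entry.key?("include-group")
      pep735_group_deps(pyproject, entry["include-group"], seen + [group])
    else
      [entry]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p poetry_group_deps_after(PYPROJECT, "gpu") # => []
  p pep735_group_deps(PYPROJECT, "gpu")       # => ["torch>=2.2", "numpy>=1.26"]
end
```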

@julia-thorn julia-thorn requested a review from a team as a code owner April 10, 2026 18:56
Copilot AI review requested due to automatic review settings April 10, 2026 18:56

Copilot AI left a comment

Pull request overview

Fixes a crash in Dependabot’s Python Poetry manifest parsing when a project defines Poetry group metadata (e.g., optional = true) without a corresponding tool.poetry.group.<name>.dependencies table, while also using PEP 735 dependency-groups.

Changes:

  • Add a pyproject.toml fixture that reproduces a metadata-only Poetry group combined with PEP 735 dependency groups.
  • Add a regression spec ensuring parsing doesn’t raise and that PEP 735 dependencies are still returned.
  • Make Poetry group parsing nil-safe in PyprojectFilesParser when a group’s dependencies table is missing.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Reviewed files:

  • python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml: Adds a fixture covering metadata-only tool.poetry.group.gpu plus PEP 735 dependency-groups.
  • python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb: Adds regression coverage for the nil-safe parsing behavior and PEP 735 dependency inclusion.
  • python/lib/dependabot/python/file_parser/pyproject_files_parser.rb: Updates Poetry group dependency parsing to tolerate missing dependencies tables.

Copilot AI left a comment

Pull request overview

Fixes a crash in Dependabot’s Python Poetry parsing/version-resolution when a Poetry group is present as metadata-only (e.g., optional = true) without a corresponding dependencies table, especially when combined with PEP 735 dependency-groups.

Changes:

  • Make Poetry group dependency parsing nil-safe in the pyproject.toml parser.
  • Make Poetry version resolver’s requirement-updating logic nil-safe for metadata-only groups.
  • Add fixtures + regression specs covering metadata-only Poetry groups and mixed PEP 735 + Poetry group metadata.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Reviewed files:

  • python/lib/dependabot/python/file_parser/pyproject_files_parser.rb: Returns an empty DependencySet when a Poetry group has no dependencies table, avoiding NoMethodError.
  • python/lib/dependabot/python/update_checker/poetry_version_resolver.rb: Allows update_dependency_requirement to accept nil and no-op, preventing crashes when groups are metadata-only.
  • python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb: Adds regression coverage for optional Poetry group metadata alongside PEP 735 dependency-groups.
  • python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb: Adds regression coverage ensuring version resolution doesn’t raise with metadata-only Poetry groups.
  • python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml: New fixture representing a metadata-only Poetry group.
  • python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml: New fixture combining PEP 735 dependency-groups with metadata-only Poetry group config.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Fixes a crash in Dependabot’s Python Poetry parsing/resolution when a tool.poetry.group.<name> table contains only metadata (e.g., optional = true) and does not include a dependencies table—while still supporting PEP 735 dependency-groups.

Changes:

  • Make Poetry group dependency parsing nil-safe in the pyproject file parser.
  • Make PoetryVersionResolver’s pyproject requirement rewriting nil-safe for metadata-only groups.
  • Add fixtures and regression specs covering metadata-only Poetry groups (including with PEP 735 dependency-groups).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Reviewed files:

  • python/lib/dependabot/python/file_parser/pyproject_files_parser.rb: Avoids each on nil by treating missing group dependencies as an empty dependency set.
  • python/lib/dependabot/python/update_checker/poetry_version_resolver.rb: Avoids keys on nil when rewriting requirements for Poetry groups lacking a dependencies table.
  • python/spec/dependabot/python/file_parser/pyproject_files_parser_spec.rb: Adds regression coverage for parsing with metadata-only Poetry groups + PEP 735 dependency-groups.
  • python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb: Adds regression coverage for version resolution with a metadata-only Poetry group present.
  • python/spec/fixtures/pyproject_files/poetry_metadata_only_group.toml: Fixture demonstrating a Poetry metadata-only group plus dependency-groups entry.
  • python/spec/fixtures/pyproject_files/poetry_group_optional_without_dependencies.toml: Fixture demonstrating optional group metadata without a corresponding dependencies table.
