dependabot-bazel 0.349.0 → 0.350.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ed0dbfa97a75fd1406bca951209c70fd4a6662af02ea56ee4358a4a35775a49a
-  data.tar.gz: 06572e1e787cd4a06b8a87ca8e9ba64a217ba05a521a7b43734f37f77619a724
+  metadata.gz: 89e2aed09f75955bca16702b04e8fdda1daa176158f51b14b83d1d7134071b32
+  data.tar.gz: d4e6d299e8d7f66a35ef8dd53dc90b6d072cd7c4b7f26b3d1c5154ecb9434722
 SHA512:
-  metadata.gz: 2389b544675a0ea95032e4b7011bb61344c1becd2f238b009d8cc206f8d12c11f32a9707edc05cf4d525738821a0f118b7129f9c72e6777266c832eda6d12aec
-  data.tar.gz: a1c6fea7689e7d7518bba8f42f6b5a6c57a17446b8f6f8e349338f4822d4442430ccf77d680da7bfd09c60e2d27caa2e9783461bcb048f32ebb7bf5a6ef6b8f0
+  metadata.gz: 33a3bae8546312ada4aa162f6b4c8b31141f6d87b5d859bb0b87f7e3357297c9fe4eb2fd52714657aa5f951911fbcf19ebada4fd92a58dcfc5549dff5c6a0120
+  data.tar.gz: 90609272d6e1707e079c13d3a2648c9dd85892207193dbb926fa8644fbfcd511deacc60b4c16b57dfd022b7b9445fe09fb5057d9e264d0f0695d686cabc5048d

data/lib/dependabot/bazel/file_fetcher/bzl_file_fetcher.rb

@@ -0,0 +1,116 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/bazel/file_fetcher"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bazel
+    class FileFetcher < Dependabot::FileFetchers::Base
+      # Fetches .bzl files and their dependencies recursively.
+      # Handles load() and Label() statements to build a complete dependency graph.
+      class BzlFileFetcher
+        extend T::Sig
+
+        sig do
+          params(
+            module_file: DependencyFile,
+            fetcher: FileFetcher
+          ).void
+        end
+        def initialize(module_file:, fetcher:)
+          @module_file = module_file
+          @fetcher = fetcher
+          @visited_bzl_files = T.let(Set.new, T::Set[String])
+        end
+
+        sig { returns(T::Array[DependencyFile]) }
+        def fetch_bzl_files
+          content = T.must(@module_file.content)
+          bzl_file_paths = extract_bzl_file_paths(content)
+          fetch_bzl_files_recursively(bzl_file_paths)
+        end
+
+        private
+
+        sig { returns(DependencyFile) }
+        attr_reader :module_file
+
+        sig { returns(FileFetcher) }
+        attr_reader :fetcher
+
+        sig { returns(T::Set[String]) }
+        attr_reader :visited_bzl_files
+
+        # Fetches .bzl files recursively, following their load() and Label() dependencies.
+        sig { params(paths: T::Array[String]).returns(T::Array[DependencyFile]) }
+        def fetch_bzl_files_recursively(paths)
+          files = T.let([], T::Array[DependencyFile])
+
+          paths.each do |path|
+            next if visited_bzl_files.include?(path)
+
+            fetched_file = fetcher.send(:fetch_file_if_present, path)
+            next unless fetched_file
+
+            files << fetched_file
+            visited_bzl_files.add(path)
+
+            if path.end_with?(".bzl")
+              bzl_deps = extract_bzl_load_dependencies(fetched_file.content, path)
+              files += fetch_bzl_files_recursively(bzl_deps)
+            end
+          end
+
+          files
+        end
+
+        # Extracts .bzl file paths from use_extension() and use_repo_rule() calls.
+        # Only extracts workspace-relative paths (//...) and filters out external Bazel
+        # repositories (@repo//...) since those files don't exist in the current repository.
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_bzl_file_paths(content)
+          extract_use_extension_paths(content) + extract_use_repo_rule_paths(content)
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_use_extension_paths(content)
+          content.scan(%r{use_extension\s*\(\s*"//([^"]+)"}).filter_map do |match|
+            path = T.must(match[0]).tr(":", "/").sub(%r{^/}, "")
+            path if path.end_with?(".bzl")
+          end
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_use_repo_rule_paths(content)
+          content.scan(%r{use_repo_rule\s*\(\s*"//([^"]+)"}).filter_map do |match|
+            path = T.must(match[0]).tr(":", "/").sub(%r{^/}, "")
+            path if path.end_with?(".bzl")
+          end
+        end
+
+        # Extracts file dependencies from load() and Label() statements.
+        # Only extracts workspace-relative (//...) and file-relative (:...) paths.
+        # External Bazel repositories (@repo//...) are excluded since those files
+        # exist in different repositories, not the current one being analyzed.
+        sig { params(content: String, file_path: String).returns(T::Array[String]) }
+        def extract_bzl_load_dependencies(content, file_path)
+          paths = []
+          file_dir = File.dirname(file_path)
+
+          content.scan(%r{load\s*\(\s*"(//[^"]+|:[^"]+)"}) do |match|
+            path = PathConverter.label_to_path(match[0], context_dir: file_dir)
+            paths << path unless path.empty?
+          end
+
+          content.scan(%r{Label\s*\(\s*"(//[^"]+|:[^"]+)"\)}) do |match|
+            path = PathConverter.label_to_path(match[0], context_dir: file_dir)
+            paths << path unless path.empty?
+          end
+
+          paths
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bazel/file_fetcher/directory_tree_fetcher.rb

@@ -0,0 +1,79 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/bazel/file_fetcher"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bazel
+    class FileFetcher < Dependabot::FileFetchers::Base
+      # Fetches entire directory trees, typically for local_path_override directories.
+      # Includes BUILD files to make directories valid Bazel packages.
+      class DirectoryTreeFetcher
+        extend T::Sig
+
+        SKIP_DIRECTORIES = T.let(%w(.git .bazel-* bazel-* node_modules .github).freeze, T::Array[String])
+
+        sig { params(fetcher: FileFetcher).void }
+        def initialize(fetcher:)
+          @fetcher = fetcher
+        end
+
+        sig { params(directory: String).returns(T::Array[DependencyFile]) }
+        def fetch_directory_tree(directory)
+          return [] if should_skip_directory?(directory)
+
+          files = T.let([], T::Array[DependencyFile])
+
+          begin
+            repo_contents = @fetcher.send(:repo_contents, dir: directory)
+
+            repo_contents.each do |item|
+              path = item.path
+              next if path.nil? || should_skip_directory?(path)
+
+              case item.type
+              when "file"
+                fetched_file = @fetcher.send(:fetch_file_if_present, path)
+                files << fetched_file if fetched_file
+              when "dir"
+                files += fetch_directory_tree(path)
+              end
+            end
+          rescue Octokit::NotFound, Dependabot::RepoNotFound, Dependabot::DependencyFileNotFound => e
+            Dependabot.logger.warn("Skipping inaccessible directory '#{directory}': #{e.message}")
+          end
+
+          files
+        end
+
+        sig { params(directories: T::Set[String]).returns(T::Array[DependencyFile]) }
+        def fetch_build_files_for_directories(directories)
+          files = T.let([], T::Array[DependencyFile])
+          directories.each do |dir|
+            build_file = @fetcher.send(:fetch_file_if_present, "#{dir}/BUILD") ||
+                         @fetcher.send(:fetch_file_if_present, "#{dir}/BUILD.bazel")
+            files << build_file if build_file
+          end
+          files
+        end
+
+        private
+
+        sig { returns(FileFetcher) }
+        attr_reader :fetcher
+
+        sig { params(dirname: String).returns(T::Boolean) }
+        def should_skip_directory?(dirname)
+          SKIP_DIRECTORIES.any? do |skip_pattern|
+            if skip_pattern.end_with?("*")
+              dirname.start_with?(skip_pattern.chomp("*"))
+            else
+              dirname == skip_pattern || dirname.end_with?("/#{skip_pattern}")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bazel/file_fetcher/downloader_config_fetcher.rb

@@ -0,0 +1,58 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/bazel/file_fetcher"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bazel
+    class FileFetcher < Dependabot::FileFetchers::Base
+      # Fetches downloader configuration files referenced in .bazelrc.
+      # Parses .bazelrc for --downloader_config flags and fetches those files.
+      class DownloaderConfigFetcher
+        extend T::Sig
+
+        sig { params(fetcher: FileFetcher).void }
+        def initialize(fetcher:)
+          @fetcher = fetcher
+        end
+
+        sig { returns(T::Array[DependencyFile]) }
+        def fetch_downloader_config_files
+          bazelrc_file = @fetcher.send(:fetch_file_if_present, ".bazelrc")
+          return [] unless bazelrc_file
+
+          config_paths = extract_downloader_config_paths(bazelrc_file)
+          files = T.let([], T::Array[DependencyFile])
+
+          config_paths.each do |path|
+            fetched_file = @fetcher.send(:fetch_file_if_present, path)
+            files << fetched_file if fetched_file
+          rescue Dependabot::DependencyFileNotFound
+            Dependabot.logger.warn(
+              "Downloader config file '#{path}' referenced in .bazelrc but not found in repository"
+            )
+          end
+
+          files
+        end
+
+        private
+
+        sig { returns(FileFetcher) }
+        attr_reader :fetcher
+
+        sig { params(bazelrc_file: DependencyFile).returns(T::Array[String]) }
+        def extract_downloader_config_paths(bazelrc_file)
+          content = T.must(bazelrc_file.content)
+          extract_downloader_config_flags(content).reject(&:empty?).uniq
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_downloader_config_flags(content)
+          content.scan(/--downloader_config[=\s]+(\S+)/).flatten
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bazel/file_fetcher/module_path_extractor.rb

@@ -0,0 +1,83 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/bazel/file_fetcher"
+require "dependabot/bazel/file_fetcher/path_converter"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bazel
+    class FileFetcher < Dependabot::FileFetchers::Base
+      # Extracts file and directory paths referenced in MODULE.bazel files.
+      # Handles attributes like lock_file, requirements_lock, patches, and local_path_override.
+      class ModulePathExtractor
+        extend T::Sig
+
+        sig { params(module_file: DependencyFile).void }
+        def initialize(module_file:)
+          @module_file = module_file
+        end
+
+        sig { returns([T::Array[String], T::Array[String]]) }
+        def extract_paths
+          content = T.must(@module_file.content)
+          file_paths = extract_file_attribute_paths(content)
+          directory_paths = extract_directory_paths(content)
+          [file_paths.uniq, directory_paths.uniq]
+        end
+
+        private
+
+        sig { returns(DependencyFile) }
+        attr_reader :module_file
+
+        # Extracts file paths from lock_file, requirements_lock, and patches attributes.
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_file_attribute_paths(content)
+          (
+            extract_lock_file_paths(content) +
+            extract_requirements_lock_paths(content) +
+            extract_patches_paths(content)
+          ).compact
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_lock_file_paths(content)
+          content.scan(/lock_file\s*=\s*"([^"]+)"/).map { |match| PathConverter.label_to_path(T.must(match[0])) }
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_requirements_lock_paths(content)
+          content.scan(/requirements_lock\s*=\s*"([^"]+)"/).map do |match|
+            PathConverter.label_to_path(T.must(match[0]))
+          end
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_patches_paths(content)
+          patches = []
+          content.scan(/patches\s*=\s*\[([^\]]+)\]/) do |match|
+            match[0].scan(/"([^"]+)"/) { |file| patches << PathConverter.label_to_path(file[0]) }
+          end
+          content.scan(/patches\s*=\s*"([^"]+)"/) do |match|
+            patches << PathConverter.label_to_path(match[0])
+          end
+          patches
+        end
+
+        # Extracts directory paths from local_path_override attributes.
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_directory_paths(content)
+          extract_local_path_override_paths(content)
+            .reject { |path| PathConverter.should_filter_path?(path) }
+            .map { |path| PathConverter.normalize_path(path) }
+        end
+
+        sig { params(content: String).returns(T::Array[String]) }
+        def extract_local_path_override_paths(content)
+          content.scan(/local_path_override\s*\([^)]*path\s*=\s*"([^"]+)"[^)]*\)/m).flatten
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bazel/file_fetcher/path_converter.rb

@@ -0,0 +1,78 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/bazel/file_fetcher"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bazel
+    class FileFetcher < Dependabot::FileFetchers::Base
+      # Converts Bazel label syntax to filesystem paths
+      class PathConverter
+        extend T::Sig
+
+        sig { params(label: String, context_dir: T.nilable(String)).returns(String) }
+        def self.label_to_path(label, context_dir: nil)
+          path = strip_external_repo_prefix(label)
+          return resolve_relative_path(path, context_dir) if relative_path?(path)
+
+          convert_absolute_label_to_path(path)
+        end
+
+        sig { params(path: String).returns(T::Boolean) }
+        def self.should_filter_path?(path)
+          absolute_path_or_url?(path)
+        end
+
+        sig { params(path: String).returns(String) }
+        def self.normalize_path(path)
+          remove_leading_dot_slash(path)
+        end
+
+        sig { params(label: String).returns(String) }
+        private_class_method def self.strip_external_repo_prefix(label)
+          label.sub(%r{^@[^/]+//}, "")
+        end
+
+        sig { params(path: String).returns(T::Boolean) }
+        private_class_method def self.relative_path?(path)
+          path.start_with?(":")
+        end
+
+        sig { params(path: String, context_dir: T.nilable(String)).returns(String) }
+        private_class_method def self.resolve_relative_path(path, context_dir)
+          relative_file = path.sub(/^:/, "")
+          return relative_file if context_dir.nil? || context_dir == "."
+
+          "#{context_dir}/#{relative_file}"
+        end
+
+        sig { params(path: String).returns(String) }
+        private_class_method def self.convert_absolute_label_to_path(path)
+          path_with_slashes = replace_colon_separator_with_slash(path)
+          remove_leading_slashes(path_with_slashes)
+        end
+
+        sig { params(path: String).returns(String) }
+        private_class_method def self.replace_colon_separator_with_slash(path)
+          path.tr(":", "/")
+        end
+
+        sig { params(path: String).returns(String) }
+        private_class_method def self.remove_leading_slashes(path)
+          path.sub(%r{^/+}, "")
+        end
+
+        sig { params(path: String).returns(T::Boolean) }
+        private_class_method def self.absolute_path_or_url?(path)
+          path.start_with?("http://", "https://", "/", "@")
+        end
+
+        sig { params(path: String).returns(String) }
+        private_class_method def self.remove_leading_dot_slash(path)
+          path.sub(%r{^\./}, "")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bazel/file_fetcher.rb

@@ -9,12 +9,17 @@ module Dependabot
     class FileFetcher < Dependabot::FileFetchers::Base
       extend T::Sig
 
+      require_relative "file_fetcher/path_converter"
+      require_relative "file_fetcher/bzl_file_fetcher"
+      require_relative "file_fetcher/module_path_extractor"
+      require_relative "file_fetcher/directory_tree_fetcher"
+      require_relative "file_fetcher/downloader_config_fetcher"
+
       WORKSPACE_FILES = T.let(%w(WORKSPACE WORKSPACE.bazel).freeze, T::Array[String])
       MODULE_FILE = T.let("MODULE.bazel", String)
       CONFIG_FILES = T.let(
         %w(.bazelrc MODULE.bazel.lock .bazelversion maven_install.json BUILD BUILD.bazel).freeze, T::Array[String]
       )
-      SKIP_DIRECTORIES = T.let(%w(.git .bazel-* bazel-* node_modules .github).freeze, T::Array[String])
 
       sig { override.returns(String) }
       def self.required_files_message
@@ -28,21 +33,12 @@ module Dependabot
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
-        unless allow_beta_ecosystems?
-          raise Dependabot::DependencyFileNotFound.new(
-            nil,
-            "Bazel support is currently in beta. To enable it, add `enable_beta_ecosystems: true` to the" \
-            " top-level of your `dependabot.yml`. See " \
-            "https://docs.github.com/en/code-security/dependabot/working-with-dependabot" \
-            "/dependabot-options-reference#enable-beta-ecosystems for details."
-          )
-        end
-
         fetched_files = T.let([], T::Array[DependencyFile])
         fetched_files += workspace_files
         fetched_files += module_files
         fetched_files += config_files
         fetched_files += referenced_files_from_modules
+        fetched_files += downloader_config_files
 
         return fetched_files if fetched_files.any?
 
@@ -128,86 +124,72 @@ module Dependabot
         nil
       end
 
-      sig { params(dirname: String).returns(T::Boolean) }
-      def should_skip_directory?(dirname)
-        SKIP_DIRECTORIES.any? { |skip_dir| dirname.start_with?(skip_dir) }
-      end
-
-      # Fetches files referenced in MODULE.bazel files via lock_file and requirements_lock attributes.
-      # Also fetches BUILD/BUILD.bazel files from directories containing referenced files, as these
-      # are required by Bazel to recognize the directories as valid packages.
-      #
-      # This method handles Bazel label syntax and converts it to filesystem paths:
-      # - "@repo//path:file.json" -> "path/file.json"
-      # - "//path:file.json" -> "path/file.json"
-      # - "@repo//:file.json" -> "file.json"
-      #
-      # @return [Array<DependencyFile>] referenced files and their associated BUILD files
+      # Fetches files referenced in MODULE.bazel and their associated BUILD files.
+      # Bazel requires BUILD files to recognize directories as valid packages.
       sig { returns(T::Array[DependencyFile]) }
       def referenced_files_from_modules
         files = T.let([], T::Array[DependencyFile])
         directories_with_files = T.let(Set.new, T::Set[String])
+        local_override_directories = T.let(Set.new, T::Set[String])
+        tree_fetcher = DirectoryTreeFetcher.new(fetcher: self)
 
         module_files.each do |module_file|
-          referenced_paths = extract_referenced_paths(module_file)
+          extractor = ModulePathExtractor.new(module_file: module_file)
+          file_paths, directory_paths = extractor.extract_paths
 
-          referenced_paths.each do |path|
-            fetched_file = fetch_file_if_present(path)
-            next unless fetched_file
+          bzl_fetcher = BzlFileFetcher.new(module_file: module_file, fetcher: self)
+          bzl_files = bzl_fetcher.fetch_bzl_files
 
-            files << fetched_file
-            # Track directories that contain referenced files so we can fetch their BUILD files.
-            # Exclude root directory (.) as BUILD files there are already handled by config_files.
-            dir = File.dirname(path)
+          bzl_files.each do |file|
+            dir = File.dirname(file.name)
             directories_with_files.add(dir) unless dir == "."
           end
-        end
 
-        # Fetch BUILD or BUILD.bazel files for directories that contain referenced files.
-        # These BUILD files are required for Bazel to recognize directories as valid packages.
-        directories_with_files.each do |dir|
-          build_file = fetch_file_if_present("#{dir}/BUILD") || fetch_file_if_present("#{dir}/BUILD.bazel")
-          files << build_file if build_file
+          files += bzl_files
+          files += fetch_paths_and_track_directories(file_paths, directories_with_files)
+
+          directory_paths.each { |dir| local_override_directories.add(dir) unless dir == "." }
         end
 
+        files += tree_fetcher.fetch_build_files_for_directories(directories_with_files)
+        files += fetch_local_override_directory_trees(local_override_directories)
+
         files
       end
 
-      # Extracts file paths from lock_file and requirements_lock attributes in MODULE.bazel content.
-      # Converts Bazel label syntax to filesystem paths.
-      #
-      # Bazel labels can have several formats:
-      # - "@repo//path:file" - external or self-referential repository with path
-      # - "//path:file" - main repository reference with path
-      # - "@repo//:file" - external or self-referential repository root file
-      # - "//:file" - main repository root file
-      #
-      # The method:
-      # 1. Strips optional @repo prefix
-      # 2. Converts colon separators to forward slashes (path:file -> path/file)
-      # 3. Removes leading slashes to create relative paths
-      #
-      # @param module_file [DependencyFile] the MODULE.bazel file to parse
-      # @return [Array<String>] unique relative file paths referenced in the module
-      sig { params(module_file: DependencyFile).returns(T::Array[String]) }
-      def extract_referenced_paths(module_file)
-        content = T.must(module_file.content)
-        paths = []
-
-        # Match lock_file attributes with optional @repo prefix: "(?:@[^"\/]+)?\/\/([^"]+)"
-        # Capture group 1: everything after // (e.g., "tools/jol:file.json" or ":file.json")
-        content.scan(%r{lock_file\s*=\s*"(?:@[^"/]+)?//([^"]+)"}) do |match|
-          path = match[0].tr(":", "/").sub(%r{^/}, "")
-          paths << path
-        end
+      # Fetches files and tracks their directories for BUILD file resolution.
+      sig do
+        params(
+          paths: T::Array[String],
+          directories: T::Set[String]
+        ).returns(T::Array[DependencyFile])
+      end
+      def fetch_paths_and_track_directories(paths, directories)
+        files = T.let([], T::Array[DependencyFile])
+        paths.each do |path|
+          fetched_file = fetch_file_if_present(path)
+          next unless fetched_file
 
-        # Match requirements_lock attributes with optional @repo prefix
-        content.scan(%r{requirements_lock\s*=\s*"(?:@[^"/]+)?//([^"]+)"}) do |match|
-          path = match[0].tr(":", "/").sub(%r{^/}, "")
-          paths << path
+          files << fetched_file
+          dir = File.dirname(path)
+          directories.add(dir) unless dir == "."
         end
+        files
+      end
 
-        paths.uniq
+      # Fetches complete directory trees for local module overrides.
+      sig { params(directories: T::Set[String]).returns(T::Array[DependencyFile]) }
+      def fetch_local_override_directory_trees(directories)
+        tree_fetcher = DirectoryTreeFetcher.new(fetcher: self)
+        files = T.let([], T::Array[DependencyFile])
+        directories.each { |dir| files += tree_fetcher.fetch_directory_tree(dir) }
+        files
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def downloader_config_files
+        config_fetcher = DownloaderConfigFetcher.new(fetcher: self)
+        config_fetcher.fetch_downloader_config_files
       end
     end
   end

data/lib/dependabot/bazel/file_parser.rb

@@ -169,8 +169,7 @@ module Dependabot
           name = func_call.arguments["name"]
           version = func_call.arguments["version"]
 
-          # Ensure name and version are strings
-          next unless name.is_a?(String) && version.is_a?(String)
+          next unless name.is_a?(String) && version.is_a?(String) && !name.empty? && !version.empty?
 
           dependency_set << Dependabot::Dependency.new(
             name: name,

data/lib/dependabot/bazel/version.rb

@@ -9,13 +9,72 @@ module Dependabot
     class Version < Dependabot::Version
       extend T::Sig
 
-      # Bazel uses semantic versioning with hyphens for pre-release versions (e.g., "1.7.0-rc4")
-      # Dependabot::Version normalizes these to dot notation with "pre" prefix (e.g., "1.7.0.pre.rc4")
-      # We need to preserve the original format for Bazel Central Registry compatibility
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version)
+        @original_version = T.let(version.to_s, String)
+        @bcr_suffix = T.let(parse_bcr_suffix(@original_version), T.nilable(Integer))
+
+        base_version = remove_bcr_suffix(@original_version)
+        super(base_version)
+
+        @original_version = version.to_s
+      end
+
       sig { override.returns(String) }
       def to_s
         @original_version
       end
+
+      sig { returns(T.nilable(Integer)) }
+      attr_reader :bcr_suffix
+
+      sig { override.params(other: T.untyped).returns(T.nilable(Integer)) }
+      def <=>(other)
+        other_bazel = convert_to_bazel_version(other)
+        return nil unless other_bazel
+
+        base_comparison = super(other_bazel)
+        return base_comparison unless base_comparison&.zero?
+
+        compare_bcr_suffixes(@bcr_suffix, other_bazel.bcr_suffix)
+      end
+
+      private
+
+      sig { params(version_string: String).returns(T.nilable(Integer)) }
+      def parse_bcr_suffix(version_string)
+        match = version_string.match(/\.bcr\.(\d+)$/)
+        match ? T.must(match[1]).to_i : nil
+      end
+
+      sig { params(version_string: String).returns(String) }
+      def remove_bcr_suffix(version_string)
+        version_string.sub(/\.bcr\.\d+$/, "")
+      end
+
+      sig { params(other: T.untyped).returns(T.nilable(Dependabot::Bazel::Version)) }
+      def convert_to_bazel_version(other)
+        case other
+        when Dependabot::Bazel::Version
+          other
+        when Gem::Version
+          T.cast(Dependabot::Bazel::Version.new(other.to_s), Dependabot::Bazel::Version)
+        when String
+          T.cast(Dependabot::Bazel::Version.new(other), Dependabot::Bazel::Version)
+        when Dependabot::Version
+          T.cast(Dependabot::Bazel::Version.new(other.to_s), Dependabot::Bazel::Version)
+        end
+      end
+
+      sig { params(ours: T.nilable(Integer), theirs: T.nilable(Integer)).returns(Integer) }
+      def compare_bcr_suffixes(ours, theirs)
+        return ours <=> theirs if ours && theirs
+
+        return 1 if ours
+        return -1 if theirs
+
+        0
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bazel
 version: !ruby/object:Gem::Version
-  version: 0.349.0
+  version: 0.350.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.349.0
+        version: 0.350.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.349.0
+        version: 0.350.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -243,6 +243,11 @@ extra_rdoc_files: []
 files:
 - lib/dependabot/bazel.rb
 - lib/dependabot/bazel/file_fetcher.rb
+- lib/dependabot/bazel/file_fetcher/bzl_file_fetcher.rb
+- lib/dependabot/bazel/file_fetcher/directory_tree_fetcher.rb
+- lib/dependabot/bazel/file_fetcher/downloader_config_fetcher.rb
+- lib/dependabot/bazel/file_fetcher/module_path_extractor.rb
+- lib/dependabot/bazel/file_fetcher/path_converter.rb
 - lib/dependabot/bazel/file_parser.rb
 - lib/dependabot/bazel/file_parser/starlark_parser.rb
 - lib/dependabot/bazel/file_updater.rb
@@ -263,7 +268,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.349.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.350.0
 rdoc_options: []
 require_paths:
 - lib