dependabot-cargo 0.257.0 → 0.259.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eefbdb0310f3616da7f5bc60389b5bd7434c682db14aef08566702e8b03e6b25
-  data.tar.gz: 0e7d63534c80eb8d092b322780860761b5294350c5eb94f55b715c759cc5a9bf
+  metadata.gz: f574254dc30cded50cbacf3c567318d9420c3697663bf4b7755c0efe3bd7be8d
+  data.tar.gz: 11e7d101a66a74feef633458f7f166bc52710123123b9c14e8d1a37159f793b2
 SHA512:
-  metadata.gz: 364cc6f48413688b33b72a66b1680cbd38916335aa4e176ebaa4225bf92ab46a774d413ca11bb0b806a9ca96f47f684e6499777eb9921aae09ed4e129bbef51a
-  data.tar.gz: b2c27e2635185e83e46d03d8516c288e36f8bc39fde21e7e21e902d0730876f6953b5798dade000c06dda3788ac49eb5fcc35ffd50d35f13171d37e0fbe34156
+  metadata.gz: 623435a9303a427346727fd956806425f47ad30bd875b99c1deb5b31eac564673299d69227259ee37ee32816b7617bd97d51b1835d339f81325c5368818d4f19
+  data.tar.gz: c3c2f43eaadb3809cdf9535b0ba0f1b708d984f0610ffd3d1d10bad4fb298cefea1adca42b8ab90810108ca453e4eb77ce1a6b92556f269943e7f80d7cc4cecc

data/lib/dependabot/cargo/helpers.rb

@@ -17,7 +17,7 @@ module Dependabot
           # (We must add these environment variables here, or 'cargo update' will not think it is
           # configured properly for the private registries.)
 
-          token_env_var = "CARGO_REGISTRIES_#{cred['cargo_registry'].upcase.tr('-', '_')}_TOKEN"
+          token_env_var = "CARGO_REGISTRIES_#{cred['registry'].upcase.tr('-', '_')}_TOKEN"
 
           token = "placeholder_token"
           if cred["token"].nil?

data/lib/dependabot/cargo/metadata_finder.rb

@@ -48,26 +48,40 @@ module Dependabot
 
         info = dependency.requirements.filter_map { |r| r[:source] }.first
         index = (info && info[:index]) || CRATES_IO_API
+        hdrs = build_headers(index, info)
 
-        # Default request headers
+        url = metadata_fetch_url(dependency, index)
+        response = fetch_metadata(url, hdrs)
+
+        @crates_listing = parse_response(response, index)
+      end
+
+      def build_headers(index, info)
         hdrs = { "User-Agent" => "Dependabot (dependabot.com)" }
+        return hdrs if index == CRATES_IO_API
 
-        if index != CRATES_IO_API
-          # Add authentication headers if credentials are present for this registry
-          credentials.find { |cred| cred["type"] == "cargo_registry" && cred["registry"] == info[:name] }&.tap do |cred|
-            hdrs["Authorization"] = "Token #{cred['token']}"
-          end
+        credentials.find { |cred| cred["type"] == "cargo_registry" && cred["registry"] == info[:name] }&.tap do |cred|
+          hdrs["Authorization"] = "Token #{cred['token']}"
         end
 
-        url = metadata_fetch_url(dependency, index)
+        hdrs
+      end
 
-        response = Excon.get(
+      def fetch_metadata(url, headers)
+        Excon.get(
           url,
           idempotent: true,
-          **SharedHelpers.excon_defaults(headers: hdrs)
+          **SharedHelpers.excon_defaults(headers: headers)
         )
+      end
 
-        @crates_listing = JSON.parse(response.body)
+      def parse_response(response, index)
+        if index.start_with?("sparse+")
+          parsed_response = response.body.lines.map { |line| JSON.parse(line) }
+          { "versions" => parsed_response }
+        else
+          JSON.parse(response.body)
+        end
       end
 
       def metadata_fetch_url(dependency, index)

data/lib/dependabot/cargo/update_checker/latest_version_finder.rb

@@ -97,46 +97,33 @@ module Dependabot
           crates_listing
             .fetch("versions", [])
             .reject { |v| v["yanked"] }
-            .map { |v| version_class.new(v.fetch("num")) }
+            # Handle both default and sparse registry responses.
+            # Default registry uses "num" for version number.
+            # Sparse registry uses "vers" for version number.
+            .map do |v|
+              version_number = v["num"] || v["vers"]
+              version_class.new(version_number)
+            end
         end
 
         def crates_listing
           return @crates_listing unless @crates_listing.nil?
 
-          info = dependency.requirements.filter_map { |r| r[:source] }.first
-          index = (info && info[:index]) || CRATES_IO_API
-
-          # Default request headers
-          hdrs = { "User-Agent" => "Dependabot (dependabot.com)" }
-
-          if index != CRATES_IO_API
-            # Add authentication headers if credentials are present for this registry
-            registry_creds = credentials.find do |cred|
-              cred["type"] == "cargo_registry" && cred["registry"] == info[:name]
-            end
-
-            unless registry_creds.nil?
-              # If there is a credential, but no actual token at this point, it means that dependabot-cli
-              # stripped the token from our credentials. In this case, the dependabot proxy will reintroduce
-              # the correct token, so we just use 'placeholder_token' as the token value.
-              token = registry_creds["token"] || "placeholder_token"
+          info = fetch_dependency_info
+          index = fetch_index(info)
 
-              hdrs["Authorization"] = token
-            end
-          end
+          hdrs = default_headers
+          hdrs.merge!(auth_headers(info)) if index != CRATES_IO_API
 
           url = metadata_fetch_url(dependency, index)
 
           # B4PR
           puts "Calling #{url} to fetch metadata for #{dependency.name} from #{index}"
 
-          response = Excon.get(
-            url,
-            idempotent: true,
-            **SharedHelpers.excon_defaults(headers: hdrs)
-          )
+          response = fetch_response(url, hdrs)
+          return {} if response.status == 404
 
-          @crates_listing = JSON.parse(response.body)
+          @crates_listing = parse_response(response, index)
 
           # B4PR
           puts "Fetched metadata for #{dependency.name} from #{index} successfully"
@@ -145,6 +132,46 @@ module Dependabot
           @crates_listing
         end
 
+        def fetch_dependency_info
+          dependency.requirements.filter_map { |r| r[:source] }.first
+        end
+
+        def fetch_index(info)
+          (info && info[:index]) || CRATES_IO_API
+        end
+
+        def default_headers
+          { "User-Agent" => "Dependabot (dependabot.com)" }
+        end
+
+        def auth_headers(info)
+          registry_creds = credentials.find do |cred|
+            cred["type"] == "cargo_registry" && cred["registry"] == info[:name]
+          end
+
+          return {} if registry_creds.nil?
+
+          token = registry_creds["token"] || "placeholder_token"
+          { "Authorization" => token }
+        end
+
+        def fetch_response(url, headers)
+          Excon.get(
+            url,
+            idempotent: true,
+            **SharedHelpers.excon_defaults(headers: headers)
+          )
+        end
+
+        def parse_response(response, index)
+          if index.start_with?("sparse+")
+            parsed_response = response.body.lines.map { |line| JSON.parse(line) }
+            { "versions" => parsed_response }
+          else
+            JSON.parse(response.body)
+          end
+        end
+
         def metadata_fetch_url(dependency, index)
           return "#{index}/#{dependency.name}" if index == CRATES_IO_API
 

data/lib/dependabot/cargo/update_checker/requirements_updater.rb

@@ -141,7 +141,11 @@ module Dependabot
             raise UnfixableRequirement if req.start_with?(">")
 
             req.sub(VERSION_REGEX) do |old_version|
-              update_greatest_version(old_version, target_version)
+              if req.start_with?("<=")
+                target_version
+              else
+                update_greatest_version(old_version, target_version)
+              end
             end
           end.join(", ")
         rescue UnfixableRequirement

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.257.0
+  version: 0.259.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-05-13 00:00:00.000000000 Z
+date: 2024-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.257.0
+        version: 0.259.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.257.0
+        version: 0.259.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -263,7 +263,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.257.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.259.0
 post_install_message: 
 rdoc_options: []
 require_paths: