dependabot-cargo 0.320.0 → 0.321.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 456d0a29e38e5d82efcac6d4dc9c61ac255200a7878b153ce29fbe4f8ef5950f
-  data.tar.gz: 8bc0a3d97c153197754a9061e3d18ac6905f0e0d11168cdb2050327452d592e7
+  metadata.gz: c526ec59aec95145c21fd881e22410135a2c342a8b631060ade37b89271427c7
+  data.tar.gz: cefe48ec5bed87ebc31c4dde569f739448060ad975fd0161810b705cbfafcf49
 SHA512:
-  metadata.gz: 1e7deb3de9f1c7cf0a0a3f061417981beac4af6a5fefa1ba3ce84c839b7075297e084c98bfce34b1032a9240bf2982ce39d64befd80faa8221fdac7b6d56a171
-  data.tar.gz: c90e14e9c87a1cea521f82d8644a3ca474a2a45bb90bd95dc227e03b28efdafa723f8f5c0b9bd0132538fff9663cfdfcb53f38c4e5db78509a0301007aea8308
+  metadata.gz: e5877226f7656615f62cf1e5d1376d159f9bbe71b2d7d1dc575d9f5edbcbcfc14d7ba93fb70f0b802fc5fb1f7faca182171787261a58df8e05a50183767b35ff
+  data.tar.gz: 489b23fc468b4997093d4d7e4adabb1af961f82de82c05f029e5cc103c7b7d6d0e779aef2a45cb9e0ed122c6a1a49941eac1e9fae1f034229d22a24abc11234b

data/lib/dependabot/cargo/file_updater/lockfile_updater.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "toml-rb"
 require "open3"
 require "dependabot/git_commit_checker"
@@ -12,22 +13,39 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Cargo
     class FileUpdater
+      # rubocop:disable Metrics/ClassLength
       class LockfileUpdater
+        extend T::Sig
         LOCKFILE_ENTRY_REGEX = /
           \[\[package\]\]\n
-          (?:(?!^\[(\[package|metadata)).)+
+          (?:(?!^\[(?:\[package|metadata)).)+
         /mx
 
         LOCKFILE_CHECKSUM_REGEX = /^"checksum .*$/
 
-        def initialize(dependencies:, dependency_files:, credentials:)
-          @dependencies = dependencies
-          @dependency_files = dependency_files
-          @credentials = credentials
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
         end
-
+        def initialize(dependencies:, dependency_files:, credentials:)
+          @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
+          @custom_specification = T.let(nil, T.nilable(String))
+          @git_ssh_requirements_to_swap = T.let(nil, T.nilable(T::Hash[String, String]))
+          @manifest_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @path_dependency_files = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @lockfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
+          @toolchain = T.let(nil, T.nilable(Dependabot::DependencyFile))
+          @config = T.let(nil, T.nilable(Dependabot::DependencyFile))
+        end
+
+        sig { returns(T.any(String, T.noreturn)) }
         def updated_lockfile_content
-          base_directory = dependency_files.first.directory
+          base_directory = T.must(dependency_files.first).directory
           SharedHelpers.in_a_temporary_directory(base_directory) do
             write_temporary_dependency_files
 
@@ -42,6 +60,18 @@ module Dependabot
 
             next updated_lockfile if updated_lockfile.include?(desired_lockfile_content)
 
+            # If exact version match fails, accept any update
+            if dependency_updated?(updated_lockfile, dependency)
+              actual_version = extract_actual_version(updated_lockfile, dependency.name)
+              if actual_version && actual_version != dependency.version
+                Dependabot.logger.info(
+                  "Cargo selected version #{actual_version} instead of #{dependency.version} for #{dependency.name} " \
+                  "due to dependency constraints"
+                )
+              end
+              next updated_lockfile
+            end
+
             raise "Failed to update #{dependency.name}!"
           end
         rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
@@ -51,15 +81,22 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[T.untyped]) }
         attr_reader :credentials
 
         # Currently, there will only be a single updated dependency
+        sig { returns(Dependabot::Dependency) }
         def dependency
-          dependencies.first
+          T.must(dependencies.first)
         end
 
+        sig { params(error: StandardError).returns(T.noreturn) }
         def handle_cargo_error(error)
           raise unless error.message.include?("failed to select a version") ||
                        error.message.include?("no matching version") ||
@@ -72,6 +109,7 @@ module Dependabot
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/AbcSize
+        sig { params(error: StandardError).returns(T::Boolean) }
         def better_specification_needed?(error)
           return false if @custom_specification
           return false unless error.message.match?(/specification .* is ambigu/)
@@ -85,16 +123,16 @@ module Dependabot
                   dependency.version
                 end
 
-          if spec_options.count { |s| s.end_with?(ver) } == 1
+          if ver && spec_options.count { |s| s.end_with?(ver) } == 1
             @custom_specification = spec_options.find { |s| s.end_with?(ver) }
             return true
-          elsif spec_options.count { |s| s.end_with?(ver) } > 1
+          elsif ver && spec_options.count { |s| s.end_with?(ver) } > 1
             spec_options.select! { |s| s.end_with?(ver) }
           end
 
           if git_dependency? && git_source_url &&
-             spec_options.count { |s| s.include?(git_source_url) } >= 1
-            spec_options.select! { |s| s.include?(git_source_url) }
+             spec_options.count { |s| s.include?(T.must(git_source_url)) } >= 1
+            spec_options.select! { |s| s.include?(T.must(git_source_url)) }
           end
 
           @custom_specification = spec_options.first
@@ -104,6 +142,7 @@ module Dependabot
         # rubocop:enable Metrics/CyclomaticComplexity
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { returns(String) }
         def dependency_spec
           return @custom_specification if @custom_specification
 
@@ -118,26 +157,30 @@ module Dependabot
           spec
         end
 
+        sig { returns(T.nilable(String)) }
         def git_previous_version
           TomlRB.parse(lockfile.content)
                 .fetch("package", [])
                 .select { |p| p["name"] == dependency.name }
                 .find { |p| p["source"].end_with?(dependency.previous_version) }
-                .fetch("version")
+                &.fetch("version")
         end
 
+        sig { returns(T.nilable(String)) }
         def git_source_url
           dependency.previous_requirements
-                    .find { |r| r.dig(:source, :type) == "git" }
+                    &.find { |r| r.dig(:source, :type) == "git" }
                     &.dig(:source, :url)
         end
 
+        sig { returns(String) }
         def desired_lockfile_content
-          return dependency.version if git_dependency?
+          return T.must(dependency.version) if git_dependency?
 
           %(name = "#{dependency.name}"\nversion = "#{dependency.version}")
         end
 
+        sig { params(command: String, fingerprint: String).void }
         def run_cargo_command(command, fingerprint:)
           start = Time.now
           command = SharedHelpers.escape_command(command)
@@ -176,6 +219,7 @@ module Dependabot
           )
         end
 
+        sig { params(message: String).returns(T::Boolean) }
         def using_old_toolchain?(message)
           return true if message.include?("usage of sparse registries requires `-Z sparse-registry`")
 
@@ -185,18 +229,20 @@ module Dependabot
           version_class.new(version_log[:version]) < version_class.new("1.68")
         end
 
+        sig { void }
         def write_temporary_dependency_files
           write_temporary_manifest_files
           write_temporary_path_dependency_files
 
           File.write(lockfile.name, lockfile.content)
-          File.write(toolchain.name, toolchain.content) if toolchain
+          File.write(T.must(toolchain).name, T.must(toolchain).content) if toolchain
           return unless config
 
-          FileUtils.mkdir_p(File.dirname(config.name))
-          File.write(config.name, config.content)
+          FileUtils.mkdir_p(File.dirname(T.must(config).name))
+          File.write(T.must(config).name, T.must(config).content)
         end
 
+        sig { void }
         def write_temporary_manifest_files
           manifest_files.each do |file|
             path = file.name
@@ -214,6 +260,7 @@ module Dependabot
           end
         end
 
+        sig { void }
         def write_temporary_path_dependency_files
           path_dependency_files.each do |file|
             path = file.name
@@ -227,6 +274,7 @@ module Dependabot
           end
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def prepared_manifest_content(file)
           content = updated_manifest_content(file)
           content = pin_version(content) unless git_dependency?
@@ -236,12 +284,14 @@ module Dependabot
           content
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def prepared_path_dependency_content(file)
-          content = file.content.dup
+          content = T.must(file.content).dup
           content = replace_ssh_urls(content)
           content
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def updated_manifest_content(file)
           ManifestUpdater.new(
             dependencies: dependencies,
@@ -249,6 +299,7 @@ module Dependabot
           ).updated_manifest_content
         end
 
+        sig { params(content: String).returns(String) }
         def pin_version(content)
           parsed_manifest = TomlRB.parse(content)
 
@@ -269,6 +320,7 @@ module Dependabot
           TomlRB.dump(parsed_manifest)
         end
 
+        sig { params(parsed_manifest: T::Hash[String, T.untyped]).void }
         def pin_target_specific_dependencies!(parsed_manifest)
           parsed_manifest.fetch("target", {}).each do |target, t_details|
             Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
@@ -288,6 +340,7 @@ module Dependabot
           end
         end
 
+        sig { params(content: String).returns(String) }
         def replace_ssh_urls(content)
           git_ssh_requirements_to_swap.each do |ssh_url, https_url|
             content = content.gsub(ssh_url, https_url)
@@ -295,18 +348,21 @@ module Dependabot
           content
         end
 
+        sig { params(content: String).returns(String) }
         def remove_binary_specifications(content)
           parsed_manifest = TomlRB.parse(content)
           parsed_manifest.delete("bin")
           TomlRB.dump(parsed_manifest)
         end
 
+        sig { params(content: String).returns(String) }
         def remove_default_run_specification(content)
           parsed_manifest = TomlRB.parse(content)
           parsed_manifest["package"].delete("default-run") if parsed_manifest.dig("package", "default-run")
           TomlRB.dump(parsed_manifest)
         end
 
+        sig { params(content: String).returns(String) }
         def post_process_lockfile(content)
           git_ssh_requirements_to_swap.each do |ssh_url, https_url|
             content = content.gsub(https_url, ssh_url)
@@ -316,6 +372,7 @@ module Dependabot
           content
         end
 
+        sig { returns(T::Hash[String, String]) }
         def git_ssh_requirements_to_swap
           return @git_ssh_requirements_to_swap if @git_ssh_requirements_to_swap
 
@@ -338,6 +395,7 @@ module Dependabot
           @git_ssh_requirements_to_swap
         end
 
+        sig { params(lockfile_content: String).returns(String) }
         def remove_duplicate_lockfile_entries(lockfile_content)
           # Loop through the lockfile entries looking for duplicates. Replace
           # any that are found
@@ -368,10 +426,12 @@ module Dependabot
           lockfile_content
         end
 
+        sig { returns(String) }
         def dummy_app_content
           %{fn main() {\nprintln!("Hello, world!");\n}}
         end
 
+        sig { returns(T::Boolean) }
         def git_dependency?
           GitCommitChecker.new(
             dependency: dependency,
@@ -379,6 +439,7 @@ module Dependabot
           ).git_dependency?
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def manifest_files
           @manifest_files ||=
             dependency_files
@@ -386,6 +447,7 @@ module Dependabot
             .reject(&:support_file?)
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def path_dependency_files
           @path_dependency_files ||=
             dependency_files
@@ -393,27 +455,77 @@ module Dependabot
             .select(&:support_file?)
         end
 
+        sig { returns(Dependabot::DependencyFile) }
         def lockfile
           @lockfile ||= dependency_files.find { |f| f.name == "Cargo.lock" }
+          T.must(@lockfile)
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def toolchain
           @toolchain ||=
             dependency_files.find { |f| f.name == "rust-toolchain" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def config
           @config ||= dependency_files.find { |f| f.name == ".cargo/config.toml" }
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
         def virtual_manifest?(file)
-          !file.content.include?("[package]")
+          !T.must(file.content).include?("[package]")
         end
 
+        sig { returns(T.class_of(Gem::Version)) }
         def version_class
           dependency.version_class
         end
+
+        sig { params(lockfile_content: String, dependency: Dependabot::Dependency).returns(T::Boolean) }
+        def dependency_updated?(lockfile_content, dependency)
+          return false unless dependency.previous_version
+
+          # For multiple versions case, we need to check the specific entry
+          # that corresponds to our dependency (the one used by our package)
+          entries = T.let([], T::Array[String])
+          lockfile_content.scan(LOCKFILE_ENTRY_REGEX) do
+            entries << Regexp.last_match.to_s
+          end
+          entries.select! { |entry| entry.include?("name = \"#{dependency.name}\"") }
+
+          # Check if any entry has a version newer than the previous version
+          entries.any? do |entry|
+            version_match = entry.match(/version = "([^"]+)"/)
+            next false unless version_match
+
+            new_version = version_match[1]
+            # Only consider it updated if it's newer than the previous version
+            # and either matches our expected version or is at least newer than previous
+            dependency.version_class.new(new_version) > dependency.version_class.new(dependency.previous_version)
+          end
+        end
+
+        sig { params(lockfile_content: String, dependency_name: String).returns(T.nilable(String)) }
+        def extract_actual_version(lockfile_content, dependency_name)
+          entries = T.let([], T::Array[String])
+          lockfile_content.scan(LOCKFILE_ENTRY_REGEX) do
+            entries << Regexp.last_match.to_s
+          end
+          entries.select! { |entry| entry.include?("name = \"#{dependency_name}\"") }
+
+          # Get the highest version from matching entries
+          versions = entries.filter_map do |entry|
+            version_match = entry.match(/version = "([^"]+)"/)
+            version_match&.captures&.first
+          end
+
+          return nil if versions.empty?
+
+          versions.max_by { |v| version_class.new(v) }
+        end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/cargo/update_checker/latest_version_finder.rb

@@ -56,7 +56,7 @@ module Dependabot
 
         sig { override.returns(T::Boolean) }
         def cooldown_enabled?
-          Dependabot::Experiments.enabled?(:enable_cooldown_for_cargo)
+          true
         end
 
         private

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.320.0
+  version: 0.321.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.320.0
+        version: 0.321.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.320.0
+        version: 0.321.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -265,7 +265,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.320.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.321.0
 rdoc_options: []
 require_paths:
 - lib