dependabot-cargo 0.325.1 → 0.326.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16f73abf3755178c72c29e83289797a4ed369364e69166caefb51082893b9f6c
-  data.tar.gz: cbe0877963a964dd7799635533fcd310792b8ef1fef882b92aee02564a84b653
+  metadata.gz: 649b2e05f391db12ac0c0a2b684c1307d08c0f70d63cda70fbcf38b684b0ced6
+  data.tar.gz: 2d99e07be08c7d16413c23a93fa05475aa8958fb32690e8685a9ffa5cd2fc3a0
 SHA512:
-  metadata.gz: 1d1b6bf9acebd9fdcea9b2a9423fad240dd06b6854d58ed3b69322436869261cc3a0d0b24f388d3fabf6d79d8f78980518085fb463ad5c1321952c9258f11007
-  data.tar.gz: 0cc86b9dec23ac4c5fc1fae9237c9aa55d611402f77ddf9e996aca436c823a238362ea6dab631060f47be18f97e234b215e43cb90df97047be4c838a6b2681ce
+  metadata.gz: 7edc7ef35e787abbc520058bf77514c0ac6837cee2f1bfafe02cac7e5b698d58459f22a7a01f02d5ea00d5515a7506bdf6e64103a2675feac0d4f4841a1d7787
+  data.tar.gz: 871c65564b60b9d5a3a29a61ec56b86a5b8ddb302b6ac5db11e965fc6eb75272793bb67898ed8fe823ffbf10ff7c9f3fb3dbe361c340cb372145af65becf6f1f

data/lib/dependabot/cargo/file_parser.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "toml-rb"
@@ -25,6 +25,7 @@ module Dependabot
       DEPENDENCY_TYPES =
         %w(dependencies dev-dependencies build-dependencies).freeze
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         check_rust_workspace_root
 
@@ -88,10 +89,14 @@ module Dependabot
         end, T.nilable(String))
       end
 
+      sig { void }
       def check_rust_workspace_root
         cargo_toml = dependency_files.find { |f| f.name == "Cargo.toml" }
-        workspace_root = parsed_file(cargo_toml).dig("package", "workspace")
-        return unless workspace_root
+        workspace_root = parsed_file(T.must(cargo_toml))
+        return unless workspace_root.is_a?(Hash)
+
+        workspace_config = workspace_root.dig("package", "workspace")
+        return unless workspace_config
 
         msg = "This project is part of a Rust workspace but is not the " \
               "workspace root." \
@@ -106,20 +111,32 @@ module Dependabot
       # rubocop:disable Metrics/AbcSize
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(DependencySet) }
       def manifest_dependencies
         dependency_set = DependencySet.new
 
         manifest_files.each do |file|
+          parsed_content = parsed_file(file)
+          next unless parsed_content.is_a?(Hash)
+
           DEPENDENCY_TYPES.each do |type|
-            parsed_file(file).fetch(type, {}).each do |name, requirement|
+            parsed_content.fetch(type, {}).each do |name, requirement|
+              # Skip workspace-inherited dependencies (similar to pnpm catalog)
+              # Only skip if workspace is exactly boolean true
+              next if requirement.is_a?(Hash) && requirement["workspace"] == true
+
               next unless name == name_from_declaration(name, requirement)
               next if lockfile && !version_from_lockfile(name, requirement)
 
               dependency_set << build_dependency(name, requirement, type, file)
             end
 
-            parsed_file(file).fetch("target", {}).each do |_, t_details|
+            parsed_content.fetch("target", {}).each do |_, t_details|
               t_details.fetch(type, {}).each do |name, requirement|
+                # Skip workspace-inherited dependencies
+                # Only skip if workspace is exactly boolean true
+                next if requirement.is_a?(Hash) && requirement["workspace"] == true
+
                 next unless name == name_from_declaration(name, requirement)
                 next if lockfile && !version_from_lockfile(name, requirement)
 
@@ -129,7 +146,7 @@ module Dependabot
             end
           end
 
-          workspace = parsed_file(file).fetch("workspace", {})
+          workspace = parsed_content.fetch("workspace", {})
           workspace.fetch("dependencies", {}).each do |name, requirement|
             next unless name == name_from_declaration(name, requirement)
             next if lockfile && !version_from_lockfile(name, requirement)
@@ -145,6 +162,10 @@ module Dependabot
       # rubocop:enable Metrics/CyclomaticComplexity
       # rubocop:enable Metrics/PerceivedComplexity
 
+      sig do
+        params(name: String, requirement: T.any(String, T::Hash[String, String]), type: String,
+               file: Dependabot::DependencyFile).returns(Dependency)
+      end
       def build_dependency(name, requirement, type, file)
         Dependency.new(
           name: name,
@@ -159,11 +180,15 @@ module Dependabot
         )
       end
 
+      sig { returns(DependencySet) }
       def lockfile_dependencies
         dependency_set = DependencySet.new
         return dependency_set unless lockfile
 
-        parsed_file(lockfile).fetch("package", []).each do |package_details|
+        lockfile_content = parsed_file(T.must(lockfile))
+        return dependency_set unless lockfile_content.is_a?(Hash)
+
+        lockfile_content.fetch("package", []).each do |package_details|
           next unless package_details["source"]
 
           # TODO: This isn't quite right, as it will only give us one
@@ -179,40 +204,49 @@ module Dependabot
         dependency_set
       end
 
+      sig { returns(T::Array[String]) }
       def patched_dependencies
         root_manifest = manifest_files.find { |f| f.name == "Cargo.toml" }
-        return [] unless parsed_file(root_manifest)["patch"]
+        parsed_content = parsed_file(T.must(root_manifest))
+        return [] unless parsed_content.is_a?(Hash)
+        return [] unless parsed_content["patch"]
 
-        parsed_file(root_manifest)["patch"].values.flat_map(&:keys)
+        parsed_content["patch"].values.flat_map(&:keys)
       end
 
+      sig { params(declaration: T.any(String, T::Hash[String, String])).returns(T.nilable(String)) }
       def requirement_from_declaration(declaration)
         if declaration.is_a?(String)
-          return declaration == "" ? nil : declaration
-        end
-        raise "Unexpected dependency declaration: #{declaration}" unless declaration.is_a?(Hash)
-        return declaration["version"] if declaration["version"].is_a?(String) && declaration["version"] != ""
+          declaration == "" ? nil : declaration
+        else
+          return declaration["version"] if declaration["version"].is_a?(String) && declaration["version"] != ""
 
-        nil
+          nil
+        end
       end
 
+      sig { params(name: String, declaration: T.any(String, T::Hash[String, String])).returns(String) }
       def name_from_declaration(name, declaration)
-        return name if declaration.is_a?(String)
-        raise "Unexpected dependency declaration: #{declaration}" unless declaration.is_a?(Hash)
-
-        declaration.fetch("package", name)
+        if declaration.is_a?(String)
+          name
+        else
+          declaration.fetch("package", name)
+        end
       end
 
+      sig { params(declaration: T.any(String, T::Hash[String, String])).returns(T.nilable(T::Hash[Symbol, String])) }
       def source_from_declaration(declaration)
-        return if declaration.is_a?(String)
-        raise "Unexpected dependency declaration: #{declaration}" unless declaration.is_a?(Hash)
-
-        return git_source_details(declaration) if declaration["git"]
-        return { type: "path" } if declaration["path"]
+        if declaration.is_a?(String)
+          nil
+        else
+          return git_source_details(declaration) if declaration["git"]
+          return { type: "path" } if declaration["path"]
 
-        registry_source_details(declaration)
+          registry_source_details(declaration)
+        end
       end
 
+      sig { params(declaration: T.any(String, T::Hash[String, String])).returns(T.nilable(T::Hash[Symbol, String])) }
       def registry_source_details(declaration)
         registry_name = declaration["registry"]
         return if registry_name.nil?
@@ -242,6 +276,7 @@ module Dependabot
         end
       end
 
+      sig { params(registry_name: String, index_url: String).returns(T::Hash[Symbol, String]) }
       def sparse_registry_source_details(registry_name, index_url)
         token = credentials.find do |cred|
           cred["type"] == "cargo_registry" && cred["registry"] == registry_name
@@ -268,25 +303,35 @@ module Dependabot
 
       # Looks up dotted key name in cargo config
       # e.g. "registries.my_registry.index"
+      sig { params(key_name: String).returns(T.nilable(String)) }
       def cargo_config_field(key_name)
         cargo_config_from_env(key_name) || cargo_config_from_file(key_name)
       end
 
+      sig { params(key_name: String).returns(T.nilable(String)) }
       def cargo_config_from_env(key_name)
         env_var = "CARGO_#{key_name.upcase.tr('-.', '_')}"
         ENV.fetch(env_var, nil)
       end
 
+      sig { params(key_name: String).returns(T.nilable(String)) }
       def cargo_config_from_file(key_name)
-        parsed_file(cargo_config).dig(*key_name.split("."))
+        config_file = cargo_config
+        return nil unless config_file
+
+        parsed_file(config_file).dig(*key_name.split("."))
       end
 
+      sig { params(name: String, declaration: T.any(String, T::Hash[String, String])).returns(T.nilable(String)) }
       def version_from_lockfile(name, declaration)
         return unless lockfile
 
+        lockfile_content = parsed_file(T.must(lockfile))
+        return unless lockfile_content.is_a?(Hash)
+
         candidate_packages =
-          parsed_file(lockfile).fetch("package", [])
-                               .select { |p| p["name"] == name }
+          lockfile_content.fetch("package", [])
+                          .select { |p| p["name"] == name }
 
         if (req = requirement_from_declaration(declaration))
           req = Cargo::Requirement.new(req)
@@ -311,10 +356,12 @@ module Dependabot
         version_from_lockfile_details(package)
       end
 
+      sig { params(declaration: T.any(String, T::Hash[String, String])).returns(T::Boolean) }
       def git_req?(declaration)
         source_from_declaration(declaration)&.fetch(:type, nil) == "git"
       end
 
+      sig { params(declaration: T.any(String, T::Hash[String, String])).returns(T::Hash[Symbol, String]) }
       def git_source_details(declaration)
         {
           type: "git",
@@ -324,38 +371,47 @@ module Dependabot
         }
       end
 
+      sig { params(package_details: T::Hash[String, String]).returns(String) }
       def version_from_lockfile_details(package_details)
-        return package_details["version"] unless package_details["source"]&.start_with?("git+")
+        return T.must(package_details["version"]) unless package_details["source"]&.start_with?("git+")
 
-        package_details["source"].split("#").last
+        T.must(T.must(package_details["source"]).split("#").last)
       end
 
+      sig { override.void }
       def check_required_files
         raise "No Cargo.toml!" unless get_original_file("Cargo.toml")
       end
 
+      sig { params(file: DependencyFile).returns(T.untyped) }
       def parsed_file(file)
-        @parsed_file ||= {}
+        @parsed_file ||= T.let({}, T.untyped)
         @parsed_file[file.name] ||= TomlRB.parse(file.content)
       rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
         raise Dependabot::DependencyFileNotParseable, file.path
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def manifest_files
-        @manifest_files ||=
+        @manifest_files ||= T.let(
           dependency_files
-          .select { |f| f.name.end_with?("Cargo.toml") }
-          .reject(&:support_file?)
+                  .select { |f| f.name.end_with?("Cargo.toml") }
+                  .reject(&:support_file?),
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def lockfile
-        @lockfile ||= get_original_file("Cargo.lock")
+        @lockfile ||= T.let(get_original_file("Cargo.lock"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def cargo_config
-        @cargo_config ||= get_original_file(".cargo/config.toml")
+        @cargo_config ||= T.let(get_original_file(".cargo/config.toml"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.class_of(Dependabot::Version)) }
       def version_class
         Cargo::Version
       end

data/lib/dependabot/cargo/file_updater/workspace_manifest_updater.rb

@@ -0,0 +1,142 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/cargo/file_updater"
+
+module Dependabot
+  module Cargo
+    class FileUpdater
+      class WorkspaceManifestUpdater
+        extend T::Sig
+
+        sig { params(dependencies: T::Array[Dependabot::Dependency], manifest: Dependabot::DependencyFile).void }
+        def initialize(dependencies:, manifest:)
+          @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
+          @manifest = T.let(manifest, Dependabot::DependencyFile)
+        end
+
+        sig { returns(String) }
+        def updated_manifest_content
+          workspace_deps = dependencies.select { |dep| workspace_dependency?(dep) }
+
+          return T.must(manifest.content) if workspace_deps.empty?
+
+          T.must(workspace_deps.reduce(manifest.content.dup) do |content, dep|
+            update_workspace_dependency(T.must(content), dep)
+          end)
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        sig { returns(Dependabot::DependencyFile) }
+        attr_reader :manifest
+
+        sig { params(dep: Dependabot::Dependency).returns(T::Boolean) }
+        def workspace_dependency?(dep)
+          dep.requirements.any? { |r| r[:groups]&.include?("workspace.dependencies") }
+        end
+
+        sig { params(content: String, dep: Dependabot::Dependency).returns(String) }
+        def update_workspace_dependency(content, dep)
+          old_req = find_workspace_requirement(dep.previous_requirements)
+          new_req = find_workspace_requirement(dep.requirements)
+
+          return content if old_req == new_req || !old_req || !new_req
+
+          # First try to update in the inline [workspace.dependencies] section
+          workspace_section_regex = /\[workspace\.dependencies\](.*?)(?=\n\[|\n*\z)/m
+
+          updated_content = content.gsub(workspace_section_regex) do |section|
+            update_version_in_section(section, dep.name, old_req, new_req)
+          end
+
+          # If content didn't change, try table header notation [workspace.dependencies.name]
+          if updated_content == content
+            updated_content = update_table_header_notation(content, dep.name, old_req, new_req)
+          end
+
+          updated_content
+        end
+
+        sig { params(requirements: T.nilable(T::Array[T::Hash[Symbol, T.untyped]])).returns(T.nilable(String)) }
+        def find_workspace_requirement(requirements)
+          requirements&.find { |r| r[:groups]&.include?("workspace.dependencies") }
+                      &.fetch(:requirement)
+        end
+
+        sig { params(section: String, dep_name: String, old_req: String, new_req: String).returns(String) }
+        def update_version_in_section(section, dep_name, old_req, new_req)
+          # Try double-quoted version first
+          updated = section.gsub(
+            /^(\s*#{Regexp.escape(dep_name)}\s*=\s*)"#{Regexp.escape(old_req)}"/m,
+            "\\1\"#{new_req}\""
+          )
+          return updated if updated != section
+
+          # Try single-quoted version
+          updated = section.gsub(
+            /^(\s*#{Regexp.escape(dep_name)}\s*=\s*)'#{Regexp.escape(old_req)}'/m,
+            "\\1'#{new_req}'"
+          )
+          return updated if updated != section
+
+          # Try unquoted version
+          updated = section.gsub(
+            /^(\s*#{Regexp.escape(dep_name)}\s*=\s*)#{Regexp.escape(old_req)}(\s|$)/m,
+            "\\1#{new_req}\\2"
+          )
+          return updated if updated != section
+
+          # Try inline table format with double quotes
+          updated = section.gsub(
+            /^(\s*#{Regexp.escape(dep_name)}\s*=\s*\{[^}]*version\s*=\s*)"#{Regexp.escape(old_req)}"/m,
+            "\\1\"#{new_req}\""
+          )
+          return updated if updated != section
+
+          # Try inline table format with single quotes
+          section.gsub(
+            /^(\s*#{Regexp.escape(dep_name)}\s*=\s*\{[^}]*version\s*=\s*)'#{Regexp.escape(old_req)}'/m,
+            "\\1'#{new_req}'"
+          )
+        end
+
+        sig { params(content: String, dep_name: String, old_req: String, new_req: String).returns(String) }
+        def update_table_header_notation(content, dep_name, old_req, new_req)
+          # Match [workspace.dependencies.name] section and its content until next section
+          table_header_regex = /\[workspace\.dependencies\.#{Regexp.escape(dep_name)}\](.*?)(?=\n\[|\n*\z)/m
+
+          content.gsub(table_header_regex) do |section|
+            # Update version = "..." line within this section (double quotes)
+            updated = section.gsub(
+              /^(\s*version\s*=\s*)"#{Regexp.escape(old_req)}"/m,
+              "\\1\"#{new_req}\""
+            )
+
+            # Try single quotes if double quotes didn't match
+            if updated == section
+              updated = section.gsub(
+                /^(\s*version\s*=\s*)'#{Regexp.escape(old_req)}'/m,
+                "\\1'#{new_req}'"
+              )
+            end
+
+            # Also try unquoted version
+            if updated == section
+              updated = section.gsub(
+                /^(\s*version\s*=\s*)#{Regexp.escape(old_req)}(\s|$)/m,
+                "\\1#{new_req}\\2"
+              )
+            end
+
+            updated
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/cargo/file_updater.rb

@@ -16,6 +16,7 @@ module Dependabot
 
       require_relative "file_updater/manifest_updater"
       require_relative "file_updater/lockfile_updater"
+      require_relative "file_updater/workspace_manifest_updater"
 
       sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
@@ -60,10 +61,18 @@ module Dependabot
 
       sig { params(file: Dependabot::DependencyFile).returns(String) }
       def updated_manifest_content(file)
-        ManifestUpdater.new(
-          dependencies: dependencies,
-          manifest: file
-        ).updated_manifest_content
+        # Use workspace updater for root workspace manifests
+        if workspace_root_manifest?(file)
+          WorkspaceManifestUpdater.new(
+            dependencies: dependencies,
+            manifest: file
+          ).updated_manifest_content
+        else
+          ManifestUpdater.new(
+            dependencies: dependencies,
+            manifest: file
+          ).updated_manifest_content
+        end
       end
 
       sig { returns(String) }
@@ -92,6 +101,16 @@ module Dependabot
       def lockfile
         @lockfile ||= T.let(get_original_file("Cargo.lock"), T.nilable(Dependabot::DependencyFile))
       end
+
+      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+      def workspace_root_manifest?(file)
+        return false unless file.name == "Cargo.toml"
+
+        parsed_file = TomlRB.parse(file.content)
+        parsed_file.key?("workspace") && parsed_file["workspace"].key?("dependencies")
+      rescue TomlRB::ParseError
+        false
+      end
     end
   end
 end

data/lib/dependabot/cargo/update_checker/version_resolver.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "toml-rb"
@@ -12,7 +12,8 @@ require "dependabot/errors"
 module Dependabot
   module Cargo
     class UpdateChecker
-      class VersionResolver
+      class VersionResolver # rubocop:disable Metrics/ClassLength
+        extend T::Sig
         UNABLE_TO_UPDATE = /Unable to update (?<url>.*?)$/
         BRANCH_NOT_FOUND_REGEX = /#{UNABLE_TO_UPDATE}.*to find branch `(?<branch>[^`]+)`/m
         REVSPEC_PATTERN = /revspec '.*' not found/
@@ -26,31 +27,52 @@ module Dependabot
         NOT_OUR_REF = /fatal: remote error: upload-pack: not our ref/
         NOT_OUR_REF_REGEX = /#{NOT_OUR_REF}.*#{UNABLE_TO_UPDATE}/m
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential],
+            original_dependency_files: T::Array[Dependabot::DependencyFile],
+            prepared_dependency_files: T::Array[Dependabot::DependencyFile]
+          ).void
+        end
         def initialize(dependency:, credentials:,
                        original_dependency_files:, prepared_dependency_files:)
           @dependency = dependency
           @prepared_dependency_files = prepared_dependency_files
           @original_dependency_files = original_dependency_files
           @credentials = credentials
+
+          # Initialize instance variables with proper T.let declarations
+          @prepared_manifest_files = T.let(nil, T.nilable(T::Array[DependencyFile]))
+          @original_manifest_files = T.let(nil, T.nilable(T::Array[DependencyFile]))
         end
 
+        sig { returns(T.nilable(T.any(String, Gem::Version))) }
         def latest_resolvable_version
           return @latest_resolvable_version if defined?(@latest_resolvable_version)
 
-          @latest_resolvable_version = fetch_latest_resolvable_version
-          rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
-            raise Dependabot::DependencyFileNotResolvable, e.message
+          @latest_resolvable_version = T.let(fetch_latest_resolvable_version, T.nilable(T.any(String, Gem::Version)))
+        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+          raise Dependabot::DependencyFileNotResolvable, e.message
         end
 
         private
 
+        sig { returns(Dependency) }
         attr_reader :dependency
+
+        sig { returns(T::Array[Credential]) }
         attr_reader :credentials
+
+        sig { returns(T::Array[DependencyFile]) }
         attr_reader :prepared_dependency_files
+
+        sig { returns(T::Array[DependencyFile]) }
         attr_reader :original_dependency_files
 
+        sig { returns(T.nilable(T.any(String, Gem::Version))) }
         def fetch_latest_resolvable_version
-          base_directory = prepared_dependency_files.first.directory
+          base_directory = T.must(prepared_dependency_files.first).directory
           SharedHelpers.in_a_temporary_directory(base_directory) do
             write_temporary_dependency_files
 
@@ -68,8 +90,10 @@ module Dependabot
         rescue SharedHelpers::HelperSubprocessFailed => e
           retry if better_specification_needed?(e)
           handle_cargo_errors(e)
+          nil
         end
 
+        sig { returns(T.nilable(T.any(String, Gem::Version))) }
         def fetch_version_from_new_lockfile
           check_rust_workspace_root unless File.exist?("Cargo.lock")
           lockfile_content = File.read("Cargo.lock")
@@ -95,6 +119,7 @@ module Dependabot
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/AbcSize
+        sig { params(error: StandardError).returns(T::Boolean) }
         def better_specification_needed?(error)
           return false if @custom_specification
           return false unless error.message.match?(/specification .* is ambigu/)
@@ -108,25 +133,26 @@ module Dependabot
                   dependency.version
                 end
 
-          if spec_options.count { |s| s.end_with?(ver) } == 1
-            @custom_specification = spec_options.find { |s| s.end_with?(ver) }
+          if spec_options.count { |s| s.end_with?(T.must(ver)) } == 1
+            @custom_specification = spec_options.find { |s| s.end_with?(T.must(ver)) }
             return true
-          elsif spec_options.count { |s| s.end_with?(ver) } > 1
-            spec_options.select! { |s| s.end_with?(ver) }
+          elsif spec_options.count { |s| s.end_with?(T.must(ver)) } > 1
+            spec_options.select! { |s| s.end_with?(T.must(ver)) }
           end
 
           if git_dependency? && git_source_url &&
-             spec_options.count { |s| s.include?(git_source_url) } >= 1
-            spec_options.select! { |s| s.include?(git_source_url) }
+             spec_options.count { |s| s.include?(T.must(git_source_url)) } >= 1
+            spec_options.select! { |s| s.include?(T.must(git_source_url)) }
           end
 
-          @custom_specification = spec_options.first
+          @custom_specification = T.let(spec_options.first, T.nilable(String))
           true
         end
         # rubocop:enable Metrics/AbcSize
         # rubocop:enable Metrics/CyclomaticComplexity
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { returns(String) }
         def dependency_spec
           return @custom_specification if @custom_specification
 
@@ -143,6 +169,7 @@ module Dependabot
 
         # Shell out to Cargo, which handles everything for us, and does
         # so without doing an install (so it's fast).
+        sig { void }
         def run_cargo_update_command
           run_cargo_command(
             "cargo update -p #{dependency_spec} -vv",
@@ -150,6 +177,7 @@ module Dependabot
           )
         end
 
+        sig { params(command: String, fingerprint: T.nilable(String)).void }
         def run_cargo_command(command, fingerprint: nil)
           start = Time.now
           command = SharedHelpers.escape_command(command)
@@ -176,40 +204,43 @@ module Dependabot
           )
         end
 
+        sig { params(prepared: T::Boolean).returns(T.nilable(Integer)) }
         def write_temporary_dependency_files(prepared: true)
           write_manifest_files(prepared: prepared)
 
-          File.write(lockfile.name, lockfile.content) if lockfile
-          File.write(toolchain.name, toolchain.content) if toolchain
+          File.write(T.must(lockfile).name, T.must(lockfile).content) if lockfile
+          File.write(T.must(toolchain).name, T.must(toolchain).content) if toolchain
           return unless config
 
-          FileUtils.mkdir_p(File.dirname(config.name))
-          File.write(config.name, config.content)
+          FileUtils.mkdir_p(File.dirname(T.must(config).name))
+          File.write(T.must(config).name, T.must(config).content)
         end
 
+        sig { void }
         def check_rust_workspace_root
           cargo_toml = original_dependency_files
                        .select { |f| f.name.end_with?("../Cargo.toml") }
                        .max_by { |f| f.name.length }
-          return unless TomlRB.parse(cargo_toml.content)["workspace"]
+          return unless TomlRB.parse(T.must(cargo_toml).content)["workspace"]
 
           msg = "This project is part of a Rust workspace but is not the " \
                 "workspace root." \
 
-          if cargo_toml.directory != "/"
+          if T.must(cargo_toml).directory != "/"
             msg += "Please update your settings so Dependabot points at the " \
-                   "workspace root instead of #{cargo_toml.directory}."
+                   "workspace root instead of #{T.must(cargo_toml).directory}."
           end
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(error: StandardError).void }
         def handle_cargo_errors(error)
           if error.message.include?("does not have these features")
             # TODO: Ideally we should update the declaration not to ask
             # for the specified features
-            return nil
+            return
           end
 
           if error.message.include?("authenticate when downloading repo") ||
@@ -218,22 +249,24 @@ module Dependabot
             # consistent error)
             urls = unreachable_git_urls
 
-            if urls.none?
-              url = error.message.match(UNABLE_TO_UPDATE)
-                         .named_captures.fetch("url").split(/[#?]/).first
-              raise if reachable_git_urls.include?(url)
+            if T.must(urls).none?
+              url = T.must(T.must(error.message.match(UNABLE_TO_UPDATE))
+                            .named_captures.fetch("url")).split(/[#?]/).first
+              raise if T.must(reachable_git_urls).include?(url)
 
-              urls << url
+              # Fix: Wrap url in T.must since split().first can return nil
+              T.must(urls) << T.must(url)
             end
 
-            raise Dependabot::GitDependenciesNotReachable, urls
+            raise Dependabot::GitDependenciesNotReachable, T.must(urls)
           end
 
           [BRANCH_NOT_FOUND_REGEX, REF_NOT_FOUND_REGEX, GIT_REF_NOT_FOUND_REGEX, NOT_OUR_REF_REGEX].each do |regex|
             next unless error.message.match?(regex)
 
-            dependency_url = error.message.match(regex).named_captures.fetch("url").split(/[#?]/).first
-            raise Dependabot::GitDependencyReferenceNotFound, dependency_url
+            dependency_url = T.must(T.must(error.message.match(regex)).named_captures.fetch("url")).split(/[#?]/).first
+            # Fix: Wrap dependency_url in T.must since split().first can return nil
+            raise Dependabot::GitDependencyReferenceNotFound, T.must(dependency_url)
           end
 
           if workspace_native_library_update_error?(error.message)
@@ -268,8 +301,9 @@ module Dependabot
         # rubocop:enable Metrics/AbcSize
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { params(message: T.nilable(String)).returns(T.any(Dependabot::Version, T::Boolean)) }
         def using_old_toolchain?(message)
-          return true if message.include?("usage of sparse registries requires `-Z sparse-registry`")
+          return true if T.must(message).include?("usage of sparse registries requires `-Z sparse-registry`")
 
           version_log = /rust version (?<version>\d.\d+)/.match(message)
           return false unless version_log
@@ -277,11 +311,12 @@ module Dependabot
           version_class.new(version_log[:version]) < version_class.new("1.68")
         end
 
+        sig { returns(T.nilable(T::Array[String])) }
         def unreachable_git_urls
           return @unreachable_git_urls if defined?(@unreachable_git_urls)
 
-          @unreachable_git_urls = []
-          @reachable_git_urls = []
+          @unreachable_git_urls = T.let([], T.nilable(T::Array[String]))
+          @reachable_git_urls = T.let([], T.nilable(T::Array[String]))
 
           dependencies = FileParser.new(
             dependency_files: original_dependency_files,
@@ -295,19 +330,20 @@ module Dependabot
             )
             next unless checker.git_dependency?
 
-            url = dep.requirements.find { |r| r.dig(:source, :type) == "git" }
-                     .fetch(:source).fetch(:url)
+            url = T.must(dep.requirements.find { |r| r.dig(:source, :type) == "git" })
+                   .fetch(:source).fetch(:url)
 
             if checker.git_repo_reachable?
-              @reachable_git_urls << url
+              T.must(@reachable_git_urls) << url
             else
-              @unreachable_git_urls << url
+              T.must(@unreachable_git_urls) << url
             end
           end
 
           @unreachable_git_urls
         end
 
+        sig { returns(T.nilable(T::Array[String])) }
         def reachable_git_urls
           return @reachable_git_urls if defined?(@reachable_git_urls)
 
@@ -315,6 +351,7 @@ module Dependabot
           @reachable_git_urls
         end
 
+        sig { params(message: String).returns(T::Boolean) }
         def resolvability_error?(message)
           return true if message.include?("failed to parse lock")
           return true if message.include?("believes it's in a workspace")
@@ -330,8 +367,9 @@ module Dependabot
           !original_requirements_resolvable
         end
 
+        sig { returns(T.any(TrueClass, FalseClass, Symbol)) }
         def original_requirements_resolvable?
-          base_directory = original_dependency_files.first.directory
+          base_directory = T.must(original_dependency_files.first).directory
           SharedHelpers.in_a_temporary_directory(base_directory) do
             write_temporary_dependency_files(prepared: false)
 
@@ -353,10 +391,11 @@ module Dependabot
           end
         end
 
+        sig { params(message: String).returns(T::Boolean) }
         def workspace_native_library_update_error?(message)
           return false unless message.include?("native library")
 
-          library_count = prepared_manifest_files.count do |file|
+          library_count = T.must(prepared_manifest_files).count do |file|
             package_name = TomlRB.parse(file.content).dig("package", "name")
             next false unless package_name
 
@@ -366,17 +405,18 @@ module Dependabot
           library_count >= 2
         end
 
+        sig { params(prepared: T::Boolean).returns(T.nilable(T::Array[Dependabot::DependencyFile])) }
         def write_manifest_files(prepared: true)
           manifest_files = if prepared then prepared_manifest_files
                            else
                              original_manifest_files
                            end
 
-          manifest_files.each do |file|
+          T.must(manifest_files).each do |file|
             path = file.name
             dir = Pathname.new(path).dirname
             FileUtils.mkdir_p(dir)
-            File.write(file.name, sanitized_manifest_content(file.content))
+            File.write(file.name, sanitized_manifest_content(T.must(file.content)))
 
             next if virtual_manifest?(file)
 
@@ -388,26 +428,30 @@ module Dependabot
           end
         end
 
+        sig { returns(T.nilable(String)) }
         def git_dependency_version
           return unless lockfile
 
-          TomlRB.parse(lockfile.content)
+          TomlRB.parse(T.must(lockfile).content)
                 .fetch("package", [])
                 .select { |p| p["name"] == dependency.name }
                 .find { |p| p["source"].end_with?(dependency.version) }
                 .fetch("version")
         end
 
+        sig { returns(T.nilable(String)) }
         def git_source_url
           dependency.requirements
                     .find { |r| r.dig(:source, :type) == "git" }
                     &.dig(:source, :url)
         end
 
+        sig { returns(String) }
         def dummy_app_content
           %{fn main() {\nprintln!("Hello, world!");\n}}
         end
 
+        sig { params(content: String).returns(String) }
         def sanitized_manifest_content(content)
           object = TomlRB.parse(content)
 
@@ -424,32 +468,40 @@ module Dependabot
           TomlRB.dump(object)
         end
 
+        sig { returns(T.nilable(T::Array[DependencyFile])) }
         def prepared_manifest_files
           @prepared_manifest_files ||=
             prepared_dependency_files
             .select { |f| f.name.end_with?("Cargo.toml") }
         end
 
+        sig { returns(T.nilable(T::Array[DependencyFile])) }
         def original_manifest_files
           @original_manifest_files ||=
             original_dependency_files
             .select { |f| f.name.end_with?("Cargo.toml") }
         end
 
+        sig { returns(T.nilable(DependencyFile)) }
         def lockfile
-          @lockfile ||= prepared_dependency_files
-                        .find { |f| f.name == "Cargo.lock" }
+          @lockfile ||= T.let(prepared_dependency_files
+                                .find { |f| f.name == "Cargo.lock" }, T.nilable(Dependabot::DependencyFile))
         end
 
+        sig { returns(T.nilable(DependencyFile)) }
         def toolchain
-          @toolchain ||= original_dependency_files
-                         .find { |f| f.name == "rust-toolchain" }
+          @toolchain ||= T.let(original_dependency_files
+                                 .find { |f| f.name == "rust-toolchain" }, T.nilable(Dependabot::DependencyFile))
         end
 
+        sig { returns(T.nilable(DependencyFile)) }
         def config
-          @config ||= original_dependency_files.find { |f| f.name == ".cargo/config.toml" }
+          @config ||= T.let(original_dependency_files.find do |f|
+            f.name == ".cargo/config.toml"
+          end, T.nilable(Dependabot::DependencyFile))
         end
 
+        sig { returns(T::Boolean) }
         def git_dependency?
           GitCommitChecker.new(
             dependency: dependency,
@@ -460,10 +512,12 @@ module Dependabot
         # When the package table is not present in a workspace manifest, it is
         # called a virtual manifest: https://doc.rust-lang.org/cargo/reference/
         # manifest.html#virtual-manifest
+        sig { params(file: DependencyFile).returns(T::Boolean) }
         def virtual_manifest?(file)
-          !file.content.include?("[package]")
+          !T.must(file.content).include?("[package]")
         end
 
+        sig { returns(T.class_of(Dependabot::Version)) }
         def version_class
           dependency.version_class
         end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.325.1
+  version: 0.326.1
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.325.1
+        version: 0.326.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.325.1
+        version: 0.326.1
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -247,6 +247,7 @@ files:
 - lib/dependabot/cargo/file_updater.rb
 - lib/dependabot/cargo/file_updater/lockfile_updater.rb
 - lib/dependabot/cargo/file_updater/manifest_updater.rb
+- lib/dependabot/cargo/file_updater/workspace_manifest_updater.rb
 - lib/dependabot/cargo/helpers.rb
 - lib/dependabot/cargo/language.rb
 - lib/dependabot/cargo/metadata_finder.rb
@@ -265,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.325.1
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.326.1
 rdoc_options: []
 require_paths:
 - lib