dependabot-cargo 0.337.0 → 0.341.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a45c407b9e724884f55967f9768f2aebddbc56a1e5946ba3a45a6307eac42805
-  data.tar.gz: 6c52f00cc8b7a5fc95dbe6c5fcf0b9322c6bd5e23d1368d0e797fca360d62207
+  metadata.gz: 81b5078d121895148890b7f204e56c8622297d1abe48d29f6a18f1f161d5a324
+  data.tar.gz: 127662908e03a996f1b62197083dace776b60854f6e797f769979768816a1a96
 SHA512:
-  metadata.gz: f436187a8afeb149cf6f555a9f593793f9215f86fe8a9b7b571725f8a966b4d59aa25ba8d406cb31368039f0b5c8aab36983f82f8a30ee185686b126c8ef0036
-  data.tar.gz: 97efb3fef98287a70c1e3c7e42279ec9b8943a3b372feb8c883adfc7c5eaf73d53adeda79de2153d09a745ad94ff2db2e6a970af01fe6476518b5051cf0cd905
+  metadata.gz: 453ee1deb7b4f3ef0518cfe7fe4e5455c30969df7595532af8b1e1a95999a082cf795327cd6c7d380ca8f29c9465f6af82659a6ee51ac77b07a4eeda2f84e78c
+  data.tar.gz: e1997255b35b8baa728b4cd5b97ad723dd1d3d64868f7a2e6d6e0eaca97d2a72d66fe28bae5bc1f52b9eda0af3e4e8ebfdfc07f88ec182a820e05bd9158e896a

data/lib/dependabot/cargo/file_fetcher.rb

@@ -57,6 +57,13 @@ module Dependabot
         fetched_files << T.must(rust_toolchain) if rust_toolchain
         fetched_files += fetch_path_dependency_and_workspace_files
 
+        # If the main Cargo.toml uses workspace dependencies, ensure we have the workspace root
+        parsed_manifest = parsed_file(cargo_toml)
+        if uses_workspace_dependencies?(parsed_manifest) || workspace_member?(parsed_manifest)
+          workspace_root = find_workspace_root(cargo_toml)
+          fetched_files << workspace_root if workspace_root && !fetched_files.include?(workspace_root)
+        end
+
         # Filter excluded files from final collection
         filtered_files = fetched_files.reject do |file|
           Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
@@ -131,17 +138,17 @@ module Dependabot
 
           next if previously_fetched_files.map(&:name).include?(path)
           next if file.name == path
-
           next if Dependabot::FileFiltering.should_exclude_path?(path, "file from final collection", @exclude_paths)
 
           fetched_file = fetch_file_from_host(path, fetch_submodules: true)
           previously_fetched_files << fetched_file
-          grandchild_requirement_files =
-            fetch_workspace_files(
-              file: fetched_file,
-              previously_fetched_files: previously_fetched_files
-            )
-          [fetched_file, *grandchild_requirement_files]
+          grandchild_requirement_files = fetch_workspace_files(
+            file: fetched_file,
+            previously_fetched_files: previously_fetched_files
+          )
+
+          workspace_root = workspace_root_for_file(fetched_file)
+          [fetched_file, *grandchild_requirement_files, workspace_root]
         end.compact
 
         files.each { |f| f.support_file = file != cargo_toml }
@@ -168,24 +175,18 @@ module Dependabot
 
             next if previously_fetched_files.map(&:name).include?(path)
             next if file.name == path
-
             next if Dependabot::FileFiltering.should_exclude_path?(path, "file from final collection", @exclude_paths)
 
             fetched_file = fetch_file_from_host(path, fetch_submodules: true)
                            .tap { |f| f.support_file = true }
             previously_fetched_files << fetched_file
-            grandchild_requirement_files =
-              fetch_path_dependency_files(
-                file: fetched_file,
-                previously_fetched_files: previously_fetched_files
-              )
-
-            # If this path dependency file is a workspace member that inherits from
-            # its root workspace, we search for the root to include it so Cargo can
-            # resolve the path dependency file manifest properly.
-            root = find_workspace_root(fetched_file) if workspace_member?(parsed_file(fetched_file))
-
-            [fetched_file, *grandchild_requirement_files, root]
+            grandchild_requirement_files = fetch_path_dependency_files(
+              file: fetched_file,
+              previously_fetched_files: previously_fetched_files
+            )
+
+            workspace_root = workspace_root_for_file(fetched_file)
+            [fetched_file, *grandchild_requirement_files, workspace_root]
           rescue Dependabot::DependencyFileNotFound
             next unless required_path?(file, path)
 
@@ -198,15 +199,21 @@ module Dependabot
               unfetchable_required_path_deps
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
+      def workspace_root_for_file(file)
+        parsed_manifest = parsed_file(file)
+        return unless workspace_member?(parsed_manifest) || uses_workspace_dependencies?(parsed_manifest)
+
+        find_workspace_root(file)
+      end
+
       sig { params(dependencies: T::Hash[T.untyped, T.untyped]).returns(T::Array[String]) }
       def collect_path_dependencies_paths(dependencies)
-        paths = []
-        dependencies.each do |_, details|
+        dependencies.filter_map do |_, details|
           next unless details.is_a?(Hash) && details["path"]
 
-          paths << File.join(details["path"], "Cargo.toml").delete_prefix("/")
+          File.join(details["path"], "Cargo.toml").delete_prefix("/")
         end
-        paths
       end
 
       # rubocop:enable Metrics/PerceivedComplexity
@@ -229,8 +236,7 @@ module Dependabot
           end
         end
 
-        paths += replacement_path_dependency_paths_from_file(file)
-        paths
+        paths + replacement_path_dependency_paths_from_file(file)
       end
 
       sig { params(file: Dependabot::DependencyFile).returns(T::Array[String]) }
@@ -239,8 +245,7 @@ module Dependabot
 
         # Paths specified as replacements
         parsed_file(file).fetch("replace", {}).each do |_, details|
-          next unless details.is_a?(Hash)
-          next unless details["path"]
+          next unless details.is_a?(Hash) && details["path"]
 
           paths << File.join(details["path"], "Cargo.toml")
         end
@@ -250,8 +255,7 @@ module Dependabot
           next unless details.is_a?(Hash)
 
           details.each do |_, dep_details|
-            next unless dep_details.is_a?(Hash)
-            next unless dep_details["path"]
+            next unless dep_details.is_a?(Hash) && dep_details["path"]
 
             paths << File.join(dep_details["path"], "Cargo.toml")
           end
@@ -260,6 +264,35 @@ module Dependabot
         paths
       end
 
+      # Check if this Cargo manifest uses workspace dependencies
+      # (e.g. dependency = { workspace = true }).
+      sig { params(parsed_manifest: T::Hash[T.untyped, T.untyped]).returns(T::Boolean) }
+      def uses_workspace_dependencies?(parsed_manifest)
+        # Check regular dependencies
+        workspace_deps = Cargo::FileParser::DEPENDENCY_TYPES.any? do |type|
+          deps = parsed_manifest.fetch(type, {})
+          deps.any? do |_, details|
+            next false unless details.is_a?(Hash)
+
+            details["workspace"] == true
+          end
+        end
+
+        return true if workspace_deps
+
+        # Check target-specific dependencies
+        parsed_manifest.fetch("target", {}).any? do |_, target_details|
+          Cargo::FileParser::DEPENDENCY_TYPES.any? do |type|
+            deps = target_details.fetch(type, {})
+            deps.any? do |_, details|
+              next false unless details.is_a?(Hash)
+
+              details["workspace"] == true
+            end
+          end
+        end
+      end
+
       # See if this Cargo manifest inherits any property from a workspace
       # (e.g. edition = { workspace = true }).
       sig { params(hash: T::Hash[T.untyped, T.untyped]).returns(T::Boolean) }

data/lib/dependabot/cargo/file_updater/lockfile_updater.rb

@@ -200,6 +200,12 @@ module Dependabot
             raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
           end
 
+          # ambiguous package specification
+          ambiguous_match = stdout.match(/There are multiple `([^`]+)` packages.*specification `([^`]+)` is ambiguous/)
+          if ambiguous_match
+            raise Dependabot::DependencyFileNotEvaluatable, "Ambiguous package specification: #{ambiguous_match[2]}"
+          end
+
           # package doesn't exist in the index
           if (match = stdout.match(/no matching package named `([^`]+)` found/))
             raise Dependabot::DependencyFileNotResolvable, match[1]

data/lib/dependabot/cargo/file_updater.rb

@@ -18,14 +18,6 @@ module Dependabot
       require_relative "file_updater/lockfile_updater"
       require_relative "file_updater/workspace_manifest_updater"
 
-      sig { override.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
-        [
-          /Cargo\.toml$/, # Matches Cargo.toml in the root directory or any subdirectory
-          /Cargo\.lock$/  # Matches Cargo.lock in the root directory or any subdirectory
-        ]
-      end
-
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
         # Returns an array of updated files. Only files that have been updated

data/lib/dependabot/cargo/update_checker/file_preparer.rb

@@ -118,6 +118,7 @@ module Dependabot
           end
 
           replace_req_on_target_specific_deps!(parsed_manifest, filename)
+          replace_req_on_workspace_deps!(parsed_manifest, filename)
 
           TomlRB.dump(parsed_manifest)
         end
@@ -148,6 +149,24 @@ module Dependabot
           end
         end
 
+        sig { params(parsed_manifest: T::Hash[String, T.untyped], filename: String).void }
+        def replace_req_on_workspace_deps!(parsed_manifest, filename)
+          workspace = parsed_manifest.fetch("workspace", {})
+          workspace_deps = workspace.fetch("dependencies", {})
+
+          workspace_deps.each do |name, req|
+            next unless dependency.name == name_from_declaration(name, req)
+
+            updated_req = temporary_requirement_for_resolution(filename)
+
+            if req.is_a?(Hash)
+              parsed_manifest["workspace"]["dependencies"][name]["version"] = updated_req
+            else
+              parsed_manifest["workspace"]["dependencies"][name] = updated_req
+            end
+          end
+        end
+
         sig { params(content: String).returns(String) }
         def replace_git_pin(content)
           parsed_manifest = TomlRB.parse(content)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.337.0
+  version: 0.341.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.337.0
+        version: 0.341.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.337.0
+        version: 0.341.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.337.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.341.0
 rdoc_options: []
 require_paths:
 - lib