dependabot-cargo 0.340.0 → 0.342.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 072a4c9070f558b9d46d699d40debaa675953e7d02c1975d31cdada8d53e30e8
-  data.tar.gz: 6c52f00cc8b7a5fc95dbe6c5fcf0b9322c6bd5e23d1368d0e797fca360d62207
+  metadata.gz: 24474e4539bb3a8547a639f5a16737166f4d0e329c8b8d857245a2133719282e
+  data.tar.gz: fe51accf4820675950bbf0837704608f998a66cf67ccc5d0c4c405f400cea3b8
 SHA512:
-  metadata.gz: 11fdbd06bcbe80bf10e11f44742024246e603cd8eafc82dd2687c88ee3e413329f0e298357e121ee1fa6707fc208a5b317aebf57999b9d1ceea97b663169f748
-  data.tar.gz: 97efb3fef98287a70c1e3c7e42279ec9b8943a3b372feb8c883adfc7c5eaf73d53adeda79de2153d09a745ad94ff2db2e6a970af01fe6476518b5051cf0cd905
+  metadata.gz: 3b8448fe1beb3afd164187c8240c7dc67c7ae7ff07d67fbc7b112dd066b6ec6838af4d5c79024333261dc1240941b72ce05765b44581b189ac600c6c2034e3fa
+  data.tar.gz: d6a9626c6e705b73597dbe0cd94e5b95e3bbdaa532c98d7f2826f978095267e4ffadb7ae369b9ef01807f05ddf679638abde40ccbb337304e776af01ea7bc62d

data/lib/dependabot/cargo/file_fetcher.rb

@@ -57,6 +57,13 @@ module Dependabot
         fetched_files << T.must(rust_toolchain) if rust_toolchain
         fetched_files += fetch_path_dependency_and_workspace_files
 
+        # If the main Cargo.toml uses workspace dependencies, ensure we have the workspace root
+        parsed_manifest = parsed_file(cargo_toml)
+        if uses_workspace_dependencies?(parsed_manifest) || workspace_member?(parsed_manifest)
+          workspace_root = find_workspace_root(cargo_toml)
+          fetched_files << workspace_root if workspace_root && !fetched_files.include?(workspace_root)
+        end
+
         # Filter excluded files from final collection
         filtered_files = fetched_files.reject do |file|
           Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
@@ -131,17 +138,17 @@ module Dependabot
 
           next if previously_fetched_files.map(&:name).include?(path)
           next if file.name == path
-
           next if Dependabot::FileFiltering.should_exclude_path?(path, "file from final collection", @exclude_paths)
 
           fetched_file = fetch_file_from_host(path, fetch_submodules: true)
           previously_fetched_files << fetched_file
-          grandchild_requirement_files =
-            fetch_workspace_files(
-              file: fetched_file,
-              previously_fetched_files: previously_fetched_files
-            )
-          [fetched_file, *grandchild_requirement_files]
+          grandchild_requirement_files = fetch_workspace_files(
+            file: fetched_file,
+            previously_fetched_files: previously_fetched_files
+          )
+
+          workspace_root = workspace_root_for_file(fetched_file)
+          [fetched_file, *grandchild_requirement_files, workspace_root]
         end.compact
 
         files.each { |f| f.support_file = file != cargo_toml }
@@ -168,24 +175,18 @@ module Dependabot
 
             next if previously_fetched_files.map(&:name).include?(path)
             next if file.name == path
-
             next if Dependabot::FileFiltering.should_exclude_path?(path, "file from final collection", @exclude_paths)
 
             fetched_file = fetch_file_from_host(path, fetch_submodules: true)
                            .tap { |f| f.support_file = true }
             previously_fetched_files << fetched_file
-            grandchild_requirement_files =
-              fetch_path_dependency_files(
-                file: fetched_file,
-                previously_fetched_files: previously_fetched_files
-              )
-
-            # If this path dependency file is a workspace member that inherits from
-            # its root workspace, we search for the root to include it so Cargo can
-            # resolve the path dependency file manifest properly.
-            root = find_workspace_root(fetched_file) if workspace_member?(parsed_file(fetched_file))
-
-            [fetched_file, *grandchild_requirement_files, root]
+            grandchild_requirement_files = fetch_path_dependency_files(
+              file: fetched_file,
+              previously_fetched_files: previously_fetched_files
+            )
+
+            workspace_root = workspace_root_for_file(fetched_file)
+            [fetched_file, *grandchild_requirement_files, workspace_root]
           rescue Dependabot::DependencyFileNotFound
             next unless required_path?(file, path)
 
@@ -198,15 +199,21 @@ module Dependabot
               unfetchable_required_path_deps
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
+      def workspace_root_for_file(file)
+        parsed_manifest = parsed_file(file)
+        return unless workspace_member?(parsed_manifest) || uses_workspace_dependencies?(parsed_manifest)
+
+        find_workspace_root(file)
+      end
+
       sig { params(dependencies: T::Hash[T.untyped, T.untyped]).returns(T::Array[String]) }
       def collect_path_dependencies_paths(dependencies)
-        paths = []
-        dependencies.each do |_, details|
+        dependencies.filter_map do |_, details|
           next unless details.is_a?(Hash) && details["path"]
 
-          paths << File.join(details["path"], "Cargo.toml").delete_prefix("/")
+          File.join(details["path"], "Cargo.toml").delete_prefix("/")
         end
-        paths
       end
 
       # rubocop:enable Metrics/PerceivedComplexity
@@ -229,8 +236,7 @@ module Dependabot
           end
         end
 
-        paths += replacement_path_dependency_paths_from_file(file)
-        paths
+        paths + replacement_path_dependency_paths_from_file(file)
       end
 
       sig { params(file: Dependabot::DependencyFile).returns(T::Array[String]) }
@@ -239,8 +245,7 @@ module Dependabot
 
         # Paths specified as replacements
         parsed_file(file).fetch("replace", {}).each do |_, details|
-          next unless details.is_a?(Hash)
-          next unless details["path"]
+          next unless details.is_a?(Hash) && details["path"]
 
           paths << File.join(details["path"], "Cargo.toml")
         end
@@ -250,8 +255,7 @@ module Dependabot
           next unless details.is_a?(Hash)
 
           details.each do |_, dep_details|
-            next unless dep_details.is_a?(Hash)
-            next unless dep_details["path"]
+            next unless dep_details.is_a?(Hash) && dep_details["path"]
 
             paths << File.join(dep_details["path"], "Cargo.toml")
           end
@@ -260,6 +264,35 @@ module Dependabot
         paths
       end
 
+      # Check if this Cargo manifest uses workspace dependencies
+      # (e.g. dependency = { workspace = true }).
+      sig { params(parsed_manifest: T::Hash[T.untyped, T.untyped]).returns(T::Boolean) }
+      def uses_workspace_dependencies?(parsed_manifest)
+        # Check regular dependencies
+        workspace_deps = Cargo::FileParser::DEPENDENCY_TYPES.any? do |type|
+          deps = parsed_manifest.fetch(type, {})
+          deps.any? do |_, details|
+            next false unless details.is_a?(Hash)
+
+            details["workspace"] == true
+          end
+        end
+
+        return true if workspace_deps
+
+        # Check target-specific dependencies
+        parsed_manifest.fetch("target", {}).any? do |_, target_details|
+          Cargo::FileParser::DEPENDENCY_TYPES.any? do |type|
+            deps = target_details.fetch(type, {})
+            deps.any? do |_, details|
+              next false unless details.is_a?(Hash)
+
+              details["workspace"] == true
+            end
+          end
+        end
+      end
+
       # See if this Cargo manifest inherits any property from a workspace
       # (e.g. edition = { workspace = true }).
       sig { params(hash: T::Hash[T.untyped, T.untyped]).returns(T::Boolean) }

data/lib/dependabot/cargo/file_updater/lockfile_updater.rb

@@ -99,12 +99,44 @@ module Dependabot
 
         sig { params(error: StandardError).returns(T.noreturn) }
         def handle_cargo_error(error)
-          raise unless error.message.include?("failed to select a version") ||
-                       error.message.include?("no matching version") ||
-                       error.message.include?("unexpected end of input while parsing major version number")
+          raise unless resolvable_cargo_error?(error.message)
           raise if error.message.include?("`#{dependency.name} ")
 
-          raise Dependabot::DependencyFileNotResolvable, error.message
+          extract_binary_path_error(error.message)
+        end
+
+        sig { params(message: String).returns(T::Boolean) }
+        def resolvable_cargo_error?(message)
+          message.include?("failed to select a version") ||
+            message.include?("no matching version") ||
+            message.include?("unexpected end of input while parsing major version number") ||
+            message.match?(/couldn't find `[^`]+\.rs`/) ||
+            message.match?(/failed to find `[^`]+\.rs`/) ||
+            message.match?(/could not find `[^`]+\.rs`/) ||
+            message.match?(/cannot find binary `[^`]+`/) ||
+            message.include?("Please specify bin.path if you want to use a non-default path") ||
+            message.include?("binary target")
+        end
+
+        sig { params(message: String).returns(T.noreturn) }
+        def extract_binary_path_error(message)
+          if (match = message.match(/can't find `([^`]+)` bin at `([^`]+)`/))
+            binary_name = match[1]
+            expected_path = match[2]
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Binary '#{binary_name}' not found at expected path '#{expected_path}'. " \
+                  "Please check the bin.path configuration in Cargo.toml."
+          elsif (match = message.match(/(couldn't find|failed to find|could not find) `([^`]+\.rs)`/))
+            file_path = match[2]
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Source file '#{file_path}' not found. Please check the bin.path configuration in Cargo.toml."
+          elsif (match = message.match(/cannot find binary `([^`]+)`/))
+            binary_name = match[1]
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Binary target '#{binary_name}' not found. Please check the [[bin]] configuration in Cargo.toml."
+          end
+
+          raise Dependabot::DependencyFileNotResolvable, message
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
@@ -186,28 +218,24 @@ module Dependabot
           start = Time.now
           command = SharedHelpers.escape_command(command)
           Helpers.setup_credentials_in_environment(credentials)
-          # Pass through any registry tokens supplied via CARGO_REGISTRIES_...
-          # environment variables.
           env = ENV.select { |key, _value| key.match(/^CARGO_REGISTRIES_/) }
           stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 
-          # Raise an error with the output from the shell session if Cargo
-          # returns a non-zero status
           return if process.success?
 
+          handle_cargo_command_error(stdout, command, fingerprint, time_taken)
+        end
+
+        sig { params(stdout: String, command: String, fingerprint: String, time_taken: Float).returns(T.noreturn) }
+        def handle_cargo_command_error(stdout, command, fingerprint, time_taken)
           if using_old_toolchain?(stdout)
             raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
           end
 
-          # package doesn't exist in the index
-          if (match = stdout.match(/no matching package named `([^`]+)` found/))
-            raise Dependabot::DependencyFileNotResolvable, match[1]
-          end
-
-          if (match = /error: no matching package found\nsearched package name: `([^`]+)`/m.match(stdout))
-            raise Dependabot::DependencyFileNotResolvable, match[1]
-          end
+          check_ambiguous_package_error(stdout)
+          check_missing_package_error(stdout)
+          check_binary_path_error(stdout)
 
           raise SharedHelpers::HelperSubprocessFailed.new(
             message: stdout,
@@ -215,11 +243,48 @@ module Dependabot
               command: command,
               fingerprint: fingerprint,
               time_taken: time_taken,
-              process_exit_value: process.to_s
+              process_exit_value: "non-zero"
             }
           )
         end
 
+        sig { params(stdout: String).void }
+        def check_ambiguous_package_error(stdout)
+          ambiguous_match = stdout.match(/There are multiple `([^`]+)` packages.*specification `([^`]+)` is ambiguous/)
+          return unless ambiguous_match
+
+          raise Dependabot::DependencyFileNotEvaluatable, "Ambiguous package specification: #{ambiguous_match[2]}"
+        end
+
+        sig { params(stdout: String).void }
+        def check_missing_package_error(stdout)
+          if (match = stdout.match(/no matching package named `([^`]+)` found/))
+            raise Dependabot::DependencyFileNotResolvable, match[1]
+          end
+
+          if (match = /error: no matching package found\nsearched package name: `([^`]+)`/m.match(stdout))
+            raise Dependabot::DependencyFileNotResolvable, match[1]
+          end
+        end
+
+        sig { params(stdout: String).void }
+        def check_binary_path_error(stdout)
+          return unless binary_path_error?(stdout)
+
+          extract_binary_path_error(stdout)
+        end
+
+        sig { params(stdout: String).returns(T::Boolean) }
+        def binary_path_error?(stdout)
+          stdout.match?(/couldn't find `[^`]+\.rs`/) ||
+            stdout.match?(/failed to find `[^`]+\.rs`/) ||
+            stdout.match?(/could not find `[^`]+\.rs`/) ||
+            stdout.match?(/cannot find binary `[^`]+`/) ||
+            stdout.match?(/binary target `[^`]+` not found/) ||
+            stdout.include?("Please specify bin.path if you want to use a non-default path") ||
+            (stdout.include?("binary target") && stdout.include?("not found"))
+        end
+
         sig { params(message: String).returns(T::Boolean) }
         def using_old_toolchain?(message)
           return true if message.include?("usage of sparse registries requires `-Z sparse-registry`")

data/lib/dependabot/cargo/file_updater.rb

@@ -18,14 +18,6 @@ module Dependabot
       require_relative "file_updater/lockfile_updater"
       require_relative "file_updater/workspace_manifest_updater"
 
-      sig { override.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
-        [
-          /Cargo\.toml$/, # Matches Cargo.toml in the root directory or any subdirectory
-          /Cargo\.lock$/  # Matches Cargo.lock in the root directory or any subdirectory
-        ]
-      end
-
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
         # Returns an array of updated files. Only files that have been updated

data/lib/dependabot/cargo/update_checker/file_preparer.rb

@@ -118,6 +118,7 @@ module Dependabot
           end
 
           replace_req_on_target_specific_deps!(parsed_manifest, filename)
+          replace_req_on_workspace_deps!(parsed_manifest, filename)
 
           TomlRB.dump(parsed_manifest)
         end
@@ -148,6 +149,24 @@ module Dependabot
           end
         end
 
+        sig { params(parsed_manifest: T::Hash[String, T.untyped], filename: String).void }
+        def replace_req_on_workspace_deps!(parsed_manifest, filename)
+          workspace = parsed_manifest.fetch("workspace", {})
+          workspace_deps = workspace.fetch("dependencies", {})
+
+          workspace_deps.each do |name, req|
+            next unless dependency.name == name_from_declaration(name, req)
+
+            updated_req = temporary_requirement_for_resolution(filename)
+
+            if req.is_a?(Hash)
+              parsed_manifest["workspace"]["dependencies"][name]["version"] = updated_req
+            else
+              parsed_manifest["workspace"]["dependencies"][name] = updated_req
+            end
+          end
+        end
+
         sig { params(content: String).returns(String) }
         def replace_git_pin(content)
           parsed_manifest = TomlRB.parse(content)

data/lib/dependabot/cargo/update_checker/version_resolver.rb

@@ -238,75 +238,100 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        # rubocop:disable Metrics/AbcSize
-        # rubocop:disable Metrics/PerceivedComplexity
         sig { params(error: StandardError).void }
         def handle_cargo_errors(error)
-          if error.message.include?("does not have these features")
+          return if missing_feature_error?(error)
+          return if recoverable_workspace_error?(error)
+
+          handle_git_authentication_errors(error)
+          handle_git_reference_errors(error)
+          handle_toolchain_errors(error)
+          handle_resolvability_errors(error)
+
+          raise
+        end
+
+        sig { params(error: StandardError).returns(T::Boolean) }
+        def missing_feature_error?(error)
+          if error.message.include?("does not have these features") ||
+             error.message.include?("does not have that feature")
             # TODO: Ideally we should update the declaration not to ask
             # for the specified features
-            return
+            return true
           end
 
-          if error.message.include?("authenticate when downloading repo") ||
-             error.message.include?("fatal: Authentication failed for")
-            # Check all dependencies for reachability (so that we raise a
-            # consistent error)
-            urls = unreachable_git_urls
-
-            if T.must(urls).none?
-              url = T.must(
-                T.must(error.message.match(UNABLE_TO_UPDATE))
-                                            .named_captures.fetch("url")
-              ).split(/[#?]/).first
-              raise if T.must(reachable_git_urls).include?(url)
-
-              # Fix: Wrap url in T.must since split().first can return nil
-              T.must(urls) << T.must(url)
-            end
+          false
+        end
+
+        sig { params(error: StandardError).void }
+        def handle_git_authentication_errors(error)
+          return unless error.message.include?("authenticate when downloading repo") ||
+                        error.message.include?("fatal: Authentication failed for")
+
+          urls = unreachable_git_urls
+
+          if T.must(urls).none?
+            url = T.must(
+              T.must(error.message.match(UNABLE_TO_UPDATE))
+                                          .named_captures.fetch("url")
+            ).split(/[#?]/).first
+            raise if T.must(reachable_git_urls).include?(url)
 
-            raise Dependabot::GitDependenciesNotReachable, T.must(urls)
+            T.must(urls) << T.must(url)
           end
 
+          raise Dependabot::GitDependenciesNotReachable, T.must(urls)
+        end
+
+        sig { params(error: StandardError).void }
+        def handle_git_reference_errors(error)
           [BRANCH_NOT_FOUND_REGEX, REF_NOT_FOUND_REGEX, GIT_REF_NOT_FOUND_REGEX, NOT_OUR_REF_REGEX].each do |regex|
             next unless error.message.match?(regex)
 
             dependency_url = T.must(T.must(error.message.match(regex)).named_captures.fetch("url")).split(/[#?]/).first
-            # Fix: Wrap dependency_url in T.must since split().first can return nil
             raise Dependabot::GitDependencyReferenceNotFound, T.must(dependency_url)
           end
+        end
 
+        sig { params(error: StandardError).returns(T::Boolean) }
+        def recoverable_workspace_error?(error)
           if workspace_native_library_update_error?(error.message)
             # This happens when we're updating one part of a workspace which
             # triggers an update of a subdependency that uses a native library,
             # whilst leaving another part of the workspace using an older
             # version. Ideally we would prevent the subdependency update.
-            return nil
+            return true
           end
 
           if git_dependency? && error.message.include?("no matching package")
             # This happens when updating a git dependency whose version has
             # changed from a release to a pre-release version
-            return nil
+            return true
           end
 
           if error.message.include?("all possible versions conflict")
             # This happens when a top-level requirement locks us to an old
             # patch release of a dependency that is a sub-dep of what we're
             # updating. It's (probably) a Cargo bug.
-            return nil
+            return true
           end
 
-          if using_old_toolchain?(error.message)
-            raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
-          end
+          false
+        end
 
-          raise Dependabot::DependencyFileNotResolvable, error.message if resolvability_error?(error.message)
+        sig { params(error: StandardError).void }
+        def handle_toolchain_errors(error)
+          return unless using_old_toolchain?(error.message)
 
-          raise
+          raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
+        end
+
+        sig { params(error: StandardError).void }
+        def handle_resolvability_errors(error)
+          return unless resolvability_error?(error.message)
+
+          raise Dependabot::DependencyFileNotResolvable, error.message
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         sig { params(message: T.nilable(String)).returns(T.any(Dependabot::Version, T::Boolean)) }
         def using_old_toolchain?(message)
@@ -360,20 +385,37 @@ module Dependabot
 
         sig { params(message: String).returns(T::Boolean) }
         def resolvability_error?(message)
-          return true if message.include?("failed to parse lock")
-          return true if message.include?("believes it's in a workspace")
-          return true if message.include?("wasn't a root")
-          return true if message.include?("requires a nightly version")
-          return true if message.match?(/feature `[^\`]+` is required/)
-          return true if message.include?("unexpected end of input while parsing major version number")
+          return true if common_resolvability_error?(message)
+          return true if binary_path_error?(message)
 
           original_requirements_resolvable = original_requirements_resolvable?
-
           return false if original_requirements_resolvable == :unknown
 
           !original_requirements_resolvable
         end
 
+        sig { params(message: String).returns(T::Boolean) }
+        def common_resolvability_error?(message)
+          message.include?("failed to parse lock") ||
+            message.include?("believes it's in a workspace") ||
+            message.include?("wasn't a root") ||
+            message.include?("requires a nightly version") ||
+            message.match?(/feature `[^\`]+` is required/) ||
+            message.include?("unexpected end of input while parsing major version number")
+        end
+
+        sig { params(message: String).returns(T::Boolean) }
+        def binary_path_error?(message)
+          message.match?(/couldn't find `[^`]+\.rs`/) ||
+            message.match?(/failed to find `[^`]+\.rs`/) ||
+            message.match?(/could not find `[^`]+\.rs`/) ||
+            message.match?(/cannot find binary `[^`]+`/) ||
+            message.match?(/binary target `[^`]+` not found/) ||
+            message.include?("Please specify bin.path if you want to use a non-default path") ||
+            message.include?("binary target") ||
+            message.include?("target not found")
+        end
+
         sig { returns(T.any(TrueClass, FalseClass, Symbol)) }
         def original_requirements_resolvable?
           base_directory = T.must(original_dependency_files.first).directory
@@ -421,9 +463,11 @@ module Dependabot
 
           T.must(manifest_files).each do |file|
             path = file.name
-            dir = Pathname.new(path).dirname
-            FileUtils.mkdir_p(dir)
-            File.write(file.name, sanitized_manifest_content(T.must(file.content)))
+            # Convert absolute paths to relative paths to avoid permission errors
+            relative_path = path.start_with?("/") ? path[1..-1] || "." : path
+            dir = Pathname.new(relative_path).dirname
+            FileUtils.mkdir_p(dir) unless dir.to_s == "."
+            File.write(relative_path, sanitized_manifest_content(T.must(file.content)))
 
             next if virtual_manifest?(file)
 

data/lib/dependabot/cargo/update_checker.rb

@@ -261,12 +261,25 @@ module Dependabot
           latest_allowable_version: latest_version
         ).prepared_dependency_files
 
-        VersionResolver.new(
+        result = VersionResolver.new(
           dependency: dependency,
           prepared_dependency_files: prepared_files,
           original_dependency_files: dependency_files,
           credentials: credentials
         ).latest_resolvable_version
+
+        # If the resolver returns a version higher than latest_version, cap it at latest_version
+        # This handles cases where the resolver might pick prereleases or incorrect versions
+        # Only apply this logic for semantic versions, not git SHAs
+        if result && latest_version &&
+           !git_dependency? &&
+           version_class.correct?(result.to_s) &&
+           version_class.correct?(latest_version.to_s) &&
+           version_class.new(result.to_s) > version_class.new(latest_version.to_s)
+          latest_version
+        else
+          result
+        end
       end
 
       sig { returns(T.nilable(T.any(String, Gem::Version))) }

data/lib/dependabot/cargo/version.rb

@@ -43,6 +43,122 @@ module Dependabot
 
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
+
+      # Cargo uses a different semantic versioning approach for pre-1.0 versions:
+      # - For 0.y.z versions: changes in y are considered major/breaking
+      # - For 0.0.z versions: changes in z are considered major/breaking
+      # - Only the leftmost non-zero component is considered for compatibility
+
+      sig { override.returns(T::Array[String]) }
+      def ignored_patch_versions
+        parts = to_s.split(".")
+        major = parts[0].to_i
+        minor = parts[1].to_i
+
+        # For 0.0.z versions, patch changes are breaking, so treat as major
+        return ignored_major_versions if major.zero? && minor.zero?
+
+        # For 0.y.z versions, patch changes are compatible, use standard logic
+        return super if major.zero?
+
+        # For 1.y.z+ versions, use standard semantic versioning
+        super
+      end
+
+      sig { override.returns(T::Array[String]) }
+      def ignored_minor_versions
+        parts = to_s.split(".")
+        major = parts[0].to_i
+
+        # For 0.y.z versions, minor changes are breaking, so treat as major
+        return ignored_major_versions if major.zero?
+
+        # For 1.y.z+ versions, use standard semantic versioning
+        super
+      end
+
+      # Determines the correct update type for a version change according to Cargo's semantic versioning rules
+      # For pre-1.0 versions, Cargo treats changes in the leftmost non-zero component as breaking
+      sig { params(from_version: T.any(String, Dependabot::Cargo::Version), to_version: T.any(String, Dependabot::Cargo::Version)).returns(String) }
+      def self.update_type(from_version, to_version)
+        from_v, to_v = normalize_versions(from_version, to_version)
+        from_major, from_minor, from_patch, to_major, to_minor, to_patch = extract_version_parts(from_v, to_v)
+
+        # Standard semver for 1.0.0+ versions
+        return standard_semver_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch) if from_major >= 1
+
+        # Cargo pre-1.0 semver rules
+        cargo_pre_1_0_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch)
+      rescue StandardError => e
+        # Log the error but return a safe default
+        Dependabot.logger.warn("Error in Cargo::Version.update_type: #{e.message}")
+        "major" # Default to major for safety
+      end
+
+      sig do
+        params(
+          from_version: T.any(String, Dependabot::Cargo::Version),
+          to_version: T.any(String, Dependabot::Cargo::Version)
+        ).returns([Dependabot::Cargo::Version, Dependabot::Cargo::Version])
+      end
+      def self.normalize_versions(from_version, to_version)
+        from_v = from_version.is_a?(String) ? T.cast(new(from_version), Dependabot::Cargo::Version) : from_version
+        to_v = to_version.is_a?(String) ? T.cast(new(to_version), Dependabot::Cargo::Version) : to_version
+        [from_v, to_v]
+      end
+
+      sig { params(from_v: Dependabot::Cargo::Version, to_v: Dependabot::Cargo::Version).returns([Integer, Integer, Integer, Integer, Integer, Integer]) }
+      def self.extract_version_parts(from_v, to_v)
+        from_parts = from_v.to_s.split(".").map(&:to_i)
+        to_parts = to_v.to_s.split(".").map(&:to_i)
+
+        [from_parts[0] || 0, from_parts[1] || 0, from_parts[2] || 0,
+         to_parts[0] || 0, to_parts[1] || 0, to_parts[2] || 0]
+      end
+
+      # rubocop:disable Metrics/ParameterLists
+      sig do
+        params(
+          from_major: Integer,
+          from_minor: Integer,
+          from_patch: Integer,
+          to_major: Integer,
+          to_minor: Integer,
+          to_patch: Integer
+        ).returns(String)
+      end
+      def self.standard_semver_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch)
+        return "major" if to_major > from_major
+        return "minor" if to_minor > from_minor
+        return "patch" if to_patch > from_patch
+
+        "patch"
+      end
+
+      sig do
+        params(
+          from_major: Integer,
+          from_minor: Integer,
+          from_patch: Integer,
+          to_major: Integer,
+          to_minor: Integer,
+          to_patch: Integer
+        ).returns(String)
+      end
+      def self.cargo_pre_1_0_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch)
+        # Any major version increase is always major
+        return "major" if to_major > from_major
+
+        # For 0.0.z versions, any change is breaking
+        return "major" if from_minor.zero? && (to_minor > from_minor || to_patch > from_patch)
+
+        # For 0.y.z versions, minor changes are breaking
+        return "major" if to_minor > from_minor
+
+        # Only patch changes remain
+        "patch"
+      end
+      # rubocop:enable Metrics/ParameterLists
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.340.0
+  version: 0.342.1
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.340.0
+        version: 0.342.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.340.0
+        version: 0.342.1
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.340.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.342.1
 rdoc_options: []
 require_paths:
 - lib