dependabot-cargo 0.341.0 → 0.342.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81b5078d121895148890b7f204e56c8622297d1abe48d29f6a18f1f161d5a324
-  data.tar.gz: 127662908e03a996f1b62197083dace776b60854f6e797f769979768816a1a96
+  metadata.gz: 24474e4539bb3a8547a639f5a16737166f4d0e329c8b8d857245a2133719282e
+  data.tar.gz: fe51accf4820675950bbf0837704608f998a66cf67ccc5d0c4c405f400cea3b8
 SHA512:
-  metadata.gz: 453ee1deb7b4f3ef0518cfe7fe4e5455c30969df7595532af8b1e1a95999a082cf795327cd6c7d380ca8f29c9465f6af82659a6ee51ac77b07a4eeda2f84e78c
-  data.tar.gz: e1997255b35b8baa728b4cd5b97ad723dd1d3d64868f7a2e6d6e0eaca97d2a72d66fe28bae5bc1f52b9eda0af3e4e8ebfdfc07f88ec182a820e05bd9158e896a
+  metadata.gz: 3b8448fe1beb3afd164187c8240c7dc67c7ae7ff07d67fbc7b112dd066b6ec6838af4d5c79024333261dc1240941b72ce05765b44581b189ac600c6c2034e3fa
+  data.tar.gz: d6a9626c6e705b73597dbe0cd94e5b95e3bbdaa532c98d7f2826f978095267e4ffadb7ae369b9ef01807f05ddf679638abde40ccbb337304e776af01ea7bc62d

data/lib/dependabot/cargo/file_updater/lockfile_updater.rb

@@ -99,12 +99,44 @@ module Dependabot
 
         sig { params(error: StandardError).returns(T.noreturn) }
         def handle_cargo_error(error)
-          raise unless error.message.include?("failed to select a version") ||
-                       error.message.include?("no matching version") ||
-                       error.message.include?("unexpected end of input while parsing major version number")
+          raise unless resolvable_cargo_error?(error.message)
           raise if error.message.include?("`#{dependency.name} ")
 
-          raise Dependabot::DependencyFileNotResolvable, error.message
+          extract_binary_path_error(error.message)
+        end
+
+        sig { params(message: String).returns(T::Boolean) }
+        def resolvable_cargo_error?(message)
+          message.include?("failed to select a version") ||
+            message.include?("no matching version") ||
+            message.include?("unexpected end of input while parsing major version number") ||
+            message.match?(/couldn't find `[^`]+\.rs`/) ||
+            message.match?(/failed to find `[^`]+\.rs`/) ||
+            message.match?(/could not find `[^`]+\.rs`/) ||
+            message.match?(/cannot find binary `[^`]+`/) ||
+            message.include?("Please specify bin.path if you want to use a non-default path") ||
+            message.include?("binary target")
+        end
+
+        sig { params(message: String).returns(T.noreturn) }
+        def extract_binary_path_error(message)
+          if (match = message.match(/can't find `([^`]+)` bin at `([^`]+)`/))
+            binary_name = match[1]
+            expected_path = match[2]
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Binary '#{binary_name}' not found at expected path '#{expected_path}'. " \
+                  "Please check the bin.path configuration in Cargo.toml."
+          elsif (match = message.match(/(couldn't find|failed to find|could not find) `([^`]+\.rs)`/))
+            file_path = match[2]
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Source file '#{file_path}' not found. Please check the bin.path configuration in Cargo.toml."
+          elsif (match = message.match(/cannot find binary `([^`]+)`/))
+            binary_name = match[1]
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Binary target '#{binary_name}' not found. Please check the [[bin]] configuration in Cargo.toml."
+          end
+
+          raise Dependabot::DependencyFileNotResolvable, message
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
@@ -186,27 +218,46 @@ module Dependabot
           start = Time.now
           command = SharedHelpers.escape_command(command)
           Helpers.setup_credentials_in_environment(credentials)
-          # Pass through any registry tokens supplied via CARGO_REGISTRIES_...
-          # environment variables.
           env = ENV.select { |key, _value| key.match(/^CARGO_REGISTRIES_/) }
           stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 
-          # Raise an error with the output from the shell session if Cargo
-          # returns a non-zero status
           return if process.success?
 
+          handle_cargo_command_error(stdout, command, fingerprint, time_taken)
+        end
+
+        sig { params(stdout: String, command: String, fingerprint: String, time_taken: Float).returns(T.noreturn) }
+        def handle_cargo_command_error(stdout, command, fingerprint, time_taken)
           if using_old_toolchain?(stdout)
             raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
           end
 
-          # ambiguous package specification
+          check_ambiguous_package_error(stdout)
+          check_missing_package_error(stdout)
+          check_binary_path_error(stdout)
+
+          raise SharedHelpers::HelperSubprocessFailed.new(
+            message: stdout,
+            error_context: {
+              command: command,
+              fingerprint: fingerprint,
+              time_taken: time_taken,
+              process_exit_value: "non-zero"
+            }
+          )
+        end
+
+        sig { params(stdout: String).void }
+        def check_ambiguous_package_error(stdout)
           ambiguous_match = stdout.match(/There are multiple `([^`]+)` packages.*specification `([^`]+)` is ambiguous/)
-          if ambiguous_match
-            raise Dependabot::DependencyFileNotEvaluatable, "Ambiguous package specification: #{ambiguous_match[2]}"
-          end
+          return unless ambiguous_match
+
+          raise Dependabot::DependencyFileNotEvaluatable, "Ambiguous package specification: #{ambiguous_match[2]}"
+        end
 
-          # package doesn't exist in the index
+        sig { params(stdout: String).void }
+        def check_missing_package_error(stdout)
           if (match = stdout.match(/no matching package named `([^`]+)` found/))
             raise Dependabot::DependencyFileNotResolvable, match[1]
           end
@@ -214,16 +265,24 @@ module Dependabot
           if (match = /error: no matching package found\nsearched package name: `([^`]+)`/m.match(stdout))
             raise Dependabot::DependencyFileNotResolvable, match[1]
           end
+        end
 
-          raise SharedHelpers::HelperSubprocessFailed.new(
-            message: stdout,
-            error_context: {
-              command: command,
-              fingerprint: fingerprint,
-              time_taken: time_taken,
-              process_exit_value: process.to_s
-            }
-          )
+        sig { params(stdout: String).void }
+        def check_binary_path_error(stdout)
+          return unless binary_path_error?(stdout)
+
+          extract_binary_path_error(stdout)
+        end
+
+        sig { params(stdout: String).returns(T::Boolean) }
+        def binary_path_error?(stdout)
+          stdout.match?(/couldn't find `[^`]+\.rs`/) ||
+            stdout.match?(/failed to find `[^`]+\.rs`/) ||
+            stdout.match?(/could not find `[^`]+\.rs`/) ||
+            stdout.match?(/cannot find binary `[^`]+`/) ||
+            stdout.match?(/binary target `[^`]+` not found/) ||
+            stdout.include?("Please specify bin.path if you want to use a non-default path") ||
+            (stdout.include?("binary target") && stdout.include?("not found"))
         end
 
         sig { params(message: String).returns(T::Boolean) }

data/lib/dependabot/cargo/update_checker/version_resolver.rb

@@ -238,75 +238,100 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        # rubocop:disable Metrics/AbcSize
-        # rubocop:disable Metrics/PerceivedComplexity
         sig { params(error: StandardError).void }
         def handle_cargo_errors(error)
-          if error.message.include?("does not have these features")
+          return if missing_feature_error?(error)
+          return if recoverable_workspace_error?(error)
+
+          handle_git_authentication_errors(error)
+          handle_git_reference_errors(error)
+          handle_toolchain_errors(error)
+          handle_resolvability_errors(error)
+
+          raise
+        end
+
+        sig { params(error: StandardError).returns(T::Boolean) }
+        def missing_feature_error?(error)
+          if error.message.include?("does not have these features") ||
+             error.message.include?("does not have that feature")
             # TODO: Ideally we should update the declaration not to ask
             # for the specified features
-            return
+            return true
           end
 
-          if error.message.include?("authenticate when downloading repo") ||
-             error.message.include?("fatal: Authentication failed for")
-            # Check all dependencies for reachability (so that we raise a
-            # consistent error)
-            urls = unreachable_git_urls
-
-            if T.must(urls).none?
-              url = T.must(
-                T.must(error.message.match(UNABLE_TO_UPDATE))
-                                            .named_captures.fetch("url")
-              ).split(/[#?]/).first
-              raise if T.must(reachable_git_urls).include?(url)
-
-              # Fix: Wrap url in T.must since split().first can return nil
-              T.must(urls) << T.must(url)
-            end
+          false
+        end
+
+        sig { params(error: StandardError).void }
+        def handle_git_authentication_errors(error)
+          return unless error.message.include?("authenticate when downloading repo") ||
+                        error.message.include?("fatal: Authentication failed for")
+
+          urls = unreachable_git_urls
+
+          if T.must(urls).none?
+            url = T.must(
+              T.must(error.message.match(UNABLE_TO_UPDATE))
+                                          .named_captures.fetch("url")
+            ).split(/[#?]/).first
+            raise if T.must(reachable_git_urls).include?(url)
 
-            raise Dependabot::GitDependenciesNotReachable, T.must(urls)
+            T.must(urls) << T.must(url)
           end
 
+          raise Dependabot::GitDependenciesNotReachable, T.must(urls)
+        end
+
+        sig { params(error: StandardError).void }
+        def handle_git_reference_errors(error)
           [BRANCH_NOT_FOUND_REGEX, REF_NOT_FOUND_REGEX, GIT_REF_NOT_FOUND_REGEX, NOT_OUR_REF_REGEX].each do |regex|
             next unless error.message.match?(regex)
 
             dependency_url = T.must(T.must(error.message.match(regex)).named_captures.fetch("url")).split(/[#?]/).first
-            # Fix: Wrap dependency_url in T.must since split().first can return nil
             raise Dependabot::GitDependencyReferenceNotFound, T.must(dependency_url)
           end
+        end
 
+        sig { params(error: StandardError).returns(T::Boolean) }
+        def recoverable_workspace_error?(error)
           if workspace_native_library_update_error?(error.message)
             # This happens when we're updating one part of a workspace which
             # triggers an update of a subdependency that uses a native library,
             # whilst leaving another part of the workspace using an older
             # version. Ideally we would prevent the subdependency update.
-            return nil
+            return true
           end
 
           if git_dependency? && error.message.include?("no matching package")
             # This happens when updating a git dependency whose version has
             # changed from a release to a pre-release version
-            return nil
+            return true
           end
 
           if error.message.include?("all possible versions conflict")
             # This happens when a top-level requirement locks us to an old
             # patch release of a dependency that is a sub-dep of what we're
             # updating. It's (probably) a Cargo bug.
-            return nil
+            return true
           end
 
-          if using_old_toolchain?(error.message)
-            raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
-          end
+          false
+        end
 
-          raise Dependabot::DependencyFileNotResolvable, error.message if resolvability_error?(error.message)
+        sig { params(error: StandardError).void }
+        def handle_toolchain_errors(error)
+          return unless using_old_toolchain?(error.message)
 
-          raise
+          raise Dependabot::DependencyFileNotEvaluatable, "Dependabot only supports toolchain 1.68 and up."
+        end
+
+        sig { params(error: StandardError).void }
+        def handle_resolvability_errors(error)
+          return unless resolvability_error?(error.message)
+
+          raise Dependabot::DependencyFileNotResolvable, error.message
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         sig { params(message: T.nilable(String)).returns(T.any(Dependabot::Version, T::Boolean)) }
         def using_old_toolchain?(message)
@@ -360,20 +385,37 @@ module Dependabot
 
         sig { params(message: String).returns(T::Boolean) }
         def resolvability_error?(message)
-          return true if message.include?("failed to parse lock")
-          return true if message.include?("believes it's in a workspace")
-          return true if message.include?("wasn't a root")
-          return true if message.include?("requires a nightly version")
-          return true if message.match?(/feature `[^\`]+` is required/)
-          return true if message.include?("unexpected end of input while parsing major version number")
+          return true if common_resolvability_error?(message)
+          return true if binary_path_error?(message)
 
           original_requirements_resolvable = original_requirements_resolvable?
-
           return false if original_requirements_resolvable == :unknown
 
           !original_requirements_resolvable
         end
 
+        sig { params(message: String).returns(T::Boolean) }
+        def common_resolvability_error?(message)
+          message.include?("failed to parse lock") ||
+            message.include?("believes it's in a workspace") ||
+            message.include?("wasn't a root") ||
+            message.include?("requires a nightly version") ||
+            message.match?(/feature `[^\`]+` is required/) ||
+            message.include?("unexpected end of input while parsing major version number")
+        end
+
+        sig { params(message: String).returns(T::Boolean) }
+        def binary_path_error?(message)
+          message.match?(/couldn't find `[^`]+\.rs`/) ||
+            message.match?(/failed to find `[^`]+\.rs`/) ||
+            message.match?(/could not find `[^`]+\.rs`/) ||
+            message.match?(/cannot find binary `[^`]+`/) ||
+            message.match?(/binary target `[^`]+` not found/) ||
+            message.include?("Please specify bin.path if you want to use a non-default path") ||
+            message.include?("binary target") ||
+            message.include?("target not found")
+        end
+
         sig { returns(T.any(TrueClass, FalseClass, Symbol)) }
         def original_requirements_resolvable?
           base_directory = T.must(original_dependency_files.first).directory
@@ -421,9 +463,11 @@ module Dependabot
 
           T.must(manifest_files).each do |file|
             path = file.name
-            dir = Pathname.new(path).dirname
-            FileUtils.mkdir_p(dir)
-            File.write(file.name, sanitized_manifest_content(T.must(file.content)))
+            # Convert absolute paths to relative paths to avoid permission errors
+            relative_path = path.start_with?("/") ? path[1..-1] || "." : path
+            dir = Pathname.new(relative_path).dirname
+            FileUtils.mkdir_p(dir) unless dir.to_s == "."
+            File.write(relative_path, sanitized_manifest_content(T.must(file.content)))
 
             next if virtual_manifest?(file)
 

data/lib/dependabot/cargo/update_checker.rb

@@ -261,12 +261,25 @@ module Dependabot
           latest_allowable_version: latest_version
         ).prepared_dependency_files
 
-        VersionResolver.new(
+        result = VersionResolver.new(
           dependency: dependency,
           prepared_dependency_files: prepared_files,
           original_dependency_files: dependency_files,
           credentials: credentials
         ).latest_resolvable_version
+
+        # If the resolver returns a version higher than latest_version, cap it at latest_version
+        # This handles cases where the resolver might pick prereleases or incorrect versions
+        # Only apply this logic for semantic versions, not git SHAs
+        if result && latest_version &&
+           !git_dependency? &&
+           version_class.correct?(result.to_s) &&
+           version_class.correct?(latest_version.to_s) &&
+           version_class.new(result.to_s) > version_class.new(latest_version.to_s)
+          latest_version
+        else
+          result
+        end
       end
 
       sig { returns(T.nilable(T.any(String, Gem::Version))) }

data/lib/dependabot/cargo/version.rb

@@ -43,6 +43,122 @@ module Dependabot
 
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
+
+      # Cargo uses a different semantic versioning approach for pre-1.0 versions:
+      # - For 0.y.z versions: changes in y are considered major/breaking
+      # - For 0.0.z versions: changes in z are considered major/breaking
+      # - Only the leftmost non-zero component is considered for compatibility
+
+      sig { override.returns(T::Array[String]) }
+      def ignored_patch_versions
+        parts = to_s.split(".")
+        major = parts[0].to_i
+        minor = parts[1].to_i
+
+        # For 0.0.z versions, patch changes are breaking, so treat as major
+        return ignored_major_versions if major.zero? && minor.zero?
+
+        # For 0.y.z versions, patch changes are compatible, use standard logic
+        return super if major.zero?
+
+        # For 1.y.z+ versions, use standard semantic versioning
+        super
+      end
+
+      sig { override.returns(T::Array[String]) }
+      def ignored_minor_versions
+        parts = to_s.split(".")
+        major = parts[0].to_i
+
+        # For 0.y.z versions, minor changes are breaking, so treat as major
+        return ignored_major_versions if major.zero?
+
+        # For 1.y.z+ versions, use standard semantic versioning
+        super
+      end
+
+      # Determines the correct update type for a version change according to Cargo's semantic versioning rules
+      # For pre-1.0 versions, Cargo treats changes in the leftmost non-zero component as breaking
+      sig { params(from_version: T.any(String, Dependabot::Cargo::Version), to_version: T.any(String, Dependabot::Cargo::Version)).returns(String) }
+      def self.update_type(from_version, to_version)
+        from_v, to_v = normalize_versions(from_version, to_version)
+        from_major, from_minor, from_patch, to_major, to_minor, to_patch = extract_version_parts(from_v, to_v)
+
+        # Standard semver for 1.0.0+ versions
+        return standard_semver_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch) if from_major >= 1
+
+        # Cargo pre-1.0 semver rules
+        cargo_pre_1_0_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch)
+      rescue StandardError => e
+        # Log the error but return a safe default
+        Dependabot.logger.warn("Error in Cargo::Version.update_type: #{e.message}")
+        "major" # Default to major for safety
+      end
+
+      sig do
+        params(
+          from_version: T.any(String, Dependabot::Cargo::Version),
+          to_version: T.any(String, Dependabot::Cargo::Version)
+        ).returns([Dependabot::Cargo::Version, Dependabot::Cargo::Version])
+      end
+      def self.normalize_versions(from_version, to_version)
+        from_v = from_version.is_a?(String) ? T.cast(new(from_version), Dependabot::Cargo::Version) : from_version
+        to_v = to_version.is_a?(String) ? T.cast(new(to_version), Dependabot::Cargo::Version) : to_version
+        [from_v, to_v]
+      end
+
+      sig { params(from_v: Dependabot::Cargo::Version, to_v: Dependabot::Cargo::Version).returns([Integer, Integer, Integer, Integer, Integer, Integer]) }
+      def self.extract_version_parts(from_v, to_v)
+        from_parts = from_v.to_s.split(".").map(&:to_i)
+        to_parts = to_v.to_s.split(".").map(&:to_i)
+
+        [from_parts[0] || 0, from_parts[1] || 0, from_parts[2] || 0,
+         to_parts[0] || 0, to_parts[1] || 0, to_parts[2] || 0]
+      end
+
+      # rubocop:disable Metrics/ParameterLists
+      sig do
+        params(
+          from_major: Integer,
+          from_minor: Integer,
+          from_patch: Integer,
+          to_major: Integer,
+          to_minor: Integer,
+          to_patch: Integer
+        ).returns(String)
+      end
+      def self.standard_semver_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch)
+        return "major" if to_major > from_major
+        return "minor" if to_minor > from_minor
+        return "patch" if to_patch > from_patch
+
+        "patch"
+      end
+
+      sig do
+        params(
+          from_major: Integer,
+          from_minor: Integer,
+          from_patch: Integer,
+          to_major: Integer,
+          to_minor: Integer,
+          to_patch: Integer
+        ).returns(String)
+      end
+      def self.cargo_pre_1_0_type(from_major, from_minor, from_patch, to_major, to_minor, to_patch)
+        # Any major version increase is always major
+        return "major" if to_major > from_major
+
+        # For 0.0.z versions, any change is breaking
+        return "major" if from_minor.zero? && (to_minor > from_minor || to_patch > from_patch)
+
+        # For 0.y.z versions, minor changes are breaking
+        return "major" if to_minor > from_minor
+
+        # Only patch changes remain
+        "patch"
+      end
+      # rubocop:enable Metrics/ParameterLists
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.341.0
+  version: 0.342.1
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.341.0
+        version: 0.342.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.341.0
+        version: 0.342.1
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.341.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.342.1
 rdoc_options: []
 require_paths:
 - lib