RubyGems - dependabot-cargo - Versions diffs - 0.305.0 → 0.306.0 - Mend

dependabot-cargo 0.305.0 → 0.306.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/cargo/package/package_details_fetcher.rb +231 -0
data/lib/dependabot/cargo/update_checker/latest_version_finder.rb +25 -166
metadata +6 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7bb1d1d01e8722e5d2e2b4d7d5ebd81308db522828484bc57e3a5f7199acd16c
-  data.tar.gz: 5c9fee65711dbb7fb55fa211d48578e46189053ad017b616576bee87530d066e
+  metadata.gz: 72b4039f8ac30bc8421818e11b43de5d2d9997cd5fdb5a4e53bba00b3bc7df15
+  data.tar.gz: c4a81d07aecd06538167a7c628e17c4f1aea1e0214816e5a8aaf29cad9796dc3
 SHA512:
-  metadata.gz: da0510df1c5a53673c4cdae9278e8c5d8b674f44d88ae279eb79d97d14980d658fe48d2caba0c4390d472289f3788a78808f505d069803a3d19e5c86722f75e5
-  data.tar.gz: 4634cef9a1f15590dba5127a23cfdf43d0661c10994cef61a0919a5dd2fd8b4f19f4e51acaf95d12a5e781453d0aa98f63218d0f3e5ae58eca331dd9304e64d2
+  metadata.gz: 0730b405c1f82cecdd1f1efb647e6eea37420b9d241fe46c6225bd41dd329388bff05b007051e6f901e110b27cd567b8a5dbe7a86600056f5f78d6dd657a4155
+  data.tar.gz: eb7cfa179819ae14421be61f9c847d1e79c94590ba90b0063d74a6c314e7b56740a2d9a3b9ef54ca68abeae8c2de72079426702ef641da9293dd1a4eab5c0df2

data/lib/dependabot/cargo/package/package_details_fetcher.rb ADDED Viewed

@@ -0,0 +1,231 @@
+# typed: strict
+# frozen_string_literal: true
+require "json"
+require "time"
+require "cgi"
+require "excon"
+require "nokogiri"
+require "sorbet-runtime"
+require "dependabot/registry_client"
+require "dependabot/cargo"
+require "dependabot/package/package_release"
+require "dependabot/package/package_details"
+module Dependabot
+  module Cargo
+    module Package
+      class PackageDetailsFetcher
+        extend T::Sig
+        CRATES_IO_API = "https://crates.io/api/v1/crates"
+        PACKAGE_TYPE = "gem"
+        PACKAGE_LANGUAGE = "rust"
+        # fallback for empty requirement
+        RUST_REQUIREMENT = "1.0"
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @source_type = T.let(nil, T.nilable(String))
+        end
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig { returns(T::Array[T.untyped]) }
+        attr_reader :dependency_files
+        sig { returns(T::Array[T.untyped]) }
+        attr_reader :credentials
+        sig do
+          returns(T.nilable(Dependabot::Package::PackageDetails))
+        end
+        def fetch
+          package_releases = crates_listing.fetch("versions", []).reject { |v| v["yanked"] }.map do |release|
+            package_release(
+              version: release["num"] || release["vers"],
+              released_at: release["created_at"] ? Time.parse(release["created_at"]) : nil,
+              downloads: release["downloads"],
+              url: "#{CRATES_IO_API}/#{release['dl_path']}",
+              rust_version: release["rust"]
+            )
+          end
+          package_details(package_releases)
+        end
+        private
+        sig do
+          returns(T.untyped)
+        end
+        def crates_listing
+          return @crates_listing unless @crates_listing.nil?
+          info = fetch_dependency_info
+          index = fetch_index(info)
+          hdrs = default_headers
+          hdrs.merge!(auth_headers(info)) if index != CRATES_IO_API
+          url = metadata_fetch_url(dependency, index)
+          Dependabot.logger.info("Calling #{url} to fetch metadata for #{dependency.name} from #{index}")
+          response = fetch_response(url, hdrs)
+          return {} if response.status == 404
+          @crates_listing = T.let(parse_response(response, index), T.nilable(T::Hash[T.untyped, T.untyped]))
+          Dependabot.logger.info("Fetched metadata for #{dependency.name} from #{index} successfully")
+          @crates_listing
+        end
+        sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+        def fetch_dependency_info
+          dependency.requirements.filter_map { |r| r[:source] }.first
+        end
+        sig { params(info: T.untyped).returns(String) }
+        def fetch_index(info)
+          (info && info[:index]) || CRATES_IO_API
+        end
+        sig { returns(T::Hash[T.untyped, T.untyped]) }
+        def default_headers
+          { "User-Agent" => "Dependabot (dependabot.com)" }
+        end
+        sig { params(info: T.untyped).returns(T::Hash[T.untyped, T.untyped]) }
+        def auth_headers(info)
+          registry_creds = credentials.find do |cred|
+            cred["type"] == "cargo_registry" && cred["registry"] == info[:name]
+          end
+          return {} if registry_creds.nil?
+          token = registry_creds["token"] || "placeholder_token"
+          { "Authorization" => token }
+        end
+        sig { params(url: String, headers: T.untyped).returns(Excon::Response) }
+        def fetch_response(url, headers)
+          Excon.get(
+            url,
+            idempotent: true,
+            **SharedHelpers.excon_defaults(headers: headers)
+          )
+        end
+        sig { params(response: Excon::Response, index: T.untyped).returns(T::Hash[T.untyped, T.untyped]) }
+        def parse_response(response, index)
+          if index.start_with?("sparse+")
+            parsed_response = response.body.lines.map { |line| JSON.parse(line) }
+            { "versions" => parsed_response }
+          else
+            JSON.parse(response.body)
+          end
+        end
+        sig { params(dependency: T.untyped, index: T.untyped).returns(String) }
+        def metadata_fetch_url(dependency, index)
+          return "#{index}/#{dependency.name}" if index == CRATES_IO_API
+          # Determine cargo's index file path for the dependency
+          index = index.delete_prefix("sparse+")
+          name_length = dependency.name.length
+          dependency_path = case name_length
+                            when 1, 2
+                              "#{name_length}/#{dependency.name}"
+                            when 3
+                              "#{name_length}/#{dependency.name[0..1]}/#{dependency.name}"
+                            else
+                              "#{dependency.name[0..1]}/#{dependency.name[2..3]}/#{dependency.name}"
+                            end
+          "#{index}#{'/' unless index.end_with?('/')}#{dependency_path}"
+        end
+        sig { returns(T::Boolean) }
+        def wants_prerelease?
+          return true if dependency.numeric_version&.prerelease?
+          dependency.requirements.any? do |req|
+            reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)
+            reqs.any? { |r| r.match?(/[A-Za-z]/) }
+          end
+        end
+        sig { returns(T.class_of(Dependabot::Version)) }
+        def version_class
+          dependency.version_class
+        end
+        sig { returns(T.class_of(Dependabot::Requirement)) }
+        def requirement_class
+          dependency.requirement_class
+        end
+        sig do
+          params(
+            version: String,
+            released_at: T.nilable(Time),
+            downloads: T.nilable(Integer),
+            url: T.nilable(String),
+            rust_version: T.nilable(String),
+            yanked: T::Boolean
+          ).returns(Dependabot::Package::PackageRelease)
+        end
+        def package_release(version:, released_at:, downloads:, url:, rust_version:, yanked: false)
+          Dependabot::Package::PackageRelease.new(
+            version: Cargo::Version.new(version),
+            released_at: released_at,
+            yanked: yanked,
+            yanked_reason: nil,
+            downloads: downloads,
+            url: url,
+            package_type: PACKAGE_TYPE,
+            language: Dependabot::Package::PackageLanguage.new(
+              name: PACKAGE_LANGUAGE,
+              version: nil,
+              requirement: language_requirement(rust_version)
+            )
+          )
+        end
+        sig { params(req_string: T.nilable(String)).returns(T.nilable(Requirement)) }
+        def language_requirement(req_string)
+          return Requirement.new(req_string) if req_string && !req_string.empty?
+          nil
+        end
+        sig do
+          params(releases: T::Array[Dependabot::Package::PackageRelease])
+            .returns(Dependabot::Package::PackageDetails)
+        end
+        def package_details(releases)
+          @package_details ||= T.let(
+            Dependabot::Package::PackageDetails.new(
+              dependency: dependency,
+              releases: releases.reverse.uniq(&:version)
+            ), T.nilable(Dependabot::Package::PackageDetails)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/cargo/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -5,16 +5,16 @@ require "excon"
 require "dependabot/cargo/update_checker"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
+require "dependabot/cargo/package/package_details_fetcher"
+require "dependabot/package/package_latest_version_finder"
 require "sorbet-runtime"
 module Dependabot
   module Cargo
     class UpdateChecker
-      class LatestVersionFinder
+      class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
-        CRATES_IO_API = "https://crates.io/api/v1/crates"
         def initialize(dependency:, dependency_files:, credentials:,
                        ignored_versions:, raise_on_ignored: false,
                        security_advisories:)
@@ -26,169 +26,28 @@ module Dependabot
           @security_advisories = security_advisories
         end
-        def latest_version
-          @latest_version ||= fetch_latest_version
-        end
-        def lowest_security_fix_version
-          @lowest_security_fix_version ||= fetch_lowest_security_fix_version
-        end
-        private
-        attr_reader :dependency
-        attr_reader :dependency_files
-        attr_reader :credentials
-        attr_reader :ignored_versions
-        attr_reader :security_advisories
-        def fetch_latest_version
-          versions = available_versions
-          versions = filter_prerelease_versions(versions)
-          versions = filter_ignored_versions(versions)
-          versions.max
+        sig do
+          override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
-        def fetch_lowest_security_fix_version
-          versions = available_versions
-          versions = filter_prerelease_versions(versions)
-          versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(versions,
-                                                                                           security_advisories)
-          versions = filter_ignored_versions(versions)
-          versions = filter_lower_versions(versions)
-          versions.min
+        def package_details
+          @package_details ||= Package::PackageDetailsFetcher.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).fetch
         end
-        sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
-        def filter_prerelease_versions(versions_array)
-          return versions_array if wants_prerelease?
-          filtered = versions_array.reject(&:prerelease?)
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} pre-release versions")
-          end
-          filtered
-        end
-        sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
-        def filter_ignored_versions(versions_array)
-          filtered = versions_array
-                     .reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
-          if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
-            raise Dependabot::AllVersionsIgnored
-          end
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} ignored versions")
-          end
-          filtered
-        end
-        def filter_lower_versions(versions_array)
-          return versions_array unless dependency.numeric_version
-          versions_array
-            .select { |version| version > dependency.numeric_version }
-        end
-        def available_versions
-          crates_listing
-            .fetch("versions", [])
-            .reject { |v| v["yanked"] }
-            # Handle both default and sparse registry responses.
-            # Default registry uses "num" for version number.
-            # Sparse registry uses "vers" for version number.
-            .map do |v|
-              version_number = v["num"] || v["vers"]
-              version_class.new(version_number)
-            end
-        end
-        def crates_listing
-          return @crates_listing unless @crates_listing.nil?
-          info = fetch_dependency_info
-          index = fetch_index(info)
-          hdrs = default_headers
-          hdrs.merge!(auth_headers(info)) if index != CRATES_IO_API
-          url = metadata_fetch_url(dependency, index)
-          # B4PR
-          Dependabot.logger.info("Calling #{url} to fetch metadata for #{dependency.name} from #{index}")
-          response = fetch_response(url, hdrs)
-          return {} if response.status == 404
-          @crates_listing = parse_response(response, index)
-          # B4PR
-          Dependabot.logger.info("Fetched metadata for #{dependency.name} from #{index} successfully")
-          @crates_listing
-        end
-        def fetch_dependency_info
-          dependency.requirements.filter_map { |r| r[:source] }.first
-        end
-        def fetch_index(info)
-          (info && info[:index]) || CRATES_IO_API
-        end
-        def default_headers
-          { "User-Agent" => "Dependabot (dependabot.com)" }
-        end
-        def auth_headers(info)
-          registry_creds = credentials.find do |cred|
-            cred["type"] == "cargo_registry" && cred["registry"] == info[:name]
-          end
-          return {} if registry_creds.nil?
-          token = registry_creds["token"] || "placeholder_token"
-          { "Authorization" => token }
-        end
-        def fetch_response(url, headers)
-          Excon.get(
-            url,
-            idempotent: true,
-            **SharedHelpers.excon_defaults(headers: headers)
-          )
+        def latest_version
+          @latest_version ||= fetch_latest_version
         end
-        def parse_response(response, index)
-          if index.start_with?("sparse+")
-            parsed_response = response.body.lines.map { |line| JSON.parse(line) }
-            { "versions" => parsed_response }
-          else
-            JSON.parse(response.body)
-          end
+        def lowest_security_fix_version
+          @lowest_security_fix_version ||= fetch_lowest_security_fix_version(language_version: nil)
         end
-        def metadata_fetch_url(dependency, index)
-          return "#{index}/#{dependency.name}" if index == CRATES_IO_API
-          # Determine cargo's index file path for the dependency
-          index = index.delete_prefix("sparse+")
-          name_length = dependency.name.length
-          dependency_path = case name_length
-                            when 1, 2
-                              "#{name_length}/#{dependency.name}"
-                            when 3
-                              "#{name_length}/#{dependency.name[0..1]}/#{dependency.name}"
-                            else
-                              "#{dependency.name[0..1]}/#{dependency.name[2..3]}/#{dependency.name}"
-                            end
-          "#{index}#{'/' unless index.end_with?('/')}#{dependency_path}"
-        end
+        protected
+        sig { override.returns(T::Boolean) }
         def wants_prerelease?
           return true if dependency.numeric_version&.prerelease?
@@ -198,16 +57,16 @@ module Dependabot
           end
         end
-        def ignore_requirements
-          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
-        end
+        private
-        def version_class
-          dependency.version_class
-        end
+        attr_reader :dependency
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :ignored_versions
+        attr_reader :security_advisories
-        def requirement_class
-          dependency.requirement_class
+        def apply_post_fetch_lowest_security_fix_versions_filter(versions)
+          filter_prerelease_versions(versions)
         end
       end
     end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.305.0
+  version: 0.306.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-06 00:00:00.000000000 Z
+date: 2025-04-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.305.0
+        version: 0.306.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.305.0
+        version: 0.306.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -251,6 +251,7 @@ files:
 - lib/dependabot/cargo/helpers.rb
 - lib/dependabot/cargo/language.rb
 - lib/dependabot/cargo/metadata_finder.rb
+- lib/dependabot/cargo/package/package_details_fetcher.rb
 - lib/dependabot/cargo/package_manager.rb
 - lib/dependabot/cargo/registry_fetcher.rb
 - lib/dependabot/cargo/requirement.rb
@@ -265,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.305.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.306.0
 post_install_message:
 rdoc_options: []
 require_paths: