dependabot-common 0.331.0 → 0.333.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 368060e7dedf182e8c8b2ddf50b4db02fa3e5376af51f9e67c1463447afd34dc
-  data.tar.gz: b803b274fb307a702c06f8b84a97c461c9616c5513c344d75a089f35ceb08af7
+  metadata.gz: 97cacde3bd9b1e5403604eb71363db435ab78fec1a794f0e75c264822033fa8d
+  data.tar.gz: 84122d41a73c7c439ff2cfccb58200ccabed7a76577814f856fb63fcc7c599d8
 SHA512:
-  metadata.gz: 583a5880a5600a7a358971da32c0ec6c50c26221239180daef53139c2d34f9307cc8bb8ef068f13644b01454077708a061a7425d557482e883deacb8c394f8fe
-  data.tar.gz: ed79678548ca61683a7f65860b7901ab7af465263e047cec0ffd6b44e74c4bbea7a0f2e1baf404fa530579e57ddc1e9952e40de089658052f98ed2b14df65cb2
+  metadata.gz: 849fb16bfa7ce8d2b90185214d609ac3b505001069fc86ba9ace6d8794e80f9a8dfabe6e15153e1ce2f2a50bc2a4622d4aa593da5dbbda23c1f0fe822690ee4b
+  data.tar.gz: 9b0dc17ff63aac4c32f086e18b5deaaf28a9a216c5bf533fe5766b94d10add47a9597d26c97aaa6de625015eeae74d1b5af44c8425e75ba8a9f82d125d800a9a

data/lib/dependabot/clients/azure.rb

@@ -226,7 +226,6 @@ module Dependabot
       def create_pull_request(pr_name, source_branch, target_branch,
                               pr_description, labels,
                               reviewers = nil, assignees = nil, work_item = nil)
-
         content = {
           sourceRefName: "refs/heads/" + source_branch,
           targetRefName: "refs/heads/" + target_branch,
@@ -259,7 +258,6 @@ module Dependabot
       def autocomplete_pull_request(pull_request_id, auto_complete_set_by, merge_commit_message,
                                     delete_source_branch = true, squash_merge = true, merge_strategy = "squash",
                                     trans_work_items = true, ignore_config_ids = [])
-
         content = {
           autoCompleteSetBy: {
             id: auto_complete_set_by

data/lib/dependabot/command_helpers.rb

@@ -86,7 +86,6 @@ module Dependabot
       timeout: TIMEOUTS::DEFAULT,
       output_observer: nil
     )
-
       stdout = T.let("", String)
       stderr = T.let("", String)
       status = T.let(nil, T.nilable(ProcessStatus))

data/lib/dependabot/config/file_fetcher.rb

@@ -27,8 +27,6 @@ module Dependabot
         @config_file ||= T.let(files.first, T.nilable(Dependabot::DependencyFile))
       end
 
-      private
-
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_files
         fetched_files = T.let([], T::Array[Dependabot::DependencyFile])

data/lib/dependabot/dependency.rb

@@ -101,9 +101,6 @@ module Dependabot
     sig { returns(T.nilable(Time)) }
     attr_accessor :attribution_timestamp
 
-    sig { returns(T::Array[String]) }
-    attr_reader :origin_files
-
     # rubocop:disable Metrics/AbcSize
     # rubocop:disable Metrics/PerceivedComplexity
     sig do
@@ -118,15 +115,12 @@ module Dependabot
         directory: T.nilable(String),
         subdependency_metadata: T.nilable(T::Array[T::Hash[T.any(Symbol, String), String]]),
         removed: T::Boolean,
-        metadata: T.nilable(T::Hash[T.any(Symbol, String), String]),
-        direct_relationship: T::Boolean,
-        origin_files: T::Array[String]
+        metadata: T.nilable(T::Hash[T.any(Symbol, String), String])
       ).void
     end
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil, directory: nil,
-                   subdependency_metadata: [], removed: false, metadata: {}, direct_relationship: false,
-                   origin_files: [])
+                   subdependency_metadata: [], removed: false, metadata: {})
       @name = name
       @version = T.let(
         case version
@@ -153,8 +147,6 @@ module Dependabot
       end
       @removed = removed
       @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
-      @direct_relationship = direct_relationship
-      @origin_files = origin_files
       check_values
     end
     # rubocop:enable Metrics/AbcSize
@@ -165,12 +157,6 @@ module Dependabot
       requirements.any?
     end
 
-    # used to support lockfile parsing/DependencySubmission
-    sig { returns(T::Boolean) }
-    def direct?
-      top_level? || @direct_relationship
-    end
-
     sig { returns(T::Boolean) }
     def removed?
       @removed
@@ -194,7 +180,7 @@ module Dependabot
         "directory" => directory,
         "package_manager" => package_manager,
         "subdependency_metadata" => subdependency_metadata,
-        "removed" => removed? ? true : nil
+        "removed" => removed? || nil
       }.compact
     end
 
@@ -281,7 +267,7 @@ module Dependabot
       previous_refs = T.must(previous_requirements).filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
       end.uniq
-      previous_refs.first if previous_refs.count == 1
+      previous_refs.first if previous_refs.one?
     end
 
     sig { returns(T.nilable(String)) }
@@ -289,7 +275,7 @@ module Dependabot
       new_refs = requirements.filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
       end.uniq
-      new_refs.first if new_refs.count == 1
+      new_refs.first if new_refs.one?
     end
 
     sig { returns(T::Boolean) }

data/lib/dependabot/dependency_file.rb

@@ -28,14 +28,6 @@ module Dependabot
     sig { returns(T::Boolean) }
     attr_accessor :vendored_file
 
-    # Dependency file priority is used to determine which files are relevant when generating a dependency graph for the
-    # project - only the highest priority files will be graphed for each directory.
-    #
-    # This allows us to default to treating all dependency files as relevant unless the ecosystem's file parser tells
-    # us otherwise, for example indicating that a Gemfile.lock fully supersedes its peered Gemfile.
-    sig { returns(Integer) }
-    attr_accessor :priority
-
     sig { returns(T.nilable(String)) }
     attr_accessor :symlink_target
 
@@ -48,9 +40,6 @@ module Dependabot
     sig { returns(T.nilable(String)) }
     attr_accessor :mode
 
-    sig { returns(T::Set[T.untyped]) }
-    attr_accessor :dependencies
-
     class ContentEncoding
       UTF_8 = "utf-8"
       BASE64 = "base64"
@@ -86,15 +75,14 @@ module Dependabot
         content_encoding: String,
         deleted: T::Boolean,
         operation: String,
-        mode: T.nilable(String),
-        priority: Integer
+        mode: T.nilable(String)
       )
         .void
     end
     def initialize(name:, content:, directory: "/", type: "file",
                    support_file: false, vendored_file: false, symlink_target: nil,
                    content_encoding: ContentEncoding::UTF_8, deleted: false,
-                   operation: Operation::UPDATE, mode: nil, priority: 0)
+                   operation: Operation::UPDATE, mode: nil)
       @name = name
       @content = content
       @directory = T.let(clean_directory(directory), String)
@@ -104,8 +92,6 @@ module Dependabot
       @content_encoding = content_encoding
       @operation = operation
       @mode = mode
-      @dependencies = T.let(Set.new, T::Set[T.untyped])
-      @priority = priority
       raise ArgumentError, "Invalid Git mode: #{mode}" if mode && !VALID_MODES.include?(mode)
 
       # Make deleted override the operation. Deleted is kept when operation

data/lib/dependabot/file_fetchers/base.rb

@@ -158,9 +158,6 @@ module Dependabot
         @files = files
       end
 
-      sig { abstract.returns(T::Array[DependencyFile]) }
-      def fetch_files; end
-
       sig { returns(T.nilable(String)) }
       def commit
         return T.must(cloned_commit) if cloned_commit
@@ -195,6 +192,9 @@ module Dependabot
       sig { overridable.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def ecosystem_versions; end
 
+      sig { abstract.returns(T::Array[DependencyFile]) }
+      def fetch_files; end
+
       private
 
       sig { params(name: String).returns(T.nilable(Dependabot::DependencyFile)) }
@@ -462,14 +462,18 @@ module Dependabot
         params(path: String, fetch_submodules: T::Boolean, raise_errors: T::Boolean)
           .returns(T::Array[OpenStruct])
       end
-      def _fetch_repo_contents(path, fetch_submodules: false, raise_errors: true)
+      def _fetch_repo_contents(path, fetch_submodules: false, raise_errors: true) # rubocop:disable Metrics/PerceivedComplexity
         path = path.gsub(" ", "%20")
         provider, repo, tmp_path, commit =
           _full_specification_for(path, fetch_submodules: fetch_submodules)
           .values_at(:provider, :repo, :path, :commit)
 
         entries = _fetch_repo_contents_fully_specified(provider, repo, tmp_path, commit)
-        entries
+        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
+          filter_excluded(entries)
+        else
+          entries
+        end
       rescue *CLIENT_NOT_FOUND_ERRORS
         raise Dependabot::DirectoryNotFound, directory if path == directory.gsub(%r{^/*}, "")
 
@@ -550,12 +554,16 @@ module Dependabot
             size: 0 # NOTE: added for parity with github contents API
           )
         end
-        entries
+        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
+          filter_excluded(entries)
+        else
+          entries
+        end
       end
 
       # Filters out any entries whose paths match one of the exclude_paths globs.
       sig { params(entries: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
-      def filter_excluded(entries) # rubocop:disable Metrics/PerceivedComplexity,Metrics/MethodLength,Metrics/AbcSize
+      def filter_excluded(entries)
         Dependabot.logger.info("DEBUG filter_excluded: entries=#{entries.length}, exclude_paths=#{@exclude_paths.inspect}") # rubocop:disable Layout/LineLength
 
         return entries if @exclude_paths.empty?
@@ -564,41 +572,7 @@ module Dependabot
           full_entry_path = entry.path
           Dependabot.logger.info("DEBUG: Checking entry path: #{full_entry_path}")
 
-          @exclude_paths.any? do |exclude_pattern|
-            Dependabot.logger.info("DEBUG: Testing pattern: #{exclude_pattern} against path: #{full_entry_path}")
-
-            # case 1: exact match
-            exclude_exact = full_entry_path == exclude_pattern
-
-            # case 2: Directory prefix matching: check if path is inside an excluded directory
-            exclude_deeper = full_entry_path.start_with?("#{exclude_pattern}#{File::SEPARATOR}",
-                                                         "#{exclude_pattern}/")
-
-            # case 3: Explicit recursive (patterns that end with /**)
-            exclude_recursive = false
-            if exclude_pattern.end_with?("/**")
-              base_pattern = exclude_pattern[0...-3]
-              exclude_recursive = full_entry_path == base_pattern ||
-                                  full_entry_path.start_with?("#{base_pattern}/") ||
-                                  full_entry_path.start_with?("#{base_pattern}#{File::SEPARATOR}")
-            end
-
-            # case 4: Glob pattern matching with enhanced flags
-            # Use multiple fnmatch attempts with different flag combinations
-            fnmatch_flags = [
-              File::FNM_EXTGLOB,
-              File::FNM_EXTGLOB | File::FNM_PATHNAME,
-              File::FNM_EXTGLOB | File::FNM_PATHNAME | File::FNM_DOTMATCH,
-              File::FNM_PATHNAME
-            ]
-            exclude_fnmatch_paths = fnmatch_flags.any? do |flag|
-              File.fnmatch?(exclude_pattern, full_entry_path, flag)
-            end
-
-            result = exclude_exact || exclude_deeper || exclude_recursive || exclude_fnmatch_paths
-            Dependabot.logger.info("DEBUG: Pattern #{exclude_pattern} vs #{full_entry_path} -> #{result ? 'EXCLUDED' : 'INCLUDED'}") # rubocop:disable Layout/LineLength
-            result
-          end
+          Dependabot::FileFiltering.exclude_path?(full_entry_path, @exclude_paths)
         end
 
         Dependabot.logger.info("DEBUG filter_excluded: Filtered from #{entries.length} to #{filtered_entries.length} entries") # rubocop:disable Layout/LineLength

data/lib/dependabot/file_filtering.rb

@@ -7,7 +7,7 @@ module Dependabot
 
     # Returns true if the given path matches any of the exclude patterns
     sig { params(path: String, exclude_patterns: T.nilable(T::Array[String])).returns(T::Boolean) }
-    def self.exclude_path?(path, exclude_patterns) # rubocop:disable Metrics/PerceivedComplexity
+    def self.exclude_path?(path, exclude_patterns)
       return false if exclude_patterns.nil? || exclude_patterns.empty?
 
       # Normalize the path by removing leading slashes and resolving relative paths
@@ -16,39 +16,51 @@ module Dependabot
       exclude_patterns.any? do |pattern|
         normalized_pattern = normalize_path(pattern.chomp("/"))
 
-        # case 1: exact match
-        exclude_exact = normalized_path == pattern || normalized_path == normalized_pattern
-
-        # case 2: Directory prefix matching: check if path is inside an excluded directory
-        exclude_deeper = normalized_path.start_with?("#{pattern}#{File::SEPARATOR}",
-                                                     "#{normalized_pattern}#{File::SEPARATOR}")
-
-        # case 3: Explicit recursive (patterns that end with /**)
-        exclude_recursive = false
-        if pattern.end_with?("/**")
-          base_pattern_str = pattern[0...-3]
-          base_pattern = normalize_path(base_pattern_str) if base_pattern_str
-          exclude_recursive = base_pattern && (
-            normalized_path == base_pattern ||
-            normalized_path.start_with?("#{base_pattern}/") ||
-            normalized_path.start_with?("#{base_pattern}#{File::SEPARATOR}")
-          )
-        end
-
-        # case 4: Glob pattern matching with enhanced flags
-        # Use multiple fnmatch attempts with different flag combinations
-        fnmatch_flags = [
-          File::FNM_EXTGLOB,
-          File::FNM_EXTGLOB | File::FNM_PATHNAME,
-          File::FNM_EXTGLOB | File::FNM_PATHNAME | File::FNM_DOTMATCH,
-          File::FNM_PATHNAME
-        ]
-        exclude_fnmatch_paths = fnmatch_flags.any? do |flag|
-          File.fnmatch?(pattern, normalized_path, flag) || File.fnmatch?(normalized_pattern, normalized_path, flag)
-        end
-
-        result = exclude_exact || exclude_deeper || exclude_recursive || exclude_fnmatch_paths
-        result
+        exact_or_directory_match?(normalized_path, pattern, normalized_pattern) ||
+          recursive_match?(normalized_path, pattern) ||
+          glob_match?(normalized_path, pattern, normalized_pattern)
+      end
+    end
+
+    # Check for exact path matches or directory prefix matches
+    sig { params(normalized_path: String, pattern: String, normalized_pattern: String).returns(T::Boolean) }
+    def self.exact_or_directory_match?(normalized_path, pattern, normalized_pattern)
+      # Exact match
+      return true if normalized_path == pattern || normalized_path == normalized_pattern
+
+      # Directory prefix match: check if path is inside an excluded directory
+      normalized_path.start_with?("#{pattern}#{File::SEPARATOR}",
+                                  "#{normalized_pattern}#{File::SEPARATOR}")
+    end
+
+    # Check for recursive pattern matches (patterns ending with /**)
+    sig { params(normalized_path: String, pattern: String).returns(T::Boolean) }
+    def self.recursive_match?(normalized_path, pattern)
+      return false unless pattern.end_with?("/**")
+
+      base_pattern_str = pattern[0...-3]
+      return false if base_pattern_str.nil? || base_pattern_str.empty?
+
+      base_pattern = normalize_path(base_pattern_str)
+      return false if base_pattern.empty?
+
+      normalized_path == base_pattern ||
+        normalized_path.start_with?("#{base_pattern}/") ||
+        normalized_path.start_with?("#{base_pattern}#{File::SEPARATOR}")
+    end
+
+    # Check for glob pattern matches with various fnmatch flags
+    sig { params(normalized_path: String, pattern: String, normalized_pattern: String).returns(T::Boolean) }
+    def self.glob_match?(normalized_path, pattern, normalized_pattern)
+      fnmatch_flags = [
+        File::FNM_EXTGLOB,
+        File::FNM_EXTGLOB | File::FNM_PATHNAME,
+        File::FNM_EXTGLOB | File::FNM_PATHNAME | File::FNM_DOTMATCH,
+        File::FNM_PATHNAME
+      ]
+
+      fnmatch_flags.any? do |flag|
+        File.fnmatch?(pattern, normalized_path, flag) || File.fnmatch?(normalized_pattern, normalized_path, flag)
       end
     end
 
@@ -66,5 +78,28 @@ module Dependabot
       normalized = normalized.sub(%r{^/+}, "")
       normalized
     end
+
+    # Helper method to check if a file path should be excluded
+    sig do
+      params(path: String,
+             context: String,
+             exclude_paths: T.nilable(T::Array[String])).returns(T::Boolean)
+    end
+    def self.should_exclude_path?(path, context, exclude_paths)
+      return false unless Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
+
+      return false if exclude_paths.nil? || exclude_paths.empty?
+
+      should_exclude = exclude_path?(path, exclude_paths)
+
+      if should_exclude
+        Dependabot.logger.warn(
+          "Skipping excluded #{context} '#{path}'. " \
+          "This file is excluded by exclude_paths configuration: #{exclude_paths}"
+        )
+      end
+
+      should_exclude
+    end
   end
 end

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -150,19 +150,13 @@ module Dependabot
               (old_dep.subdependency_metadata || []) +
               (new_dep.subdependency_metadata || [])
             ).uniq
-            origin_files = (
-              old_dep.origin_files +
-              new_dep.origin_files
-            ).uniq
-
             Dependency.new(
               name: old_dep.name,
               version: version,
               requirements: requirements,
               package_manager: old_dep.package_manager,
               metadata: old_dep.metadata,
-              subdependency_metadata: subdependency_metadata,
-              origin_files: origin_files
+              subdependency_metadata: subdependency_metadata
             )
           end
 

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -37,7 +37,7 @@ module Dependabot
           .returns(Dependabot::DependencyFile)
       end
       def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**T.unsafe({ **parameters.merge({ vendored_file: true }) }))
+        Dependabot::DependencyFile.new(**T.unsafe({ **parameters, vendored_file: true }))
       end
     end
   end

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -290,7 +290,7 @@ module Dependabot
           @dependency_file_list[ref] ||= fetch_dependency_file_list(ref)
         end
 
-        sig { params(ref: T.nilable(String)).returns(T::Array[T.untyped,]) }
+        sig { params(ref: T.nilable(String)).returns(T::Array[T.untyped]) }
         def fetch_dependency_file_list(ref)
           case T.must(source).provider
           when "github" then fetch_github_file_list(ref)
@@ -411,7 +411,7 @@ module Dependabot
           previous_refs = dependency.previous_requirements&.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end&.uniq
-          previous_refs&.first if previous_refs&.count == 1
+          previous_refs.first if previous_refs&.one?
         end
 
         sig { returns(T.nilable(String)) }
@@ -419,7 +419,7 @@ module Dependabot
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.one?
         end
 
         sig { returns(T::Boolean) }

data/lib/dependabot/metadata_finders/base/changelog_pruner.rb

@@ -169,7 +169,7 @@ module Dependabot
           previous_refs = T.must(dependency.previous_requirements).filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.one?
         end
 
         sig { returns(T.nilable(String)) }
@@ -177,7 +177,7 @@ module Dependabot
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.one?
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -170,7 +170,7 @@ module Dependabot
           previous_refs = T.must(dependency.previous_requirements).filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.one?
         end
 
         sig { returns(T.nilable(String)) }
@@ -180,7 +180,7 @@ module Dependabot
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.one?
         end
 
         sig { params(tag: String, version: T.nilable(String)).returns(T::Boolean) }

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -330,7 +330,7 @@ module Dependabot
           previous_refs = T.must(dependency.previous_requirements).filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.one?
         end
 
         sig { returns(T.nilable(String)) }
@@ -338,7 +338,7 @@ module Dependabot
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.one?
         end
 
         sig { returns(T::Boolean) }

data/lib/dependabot/notices.rb

@@ -94,7 +94,7 @@ module Dependabot
 
       later_description = support_later_versions ? ", or later" : ""
 
-      return "Please upgrade to version #{versions_string}#{later_description}." if supported_versions.count == 1
+      return "Please upgrade to version #{versions_string}#{later_description}." if supported_versions.one?
 
       "Please upgrade to one of the following versions: #{versions_string}#{later_description}."
     end

data/lib/dependabot/package/package_latest_version_finder.rb

@@ -106,9 +106,6 @@ module Dependabot
         @lowest_security_fix_version ||= fetch_lowest_security_fix_version(language_version: language_version)
       end
 
-      sig { abstract.returns(T.nilable(Dependabot::Package::PackageDetails)) }
-      def package_details; end
-
       sig do
         returns(T.nilable(T::Array[Dependabot::Package::PackageRelease]))
       end
@@ -118,23 +115,6 @@ module Dependabot
 
       protected
 
-      sig do
-        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
-          .returns(T.nilable(Dependabot::Version))
-      end
-      def fetch_latest_version(language_version: nil)
-        releases = available_versions
-        return unless releases
-
-        releases = filter_yanked_versions(releases)
-        releases = filter_by_cooldown(releases)
-        releases = filter_unsupported_versions(releases, language_version)
-        releases = filter_prerelease_versions(releases)
-        releases = filter_ignored_versions(releases)
-        releases = apply_post_fetch_latest_versions_filter(releases)
-        releases.max_by(&:version)&.version
-      end
-
       sig do
         params(language_version: T.nilable(T.any(String, Dependabot::Version)))
           .returns(T.nilable(Dependabot::Version))
@@ -153,45 +133,6 @@ module Dependabot
         releases.max_by(&:version)&.version
       end
 
-      sig do
-        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
-          .returns(T.nilable(Dependabot::Version))
-      end
-      def fetch_lowest_security_fix_version(language_version: nil)
-        releases = available_versions
-        return unless releases
-
-        releases = filter_yanked_versions(releases)
-        releases = filter_unsupported_versions(releases, language_version)
-        # versions = filter_prerelease_versions(versions)
-        releases = Dependabot::UpdateCheckers::VersionFilters
-                   .filter_vulnerable_versions(
-                     releases,
-                     security_advisories
-                   )
-        releases = filter_ignored_versions(releases)
-        releases = filter_lower_versions(releases)
-        releases = apply_post_fetch_lowest_security_fix_versions_filter(releases)
-
-        releases.min_by(&:version)&.version
-      end
-
-      sig do
-        params(releases: T::Array[Dependabot::Package::PackageRelease])
-          .returns(T::Array[Dependabot::Package::PackageRelease])
-      end
-      def apply_post_fetch_latest_versions_filter(releases)
-        releases
-      end
-
-      sig do
-        params(releases: T::Array[Dependabot::Package::PackageRelease])
-          .returns(T::Array[Dependabot::Package::PackageRelease])
-      end
-      def apply_post_fetch_lowest_security_fix_versions_filter(releases)
-        releases
-      end
-
       sig do
         params(releases: T::Array[Dependabot::Package::PackageRelease])
           .returns(T::Array[Dependabot::Package::PackageRelease])
@@ -322,11 +263,6 @@ module Dependabot
         end
       end
 
-      sig { returns(T::Boolean) }
-      def cooldown_enabled?
-        false
-      end
-
       sig do
         params(
           current_version: T.nilable(Dependabot::Version),
@@ -382,6 +318,72 @@ module Dependabot
       def requirement_class
         dependency.requirement_class
       end
+
+      private
+
+      sig { abstract.returns(T.nilable(Dependabot::Package::PackageDetails)) }
+      def package_details; end
+
+      sig { returns(T::Boolean) }
+      def cooldown_enabled?
+        true
+      end
+
+      sig do
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+          .returns(T.nilable(Dependabot::Version))
+      end
+      def fetch_latest_version(language_version: nil)
+        releases = available_versions
+        return unless releases
+
+        releases = filter_yanked_versions(releases)
+        releases = filter_by_cooldown(releases)
+        releases = filter_unsupported_versions(releases, language_version)
+        releases = filter_prerelease_versions(releases)
+        releases = filter_ignored_versions(releases)
+        releases = apply_post_fetch_latest_versions_filter(releases)
+        releases.max_by(&:version)&.version
+      end
+
+      sig do
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+          .returns(T.nilable(Dependabot::Version))
+      end
+      def fetch_lowest_security_fix_version(language_version: nil)
+        releases = available_versions
+        return unless releases
+
+        releases = filter_yanked_versions(releases)
+        releases = filter_unsupported_versions(releases, language_version)
+        # versions = filter_prerelease_versions(versions)
+        releases = Dependabot::UpdateCheckers::VersionFilters
+                   .filter_vulnerable_versions(
+                     releases,
+                     security_advisories
+                   )
+        releases = filter_ignored_versions(releases)
+        releases = filter_lower_versions(releases)
+        releases = apply_post_fetch_lowest_security_fix_versions_filter(releases)
+
+        releases.min_by(&:version)&.version
+      end
+
+      sig do
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
+      end
+      def apply_post_fetch_latest_versions_filter(releases)
+        releases
+      end
+
+      sig do
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
+      end
+      def apply_post_fetch_lowest_security_fix_versions_filter(releases)
+        releases
+      end
     end
   end
 end

data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb

@@ -157,7 +157,7 @@ module Dependabot
           previous_refs = T.must(dependency.previous_requirements).filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.one?
         end
 
         sig { params(dependency: Dependabot::Dependency).returns(T.nilable(String)) }
@@ -165,7 +165,7 @@ module Dependabot
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.one?
         end
 
         sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }

data/lib/dependabot/pull_request_creator/github.rb

@@ -431,7 +431,7 @@ module Dependabot
                      .map { |rv| "#{source.repo.split('/').first}/#{rv}" }
 
         reviewers_string =
-          if reviewers.count == 1
+          if reviewers.one?
             "`@#{reviewers.first}`"
           else
             names = reviewers.map { |rv| "`@#{rv}`" }

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -170,7 +170,7 @@ module Dependabot
 
       sig { returns(::Gitlab::ObjectifiedHash) }
       def create_commit
-        return create_submodule_update_commit if files.count == 1 && T.must(files.first).type == "submodule"
+        return create_submodule_update_commit if files.one? && T.must(files.first).type == "submodule"
 
         options = {}
         options[:author_email] = author_details&.fetch(:email) if author_details&.key?(:email)

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -207,13 +207,13 @@ module Dependabot
       sig { returns(String) }
       def library_pr_name
         "update " +
-          if dependencies.count == 1
+          if dependencies.one?
             "#{T.must(dependencies.first).display_name} requirement " \
               "#{from_version_msg(old_library_requirement(T.must(dependencies.first)))}" \
               "to #{new_library_requirement(T.must(dependencies.first))}"
           else
             names = dependencies.map(&:name).uniq
-            if names.count == 1
+            if names.one?
               "requirements for #{names.first}"
             else
               "requirements for #{T.must(names[0..-2]).join(', ')} and #{names[-1]}"
@@ -225,7 +225,7 @@ module Dependabot
       sig { returns(String) }
       def application_pr_name
         "bump " +
-          if dependencies.count == 1
+          if dependencies.one?
             dependency = dependencies.first
             "#{T.must(dependency).display_name} " \
               "#{from_version_msg(T.must(dependency).humanized_previous_version)}" \
@@ -242,7 +242,7 @@ module Dependabot
               "to #{T.must(dependency).humanized_version}"
           else
             names = dependencies.map(&:name).uniq
-            if names.count == 1
+            if names.one?
               T.must(names.first)
             else
               "#{T.must(names[0..-2]).join(', ')} and #{names[-1]}"
@@ -263,7 +263,7 @@ module Dependabot
       sig { returns(String) }
       def grouped_name
         updates = dependencies.map(&:name).uniq.count
-        if dependencies.count == 1
+        if dependencies.one?
           "#{solo_pr_name} in the #{T.must(dependency_group).name} group"
         else
           "bump the #{T.must(dependency_group).name} group#{pr_name_directory} " \
@@ -281,7 +281,7 @@ module Dependabot
           directories_from_dependencies.include?(directory)
         end
 
-        if dependencies.count == 1
+        if dependencies.one?
           "#{solo_pr_name} in the #{T.must(dependency_group).name} group across " \
             "#{T.must(directories_with_updates).count} directory"
         else
@@ -387,7 +387,7 @@ module Dependabot
         msg = "Updates the requirements on "
 
         msg +=
-          if dependencies.count == 1
+          if dependencies.one?
             "#{dependency_links.first} "
           else
             "#{T.must(dependency_links[0..-2]).join(', ')} and #{dependency_links[-1]} "
@@ -508,7 +508,7 @@ module Dependabot
           update_count = dependencies_in_directory.map(&:name).uniq.count
 
           msg += "Bumps the #{T.must(dependency_group).name} group " \
-                 "with #{update_count} update#{update_count > 1 ? 's' : ''} in the #{directory} directory:"
+                 "with #{update_count} update#{'s' if update_count > 1} in the #{directory} directory:"
 
           msg += if update_count >= 5
                    header = %w(Package From To)
@@ -543,7 +543,7 @@ module Dependabot
         update_count = unique_dependencies.count
 
         msg = "Bumps the #{T.must(dependency_group).name} group#{pr_name_directory} " \
-              "with #{update_count} update#{update_count > 1 ? 's' : ''}:"
+              "with #{update_count} update#{'s' if update_count > 1}:"
 
         msg += if update_count >= 5
                  header = %w(Package From To)
@@ -663,7 +663,7 @@ module Dependabot
 
       sig { returns(String) }
       def metadata_links
-        return metadata_links_for_dep(T.must(dependencies.first)) if dependencies.count == 1 && dependency_group.nil?
+        return metadata_links_for_dep(T.must(dependencies.first)) if dependencies.one? && dependency_group.nil?
 
         dependencies.map do |dep|
           if dep.removed?

data/lib/dependabot/requirement.rb

@@ -32,7 +32,7 @@ module Dependabot
     sig { returns(T.nilable(Dependabot::Version)) }
     def min_version
       # Select constraints with minimum operators
-      min_constraints = requirements.select { |op, _| MINIMUM_OPERATORS.include?(op) }
+      min_constraints = requirements.select { |op, _version| MINIMUM_OPERATORS.include?(op) }
 
       # Process each minimum constraint using the respective handler
       effective_min_versions = min_constraints.filter_map do |op, version|
@@ -47,7 +47,7 @@ module Dependabot
     sig { returns(T.nilable(Dependabot::Version)) }
     def max_version
       # Select constraints with maximum operators
-      max_constraints = requirements.select { |op, _| MAXIMUM_OPERATORS.include?(op) }
+      max_constraints = requirements.select { |op, _version| MAXIMUM_OPERATORS.include?(op) }
 
       # Process each maximum constraint using the respective handler
       effective_max_versions = max_constraints.filter_map do |op, version|

data/lib/dependabot/requirements_updater/base.rb

@@ -18,6 +18,8 @@ module Dependabot
       sig { abstract.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements; end
 
+      private
+
       sig { abstract.returns(T::Class[Version]) }
       def version_class; end
 

data/lib/dependabot/update_checkers/base.rb

@@ -46,9 +46,6 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
       attr_reader :update_cooldown
 
-      sig { returns(T.nilable(T::Array[String])) }
-      attr_reader :exclude_paths
-
       sig { returns(T::Hash[Symbol, T.untyped]) }
       attr_reader :options
 
@@ -64,7 +61,6 @@ module Dependabot
           requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
           dependency_group: T.nilable(Dependabot::DependencyGroup),
           update_cooldown: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
-          exclude_paths: T.nilable(T::Array[String]),
           options: T::Hash[Symbol, T.untyped]
         )
           .void
@@ -73,7 +69,7 @@ module Dependabot
                      repo_contents_path: nil, ignored_versions: [],
                      raise_on_ignored: false, security_advisories: [],
                      requirements_update_strategy: nil, dependency_group: nil,
-                     update_cooldown: nil, exclude_paths: [], options: {})
+                     update_cooldown: nil, options: {})
         @dependency = dependency
         @dependency_files = dependency_files
         @repo_contents_path = repo_contents_path
@@ -84,7 +80,6 @@ module Dependabot
         @security_advisories = security_advisories
         @dependency_group = dependency_group
         @update_cooldown = update_cooldown
-        @exclude_paths = exclude_paths
         @options = options
       end
 
@@ -112,37 +107,6 @@ module Dependabot
         end
       end
 
-      sig { returns(T::Boolean) }
-      def excluded? # rubocop:disable Metrics/PerceivedComplexity
-        return false unless Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
-
-        return false if exclude_paths.nil? || exclude_paths&.empty?
-
-        origin_files = @dependency.origin_files
-        if origin_files.length.positive?
-          excluded_files = []
-          non_excluded_files = []
-
-          origin_files.each do |origin_file|
-            if Dependabot::FileFiltering.exclude_path?(origin_file, exclude_paths)
-              excluded_files << origin_file
-            else
-              non_excluded_files << origin_file
-            end
-          end
-
-          # Only exclude if the dependency appears ONLY in excluded paths
-          # If it appears in any non-excluded path, we should process it
-          if non_excluded_files.empty? && excluded_files.any?
-            Dependabot.logger.info("Excluding dependency #{dependency.name} - only found in excluded paths " \
-                                   "#{excluded_files.join(', ')}")
-            return true
-          end
-        end
-
-        false
-      end
-
       sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies(requirements_to_unlock:)
         return [] unless can_update?(requirements_to_unlock: requirements_to_unlock)
@@ -179,17 +143,17 @@ module Dependabot
 
       # Lowest available security fix version not checking resolvability
       # @return [Dependabot::<package manager>::Version, #to_s] version class
-      sig { overridable.returns(T.nilable(Dependabot::Version)) }
+      sig { overridable.returns(T.nilable(Gem::Version)) }
       def lowest_security_fix_version
         raise NotImplementedError, "#{self.class} must implement #lowest_security_fix_version"
       end
 
-      sig { overridable.returns(T.nilable(Dependabot::Version)) }
+      sig { overridable.returns(T.nilable(Gem::Version)) }
       def lowest_resolvable_security_fix_version
         raise NotImplementedError, "#{self.class} must implement #lowest_resolvable_security_fix_version"
       end
 
-      sig { overridable.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version_with_no_unlock
         raise NotImplementedError, "#{self.class} must implement #latest_resolvable_version_with_no_unlock"
       end
@@ -398,9 +362,7 @@ module Dependabot
 
       sig { returns(T::Boolean) }
       def requirements_up_to_date?
-        if can_compare_requirements?
-          return (T.must(version_from_requirements) >= version_class.new(latest_version.to_s))
-        end
+        return T.must(version_from_requirements) >= version_class.new(latest_version.to_s) if can_compare_requirements?
 
         changed_requirements.none?
       end

data/lib/dependabot/workspace/base.rb

@@ -75,6 +75,8 @@ module Dependabot
       end
       def capture_failed_change_attempt(memo = nil, error = nil); end
 
+      private
+
       sig { abstract.returns(String) }
       def clean; end
     end

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.331.0"
+  VERSION = "0.333.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.331.0
+  version: 0.333.0
 platform: ruby
 authors:
 - Dependabot
@@ -497,14 +497,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -626,7 +626,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.331.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.333.0
 rdoc_options: []
 require_paths:
 - lib