dependabot-composer 0.310.0 → 0.311.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 19b71569b2bd0eeb530428366bccef3bc61d6285f19c9895e8b9c76f6d39c14d
-  data.tar.gz: 6e19dbc11146ebcc760aca127eee44433f17b66fc8649feefd2c7f01ea8d0104
+  metadata.gz: 1b7f9286dece3b3c0c35b5be85a580078a6467edb4dd43b9817601f541b5c2cf
+  data.tar.gz: 4d31a01b968c789451178cee2855a6e507fad696663bac7e01cc89103b6a5c0c
 SHA512:
-  metadata.gz: 9e4d00454f1b5e3c0dd810c1bf9a3d8423cefe9974ad78c473870c7fe71f39cf7fdd3ae41449df12890ada3ceb5c9006a29e30943cdef2e027502134aec91257
-  data.tar.gz: 417e824b9d0da5f8a2d7a0ef66ce8ab549bac4e4e6f0ea978fec219c525885d721ac6bf74ecf3a23217c3210caacd0a3c37aa62eaca0fcc103b1e111de9099de
+  metadata.gz: fb35c79db05afba4a18eceb83722484488031b68503975dd13df219b3eaba3d98d931bb0850dd74f2c5a3023689441e436083f01e81a188bd1db897840496a86
+  data.tar.gz: d963a5ccdc05bc63e3ee72b6d59bd8e9e8eedd3ac71d3a7da457d803ccd9ff618cf2d68c5da1e6e6707606cbbc1d094664dbc2d386fe3ca22ace4116eaa3a5cd

data/lib/dependabot/composer/file_fetcher.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "json"
@@ -15,14 +15,17 @@ module Dependabot
       require_relative "file_fetcher/path_dependency_builder"
       require_relative "helpers"
 
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
         filenames.include?(PackageManager::MANIFEST_FILENAME)
       end
 
+      sig { override.returns(String) }
       def self.required_files_message
         "Repo must contain a #{PackageManager::MANIFEST_FILENAME}."
       end
 
+      sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def ecosystem_versions
         {
           package_managers: {
@@ -44,28 +47,35 @@ module Dependabot
 
       private
 
+      sig { returns(Dependabot::DependencyFile) }
       def composer_json
-        @composer_json ||= fetch_file_from_host(PackageManager::MANIFEST_FILENAME)
+        @composer_json ||= T.let(
+          fetch_file_from_host(PackageManager::MANIFEST_FILENAME),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def composer_lock
-        return @composer_lock if defined?(@composer_lock)
-
-        @composer_lock = fetch_file_if_present(PackageManager::LOCKFILE_FILENAME)
+        @composer_lock ||= T.let(
+          fetch_file_if_present(PackageManager::LOCKFILE_FILENAME),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
       # NOTE: This is fetched but currently unused
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def auth_json
-        return @auth_json if defined?(@auth_json)
-
-        @auth_json = fetch_support_file(PackageManager::AUTH_FILENAME)
+        @auth_json ||= T.let(
+          fetch_support_file(PackageManager::AUTH_FILENAME),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def artifact_dependencies
-        return @artifact_dependencies if defined?(@artifact_dependencies)
-
         # Find zip files in the artifact sources and download them.
-        @artifact_dependencies =
+        @artifact_dependencies ||= T.let(
           artifact_sources.map do |url|
             repo_contents(dir: url)
               .select { |file| file.type == "file" && file.name.end_with?(".zip") }
@@ -78,7 +88,9 @@ module Dependabot
                 type: "file"
               )
             end
-          end.flatten
+          end.flatten,
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
 
         # Add .gitkeep to all directories in case they are empty. Composer isn't ok with empty directories.
         @artifact_dependencies += artifact_sources.map do |url|
@@ -96,8 +108,9 @@ module Dependabot
         @artifact_dependencies
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def path_dependencies
-        @path_dependencies ||=
+        @path_dependencies ||= T.let(
           begin
             composer_json_files = []
             unfetchable_deps = []
@@ -123,19 +136,24 @@ module Dependabot
             composer_json_files.tap do |files|
               files.each { |f| f.support_file = true }
             end
-          end
+          end,
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
 
+      sig { returns(T::Array[String]) }
       def artifact_sources
         sources.select { |details| details["type"] == "artifact" }.map { |details| details["url"] }
       end
 
+      sig { returns(T::Array[String]) }
       def path_sources
         sources.select { |details| details["type"] == "path" }.map { |details| details["url"] }
       end
 
+      sig { returns(T::Array[T::Hash[String, T.untyped]]) }
       def sources
-        @sources ||=
+        @sources ||= T.let(
           begin
             repos = parsed_composer_json.fetch("repositories", [])
             if repos.is_a?(Hash) || repos.is_a?(Array)
@@ -147,9 +165,12 @@ module Dependabot
             else
               []
             end
-          end
+          end,
+          T.nilable(T::Array[T::Hash[String, T.untyped]])
+        )
       end
 
+      sig { params(unfetchable_deps: T::Array[String]).returns(T::Array[Dependabot::DependencyFile]) }
       def build_unfetchable_deps(unfetchable_deps)
         unfetchable_deps.filter_map do |path|
           PathDependencyBuilder.new(
@@ -160,6 +181,7 @@ module Dependabot
         end
       end
 
+      sig { params(path: String).returns(T::Array[String]) }
       def expand_path(path)
         wildcard_depth = 0
         path = path.gsub(/\*$/, "")
@@ -185,6 +207,7 @@ module Dependabot
           .select { |p| p.to_s.start_with?(path.gsub(/\*$/, "")) }
       end
 
+      sig { returns(T::Array[String]) }
       def lockfile_path_dependency_paths
         keys = FileParser::DEPENDENCY_GROUP_KEYS
                .map { |h| h.fetch(:lockfile) }
@@ -198,20 +221,29 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def parsed_composer_json
-        @parsed_composer_json ||= JSON.parse(composer_json.content)
+        @parsed_composer_json ||= T.let(
+          JSON.parse(T.must(composer_json.content)),
+          T.nilable(T::Hash[String, T.untyped])
+        )
       rescue JSON::ParserError
         raise Dependabot::DependencyFileNotParseable, composer_json.path
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def parsed_lockfile
         return {} unless composer_lock
 
-        @parsed_lockfile ||= JSON.parse(composer_lock.content)
+        @parsed_lockfile ||= T.let(
+          JSON.parse(T.must(T.must(composer_lock).content)),
+          T.nilable(T::Hash[String, T.untyped])
+        )
       rescue JSON::ParserError
         {}
       end
 
+      sig { params(filename: String).returns(Dependabot::DependencyFile) }
       def fetch_file_with_root_fallback(filename)
         path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
 

data/lib/dependabot/composer/file_updater/lockfile_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
@@ -10,19 +10,26 @@ require "dependabot/composer/requirement"
 require "dependabot/composer/native_helpers"
 require "dependabot/composer/helpers"
 require "dependabot/composer/update_checker/version_resolver"
+require "sorbet-runtime"
 
 # rubocop:disable Metrics/ClassLength
 module Dependabot
   module Composer
     class FileUpdater
       class LockfileUpdater
+        extend T::Sig
+
         require_relative "manifest_updater"
 
         class MissingExtensions < StandardError
+          extend T::Sig
+
+          sig { returns(T::Array[T::Hash[Symbol, String]]) }
           attr_reader :extensions
 
+          sig { params(extensions: T::Array[T::Hash[Symbol, String]]).void }
           def initialize(extensions)
-            @extensions = extensions
+            @extensions = T.let(extensions, T::Array[T::Hash[Symbol, String]])
             super
           end
         end
@@ -39,15 +46,27 @@ module Dependabot
           }x
         MISSING_ENV_VAR_REGEX = /Environment variable '(?<env_var>.[^']+)' is not set/
 
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
         def initialize(dependencies:, dependency_files:, credentials:)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
-          @composer_platform_extensions = initial_platform
+          @composer_platform_extensions = T.let(initial_platform, T::Hash[String, T::Array[String]])
+          @lock_git_deps = T.let(true, T::Boolean)
         end
 
+        sig { returns(String) }
         def updated_lockfile_content
-          @updated_lockfile_content ||= generate_updated_lockfile_content
+          @updated_lockfile_content ||= T.let(
+            generate_updated_lockfile_content,
+            T.nilable(String)
+          )
         rescue MissingExtensions => e
           previous_extensions = composer_platform_extensions.dup
           update_required_extensions(e.extensions)
@@ -58,13 +77,21 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
+        sig { returns(T::Hash[String, T::Array[String]]) }
         attr_reader :composer_platform_extensions
 
+        sig { returns(String) }
         def generate_updated_lockfile_content
-          base_directory = dependency_files.first.directory
+          base_directory = T.must(dependency_files.first).directory
           SharedHelpers.in_a_temporary_directory(base_directory) do
             write_temporary_dependency_files
 
@@ -87,13 +114,15 @@ module Dependabot
           handle_composer_errors(e)
         end
 
+        sig { returns(Dependabot::Dependency) }
         def dependency
           # For now, we'll only ever be updating a single dependency for PHP
-          dependencies.first
+          T.must(dependencies.first)
         end
 
+        sig { returns(T::Hash[String, String]) }
         def run_update_helper
-          SharedHelpers.with_git_configured(credentials: credentials) do
+          SharedHelpers.with_git_configured(credentials: T.unsafe(credentials)) do
             SharedHelpers.run_helper_subprocess(
               command: "php -d memory_limit=-1 #{php_helper_path}",
               allow_unsafe_shell_command: true,
@@ -110,6 +139,7 @@ module Dependabot
           end
         end
 
+        sig { returns(String) }
         def updated_composer_json_content
           ManifestUpdater.new(
             dependencies: dependencies,
@@ -117,6 +147,7 @@ module Dependabot
           ).updated_manifest_content
         end
 
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).returns(T::Boolean) }
         def transitory_failure?(error)
           return true if error.message.include?("404 Not Found")
           return true if error.message.include?("timed out")
@@ -125,6 +156,7 @@ module Dependabot
           error.message.include?("Content-Length mismatch")
         end
 
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).returns(T::Boolean) }
         def locked_git_dep_error?(error)
           error.message.start_with?("Could not authenticate against")
         end
@@ -135,6 +167,7 @@ module Dependabot
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/MethodLength
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).returns(T.noreturn) }
         def handle_composer_errors(error)
           if error.message.match?(MISSING_EXPLICIT_PLATFORM_REQ_REGEX)
             # These errors occur when platform requirements declared explicitly
@@ -142,7 +175,7 @@ module Dependabot
             missing_extensions =
               error.message.scan(MISSING_EXPLICIT_PLATFORM_REQ_REGEX)
                    .map do |extension_string|
-                name, requirement = extension_string.strip.split(" ", 2)
+                name, requirement = T.cast(extension_string, String).strip.split(" ", 2)
                 { name: name, requirement: requirement }
               end
             raise MissingExtensions, missing_extensions
@@ -153,7 +186,7 @@ module Dependabot
             missing_extensions =
               error.message.scan(MISSING_IMPLICIT_PLATFORM_REQ_REGEX)
                    .map do |extension_string|
-                name, requirement = extension_string.strip.split(" ", 2)
+                name, requirement = T.cast(extension_string, String).strip.split(" ", 2)
                 { name: name, requirement: requirement }
               end
 
@@ -162,10 +195,10 @@ module Dependabot
               version_for_reqs(existing_reqs + [hash[:requirement]])
             end
 
-            raise MissingExtensions, [missing_extension]
+            raise MissingExtensions, (T.must(missing_extension).then { |ext| [ext] })
           end
 
-          raise git_dependency_reference_error(error) if error.message.start_with?("Failed to execute git checkout")
+          git_dependency_reference_error(error) if error.message.start_with?("Failed to execute git checkout")
 
           # Special case for Laravel Nova, which will fall back to attempting
           # to close a private repo if given invalid (or no) credentials
@@ -185,9 +218,10 @@ module Dependabot
 
           # NOTE: This matches error output from a composer plugin (private-composer-installer):
           # https://github.com/ffraenz/private-composer-installer/blob/8655e3da4e8f99203f13ccca33b9ab953ad30a31/src/Exception/MissingEnvException.php#L22
-          if error.message.match?(MISSING_ENV_VAR_REGEX)
-            env_var = error.message.match(MISSING_ENV_VAR_REGEX).named_captures.fetch("env_var")
-            raise MissingEnvironmentVariable, env_var
+          match_data = error.message.match(MISSING_ENV_VAR_REGEX)
+          if match_data
+            env_var = match_data.named_captures.fetch("env_var")
+            raise MissingEnvironmentVariable, T.must(env_var)
           end
 
           if error.message.start_with?("Unknown downloader type: npm-sign") ||
@@ -198,9 +232,9 @@ module Dependabot
 
           raise Dependabot::OutOfMemory if error.message.start_with?("Allowed memory size")
 
-          if error.message.include?("403 Forbidden")
-            source = error.message.match(%r{https?://(?<source>[^/]+)/})
-                          .named_captures.fetch("source")
+          match_data = error.message.match(%r{https?://(?<source>[^/]+)/})
+          if error.message.include?("403 Forbidden") && match_data
+            source = match_data.named_captures.fetch("source")
             raise PrivateSourceAuthenticationFailure, source
           end
 
@@ -217,15 +251,17 @@ module Dependabot
         # rubocop:enable Metrics/MethodLength
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { returns(T::Boolean) }
         def library?
           parsed_composer_json["type"] == "library"
         end
 
+        sig { params(message: String).returns(T::Boolean) }
         def implicit_platform_reqs_satisfiable?(message)
           missing_extensions =
             message.scan(MISSING_IMPLICIT_PLATFORM_REQ_REGEX)
                    .map do |extension_string|
-              name, requirement = extension_string.strip.split(" ", 2)
+              name, requirement = T.cast(extension_string, String).strip.split(" ", 2)
               { name: name, requirement: requirement }
             end
 
@@ -235,6 +271,7 @@ module Dependabot
           end
         end
 
+        sig { void }
         def write_temporary_dependency_files
           artifact_dependencies.each do |file|
             path = file.name
@@ -250,9 +287,10 @@ module Dependabot
 
           File.write(PackageManager::MANIFEST_FILENAME, locked_composer_json_content)
           File.write(PackageManager::LOCKFILE_FILENAME, lockfile.content)
-          File.write(PackageManager::AUTH_FILENAME, auth_json.content) if auth_json
+          File.write(PackageManager::AUTH_FILENAME, T.must(auth_json).content) if auth_json
         end
 
+        sig { returns(String) }
         def locked_composer_json_content
           content = updated_composer_json_content
           content = lock_dependencies_being_updated(content)
@@ -261,6 +299,7 @@ module Dependabot
           content
         end
 
+        sig { params(content: String).returns(String) }
         def add_temporary_platform_extensions(content)
           json = JSON.parse(content)
 
@@ -274,6 +313,7 @@ module Dependabot
           JSON.dump(json)
         end
 
+        sig { params(original_content: String).returns(String) }
         def lock_dependencies_being_updated(original_content)
           dependencies.reduce(original_content) do |content, dep|
             updated_req = dep.version
@@ -298,6 +338,7 @@ module Dependabot
           end
         end
 
+        sig { params(content: String).returns(String) }
         def lock_git_dependencies(content)
           json = JSON.parse(content)
 
@@ -309,7 +350,7 @@ module Dependabot
               next if req.include?("#")
 
               commit_sha = parsed_lockfile
-                           .fetch(keys[:lockfile], [])
+                           .fetch(T.must(keys[:lockfile]), [])
                            .find { |d| d["name"] == name }
                            &.dig("source", "reference")
               updated_req_parts = req.split
@@ -321,11 +362,13 @@ module Dependabot
           JSON.dump(json)
         end
 
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).returns(T.noreturn) }
         def git_dependency_reference_error(error)
           ref = error.message.match(/checkout '(?<ref>.*?)'/)
-                     .named_captures.fetch("ref")
+                     &.named_captures
+                     &.fetch("ref")
           dependency_name =
-            JSON.parse(lockfile.content)
+            JSON.parse(T.must(lockfile.content))
                 .values_at("packages", "packages-dev").flatten(1)
                 .find { |dep| dep.dig("source", "reference") == ref }
                 &.fetch("name")
@@ -335,23 +378,20 @@ module Dependabot
           raise GitDependencyReferenceNotFound, dependency_name
         end
 
-        def post_process_lockfile(content)
-          content = replace_patches(content)
-          content = replace_content_hash(content)
-          replace_platform_overrides(content)
-        end
-
+        sig { params(updated_content: String).returns(String) }
         def replace_patches(updated_content)
           content = updated_content
           %w(packages packages-dev).each do |package_type|
-            JSON.parse(lockfile.content).fetch(package_type).each do |details|
+            JSON.parse(T.must(lockfile.content))
+                .fetch(package_type, [])
+                .each do |details|
               next unless details["extra"].is_a?(Hash)
               next unless (patches = details.dig("extra", "patches_applied"))
 
               updated_object = JSON.parse(content)
               updated_object_package =
                 updated_object
-                .fetch(package_type)
+                .fetch(package_type, [])
                 .find { |d| d["name"] == details["name"] }
 
               next unless updated_object_package
@@ -360,14 +400,18 @@ module Dependabot
               updated_object_package["extra"]["patches_applied"] = patches
 
               content =
-                JSON.pretty_generate(updated_object, indent: "    ")
+                T.cast(
+                  JSON.pretty_generate(updated_object, indent: "    ")
                     .gsub(/\[\n\n\s*\]/, "[]")
-                    .gsub(/\}\z/, "}\n")
+                    .gsub(/\}\z/, "}\n"),
+                  String
+                )
             end
           end
           content
         end
 
+        sig { params(content: String).returns(String) }
         def replace_content_hash(content)
           existing_hash = JSON.parse(content).fetch("content-hash")
           SharedHelpers.in_a_temporary_directory do
@@ -385,8 +429,9 @@ module Dependabot
           end
         end
 
+        sig { params(content: String).returns(String) }
         def replace_platform_overrides(content)
-          original_object = JSON.parse(lockfile.content)
+          original_object = JSON.parse(T.must(lockfile.content))
           original_overrides = original_object.fetch("platform-overrides", nil)
 
           updated_object = JSON.parse(content)
@@ -402,6 +447,7 @@ module Dependabot
               .gsub(/\}\z/, "}\n")
         end
 
+        sig { params(requirements: T::Array[String]).returns(String) }
         def version_for_reqs(requirements)
           req_arrays =
             requirements
@@ -426,42 +472,60 @@ module Dependabot
           version.to_s
         end
 
+        sig { params(additional_extensions: T::Array[T::Hash[Symbol, String]]).void }
         def update_required_extensions(additional_extensions)
           additional_extensions.each do |ext|
             composer_platform_extensions[ext.fetch(:name)] ||= []
-            composer_platform_extensions[ext.fetch(:name)] +=
-              [ext.fetch(:requirement)]
+            existing_reqs = composer_platform_extensions[ext.fetch(:name)]
+            composer_platform_extensions[ext.fetch(:name)] =
+              T.must(existing_reqs) + [ext.fetch(:requirement)]
             composer_platform_extensions[ext.fetch(:name)] =
-              composer_platform_extensions[ext.fetch(:name)].uniq
+              T.must(composer_platform_extensions[ext.fetch(:name)]).uniq
           end
         end
 
+        sig { returns(String) }
         def php_helper_path
           NativeHelpers.composer_helper_path(composer_version: composer_version)
         end
 
+        sig { params(content: String).returns(String) }
+        def post_process_lockfile(content)
+          content = replace_patches(content)
+          content = replace_content_hash(content)
+          replace_platform_overrides(content)
+        end
+
+        sig { returns(String) }
         def composer_version
-          @composer_version ||= Helpers.composer_version(parsed_composer_json, parsed_lockfile)
+          @composer_version ||= T.let(
+            Helpers.composer_version(parsed_composer_json, parsed_lockfile),
+            T.nilable(String)
+          )
         end
 
+        sig { returns(T::Hash[String, String]) }
         def credentials_env
           credentials
             .select { |c| c.fetch("type") == "php_environment_variable" }
-            .to_h { |cred| [cred["env-key"], cred.fetch("env-value", "-")] }
+            .to_h { |cred| [T.cast(cred["env-key"], String), cred.fetch("env-value", "-")] }
         end
 
+        sig { returns(T::Array[Dependabot::Credential]) }
         def git_credentials
           credentials
             .select { |cred| cred.fetch("type") == "git_source" }
             .select { |cred| cred["password"] }
         end
 
+        sig { returns(T::Array[Dependabot::Credential]) }
         def registry_credentials
           credentials
             .select { |cred| cred.fetch("type") == PackageManager::REPOSITORY_KEY }
             .select { |cred| cred["password"] }
         end
 
+        sig { returns(T::Hash[String, T::Array[String]]) }
         def initial_platform
           platform_php = Helpers.capture_platform_php(parsed_composer_json)
 
@@ -480,6 +544,7 @@ module Dependabot
           platform
         end
 
+        sig { params(req_string: String).returns(T::Boolean) }
         def requirement_valid?(req_string)
           Composer::Requirement.requirements_array(req_string)
           true
@@ -487,36 +552,60 @@ module Dependabot
           false
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def parsed_composer_json
-          @parsed_composer_json ||= JSON.parse(composer_json.content)
+          @parsed_composer_json ||= T.let(
+            JSON.parse(T.must(composer_json.content)),
+            T.nilable(T::Hash[String, T.untyped])
+          )
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def parsed_lockfile
-          @parsed_lockfile ||= JSON.parse(lockfile.content)
+          @parsed_lockfile ||= T.let(
+            JSON.parse(T.must(lockfile.content)),
+            T.nilable(T::Hash[String, T.untyped])
+          )
         end
 
+        sig { returns(Dependabot::DependencyFile) }
         def composer_json
-          @composer_json ||=
-            dependency_files.find { |f| f.name == PackageManager::MANIFEST_FILENAME }
+          @composer_json ||= T.let(
+            T.must(dependency_files.find { |f| f.name == PackageManager::MANIFEST_FILENAME }),
+            T.nilable(Dependabot::DependencyFile)
+          )
         end
 
+        sig { returns(Dependabot::DependencyFile) }
         def lockfile
-          @lockfile ||=
-            dependency_files.find { |f| f.name == PackageManager::LOCKFILE_FILENAME }
+          @lockfile ||= T.let(
+            T.must(dependency_files.find { |f| f.name == PackageManager::LOCKFILE_FILENAME }),
+            T.nilable(Dependabot::DependencyFile)
+          )
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def auth_json
-          @auth_json ||= dependency_files.find { |f| f.name == PackageManager::AUTH_FILENAME }
+          @auth_json ||= T.let(
+            dependency_files.find { |f| f.name == PackageManager::AUTH_FILENAME },
+            T.nilable(Dependabot::DependencyFile)
+          )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def artifact_dependencies
-          @artifact_dependencies ||=
-            dependency_files.select { |f| f.name.end_with?(".zip", ".gitkeep") }
+          @artifact_dependencies ||= T.let(
+            dependency_files.select { |f| f.name.end_with?(".zip", ".gitkeep") },
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def path_dependencies
-          @path_dependencies ||=
-            dependency_files.select { |f| f.name.end_with?("/#{PackageManager::MANIFEST_FILENAME}") }
+          @path_dependencies ||= T.let(
+            dependency_files.select { |f| f.name.end_with?("/#{PackageManager::MANIFEST_FILENAME}") },
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
         end
       end
     end

data/lib/dependabot/composer/file_updater/manifest_updater.rb

@@ -1,22 +1,28 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/composer/file_updater"
 
 module Dependabot
   module Composer
     class FileUpdater
       class ManifestUpdater
+        extend T::Sig
+
+        sig { params(dependencies: T::Array[Dependabot::Dependency], manifest: Dependabot::DependencyFile).void }
         def initialize(dependencies:, manifest:)
           @dependencies = dependencies
           @manifest = manifest
         end
 
+        sig { returns(String) }
         def updated_manifest_content
-          dependencies.reduce(manifest.content.dup) do |content, dep|
+          T.must(dependencies.reduce(manifest.content.dup) do |content, dep|
             updated_content = content
             updated_requirements(dep).each do |new_req|
-              old_req = old_requirement(dep, new_req).fetch(:requirement)
+              old_req = old_requirement(dep, new_req)&.fetch(:requirement)
               updated_req = new_req.fetch(:requirement)
 
               regex =
@@ -25,7 +31,7 @@ module Dependabot
                   "#{Regexp.escape(old_req)}"
                 /x
 
-              updated_content = content.gsub(regex) do |declaration|
+              updated_content = content&.gsub(regex) do |declaration|
                 declaration.gsub(%("#{old_req}"), %("#{updated_req}"))
               end
 
@@ -33,32 +39,45 @@ module Dependabot
             end
 
             updated_content
-          end
+          end)
         end
 
         private
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+
+        sig { returns(Dependabot::DependencyFile) }
         attr_reader :manifest
 
+        sig { params(dependency: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def new_requirements(dependency)
           dependency.requirements.select { |r| r[:file] == manifest.name }
         end
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            new_requirement: T::Hash[Symbol, T.untyped]
+          )
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def old_requirement(dependency, new_requirement)
-          dependency.previous_requirements
-                    .select { |r| r[:file] == manifest.name }
-                    .find { |r| r[:groups] == new_requirement[:groups] }
+          T.must(dependency.previous_requirements)
+           .select { |r| r[:file] == manifest.name }
+           .find { |r| r[:groups] == new_requirement[:groups] }
         end
 
+        sig { params(dependency: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements(dependency)
           new_requirements(dependency)
-            .reject { |r| dependency.previous_requirements.include?(r) }
+            .reject { |r| T.must(dependency.previous_requirements).include?(r) }
         end
 
+        sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
         def requirement_changed?(file, dependency)
           changed_requirements =
-            dependency.requirements - dependency.previous_requirements
+            dependency.requirements - T.must(dependency.previous_requirements)
 
           changed_requirements.any? { |f| f[:file] == file.name }
         end

data/lib/dependabot/composer/file_updater.rb

@@ -56,7 +56,7 @@ module Dependabot
       def updated_composer_json_content
         ManifestUpdater.new(
           dependencies: dependencies,
-          manifest: composer_json
+          manifest: T.must(composer_json)
         ).updated_manifest_content
       end
 

data/lib/dependabot/composer/metadata_finder.rb

@@ -1,7 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
+require "sorbet-runtime"
+
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 require "dependabot/registry_client"
@@ -10,6 +12,21 @@ require "dependabot/composer/version"
 module Dependabot
   module Composer
     class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
+
+      sig do
+        override
+          .params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential]
+          )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        @packagist_listing = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        super
+      end
+
       private
 
       sig { override.returns(T.nilable(Source)) }

data/lib/dependabot/composer/version.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/version"
 require "dependabot/utils"
 
@@ -11,11 +13,15 @@ require "dependabot/utils"
 module Dependabot
   module Composer
     class Version < Dependabot::Version
+      extend T::Sig
+
+      sig { override.params(version: VersionParameter).void }
       def initialize(version)
-        @version_string = version.to_s
+        @version_string = T.let(version.to_s, String)
         super
       end
 
+      sig { returns(String) }
       def to_s
         @version_string
       end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.310.0
+  version: 0.311.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-04-24 00:00:00.000000000 Z
+date: 2025-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.310.0
+        version: 0.311.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.310.0
+        version: 0.311.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -223,16 +223,16 @@ dependencies:
   name: webrick
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.9'
 description: Dependabot-Composer provides support for bumping PHP (composer) libraries
   via Dependabot. If you want support for multiple package managers, you probably
   want the meta-gem dependabot-omnibus.
@@ -279,7 +279,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.310.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.311.0
 rdoc_options: []
 require_paths:
 - lib