dependabot-conda 0.325.1

data/lib/dependabot/conda/update_checker.rb

@@ -0,0 +1,196 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/conda/version"
+require "dependabot/conda/requirement"
+require "dependabot/conda/python_package_classifier"
+
+module Dependabot
+  module Conda
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      extend T::Sig
+
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          repo_contents_path: T.nilable(String),
+          ignored_versions: T::Array[String],
+          raise_on_ignored: T::Boolean,
+          security_advisories: T::Array[Dependabot::SecurityAdvisory],
+          requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
+          dependency_group: T.nilable(Dependabot::DependencyGroup),
+          update_cooldown: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
+          options: T::Hash[Symbol, T.untyped]
+        )
+          .void
+      end
+      def initialize(dependency:, dependency_files:, credentials:,
+                     repo_contents_path: nil, ignored_versions: [],
+                     raise_on_ignored: false, security_advisories: [],
+                     requirements_update_strategy: nil, dependency_group: nil,
+                     update_cooldown: nil, options: {})
+        super
+        @latest_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
+        @lowest_resolvable_security_fix_version = T.let(nil, T.nilable(Dependabot::Version))
+        @lowest_resolvable_security_fix_version_fetched = T.let(false, T::Boolean)
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def latest_version
+        @latest_version ||= fetch_latest_version
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def latest_resolvable_version_with_no_unlock
+        # For now, same as latest_version since we're not doing full dependency resolution
+        latest_version
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def latest_resolvable_version
+        # For Phase 3, delegate to latest_version_finder
+        # This will be enhanced with actual conda search and PyPI integration
+        latest_version
+      end
+
+      sig { override.returns(T::Boolean) }
+      def up_to_date?
+        return true if latest_version.nil?
+
+        # If dependency has no version (range constraint like >=2.0),
+        # we can't determine if it's up-to-date, so assume it needs checking
+        return false if dependency.version.nil?
+
+        T.must(latest_version) <= Dependabot::Conda::Version.new(dependency.version)
+      end
+
+      sig { override.returns(T::Boolean) }
+      def requirements_unlocked_or_can_be?
+        # For conda, we don't have lock files, so requirements can always be updated
+        # This is unlike other ecosystems that have lock files (package-lock.json, Pipfile.lock, etc.)
+        true
+      end
+
+      sig { override.returns(T.nilable(Dependabot::Version)) }
+      def lowest_security_fix_version
+        latest_version_finder.lowest_security_fix_version
+      end
+
+      sig { override.returns(T.nilable(Dependabot::Version)) }
+      def lowest_resolvable_security_fix_version
+        raise "Dependency not vulnerable!" unless vulnerable?
+
+        return @lowest_resolvable_security_fix_version if @lowest_resolvable_security_fix_version_fetched
+
+        @lowest_resolvable_security_fix_version = fetch_lowest_resolvable_security_fix_version
+        @lowest_resolvable_security_fix_version_fetched = true
+        @lowest_resolvable_security_fix_version
+      end
+
+      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def updated_requirements
+        target_version = preferred_resolvable_version
+        return dependency.requirements unless target_version
+
+        dependency.requirements.map do |req|
+          req.merge(
+            requirement: update_requirement_string(
+              req[:requirement] || "=#{dependency.version}",
+              target_version.to_s
+            )
+          )
+        end
+      end
+
+      private
+
+      sig { returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def fetch_latest_version
+        latest_version_finder.latest_version
+      end
+
+      sig { returns(LatestVersionFinder) }
+      def latest_version_finder
+        @latest_version_finder ||= T.let(
+          LatestVersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: @raise_on_ignored,
+            cooldown_options: @update_cooldown,
+            security_advisories: security_advisories
+          ),
+          T.nilable(LatestVersionFinder)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::Version)) }
+      def fetch_lowest_resolvable_security_fix_version
+        # Delegate to latest_version_finder for security fix resolution
+        # This leverages Python ecosystem's security advisory infrastructure
+        latest_version_finder.lowest_security_fix_version
+      end
+
+      sig { override.returns(T::Boolean) }
+      def latest_version_resolvable_with_full_unlock?
+        # For Phase 3, return false as placeholder since we're not doing full dependency resolution
+        false
+      end
+
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def updated_dependencies_after_full_unlock
+        # For Phase 3, return empty array as placeholder
+        []
+      end
+
+      sig { params(requirement_string: String, new_version: String).returns(String) }
+      def update_requirement_string(requirement_string, new_version)
+        # Parse the current requirement to preserve the operator type
+        case requirement_string
+        when /^=([0-9])/
+          # Conda exact version: =1.26 -> =2.3.2
+          "=#{new_version}"
+        when /^==([0-9])/
+          # Pip exact version: ==1.26 -> ==2.3.2
+          "==#{new_version}"
+        when /^>=([0-9])/
+          # Range constraint: preserve as range but update to new version
+          ">=#{new_version}"
+        when /^>([0-9])/
+          # Greater than: >1.26 -> >2.3.2
+          ">#{new_version}"
+        when /^<=([0-9])/
+          # Less than or equal: keep as is (shouldn't be updated)
+          requirement_string
+        when /^<([0-9])/
+          # Less than: keep as is (shouldn't be updated)
+          requirement_string
+        when /^!=([0-9])/
+          # Not equal: keep as is
+          requirement_string
+        when /^~=([0-9])/
+          # Compatible release: ~=1.26 -> ~=2.3.2
+          "~=#{new_version}"
+        else
+          # Default to conda-style equality for unknown patterns
+          "=#{new_version}"
+        end
+      end
+
+      sig { params(package_name: String).returns(T::Boolean) }
+      def python_package?(package_name)
+        PythonPackageClassifier.python_package?(package_name)
+      end
+    end
+  end
+end
+
+require_relative "update_checker/latest_version_finder"
+
+Dependabot::UpdateCheckers.register("conda", Dependabot::Conda::UpdateChecker)

data/lib/dependabot/conda/version.rb

@@ -0,0 +1,23 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/python/version"
+
+module Dependabot
+  module Conda
+    # Conda version handling delegates to Python version since conda primarily manages Python packages
+    class Version < Dependabot::Python::Version
+      extend T::Sig
+
+      # Conda supports the same version formats as Python packages from PyPI
+      # This includes standard semver, epochs, pre-releases, dev releases, etc.
+      sig { override.params(version: VersionParameter).returns(Dependabot::Conda::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Conda::Version)
+      end
+    end
+  end
+end
+
+Dependabot::Utils.register_version_class("conda", Dependabot::Conda::Version)

data/lib/dependabot/conda.rb

@@ -0,0 +1,35 @@
+# typed: strict
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/conda/file_fetcher"
+require "dependabot/conda/file_parser"
+require "dependabot/conda/update_checker"
+require "dependabot/conda/file_updater"
+require "dependabot/conda/metadata_finder"
+require "dependabot/conda/requirement"
+require "dependabot/conda/version"
+require "dependabot/conda/name_normaliser"
+
+require "dependabot/pull_request_creator/labeler"
+Dependabot::PullRequestCreator::Labeler
+  .register_label_details("conda", name: "conda", colour: "44a047")
+
+require "dependabot/dependency"
+# Conda manages Python packages, so use the same production check as Python
+Dependabot::Dependency.register_production_check(
+  "conda",
+  lambda do |groups|
+    return true if groups.empty?
+    return true if groups.include?("default")
+    return true if groups.include?("dependencies")
+
+    groups.include?("pip")
+  end
+)
+
+Dependabot::Dependency.register_name_normaliser(
+  "conda",
+  ->(name) { Dependabot::Conda::NameNormaliser.normalise(name) }
+)

metadata

@@ -0,0 +1,294 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-conda
+version: !ruby/object:Gem::Version
+  version: 0.325.1
+platform: ruby
+authors:
+- Dependabot
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-common
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.325.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.325.1
+- !ruby/object:Gem::Dependency
+  name: dependabot-python
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.325.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.325.1
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: gpgme
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.2'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rspec-sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.67'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.67'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.29'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.29'
+- !ruby/object:Gem::Dependency
+  name: rubocop-sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+- !ruby/object:Gem::Dependency
+  name: turbo_tests
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.5
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+description: Dependabot-Conda provides support for bumping Python packages in Conda
+  environment.yml files via Dependabot. If you want support for multiple package managers,
+  you probably want the meta-gem dependabot-omnibus.
+email: opensource@github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/dependabot/conda.rb
+- lib/dependabot/conda/file_fetcher.rb
+- lib/dependabot/conda/file_parser.rb
+- lib/dependabot/conda/file_updater.rb
+- lib/dependabot/conda/metadata_finder.rb
+- lib/dependabot/conda/name_normaliser.rb
+- lib/dependabot/conda/package_manager.rb
+- lib/dependabot/conda/python_package_classifier.rb
+- lib/dependabot/conda/requirement.rb
+- lib/dependabot/conda/update_checker.rb
+- lib/dependabot/conda/update_checker/latest_version_finder.rb
+- lib/dependabot/conda/update_checker/requirement_translator.rb
+- lib/dependabot/conda/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.325.1
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.3.0
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Provides Dependabot support for Conda
+test_files: []