dependabot-conda 0.349.0 → 0.351.0

data/lib/dependabot/conda/file_updater.rb

@@ -30,6 +30,21 @@ module Dependabot
         T.proc.params(arg0: T.untyped).returns(Regexp)
       )
 
+      # Bracket syntax: package[version='>=1.0']
+      CONDA_BRACKET_PATTERN = T.let(
+        lambda do |name|
+          /^(\s{2,4}-\s+)(#{Regexp.escape(name)})(\[version=['"])[^'"]+(['"]\])(\s*)(#.*)?$/
+        end,
+        T.proc.params(arg0: T.untyped).returns(Regexp)
+      )
+
+      CONDA_CHANNEL_BRACKET_PATTERN = T.let(
+        lambda do |name|
+          /^(\s{2,4}-\s+[a-zA-Z0-9_.-]+::)(#{Regexp.escape(name)})(\[version=['"])[^'"]+(['"]\])(\s*)(#.*)?$/
+        end,
+        T.proc.params(arg0: T.untyped).returns(Regexp)
+      )
+
       PIP_PATTERN = T.let(
         lambda do |name|
           /^(\s{5,}-\s+)(#{Regexp.escape(name)})#{VERSION_CONSTRAINT_PATTERN}(\s*)(#.*)?$/
@@ -43,7 +58,6 @@ module Dependabot
 
         environment_files.each do |file|
           updated_file = update_environment_file(file)
-          # Always include a file (even if unchanged) to match expected behavior
           updated_files << (updated_file || file)
         end
 
@@ -56,7 +70,6 @@ module Dependabot
       def check_required_files
         filenames = dependency_files.map(&:name)
         raise "No environment.yml file found!" unless filenames.any? { |name| name.match?(/^environment\.ya?ml$/i) }
-        # File found, all good
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -140,18 +153,13 @@ module Dependabot
         ).returns(T::Hash[Symbol, T.untyped])
       end
       def update_conda_dependency_in_content(content, dependency)
-        # Pattern to match conda dependency lines (with optional channel prefix)
-        # Matches: "  - numpy=1.26", "  - conda-forge::numpy>=1.21.0", "  - numpy >= 1.21.0  # comment", etc.
-        # Enhanced to handle flexible indentation, space around operators, and comment preservation
-        # But restrict to main dependencies section (not deeply nested like pip section)
-        conda_patterns = [
-          # With channel prefix - main dependencies section (2-4 spaces to avoid pip section)
+        # Try standard patterns first (most common)
+        standard_patterns = [
           CONDA_CHANNEL_PATTERN.call(dependency.name),
-          # Without channel prefix - main dependencies section (2-4 spaces to avoid pip section)
           CONDA_SIMPLE_PATTERN.call(dependency.name)
         ]
 
-        conda_patterns.each do |pattern|
+        standard_patterns.each do |pattern|
           next unless content.match?(pattern)
 
           updated_content = content.gsub(pattern) do
@@ -159,13 +167,34 @@ module Dependabot
             name = ::Regexp.last_match(2)
             whitespace_before_comment = ::Regexp.last_match(4) || ""
             comment = ::Regexp.last_match(5) || ""
-            # Use the requirement from the dependency object, or default to =version
             new_requirement = get_requirement_for_dependency(dependency, "conda")
             "#{prefix}#{name}#{new_requirement}#{whitespace_before_comment}#{comment}"
           end
           return { updated: true, content: updated_content, not_found: false }
         end
 
+        # Try bracket syntax patterns (rare cases)
+        bracket_patterns = [
+          CONDA_CHANNEL_BRACKET_PATTERN.call(dependency.name),
+          CONDA_BRACKET_PATTERN.call(dependency.name)
+        ]
+
+        bracket_patterns.each do |pattern|
+          next unless content.match?(pattern)
+
+          updated_content = content.gsub(pattern) do
+            prefix = ::Regexp.last_match(1)
+            name = ::Regexp.last_match(2)
+            bracket_start = ::Regexp.last_match(3)
+            bracket_end = ::Regexp.last_match(4)
+            whitespace_before_comment = ::Regexp.last_match(5) || ""
+            comment = ::Regexp.last_match(6) || ""
+            new_requirement = get_requirement_for_dependency(dependency, "conda")
+            "#{prefix}#{name}#{bracket_start}#{new_requirement}#{bracket_end}#{whitespace_before_comment}#{comment}"
+          end
+          return { updated: true, content: updated_content, not_found: false }
+        end
+
         { updated: false, content: content, not_found: false }
       end
 
@@ -176,10 +205,6 @@ module Dependabot
         ).returns(T::Hash[Symbol, T.untyped])
       end
       def update_pip_dependency_in_content(content, dependency)
-        # Pattern to match pip dependency lines in pip section
-        # Enhanced to handle flexible indentation for pip section (5+ spaces to distinguish from main deps),
-        # better operator support, and multiple constraints like "requests>=2.25.0,<3.0"
-        # Capture whitespace between requirement and comment to preserve formatting
         pip_pattern = PIP_PATTERN.call(dependency.name)
 
         if content.match?(pip_pattern)
@@ -188,7 +213,6 @@ module Dependabot
             name = ::Regexp.last_match(2)
             whitespace_before_comment = ::Regexp.last_match(4) || ""
             comment = ::Regexp.last_match(5) || ""
-            # Use the requirement from the dependency object, or default to ==version
             new_requirement = get_requirement_for_dependency(dependency, "pip")
             "#{prefix}#{name}#{new_requirement}#{whitespace_before_comment}#{comment}"
           end

data/lib/dependabot/conda/metadata_finder.rb

@@ -4,7 +4,6 @@
 require "sorbet-runtime"
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
-require "dependabot/conda/python_package_classifier"
 require "dependabot/python/metadata_finder"
 
 module Dependabot
@@ -14,32 +13,27 @@ module Dependabot
 
       sig { override.returns(T.nilable(String)) }
       def homepage_url
-        return super unless python_package?(dependency.name)
+        return python_metadata_finder.homepage_url if pip_dependency?
 
-        # Delegate to Python metadata finder for enhanced PyPI-based homepage URLs
-        python_metadata_finder.homepage_url
+        nil
       end
 
       private
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
-        return nil unless python_package?(dependency.name)
+        return python_metadata_finder.send(:look_up_source) if pip_dependency?
 
-        # Delegate to Python metadata finder for Python packages
-        python_metadata_finder.send(:look_up_source)
+        nil
       end
 
-      sig { params(package_name: String).returns(T::Boolean) }
-      def python_package?(package_name)
-        PythonPackageClassifier.python_package?(package_name)
+      sig { returns(T::Boolean) }
+      def pip_dependency?
+        dependency.requirements.any? { |req| req[:groups]&.include?("pip") }
       end
 
       sig { returns(Dependabot::Python::MetadataFinder) }
       def python_metadata_finder
-        # Cache the Python metadata finder instance for reuse across method calls
-        # Credentials are passed through as-is since conda manifests don't specify pip-index credentials
-        # TODO: If we decide to support non python packages for Conda we will have to review this
         @python_metadata_finder ||= T.let(
           Dependabot::Python::MetadataFinder.new(
             dependency: python_dependency,
@@ -57,8 +51,7 @@ module Dependabot
           version: dependency.version,
           requirements: dependency.requirements.map do |req|
             req.merge(
-              file: req[:file]&.gsub(/environment\.ya?ml/, "requirements.txt"),
-              source: nil # No private pip-index in conda manifests
+              source: nil
             )
           end,
           package_manager: "pip"

data/lib/dependabot/conda/update_checker/latest_version_finder.rb

@@ -1,10 +1,13 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "yaml"
 require "sorbet-runtime"
 require "dependabot/package/package_latest_version_finder"
+require "dependabot/package/package_release"
 require "dependabot/python/update_checker/latest_version_finder"
 require "dependabot/dependency"
+require "dependabot/conda/conda_registry_client"
 require_relative "requirement_translator"
 
 module Dependabot
@@ -35,13 +38,18 @@ module Dependabot
         )
           @raise_on_ignored = T.let(raise_on_ignored, T::Boolean)
           @cooldown_options = T.let(cooldown_options, T.nilable(Dependabot::Package::ReleaseCooldownOptions))
+          @conda_client = T.let(CondaRegistryClient.new, CondaRegistryClient)
 
           super
         end
 
         sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
         def package_details
-          @package_details ||= python_latest_version_finder.package_details
+          @package_details ||= if pip_dependency?
+                                 python_latest_version_finder.package_details
+                               else
+                                 conda_package_details
+                               end
         end
 
         sig { override.returns(T::Boolean) }
@@ -51,6 +59,106 @@ module Dependabot
 
         private
 
+        sig { returns(T::Boolean) }
+        def pip_dependency?
+          dependency.requirements.any? { |req| req[:groups]&.include?("pip") }
+        end
+
+        sig { returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def conda_package_details
+          channels_to_search.each do |channel|
+            versions = @conda_client.available_versions(dependency.name, channel)
+            next if versions.empty?
+
+            releases = versions.map.with_index do |version, index|
+              Dependabot::Package::PackageRelease.new(
+                version: version,
+                url: "https://anaconda.org/#{channel}/#{dependency.name}",
+                latest: index.zero?
+              )
+            end
+
+            return Dependabot::Package::PackageDetails.new(
+              dependency: dependency,
+              releases: releases
+            )
+          end
+
+          nil
+        end
+
+        sig { returns(T::Array[String]) }
+        def channels_to_search
+          channels = []
+
+          # Priority 1: Explicit source channel
+          source_channel = extract_channel_from_source
+          channels << source_channel if source_channel
+
+          # Priority 2: Channel prefix in requirement
+          requirement_channel = extract_channel_from_requirement
+          channels << requirement_channel if requirement_channel && !channels.include?(requirement_channel)
+
+          # Priority 3: Environment file channels
+          env_channels = extract_all_channels_from_environment_file
+          env_channels.each do |ch|
+            channels << ch unless channels.include?(ch)
+          end
+
+          # Priority 4: Default fallback channels
+          [CondaRegistryClient::DEFAULT_CHANNEL, "conda-forge", "main"].each do |ch|
+            channels << ch unless channels.include?(ch)
+          end
+
+          channels
+        end
+
+        sig { returns(T.nilable(String)) }
+        def extract_channel_from_source
+          return nil unless dependency.requirements.first
+
+          source = T.let(T.must(dependency.requirements.first)[:source], T.nilable(T::Hash[Symbol, T.untyped]))
+          return nil unless source
+
+          channel = source[:channel]
+          return nil unless channel.is_a?(String)
+          return nil unless CondaRegistryClient::SUPPORTED_CHANNELS.include?(channel)
+
+          channel
+        end
+
+        sig { returns(T.nilable(String)) }
+        def extract_channel_from_requirement
+          dependency.requirements.each do |req|
+            requirement_string = req[:requirement]
+            next unless requirement_string&.include?("::")
+
+            channel = requirement_string.split("::").first
+            next unless channel
+            next unless CondaRegistryClient::SUPPORTED_CHANNELS.include?(channel)
+
+            return channel
+          end
+
+          nil
+        end
+
+        sig { returns(T::Array[String]) }
+        def extract_all_channels_from_environment_file
+          environment_file = dependency_files.find { |f| f.name.match?(/environment\.ya?ml/i) }
+          return [] unless environment_file
+
+          parsed = YAML.safe_load(T.must(environment_file.content))
+          return [] unless parsed.is_a?(Hash)
+
+          channels = parsed["channels"]
+          return [] unless channels.is_a?(Array)
+
+          channels.select { |ch| ch.is_a?(String) && CondaRegistryClient::SUPPORTED_CHANNELS.include?(ch) }
+        rescue Psych::SyntaxError
+          []
+        end
+
         sig { returns(Dependabot::Python::UpdateChecker::LatestVersionFinder) }
         def python_latest_version_finder
           @python_latest_version_finder ||= T.let(
@@ -69,12 +177,11 @@ module Dependabot
 
         sig { returns(Dependabot::Dependency) }
         def python_compatible_dependency
-          # Convert conda dependency to python-compatible dependency
           Dependabot::Dependency.new(
             name: dependency.name,
             version: dependency.version,
             requirements: python_compatible_requirements,
-            package_manager: "pip" # Use pip for PyPI compatibility
+            package_manager: "pip"
           )
         end
 
@@ -90,7 +197,6 @@ module Dependabot
         sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
         def python_compatible_security_advisories
           security_advisories.map do |advisory|
-            # Convert Conda requirements to Python requirements for pip compatibility
             python_vulnerable_versions = advisory.vulnerable_versions.flat_map do |conda_req|
               Dependabot::Python::Requirement.requirements_array(conda_req.to_s)
             end
@@ -99,10 +205,9 @@ module Dependabot
               Dependabot::Python::Requirement.requirements_array(conda_req.to_s)
             end
 
-            # Normalize security advisories to use 'pip' package manager for Python delegation
             Dependabot::SecurityAdvisory.new(
               dependency_name: advisory.dependency_name,
-              package_manager: "pip", # Use pip for PyPI compatibility
+              package_manager: "pip",
               vulnerable_versions: python_vulnerable_versions,
               safe_versions: python_safe_versions
             )