dependabot-conda 0.349.0 → 0.351.0

data/lib/dependabot/conda/version.rb

@@ -1,21 +1,332 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
-require "dependabot/python/version"
+require "dependabot/version"
+require "dependabot/utils"
 
 module Dependabot
   module Conda
-    # Conda version handling delegates to Python version since conda primarily manages Python packages
-    class Version < Dependabot::Python::Version
+    # Conda version handling based on conda's version specification
+    # See: https://docs.conda.io/projects/conda/en/stable/user-guide/concepts/pkg-specs.html
+    #
+    # Version format: [epoch!]version[+local]
+    #
+    # Components:
+    # - Epoch (optional): Integer prefix with ! separator (e.g., "1!2.0")
+    # - Version: Main version identifier with segments separated by . or _
+    # - Local version (optional): Build metadata with + prefix (e.g., "1.0+abc.7")
+    #
+    # Special handling:
+    # - "dev" pre-releases sort before all other pre-releases
+    # - "post" releases sort after the main version
+    # - Underscores are normalized to dots
+    # - Case-insensitive string comparison
+    # - Fillvalue 0 insertion for missing segments
+    # - Integer < String in mixed-type segment comparison (numeric before pre-release)
+    class Version < Dependabot::Version
       extend T::Sig
 
-      # Conda supports the same version formats as Python packages from PyPI
-      # This includes standard semver, epochs, pre-releases, dev releases, etc.
+      VERSION_PATTERN = /\A[a-z0-9_.!+\-]+\z/i
+
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
+      def self.correct?(version)
+        return false if version.nil? || version.to_s.empty?
+
+        version.to_s.match?(VERSION_PATTERN)
+      end
+
       sig { override.params(version: VersionParameter).returns(Dependabot::Conda::Version) }
       def self.new(version)
         T.cast(super, Dependabot::Conda::Version)
       end
+
+      sig { returns(Integer) }
+      attr_reader :epoch
+
+      sig { returns(T::Array[T.any(Integer, String)]) }
+      attr_reader :version_parts
+
+      sig { returns(T.nilable(T::Array[T.any(Integer, String)])) }
+      attr_reader :local_parts
+
+      VersionParts = T.let(Struct.new(:epoch, :main, :local, keyword_init: true), T.untyped)
+      private_constant :VersionParts
+
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version)
+        @version_string = T.let(version.to_s, String)
+
+        raise ArgumentError, "Malformed version string #{version}" unless self.class.correct?(version)
+
+        # Validate no empty segments
+        validate_version!(@version_string)
+
+        # Parse epoch, main version, and local version
+        parts = parse_epoch_and_local(@version_string)
+
+        @epoch = T.let(parts.epoch.to_i, Integer)
+        @version_parts = T.let(parse_components(parts.main), T::Array[T.any(Integer, String)])
+        @local_parts = T.let(
+          parts.local ? parse_components(parts.local) : nil,
+          T.nilable(T::Array[T.any(Integer, String)])
+        )
+
+        super
+      end
+
+      sig { override.params(other: T.untyped).returns(T.nilable(Integer)) }
+      def <=>(other)
+        return nil unless other.is_a?(Dependabot::Conda::Version)
+
+        # Step 1: Compare epochs (numerically)
+        epoch_comparison = @epoch <=> other.epoch
+        return epoch_comparison unless epoch_comparison.zero?
+
+        # Step 2: Compare version parts (segment by segment with fillvalue)
+        version_comparison = compare_parts(@version_parts, other.version_parts)
+        return version_comparison unless version_comparison.zero?
+
+        # Step 3: Compare local parts (if present)
+        compare_local_parts(@local_parts, other.local_parts)
+      end
+
+      private
+
+      # Validates version string for malformed segments
+      sig { params(version_str: String).void }
+      def validate_version!(version_str)
+        main_version = parse_epoch_and_local(version_str).main
+
+        # Check for empty segments (consecutive dots, leading/trailing dots)
+        return unless main_version.include?("..") || main_version.match?(/^\./) || main_version.match?(/\.$/)
+
+        raise ArgumentError, "Empty version segments not allowed in #{version_str}"
+      end
+
+      # Parses epoch and local version from version string
+      # Returns VersionParts struct with epoch, main, and local fields
+      sig { params(version_str: String).returns(T.untyped) }
+      def parse_epoch_and_local(version_str)
+        # Split on '!' for epoch
+        parts = version_str.split("!", 2)
+        if parts.length == 2
+          epoch_str = parts[0]
+          remainder = T.must(parts[1])
+        else
+          epoch_str = "0"
+          remainder = parts[0]
+        end
+
+        # Split on '+' for local version
+        parts = T.must(remainder).split("+", 2)
+        main_version = parts[0]
+        local_version = parts[1]
+
+        VersionParts.new(epoch: epoch_str, main: T.must(main_version), local: local_version)
+      end
+
+      # Parses version components into normalized segments
+      # Normalizes underscores to dots, handles special strings (dev, post)
+      # Splits alphanumeric segments like "a1" into ["a", 1]
+      sig { params(version_str: String).returns(T::Array[T.any(Integer, String)]) }
+      def parse_components(version_str)
+        # Normalize underscores to dots
+        normalized = version_str.tr("_", ".")
+
+        # Split on dots and dashes
+        raw_segments = normalized.split(/[.\-]/)
+
+        # Process each segment
+        segments = T.let([], T::Array[T.any(Integer, String)])
+        raw_segments.each do |segment|
+          next if segment.empty?
+
+          process_segment(segment, segments)
+        end
+
+        segments
+      end
+
+      # Process a single version segment and add results to segments array
+      sig do
+        params(
+          segment: String,
+          segments: T::Array[T.any(Integer, String)]
+        ).void
+      end
+      def process_segment(segment, segments)
+        # Key insight: Pre-release markers are only recognized when EMBEDDED in
+        # numeric segments (e.g., "0a1" in "1.0a1"), NOT when they appear as
+        # separate dot-delimited components (e.g., "rc1" in "2.rc1").
+        lower_seg = segment.downcase
+        has_embedded_prerelease = embedded_prerelease?(lower_seg)
+
+        subsegments = T.cast(segment.scan(/\d+|[a-z]+/i), T::Array[String])
+
+        if has_embedded_prerelease
+          process_prerelease_subsegments(subsegments, segments)
+        else
+          process_normal_subsegments(subsegments, segments)
+        end
+      end
+
+      # Check if segment contains an embedded pre-release marker
+      sig { params(lower_seg: String).returns(T::Boolean) }
+      def embedded_prerelease?(lower_seg)
+        # Embedded: digits + a/b/rc + required digits (e.g., "0a1", "10b2", "2rc1")
+        lower_seg.match?(/^\d+(a|alpha|b|beta|rc|c)\d+$/) ||
+          # Embedded: digits + dev/post + optional digits (e.g., "0dev", "10post1")
+          lower_seg.match?(/^\d+(dev|post)\d*$/)
+      end
+
+      # Process subsegments that contain pre-release markers
+      sig do
+        params(
+          subsegments: T::Array[String],
+          segments: T::Array[T.any(Integer, String)]
+        ).void
+      end
+      def process_prerelease_subsegments(subsegments, segments)
+        subsegments.each do |subseg|
+          lower_subseg = subseg.downcase
+          segments << if lower_subseg.match?(/^(dev|a|alpha|b|beta|rc|c|post)$/)
+                        normalize_prerelease_segment(subseg)
+                      elsif subseg.match?(/^\d+$/)
+                        subseg.to_i
+                      else
+                        subseg.downcase
+                      end
+        end
+      end
+
+      # Process normal subsegments (no pre-release markers)
+      sig do
+        params(
+          subsegments: T::Array[String],
+          segments: T::Array[T.any(Integer, String)]
+        ).void
+      end
+      def process_normal_subsegments(subsegments, segments)
+        subsegments.each do |subseg|
+          segments << if subseg.match?(/^\d+$/)
+                        subseg.to_i
+                      else
+                        subseg.downcase
+                      end
+        end
+      end
+
+      # Normalizes a pre-release or post-release segment
+      # Only called for confirmed pre-release/post-release patterns
+      sig { params(segment: String).returns(T.any(Integer, String)) }
+      def normalize_prerelease_segment(segment)
+        lower_segment = segment.downcase
+
+        # Pre-releases: use negative integers to sort before 0
+        return -4 if dev_prerelease?(lower_segment)
+        return -3 if alpha_prerelease?(lower_segment)
+        return -2 if beta_prerelease?(lower_segment)
+        return -1 if rc_prerelease?(lower_segment)
+
+        # Post-releases: use ~ prefix to sort after everything
+        return "~#{lower_segment}" if post_release?(lower_segment)
+
+        lower_segment
+      end
+
+      # Check if segment is dev pre-release
+      sig { params(lower_segment: String).returns(T::Boolean) }
+      def dev_prerelease?(lower_segment)
+        lower_segment == "dev" || lower_segment.match?(/^dev\d/)
+      end
+
+      # Check if segment is alpha pre-release
+      sig { params(lower_segment: String).returns(T::Boolean) }
+      def alpha_prerelease?(lower_segment)
+        lower_segment == "a" || lower_segment == "alpha" || lower_segment.match?(/^(a|alpha)\d/)
+      end
+
+      # Check if segment is beta pre-release
+      sig { params(lower_segment: String).returns(T::Boolean) }
+      def beta_prerelease?(lower_segment)
+        lower_segment == "b" || lower_segment == "beta" || lower_segment.match?(/^(b|beta)\d/)
+      end
+
+      # Check if segment is rc pre-release
+      sig { params(lower_segment: String).returns(T::Boolean) }
+      def rc_prerelease?(lower_segment)
+        lower_segment == "rc" || lower_segment == "c" || lower_segment.match?(/^(rc|c)\d/)
+      end
+
+      # Check if segment is post-release
+      sig { params(lower_segment: String).returns(T::Boolean) }
+      def post_release?(lower_segment)
+        lower_segment == "post" || lower_segment.start_with?("post")
+      end
+
+      # Compares two arrays of version parts with fillvalue insertion
+      sig do
+        params(
+          parts1: T::Array[T.any(Integer, String)],
+          parts2: T::Array[T.any(Integer, String)]
+        ).returns(Integer)
+      end
+      def compare_parts(parts1, parts2)
+        max_length = [parts1.length, parts2.length].max
+
+        max_length.times do |i|
+          # Insert fillvalue 0 for missing segments
+          seg1 = parts1[i] || 0
+          seg2 = parts2[i] || 0
+
+          result = compare_single_segment(seg1, seg2)
+          return result unless result.zero?
+        end
+
+        0 # All segments equal
+      end
+
+      # Compares two individual segments
+      # Rules:
+      # - Both integers: numeric comparison
+      # - Both strings: case-insensitive lexicographic comparison
+      # - Mixed types: Integer < String (numeric versions sort before pre-releases)
+      sig { params(seg1: T.any(Integer, String), seg2: T.any(Integer, String)).returns(Integer) }
+      def compare_single_segment(seg1, seg2)
+        # Both integers: numeric comparison
+        return seg1 <=> seg2 if seg1.is_a?(Integer) && seg2.is_a?(Integer)
+
+        # Both strings: case-insensitive lexicographic
+        # (already normalized to lowercase in parse_components)
+        return T.must(seg1 <=> seg2) if seg1.is_a?(String) && seg2.is_a?(String)
+
+        # Mixed types: Integer < String
+        # This means 1.0.0 (with fillvalue 0) < 1.0.0a (with "a")
+        seg1.is_a?(Integer) ? -1 : 1
+      end
+
+      # Compares local version parts
+      # - nil local version sorts before any local version
+      # - Both nil: equal
+      # - Otherwise compare using same rules as version parts
+      sig do
+        params(
+          local1: T.nilable(T::Array[T.any(Integer, String)]),
+          local2: T.nilable(T::Array[T.any(Integer, String)])
+        ).returns(Integer)
+      end
+      def compare_local_parts(local1, local2)
+        # Both nil: equal
+        return 0 if local1.nil? && local2.nil?
+
+        # One nil: nil sorts before any local version
+        return -1 if local1.nil?
+        return 1 if local2.nil?
+
+        # Both present: compare using same rules as version parts
+        compare_parts(local1, local2)
+      end
     end
   end
 end

data/lib/dependabot/conda.rb

@@ -17,15 +17,16 @@ Dependabot::PullRequestCreator::Labeler
   .register_label_details("conda", name: "conda", colour: "44a047")
 
 require "dependabot/dependency"
-# Conda manages Python packages, so use the same production check as Python
+# Conda manages packages from multiple ecosystems (Python, R, Julia, system tools)
+# and can also contain pip dependencies for Python packages from PyPI
 Dependabot::Dependency.register_production_check(
   "conda",
   lambda do |groups|
     return true if groups.empty?
     return true if groups.include?("default")
-    return true if groups.include?("dependencies")
+    return true if groups.include?("dependencies") # Conda packages
 
-    groups.include?("pip")
+    groups.include?("pip") # Pip packages (Python from PyPI)
   end
 )
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-conda
 version: !ruby/object:Gem::Version
-  version: 0.349.0
+  version: 0.351.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.349.0
+        version: 0.351.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.349.0
+        version: 0.351.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.349.0
+        version: 0.351.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.349.0
+        version: 0.351.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -247,33 +247,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
-description: Dependabot-Conda provides support for bumping Python packages in Conda
-  environment.yml files via Dependabot. If you want support for multiple package managers,
-  you probably want the meta-gem dependabot-omnibus.
+description: Dependabot-Conda provides support for updating Conda packages defined
+  in Conda environment.yml files. Routes conda packages to Conda channel APIs and
+  pip packages to PyPI for accurate version information.
 email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - lib/dependabot/conda.rb
+- lib/dependabot/conda/conda_registry_client.rb
 - lib/dependabot/conda/file_fetcher.rb
 - lib/dependabot/conda/file_parser.rb
 - lib/dependabot/conda/file_updater.rb
 - lib/dependabot/conda/metadata_finder.rb
 - lib/dependabot/conda/name_normaliser.rb
 - lib/dependabot/conda/package_manager.rb
-- lib/dependabot/conda/python_package_classifier.rb
 - lib/dependabot/conda/requirement.rb
 - lib/dependabot/conda/update_checker.rb
 - lib/dependabot/conda/update_checker/latest_version_finder.rb
 - lib/dependabot/conda/update_checker/requirement_translator.rb
+- lib/dependabot/conda/update_checker/requirements_updater.rb
 - lib/dependabot/conda/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.349.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.351.0
 rdoc_options: []
 require_paths:
 - lib

data/lib/dependabot/conda/python_package_classifier.rb

@@ -1,88 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-
-require "sorbet-runtime"
-
-module Dependabot
-  module Conda
-    class PythonPackageClassifier
-      extend T::Sig
-
-      # Known non-Python packages that should be ignored
-      NON_PYTHON_PATTERNS = T.let(
-        [
-          /^r-/i, # R packages (r-base, r-essentials, etc.)
-          /^r$/i,           # R language itself
-          /^python$/i,      # Python interpreter (conda-specific, not on PyPI)
-          /^git$/i,         # Git version control
-          /^gcc$/i,         # GCC compiler
-          /^cmake$/i,       # CMake build system
-          /^make$/i,        # Make build tool
-          /^curl$/i,        # cURL utility
-          /^wget$/i,        # Wget utility
-          /^vim$/i,         # Vim editor
-          /^nano$/i,        # Nano editor
-          /^nodejs$/i,      # Node.js runtime
-          /^java$/i,        # Java runtime
-          /^go$/i,          # Go language
-          /^rust$/i,        # Rust language
-          /^julia$/i,       # Julia language
-          /^perl$/i,        # Perl language
-          /^ruby$/i,        # Ruby language
-          # System libraries
-          /^openssl$/i,     # OpenSSL
-          /^zlib$/i,        # zlib compression
-          /^libffi$/i,      # Foreign Function Interface library
-          /^ncurses$/i,     # Terminal control library
-          /^readline$/i,    # Command line editing
-          # Compiler and build tools
-          /^_libgcc_mutex$/i,
-          /^_openmp_mutex$/i,
-          /^binutils$/i,
-          /^gxx_linux-64$/i,
-          # Multimedia libraries
-          /^ffmpeg$/i,      # Video processing
-          /^opencv$/i,      # Computer vision (note: opencv-python is different)
-          /^imageio$/i      # Image I/O (note: imageio python package is different)
-        ].freeze,
-        T::Array[Regexp]
-      )
-
-      # Determine if a package name represents a Python package
-      sig { params(package_name: String).returns(T::Boolean) }
-      def self.python_package?(package_name)
-        return false if package_name.empty?
-
-        # Extract just the package name without version or channel information
-        normalized_name = extract_package_name(package_name).downcase.strip
-        return false if normalized_name.empty?
-
-        # Check if it's explicitly a non-Python package
-        return false if NON_PYTHON_PATTERNS.any? { |pattern| normalized_name.match?(pattern) }
-
-        # Block obvious binary/system files
-        return false if normalized_name.match?(/\.(exe|dll|so|dylib)$/i)
-        return false if normalized_name.match?(/^lib.+\.a$/i) # Static libraries
-
-        # Block system mutexes
-        return false if normalized_name.match?(/^_[a-z0-9]+_mutex$/i)
-
-        # Default: treat as Python package
-        # This aligns with the strategic decision to focus on Python packages
-        # Most packages in conda environments are Python packages
-        true
-      end
-
-      # Extract package name from conda specification (remove channel prefix if present)
-      sig { params(spec: String).returns(String) }
-      def self.extract_package_name(spec)
-        # Handle channel specifications like "conda-forge::numpy=1.21.0"
-        parts = spec.split("::")
-        package_spec = parts.last || spec
-
-        # Extract package name (before = or space or version operators)
-        package_spec.split(/[=<>!~\s]/).first&.strip || spec
-      end
-    end
-  end
-end