dependabot-conda 0.349.0 → 0.350.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d533b2ab537726987e4a367cd0aeeea8f8567edcd218186bf74f2b0075db10e
-  data.tar.gz: 1ec1bed1c8a656534c97e20cbc4ed48ec54f15ecc244bded4adeb1fe21f873c4
+  metadata.gz: ce8cbd205c7b0ab1f739bfa46499f627230e6fe1628a7da150b136dcd7302658
+  data.tar.gz: feaa389e0e1332309d6bba5b583bb0933bcdb389348810b77200c6d62e279c65
 SHA512:
-  metadata.gz: af2b6c51628577e8af809b2d6b540b93d0ef7d8d2036265c0e6766908ea906d5b048586daf71eec920e4e2ea3172b39069a1a26ef60b5e50eb6530e56893e057
-  data.tar.gz: 14ce274e25f589a443c28c8fc762688174faab1a68bd038a05ad2007795c246636f6e2d068f4a771c776ef0aeba29b1efabe9974623dd8ffbd1c22f7e2294b61
+  metadata.gz: aac66701b1fa4423be74d27af6a806bee85103145a07ce076d1b00238858b696cb62a6ca9b6bcb299100e936cda55d12d3477b4ce7927eaa76675e88be1d2ab8
+  data.tar.gz: 2480678c876f4a278fa313f0687f6b0d6cd6d8823f3e9bcb71fc422c98d8eb97240fba624b2a0c12de7df1977fee0c6cf7a4cd42ec24271b9e5115d75c764aaa

data/lib/dependabot/conda/conda_registry_client.rb

@@ -0,0 +1,220 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "excon"
+require "json"
+require "sorbet-runtime"
+require "dependabot/conda/version"
+require "dependabot/registry_client"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Conda
+    class CondaRegistryClient
+      extend T::Sig
+
+      # Supported public conda channels (user-facing names from environment.yml)
+      SUPPORTED_CHANNELS = T.let(
+        %w(anaconda conda-forge defaults bioconda main).freeze,
+        T::Array[String]
+      )
+
+      # Channel aliases: maps user-facing channel names to API channel names
+      # 'defaults' is a Conda client alias that doesn't exist on anaconda.org API
+      CHANNEL_ALIASES = T.let(
+        { "defaults" => "anaconda" }.freeze,
+        T::Hash[String, String]
+      )
+      # anaconda.org API configuration
+      DEFAULT_CHANNEL = T.let("anaconda", String)
+      API_BASE_URL = T.let("https://api.anaconda.org", String)
+      CONNECTION_TIMEOUT = T.let(5, Integer)
+      READ_TIMEOUT = T.let(10, Integer)
+      MAX_RETRIES = T.let(1, Integer)
+
+      sig { void }
+      def initialize
+        @cache = T.let({}, T::Hash[String, T.untyped])
+        @not_found_cache = T.let(Set.new, T::Set[String])
+      end
+
+      # Fetch package metadata from Conda API
+      sig do
+        params(
+          package_name: String,
+          channel: String
+        ).returns(T.nilable(T::Hash[String, T.untyped]))
+      end
+      def fetch_package_metadata(package_name, channel = DEFAULT_CHANNEL)
+        cache_key = "#{channel}/#{package_name}"
+
+        # Check 404 cache first
+        return nil if @not_found_cache.include?(cache_key)
+
+        # Check cache
+        return @cache[cache_key] if @cache.key?(cache_key)
+
+        # Fetch from API
+        fetch_from_api(package_name, channel, cache_key)
+      end
+
+      # Check if a specific version exists for a package
+      sig do
+        params(
+          package_name: String,
+          version: String,
+          channel: String
+        ).returns(T::Boolean)
+      end
+      def version_exists?(package_name, version, channel = DEFAULT_CHANNEL)
+        metadata = fetch_package_metadata(package_name, channel)
+        return false unless metadata
+
+        versions = metadata["versions"]
+        return false unless versions.is_a?(Array)
+
+        versions.include?(version)
+      end
+
+      # Get all available versions for a package, sorted newest first
+      sig do
+        params(
+          package_name: String,
+          channel: String
+        ).returns(T::Array[Dependabot::Conda::Version])
+      end
+      def available_versions(package_name, channel = DEFAULT_CHANNEL)
+        metadata = fetch_package_metadata(package_name, channel)
+        return [] unless metadata
+
+        versions = metadata["versions"]
+        return [] unless versions.is_a?(Array)
+
+        # Parse and sort versions
+        parsed_versions = versions.filter_map do |version_string|
+          Dependabot::Conda::Version.new(version_string)
+        rescue ArgumentError
+          # Invalid version format - skip it
+          Dependabot.logger.debug("Skipping invalid conda version: #{version_string}")
+          nil
+        end
+
+        # Sort newest first
+        parsed_versions.sort.reverse
+      end
+
+      # Get the latest version for a package
+      sig do
+        params(
+          package_name: String,
+          channel: String
+        ).returns(T.nilable(Dependabot::Conda::Version))
+      end
+      def latest_version(package_name, channel = DEFAULT_CHANNEL)
+        versions = available_versions(package_name, channel)
+        versions.first
+      end
+
+      # Get package metadata fields for MetadataFinder
+      sig do
+        params(
+          package_name: String,
+          channel: String
+        ).returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
+      def package_metadata(package_name, channel = DEFAULT_CHANNEL)
+        metadata = fetch_package_metadata(package_name, channel)
+        return nil unless metadata
+
+        {
+          homepage: metadata["home"],
+          source_url: metadata["dev_url"],
+          description: metadata["summary"],
+          license: metadata["license"]
+        }
+      end
+
+      private
+
+      # Normalize channel name from user-facing to API-compatible
+      sig { params(channel: String).returns(String) }
+      def normalize_channel(channel)
+        CHANNEL_ALIASES[channel] || channel
+      end
+
+      sig do
+        params(
+          package_name: String,
+          channel: String,
+          cache_key: String
+        ).returns(T.nilable(T::Hash[String, T.untyped]))
+      end
+      def fetch_from_api(package_name, channel, cache_key)
+        # Normalize channel name for API (e.g., 'defaults' -> 'anaconda')
+        api_channel = normalize_channel(channel)
+        url = "#{API_BASE_URL}/package/#{api_channel}/#{package_name}"
+
+        begin
+          response = make_http_request(url)
+          handle_response(response, package_name, cache_key)
+        rescue JSON::ParserError => e
+          Dependabot.logger.error("Invalid JSON from Conda API for #{package_name}: #{e.message}")
+          nil
+        rescue Excon::Error::Socket, Excon::Error::Timeout => e
+          Dependabot.logger.error("Conda API connection error for #{package_name}: #{e.message}")
+          raise Dependabot::DependabotError, "Failed to connect to Conda API: #{e.message}"
+        end
+      end
+
+      sig { params(url: String).returns(Excon::Response) }
+      def make_http_request(url)
+        Dependabot::RegistryClient.get(
+          url: url,
+          headers: {
+            "Accept" => "application/json",
+            "User-Agent" => Dependabot::SharedHelpers::USER_AGENT
+          },
+          options: {
+            connect_timeout: CONNECTION_TIMEOUT,
+            read_timeout: READ_TIMEOUT,
+            retry_limit: MAX_RETRIES
+          }
+        )
+      end
+
+      sig do
+        params(
+          response: Excon::Response,
+          package_name: String,
+          cache_key: String
+        ).returns(T.nilable(T::Hash[String, T.untyped]))
+      end
+      def handle_response(response, package_name, cache_key)
+        case response.status
+        when 200
+          data = JSON.parse(response.body)
+          @cache[cache_key] = data
+          data
+        when 404
+          @not_found_cache.add(cache_key)
+          nil
+        when 429
+          handle_rate_limit(response, package_name)
+        else
+          Dependabot.logger.error("Unexpected Conda API response: #{response.status} for #{package_name}")
+          nil
+        end
+      end
+
+      sig { params(response: Excon::Response, package_name: String).returns(T.noreturn) }
+      def handle_rate_limit(response, package_name)
+        retry_after = response.headers["Retry-After"]&.to_i || 60
+        Dependabot.logger.warn(
+          "Conda API rate limited. Retry after #{retry_after} seconds. Package: #{package_name}"
+        )
+        raise Dependabot::DependabotError,
+              "Conda API rate limited. Please try again in #{retry_after} seconds."
+      end
+    end
+  end
+end

data/lib/dependabot/conda/file_fetcher.rb

@@ -1,10 +1,10 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "yaml"
 require "sorbet-runtime"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
-require "dependabot/conda/python_package_classifier"
 
 module Dependabot
   module Conda
@@ -31,101 +31,150 @@ module Dependabot
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
-        []
+        unless allow_beta_ecosystems?
+          raise Dependabot::DependencyFileNotFound.new(
+            nil,
+            "Conda support is currently in beta. Set ALLOW_BETA_ECOSYSTEMS=true to enable it."
+          )
+        end
+
+        fetched_files = []
+
+        # Try to fetch environment.yml first, then environment.yaml
+        environment_file = fetch_file_if_present("environment.yml") ||
+                           fetch_file_if_present("environment.yaml")
+
+        if environment_file
+          # Validate it's a proper conda environment file
+          validation = validate_conda_environment(environment_file)
+          unless validation[:valid]
+            raise(
+              Dependabot::DependencyFileNotFound.new(
+                File.join(directory, environment_file.name),
+                unsupported_environment_message(validation[:reason])
+              )
+            )
+          end
+          fetched_files << environment_file
+        end
+
+        return fetched_files if fetched_files.any?
+
+        raise(
+          Dependabot::DependencyFileNotFound,
+          File.join(directory, "environment.yml")
+        )
       end
 
       private
 
-      # Check if an environment file contains Python packages we can manage
-      sig { params(file: DependencyFile).returns(T::Boolean) }
-      def environment_contains_manageable_packages?(file)
+      # Validate that environment file is a proper conda manifest with manageable packages
+      # Returns a hash with :valid (Boolean) and :reason (Symbol or nil)
+      sig { params(file: DependencyFile).returns(T::Hash[Symbol, T.untyped]) }
+      def validate_conda_environment(file)
         content = file.content
-        return false unless content
+        return { valid: false, reason: :no_content } unless content
 
-        parsed_yaml = begin
-          parse_yaml_content(content)
-        rescue Psych::SyntaxError => e
-          Dependabot.logger.error("YAML parsing error: #{e.message}")
-          nil
-        end
-        return false unless parsed_yaml
+        parsed_yaml = parse_and_validate_yaml(content)
+        return { valid: false, reason: :invalid_yaml } unless parsed_yaml
+
+        dependencies = parsed_yaml["dependencies"]
+        return { valid: false, reason: :no_dependencies } unless dependencies.is_a?(Array)
+        return { valid: false, reason: :empty_dependencies } if dependencies.empty?
 
-        manageable_conda_packages?(parsed_yaml) || manageable_pip_packages?(parsed_yaml)
+        # Check if all packages are fully qualified (no manageable packages)
+        return { valid: false, reason: :all_fully_qualified } unless manageable_packages?(dependencies)
+
+        { valid: true, reason: nil }
       end
 
-      # Parse YAML content and return parsed hash or nil
       sig { params(content: String).returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
-      def parse_yaml_content(content)
-        require "yaml"
-        parsed = YAML.safe_load(content)
-        parsed.is_a?(Hash) ? parsed : nil
+      def parse_and_validate_yaml(content)
+        parsed_yaml = parse_yaml_content(content)
+        return nil unless parsed_yaml
+        return nil unless parsed_yaml.is_a?(Hash)
+
+        parsed_yaml
+      rescue Psych::SyntaxError => e
+        Dependabot.logger.error("YAML parsing error: #{e.message}")
+        nil
       end
 
-      # Check if the parsed YAML contains manageable conda packages
-      sig { params(parsed_yaml: T::Hash[T.untyped, T.untyped]).returns(T::Boolean) }
-      def manageable_conda_packages?(parsed_yaml)
-        dependencies = parsed_yaml["dependencies"]
+      # Check if there are any manageable packages (simple specs or pip)
+      sig { params(dependencies: T.untyped).returns(T::Boolean) }
+      def manageable_packages?(dependencies)
         return false unless dependencies.is_a?(Array)
 
-        simplified_packages = dependencies.select do |dep|
-          dep.is_a?(String) && !fully_qualified_spec?(dep) &&
-            PythonPackageClassifier.python_package?(PythonPackageClassifier.extract_package_name(dep))
+        has_simple_conda = dependencies.any? do |dep|
+          dep.is_a?(String) && !fully_qualified_spec?(dep)
         end
-        simplified_packages.any?
-      end
 
-      # Check if the parsed YAML contains manageable pip packages
-      sig { params(parsed_yaml: T::Hash[T.untyped, T.untyped]).returns(T::Boolean) }
-      def manageable_pip_packages?(parsed_yaml)
-        dependencies = parsed_yaml["dependencies"]
-        return false unless dependencies.is_a?(Array)
+        has_pip = dependencies.any? { |dep| dep.is_a?(Hash) && dep.key?("pip") }
 
-        pip_deps = dependencies.find { |dep| dep.is_a?(Hash) && dep.key?("pip") }
-        return false unless pip_deps && pip_deps["pip"].is_a?(Array)
+        has_simple_conda || has_pip
+      end
 
-        python_pip_packages = pip_deps["pip"].select do |pip_dep|
-          pip_dep.is_a?(String) &&
-            PythonPackageClassifier.python_package?(PythonPackageClassifier.extract_package_name(pip_dep))
-        end
-        python_pip_packages.any?
+      sig { params(content: String).returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+      def parse_yaml_content(content)
+        parsed = YAML.safe_load(content)
+        parsed.is_a?(Hash) ? parsed : nil
       end
 
-      # Check if a package specification is fully qualified (build string included)
       sig { params(spec: String).returns(T::Boolean) }
       def fully_qualified_spec?(spec)
-        # Fully qualified specs have format: package=version=build_string
-        # e.g., "numpy=1.21.0=py39h20f2e39_0"
+        # Fully qualified: package=version=build_string (e.g., numpy=1.21.0=py39h20f2e39_0)
+        return false if spec.include?("==")
+        return false if spec.include?("[")
+
         parts = spec.split("=")
         return false unless parts.length >= 3
 
         build_string = parts[2]
-        return false unless build_string
+        return false unless build_string && !build_string.empty?
 
         build_string.match?(/^[a-zA-Z0-9_]+$/)
       end
 
-      sig { returns(String) }
-      def unsupported_environment_message
-        <<~MSG
-          This Conda environment file is not currently supported by Dependabot.
-
-          Dependabot-Conda supports Python packages only and requires one of the following:
-
-          1. **Simplified conda specifications**: Dependencies using simple version syntax (e.g., numpy=1.21.0)
-          2. **Pip section with Python packages**: A 'pip:' section containing Python packages from PyPI
-
-          **Not supported:**
-          - Fully qualified conda specifications (e.g., numpy=1.21.0=py39h20f2e39_0)
-          - Non-Python packages (R packages, system tools, etc.)
-          - Environments without any Python packages
-
-          To make your environment compatible:
-          - Use simplified conda package specifications for conda packages
-          - Add a pip section for PyPI packages
-          - Focus on Python packages only
-
-          For more information, see the Dependabot-Conda documentation.
-        MSG
+      sig { params(reason: T.nilable(Symbol)).returns(String) }
+      def unsupported_environment_message(reason)
+        case reason
+        when :all_fully_qualified
+          <<~MSG
+            This environment file contains only fully qualified package specifications with build strings.
+
+            Dependabot cannot update packages with build strings like:
+              - numpy=1.21.0=py39h20f2e39_0
+
+            To fix, remove the build string. Dependabot supports simplified specifications \
+            (e.g., numpy=1.21.0,r-base>=4.0)
+          MSG
+        when :no_dependencies, :empty_dependencies
+          <<~MSG
+            This environment file has no dependencies to manage.
+
+            Add at least one package to the dependencies section:
+              dependencies:
+                - python>=3.9
+                - numpy>=1.21.0
+          MSG
+        when :invalid_yaml
+          <<~MSG
+            This environment file contains invalid YAML syntax.
+
+            Please fix the YAML syntax errors before Dependabot can process this file.
+          MSG
+        else
+          <<~MSG
+            This Conda environment file is not supported by Dependabot.
+
+            Dependabot supports:
+            - Simplified conda specifications (e.g., numpy=1.21.0, r-base>=4.0)
+            - Pip dependencies in the pip section
+
+            Not supported:
+            - Fully qualified specifications with build strings (e.g., numpy=1.21.0=py39h20f2e39_0)
+          MSG
+        end
       end
     end
   end

data/lib/dependabot/conda/file_parser.rb

@@ -5,10 +5,10 @@ require "yaml"
 require "sorbet-runtime"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
-require "dependabot/conda/python_package_classifier"
 require "dependabot/conda/requirement"
 require "dependabot/conda/version"
 require "dependabot/conda/package_manager"
+require "dependabot/conda/conda_registry_client"
 
 module Dependabot
   module Conda
@@ -93,15 +93,12 @@ module Dependabot
 
         dependencies.each do |dep|
           next unless dep.is_a?(String)
-          next if dep.is_a?(Hash) # Skip pip section
-
-          # Skip conda dependencies if we have fully qualified packages (Tier 2 support)
+          next if dep.is_a?(Hash)
           next if has_fully_qualified
 
           parsed_dep = parse_conda_dependency_string(dep, file)
           next unless parsed_dep
-          next unless python_package?(parsed_dep[:name])
-          next if parsed_dep[:name] == "pip" # Skip pip itself as it's infrastructure
+          next if parsed_dep[:name] == "pip"
 
           parsed_dependencies << create_dependency(
             name: parsed_dep[:name],
@@ -114,7 +111,7 @@ module Dependabot
         parsed_dependencies
       end
 
-      sig { params(dependencies: T.nilable(T::Array[T.untyped])).returns(T.nilable(T::Array[String])) }
+      sig { params(dependencies: T.untyped).returns(T.nilable(T::Array[String])) }
       def find_pip_dependencies(dependencies)
         return nil unless dependencies.is_a?(Array)
 
@@ -141,7 +138,7 @@ module Dependabot
             name: parsed_dep[:name],
             version: parsed_dep[:version],
             requirements: parsed_dep[:requirements],
-            package_manager: "conda"
+            package_manager: "pip"
           )
         end
 
@@ -154,12 +151,18 @@ module Dependabot
       def parse_conda_dependency_string(dep_string, file)
         return nil if dep_string.nil?
 
+        # Extract channel prefix before normalizing (e.g., "conda-forge::numpy=1.26.0")
+        channel = extract_channel_from_dependency_string(dep_string)
+
         # Handle channel specifications: conda-forge::numpy=1.21.0
         normalized_dep_string = normalize_conda_dependency_string(dep_string)
         return nil if normalized_dep_string.nil?
 
-        # Parse conda-style version specifications
-        # Examples: numpy=1.21.0, scipy>=1.7.0, pandas, python=3.9, python>=3.8,<3.11
+        # Handle bracket syntax: package[version='>=1.0']
+        if normalized_dep_string.include?("[")
+          bracket_match = normalized_dep_string.match(/^([a-zA-Z0-9_.-]+)\[version=['"](.+)['"]\]$/)
+          normalized_dep_string = "#{bracket_match[1]}#{bracket_match[2]}" if bracket_match
+        end
         match = normalized_dep_string.match(/^([a-zA-Z0-9_.-]+)(?:\s*(.+))?$/)
         return nil unless match
 
@@ -167,7 +170,7 @@ module Dependabot
         constraint = match[2]&.strip
 
         version = extract_conda_version(constraint)
-        requirements = build_conda_requirements(constraint, file)
+        requirements = build_conda_requirements(constraint, file, channel)
 
         {
           name: name,
@@ -176,6 +179,17 @@ module Dependabot
         }
       end
 
+      sig { params(dep_string: String).returns(T.nilable(String)) }
+      def extract_channel_from_dependency_string(dep_string)
+        return nil unless dep_string.include?("::")
+
+        channel = dep_string.split("::", 2).first
+        return nil unless channel
+        return nil unless CondaRegistryClient::SUPPORTED_CHANNELS.include?(channel)
+
+        channel
+      end
+
       sig { params(dep_string: String).returns(T.nilable(String)) }
       def normalize_conda_dependency_string(dep_string)
         return dep_string unless dep_string.include?("::")
@@ -189,32 +203,31 @@ module Dependabot
         return nil unless constraint
 
         case constraint
+        when /^==([0-9][a-zA-Z0-9._+-]+)$/
+          constraint[2..-1]
         when /^=([0-9][a-zA-Z0-9._+-]+)$/
-          # Exact conda version: =1.26.0
-          constraint[1..-1] # Remove the = prefix
+          constraint[1..-1]
         when /^>=([0-9][a-zA-Z0-9._+-]+)$/
-          # Minimum version constraint: >=1.26.0
-          # For security purposes, treat this as the current version
-          constraint[2..-1] # Remove the >= prefix
+          constraint[2..-1]
         when /^~=([0-9][a-zA-Z0-9._+-]+)$/
-          # Compatible release: ~=1.26.0
-          constraint[2..-1] # Remove the ~= prefix
+          constraint[2..-1]
         end
       end
 
       sig do
         params(
           constraint: T.nilable(String),
-          file: Dependabot::DependencyFile
+          file: Dependabot::DependencyFile,
+          channel: T.nilable(String)
         ).returns(T::Array[T::Hash[Symbol, T.untyped]])
       end
-      def build_conda_requirements(constraint, file)
-        return [] unless constraint && !constraint.empty?
+      def build_conda_requirements(constraint, file, channel = nil)
+        source = channel ? { channel: channel } : nil
 
         [{
-          requirement: constraint,
+          requirement: constraint && !constraint.empty? ? constraint : nil,
           file: file.name,
-          source: nil,
+          source: source,
           groups: ["dependencies"]
         }]
       end
@@ -223,7 +236,6 @@ module Dependabot
         params(dep_string: String, file: Dependabot::DependencyFile).returns(T.nilable(T::Hash[Symbol, T.untyped]))
       end
       def parse_pip_dependency_string(dep_string, file)
-        # Handle pip-style specifications: requests==2.25.1, flask>=1.0.0
         match = dep_string.match(/^([a-zA-Z0-9_.-]+)(?:\s*(==|>=|>|<=|<|!=|~=)\s*([0-9][a-zA-Z0-9._+-]*))?$/)
         return nil unless match
 
@@ -231,22 +243,16 @@ module Dependabot
         operator = match[2]
         version = match[3]
 
-        # Extract meaningful version information for security update purposes
         extracted_version = nil
         if version
           case operator
           when "==", "="
-            # Exact version: use as-is
             extracted_version = version
           when ">=", "~="
-            # Minimum version constraint: use the specified version as current
-            # This allows security updates to work by treating the constraint as current version
             extracted_version = version
           when ">"
-            # Greater than: we can't determine exact version, leave as nil
             extracted_version = nil
           when "<=", "<", "!="
-            # Upper bounds or exclusions: not useful for determining current version
             extracted_version = nil
           end
         end
@@ -286,16 +292,12 @@ module Dependabot
         )
       end
 
-      sig { params(package_name: String).returns(T::Boolean) }
-      def python_package?(package_name)
-        PythonPackageClassifier.python_package?(package_name)
-      end
-
       sig { params(dep_string: String).returns(T::Boolean) }
       def fully_qualified_package?(dep_string)
-        # Fully qualified packages have build strings after the version
-        # Format: package=version=build_string
-        # Example: python=3.9.7=h60c2a47_0_cpython
+        # Fully qualified: package=version=build_string (e.g., python=3.9.7=h60c2a47_0)
+        return false if dep_string.include?("==")
+        return false if dep_string.include?("[")
+
         dep_string.count("=") >= 2
       end