dependabot-julia 0.342.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1b48cd9be4ed4e37e08b11eb39f35e71d449320f0efb7ee5d888e6f2be7d8ed3
+  data.tar.gz: 1f34fc7c632a67d01f7325c5d60b7a2d8e3e6c40178961713b42b817b7e3b5b4
+SHA512:
+  metadata.gz: b5c0b679487adf8dce2910599a8018f1858b68a7e987d64662ac92edeb32a4bf00925f4a43a35b507bb816c359d17614c320a9f0999ba82fff109d168712673e
+  data.tar.gz: 21ff26c3c0989184d86d36d8fa4104478b7d3e9797f694a74cb573b252562ebead236e09347fd9211217ab77cea903817183ee88ac0f1846f1bbcb1340fa2f4e

data/lib/dependabot/julia/dependency.rb

@@ -0,0 +1,21 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/julia/version"
+require "sorbet-runtime"
+
+module Dependabot
+  module Julia
+    class Dependency < Dependabot::Dependency
+      extend T::Sig
+
+      # This class intentionally delegates most functionality to the base
+      # Dependabot::Dependency class.
+      #
+      # Note: Dependabot::Julia::Version is properly registered for the "julia" package manager
+      # and implements ::new(version_string) and ::correct?(version_string) methods that handle
+      # Julia version strings according to Julia's semantic versioning specification.
+    end
+  end
+end

data/lib/dependabot/julia/file_fetcher.rb

@@ -0,0 +1,63 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Julia
+    class FileFetcher < Dependabot::FileFetchers::Base
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
+      def self.required_files_in?(filenames)
+        filenames.any? { |name| name.match?(/^(Julia)?Project\.toml$/i) }
+      end
+
+      sig { override.returns(String) }
+      def self.required_files_message
+        "Repo must contain a Project.toml or JuliaProject.toml file."
+      end
+
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def fetch_files
+        # Julia is currently in beta - only fetch files if beta ecosystems are enabled
+        return [] unless allow_beta_ecosystems?
+
+        fetched_files = []
+
+        # Fetch the main project file (Project.toml or JuliaProject.toml)
+        fetched_files << project_file
+
+        # Fetch the Manifest file if it exists
+        fetched_files << manifest_file if manifest_file
+
+        fetched_files
+      end
+
+      private
+
+      sig { returns(Dependabot::DependencyFile) }
+      def project_file
+        @project_file ||= T.let(
+          fetch_file_if_present("Project.toml") ||
+          fetch_file_if_present("JuliaProject.toml") ||
+          raise(
+            Dependabot::DependencyFileNotFound,
+            "No Project.toml or JuliaProject.toml found."
+          ),
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def manifest_file
+        @manifest_file ||= T.let(
+          fetch_file_if_present("Manifest.toml") ||
+                                     fetch_file_if_present("JuliaManifest.toml"),
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("julia", Dependabot::Julia::FileFetcher)

data/lib/dependabot/julia/file_parser.rb

@@ -0,0 +1,278 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "toml-rb"
+require "tempfile"
+require "fileutils"
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/julia/version"
+require "dependabot/julia/requirement"
+require "dependabot/julia/registry_client"
+
+module Dependabot
+  module Julia
+    class FileParser < Dependabot::FileParsers::Base
+      extend T::Sig
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          source: Dependabot::Source,
+          repo_contents_path: T.nilable(String),
+          credentials: T::Array[Dependabot::Credential],
+          reject_external_code: T::Boolean,
+          options: T::Hash[Symbol, T.untyped]
+        ).void
+      end
+      def initialize(
+        dependency_files:,
+        source:,
+        repo_contents_path: nil,
+        credentials: [],
+        reject_external_code: false,
+        options: {}
+      )
+        super
+        @parsed_project_file = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @parsed_manifest_file = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @registry_client = T.let(nil, T.nilable(Dependabot::Julia::RegistryClient))
+        @custom_registries = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
+        @temp_dir = T.let(nil, T.nilable(String))
+      end
+
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def parse
+        dependency_set = T.let([], T::Array[Dependabot::Dependency])
+
+        dependency_set += project_file_dependencies
+        dependency_set.uniq
+      end
+
+      private
+
+      # Helper methods for DependabotHelper.jl integration
+
+      sig { returns(Dependabot::Julia::RegistryClient) }
+      def registry_client
+        @registry_client ||= Dependabot::Julia::RegistryClient.new(
+          credentials: credentials,
+          custom_registries: custom_registries
+        )
+      end
+
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def custom_registries
+        @custom_registries ||= begin
+          registries = options.dig(:registries, :julia) || []
+          # Convert string keys to symbols if needed
+          registries.map do |registry|
+            registry.is_a?(Hash) ? registry.transform_keys(&:to_sym) : registry
+          end
+        end
+      end
+
+      sig { returns(String) }
+      def write_temp_project_file
+        @temp_dir ||= Dir.mktmpdir("julia_project")
+        project_path = File.join(@temp_dir, "Project.toml")
+        File.write(project_path, T.must(project_file).content)
+        project_path
+      end
+
+      sig { returns(T.nilable(String)) }
+      def write_temp_manifest_file
+        return nil unless manifest_file
+
+        @temp_dir ||= Dir.mktmpdir("julia_project")
+        manifest_path = File.join(@temp_dir, "Manifest.toml")
+        File.write(manifest_path, T.must(manifest_file).content)
+        manifest_path
+      end
+
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      def project_file_dependencies
+        dependencies = T.let([], T::Array[Dependabot::Dependency])
+        return dependencies unless project_file
+
+        # Use DependabotHelper.jl for project parsing
+        project_path = write_temp_project_file
+        manifest_path = write_temp_manifest_file if manifest_file
+
+        begin
+          result = registry_client.parse_project(
+            project_path: project_path,
+            manifest_path: manifest_path
+          )
+
+          if result["error"]
+            # Fallback to Ruby TOML parsing if Julia helper fails
+            Dependabot.logger.warn(
+              "DependabotHelper.jl parsing failed: #{result['error']}, " \
+              "falling back to Ruby parsing"
+            )
+            return fallback_project_file_dependencies
+          end
+
+          # Convert DependabotHelper.jl result to Dependabot::Dependency objects
+          dependencies = build_dependencies_from_julia_result(result)
+        ensure
+          # Cleanup temporary directory
+          FileUtils.rm_rf(@temp_dir) if @temp_dir && File.exist?(@temp_dir)
+        end
+
+        dependencies
+      end
+
+      sig { params(result: T::Hash[String, T.untyped]).returns(T::Array[Dependabot::Dependency]) }
+      def build_dependencies_from_julia_result(result)
+        dependencies = T.let([], T::Array[Dependabot::Dependency])
+        parsed_deps = T.cast(result["dependencies"] || [], T::Array[T.untyped])
+
+        parsed_deps.each do |dep_info|
+          dep_hash = T.cast(dep_info, T::Hash[String, T.untyped])
+          name = T.cast(dep_hash["name"], String)
+          uuid = T.cast(dep_hash["uuid"], T.nilable(String))
+          requirement_string = T.cast(dep_hash["requirement"] || "*", String)
+          resolved_version = T.cast(dep_hash["resolved_version"], T.nilable(String))
+
+          # Skip Julia version requirement
+          next if name == "julia"
+
+          dependencies << Dependabot::Dependency.new(
+            name: name,
+            version: resolved_version,
+            requirements: [{
+              requirement: requirement_string,
+              file: T.must(project_file).name,
+              groups: ["runtime"],
+              source: nil
+            }],
+            package_manager: "julia",
+            metadata: uuid ? { julia_uuid: uuid } : {}
+          )
+        end
+
+        dependencies
+      end
+
+      # Fallback method using Ruby TOML parsing
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      def fallback_project_file_dependencies
+        dependencies = T.let([], T::Array[Dependabot::Dependency])
+
+        parsed_project = parsed_project_file
+        deps_section = T.cast(parsed_project["deps"] || {}, T::Hash[String, T.untyped])
+        compat_section = T.cast(parsed_project["compat"] || {}, T::Hash[String, T.untyped])
+
+        deps_section.each do |name, _uuid|
+          next if name == "julia" # Skip Julia version requirement
+
+          # Get the version requirement from compat section, default to "*" if not specified
+          requirement_string = T.cast(compat_section[name] || "*", String)
+
+          # Get the exact version from Manifest.toml if available
+          exact_version = version_from_manifest(name)
+
+          dependencies << Dependabot::Dependency.new(
+            name: name,
+            version: exact_version,
+            requirements: [{
+              requirement: requirement_string,
+              file: T.must(project_file).name,
+              groups: ["runtime"],
+              source: nil
+            }],
+            package_manager: "julia"
+          )
+        end
+
+        dependencies
+      end
+
+      sig { params(dependency_name: String).returns(T.nilable(String)) }
+      def version_from_manifest(dependency_name)
+        return nil unless manifest_file
+
+        # Try using DependabotHelper.jl first
+        temp_dir = Dir.mktmpdir("julia_manifest_only")
+        manifest_path = File.join(temp_dir, "Manifest.toml")
+        File.write(manifest_path, T.must(manifest_file).content)
+
+        begin
+          # We need the UUID for the DependabotHelper.jl call, so fallback to Ruby parsing
+          # Note: Future enhancement could add name-only lookup to DependabotHelper.jl
+          fallback_version_from_manifest(dependency_name)
+        ensure
+          FileUtils.rm_rf(temp_dir)
+        end
+      end
+
+      sig { params(dependency_name: String).returns(T.nilable(String)) }
+      def fallback_version_from_manifest(dependency_name)
+        return nil unless manifest_file
+
+        parsed_manifest = parsed_manifest_file
+
+        # Look for the dependency in the manifest
+        deps_section = T.cast(parsed_manifest["deps"], T.nilable(T::Hash[String, T.untyped]))
+        if deps_section && deps_section[dependency_name]
+          # Manifest v2 format
+          dep_entries = deps_section[dependency_name]
+          if dep_entries.is_a?(Array) && dep_entries.first.is_a?(Hash)
+            return T.cast(dep_entries.first["version"], T.nilable(String))
+          end
+        end
+
+        nil
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def project_file
+        @project_file ||= T.let(
+          get_original_file("Project.toml") || get_original_file("JuliaProject.toml"),
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def manifest_file
+        @manifest_file ||= T.let(
+          get_original_file("Manifest.toml") || get_original_file("JuliaManifest.toml"),
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T::Hash[String, T.untyped]) }
+      def parsed_project_file
+        return @parsed_project_file if @parsed_project_file
+
+        parsed_content = T.cast(TomlRB.parse(T.must(project_file).content), T::Hash[String, T.untyped])
+        @parsed_project_file = parsed_content
+        parsed_content
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError => e
+        raise Dependabot::DependencyFileNotParseable, "Error parsing #{T.must(project_file).name}: #{e.message}"
+      end
+
+      sig { returns(T::Hash[String, T.untyped]) }
+      def parsed_manifest_file
+        return {} unless manifest_file
+        return @parsed_manifest_file if @parsed_manifest_file
+
+        parsed_content = T.cast(TomlRB.parse(T.must(manifest_file).content), T::Hash[String, T.untyped])
+        @parsed_manifest_file = parsed_content
+        parsed_content
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError => e
+        raise Dependabot::DependencyFileNotParseable, "Error parsing #{T.must(manifest_file).name}: #{e.message}"
+      end
+
+      sig { override.void }
+      def check_required_files
+        raise "No Project.toml or JuliaProject.toml!" unless project_file
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.register("julia", Dependabot::Julia::FileParser)

data/lib/dependabot/julia/file_updater.rb

@@ -0,0 +1,295 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "toml-rb"
+require "tempfile"
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/julia/registry_client"
+
+module Dependabot
+  module Julia
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
+      sig { returns(T::Array[Regexp]) }
+      def self.updated_files_regex
+        [/(?:Julia)?Project\.toml$/i, /(?:Julia)?Manifest(?:-v[\d.]+)?\.toml$/i]
+      end
+
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_dependency_files
+        updated_files = []
+
+        # Use DependabotHelper.jl for manifest updating
+        if project_file
+          project_path = T.let(nil, T.nilable(String))
+
+          begin
+            project_path = write_temp_project_file
+
+            result = registry_client.update_manifest(
+              project_path: project_path,
+              updates: build_updates_hash
+            )
+
+            if result["error"]
+              # Fallback to Ruby TOML manipulation
+              Dependabot.logger.warn(
+                "DependabotHelper.jl update failed: #{result['error']}, " \
+                "falling back to Ruby updating"
+              )
+              return fallback_updated_dependency_files
+            end
+
+            # Create updated files from DependabotHelper.jl results
+            updated_files = build_updated_files_from_result(result)
+          rescue StandardError => e
+            # Fallback to Ruby TOML manipulation if Julia helper fails
+            Dependabot.logger.warn(
+              "DependabotHelper.jl update failed with exception: #{e.message}, " \
+              "falling back to Ruby updating"
+            )
+            return fallback_updated_dependency_files
+          ensure
+            File.delete(project_path) if project_path && File.exist?(project_path)
+          end
+        end
+
+        raise "No files changed!" if updated_files.empty?
+
+        updated_files
+      end
+
+      # Fallback method using Ruby TOML manipulation
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def fallback_updated_dependency_files
+        updated_files = []
+
+        # Update Project.toml file
+        if project_file && file_changed?(T.must(project_file))
+          updated_files << updated_file(
+            file: T.must(project_file),
+            content: updated_project_content
+          )
+        end
+
+        # Update Manifest.toml file if it exists and dependencies have changed
+        if manifest_file
+          updated_manifest_content = build_updated_manifest_content
+          if updated_manifest_content != T.must(manifest_file).content
+            updated_files << updated_file(
+              file: T.must(manifest_file),
+              content: updated_manifest_content
+            )
+          end
+        end
+
+        raise "No files changed!" if updated_files.empty?
+
+        updated_files
+      end
+
+      private
+
+      sig { returns(T::Hash[String, String]) }
+      def build_updates_hash
+        updates = {}
+        dependencies.each do |dependency|
+          next unless dependency.version
+
+          updates[dependency.name] = dependency.version
+        end
+        updates
+      end
+
+      sig { params(result: T::Hash[String, T.untyped]).returns(T::Array[Dependabot::DependencyFile]) }
+      def build_updated_files_from_result(result)
+        updated_files = T.let([], T::Array[Dependabot::DependencyFile])
+
+        if result["project_content"] && result["project_content"] != T.must(project_file).content
+          updated_files << updated_file(
+            file: T.must(project_file),
+            content: result["project_content"]
+          )
+        end
+
+        if manifest_file && result["manifest_content"] &&
+           result["manifest_content"] != T.must(manifest_file).content
+          updated_files << updated_file(
+            file: T.must(manifest_file),
+            content: result["manifest_content"]
+          )
+        end
+
+        updated_files
+      end
+
+      # Helper methods for DependabotHelper.jl integration
+
+      sig { returns(Dependabot::Julia::RegistryClient) }
+      def registry_client
+        @registry_client ||= T.let(
+          Dependabot::Julia::RegistryClient.new(
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::Julia::RegistryClient)
+        )
+      end
+
+      sig { returns(String) }
+      def write_temp_project_file
+        temp_file = Tempfile.new(["Project", ".toml"])
+        temp_file.write(T.must(project_file).content)
+        temp_file.close
+        T.must(temp_file.path)
+      end
+
+      sig { override.void }
+      def check_required_files
+        return if dependency_files.empty?
+
+        return if dependency_files.any? { |f| f.name.match?(/^(Julia)?Project\.toml$/i) }
+
+        raise Dependabot::DependencyFileNotFound, "No Project.toml or JuliaProject.toml found."
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def project_file
+        @project_file ||= T.let(
+          dependency_files.find do |f|
+            f.name.match?(/^(Julia)?Project\.toml$/i)
+          end,
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def manifest_file
+        @manifest_file ||= T.let(
+          dependency_files.find do |f|
+            f.name.match?(/^(Julia)?Manifest(?:-v[\d.]+)?\.toml$/i)
+          end,
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(String) }
+      def updated_project_content
+        return T.must(T.must(project_file).content) unless project_file
+
+        content = T.must(T.must(project_file).content)
+
+        dependencies.each do |dependency|
+          # Find the new requirement for this dependency
+          new_requirement = dependency.requirements
+                                      .find { |req| T.cast(req[:file], String) == T.must(project_file).name }
+                                      &.fetch(:requirement)
+
+          next unless new_requirement
+
+          content = update_dependency_requirement_in_content(content, dependency.name, new_requirement)
+        end
+
+        content
+      end
+
+      sig { params(content: String, dependency_name: String, new_requirement: String).returns(String) }
+      def update_dependency_requirement_in_content(content, dependency_name, new_requirement)
+        # Pattern to match the dependency in [compat] section
+        # Handles various quote styles and spacing
+        pattern = /(^\s*#{Regexp.escape(dependency_name)}\s*=\s*)(?:"[^"]*"|'[^']*'|[^\s#\n]+)(\s*(?:\#.*)?$)/mx
+
+        if content.match?(pattern)
+          # Replace existing entry
+          content.gsub(pattern, "\\1\"#{new_requirement}\"\\2")
+        else
+          # Add new entry to [compat] section
+          add_compat_entry_to_content(content, dependency_name, new_requirement)
+        end
+      end
+
+      sig { params(content: String, dependency_name: String, requirement: String).returns(String) }
+      def add_compat_entry_to_content(content, dependency_name, requirement)
+        # Find [compat] section or create it
+        if content.match?(/^\s*\[compat\]\s*$/m)
+          # Add to existing [compat] section
+          content.gsub(/(\[compat\]\s*\n)/, "\\1#{dependency_name} = \"#{requirement}\"\n")
+        else
+          # Add new [compat] section at the end
+          content + "\n[compat]\n#{dependency_name} = \"#{requirement}\"\n"
+        end
+      end
+
+      sig { returns(String) }
+      def build_updated_manifest_content
+        return T.must(T.must(manifest_file).content) unless manifest_file
+
+        content = T.must(T.must(manifest_file).content)
+
+        dependencies.each do |dependency|
+          next unless dependency.version
+
+          content = update_dependency_version_in_manifest(content, dependency.name, T.must(dependency.version))
+        end
+
+        content
+      end
+
+      sig { params(content: String, dependency_name: String, new_version: String).returns(String) }
+      def update_dependency_version_in_manifest(content, dependency_name, new_version)
+        # Pattern to find the dependency entry and update its version
+        # Matches the [[deps.DependencyName]] section and updates the version line within it
+        dep_start = /^\[\[deps\.#{Regexp.escape(dependency_name)}\]\]\s*\n(?:.*\n)*?/
+        version_key = /^\s*version\s*=\s*/
+        old_version = /(?:"[^"]*"|'[^']*'|[^\s#\n]+)/
+        trailing = /\s*(?:\#.*)?$/
+        pattern = /(#{dep_start})(#{version_key})#{old_version}(#{trailing})/mx
+
+        if content.match?(pattern)
+          content.gsub(pattern, "\\1\\2\"#{new_version}\"\\3")
+        else
+          # If pattern doesn't match, fall back to original approach
+          Dependabot.logger.warn("Could not find manifest entry for #{dependency_name}, using fallback")
+          fallback_update_manifest_content(content, dependency_name, new_version)
+        end
+      end
+
+      sig { params(content: String, dependency_name: String, new_version: String).returns(String) }
+      def fallback_update_manifest_content(content, dependency_name, new_version)
+        # Fallback to parse-and-dump for complex cases
+        parsed_manifest = T.cast(TomlRB.parse(content), T::Hash[String, T.untyped])
+
+        deps_section = T.cast(parsed_manifest["deps"] || {}, T::Hash[String, T.untyped])
+        if deps_section[dependency_name]
+          dep_entries = deps_section[dependency_name]
+          update_dependency_entries(dep_entries, new_version)
+        end
+
+        T.cast(TomlRB.dump(parsed_manifest), String)
+      end
+
+      sig { params(dependency: Dependabot::Dependency, manifest: T::Hash[String, T.untyped]).void }
+      def update_dependency_in_manifest(dependency, manifest)
+        deps_section = T.cast(manifest["deps"] || {}, T::Hash[String, T.untyped])
+        return unless deps_section[dependency.name]
+
+        dep_entries = deps_section[dependency.name]
+        update_dependency_entries(dep_entries, dependency.version)
+      end
+
+      sig { params(dep_entries: T.untyped, version: T.nilable(String)).void }
+      def update_dependency_entries(dep_entries, version)
+        if dep_entries.is_a?(Array)
+          dep_entries.each do |dep_entry|
+            dep_entry["version"] = version if dep_entry.is_a?(Hash) && dep_entry["uuid"]
+          end
+        elsif dep_entries.is_a?(Hash) && dep_entries["uuid"]
+          dep_entries["version"] = version
+        end
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("julia", Dependabot::Julia::FileUpdater)