dependabot-julia 0.342.2

data/lib/dependabot/julia/metadata_finder.rb

@@ -0,0 +1,99 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/registry_client"
+require "dependabot/julia/registry_client"
+require "uri" # Required for URI.parse
+require "toml-rb" # Required for TOML parsing
+
+module Dependabot
+  module Julia
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
+
+      # The public source_url method is inherited from Base.
+      # We need to implement look_up_source as a private method.
+
+      private
+
+      sig { override.returns(T.nilable(Dependabot::Source)) }
+      def look_up_source
+        # Only use authoritative sources from Julia helper or dependency files
+        url_string = source_url_from_julia_helper ||
+                     source_url_from_dependency_files
+
+        return nil unless url_string
+
+        parse_source_url(url_string)
+      end
+
+      sig { returns(T.nilable(String)) }
+      def source_url_from_julia_helper
+        uuid = T.cast(dependency.metadata[:julia_uuid], T.nilable(String))
+        result = registry_client.find_package_source_url(dependency.name, uuid)
+        error = T.cast(result["error"], T.nilable(T.any(String, T::Boolean)))
+        return nil if error
+
+        T.cast(result["source_url"], T.nilable(String))
+      rescue StandardError => e
+        Dependabot.logger.warn("Failed to get source URL from Julia helper: #{e.message}")
+        nil
+      end
+
+      sig { returns(Dependabot::Julia::RegistryClient) }
+      def registry_client
+        @registry_client ||= T.let(
+          Dependabot::Julia::RegistryClient.new(
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::Julia::RegistryClient)
+        )
+      end
+
+      sig { params(url_string: String).returns(T.nilable(Dependabot::Source)) }
+      def parse_source_url(url_string)
+        uri = URI.parse(url_string)
+        hostname = uri.host
+        return nil unless hostname
+
+        # Extract repository path and clean it
+        path = T.must(uri.path).delete_prefix("/").delete_suffix(".git")
+        path_parts = path.split("/")
+        return nil if path_parts.length < 2
+
+        repo = "#{path_parts[0]}/#{path_parts[1]}"
+
+        # Determine the provider based on hostname
+        provider = case hostname
+                   when "github.com" then "github"
+                   when "gitlab.com" then "gitlab"
+                   when /\A.*\.gitlab\.io\z/ then "gitlab"
+                   else
+                     Dependabot.logger.info("Unknown SCM provider for #{hostname}, using generic")
+                     return nil # Return nil for unknown providers
+                   end
+
+        Dependabot::Source.new(
+          provider: provider,
+          repo: repo
+        )
+      rescue URI::InvalidURIError => e
+        Dependabot.logger.error("Invalid URI for dependency #{dependency.name}: #{url_string} - #{e.message}")
+        nil
+      end
+
+      sig { returns(T.nilable(String)) }
+      def source_url_from_dependency_files
+        # MetadataFinder doesn't have access to dependency_files
+        # This would typically be handled by FileParser or other components
+        # For now, we'll skip this strategy and rely on the Julia helper
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.register("julia", Dependabot::Julia::MetadataFinder)

data/lib/dependabot/julia/package/package_details_fetcher.rb

@@ -0,0 +1,129 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "time"
+require "dependabot/julia/registry_client"
+require "dependabot/julia/version"
+require "dependabot/package/package_release"
+require "dependabot/package/package_language"
+
+module Dependabot
+  module Julia
+    module Package
+      class PackageDetailsFetcher
+        extend T::Sig
+
+        PACKAGE_LANGUAGE = "julia"
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential],
+            custom_registries: T::Array[T::Hash[Symbol, String]]
+          ).void
+        end
+        def initialize(dependency:, credentials:, custom_registries: [])
+          @dependency = dependency
+          @credentials = credentials
+          @custom_registries = custom_registries
+        end
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(T::Array[T::Hash[Symbol, String]]) }
+        attr_reader :custom_registries
+
+        sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
+        def fetch_package_releases
+          releases = T.let([], T::Array[Dependabot::Package::PackageRelease])
+
+          begin
+            registry_client = RegistryClient.new(
+              credentials: credentials,
+              custom_registries: custom_registries
+            )
+            uuid = T.cast(dependency.metadata[:julia_uuid], T.nilable(String))
+
+            # Fetch all available versions
+            available_versions = registry_client.fetch_available_versions(dependency.name, uuid)
+            return releases if available_versions.empty?
+
+            releases = build_releases_for_versions(registry_client, available_versions, uuid)
+            mark_latest_release(releases)
+
+            releases
+          rescue StandardError => e
+            Dependabot.logger.error("Error while fetching package releases for #{dependency.name}: #{e.message}")
+            releases
+          end
+        end
+
+        private
+
+        sig do
+          params(
+            registry_client: RegistryClient,
+            available_versions: T::Array[String],
+            uuid: T.nilable(String)
+          ).returns(T::Array[Dependabot::Package::PackageRelease])
+        end
+        def build_releases_for_versions(registry_client, available_versions, uuid)
+          releases = T.let([], T::Array[Dependabot::Package::PackageRelease])
+
+          available_versions.each do |version_string|
+            version = Julia::Version.new(version_string)
+            release_date = fetch_release_date_safely(registry_client, version_string, uuid)
+
+            releases << create_package_release(version, release_date)
+          end
+
+          releases
+        end
+
+        sig do
+          params(
+            registry_client: RegistryClient,
+            version_string: String,
+            uuid: T.nilable(String)
+          ).returns(T.nilable(Time))
+        end
+        def fetch_release_date_safely(registry_client, version_string, uuid)
+          registry_client.fetch_version_release_date(dependency.name, version_string, uuid)
+        rescue StandardError => e
+          Dependabot.logger.warn(
+            "Failed to fetch release info for #{dependency.name} version #{version_string}: #{e.message}"
+          )
+          nil
+        end
+
+        sig do
+          params(
+            version: Julia::Version,
+            release_date: T.nilable(Time)
+          ).returns(Dependabot::Package::PackageRelease)
+        end
+        def create_package_release(version, release_date)
+          Dependabot::Package::PackageRelease.new(
+            version: version,
+            released_at: release_date,
+            latest: false, # Will be determined later
+            yanked: false, # Julia registries don't support yanked packages
+            language: Dependabot::Package::PackageLanguage.new(name: PACKAGE_LANGUAGE)
+          )
+        end
+
+        sig { params(releases: T::Array[Dependabot::Package::PackageRelease]).void }
+        def mark_latest_release(releases)
+          return if releases.empty?
+
+          latest_release = releases.max_by(&:version)
+          latest_release&.instance_variable_set(:@latest, true)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/julia/package_manager.rb

@@ -0,0 +1,71 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/ecosystem"
+require "dependabot/shared_helpers"
+require "dependabot/version"
+
+module Dependabot
+  module Julia
+    class PackageManager < Ecosystem::VersionManager
+      extend T::Sig
+
+      PACKAGE_MANAGER_COMMAND = T.let("julia", String)
+      # Julia versions as of June 2025:
+      # - 1.10 is the LTS (Long Term Support) version
+      # - 1.11 is the current stable version
+      # Update these constants when new LTS or major versions are released
+      MINIMUM_VERSION = T.let("1.10", String) # LTS version
+      CURRENT_VERSION = T.let("1.11", String) # Current stable version
+
+      sig { returns(T.nilable(String)) }
+      def self.detected_version
+        # Try to detect Julia version by executing `julia --version`
+        output = T.let(
+          Dependabot::SharedHelpers.run_shell_command("julia --version"),
+          String
+        )
+
+        # Parse output like "julia version 1.10.0" or "julia version 1.6.7"
+        version_match = output.match(/julia version (\d+\.\d+(?:\.\d+)?)/)
+        return version_match[1] if version_match
+
+        # If we can't parse the version, log and fallback
+        Dependabot.logger.warn("Could not parse Julia version from output: #{output}")
+        MINIMUM_VERSION
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+        Dependabot.logger.info("Julia not found or failed to execute: #{e.message}")
+        MINIMUM_VERSION
+      rescue StandardError => e
+        Dependabot.logger.error("Error detecting Julia version: #{e.message}")
+        MINIMUM_VERSION
+      end
+
+      sig { void }
+      def initialize
+        detected_ver_str = self.class.detected_version
+        # detected_version always returns a string (either detected or MINIMUM_VERSION fallback),
+        # so we can safely use T.must here
+        super(
+          name: "julia",
+          detected_version: Dependabot::Version.new(T.must(detected_ver_str)),
+          version: Dependabot::Version.new(T.must(detected_ver_str)),
+          supported_versions: [
+            Dependabot::Version.new(MINIMUM_VERSION),
+            Dependabot::Version.new(CURRENT_VERSION)
+          ],
+          deprecated_versions: []
+        )
+      end
+
+      sig { returns(T::Hash[T.untyped, T.untyped]) }
+      def ecosystem
+        {
+          package_manager: "julia",
+          version: version # This will use the potentially configured version
+        }
+      end
+    end
+  end
+end

data/lib/dependabot/julia/registry_client.rb

@@ -0,0 +1,340 @@
+# Julia Registry Client with DependabotHelper.jl integration
+# typed: strict
+# frozen_string_literal: true
+
+require "time"
+require "dependabot/credential"
+require "dependabot/julia/version"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module Julia
+    class RegistryClient
+      extend T::Sig
+
+      sig do
+        params(credentials: T::Array[Dependabot::Credential], custom_registries: T::Array[T::Hash[Symbol, String]]).void
+      end
+      def initialize(credentials:, custom_registries: [])
+        @credentials = credentials
+        @custom_registries = custom_registries
+      end
+
+      sig { params(package_name: String, package_uuid: T.nilable(String)).returns(T.nilable(Gem::Version)) }
+      def fetch_latest_version(package_name, package_uuid = nil)
+        # Use custom registries if available
+        return fetch_latest_version_with_custom_registries(package_name, package_uuid) if custom_registries.any?
+
+        args = { package_name: package_name }
+        args[:package_uuid] = package_uuid if package_uuid
+
+        result = call_julia_helper(
+          function: "get_latest_version",
+          args: args
+        )
+
+        # Check if the result itself contains an error (package not found)
+        return nil if result["error"]
+
+        # Extract version from the result structure
+        # The Julia helper returns version directly in the result
+        return nil unless result["version"]
+
+        Gem::Version.new(result["version"])
+      rescue StandardError => e
+        Dependabot.logger.warn(
+          "Failed to fetch latest version for #{package_name}: #{e.message}"
+        )
+        nil
+      end
+
+      sig { params(package_name: String, package_uuid: T.nilable(String)).returns(T.nilable(Gem::Version)) }
+      def fetch_latest_version_with_custom_registries(package_name, package_uuid = nil)
+        args = {
+          package_name: package_name,
+          package_uuid: package_uuid || "",
+          registry_urls: custom_registry_urls
+        }
+
+        result = call_julia_helper(
+          function: "get_latest_version_with_custom_registries",
+          args: args
+        )
+
+        # Check if the result itself contains an error (package not found)
+        return nil if result["error"]
+
+        # Extract version from the result structure
+        return nil unless result["version"]
+
+        Gem::Version.new(result["version"])
+      rescue StandardError => e
+        Dependabot.logger.warn(
+          "Failed to fetch latest version with custom registries for #{package_name}: #{e.message}"
+        )
+        nil
+      end
+
+      sig { params(package_name: String, package_uuid: String).returns(T.nilable(T::Hash[String, T.untyped])) }
+      def fetch_package_metadata(package_name, package_uuid)
+        call_julia_helper(
+          function: "get_package_metadata",
+          args: { package_name: package_name, package_uuid: package_uuid }
+        )
+      rescue StandardError => e
+        Dependabot.logger.warn("Failed to fetch metadata for #{package_name}: #{e.message}")
+        nil
+      end
+
+      sig do
+        params(
+          project_path: String,
+          package_name: String,
+          target_version: String
+        ).returns(T::Hash[String, T.untyped])
+      end
+      def check_update_compatibility(project_path, package_name, target_version)
+        call_julia_helper(
+          function: "check_update_compatibility",
+          args: {
+            project_path: project_path,
+            package_name: package_name,
+            target_version: target_version
+          }
+        )
+      end
+
+      sig do
+        params(
+          project_path: String,
+          manifest_path: T.nilable(String)
+        ).returns(T::Hash[String, T.untyped])
+      end
+      def parse_project(project_path:, manifest_path: nil)
+        args = { project_path: project_path }
+        args[:manifest_path] = manifest_path if manifest_path
+
+        call_julia_helper(
+          function: "parse_project",
+          args: args
+        )
+      end
+
+      sig { params(manifest_path: String).returns(T::Hash[String, T.untyped]) }
+      def parse_manifest(manifest_path)
+        call_julia_helper(
+          function: "parse_manifest",
+          args: { manifest_path: manifest_path }
+        )
+      end
+
+      sig do
+        params(
+          manifest_path: String,
+          name: String,
+          uuid: String
+        ).returns(T.nilable(String))
+      end
+      def get_version_from_manifest(manifest_path, name, uuid)
+        result = call_julia_helper(
+          function: "get_version_from_manifest",
+          args: {
+            manifest_path: manifest_path,
+            name: name,
+            uuid: uuid
+          }
+        )
+
+        result["version"] unless result["error"]
+      end
+
+      sig { params(package_name: String, package_uuid: T.nilable(String)).returns(T::Hash[String, T.untyped]) }
+      def find_package_source_url(package_name, package_uuid = nil)
+        args = { package_name: package_name }
+        args[:package_uuid] = package_uuid if package_uuid
+
+        call_julia_helper(
+          function: "find_package_source_url",
+          args: args
+        )
+      end
+
+      sig do
+        params(
+          package_name: String,
+          source_url: String
+        ).returns(T::Hash[String, T.untyped])
+      end
+      def extract_package_metadata_from_url(package_name, source_url)
+        call_julia_helper(
+          function: "extract_package_metadata_from_url",
+          args: {
+            package_name: package_name,
+            source_url: source_url
+          }
+        )
+      end
+
+      sig do
+        params(
+          project_path: String,
+          updates: T::Hash[String, String]
+        ).returns(T::Hash[String, T.untyped])
+      end
+      def update_manifest(project_path:, updates:)
+        call_julia_helper(
+          function: "update_manifest",
+          args: {
+            project_path: project_path,
+            updates: updates
+          }
+        )
+      end
+
+      sig { params(package_name: String, version: String, package_uuid: T.nilable(String)).returns(T.nilable(Time)) }
+      def fetch_version_release_date(package_name, version, package_uuid = nil)
+        result = call_julia_helper(
+          function: "get_version_release_date",
+          args: {
+            package_name: package_name,
+            version: version,
+            package_uuid: package_uuid
+          }
+        )
+
+        # Check if the result contains an error
+        return nil if result["error"]
+
+        # Parse the release date if available
+        return nil unless result["release_date"]
+
+        Time.parse(result["release_date"])
+      rescue StandardError => e
+        Dependabot.logger.warn("Failed to fetch release date for #{package_name} v#{version}: #{e.message}")
+        nil
+      end
+
+      sig { params(package_name: String, package_uuid: T.nilable(String)).returns(T::Array[String]) }
+      def fetch_available_versions(package_name, package_uuid = nil)
+        # Use custom registries if available
+        return fetch_available_versions_with_custom_registries(package_name, package_uuid) if custom_registries.any?
+
+        args = { package_name: package_name }
+        args[:package_uuid] = package_uuid if package_uuid
+
+        result = call_julia_helper(
+          function: "get_available_versions",
+          args: args
+        )
+
+        # Check if the result contains an error
+        return [] if result["error"]
+
+        # Extract versions array from the result
+        versions = result["versions"]
+        return [] unless versions.is_a?(Array)
+
+        versions.map(&:to_s)
+      rescue StandardError => e
+        Dependabot.logger.warn("Failed to fetch available versions for #{package_name}: #{e.message}")
+        []
+      end
+
+      sig { params(package_name: String, package_uuid: T.nilable(String)).returns(T::Array[String]) }
+      def fetch_available_versions_with_custom_registries(package_name, package_uuid = nil)
+        args = {
+          package_name: package_name,
+          package_uuid: package_uuid || "",
+          registry_urls: custom_registry_urls
+        }
+
+        result = call_julia_helper(
+          function: "get_available_versions_with_custom_registries",
+          args: args
+        )
+
+        # Check if the result contains an error
+        return [] if result["error"]
+
+        # Extract versions array from the result
+        versions = result["versions"]
+        return [] unless versions.is_a?(Array)
+
+        versions.map(&:to_s)
+      rescue StandardError => e
+        Dependabot.logger.warn(
+          "Failed to fetch available versions with custom registries for #{package_name}: #{e.message}"
+        )
+        []
+      end
+
+      private
+
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
+      attr_reader :custom_registries
+
+      sig { returns(T::Array[String]) }
+      def custom_registry_urls
+        custom_registries.filter_map { |reg| reg[:url] }
+      end
+
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+
+      sig do
+        params(
+          function: String,
+          args: T::Hash[Symbol, T.untyped]
+        ).returns(T::Hash[String, T.untyped])
+      end
+      def call_julia_helper(function:, args:)
+        # Use the main julia helpers directory as project (contains Project.toml with DependabotHelper in [sources])
+        julia_project_dir = File.dirname(julia_helper_script)
+        julia_command = "julia --project=#{julia_project_dir} #{julia_helper_script}"
+
+        SharedHelpers.run_helper_subprocess(
+          command: julia_command,
+          function: function,
+          args: args,
+          env: julia_env,
+          allow_unsafe_shell_command: true
+        )
+      end
+
+      sig { returns(String) }
+      def julia_helper_script
+        # Use environment variable if available, otherwise fall back to relative path
+        helpers_path = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
+        if helpers_path
+          File.join(helpers_path, "julia", "run_dependabot_helper.jl")
+        else
+          # Fallback for development/test environments
+          File.join(__dir__, "..", "..", "..", "helpers", "run_dependabot_helper.jl")
+        end
+      end
+
+      sig { returns(T::Hash[String, String]) }
+      def julia_env
+        env = {}
+
+        if ENV["DEPENDABOT_NATIVE_HELPERS_PATH"]
+          # In production/CI, use the shared depot where packages were precompiled
+          user_depot = File.join(ENV.fetch("HOME", "/home/dependabot"), ".julia")
+          # Trailing : is intentional. It automatically includes the bundled stdlibs
+          env["JULIA_DEPOT_PATH"] = "#{user_depot}:"
+        end
+        # In development use the default Julia depot
+
+        # Add Julia-specific environment variables for registry authentication
+        julia_credentials = credentials.select { |c| c["type"] == "julia_registry" }
+        julia_credentials.each_with_index do |cred, index|
+          env["JULIA_PKG_SERVER_REGISTRY_PREFERENCE_#{index}"] = cred.fetch("url")
+          env["JULIA_PKG_SERVER_#{index}_TOKEN"] = cred.fetch("token") if cred["token"]
+        end
+
+        env
+      end
+    end
+  end
+end