dependabot-julia 0.356.0 → 0.357.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '084f4d34864ffbbedb588562ce527fce084f36a5e5ad4f59eba5ac8af0b43aa6'
-  data.tar.gz: e0c2782c41d890ad0c25890646cb8090b8d7b2b519dd1a2077baaaef772e4544
+  metadata.gz: 76fe4785dc95ee847322f2673a67df374eb0d2eebf5a740b966f1c487e2e6375
+  data.tar.gz: 174617969c5b36d6aa341f23c310c125794a095a61e3f7de457a874542a8dfb5
 SHA512:
-  metadata.gz: 6a3eed4abae611010acce9afa1442dcf53d524817b9aa2fa4702be1287faee6bd673d874d92641a5a5cd95ff9280d3909ee9d57ffc6d15c3f5016aa04eaf8dfe
-  data.tar.gz: 3d0e3301b92a9d106c7e7c64437e872fc2adcf27307a35ea09a4739686865d74efa3772fee516228fc2ca52b30de926f73de9577a5f580f80af0f0ee70636601
+  metadata.gz: 6240ebc3636af1e5b52bf4c18090800555593aa8be82aa4a567f6b4802eec283d103618d135a08ee8b62b695e182f7d245dd8d367c93c7120a5060fb7ec03fa9
+  data.tar.gz: df44056fe3096eabd8ba8ff3ce42445cf7c1a68d8f2c3b795c58c12fa0dc7386cc460613033f2598c63463ffa1668ce75c4ade3b7d5357bf3e39212c1d120bc6

data/lib/dependabot/julia/file_fetcher.rb

@@ -32,33 +32,55 @@ module Dependabot
 
       sig { params(temp_dir: T.any(Pathname, String)).returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_files_using_julia_helper(temp_dir)
-        # Use Julia helper to identify the correct environment files
-        env_files = registry_client.find_environment_files(temp_dir.to_s)
+        workspace_info = registry_client.find_workspace_project_files(temp_dir.to_s)
+        validate_workspace_info!(workspace_info)
 
-        if env_files.empty? || !env_files["project_file"]
-          raise Dependabot::DependencyFileNotFound, "No Project.toml or JuliaProject.toml found."
-        end
+        project_files = T.cast(workspace_info["project_files"], T::Array[String])
+        manifest_path = T.cast(workspace_info["manifest_file"], String)
 
-        fetched_files = []
+        fetched_files = fetch_all_project_files(project_files, temp_dir.to_s)
+        raise Dependabot::DependencyFileNotFound, "No Project.toml or JuliaProject.toml found." if fetched_files.empty?
 
-        # Fetch the project file identified by Julia helper
-        project_path = T.must(env_files["project_file"])
-        project_filename = File.basename(project_path)
-        fetched_files << fetch_file_from_host(project_filename)
+        fetch_manifest_file(fetched_files, manifest_path, project_files, temp_dir.to_s)
+        fetched_files
+      end
 
-        # Fetch the manifest file if Julia helper found one
-        manifest_path = env_files["manifest_file"]
-        if manifest_path && !manifest_path.empty?
-          # Calculate relative path from project to manifest
-          project_dir = File.dirname(project_path)
-          manifest_relative = Pathname.new(manifest_path).relative_path_from(Pathname.new(project_dir)).to_s
+      sig { params(workspace_info: T::Hash[String, T.untyped]).void }
+      def validate_workspace_info!(workspace_info)
+        error_value = T.cast(workspace_info["error"], T.nilable(String))
+        has_error = !error_value.nil?
+        project_files = T.cast(workspace_info["project_files"], T.nilable(T::Array[String]))
+        no_projects = project_files.nil? || project_files.empty?
+        return unless has_error || no_projects
+
+        raise Dependabot::DependencyFileNotFound, "No Project.toml or JuliaProject.toml found."
+      end
 
-          # Fetch manifest (handles workspace cases where manifest is in parent directory)
-          manifest_file = fetch_file_if_present(manifest_relative)
-          fetched_files << manifest_file if manifest_file
+      sig { params(project_files: T::Array[String], base_dir: String).returns(T::Array[Dependabot::DependencyFile]) }
+      def fetch_all_project_files(project_files, base_dir)
+        project_files.filter_map do |project_path|
+          project_relative = Pathname.new(project_path).relative_path_from(Pathname.new(base_dir)).to_s
+          fetch_file_if_present(project_relative)
         end
+      end
 
-        fetched_files
+      sig do
+        params(
+          fetched_files: T::Array[Dependabot::DependencyFile],
+          manifest_path: String,
+          project_files: T::Array[String],
+          base_dir: String
+        ).void
+      end
+      def fetch_manifest_file(fetched_files, manifest_path, project_files, base_dir)
+        return if manifest_path.empty? || !File.exist?(manifest_path)
+
+        primary_project_path = project_files.find { |p| File.dirname(p) == base_dir } || project_files.first
+        primary_project_dir = File.dirname(T.must(primary_project_path))
+        manifest_relative = Pathname.new(manifest_path).relative_path_from(Pathname.new(primary_project_dir)).to_s
+
+        manifest_file = fetch_file_if_present(manifest_relative)
+        fetched_files << manifest_file if manifest_file
       end
 
       sig { returns(Dependabot::Julia::RegistryClient) }

data/lib/dependabot/julia/file_parser.rb

@@ -39,7 +39,6 @@ module Dependabot
         super
         @registry_client = T.let(nil, T.nilable(Dependabot::Julia::RegistryClient))
         @custom_registries = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
-        @temp_dir = T.let(nil, T.nilable(String))
       end
 
       sig { override.returns(T::Array[Dependabot::Dependency]) }
@@ -101,94 +100,107 @@ module Dependabot
         end
       end
 
-      sig { returns(String) }
-      def write_temp_project_file
-        @temp_dir ||= Dir.mktmpdir("julia_project")
-        project_path = File.join(@temp_dir, T.must(project_file).name)
-        File.write(project_path, T.must(project_file).content)
-        project_path
-      end
-
       sig { returns(T::Array[Dependabot::Dependency]) }
       def project_file_dependencies
-        dependencies = T.let([], T::Array[Dependabot::Dependency])
-        return dependencies unless project_file
-
-        # Use DependabotHelper.jl for project parsing
-        project_path = write_temp_project_file
+        dependencies_map = T.let({}, T::Hash[String, Dependabot::Dependency])
 
-        begin
-          result = registry_client.parse_project(project_path: project_path)
-
-          raise Dependabot::DependencyFileNotParseable, result["error"] if result["error"]
-
-          # Convert DependabotHelper.jl result to Dependabot::Dependency objects
-          dependencies = build_dependencies_from_julia_result(result)
-        ensure
-          # Cleanup temporary directory
-          FileUtils.rm_rf(@temp_dir) if @temp_dir && File.exist?(@temp_dir)
+        # Parse all project files in the workspace
+        all_project_files.each do |proj_file|
+          parse_single_project_file(proj_file, dependencies_map)
         end
 
-        dependencies
+        dependencies_map.values
       end
 
-      sig { params(result: T::Hash[String, T.untyped]).returns(T::Array[Dependabot::Dependency]) }
-      def build_dependencies_from_julia_result(result)
-        dependencies = T.let([], T::Array[Dependabot::Dependency])
+      sig { params(proj_file: Dependabot::DependencyFile, dependencies_map: T::Hash[String, Dependabot::Dependency]).void }
+      def parse_single_project_file(proj_file, dependencies_map)
+        temp_dir = Dir.mktmpdir("julia_project")
+        project_path = File.join(temp_dir, proj_file.name)
+        FileUtils.mkdir_p(File.dirname(project_path))
+        File.write(project_path, proj_file.content)
 
-        # Process dependencies and weak dependencies (matching CompatHelper.jl behavior)
-        # Note: We don't process dev_dependencies/extras to match CompatHelper.jl
-        parsed_deps = T.cast(result["dependencies"] || [], T::Array[T.untyped])
-        dependencies.concat(build_dependencies_from_dep_list(parsed_deps, ["deps"]))
+        begin
+          result = registry_client.parse_project(project_path: project_path)
+
+          return if result["error"]
 
-        parsed_weak_deps = T.cast(result["weak_dependencies"] || [], T::Array[T.untyped])
-        dependencies.concat(build_dependencies_from_dep_list(parsed_weak_deps, ["weakdeps"]))
+          # Process dependencies
+          parsed_deps = T.cast(result["dependencies"] || [], T::Array[T.untyped])
+          merge_dependencies_from_list(parsed_deps, ["deps"], proj_file.name, dependencies_map)
 
-        dependencies
+          # Process weak dependencies
+          parsed_weak_deps = T.cast(result["weak_dependencies"] || [], T::Array[T.untyped])
+          merge_dependencies_from_list(parsed_weak_deps, ["weakdeps"], proj_file.name, dependencies_map)
+        ensure
+          FileUtils.rm_rf(temp_dir)
+        end
       end
 
       sig do
         params(
           dep_list: T::Array[T.untyped],
-          groups: T::Array[String]
-        ).returns(T::Array[Dependabot::Dependency])
+          groups: T::Array[String],
+          file_name: String,
+          dependencies_map: T::Hash[String, Dependabot::Dependency]
+        ).void
       end
-      def build_dependencies_from_dep_list(dep_list, groups)
-        dep_list.filter_map do |dep_info|
+      def merge_dependencies_from_list(dep_list, groups, file_name, dependencies_map)
+        dep_list.each do |dep_info|
           dep_hash = T.cast(dep_info, T::Hash[String, T.untyped])
           name = T.cast(dep_hash["name"], String)
           next if name == "julia" # Skip Julia version requirement
 
           uuid = T.cast(dep_hash["uuid"], T.nilable(String))
-          # NOTE: Missing "requirement" means no compat entry (any version acceptable)
           requirement_string = T.cast(dep_hash["requirement"], T.nilable(String))
 
-          Dependabot::Dependency.new(
-            name: name,
-            version: nil, # Julia dependencies don't use locked versions
-            requirements: [{
-              requirement: requirement_string,
-              file: T.must(project_file).name,
-              groups: groups,
-              source: nil
-            }],
-            package_manager: "julia",
-            metadata: uuid ? { julia_uuid: uuid } : {}
-          )
+          new_requirement = {
+            requirement: requirement_string,
+            file: file_name,
+            groups: groups,
+            source: nil
+          }
+
+          if dependencies_map.key?(name)
+            # Merge requirements from additional project files
+            existing_dep = T.must(dependencies_map[name])
+            existing_requirements = existing_dep.requirements.dup
+            existing_requirements << new_requirement
+            dependencies_map[name] = Dependabot::Dependency.new(
+              name: name,
+              version: nil,
+              requirements: existing_requirements,
+              package_manager: "julia",
+              metadata: existing_dep.metadata
+            )
+          else
+            # Create new dependency
+            dependencies_map[name] = Dependabot::Dependency.new(
+              name: name,
+              version: nil,
+              requirements: [new_requirement],
+              package_manager: "julia",
+              metadata: uuid ? { julia_uuid: uuid } : {}
+            )
+          end
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def all_project_files
+        dependency_files.select { |f| f.name.match?(/Project\.toml$/i) }
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def project_file
         @project_file ||= T.let(
-          get_original_file("Project.toml") || get_original_file("JuliaProject.toml"),
+          all_project_files.first || get_original_file("Project.toml") || get_original_file("JuliaProject.toml"),
           T.nilable(Dependabot::DependencyFile)
         )
       end
 
       sig { override.void }
       def check_required_files
-        raise "No Project.toml or JuliaProject.toml!" unless project_file
+        raise "No Project.toml or JuliaProject.toml!" if all_project_files.empty?
       end
     end
   end

data/lib/dependabot/julia/file_updater.rb

@@ -52,19 +52,19 @@ module Dependabot
         updated_files = []
 
         SharedHelpers.in_a_temporary_repo_directory(T.must(dependency_files.first).directory, repo_contents_path) do
-          updated_project = updated_project_content
+          # Update all project files (main + workspace members)
+          updated_project_files = update_all_project_files
           actual_manifest = find_manifest_file
 
-          return project_only_update(updated_project) if actual_manifest.nil?
+          return all_projects_only_update(updated_project_files) if actual_manifest.nil?
 
-          # Work directly in the repo directory - no need for another temp directory
-          # This ensures all workspace packages are accessible to Julia's Pkg
-          write_temporary_files(updated_project, actual_manifest)
+          # Write all updated project files to disk for Julia's Pkg
+          write_all_temporary_files(updated_project_files, actual_manifest)
           result = call_julia_helper
 
-          return handle_julia_helper_error(result, actual_manifest, updated_project) if result["error"]
+          return handle_julia_helper_error_multi(result, actual_manifest, updated_project_files) if result["error"]
 
-          build_updated_files(updated_files, updated_project, actual_manifest, result)
+          build_updated_files_multi(updated_files, updated_project_files, actual_manifest, result)
         end
 
         raise "No files changed!" if updated_files.empty?
@@ -72,22 +72,68 @@ module Dependabot
         updated_files
       end
 
-      sig { params(updated_project: String).returns(T::Array[Dependabot::DependencyFile]) }
-      def project_only_update(updated_project)
-        [updated_file(file: T.must(project_file), content: updated_project)]
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def update_all_project_files
+        all_project_files.map do |proj_file|
+          {
+            file: proj_file,
+            content: updated_project_content_for_file(proj_file)
+          }
+        end
+      end
+
+      sig { params(proj_file: Dependabot::DependencyFile).returns(String) }
+      def updated_project_content_for_file(proj_file)
+        content = T.must(proj_file.content)
+
+        dependencies.each do |dependency|
+          # Find the new requirement for this dependency in this file
+          new_requirement = dependency.requirements
+                                      .find { |req| T.cast(req[:file], String) == proj_file.name }
+                                      &.fetch(:requirement)
+
+          next unless new_requirement
+
+          content = update_dependency_requirement_in_content(content, dependency.name, new_requirement)
+        end
+
+        content
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def all_project_files
+        dependency_files.select { |f| f.name.match?(/Project\.toml$/i) }
+      end
+
+      sig { params(updated_project_files: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Array[Dependabot::DependencyFile]) }
+      def all_projects_only_update(updated_project_files)
+        updated_project_files.filter_map do |update_info|
+          file = T.cast(update_info[:file], Dependabot::DependencyFile)
+          content = T.cast(update_info[:content], String)
+          next if content == file.content
+
+          updated_file(file: file, content: content)
+        end
       end
 
       sig do
         params(
-          updated_project: String,
+          updated_project_files: T::Array[T::Hash[Symbol, T.untyped]],
           actual_manifest: Dependabot::DependencyFile
         ).void
       end
-      def write_temporary_files(updated_project, actual_manifest)
-        File.write(T.must(project_file).name, updated_project)
+      def write_all_temporary_files(updated_project_files, actual_manifest)
+        # Write all updated project files
+        updated_project_files.each do |update_info|
+          file = T.cast(update_info[:file], Dependabot::DependencyFile)
+          content = T.cast(update_info[:content], String)
+
+          file_path = file.name
+          FileUtils.mkdir_p(File.dirname(file_path)) if file_path.include?("/")
+          File.write(file_path, content)
+        end
 
-        # Preserve relative paths (e.g., ../Manifest.toml for workspace packages)
-        # so Julia's Pkg can find and update the correct shared manifest
+        # Write manifest file
         manifest_path = actual_manifest.name
         FileUtils.mkdir_p(File.dirname(manifest_path)) if manifest_path.include?("/")
         File.write(manifest_path, actual_manifest.content)
@@ -105,10 +151,10 @@ module Dependabot
         params(
           result: T::Hash[String, T.untyped],
           actual_manifest: Dependabot::DependencyFile,
-          updated_project: String
+          updated_project_files: T::Array[T::Hash[Symbol, T.untyped]]
         ).returns(T::Array[Dependabot::DependencyFile])
       end
-      def handle_julia_helper_error(result, actual_manifest, updated_project)
+      def handle_julia_helper_error_multi(result, actual_manifest, updated_project_files)
         error_message = result["error"]
         manifest_path = actual_manifest.name
 
@@ -117,8 +163,8 @@ module Dependabot
 
         add_manifest_update_notice(manifest_path, error_message)
 
-        # Return only the updated Project.toml
-        [updated_file(file: T.must(project_file), content: updated_project)]
+        # Return all updated Project.toml files
+        all_projects_only_update(updated_project_files)
       end
 
       sig { params(error_message: String).returns(T::Boolean) }
@@ -156,13 +202,20 @@ module Dependabot
       sig do
         params(
           updated_files: T::Array[Dependabot::DependencyFile],
-          updated_project: String,
+          updated_project_files: T::Array[T::Hash[Symbol, T.untyped]],
           actual_manifest: Dependabot::DependencyFile,
           result: T::Hash[String, T.untyped]
         ).void
       end
-      def build_updated_files(updated_files, updated_project, actual_manifest, result)
-        updated_files << updated_file(file: T.must(project_file), content: updated_project)
+      def build_updated_files_multi(updated_files, updated_project_files, actual_manifest, result)
+        # Add all updated project files
+        updated_project_files.each do |update_info|
+          file = T.cast(update_info[:file], Dependabot::DependencyFile)
+          content = T.cast(update_info[:content], String)
+          next if content == file.content
+
+          updated_files << updated_file(file: file, content: content)
+        end
 
         return unless result["manifest_content"]
 
@@ -275,26 +328,6 @@ module Dependabot
         )
       end
 
-      sig { returns(String) }
-      def updated_project_content
-        return T.must(T.must(project_file).content) unless project_file
-
-        content = T.must(T.must(project_file).content)
-
-        dependencies.each do |dependency|
-          # Find the new requirement for this dependency
-          new_requirement = dependency.requirements
-                                      .find { |req| T.cast(req[:file], String) == T.must(project_file).name }
-                                      &.fetch(:requirement)
-
-          next unless new_requirement
-
-          content = update_dependency_requirement_in_content(content, dependency.name, new_requirement)
-        end
-
-        content
-      end
-
       sig { params(content: String, dependency_name: String, new_requirement: String).returns(String) }
       def update_dependency_requirement_in_content(content, dependency_name, new_requirement)
         # Extract the [compat] section to update it specifically

data/lib/dependabot/julia/registry_client.rb

@@ -129,6 +129,25 @@ module Dependabot
         {}
       end
 
+      sig { params(directory: String).returns(T::Hash[String, T.untyped]) }
+      def find_workspace_project_files(directory)
+        result = call_julia_helper(
+          function: "find_workspace_project_files",
+          args: { directory: directory }
+        )
+
+        return { "error" => result["error"] } if result["error"]
+
+        {
+          "project_files" => result["project_files"] || [],
+          "manifest_file" => result["manifest_file"] || "",
+          "workspace_root" => result["workspace_root"] || ""
+        }
+      rescue StandardError => e
+        Dependabot.logger.warn("Failed to find workspace project files in #{directory}: #{e.message}")
+        { "error" => e.message }
+      end
+
       sig do
         params(
           manifest_path: String,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-julia
 version: !ruby/object:Gem::Version
-  version: 0.356.0
+  version: 0.357.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.356.0
+        version: 0.357.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.356.0
+        version: 0.357.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -261,7 +261,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.356.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.357.0
 rdoc_options: []
 require_paths:
 - lib
@@ -276,7 +276,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.3.7
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Provides Dependabot support for Julia
 test_files: []