dependabot-linguist 0.212.1 → 0.303.0

data/README.md

@@ -2,10 +2,16 @@
 Use [linguist](https://github.com/github/linguist) to check the contents of a **local** repository, and then scan for [dependabot-core](https://github.com/dependabot/dependabot-core) ecosystems relevant to those languages! With the list of [ecosystems](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) present in a repository, add a [dependabot.y[a]ml](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) ([configuration file](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)).
 ## Getting Started
 ### [Linguist dependencies](https://github.com/github/linguist#dependencies);
-Before installing this gem, which will install the [github-linguist gem](https://rubygems.org/gems/github-linguist), linguists dependencies should be installed. A number of these are enabling [rugged](https://rubygems.org/gems/rugged), so they can't be "ignored" like [dependabot's setup](https://github.com/dependabot/dependabot-core#setup), which _can_ be ignored for the purpose of **this** gem, which only intends to use the [file fetchers](https://github.com/dependabot/dependabot-core/blob/v0.212.0/common/lib/dependabot/file_fetchers/README.md).
+Before installing this gem, which will install the [github-linguist gem](https://rubygems.org/gems/github-linguist), linguists dependencies should be installed. A number of these are enabling [rugged](https://rubygems.org/gems/rugged), so they can't be "ignored" like [dependabot's setup](https://github.com/dependabot/dependabot-core#setup), which _can_ be ignored for the purpose of **this** gem, which only intends to use the [file fetchers](https://github.com/dependabot/dependabot-core/blob/v0.303.0/common/lib/dependabot/file_fetchers/README.md).
 ```bash
 sudo apt-get install build-essential cmake pkg-config libicu-dev zlib1g-dev libcurl4-openssl-dev libssl-dev ruby-dev
 ```
+### Dependabot dependencies;
+The `npm`/`yarn` module requires [`corepack`](https://www.npmjs.com/package/corepack), so it will be necessary to install, either with npm or yarn. Ensuring you have the _right version_ of `corepack` is important. Your best bet is to ensure you have the latest version.
+```bash
+nvm install 22 && nvm use 22 && npm i -g corepack@latest
+# you'll need to `nvm use 22` to load that node before running this gem
+```
 ### Install _this_
 [To install the latest from RubyGems](https://rubygems.org/gems/dependabot-linguist);
 ```sh
@@ -22,12 +28,12 @@ bundle add dependabot-linguist
 ```
 Or add the following line to your `Gemfile` manually
 ```ruby
-gem "dependabot-linguist", ">= 0.212.0
+gem "dependabot-linguist", ">= 0.303.0
 ```
 [Add the GitHub hosted gem](https://github.com/Skenvy/dependabot-linguist/packages/1704407);
 ```ruby
 source "https://rubygems.pkg.github.com/skenvy" do
-  gem "dependabot-linguist", ">= 0.212.0"
+  gem "dependabot-linguist", ">= 0.303.0"
 end
 ```
 ### Setup external CLIs
@@ -89,11 +95,34 @@ ignore:
 ```
 ## [RDoc generated docs](https://skenvy.github.io/dependabot-linguist/)
 ## Developing
+### Install Ruby
+You will need to install [rvm](https://rvm.io/) and one of its [ruby binaries](https://rvm.io/binaries/).
+
+You'll also need to set the `RVM_DIR` in your shell profile e.g. [like this](https://github.com/Skenvy/dotfiles/blob/1de61272c588a30b634a03a7d304ef51e40c72f1/.bash_login#L17). RVM will set some basic initialisation in your shell profile, but changing what it sets to instead use `RVM_DIR` like this allows you to install it somewhere other than the default.
+
+The `make setup` in [first time setup](#the-first-time-setup) will install the intended development version for you, but it might not be a precompiled binary, depending on your OS and architecture ~ if it isn't precompiled, contributing your time in compiling to [publish the binary for rvm](https://github.com/rvm/rvm/issues/4921) is probably more worth your time than this lol.
+
+RVM is locally how we manage proctoring the ruby environment. It is not on the [github runners](https://github.com/actions/runner-images), so the make invocations in the workflows set the RVM proctors empty. If you want to manage your own ruby installs you can set `_=''` on each `make ...`.
+
+You should also read the requirements for the gems this uses, see [Linguist dependencies](#linguist-dependencies) and [Dependabot dependencies](#dependabot-dependencies). `Linguist`'s can be acquired with `make preinit` done once. 
+### Install Corepack
+[Dependabot dependencies](#dependabot-dependencies) are managed in this project via [`nvm`](https://github.com/nvm-sh/nvm), so `corepack` can be loaded into every subshell the `Makefile` spawns. If you don't want to install `nvm` but would rather manage your own `corepack` install, set `__=''` on each `make ...`.
+
+For the currently targetted version of `dependabot` that this is using, the existing reference versions of `corepack` are;
+* [bun/Dockerfile](https://github.com/dependabot/dependabot-core/blob/v0.303.0/bun/Dockerfile#L4)
+* [npm_and_yarn/Dockerfile](https://github.com/dependabot/dependabot-core/blob/v0.303.0/npm_and_yarn/Dockerfile#L4)
+
+Both currently (as of writing) set their `corepack` version to `0.31.0`. However, it's possible for the changes in versions in `corepack` to outstrip the rate of changes of this gem, so don't rely on _this_ to determine what the most suitable version of `corepack` is.
+
+> [!CAUTION]
+> `make setup` / `initialise` / `initialise_corepack` will install to your _global_ `node`. If you're using the recommended `nvm` then each `node` install can be treated eseentially ephemeral. If you aren't using `nvm`, this might hijack your global `corepack` install.
 ### The first time setup
+If you have `rvm` and `nvm` installed and you have `apt`, you should be able to;
 ```sh
-git clone https://github.com/Skenvy/dependabot-linguist.git && cd dependabot-linguist && make setup
+git clone https://github.com/Skenvy/dependabot-linguist.git && cd dependabot-linguist && make preinit && make setup
 ```
 ### Iterative development
 The majority of `make` recipes for this are just wrapping a `bundle` invocation of `rake`.
 * `make docs` will recreate the RDoc docs
-* `make test` will run both the RSpec tests and the RuboCop linter.
+* `make test` will run the RSpec tests.
+* `make lint` will run the RuboCop linter.

data/SECURITY.md

@@ -1,9 +1,11 @@
 # Security Policy
 ## Supported Versions
 The `<major>.<minor>.*` versions of this are pinned to the **supported** `<major>.<minor>.*` versions of the gems that are published by the [dependabot-core](https://github.com/dependabot/dependabot-core) repository, centric to the [dependabot-common](https://rubygems.org/gems/dependabot-common) gem, with any required patches applied to each supported minor version.
-* Initially this will support version `0.212.0`, centric to [dependabot-common@0.212.0](https://rubygems.org/gems/dependabot-common/versions/0.212.0)
+* Support version `0.212.0`, centric to [dependabot-common@0.212.0](https://rubygems.org/gems/dependabot-common/versions/0.212.0)
     * This is because this is the last version to support a Ruby version of `2.7.0`.
+* Support version `0.217.0`, centric to [dependabot-common@0.217.0](https://rubygems.org/gems/dependabot-common/versions/0.217.0)
+* Version `0.303.0` is a partial update to [dependabot-common@0.303.0](https://rubygems.org/gems/dependabot-common/versions/0.303.0)
 
-Bugs present in any supported pinned version may be patched and contribute to successive patch versions. If a bug exists in an older version and no longer exists in a newer version, it is suggested to update to the newer version.
+Bugs present in only the most recent pinned minor version may be patched and contribute to successive patch versions. If a bug exists in an older version and no longer exists in a newer version, it is suggested to update to the newer version. As the underlying package this wraps, dependabot[-omnibus], is a live service, it makes sense for this to only roll forward.
 ## Reporting a Vulnerability
 Raise a [Security Vulnerability](https://github.com/Skenvy/dependabot-linguist/issues/new?assignees=&labels=security&template=security-vulnerability.yaml) issue.

data/dependabot-linguist.gemspec

@@ -12,9 +12,12 @@ Gem::Specification.new do |spec|
   spec.description = "Use linguist to check the contents of a repository,
   and then scan for dependabot-core ecosystems relevant to those languages!"
   spec.homepage = "https://skenvy.github.io/dependabot-linguist"
-  spec.required_ruby_version = ">= 2.7.0"
+  # https://github.com/dependabot/dependabot-core/blob/v0.303.0/common/dependabot-common.gemspec#L23-L24
+  spec.required_ruby_version = ">= 3.1.0"
+  spec.required_rubygems_version = ">= 3.3.7"
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = "https://github.com/Skenvy/dependabot-linguist/tree/main/"
+  spec.metadata["github_repo"] = "https://github.com/Skenvy/dependabot-linguist"
 
   spec.require_paths = ["lib"]
   spec.files = Dir.chdir(__dir__) do
@@ -25,17 +28,24 @@ Gem::Specification.new do |spec|
   spec.bindir = "exe"
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
 
-  spec.add_dependency "rugged", "~> 1.5.0"
-  spec.add_dependency "github-linguist", "7.23.0"
+  spec.add_dependency "rugged", "1.9.0"
+  spec.add_dependency "github-linguist", "9.0.0"
   # All ecosystem gems from https://rubygems.org/profiles/dependabot can be
-  # required via https://rubygems.org/gems/dependabot-omnibus/versions/0.212.0
+  # required via https://rubygems.org/gems/dependabot-omnibus/versions/0.303.0
   # which will include all dependencies of omnibus (16 ecosystems and common).
-  # https://github.com/dependabot/dependabot-core/blob/v0.212.0/omnibus/dependabot-omnibus.gemspec#L24-L40
-  spec.add_dependency "dependabot-omnibus", "0.212.0"
+  # https://github.com/dependabot/dependabot-core/blob/v0.303.0/omnibus/dependabot-omnibus.gemspec#L29-L52
+  spec.add_dependency "dependabot-omnibus", "0.303.0"
+  # We can't update from this json version without getting some weird
+  # uninitialized constant Dependabot::FileFetchers::Base::OpenStruct
+  # ~= https://github.com/ruby/json/compare/v2.7.1...v2.7.2 but idk
+  # But also dependabot-* >= 0.238.0 introduce requiring json < 2.7
+  spec.add_dependency "json", "2.6.3"
+  # stringio (>= 0) leads to ambiguous spec so lock it too.
+  spec.add_dependency "stringio", "3.1.5"
 
-  # spec.add_development_dependency "aruba", "~> 2.1" # TODO
-  spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "rdoc", "~> 6.0"
-  spec.add_development_dependency "rspec", "~> 3.12"
-  spec.add_development_dependency "rubocop", "~> 1.37"
+  spec.add_development_dependency "aruba", "~> 2.3"
+  spec.add_development_dependency "rake", "~> 13.2"
+  spec.add_development_dependency "rdoc", "~> 6.12"
+  spec.add_development_dependency "rspec", "~> 3.13"
+  spec.add_development_dependency "rubocop", "~> 1.73"
 end

data/exe/dependabot-linguist

@@ -12,7 +12,7 @@ require "yaml"
 $VERBOSE = previous_verbose
 
 VERSION = ::Dependabot::Linguist::VERSION
-BANNER = <<~BANNER
+BANNER = <<~BANNER.freeze
 Dependabot Linguist v#{VERSION}
 Detect dependabot ecosystems present for a given git repository, based off using
 linguist to determine the files present, that could be relevant to an ecosystem,

data/lib/dependabot/linguist/dependabot_file_validator.rb

@@ -202,7 +202,9 @@ module Dependabot
       end
 
       def write_new_config
-        File.open("#{@repo.path.delete_suffix("/.git/")}/#{dependabot_file_path}", "w") { |file| file.write(new_config.to_yaml) } if new_config != existing_config
+        full_file_path = "#{@repo.path.delete_suffix("/.git/")}/#{dependabot_file_path}"
+        FileUtils.mkdir_p File.dirname(full_file_path)
+        File.open(full_file_path, "w") { |file| file.write(new_config.to_yaml) } if new_config != existing_config
       end
 
       # The expected environment to run this final step in should have 'git' AND

data/lib/dependabot/linguist/dependabot_patch.rb

@@ -1,8 +1,20 @@
 # frozen_string_literal: true
 
+#########################################################################################
+# _____                            _       _           _     _____      _       _       #
+# |  __ \                          | |     | |         | |   |  __ \    | |     | |     #
+# | |  | | ___ _ __   ___ _ __   __| | __ _| |__   ___ | |_  | |__) |_ _| |_ ___| |__   #
+# | |  | |/ _ \ '_ \ / _ \ '_ \ / _` |/ _` | '_ \ / _ \| __| |  ___/ _` | __/ __| '_ \  #
+# | |__| |  __/ |_) |  __/ | | | (_| | (_| | |_) | (_) | |_  | |  | (_| | || (__| | | | #
+# |_____/ \___| .__/ \___|_| |_|\__,_|\__,_|_.__/ \___/ \__| |_|   \__,_|\__\___|_| |_| #
+#             | |                                                                       #
+#             |_|                                                                       #
+#########################################################################################
+
 # Direct the requiring of the files that patch dependabot via this.
-# https://github.com/dependabot/dependabot-core/tree/v0.212.0
+# The current target version for dependabot is 0.303.0
+# https://github.com/dependabot/dependabot-core/tree/v0.303.0
 
-require_relative "file_fetchers/base"
+require_relative "file_fetchers/bundler"
 require_relative "file_fetchers/go_modules"
 require_relative "file_fetchers/git_submodules"

data/lib/dependabot/linguist/file_fetchers/bundler.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+#########################################################################################
+# _____                            _       _           _     _____      _       _       #
+# |  __ \                          | |     | |         | |   |  __ \    | |     | |     #
+# | |  | | ___ _ __   ___ _ __   __| | __ _| |__   ___ | |_  | |__) |_ _| |_ ___| |__   #
+# | |  | |/ _ \ '_ \ / _ \ '_ \ / _` |/ _` | '_ \ / _ \| __| |  ___/ _` | __/ __| '_ \  #
+# | |__| |  __/ |_) |  __/ | | | (_| | (_| | |_) | (_) | |_  | |  | (_| | || (__| | | | #
+# |_____/ \___| .__/ \___|_| |_|\__,_|\__,_|_.__/ \___/ \__| |_|   \__,_|\__\___|_| |_| #
+#             | |                                                                       #
+#             |_|                                                                       #
+#########################################################################################
+
+# Patches Dependabot::GitSubmodules::FileFetcher.path_gemspec_paths
+
+# To fix https://github.com/Skenvy/dependabot-linguist/issues/6 we need to patch
+# ::Dependabot::Bundler::FileFetcher::fetch_path_gemspec_paths to stop it throwing
+# a Bundler::GemfileNotFound error, thrown from assuming that ::Bundler::root will
+# be run at the location the Gemfile.lock, and thus the Gemfile, exist. Currently
+# ::Bundler::LockfileParser::initialize during fetch_path_gemspec_paths will go;
+# ::Bundler::LockfileParser::parse_source, ::Bundler::Source::Rubygems::from_lock,
+# ::Bundler::Source::Rubygems::initialize, ::Bundler::Source::Rubygems::cache_path,
+# ::Bundler::app_cache, ::Bundler::root, ::Bundler::SharedHelpers::root, before
+# landing at ::Bundler::SharedHelpers::find_gemfile where it can read from ENV
+# `ENV["BUNDLE_GEMFILE"]`, or fail to locate an adjacent "Gemfile".
+
+# See https://github.com/CloutKhan/dependabot-bundler error demo for more details.
+
+# Instead of having the entire fetch_path_gemspec_paths in here, we can just wrap
+# the only place it's used, inside path_gemspec_paths -- with setting the ENV.
+
+require "dependabot/errors"
+require "dependabot/bundler"
+
+# rubocop:disable Style/Documentation
+
+module Dependabot
+  module Bundler
+    class FileFetcher
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/bundler/lib/dependabot/bundler/file_fetcher.rb#L162-L165
+      def path_gemspec_paths
+        swap_bundle_gemfile = ENV.fetch("BUNDLE_GEMFILE", nil)
+        repo_dir_gemfile = "#{@repo_contents_path}#{source.directory}/Gemfile"
+        ENV["BUNDLE_GEMFILE"] = repo_dir_gemfile
+        raise(Dependabot::DependencyFileNotFound, Pathname.new(File.join(directory, "Gemfile")).cleanpath.to_path) unless File.exist?(repo_dir_gemfile)
+        result = fetch_path_gemspec_paths.map { |path| Pathname.new(path) }
+        ENV["BUNDLE_GEMFILE"] = swap_bundle_gemfile
+        result
+      end
+    end
+  end
+end
+
+# rubocop:enable Style/Documentation

data/lib/dependabot/linguist/file_fetchers/git_submodules.rb

@@ -12,8 +12,6 @@
 #########################################################################################
 
 # Patches Dependabot::GitSubmodules::FileFetcher.(fetch_files, gitmodules_file)
-# https://github.com/dependabot/dependabot-core/blob/v0.212.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L21-L26
-# https://github.com/dependabot/dependabot-core/blob/v0.212.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L28-L30
 
 # This patches out the network calls that might fail if you've used a private
 # repo as a submodule. It still validates the `.gitmodules` exists. If you ARE
@@ -21,9 +19,11 @@
 # "Allowing Dependabot to access private dependencies" at the below link
 # https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-dependencies
 
-# required_files_in? only asserts the presence of a `.gitmodules` file if the
-# submodule referenced is private, then the network calls in `submodule_refs`
-# might break the runner. If Dependabot::FileFetchers::Base.load_cloned_file_if_present
+# Dependabot::GitSubmodules::FileFetcher::required_files_in? only asserts the
+# presence of a `.gitmodules` file if the submodule referenced is private, then
+# the network calls in `submodule_refs` might break the runner.
+
+# If Dependabot::FileFetchers::Base.load_cloned_file_if_present
 # can't see the file, it'll `raise Dependabot::DependencyFileNotFound`, which
 # will make Dependabot::FileFetchers::Base.fetch_file_if_present `return` which
 # will add nil to the list of fetched_files -- i.e.
@@ -36,9 +36,9 @@
 # So we need to be more cautious with this and check it first.
 
 # Dependabot::FileFetchers::Base.load_cloned_file_if_present
-# https://github.com/dependabot/dependabot-core/blob/v0.212.0/common/lib/dependabot/file_fetchers/base.rb#L117-L137
+# https://github.com/dependabot/dependabot-core/blob/v0.303.0/common/lib/dependabot/file_fetchers/base.rb#L218-L240
 # Dependabot::FileFetchers::Base.fetch_file_if_present
-# https://github.com/dependabot/dependabot-core/blob/v0.212.0/common/lib/dependabot/file_fetchers/base.rb#L93-L115
+# https://github.com/dependabot/dependabot-core/blob/v0.303.0/common/lib/dependabot/file_fetchers/base.rb#L194-L216
 
 require "dependabot/errors"
 require "dependabot/git_submodules"
@@ -48,11 +48,13 @@ require "dependabot/git_submodules"
 module Dependabot
   module GitSubmodules
     class FileFetcher
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L26-L32
       def fetch_files
         raise(Dependabot::DependencyFileNotFound, Pathname.new(File.join(directory, ".gitmodules")).cleanpath.to_path) if gitmodules_file.nil?
         [gitmodules_file]
       end
 
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L36-L43
       def gitmodules_file
         @gitmodules_file ||= fetch_file_if_present(".gitmodules")
       end

data/lib/dependabot/linguist/file_fetchers/go_modules.rb

@@ -12,9 +12,8 @@
 #########################################################################################
 
 # Patches Dependabot::GoModules::FileFetcher.fetch_files
-# https://github.com/dependabot/dependabot-core/blob/v0.212.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L19-L41
 
-# Patch to remove the online requirement for fetching go modules
+# Patched to remove the online requirement for fetching go modules
 
 # See the git_submodule patch for a comment explaining the reorder pattern,
 # due to `go_mod` being acquired via `fetch_file_if_present` and hitting
@@ -28,6 +27,7 @@ require "dependabot/go_modules"
 module Dependabot
   module GoModules
     class FileFetcher
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L33-L46
       def fetch_files
         raise(Dependabot::DependencyFileNotFound, Pathname.new(File.join(directory, "go.mod")).cleanpath.to_path) if go_mod.nil?
         fetched_files = [go_mod]

data/lib/dependabot/linguist/language.rb

@@ -11,26 +11,29 @@
 #                 |___/                                             #
 #####################################################################
 
-# Patches the class Linguist::Language to selectively "ungroup"
-# and change the type of "languages" to a detectable type.
-# https://github.com/github/linguist/blob/v7.23.0/lib/linguist/language.rb
-
-# Patch https://github.com/github/linguist/blob/v7.23.0/lib/linguist/blob_helper.rb#L220
-# Need to remove the "(^|/)\.gitmodules$" string (plus one of the adjacent "|") as we
-# can't rely on the gitmodules to be unvendored in a `.gitattributes` and patching
-# https://github.com/github/linguist/blob/v7.23.0/lib/linguist/lazy_blob.rb#L35-L38 or
-# https://github.com/github/linguist/blob/v7.23.0/lib/linguist/lazy_blob.rb#L56-L62
-# would be too cumbersome. It also seems easier than duplicating the vendor patterns
-# from https://github.com/github/linguist/blob/v7.23.0/lib/linguist/vendor.yml
-# See https://ruby-doc.org/core-2.7.0/Regexp.html
-# We also need to remove the "(^|/)\.github/" string (plus one of the adjacent "|"),
-# to capture yaml files under .github/workflows/*.yaml
+# Patches the class Linguist::Language to selectively "ungroup" and
+# change the type of "languages" to a detectable type. This patches
+# the class with new functions, so there are no links to the "orig".
+
+# Patch Linguist::BlobHelper::VendoredRegexp. Need to remove the
+# "(^|/)\.gitmodules$" string (plus one of the adjacent "|") as we
+# can't rely on the gitmodules to be unvendored in a `.gitattributes`.
+# Need to remove the "(^|/)\.github/" string (plus the adjacent "|"),
+# to capture yaml files under `.github/workflows/*.yaml`
+# See https://ruby-doc.org/core-3.1.0/Regexp.html
+
+# Patching either Linguist::LazyBlob::git_attributes or
+# Linguist::LazyBlob::vendored? would be too cumbersome.
+# It also seems easier than duplicating the vendor patterns from
+# https://github.com/github/linguist/blob/v9.0.0/lib/linguist/vendor.yml
 
 require "linguist"
 
 # rubocop:disable Style/Documentation
 
 module Linguist
+  # https://github.com/github/linguist/blob/v9.0.0/lib/linguist/language.rb
+
   class Language
     def ungroup_language
       @group_name = self.name
@@ -55,6 +58,7 @@ module Linguist
   end
 
   module BlobHelper
+    # https://github.com/github/linguist/blob/v9.0.0/lib/linguist/blob_helper.rb#L220
     VendoredRegexp = Regexp.new(VendoredRegexp.source.gsub("(^|/)\\.gitmodules$|", "").gsub("|(^|/)\\.github/", ""))
   end
 end

data/lib/dependabot/linguist/languages_to_ecosystems/contexts.rb

@@ -8,7 +8,7 @@
 # as it's source directory is not the directory it is valid to "fetch" from.
 
 # For a list of "linguist languages", see
-# https://github.com/github/linguist/blob/v7.23.0/lib/linguist/languages.yml
+# https://github.com/github/linguist/blob/v9.0.0/lib/linguist/languages.yml
 
 require_relative "manager_ecosystem_maps"
 
@@ -23,6 +23,7 @@ module Dependabot
       # is derived from inspecting the rules the file fetcher class actually
       # uses itself to determine if it can "fetch files" for a directory.
       # Possibly also based on the `def self.required_files_message` message.
+      # Or alternatively the `def self.required_files_in?`, the actual check!
       FETCH_FILES = "def fetch_files"
       # PRIMARY_LANGUAGES implies that the language should be the main or only
       # languages that that package manager could be used for, and the presence
@@ -60,7 +61,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::BUNDLER][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/bundler/lib/dependabot/bundler/file_fetcher.rb#L22-L24
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/bundler/lib/dependabot/bundler/file_fetcher.rb#L22-L32
       "Gemfile.lock", # Gemfile.lock
       "Ruby" # Gemfile or .gemspec
     ]
@@ -69,7 +70,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::CARGO][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/cargo/lib/dependabot/cargo/file_fetcher.rb#L19-L21
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/cargo/lib/dependabot/cargo/file_fetcher.rb#L20-L26
       "TOML" # Cargo.toml and Cargo.lock
     ]
     CONTEXT_RULES[PackageManagers::CARGO][ContextRule::PRIMARY_LANGUAGES] = ["Rust"]
@@ -77,7 +78,8 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::COMPOSER][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/composer/lib/dependabot/composer/file_fetcher.rb#L16-L18
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/composer/lib/dependabot/composer/file_fetcher.rb#L18-L24
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/composer/lib/dependabot/composer/package_manager.rb#L16
       "JSON" # composer.json and composer.lock
     ]
     CONTEXT_RULES[PackageManagers::COMPOSER][ContextRule::PRIMARY_LANGUAGES] = ["PHP"]
@@ -85,7 +87,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::DOCKER][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/docker/lib/dependabot/docker/file_fetcher.rb#L17-L19
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/docker/lib/dependabot/docker/file_fetcher.rb#L19-L28
       "Dockerfile", # Dockerfile
       "YAML" # .yaml, if kubernetes option is set
     ]
@@ -94,7 +96,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::HEX][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/hex/lib/dependabot/hex/file_fetcher.rb#L20-L22
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/hex/lib/dependabot/hex/file_fetcher.rb#L20-L28
       "Elixir" # mix.lock and mix.exs by extension
     ]
     CONTEXT_RULES[PackageManagers::HEX][ContextRule::PRIMARY_LANGUAGES] = ["Elixir"]
@@ -102,7 +104,8 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::ELM_PACKAGE][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/elm/lib/dependabot/elm/file_fetcher.rb#L13-L15
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/elm/lib/dependabot/elm/file_fetcher.rb#L14-L22
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/elm/lib/dependabot/elm/package_manager.rb#L14
       "JSON" # elm-package.json or an elm.json, only seeks via .json extension though.
     ]
     CONTEXT_RULES[PackageManagers::ELM_PACKAGE][ContextRule::PRIMARY_LANGUAGES] = ["Elm"]
@@ -110,7 +113,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::GIT_SUBMODULE][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L15-L17
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L16-L24
       "Git Config" # ".gitmodules"
     ]
     CONTEXT_RULES[PackageManagers::GIT_SUBMODULE][ContextRule::PRIMARY_LANGUAGES] = []
@@ -118,7 +121,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::GITHUB_ACTIONS][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/github_actions/lib/dependabot/github_actions/file_fetcher.rb#L15-L17
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/github_actions/lib/dependabot/github_actions/file_fetcher.rb#L16-L24
       # "YAML", but this is handled without linguist
     ]
     CONTEXT_RULES[PackageManagers::GITHUB_ACTIONS][ContextRule::PRIMARY_LANGUAGES] = []
@@ -126,7 +129,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::GO_MODULES][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L13-L15
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L14-L22
       "Go Checksums", # go.sum
       "Go Module" # go.mod
     ]
@@ -134,7 +137,7 @@ module Dependabot
     CONTEXT_RULES[PackageManagers::GO_MODULES][ContextRule::RELEVANT_LANGUAGES] = []
 
     CONTEXT_RULES[PackageManagers::GRADLE][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/gradle/lib/dependabot/gradle/file_fetcher.rb#L23-L25
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/gradle/lib/dependabot/gradle/file_fetcher.rb#L44-L54
       "Gradle", # for any `.gradle` file
       "Kotlin" # for any `.kts` file"
     ]
@@ -144,7 +147,7 @@ module Dependabot
     ]
 
     CONTEXT_RULES[PackageManagers::MAVEN][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/maven/lib/dependabot/maven/file_fetcher.rb#L17-L19
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/maven/lib/dependabot/maven/file_fetcher.rb#L19-L27
       "Maven POM" # for `pom.xml` files
     ]
     CONTEXT_RULES[PackageManagers::MAVEN][ContextRule::PRIMARY_LANGUAGES] = []
@@ -154,7 +157,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::NPM][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb#L36-L51
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb#L35-L43
       "JSON", # "package.json" or "package-lock.json" or "npm-shrinkwrap.json" but only by extension
       "NPM Config" # ".npmrc"
     ]
@@ -163,7 +166,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::NUGET][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/nuget/lib/dependabot/nuget/file_fetcher.rb#L20-L22
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/nuget/lib/dependabot/nuget/file_fetcher.rb#L17-L25
       "XML" # .csproj, .vbproj and .fsproj
       # Nothing looks for a packages.config
     ]
@@ -172,8 +175,9 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::PIP][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/python/lib/dependabot/python/file_fetcher.rb#L26-L46
       # Besides the other pip related package managers, there is no language for `requirements` files. RIP.
+      "Pip Requirements", # Added in https://github.com/github-linguist/linguist/pull/6739 to specifically match what this pkg mngr is about
       "Text" # for `.txt`
     ]
     CONTEXT_RULES[PackageManagers::PIP][ContextRule::PRIMARY_LANGUAGES] = ["Python"]
@@ -181,7 +185,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::PIPENV][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/python/lib/dependabot/python/file_fetcher.rb#L26-L46
       "JSON", # Pipfile.lock
       "TOML" # Pipfile
     ]
@@ -190,7 +194,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::PIP_COMPILE][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/python/lib/dependabot/python/file_fetcher.rb#L26-L46
       # Already captured by the other pip related package manager paths
     ]
     CONTEXT_RULES[PackageManagers::PIP_COMPILE][ContextRule::PRIMARY_LANGUAGES] = ["Python"]
@@ -198,7 +202,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::POETRY][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/python/lib/dependabot/python/file_fetcher.rb#L26-L46
       # pyproject.lock has none and setup.py is vague.
       "TOML" # poetry.lock and pyproject.toml by extension
     ]
@@ -207,7 +211,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::PUB][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/pub/lib/dependabot/pub/file_fetcher.rb#L15-L17
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/pub/lib/dependabot/pub/file_fetcher.rb#L16-L24
       "YAML" # pubspec.yaml, but only by extension.
     ]
     CONTEXT_RULES[PackageManagers::PUB][ContextRule::PRIMARY_LANGUAGES] = ["Dart"]
@@ -215,7 +219,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::TERRAFORM][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/terraform/lib/dependabot/terraform/file_fetcher.rb#L19-L21
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/terraform/lib/dependabot/terraform/file_fetcher.rb#L21-L29
       "HCL" # .tf and .hcl
     ]
     CONTEXT_RULES[PackageManagers::TERRAFORM][ContextRule::PRIMARY_LANGUAGES] = []
@@ -223,7 +227,7 @@ module Dependabot
 
     ##
     CONTEXT_RULES[PackageManagers::YARN][ContextRule::FETCH_FILES] = [
-      # https://github.com/dependabot/dependabot-core/blob/v0.212.0/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb#L36-L51
+      # https://github.com/dependabot/dependabot-core/blob/v0.303.0/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb#L35-L43
       "YAML" # yarn.lock
     ]
     CONTEXT_RULES[PackageManagers::YARN][ContextRule::PRIMARY_LANGUAGES] = ["JavaScript", "TypeScript"]

data/lib/dependabot/linguist/languages_to_ecosystems/contexts_applied.rb

@@ -21,7 +21,7 @@ module Dependabot
     LANGUAGE_TO_PACKAGE_MANAGER = languages.to_h { |name, _| [name, nil] }.tap do |this|
       # Now apply the context rules to "this"
       CONTEXT_RULES.each do |package_manager, context_map|
-        context_map.each do |_context_rule, linguist_languages|
+        context_map.each_value do |linguist_languages|
           linguist_languages.each do |linguist_language|
             if this[linguist_language].nil?
               this[linguist_language] = [package_manager]