RubyGems - dependabot-maven - Versions diffs - 0.355.0 → 0.356.0 - Mend

dependabot-maven 0.355.0 → 0.356.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/maven/shared/shared_version_finder.rb +117 -0
data/lib/dependabot/maven/update_checker/version_finder.rb +2 -24
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ed3c6bc921b14f4b9c8b5b972eddd908d25ca480169eb1e154f4e469b3d49759
-  data.tar.gz: 91587156337eb764be0168703579558c50a134a6c15ce9e235d9318141bdfef9
+  metadata.gz: 939776aad30eddb24b7f46aba6efaf40a3d2a2283d9b4e7f85dc834324ad8417
+  data.tar.gz: 3c8e2245756dd20c57a9a436f085764e6f3b0640b17dce77d44a1e86b96f12a2
 SHA512:
-  metadata.gz: bda3df043f3c32e84a1f18536d2c7c574e5e2902746d6ba08ffe46fb173b8634ed55ce89b3b82b6e4f40aca248ea1d149612ab4cd3f10de68f5fdee751539249
-  data.tar.gz: 7583568de4499b7c72d1d32a94149ecd0dcfa20573db44e96af07de58b399efe48e783d0079383271f046608d2913cc4cbc4927a3864f7685ec415f719092569
+  metadata.gz: 13d3ce09d720eacd2726597e773beab4c124ade4bc77e166336250dd59332905e149b58285186d8ec64eccfdfd58af9bf3e2cc02c4caac11e49a5b89b501bfcb
+  data.tar.gz: 485059691e0adca6ed1effa6df241abc34a2fffded27dcb5f67f9f8982e46107a8f177581580d0719db9d5de1e172657f0b03b70a72445b212e459ed38d0c7f1

data/lib/dependabot/maven/shared/shared_version_finder.rb ADDED Viewed

@@ -0,0 +1,117 @@
+# typed: strong
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "dependabot/package/package_latest_version_finder"
+module Dependabot
+  module Maven
+    module Shared
+      class SharedVersionFinder < Dependabot::Package::PackageLatestVersionFinder
+        extend T::Sig
+        # Regex to match common Maven release qualifiers that indicate stable releases.
+        # See https://github.com/apache/maven/blob/848fbb4bf2d427b72bdb2471c22fced7ebd9a7a1/maven-artifact/src/main/java/org/apache/maven/artifact/versioning/ComparableVersion.java#L315-L320
+        MAVEN_RELEASE_QUALIFIERS = /
+          ^.+[-._](
+            RELEASE|# Official release
+            FINAL|# Final build
+            GA# General Availability
+          )$
+        /ix
+        # Common Maven pre-release qualifiers.
+        # They often indicate versions that are not yet stable but that are released to the public for testing.
+        # Examples: 1.0.0-RC1, 2.0.0-ALPHA2, 3.1.0-BETA, 4.0.0-DEV5, etc.
+        # See https://maven.apache.org/guides/mini/guide-naming-conventions.html#version-identifier
+        MAVEN_PRE_RELEASE_QUALIFIERS = /
+            [-._]?(
+              # --- Qualifiers that usually REQUIRE a number ---
+              # Examples: "RC1", "BETA2", "M3", "ALPHA-1", "EAP.2"
+              # The number differentiates multiple pre-releases; a version like "1.0.0-RC"
+              (?i)(?:RC|CR|M|MILESTONE|ALPHA|BETA|EA|EAP)(?:[-._]?\d+)?
+              |
+              # --- Qualifiers that do NOT usually have numbers ---
+              DEV|
+              PREVIEW|
+              PRERELEASE|
+              EXPERIMENTAL|
+              UNSTABLE
+            )$
+          /ix
+        MAVEN_SNAPSHOT_QUALIFIER = /-SNAPSHOT$/i
+        sig { params(comparison_version: Dependabot::Version).returns(T::Boolean) }
+        def matches_dependency_version_type?(comparison_version)
+          return true unless dependency.version
+          current_version_string = dependency.version
+          candidate_version_string = comparison_version.to_s
+          current_is_pre_release = current_version_string&.match?(MAVEN_PRE_RELEASE_QUALIFIERS)
+          candidate_is_pre_release = candidate_version_string.match?(MAVEN_PRE_RELEASE_QUALIFIERS)
+          # Pre-releases are only compatible with other pre-releases
+          # When this happens, the suffix does not need to match exactly
+          # This allows transitions between 1.0.0-RC1 and 1.0.0-CR2, for example
+          return true if current_is_pre_release && candidate_is_pre_release
+          current_is_snapshot = current_version_string&.match?(MAVEN_SNAPSHOT_QUALIFIER)
+          # If the current version is a pre-release or a snapshot, allow upgrading to a stable release
+          # This can help move from pre-release to the stable version that supersedes it,
+          # but this should not happen vice versa as a stable release should not be downgraded to a pre-release
+          return true if (current_is_pre_release || current_is_snapshot) && !candidate_is_pre_release
+          current_suffix = extract_version_suffix(current_version_string)
+          candidate_suffix = extract_version_suffix(candidate_version_string)
+          # If both versions share the exact suffix or no suffix, they are compatible
+          current_suffix == candidate_suffix
+        end
+        private
+        # Extracts the qualifier/suffix from a Maven version string.
+        #
+        # Maven versions consist of numeric parts and optional string qualifiers.
+        # This method identifies the suffix by finding the first segment (separated by '.')
+        # that contains a non-digit character.
+        sig { params(version_string: T.nilable(String)).returns(T.nilable(String)) }
+        def extract_version_suffix(version_string)
+          return nil unless version_string
+          # Exclude common Maven release qualifiers that indicate stable releases
+          return nil if version_string.match?(MAVEN_RELEASE_QUALIFIERS)
+          version_string.split(".").each do |part|
+            # Skip fully numeric segments
+            next if part.match?(/\A\d+\z/)
+            # strip leading digits and capture the suffix
+            suffix = part.sub(/\A\d+/, "")
+            # Normalize delimiters to ensure consistent comparison
+            # e.g., "beta-1" and "beta_1" are treated the same
+            suffix = suffix.tr("-", "_")
+            # Ignore purely numeric suffixes (e.g., "-1", "_2")
+            # e.g., "1.0.0-1" or "1.0.0_2" are not considered to have a meaningful suffix
+            return nil if suffix.match?(/^_?\d+$/)
+            # Must contain a hyphen to be considered a valid suffix
+            return suffix if suffix.include?("-") || suffix.include?("_")
+          end
+          nil
+        end
+        sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def package_details
+          raise NotImplementedError, "Subclasses must implement `package_details`"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/maven/update_checker/version_finder.rb CHANGED Viewed

@@ -6,16 +6,15 @@ require "dependabot/package/release_cooldown_options"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/maven/package/package_details_fetcher"
 require "dependabot/maven/update_checker"
+require "dependabot/maven/shared/shared_version_finder"
 require "sorbet-runtime"
 module Dependabot
   module Maven
     class UpdateChecker
-      class VersionFinder < Dependabot::Package::PackageLatestVersionFinder
+      class VersionFinder < Dependabot::Maven::Shared::SharedVersionFinder
         extend T::Sig
-        TYPE_SUFFICES = %w(jre android java native_mt agp).freeze
         sig do
           params(
             dependency: Dependabot::Dependency,
@@ -192,27 +191,6 @@ module Dependabot
           T.must(dependency.numeric_version) >= version_class.new(100)
         end
-        sig { params(comparison_version: Dependabot::Version).returns(T::Boolean) }
-        def matches_dependency_version_type?(comparison_version)
-          return true unless dependency.version
-          current_type = dependency.version
-                                   &.gsub("native-mt", "native_mt")
-                                   &.split(/[.\-]/)
-                                   &.find do |type|
-            TYPE_SUFFICES.find { |s| type.include?(s) }
-          end
-          version_type = comparison_version.to_s
-                                           .gsub("native-mt", "native_mt")
-                                           .split(/[.\-]/)
-                                           .find do |type|
-            TYPE_SUFFICES.find { |s| type.include?(s) }
-          end
-          current_type == version_type
-        end
         sig { returns(T.class_of(Dependabot::Version)) }
         def version_class
           dependency.version_class

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.355.0
+  version: 0.356.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.355.0
+        version: 0.356.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.355.0
+        version: 0.356.0
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -272,6 +272,7 @@ files:
 - lib/dependabot/maven/package_manager.rb
 - lib/dependabot/maven/pom.xml
 - lib/dependabot/maven/requirement.rb
+- lib/dependabot/maven/shared/shared_version_finder.rb
 - lib/dependabot/maven/token_bucket.rb
 - lib/dependabot/maven/update_checker.rb
 - lib/dependabot/maven/update_checker/property_updater.rb
@@ -285,7 +286,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.355.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.356.0
 rdoc_options: []
 require_paths:
 - lib