dependabot-nuget 0.246.0 → 0.247.0

data/lib/dependabot/nuget/update_checker/repository_finder.rb

@@ -72,6 +72,21 @@ module Dependabot
       end
 
       def build_url_for_details(repo_details)
+        url = repo_details.fetch(:url)
+        url_obj = URI.parse(url)
+        if url_obj.is_a?(URI::HTTP)
+          details = build_url_for_details_remote(repo_details)
+        elsif url_obj.is_a?(URI::File)
+          details = {
+            base_url: url,
+            repository_type: "local"
+          }
+        end
+
+        details
+      end
+
+      def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
         return unless response.status == 200
@@ -205,6 +220,7 @@ module Dependabot
 
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
@@ -223,7 +239,14 @@ module Dependabot
             key = node.attribute("key")&.value&.strip || node.at_xpath("./key")&.content&.strip
             url = node.attribute("value")&.value&.strip || node.at_xpath("./value")&.content&.strip
             url = expand_windows_style_environment_variables(url) if url
-            sources << { url: url, key: key }
+
+            # if the path isn't absolute it's relative to the nuget.config file
+            if url
+              unless url.include?("://") || Pathname.new(url).absolute?
+                url = Pathname(config_file.directory).join(url).to_path
+              end
+              sources << { url: url, key: key }
+            end
           end
         end
 
@@ -246,14 +269,13 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
 
-        sources.select! { |s| s.fetch(:url)&.include?("://") }
-
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
 
         sources
       end
       # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
 

data/lib/dependabot/nuget/update_checker/tfm_finder.rb

@@ -52,13 +52,13 @@ module Dependabot
 
         config_parser = FileParser::PackagesConfigParser.new(packages_config: config_file)
         config_parser.dependency_set.dependencies.any? do |d|
-          d.name.casecmp(dependency.name).zero?
+          d.name.casecmp(dependency.name)&.zero?
         end
       end
 
       def project_file_contains_dependency?(file, dependency)
         project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
-          d.name.casecmp(dependency.name).zero?
+          d.name.casecmp(dependency.name)&.zero?
         end
       end
 

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "dependabot/nuget/version"
@@ -6,11 +6,14 @@ require "dependabot/nuget/requirement"
 require "dependabot/update_checkers/base"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/nuget/nuget_client"
+require "sorbet-runtime"
 
 module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class VersionFinder
+        extend T::Sig
+
         require_relative "compatibility_checker"
         require_relative "repository_finder"
 
@@ -109,13 +112,19 @@ module Dependabot
           )
         end
 
+        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
         def filter_prereleases(possible_versions)
-          possible_versions.reject do |d|
+          filtered = possible_versions.reject do |d|
             version = d.fetch(:version)
             version.prerelease? && !related_to_current_pre?(version)
           end
+          if possible_versions.count > filtered.count
+            Dependabot.logger.info("Filtered out #{possible_versions.count - filtered.count} pre-release versions")
+          end
+          filtered
         end
 
+        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
         def filter_ignored_versions(possible_versions)
           filtered = possible_versions
 
@@ -131,6 +140,10 @@ module Dependabot
             raise AllVersionsIgnored
           end
 
+          if possible_versions.count > filtered.count
+            Dependabot.logger.info("Filtered out #{possible_versions.count - filtered.count} ignored versions")
+          end
+
           filtered
         end
 
@@ -233,8 +246,6 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
 
         def v3_nuget_listings
-          return @v3_nuget_listings unless @v3_nuget_listings.nil?
-
           @v3_nuget_listings ||=
             dependency_urls
             .select { |details| details.fetch(:repository_type) == "v3" }
@@ -247,8 +258,6 @@ module Dependabot
         end
 
         def v2_nuget_listings
-          return @v2_nuget_listings unless @v2_nuget_listings.nil?
-
           @v2_nuget_listings ||=
             dependency_urls
             .select { |details| details.fetch(:repository_type) == "v2" }

data/lib/dependabot/nuget/update_checker.rb

@@ -17,7 +17,8 @@ module Dependabot
         # No need to find latest version for transitive dependencies unless they have a vulnerability.
         return dependency.version if !dependency.top_level? && !vulnerable?
 
-        @latest_version = latest_version_details&.fetch(:version)
+        # if no update sources have the requisite package, then we can only assume that the current version is correct
+        @latest_version = latest_version_details&.fetch(:version) || dependency.version
       end
 
       def latest_resolvable_version
@@ -44,9 +45,8 @@ module Dependabot
       def updated_requirements
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: preferred_resolvable_version_details.fetch(:version)&.to_s,
-          source_details: preferred_resolvable_version_details
-                          &.slice(:nuspec_url, :repo_url, :source_url)
+          latest_version: preferred_resolvable_version_details&.fetch(:version, nil)&.to_s,
+          source_details: preferred_resolvable_version_details&.slice(:nuspec_url, :repo_url, :source_url)
         ).updated_requirements
       end
 

data/lib/dependabot/nuget/version.rb

@@ -17,14 +17,14 @@ module Dependabot
       VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
-      sig { override.params(version: T.nilable(T.any(String, Integer, Float, Gem::Version))).returns(T::Boolean) }
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
       def self.correct?(version)
         return false if version.nil?
 
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
 
-      sig { override.params(version: T.nilable(T.any(String, Integer, Float, Gem::Version))).void }
+      sig { override.params(version: VersionParameter).void }
       def initialize(version)
         version = version.to_s.split("+").first || ""
         @version_string = T.let(version, String)
@@ -32,6 +32,11 @@ module Dependabot
         super
       end
 
+      sig { override.params(version: VersionParameter).returns(Dependabot::Nuget::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Nuget::Version)
+      end
+
       sig { returns(String) }
       def to_s
         @version_string

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.246.0
+  version: 0.247.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-01 00:00:00.000000000 Z
+date: 2024-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.246.0
+        version: 0.247.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.246.0
+        version: 0.247.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -156,6 +156,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.19.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.27.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.27.1
 - !ruby/object:Gem::Dependency
   name: rubocop-sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -371,7 +385,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.246.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.247.0
 post_install_message: 
 rdoc_options: []
 require_paths: