dependabot-pre_commit 0.362.0 → 0.364.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4218be0a0ac564f79fe6b570a86323967d5fa38924801f1260e9e314dacf72bd
-  data.tar.gz: 11184797fefef083921b31eef2b74ca04a27e70ddf0e3f48cc7819554a8c2c56
+  metadata.gz: d1bd3f81f06b4e86d4139cf07b731129092edf1f86f4febc799cefb7d67fd03e
+  data.tar.gz: 1fa2859dd9dafc4b09ab7718de4b59d2cff583c5991c5439644b40fb2c4a88c8
 SHA512:
-  metadata.gz: 6963ef88985b49c16264d24f11b0da7857673a8c40c166bbb0b0d4fa8a03163a0b3422b1b13b5a0ba869413ca688b95f6654410fc460ff82959bde6d52aa0ab7
-  data.tar.gz: adcecfc80611486b0446a56cc6a95d011b1213e4266aff09b9bd0623fff26c1e87f513726449c8f4e7a34a3f1919cf1ba98a2e9f604696dc0f4cb5335b176e8b
+  metadata.gz: e3c7c74f6e6565ca5ecf32734d4a9d7af200e8acaabec1856abb839815b5d26360375c915104a7b4c484abf0333e68685029ad5b793ab43da0179893f5088507
+  data.tar.gz: e1f3f69285a2cf37e1072ae5216693f51d764c48ef2de33dda2d669943900e41f085e4ec6a8529f761a11fedb58a2c82867a2ef9ab67fdb2b80c47942931203e

data/lib/dependabot/pre_commit/additional_dependency_checkers/dart.rb

@@ -0,0 +1,175 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/dependency"
+require "dependabot/update_checkers"
+require "dependabot/pub/version"
+require "dependabot/pre_commit/additional_dependency_checkers"
+require "dependabot/pre_commit/additional_dependency_checkers/base"
+
+module Dependabot
+  module PreCommit
+    module AdditionalDependencyCheckers
+      class Dart < Base
+        extend T::Sig
+
+        sig { override.returns(T.nilable(String)) }
+        def latest_version
+          return nil unless package_name
+
+          @latest_version ||= T.let(
+            fetch_latest_version_via_pub_checker,
+            T.nilable(String)
+          )
+        end
+
+        sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def updated_requirements(latest_version)
+          requirements.map do |original_req|
+            original_source = original_req[:source]
+            next original_req unless original_source.is_a?(Hash)
+            next original_req unless original_source[:type] == "additional_dependency"
+
+            original_requirement = original_req[:requirement]
+            new_requirement = build_updated_requirement(original_requirement, latest_version)
+
+            new_original_string = build_original_string(
+              package_name: original_source[:original_name] || original_source[:package_name],
+              requirement: new_requirement
+            )
+
+            new_source = original_source.merge(original_string: new_original_string)
+
+            original_req.merge(
+              requirement: new_requirement,
+              source: new_source
+            )
+          end
+        end
+
+        private
+
+        sig { returns(T.nilable(String)) }
+        def fetch_latest_version_via_pub_checker
+          pub_checker = pub_update_checker
+          return nil unless pub_checker
+
+          latest = pub_checker.latest_version
+          Dependabot.logger.info("Pub UpdateChecker found latest version: #{latest || 'none'}")
+
+          latest&.to_s
+        rescue Dependabot::DependabotError, Excon::Error => e
+          Dependabot.logger.debug("Error checking Dart package #{package_name}: #{e.message}")
+          nil
+        end
+
+        sig { returns(T.nilable(Dependabot::UpdateCheckers::Base)) }
+        def pub_update_checker
+          @pub_update_checker ||= T.let(
+            build_pub_update_checker,
+            T.nilable(Dependabot::UpdateCheckers::Base)
+          )
+        end
+
+        sig { returns(T.nilable(Dependabot::UpdateCheckers::Base)) }
+        def build_pub_update_checker
+          pub_dependency = build_pub_dependency
+          return nil unless pub_dependency
+
+          Dependabot.logger.info("Delegating to pub UpdateChecker for package: #{pub_dependency.name}")
+
+          Dependabot::UpdateCheckers.for_package_manager("pub").new(
+            dependency: pub_dependency,
+            dependency_files: build_pub_dependency_files,
+            credentials: credentials,
+            ignored_versions: [],
+            security_advisories: [],
+            raise_on_ignored: false
+          )
+        end
+
+        sig { returns(T.nilable(Dependabot::Dependency)) }
+        def build_pub_dependency
+          return nil unless package_name
+
+          version = current_version || extract_version_from_requirement
+
+          Dependabot::Dependency.new(
+            name: T.must(package_name),
+            version: version,
+            requirements: [{
+              requirement: version ? "^#{version}" : nil,
+              groups: ["dependencies"],
+              file: "pubspec.yaml",
+              source: nil
+            }],
+            package_manager: "pub"
+          )
+        end
+
+        sig { returns(T.nilable(String)) }
+        def extract_version_from_requirement
+          req_string = requirements.first&.dig(:requirement)
+          return nil unless req_string
+
+          version_part = req_string.to_s.sub(/\A(?:[~^]|[><=]+)\s*/, "")
+          return version_part if Dependabot::Pub::Version.correct?(version_part)
+
+          nil
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def build_pub_dependency_files
+          version = current_version || extract_version_from_requirement
+          requirement = version ? "^#{version}" : "any"
+
+          pubspec_content = <<~YAML
+            name: dependabot_pre_commit_check
+            version: 0.0.1
+            environment:
+              sdk: ">=3.0.0 <4.0.0"
+            dependencies:
+              #{T.must(package_name)}: #{requirement}
+          YAML
+
+          [
+            Dependabot::DependencyFile.new(
+              name: "pubspec.yaml",
+              content: pubspec_content
+            )
+          ]
+        end
+
+        sig do
+          params(
+            package_name: T.nilable(String),
+            requirement: T.nilable(String)
+          ).returns(String)
+        end
+        def build_original_string(package_name:, requirement:)
+          base = package_name.to_s
+          base = "#{base}:#{requirement}" if requirement
+          base
+        end
+
+        sig { params(original_requirement: T.nilable(String), new_version: String).returns(String) }
+        def build_updated_requirement(original_requirement, new_version)
+          return new_version unless original_requirement
+
+          operator_match = original_requirement.match(/\A(?<op>[~^]|[><=]+)\s*/)
+          if operator_match
+            "#{operator_match[:op]}#{new_version}"
+          else
+            new_version
+          end
+        end
+      end
+    end
+  end
+end
+
+Dependabot::PreCommit::AdditionalDependencyCheckers.register(
+  "dart",
+  Dependabot::PreCommit::AdditionalDependencyCheckers::Dart
+)

data/lib/dependabot/pre_commit/comment_version_helper.rb

@@ -0,0 +1,17 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module PreCommit
+    module CommentVersionHelper
+      # Matches a version string in a comment, with optional "v" prefix.
+      # Examples: "v1", "v2.3.2", "7.3.0", "1.43.5"
+      COMMENT_VERSION_PATTERN = T.let(/v?\d+(?:\.\d+)*/, Regexp)
+
+      # Matches a version string preceded by a "frozen:" label or "#" prefix.
+      # Captures the version string (with optional "v" prefix) in group 1.
+      # Examples: "# frozen: v2.3.2" → "v2.3.2", "# v4.4.0" → "v4.4.0"
+      FROZEN_COMMENT_REF_PATTERN = T.let(/(?:frozen:\s*|#\s*)(#{COMMENT_VERSION_PATTERN})/, Regexp)
+    end
+  end
+end

data/lib/dependabot/pre_commit/file_fetcher.rb

@@ -25,13 +25,6 @@ module Dependabot
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
-        unless allow_beta_ecosystems?
-          raise Dependabot::DependencyFileNotFound.new(
-            nil,
-            "PreCommit support is currently in beta. Set ALLOW_BETA_ECOSYSTEMS=true to enable it."
-          )
-        end
-
         fetched_files = []
         fetched_files << pre_commit_config
 

data/lib/dependabot/pre_commit/file_parser/hook_language_fetcher.rb

@@ -0,0 +1,181 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "yaml"
+require "base64"
+require "sorbet-runtime"
+require "dependabot/clients/github_with_retries"
+require "dependabot/shared_helpers"
+require "dependabot/source"
+
+require "dependabot/pre_commit/file_parser"
+
+module Dependabot
+  module PreCommit
+    class FileParser < Dependabot::FileParsers::Base
+      # Fetches hook language information from the source repository's
+      # .pre-commit-hooks.yaml file. This is needed because the language field
+      # is typically defined in the hook repo, not in the consumer's
+      # .pre-commit-config.yaml file.
+      class HookLanguageFetcher
+        extend T::Sig
+
+        HOOKS_FILE = ".pre-commit-hooks.yaml"
+
+        sig do
+          params(
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(credentials:)
+          @credentials = credentials
+          @hooks_cache = T.let({}, T::Hash[String, T.nilable(T::Array[T::Hash[String, T.untyped]])])
+        end
+
+        # Fetches the language for a specific hook from the hook source repository.
+        #
+        # @param repo_url [String] The URL of the hook repository (e.g., "https://github.com/psf/black")
+        # @param revision [String] The revision (tag, SHA, branch) to fetch from
+        # @param hook_id [String] The hook ID to look up (e.g., "black")
+        # @return [String, nil] The language for the hook, or nil if not found
+        sig do
+          params(
+            repo_url: String,
+            revision: String,
+            hook_id: String
+          ).returns(T.nilable(String))
+        end
+        def fetch_language(repo_url:, revision:, hook_id:)
+          hooks = fetch_hooks_from_repo(repo_url, revision)
+          return nil unless hooks
+
+          hook = hooks.find { |h| h["id"] == hook_id }
+          return nil unless hook
+
+          T.cast(hook["language"], T.nilable(String))
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig do
+          params(
+            repo_url: String,
+            revision: String
+          ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
+        end
+        def fetch_hooks_from_repo(repo_url, revision)
+          cache_key = "#{repo_url}@#{revision}"
+          return @hooks_cache[cache_key] if @hooks_cache.key?(cache_key)
+
+          hooks = fetch_hooks_internal(repo_url, revision)
+          @hooks_cache[cache_key] = hooks
+          hooks
+        end
+
+        sig do
+          params(
+            repo_url: String,
+            revision: String
+          ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
+        end
+        def fetch_hooks_internal(repo_url, revision)
+          source = Source.from_url(repo_url)
+          return fetch_via_git_clone(repo_url, revision) unless source
+          return fetch_via_git_clone(repo_url, revision) unless source.provider == "github"
+
+          fetch_from_github(source, revision)
+        rescue StandardError => e
+          Dependabot.logger.debug("Failed to fetch hooks from #{repo_url}@#{revision}: #{e.message}")
+          nil
+        end
+
+        sig do
+          params(
+            source: Dependabot::Source,
+            revision: String
+          ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
+        end
+        def fetch_from_github(source, revision)
+          response = github_client.send(
+            :contents,
+            source.repo,
+            path: HOOKS_FILE,
+            ref: revision
+          )
+          return nil unless response
+
+          content = Base64.decode64(response.content)
+          parse_hooks_yaml(content)
+        rescue Octokit::NotFound
+          Dependabot.logger.debug("#{HOOKS_FILE} not found in #{source.repo}@#{revision}")
+          nil
+        rescue StandardError => e
+          Dependabot.logger.debug("Error fetching from GitHub: #{e.message}")
+          fetch_via_git_clone("https://github.com/#{source.repo}", revision)
+        end
+
+        sig do
+          params(
+            repo_url: String,
+            revision: String
+          ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
+        end
+        def fetch_via_git_clone(repo_url, revision)
+          source = Source.from_url(repo_url)
+          return nil unless source
+
+          SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
+            repo_contents_path = File.join(temp_dir, File.basename(source.repo))
+
+            SharedHelpers.run_shell_command(
+              "git clone --no-checkout --depth 1 #{repo_url} #{repo_contents_path}",
+              fingerprint: "git clone --no-checkout --depth 1 <url> <path>"
+            )
+
+            Dir.chdir(repo_contents_path) do
+              # Fetch the specific revision and checkout the hooks file
+              SharedHelpers.run_shell_command(
+                "git fetch --depth 1 origin #{revision}",
+                fingerprint: "git fetch --depth 1 origin <revision>"
+              )
+              SharedHelpers.run_shell_command(
+                "git checkout FETCH_HEAD -- #{HOOKS_FILE}",
+                fingerprint: "git checkout FETCH_HEAD -- <file>"
+              )
+
+              return nil unless File.exist?(HOOKS_FILE)
+
+              content = File.read(HOOKS_FILE)
+              parse_hooks_yaml(content)
+            end
+          end
+        rescue StandardError => e
+          Dependabot.logger.debug("Failed to clone and fetch hooks: #{e.message}")
+          nil
+        end
+
+        sig { params(content: String).returns(T.nilable(T::Array[T::Hash[String, T.untyped]])) }
+        def parse_hooks_yaml(content)
+          yaml = YAML.safe_load(content, aliases: true)
+          return nil unless yaml.is_a?(Array)
+
+          yaml.grep(Hash)
+        rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias => e
+          Dependabot.logger.debug("Failed to parse hooks YAML: #{e.message}")
+          nil
+        end
+
+        sig { returns(Dependabot::Clients::GithubWithRetries) }
+        def github_client
+          @github_client ||= T.let(
+            Dependabot::Clients::GithubWithRetries.for_github_dot_com(credentials: credentials),
+            T.nilable(Dependabot::Clients::GithubWithRetries)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/pre_commit/file_parser.rb

@@ -12,6 +12,7 @@ require "dependabot/pre_commit/version"
 require "dependabot/pre_commit/requirement"
 require "dependabot/cargo/requirement"
 require "dependabot/npm_and_yarn/requirement"
+require "dependabot/pub/requirement"
 require "dependabot/python/requirement_parser"
 require "dependabot/bundler/requirement"
 require "dependabot/go_modules/requirement_parser"
@@ -22,6 +23,7 @@ module Dependabot
       extend T::Sig
 
       require "dependabot/file_parsers/base/dependency_set"
+      require_relative "file_parser/hook_language_fetcher"
 
       CONFIG_FILE_PATTERN = /\.pre-commit(-config)?\.ya?ml$/i
       ECOSYSTEM = "pre_commit"
@@ -32,7 +34,8 @@ module Dependabot
           "node" => ->(dep_string) { Dependabot::NpmAndYarn::Requirement.parse_dep_string(dep_string) },
           "rust" => ->(dep_string) { Dependabot::Cargo::Requirement.parse_dep_string(dep_string) },
           "golang" => ->(dep_string) { Dependabot::GoModules::RequirementParser.parse(dep_string) },
-          "ruby" => ->(dep_string) { Dependabot::Bundler::Requirement.parse_dep_string(dep_string) }
+          "ruby" => ->(dep_string) { Dependabot::Bundler::Requirement.parse_dep_string(dep_string) },
+          "dart" => ->(dep_string) { Dependabot::Pub::Requirement.parse_dep_string(dep_string) }
         }.freeze,
         T::Hash[String, T.proc.params(dep_string: String).returns(T.nilable(T::Hash[Symbol, T.untyped]))]
       )
@@ -102,6 +105,8 @@ module Dependabot
         return nil if repo_url.nil? || rev.nil?
         return nil if %w(local meta).include?(repo_url)
 
+        comment = rev_line_comment(file, repo_url)
+
         Dependency.new(
           name: repo_url,
           version: rev,
@@ -114,7 +119,8 @@ module Dependabot
               url: repo_url,
               ref: rev,
               branch: nil
-            }
+            },
+            metadata: { comment: comment }
           }],
           package_manager: ECOSYSTEM
         )
@@ -129,6 +135,7 @@ module Dependabot
       def parse_additional_dependencies(repo, file)
         dependencies = []
         repo_url = repo["repo"]
+        revision = repo["rev"]
 
         return dependencies if repo_url.nil? || %w(local meta).include?(repo_url)
 
@@ -136,7 +143,7 @@ module Dependabot
         hooks.each do |hook|
           next unless hook.is_a?(Hash)
 
-          hook_deps = parse_hook_additional_dependencies(hook, repo_url, file)
+          hook_deps = parse_hook_additional_dependencies(hook, repo_url, revision, file)
           dependencies.concat(hook_deps)
         end
 
@@ -147,18 +154,24 @@ module Dependabot
         params(
           hook: T::Hash[String, T.untyped],
           repo_url: String,
+          revision: T.nilable(String),
           file: Dependabot::DependencyFile
         ).returns(T::Array[Dependabot::Dependency])
       end
-      def parse_hook_additional_dependencies(hook, repo_url, file)
+      def parse_hook_additional_dependencies(hook, repo_url, revision, file)
         dependencies = []
+        hook_id = hook["id"]
 
-        return dependencies unless hook["id"]
+        return dependencies unless hook_id
 
         additional_deps = hook.fetch("additional_dependencies", [])
         return dependencies if additional_deps.empty?
 
-        parser = LANGUAGE_PARSERS[hook["language"]]
+        # Get language from local config first, then try fetching from hook source repo
+        language = resolve_hook_language(hook, repo_url, revision, hook_id)
+        return dependencies unless language
+
+        parser = LANGUAGE_PARSERS[language]
         return dependencies unless parser
 
         additional_deps.each do |dep_string|
@@ -176,10 +189,10 @@ module Dependabot
               file: file.name,
               source: {
                 type: "additional_dependency",
-                language: hook["language"],
+                language: language,
                 package_name: parsed[:normalised_name],
                 original_name: parsed[:name],
-                hook_id: hook["id"],
+                hook_id: hook_id,
                 hook_repo: repo_url,
                 extras: parsed[:extras],
                 original_string: dep_string
@@ -192,6 +205,59 @@ module Dependabot
         dependencies
       end
 
+      sig do
+        params(
+          hook: T::Hash[String, T.untyped],
+          repo_url: String,
+          revision: T.nilable(String),
+          hook_id: String
+        ).returns(T.nilable(String))
+      end
+      def resolve_hook_language(hook, repo_url, revision, hook_id)
+        # Use local language if explicitly specified
+        local_language = hook["language"]
+        return local_language if local_language
+
+        # Otherwise fetch from the hook source repository
+        return nil unless revision
+
+        hook_language_fetcher.fetch_language(
+          repo_url: repo_url,
+          revision: revision,
+          hook_id: hook_id
+        )
+      end
+
+      sig { returns(HookLanguageFetcher) }
+      def hook_language_fetcher
+        @hook_language_fetcher ||= T.let(
+          HookLanguageFetcher.new(credentials: credentials),
+          T.nilable(HookLanguageFetcher)
+        )
+      end
+
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          repo_url: String
+        ).returns(T.nilable(String))
+      end
+      def rev_line_comment(file, repo_url)
+        current_repo = T.let(nil, T.nilable(String))
+
+        T.must(file.content).each_line do |line|
+          repo_match = line.match(/^\s*-\s*repo:\s*(\S+)/)
+          current_repo = repo_match[1] if repo_match
+
+          next unless current_repo == repo_url
+
+          rev_match = line.match(/^\s*rev:\s*\S+\s*(#.*)$/)
+          return T.must(rev_match[1]).rstrip if rev_match
+        end
+
+        nil
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def pre_commit_config_files
         dependency_files.select { |f| f.name.match?(CONFIG_FILE_PATTERN) }

data/lib/dependabot/pre_commit/file_updater.rb

@@ -113,7 +113,18 @@ module Dependabot
         old_ref = T.cast(old_source.fetch(:ref), String)
         new_ref = T.cast(new_source.fetch(:ref), String)
 
-        replace_ref_in_content(content, repo_url, old_ref, new_ref)
+        new_metadata = T.cast(new_req.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
+        old_version = T.cast(new_metadata[:comment_version], T.nilable(String))
+        new_version = T.cast(new_metadata[:new_comment_version], T.nilable(String))
+
+        replace_ref_in_content(
+          content,
+          repo_url,
+          old_ref,
+          new_ref,
+          old_version: old_version,
+          new_version: new_version
+        )
       end
 
       sig do
@@ -134,9 +145,16 @@ module Dependabot
       end
 
       sig do
-        params(content: String, repo_url: String, old_ref: String, new_ref: String).returns(String)
+        params(
+          content: String,
+          repo_url: String,
+          old_ref: String,
+          new_ref: String,
+          old_version: T.nilable(String),
+          new_version: T.nilable(String)
+        ).returns(String)
       end
-      def replace_ref_in_content(content, repo_url, old_ref, new_ref)
+      def replace_ref_in_content(content, repo_url, old_ref, new_ref, old_version: nil, new_version: nil)
         current_repo = T.let(nil, T.nilable(String))
 
         updated_lines = content.lines.map do |line|
@@ -145,7 +163,9 @@ module Dependabot
 
           if current_repo == repo_url &&
              line.match?(/^\s*rev:\s+#{Regexp.escape(old_ref)}(\s*(?:#.*)?)?$/)
-            line.gsub(old_ref, new_ref)
+            updated_line = line.sub(old_ref, new_ref)
+            updated_line = update_version_comment(updated_line, old_version, new_version)
+            updated_line
           else
             line
           end
@@ -154,6 +174,28 @@ module Dependabot
         updated_lines.join
       end
 
+      sig do
+        params(
+          line: String,
+          old_version: T.nilable(String),
+          new_version: T.nilable(String)
+        ).returns(String)
+      end
+      def update_version_comment(line, old_version, new_version)
+        return line unless old_version && new_version
+
+        pattern = /
+          (                # 1: comment prefix
+            \#\s*          # '#' and optional whitespace
+            (?:frozen:\s*)? # optional 'frozen:' label
+          )
+          #{Regexp.escape(old_version)} # the old version
+          (.*)$            # 2: trailing content (whitespace or other characters) up to end of line
+        /x
+
+        line.sub(pattern, "\\1#{new_version}\\2")
+      end
+
       sig do
         params(content: String, old_string: String, new_string: String).returns(String)
       end

data/lib/dependabot/pre_commit/metadata_finder.rb

@@ -1,10 +1,7 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
-# NOTE: This file was scaffolded automatically but is OPTIONAL.
-# If you don't need custom metadata finding logic (changelogs, release notes, etc.),
-# you can safely delete this file and remove the require from lib/dependabot/pre_commit.rb
-
+require "sorbet-runtime"
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 
@@ -17,9 +14,15 @@ module Dependabot
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
-        # TODO: Implement custom source lookup logic if needed
-        # Otherwise, delete this file and the require in the main registration file
-        nil
+        info = dependency.requirements.filter_map { |r| r[:source] }.first
+
+        url =
+          if info.nil?
+            dependency.name
+          else
+            info[:url] || info.fetch("url")
+          end
+        Source.from_url(url)
       end
     end
   end

data/lib/dependabot/pre_commit/package/package_details_fetcher.rb

@@ -3,6 +3,7 @@
 
 require "sorbet-runtime"
 require "dependabot/errors"
+require "dependabot/pre_commit/comment_version_helper"
 require "dependabot/pre_commit/helpers"
 require "dependabot/pre_commit/requirement"
 require "dependabot/pre_commit/update_checker"
@@ -71,11 +72,14 @@ module Dependabot
         def commit_sha_release
           return unless git_commit_checker.pinned_ref_looks_like_commit_sha?
 
-          # Prioritize tagged releases over latest commits
-          # If latest_version_tag exists, use it (even if current SHA doesn't have a tag)
-          return latest_version_tag&.fetch(:version) if latest_version_tag
+          if latest_version_tag
+            if git_commit_checker.local_tag_for_pinned_sha || version_comment?
+              return T.must(latest_version_tag).fetch(:version)
+            end
+
+            return latest_commit_for_pinned_ref
+          end
 
-          # Only fall back to latest commit if no tags exist
           latest_commit_for_pinned_ref
         end
 
@@ -83,7 +87,9 @@ module Dependabot
         def latest_version_tag
           @latest_version_tag ||= T.let(
             begin
-              return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
+              if dependency.version.nil? || !Dependabot::PreCommit::Version.correct?(dependency.version)
+                return constrained_latest_version_tag || git_commit_checker.local_tag_for_latest_version
+              end
 
               ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
               return ref if ref && current_version && ref.fetch(:version) > current_version
@@ -96,6 +102,74 @@ module Dependabot
 
         private
 
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def constrained_latest_version_tag
+          frozen_ref = frozen_comment_ref
+          return nil unless frozen_ref
+
+          prefix = tag_prefix(frozen_ref)
+          return nil if prefix.empty?
+
+          version_suffix = frozen_ref.sub(/^#{Regexp.escape(prefix)}/, "")
+          return nil if version_suffix.empty? || version_suffix !~ /^\d/
+
+          matching = tags_matching_frozen_constraint(prefix, version_suffix.split("."))
+          git_commit_checker.max_local_tag(matching)
+        end
+
+        sig do
+          params(
+            prefix: String,
+            frozen_segments: T::Array[String]
+          ).returns(T::Array[Dependabot::GitRef])
+        end
+        def tags_matching_frozen_constraint(prefix, frozen_segments)
+          tags = tags_with_prefix(prefix)
+
+          max_segments = tags.map { |t| tag_version_segments(t.name, prefix).length }.max || 0
+          return tags unless frozen_segments.length < max_segments
+
+          tags.select { |tag| tag_starts_with_segments?(tag.name, prefix, frozen_segments) }
+        end
+
+        sig { params(prefix: String).returns(T::Array[Dependabot::GitRef]) }
+        def tags_with_prefix(prefix)
+          git_commit_checker.allowed_version_tags.select { |tag| tag.name.start_with?(prefix) }
+        end
+
+        sig { params(tag_name: String, prefix: String).returns(T::Array[String]) }
+        def tag_version_segments(tag_name, prefix)
+          tag_name.sub(/^#{Regexp.escape(prefix)}/, "").split(".")
+        end
+
+        sig { params(tag_name: String, prefix: String, frozen_segments: T::Array[String]).returns(T::Boolean) }
+        def tag_starts_with_segments?(tag_name, prefix, frozen_segments)
+          segments = tag_version_segments(tag_name, prefix)
+          frozen_segments.each_with_index.all? { |seg, i| segments[i] == seg }
+        end
+
+        sig { returns(T.nilable(String)) }
+        def frozen_comment_ref
+          comment = dependency.requirements.first&.dig(:metadata, :comment)
+          return nil unless comment
+
+          match = comment.match(CommentVersionHelper::FROZEN_COMMENT_REF_PATTERN)
+          match&.[](1)
+        end
+
+        sig { params(ref: String).returns(String) }
+        def tag_prefix(ref)
+          ref.sub(/\d+(?:\.\d+)*$/, "")
+        end
+
+        sig { returns(T::Boolean) }
+        def version_comment?
+          comment = dependency.requirements.first&.dig(:metadata, :comment)
+          return false unless comment
+
+          comment.match?(CommentVersionHelper::COMMENT_VERSION_PATTERN)
+        end
+
         sig { returns(T.nilable(String)) }
         def current_commit
           git_commit_checker.head_commit_for_current_branch

data/lib/dependabot/pre_commit/update_checker.rb

@@ -4,9 +4,11 @@
 require "sorbet-runtime"
 
 require "dependabot/errors"
+require "dependabot/pre_commit/comment_version_helper"
 require "dependabot/pre_commit/requirement"
 require "dependabot/pre_commit/version"
 require "dependabot/pre_commit/additional_dependency_checkers"
+require "dependabot/pre_commit/additional_dependency_checkers/dart"
 require "dependabot/pre_commit/additional_dependency_checkers/node"
 require "dependabot/pre_commit/additional_dependency_checkers/python"
 require "dependabot/pre_commit/additional_dependency_checkers/ruby"
@@ -54,7 +56,7 @@ module Dependabot
 
           current = T.cast(source&.[](:ref), T.nilable(String))
 
-          # Maintain a short git hash only if it matches the latest
+          # Maintain short git hash when the updated SHA starts with the current SHA
           if T.cast(req[:type], T.nilable(String)) == "git" &&
              git_commit_checker.ref_looks_like_commit_sha?(updated) &&
              current && git_commit_checker.ref_looks_like_commit_sha?(current) &&
@@ -63,7 +65,8 @@ module Dependabot
           end
 
           new_source = T.must(source).merge(ref: updated)
-          req.merge(source: new_source)
+          new_metadata = updated_comment_version_metadata(req, updated)
+          req.merge(source: new_source, metadata: new_metadata)
         end
       end
 
@@ -89,6 +92,9 @@ module Dependabot
       def current_version
         return super if dependency.numeric_version
 
+        frozen_ver = version_from_comment
+        return frozen_ver if frozen_ver
+
         # For git dependencies, try to parse the version from the ref
         source_details = dependency.source_details(allowed_types: ["git"])
         return nil unless source_details
@@ -102,6 +108,17 @@ module Dependabot
         version_class.new(version_string)
       end
 
+      sig { returns(T::Boolean) }
+      def sha1_version_up_to_date?
+        frozen_ver = version_from_comment
+        return super unless frozen_ver
+
+        resolved_sha = latest_commit_sha
+        return true if resolved_sha && resolved_sha == dependency.version
+
+        false
+      end
+
       sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
         false
@@ -166,10 +183,11 @@ module Dependabot
         new_tag = T.must(latest_version_finder).latest_version_tag
 
         if new_tag
-          return T.cast(new_tag.fetch(:commit_sha), String) if git_commit_checker.local_tag_for_pinned_sha
+          if version_from_comment || git_commit_checker.local_tag_for_pinned_sha
+            return T.cast(new_tag.fetch(:commit_sha), String)
+          end
 
           return latest_commit_for_pinned_ref
-
         end
 
         # If there's no tag but we have a latest_version (commit SHA), use it
@@ -184,6 +202,67 @@ module Dependabot
         @git_commit_checker ||= T.let(git_helper.git_commit_checker, T.nilable(Dependabot::GitCommitChecker))
       end
 
+      sig do
+        params(
+          req: T::Hash[Symbol, T.untyped],
+          new_ref: String
+        ).returns(T::Hash[Symbol, T.untyped])
+      end
+      def updated_comment_version_metadata(req, new_ref)
+        existing_metadata = T.cast(req.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
+        comment = T.cast(existing_metadata[:comment], T.nilable(String))
+        return existing_metadata unless comment
+
+        old_version = extract_version_from_comment(comment)
+        return existing_metadata unless old_version
+
+        new_version = resolve_new_comment_version(new_ref)
+        return existing_metadata unless new_version
+
+        existing_metadata.merge(comment_version: old_version, new_comment_version: new_version)
+      end
+
+      sig { params(comment: String).returns(T.nilable(String)) }
+      def extract_version_from_comment(comment)
+        match = comment.match(CommentVersionHelper::COMMENT_VERSION_PATTERN)
+        match&.[](0)
+      end
+
+      sig { returns(T.nilable(Dependabot::Version)) }
+      def version_from_comment
+        @version_from_comment ||= T.let(
+          begin
+            comment = T.let(
+              @dependency.requirements
+                .filter_map do |req|
+                  val = T.cast(req.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])[:comment]
+                  T.cast(val, T.nilable(String))
+                end
+                .first,
+              T.nilable(String)
+            )
+            return nil unless comment
+
+            version_string = extract_version_from_comment(comment)
+            return nil unless version_string
+
+            cleaned = version_string.sub(/^v/, "")
+            return nil unless version_class.correct?(cleaned)
+
+            version_class.new(cleaned)
+          end,
+          T.nilable(Dependabot::Version)
+        )
+      end
+
+      sig { params(_new_ref: String).returns(T.nilable(String)) }
+      def resolve_new_comment_version(_new_ref)
+        new_tag = T.must(latest_version_finder).latest_version_tag
+        return T.cast(new_tag.fetch(:tag, nil), T.nilable(String)) if new_tag
+
+        nil
+      end
+
       sig { returns(Dependabot::PreCommit::Helpers::Githelper) }
       def git_helper
         Helpers::Githelper.new(

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-pre_commit
 version: !ruby/object:Gem::Version
-  version: 0.362.0
+  version: 0.364.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,84 +15,84 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: dependabot-cargo
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: dependabot-common
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: dependabot-go_modules
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: dependabot-npm_and_yarn
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -155,14 +155,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -314,13 +314,16 @@ files:
 - lib/dependabot/pre_commit.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers/base.rb
+- lib/dependabot/pre_commit/additional_dependency_checkers/dart.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers/go.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers/node.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers/python.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers/ruby.rb
 - lib/dependabot/pre_commit/additional_dependency_checkers/rust.rb
+- lib/dependabot/pre_commit/comment_version_helper.rb
 - lib/dependabot/pre_commit/file_fetcher.rb
 - lib/dependabot/pre_commit/file_parser.rb
+- lib/dependabot/pre_commit/file_parser/hook_language_fetcher.rb
 - lib/dependabot/pre_commit/file_updater.rb
 - lib/dependabot/pre_commit/helpers.rb
 - lib/dependabot/pre_commit/metadata_finder.rb
@@ -335,7 +338,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.362.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.364.0
 rdoc_options: []
 require_paths:
 - lib