dependabot-uv 0.300.0 → 0.301.1

data/lib/dependabot/uv/update_checker/latest_version_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "cgi"
@@ -12,284 +12,30 @@ require "dependabot/update_checkers/version_filters"
 require "dependabot/registry_client"
 require "dependabot/uv/authed_url_builder"
 require "dependabot/uv/name_normaliser"
+require "dependabot/uv/package/package_registry_finder"
+require "dependabot/uv/package/package_details_fetcher"
+require "dependabot/package/package_latest_version_finder"
 
 module Dependabot
   module Uv
     class UpdateChecker
-      class LatestVersionFinder
+      class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
-        require_relative "index_finder"
-
-        def initialize(dependency:, dependency_files:, credentials:,
-                       ignored_versions:, raise_on_ignored: false,
-                       security_advisories:)
-          @dependency          = dependency
-          @dependency_files    = dependency_files
-          @credentials         = credentials
-          @ignored_versions    = ignored_versions
-          @raise_on_ignored    = raise_on_ignored
-          @security_advisories = security_advisories
-        end
-
-        def latest_version(python_version: nil)
-          @latest_version ||=
-            fetch_latest_version(python_version: python_version)
-        end
-
-        def latest_version_with_no_unlock(python_version: nil)
-          @latest_version_with_no_unlock ||=
-            fetch_latest_version_with_no_unlock(python_version: python_version)
-        end
-
-        def lowest_security_fix_version(python_version: nil)
-          @lowest_security_fix_version ||=
-            fetch_lowest_security_fix_version(python_version: python_version)
-        end
-
-        private
-
-        attr_reader :dependency
-        attr_reader :dependency_files
-        attr_reader :credentials
-        attr_reader :ignored_versions
-        attr_reader :security_advisories
-
-        def fetch_latest_version(python_version:)
-          versions = available_versions
-          versions = filter_yanked_versions(versions)
-          versions = filter_unsupported_versions(versions, python_version)
-          versions = filter_prerelease_versions(versions)
-          versions = filter_ignored_versions(versions)
-          versions.max
-        end
-
-        def fetch_latest_version_with_no_unlock(python_version:)
-          versions = available_versions
-          versions = filter_yanked_versions(versions)
-          versions = filter_unsupported_versions(versions, python_version)
-          versions = filter_prerelease_versions(versions)
-          versions = filter_ignored_versions(versions)
-          versions = filter_out_of_range_versions(versions)
-          versions.max
-        end
-
-        def fetch_lowest_security_fix_version(python_version:)
-          versions = available_versions
-          versions = filter_yanked_versions(versions)
-          versions = filter_unsupported_versions(versions, python_version)
-          versions = filter_prerelease_versions(versions)
-          versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(versions,
-                                                                                           security_advisories)
-          versions = filter_ignored_versions(versions)
-          versions = filter_lower_versions(versions)
-
-          versions.min
-        end
-
-        sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
-        def filter_yanked_versions(versions_array)
-          filtered = versions_array.reject { |details| details.fetch(:yanked) }
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} yanked versions")
-          end
-          filtered
-        end
-
         sig do
-          params(versions_array: T::Array[T.untyped], python_version: T.nilable(T.any(String, Version)))
-            .returns(T::Array[T.untyped])
-        end
-        def filter_unsupported_versions(versions_array, python_version)
-          filtered = versions_array.filter_map do |details|
-            python_requirement = details.fetch(:python_requirement)
-            next details.fetch(:version) unless python_version
-            next details.fetch(:version) unless python_requirement
-            next unless python_requirement.satisfied_by?(python_version)
-
-            details.fetch(:version)
-          end
-          if versions_array.count > filtered.count
-            delta = versions_array.count - filtered.count
-            Dependabot.logger.info("Filtered out #{delta} unsupported Python #{python_version} versions")
-          end
-          filtered
-        end
-
-        sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
-        def filter_prerelease_versions(versions_array)
-          return versions_array if wants_prerelease?
-
-          filtered = versions_array.reject(&:prerelease?)
-
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} pre-release versions")
-          end
-
-          filtered
-        end
-
-        sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
-        def filter_ignored_versions(versions_array)
-          filtered = versions_array
-                     .reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
-          if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
-            raise Dependabot::AllVersionsIgnored
-          end
-
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} ignored versions")
-          end
-          filtered
-        end
-
-        def filter_lower_versions(versions_array)
-          return versions_array unless dependency.numeric_version
-
-          versions_array.select { |version| version > dependency.numeric_version }
-        end
-
-        def filter_out_of_range_versions(versions_array)
-          reqs = dependency.requirements.filter_map do |r|
-            requirement_class.requirements_array(r.fetch(:requirement))
-          end
-
-          versions_array
-            .select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
-        end
-
-        def wants_prerelease?
-          return version_class.new(dependency.version).prerelease? if dependency.version
-
-          dependency.requirements.any? do |req|
-            reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)
-            reqs.any? { |r| r.match?(/[A-Za-z]/) }
-          end
-        end
-
-        # See https://www.python.org/dev/peps/pep-0503/ for details of the
-        # Simple Repository API we use here.
-        def available_versions
-          @available_versions ||=
-            index_urls.flat_map do |index_url|
-              validate_index(index_url)
-
-              sanitized_url = index_url.gsub(%r{(?<=//).*(?=@)}, "redacted")
-
-              index_response = registry_response_for_dependency(index_url)
-              if index_response.status == 401 || index_response.status == 403
-                registry_index_response = registry_index_response(index_url)
-
-                if registry_index_response.status == 401 || registry_index_response.status == 403
-                  raise PrivateSourceAuthenticationFailure, sanitized_url
-                end
-              end
-
-              version_links = []
-              index_response.body.scan(%r{<a\s.*?>.*?</a>}m) do
-                details = version_details_from_link(Regexp.last_match.to_s)
-                version_links << details if details
-              end
-
-              version_links.compact
-            rescue Excon::Error::Timeout, Excon::Error::Socket
-              raise if MAIN_PYPI_INDEXES.include?(index_url)
-
-              raise PrivateSourceTimedOut, sanitized_url
-            rescue URI::InvalidURIError
-              raise DependencyFileNotResolvable, "Invalid URL: #{sanitized_url}"
-            end
+          override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        def version_details_from_link(link)
-          doc = Nokogiri::XML(link)
-          filename = doc.at_css("a")&.content
-          url = doc.at_css("a")&.attributes&.fetch("href", nil)&.value
-          return unless filename&.match?(name_regex) || url&.match?(name_regex)
-
-          version = get_version_from_filename(filename)
-          return unless version_class.correct?(version)
-
-          {
-            version: version_class.new(version),
-            python_requirement: build_python_requirement_from_link(link),
-            yanked: link&.include?("data-yanked")
-          }
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def get_version_from_filename(filename)
-          filename
-            .gsub(/#{name_regex}-/i, "")
-            .split(/-|\.tar\.|\.zip|\.whl/)
-            .first
-        end
-
-        def build_python_requirement_from_link(link)
-          req_string = Nokogiri::XML(link)
-                               .at_css("a")
-                               &.attribute("data-requires-python")
-                               &.content
-
-          return unless req_string
-
-          requirement_class.new(CGI.unescapeHTML(req_string))
-        rescue Gem::Requirement::BadRequirementError
-          nil
+        def package_details
+          @package_details ||= Package::PackageDetailsFetcher.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).fetch
         end
 
-        def index_urls
-          @index_urls ||=
-            IndexFinder.new(
-              dependency_files: dependency_files,
-              credentials: credentials,
-              dependency: dependency
-            ).index_urls
-        end
-
-        def registry_response_for_dependency(index_url)
-          Dependabot::RegistryClient.get(
-            url: index_url + normalised_name + "/",
-            headers: { "Accept" => "text/html" }
-          )
-        end
-
-        def registry_index_response(index_url)
-          Dependabot::RegistryClient.get(
-            url: index_url,
-            headers: { "Accept" => "text/html" }
-          )
-        end
-
-        def ignore_requirements
-          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
-        end
-
-        def normalised_name
-          NameNormaliser.normalise(dependency.name)
-        end
-
-        def name_regex
-          parts = normalised_name.split(/[\s_.-]/).map { |n| Regexp.quote(n) }
-          /#{parts.join("[\s_.-]")}/i
-        end
-
-        def version_class
-          dependency.version_class
-        end
-
-        def requirement_class
-          dependency.requirement_class
-        end
-
-        def validate_index(index_url)
-          sanitized_url = index_url.gsub(%r{(?<=//).*(?=@)}, "redacted")
-
-          return if index_url&.match?(URI::DEFAULT_PARSER.regexp[:ABS_URI])
-
-          raise Dependabot::DependencyFileNotResolvable,
-                "Invalid URL: #{sanitized_url}"
+        sig { override.returns(T::Boolean) }
+        def cooldown_enabled?
+          Dependabot::Experiments.enabled?(:enable_cooldown_for_uv)
         end
       end
     end

data/lib/dependabot/uv/update_checker/lock_file_resolver.rb

@@ -0,0 +1,48 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/uv/version"
+require "dependabot/uv/requirement"
+require "dependabot/uv/update_checker"
+
+module Dependabot
+  module Uv
+    class UpdateChecker
+      class LockFileResolver
+        def initialize(dependency:, dependency_files:, credentials:, repo_contents_path: nil)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @repo_contents_path = repo_contents_path
+        end
+
+        def latest_resolvable_version(requirement:)
+          return nil unless requirement
+
+          req = Uv::Requirement.new(requirement)
+
+          # Get the version from the dependency if available
+          version_from_dependency = dependency.version && Uv::Version.new(dependency.version)
+          return version_from_dependency if version_from_dependency && req.satisfied_by?(version_from_dependency)
+
+          nil
+        end
+
+        def resolvable?(*)
+          true
+        end
+
+        def lowest_resolvable_security_fix_version
+          nil
+        end
+
+        private
+
+        attr_reader :dependency
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :repo_contents_path
+      end
+    end
+  end
+end

data/lib/dependabot/uv/update_checker/pip_version_resolver.rb

@@ -11,28 +11,29 @@ module Dependabot
     class UpdateChecker
       class PipVersionResolver
         def initialize(dependency:, dependency_files:, credentials:,
-                       ignored_versions:, raise_on_ignored: false,
+                       ignored_versions:, update_cooldown: nil, raise_on_ignored: false,
                        security_advisories:)
-          @dependency          = dependency
+          @dependency = dependency
           @dependency_files    = dependency_files
           @credentials         = credentials
           @ignored_versions    = ignored_versions
+          @update_cooldown = update_cooldown
           @raise_on_ignored    = raise_on_ignored
           @security_advisories = security_advisories
         end
 
         def latest_resolvable_version
-          latest_version_finder.latest_version(python_version: language_version_manager.python_version)
+          latest_version_finder.latest_version(language_version: language_version_manager.python_version)
         end
 
         def latest_resolvable_version_with_no_unlock
           latest_version_finder
-            .latest_version_with_no_unlock(python_version: language_version_manager.python_version)
+            .latest_version_with_no_unlock(language_version: language_version_manager.python_version)
         end
 
         def lowest_resolvable_security_fix_version
           latest_version_finder
-            .lowest_security_fix_version(python_version: language_version_manager.python_version)
+            .lowest_security_fix_version(language_version: language_version_manager.python_version)
         end
 
         private
@@ -50,6 +51,7 @@ module Dependabot
             credentials: credentials,
             ignored_versions: ignored_versions,
             raise_on_ignored: @raise_on_ignored,
+            cooldown_options: @update_cooldown,
             security_advisories: security_advisories
           )
         end

data/lib/dependabot/uv/update_checker.rb

@@ -21,6 +21,7 @@ module Dependabot
       require_relative "update_checker/pip_version_resolver"
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/latest_version_finder"
+      require_relative "update_checker/lock_file_resolver"
 
       MAIN_PYPI_INDEXES = %w(
         https://pypi.python.org/simple/
@@ -118,6 +119,7 @@ module Dependabot
         case resolver_type
         when :pip_compile then pip_compile_version_resolver
         when :requirements then pip_version_resolver
+        when :lock_file then lock_file_resolver
         else raise "Unexpected resolver type #{resolver_type}"
         end
       end
@@ -134,6 +136,7 @@ module Dependabot
         # which resolver to use based on the filename of its requirements
         return :requirements if updating_pyproject?
         return :pip_compile if updating_in_file?
+        return :lock_file if updating_uv_lock?
 
         if dependency.version && !exact_requirement?(reqs)
           subdependency_resolver
@@ -167,10 +170,15 @@ module Dependabot
           credentials: credentials,
           ignored_versions: ignored_versions,
           raise_on_ignored: @raise_on_ignored,
+          update_cooldown: @update_cooldown,
           security_advisories: security_advisories
         )
       end
 
+      def lock_file_resolver
+        @lock_file_resolver ||= LockFileResolver.new(**resolver_args)
+      end
+
       def resolver_args
         {
           dependency: dependency,
@@ -187,7 +195,7 @@ module Dependabot
         requirement = reqs.find do |r|
           file = r[:file]
 
-          file == "Pipfile" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
+          file == "uv.lock" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
         end
 
         requirement&.fetch(:requirement)
@@ -234,6 +242,7 @@ module Dependabot
           credentials: credentials,
           ignored_versions: ignored_versions,
           raise_on_ignored: @raise_on_ignored,
+          cooldown_options: @update_cooldown,
           security_advisories: security_advisories
         )
       end
@@ -267,6 +276,10 @@ module Dependabot
         requirement_files.any? { |f| f.end_with?(".in") }
       end
 
+      def updating_uv_lock?
+        requirement_files.any?("uv.lock")
+      end
+
       def requirements_text_file?
         requirement_files.any? { |f| f.end_with?("requirements.txt") }
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.300.0
+  version: 0.301.1
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-06 00:00:00.000000000 Z
+date: 2025-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.300.0
+        version: 0.301.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.300.0
+        version: 0.301.1
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -257,6 +257,7 @@ files:
 - lib/dependabot/uv/file_parser/setup_file_parser.rb
 - lib/dependabot/uv/file_updater.rb
 - lib/dependabot/uv/file_updater/compile_file_updater.rb
+- lib/dependabot/uv/file_updater/lock_file_updater.rb
 - lib/dependabot/uv/file_updater/pyproject_preparer.rb
 - lib/dependabot/uv/file_updater/requirement_file_updater.rb
 - lib/dependabot/uv/file_updater/requirement_replacer.rb
@@ -265,14 +266,16 @@ files:
 - lib/dependabot/uv/metadata_finder.rb
 - lib/dependabot/uv/name_normaliser.rb
 - lib/dependabot/uv/native_helpers.rb
+- lib/dependabot/uv/package/package_details_fetcher.rb
+- lib/dependabot/uv/package/package_registry_finder.rb
 - lib/dependabot/uv/package_manager.rb
 - lib/dependabot/uv/pipenv_runner.rb
 - lib/dependabot/uv/requirement.rb
 - lib/dependabot/uv/requirement_parser.rb
 - lib/dependabot/uv/requirements_file_matcher.rb
 - lib/dependabot/uv/update_checker.rb
-- lib/dependabot/uv/update_checker/index_finder.rb
 - lib/dependabot/uv/update_checker/latest_version_finder.rb
+- lib/dependabot/uv/update_checker/lock_file_resolver.rb
 - lib/dependabot/uv/update_checker/pip_compile_version_resolver.rb
 - lib/dependabot/uv/update_checker/pip_version_resolver.rb
 - lib/dependabot/uv/update_checker/requirements_updater.rb
@@ -282,7 +285,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.300.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.301.1
 post_install_message:
 rdoc_options: []
 require_paths: