dependabot-uv 0.331.0 → 0.333.0

data/lib/dependabot/uv/update_checker.rb

@@ -1,8 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
 require "toml-rb"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/errors"
@@ -17,6 +18,8 @@ require "dependabot/update_checkers/base"
 module Dependabot
   module Uv
     class UpdateChecker < Dependabot::UpdateCheckers::Base
+      extend T::Sig
+
       require_relative "update_checker/pip_compile_version_resolver"
       require_relative "update_checker/pip_version_resolver"
       require_relative "update_checker/requirements_updater"
@@ -29,12 +32,17 @@ module Dependabot
       ).freeze
       VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
 
+      sig { override.returns(T.nilable(Gem::Version)) }
       def latest_version
-        @latest_version ||= fetch_latest_version
+        @latest_version ||= T.let(
+          fetch_latest_version,
+          T.nilable(Gem::Version)
+        )
       end
 
+      sig { override.returns(T.nilable(Gem::Version)) }
       def latest_resolvable_version
-        @latest_resolvable_version ||=
+        @latest_resolvable_version ||= T.let(
           if resolver_type == :requirements
             resolver.latest_resolvable_version
           elsif resolver_type == :pip_compile && resolver.resolvable?(version: latest_version)
@@ -43,33 +51,41 @@ module Dependabot
             resolver.latest_resolvable_version(
               requirement: unlocked_requirement_string
             )
-          end
+          end,
+          T.nilable(Gem::Version)
+        )
       end
 
+      sig { override.returns(T.nilable(Gem::Version)) }
       def latest_resolvable_version_with_no_unlock
-        @latest_resolvable_version_with_no_unlock ||=
+        @latest_resolvable_version_with_no_unlock ||= T.let(
           if resolver_type == :requirements
             resolver.latest_resolvable_version_with_no_unlock
           else
             resolver.latest_resolvable_version(
               requirement: current_requirement_string
             )
-          end
+          end,
+          T.nilable(Gem::Version)
+        )
       end
 
+      sig { override.returns(T.nilable(Gem::Version)) }
       def lowest_security_fix_version
         latest_version_finder.lowest_security_fix_version
       end
 
+      sig { override.returns(T.nilable(Gem::Version)) }
       def lowest_resolvable_security_fix_version
         raise "Dependency not vulnerable!" unless vulnerable?
 
-        return @lowest_resolvable_security_fix_version if defined?(@lowest_resolvable_security_fix_version)
-
-        @lowest_resolvable_security_fix_version =
-          fetch_lowest_resolvable_security_fix_version
+        @lowest_resolvable_security_fix_version ||= T.let(
+          fetch_lowest_resolvable_security_fix_version,
+          T.nilable(Gem::Version)
+        )
       end
 
+      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
         RequirementsUpdater.new(
           requirements: requirements,
@@ -79,10 +95,12 @@ module Dependabot
         ).updated_requirements
       end
 
+      sig { override.returns(T::Boolean) }
       def requirements_unlocked_or_can_be?
         !requirements_update_strategy.lockfile_only?
       end
 
+      sig { override.returns(Dependabot::RequirementsUpdateStrategy) }
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
         return @requirements_update_strategy if @requirements_update_strategy
@@ -93,15 +111,18 @@ module Dependabot
 
       private
 
+      sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
         # Full unlock checks aren't implemented for Python (yet)
         false
       end
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies_after_full_unlock
         raise NotImplementedError
       end
 
+      sig { returns(T.nilable(Gem::Version)) }
       def fetch_lowest_resolvable_security_fix_version
         fix_version = lowest_security_fix_version
         return latest_resolvable_version if fix_version.nil?
@@ -111,6 +132,7 @@ module Dependabot
         resolver.resolvable?(version: fix_version) ? fix_version : nil
       end
 
+      sig { returns(T.untyped) }
       def resolver
         case resolver_type
         when :pip_compile then pip_compile_version_resolver
@@ -120,6 +142,7 @@ module Dependabot
         end
       end
 
+      sig { returns(Symbol) }
       def resolver_type
         reqs = requirements
 
@@ -141,6 +164,7 @@ module Dependabot
         end
       end
 
+      sig { returns(Symbol) }
       def subdependency_resolver
         return :pip_compile if pip_compile_files.any?
         return :lock_file if uv_lock.any?
@@ -148,6 +172,7 @@ module Dependabot
         raise "Claimed to be a sub-dependency, but no lockfile exists!"
       end
 
+      sig { params(reqs: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Boolean) }
       def exact_requirement?(reqs)
         reqs = reqs.map { |r| r.fetch(:requirement) }
         reqs = reqs.compact
@@ -155,27 +180,49 @@ module Dependabot
         reqs.any? { |r| Uv::Requirement.new(r).exact? }
       end
 
+      sig { returns(PipCompileVersionResolver) }
       def pip_compile_version_resolver
-        @pip_compile_version_resolver ||=
-          PipCompileVersionResolver.new(**resolver_args)
+        @pip_compile_version_resolver ||= T.let(
+          PipCompileVersionResolver.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            repo_contents_path: repo_contents_path
+          ),
+          T.nilable(PipCompileVersionResolver)
+        )
       end
 
+      sig { returns(PipVersionResolver) }
       def pip_version_resolver
-        @pip_version_resolver ||= PipVersionResolver.new(
-          dependency: dependency,
-          dependency_files: dependency_files,
-          credentials: credentials,
-          ignored_versions: ignored_versions,
-          raise_on_ignored: @raise_on_ignored,
-          update_cooldown: @update_cooldown,
-          security_advisories: security_advisories
+        @pip_version_resolver ||= T.let(
+          PipVersionResolver.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: @raise_on_ignored,
+            update_cooldown: @update_cooldown,
+            security_advisories: security_advisories
+          ),
+          T.nilable(PipVersionResolver)
         )
       end
 
+      sig { returns(LockFileResolver) }
       def lock_file_resolver
-        @lock_file_resolver ||= LockFileResolver.new(**resolver_args)
+        @lock_file_resolver ||= T.let(
+          LockFileResolver.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            repo_contents_path: repo_contents_path
+          ),
+          T.nilable(LockFileResolver)
+        )
       end
 
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def resolver_args
         {
           dependency: dependency,
@@ -185,6 +232,7 @@ module Dependabot
         }
       end
 
+      sig { returns(T.nilable(String)) }
       def current_requirement_string
         reqs = requirements
         return if reqs.none?
@@ -198,6 +246,7 @@ module Dependabot
         requirement&.fetch(:requirement)
       end
 
+      sig { returns(String) }
       def unlocked_requirement_string
         lower_bound_req = updated_version_req_lower_bound
 
@@ -214,6 +263,7 @@ module Dependabot
         lower_bound_req + ",<=#{latest_version}"
       end
 
+      sig { returns(String) }
       def updated_version_req_lower_bound
         return ">=#{dependency.version}" if dependency.version
 
@@ -228,99 +278,133 @@ module Dependabot
         ">=#{version_for_requirement || 0}"
       end
 
+      sig { returns(T.nilable(Gem::Version)) }
       def fetch_latest_version
         latest_version_finder.latest_version
       end
 
+      sig { returns(LatestVersionFinder) }
       def latest_version_finder
-        @latest_version_finder ||= LatestVersionFinder.new(
-          dependency: dependency,
-          dependency_files: dependency_files,
-          credentials: credentials,
-          ignored_versions: ignored_versions,
-          raise_on_ignored: @raise_on_ignored,
-          cooldown_options: @update_cooldown,
-          security_advisories: security_advisories
+        @latest_version_finder ||= T.let(
+          LatestVersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: @raise_on_ignored,
+            cooldown_options: @update_cooldown,
+            security_advisories: security_advisories
+          ),
+          T.nilable(LatestVersionFinder)
         )
       end
 
+      sig { returns(T::Boolean) }
       def library?
         return false unless updating_pyproject?
+        return false unless library_details
 
-        return false if library_details["name"].nil?
+        return false if T.must(library_details)["name"].nil?
 
         # Hit PyPi and check whether there are details for a library with a
         # matching name and description
         index_response = Dependabot::RegistryClient.get(
-          url: "https://pypi.org/pypi/#{normalised_name(library_details['name'])}/json/"
+          url: "https://pypi.org/pypi/#{normalised_name(T.must(library_details)['name'])}/json/"
         )
 
         return false unless index_response.status == 200
 
         pypi_info = JSON.parse(index_response.body)["info"] || {}
-        pypi_info["summary"] == library_details["description"]
+        pypi_info["summary"] == T.must(library_details)["description"]
       rescue Excon::Error::Timeout, Excon::Error::Socket
         false
       rescue URI::InvalidURIError
         false
       end
 
+      sig { returns(T::Boolean) }
       def updating_pyproject?
         requirement_files.any?("pyproject.toml")
       end
 
+      sig { returns(T::Boolean) }
       def updating_in_file?
         requirement_files.any? { |f| f.end_with?(".in") }
       end
 
+      sig { returns(T::Boolean) }
       def updating_uv_lock?
         requirement_files.any?("uv.lock")
       end
 
+      sig { returns(T::Boolean) }
       def requirements_text_file?
         requirement_files.any? { |f| f.end_with?("requirements.txt") }
       end
 
+      sig { returns(T::Boolean) }
       def updating_requirements_file?
         requirement_files.any? { |f| f =~ /\.txt$|\.in$/ }
       end
 
+      sig { returns(T::Array[String]) }
       def requirement_files
         requirements.map { |r| r.fetch(:file) }
       end
 
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def requirements
         dependency.requirements
       end
 
+      sig { params(name: String).returns(String) }
       def normalised_name(name)
         NameNormaliser.normalise(name)
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pyproject
         dependency_files.find { |f| f.name == "pyproject.toml" }
       end
 
+      sig { returns(T.nilable(T::Hash[String, T.untyped])) }
       def library_details
-        @library_details ||= standard_details || build_system_details
+        @library_details ||= T.let(
+          standard_details || build_system_details,
+          T.nilable(T::Hash[String, T.untyped])
+        )
       end
 
+      sig { returns(T.nilable(T::Hash[String, T.untyped])) }
       def standard_details
-        @standard_details ||= toml_content["project"]
+        @standard_details ||= T.let(
+          toml_content["project"],
+          T.nilable(T::Hash[String, T.untyped])
+        )
       end
 
+      sig { returns(T.nilable(T::Hash[String, T.untyped])) }
       def build_system_details
-        @build_system_details ||= toml_content["build-system"]
+        @build_system_details ||= T.let(
+          toml_content["build-system"],
+          T.nilable(T::Hash[String, T.untyped])
+        )
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def toml_content
-        @toml_content ||= TomlRB.parse(pyproject.content)
+        @toml_content ||= T.let(
+          TomlRB.parse(T.must(pyproject).content),
+          T.nilable(T::Hash[String, T.untyped])
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def pip_compile_files
         dependency_files.select { |f| f.name.end_with?(".in") }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def uv_lock
         dependency_files.select { |f| f.name == "uv.lock" }
       end

data/lib/dependabot/uv/version.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/version"
 require "dependabot/utils"
 
@@ -9,6 +11,8 @@ require "dependabot/utils"
 module Dependabot
   module Uv
     class Version < Dependabot::Version
+      extend T::Sig
+
       sig { returns(Integer) }
       attr_reader :epoch
 
@@ -27,8 +31,8 @@ module Dependabot
       sig { returns(T.nilable(T::Array[T.any(String, Integer)])) }
       attr_reader :local
 
-      INFINITY = 1000
-      NEGATIVE_INFINITY = -INFINITY
+      INFINITY = T.let(1000, Integer)
+      NEGATIVE_INFINITY = T.let(-INFINITY, Integer)
 
       # See https://peps.python.org/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions
       VERSION_PATTERN = /
@@ -72,10 +76,10 @@ module Dependabot
       end
 
       sig { override.params(version: VersionParameter).void }
-      def initialize(version)
+      def initialize(version) # rubocop:disable Metrics/AbcSize
         raise Dependabot::BadRequirementError, "Malformed version string - string is nil" if version.nil?
 
-        @version_string = version.to_s
+        @version_string = T.let(version.to_s, String)
 
         raise Dependabot::BadRequirementError, "Malformed version string - string is empty" if @version_string.empty?
 
@@ -86,12 +90,17 @@ module Dependabot
                 "Malformed version string - #{@version_string} does not match regex"
         end
 
-        @epoch = matches["epoch"].to_i
-        @release_segment = matches["release"]&.split(".")&.map(&:to_i) || []
-        @pre = parse_letter_version(matches["pre_l"], matches["pre_n"])
-        @post = parse_letter_version(matches["post_l"], matches["post_n1"] || matches["post_n2"])
-        @dev = parse_letter_version(matches["dev_l"], matches["dev_n"])
-        @local = parse_local_version(matches["local"])
+        @epoch = T.let(matches["epoch"].to_i, Integer)
+        @release_segment = T.let(matches["release"]&.split(".")&.map(&:to_i) || [], T::Array[Integer])
+        @pre = T.let(parse_letter_version(matches["pre_l"], matches["pre_n"]),
+                     T.nilable(T::Array[T.any(String, Integer)]))
+        @post = T.let(
+          parse_letter_version(matches["post_l"], matches["post_n1"] || matches["post_n2"]),
+          T.nilable(T::Array[T.any(String, Integer)])
+        )
+        @dev = T.let(parse_letter_version(matches["dev_l"], matches["dev_n"]),
+                     T.nilable(T::Array[T.any(String, Integer)]))
+        @local = T.let(parse_local_version(matches["local"]), T.nilable(T::Array[T.any(String, Integer)]))
         super(matches["release"] || "")
       end
 
@@ -123,7 +132,6 @@ module Dependabot
       sig { params(other: VersionParameter).returns(Integer) }
       def <=>(other)
         other = Dependabot::Uv::Version.new(other.to_s) unless other.is_a?(Dependabot::Uv::Version)
-        other = T.cast(other, Dependabot::Uv::Version)
 
         epoch_comparison = epoch <=> other.epoch
         return epoch_comparison unless epoch_comparison.zero?
@@ -183,13 +191,13 @@ module Dependabot
           # - Alphanumeric segments sort lexicographically
           # - Numeric segments sort numerically
           # - Shorter versions sort before longer versions when the prefixes match exactly
-          local&.map do |token|
+          T.must(local).map do |token|
             if token.is_a?(Integer)
               [token, ""]
             else
               [NEGATIVE_INFINITY, token]
             end
-          end
+          end.flatten
         end
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.331.0
+  version: 0.333.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.331.0
+        version: 0.333.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.331.0
+        version: 0.333.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -211,14 +211,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -284,7 +284,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.331.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.333.0
 rdoc_options: []
 require_paths:
 - lib