dependabot-uv 0.350.0 → 0.352.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b23c5beac181aafb8e92f670984121a88254da3a1804dbd7891e9e6bc274b84c
-  data.tar.gz: c5007c5452b38eac6210eac2df08635c69e3ed7fb7410e8173e9964678902d9b
+  metadata.gz: 2182d20a6869566befc86859bd0260cbe23c3ce48b128c95c82ec5713af9f25b
+  data.tar.gz: 0c7a49f6debe6d304cc07854636139d2504a9bd74baa1c72ff08a072b2ddea7c
 SHA512:
-  metadata.gz: f646e21b2dd5f869a1fc56a48ab0f04051d202b4efc6f98a4d3dd2efca28526ffae66068ee3d59fd2ad5e03ad243db060ddcc703df018cefb4c1f06369043887
-  data.tar.gz: e5044b7cd9b6bb4f3a8273309e1d20a0ffb784aa5c5b92401f28e0a885cef9ac239ee2e4a51fdff6978425644529e705a835b8d58932bd45aae92e47d9dfc3e5
+  metadata.gz: ee6297977b3276e5d0661dfa1fc1400100a86dfacc0e916adef15ce504f9adb5707db9214c5ee017147202c8c2104333a9bf6c7f351fdd1ce8577e7b88d005ba
+  data.tar.gz: b71b17c588efbd34281a174f229657173f924cdba4194ebb8073a37b3e2b7e37cdeec7effa71da66807291f0d455f76d3da8e8ab2ff560b4e35cbdab60f6781a

data/helpers/lib/parser.py

@@ -32,7 +32,7 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 next(iter(specifier_set)).operator in {"==", "==="}):
             return next(iter(specifier_set)).version
 
-    def parse_requirement(entry, pyproject_path):
+    def parse_requirement(entry, pyproject_path, requirement_type=None):
         try:
             req = Requirement(entry)
         except InvalidRequirement as e:
@@ -46,14 +46,19 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 "file": pyproject_path,
                 "requirement": str(req.specifier),
                 "extras": sorted(list(req.extras)),
+                "requirement_type": requirement_type,
             }
             return data
 
-    def parse_toml_section_pep621_dependencies(pyproject_path, dependencies):
+    def parse_toml_section_pep621_dependencies(
+        pyproject_path, dependencies, requirement_type=None
+    ):
         requirement_packages = []
 
         for dependency in dependencies:
-            parsed_dependency = parse_requirement(dependency, pyproject_path)
+            parsed_dependency = parse_requirement(
+                dependency, pyproject_path, requirement_type
+            )
             requirement_packages.append(parsed_dependency)
 
         return requirement_packages
@@ -75,7 +80,9 @@ def parse_pep621_pep735_dependencies(pyproject_path):
         for entry in dependencies:
             # Handle direct requirement
             if isinstance(entry, str):
-                parsed_dependency = parse_requirement(entry, pyproject_path)
+                parsed_dependency = parse_requirement(
+                    entry, pyproject_path, group_name
+                )
                 requirement_packages.append(parsed_dependency)
             # Handle include-group directive
             elif isinstance(entry, dict) and "include-group" in entry:
@@ -128,7 +135,8 @@ def parse_pep621_pep735_dependencies(pyproject_path):
         if 'requires' in build_system_section:
             build_system_dependencies = parse_toml_section_pep621_dependencies(
                 pyproject_path,
-                build_system_section['requires']
+                build_system_section['requires'],
+                "build-system"
             )
             dependencies.extend(build_system_dependencies)
 

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -12,10 +12,12 @@ require "dependabot/uv/file_parser/python_requirement_parser"
 require "dependabot/uv/file_updater"
 require "dependabot/uv/native_helpers"
 require "dependabot/uv/name_normaliser"
+require "dependabot/uv/requirement_suffix_helper"
 
 module Dependabot
   module Uv
     class FileUpdater
+      # rubocop:disable Metrics/ClassLength
       class LockFileUpdater
         extend T::Sig
 
@@ -73,6 +75,16 @@ module Dependabot
           T.must(dependencies.first)
         end
 
+        sig { returns(T::Boolean) }
+        def build_system_only_dependency?
+          return false unless dependency
+
+          groups = T.must(dependency).requirements.flat_map { |req| req[:groups] || [] }.compact.uniq
+          return false if groups.empty?
+
+          groups.all?("build-system")
+        end
+
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         def fetch_updated_dependency_files
           return [] unless create_or_update_lock_file?
@@ -87,9 +99,10 @@ module Dependabot
               )
           end
 
-          if lockfile
+          if lockfile && !build_system_only_dependency?
             # Use updated_lockfile_content which might raise if the lockfile doesn't change
             new_content = updated_lockfile_content
+
             raise "Expected lockfile to change!" if T.must(lockfile).content == new_content
 
             updated_files << updated_file(file: T.must(lockfile), content: new_content)
@@ -136,17 +149,23 @@ module Dependabot
           updated_content = content.gsub(regex) do
             captured_requirement = Regexp.last_match(2)
 
-            if requirements_match?(T.must(captured_requirement), old_req)
+            requirement_body, suffix = RequirementSuffixHelper.split(T.must(captured_requirement))
+
+            next Regexp.last_match(0) unless old_req
+
+            if requirements_match?(T.must(requirement_body), old_req)
               replaced = true
-              "#{Regexp.last_match(1)}#{new_req}#{Regexp.last_match(3)}"
+              "#{Regexp.last_match(1)}#{new_req}#{suffix}#{Regexp.last_match(3)}"
             else
               Regexp.last_match(0)
             end
           end
-
           unless replaced
             updated_content = content.sub(regex) do
-              "#{Regexp.last_match(1)}#{new_req}#{Regexp.last_match(3)}"
+              captured_requirement = Regexp.last_match(2)
+              _, suffix = RequirementSuffixHelper.split(T.must(captured_requirement))
+
+              "#{Regexp.last_match(1)}#{new_req}#{suffix}#{Regexp.last_match(3)}"
             end
           end
 
@@ -155,11 +174,12 @@ module Dependabot
 
         sig { params(req1: String, req2: String).returns(T::Boolean) }
         def requirements_match?(req1, req2)
-          normalize = lambda do |req|
-            req.split(",").map(&:strip).sort.join(",")
-          end
+          normalized_requirement(req1) == normalized_requirement(req2)
+        end
 
-          normalize.call(req1) == normalize.call(req2)
+        sig { params(req: String).returns(String) }
+        def normalized_requirement(req)
+          req.split(",").map(&:strip).sort.join(",")
         end
 
         sig { returns(String) }
@@ -285,7 +305,13 @@ module Dependabot
           options_fingerprint = lock_options_fingerprint(options)
 
           # Use pyenv exec to ensure we're using the correct Python environment
-          command = "pyenv exec uv lock --upgrade-package #{T.must(dependency).name} #{options}"
+          # Include the target version to respect ignore conditions and avoid upgrading
+          # to the absolute latest version (which may be blocked by ignore rules)
+          dep_name = T.must(dependency).name
+          dep_version = T.must(dependency).version
+          package_spec = dep_version ? "#{dep_name}==#{dep_version}" : dep_name
+
+          command = "pyenv exec uv lock --upgrade-package #{package_spec} #{options}"
           fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> #{options_fingerprint}"
 
           run_command(command, fingerprint:)
@@ -453,6 +479,7 @@ module Dependabot
           T.must(dependency).requirements.select { _1[:file].end_with?(*REQUIRED_FILES) }.any?
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/uv/language.rb

@@ -1,84 +1,14 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "sorbet-runtime"
-require "dependabot/uv/version"
-require "dependabot/ecosystem"
+require "dependabot/python/language"
 
 module Dependabot
   module Uv
-    LANGUAGE = "python"
-
-    class Language < Dependabot::Ecosystem::VersionManager
-      extend T::Sig
-
-      # This list must match the versions specified at the top of `uv/Dockerfile`
-      # ARG PY_3_13=3.13.2
-      # When updating this list, also update python/lib/dependabot/python/language.rb
-      PRE_INSTALLED_PYTHON_VERSIONS_RAW = %w(
-        3.14.0
-        3.13.9
-        3.12.12
-        3.11.14
-        3.10.19
-        3.9.24
-      ).freeze
-
-      PRE_INSTALLED_PYTHON_VERSIONS = T.let(
-        PRE_INSTALLED_PYTHON_VERSIONS_RAW.map do |v|
-          Version.new(v)
-        end.sort,
-        T::Array[Version]
-      )
-
-      PRE_INSTALLED_VERSIONS_MAP = T.let(
-        PRE_INSTALLED_PYTHON_VERSIONS.to_h do |v|
-          [Version.new(T.must(v.segments[0..1]).join(".")), v]
-        end,
-        T::Hash[Version, Version]
-      )
-
-      PRE_INSTALLED_HIGHEST_VERSION = T.let(T.must(PRE_INSTALLED_PYTHON_VERSIONS.max), Version)
-
-      SUPPORTED_VERSIONS = T.let(
-        PRE_INSTALLED_PYTHON_VERSIONS.map do |v|
-          Version.new(T.must(v.segments[0..1]&.join(".")))
-        end,
-        T::Array[Version]
-      )
-
-      NON_SUPPORTED_HIGHEST_VERSION = "3.8"
-
-      DEPRECATED_VERSIONS = T.let([Version.new(NON_SUPPORTED_HIGHEST_VERSION)].freeze, T::Array[Dependabot::Version])
-
-      sig do
-        params(
-          detected_version: T.nilable(String),
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(detected_version:, raw_version: nil, requirement: nil)
-        super(
-          name: LANGUAGE,
-          detected_version: detected_version ? major_minor_version(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
-          deprecated_versions: DEPRECATED_VERSIONS,
-          supported_versions: SUPPORTED_VERSIONS,
-          requirement: requirement,
-       )
-      end
-
-      private
-
-      sig { params(version: String).returns(T.nilable(Version)) }
-      def major_minor_version(version)
-        return nil if version.empty?
-
-        major_minor = T.let(T.must(Version.new(version).segments[0..1]&.join(".")), String)
-
-        Version.new(major_minor)
-      end
-    end
+    # Both uv and Python ecosystems use the same Python language versions.
+    # The Python version list is maintained in python/lib/dependabot/python/language.rb
+    # and shared via this alias to avoid dual-maintenance.
+    LANGUAGE = Python::LANGUAGE
+    Language = Python::Language
   end
 end

data/lib/dependabot/uv/language_version_manager.rb

@@ -1,138 +1,13 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
-require "dependabot/logger"
-require "dependabot/uv/version"
-require "sorbet-runtime"
+require "dependabot/python/language_version_manager"
 
 module Dependabot
   module Uv
-    class LanguageVersionManager
-      extend T::Sig
-
-      sig { params(python_requirement_parser: T.untyped).void }
-      def initialize(python_requirement_parser:)
-        @python_requirement_parser = python_requirement_parser
-      end
-
-      sig { returns(T.nilable(String)) }
-      def install_required_python
-        # The leading space is important in the version check
-        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_major_minor}.")
-
-        SharedHelpers.run_shell_command(
-          "tar -axf /usr/local/.pyenv/versions/#{python_version}.tar.zst -C /usr/local/.pyenv/versions"
-        )
-      end
-
-      sig { returns(String) }
-      def installed_version
-        # Use `pyenv exec` to query the active Python version
-        output, _status = SharedHelpers.run_shell_command("pyenv exec python --version")
-        version = output.strip.split.last # Extract the version number (e.g., "3.13.1")
-
-        T.must(version)
-      end
-
-      sig { returns(T.untyped) }
-      def python_major_minor
-        @python_major_minor ||= T.let(T.must(Version.new(python_version).segments[0..1]).join("."), T.untyped)
-      end
-
-      sig { returns(String) }
-      def python_version
-        @python_version ||= T.let(python_version_from_supported_versions, T.nilable(String))
-      end
-
-      sig { returns(String) }
-      def python_requirement_string
-        if user_specified_python_version
-          if user_specified_python_version.start_with?(/\d/)
-            parts = user_specified_python_version.split(".")
-            parts.fill("*", (parts.length)..2).join(".")
-          else
-            user_specified_python_version
-          end
-        else
-          python_version_matching_imputed_requirements || Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
-        end
-      end
-
-      sig { params(requirement_string: T.nilable(String)).returns(T.nilable(String)) }
-      def normalize_python_exact_version(requirement_string)
-        return requirement_string if requirement_string.nil? || requirement_string.strip.empty?
-
-        requirement_string = requirement_string.strip
-
-        # If the requirement already has a wildcard, return nil
-        return nil if requirement_string == "*"
-
-        # If the requirement is not an exact version such as not X.Y.Z, =X.Y.Z, ==X.Y.Z, ===X.Y.Z
-        # then return the requirement as is
-        return requirement_string unless requirement_string.match?(/^=?={0,2}\s*\d+\.\d+(\.\d+)?(-[a-z0-9.-]+)?$/i)
-
-        parts = requirement_string.gsub(/^=+/, "").split(".")
-
-        case parts.length
-        when 1 # Only major version (X)
-          ">= #{parts[0]}.0.0 < #{parts[0].to_i + 1}.0.0" # Ensure only major version range
-        when 2 # Major.Minor (X.Y)
-          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Ensure only minor version range
-        when 3 # Major.Minor.Patch (X.Y.Z)
-          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Convert to >= X.Y.0
-        else
-          requirement_string
-        end
-      end
-
-      sig { returns(String) }
-      def python_version_from_supported_versions
-        requirement_string = python_requirement_string
-
-        # If the requirement string isn't already a range (eg ">3.10"), coerce it to "major.minor.*".
-        # The patch version is ignored because a non-matching patch version is unlikely to affect resolution.
-        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if /^\d/.match?(requirement_string)
-
-        requirement_string = normalize_python_exact_version(requirement_string)
-
-        if requirement_string.nil? || requirement_string.strip.empty?
-          return Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
-        end
-
-        # Try to match one of our pre-installed Python versions
-        requirement = T.must(Requirement.requirements_array(requirement_string).first)
-        version = Language::PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(v) }
-        return version.to_s if version
-
-        # Otherwise we have to raise an error
-        supported_versions = Language::SUPPORTED_VERSIONS.map { |v| "#{v}.*" }.join(", ")
-        raise ToolVersionNotSupported.new("Python", python_requirement_string, supported_versions)
-      end
-
-      sig { returns(T.untyped) }
-      def user_specified_python_version
-        @python_requirement_parser.user_specified_requirements.first
-      end
-
-      sig { returns(T.nilable(String)) }
-      def python_version_matching_imputed_requirements
-        compiled_file_python_requirement_markers =
-          @python_requirement_parser.imputed_requirements.map do |r|
-            Requirement.new(r)
-          end
-        python_version_matching(compiled_file_python_requirement_markers)
-      end
-
-      sig { params(requirements: T.untyped).returns(T.nilable(String)) }
-      def python_version_matching(requirements)
-        Language::PRE_INSTALLED_PYTHON_VERSIONS.find do |version|
-          requirements.all? do |req|
-            next req.any? { |r| r.satisfied_by?(version) } if req.is_a?(Array)
-
-            req.satisfied_by?(version)
-          end
-        end.to_s
-      end
-    end
+    # Uv and Python ecosystems share the same Python version management logic.
+    # This alias ensures uv benefits from improvements in Python's implementation,
+    # including bug fixes like the guard clause in python_version_matching_imputed_requirements.
+    LanguageVersionManager = Python::LanguageVersionManager
   end
 end

data/lib/dependabot/uv/native_helpers.rb

@@ -1,38 +1,12 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "sorbet-runtime"
+require "dependabot/python/native_helpers"
 
 module Dependabot
   module Uv
-    module NativeHelpers
-      extend T::Sig
-
-      sig { returns(String) }
-      def self.python_helper_path
-        clean_path(File.join(python_helpers_dir, "run.py"))
-      end
-
-      sig { returns(String) }
-      def self.python_requirements_path
-        clean_path(File.join(python_helpers_dir, "requirements.txt"))
-      end
-
-      sig { returns(String) }
-      def self.python_helpers_dir
-        File.join(native_helpers_root, "python")
-      end
-
-      sig { returns(String) }
-      def self.native_helpers_root
-        default_path = File.join(__dir__, "../../../..")
-        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
-      end
-
-      sig { params(path: T.nilable(String)).returns(String) }
-      def self.clean_path(path)
-        Pathname.new(path).cleanpath.to_path
-      end
-    end
+    # Uv and Python ecosystems share the same native Python helpers.
+    # Both point to the same helpers/python directory.
+    NativeHelpers = Python::NativeHelpers
   end
 end

data/lib/dependabot/uv/package.rb

@@ -0,0 +1,27 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/python/package/package_registry_finder"
+require "dependabot/python/package/package_details_fetcher"
+
+module Dependabot
+  module Uv
+    # UV uses the same Python package registry handling (PyPI)
+    module Package
+      # Re-export constants from Python::Package for backward compatibility
+      CREDENTIALS_USERNAME = Python::Package::CREDENTIALS_USERNAME
+      CREDENTIALS_PASSWORD = Python::Package::CREDENTIALS_PASSWORD
+      APPLICATION_JSON = Python::Package::APPLICATION_JSON
+      APPLICATION_TEXT = Python::Package::APPLICATION_TEXT
+      CPYTHON = Python::Package::CPYTHON
+      PYTHON = Python::Package::PYTHON
+      UNKNOWN = Python::Package::UNKNOWN
+      MAIN_PYPI_INDEXES = Python::Package::MAIN_PYPI_INDEXES
+      VERSION_REGEX = Python::Package::VERSION_REGEX
+
+      PackageRegistryFinder = Dependabot::Python::Package::PackageRegistryFinder
+      PackageDetailsFetcher = Dependabot::Python::Package::PackageDetailsFetcher
+    end
+  end
+end

data/lib/dependabot/uv/requirement_suffix_helper.rb

@@ -0,0 +1,29 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    module RequirementSuffixHelper
+      extend T::Sig
+
+      REQUIREMENT_SUFFIX_REGEX = T.let(
+        Regexp.new(
+          "\\A(?<requirement>.*?)(?<suffix>\\s*(?:;|#).*)?\\z",
+          Regexp::MULTILINE
+        ).freeze,
+        Regexp
+      )
+
+      sig { params(segment: String).returns(T::Array[String]) }
+      def self.split(segment)
+        match = REQUIREMENT_SUFFIX_REGEX.match(segment)
+        requirement = match ? match[:requirement] : segment
+        suffix = match&.[](:suffix) || ""
+
+        [T.must(requirement).strip, suffix]
+      end
+    end
+  end
+end

data/lib/dependabot/uv/update_checker/latest_version_finder.rb

@@ -1,24 +1,15 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "cgi"
-require "excon"
-require "nokogiri"
 require "sorbet-runtime"
-
-require "dependabot/dependency"
 require "dependabot/uv/update_checker"
-require "dependabot/update_checkers/version_filters"
-require "dependabot/registry_client"
-require "dependabot/uv/authed_url_builder"
-require "dependabot/uv/name_normaliser"
-require "dependabot/uv/package/package_registry_finder"
-require "dependabot/uv/package/package_details_fetcher"
+require "dependabot/uv/package"
 require "dependabot/package/package_latest_version_finder"
 
 module Dependabot
   module Uv
     class UpdateChecker
+      # UV uses the same PyPI registry for package lookups as Python
       class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
@@ -26,11 +17,14 @@ module Dependabot
           override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
         def package_details
-          @package_details ||= Package::PackageDetailsFetcher.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            credentials: credentials
-          ).fetch
+          @package_details ||= T.let(
+            Package::PackageDetailsFetcher.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            ).fetch,
+            T.nilable(Dependabot::Package::PackageDetails)
+          )
         end
 
         sig { override.returns(T::Boolean) }

data/lib/dependabot/uv/update_checker/lock_file_resolver.rb

@@ -6,6 +6,7 @@ require "sorbet-runtime"
 require "dependabot/uv/version"
 require "dependabot/uv/requirement"
 require "dependabot/uv/update_checker"
+require "dependabot/uv/update_checker/latest_version_finder"
 
 module Dependabot
   module Uv
@@ -18,14 +19,25 @@ module Dependabot
             dependency: Dependabot::Dependency,
             dependency_files: T::Array[Dependabot::DependencyFile],
             credentials: T::Array[Dependabot::Credential],
-            repo_contents_path: T.nilable(String)
+            repo_contents_path: T.nilable(String),
+            security_advisories: T::Array[Dependabot::SecurityAdvisory],
+            ignored_versions: T::Array[String]
           ).void
         end
-        def initialize(dependency:, dependency_files:, credentials:, repo_contents_path: nil)
+        def initialize(
+          dependency:,
+          dependency_files:,
+          credentials:,
+          repo_contents_path: nil,
+          security_advisories: [],
+          ignored_versions: []
+        )
           @dependency = dependency
           @dependency_files = dependency_files
           @credentials = credentials
           @repo_contents_path = repo_contents_path
+          @security_advisories = security_advisories
+          @ignored_versions = ignored_versions
         end
 
         sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Uv::Version)) }
@@ -50,7 +62,12 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::Uv::Version)) }
         def lowest_resolvable_security_fix_version
-          nil
+          # Delegate to LatestVersionFinder which handles security advisory filtering
+          fix_version = latest_version_finder.lowest_security_fix_version
+          return nil if fix_version.nil?
+
+          # Return the fix version cast to Uv::Version
+          Uv::Version.new(fix_version.to_s)
         end
 
         private
@@ -66,6 +83,27 @@ module Dependabot
 
         sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+
+        sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
+        attr_reader :security_advisories
+
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+
+        sig { returns(LatestVersionFinder) }
+        def latest_version_finder
+          @latest_version_finder ||= T.let(
+            LatestVersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions,
+              security_advisories: security_advisories,
+              raise_on_ignored: false
+            ),
+            T.nilable(LatestVersionFinder)
+          )
+        end
       end
     end
   end

data/lib/dependabot/uv/update_checker.rb

@@ -127,7 +127,12 @@ module Dependabot
         fix_version = lowest_security_fix_version
         return latest_resolvable_version if fix_version.nil?
 
-        return resolver.lowest_resolvable_security_fix_version if resolver_type == :requirements
+        # For requirements and lock_file resolver types, delegate to the resolver
+        if resolver_type == :requirements || resolver_type == :lock_file
+          resolved_fix = resolver.lowest_resolvable_security_fix_version
+          # If no security fix version is found, fall back to latest_resolvable_version
+          return resolved_fix || latest_resolvable_version
+        end
 
         resolver.resolvable?(version: fix_version) ? fix_version : nil
       end
@@ -216,7 +221,9 @@ module Dependabot
             dependency: dependency,
             dependency_files: dependency_files,
             credentials: credentials,
-            repo_contents_path: repo_contents_path
+            repo_contents_path: repo_contents_path,
+            security_advisories: security_advisories,
+            ignored_versions: ignored_versions
           ),
           T.nilable(LockFileResolver)
         )