dependabot-uv 0.351.0 → 0.353.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f74cec4813c7f6b11b51b6f73a10db68327ca41a2737e469ba5d9ea3b4612bea
-  data.tar.gz: e17b701d94aeafdca486c2303d23ea3b423eebbddd93d347ce1224160920cab5
+  metadata.gz: c7a64a9814f7e13db97058e97650e562835fd427001c18b08d9d13ff426e0b9f
+  data.tar.gz: f19a7c8dbc8208cfdba09e5f5513b04895b6ff4eb32c5cba0690bb21e2a2db6d
 SHA512:
-  metadata.gz: 32c427d81b22edb5d8b145ced9080a7fca9264e371da8f4a9ff5ca57c89b58f69179b4ade15620e24bb6a5d43194d959489d0c10942b050be8fb5e0c13327121
-  data.tar.gz: 615a296656b8957f897e5b17e3f951b143579bbc08aa8e8c806928bcd3e3349e4f0e3a54f0dcf3b5449fa7c8b6a892677e9a865925ec1fb044094ee35f4de527
+  metadata.gz: ff7a174888fb664c4358198498c99eb6179b23c259297a8693b213609b876b8e8fd3350206e928f10bd51654c6f0a64987b28ad792dab1d72ab813d85574cae4
+  data.tar.gz: a94975fe714eae7eadac990e4ce9c8d996ac4478b0016557245fb5fc2e5745591832f2098d1ca0383bcb7de025cf0e85b047aeefed2baaa8b602e90ac4d0431f

data/helpers/lib/parser.py

@@ -32,7 +32,7 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 next(iter(specifier_set)).operator in {"==", "==="}):
             return next(iter(specifier_set)).version
 
-    def parse_requirement(entry, pyproject_path):
+    def parse_requirement(entry, pyproject_path, requirement_type=None):
         try:
             req = Requirement(entry)
         except InvalidRequirement as e:
@@ -46,14 +46,19 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 "file": pyproject_path,
                 "requirement": str(req.specifier),
                 "extras": sorted(list(req.extras)),
+                "requirement_type": requirement_type,
             }
             return data
 
-    def parse_toml_section_pep621_dependencies(pyproject_path, dependencies):
+    def parse_toml_section_pep621_dependencies(
+        pyproject_path, dependencies, requirement_type=None
+    ):
         requirement_packages = []
 
         for dependency in dependencies:
-            parsed_dependency = parse_requirement(dependency, pyproject_path)
+            parsed_dependency = parse_requirement(
+                dependency, pyproject_path, requirement_type
+            )
             requirement_packages.append(parsed_dependency)
 
         return requirement_packages
@@ -75,7 +80,9 @@ def parse_pep621_pep735_dependencies(pyproject_path):
         for entry in dependencies:
             # Handle direct requirement
             if isinstance(entry, str):
-                parsed_dependency = parse_requirement(entry, pyproject_path)
+                parsed_dependency = parse_requirement(
+                    entry, pyproject_path, group_name
+                )
                 requirement_packages.append(parsed_dependency)
             # Handle include-group directive
             elif isinstance(entry, dict) and "include-group" in entry:
@@ -128,7 +135,8 @@ def parse_pep621_pep735_dependencies(pyproject_path):
         if 'requires' in build_system_section:
             build_system_dependencies = parse_toml_section_pep621_dependencies(
                 pyproject_path,
-                build_system_section['requires']
+                build_system_section['requires'],
+                "build-system"
             )
             dependencies.extend(build_system_dependencies)
 

data/lib/dependabot/uv/file_fetcher/workspace_fetcher.rb

@@ -0,0 +1,210 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "toml-rb"
+require "sorbet-runtime"
+require "dependabot/dependency_file"
+
+module Dependabot
+  module Uv
+    class FileFetcher < Dependabot::FileFetchers::Base
+      class WorkspaceFetcher
+        extend T::Sig
+
+        README_FILENAMES = T.let(%w(README.md README.rst README.txt README).freeze, T::Array[String])
+
+        sig do
+          params(
+            file_fetcher: Dependabot::Uv::FileFetcher,
+            pyproject: T.nilable(Dependabot::DependencyFile)
+          ).void
+        end
+        def initialize(file_fetcher, pyproject)
+          @file_fetcher = file_fetcher
+          @pyproject = pyproject
+          @parsed_pyproject = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def workspace_member_files
+          return [] unless @pyproject
+
+          workspace_member_paths.flat_map do |member_path|
+            member_pyproject = fetch_workspace_member_pyproject(member_path)
+            member_readmes = fetch_readme_files_for(member_path, member_pyproject)
+
+            [member_pyproject] + member_readmes
+          rescue Dependabot::DependencyFileNotFound
+            []
+          end
+        end
+
+        sig { returns(T::Array[{ name: String, file: String }]) }
+        def uv_sources_workspace_dependencies
+          return [] unless @pyproject
+
+          uv_sources = parsed_pyproject.dig("tool", "uv", "sources")
+          return [] unless uv_sources
+
+          uv_sources.filter_map do |name, source_config|
+            if source_config.is_a?(Hash) && source_config["workspace"] == true
+              {
+                name: T.cast(name, String),
+                file: @pyproject.name
+              }
+            end
+          end
+        end
+
+        private
+
+        sig { params(member_path: String).returns(Dependabot::DependencyFile) }
+        def fetch_workspace_member_pyproject(member_path)
+          pyproject_path = clean_path(File.join(member_path, "pyproject.toml"))
+          pyproject_file = fetch_file_from_host(pyproject_path, fetch_submodules: true)
+          pyproject_file.support_file = true
+          pyproject_file
+        end
+
+        sig do
+          params(
+            path: String,
+            pyproject_file: Dependabot::DependencyFile
+          ).returns(T::Array[Dependabot::DependencyFile])
+        end
+        def fetch_readme_files_for(path, pyproject_file)
+          readme_candidates = readme_candidates_from_pyproject(pyproject_file)
+          is_root_project = path == directory
+
+          readme_candidates.filter_map do |filename|
+            file = fetch_readme_file(filename, path, is_root_project)
+            next unless file
+
+            file.support_file = true
+            file
+          rescue Dependabot::DependencyFileNotFound
+            nil
+          end
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          []
+        end
+
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def readme_candidates_from_pyproject(pyproject_file)
+          parsed_content = TomlRB.parse(pyproject_file.content)
+          readme_declaration = parsed_content.dig("project", "readme")
+
+          case readme_declaration
+          when String then [readme_declaration]
+          when Hash
+            readme_declaration["file"].is_a?(String) ? [T.cast(readme_declaration["file"], String)] : README_FILENAMES
+          else
+            README_FILENAMES
+          end
+        end
+
+        sig do
+          params(
+            filename: String,
+            path: String,
+            is_root_project: T::Boolean
+          ).returns(T.nilable(Dependabot::DependencyFile))
+        end
+        def fetch_readme_file(filename, path, is_root_project)
+          if is_root_project
+            fetch_file_if_present(filename)
+          else
+            file_path = clean_path(File.join(path, filename))
+            fetch_file_from_host(file_path, fetch_submodules: true)
+          end
+        end
+
+        sig { returns(T::Array[String]) }
+        def workspace_member_paths
+          return [] unless @pyproject
+
+          members = parsed_pyproject.dig("tool", "uv", "workspace", "members")
+          return [] unless members.is_a?(Array)
+
+          members.grep(String).flat_map { |pattern| expand_workspace_pattern(pattern) }
+        end
+
+        sig { params(pattern: String).returns(T::Array[String]) }
+        def expand_workspace_pattern(pattern)
+          return [pattern] unless pattern.include?("*")
+
+          base_directory = extract_base_directory_from_glob(pattern)
+          directory_paths = fetch_directory_paths_for_matching(base_directory)
+          match_paths_against_pattern(directory_paths, pattern)
+        end
+
+        sig { params(glob_pattern: String).returns(String) }
+        def extract_base_directory_from_glob(glob_pattern)
+          pattern_without_dot_slash = glob_pattern.gsub(%r{^\./}, "")
+          path_before_glob = pattern_without_dot_slash.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
+          path_before_glob.empty? ? "." : path_before_glob.chomp("/")
+        end
+
+        sig { params(base_dir: String).returns(T::Array[String]) }
+        def fetch_directory_paths_for_matching(base_dir)
+          normalized_directory = directory.gsub(%r{(^/|/$)}, "")
+
+          repo_contents(dir: base_dir, raise_errors: false)
+            .select { |file| T.unsafe(file).type == "dir" }
+            .map { |f| T.unsafe(f).path.gsub(%r{^/?#{Regexp.escape(normalized_directory)}/?}, "") }
+        end
+
+        sig { params(paths: T::Array[String], pattern: String).returns(T::Array[String]) }
+        def match_paths_against_pattern(paths, pattern)
+          pattern_without_dot_slash = pattern.gsub(%r{^\./}, "")
+          paths.select { |path| File.fnmatch?(pattern_without_dot_slash, path, File::FNM_PATHNAME) }
+        end
+
+        sig { returns(T::Hash[String, T.untyped]) }
+        def parsed_pyproject
+          cached = @parsed_pyproject
+          return cached if cached
+          return {} unless @pyproject
+
+          @parsed_pyproject = TomlRB.parse(@pyproject.content)
+        end
+
+        # Delegate methods to file_fetcher
+        sig { params(path: T.nilable(T.any(Pathname, String))).returns(String) }
+        def clean_path(path)
+          @file_fetcher.send(:cleanpath, path)
+        end
+
+        sig do
+          params(
+            filename: String,
+            fetch_submodules: T::Boolean
+          ).returns(Dependabot::DependencyFile)
+        end
+        def fetch_file_from_host(filename, fetch_submodules: false)
+          @file_fetcher.send(:fetch_file_from_host, filename, fetch_submodules: fetch_submodules)
+        end
+
+        sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
+        def fetch_file_if_present(filename)
+          @file_fetcher.send(:fetch_file_if_present, filename)
+        end
+
+        sig do
+          params(
+            dir: T.nilable(String),
+            raise_errors: T::Boolean
+          ).returns(T::Array[OpenStruct])
+        end
+        def repo_contents(dir: nil, raise_errors: true)
+          @file_fetcher.send(:repo_contents, dir: dir, raise_errors: raise_errors)
+        end
+
+        sig { returns(String) }
+        def directory
+          @file_fetcher.send(:directory)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_fetcher.rb

@@ -12,6 +12,7 @@ require "dependabot/uv/requirements_file_matcher"
 require "dependabot/uv/requirement_parser"
 require "dependabot/uv/file_parser/pyproject_files_parser"
 require "dependabot/uv/file_parser/python_requirement_parser"
+require "dependabot/uv/file_fetcher/workspace_fetcher"
 require "dependabot/errors"
 require "dependabot/file_filtering"
 
@@ -94,6 +95,7 @@ module Dependabot
 
         fetched_files += uv_lock_files
         fetched_files += project_files
+        fetched_files += workspace_member_files
         fetched_files << python_version_file if python_version_file
 
         uniques = uniq_files(fetched_files)
@@ -119,38 +121,20 @@ module Dependabot
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def readme_files
-        return [] unless pyproject
+      def workspace_member_files
+        workspace_fetcher.workspace_member_files
+      end
 
-        # Attempt to read the readme declaration from the pyproject. Accept both simplified
-        # string form and table form ( { file = "..." } ).
-        readme_decl = nil
-        begin
-          readme_decl = parsed_pyproject.dig("project", "readme")
-        rescue TomlRB::ParseError
-          # If the pyproject is unparseable fail later in parsed_pyproject.
-        end
+      sig { returns(WorkspaceFetcher) }
+      def workspace_fetcher
+        @workspace_fetcher ||= T.let(WorkspaceFetcher.new(self, pyproject), T.nilable(WorkspaceFetcher))
+      end
 
-        candidate_names =
-          case readme_decl
-          when String then [readme_decl]
-          when Hash
-            if readme_decl["file"].is_a?(String)
-              [T.cast(readme_decl["file"], String)]
-            else
-              README_FILENAMES
-            end
-          else
-            README_FILENAMES
-          end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def readme_files
+        return [] unless pyproject
 
-        candidate_names.filter_map do |filename|
-          file = fetch_file_if_present(filename)
-          file.support_file = true if file
-          file
-        rescue Dependabot::DependencyFileNotFound
-          nil
-        end
+        workspace_fetcher.send(:fetch_readme_files_for, directory, T.must(pyproject))
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -472,6 +456,11 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[{ name: String, file: String }]) }
+      def uv_sources_workspace_dependencies
+        workspace_fetcher.uv_sources_workspace_dependencies
+      end
+
       sig { params(path: T.nilable(T.any(Pathname, String))).returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_requirement_files_from_path(path = nil)
         contents = path ? repo_contents(dir: path) : repo_contents

data/lib/dependabot/uv/file_updater/compile_file_updater.rb

@@ -37,6 +37,7 @@ module Dependabot
           "pip._internal.exceptions.InstallationSubprocessError: Getting requirements to build wheel exited with 1",
           String
         )
+        PYTHON_VERSION_REGEX = T.let(/--python-version[=\s]+(?<version>\d+\.\d+(?:\.\d+)?)/, Regexp)
 
         sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
@@ -475,6 +476,8 @@ module Dependabot
             /--index-url=\S+/, "--index-url=<index_url>"
           ).sub(
             /--extra-index-url=\S+/, "--extra-index-url=<extra_index_url>"
+          ).sub(
+            /--python-version=\S+/, "--python-version=<python_version>"
           )
         end
 
@@ -492,21 +495,27 @@ module Dependabot
 
         sig { params(requirements_file: Dependabot::DependencyFile).returns(T::Array[String]) }
         def uv_compile_options_from_compiled_file(requirements_file)
+          content = T.must(requirements_file.content)
           options = ["--output-file=#{requirements_file.name}"]
-          options << "--emit-index-url" if T.must(requirements_file.content).include?("index-url http")
-          options << "--generate-hashes" if T.must(requirements_file.content).include?("--hash=sha")
-          options << "--no-annotate" unless T.must(requirements_file.content).include?("# via ")
-          options << "--pre" if T.must(requirements_file.content).include?("--pre")
-          options << "--no-strip-extras" if T.must(requirements_file.content).include?("--no-strip-extras")
-
-          if T.must(requirements_file.content).include?("--no-binary") ||
-             T.must(requirements_file.content).include?("--only-binary")
-            options << "--emit-build-options"
-          end
+          options << "--emit-index-url" if content.include?("index-url http")
+          options << "--generate-hashes" if content.include?("--hash=sha")
+          options << "--no-annotate" unless content.include?("# via ")
+          options << "--pre" if content.include?("--pre")
+          options << "--no-strip-extras" if content.include?("--no-strip-extras")
+          options << "--emit-build-options" if content.include?("--no-binary") || content.include?("--only-binary")
+          options << "--universal" if content.include?("--universal")
+
+          python_version_option = extract_python_version_option(content)
+          options << python_version_option if python_version_option
+
+          options.compact
+        end
 
-          options << "--universal" if T.must(requirements_file.content).include?("--universal")
+        sig { params(content: String).returns(T.nilable(String)) }
+        def extract_python_version_option(content)
+          return unless (match = PYTHON_VERSION_REGEX.match(content))
 
-          options
+          "--python-version=#{match[:version]}"
         end
 
         sig { returns(T::Array[String]) }

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -12,10 +12,12 @@ require "dependabot/uv/file_parser/python_requirement_parser"
 require "dependabot/uv/file_updater"
 require "dependabot/uv/native_helpers"
 require "dependabot/uv/name_normaliser"
+require "dependabot/uv/requirement_suffix_helper"
 
 module Dependabot
   module Uv
     class FileUpdater
+      # rubocop:disable Metrics/ClassLength
       class LockFileUpdater
         extend T::Sig
 
@@ -73,6 +75,16 @@ module Dependabot
           T.must(dependencies.first)
         end
 
+        sig { returns(T::Boolean) }
+        def build_system_only_dependency?
+          return false unless dependency
+
+          groups = T.must(dependency).requirements.flat_map { |req| req[:groups] || [] }.compact.uniq
+          return false if groups.empty?
+
+          groups.all?("build-system")
+        end
+
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         def fetch_updated_dependency_files
           return [] unless create_or_update_lock_file?
@@ -87,9 +99,10 @@ module Dependabot
               )
           end
 
-          if lockfile
+          if lockfile && !build_system_only_dependency?
             # Use updated_lockfile_content which might raise if the lockfile doesn't change
             new_content = updated_lockfile_content
+
             raise "Expected lockfile to change!" if T.must(lockfile).content == new_content
 
             updated_files << updated_file(file: T.must(lockfile), content: new_content)
@@ -127,7 +140,7 @@ module Dependabot
         def replace_dep(dep, content, new_r, old_r)
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
-          escaped_name = Regexp.escape(dep.name)
+          escaped_name = escape_package_name(dep.name)
 
           regex = /(["']#{escaped_name})([^"']+)(["'])/x
 
@@ -136,17 +149,23 @@ module Dependabot
           updated_content = content.gsub(regex) do
             captured_requirement = Regexp.last_match(2)
 
-            if requirements_match?(T.must(captured_requirement), old_req)
+            requirement_body, suffix = RequirementSuffixHelper.split(T.must(captured_requirement))
+
+            next Regexp.last_match(0) unless old_req
+
+            if requirements_match?(T.must(requirement_body), old_req)
               replaced = true
-              "#{Regexp.last_match(1)}#{new_req}#{Regexp.last_match(3)}"
+              "#{Regexp.last_match(1)}#{new_req}#{suffix}#{Regexp.last_match(3)}"
             else
               Regexp.last_match(0)
             end
           end
-
           unless replaced
             updated_content = content.sub(regex) do
-              "#{Regexp.last_match(1)}#{new_req}#{Regexp.last_match(3)}"
+              captured_requirement = Regexp.last_match(2)
+              _, suffix = RequirementSuffixHelper.split(T.must(captured_requirement))
+
+              "#{Regexp.last_match(1)}#{new_req}#{suffix}#{Regexp.last_match(3)}"
             end
           end
 
@@ -155,11 +174,12 @@ module Dependabot
 
         sig { params(req1: String, req2: String).returns(T::Boolean) }
         def requirements_match?(req1, req2)
-          normalize = lambda do |req|
-            req.split(",").map(&:strip).sort.join(",")
-          end
+          normalized_requirement(req1) == normalized_requirement(req2)
+        end
 
-          normalize.call(req1) == normalize.call(req2)
+        sig { params(req: String).returns(String) }
+        def normalized_requirement(req)
+          req.split(",").map(&:strip).sort.join(",")
         end
 
         sig { returns(String) }
@@ -374,8 +394,9 @@ module Dependabot
         end
 
         sig { params(name: T.any(String, Symbol)).returns(String) }
-        def escape(name)
-          Regexp.escape(name).gsub("\\-", "[-_.]")
+        def escape_package_name(name)
+          # Per PEP 503, Python package names normalize -, _, and . to the same character
+          Regexp.escape(name).gsub(/\\[-_.]/, "[-_.]")
         end
 
         sig { params(file: T.nilable(DependencyFile)).returns(T::Boolean) }
@@ -456,9 +477,12 @@ module Dependabot
 
         sig { returns(T::Boolean) }
         def create_or_update_lock_file?
+          return true if lockfile && T.must(dependency).requirements.empty?
+
           T.must(dependency).requirements.select { _1[:file].end_with?(*REQUIRED_FILES) }.any?
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/uv/requirement_suffix_helper.rb

@@ -0,0 +1,29 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Uv
+    module RequirementSuffixHelper
+      extend T::Sig
+
+      REQUIREMENT_SUFFIX_REGEX = T.let(
+        Regexp.new(
+          "\\A(?<requirement>.*?)(?<suffix>\\s*(?:;|#).*)?\\z",
+          Regexp::MULTILINE
+        ).freeze,
+        Regexp
+      )
+
+      sig { params(segment: String).returns(T::Array[String]) }
+      def self.split(segment)
+        match = REQUIREMENT_SUFFIX_REGEX.match(segment)
+        requirement = match ? match[:requirement] : segment
+        suffix = match&.[](:suffix) || ""
+
+        [T.must(requirement).strip, suffix]
+      end
+    end
+  end
+end

data/lib/dependabot/uv/update_checker/lock_file_resolver.rb

@@ -6,6 +6,7 @@ require "sorbet-runtime"
 require "dependabot/uv/version"
 require "dependabot/uv/requirement"
 require "dependabot/uv/update_checker"
+require "dependabot/uv/update_checker/latest_version_finder"
 
 module Dependabot
   module Uv
@@ -18,14 +19,25 @@ module Dependabot
             dependency: Dependabot::Dependency,
             dependency_files: T::Array[Dependabot::DependencyFile],
             credentials: T::Array[Dependabot::Credential],
-            repo_contents_path: T.nilable(String)
+            repo_contents_path: T.nilable(String),
+            security_advisories: T::Array[Dependabot::SecurityAdvisory],
+            ignored_versions: T::Array[String]
           ).void
         end
-        def initialize(dependency:, dependency_files:, credentials:, repo_contents_path: nil)
+        def initialize(
+          dependency:,
+          dependency_files:,
+          credentials:,
+          repo_contents_path: nil,
+          security_advisories: [],
+          ignored_versions: []
+        )
           @dependency = dependency
           @dependency_files = dependency_files
           @credentials = credentials
           @repo_contents_path = repo_contents_path
+          @security_advisories = security_advisories
+          @ignored_versions = ignored_versions
         end
 
         sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Uv::Version)) }
@@ -50,7 +62,12 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::Uv::Version)) }
         def lowest_resolvable_security_fix_version
-          nil
+          # Delegate to LatestVersionFinder which handles security advisory filtering
+          fix_version = latest_version_finder.lowest_security_fix_version
+          return nil if fix_version.nil?
+
+          # Return the fix version cast to Uv::Version
+          Uv::Version.new(fix_version.to_s)
         end
 
         private
@@ -66,6 +83,27 @@ module Dependabot
 
         sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+
+        sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
+        attr_reader :security_advisories
+
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+
+        sig { returns(LatestVersionFinder) }
+        def latest_version_finder
+          @latest_version_finder ||= T.let(
+            LatestVersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions,
+              security_advisories: security_advisories,
+              raise_on_ignored: false
+            ),
+            T.nilable(LatestVersionFinder)
+          )
+        end
       end
     end
   end

data/lib/dependabot/uv/update_checker/pip_compile_version_resolver.rb

@@ -39,6 +39,7 @@ module Dependabot
         RESOLUTION_IMPOSSIBLE_ERROR = T.let("ResolutionImpossible", String)
         ERROR_REGEX = T.let(/(?<=ERROR\:\W).*$/, Regexp)
         UV_UNRESOLVABLE_REGEX = T.let(/ × No solution found when resolving dependencies:[\s\S]*$/, Regexp)
+        PYTHON_VERSION_REGEX = T.let(/--python-version[=\s]+(?<version>\d+\.\d+(?:\.\d+)?)/, Regexp)
 
         sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
@@ -272,6 +273,8 @@ module Dependabot
             /--index-url=\S+/, "--index-url=<index_url>"
           ).sub(
             /--extra-index-url=\S+/, "--extra-index-url=<extra_index_url>"
+          ).sub(
+            /--python-version=\S+/, "--python-version=<python_version>"
           )
         end
 
@@ -342,10 +345,19 @@ module Dependabot
 
           options << "--universal" if T.must(requirements_file.content).include?("--universal")
 
-          options
+          options << extract_python_version_option(requirements_file)
+
+          options.compact
         end
         # rubocop:enable Metrics/AbcSize
 
+        sig { params(requirements_file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+        def extract_python_version_option(requirements_file)
+          return unless (match = PYTHON_VERSION_REGEX.match(T.must(requirements_file.content)))
+
+          "--python-version=#{match[:version]}"
+        end
+
         sig { returns(T::Hash[String, String]) }
         def python_env
           env = {}

data/lib/dependabot/uv/update_checker.rb

@@ -127,7 +127,12 @@ module Dependabot
         fix_version = lowest_security_fix_version
         return latest_resolvable_version if fix_version.nil?
 
-        return resolver.lowest_resolvable_security_fix_version if resolver_type == :requirements
+        # For requirements and lock_file resolver types, delegate to the resolver
+        if resolver_type == :requirements || resolver_type == :lock_file
+          resolved_fix = resolver.lowest_resolvable_security_fix_version
+          # If no security fix version is found, fall back to latest_resolvable_version
+          return resolved_fix || latest_resolvable_version
+        end
 
         resolver.resolvable?(version: fix_version) ? fix_version : nil
       end
@@ -216,7 +221,9 @@ module Dependabot
             dependency: dependency,
             dependency_files: dependency_files,
             credentials: credentials,
-            repo_contents_path: repo_contents_path
+            repo_contents_path: repo_contents_path,
+            security_advisories: security_advisories,
+            ignored_versions: ignored_versions
           ),
           T.nilable(LockFileResolver)
         )

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.351.0
+  version: 0.353.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -264,6 +264,7 @@ files:
 - lib/dependabot/uv.rb
 - lib/dependabot/uv/authed_url_builder.rb
 - lib/dependabot/uv/file_fetcher.rb
+- lib/dependabot/uv/file_fetcher/workspace_fetcher.rb
 - lib/dependabot/uv/file_parser.rb
 - lib/dependabot/uv/file_parser/pyproject_files_parser.rb
 - lib/dependabot/uv/file_parser/python_requirement_parser.rb
@@ -282,6 +283,7 @@ files:
 - lib/dependabot/uv/package_manager.rb
 - lib/dependabot/uv/requirement.rb
 - lib/dependabot/uv/requirement_parser.rb
+- lib/dependabot/uv/requirement_suffix_helper.rb
 - lib/dependabot/uv/requirements_file_matcher.rb
 - lib/dependabot/uv/update_checker.rb
 - lib/dependabot/uv/update_checker/latest_version_finder.rb
@@ -295,7 +297,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.351.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.353.0
 rdoc_options: []
 require_paths:
 - lib