dependabot-uv 0.356.0 → 0.358.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d86ed84b5d9b47a421b7274955257417ee58559cbb67eaa40577daf3860a6207
-  data.tar.gz: caaf52d0e3e41c6069068f4ff57dec63bc0875fecbef986c584dc91eb9d4305c
+  metadata.gz: b61cf200acbd26b1c5b680d31b17cee5ef1fa9a80b79d7be51907f325fe32b75
+  data.tar.gz: 5cd07c0084c8d303ffa2354338b378ae0fd180d89a0970b52b37d66d9b8775c8
 SHA512:
-  metadata.gz: bb666f33ce0bb0f7540ca5d071043e6540acae1bd95cb70d3a153ec3c573ce88535e82d352aedd90b2da1a71169fe04cd77a43920f4c2bab271e87e21bdc6069
-  data.tar.gz: 6c7e22a137622e1cbd5a2c0415b973da7d412e812ee785172c9ba2191b91788ff9de087703197a41457b58a67688baf0912f407cb9b5008b43b210020f986452
+  metadata.gz: 0eb042e953613765d8d4192dd9867167f47bcc70e8299a761799a98b34e321cc0e6159ee723372adee219daf6dc9c4fcac05203bc1386611e1be4f58d052fe46
+  data.tar.gz: d4e86f346d77bca9ebc40a729cab00822647880b4ffe2c18eadeb9a6be7e064b9b50aca14baf69e1c8cb13c0aec30598c5eb5ce1b7e1de084c779dfab242c150

data/lib/dependabot/uv/file_fetcher/workspace_fetcher.rb

@@ -40,6 +40,30 @@ module Dependabot
           end
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def version_source_files
+          return [] unless @pyproject
+
+          workspace_member_paths.flat_map do |member_path|
+            member_pyproject = fetch_workspace_member_pyproject(member_path)
+            fetch_version_source_files_for(member_path, member_pyproject)
+          rescue Dependabot::DependencyFileNotFound
+            []
+          end
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def license_files
+          return [] unless @pyproject
+
+          workspace_member_paths.flat_map do |member_path|
+            member_pyproject = fetch_workspace_member_pyproject(member_path)
+            fetch_license_files_for(member_path, member_pyproject)
+          rescue Dependabot::DependencyFileNotFound
+            []
+          end
+        end
+
         sig { returns(T::Array[{ name: String, file: String }]) }
         def uv_sources_workspace_dependencies
           return [] unless @pyproject
@@ -120,6 +144,108 @@ module Dependabot
           end
         end
 
+        sig do
+          params(
+            path: String,
+            pyproject_file: Dependabot::DependencyFile
+          ).returns(T::Array[Dependabot::DependencyFile])
+        end
+        def fetch_version_source_files_for(path, pyproject_file)
+          version_paths = extract_version_source_paths(pyproject_file)
+
+          version_paths.filter_map do |version_path|
+            resolved_path = resolve_support_file_path(version_path, path)
+            next unless resolved_path
+            next unless path_within_repo?(resolved_path)
+
+            file = fetch_file_from_host(resolved_path, fetch_submodules: true)
+
+            file.support_file = true
+            file
+          rescue Dependabot::DependencyFileNotFound
+            Dependabot.logger.info("Version source file not found: #{resolved_path}")
+            nil
+          end
+        end
+
+        sig do
+          params(
+            path: String,
+            pyproject_file: Dependabot::DependencyFile
+          ).returns(T::Array[Dependabot::DependencyFile])
+        end
+        def fetch_license_files_for(path, pyproject_file)
+          license_paths = extract_license_paths(pyproject_file)
+
+          license_paths.filter_map do |license_path|
+            resolved_path = resolve_support_file_path(license_path, path)
+            next unless resolved_path
+            next unless path_within_repo?(resolved_path)
+
+            file = fetch_file_from_host(resolved_path, fetch_submodules: true)
+
+            file.support_file = true
+            file
+          rescue Dependabot::DependencyFileNotFound
+            Dependabot.logger.info("License file not found: #{resolved_path}")
+            nil
+          end
+        end
+
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def extract_version_source_paths(pyproject_file)
+          return [] unless pyproject_file.content
+
+          parsed = TomlRB.parse(T.must(pyproject_file.content))
+          paths = []
+
+          hatch_version_path = parsed.dig("tool", "hatch", "version", "path")
+          paths << hatch_version_path if hatch_version_path.is_a?(String)
+
+          paths
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          []
+        end
+
+        sig { params(pyproject_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def extract_license_paths(pyproject_file)
+          return [] unless pyproject_file.content
+
+          parsed = TomlRB.parse(T.must(pyproject_file.content))
+          paths = []
+
+          # Handle legacy license = {file = "LICENSE"} format
+          license_decl = parsed.dig("project", "license")
+          paths << license_decl["file"] if license_decl.is_a?(Hash) && license_decl["file"].is_a?(String)
+
+          # Handle license-files = ["LICENSE", "LICENSES/*"] format (without glob expansion)
+          license_files_decl = parsed.dig("project", "license-files")
+          if license_files_decl.is_a?(Array)
+            license_files_decl.each do |pattern|
+              # Only include simple file paths, not glob patterns
+              paths << pattern if pattern.is_a?(String) && !pattern.include?("*")
+            end
+          end
+
+          paths
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          []
+        end
+
+        sig { params(file_path: String, base_path: String).returns(T.nilable(String)) }
+        def resolve_support_file_path(file_path, base_path)
+          return nil if file_path.empty?
+          return nil if Pathname.new(file_path).absolute?
+
+          clean_path(File.join(base_path, file_path))
+        end
+
+        sig { params(path: String).returns(T::Boolean) }
+        def path_within_repo?(path)
+          cleaned = clean_path(path)
+          !cleaned.start_with?("../", "/")
+        end
+
         sig { returns(T::Array[String]) }
         def workspace_member_paths
           return [] unless @pyproject

data/lib/dependabot/uv/file_fetcher.rb

@@ -49,8 +49,10 @@ module Dependabot
       def ecosystem_specific_files
         files = []
         files += readme_files
+        files += license_files
         files += uv_lock_files
         files += workspace_member_files
+        files += version_source_files
         files
       end
 
@@ -111,6 +113,143 @@ module Dependabot
         workspace_fetcher.send(:fetch_readme_files_for, directory, T.must(pyproject))
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def license_files
+        return [] unless pyproject
+
+        files = []
+        files += fetch_license_files_for(directory, T.must(pyproject))
+        files += workspace_fetcher.license_files
+        files
+      end
+
+      sig do
+        params(
+          base_path: String,
+          pyproject_file: Dependabot::DependencyFile
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def fetch_license_files_for(base_path, pyproject_file)
+        license_paths = extract_license_paths(pyproject_file)
+        is_root = base_path == directory
+
+        license_paths.filter_map do |license_path|
+          resolved_path = resolve_support_file_path(license_path, base_path)
+          next unless resolved_path
+          next unless path_within_repo?(resolved_path)
+
+          file = if is_root
+                   fetch_file_if_present(resolved_path)
+                 else
+                   fetch_file_from_host(resolved_path, fetch_submodules: true)
+                 end
+
+          next unless file
+
+          file.support_file = true
+          file
+        rescue Dependabot::DependencyFileNotFound
+          Dependabot.logger.info("License file not found: #{resolved_path}")
+          nil
+        end
+      end
+
+      sig { params(pyproject_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def extract_license_paths(pyproject_file)
+        parsed = TomlRB.parse(pyproject_file.content)
+        paths = []
+
+        # Handle legacy license = {file = "LICENSE"} format
+        license_decl = parsed.dig("project", "license")
+        paths << license_decl["file"] if license_decl.is_a?(Hash) && license_decl["file"].is_a?(String)
+
+        # Handle license-files = ["LICENSE", "LICENSES/*"] format (without glob expansion)
+        license_files_decl = parsed.dig("project", "license-files")
+        if license_files_decl.is_a?(Array)
+          license_files_decl.each do |pattern|
+            # Only include simple file paths, not glob patterns
+            paths << pattern if pattern.is_a?(String) && !pattern.include?("*")
+          end
+        end
+
+        paths
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        []
+      end
+
+      sig { params(file_path: String, base_path: String).returns(T.nilable(String)) }
+      def resolve_support_file_path(file_path, base_path)
+        return nil if file_path.empty?
+        return nil if Pathname.new(file_path).absolute?
+
+        if base_path == directory || base_path == "."
+          clean_path(file_path)
+        else
+          clean_path(File.join(base_path, file_path))
+        end
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def version_source_files
+        return [] unless pyproject
+
+        files = []
+        files += fetch_version_source_files_for(directory, T.must(pyproject))
+        files += workspace_fetcher.version_source_files
+
+        files
+      end
+
+      sig do
+        params(
+          base_path: String,
+          pyproject_file: Dependabot::DependencyFile
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def fetch_version_source_files_for(base_path, pyproject_file)
+        version_paths = extract_version_source_paths(pyproject_file)
+        is_root = base_path == directory
+
+        version_paths.filter_map do |version_path|
+          resolved_path = resolve_support_file_path(version_path, base_path)
+          next unless resolved_path
+          next unless path_within_repo?(resolved_path)
+
+          file = if is_root
+                   fetch_file_if_present(resolved_path)
+                 else
+                   fetch_file_from_host(resolved_path, fetch_submodules: true)
+                 end
+
+          next unless file
+
+          file.support_file = true
+          file
+        rescue Dependabot::DependencyFileNotFound
+          Dependabot.logger.info("Version source file not found: #{resolved_path}")
+          nil
+        end
+      end
+
+      sig { params(pyproject_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def extract_version_source_paths(pyproject_file)
+        parsed = TomlRB.parse(pyproject_file.content)
+        paths = []
+
+        hatch_version_path = parsed.dig("tool", "hatch", "version", "path")
+        paths << hatch_version_path if hatch_version_path.is_a?(String)
+
+        paths
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        []
+      end
+
+      sig { params(path: String).returns(T::Boolean) }
+      def path_within_repo?(path)
+        cleaned = clean_path(path)
+        !cleaned.start_with?("../", "/")
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def uv_lock_files
         req_txt_and_in_files.select { |f| f.name.end_with?("uv.lock") } +

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -22,6 +22,7 @@ module Dependabot
         extend T::Sig
 
         require_relative "pyproject_preparer"
+        require_relative "version_config_parser"
 
         REQUIRED_FILES = %w(pyproject.toml uv.lock).freeze # At least one of these files should be present
 
@@ -41,19 +42,24 @@ module Dependabot
         sig { returns(T.nilable(T::Array[T.nilable(String)])) }
         attr_reader :index_urls
 
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
+
         sig do
           params(
             dependencies: T::Array[Dependency],
             dependency_files: T::Array[DependencyFile],
             credentials: T::Array[Dependabot::Credential],
-            index_urls: T.nilable(T::Array[T.nilable(String)])
+            index_urls: T.nilable(T::Array[T.nilable(String)]),
+            repo_contents_path: T.nilable(String)
           ).void
         end
-        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil, repo_contents_path: nil)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
           @index_urls = index_urls
+          @repo_contents_path = repo_contents_path
           @prepared_pyproject = T.let(nil, T.nilable(String))
           @updated_lockfile_content = T.let(nil, T.nilable(String))
           @pyproject = T.let(nil, T.nilable(Dependabot::DependencyFile))
@@ -243,7 +249,7 @@ module Dependabot
 
         sig { params(pyproject_content: String).returns(String) }
         def updated_lockfile_content_for(pyproject_content)
-          SharedHelpers.in_a_temporary_directory do
+          SharedHelpers.in_a_temporary_repo_directory(directory, repo_contents_path) do
             SharedHelpers.with_git_configured(credentials: credentials) do
               write_temporary_dependency_files(pyproject_content)
 
@@ -267,36 +273,52 @@ module Dependabot
         end
         def handle_uv_error(error)
           error_message = error.message
-          error_message_patterns = ["No solution found when resolving dependencies", "Failed to build"]
-
-          if error_message_patterns.any? { |value| error_message.include?(value) }
-            match_unresolvable_regex = error_message.scan(UV_UNRESOLVABLE_REGEX).last
-            match_failed_to_build_regex = error_message.scan(UV_BUILD_FAILED_REGEX).last
-
-            if match_unresolvable_regex
-              formatted_error = if match_unresolvable_regex.is_a?(Array)
-                                  match_unresolvable_regex.join
-                                else
-                                  match_unresolvable_regex
-                                end
-            end
 
-            if match_failed_to_build_regex
-              formatted_error = if match_failed_to_build_regex.is_a?(Array)
-                                  match_failed_to_build_regex.join
-                                else
-                                  match_failed_to_build_regex
-                                end
-            end
+          if resolution_error?(error_message)
+            handle_resolution_error(error_message)
+          elsif error_message.include?(RESOLUTION_IMPOSSIBLE_ERROR)
+            raise Dependabot::DependencyFileNotResolvable, error_message
+          else
+            raise error
+          end
+        end
 
-            raise Dependabot::DependencyFileNotResolvable, formatted_error
+        sig { params(error_message: String).returns(T::Boolean) }
+        def resolution_error?(error_message)
+          ["No solution found when resolving dependencies", "Failed to build"].any? do |pattern|
+            error_message.include?(pattern)
           end
+        end
 
-          if error_message.include?(RESOLUTION_IMPOSSIBLE_ERROR)
-            raise Dependabot::DependencyFileNotResolvable, error_message
+        sig { params(error_message: String).returns(T.noreturn) }
+        def handle_resolution_error(error_message)
+          match_unresolvable = error_message.scan(UV_UNRESOLVABLE_REGEX).last
+          match_build_failed = error_message.scan(UV_BUILD_FAILED_REGEX).last
+
+          if match_unresolvable
+            formatted_error = Array(match_unresolvable).join
+            conflicting_deps = extract_conflicting_dependencies(formatted_error)
+            raise Dependabot::UpdateNotPossible, conflicting_deps if conflicting_deps.any?
+
+            raise Dependabot::DependencyFileNotResolvable, formatted_error
           end
 
-          raise error
+          formatted_error = match_build_failed ? Array(match_build_failed).join : error_message
+          raise Dependabot::DependencyFileNotResolvable, formatted_error
+        end
+
+        sig { params(error_message: String).returns(T::Array[String]) }
+        def extract_conflicting_dependencies(error_message)
+          # Extract conflicting dependency names from the error message
+          # Pattern: "Because <pkg>==<ver> depends on <dep>>=<ver> and your project depends on <dep>==<ver>"
+          normalized_message = error_message.gsub(/\s+/, " ")
+          conflict_pattern = /Because (\S+)==\S+ depends on (\S+)[><=!]+\S+ and your project depends on \2==\S+/
+
+          match = normalized_message.match(conflict_pattern)
+          return [] unless match
+
+          # Return both the package being updated and the blocking dependency
+          [match[1], match[2]].compact
         end
 
         sig { returns(T.nilable(String)) }
@@ -309,12 +331,17 @@ module Dependabot
           # to the absolute latest version (which may be blocked by ignore rules)
           dep_name = T.must(dependency).name
           dep_version = T.must(dependency).version
-          package_spec = dep_version ? "#{dep_name}==#{dep_version}" : dep_name
+          # Strip extras from the package name for the uv lock command
+          # uv lock --upgrade-package expects the base package name without extras
+          base_dep_name = normalise(dep_name)
+          package_spec = dep_version ? "#{base_dep_name}==#{dep_version}" : base_dep_name
 
           command = "pyenv exec uv lock --upgrade-package #{package_spec} #{options}"
           fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> #{options_fingerprint}"
 
-          run_command(command, fingerprint: fingerprint, env: explicit_index_env_vars)
+          env_vars = explicit_index_env_vars.merge(setuptools_scm_pretend_version_env_vars)
+
+          run_command(command, fingerprint: fingerprint, env: env_vars)
         end
 
         sig { params(command: String, fingerprint: T.nilable(String), env: T::Hash[String, String]).returns(String) }
@@ -323,7 +350,7 @@ module Dependabot
           SharedHelpers.run_shell_command(command, fingerprint: fingerprint, env: env)
         end
 
-        sig { params(pyproject_content: String).returns(Integer) }
+        sig { params(pyproject_content: String).void }
         def write_temporary_dependency_files(pyproject_content)
           dependency_files.each do |file|
             path = file.name
@@ -333,23 +360,34 @@ module Dependabot
 
           # Overwrite the pyproject with updated content
           File.write("pyproject.toml", pyproject_content)
+
+          ensure_version_file_directories
+        end
+
+        sig { void }
+        def ensure_version_file_directories
+          all_version_configs.each do |config|
+            config.write_paths.each do |write_path|
+              dir = Pathname.new(write_path).dirname
+              next if dir.to_s == "." || dir.to_s.empty?
+
+              Dependabot.logger.info("Creating directory for version file: #{dir}")
+              FileUtils.mkdir_p(dir)
+            end
+          end
         end
 
         sig { void }
         def setup_python_environment
-          # Use LanguageVersionManager to determine and install the appropriate Python version
           Dependabot.logger.info("Setting up Python environment using LanguageVersionManager")
 
           begin
-            # Install the required Python version
             language_version_manager.install_required_python
 
-            # Set the local Python version
             python_version = language_version_manager.python_version
             Dependabot.logger.info("Setting Python version to #{python_version}")
             SharedHelpers.run_shell_command("pyenv local #{python_version}")
 
-            # We don't need to install uv as it should be available in the Docker environment
             Dependabot.logger.info("Using pre-installed uv package")
           rescue StandardError => e
             Dependabot.logger.warn("Error setting up Python environment: #{e.message}")
@@ -541,6 +579,11 @@ module Dependabot
           )
         end
 
+        sig { returns(String) }
+        def directory
+          dependency_files.first&.directory || "/"
+        end
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def lockfile
           @lockfile ||= T.let(uv_lock, T.nilable(Dependabot::DependencyFile))
@@ -562,6 +605,61 @@ module Dependabot
 
           T.must(dependency).requirements.select { _1[:file].end_with?(*REQUIRED_FILES) }.any?
         end
+
+        sig { returns(T::Hash[String, String]) }
+        def setuptools_scm_pretend_version_env_vars
+          env_vars = T.let({}, T::Hash[String, String])
+
+          all_version_configs.each do |config|
+            package_name = config.package_name
+            next if package_name.nil? || package_name.empty?
+            next unless config.dynamic_version?
+
+            package_env_name = package_name.upcase.gsub(/[-.]/, "_")
+            version = config.fallback_version || "0.0.0"
+
+            env_vars["SETUPTOOLS_SCM_PRETEND_VERSION_FOR_#{package_env_name}"] = version
+          end
+
+          env_vars
+        end
+
+        sig { returns(T::Array[VersionConfigParser::VersionConfig]) }
+        def all_version_configs
+          @all_version_configs ||= T.let(
+            begin
+              configs = []
+
+              root_content = pyproject&.content
+              if root_content
+                parser = VersionConfigParser.new(
+                  pyproject_content: root_content,
+                  base_path: ".",
+                  repo_root: "."
+                )
+                configs << parser.parse
+              end
+
+              dependency_files
+                .select { |f| f.name.end_with?("pyproject.toml") && f.name != "pyproject.toml" }
+                .each do |member_pyproject|
+                  member_content = member_pyproject.content
+                  next unless member_content
+
+                  base_path = Pathname.new(member_pyproject.name).dirname.to_s
+                  parser = VersionConfigParser.new(
+                    pyproject_content: member_content,
+                    base_path: base_path,
+                    repo_root: "."
+                  )
+                  configs << parser.parse
+                end
+
+              configs
+            end,
+            T.nilable(T::Array[VersionConfigParser::VersionConfig])
+          )
+        end
       end
       # rubocop:enable Metrics/ClassLength
     end

data/lib/dependabot/uv/file_updater/version_config_parser.rb

@@ -0,0 +1,172 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "toml-rb"
+require "sorbet-runtime"
+require "pathname"
+
+require "dependabot/uv/file_updater"
+
+module Dependabot
+  module Uv
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class VersionConfigParser
+        extend T::Sig
+
+        class VersionConfig < T::Struct
+          extend T::Sig
+
+          prop :write_paths, T::Array[String], default: []
+          prop :source_paths, T::Array[String], default: []
+          prop :fallback_version, T.nilable(String), default: nil
+          prop :package_name, T.nilable(String), default: nil
+
+          sig { returns(T::Boolean) }
+          def dynamic_version?
+            write_paths.any? || source_paths.any?
+          end
+        end
+
+        sig { params(pyproject_content: String, base_path: String, repo_root: String).void }
+        def initialize(pyproject_content:, base_path: ".", repo_root: ".")
+          @pyproject_content = pyproject_content
+          @base_path = base_path
+          @repo_root = repo_root
+          @parsed_pyproject = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        end
+
+        sig { returns(VersionConfig) }
+        def parse
+          VersionConfig.new(
+            write_paths: collect_write_paths,
+            source_paths: collect_source_paths,
+            fallback_version: extract_fallback_version,
+            package_name: extract_package_name
+          )
+        end
+
+        private
+
+        sig { returns(String) }
+        attr_reader :pyproject_content
+
+        sig { returns(String) }
+        attr_reader :base_path
+
+        sig { returns(String) }
+        attr_reader :repo_root
+
+        sig { returns(T::Hash[String, T.untyped]) }
+        def parsed_pyproject
+          return @parsed_pyproject unless @parsed_pyproject.nil?
+
+          @parsed_pyproject = TomlRB.parse(pyproject_content)
+        rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+          @parsed_pyproject = {}
+        end
+
+        sig { returns(T::Array[String]) }
+        def collect_write_paths
+          paths = []
+          paths += setuptools_scm_write_paths
+          paths += hatch_vcs_build_hook_write_paths
+          paths.compact.uniq
+        end
+
+        sig { returns(T::Array[String]) }
+        def collect_source_paths
+          paths = []
+          paths += hatch_version_source_paths
+          paths.compact.uniq
+        end
+
+        sig { returns(T::Array[String]) }
+        def setuptools_scm_write_paths
+          scm_config = parsed_pyproject.dig("tool", "setuptools_scm")
+          return [] unless scm_config.is_a?(Hash)
+
+          paths = []
+
+          version_file = scm_config["version_file"]
+          paths << validate_and_resolve_path(version_file) if version_file.is_a?(String)
+
+          write_to = scm_config["write_to"]
+          paths << validate_and_resolve_path(write_to) if write_to.is_a?(String)
+
+          paths.compact
+        end
+
+        sig { returns(T::Array[String]) }
+        def hatch_vcs_build_hook_write_paths
+          vcs_hook = parsed_pyproject.dig("tool", "hatch", "build", "hooks", "vcs")
+          return [] unless vcs_hook.is_a?(Hash)
+
+          paths = []
+
+          version_file = vcs_hook["version-file"]
+          paths << validate_and_resolve_path(version_file) if version_file.is_a?(String)
+
+          paths.compact
+        end
+
+        sig { returns(T::Array[String]) }
+        def hatch_version_source_paths
+          hatch_version = parsed_pyproject.dig("tool", "hatch", "version")
+          return [] unless hatch_version.is_a?(Hash)
+
+          paths = []
+
+          version_path = hatch_version["path"]
+          paths << validate_and_resolve_path(version_path) if version_path.is_a?(String)
+
+          paths.compact
+        end
+
+        sig { returns(T.nilable(String)) }
+        def extract_fallback_version
+          scm_config = parsed_pyproject.dig("tool", "setuptools_scm")
+          if scm_config.is_a?(Hash)
+            fallback = scm_config["fallback_version"]
+            return fallback if fallback.is_a?(String)
+          end
+
+          raw_options = parsed_pyproject.dig("tool", "hatch", "version", "raw-options")
+          if raw_options.is_a?(Hash)
+            fallback = raw_options["fallback_version"]
+            return fallback if fallback.is_a?(String)
+          end
+
+          nil
+        end
+
+        sig { returns(T.nilable(String)) }
+        def extract_package_name
+          name = parsed_pyproject.dig("project", "name")
+          return name if name.is_a?(String)
+
+          nil
+        end
+
+        sig { params(path: String).returns(T.nilable(String)) }
+        def validate_and_resolve_path(path)
+          return nil if path.empty?
+          return nil if Pathname.new(path).absolute?
+
+          resolved = File.expand_path(path, base_path)
+
+          repo_root_expanded = File.expand_path(repo_root)
+          resolved_expanded = File.expand_path(resolved)
+
+          unless resolved_expanded.start_with?(repo_root_expanded)
+            Dependabot.logger.warn(
+              "Version config path '#{path}' resolves outside repository root, ignoring"
+            )
+            return nil
+          end
+
+          Pathname.new(resolved_expanded).relative_path_from(Pathname.new(repo_root_expanded)).to_s
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_updater.rb

@@ -64,7 +64,8 @@ module Dependabot
           dependencies: dependencies,
           dependency_files: dependency_files,
           credentials: credentials,
-          index_urls: pip_compile_index_urls
+          index_urls: pip_compile_index_urls,
+          repo_contents_path: repo_contents_path
         ).updated_dependency_files
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.356.0
+  version: 0.358.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.356.0
+        version: 0.358.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.356.0
+        version: 0.358.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.356.0
+        version: 0.358.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.356.0
+        version: 0.358.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -274,6 +274,7 @@ files:
 - lib/dependabot/uv/file_updater/pyproject_preparer.rb
 - lib/dependabot/uv/file_updater/requirement_file_updater.rb
 - lib/dependabot/uv/file_updater/requirement_replacer.rb
+- lib/dependabot/uv/file_updater/version_config_parser.rb
 - lib/dependabot/uv/language.rb
 - lib/dependabot/uv/language_version_manager.rb
 - lib/dependabot/uv/metadata_finder.rb
@@ -297,7 +298,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.356.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.358.0
 rdoc_options: []
 require_paths:
 - lib
@@ -312,7 +313,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.3.0
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Provides Dependabot support for Python uv
 test_files: []