dependabot-uv 0.370.0 → 0.372.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a696c9fd0da0ea89a6b4bb13652c87a13536a3d6019d4c553a47d76cefc57a7f
-  data.tar.gz: 077afc2de1293334a8a33d972d734dffcaff90ae7f63a16955f2ea1de9b38f3a
+  metadata.gz: 5b800f6ffdf570bc834de464268bdb32c5051b2af1f7e9e7b522430d6ce4f237
+  data.tar.gz: c4da6008928f94391a149957c5e13bd0274adc0bca2602bc5b0408de8b01676b
 SHA512:
-  metadata.gz: ce87367498361f99b4e64a54e1e0d5e834dcd36f30de5bcea803573fb9bab26477f9b9bf24c10c26a7e3d80655f8539cade1e393ddb17ea9809a4c07d0d4e23d
-  data.tar.gz: 51d3fbf8cb202ea9a6742044c103e9e0b4317e421896e94551312d945180a08879c7d84e4d024cc7b2f5005e6f0df093f550d753cac6223be64b510f6b441e9a
+  metadata.gz: 41b72c005c15263ccdf177000a5ced804ba43b73cf8170dfcb4f65cc4a1ef0a2d02e79146a2a94d81e859b9895a20c665c4e5d3e6fa4663e1af91c58ae858946
+  data.tar.gz: b086ec486967b5a6c78f29611b8fe0adbbff911a4e8f46fc3188efb48d1791d0d2a6be24c7e6c0431bc6a46306b73c95c5bc6bc1a32c254495a0bcd3727a26ba

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -24,6 +24,7 @@ module Dependabot
         require_relative "pyproject_preparer"
         require_relative "version_config_parser"
         require_relative "lock_file_error_handler"
+        require_relative "lock_index_credential_matcher"
 
         REQUIRED_FILES = %w(pyproject.toml uv.lock).freeze # At least one of these files should be present
 
@@ -285,7 +286,7 @@ module Dependabot
           command = "pyenv exec uv lock --upgrade-package #{package_spec} #{options}"
           fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> #{options_fingerprint}"
 
-          env_vars = explicit_index_env_vars.merge(setuptools_scm_pretend_version_env_vars)
+          env_vars = pyproject_index_env_vars.merge(setuptools_scm_pretend_version_env_vars)
 
           run_command(command, fingerprint: fingerprint, env: env_vars)
         end
@@ -355,18 +356,67 @@ module Dependabot
 
         sig { returns(T::Array[String]) }
         def lock_index_options
-          credentials
-            .select { |cred| cred["type"] == "python_index" }
-            .reject { |cred| explicit_index?(cred) }
-            .map do |cred|
-            authed_url = AuthedUrlBuilder.authed_url(credential: cred)
-
-            if cred.replaces_base?
-              "--default-index #{authed_url}"
-            else
-              "--index #{authed_url}"
-            end
+          filtered_credentials = credentials
+                                 .select { |cred| cred["type"] == "python_index" }
+                                 .reject do |cred|
+                                   cred.replaces_base? ? defined_in_pyproject?(cred) : explicit_index?(cred)
+                                 end
+
+          options = T.let([], T::Array[String])
+          used_credential_urls = T.let([], T::Array[String])
+          credential_matcher = LockIndexCredentialMatcher.new(credentials: filtered_credentials)
+
+          uv_lock_registry_urls.each do |registry_url|
+            credential = credential_matcher.best_credential_for_registry_url(registry_url)
+            next unless credential
+
+            used_credential_urls << credential["index-url"].to_s
+            options << option_for_credential_url(credential, authed_registry_url(credential, registry_url))
+          end
+
+          # Fall back to credential URLs for indices not represented in uv.lock.
+          filtered_credentials.each do |credential|
+            next if used_credential_urls.include?(credential["index-url"].to_s)
+
+            authed_url = AuthedUrlBuilder.authed_url(credential: credential)
+            options << option_for_credential_url(credential, authed_url)
           end
+
+          options.uniq
+        end
+
+        sig { params(credential: Dependabot::Credential, url: String).returns(String) }
+        def option_for_credential_url(credential, url)
+          if credential.replaces_base?
+            "--default-index #{url}"
+          else
+            "--index #{url}"
+          end
+        end
+
+        sig { params(credential: Dependabot::Credential, registry_url: String).returns(String) }
+        def authed_registry_url(credential, registry_url)
+          lock_credential = Dependabot::Credential.new(credential.to_h.merge("index-url" => registry_url))
+          AuthedUrlBuilder.authed_url(credential: lock_credential)
+        end
+
+        sig { returns(T::Array[String]) }
+        def uv_lock_registry_urls
+          return [] unless lockfile&.content
+
+          parsed = TomlRB.parse(T.must(lockfile).content)
+          packages = parsed["package"]
+          return [] unless packages.is_a?(Array)
+
+          packages.filter_map do |package|
+            source = package["source"]
+            next unless source.is_a?(Hash)
+
+            registry = source["registry"]
+            registry if registry.is_a?(String)
+          end.uniq
+        rescue TomlRB::ParseError
+          []
         end
 
         sig { params(credential: Dependabot::Credential).returns(T::Boolean) }
@@ -379,6 +429,14 @@ module Dependabot
           end
         end
 
+        # Checks if a credential's index URL matches any index defined in pyproject.toml.
+        # When true, authentication is provided via env vars so uv uses the pyproject.toml URL,
+        # preserving URL format alignment between pyproject.toml and uv.lock.
+        sig { params(credential: Dependabot::Credential).returns(T::Boolean) }
+        def defined_in_pyproject?(credential)
+          !find_index_name_for_credential(credential).nil?
+        end
+
         sig { params(url: String).returns(String) }
         def normalize_index_url(url)
           url.chomp("/")
@@ -414,16 +472,17 @@ module Dependabot
         # (the proxy handles authentication). This is for those running Dependabot
         # themselves and for dry-run.
         sig { returns(T::Hash[String, String]) }
-        def explicit_index_env_vars
+        def pyproject_index_env_vars
           env_vars = {}
 
-          credentials
-            .select { |cred| cred["type"] == "python_index" }
-            .select { |cred| explicit_index?(cred) }
-            .each do |cred|
-            index_name = find_index_name_for_credential(cred)
-            next unless index_name
+          matched_credentials = credentials
+                                .select { |cred| cred["type"] == "python_index" }
+                                .filter_map do |cred|
+                                  index_name = find_index_name_for_credential(cred)
+                                  [cred, index_name] if index_name
+                                end
 
+          matched_credentials.each do |cred, index_name|
             env_name = index_name.upcase.gsub(/[^A-Z0-9]/, "_")
 
             env_vars["UV_INDEX_#{env_name}_USERNAME"] = cred["username"] if cred["username"]
@@ -451,9 +510,9 @@ module Dependabot
 
         sig { params(options: String).returns(String) }
         def lock_options_fingerprint(options)
-          options.sub(
+          options.gsub(
             /--default-index\s+\S+/, "--default-index <default_index>"
-          ).sub(
+          ).gsub(
             /--index\s+\S+/, "--index <index>"
           )
         end

data/lib/dependabot/uv/file_updater/lock_index_credential_matcher.rb

@@ -0,0 +1,74 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "uri"
+require "dependabot/uv/file_updater"
+
+module Dependabot
+  module Uv
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class LockIndexCredentialMatcher
+        extend T::Sig
+
+        sig { params(credentials: T::Array[Dependabot::Credential]).void }
+        def initialize(credentials:)
+          @credentials = credentials
+        end
+
+        sig { params(registry_url: String).returns(T.nilable(Dependabot::Credential)) }
+        def best_credential_for_registry_url(registry_url)
+          credential_scores = @credentials.map do |credential|
+            [credential, credential_match_score(credential["index-url"].to_s, registry_url)]
+          end
+          best_match = credential_scores.max_by { |_, score| score }
+
+          return nil unless best_match
+          return nil if best_match[1].negative?
+
+          best_match[0]
+        end
+
+        private
+
+        sig { params(credential_url: String, registry_url: String).returns(Integer) }
+        def credential_match_score(credential_url, registry_url)
+          normalized_credential_url = normalize_index_url(credential_url)
+          normalized_registry_url = normalize_index_url(registry_url)
+
+          return 100_000 if normalized_credential_url == normalized_registry_url
+
+          credential_uri = URI.parse(normalized_credential_url)
+          registry_uri = URI.parse(normalized_registry_url)
+
+          return -1 unless credential_uri.scheme == registry_uri.scheme
+          return -1 unless credential_uri.host == registry_uri.host
+          return -1 unless credential_uri.port == registry_uri.port
+
+          credential_path = normalized_uri_path(credential_uri)
+          registry_path = normalized_uri_path(registry_uri)
+
+          return 1 if credential_path == "/"
+
+          if registry_path.start_with?(credential_path.chomp("/") + "/")
+            credential_path.length
+          else
+            -1
+          end
+        rescue URI::InvalidURIError
+          -1
+        end
+
+        sig { params(url: String).returns(String) }
+        def normalize_index_url(url)
+          url.chomp("/")
+        end
+
+        sig { params(uri: URI::Generic).returns(String) }
+        def normalized_uri_path(uri)
+          path = uri.path.to_s
+          path.empty? ? "/" : path
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.370.0
+  version: 0.372.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.370.0
+        version: 0.372.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.370.0
+        version: 0.372.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.370.0
+        version: 0.372.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.370.0
+        version: 0.372.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -273,6 +273,7 @@ files:
 - lib/dependabot/uv/file_updater/compile_file_updater.rb
 - lib/dependabot/uv/file_updater/lock_file_error_handler.rb
 - lib/dependabot/uv/file_updater/lock_file_updater.rb
+- lib/dependabot/uv/file_updater/lock_index_credential_matcher.rb
 - lib/dependabot/uv/file_updater/pyproject_preparer.rb
 - lib/dependabot/uv/file_updater/requirement_file_updater.rb
 - lib/dependabot/uv/file_updater/requirement_replacer.rb
@@ -300,7 +301,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.370.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.372.0
 rdoc_options: []
 require_paths:
 - lib