dependabot-uv 0.350.0 → 0.351.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b23c5beac181aafb8e92f670984121a88254da3a1804dbd7891e9e6bc274b84c
-  data.tar.gz: c5007c5452b38eac6210eac2df08635c69e3ed7fb7410e8173e9964678902d9b
+  metadata.gz: f74cec4813c7f6b11b51b6f73a10db68327ca41a2737e469ba5d9ea3b4612bea
+  data.tar.gz: e17b701d94aeafdca486c2303d23ea3b423eebbddd93d347ce1224160920cab5
 SHA512:
-  metadata.gz: f646e21b2dd5f869a1fc56a48ab0f04051d202b4efc6f98a4d3dd2efca28526ffae66068ee3d59fd2ad5e03ad243db060ddcc703df018cefb4c1f06369043887
-  data.tar.gz: e5044b7cd9b6bb4f3a8273309e1d20a0ffb784aa5c5b92401f28e0a885cef9ac239ee2e4a51fdff6978425644529e705a835b8d58932bd45aae92e47d9dfc3e5
+  metadata.gz: 32c427d81b22edb5d8b145ced9080a7fca9264e371da8f4a9ff5ca57c89b58f69179b4ade15620e24bb6a5d43194d959489d0c10942b050be8fb5e0c13327121
+  data.tar.gz: 615a296656b8957f897e5b17e3f951b143579bbc08aa8e8c806928bcd3e3349e4f0e3a54f0dcf3b5449fa7c8b6a892677e9a865925ec1fb044094ee35f4de527

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -285,7 +285,13 @@ module Dependabot
           options_fingerprint = lock_options_fingerprint(options)
 
           # Use pyenv exec to ensure we're using the correct Python environment
-          command = "pyenv exec uv lock --upgrade-package #{T.must(dependency).name} #{options}"
+          # Include the target version to respect ignore conditions and avoid upgrading
+          # to the absolute latest version (which may be blocked by ignore rules)
+          dep_name = T.must(dependency).name
+          dep_version = T.must(dependency).version
+          package_spec = dep_version ? "#{dep_name}==#{dep_version}" : dep_name
+
+          command = "pyenv exec uv lock --upgrade-package #{package_spec} #{options}"
           fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> #{options_fingerprint}"
 
           run_command(command, fingerprint:)

data/lib/dependabot/uv/language.rb

@@ -1,84 +1,14 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "sorbet-runtime"
-require "dependabot/uv/version"
-require "dependabot/ecosystem"
+require "dependabot/python/language"
 
 module Dependabot
   module Uv
-    LANGUAGE = "python"
-
-    class Language < Dependabot::Ecosystem::VersionManager
-      extend T::Sig
-
-      # This list must match the versions specified at the top of `uv/Dockerfile`
-      # ARG PY_3_13=3.13.2
-      # When updating this list, also update python/lib/dependabot/python/language.rb
-      PRE_INSTALLED_PYTHON_VERSIONS_RAW = %w(
-        3.14.0
-        3.13.9
-        3.12.12
-        3.11.14
-        3.10.19
-        3.9.24
-      ).freeze
-
-      PRE_INSTALLED_PYTHON_VERSIONS = T.let(
-        PRE_INSTALLED_PYTHON_VERSIONS_RAW.map do |v|
-          Version.new(v)
-        end.sort,
-        T::Array[Version]
-      )
-
-      PRE_INSTALLED_VERSIONS_MAP = T.let(
-        PRE_INSTALLED_PYTHON_VERSIONS.to_h do |v|
-          [Version.new(T.must(v.segments[0..1]).join(".")), v]
-        end,
-        T::Hash[Version, Version]
-      )
-
-      PRE_INSTALLED_HIGHEST_VERSION = T.let(T.must(PRE_INSTALLED_PYTHON_VERSIONS.max), Version)
-
-      SUPPORTED_VERSIONS = T.let(
-        PRE_INSTALLED_PYTHON_VERSIONS.map do |v|
-          Version.new(T.must(v.segments[0..1]&.join(".")))
-        end,
-        T::Array[Version]
-      )
-
-      NON_SUPPORTED_HIGHEST_VERSION = "3.8"
-
-      DEPRECATED_VERSIONS = T.let([Version.new(NON_SUPPORTED_HIGHEST_VERSION)].freeze, T::Array[Dependabot::Version])
-
-      sig do
-        params(
-          detected_version: T.nilable(String),
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(detected_version:, raw_version: nil, requirement: nil)
-        super(
-          name: LANGUAGE,
-          detected_version: detected_version ? major_minor_version(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
-          deprecated_versions: DEPRECATED_VERSIONS,
-          supported_versions: SUPPORTED_VERSIONS,
-          requirement: requirement,
-       )
-      end
-
-      private
-
-      sig { params(version: String).returns(T.nilable(Version)) }
-      def major_minor_version(version)
-        return nil if version.empty?
-
-        major_minor = T.let(T.must(Version.new(version).segments[0..1]&.join(".")), String)
-
-        Version.new(major_minor)
-      end
-    end
+    # Both uv and Python ecosystems use the same Python language versions.
+    # The Python version list is maintained in python/lib/dependabot/python/language.rb
+    # and shared via this alias to avoid dual-maintenance.
+    LANGUAGE = Python::LANGUAGE
+    Language = Python::Language
   end
 end

data/lib/dependabot/uv/language_version_manager.rb

@@ -1,138 +1,13 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
-require "dependabot/logger"
-require "dependabot/uv/version"
-require "sorbet-runtime"
+require "dependabot/python/language_version_manager"
 
 module Dependabot
   module Uv
-    class LanguageVersionManager
-      extend T::Sig
-
-      sig { params(python_requirement_parser: T.untyped).void }
-      def initialize(python_requirement_parser:)
-        @python_requirement_parser = python_requirement_parser
-      end
-
-      sig { returns(T.nilable(String)) }
-      def install_required_python
-        # The leading space is important in the version check
-        return if SharedHelpers.run_shell_command("pyenv versions").include?(" #{python_major_minor}.")
-
-        SharedHelpers.run_shell_command(
-          "tar -axf /usr/local/.pyenv/versions/#{python_version}.tar.zst -C /usr/local/.pyenv/versions"
-        )
-      end
-
-      sig { returns(String) }
-      def installed_version
-        # Use `pyenv exec` to query the active Python version
-        output, _status = SharedHelpers.run_shell_command("pyenv exec python --version")
-        version = output.strip.split.last # Extract the version number (e.g., "3.13.1")
-
-        T.must(version)
-      end
-
-      sig { returns(T.untyped) }
-      def python_major_minor
-        @python_major_minor ||= T.let(T.must(Version.new(python_version).segments[0..1]).join("."), T.untyped)
-      end
-
-      sig { returns(String) }
-      def python_version
-        @python_version ||= T.let(python_version_from_supported_versions, T.nilable(String))
-      end
-
-      sig { returns(String) }
-      def python_requirement_string
-        if user_specified_python_version
-          if user_specified_python_version.start_with?(/\d/)
-            parts = user_specified_python_version.split(".")
-            parts.fill("*", (parts.length)..2).join(".")
-          else
-            user_specified_python_version
-          end
-        else
-          python_version_matching_imputed_requirements || Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
-        end
-      end
-
-      sig { params(requirement_string: T.nilable(String)).returns(T.nilable(String)) }
-      def normalize_python_exact_version(requirement_string)
-        return requirement_string if requirement_string.nil? || requirement_string.strip.empty?
-
-        requirement_string = requirement_string.strip
-
-        # If the requirement already has a wildcard, return nil
-        return nil if requirement_string == "*"
-
-        # If the requirement is not an exact version such as not X.Y.Z, =X.Y.Z, ==X.Y.Z, ===X.Y.Z
-        # then return the requirement as is
-        return requirement_string unless requirement_string.match?(/^=?={0,2}\s*\d+\.\d+(\.\d+)?(-[a-z0-9.-]+)?$/i)
-
-        parts = requirement_string.gsub(/^=+/, "").split(".")
-
-        case parts.length
-        when 1 # Only major version (X)
-          ">= #{parts[0]}.0.0 < #{parts[0].to_i + 1}.0.0" # Ensure only major version range
-        when 2 # Major.Minor (X.Y)
-          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Ensure only minor version range
-        when 3 # Major.Minor.Patch (X.Y.Z)
-          ">= #{parts[0]}.#{parts[1]}.0 < #{parts[0].to_i}.#{parts[1].to_i + 1}.0" # Convert to >= X.Y.0
-        else
-          requirement_string
-        end
-      end
-
-      sig { returns(String) }
-      def python_version_from_supported_versions
-        requirement_string = python_requirement_string
-
-        # If the requirement string isn't already a range (eg ">3.10"), coerce it to "major.minor.*".
-        # The patch version is ignored because a non-matching patch version is unlikely to affect resolution.
-        requirement_string = requirement_string.gsub(/\.\d+$/, ".*") if /^\d/.match?(requirement_string)
-
-        requirement_string = normalize_python_exact_version(requirement_string)
-
-        if requirement_string.nil? || requirement_string.strip.empty?
-          return Language::PRE_INSTALLED_HIGHEST_VERSION.to_s
-        end
-
-        # Try to match one of our pre-installed Python versions
-        requirement = T.must(Requirement.requirements_array(requirement_string).first)
-        version = Language::PRE_INSTALLED_PYTHON_VERSIONS.find { |v| requirement.satisfied_by?(v) }
-        return version.to_s if version
-
-        # Otherwise we have to raise an error
-        supported_versions = Language::SUPPORTED_VERSIONS.map { |v| "#{v}.*" }.join(", ")
-        raise ToolVersionNotSupported.new("Python", python_requirement_string, supported_versions)
-      end
-
-      sig { returns(T.untyped) }
-      def user_specified_python_version
-        @python_requirement_parser.user_specified_requirements.first
-      end
-
-      sig { returns(T.nilable(String)) }
-      def python_version_matching_imputed_requirements
-        compiled_file_python_requirement_markers =
-          @python_requirement_parser.imputed_requirements.map do |r|
-            Requirement.new(r)
-          end
-        python_version_matching(compiled_file_python_requirement_markers)
-      end
-
-      sig { params(requirements: T.untyped).returns(T.nilable(String)) }
-      def python_version_matching(requirements)
-        Language::PRE_INSTALLED_PYTHON_VERSIONS.find do |version|
-          requirements.all? do |req|
-            next req.any? { |r| r.satisfied_by?(version) } if req.is_a?(Array)
-
-            req.satisfied_by?(version)
-          end
-        end.to_s
-      end
-    end
+    # Uv and Python ecosystems share the same Python version management logic.
+    # This alias ensures uv benefits from improvements in Python's implementation,
+    # including bug fixes like the guard clause in python_version_matching_imputed_requirements.
+    LanguageVersionManager = Python::LanguageVersionManager
   end
 end

data/lib/dependabot/uv/native_helpers.rb

@@ -1,38 +1,12 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "sorbet-runtime"
+require "dependabot/python/native_helpers"
 
 module Dependabot
   module Uv
-    module NativeHelpers
-      extend T::Sig
-
-      sig { returns(String) }
-      def self.python_helper_path
-        clean_path(File.join(python_helpers_dir, "run.py"))
-      end
-
-      sig { returns(String) }
-      def self.python_requirements_path
-        clean_path(File.join(python_helpers_dir, "requirements.txt"))
-      end
-
-      sig { returns(String) }
-      def self.python_helpers_dir
-        File.join(native_helpers_root, "python")
-      end
-
-      sig { returns(String) }
-      def self.native_helpers_root
-        default_path = File.join(__dir__, "../../../..")
-        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
-      end
-
-      sig { params(path: T.nilable(String)).returns(String) }
-      def self.clean_path(path)
-        Pathname.new(path).cleanpath.to_path
-      end
-    end
+    # Uv and Python ecosystems share the same native Python helpers.
+    # Both point to the same helpers/python directory.
+    NativeHelpers = Python::NativeHelpers
   end
 end

data/lib/dependabot/uv/package.rb

@@ -0,0 +1,27 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/python/package/package_registry_finder"
+require "dependabot/python/package/package_details_fetcher"
+
+module Dependabot
+  module Uv
+    # UV uses the same Python package registry handling (PyPI)
+    module Package
+      # Re-export constants from Python::Package for backward compatibility
+      CREDENTIALS_USERNAME = Python::Package::CREDENTIALS_USERNAME
+      CREDENTIALS_PASSWORD = Python::Package::CREDENTIALS_PASSWORD
+      APPLICATION_JSON = Python::Package::APPLICATION_JSON
+      APPLICATION_TEXT = Python::Package::APPLICATION_TEXT
+      CPYTHON = Python::Package::CPYTHON
+      PYTHON = Python::Package::PYTHON
+      UNKNOWN = Python::Package::UNKNOWN
+      MAIN_PYPI_INDEXES = Python::Package::MAIN_PYPI_INDEXES
+      VERSION_REGEX = Python::Package::VERSION_REGEX
+
+      PackageRegistryFinder = Dependabot::Python::Package::PackageRegistryFinder
+      PackageDetailsFetcher = Dependabot::Python::Package::PackageDetailsFetcher
+    end
+  end
+end

data/lib/dependabot/uv/update_checker/latest_version_finder.rb

@@ -1,24 +1,15 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "cgi"
-require "excon"
-require "nokogiri"
 require "sorbet-runtime"
-
-require "dependabot/dependency"
 require "dependabot/uv/update_checker"
-require "dependabot/update_checkers/version_filters"
-require "dependabot/registry_client"
-require "dependabot/uv/authed_url_builder"
-require "dependabot/uv/name_normaliser"
-require "dependabot/uv/package/package_registry_finder"
-require "dependabot/uv/package/package_details_fetcher"
+require "dependabot/uv/package"
 require "dependabot/package/package_latest_version_finder"
 
 module Dependabot
   module Uv
     class UpdateChecker
+      # UV uses the same PyPI registry for package lookups as Python
       class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
@@ -26,11 +17,14 @@ module Dependabot
           override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
         def package_details
-          @package_details ||= Package::PackageDetailsFetcher.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            credentials: credentials
-          ).fetch
+          @package_details ||= T.let(
+            Package::PackageDetailsFetcher.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            ).fetch,
+            T.nilable(Dependabot::Package::PackageDetails)
+          )
         end
 
         sig { override.returns(T::Boolean) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.350.0
+  version: 0.351.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.351.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.351.0
 - !ruby/object:Gem::Dependency
   name: dependabot-python
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.351.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.351.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -278,8 +278,7 @@ files:
 - lib/dependabot/uv/metadata_finder.rb
 - lib/dependabot/uv/name_normaliser.rb
 - lib/dependabot/uv/native_helpers.rb
-- lib/dependabot/uv/package/package_details_fetcher.rb
-- lib/dependabot/uv/package/package_registry_finder.rb
+- lib/dependabot/uv/package.rb
 - lib/dependabot/uv/package_manager.rb
 - lib/dependabot/uv/requirement.rb
 - lib/dependabot/uv/requirement_parser.rb
@@ -296,7 +295,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.350.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.351.0
 rdoc_options: []
 require_paths:
 - lib

data/lib/dependabot/uv/package/package_details_fetcher.rb

@@ -1,486 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "json"
-require "time"
-require "cgi"
-require "excon"
-require "nokogiri"
-require "sorbet-runtime"
-require "dependabot/registry_client"
-require "dependabot/uv/name_normaliser"
-require "dependabot/package/package_release"
-require "dependabot/package/package_details"
-require "dependabot/uv/package/package_registry_finder"
-
-# Stores metadata for a package, including all its available versions
-module Dependabot
-  module Uv
-    module Package
-      CREDENTIALS_USERNAME = "username"
-      CREDENTIALS_PASSWORD = "password"
-
-      APPLICATION_JSON = "application/json"
-      APPLICATION_TEXT = "text/html"
-      CPYTHON = "cpython"
-      PYTHON = "python"
-      UNKNOWN = "unknown"
-
-      MAIN_PYPI_INDEXES = %w(
-        https://pypi.python.org/simple/
-        https://pypi.org/simple/
-      ).freeze
-      VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
-
-      class PackageDetailsFetcher
-        extend T::Sig
-
-        sig do
-          params(
-            dependency: Dependabot::Dependency,
-            dependency_files: T::Array[Dependabot::DependencyFile],
-            credentials: T::Array[Dependabot::Credential]
-          ).void
-        end
-        def initialize(
-          dependency:,
-          dependency_files:,
-          credentials:
-        )
-          @dependency          = dependency
-          @dependency_files    = dependency_files
-          @credentials         = credentials
-
-          @registry_urls = T.let(nil, T.nilable(T::Array[String]))
-        end
-
-        sig { returns(Dependabot::Dependency) }
-        attr_reader :dependency
-
-        sig { returns(T::Array[T.untyped]) }
-        attr_reader :dependency_files
-
-        sig { returns(T::Array[T.untyped]) }
-        attr_reader :credentials
-
-        sig { returns(Dependabot::Package::PackageDetails) }
-        def fetch
-          package_releases = registry_urls
-                             .select { |index_url| validate_index(index_url) } # Ensure only valid URLs
-                             .flat_map do |index_url|
-            fetch_from_registry(index_url) || [] # Ensure it always returns an array
-          rescue Excon::Error::Timeout, Excon::Error::Socket
-            raise if MAIN_PYPI_INDEXES.include?(index_url)
-
-            raise PrivateSourceTimedOut, sanitized_url(index_url)
-          rescue URI::InvalidURIError
-            raise DependencyFileNotResolvable, "Invalid URL: #{sanitized_url(index_url)}"
-          end
-
-          Dependabot::Package::PackageDetails.new(
-            dependency: dependency,
-            releases: package_releases.reverse
-          )
-        end
-
-        private
-
-        sig do
-          params(index_url: String)
-            .returns(T.nilable(T::Array[Dependabot::Package::PackageRelease]))
-        end
-        def fetch_from_registry(index_url)
-          metadata = fetch_from_json_registry(index_url)
-
-          return metadata if metadata&.any?
-
-          Dependabot.logger.warn("No valid versions found via JSON API. Falling back to HTML.")
-          fetch_from_html_registry(index_url)
-        rescue StandardError => e
-          Dependabot.logger.warn("Unexpected error in JSON fetch: #{e.message}. Falling back to HTML.")
-          fetch_from_html_registry(index_url)
-        end
-
-        # Example JSON Response Format:
-        #
-        # {
-        #   "info": {
-        #     "name": "requests",
-        #     "summary": "Python HTTP for Humans.",
-        #     "author": "Kenneth Reitz",
-        #     "license": "Apache-2.0"
-        #   },
-        #   "releases": {
-        #     "2.32.3": [
-        #       {
-        #         "filename": "requests-2.32.3-py3-none-any.whl",
-        #         "version": "2.32.3",
-        #         "requires_python": ">=3.8",
-        #         "yanked": false,
-        #         "url": "https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl"
-        #       },
-        #       {
-        #         "filename": "requests-2.32.3.tar.gz",
-        #         "version": "2.32.3",
-        #         "requires_python": ">=3.8",
-        #         "yanked": false,
-        #         "url": "https://files.pythonhosted.org/packages/63/70/2bf7780ad2d390a8d301ad0b550f1581eadbd9a20f896afe06353c2a2913/requests-2.32.3.tar.gz"
-        #       }
-        #     ],
-        #     "2.27.0": [
-        #       {
-        #         "filename": "requests-2.27.0-py2.py3-none-any.whl",
-        #         "version": "2.27.0",
-        #         "requires_python": ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*",
-        #         "yanked": false,
-        #         "url": "https://files.pythonhosted.org/packages/47/01/f420e7add78110940639a958e5af0e3f8e07a8a8b62049bac55ee117aa91/requests-2.27.0-py2.py3-none-any.whl"
-        #       },
-        #       {
-        #         "filename": "requests-2.27.0.tar.gz",
-        #         "version": "2.27.0",
-        #         "requires_python": ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*",
-        #         "yanked": false,
-        #         "url": "https://files.pythonhosted.org/packages/c0/e3/826e27b942352a74b656e8f58b4dc7ed9495ce2d4eeb498181167c615303/requests-2.27.0.tar.gz"
-        #       }
-        #     ]
-        #   }
-        # }
-        sig do
-          params(index_url: String)
-            .returns(T.nilable(T::Array[Dependabot::Package::PackageRelease]))
-        end
-        def fetch_from_json_registry(index_url)
-          json_url = index_url.sub(%r{/simple/?$}i, "/pypi/")
-
-          Dependabot.logger.info(
-            "Fetching release information from json registry at #{sanitized_url(json_url)} for #{dependency.name}"
-          )
-
-          response = registry_json_response_for_dependency(json_url)
-
-          return nil unless response.status == 200
-
-          begin
-            data = JSON.parse(response.body)
-
-            version_releases = data["releases"]
-
-            releases = format_version_releases(version_releases)
-
-            releases.sort_by(&:version).reverse
-          rescue JSON::ParserError
-            Dependabot.logger.warn("JSON parsing error for #{json_url}. Falling back to HTML.")
-            nil
-          rescue StandardError => e
-            Dependabot.logger.warn("Unexpected error while fetching JSON data: #{e.message}.")
-            nil
-          end
-        end
-
-        # This URL points to the Simple Index API for the "requests" package on PyPI.
-        # It provides an HTML listing of available package versions following PEP 503 (Simple Repository API).
-        # The information found here is useful for dependency resolution and package version retrieval.
-        #
-        # ✅ Information available in the Simple Index:
-        # - A list of package versions as anchor (`<a>`) elements.
-        # - URLs to distribution files (e.g., `.tar.gz`, `.whl`).
-        # - The `data-requires-python` attribute (if present) specifying the required Python version.
-        # - An optional `data-yanked` attribute indicating a yanked (withdrawn) version.
-        #
-        # ❌ Information NOT available in the Simple Index:
-        # - Release timestamps (upload time).
-        # - File digests (hashes like SHA256, MD5).
-        # - Package metadata such as description, author, or dependencies.
-        # - Download statistics.
-        # - Package type (`sdist` or `bdist_wheel`).
-        #
-        # To obtain full package metadata, use the PyPI JSON API:
-        # - JSON API: https://pypi.org/pypi/requests/json
-        #
-        # More details: https://www.python.org/dev/peps/pep-0503/
-        sig { params(index_url: String).returns(T::Array[Dependabot::Package::PackageRelease]) }
-        def fetch_from_html_registry(index_url)
-          Dependabot.logger.info(
-            "Fetching release information from html registry at #{sanitized_url(index_url)} for #{dependency.name}"
-          )
-          index_response = registry_response_for_dependency(index_url)
-          if index_response.status == 401 || index_response.status == 403
-            registry_index_response = registry_index_response(index_url)
-
-            if registry_index_response.status == 401 || registry_index_response.status == 403
-              raise PrivateSourceAuthenticationFailure, sanitized_url(index_url)
-            end
-          end
-
-          version_releases = extract_release_details_json_from_html(index_response.body)
-          releases = format_version_releases(version_releases)
-
-          releases.sort_by(&:version).reverse
-        end
-
-        sig do
-          params(html_body: String)
-            .returns(T::Hash[String, T::Array[T::Hash[String, T.untyped]]]) # Returns JSON-like format
-        end
-        def extract_release_details_json_from_html(html_body)
-          doc = Nokogiri::HTML(html_body)
-
-          releases = {}
-
-          doc.css("a").each do |a_tag|
-            details = version_details_from_link(a_tag.to_s)
-            if details && details["version"]
-              releases[details["version"]] ||= []
-              releases[details["version"]] << details
-            end
-          end
-
-          releases
-        end
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        sig do
-          params(link: T.nilable(String))
-            .returns(T.nilable(T::Hash[String, T.untyped]))
-        end
-        def version_details_from_link(link)
-          return unless link
-
-          doc = Nokogiri::XML(link)
-          filename = doc.at_css("a")&.content
-          url = doc.at_css("a")&.attributes&.fetch("href", nil)&.value
-
-          return unless filename&.match?(name_regex) || url&.match?(name_regex)
-
-          version = get_version_from_filename(filename)
-          return unless version_class.correct?(version)
-
-          {
-            "version" => version,
-            "requires_python" => requires_python_from_link(link),
-            "yanked" => link.include?("data-yanked"),
-            "url" => link
-          }
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        sig do
-          params(
-            releases_json: T.nilable(T::Hash[String, T::Array[T::Hash[String, T.untyped]]])
-          )
-            .returns(T::Array[Dependabot::Package::PackageRelease])
-        end
-        def format_version_releases(releases_json)
-          return [] unless releases_json
-
-          releases_json.each_with_object([]) do |(version, release_data_array), versions|
-            release_data = release_data_array.last
-
-            next unless release_data
-
-            release = format_version_release(version, release_data)
-
-            next unless release
-
-            versions << release
-          end
-        end
-
-        sig do
-          params(
-            version: String,
-            release_data: T::Hash[String, T.untyped]
-          )
-            .returns(T.nilable(Dependabot::Package::PackageRelease))
-        end
-        def format_version_release(version, release_data)
-          upload_time = release_data["upload_time"]
-          released_at = Time.parse(upload_time) if upload_time
-          yanked = release_data["yanked"] || false
-          yanked_reason = release_data["yanked_reason"]
-          downloads = release_data["downloads"] || -1
-          url = release_data["url"]
-          package_type = release_data["packagetype"]
-          language = package_language(
-            python_version: release_data["python_version"],
-            requires_python: release_data["requires_python"]
-          )
-
-          release = Dependabot::Package::PackageRelease.new(
-            version: Dependabot::Uv::Version.new(version),
-            released_at: released_at,
-            yanked: yanked,
-            yanked_reason: yanked_reason,
-            downloads: downloads,
-            url: url,
-            package_type: package_type,
-            language: language
-          )
-          release
-        end
-
-        sig do
-          params(
-            python_version: T.nilable(String),
-            requires_python: T.nilable(String)
-          )
-            .returns(T.nilable(Dependabot::Package::PackageLanguage))
-        end
-        def package_language(python_version:, requires_python:)
-          # Extract language name and version
-          language_name, language_version = convert_language_version(python_version)
-
-          # Extract language requirement
-          language_requirement = build_python_requirement(requires_python)
-
-          return nil unless language_version || language_requirement
-
-          # Return a Language object with all details
-          Dependabot::Package::PackageLanguage.new(
-            name: language_name,
-            version: language_version,
-            requirement: language_requirement
-          )
-        end
-
-        sig { params(version: T.nilable(String)).returns([String, T.nilable(Dependabot::Version)]) }
-        def convert_language_version(version)
-          return ["python", nil] if version.nil? || version == "source"
-
-          # Extract numeric parts dynamically (e.g., "cp37" -> "3.7", "py38" -> "3.8")
-          extracted_version = version.scan(/\d+/).join(".")
-
-          # Detect the language implementation
-          language_name = if version.start_with?("cp")
-                            "cpython" # CPython implementation
-                          elsif version.start_with?("py")
-                            "python" # General Python compatibility
-                          else
-                            "unknown" # Fallback for unknown cases
-                          end
-
-          # Ensure extracted version is valid before converting
-          language_version =
-            extracted_version.match?(/^\d+(\.\d+)*$/) ? Dependabot::Version.new(extracted_version) : nil
-
-          Dependabot.logger.warn("Skipping invalid language_version: #{version.inspect}") if language_version.nil?
-
-          [language_name, language_version]
-        end
-
-        sig { returns(T::Array[String]) }
-        def registry_urls
-          @registry_urls ||=
-            Package::PackageRegistryFinder.new(
-              dependency_files: dependency_files,
-              credentials: credentials,
-              dependency: dependency
-            ).registry_urls
-        end
-
-        sig { returns(String) }
-        def normalised_name
-          NameNormaliser.normalise(dependency.name)
-        end
-
-        sig { params(json_url: String).returns(Excon::Response) }
-        def registry_json_response_for_dependency(json_url)
-          url = "#{json_url.chomp('/')}/#{@dependency.name}/json"
-          Dependabot::RegistryClient.get(
-            url: url,
-            headers: { "Accept" => APPLICATION_JSON }
-          )
-        end
-
-        sig { params(index_url: String).returns(Excon::Response) }
-        def registry_response_for_dependency(index_url)
-          Dependabot::RegistryClient.get(
-            url: index_url + normalised_name + "/",
-            headers: { "Accept" => APPLICATION_TEXT }
-          )
-        end
-
-        sig { params(index_url: String).returns(Excon::Response) }
-        def registry_index_response(index_url)
-          Dependabot::RegistryClient.get(
-            url: index_url,
-            headers: { "Accept" => APPLICATION_TEXT }
-          )
-        end
-
-        sig { params(filename: String).returns(T.nilable(String)) }
-        def get_version_from_filename(filename)
-          filename
-            .gsub(/#{name_regex}-/i, "")
-            .split(/-|\.tar\.|\.zip|\.whl/)
-            .first
-        end
-
-        sig do
-          params(req_string: T.nilable(String))
-            .returns(T.nilable(Dependabot::Requirement))
-        end
-        def build_python_requirement(req_string)
-          return nil unless req_string
-
-          requirement_class.new(CGI.unescapeHTML(req_string))
-        rescue Gem::Requirement::BadRequirementError
-          nil
-        end
-
-        sig { params(link: String).returns(T.nilable(String)) }
-        def requires_python_from_link(link)
-          raw_value = Nokogiri::XML(link)
-                              .at_css("a")
-                              &.attribute("data-requires-python")
-                              &.content
-
-          return nil unless raw_value
-
-          CGI.unescapeHTML(raw_value) # Decodes HTML entities like &gt;=3 → >=3
-        end
-
-        sig { returns(T.class_of(Dependabot::Version)) }
-        def version_class
-          dependency.version_class
-        end
-
-        sig { returns(T.class_of(Dependabot::Requirement)) }
-        def requirement_class
-          dependency.requirement_class
-        end
-
-        sig { params(index_url: String).returns(T::Hash[String, String]) }
-        def auth_headers_for(index_url)
-          credential = @credentials.find { |cred| cred["index-url"] == index_url }
-          return {} unless credential
-
-          { "Authorization" => "Basic #{Base64.strict_encode64(
-            "#{credential[CREDENTIALS_USERNAME]}:#{credential[CREDENTIALS_PASSWORD]}"
-          )}" }
-        end
-
-        sig { returns(Regexp) }
-        def name_regex
-          parts = normalised_name.split(/[\s_.-]/).map { |n| Regexp.quote(n) }
-          /#{parts.join("[\s_.-]")}/i
-        end
-
-        sig { params(index_url: T.nilable(String)).returns(T::Boolean) }
-        def validate_index(index_url)
-          return false unless index_url
-
-          return true if index_url.match?(URI::RFC2396_PARSER.regexp[:ABS_URI])
-
-          raise Dependabot::DependencyFileNotResolvable,
-                "Invalid URL: #{sanitized_url(index_url)}"
-        end
-
-        sig { params(index_url: String).returns(String) }
-        def sanitized_url(index_url)
-          index_url.sub(%r{//([^/@]+)@}, "//redacted@")
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/uv/package/package_registry_finder.rb

@@ -1,288 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "toml-rb"
-require "sorbet-runtime"
-require "dependabot/dependency"
-require "dependabot/dependency_file"
-require "dependabot/credential"
-require "dependabot/uv/update_checker"
-require "dependabot/uv/authed_url_builder"
-require "dependabot/errors"
-
-module Dependabot
-  module Uv
-    module Package
-      class PackageRegistryFinder
-        extend T::Sig
-
-        PYPI_BASE_URL = "https://pypi.org/simple/"
-        ENVIRONMENT_VARIABLE_REGEX = /\$\{.+\}/
-
-        UrlsHash = T.type_alias { { main: T.nilable(String), extra: T::Array[String] } }
-
-        sig do
-          params(
-            dependency_files: T::Array[Dependabot::DependencyFile],
-            credentials: T::Array[Dependabot::Credential],
-            dependency: Dependabot::Dependency
-          ).void
-        end
-        def initialize(dependency_files:, credentials:, dependency:)
-          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
-          @credentials      = T.let(credentials, T::Array[Dependabot::Credential])
-          @dependency       = T.let(dependency, Dependabot::Dependency)
-        end
-
-        sig { returns(T::Array[String]) }
-        def registry_urls
-          extra_index_urls =
-            config_variable_index_urls[:extra] +
-            pipfile_index_urls[:extra] +
-            requirement_file_index_urls[:extra] +
-            pip_conf_index_urls[:extra] +
-            pyproject_index_urls[:extra]
-
-          extra_index_urls = extra_index_urls.map do |url|
-            clean_check_and_remove_environment_variables(url)
-          end
-
-          # URL encode any `@` characters within registry URL creds.
-          # TODO: The test that fails if the `map` here is removed is likely a
-          # bug in Ruby's URI parser, and should be fixed there.
-          [main_index_url, *extra_index_urls].map do |url|
-            url.rpartition("@").tap { |a| a.first.gsub!("@", "%40") }.join
-          end.uniq
-        end
-
-        private
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        attr_reader :dependency_files
-
-        sig { returns(T::Array[Dependabot::Credential]) }
-        attr_reader :credentials
-
-        sig { returns(String) }
-        def main_index_url
-          url =
-            config_variable_index_urls[:main] ||
-            pipfile_index_urls[:main] ||
-            requirement_file_index_urls[:main] ||
-            pip_conf_index_urls[:main] ||
-            pyproject_index_urls[:main] ||
-            PYPI_BASE_URL
-
-          clean_check_and_remove_environment_variables(url)
-        end
-
-        sig { returns(UrlsHash) }
-        def requirement_file_index_urls
-          urls = T.let({ main: nil, extra: [] }, UrlsHash)
-
-          requirements_files.each do |file|
-            content = file.content
-            next unless content
-
-            if content.match?(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
-              match_result = content.match(/^--index-url\s+['"]?([^\s'"]+)['"]?/)
-              urls[:main] = match_result&.captures&.first&.strip
-            end
-            extra_urls = urls[:extra]
-            extra_urls +=
-              content
-              .scan(/^--extra-index-url\s+['"]?([^\s'"]+)['"]?/)
-              .flatten
-              .map(&:strip)
-            urls[:extra] = extra_urls
-          end
-
-          urls
-        end
-
-        sig { returns(UrlsHash) }
-        def pip_conf_index_urls
-          urls = T.let({ main: nil, extra: [] }, UrlsHash)
-
-          return urls unless pip_conf
-
-          pip_conf_file = pip_conf
-          return urls unless pip_conf_file
-
-          content = pip_conf_file.content
-          return urls unless content
-
-          if content.match?(/^index-url\s*=/x)
-            match_result = content.match(/^index-url\s*=\s*(.+)/)
-            urls[:main] = match_result&.captures&.first
-          end
-          extra_urls = urls[:extra]
-          extra_urls += content.scan(/^extra-index-url\s*=(.+)/).flatten
-          urls[:extra] = extra_urls
-
-          urls
-        end
-
-        sig { returns(UrlsHash) }
-        def pipfile_index_urls
-          urls = T.let({ main: nil, extra: [] }, UrlsHash)
-          begin
-            return urls unless pipfile
-
-            pipfile_file = pipfile
-            return urls unless pipfile_file
-
-            content = pipfile_file.content
-            return urls unless content
-
-            pipfile_object = TomlRB.parse(content)
-
-            urls[:main] = pipfile_object["source"]&.first&.fetch("url", nil)
-
-            pipfile_object["source"]&.each do |source|
-              urls[:extra] << source.fetch("url") if source["url"]
-            end
-            urls[:extra] = urls[:extra].uniq
-
-            urls
-          rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-            urls
-          end
-        end
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        sig { returns(UrlsHash) }
-        def pyproject_index_urls
-          urls = T.let({ main: nil, extra: [] }, UrlsHash)
-
-          begin
-            return urls unless pyproject
-
-            pyproject_file = pyproject
-            return urls unless pyproject_file
-
-            pyproject_content = pyproject_file.content
-            return urls unless pyproject_content
-
-            sources =
-              TomlRB.parse(pyproject_content).dig("tool", "poetry", "source") ||
-              []
-
-            sources.each do |source|
-              # If source is PyPI, skip it, and let it pick the default URI
-              next if source["name"].casecmp?("PyPI")
-
-              if @dependency.all_sources.include?(source["name"])
-                # If dependency has specified this source, use it
-                return { main: source["url"], extra: [] }
-              elsif source["default"]
-                urls[:main] = source["url"]
-              elsif source["priority"] != "explicit"
-                # if source is not explicit, add it to extra
-                urls[:extra] << source["url"]
-              end
-            end
-            urls[:extra] = urls[:extra].uniq
-
-            urls
-          rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-            urls
-          end
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        sig { returns(UrlsHash) }
-        def config_variable_index_urls
-          urls = T.let({ main: nil, extra: [] }, UrlsHash)
-
-          index_url_creds = credentials
-                            .select { |cred| cred["type"] == "python_index" }
-
-          if (main_cred = index_url_creds.find(&:replaces_base?))
-            urls[:main] = AuthedUrlBuilder.authed_url(credential: main_cred)
-          end
-
-          urls[:extra] =
-            index_url_creds
-            .reject(&:replaces_base?)
-            .map { |cred| AuthedUrlBuilder.authed_url(credential: cred) }
-
-          urls
-        end
-
-        sig { params(url: String).returns(String) }
-        def clean_check_and_remove_environment_variables(url)
-          url = url.strip.sub(%r{/+$}, "") + "/"
-
-          return authed_base_url(url) unless url.match?(ENVIRONMENT_VARIABLE_REGEX)
-
-          config_variable_urls =
-            [
-              config_variable_index_urls[:main],
-              *config_variable_index_urls[:extra]
-            ]
-            .compact
-            .map { |u| u.strip.gsub(%r{/*$}, "") + "/" }
-
-          regexp = url
-                   .sub(%r{(?<=://).+@}, "")
-                   .sub(%r{https?://}, "")
-                   .split(ENVIRONMENT_VARIABLE_REGEX)
-                   .map { |part| Regexp.quote(part) }
-                   .join(".+")
-          authed_url = config_variable_urls.find { |u| u.match?(regexp) }
-          return authed_url if authed_url
-
-          cleaned_url = url.gsub(%r{#{ENVIRONMENT_VARIABLE_REGEX}/?}o, "")
-          authed_url = authed_base_url(cleaned_url)
-          return authed_url if credential_for(cleaned_url)
-
-          raise PrivateSourceAuthenticationFailure, url
-        end
-
-        sig { params(base_url: String).returns(String) }
-        def authed_base_url(base_url)
-          cred = credential_for(base_url)
-          return base_url unless cred
-
-          AuthedUrlBuilder.authed_url(credential: cred).gsub(%r{/*$}, "") + "/"
-        end
-
-        sig { params(url: String).returns(T.nilable(Dependabot::Credential)) }
-        def credential_for(url)
-          credentials
-            .select { |c| c["type"] == "python_index" }
-            .find do |c|
-              cred_url = c.fetch("index-url").gsub(%r{/*$}, "") + "/"
-              cred_url.include?(url)
-            end
-        end
-
-        sig { returns(T.nilable(Dependabot::DependencyFile)) }
-        def pip_conf
-          dependency_files.find { |f| f.name == "pip.conf" }
-        end
-
-        sig { returns(T.nilable(Dependabot::DependencyFile)) }
-        def pipfile
-          dependency_files.find { |f| f.name == "Pipfile" }
-        end
-
-        sig { returns(T.nilable(Dependabot::DependencyFile)) }
-        def pyproject
-          dependency_files.find { |f| f.name == "pyproject.toml" }
-        end
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        def requirements_files
-          dependency_files.select { |f| f.name.match?(/requirements/x) }
-        end
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        def pip_compile_files
-          dependency_files.select { |f| f.name.end_with?(".in") }
-        end
-      end
-    end
-  end
-end