dependabot-uv 0.355.0 → 0.356.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 181d67bcde74a88513746bbda787661b2209f8846e3cb2be4e25dc103df5d6ed
-  data.tar.gz: f19a7c8dbc8208cfdba09e5f5513b04895b6ff4eb32c5cba0690bb21e2a2db6d
+  metadata.gz: d86ed84b5d9b47a421b7274955257417ee58559cbb67eaa40577daf3860a6207
+  data.tar.gz: caaf52d0e3e41c6069068f4ff57dec63bc0875fecbef986c584dc91eb9d4305c
 SHA512:
-  metadata.gz: 283cc516dddfee23f781f4ba93cc92d16eeac587f1f018ea13b53c04bc63c47c680dd9cbf4ffeab96b7edfe23ef0d560b355b3b2b8f52b4f0765e02d27d77c23
-  data.tar.gz: a94975fe714eae7eadac990e4ce9c8d996ac4478b0016557245fb5fc2e5745591832f2098d1ca0383bcb7de025cf0e85b047aeefed2baaa8b602e90ac4d0431f
+  metadata.gz: bb666f33ce0bb0f7540ca5d071043e6540acae1bd95cb70d3a153ec3c573ce88535e82d352aedd90b2da1a71169fe04cd77a43920f4c2bab271e87e21bdc6069
+  data.tar.gz: 6c7e22a137622e1cbd5a2c0415b973da7d412e812ee785172c9ba2191b91788ff9de087703197a41457b58a67688baf0912f407cb9b5008b43b210020f986452

data/helpers/requirements.txt

@@ -7,7 +7,7 @@ plette==2.1.0
 poetry==1.8.5
 # TODO: Replace 3p package `tomli` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 tomli==2.0.1
-uv==0.9.11
+uv==0.9.18
 
 # Some dependencies will only install if Cython is present
 Cython==3.0.10

data/lib/dependabot/uv/file_fetcher/workspace_fetcher.rb

@@ -4,10 +4,11 @@
 require "toml-rb"
 require "sorbet-runtime"
 require "dependabot/dependency_file"
+require "dependabot/uv/file_fetcher"
 
 module Dependabot
   module Uv
-    class FileFetcher < Dependabot::FileFetchers::Base
+    class FileFetcher < Dependabot::Python::SharedFileFetcher
       class WorkspaceFetcher
         extend T::Sig
 
@@ -172,7 +173,7 @@ module Dependabot
         # Delegate methods to file_fetcher
         sig { params(path: T.nilable(T.any(Pathname, String))).returns(String) }
         def clean_path(path)
-          @file_fetcher.send(:cleanpath, path)
+          @file_fetcher.send(:clean_path, path)
         end
 
         sig do

data/lib/dependabot/uv/file_fetcher.rb

@@ -5,26 +5,19 @@ require "toml-rb"
 require "sorbet-runtime"
 
 require "dependabot/file_fetchers"
-require "dependabot/file_fetchers/base"
+require "dependabot/python/file_fetcher"
 require "dependabot/uv"
-require "dependabot/uv/language_version_manager"
 require "dependabot/uv/requirements_file_matcher"
-require "dependabot/uv/requirement_parser"
-require "dependabot/uv/file_parser/pyproject_files_parser"
-require "dependabot/uv/file_parser/python_requirement_parser"
 require "dependabot/uv/file_fetcher/workspace_fetcher"
 require "dependabot/errors"
-require "dependabot/file_filtering"
 
 module Dependabot
   module Uv
-    class FileFetcher < Dependabot::FileFetchers::Base # rubocop:disable Metrics/ClassLength
+    class FileFetcher < Dependabot::Python::SharedFileFetcher
       extend T::Sig
-      extend T::Helpers
 
-      CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
-      CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
-      DEPENDENCY_TYPES = %w(packages dev-packages).freeze
+      ECOSYSTEM_SPECIFIC_FILES = T.let(%w(uv.lock).freeze, T::Array[String])
+
       REQUIREMENT_FILE_PATTERNS = T.let(
         {
           extensions: [".txt", ".in"],
@@ -36,88 +29,69 @@ module Dependabot
       # Projects that use README files for metadata may use any of these common names
       README_FILENAMES = T.let(%w(README.md README.rst README.txt README).freeze, T::Array[String])
 
-      MAX_FILE_SIZE = 500_000
-
-      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
-      def self.required_files_in?(filenames)
-        return true if filenames.any? do |name|
-          T.must(REQUIREMENT_FILE_PATTERNS[:extensions]).any? do |ext|
-            name.end_with?(ext)
-          end
-        end
-
-        # If there is a directory of requirements return true
-        return true if filenames.include?("requirements")
+      # Type alias for path dependency hashes
+      PathDependency = T.type_alias { T::Hash[Symbol, String] }
 
-        # If this repo is using pyproject.toml return true (uv.lock files require a pyproject.toml)
-        filenames.include?("pyproject.toml")
+      sig { override.returns(T::Array[String]) }
+      def self.ecosystem_specific_required_files
+        # uv.lock is not a standalone required file - it requires pyproject.toml
+        []
       end
 
       sig { override.returns(String) }
       def self.required_files_message
-        "Repo must contain a requirements.txt, uv.lock, requirements.in, or pyproject.toml" \
+        "Repo must contain a requirements.txt, uv.lock, requirements.in, or pyproject.toml"
       end
 
-      sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-      def ecosystem_versions
-        # Hmm... it's weird that this calls file parser methods, but here we are in the file fetcher... for all
-        # ecosystems our goal is to extract the user specified versions, so we'll need to do file parsing... so should
-        # we move this `ecosystem_versions` metrics method to run in the file parser for all ecosystems? Downside is if
-        # file parsing blows up, this metric isn't emitted, but reality is we have to parse anyway... as we want to know
-        # the user-specified range of versions, not the version Dependabot chose to run.
-        python_requirement_parser = FileParser::PythonRequirementParser.new(dependency_files: files)
-        language_version_manager = LanguageVersionManager.new(python_requirement_parser: python_requirement_parser)
-        Dependabot.logger.info("Dependabot is using Python version '#{language_version_manager.python_version}'.")
-        {
-          languages: {
-            python: {
-              # TODO: alternatively this could use `python_requirement_parser.user_specified_requirements` which
-              # returns an array... which we could flip to return a hash of manifest name => version
-              # string and then check for min/max versions... today it simply defaults to
-              # array.first which seems rather arbitrary.
-              "raw" => language_version_manager.user_specified_python_version || "unknown",
-              "max" => language_version_manager.python_major_minor || "unknown"
-            }
-          }
-        }
+      private
+
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def ecosystem_specific_files
+        files = []
+        files += readme_files
+        files += uv_lock_files
+        files += workspace_member_files
+        files
       end
 
-      sig { override.returns(T::Array[DependencyFile]) }
-      def fetch_files
-        fetched_files = []
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def pyproject_files
+        [pyproject].compact
+      end
 
-        fetched_files += pyproject_files
-        # Fetch README support files if referenced in pyproject metadata
-        fetched_files += readme_files
+      sig { override.returns(T::Array[T::Hash[Symbol, String]]) }
+      def path_dependencies
+        [
+          *requirement_txt_path_dependencies,
+          *requirement_in_path_dependencies,
+          *uv_sources_path_dependencies
+        ]
+      end
 
-        fetched_files += requirements_in_files
-        fetched_files += requirement_files if requirements_txt_files.any?
+      sig { override.returns(T::Array[String]) }
+      def additional_path_dependencies
+        []
+      end
 
-        fetched_files += uv_lock_files
-        fetched_files += project_files
-        fetched_files += workspace_member_files
-        fetched_files << python_version_file if python_version_file
+      sig { override.params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+      def lockfile_for_compile_file?(file)
+        requirements_in_file_matcher.compiled_file?(file)
+      end
 
-        uniques = uniq_files(fetched_files)
-        filtered_files = uniques.reject do |file|
-          Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
-        end
+      sig { override.params(path: String).returns(T::Array[Dependabot::DependencyFile]) }
+      def fetch_project_file(path)
+        project_files = []
 
-        filtered_files
-      end
+        path = clean_path(File.join(path, "pyproject.toml")) unless sdist_or_wheel?(path)
 
-      private
+        return [] if path == "pyproject.toml" && pyproject
 
-      sig { params(fetched_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
-      def uniq_files(fetched_files)
-        uniq_files = fetched_files.reject(&:support_file?).uniq
-        uniq_files += fetched_files
-                      .reject { |f| uniq_files.map(&:name).include?(f.name) }
-      end
+        project_files << fetch_file_from_host(
+          path,
+          fetch_submodules: true
+        ).tap { |f| f.support_file = true }
 
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def pyproject_files
-        [pyproject].compact
+        project_files
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -137,65 +111,18 @@ module Dependabot
         workspace_fetcher.send(:fetch_readme_files_for, directory, T.must(pyproject))
       end
 
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def requirement_files
-        [
-          *requirements_txt_files,
-          *child_requirement_txt_files,
-          *constraints_files
-        ]
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def python_version_file
-        return @python_version_file if defined?(@python_version_file)
-
-        @python_version_file = T.let(fetch_support_file(".python-version"), T.nilable(Dependabot::DependencyFile))
-
-        return @python_version_file if @python_version_file
-        return if [".", "/"].include?(directory)
-
-        # Check the top-level for a .python-version file, too
-        reverse_path = Pathname.new(directory[0]).relative_path_from(directory)
-        @python_version_file =
-          fetch_support_file(File.join(reverse_path, ".python-version"))
-          &.tap { |f| f.name = ".python-version" }
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def pyproject
-        return @pyproject if defined?(@pyproject)
-
-        @pyproject = T.let(fetch_file_if_present("pyproject.toml"), T.nilable(Dependabot::DependencyFile))
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def requirements_txt_files
-        req_txt_and_in_files.select { |f| f.name.end_with?(".txt") }
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def requirements_in_files
-        req_txt_and_in_files.select { |f| f.name.end_with?(".in") } +
-          child_requirement_in_files
-      end
-
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def uv_lock_files
         req_txt_and_in_files.select { |f| f.name.end_with?("uv.lock") } +
           child_uv_lock_files
       end
 
-      sig { returns(TomlContent) }
-      def parsed_pyproject
-        raise "No pyproject.toml" unless pyproject
-
-        @parsed_pyproject ||= T.let(TomlRB.parse(T.must(pyproject).content), T.nilable(TomlContent))
-      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
-        raise Dependabot::DependencyFileNotParseable, T.must(pyproject).path
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def child_uv_lock_files
+        child_requirement_files.select { |f| f.name.end_with?("uv.lock") }
       end
 
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def req_txt_and_in_files
         return @req_txt_and_in_files if @req_txt_and_in_files
 
@@ -215,229 +142,6 @@ module Dependabot
         fetch_requirement_files_from_path(relative_reqs_dir)
       end
 
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def child_requirement_txt_files
-        child_requirement_files.select { |f| f.name.end_with?(".txt") }
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def child_requirement_in_files
-        child_requirement_files.select { |f| f.name.end_with?(".in") }
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def child_uv_lock_files
-        child_requirement_files.select { |f| f.name.end_with?("uv.lock") }
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def child_requirement_files
-        @child_requirement_files ||= T.let(
-          begin
-            fetched_files = req_txt_and_in_files.dup
-            req_txt_and_in_files.flat_map do |requirement_file|
-              child_files = fetch_child_requirement_files(
-                file: requirement_file,
-                previously_fetched_files: fetched_files
-              )
-
-              fetched_files += child_files
-              child_files
-            end
-          end,
-          T.nilable(T::Array[Dependabot::DependencyFile])
-        )
-      end
-
-      sig do
-        params(
-          file: Dependabot::DependencyFile,
-          previously_fetched_files: T::Array[Dependabot::DependencyFile]
-        ).returns(T::Array[Dependabot::DependencyFile])
-      end
-      def fetch_child_requirement_files(file:, previously_fetched_files:)
-        content = file.content
-        return [] if content.nil?
-
-        paths = content.scan(CHILD_REQUIREMENT_REGEX).flatten
-        current_dir = File.dirname(file.name)
-
-        paths.flat_map do |path|
-          path = File.join(current_dir, path) unless current_dir == "."
-          path = cleanpath(path)
-
-          next if previously_fetched_files.map(&:name).include?(path)
-          next if file.name == path
-
-          if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files) &&
-             !@exclude_paths.empty? && Dependabot::FileFiltering.exclude_path?(path, @exclude_paths)
-            raise Dependabot::DependencyFileNotEvaluatable,
-                  "Cannot process requirements: '#{file.name}' references excluded file '#{path}'. " \
-                  "Please either remove the reference from '#{file.name}' " \
-                  "or update your exclude_paths configuration."
-          end
-
-          fetched_file = fetch_file_from_host(path)
-          grandchild_requirement_files = fetch_child_requirement_files(
-            file: fetched_file,
-            previously_fetched_files: previously_fetched_files + [file]
-          )
-          [fetched_file, *grandchild_requirement_files]
-        end.compact
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def constraints_files
-        all_requirement_files = requirements_txt_files +
-                                child_requirement_txt_files
-
-        constraints_paths = all_requirement_files.map do |req_file|
-          current_dir = File.dirname(req_file.name)
-          content = req_file.content
-          next [] if content.nil?
-
-          paths = content.scan(CONSTRAINT_REGEX).flatten
-
-          paths.map do |path|
-            path = File.join(current_dir, path) unless current_dir == "."
-            cleanpath(path)
-          end
-        end.flatten.uniq
-
-        constraints_paths.map { |path| fetch_file_from_host(path) }
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def project_files
-        project_files = T.let([], T::Array[Dependabot::DependencyFile])
-        unfetchable_deps = []
-
-        path_dependencies.each do |dep|
-          path = dep[:path]
-          next if path.nil?
-
-          project_files += fetch_project_file(path)
-        rescue Dependabot::DependencyFileNotFound
-          unfetchable_deps << "\"#{dep[:name]}\" at #{cleanpath(File.join(directory, dep[:file]))}"
-        end
-
-        raise Dependabot::PathDependenciesNotReachable, unfetchable_deps if unfetchable_deps.any?
-
-        project_files
-      end
-
-      sig { params(path: String).returns(T::Array[Dependabot::DependencyFile]) }
-      def fetch_project_file(path)
-        project_files = []
-
-        path = cleanpath(File.join(path, "pyproject.toml")) unless sdist_or_wheel?(path)
-
-        return [] if path == "pyproject.toml" && pyproject
-
-        project_files << fetch_file_from_host(
-          path,
-          fetch_submodules: true
-        ).tap { |f| f.support_file = true }
-
-        project_files
-      end
-
-      sig { params(path: String).returns(T::Boolean) }
-      def sdist_or_wheel?(path)
-        path.end_with?(".tar.gz", ".whl", ".zip")
-      end
-
-      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
-      def requirements_file?(file)
-        return false unless file.content&.valid_encoding?
-        return true if file.name.match?(/requirements/x)
-
-        T.must(file.content).lines.all? do |line|
-          next true if line.strip.empty?
-          next true if line.strip.start_with?("#", "-r ", "-c ", "-e ", "--")
-
-          line.match?(RequirementParser::VALID_REQ_TXT_REQUIREMENT)
-        end
-      end
-
-      sig { returns(T::Array[PathDependency]) }
-      def path_dependencies
-        [
-          *requirement_txt_path_dependencies,
-          *requirement_in_path_dependencies,
-          *uv_sources_path_dependencies
-        ]
-      end
-
-      sig { returns(T::Array[PathDependency]) }
-      def requirement_txt_path_dependencies
-        (requirements_txt_files + child_requirement_txt_files)
-          .map { |req_file| parse_requirement_path_dependencies(req_file) }
-          .flatten.uniq { |dep| dep[:path] }
-      end
-
-      sig { returns(T::Array[PathDependency]) }
-      def requirement_in_path_dependencies
-        requirements_in_files
-          .map { |req_file| parse_requirement_path_dependencies(req_file) }
-          .flatten.uniq { |dep| dep[:path] }
-      end
-
-      sig { params(req_file: Dependabot::DependencyFile).returns(T::Array[PathDependency]) }
-      def parse_requirement_path_dependencies(req_file)
-        # If this is a pip-compile lockfile, rely on whatever path dependencies we found in the main manifest
-        return [] if requirements_in_file_matcher.compiled_file?(req_file)
-
-        content = T.must(req_file.content)
-        uneditable_reqs = parse_uneditable_requirements(content, req_file.name)
-        editable_reqs = parse_editable_requirements(content, req_file.name)
-
-        uneditable_reqs + editable_reqs
-      end
-
-      sig { params(content: String, file_name: String).returns(T::Array[PathDependency]) }
-      def parse_uneditable_requirements(content, file_name)
-        content
-          .scan(/(?<name>^['"]?(?:file:)?(?<path>\..*?)(?=\[|#|'|"|$))/)
-          .filter_map { |match_data| process_requirement_match(T.cast(match_data, T::Array[String]), file_name, false) }
-      end
-
-      sig { params(content: String, file_name: String).returns(T::Array[PathDependency]) }
-      def parse_editable_requirements(content, file_name)
-        content
-          .scan(/(?<name>^(?:-e)\s+['"]?(?:file:)?(?<path>.*?)(?=\[|#|'|"|$))/)
-          .filter_map { |match_data| process_requirement_match(T.cast(match_data, T::Array[String]), file_name, true) }
-      end
-
-      sig do
-        params(
-          match_data: T::Array[String],
-          file_name: String,
-          editable: T::Boolean
-        ).returns(T.nilable(PathDependency))
-      end
-      def process_requirement_match(match_data, file_name, editable)
-        name, path = match_data
-        return nil if name.nil? || path.nil?
-        return nil if path.include?("://")
-        return nil if editable && path.include?("git@")
-
-        { name: name.strip, path: path.strip, file: file_name }
-      end
-
-      sig { params(path: String).returns(String) }
-      def cleanpath(path)
-        Pathname.new(path).cleanpath.to_path
-      end
-
-      sig { returns(Dependabot::Uv::RequiremenstFileMatcher) }
-      def requirements_in_file_matcher
-        @requirements_in_file_matcher ||= T.let(
-          RequiremenstFileMatcher.new(requirements_in_files),
-          T.nilable(Dependabot::Uv::RequiremenstFileMatcher)
-        )
-      end
-
       sig { returns(T::Array[PathDependency]) }
       def uv_sources_path_dependencies
         return [] unless pyproject
@@ -461,6 +165,14 @@ module Dependabot
         workspace_fetcher.uv_sources_workspace_dependencies
       end
 
+      sig { returns(Dependabot::Uv::RequiremenstFileMatcher) }
+      def requirements_in_file_matcher
+        @requirements_in_file_matcher ||= T.let(
+          RequiremenstFileMatcher.new(requirements_in_files),
+          T.nilable(Dependabot::Uv::RequiremenstFileMatcher)
+        )
+      end
+
       sig { params(path: T.nilable(T.any(Pathname, String))).returns(T::Array[Dependabot::DependencyFile]) }
       def fetch_requirement_files_from_path(path = nil)
         contents = path ? repo_contents(dir: path) : repo_contents

data/lib/dependabot/uv/file_updater/compile_file_updater.rb

@@ -610,7 +610,7 @@ module Dependabot
 
         sig { returns(T::Hash[String, T::Array[String]]) }
         def requirement_map
-          child_req_regex = Uv::FileFetcher::CHILD_REQUIREMENT_REGEX
+          child_req_regex = Python::SharedFileFetcher::CHILD_REQUIREMENT_REGEX
           @requirement_map ||= T.let(
             compile_files.each_with_object({}) do |file, req_map|
               paths = T.must(file.content).scan(child_req_regex).flatten

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -314,13 +314,13 @@ module Dependabot
           command = "pyenv exec uv lock --upgrade-package #{package_spec} #{options}"
           fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> #{options_fingerprint}"
 
-          run_command(command, fingerprint:)
+          run_command(command, fingerprint: fingerprint, env: explicit_index_env_vars)
         end
 
-        sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
-        def run_command(command, fingerprint: nil)
+        sig { params(command: String, fingerprint: T.nilable(String), env: T::Hash[String, String]).returns(String) }
+        def run_command(command, fingerprint: nil, env: {})
           Dependabot.logger.info("Running command: #{command}")
-          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint, env: env)
         end
 
         sig { params(pyproject_content: String).returns(Integer) }
@@ -373,6 +373,7 @@ module Dependabot
         def lock_index_options
           credentials
             .select { |cred| cred["type"] == "python_index" }
+            .reject { |cred| explicit_index?(cred) }
             .map do |cred|
             authed_url = AuthedUrlBuilder.authed_url(credential: cred)
 
@@ -384,6 +385,86 @@ module Dependabot
           end
         end
 
+        sig { params(credential: Dependabot::Credential).returns(T::Boolean) }
+        def explicit_index?(credential)
+          return false if credential.replaces_base?
+
+          cred_url = normalize_index_url(credential["index-url"].to_s)
+          uv_indices.any? do |_name, config|
+            config["explicit"] == true && normalize_index_url(config["url"].to_s) == cred_url
+          end
+        end
+
+        sig { params(url: String).returns(String) }
+        def normalize_index_url(url)
+          url.chomp("/")
+        end
+
+        sig { returns(T::Hash[String, T::Hash[String, T.untyped]]) }
+        def uv_indices
+          @uv_indices ||= T.let(parse_uv_indices, T.nilable(T::Hash[String, T::Hash[String, T.untyped]]))
+        end
+
+        sig { returns(T::Hash[String, T::Hash[String, T.untyped]]) }
+        def parse_uv_indices
+          return {} unless pyproject&.content
+
+          parsed = TomlRB.parse(T.must(pyproject).content)
+          indices = parsed.dig("tool", "uv", "index")
+          return {} unless indices.is_a?(Array)
+
+          indices.each_with_object({}) do |index, result|
+            name = index["name"]
+            next unless name
+
+            result[name] = {
+              "url" => index["url"],
+              "explicit" => index["explicit"] == true
+            }
+          end
+        rescue TomlRB::ParseError
+          {}
+        end
+
+        # For hosted Dependabot, token will be nil since the credentials aren't present
+        # (the proxy handles authentication). This is for those running Dependabot
+        # themselves and for dry-run.
+        sig { returns(T::Hash[String, String]) }
+        def explicit_index_env_vars
+          env_vars = {}
+
+          credentials
+            .select { |cred| cred["type"] == "python_index" }
+            .select { |cred| explicit_index?(cred) }
+            .each do |cred|
+            index_name = find_index_name_for_credential(cred)
+            next unless index_name
+
+            env_name = index_name.upcase.gsub(/[^A-Z0-9]/, "_")
+
+            env_vars["UV_INDEX_#{env_name}_USERNAME"] = cred["username"] if cred["username"]
+
+            if cred["password"]
+              env_vars["UV_INDEX_#{env_name}_PASSWORD"] = cred["password"]
+            elsif cred["token"]
+              env_vars["UV_INDEX_#{env_name}_PASSWORD"] = cred["token"]
+            end
+          end
+
+          env_vars
+        end
+
+        sig { params(credential: Dependabot::Credential).returns(T.nilable(String)) }
+        def find_index_name_for_credential(credential)
+          cred_url = normalize_index_url(credential["index-url"].to_s)
+
+          uv_indices.each do |name, config|
+            return name if normalize_index_url(config["url"].to_s) == cred_url
+          end
+
+          nil
+        end
+
         sig { params(options: String).returns(String) }
         def lock_options_fingerprint(options)
           options.sub(