dependabot-vcpkg 0.330.0 → 0.331.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7713306fbe4ea0b15cfa64dd7fc1e907e4752f7b1bec45aacf4225c19aef3aff
-  data.tar.gz: aaa38b5fd4b6f611f39e712b9e85d57b52f7ee0874af2ba643b68223f42a0bd6
+  metadata.gz: de783ea876a57b2c06a733fcfc7a7d77d40620d31e716228011c6c8b2de31198
+  data.tar.gz: e0d94dec9bc66e517553e733a3d1217c1f36e2ab28060a9988cfdf4ad30ea21a
 SHA512:
-  metadata.gz: 5a4fd0d7a1c07f2500a00a6bb0835620e65848150616730f4614964a3788d9d31c8cc8b623c7a604040309f6f4653b025dbb2b8f9ecb665ac5e3248a8ec2ae4b
-  data.tar.gz: 4d7fbde51aa2ee19e1df4cac2219419112105bb1c065994a445137c3203a3e812118163843b1b55a3dcb5383ef6611cbe7df4a9bc95d25565b288dbe4cf4d952
+  metadata.gz: 07746f666b174819f3282ff4c37d8bc2ee8314979a2a04928324cac306668aeb4e16596b7f0bac79772bdad2d073becc589074f5121835ae1dfdb658256cde94
+  data.tar.gz: 9295a5ae0296def79c693358ab21adad0986b214be5ec530b00caa567199aa0711447966c732188ace6394de030f234d69c3187e96c32351cd90e06d9103e3bb

data/lib/dependabot/vcpkg/file_parser.rb

@@ -6,6 +6,7 @@ require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "dependabot/logger"
 
 require "dependabot/vcpkg"
 require "dependabot/vcpkg/language"
@@ -20,12 +21,7 @@ module Dependabot
 
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
-        dependency_set = DependencySet.new
-
-        dependency_files.filter_map { |file| parse_dependency_file(file) }
-                        .each { |dependency| dependency_set << dependency }
-
-        dependency_set.dependencies
+        dependency_files.flat_map { |file| parse_dependency_file(file) }.compact
       end
 
       sig { override.returns(Ecosystem) }
@@ -49,31 +45,41 @@ module Dependabot
         raise Dependabot::DependencyFileNotFound, VCPKG_JSON_FILENAME
       end
 
-      sig { params(dependency_file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::Dependency)) }
+      sig { params(dependency_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
       def parse_dependency_file(dependency_file)
-        return unless dependency_file.content
+        return [] unless dependency_file.content
 
         case dependency_file.name
-        when VCPKG_JSON_FILENAME then parse_vcpkg_json(dependency_file)
-        when VCPKG_CONFIGURATION_JSON_FILENAME then nil # TODO
+        in VCPKG_JSON_FILENAME then parse_vcpkg_json(dependency_file)
+        in VCPKG_CONFIGURATION_JSON_FILENAME then [] # TODO
+        else []
         end
       end
 
-      sig { params(dependency_file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::Dependency)) }
+      sig { params(dependency_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
       def parse_vcpkg_json(dependency_file)
         contents = T.must(dependency_file.content)
-
         parsed_json = JSON.parse(contents)
-        baseline = parsed_json["builtin-baseline"]
-        return unless baseline
 
-        build_baseline_dependency(baseline: baseline, file: dependency_file)
+        dependencies = []
+
+        parsed_json["builtin-baseline"]&.then do |baseline|
+          dependencies << parse_baseline_dependency(baseline:, dependency_file:)
+        end
+
+        parsed_json["dependencies"]&.each do |dep|
+          dependency = parse_port_dependency(dep:, dependency_file:)
+          dependencies << dependency if dependency
+        end
+
+        dependencies.compact
       rescue JSON::ParserError
+        Dependabot.logger.warn("Failed to parse #{dependency_file.name}: #{dependency_file.content}")
         raise Dependabot::DependencyFileNotParseable, T.must(dependency_files.first).path
       end
 
-      sig { params(baseline: String, file: Dependabot::DependencyFile).returns(Dependabot::Dependency) }
-      def build_baseline_dependency(baseline:, file:)
+      sig { params(baseline: String, dependency_file: Dependabot::DependencyFile).returns(Dependabot::Dependency) }
+      def parse_baseline_dependency(baseline:, dependency_file:)
         Dependabot::Dependency.new(
           name: VCPKG_DEFAULT_BASELINE_DEPENDENCY_NAME,
           version: baseline,
@@ -86,20 +92,69 @@ module Dependabot
               url: VCPKG_DEFAULT_BASELINE_URL,
               ref: VCPKG_DEFAULT_BASELINE_DEFAULT_BRANCH
             },
-            file: file.name
+            file: dependency_file.name
           }]
         )
       end
 
-      sig { returns(Ecosystem::VersionManager) }
-      def package_manager
-        @package_manager ||= T.let(PackageManager.new, T.nilable(Dependabot::Vcpkg::PackageManager))
+      sig do
+        params(
+          dep: T.untyped,
+          dependency_file: Dependabot::DependencyFile
+        )
+          .returns(T.nilable(Dependabot::Dependency))
+      end
+      def parse_port_dependency(dep:, dependency_file:)
+        case dep
+        when String
+          # Simple string dependency like "curl" - log and skip
+          Dependabot.logger.warn("Skipping vcpkg dependency '#{dep}' without version>= constraint")
+          nil
+        when Hash
+          name = dep["name"]
+          version_constraint = dep["version>="]
+
+          return nil unless name.is_a?(String)
+
+          unless version_constraint
+            Dependabot.logger.warn("Skipping vcpkg dependency '#{name}' without version>= constraint")
+            return nil
+          end
+
+          # Parse version and optional port-version
+          version, _port_version = parse_version_with_port(version_constraint)
+
+          Dependabot::Dependency.new(
+            name:,
+            version:,
+            package_manager: "vcpkg",
+            requirements: [{
+              requirement: ">=#{version_constraint}",
+              groups: [],
+              source: nil,
+              file: dependency_file.name
+            }]
+          )
+        else
+          Dependabot.logger.warn("Skipping unknown vcpkg dependency format: #{dep.inspect}")
+          nil
+        end
       end
 
-      sig { returns(Ecosystem::VersionManager) }
-      def language
-        @language ||= T.let(Language.new, T.nilable(Dependabot::Vcpkg::Language))
+      sig { params(version_string: String).returns([String, T.nilable(String)]) }
+      def parse_version_with_port(version_string)
+        if version_string.include?("#")
+          version_string.split("#", 2).then { |parts| [parts[0] || "", parts[1]] }
+        else
+          [version_string, nil]
+        end
       end
+
+      sig { returns(Ecosystem::VersionManager) }
+      def package_manager = @package_manager ||= T.let(PackageManager.new, T.nilable(Dependabot::Vcpkg::PackageManager))
+
+      sig { returns(Ecosystem::VersionManager) }
+      def language = @language ||= T.let(Language.new, T.nilable(Dependabot::Vcpkg::Language))
     end
   end
 end

data/lib/dependabot/vcpkg/file_updater.rb

@@ -23,9 +23,7 @@ module Dependabot
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
         vcpkg_json_file = get_original_file(VCPKG_JSON_FILENAME)
-        return [] unless vcpkg_json_file
-
-        return [] unless file_changed?(vcpkg_json_file)
+        return [] unless vcpkg_json_file&.then { |file| file_changed?(file) }
 
         [updated_file(
           file: vcpkg_json_file,
@@ -45,19 +43,28 @@ module Dependabot
       sig { params(file: Dependabot::DependencyFile).returns(String) }
       def updated_vcpkg_json_content(file)
         content = T.must(file.content)
-
         parsed_content = JSON.parse(content)
 
-        # Find the baseline dependency and update it
         dependencies
-          .find { |dep| dep.name == VCPKG_DEFAULT_BASELINE_DEPENDENCY_NAME }
-          &.then { |dep| update_baseline_in_content(parsed_content, dep, file.name) }
+          .filter_map { |dep| [dep, dep.requirements.find { |r| r[:file] == file.name }] }
+          .select { |_, requirement| requirement }
+          .each { |dependency, _| update_dependency_in_content(parsed_content, dependency, file.name) }
 
         JSON.pretty_generate(parsed_content)
       rescue JSON::ParserError
         raise Dependabot::DependencyFileNotParseable, file.path
       end
 
+      sig { params(content: T::Hash[String, T.untyped], dependency: Dependabot::Dependency, filename: String).void }
+      def update_dependency_in_content(content, dependency, filename)
+        case dependency.name
+        when VCPKG_DEFAULT_BASELINE_DEPENDENCY_NAME
+          update_baseline_in_content(content, dependency, filename)
+        else
+          update_port_dependency_in_content(content, dependency)
+        end
+      end
+
       sig { params(content: T::Hash[String, T.untyped], dependency: Dependabot::Dependency, filename: String).void }
       def update_baseline_in_content(content, dependency, filename)
         # Find the requirement for this specific file
@@ -72,6 +79,17 @@ module Dependabot
           # Skip if source doesn't have the expected structure
         end
       end
+
+      sig { params(content: T::Hash[String, T.untyped], dependency: Dependabot::Dependency).void }
+      def update_port_dependency_in_content(content, dependency)
+        # Update the dependencies array
+        dependencies_array = content["dependencies"]
+        return unless dependencies_array.is_a?(Array)
+
+        # Find and update the specific dependency using more functional approach
+        target_dep = dependencies_array.find { _1.is_a?(Hash) && _1["name"] == dependency.name }
+        target_dep&.[]=("version>=", dependency.version)
+      end
     end
   end
 end

data/lib/dependabot/vcpkg/package/package_details_fetcher.rb

@@ -5,10 +5,13 @@ require "sorbet-runtime"
 require "uri"
 
 require "dependabot/git_commit_checker"
+require "dependabot/logger"
 require "dependabot/package/package_details"
 require "dependabot/registry_client"
+require "dependabot/shared_helpers"
 require "dependabot/update_checkers/base"
 
+require "dependabot/vcpkg"
 require "dependabot/vcpkg/version"
 
 module Dependabot
@@ -31,20 +34,10 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::Package::PackageDetails)) }
         def fetch
-          return unless git_dependency?
-
-          Dependabot::GitCommitChecker.new(
-            dependency: dependency,
-            credentials: []
-          ).local_tags_for_allowed_versions
-                                      .map { |tag_info| create_package_release(tag_info) }
-                                      .reverse
-                                      .uniq(&:version)
-                                      .then do |releases|
-            Dependabot::Package::PackageDetails.new(
-              dependency: dependency,
-              releases: releases
-            )
+          if registry_dependency?
+            fetch_registry_releases
+          else
+            fetch_port_releases
           end
         rescue Dependabot::GitDependenciesNotReachable
           # Fallback to empty releases if git repo is not reachable
@@ -57,17 +50,122 @@ module Dependabot
         private
 
         sig { returns(T::Boolean) }
-        def git_dependency?
+        def registry_dependency?
           dependency.source_details(allowed_types: ["git"]) in { type: "git" }
         end
 
+        sig { returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def fetch_registry_releases
+          Dependabot::GitCommitChecker
+            .new(
+              dependency: dependency,
+              credentials: []
+            )
+            .local_tags_for_allowed_versions
+            .map { |tag_info| create_registry_package_release(tag_info) }
+            .reverse
+            .uniq(&:version)
+            .then do |releases|
+            Dependabot::Package::PackageDetails.new(
+              dependency: dependency,
+              releases: releases
+            )
+          end
+        end
+
+        sig { returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def fetch_port_releases
+          fetch_port_versions_from_git
+            .filter_map { |version_info| create_port_package_release(version_info) }
+            .reverse
+            .uniq(&:version)
+            .then do |releases|
+            Dependabot::Package::PackageDetails.new(
+              dependency: dependency,
+              releases: releases
+            )
+          end
+        end
+
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def fetch_port_versions_from_git
+          port_path = "ports/#{dependency.name}/vcpkg.json"
+          vcpkg_repo_path = "/opt/vcpkg"
+
+          # Get each commit that modified the port's vcpkg.json
+          git_log_cmd = [
+            "git", "log", "--format=%H", "--follow", "--", port_path
+          ]
+
+          Dir.chdir(vcpkg_repo_path) do
+            log_output = Dependabot::SharedHelpers.run_shell_command(git_log_cmd.join(" "))
+
+            log_output.lines.map(&:strip).filter_map do |line|
+              next if line.empty?
+
+              commit_sha = line.strip
+              next unless commit_sha.match?(/\A[0-9a-f]{40}\z/) # Validate SHA format
+
+              # Get the vcpkg.json content for this commit
+              version_info = extract_version_from_commit(commit_sha, port_path)
+              version_info[:commit_sha] = commit_sha if version_info
+              version_info
+            end
+          end
+        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+          Dependabot.logger.warn("Failed to fetch port versions for #{dependency.name}: #{e.message}")
+          []
+        end
+
+        sig { params(commit_sha: String, file_path: String).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def extract_version_from_commit(commit_sha, file_path)
+          show_cmd = ["git", "show", "#{commit_sha}:#{file_path}"]
+
+          file_content = Dependabot::SharedHelpers.run_shell_command(show_cmd.join(" "))
+          parsed_json = JSON.parse(file_content)
+
+          version = parsed_json["version"]
+          port_version = parsed_json["port-version"] || 0
+
+          return nil unless version
+
+          # Combine version and port-version
+          full_version = port_version.zero? ? version : "#{version}##{port_version}"
+
+          {
+            version: version,
+            port_version: port_version,
+            full_version: full_version,
+            commit_date: get_commit_date(commit_sha)
+          }
+        rescue JSON::ParserError => e
+          Dependabot.logger.warn("Failed to parse vcpkg.json for commit #{commit_sha}: #{e.message}")
+          nil
+        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+          Dependabot.logger.warn("Failed to show file #{file_path} for commit #{commit_sha}: #{e.message}")
+          nil
+        end
+
+        sig { params(commit_sha: String).returns(T.nilable(Time)) }
+        def get_commit_date(commit_sha)
+          date_cmd = ["git", "show", "--no-patch", "--format=%ci", commit_sha]
+          date_output = Dependabot::SharedHelpers.run_shell_command(date_cmd.join(" "))
+          Time.parse(date_output.strip)
+        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+          Dependabot.logger.warn("Failed to get commit date for #{commit_sha}: #{e.message}")
+          nil
+        rescue ArgumentError => e
+          Dependabot.logger.warn("Invalid date format for commit #{commit_sha}: #{e.message}")
+          nil
+        end
+
         sig { params(tag_info: T::Hash[Symbol, T.untyped]).returns(Dependabot::Package::PackageRelease) }
-        def create_package_release(tag_info)
+        def create_registry_package_release(tag_info)
           Dependabot::Package::PackageRelease.new(
-            version: Version.new(tag_info.fetch(:tag)),
+            version: Dependabot::Vcpkg::Version.new(tag_info.fetch(:tag)),
             tag: tag_info.fetch(:tag),
             url: dependency.source_details&.dig(:url),
-            released_at: extract_release_date(tag_info.fetch(:tag)),
+            released_at: extract_release_date_from_tag(tag_info.fetch(:tag)),
             details: {
               "commit_sha" => tag_info.fetch(:commit_sha),
               "tag_sha" => tag_info.fetch(:tag_sha)
@@ -75,8 +173,23 @@ module Dependabot
           )
         end
 
+        sig { params(version_info: T::Hash[Symbol, T.untyped]).returns(Dependabot::Package::PackageRelease) }
+        def create_port_package_release(version_info)
+          Dependabot::Package::PackageRelease.new(
+            version: Dependabot::Vcpkg::Version.new(version_info.fetch(:full_version)),
+            tag: version_info.fetch(:full_version),
+            url: "#{Vcpkg::VCPKG_DEFAULT_BASELINE_URL}/tree/#{version_info[:commit_sha]}/ports/#{dependency.name}",
+            released_at: version_info[:commit_date],
+            details: {
+              "commit_sha" => version_info[:commit_sha],
+              "base_version" => version_info[:version],
+              "port_version" => version_info[:port_version]
+            }
+          )
+        end
+
         sig { params(tag_name: String).returns(T.nilable(Time)) }
-        def extract_release_date(tag_name)
+        def extract_release_date_from_tag(tag_name)
           # Extract date from vcpkg tag format like "2025.06.13"
           # Use pattern matching for cleaner validation and extraction
           case tag_name.gsub(/^v?/, "")

data/lib/dependabot/vcpkg/update_checker/latest_version_finder.rb

@@ -24,17 +24,39 @@ module Dependabot
           )
         end
 
-        sig { returns(T.nilable(String)) }
-        def latest_tag
-          available_versions
-            &.then { |releases| filter_by_cooldown(releases) }
-            &.max_by(&:version)
-            &.details
-            &.[]("tag_sha")
+        sig do
+          override
+            .params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+            .returns(T.nilable(Dependabot::Version))
+        end
+        def fetch_latest_version(language_version: nil) # rubocop:disable Lint/UnusedMethodArgument
+          latest_release_info&.version
+        end
+
+        sig { returns(T.nilable(Dependabot::Package::PackageRelease)) }
+        def latest_release_info
+          @latest_release_info ||= T.let(
+            begin
+              releases = available_versions
+              return unless releases
+
+              releases = filter_yanked_versions(releases)
+              releases = filter_by_cooldown(releases)
+              releases = filter_ignored_versions(releases)
+
+              releases.max_by(&:version)
+            end,
+            T.nilable(Dependabot::Package::PackageRelease)
+          )
         end
 
         private
 
+        sig { returns(T::Boolean) }
+        def registry_dependency?
+          dependency.source_details(allowed_types: ["git"]) in { type: "git" }
+        end
+
         sig { override.returns(T::Boolean) }
         def cooldown_enabled? = true
       end

data/lib/dependabot/vcpkg/update_checker.rb

@@ -1,4 +1,4 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -17,7 +17,7 @@ module Dependabot
       sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_version
         @latest_version ||= T.let(
-          latest_version_finder.latest_tag,
+          latest_version_finder.latest_version,
           T.nilable(T.any(String, Dependabot::Version))
         )
       end
@@ -36,10 +36,17 @@ module Dependabot
 
         dependency.requirements.filter_map do |requirement|
           source = T.cast(requirement[:source], T.nilable(T::Hash[Symbol, T.untyped]))
+          requirement_constraint = requirement[:requirement]
 
-          if source
-            requirement.merge(source: source.merge(ref: latest_version.to_s))
+          if source && registry_dependency?
+            # For git dependencies (baselines), update the git ref with the commit SHA
+            latest_commit_sha = latest_version_finder.latest_release_info&.details&.dig("commit_sha")
+            requirement.merge(source: source.merge(ref: latest_commit_sha))
+          elsif source.nil? && requirement_constraint
+            # For port dependencies (no source but has requirement), update the version constraint
+            requirement.merge(requirement: ">=#{latest_version}")
           else
+            # Keep the original requirement unchanged for other cases
             requirement
           end
         end
@@ -47,6 +54,17 @@ module Dependabot
 
       private
 
+      sig { returns(T::Boolean) }
+      def registry_dependency?
+        dependency.source_details(allowed_types: ["git"]) in { type: "git" }
+      end
+
+      sig { returns(T::Boolean) }
+      def port_dependency?
+        # A port dependency has no git source but has a requirement constraint
+        !registry_dependency? && dependency.requirements.any? { |req| req[:requirement] }
+      end
+
       # Vcpkg doesn't support full unlocking since dependencies are tracked via baselines
       sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock? = false

data/lib/dependabot/vcpkg/version.rb

@@ -9,6 +9,62 @@ require "dependabot/version"
 module Dependabot
   module Vcpkg
     class Version < Dependabot::Version
+      extend T::Sig
+
+      VERSION_PATTERN = /\A([0-9]+(?:\.[0-9]+)*(?:-[0-9A-Za-z\-\.]+)?(?:\+[0-9A-Za-z\-\.]+)?)(?:\#([0-9]+))?\z/
+
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version)
+        @version_string = T.let(version.to_s, String)
+        parsed_version = parse_version(@version_string)
+        super(T.cast(parsed_version[:base_version], String))
+        @port_version = T.let(parsed_version[:port_version], T.nilable(Integer))
+      end
+
+      sig { returns(T.nilable(Integer)) }
+      attr_reader :port_version
+
+      sig { override.returns(String) }
+      def to_s
+        port_version ? "#{super}##{port_version}" : super
+      end
+
+      sig { params(other: Object).returns(T.nilable(Integer)) }
+      def <=>(other)
+        case other
+        when Version
+          # Compare with another vcpkg version
+          base_comparison = super
+          return base_comparison if base_comparison.nil? || !base_comparison.zero?
+
+          # If base versions are equal, compare port versions
+          (port_version || 0) <=> (other.port_version || 0)
+        when String
+          # Compare with a string by creating a version object from it
+          begin
+            self <=> self.class.new(other)
+          rescue ArgumentError
+            # If the string isn't a valid version, try comparing as base version only
+            super(Gem::Version.new(other))
+          end
+        when Gem::Version, Dependabot::Version
+          # Compare with a regular Gem::Version by comparing just the base version
+          super
+        end
+      end
+
+      private
+
+      sig { params(version_string: String).returns(T::Hash[Symbol, T.untyped]) }
+      def parse_version(version_string)
+        match = version_string.match(VERSION_PATTERN)
+        raise ArgumentError, "Malformed version number string #{version_string}" unless match
+
+        {
+          base_version: match[1],
+          port_version: match[2]&.to_i
+        }
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-vcpkg
 version: !ruby/object:Gem::Version
-  version: 0.330.0
+  version: 0.331.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.330.0
+        version: 0.331.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.330.0
+        version: 0.331.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -256,7 +256,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.330.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.331.0
 rdoc_options: []
 require_paths:
 - lib