upd-cli 0.1.1__tar.gz → 0.1.3__tar.gz

{upd_cli-0.1.1 → upd_cli-0.1.3}/CHANGELOG.md

@@ -11,6 +11,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+
+## [0.1.3](https://github.com/rvben/upd/compare/v0.1.2...v0.1.3) - 2026-04-25
+
+### Added
+
+- **lock**: scope lockfile regeneration to the packages upd actually changed ([6b6cfa6](https://github.com/rvben/upd/commit/6b6cfa6fe3e8e8d787e78c7afea24883ebe67833))
+- **npm**: classify and rewrite comparator-range specs ([a60979a](https://github.com/rvben/upd/commit/a60979acd7edb7eb6adfac554a590412a6cf8271))
+
+### Fixed
+
+- **lock**: include config pins in targeted regenerate and update CLI help ([207fdf9](https://github.com/rvben/upd/commit/207fdf94af95c74865f828f258ec9cfa61d22085))
+- **npm**: preserve upper bound when pinning comparator-range specs ([fb7c863](https://github.com/rvben/upd/commit/fb7c863de9f07201af310ab13a59696d17fcb766))
+- **npm**: apply config policy and cooldown to comparator-range updates ([be095dd](https://github.com/rvben/upd/commit/be095dd30443dd547fb6913dae551cbd530cb019))
+- **npm**: update comparator-range specs via constraint-aware resolution ([4481b8b](https://github.com/rvben/upd/commit/4481b8bad6a02c6f761cf489a547b5546099e871))
+- **audit**: order fix versions numerically, not lexicographically ([069eb1d](https://github.com/rvben/upd/commit/069eb1dc8771640376957339e40ada7b60a82b0a))
+
+## [0.1.2](https://github.com/rvben/upd/compare/v0.1.1...v0.1.2) - 2026-04-24
+
+### Added
+
+- **cache**: add optional versions field to CacheEntry for future list_versions caching ([1beb34d](https://github.com/rvben/upd/commit/1beb34dc030f160e3748dff9a63e71bfa1772043))
+- **output**: report held-back and skipped-by-cooldown packages ([3d1a2ce](https://github.com/rvben/upd/commit/3d1a2cef2ae31c59a87b417b074e0d672b7256d2))
+- **updater**: propagate cooldown policy to remaining updaters ([8e80f25](https://github.com/rvben/upd/commit/8e80f252339f022d90f8120694e529c68c3bcf90))
+- **updater**: apply cooldown policy in requirements updater ([5d6cfd3](https://github.com/rvben/upd/commit/5d6cfd32bfe87df7af86453476a93e2945f009ff))
+- **registry**: implement list_versions for GitHub releases ([5f6472b](https://github.com/rvben/upd/commit/5f6472b5d7c4394d59fbabfd4bd9a1d9b736a67a))
+- **registry**: implement list_versions for RubyGems ([1a1dda3](https://github.com/rvben/upd/commit/1a1dda31d73e0f25d8a73e6438aed7c4daadc007))
+- **registry**: implement list_versions for Go module proxy ([196fef6](https://github.com/rvben/upd/commit/196fef634b0ae3c53096222e8bbe3161d8b67a33))
+- **registry**: implement list_versions for crates.io ([8869dec](https://github.com/rvben/upd/commit/8869dec1a69148b5b3db44cc3393a05aaa2b01fb))
+- **registry**: implement list_versions for npm ([b23cd78](https://github.com/rvben/upd/commit/b23cd787e748dfc5404a8fd51981c67f858e1d5a))
+- **registry**: implement list_versions for PyPI ([9aa342c](https://github.com/rvben/upd/commit/9aa342c5c11ae504024aed5aa2d8930c66b4a6df))
+- **cli**: add --min-age flag for cooldown override ([b5bfb30](https://github.com/rvben/upd/commit/b5bfb304c39f6b8099aef3a066e2ef4ed17f606f))
+- **config**: show cooldown policy in --show-config ([9486257](https://github.com/rvben/upd/commit/9486257b22456e55e9af23709089a574cce262be))
+- **config**: add [cooldown] table with default and per-ecosystem overrides ([a9ff8e3](https://github.com/rvben/upd/commit/a9ff8e31050485056a9bb6e03f4d313df1262998))
+- **cooldown**: implement select() selection algorithm ([8b588bb](https://github.com/rvben/upd/commit/8b588bb1b42d84d696a7a17d8e97141a223351a1))
+- **cooldown**: add CooldownPolicy with precedence resolution ([ddba284](https://github.com/rvben/upd/commit/ddba284329dad87bf84cf566ecb487ef665408a1))
+- **cooldown**: add parse_duration for release-age config ([a7e67e0](https://github.com/rvben/upd/commit/a7e67e035764e4d905ace1dc4092f41c27510a5c))
+- **registry**: re-export VersionMeta from crate root ([b2cdd60](https://github.com/rvben/upd/commit/b2cdd6037c09110881f53db4992542e77596f6c3))
+- **registry**: add VersionMeta and list_versions trait method ([09ddbf9](https://github.com/rvben/upd/commit/09ddbf9c2b8f0546feafeb642f27547bed1882da))
+
+### Fixed
+
+- **cooldown**: harden selection against real-world constraints and per-file policy ([a284ea4](https://github.com/rvben/upd/commit/a284ea497dcf3abf65fda2c7e7f6c0c03c3dd8e2))
+- **updater**: pass Poetry constraint to cooldown selection ([a0383e9](https://github.com/rvben/upd/commit/a0383e9167b2ef05cc4583aa23c1035d32268750))
+
 ## [0.1.1](https://github.com/rvben/upd/compare/v0.1.0...v0.1.1) - 2026-04-22
 
 ### Added

{upd_cli-0.1.1 → upd_cli-0.1.3}/Cargo.lock

@@ -17,6 +17,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "anstream"
 version = "1.0.0"
@@ -113,6 +122,12 @@ version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
 [[package]]
 name = "aws-lc-rs"
 version = "1.16.3"
@@ -199,6 +214,18 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
+[[package]]
+name = "chrono"
+version = "0.4.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
+dependencies = [
+ "iana-time-zone",
+ "num-traits",
+ "serde",
+ "windows-link",
+]
+
 [[package]]
 name = "clap"
 version = "4.6.1"
@@ -728,6 +755,30 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "iana-time-zone"
+version = "0.1.65"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "log",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "icu_collections"
 version = "2.1.1"
@@ -1030,6 +1081,15 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "num_cpus"
 version = "1.17.0"
@@ -1964,10 +2024,11 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.1"
+version = "0.1.3"
 dependencies = [
  "anyhow",
  "async-trait",
+ "chrono",
  "clap",
  "colored",
  "directories",
@@ -2143,12 +2204,65 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "windows-core"
+version = "0.62.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
+dependencies = [
+ "windows-implement",
+ "windows-interface",
+ "windows-link",
+ "windows-result",
+ "windows-strings",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.59.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
+[[package]]
+name = "windows-result"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
+dependencies = [
+ "windows-link",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.45.0"

{upd_cli-0.1.1 → upd_cli-0.1.3}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.1"
+version = "0.1.3"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"
@@ -60,6 +60,7 @@ colored = "3.1.1"
 async-trait = "0.1.89"
 futures = "0.3.32"
 url = "2.5"
+chrono = { version = "0.4", default-features = false, features = ["serde", "clock"] }
 
 [dev-dependencies]
 tempfile = "3.27.0"

{upd_cli-0.1.1 → upd_cli-0.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.1
+Version: 0.1.3
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -46,7 +46,10 @@ pipx run --spec upd-cli upd --apply
 
 - **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
-- **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
+- **Constraint-aware**: Respects `>=2.0,<3` (Python), `~> 7.1` (Ruby), and `^2.0.0` / `~2.0.0` (npm, Cargo).
+  For npm, comparator ranges such as `">=1.0.0 <2.0.0"` are rewritten with a **bump strategy**: the lower
+  bound moves to the highest version satisfying the constraint, preserving the upper bound. Hyphen
+  (`"1 - 2"`) and OR (`"^1 || ^2"`) ranges are reported as warnings and left untouched.
 - **Smart caching**: 24-hour version cache for faster subsequent runs
 - **Update filters**: Filter by bump level with `--only-bump <major|minor|patch>` (repeatable) or cap with `--max-bump`
 - **Interactive mode**: Approve updates individually with `-i`
@@ -469,6 +472,51 @@ upd --verbose
 # pyproject.toml:13: Skipped internal-utils 1.0.0 (ignored)
 ```
 
+## Cooldown (minimum release age)
+
+Hold back updates to versions that have been public for less than N days.
+Reduces exposure to supply-chain attacks that rely on freshly published
+malicious versions being installed before detection. Modelled after
+Renovate's `minimumReleaseAge` / Dependabot's `cooldown`.
+
+Enable in `.updrc.toml`:
+
+```toml
+[cooldown]
+default = "7d"           # applies to every ecosystem unless overridden
+
+[cooldown.ecosystem]
+npm = "14d"              # stricter for npm
+pypi = "14d"
+"crates.io" = "3d"
+```
+
+Duration syntax: `<integer><unit>` where unit is `s`, `m`, `h`, `d`, `w`.
+A bare `0` disables cooldown.
+
+Override from the CLI for one-off runs:
+
+```text
+upd --min-age 14d         # use 14 days regardless of config
+upd --min-age 0           # disable cooldown entirely for this run
+```
+
+**How it works:** when the latest version is still inside the cooldown
+window, `upd` updates to the newest version that *is* old enough. If nothing
+newer is old enough yet, the package is held back. Output marks these
+packages explicitly:
+
+```text
+requirements.txt: Updated requests 2.28.0 → 2.31.0
+package.json: Held back lodash 4.17.20 → 4.17.21 (4.17.22 released 2d ago, cooldown 7d)
+package.json: Skipped express (only newer version 4.19.0 released 1d ago, cooldown 7d)
+```
+
+**Supported ecosystems:** PyPI, npm, crates.io, Go modules, RubyGems,
+GitHub releases (covers GitHub Actions, pre-commit, Mise). NuGet and
+Terraform Registry do not expose per-version publish dates we can
+consume today; cooldown is reported as unavailable for those files.
+
 ## Caching
 
 Version lookups are cached for 24 hours in:
@@ -722,6 +770,33 @@ Global flags (accepted on every subcommand):
 
 Subcommands: `update` (default), `align`, `audit`, `clean-cache`, `self-update`.
 
+#### Commands run by `--lock`
+
+`upd --lock` runs the narrowest per-ecosystem refresh command that
+updates only the packages `upd` just rewrote. Targeted forms are used
+wherever the package manager supports them; targeting falls back to
+`--lockfile-only` flags where no per-package form exists; otherwise
+the manifest-wide refresh command is used.
+
+| Ecosystem | Lockfile                 | Command                                        |
+|-----------|--------------------------|------------------------------------------------|
+| Python    | `poetry.lock`            | `poetry lock --no-update`                      |
+| Python    | `uv.lock`                | `uv lock`                                      |
+| Node      | `package-lock.json`      | `npm install --package-lock-only`              |
+| Node      | `yarn.lock`              | `yarn install --mode update-lockfile` (Yarn 2+)|
+| Node      | `pnpm-lock.yaml`         | `pnpm install --lockfile-only`                 |
+| Node      | `bun.lockb`              | `bun install`                                  |
+| Rust      | `Cargo.lock`             | `cargo update -p <changed> -p <changed> …`     |
+| Go        | `go.sum`                 | `go mod tidy` (no targeted form)               |
+| Ruby      | `Gemfile.lock`           | `bundle lock --update <changed> …`             |
+| .NET      | `packages.lock.json`     | `dotnet restore` (no targeted form)            |
+| Terraform | `.terraform.lock.hcl`    | `terraform providers lock` (no targeted form)  |
+
+Manifests whose `upd` pass produced zero changes have their lockfile
+refresh skipped entirely. A directory where only config pins were
+applied is still refreshed, and the changed-package list includes
+those pinned packages so `cargo update -p <pkg>` / `bundle lock --update <pkg>` stay scoped.
+
 Stable `audit`-specific flags:
 
 | Flag | Purpose |

{upd_cli-0.1.1 → upd_cli-0.1.3}/README.md

@@ -23,7 +23,10 @@ pipx run --spec upd-cli upd --apply
 
 - **Multi-ecosystem**: Python, Node.js, Rust, Go, Ruby, .NET, Terraform, GitHub Actions, pre-commit, Mise/asdf
 - **Fast**: Parallel registry requests for all dependencies
-- **Constraint-aware**: Respects version constraints like `>=2.0,<3` and `~> 7.1`
+- **Constraint-aware**: Respects `>=2.0,<3` (Python), `~> 7.1` (Ruby), and `^2.0.0` / `~2.0.0` (npm, Cargo).
+  For npm, comparator ranges such as `">=1.0.0 <2.0.0"` are rewritten with a **bump strategy**: the lower
+  bound moves to the highest version satisfying the constraint, preserving the upper bound. Hyphen
+  (`"1 - 2"`) and OR (`"^1 || ^2"`) ranges are reported as warnings and left untouched.
 - **Smart caching**: 24-hour version cache for faster subsequent runs
 - **Update filters**: Filter by bump level with `--only-bump <major|minor|patch>` (repeatable) or cap with `--max-bump`
 - **Interactive mode**: Approve updates individually with `-i`
@@ -446,6 +449,51 @@ upd --verbose
 # pyproject.toml:13: Skipped internal-utils 1.0.0 (ignored)
 ```
 
+## Cooldown (minimum release age)
+
+Hold back updates to versions that have been public for less than N days.
+Reduces exposure to supply-chain attacks that rely on freshly published
+malicious versions being installed before detection. Modelled after
+Renovate's `minimumReleaseAge` / Dependabot's `cooldown`.
+
+Enable in `.updrc.toml`:
+
+```toml
+[cooldown]
+default = "7d"           # applies to every ecosystem unless overridden
+
+[cooldown.ecosystem]
+npm = "14d"              # stricter for npm
+pypi = "14d"
+"crates.io" = "3d"
+```
+
+Duration syntax: `<integer><unit>` where unit is `s`, `m`, `h`, `d`, `w`.
+A bare `0` disables cooldown.
+
+Override from the CLI for one-off runs:
+
+```text
+upd --min-age 14d         # use 14 days regardless of config
+upd --min-age 0           # disable cooldown entirely for this run
+```
+
+**How it works:** when the latest version is still inside the cooldown
+window, `upd` updates to the newest version that *is* old enough. If nothing
+newer is old enough yet, the package is held back. Output marks these
+packages explicitly:
+
+```text
+requirements.txt: Updated requests 2.28.0 → 2.31.0
+package.json: Held back lodash 4.17.20 → 4.17.21 (4.17.22 released 2d ago, cooldown 7d)
+package.json: Skipped express (only newer version 4.19.0 released 1d ago, cooldown 7d)
+```
+
+**Supported ecosystems:** PyPI, npm, crates.io, Go modules, RubyGems,
+GitHub releases (covers GitHub Actions, pre-commit, Mise). NuGet and
+Terraform Registry do not expose per-version publish dates we can
+consume today; cooldown is reported as unavailable for those files.
+
 ## Caching
 
 Version lookups are cached for 24 hours in:
@@ -699,6 +747,33 @@ Global flags (accepted on every subcommand):
 
 Subcommands: `update` (default), `align`, `audit`, `clean-cache`, `self-update`.
 
+#### Commands run by `--lock`
+
+`upd --lock` runs the narrowest per-ecosystem refresh command that
+updates only the packages `upd` just rewrote. Targeted forms are used
+wherever the package manager supports them; targeting falls back to
+`--lockfile-only` flags where no per-package form exists; otherwise
+the manifest-wide refresh command is used.
+
+| Ecosystem | Lockfile                 | Command                                        |
+|-----------|--------------------------|------------------------------------------------|
+| Python    | `poetry.lock`            | `poetry lock --no-update`                      |
+| Python    | `uv.lock`                | `uv lock`                                      |
+| Node      | `package-lock.json`      | `npm install --package-lock-only`              |
+| Node      | `yarn.lock`              | `yarn install --mode update-lockfile` (Yarn 2+)|
+| Node      | `pnpm-lock.yaml`         | `pnpm install --lockfile-only`                 |
+| Node      | `bun.lockb`              | `bun install`                                  |
+| Rust      | `Cargo.lock`             | `cargo update -p <changed> -p <changed> …`     |
+| Go        | `go.sum`                 | `go mod tidy` (no targeted form)               |
+| Ruby      | `Gemfile.lock`           | `bundle lock --update <changed> …`             |
+| .NET      | `packages.lock.json`     | `dotnet restore` (no targeted form)            |
+| Terraform | `.terraform.lock.hcl`    | `terraform providers lock` (no targeted form)  |
+
+Manifests whose `upd` pass produced zero changes have their lockfile
+refresh skipped entirely. A directory where only config pins were
+applied is still refreshed, and the changed-package list includes
+those pinned packages so `cargo update -p <pkg>` / `bundle lock --update <pkg>` stay scoped.
+
 Stable `audit`-specific flags:
 
 | Flag | Purpose |

{upd_cli-0.1.1 → upd_cli-0.1.3}/src/audit/mod.rs

@@ -134,7 +134,7 @@ pub fn compute_fix_plan(audit: &AuditResult) -> (HashMap<String, String>, Vec<(S
             .vulnerabilities
             .iter()
             .filter_map(|v| v.fixed_version.as_deref())
-            .max_by(|a, b| compare_fix_versions(a, b));
+            .max_by(|a, b| crate::version::compare::compare_versions(a, b));
 
         if let Some(version) = max_fixed {
             fixable.insert(name.clone(), version.to_string());
@@ -144,44 +144,6 @@ pub fn compute_fix_plan(audit: &AuditResult) -> (HashMap<String, String>, Vec<(S
     (fixable, unfixable)
 }
 
-/// Compare two version strings for ordering, preferring semver but falling back
-/// to lexicographic comparison for non-semver ecosystems.
-fn compare_fix_versions(a: &str, b: &str) -> std::cmp::Ordering {
-    match (semver_parse(a), semver_parse(b)) {
-        (Some(va), Some(vb)) => va.cmp(&vb),
-        _ => a.cmp(b),
-    }
-}
-
-/// Parse a version string as semver, accepting an optional leading `v`.
-///
-/// Returns `(major, minor, patch, is_stable)` where `is_stable` is 1 for stable
-/// releases and 0 for pre-releases (e.g. `2.0.0-rc1`). This ensures stable
-/// versions beat pre-releases when all numeric components are equal.
-fn semver_parse(v: &str) -> Option<(u64, u64, u64, u8)> {
-    let v = v.trim_start_matches('v');
-    let parts: Vec<&str> = v.split('.').collect();
-    if parts.len() < 2 {
-        return None;
-    }
-    let major: u64 = parts[0].parse().ok()?;
-    let minor: u64 = parts[1].parse().ok()?;
-    // Patch may carry a pre-release or build suffix (e.g. "0-rc1", "3+build1").
-    // Take only the leading digit run so "0-rc1" → patch=0, rest="-rc1".
-    let patch_part = parts.get(2).copied().unwrap_or("0");
-    let (patch_digits, rest) = patch_part
-        .split_once(|c: char| !c.is_ascii_digit())
-        .unwrap_or((patch_part, ""));
-    let patch: u64 = if patch_digits.is_empty() {
-        0
-    } else {
-        patch_digits.parse().ok()?
-    };
-    // Stability flag: 1 = stable, 0 = pre-release. Stable wins ties.
-    let is_stable: u8 = if rest.is_empty() { 1 } else { 0 };
-    Some((major, minor, patch, is_stable))
-}
-
 /// Return a sort key for a severity string such that Critical sorts first.
 ///
 /// Lower numeric values sort earlier, so Critical = 0, Unknown = 5.
@@ -858,6 +820,43 @@ mod tests {
         assert_eq!(fixable.get("pkg").map(|s| s.as_str()), Some("2.10.0"));
     }
 
+    #[test]
+    fn test_compute_fix_plan_picks_numerically_highest_non_semver_fix() {
+        // Regression test for 4-segment versions (e.g. Ruby or multi-segment tags)
+        // where the legacy `semver_parse` dropped the 4th segment, making
+        // `1.0.0.10` and `1.0.0.9` compare equal. `max_by` then returned the
+        // *last* element, so the answer depended on fix_version ordering.
+        //
+        // The correct "minimum safe fix" must order by full numeric value.
+        let mut audit = AuditResult::default();
+        audit.vulnerable.push(PackageAuditResult {
+            package: Package {
+                name: "pkg".to_string(),
+                version: "1.0.0.1".to_string(),
+                ecosystem: Ecosystem::RubyGems,
+            },
+            vulnerabilities: vec![
+                Vulnerability {
+                    id: "CVE-A".to_string(),
+                    summary: None,
+                    severity: None,
+                    url: None,
+                    fixed_version: Some("1.0.0.10".to_string()),
+                },
+                Vulnerability {
+                    id: "CVE-B".to_string(),
+                    summary: None,
+                    severity: None,
+                    url: None,
+                    fixed_version: Some("1.0.0.9".to_string()),
+                },
+            ],
+        });
+
+        let (fixable, _) = compute_fix_plan(&audit);
+        assert_eq!(fixable.get("pkg").map(String::as_str), Some("1.0.0.10"));
+    }
+
     // ─── check_packages_cached unit tests ────────────────────────────────────
 
     fn sample_package(name: &str) -> Package {

{upd_cli-0.1.1 → upd_cli-0.1.3}/src/cache.rs

@@ -1,4 +1,4 @@
-use crate::registry::Registry;
+use crate::registry::{Registry, VersionMeta};
 use anyhow::Result;
 use async_trait::async_trait;
 use directories::ProjectDirs;
@@ -35,6 +35,21 @@ pub struct Cache {
 pub struct CacheEntry {
     pub version: String,
     pub fetched_at: u64, // Unix timestamp
+    /// Full per-version metadata fetched via `list_versions`, when available.
+    /// Older cache files predate this field and deserialize with `None`.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub versions: Option<Vec<CachedVersionMeta>>,
+}
+
+/// Cache-friendly mirror of [`crate::registry::VersionMeta`]. `published_at`
+/// is stored as a Unix timestamp (seconds) so the cache file stays stable
+/// across `chrono` serde format changes.
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct CachedVersionMeta {
+    pub version: String,
+    pub published_at: Option<i64>,
+    pub yanked: bool,
+    pub prerelease: bool,
 }
 
 impl Cache {
@@ -121,6 +136,7 @@ impl Cache {
             CacheEntry {
                 version,
                 fetched_at,
+                versions: None,
             },
         );
     }
@@ -255,6 +271,10 @@ impl<R: Registry> Registry for CachedRegistry<R> {
         Ok(version)
     }
 
+    async fn list_versions(&self, package: &str) -> Result<Vec<VersionMeta>> {
+        self.inner.list_versions(package).await
+    }
+
     fn name(&self) -> &'static str {
         self.inner.name()
     }
@@ -320,6 +340,7 @@ mod tests {
             CacheEntry {
                 version: "0.1.0".to_string(),
                 fetched_at: expired_time,
+                versions: None,
             },
         );
 
@@ -346,6 +367,7 @@ mod tests {
             CacheEntry {
                 version: "0.1.0".to_string(),
                 fetched_at: expired_time,
+                versions: None,
             },
         );
 
@@ -405,6 +427,66 @@ mod tests {
         assert_eq!(restored.get("npm", "lodash"), Some("4.17.21".to_string()));
     }
 
+    #[test]
+    fn test_cache_entry_deserialises_without_versions_field() {
+        // Older cache files predate the `versions` field and must still
+        // deserialise so upgrades do not invalidate on-disk caches.
+        let json = r#"{"version":"1.2.3","fetched_at":1700000000}"#;
+        let entry: CacheEntry = serde_json::from_str(json).unwrap();
+        assert_eq!(entry.version, "1.2.3");
+        assert_eq!(entry.fetched_at, 1_700_000_000);
+        assert!(entry.versions.is_none(), "missing field defaults to None");
+    }
+
+    #[test]
+    fn test_cache_roundtrip_with_versions() {
+        let entry = CacheEntry {
+            version: "2.0.0".to_string(),
+            fetched_at: 1_700_000_000,
+            versions: Some(vec![
+                CachedVersionMeta {
+                    version: "2.0.0".to_string(),
+                    published_at: Some(1_700_000_000),
+                    yanked: false,
+                    prerelease: false,
+                },
+                CachedVersionMeta {
+                    version: "1.9.0".to_string(),
+                    published_at: None,
+                    yanked: true,
+                    prerelease: false,
+                },
+            ]),
+        };
+        let json = serde_json::to_string(&entry).unwrap();
+        let back: CacheEntry = serde_json::from_str(&json).unwrap();
+        assert_eq!(back.version, entry.version);
+        let metas = back.versions.expect("versions must round-trip");
+        assert_eq!(metas.len(), 2);
+        assert!(metas.iter().any(|m| m.yanked));
+        assert!(
+            metas
+                .iter()
+                .any(|m| m.version == "2.0.0" && m.published_at == Some(1_700_000_000))
+        );
+    }
+
+    #[test]
+    fn test_cache_entry_skips_serializing_none_versions() {
+        // Ensure the new field is omitted from JSON when absent, keeping
+        // file size small and preserving compatibility with older readers.
+        let entry = CacheEntry {
+            version: "1.0.0".to_string(),
+            fetched_at: 1_700_000_000,
+            versions: None,
+        };
+        let json = serde_json::to_string(&entry).unwrap();
+        assert!(
+            !json.contains("versions"),
+            "versions field must be omitted when None, got: {json}"
+        );
+    }
+
     #[test]
     fn test_cache_file_operations() {
         use tempfile::tempdir;