Merge branch 'main' into dependabot/pip/uv/helpers/uv-0.8.6

Author: randhircs

NEW_ECOSYSTEMS.md

@@ -148,6 +148,7 @@ Your ecosystem implementation requires updates to numerous supporting files thro
   - [updater/GemFile.lock](https://github.com/dependabot/dependabot-core/blob/main/updater/Gemfile.lock)
   - [dependabot-omnibus.gemspec](https://github.com/dependabot/dependabot-core/blob/main/omnibus/dependabot-omnibus.gemspec)
   - [omnibus.rb](https://github.com/dependabot/dependabot-core/blob/main/omnibus/lib/dependabot/omnibus.rb)
+  - [Rakefile](https://github.com/dependabot/dependabot-core/blob/main/Rakefile)
 - **Gemfile**: Update if your ecosystem introduces new Ruby dependencies
   - [GemFile](https://github.com/dependabot/dependabot-core/blob/main/Gemfile)
   - [GemFile.lock](https://github.com/dependabot/dependabot-core/blob/main/Gemfile.lock)

bundler/lib/dependabot/bundler/file_parser.rb

@@ -122,7 +122,7 @@ def gemfile_dependencies
           parsed_gemfile.each do |dep|
             next unless gemfile_declaration_finder.gemfile_includes_dependency?(dep)
 
-            dependencies <<
+            dep =
               Dependency.new(
                 name: dep.fetch("name"),
                 version: dependency_version(dep.fetch("name"))&.to_s,
@@ -134,14 +134,17 @@ def gemfile_dependencies
                 }],
                 package_manager: "bundler"
               )
+
+            file.dependencies << dep
+            dependencies << dep
           end
         end
 
         @gemfile_dependencies = dependencies
       end
 
       sig { returns(DependencySet) }
-      def gemspec_dependencies # rubocop:disable Metrics/PerceivedComplexity
+      def gemspec_dependencies # rubocop:disable Metrics/PerceivedComplexity,Metrics/AbcSize
         @gemspec_dependencies = T.let(@gemspec_dependencies, T.nilable(DependencySet))
         return @gemspec_dependencies if @gemspec_dependencies
 
@@ -156,7 +159,7 @@ def gemspec_dependencies # rubocop:disable Metrics/PerceivedComplexity
             parsed_gemspec(gemspec).each do |dependency|
               next unless gemspec_declaration_finder.gemspec_includes_dependency?(dependency)
 
-              queue << Dependency.new(
+              dep = Dependency.new(
                 name: dependency.fetch("name"),
                 version: dependency_version(dependency.fetch("name"))&.to_s,
                 requirements: [{
@@ -171,6 +174,9 @@ def gemspec_dependencies # rubocop:disable Metrics/PerceivedComplexity
                 }],
                 package_manager: "bundler"
               )
+
+              gemspec.dependencies << dep
+              queue << dep
             end
           end
         end
@@ -192,16 +198,23 @@ def lockfile_dependencies
         parsed_lockfile.specs.each do |dependency|
           next if dependency.source.is_a?(::Bundler::Source::Path)
 
-          dependencies <<
-            Dependency.new(
-              name: dependency.name,
-              version: dependency_version(dependency.name)&.to_s,
-              requirements: [],
-              package_manager: "bundler",
-              subdependency_metadata: [{
-                production: production_dep_names.include?(dependency.name)
-              }]
-            )
+          # if a dependency is listed in the lockfiles' DEPENDENCIES section,
+          # then it is a direct dependency & we want to keep track of that fact
+          is_direct = parsed_lockfile.dependencies.key?(dependency.name)
+
+          dep = Dependency.new(
+            name: dependency.name,
+            version: dependency_version(dependency.name)&.to_s,
+            requirements: [],
+            package_manager: "bundler",
+            subdependency_metadata: [{
+              production: production_dep_names.include?(dependency.name)
+            }],
+            direct_relationship: is_direct
+          )
+
+          T.must(lockfile).dependencies << dep
+          dependencies << dep
         end
 
         dependencies

common/lib/dependabot/dependency.rb

@@ -102,12 +102,13 @@ def self.register_name_normaliser(package_manager, name_builder)
         directory: T.nilable(String),
         subdependency_metadata: T.nilable(T::Array[T::Hash[T.any(Symbol, String), String]]),
         removed: T::Boolean,
-        metadata: T.nilable(T::Hash[T.any(Symbol, String), String])
+        metadata: T.nilable(T::Hash[T.any(Symbol, String), String]),
+        direct_relationship: T::Boolean
       ).void
     end
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil, directory: nil,
-                   subdependency_metadata: [], removed: false, metadata: {})
+                   subdependency_metadata: [], removed: false, metadata: {}, direct_relationship: false)
       @name = name
       @version = T.let(
         case version
@@ -134,6 +135,7 @@ def initialize(name:, requirements:, package_manager:, version: nil,
       end
       @removed = removed
       @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
+      @direct_relationship = direct_relationship
 
       check_values
     end
@@ -145,6 +147,12 @@ def top_level?
       requirements.any?
     end
 
+    # used to support lockfile parsing/DependencySubmission
+    sig { returns(T::Boolean) }
+    def direct?
+      top_level? || @direct_relationship
+    end
+
     sig { returns(T::Boolean) }
     def removed?
       @removed

common/lib/dependabot/dependency_file.rb

@@ -40,6 +40,9 @@ class DependencyFile
     sig { returns(T.nilable(String)) }
     attr_accessor :mode
 
+    sig { returns(T::Set[T.untyped]) }
+    attr_accessor :dependencies
+
     class ContentEncoding
       UTF_8 = "utf-8"
       BASE64 = "base64"
@@ -92,6 +95,7 @@ def initialize(name:, content:, directory: "/", type: "file",
       @content_encoding = content_encoding
       @operation = operation
       @mode = mode
+      @dependencies = T.let(Set.new, T::Set[T.untyped])
       raise ArgumentError, "Invalid Git mode: #{mode}" if mode && !VALID_MODES.include?(mode)
 
       # Make deleted override the operation. Deleted is kept when operation

common/spec/dependabot/dependency_spec.rb

@@ -126,7 +126,7 @@
 
       it { is_expected.to be(true) }
 
-      context "with subdependency metadata" do
+      context "with false subdependency metadata" do
         let(:dependency_args) do
           {
             name: "dep",
@@ -141,6 +141,36 @@
     end
   end
 
+  describe "#direct?" do
+    it "is true when the dependency is top-level" do
+      dependency = described_class.new(name: "dep",
+                                       package_manager: "dummy",
+                                       requirements: [{ file: "a.rb", requirement: "1", groups: [], source: nil }])
+
+      expect(dependency.top_level?).to be(true)
+      expect(dependency.direct?).to be(true)
+    end
+
+    it "returns false when the dependency is not top-level" do
+      dependency = described_class.new(name: "dep",
+                                       package_manager: "dummy",
+                                       requirements: [])
+
+      expect(dependency.top_level?).to be(false)
+      expect(dependency.direct?).to be(false)
+    end
+
+    it "returns true if you specify it directly" do
+      dependency = described_class.new(name: "dep",
+                                       package_manager: "dummy",
+                                       requirements: [],
+                                       direct_relationship: true)
+
+      expect(dependency.top_level?).to be(false)
+      expect(dependency.direct?).to be(true)
+    end
+  end
+
   describe "#display_name" do
     subject(:display_name) { described_class.new(**dependency_args).display_name }
 

npm_and_yarn/Dockerfile

@@ -5,7 +5,7 @@ ARG COREPACK_VERSION=0.33.0
 
 # Check for updates at https://github.com/pnpm/pnpm/releases
 # With every major release update, also update npm_and_yarn/lib/dependabot/npm_and_yarn/pnpm_package_manager.rb (Section : Update instructions)
-ARG PNPM_VERSION=10.11.1
+ARG PNPM_VERSION=10.14.0
 
 # Check for updates at https://github.com/yarnpkg/berry/releases
 # With every major release update, also update npm_and_yarn/lib/dependabot/npm_and_yarn/yarn_package_manager.rb (Section : Update instructions)
@@ -23,7 +23,7 @@ ARG NODEJS_VERSION=22
 # Check for updates at https://github.com/npm/cli/releases
 # This version should be compatible with the NODEJS_VERSION version declared above. See https://nodejs.org/en/download/releases as well
 # With every major release update, also update npm_and_yarn/lib/dependabot/npm_and_yarn/npm_package_manager.rb (Section : Update instructions)
-ARG NPM_VERSION=10.5.0
+ARG NPM_VERSION=10.9.3
 
 # Install Node and npm
 RUN mkdir -p /etc/apt/keyrings \

npm_and_yarn/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -215,13 +215,15 @@ def npm_listing
       sig { returns(String) }
       def dependency_url
         registry_url =
-          if new_source.nil? then "https://registry.npmjs.org"
+          if new_source.nil?
+            # Check credentials for a configured registry before falling back to public registry
+            configured_registry_from_credentials || "https://registry.npmjs.org"
           else
             new_source&.fetch(:url)
           end
 
-        # spaces must be escaped in base URL
-        registry_url = registry_url.gsub(" ", "%20")
+        # Remove trailing slashes and escape spaces for proper URL formatting
+        registry_url = URI::DEFAULT_PARSER.escape(registry_url)&.gsub(%r{/+$}, "")
 
         # NPM registries expect slashes to be escaped
         escaped_dependency_name = dependency.name.gsub("/", "%2F")
@@ -235,6 +237,23 @@ def registry_auth_headers
         { "Authorization" => "Bearer #{auth_token}" }
       end
 
+      sig { returns(T.nilable(String)) }
+      def configured_registry_from_credentials
+        # Look for a credential that replaces the base registry (global registry replacement)
+        replaces_base_cred = credentials.find { |cred| cred["type"] == "npm_registry" && cred.replaces_base? }
+        return normalize_registry_url(replaces_base_cred["registry"]) if replaces_base_cred
+
+        nil
+      end
+
+      sig { params(registry: T.nilable(String)).returns(T.nilable(String)) }
+      def normalize_registry_url(registry)
+        return nil unless registry
+        return registry if registry.start_with?("http")
+
+        "https://#{registry}"
+      end
+
       sig { returns(String) }
       def dependency_registry
         if new_source.nil? then "registry.npmjs.org"

npm_and_yarn/spec/dependabot/npm_and_yarn/metadata_finder_spec.rb

@@ -513,4 +513,132 @@
       end
     end
   end
+
+  describe "#dependency_url" do
+    subject(:dependency_url) { finder.send(:dependency_url) }
+
+    context "when no source information is available" do
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: dependency_name,
+          version: "1.6.0",
+          requirements: [
+            { file: "package.json", requirement: "^1.0", groups: [], source: nil }
+          ],
+          package_manager: "npm_and_yarn"
+        )
+      end
+
+      context "without credentials" do
+        let(:credentials) { [] }
+
+        it "falls back to public npm registry" do
+          expect(dependency_url).to eq("https://registry.npmjs.org/etag")
+        end
+      end
+
+      context "with replaces-base credential" do
+        let(:credentials) do
+          [Dependabot::Credential.new({
+            "type" => "npm_registry",
+            "registry" => "jfrogghdemo.jfrog.io/artifactory/api/npm/e2e-tests-dependabot-npm/",
+            "token" => "secret_token",
+            "replaces-base" => true
+          })]
+        end
+
+        it "uses private registry from credentials" do
+          expect(dependency_url).to eq("https://jfrogghdemo.jfrog.io/artifactory/api/npm/e2e-tests-dependabot-npm/etag")
+        end
+
+        it "removes trailing slashes from registry URL" do
+          expect(dependency_url).not_to include("npm//etag")
+        end
+      end
+
+      context "with registry URL that has no protocol" do
+        let(:credentials) do
+          [Dependabot::Credential.new({
+            "type" => "npm_registry",
+            "registry" => "npm.fury.io/dependabot",
+            "token" => "secret_token",
+            "replaces-base" => true
+          })]
+        end
+
+        it "adds https protocol" do
+          expect(dependency_url).to eq("https://npm.fury.io/dependabot/etag")
+        end
+      end
+
+      context "with multiple credentials" do
+        let(:credentials) do
+          [
+            Dependabot::Credential.new({
+              "type" => "npm_registry",
+              "registry" => "https://npm.fury.io/dependabot",
+              "token" => "secret_token",
+              "replaces-base" => true
+            }),
+            Dependabot::Credential.new({
+              "type" => "npm_registry",
+              "registry" => "another.registry.com",
+              "token" => "another_secret_token"
+            })
+          ]
+        end
+
+        it "takes precedence over other credentials" do
+          expect(dependency_url).to eq("https://npm.fury.io/dependabot/etag")
+        end
+      end
+
+      context "with scoped dependency name" do
+        let(:dependency_name) { "@babel/core" }
+        let(:credentials) do
+          [Dependabot::Credential.new({
+            "type" => "npm_registry",
+            "registry" => "npm.fury.io/dependabot",
+            "token" => "secret_token",
+            "replaces-base" => true
+          })]
+        end
+
+        it "escapes dependency name properly" do
+          expect(dependency_url).to eq("https://npm.fury.io/dependabot/@babel%2Fcore")
+        end
+      end
+    end
+
+    context "when source information is available from lockfile" do
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: dependency_name,
+          version: "1.6.0",
+          requirements: [
+            {
+              file: "package.json",
+              requirement: "^1.0",
+              groups: [],
+              source: { type: "registry", url: "https://npm.fury.io/dependabot" }
+            }
+          ],
+          package_manager: "npm_and_yarn"
+        )
+      end
+
+      let(:credentials) do
+        [Dependabot::Credential.new({
+          "type" => "npm_registry",
+          "registry" => "different.registry.com",
+          "token" => "secret_token",
+          "replaces-base" => true
+        })]
+      end
+
+      it "uses source from lockfile, not credentials" do
+        expect(dependency_url).to eq("https://npm.fury.io/dependabot/etag")
+      end
+    end
+  end
 end