feat: add semantic-versioning option

Author: caugner

common/lib/dependabot/config/ignore_condition.rb

@@ -37,12 +37,18 @@ def initialize(dependency_name:, versions: nil, update_types: nil)
         @update_types = T.let(update_types || [], T::Array[String])
       end
 
-      sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
-      def ignored_versions(dependency, security_updates_only)
+      sig do
+        params(
+          dependency: Dependency,
+          security_updates_only: T::Boolean,
+          semantic_versioning: String
+        ).returns(T::Array[String])
+      end
+      def ignored_versions(dependency, security_updates_only, semantic_versioning: "relaxed")
         return versions if security_updates_only
         return [ALL_VERSIONS] if versions.empty? && transformed_update_types.empty?
 
-        versions_by_type(dependency) + versions
+        versions_by_type(dependency, semantic_versioning: semantic_versioning) + versions
       end
 
       private
@@ -52,19 +58,19 @@ def transformed_update_types
         update_types.map(&:downcase).filter_map(&:strip)
       end
 
-      sig { params(dependency: Dependency).returns(T::Array[T.untyped]) }
-      def versions_by_type(dependency)
+      sig { params(dependency: Dependency, semantic_versioning: String).returns(T::Array[T.untyped]) }
+      def versions_by_type(dependency, semantic_versioning: "relaxed")
         version = correct_version_for(dependency)
         return [] unless version
 
         transformed_update_types.flat_map do |t|
           case t
           when PATCH_VERSION_TYPE
-            version.ignored_patch_versions
+            version.ignored_patch_versions_for_mode(semantic_versioning)
           when MINOR_VERSION_TYPE
-            version.ignored_minor_versions
+            version.ignored_minor_versions_for_mode(semantic_versioning)
           when MAJOR_VERSION_TYPE
-            version.ignored_major_versions
+            version.ignored_major_versions_for_mode(semantic_versioning)
           else
             []
           end

common/lib/dependabot/config/update_config.rb

@@ -32,8 +32,14 @@ def initialize(ignore_conditions: nil, commit_message_options: nil, exclude_path
         @exclude_paths = exclude_paths
       end
 
-      sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
-      def ignored_versions_for(dependency, security_updates_only: false)
+      sig do
+        params(
+          dependency: Dependency,
+          security_updates_only: T::Boolean,
+          semantic_versioning: String
+        ).returns(T::Array[String])
+      end
+      def ignored_versions_for(dependency, security_updates_only: false, semantic_versioning: "relaxed")
         normalizer = name_normaliser_for(dependency)
         dep_name = T.must(normalizer).call(dependency.name)
 
@@ -43,7 +49,7 @@ def ignored_versions_for(dependency, security_updates_only: false)
 
         @ignore_conditions
           .select { |ic| self.class.wildcard_match?(T.must(normalizer).call(ic.dependency_name), dep_name) }
-          .map { |ic| ic.ignored_versions(dependency, security_updates_only) }
+          .map { |ic| ic.ignored_versions(dependency, security_updates_only, semantic_versioning: semantic_versioning) }
           .flatten
           .compact
           .uniq

common/lib/dependabot/version.rb

@@ -74,6 +74,32 @@ def lowest_prerelease_suffix
       "a"
     end
 
+    # Mode-aware methods that respect semantic-versioning option
+    # When semantic_versioning is "strict", 0.x versions are treated differently:
+    # - 0.0.z: any change is breaking (major)
+    # - 0.y.z: minor changes are breaking (major)
+
+    sig { params(semantic_versioning: String).returns(T::Array[String]) }
+    def ignored_patch_versions_for_mode(semantic_versioning = "relaxed")
+      return strict_ignored_patch_versions if semantic_versioning == "strict"
+
+      ignored_patch_versions
+    end
+
+    sig { params(semantic_versioning: String).returns(T::Array[String]) }
+    def ignored_minor_versions_for_mode(semantic_versioning = "relaxed")
+      return strict_ignored_minor_versions if semantic_versioning == "strict"
+
+      ignored_minor_versions
+    end
+
+    sig { params(semantic_versioning: String).returns(T::Array[String]) }
+    def ignored_major_versions_for_mode(semantic_versioning = "relaxed")
+      return strict_ignored_major_versions if semantic_versioning == "strict"
+
+      ignored_major_versions
+    end
+
     sig { returns(T.nilable([Integer, Integer, Integer])) }
     def semver_parts
       # Extracts only the numeric major.minor.patch part of the version, ensuring it starts with a number
@@ -86,5 +112,56 @@ def semver_parts
       major, minor, patch = first_match.split(".").map(&:to_i)
       [major || 0, minor || 0, patch || 0]
     end
+
+    private
+
+    # Strict semver: for 0.0.z versions, patch changes are breaking
+    sig { returns(T::Array[String]) }
+    def strict_ignored_patch_versions
+      parts = to_semver.split(".")
+      major = parts[0].to_i
+      minor = parts[1].to_i
+
+      # For 0.0.z versions, patch changes are breaking, so treat as major
+      return strict_ignored_major_versions if major.zero? && minor.zero?
+
+      ignored_patch_versions
+    end
+
+    # Strict semver: for 0.y.z versions, minor changes are breaking
+    sig { returns(T::Array[String]) }
+    def strict_ignored_minor_versions
+      parts = to_semver.split(".")
+      major = parts[0].to_i
+
+      # For 0.y.z versions, minor changes are breaking, so treat as major
+      return strict_ignored_major_versions if major.zero?
+
+      ignored_minor_versions
+    end
+
+    # Strict semver: for 0.x versions, returns range starting from next breaking version
+    sig { returns(T::Array[String]) }
+    def strict_ignored_major_versions
+      parts = to_semver.split(".")
+      major = parts[0].to_i
+      minor = parts[1].to_i
+
+      # For 0.0.z versions, any patch change is breaking
+      if major.zero? && minor.zero?
+        patch = parts[2].to_i
+        lower_parts = [0, 0, patch + 1] + [lowest_prerelease_suffix]
+        return [">= #{lower_parts.join('.')}"]
+      end
+
+      # For 0.y.z versions (y > 0), minor changes are breaking
+      if major.zero?
+        lower_parts = [0, minor + 1] + [lowest_prerelease_suffix]
+        return [">= #{lower_parts.join('.')}"]
+      end
+
+      # For 1.y.z+ versions, use standard semantic versioning
+      ignored_major_versions
+    end
   end
 end

common/spec/dependabot/config/ignore_condition_spec.rb

@@ -342,5 +342,124 @@ def expect_ignored(versions)
         end
       end
     end
+
+    context "with semantic_versioning option" do
+      let(:ignore_condition) { described_class.new(dependency_name: dependency_name, update_types: update_types) }
+
+      context "with 0.y.z versions" do
+        let(:dependency_version) { "0.15.5" }
+        let(:patch_upgrades) { %w(0.15.6 0.15.7) }
+        let(:minor_upgrades) { %w(0.16.0 0.17.0) }
+        let(:major_upgrades) { %w(1.0.0 2.0.0) }
+
+        context "with ignore_major_versions in relaxed mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "relaxed")
+          end
+
+          let(:update_types) { ["version-update:semver-major"] }
+
+          it "only ignores actual major versions (1.0+)" do
+            expect(ignored_versions).to eq([">= 1.a"])
+          end
+
+          it "allows minor and patch upgrades within 0.y.z" do
+            expect_allowed(patch_upgrades + minor_upgrades)
+            expect_ignored(major_upgrades)
+          end
+        end
+
+        context "with ignore_major_versions in strict mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "strict")
+          end
+
+          let(:update_types) { ["version-update:semver-major"] }
+
+          it "treats minor bumps in 0.y.z as major" do
+            expect(ignored_versions).to eq([">= 0.16.a"])
+          end
+
+          it "ignores minor bumps as breaking changes" do
+            expect_allowed(patch_upgrades)
+            expect_ignored(minor_upgrades + major_upgrades)
+          end
+        end
+
+        context "with ignore_minor_versions in strict mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "strict")
+          end
+
+          let(:update_types) { ["version-update:semver-minor"] }
+
+          it "treats 0.y.z minor changes as major, so no minor range exists" do
+            # In strict mode, minor changes in 0.y.z are major, so ignoring "minor" returns the major range
+            expect(ignored_versions).to eq([">= 0.16.a"])
+          end
+        end
+      end
+
+      context "with 0.0.z versions" do
+        let(:dependency_version) { "0.0.3" }
+        let(:patch_upgrades) { %w(0.0.4 0.0.5) }
+        let(:minor_upgrades) { %w(0.1.0 0.2.0) }
+        let(:major_upgrades) { %w(1.0.0 2.0.0) }
+
+        context "with ignore_major_versions in strict mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "strict")
+          end
+
+          let(:update_types) { ["version-update:semver-major"] }
+
+          it "treats patch bumps in 0.0.z as major" do
+            expect(ignored_versions).to eq([">= 0.0.4.a"])
+          end
+
+          it "ignores all version bumps as breaking changes" do
+            expect_ignored(patch_upgrades + minor_upgrades + major_upgrades)
+          end
+        end
+
+        context "with ignore_patch_versions in strict mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "strict")
+          end
+
+          let(:update_types) { ["version-update:semver-patch"] }
+
+          it "treats 0.0.z patch changes as major, so returns major range" do
+            # In strict mode, patch changes in 0.0.z are major, so ignoring "patch" returns the major range
+            expect(ignored_versions).to eq([">= 0.0.4.a"])
+          end
+        end
+      end
+
+      context "with 1.y.z versions (standard semver)" do
+        let(:dependency_version) { "1.2.3" }
+        let(:update_types) { ["version-update:semver-major"] }
+
+        context "with relaxed mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "relaxed")
+          end
+
+          it "uses standard semver" do
+            expect(ignored_versions).to eq([">= 2.a"])
+          end
+        end
+
+        context "with strict mode" do
+          subject(:ignored_versions) do
+            ignore_condition.ignored_versions(dependency, security_updates_only, semantic_versioning: "strict")
+          end
+
+          it "uses standard semver (same as relaxed for >= 1.0)" do
+            expect(ignored_versions).to eq([">= 2.a"])
+          end
+        end
+      end
+    end
   end
 end