Merge pull request #12027 from dependabot/ssandhu/adds-cooldown-for-cargo

Adds cooldown options to Cargo ecosystem latest version finder

Author: sachin-sandhu

cargo/lib/dependabot/cargo/update_checker.rb

@@ -116,14 +116,16 @@ def library?
       end
 
       def latest_version_finder
-        @latest_version_finder ||= LatestVersionFinder.new(
-          dependency: dependency,
-          dependency_files: dependency_files,
-          credentials: credentials,
-          ignored_versions: ignored_versions,
-          raise_on_ignored: raise_on_ignored,
-          security_advisories: security_advisories
-        )
+        @latest_version_finder ||=
+          LatestVersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories,
+            cooldown_options: update_cooldown,
+            raise_on_ignored: raise_on_ignored
+          )
       end
 
       def latest_version_for_git_dependency

cargo/lib/dependabot/cargo/update_checker/latest_version_finder.rb

@@ -15,17 +15,6 @@ class UpdateChecker
       class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
-        def initialize(dependency:, dependency_files:, credentials:,
-                       ignored_versions:, raise_on_ignored: false,
-                       security_advisories:)
-          @dependency          = dependency
-          @dependency_files    = dependency_files
-          @credentials         = credentials
-          @ignored_versions    = ignored_versions
-          @raise_on_ignored    = raise_on_ignored
-          @security_advisories = security_advisories
-        end
-
         sig do
           override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
@@ -57,6 +46,11 @@ def wants_prerelease?
           end
         end
 
+        sig { override.returns(T::Boolean) }
+        def cooldown_enabled?
+          Dependabot::Experiments.enabled?(:enable_cooldown_for_cargo)
+        end
+
         private
 
         attr_reader :dependency

cargo/spec/dependabot/cargo/update_checker/latest_version_finder_spec.rb

@@ -20,9 +20,11 @@
       credentials: credentials,
       ignored_versions: ignored_versions,
       raise_on_ignored: raise_on_ignored,
-      security_advisories: security_advisories
+      security_advisories: security_advisories,
+      cooldown_options: cooldown_options
     )
   end
+  let(:cooldown_options) { nil }
   let(:credentials) do
     [{
       "type" => "git_source",
@@ -467,5 +469,78 @@
         end
       end
     end
+
+    describe "#latest_version with cooldown options" do
+      subject(:latest_version) { finder.latest_version }
+
+      before do
+        allow(Dependabot::Experiments).to receive(:enabled?)
+          .with(:enable_cooldown_for_cargo).and_return(true)
+        stub_request(:get, sparse_registry_url).to_return(status: 200, body: sparse_registry_response)
+      end
+
+      let(:cooldown_options) do
+        Dependabot::Package::ReleaseCooldownOptions.new(default_days: 7)
+      end
+      let(:expected_cooldown_options) do
+        Dependabot::Package::ReleaseCooldownOptions.new(
+          default_days: 7,
+          semver_major_days: 7,
+          semver_minor_days: 7,
+          semver_patch_days: 7,
+          include: [],
+          exclude: []
+        )
+      end
+
+      context "when the latest version is released" do
+        let(:sparse_registry_response) do
+          <<~BODY
+            {"name": "hello-world", "vers": "1.0.0", "created_at": "2024-12-02T20:07:38.990663Z", "deps": [], "cksum": "b2c263921f1114820f4acc6b542d72bbc859ce7023c5b235346b157074dcccc7", "features": {}, "yanked": false, "links": null}
+            {"name": "hello-world", "vers": "2.0.0", "created_at": "#{Time.now}", "deps": [], "cksum": "8a55b58def1ecc7aa8590c7078f379ec9a85328363ffb81d4354314b132b95c4", "features": {}, "yanked": false, "links": null}
+          BODY
+        end
+
+        context "when new version is released but it is filtered out due to cooldown period" do
+          let(:requirements) do
+            [{
+              file: "Cargo.toml",
+              requirement: "~2.0.0",
+              groups: ["dependencies"],
+              source: {
+                type: "registry",
+                name: "honeyankit-test",
+                index: "sparse+https://cargo.cloudsmith.io/honeyankit/test/",
+                dl: "https://dl.cloudsmith.io/basic/honeyankit/test/cargo/{crate}-{version}.crate",
+                api: "https://cargo.cloudsmith.io/honeyankit/test"
+              }
+            }]
+          end
+
+          it { is_expected.to eq(Gem::Version.new("1.0.0")) }
+        end
+
+        context "when new version is released but and cooldown is disabled" do
+          let(:cooldown_options) { nil }
+
+          let(:requirements) do
+            [{
+              file: "Cargo.toml",
+              requirement: "~2.0.0",
+              groups: ["dependencies"],
+              source: {
+                type: "registry",
+                name: "honeyankit-test",
+                index: "sparse+https://cargo.cloudsmith.io/honeyankit/test/",
+                dl: "https://dl.cloudsmith.io/basic/honeyankit/test/cargo/{crate}-{version}.crate",
+                api: "https://cargo.cloudsmith.io/honeyankit/test"
+              }
+            }]
+          end
+
+          it { is_expected.to eq(Gem::Version.new("2.0.0")) }
+        end
+      end
+    end
   end
 end

cargo/spec/dependabot/cargo/update_checker_spec.rb

@@ -49,6 +49,7 @@
   let(:security_advisories) { [] }
   let(:raise_on_ignored) { false }
   let(:ignored_versions) { [] }
+  let(:update_cooldown) { nil }
   let(:checker) do
     described_class.new(
       dependency: dependency,
@@ -57,7 +58,8 @@
       ignored_versions: ignored_versions,
       raise_on_ignored: raise_on_ignored,
       security_advisories: security_advisories,
-      requirements_update_strategy: requirements_update_strategy
+      requirements_update_strategy: requirements_update_strategy,
+      update_cooldown: update_cooldown
     )
   end
   let(:crates_fixture_name) { "#{dependency_name}.json" }
@@ -508,4 +510,43 @@
       it { is_expected.to be(false) }
     end
   end
+
+  describe "with cooldown options" do
+    let(:update_cooldown) do
+      Dependabot::Package::ReleaseCooldownOptions.new(default_days: 7)
+    end
+    let(:expected_cooldown_options) do
+      Dependabot::Package::ReleaseCooldownOptions.new(
+        default_days: 7,
+        semver_major_days: 7,
+        semver_minor_days: 7,
+        semver_patch_days: 7,
+        include: [],
+        exclude: []
+      )
+    end
+
+    before do
+      latest_version = instance_double(Dependabot::Cargo::UpdateChecker::LatestVersionFinder)
+      allow(latest_version)
+        .to receive(:latest_version).and_return({ version: Gem::Version.new("1.5.0") })
+      allow(Dependabot::Cargo::UpdateChecker::LatestVersionFinder)
+        .to receive(:new).and_return(latest_version)
+    end
+
+    it "passes cooldown_options to LatestVersionFinder" do
+      checker.latest_version
+
+      expect(Dependabot::Cargo::UpdateChecker::LatestVersionFinder).to have_received(:new).with(
+        hash_including(cooldown_options: an_object_having_attributes(
+          default_days: expected_cooldown_options.default_days,
+          semver_major_days: expected_cooldown_options.semver_major_days,
+          semver_minor_days: expected_cooldown_options.semver_minor_days,
+          semver_patch_days: expected_cooldown_options.semver_patch_days,
+          include: expected_cooldown_options.include,
+          exclude: expected_cooldown_options.exclude
+        ))
+      )
+    end
+  end
 end