add support for hex aliases

efcasado · efcasado · commit 0e420efb5ada · 2026-02-19T20:12:24.000+01:00
diff --git a/hex/helpers/lib/parse_deps.exs b/hex/helpers/lib/parse_deps.exs
@@ -29,6 +29,7 @@ defmodule Parser do
   defp build_dependency(nil, dep) do
     %{
       name: dep.app,
+      package_name: dep.opts[:hex] || dep.app,
       from: Path.relative_to_cwd(dep.from),
       groups: [],
       requirement: normalise_requirement(dep.requirement),
@@ -42,6 +43,7 @@ defmodule Parser do
 
     %{
       name: dep.app,
+      package_name: dep.opts[:hex] || dep.app,
       from: Path.relative_to_cwd(dep.from),
       version: version,
       groups: groups,
diff --git a/hex/lib/dependabot/hex/file_parser.rb b/hex/lib/dependabot/hex/file_parser.rb
@@ -43,7 +43,8 @@ def parse
                 source: dep["source"] && symbolize_keys(dep["source"]),
                 file: dep["from"]
               }],
-              package_manager: "hex"
+              package_manager: "hex",
+              metadata: { hex_package: dep["package_name"] }
             )
         end
 
diff --git a/hex/lib/dependabot/hex/metadata_finder.rb b/hex/lib/dependabot/hex/metadata_finder.rb
@@ -60,7 +60,9 @@ def find_source_from_git_url
       def hex_listing
         return @hex_listing unless @hex_listing.nil?
 
-        response = Dependabot::RegistryClient.get(url: "https://hex.pm/api/packages/#{dependency.name}")
+        response = Dependabot::RegistryClient.get(
+          url: "https://hex.pm/api/packages/#{dependency.metadata[:hex_package] || dependency.name}"
+        )
         @hex_listing = T.let(JSON.parse(response.body), T.nilable(T::Hash[String, T.untyped]))
       end
     end
diff --git a/hex/lib/dependabot/hex/package/package_details_fetcher.rb b/hex/lib/dependabot/hex/package/package_details_fetcher.rb
@@ -27,7 +27,10 @@ class PackageDetailsFetcher
         def initialize(dependency:)
           @dependency = dependency
 
-          @dependency_url = T.let("https://hex.pm/api/packages/#{dependency.name}", T.nilable(String))
+          @dependency_url = T.let(
+            "https://hex.pm/api/packages/#{dependency.metadata[:hex_package] || dependency.name}",
+            T.nilable(String)
+          )
         end
 
         sig { returns(Dependabot::Dependency) }
diff --git a/hex/spec/dependabot/hex/file_parser_spec.rb b/hex/spec/dependabot/hex/file_parser_spec.rb
@@ -451,6 +451,43 @@
       end
     end
 
+    context "with a hex package name alias" do
+      let(:mixfile_fixture_name) { "hex_alias" }
+      let(:lockfile_fixture_name) { "hex_alias" }
+
+      its(:length) { is_expected.to eq(2) }
+
+      describe "the aliased dependency" do
+        subject(:dependency) { dependencies.find { |d| d.name == "pulsar" } }
+
+        it "has the right details" do
+          expect(dependency).to be_a(Dependabot::Dependency)
+          expect(dependency.name).to eq("pulsar")
+          expect(dependency.version).to eq("2.8.7")
+          expect(dependency.requirements).to eq(
+            [{
+              requirement: "~> 2.8.7",
+              file: "mix.exs",
+              groups: [],
+              source: nil
+            }]
+          )
+        end
+
+        it "stores the hex package name in metadata" do
+          expect(dependency.metadata[:hex_package]).to eq("pulsar_elixir")
+        end
+      end
+
+      describe "the non-aliased dependency" do
+        subject(:dependency) { dependencies.find { |d| d.name == "plug" } }
+
+        it "defaults hex_package to the dependency name" do
+          expect(dependency.metadata[:hex_package]).to eq("plug")
+        end
+      end
+    end
+
     context "with reject_external_code" do
       let(:reject_external_code) { true }
 
diff --git a/hex/spec/dependabot/hex/metadata_finder_spec.rb b/hex/spec/dependabot/hex/metadata_finder_spec.rb
@@ -110,5 +110,32 @@
         it { is_expected.to be_nil }
       end
     end
+
+    context "when the dependency has a hex package name alias" do
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "pulsar",
+          version: "2.8.7",
+          requirements: [{
+            file: "mix.exs",
+            requirement: "~> 2.8.7",
+            groups: [],
+            source: nil
+          }],
+          package_manager: "hex",
+          metadata: { hex_package: "pulsar_elixir" }
+        )
+      end
+
+      let(:hex_url) { "https://hex.pm/api/packages/pulsar_elixir" }
+      let(:hex_response) do
+        fixture("registry_api", "phoenix_response.json")
+      end
+
+      it "queries the hex.pm API using the hex package name" do
+        source_url
+        expect(WebMock).to have_requested(:get, hex_url).once
+      end
+    end
   end
 end
diff --git a/hex/spec/dependabot/hex/package/package_details_fetcher_spec.rb b/hex/spec/dependabot/hex/package/package_details_fetcher_spec.rb
@@ -68,5 +68,41 @@
         expect(fetcher.fetch_package_releases).to eq([])
       end
     end
+
+    context "when the dependency has a hex package name alias" do
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "pulsar",
+          version: "2.8.7",
+          requirements: [{
+            file: "mix.exs",
+            requirement: "~> 2.8.7",
+            groups: [],
+            source: nil
+          }],
+          package_manager: "hex",
+          metadata: { hex_package: "pulsar_elixir" }
+        )
+      end
+
+      let(:response) do
+        instance_double(
+          Excon::Response,
+          status: 200,
+          body:
+                fixture("package_fetch_response", "hex-parser.json")
+        )
+      end
+
+      before do
+        allow(Dependabot::RegistryClient).to receive(:get).and_return(response)
+      end
+
+      it "queries the hex.pm API using the hex package name" do
+        fetcher.fetch_package_releases
+        expect(Dependabot::RegistryClient).to have_received(:get)
+          .with(url: "https://hex.pm/api/packages/pulsar_elixir")
+      end
+    end
   end
 end
diff --git a/hex/spec/fixtures/lockfiles/hex_alias b/hex/spec/fixtures/lockfiles/hex_alias
@@ -0,0 +1,5 @@
+%{
+  "mime": {:hex, :mime, "1.2.0", "78adaa84832b3680de06f88f0997e3ead3b451a440d183d688085be2d709b534", [:mix], [], "hexpm", "b24d1d704209b760aeac161255c8031c5160de1a5cb7dd28bb84ef5bda2ba29e"},
+  "plug": {:hex, :plug, "1.3.5", "7503bfcd7091df2a9761ef8cecea666d1f2cc454cbbaf0afa0b6e259203b7031", [:mix], [{:cowboy, "~> 1.0.1 or ~> 1.1", [hex: :cowboy, repo: "hexpm", optional: true]}, {:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}], "hexpm", "141058cca1fa800128391ece7f442f71a7b42a7411e6eaa56dc8f85283c8dde7"},
+  "pulsar": {:hex, :pulsar_elixir, "2.8.7", "aabbccdd11223344556677889900aabbccdd11223344556677889900aabbccdd", [:mix], [], "hexpm", "112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00"},
+}
diff --git a/hex/spec/fixtures/mixfiles/hex_alias b/hex/spec/fixtures/mixfiles/hex_alias
@@ -0,0 +1,24 @@
+defmodule DependabotTest.Mixfile do
+  use Mix.Project
+
+  def project do
+    [
+      app: :dependabot_test,
+      version: "0.1.0",
+      elixir: "~> 1.5",
+      start_permanent: Mix.env == :prod,
+      deps: deps()
+    ]
+  end
+
+  def application do
+    [extra_applications: [:logger]]
+  end
+
+  defp deps do
+    [
+      {:plug, "~> 1.3.0"},
+      {:pulsar, "~> 2.8.7", hex: :pulsar_elixir}
+    ]
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,8 @@ def parse`
`43`	`43`	`source: dep["source"] && symbolize_keys(dep["source"]),`
`44`	`44`	`file: dep["from"]`
`45`	`45`	`}],`
`46`		`- package_manager: "hex"`
	`46`	`+ package_manager: "hex",`
	`47`	`+ metadata: { hex_package: dep["package_name"] }`
`47`	`48`	`)`
`48`	`49`	`end`
`49`	`50`