Allow updates for sub-dependencies in XCode SwiftPM projects (#14619)

* allow updates for sub-dependencies in xcode swiftpm projects

* refactor function to check if requirement comes from package.resolved

* reuse function from XCodeFileHelpers class

Author: AbhishekBhaskar

swift/lib/dependabot/swift/update_checker/xcode_version_resolver.rb

@@ -6,6 +6,7 @@
 require "dependabot/swift/update_checker"
 require "dependabot/swift/requirement"
 require "dependabot/swift/version"
+require "dependabot/swift/xcode_file_helpers"
 require "dependabot/update_checkers/version_filters"
 
 module Dependabot
@@ -145,12 +146,32 @@ def version_meets_requirements?(version)
           # Only versionRange has an explicit upper bound that should be respected.
           return true if %w(exactVersion upToNextMajorVersion upToNextMinorVersion).include?(kind)
 
+          # For sub-dependencies that are not declared directly in project.pbxproj
+          # (e.g., transitive dependencies of local packages), kind will be nil and
+          # the requirement comes from Package.resolved as an equality pin.
+          # In this case, we allow updates since the actual constraint lives in
+          # the local package's Package.swift, which we don't have access to.
+          # This may produce a pin that is not resolvable for the full package graph.
+          # In Xcode mode we intentionally defer that validation to downstream
+          # SwiftPM/Xcode resolution.
+          return true if kind.nil? && package_resolved_requirement?
+
           requirement = dependency_requirement
           return true unless requirement
 
           requirement.satisfied_by?(version)
         end
 
+        # Returns true if the dependency's requirement originates from an
+        # Xcode-managed Package.resolved file (rather than project.pbxproj).
+        sig { returns(T::Boolean) }
+        def package_resolved_requirement?
+          dependency.requirements.any? do |req|
+            file = req[:file]
+            file.is_a?(String) && XcodeFileHelpers.xcode_resolved_path?(file)
+          end
+        end
+
         sig do
           params(
             tags: T::Array[T::Hash[Symbol, T.untyped]]

swift/spec/dependabot/swift/update_checker/xcode_version_resolver_spec.rb

@@ -164,7 +164,7 @@
       end
     end
 
-    context "with nil requirement kind" do
+    context "with nil requirement kind from pbxproj" do
       let(:requirements) do
         [{
           file: "MyApp.xcodeproj/project.pbxproj",
@@ -179,6 +179,22 @@
         expect(resolver.send(:version_meets_requirements?, version)).to be false
       end
     end
+
+    context "with nil requirement kind from Package.resolved (sub-dependency)" do
+      let(:requirements) do
+        [{
+          file: "MyApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved",
+          requirement: "= 7.0.0",
+          groups: ["dependencies"],
+          source: { type: "git", url: "https://github.com/Quick/Quick.git", ref: "7.0.0", branch: nil },
+          metadata: { identity: "quick" }
+        }]
+      end
+
+      it "allows updates since actual constraint is in local package's Package.swift" do
+        expect(resolver.send(:version_meets_requirements?, version)).to be true
+      end
+    end
   end
 
   describe "#version_pinned?" do