Add blocked versions support to updater job

Integrate a blocked_versions job attribute into the updater's ignore
logic so that dependency versions flagged by GitHub Security are
automatically excluded from update candidates.

Changes:
- Add blocked_versions to Job PERMITTED_KEYS and constructor
- Merge blocked versions into ignore_conditions_for as exact-match
  version requirements (= <version>)
- Use normalized exact name matching (not wildcard) for safety
- Add logging for blocked versions in log_ignore_conditions_for
- Defensive handling of malformed entries (missing name/version)
- Add TODO in update_files_command.rb for API integration point

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: kbukum1

updater/lib/dependabot/job.rb

@@ -57,6 +57,7 @@ class Job # rubocop:disable Metrics/ClassLength
         cooldown
         repo_private
         multi_ecosystem_update
+        blocked_versions
       ).freeze,
       T::Array[Symbol]
     )
@@ -118,6 +119,9 @@ class Job # rubocop:disable Metrics/ClassLength
     sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
     attr_reader :cooldown
 
+    sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+    attr_reader :blocked_versions
+
     sig { returns(Dependabot::Config::UpdateConfig) }
     attr_reader :update_config
 
@@ -220,6 +224,10 @@ def initialize(attributes) # rubocop:disable Metrics/AbcSize,Metrics/MethodLengt
       @dependency_groups              = T.let(attributes.fetch(:dependency_groups, []) || [], T::Array[T.untyped])
       @dependency_group_to_refresh    = T.let(attributes.fetch(:dependency_group_to_refresh, nil), T.nilable(String))
       @repo_private                   = T.let(attributes.fetch(:repo_private, nil), T.nilable(T::Boolean))
+      @blocked_versions               = T.let(
+        attributes.fetch(:blocked_versions, []) || [],
+        T::Array[T::Hash[String, T.untyped]]
+      )
 
       @update_config = T.let(calculate_update_config, Dependabot::Config::UpdateConfig)
 
@@ -444,7 +452,7 @@ def ignore_conditions_for(dependency)
       # allow update-types cannot be checked in allowed_update? because it runs
       # pre-resolution when only the current version is known. Version ranges
       # only need the current version — the same mechanism as ignore update-types.
-      conditions + ignored_versions_from_allowed_update_types(dependency)
+      conditions + ignored_versions_from_allowed_update_types(dependency) + blocked_versions_for(dependency)
     end
 
     # TODO: Present Dependabot::Config::IgnoreCondition in calling code
@@ -460,24 +468,55 @@ def ignore_conditions_for(dependency)
     sig { params(dependency: Dependabot::Dependency).void }
     def log_ignore_conditions_for(dependency)
       conditions = ignore_conditions.select { |ic| name_match?(ic["dependency-name"], dependency.name) }
-      return if conditions.empty?
-
-      Dependabot.logger.info("Ignored versions:")
-      conditions.each do |ic|
-        unless ic["version-requirement"].nil?
-          Dependabot.logger.info("  #{ic['version-requirement']} - from #{ic['source']}")
-        end
-
-        ic["update-types"]&.each do |update_type|
-          msg = "  #{update_type} - from #{ic['source']}"
-          msg += " (doesn't apply to security update)" if security_updates_only?
-          Dependabot.logger.info(msg)
+      if conditions.any?
+        Dependabot.logger.info("Ignored versions:")
+        conditions.each do |ic|
+          unless ic["version-requirement"].nil?
+            Dependabot.logger.info("  #{ic['version-requirement']} - from #{ic['source']}")
+          end
+
+          ic["update-types"]&.each do |update_type|
+            msg = "  #{update_type} - from #{ic['source']}"
+            msg += " (doesn't apply to security update)" if security_updates_only?
+            Dependabot.logger.info(msg)
+          end
         end
       end
+
+      log_blocked_versions_for(dependency)
     end
 
     private
 
+    sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+    def blocked_versions_for(dependency)
+      normaliser = name_normaliser
+      normalized_dep_name = T.must(normaliser).call(dependency.name)
+
+      blocked_versions
+        .select { |bv| bv["dependency-name"] && bv["version"] }
+        .select { |bv| T.must(normaliser).call(bv["dependency-name"]) == normalized_dep_name }
+        .map { |bv| "= #{bv['version']}" }
+    end
+
+    sig { params(dependency: Dependabot::Dependency).void }
+    def log_blocked_versions_for(dependency)
+      normaliser = name_normaliser
+      normalized_dep_name = T.must(normaliser).call(dependency.name)
+
+      blocks = blocked_versions
+               .select { |bv| bv["dependency-name"] && bv["version"] }
+               .select { |bv| T.must(normaliser).call(bv["dependency-name"]) == normalized_dep_name }
+      return if blocks.empty?
+
+      Dependabot.logger.info("Blocked versions (by GitHub Security):")
+      blocks.each do |bv|
+        msg = "  = #{bv['version']}"
+        msg += " - reason: #{bv['reason']}" if bv["reason"]
+        Dependabot.logger.info(msg)
+      end
+    end
+
     sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
     def completely_ignored?(dependency)
       ignore_conditions_for(dependency).any?(Dependabot::Config::IgnoreCondition::ALL_VERSIONS)

updater/lib/dependabot/update_files_command.rb

@@ -50,6 +50,10 @@ def perform_job
         # As above, we can remove the responsibility for handling fatal/job halting
         # errors from Dependabot::Updater entirely.
         begin
+          # TODO: Fetch blocked versions from dependabot-api and inject into the job.
+          # Call GET /blocked_versions?ecosystem=<job.package_manager> to retrieve
+          # versions blocked by GitHub Security, then pass them into the job so they
+          # are excluded from update candidates.
           Dependabot::Updater.new(service:, job:, dependency_snapshot:).run
         rescue Dependabot::DependencyFileNotParseable => e
           handle_dependency_file_not_parseable_error(e)

updater/spec/dependabot/job_spec.rb

@@ -1273,4 +1273,185 @@
       end
     end
   end
+
+  describe "#ignore_conditions_for with blocked_versions" do
+    subject(:ignored) { job.ignore_conditions_for(dependency) }
+
+    let(:dependency) do
+      Dependabot::Dependency.new(
+        name: "event-stream",
+        package_manager: "bundler",
+        version: "3.3.5",
+        requirements: [{ file: "Gemfile", requirement: "~> 3.3", groups: [], source: nil }]
+      )
+    end
+
+    context "when blocked_versions contains a matching dependency" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            {
+              "dependency-name" => "event-stream",
+              "version" => "3.3.6",
+              "reason" => "malware - flatmap-stream injection"
+            }
+          ]
+        )
+      end
+
+      it "includes the blocked version as an exact ignore condition" do
+        expect(ignored).to include("= 3.3.6")
+      end
+    end
+
+    context "when blocked_versions contains multiple versions for the same package" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "event-stream", "version" => "3.3.6", "reason" => "malware" },
+            { "dependency-name" => "event-stream", "version" => "4.0.0", "reason" => "malware" }
+          ]
+        )
+      end
+
+      it "includes all blocked versions" do
+        expect(ignored).to include("= 3.3.6", "= 4.0.0")
+      end
+    end
+
+    context "when blocked_versions does not match the dependency name" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "other-package", "version" => "1.0.0", "reason" => "malware" }
+          ]
+        )
+      end
+
+      it "does not include the blocked version" do
+        expect(ignored).not_to include("= 1.0.0")
+      end
+    end
+
+    context "when blocked_versions uses exact name matching (not wildcard)" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "event-stream*", "version" => "3.3.6", "reason" => "malware" }
+          ]
+        )
+      end
+
+      it "does not match wildcards in blocked version names" do
+        expect(ignored).not_to include("= 3.3.6")
+      end
+    end
+
+    context "when security_updates_only is true" do
+      let(:security_updates_only) { true }
+      let(:dependencies) { ["event-stream"] }
+
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "event-stream", "version" => "3.3.6", "reason" => "malware" }
+          ]
+        )
+      end
+
+      it "still includes the blocked version (blocks apply regardless of update type)" do
+        expect(ignored).to include("= 3.3.6")
+      end
+    end
+
+    context "when blocked_versions is empty" do
+      let(:attributes) do
+        super().merge(blocked_versions: [])
+      end
+
+      it "returns no additional conditions" do
+        expect(ignored).to be_empty
+      end
+    end
+
+    context "when blocked_versions contains malformed entries" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "event-stream" },
+            { "version" => "3.3.6" },
+            {},
+            { "dependency-name" => "event-stream", "version" => "3.3.6", "reason" => "malware" }
+          ]
+        )
+      end
+
+      it "ignores entries missing dependency-name or version" do
+        expect(ignored).to eq(["= 3.3.6"])
+      end
+    end
+  end
+
+  describe "#log_ignore_conditions_for with blocked_versions" do
+    let(:dependency) do
+      Dependabot::Dependency.new(
+        name: "event-stream",
+        package_manager: "bundler",
+        version: "3.3.5",
+        requirements: [{ file: "Gemfile", requirement: "~> 3.3", groups: [], source: nil }]
+      )
+    end
+
+    context "when blocked_versions contains a matching dependency" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            {
+              "dependency-name" => "event-stream",
+              "version" => "3.3.6",
+              "reason" => "malware - flatmap-stream injection"
+            }
+          ]
+        )
+      end
+
+      it "logs the blocked version with reason" do
+        expect(Dependabot.logger).to receive(:info).with("Blocked versions (by GitHub Security):")
+        expect(Dependabot.logger).to receive(:info)
+          .with("  = 3.3.6 - reason: malware - flatmap-stream injection")
+        job.log_ignore_conditions_for(dependency)
+      end
+    end
+
+    context "when blocked_versions has no reason" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "event-stream", "version" => "3.3.6" }
+          ]
+        )
+      end
+
+      it "logs the blocked version without reason" do
+        expect(Dependabot.logger).to receive(:info).with("Blocked versions (by GitHub Security):")
+        expect(Dependabot.logger).to receive(:info).with("  = 3.3.6")
+        job.log_ignore_conditions_for(dependency)
+      end
+    end
+
+    context "when no blocked versions match" do
+      let(:attributes) do
+        super().merge(
+          blocked_versions: [
+            { "dependency-name" => "other-pkg", "version" => "1.0.0", "reason" => "malware" }
+          ]
+        )
+      end
+
+      it "does not log blocked versions" do
+        expect(Dependabot.logger).not_to receive(:info).with("Blocked versions (by GitHub Security):")
+        job.log_ignore_conditions_for(dependency)
+      end
+    end
+  end
 end