Align dry-run.rb blocked_versions with version-requirement rename

Update bin/dry-run.rb (from merged PR #14916) to use 'version-requirement'
instead of 'version' in the blocked_versions data structure, matching the
rename done in job.rb and the API contract.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: kbukum1

bin/dry-run.rb

@@ -228,7 +228,7 @@
 
 unless ENV["BLOCKED_VERSIONS"].to_s.strip.empty?
   # For example:
-  # [{"dependency-name":"event-stream","version":"= 3.3.6","reason":"malware"}]
+  # [{"dependency-name":"event-stream","version-requirement":"= 3.3.6","reason":"malware"}]
   $options[:blocked_versions] = JSON.parse(ENV.fetch("BLOCKED_VERSIONS", nil))
 end
 
@@ -730,9 +730,9 @@ def ignored_versions_for(dep)
 
   def blocked_versions_for(dep)
     $options[:blocked_versions]
-      .select { |bv| bv["dependency-name"] && bv["version"] }
+      .select { |bv| bv["dependency-name"] && bv["version-requirement"] }
       .select { |bv| bv["dependency-name"].casecmp(dep.name).zero? }
-      .map { |bv| bv["version"] }
+      .map { |bv| bv["version-requirement"] }
   end
 
   def security_advisories
@@ -794,7 +794,7 @@ def security_fix?(dependency)
   if $options[:blocked_versions].any?
     puts "=> blocked versions active:"
     $options[:blocked_versions].each do |bv|
-      msg = "   #{bv['dependency-name']} #{bv['version']}"
+      msg = "   #{bv['dependency-name']} #{bv['version-requirement']}"
       msg += " (#{bv['reason']})" if bv["reason"]
       puts msg
     end

updater/lib/dependabot/api_client.rb

@@ -408,7 +408,7 @@ def fetch_blocked_versions(package_manager)
           return []
         end
         data = parsed.fetch("data", [])
-        unless data.is_a?(Array)
+        unless data.is_a?(Array) && data.all?(Hash)
           Dependabot.logger.warn("Unexpected blocked versions format, continuing without them")
           return []
         end

updater/lib/dependabot/update_files_command.rb

@@ -73,15 +73,14 @@ def job
           definition = JSON.parse(JSON.generate(Environment.job_definition))
           job_hash = definition["job"]
 
-          # Register experiments from the job definition early so experiment
-          # gates below can read flags that arrive via the job payload.
-          (job_hash["experiments"] || {}).each do |name, value|
-            Experiments.register(name.to_s.tr("-", "_"), value)
-          end
-
           # Fetch blocked versions from the API if the experiment is enabled.
+          # Check both the Experiments registry and the raw job definition since
+          # job-scoped experiments are not registered until Job construction.
           # Inject them into the job definition so they're available at construction time.
-          if Experiments.enabled?(:dependabot_blocked_versions)
+          experiments = job_hash["experiments"] || {}
+          if Experiments.enabled?(:dependabot_blocked_versions) ||
+             experiments["dependabot_blocked_versions"] ||
+             experiments["dependabot-blocked-versions"]
             package_manager = job_hash["package-manager"] || job_hash["package_manager"] || ""
             blocked = service.fetch_blocked_versions(package_manager)
             job_hash["blocked-versions"] = blocked

updater/spec/dependabot/api_client_spec.rb

@@ -921,5 +921,23 @@
         expect(result).to eq([])
       end
     end
+
+    context "when the API returns data entries that are not hashes" do
+      before do
+        stub_request(:get, blocked_versions_url)
+          .with(query: { "package-manager": "npm_and_yarn" })
+          .to_return(
+            status: 200,
+            body: { data: [1, "not-a-hash"] }.to_json,
+            headers: headers
+          )
+      end
+
+      it "returns an empty array and logs a warning" do
+        expect(Dependabot.logger).to receive(:warn).with(/Unexpected blocked versions format/)
+        result = client.fetch_blocked_versions("npm_and_yarn")
+        expect(result).to eq([])
+      end
+    end
   end
 end