
Implement SBT UpdateChecker to fetch available versions#14918

Open
AbhishekBhaskar wants to merge 24 commits into main from abhishekbhaskar/sbt-update-checker

Conversation


@AbhishekBhaskar AbhishekBhaskar commented May 5, 2026

What are you trying to accomplish?

Implements the UpdateChecker for the SBT ecosystem. This enables Dependabot to fetch available versions from Maven Central and custom SBT resolvers, correctly resolve Scala-versioned artifacts, and prepare version data for updates. It also refactors the Maven shared version-finding infrastructure to reduce code duplication across Maven, SBT, and Gradle ecosystems.

Changes:
Refactoring: Shared version-finder class hierarchy

Introduced Dependabot::Maven::Shared::BaseVersionFinder as an intermediate abstract class between SharedVersionFinder and the Maven/SBT VersionFinder classes. This separates concerns:

  • SharedVersionFinder — Constants (pre-release qualifiers, snapshot regex, git SHA detection), version-type matching (matches_dependency_version_type?), and shared filters (filter_date_based_versions, filter_version_types). Used by all three ecosystems.
  • BaseVersionFinder — The release-fetching pipeline (fetch_latest_release, fetch_lowest_security_fix_release) with HEAD-check verification via abstract released?. Used only by Maven and SBT.

New files:

  • maven/lib/dependabot/maven/shared/base_version_finder.rb — Intermediate class with the release-fetching filter chain shared by Maven and SBT
  • sbt/lib/dependabot/sbt/update_checker/version_finder.rb — Inherits from BaseVersionFinder; delegates to SBT PackageDetailsFetcher
  • sbt/lib/dependabot/sbt/update_checker/requirements_updater.rb — Updates exact version strings in requirements, respects property-based dependencies
  • sbt/lib/dependabot/sbt/package/package_details_fetcher.rb — Inherits from SharedPackageDetailsFetcher; assembles repositories from SBT resolver declarations + credentials
  • sbt/lib/dependabot/sbt/update_checker.rb — Full implementation replacing stub; delegates to VersionFinder for version discovery

Modified files:

  • maven/lib/dependabot/maven/shared/shared_version_finder.rb — Removed releases, latest_version_details, lowest_security_fix_version_details, fetch_latest_release, fetch_lowest_security_fix_release, and released? (moved to BaseVersionFinder)
  • maven/lib/dependabot/maven/update_checker/version_finder.rb — Now inherits from BaseVersionFinder instead of SharedVersionFinder; removed duplicated filter-chain methods
  • gradle/lib/dependabot/gradle/update_checker/version_finder.rb — Removed released? override (no longer needed since SharedVersionFinder doesn't declare it)

Anything you want to highlight for special attention from reviewers?

Design decisions:

  • SharedVersionFinder remains abstract because it inherits from PackageLatestVersionFinder (which has an abstract package_details method) without implementing it
  • BaseVersionFinder calls released?(version) in the filter chain, which subclasses must implement — Maven/SBT delegate to package_details_fetcher.released? (HEAD-check), while Gradle bypasses this entirely with its own latest_version_details override
  • Gradle's VersionFinder continues to inherit directly from SharedVersionFinder because it uses a fundamentally different approach (no release verification, custom cooldown logic, max_by instead of find)
  • Existing specs for all three ecosystems continue to pass without modification since the public API (latest_version_details, lowest_security_fix_version_details, releases) is unchanged

Not in scope (deferred):

  • Full-unlock PropertyUpdater for multi-dependency val updates
  • Coursier CLI transitive dependency resolution verification
  • Git dependency support

How will you know you've accomplished your goal?

All existing Maven, Gradle, and SBT specs pass, and the shared filter chain is defined in exactly one place (BaseVersionFinder) rather than duplicated across ecosystem VersionFinder classes.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
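
The three-layer hierarchy described in this PR (shared filters, a release pipeline gated on released?, per-ecosystem finders), as an added Ruby example that is not dependabot-core's code. Class, method and path names below (Ver, SharedVersionFinder, BaseVersionFinder, SbtVersionFinder, GradleVersionFinder, FakeSbtPackageDetailsFetcher, the maven-metadata.xml and POM paths) are stand-ins constructed for this example; the fetcher answers the HEAD check from an in-memory list instead of the network. The index deliberately lists one version whose POM was never published, which is exactly the case the released? gate exists for.

```ruby
# Added example, not dependabot-core's code: a compact model of the hierarchy the PR describes.
# All class, method and path names here are hypothetical stand-ins for the real ones.

# Version that sorts numerically; "-RC1", "-M2", "-SNAPSHOT" etc. mark a prerelease.
class Ver
  include Comparable
  PRERELEASE = /-(?:alpha|beta|rc|m|snapshot)[\w.]*\z/i
  attr_reader :raw, :segments
  def initialize(raw)
    @raw = raw
    @segments = raw.sub(PRERELEASE, "").split(".").map(&:to_i)
  end
  def prerelease?; raw.match?(PRERELEASE); end
  def to_s; raw; end
  # A prerelease sorts just below the final release carrying the same numbers.
  def <=>(other); [segments, prerelease? ? 0 : 1] <=> [other.segments, other.prerelease? ? 0 : 1]; end
end

# Layer 1: filters all three ecosystems share (SharedVersionFinder in the PR). Versions are Ver objects.
class SharedVersionFinder
  def initialize(current_version:, ignored_versions: [])
    @current_version = current_version
    @ignored_versions = ignored_versions
  end

  def filter_prerelease_versions(versions)
    return versions if @current_version.prerelease? # already on one: keep them
    versions.reject(&:prerelease?)
  end

  def filter_ignored_versions(versions); versions.reject { |v| @ignored_versions.include?(v.raw) }; end
  def filter_lower_versions(versions); versions.select { |v| v > @current_version }; end
  def candidates; filter_lower_versions(filter_ignored_versions(filter_prerelease_versions(versions))); end
end

# Layer 2: the release-fetching pipeline (BaseVersionFinder in the PR). A candidate is
# only returned once released? confirms the artifact exists; the index alone is not trusted.
class BaseVersionFinder < SharedVersionFinder
  def latest_version; candidates.sort.reverse.find { |v| released?(v) }; end
  # Lowest released version at or above the first patched version (simplified advisory model).
  def lowest_security_fix_version(patched_from:); candidates.sort.find { |v| v >= patched_from && released?(v) }; end
  def versions; package_details_fetcher.versions; end
  def released?(_version); raise NotImplementedError, "#{self.class} must implement released?"; end
  def package_details_fetcher; raise NotImplementedError; end
end

# Layer 3: the SBT finder delegates both calls to its package-details fetcher.
class SbtVersionFinder < BaseVersionFinder
  attr_reader :package_details_fetcher
  def initialize(package_details_fetcher:, **opts)
    super(**opts)
    @package_details_fetcher = package_details_fetcher
  end
  def released?(version); package_details_fetcher.released?(version); end
end

# Gradle in the PR keeps its own latest-version lookup: max_by and no release verification.
class GradleVersionFinder < SharedVersionFinder
  def initialize(package_details_fetcher:, **opts)
    super(**opts)
    @fetcher = package_details_fetcher
  end
  def versions; @fetcher.versions; end
  def latest_version; candidates.max; end
end

# Offline stand-in for the SBT PackageDetailsFetcher: parses a constructed maven-metadata.xml
# and answers the HEAD check from a constructed list of POMs that "exist" on the resolver.
class FakeSbtPackageDetailsFetcher
  METADATA = <<~XML
    <metadata><versioning><versions>
      <version>2.9.0</version>
      <version>2.10.0-RC1</version>
      <version>2.10.0</version>
      <version>2.11.0</version>
    </versions></versioning></metadata>
  XML
  # 2.11.0 is listed in the index but was never published: only the HEAD check catches that.
  PUBLISHED_POMS = [
    "org/typelevel/cats-core_2.13/2.9.0/cats-core_2.13-2.9.0.pom",
    "org/typelevel/cats-core_2.13/2.10.0-RC1/cats-core_2.13-2.10.0-RC1.pom",
    "org/typelevel/cats-core_2.13/2.10.0/cats-core_2.13-2.10.0.pom"
  ].freeze
  # `%%` in build.sbt appends the Scala binary version to the artifact name.
  def initialize(group_id:, artifact_id:, scala_binary_version: "2.13")
    @group_path = group_id.tr(".", "/")
    @cross_name = "#{artifact_id}_#{scala_binary_version}"
  end
  def versions; METADATA.scan(%r{<version>([^<]+)</version>}).flatten.map { |v| Ver.new(v) }; end
  # Mirrors the HEAD request Dependabot sends for the version's POM (here a list lookup).
  def released?(version)
    PUBLISHED_POMS.include?("#{@group_path}/#{@cross_name}/#{version}/#{@cross_name}-#{version}.pom")
  end
end

def cats_fetcher
  FakeSbtPackageDetailsFetcher.new(group_id: "org.typelevel", artifact_id: "cats-core")
end
```

With a current version of 2.9.0, SbtVersionFinder returns 2.10.0 because the newer 2.11.0 fails the released? check, whereas GradleVersionFinder's max_by path returns 2.11.0 straight from the index. That difference is why the PR keeps released? in BaseVersionFinder rather than in SharedVersionFinder: a resolver whose index lists versions it does not actually serve (stale, mirrored or tampered metadata) would otherwise produce an update to an artifact that cannot be fetched.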

…bot/dependabot-core into abhishekbhaskar/sbt-file-fetcher
…bot/dependabot-core into abhishekbhaskar/sbt-file-parser
…ot/dependabot-core into abhishekbhaskar/sbt-file-parser
@AbhishekBhaskar AbhishekBhaskar self-assigned this May 5, 2026
Copilot AI review requested due to automatic review settings May 5, 2026 21:35
@AbhishekBhaskar AbhishekBhaskar requested a review from a team as a code owner May 5, 2026 21:35

Copilot AI left a comment


Pull request overview

This PR implements the SBT ecosystem’s UpdateChecker by reusing the Maven shared version/package details infrastructure, enabling Dependabot to discover available versions (including Scala cross-versioned artifacts) from Maven Central and custom SBT resolvers and to produce updated requirement data.

Changes:

  • Add SBT VersionFinder and PackageDetailsFetcher built on Maven shared components to fetch and filter available versions and verify published artifacts via HEAD checks.
  • Add SBT RequirementsUpdater to update exact requirement strings while guarding against Maven-style ranges and property-based declarations.
  • Replace the SBT UpdateChecker stub with a working implementation and add fixture-backed specs.
Summary per file:

  • sbt/lib/dependabot/sbt/update_checker.rb: Implements SBT update-checking flow (latest/security fix versions, property-awareness, updated requirements).
  • sbt/lib/dependabot/sbt/update_checker/version_finder.rb: Finds latest and lowest security-fix versions using Maven shared filtering + release verification.
  • sbt/lib/dependabot/sbt/update_checker/requirements_updater.rb: Updates requirement strings for exact versions; skips comma-based ranges; respects property-based updates.
  • sbt/lib/dependabot/sbt/package/package_details_fetcher.rb: Fetches version metadata from Maven Central + SBT resolvers + credential repos using shared Maven fetcher behavior.
  • sbt/spec/dependabot/sbt/update_checker_spec.rb: Adds end-to-end UpdateChecker behavior coverage for latest/security-fix/property handling.
  • sbt/spec/dependabot/sbt/update_checker/version_finder_spec.rb: Adds unit coverage for VersionFinder filtering and release verification.
  • sbt/spec/dependabot/sbt/update_checker/requirements_updater_spec.rb: Adds unit coverage for RequirementsUpdater behavior (exact, nil, range, property-based).
  • sbt/spec/dependabot/sbt/package/package_details_fetcher_spec.rb: Adds unit coverage for repository assembly and release listing behavior.
  • sbt/spec/fixtures/maven_metadata/guava.xml: Maven metadata fixture for version listing tests (classifier variants).
  • sbt/spec/fixtures/maven_metadata/cats_core_2.13.xml: Maven metadata fixture for Scala cross-versioned artifact tests (incl. prerelease).
  • sbt/spec/fixtures/maven_metadata/akka_actor_2.13.xml: Maven metadata fixture for prerelease-to-stable behavior tests.
  • sbt/spec/fixtures/maven_metadata/scalatest_2.13.xml: Maven metadata fixture for additional Scala cross-versioned artifact coverage.

Copilot's findings

  • Files reviewed: 12/12 changed files
  • Comments generated: 3

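
The RequirementsUpdater behaviour named in the PR description and again in the review summary above (exact versions rewritten, nil requirements and comma-based ranges left alone, property-based declarations only changed when their property is), as an added Ruby example that is not dependabot-core's RequirementsUpdater. The SbtRequirementsUpdater class, the :property_name metadata key, the updated_properties argument and the sample requirement hashes are assumptions constructed for this example.

```ruby
# Added example, not dependabot-core's RequirementsUpdater: the cases the PR calls out,
# applied to Dependabot-style requirement hashes. The :property_name metadata key and the
# updated_properties argument are assumptions made for this example.
class SbtRequirementsUpdater
  # A comma marks a Maven-style range such as "[2.0,3.0)"; those are left untouched.
  RANGE = /,/
  PROPERTY_KEY = :property_name

  # updated_properties: property name => new version, supplied only when a
  # `val xVersion = "..."` declaration is itself being updated.
  def initialize(requirements:, latest_version:, updated_properties: {})
    @requirements = requirements
    @latest_version = latest_version
    @updated_properties = updated_properties
  end

  def updated_requirements
    @requirements.map { |req| update(req) }
  end

  private

  def update(req)
    current = req[:requirement]
    return req if current.nil? || current.match?(RANGE)

    property = req.dig(:metadata, PROPERTY_KEY)
    if property
      # A version that comes from a property changes only when that property is updated,
      # so two dependencies sharing one val never drift apart.
      new_version = @updated_properties[property]
      return new_version ? req.merge(requirement: new_version) : req
    end
    req.merge(requirement: @latest_version.to_s)
  end
end

# Constructed input in the shape Dependabot's parser produces for build.sbt.
SAMPLE_REQUIREMENTS = [
  { requirement: "2.9.0", file: "build.sbt", groups: [], source: nil, metadata: {} },
  { requirement: "[2.0,3.0)", file: "build.sbt", groups: [], source: nil, metadata: {} },
  { requirement: nil, file: "build.sbt", groups: [], source: nil, metadata: {} },
  { requirement: "2.9.0", file: "build.sbt", groups: [], source: nil,
    metadata: { property_name: "catsVersion" } }
].freeze

# Returns only the requirement strings, in input order, after applying the updater.
def update_sample(updated_properties = {})
  SbtRequirementsUpdater.new(requirements: SAMPLE_REQUIREMENTS, latest_version: "2.10.0",
                             updated_properties: updated_properties)
                        .updated_requirements.map { |r| r[:requirement] }
end
```

Without an entry in updated_properties the property-backed requirement keeps its current string rather than being rewritten to the latest version; that matches the PR deferring the full-unlock PropertyUpdater, since rewriting one `%% "cats-core" % catsVersion` line without the val (and every other dependency using it) would be a lie about what the build resolves.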

@kbukum1 kbukum1 left a comment


@AbhishekBhaskar, is there a reason we are not sharing most of the filtering functions in the shared version finder? I mean I am unable to think if there is any difference between maven and sbt, maybe even gradle.

@github-actions github-actions Bot added the L: java:maven Maven packages via Maven label May 6, 2026

@kbukum1 kbukum1 left a comment


Great job, really. I think everything looks good overall. Just a couple of follow-ups you can consider:

  • If you make the package fetcher shared between maven and sbt as a method in their version finders (e.g. def package_fetcher), you can also move the calls related to the fetcher such as released? and so on directly into the shared part, instead of keeping them in their related package managers. You can check uv, pip, and so on to see how they extend the package latest version finder — it may help.

  • In general, the PR is doing what it needs to do, so these follow-ups would be more on the optimization side, similar to what I mentioned above.

  • For aligning gradle with maven and sbt, it would be great if we could at least have a refactoring issue opened. Then, depending on bandwidth and priorities, we can decide whether to pick it up or not. Just having the issue tracked would already be great.
