cargo: Fix sparse registry error on update

cargo/lib/dependabot/cargo/file_updater/lockfile_updater.rb

@@ -6,6 +6,7 @@
 require "dependabot/cargo/file_updater"
 require "dependabot/cargo/file_updater/manifest_updater"
 require "dependabot/cargo/file_parser"
+require "dependabot/cargo/toolchain_parser"
 require "dependabot/shared_helpers"
 module Dependabot
   module Cargo
@@ -32,7 +33,8 @@ def updated_lockfile_content
             SharedHelpers.with_git_configured(credentials: credentials) do
               # Shell out to Cargo, which handles everything for us, and does
               # so without doing an install (so it's fast).
-              run_shell_command("cargo update -p #{dependency_spec}", fingerprint: "cargo update -p <dependency_spec>")
+              run_shell_command("cargo #{toolchain_parser.sparse_flag} update -p #{dependency_spec}",
+                                fingerprint: "cargo update -p <dependency_spec>")
             end
 
             updated_lockfile = File.read("Cargo.lock")
@@ -369,6 +371,10 @@ def toolchain
             dependency_files.find { |f| f.name == "rust-toolchain" }
         end
 
+        def toolchain_parser
+          @toolchain_parser ||= Cargo::ToolchainParser.new(toolchain)
+        end
+
         def virtual_manifest?(file)
           !file.content.include?("[package]")
         end

cargo/lib/dependabot/cargo/toolchain_parser.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+module Dependabot
+  module Cargo
+    class ToolchainParser
+      def initialize(toolchain)
+        @toolchain = toolchain
+      end
+
+      def sparse_flag
+        return @sparse_flag if defined?(@sparse_flag)
+
+        @sparse_flag = needs_sparse_flag ? "-Z sparse-registry" : ""
+      end
+
+      private
+
+      attr_reader :toolchain
+
+      # We only need to set the -Z sparse-registry flag for nightly and unstable toolchains
+      # during which the feature exists and is reading the environment variable CARGO_REGISTRIES_CRATES_IO_PROTOCOL.
+      def needs_sparse_flag
+        return false unless toolchain
+
+        channel = TomlRB.parse(toolchain.content).fetch("toolchain", nil)&.fetch("channel", nil)
+        return false unless channel
+
+        date = channel.match(/nightly-(\d{4}-\d{2}-\d{2})/)&.captures&.first
+        return false unless date
+
+        Date.parse(date).between?(Date.parse("2022-07-10"), Date.parse("2023-01-20"))
+      end
+    end
+  end
+end

cargo/lib/dependabot/cargo/update_checker/version_resolver.rb

@@ -6,7 +6,9 @@
 require "dependabot/cargo/update_checker"
 require "dependabot/cargo/file_parser"
 require "dependabot/cargo/version"
+require "dependabot/cargo/toolchain_parser"
 require "dependabot/errors"
+
 module Dependabot
   module Cargo
     class UpdateChecker
@@ -134,7 +136,7 @@ def dependency_spec
         # so without doing an install (so it's fast).
         def run_cargo_update_command
           run_cargo_command(
-            "cargo update -p #{dependency_spec} --verbose",
+            "cargo #{toolchain_parser.sparse_flag} update -p #{dependency_spec} --verbose",
             fingerprint: "cargo update -p <dependency_spec> --verbose"
           )
         end
@@ -407,6 +409,10 @@ def toolchain
                          find { |f| f.name == "rust-toolchain" }
         end
 
+        def toolchain_parser
+          @toolchain_parser ||= Cargo::ToolchainParser.new(toolchain)
+        end
+
         def git_dependency?
           GitCommitChecker.new(
             dependency: dependency,

cargo/spec/dependabot/cargo/toolchain_parser_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/cargo/toolchain_parser"
+
+RSpec.describe Dependabot::Cargo::ToolchainParser do
+  it "returns sparse-registry for nightlies in a certain range" do
+    toolchain = Dependabot::DependencyFile.new(
+      name: "rust-toolchain",
+      content: "[toolchain]\nchannel = \"nightly-2022-07-10\""
+    )
+    expect(described_class.new(toolchain).sparse_flag).to eq("-Z sparse-registry")
+  end
+
+  it "doesn't return sparse-registry for stable" do
+    toolchain = Dependabot::DependencyFile.new(
+      name: "rust-toolchain",
+      content: "[toolchain]\nchannel = \"stable\""
+    )
+    expect(described_class.new(toolchain).sparse_flag).to eq("")
+  end
+
+  it "doesn't return sparse-registry when no toolchain file" do
+    expect(described_class.new(nil).sparse_flag).to eq("")
+  end
+
+  it "doesn't return sparse-registry for nightlies outside the range" do
+    toolchain = Dependabot::DependencyFile.new(
+      name: "rust-toolchain",
+      content: "[toolchain]\nchannel = \"nightly-2023-01-21\""
+    )
+    expect(described_class.new(toolchain).sparse_flag).to eq("")
+  end
+
+  it "doesn't return sparse-registry when the channel isn't specified" do
+    toolchain = Dependabot::DependencyFile.new(
+      name: "rust-toolchain",
+      content: "[toolchain]"
+    )
+    expect(described_class.new(toolchain).sparse_flag).to eq("")
+  end
+end