add support for hex aliases

[efcasado]

What are you trying to accomplish?

Dependabot failed to detect updates for Elixir dependencies using the :hex option to alias the package name. The off_broadway_pulsar project is an example, where pulsar-elixir is defined as a dependency as follows

{:pulsar, "~> 2.8.7", hex: :pulsar_elixir}

Prior to this change, the local app name (ie. :pulsar) was used for hex.pm API lookups instead of the actual package name (ie. :pulsar_elixir), causing version checks and metadata lookups to query the wrong package.

Anything you want to highlight for special attention from reviewers?

The change should be backward-compatible. We've introduced a new field, ie. package_name, which defaults to the local application name unless an alias is specified (using the :hex option). When present, the alias is propagated as metadata to other components. The metadata finder has been updated to rely on this new field.

By using a dedicated field, we maintain a clear separation between how the application is represented in the lockfile and how it is handled in Hex (ie. the package manager).

How will you know you've accomplished your goal?

Dependabot will detect updates for dependencies using aliases. For example, pulsar-elixir in off_broadway_pulsar.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[efcasado]

The dependency.name fallback is only needed because tests are calling Dependency.new directly. That is, the parser is being bypassed (see here).

[Copilot]

Pull request overview

This PR adds Hex package alias support for Elixir dependencies declared with the :hex option (e.g. {:pulsar, "~> 2.8.7", hex: :pulsar_elixir}), ensuring Dependabot queries hex.pm using the actual package name rather than the local app name.

Changes:

• Extend the Elixir helper output to include a resolved package_name for each dependency (alias-aware).
• Persist the resolved Hex package name onto Dependabot::Dependency via metadata[:hex_package] during parsing.
• Update Hex registry lookups (package details + metadata finder) to prefer metadata[:hex_package] over dependency.name, and add fixtures/specs covering the alias behavior.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
hex/helpers/lib/parse_deps.exs	Emits package_name based on dep.opts[:hex] to capture Hex aliases.
hex/lib/dependabot/hex/file_parser.rb	Stores the parsed package_name into dependency metadata (:hex_package).
hex/lib/dependabot/hex/package/package_details_fetcher.rb	Uses metadata[:hex_package] for hex.pm package API lookups.
hex/lib/dependabot/hex/metadata_finder.rb	Uses metadata[:hex_package] for hex.pm metadata API lookups.
hex/spec/fixtures/mixfiles/hex_alias	New fixture Mixfile demonstrating hex: alias usage.
hex/spec/fixtures/lockfiles/hex_alias	New fixture lockfile showing alias in the :hex lock tuple.
hex/spec/dependabot/hex/file_parser_spec.rb	Adds parsing assertions for aliased and non-aliased deps.
hex/spec/dependabot/hex/package/package_details_fetcher_spec.rb	Adds a spec asserting API lookup uses the aliased package name.
hex/spec/dependabot/hex/metadata_finder_spec.rb	Adds a spec asserting metadata lookup uses the aliased package name.

[Copilot]

Dependabot::Dependency#== compares to_h, which includes metadata. By unconditionally setting metadata: { hex_package: dep["package_name"] } for every parsed dependency, you change equality semantics for all Hex dependencies (even non-aliased ones). This will break existing specs in this file that use include(Dependabot::Dependency.new(...)) without matching metadata. Consider only setting :hex_package metadata when the package name differs from dep["name"] (i.e., when an alias is present), or update all existing expectations to include the new metadata field.

[efcasado]

Curious to hear your thoughts about this change, @robaiken. I see you are usually very active when it comes to changes affecting the Elixir ecosystem 😄

[robaiken]

@gabrielfeo Thanks for the contribution. Seems like a usual change for our Elixir users!

[efcasado]

I can confirm it works as expected (see here). Thanks for the quick turnaround! 🙏