Fix Ruby version conflict error detection for new Bundler versions #4820
Conversation
deivid-rodriguez
force-pushed
the
fix-ruby-error-detection
branch
2 times, most recently
from
e2afd61 to
d4c4c74
Compare
|
I noticed that when Bundler v1 and Bundler v2 behavior differ, you extract interface methods that then get their own version specific implementation at |
No this is fine! Those extracted interface methods are programs that we run as standalone CLIs and parse the results back to the main process. This is mostly used for when we use bundler as a library in order to avoid mismatches between the bundler used to manage dependabot-core itself and the one used to perform updates As for running locally, are you using Also, thanks for contributing! |
Ah, I see!
No, indeed I tried running what's in the
You're welcome, thanks to you for dependabot :) |
|
Turns out that while my changes fix my use case, they break a different use case. The difference between our use cases is the presence of a lockfile. In my case, there's a I'll dig deeper. |
deivid-rodriguez
force-pushed
the
fix-ruby-error-detection
branch
from
d4c4c74 to
b5749ea
Compare
|
I fixed the broken spec in the Bundler 2 suite, and added a spec for this fix. But now I have a broken spec in the Bundler 1 suite 😬. Will keep digging. |
deivid-rodriguez
force-pushed
the
fix-ruby-error-detection
branch
2 times, most recently
from
74ca25f to
2c04439
Compare
|
I think the current failure is some flaky failure, but other than that seems green. However, I need to look closer at the consequences of doing this. It fixes my use case but I think it might break other cases. I imagine now if a library provides a Gemfile + Gemfile.lockfile + gemspec, then dependabot could potentially change a gemspec dependency to a range that no longer resolves on the minimum ruby supported, and that would be bad since it would mean unintentionally dropping old rubies support (although it would most likely be detected by CI running on the minimum ruby since the new lockfile would no longer be installable there). It seems like a very rare case, but I want to double check the new behavior. |
Yes, we unfortunately have a few flaky tests in our bundler suite, one of which is fixed here |
|
@deivid-rodriguez is this ready for review? |
|
Still a WIP and I'm also not even sure this makes sense in general, or just for my use case. In my libraries I use a So, not ready for a review, but happy to get feedback about the idea. |
deivid-rodriguez
force-pushed
the
fix-ruby-error-detection
branch
3 times, most recently
from
49c863e to
a2def54
Compare
|
Alright, so I had another look at this and my conclusion is that this is a bug introduced when Bundler 2 was added. I did my best to explain the context, and the relevant commits/PRs both in the dependabot and bundler side. The explanation is at a2def54. However, I tried this PR against my repository and while it did successfully generate a PR (see activeadmin/activeadmin#7400), it updated the So... I need to investigate that latter issue more. |
Up until the Bundler 2 upgrade, when in the context of updating a library, dependabot would first try locking the Ruby version according to the minimum ruby requirement specified in the gemspec (if any). If that fail, dependabot would retry without any ruby version locking by detecting a specific error message raised by Bundler. This feature was introduced by fcd5682. However, when the upgrade to Bundler 2 happened, the related spec started failing, because the string to look for within Bundler's error message was not updated to match what Bundler 2 was raising (error message was changed upstream at rubygems/bundler#6647). Instead, the spec was updated to match the new result (see dependabot#3319 (comment)). In the spec, dependabot is updating a Gemfile including ```ruby gem 'statesman', "~> 3.0.0" ``` in combination with a gemspec including ```ruby required_ruby_version ">= 1.9.3" ``` Statesman 3.0.0 has a Ruby ">= 2.2" requirement, so it does not support Ruby 1.9.3 already. The original dependabot behaviour was to ignore the preexisting mismatch and move on. That makes sense to me, there's some reasons why a library main have this situation. In my case, I have several Gemfiles testing different major versions of my dependencies (Rails, in particular), and some of them don't support the oldest Ruby supported by my gem (my Rails 7 gemfile does not support my oldest supported Ruby, 2.6). On a more pragmatic point of view, the old behavior didn't cause any reported issues that I know of, while the new behavior did bite my particular case. So this commit changes the expectation to what it used to be and updates the strings to look for in error messages to support both Bundler 1 and Bundler 2 error messages.
deivid-rodriguez
force-pushed
the
fix-ruby-error-detection
branch
from
a2def54 to
e9a759b
Compare
|
Alright I figured that last issue. The problem is that I was generating my activeadmin PRs using this branch + https://github.com/dependabot/dependabot-script. However, dependabot-script does not support the as opposed to the in-repo dry-run script which does check the proper condition at line 680 dependabot-core/bin/dry-run.rb Lines 679 to 688 in d0d849a So, not an issue related to this PR, so I'm marking this as ready! |
@deivid-rodriguez While outside the scope of this PR, it sounds like this is a real issue that needs addressing. Are you planning to tackle this issue in a separate PR or file an issue so all your research work doesn't get forgotten about? |
|
Maybe we should just retire dependabot-script, no one is really maintaining it and it really only serves as an example of how one might use dependabot-core. I wish the code from our dry-run script was a little more composable/reusable and folks could just use that instead, but alas. |
|
I'm not sure what are the differences between the two, but they look very similar. I guess (from naming) one difference is that dry-run.rb is not supposed to actually create PR's. I guess it makes sense to merge them and eventually retire dependabot-script. I'm happy to contribute my fix to dependabot-script to start reducing the delta between the two scripts and open an issue to eventually merge them. How about that? |
|
I filed dependabot/dependabot-script#891 so we don't lose track of ☝️. There's a larger-scope conversation about melding dry-run/dependabot-script or possibly migrating to the CLI but until we get a chance to tackle that, the above issue at least notes the divergence in functionality. |
Hello!
I'm having some issues running specs locally, and I won't be able to finish this work (and possibly write some specs) today, but I want to open a WIP PR if that's ok, so that I don't lose the context and that I can check whether the current version of my patch is ok with your CI.
On some of my repositories I'm getting mysterious Ruby version conflict errors that make dependabot updates fail. See for example: https://github.com/activeadmin/arbre/security/dependabot/9, which shows this error:
However, my library does not impose any Ruby version requirements, so I wasn't sure where this was coming from.
After investigation, I noticed that dependabot is automatically adding this Ruby version constraint to the resolution when updating libraries.
After further investigation, I noticed that dependabot also wants to retry without this constraint, in case adding it fails. It does this by checking the content of the specific error message given by Bundler in this case. In particular
However, in rubygems/bundler#6647 (released with Bundler 2.1.0.pre.1), this message was changed to
That means that when using recent Bundler versions, the error message not longer matches, so dependabot leaves the extra Ruby version constraint there, and update fails.
This PR fixes the issue by also checking for the new error message in order to remove the extra Ruby version constraint.
I tried
dependabot-scriptand it worked just fine with this change, but I want to check full CI too.