dependabot-core

Incorrect ruby version being selected by dependabot

Open salmanasiddiqui opened this issue 8 months ago • 8 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Package ecosystem

Bundler

Package manager version

2.6.5

Language version

3.1.6

Manifest location and content before the Dependabot update

Public repo having the issue:

https://github.com/salmanasiddiqui/dependabot_bug_ruby_version

Updated dependency

Given the above state of files dependabot fails to resolve versions of dependencies with the below error

Dependabot encountered the following error:

Could not find compatible versions

Because rails >= 6.1.0.rc1 depends on bundler >= 1.15.0
  and every version of bundler depends on Ruby >= 3.1.0,
  rails >= 6.1.0.rc1 requires Ruby >= 3.1.0.
So, because Gemfile depends on rails ~> 7.1.5
  and current Ruby version is = 3.0.6,
  version solving has failed.

As you can see in the above error message,

and current Ruby version is = 3.0.6

Not sure why ruby version 3.0.6 is being used by dependabot when Gemfile and .ruby-version point to 3.1.6. Is it due to gemspec which says it supports ruby ~> 3.0?

A bit more context: if we remove the rails gem from Gemfile but keep the same version locked in Gemfile.lock, as rails is a dependency of another gem, then dependabot downgrades the rails version to v0.9.5. I tried updating the dependabot config to ignore rails <= 7.1.5 but that didn't work. Now, I have added rails explicitly in Gemfile but that results in the above error.

What you expected to see, versus what you actually saw

I expect dependabot to not fail with the error above and create PRs as expected

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

salmanasiddiqui avatar Apr 22 '25 14:04 salmanasiddiqui
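Added example, not from the issue or from dependabot-core: a check of the hypothesis raised in the post above, listing for each place the repo declares a Ruby version the lowest Ruby that declaration admits and whether it meets the `Ruby >= 3.1.0` floor from the error message. The candidate Ruby list and the idea that a resolver might take the lowest admitted version are assumptions; the constraints are the ones quoted in the post.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constraints as quoted in the issue text.
DECLARED = {
  ".ruby-version" => Gem::Requirement.new("= 3.1.6"),
  "Gemfile"       => Gem::Requirement.new("= 3.1.6"),
  "gemspec"       => Gem::Requirement.new("~> 3.0")
}.freeze

# Floor taken from the error: "every version of bundler depends on Ruby >= 3.1.0".
RESOLVER_FLOOR = Gem::Requirement.new(">= 3.1.0")

# Constructed candidate list (assumption); it only needs to contain the
# two versions named in the issue, 3.0.6 and 3.1.6.
CANDIDATES = %w[2.7.8 3.0.6 3.1.6 3.2.8 3.3.8].freeze

# Candidate Rubies a declaration admits, lowest first.
def allowed_rubies(requirement, candidates = CANDIDATES)
  candidates.map { |v| Gem::Version.new(v) }
            .select { |v| requirement.satisfied_by?(v) }
            .sort
end

# One row per declaration: the lowest Ruby it admits and whether that
# Ruby satisfies the floor.
def audit(declared = DECLARED, floor = RESOLVER_FLOOR)
  declared.map do |source, req|
    lowest = allowed_rubies(req).first
    { source: source, constraint: req.to_s, lowest: lowest&.to_s,
      meets_floor: !lowest.nil? && floor.satisfied_by?(lowest) }
  end
end

# Declarations loose enough to admit a Ruby below the floor.
def loose_sources(declared = DECLARED, floor = RESOLVER_FLOOR)
  audit(declared, floor).reject { |r| r[:meets_floor] }.map { |r| r[:source] }
end

audit.each do |r|
  flag = r[:meets_floor] ? "ok" : "admits a Ruby below #{RESOLVER_FLOOR}"
  puts format("%-14s %-10s lowest=%-6s %s",
              r[:source], r[:constraint], r[:lowest], flag)
end
```

Only the gemspec's `~> 3.0` admits 3.0.6; a hypothetical gemspec constraint of `>= 3.1` would admit nothing below the floor.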

@salmanasiddiqui Can you reproduce on a public repo?

koxya avatar May 03 '25 01:05 koxya

@koya-masuda Here is the public repo with same issue https://github.com/salmanasiddiqui/dependabot_bug_ruby_version

This is the error I'm getting

Dependabot can't resolve your Ruby dependency files Dependabot failed to update your dependencies because there was an error resolving your Ruby dependency files.

Dependabot encountered the following error:

Could not find compatible versions

Because rails >= 6.1.0.rc1 depends on bundler >= 1.15.0
  and every version of bundler depends on Ruby >= 3.1.0,
  rails >= 6.1.0.rc1 requires Ruby >= 3.1.0.
So, because Gemfile depends on rails ~> 7.1.5
  and current Ruby version is = 3.0.6,
  version solving has failed.

Dependabot is using ruby 3.0.6 instead of 3.1.6 😢

salmanasiddiqui avatar May 17 '25 20:05 salmanasiddiqui

@salmanasiddiqui

Here is the public repo with same issue

Thanks for great job!! I'll try to get it.

koxya avatar May 19 '25 03:05 koxya

@salmanasiddiqui I tried to reproduce like below, but didn't.

[dependabot-core-dev] ~ $ bin/dry-run.rb bundler salmanasiddiqui/dependabot_bug_ruby_version
=> cloning into /home/dependabot/tmp/salmanasiddiqui/dependabot_bug_ruby_version
🎈 Ecosystem Versions log: {:package_managers=>{"bundler"=>"2"}}
=> parsing dependency files
=> updating 11 dependencies: factory_bot, faker, grpc-tools, rails, rake, rbs, redis, rspec, google-protobuf, i18n, zeitwerk

=== factory_bot (6.5.1)
 => checking for updates 1/11
🌍 --> GET https://rubygems.org/api/v1/versions/factory_bot.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/factory_bot.json
I, [2025-05-22T11:20:20.986176 #11]  INFO -- : Filtered out 4 pre-release versions
 => latest available version is 6.5.1
    (no update needed as it's already up-to-date)

=== faker (3.5.1)
 => checking for updates 2/11
🌍 --> GET https://rubygems.org/api/v1/versions/faker.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/faker.json
 => latest available version is 3.5.1
    (no update needed as it's already up-to-date)

=== grpc-tools (1.71.0)
 => checking for updates 3/11
🌍 --> GET https://rubygems.org/api/v1/versions/grpc-tools.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/grpc-tools.json
I, [2025-05-22T11:20:21.890394 #11]  INFO -- : Filtered out 62 pre-release versions
 => latest available version is 1.72.0
 => latest allowed version is 1.72.0
 => requirements to unlock: own
 => requirements update strategy: #<Dependabot::RequirementsUpdateStrategy::BumpVersions>
 => handled error whilst updating grpc-tools: dependency_file_not_resolvable {:message=>"Could not find compatible versions\n\nBecause rails >= 6.1.0.rc1 depends on bundler >= 1.15.0\n  and every version of bundler depends on Ruby >= 3.1.0,\n  rails >= 6.1.0.rc1 requires Ruby >= 3.1.0.\nSo, because Gemfile depends on rails ~> 7.1.5\n  and current Ruby version is = 3.0.6,\n  version solving has failed."}

=== rails (7.1.5.1)
 => checking for updates 4/11
🌍 --> GET https://rubygems.org/api/v1/versions/rails.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/rails.json
I, [2025-05-22T11:20:31.439123 #11]  INFO -- : Filtered out 172 pre-release versions
 => latest available version is 8.0.2
 => latest allowed version is 7.2.2.1
 => requirements to unlock: own
 => requirements update strategy: #<Dependabot::RequirementsUpdateStrategy::BumpVersions>
 => handled error whilst updating rails: dependency_file_not_resolvable {:message=>"Could not find compatible versions\n\nBecause rails >= 7.2.0.beta1, < 8.0.0.beta1 depends on Ruby >= 3.1.0\n  and Gemfile depends on rails = 7.2.2.1,\n  Ruby >= 3.1.0 is required.\nSo, because current Ruby version is = 3.0.6,\n  version solving has failed."}

=== rake (13.2.1)
 => checking for updates 5/11
🌍 --> GET https://rubygems.org/api/v1/versions/rake.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/rake.json
I, [2025-05-22T11:20:36.838152 #11]  INFO -- : Filtered out 16 pre-release versions
 => latest available version is 13.2.1
    (no update needed as it's already up-to-date)

=== rbs (3.9.2)
 => checking for updates 6/11
🌍 --> GET https://rubygems.org/api/v1/versions/rbs.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/rbs.json
I, [2025-05-22T11:20:37.666687 #11]  INFO -- : Filtered out 37 pre-release versions
 => latest available version is 3.9.4
 => latest allowed version is 3.9.4
 => requirements to unlock: own
 => requirements update strategy: #<Dependabot::RequirementsUpdateStrategy::BumpVersions>
 => handled error whilst updating rbs: dependency_file_not_resolvable {:message=>"Could not find compatible versions\n\nBecause rbs >= 3.7.0.dev.1 depends on Ruby >= 3.1\n  and Gemfile depends on rbs = 3.9.4,\n  Ruby >= 3.1 is required.\nSo, because current Ruby version is = 3.0.6,\n  version solving has failed."}

=== redis (4.8.0)
 => checking for updates 7/11
🌍 --> GET https://rubygems.org/api/v1/versions/redis.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/redis.json
I, [2025-05-22T11:20:43.304961 #11]  INFO -- : Filtered out 10 pre-release versions
 => latest available version is 5.4.0
 => latest allowed version is 5.4.0
 => requirements to unlock: own
 => requirements update strategy: #<Dependabot::RequirementsUpdateStrategy::BumpVersions>
 => handled error whilst updating redis: dependency_file_not_resolvable {:message=>"Could not find compatible versions\n\nBecause rails >= 6.1.0.rc1 depends on bundler >= 1.15.0\n  and every version of bundler depends on Ruby >= 3.1.0,\n  rails >= 6.1.0.rc1 requires Ruby >= 3.1.0.\nSo, because Gemfile depends on rails ~> 7.1.5\n  and current Ruby version is = 3.0.6,\n  version solving has failed."}

=== rspec (3.13.0)
 => checking for updates 8/11
🌍 --> GET https://rubygems.org/api/v1/versions/rspec.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/rspec.json
I, [2025-05-22T11:20:50.867139 #11]  INFO -- : Filtered out 52 pre-release versions
 => latest available version is 3.13.0
    (no update needed as it's already up-to-date)

=== google-protobuf (4.30.1)
 => checking for updates 9/11
🌍 --> GET https://rubygems.org/api/v1/versions/google-protobuf.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/google-protobuf.json
I, [2025-05-22T11:20:52.475961 #11]  INFO -- : Filtered out 454 pre-release versions
 => latest available version is 4.31.0
 => latest allowed version is 4.31.0
 => requirements to unlock: own
 => requirements update strategy: #<Dependabot::RequirementsUpdateStrategy::BumpVersions>
 => handled error whilst updating google-protobuf: dependency_file_not_resolvable {:message=>"Could not find compatible versions\n\nBecause google-protobuf >= 4.31.0 depends on Ruby >= 3.1, < 3.5.dev\n  and google-protobuf = 4.31.0 depends on Ruby >= 3.1,\n  google-protobuf >= 4.31.0 requires Ruby >= 3.1.\nSo, because Gemfile depends on google-protobuf = 4.31.0\n  and current Ruby version is = 3.0.6,\n  version solving has failed."}

=== i18n (1.14.7)
 => checking for updates 10/11
🌍 --> GET https://rubygems.org/api/v1/versions/i18n.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/i18n.json
I, [2025-05-22T11:20:58.969620 #11]  INFO -- : Filtered out 9 pre-release versions
 => latest available version is 1.14.7
    (no update needed as it's already up-to-date)

=== zeitwerk (2.6.18)
 => checking for updates 11/11
🌍 --> GET https://rubygems.org/api/v1/versions/zeitwerk.json
🌍 <-- 200 https://rubygems.org/api/v1/versions/zeitwerk.json
I, [2025-05-22T11:20:59.299637 #11]  INFO -- : Filtered out 11 pre-release versions
 => latest available version is 2.7.3
 => latest allowed version is 2.6.18
 => requirements to unlock: update_not_possible
 => requirements update strategy: #<Dependabot::RequirementsUpdateStrategy::BumpVersions>
    (no update possible 🙅‍♀️)
I, [2025-05-22T11:21:03.528806 #11]  INFO -- : Filtered out 11 pre-release versions
🌍 Total requests made: '11'
Dry-run completed successfully.

koxya avatar May 22 '25 11:05 koxya

Interesting, this is making me think that there is some issue with dry-run script.

This is what I'm seeing:

Image

and these are the logs:

Image

salmanasiddiqui avatar May 22 '25 13:05 salmanasiddiqui

Is there any update on this issue?

salmanasiddiqui avatar Sep 01 '25 13:09 salmanasiddiqui

I'm experiencing a similar issue and it started just this week. Last week GH dependabot was still pulling an image that does not result in dependency_file_not_resolvable.

"message": "Bundler::SolveFailure with message: Could not find compatible versions\n\nBecause rails >= 6.1.0.rc1 depends on bundler >= 1.15.0\n  and every version of bundler depends on Ruby >= 3.1.0,\n  rails >= 6.1.0.rc1 requires Ruby >= 3.1.0.\nSo, because Gemfile depends on rails ~> 6.1.7.6\n  and current Ruby version is = 3.0.6,\n  version solving has failed."

I'm curious if there are any updates.

katpadi avatar Sep 22 '25 11:09 katpadi

Pretty sure replicating this as well.

Because every version of fastlane depends on bundler >= 1.12.0, < 3.0.0
  and every version of bundler depends on Ruby >= 3.1.0,
  every version of fastlane requires Ruby >= 3.1.0.
So, because Gemfile depends on fastlane >= 0
  and current Ruby version is = 2.6.9,
  version solving has failed.

https://github.com/fastlane/fastlane/actions/runs/19987752349

It doesn't make sense for a few reasons:

  1. Bundler 2.4.22 which is >= 1.12.0 supports Ruby 2.6 which is what we still support as our smallest.
  2. Not all versions of bundler (1.12 - 3.0) are Ruby 3.1 or more.

iBotPeaches avatar Dec 06 '25 12:12 iBotPeaches