dependabot-core
Dependabot has stopped opening PRs - breaks with sorbet dependencies
Package ecosystem: bundler
Package manager version: unapplicable
Language version: Ruby 3.1.2
Manifest location and content before the Dependabot update
Relevant section in our Gemfile:
# Type checking
gem 'sorbet', '~> 0.5', group: :development
gem 'sorbet-runtime', '~> 0.5'
Resulting in the following in the Gemfile.lock:
    sorbet (0.5.10206)
      sorbet-static (= 0.5.10206)
    sorbet-runtime (0.5.10206)
    sorbet-static (0.5.10206-universal-darwin-14)
    sorbet-static (0.5.10206-universal-darwin-15)
    sorbet-static (0.5.10206-universal-darwin-16)
    sorbet-static (0.5.10206-universal-darwin-17)
    sorbet-static (0.5.10206-universal-darwin-18)
    sorbet-static (0.5.10206-universal-darwin-19)
    sorbet-static (0.5.10206-universal-darwin-20)
    sorbet-static (0.5.10206-universal-darwin-21)
    sorbet-static (0.5.10206-universal-darwin-22)
    sorbet-static (0.5.10206-x86_64-linux)
    sorbet-static-and-runtime (0.5.10206)
      sorbet (= 0.5.10206)
      sorbet-runtime (= 0.5.10206)
dependabot.yml content:
version: 2
registries:
  capdesk-ruby:
    type: rubygems-server
    url: https://rubygems.pkg.github.com/capdesk
    token: ${{ secrets.DEPENDABOT_WORKFLOW_TOKEN }}
updates:
  - package-ecosystem: bundler
    directory: "/"
    schedule:
      interval: weekly
    insecure-external-code-execution: allow
    open-pull-requests-limit: 10
    labels:
      - ruby
    registries:
      - capdesk-ruby
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    labels:
      - javascript
    ignore:
      - dependency-name: ng-table
      - dependency-name: webui-popover
Updated dependency: sorbet + sorbet_static
What you expected to see, versus what you actually saw: Best here is to see the error link at the bottom of this report - would expect it to work.
Native package manager behavior: Works well ✅
Images of the diff or a link to the PR, issue, or logs:

Relevant part of update Logs:
updater | INFO <job_427634604> Handled error whilst updating address: dependency_file_not_resolvable {:message=>"Bundler::VersionConflict with message: Bundler could not find compatible versions for gem \"sorbet-static\":\n In Gemfile:\n sorbet (~> 0.5) was resolved to 0.5.10206, which depends on\n sorbet-static (= 0.5.10206)\n\nCould not find gem 'sorbet-static (= 0.5.10206)' with platform 'ruby', which is required by gem 'sorbet (~> 0.5)', in rubygems repository https://rubygems.org/ or installed locally.\n\nThe source contains the following gems matching 'sorbet-static (= 0.5.10206)':\n * sorbet-static-0.5.10206-java\n * sorbet-static-0.5.10206-universal-darwin-14\n * sorbet-static-0.5.10206-universal-darwin-15\n * sorbet-static-0.5.10206-universal-darwin-16\n * sorbet-static-0.5.10206-universal-darwin-17\n * sorbet-static-0.5.10206-universal-darwin-18\n * sorbet-static-0.5.10206-universal-darwin-19\n * sorbet-static-0.5.10206-universal-darwin-20\n * sorbet-static-0.5.10206-universal-darwin-21\n * sorbet-static-0.5.10206-universal-darwin-22\n * sorbet-static-0.5.10206-x86_64-linux"}
I'm really sorry, this is again upstream fault 😞. See https://github.com/rubygems/rubygems/issues/5743. I have good ideas on how to fix it and will get to it soon. Also there's an easy workaround for you: remove the "ruby" platform from the lockfile (which is what I expect the fix will do automatically).
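To catch this lockfile state before Dependabot silently stops opening PRs, here is an added Ruby check (not code from the thread or from dependabot-core; the lockfile fragment is constructed to mirror the report above). It flags gems that the lockfile only provides as platform-specific builds while the generic ruby platform is still listed, which is the combination behind the "Could not find gem ... with platform 'ruby'" error, and notes the workaround suggested above.

```ruby
# Constructed Gemfile.lock fragment in the shape of the report above
# (sample data, not the reporter's actual lockfile).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sorbet (0.5.10206)
        sorbet-static (= 0.5.10206)
      sorbet-runtime (0.5.10206)
      sorbet-static (0.5.10206-universal-darwin-22)
      sorbet-static (0.5.10206-x86_64-linux)
      rake (13.0.6)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    sorbet (~> 0.5)
LOCK

# Parse the GEM specs into { name => [platform, ...] } plus the PLATFORMS list.
# Top-level spec lines are indented 4 spaces; their dependency lines 6 spaces.
def parse_lockfile(text)
  specs = Hash.new { |h, k| h[k] = [] }
  platforms = []
  section = nil
  text.each_line do |line|
    case line
    when /\A(GEM|PLATFORMS|DEPENDENCIES)\b/ then section = $1
    when /\A    (\S+) \((\S+)\)\s*\z/
      next unless section == "GEM"
      # "0.5.10206-x86_64-linux" -> "x86_64-linux"; a bare version means "ruby"
      specs[$1] << ($2.split("-", 2)[1] || "ruby")
    when /\A  (\S+)\s*\z/
      platforms << $1 if section == "PLATFORMS"
    end
  end
  [specs, platforms]
end

# Gems locked with no generic "ruby" build while "ruby" is still a lockfile
# platform: the state Bundler versions after 2.3.16 reject in this thread.
def platform_only_gems(text)
  specs, platforms = parse_lockfile(text)
  return [] unless platforms.include?("ruby")
  specs.reject { |_, plats| plats.include?("ruby") }.keys.sort
end

# Workaround from the comment above: drop the generic platform, e.g.
# `bundle lock --remove-platform ruby`, then let Dependabot resolve again.
puts "gems without a 'ruby' build: #{platform_only_gems(LOCKFILE).inspect}"
```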
@deivid-rodriguez thank you for the comment! I suspect we cannot remove the ruby platform on our side because of our dependency on https://github.com/sqreen/ruby-agent, which ends up depending on libv8-node ... but I will try it right away.
Update - it does seem to work adequately by removing ruby as a platform on our side 🙌 . Again, thank you @deivid-rodriguez for the suggestion.
@jurre should I close this issue, or do you want to keep it open for tracking purposes?
No problem, I'm glad it worked!
Happy that resolved it! Since it's already tracked upstream I'm fine with closing this one here, we'll pull in those changes as they're released
Removing the ruby platform doesn't do me any good since it's the only platform in my lockfile - this basically means that dependabot doesn't work for me at all. Is there some way for me to force dependabot to use a working version of bundler?
I'm guessing there are a bunch of people in my situation, who haven't had any dependabot pulls in a couple of weeks, and still just think things have been quiet vs broken.
I've opened https://github.com/dependabot/dependabot-core/pull/5465 which bumps us to the latest version of bundler, but I don't think a version with a fix for this issue has been released yet, so unfortunately there is not much we can do other than wait.
The silent failing is definitely annoying and I wish we had a better answer for this, the errors for this are buried fairly deeply in the UI. We're thinking about possible solutions for this, but unfortunately I can't offer much in terms of a solution for it right now.
Thanks!
edit: I do wonder if you might consider downgrading bundler to the previously-working version until it's fixed?
Just some heads up here.
I think @kbarrette was having a different issue due to having the force_ruby_platform set locally, so although he hasn't confirmed, I believe he has a workaround.
In addition to that, I proposed a fix in Bundler, so that it should stop raising this error for these lockfiles: https://github.com/rubygems/rubygems/pull/5807, so hopefully dependabot should work again for these lockfiles once the fix is merged and released and dependabot upgrades Bundler.
@kbarrette yeah, I'm open to it
@deivid-rodriguez do you happen to know what the latest version of bundler is that doesn't have this regression? And any sense of when it could be forward-fixed in a new version?
Yes, last working version is 2.3.16. And the fix for this is https://github.com/rubygems/rubygems/pull/5807, which should be released in about a week.
Thanks so much 🙇 I'll downgrade to 2.3.16 for now as we've also gotten some reports of this via our customer support, and once a new version is released with a fix we'll pull that in
Thanks, and sorry for too many regressions lately :(
No need to apologize, so many different configurations out in the world that it's really hard to always spot all the edge cases, and making these changes is the only way to improve bundler, your work is appreciated!
https://github.com/dependabot/dependabot-core/pull/5479 should resolve things for now
Although this keeps giving trouble upstream, dependabot-core is now locked to a version without issues, and we don't plan to change that 😅. So closing!