dependabot-core
Terraform provider versions are sometimes parsed as empty string ""
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
terraform
Package manager version
No response
Language version
1.0.7
Manifest location and content before the Dependabot update
In terraform/module/main.tf:
## Source this module
terraform {
  required_version = "~> 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.63"
    }
    docker = {
      source  = "kreuzwerker/docker"
      version = "~> 2.15"
    }
  }
}
dependabot.yml content
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "terraform"
    directory: "/terraform/module"
    schedule:
      interval: "daily"
Updated dependency
No response
What you expected to see, versus what you actually saw
When Dependabot goes through the Terraform provider, it sometimes has trouble parsing out the version of the dependency. For example:
updater | INFO <job_433> Checking if hashicorp/aws needs updating
^
updater | INFO <job_433> Updating hashicorp/aws from to 4.31.0
^
There should be the version number where the ^ are, but it is actually an empty string "".
When asked to ignore: { dependency-name: "hashicorp/aws" }, Dependabot is unable to do so because it's trying to compare an empty version string with >= 0.
Note that the pull request that Dependabot generates has the correct subject, so Dependabot does know how to get the old version number:
Update hashicorp/aws requirement from ~> 3.63 to ~> 4.31 in /terraform/module
diff --git a/terraform/module/main.tf b/terraform/module/main.tf index b375127..b2e44f7 100644 --- a/terraform/module/main.tf +++ b/terraform/module/main.tf @@ -6,7 +6,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 3.63" + version = "~> 4.31" } docker = {
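Review bot: the constraint in this hunk moves from `~> 3.63` to `~> 4.31`, which is a major-version change for the aws provider (3.x to 4.x), not a patch bump; the PR description should call that out and the plan output should be reviewed against the provider's upgrade notes before merge.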
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Running update job 433
Created update_files container: 36b1f12dcdc7100fac92a0b53b2fd8205e139e66468eb43ccee60c00d16f305d
updater | Updating certificates in /etc/ssl/certs...
updater | 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | Top level ::CompositeIO is deprecated, require 'multipart/post' and use `Multipart::Post::CompositeReadIO` instead!
updater | Top level ::Parts is deprecated, require 'multipart/post' and use `Multipart::Post::Parts` instead!
updater | I, [2022-09-21T17:24:28.824583 #553] INFO -- sentry: ** [Raven] Raven 3.1.2 configured not to capture errors: DSN not set
updater | warning: parser/current is loading parser/ruby27, which recognizes2.7.6-compliant syntax, but you are running 2.7.5.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_433> Starting job processing
updater | INFO <job_433> Starting PR update job for org/repo
proxy | 2022/09/21 17:24:50 [015] POST https://github.internal:443/_dependabot/update_jobs/433/update_dependency_list
proxy | 2022/09/21 17:24:50 [015] 204 https://github.internal:443/_dependabot/update_jobs/433/update_dependency_list
updater | INFO <job_433> Checking if hashicorp/aws needs updating
proxy | 2022/09/21 17:24:50 [017] GET https://registry.terraform.io:443/.well-known/terraform.json
proxy | 2022/09/21 17:24:50 [017] 200 https://registry.terraform.io:443/.well-known/terraform.json
proxy | 2022/09/21 17:24:50 [019] GET https://registry.terraform.io:443/v1/providers/hashicorp/aws/versions
proxy | 2022/09/21 17:24:50 [019] 200 https://registry.terraform.io:443/v1/providers/hashicorp/aws/versions
updater | INFO <job_433> Latest version is 4.31.0
updater | INFO <job_433> Requirements to unlock own
INFO <job_433> Requirements update strategy
updater | INFO <job_433> Updating hashicorp/aws from to 4.31.0
updater | INFO <job_433> Submitting hashicorp/aws pull request for update
proxy | 2022/09/21 17:25:10 [021] POST https://github.internal:443/_dependabot/update_jobs/433/update_pull_request
proxy | 2022/09/21 17:25:10 [021] 204 https://github.internal:443/_dependabot/update_jobs/433/update_pull_request
proxy | 2022/09/21 17:25:30 [023] PATCH https://github.internal:443/_dependabot/update_jobs/433/mark_as_processed
proxy | 2022/09/21 17:25:30 [023] 204 https://github.internal:443/_dependabot/update_jobs/433/mark_as_processed
updater | INFO <job_433> Finished job processing
updater | INFO Results:
+---------+-----------------------------------+
| Changes to Dependabot Pull Requests |
+---------+-----------------------------------+
| updated | hashicorp/aws ( from to 4.31.0 ) |
+---------+-----------------------------------+
Smallest manifest that reproduces the issue
No response
To elaborate on the problem with ignored versions, assume that we add an ignore for all versions of kreuzwerker/docker to our dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "terraform"
    directory: "/terraform/module"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "kreuzwerker/docker"
Now, when Dependabot tries to compute whether to ignore this particular version, it fails the version check:
updater | INFO <job_439> Checking if kreuzwerker/docker needs updating
INFO <job_439> Ignored versions:
INFO <job_439> >= 0 - from .github/dependabot.yml
Note the double space caused by "" as the version string.
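The two failure modes above, as an added Ruby example that is not dependabot-core's code: a brittle extractor that assumes `source` precedes `version` and returns "" when the attributes are reordered (the ordering a later comment in this thread identifies as the trigger), an order-independent extractor beside it, and an ignore check that refuses an empty version instead of comparing it with ">= 0". The sample HCL is constructed for the example, and `providers_naive`, `providers_robust`, `minimum_version` and `ignored?` are hypothetical names.

```ruby
require "rubygems"

# Constructed sample (not the reporter's exact file): the docker block lists
# `version` before `source`, the ordering that trips the naive extractor.
SAMPLE_TF = <<~HCL
  terraform {
    required_providers {
      aws = {
        source  = "hashicorp/aws"
        version = "~> 3.63"
      }
      docker = {
        version = "~> 2.15"
        source  = "kreuzwerker/docker"
      }
    }
  }
HCL

# Brittle extraction: one regex that assumes `version` follows `source`.
# When it does not, the optional group never matches and version becomes "".
def providers_naive(hcl)
  hcl.scan(/(\w+)\s*=\s*\{.*?source\s*=\s*"([^"]+)"(?:\s*version\s*=\s*"([^"]+)")?\s*\}/m)
     .to_h { |name, source, version| [name, { source: source, version: version.to_s }] }
end

# Order-independent extraction: isolate each `name = { ... }` block first,
# then read its attributes into a hash, so attribute order is irrelevant.
def providers_robust(hcl)
  hcl.scan(/(\w+)\s*=\s*\{([^{}]*)\}/).to_h do |name, body|
    attrs = body.scan(/(\w+)\s*=\s*"([^"]*)"/).to_h
    [name, { source: attrs["source"], version: attrs["version"].to_s }]
  end
end

# Lowest version a constraint such as "~> 3.63" admits; an empty or
# unparseable string is rejected here rather than reaching a ">= 0" compare.
def minimum_version(constraint)
  m = constraint.to_s.match(/\A\s*(?:~>|>=|=)?\s*([0-9]+(?:\.[0-9]+)*)\s*\z/)
  raise ArgumentError, "no version in #{constraint.inspect}" unless m
  Gem::Version.new(m[1])
end

# Does an ignore rule (default: every version, ">= 0") cover this constraint?
def ignored?(constraint, ignore = ">= 0")
  Gem::Requirement.new(ignore).satisfied_by?(minimum_version(constraint))
end
```

`providers_naive(SAMPLE_TF)["docker"][:version]` is "" while `providers_robust` returns "~> 2.15"; `ignored?("")` raises ArgumentError instead of producing the silent ">= 0" comparison seen in the log.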
Thanks, this is an excellent bug report.
It may be a while til someone can look at it, so if this is a blocker that you want fixed right away you're always welcome to use the dry-run script from within docker and then add some basic `puts` statements, which should help you track down exactly which line the bug is on... from there it should be straightforward to open a PR, but if you have questions feel free to ask.
And no problem if you're not interested in tracking it down further, just be aware that unfortunately it may be a while til we get to it.
Hello, currently running also into this issue.
Is there any additional workaround except to exclude the dependencies from the dependabot.yml? In our case it leads to a Runtime error which blocks the PR from being created.
Ok I think I know why this is happening in our case. It is the same issue that was causing https://github.com/dependabot/dependabot-core/pull/6537, if the version precedes the source. Seems like I missed something.
The following commit fixed the Dependabot scanning in our case: