dependabot-azure-devops
Since version 1.27.1.685 the update check fails on parameter 'requirements_update_strategy'.
Describe the bug Since version 1.27.1.685 (Monday 18-03-2024) the update check (Checking if FluentValidation 11.5.2 needs updating) fails on parameter 'requirements_update_strategy'. Expected type T.nilable(Dependabot::RequirementsUpdateStrategy), got type Symbol with value :auto (TypeError).
2024-03-20T04:03:45.8363653Z Checking if FluentValidation 11.5.2 needs updating
2024-03-20T04:03:45.8383968Z /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/configuration.rb:296:in 'call_validation_error_handler_default': Parameter 'requirements_update_strategy': Expected type T.nilable(Dependabot::RequirementsUpdateStrategy), got type Symbol with value :auto (TypeError)
2024-03-20T04:03:45.8384728Z Caller: /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/call_validation.rb:215
2024-03-20T04:03:45.8385236Z Definition: /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/dependabot-common-0.247.0/lib/dependabot/update_checkers/base.rb:62
2024-03-20T04:03:45.8385775Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/configuration.rb:303:in 'call_validation_error_handler'
2024-03-20T04:03:45.8386328Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/call_validation.rb:300:in 'report_error'
2024-03-20T04:03:45.8386902Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/call_validation.rb:218:in 'block in validate_call'
2024-03-20T04:03:45.8387459Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/signature.rb:234:in 'block in each_args_value_type'
2024-03-20T04:03:45.8387999Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/signature.rb:228:in 'each'
2024-03-20T04:03:45.8388535Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/signature.rb:228:in 'each_args_value_type'
2024-03-20T04:03:45.8389075Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/call_validation.rb:215:in 'validate_call'
2024-03-20T04:03:45.8389633Z from /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11294/lib/types/private/methods/_methods.rb:277:in 'block in _on_method_added'
2024-03-20T04:03:45.8389904Z from bin/update_script.rb:339:in 'new'
2024-03-20T04:03:45.8390116Z from bin/update_script.rb:339:in 'update_checker_for'
2024-03-20T04:03:45.8390335Z from bin/update_script.rb:559:in 'block in <main>'
2024-03-20T04:03:45.8390524Z from bin/update_script.rb:545:in 'each'
2024-03-20T04:03:45.8390723Z from bin/update_script.rb:545:in '<main>'
2024-03-20T04:03:46.0301400Z ##[error]The process '/usr/bin/docker' failed with exit code 1
2024-03-20T04:03:46.0324507Z ##[section]Finishing: dependabot
To Reproduce Steps to reproduce the behavior:
- Run Azure DevOps pipeline with task 'dependabot@1' and the DevOps extension installed:
steps:
- task: dependabot@1
  inputs:
    azureDevOpsServiceConnection: <redacted>
- Task will fail on update check
Expected behavior A run without errors
Screenshots See previous screenshot
Extension (please complete the following information):
- Host: Azure DevOps
- Version 1.27.1.685
Server (please complete the following information):
- Region westeurope
- Version n.a.
Additional context It seems that this problem is related to an update of Dependabot core link
Having the same issue.
I'm also getting this issue
I am also facing the same issue. Did anybody manage to solve it?
I've found a temporary workaround for this issue:
Pin the docker image (which is downloaded by the task while running) to version (tag) 1.27.0 using the 'dockerImageTag' input parameter of the task:
- task: dependabot@1
  inputs:
    dockerImageTag: '1.27.0'
@catsburg That worked!!!! You are an absolute lifesaver. I had tried a few approaches to roll back the azure devops extension but found no way to do it. This worked perfectly, thank you so much for sharing!
@catsburg It's not working for me. Could you please share the pipeline stage added in the yaml for dependabot?
@prajwalkumar9 I'm not sure what you're referring to. The workaround is to specify version 1.27.0 for the Azure DevOps task's input parameter 'dockerImageTag'. This ensures an older version of dependabot core is used, as this extension is not compatible (yet) with the latest version because of a change in dependabot core regarding the 'requirements_update_strategy' parameter.
Fixed by https://github.com/dependabot/dependabot-core/releases/tag/v0.247.0 ?
I think that release causes this issue.
Probably true. Extension was working for me March 25th without image tag changes. => v0.248.0 is probably the correct one then.
@jikuja : Does this mean that if we use the latest version of the dependabot extension (1.27.4.707) we would not face this issue?
@prajwalkumar9 Tested again today without the 'dockerImageTag' value, but this does not work yet
Time to collect information for authors.
Configs:
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    labels:
      - python
      - dependencies
      - dependabot
steps:
- task: dependabot@1
  inputs:
    skipPullRequests: false
    azureDevOpsServiceConnection: dependabot
works for me, no stack to share. Tested
- March 25th
- April 17th
@jikuja It worked for you? I am still seeing the error with version: 1.28.708
@jikuja - Even I am still facing this issue with version: 1.28.0.708
Hi folks 👋
I work on Dependabot, and it looks like I introduced this issue. It's due to the fact that we migrated the requirements_update_strategy from being a Ruby Symbol to a strictly typed enum. Specifically, Dependabot::RequirementsUpdateStrategy.
The fix in this repository is to migrate the VERSIONING_STRATEGIES hash values from symbols to Dependabot::RequirementsUpdateStrategy enums. Something like this:
VERSIONING_STRATEGIES = {
  "lockfile-only" => RequirementsUpdateStrategy::LockfileOnly,
  "widen" => RequirementsUpdateStrategy::WidenRanges,
  "increase" => RequirementsUpdateStrategy::BumpVersions,
  "increase-if-necessary" => RequirementsUpdateStrategy::BumpVersionsIfNecessary
}.freeze
@JamieMagee: Which version of dependabot extension this fix would be part of?
@prajwalkumar9 I'm not sure that Jamie can answer that, if this is about which Azure DevOps Dependabot Extension this fix is meant for. What I can say, and that goes for @NSGToolsupport as well, is that the Azure DevOps Dependabot@1 extension is currently broken. From what I understand, and from code that I have reviewed, @JamieMagee's proposal would fix that.
@JamieMagee Which value should be used for the auto key? There's no value for it in the enum (right?); https://github.com/dependabot/dependabot-core/blob/b8605c0e3c8745c64a04acf941a33b5923a89aab/common/lib/dependabot/requirements_update_strategy.rb#L5
Sorry, I've never worked with Ruby so I'm just trying to make sense of it all :)
@waltervos I think you should pass nil for auto. If this is correct: https://github.com/dependabot/dependabot-core/blob/feb07451364eaeac790ee97f52619f8ebb2ca245/bin/dry-run.rb#L226
Fixed in #1152
Released in 1.29.0
Unfortunately, the latest version is still failing with the following error:
Status: Downloaded newer image for ghcr.io/tinglesoftware/dependabot-updater-nuget:1.29
warning: parser/current is loading parser/ruby33, which recognizes 3.3.2-compliant syntax, but you are running 3.3.1.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
bin/update_script.rb:180:in `<main>': uninitialized constant RequirementsUpdateStrategy (NameError)
"lockfile-only" => RequirementsUpdateStrategy::LockfileOnly,
^^^^^^^^^^^^^^^^^^^^^^^^^^
Fixed in 1.29.1?
Nope, unfortunately not. Firstly, the Azure DevOps task will pull version 1.29 by default (major.minor). And even when explicitly specifying version 1.29.1, it's still broken (task version 1.29.737):
Status: Downloaded newer image for ghcr.io/tinglesoftware/dependabot-updater-nuget:1.29.1
warning: parser/current is loading parser/ruby33, which recognizes 3.3.2-compliant syntax, but you are running 3.3.1.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
bin/update_script.rb:181:in `<main>': uninitialized constant RequirementsUpdateStrategy (NameError)
"lockfile-only" => RequirementsUpdateStrategy::LockfileOnly,
^^^^^^^^^^^^^^^^^^^^^^^^^^
##[error]The process '/usr/bin/docker' failed with exit code 1
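The two failures reported in this thread, side by side, as an added example that is not code from the extension or from dependabot-core: a Symbol is rejected where the enum (or nil) is expected, and the unqualified constant name does not resolve from top-level script code. The enum class below is a constructed stand-in with only the member names quoted above; `strategy_for`, `check_strategy!`, `accepted?` and `unqualified_lookup_fails?` are hypothetical helpers.

```ruby
# Constructed stand-in for Dependabot::RequirementsUpdateStrategy. The real
# class is a sorbet-runtime enum in dependabot-common; only the four member
# names quoted in this thread are modelled here.
module Dependabot
  class RequirementsUpdateStrategy
    LockfileOnly = new
    WidenRanges = new
    BumpVersions = new
    BumpVersionsIfNecessary = new
  end
end

# Top-level script code has to qualify the constant with Dependabot::.
# "auto" maps to nil, as suggested in the thread.
VERSIONING_STRATEGIES = {
  "auto" => nil,
  "lockfile-only" => Dependabot::RequirementsUpdateStrategy::LockfileOnly,
  "widen" => Dependabot::RequirementsUpdateStrategy::WidenRanges,
  "increase" => Dependabot::RequirementsUpdateStrategy::BumpVersions,
  "increase-if-necessary" => Dependabot::RequirementsUpdateStrategy::BumpVersionsIfNecessary
}.freeze

# Resolve a configured strategy name; unknown names fail loudly.
def strategy_for(name)
  VERSIONING_STRATEGIES.fetch(name) { raise ArgumentError, "unknown versioning strategy: #{name}" }
end

# Hypothetical stand-in for the runtime type check on the
# 'requirements_update_strategy' parameter: nil or an enum member only.
def check_strategy!(value)
  return value if value.nil? || value.is_a?(Dependabot::RequirementsUpdateStrategy)
  raise TypeError, "Expected type T.nilable(Dependabot::RequirementsUpdateStrategy), " \
                   "got type #{value.class} with value #{value.inspect}"
end

def accepted?(value)
  check_strategy!(value)
  true
rescue TypeError
  false
end

# The unqualified name is not defined at the top level, hence the NameError.
def unqualified_lookup_fails?
  Object.const_get(:RequirementsUpdateStrategy)
  false
rescue NameError
  true
end
```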
We are currently experiencing the same issue "lockfile-only" => RequirementsUpdateStrategy::LockfileOnly. We have been specifying the latest tag. I tried explicitly setting 1.29.3 and still receive the same error. Is there a resolution for this yet?
I'm seeing the same parser/ruby33 error now in version 1.29. Do I need to update Ruby in my agent?
Latest release: 1.29.5 works for me.